New Attack Fells Internet Explorer

alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

Is that supposed to be news??

[rpp3po]

Yes, old, unpatched browser versions can be exploited. Is this a joke?

Re:Is that supposed to be news??

[UnknowingFool]

old != unpatched.

The article says IE 6 and IE7. It does not say unpatched. For many people these are their current browsers as they have not upgraded to IE 8. For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

Re:Is that supposed to be news??

[thetoadwarrior]

It mentioned versions 6 & 7. Considering how long people hold onto their verison of IE, it will be ages until IE7 disappears. Also, MS does have some contracts with companies that means they're stuck on Win 2k for now which means nothing greater than IE6. Granted these companies could use FF but understandably they're paying for support from MS and want to use a browser they will support.

If MS is going to be taking money for something like this then they should still be supporting IE6 and patching up its holes.

Re:Is that supposed to be news??

[DarkOx]

Considering how long people hold onto their version of IE, it will be ages until IE7 disappears.

I really don't think you are right about that. There will always be those home users on dialup that don't run automatic updates ever but they are not very useful in a bot net anyway. Most people will get update to IE8 weather they mean to do it or not. IE 6 lives in the corporate space because it was around long enough for its own software ecosystem to develop in and on it. IE7 was around for like a year before 8 was released as beta and 8 does not break much compatibility with 7 its much less significant than 6 -> 7.

I doubt there is much code out there target at 7 that does not work on 8. The projects that do would have to have been pretty small and would have been designed and completed in a pretty narrow time window between 7's release and the pretty clear public information on what was coming in 8.

Re:Is that supposed to be news??

[caluml]

I work for a very large bank, and IE 6 is the corporate standard. The banking platform is only designed to work with IE6. Some of the internal admin tools don't work with IE8.

Re:Is that supposed to be news??

[lord_rob+the+only+on]

Using SAP by any chance ?

In my former company, they use SAP and it's absolutely an IE only application for its web interface. It doesn't work *at all* with Firefox. At least that was the case when I was working there (We were using SAP ECC6)

Re:Is that supposed to be news??

[MillionthMonkey]

I'm tired of constantly upgradng everything. I drive an old car built in 1997, and I don't understand why I can't keep running the same browser at least a few years. Yeah I know - constant updating keeps programmers employed.

Drat, improving technology keeps programmers employed.
Double drat- your reluctance to update combined with a propensity to complain keeps additional people employed just to make sure things continue to look pretty on your screen.

Re:Is that supposed to be news??

[Sir_Lewk]

With an atitude like that, you are a nuisance to everyone else on the road.

Re:Is that supposed to be news??

[MillionthMonkey]

What frigen company has managed to hang on to totally shit piece of web software that depends on windows 6 or 7 to function?
Who ever they are, they have bigger IT problems than this exploit will ever generate.

A lot of people- you'd be surprised. Earlier this year I worked for a place where at least a third of their customers (from academic departments, mostly) were still using IE6 and various IE5 versions.

Re:Is that supposed to be news??

[RobertM1968]

old != unpatched.

For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

Or upgrade hardware - we have a variety of customers who's machines are too old to run IE7 or IE8 efficiently, and who have no plans (or budget or whatever) to upgrade their hardware until it dies or is very near death.

Re:Is that supposed to be news??

[Max+Littlemore]

Care to name the bank? That should be public knowledge - or at least available to all customers and any potential customers.

Re:Is that supposed to be news??

[Nefarious+Wheel]

Software doesn't wear out.

Yes it does.

When the world around a piece of running software changes, that piece of software in the middle often doesn't work like it used to. Yes, it's contextual, but it's also mostly true. It's often (humourously) referred to as the "principle of bit decay".

Basically, if it works, it's obsolete.

Re:Is that supposed to be news??

[gcerullo]

No NCSA Mosaic would be a Model-T. IE 6 is a friggin Edsel.

Re:Is that supposed to be news??

[http]

HTML 4 has not changed in over a decade.. EMCA 262 (Javascript) was released almost exactly a decade ago. Version 4 died on the table, and 5 isn't out for a while yet.
What is the improving technology?

Re:Is that supposed to be news??

[plague3106]

If inpections are too heavy a burden on people, those people should not have cars then. As far as getting stuck with "repairs" you don't want, either you're not going to someone trustworthy and should find another mechanic, or you should do the inspection yourself upfront so you can call their BS. Most inspections are just quick checks on belts, brake wear, etc, it should be trivial to do it yourself.

As far as the cost of the inspection, tell that to the state; here its only $20, and only if you pass.

Re:Is that supposed to be news??

[kbielefe]

Allow me to translate from trollspeak. "no way of doing that" means "no way of doing that, that I could find by clicking around for a minute on the GUI." In this case, I don't even think they did that, because there are options to change how often it prompts for updates, and for applying security updates automatically without prompting.

I really like Ubuntu's choice of default behavior here. Prompting the user to apply updates means no "I lost data because it upgraded while I was in the middle of working on it" kinds of complaints. My wife can wait to apply updates until after an important task she is working on. I can see what packages are being updated before applying them so I know where to be on the lookout for potential problems.

Maybe it makes me an elitist, but I also like that you have to know what you're doing in order to change that default behavior too much. Most of the complaints about foolproof features in software come from people who don't think they are the fools.

Oh good Lord *facepalm*

[David+Gerard]

Microsoft Windows has once again trounced all comers in security, with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets. Malware rose 15% just from August to September this year.

Windows users continued to be stupidly complacent Typhoid Marys, telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0% for the fifteenth year in a row, and pumping out gigabytes of spam and denial-of-service attacks from their thoroughly 0wn3d computing cesspits.

“The truth is out,” said Steve Ballmer, taking care not to wash his hands when preparing the food for his Windows 7 House Party. “Mac and Linux users are just too pussy for viruses. Gotta keep your immune system up! What are you, some sort of faggot? Too artsy or nerdy for MANLY food?”

The time on the digital clock behind him changed at random as he foamed slightly at the mouth. “Windows — we’re NUMBER ONE! And here you were saying Windows was a load of ‘number two.’”

Re:Oh good Lord *facepalm*

[ColdWetDog]

*** ALERT ****

Humor Process Failure

(A)bort, (R)etry, (F)lail

Re:Oh good Lord *facepalm*

[MillionthMonkey]

Thanks!

Versions 6 & 7

[Travis+Mansbridge]

Specifically versions 6 & 7, says the article.

Re:Versions 6 & 7

[Sulphur]

So if I am using dos and Windows 3.11, I should be safe. Right.

Re:Versions 6 & 7

[thunderclap]

yes! absolutely. But a better suggestion is Commodore 64! its virus free! It NEVER GETS THEM. Hell, Linux can't even say that.

Summary needs clarification

"According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

So, are they referring to IE or the attack code?

Re:Summary needs clarification

[click2005]

No, they're referring to Symantec's code :)

Re:Summary needs clarification

[pbhj]

Is it too much to hope that someone is using this attack vector to upgrade corporate computers from IE6 to something that can render web pages correctly?

CSS Behvaiors?

[DontLickJesus]

If I'm interpreting this correctly, it would appear to be a buffer overflow attack against the "style" element. Seeing that IE6-7 are the only current browsers that handle CSS behaviors (basically javascript in CSS) I'm going to make an educated guess and say it stems from the validation (and execution of) Javascript in CSS.

Re:Virus warning

[clang_jangle]

As soon as I go to the bug trak web site , my snake oil scamware goes off like crazy.

FTFY.

A great reason to choose Firefox

[simsodep]

There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't login to our site so dep using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to login page, without any error, but like we are unauthenticated. On the other hand, Firefox does its great job.

Re:A great reason to choose Firefox

[jbacon]

It sounds like the root flaw actually lies in your own login implementation. I guarantee that IE is capable of handling sessions. If you have a website that makes you money, you should realize a couple points: First, most of your userbase runs IE. Having the site unusable in said browser is very bad. Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it.

Re:A great reason to choose Firefox

[Zero__Kelvin]

"It sounds like the root flaw actually lies in your own login implementation."

"Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it."

It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.

Re:A great reason to choose Firefox

[Tim+C]

More likely the users would complain, management would haul the IT chief in to a room to ask what was going on, and he'd explain that the users were wasting lots of time filing frivalous tickets trying to access sites for non-work purposes, and management would issue a statement telling them to stop wasting time and money.

In the home space, people would simply go "Huh? But then I won't be able to use my other webs!" and go somewhere else - especially if it's a commercial site they were looking to make a purchase from. Amazon won't serve me? I'll go to B&N, or eBay, or any of a huge number of other companies that will be more than happy to take my business.

What the world needs

[hey!]

is a definitive software engineering treatise on the history of IE security exploits.

It is certainly true that there is a kind of economic network effect going here. For many years we saw so many web sites that only worked properly with IE because IE was so dominant. The same factor naturally attracts black hats looking for systems to exploit. Once we factor that out, what can we learn from how IE was conceived and maintained?

Did clumsy code-reuse and maintenance play a significant role? That is did they stretch existing code to do things it hadn't been designed to do because it was close enough to pass the demo test on time? That's a decision we all face; we'd all *like* to rewrite things better when we take a look at them, but in the real world we've got to ship good enough code on a deadline to justify our salary. I think MS might be particularly vulnerable to the "killer demo" imperative. They are a business that is dependent on organizations choosing entire MS product stacks because they *anticipate* something they're going to need in the future will be dependent on something else in that stack.

Did "business strategy" considerations confuse priorities for system requirements? E.g., The decision to make IE a fundamental part of the OS allowed MS to gain control of (destroy) the browser market while evading anti-trust regulation. Did that result in undesirable coupling of IE to the underlying system? Did the desire to leverage browser market dominance to give other MS products a competitive advantage create confusion in requirements or priorities?

Were there cultural attitudes that made security and quality secondary? E.g. Did MS value having shiny new features soon before doing a quality implementation? Did their success at achieving effective control of the browser market cause them to under-invest in maintenance because they had no competition worth worrying about?

These are the kinds of things I'd like to know. It's almost past the point where any individual security flaw in IE is interesting to me, because there have been so many and will be so many more. It's time for a really first rate summing up by somebody who knows what he's talking about.

Re:What the world needs

[DoofusOfDeath]

is a definitive software engineering treatise on the history of IE security exploits.

Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

Re:Not aware of a patch?

[tepples]

VUPEN Security is not aware of any vendor-supplied patch.

I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

Microsoft doesn't make IE 8 for older versions of Windows such as Windows 2000. It'd be like saying Windows 7 is a "vendor-supplied patch" for Windows Vista.

Re:In other news...

[koiransuklaa]

What does that have to do with anything? Fully patched IE 6 and IE 7 are _supported_ products, the ones you list are not.

Re:Virus warning

It should tell him that his scanner spots that malicious code, like most AVs: http://www.virustotal.com/analisis/74af02248eb35da5a0e615538f73ecd37e186aef5234da237908ba48290c2aa5-1258907794

Google strikes back

[sagematt]

Which butthurt Google Chrome Frame developer found out about this?

Re:Firefox

[Tim+C]

The only people still using internet exploder are people who don't care about security.

Or perhaps they just don't know about that sort of thing, and expect their computer to just work, just as their TV, fridge, microwave, phone, etc all just work?

or whatever the OS X browser is called

First you lambaste people for not knowing enough about IE and its alternatives, then you admit to not knowing enough about Safari. Beautiful.

Hypocrits!

So, isn't the responsible thing to do to notify Microsoft, and given them adequate time to produce a patch?

By posting the exploit to a public list, this guy is basically handing the bad guys a weapon. That's criminal. But because it's a Microsoft product, the Slashdot folks just eat that up -- Hey, fuck'em, they're running Wind0ze!!!111

Re:Not aware of a patch?

[0123456]

Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

You haven't been in IT long, have you?

MSIE version 8 is not known, according to TFA.

[jbn-o]

The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

Some users, like office workers, are not in control of the computers they use and cannot switch away from what they were given. Sometimes they were set up with particular versions of software to suit other programs. The "Banner" system some universities use, for instance, requires MSIE7 and a particular old version of Sun's Java runtime. Certain sections of Banner don't work properly with non-MSIE browsers like Firefox. I understand this is an extremely costly system and switching away is considerably complicated. I'm not endorsing these choices or claiming any of these choices is wise, but it is there.

The article also says the status of MSIE8 is not mentioned by the researchers: "Neither company [Symantec and Vupen] was able to confirm that the attack worked on Microsoft's latest browser, IE 8.". What part of what article were you referring to?

Re:Virus warning

[someone1234]

Yes, it detects the code on display, not an actual exploit.
It is crappy AV software.