Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Attack Fells Internet Explorer

Posted by Soulskill on from the tricking-an-old-dog dept.

alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

12 of 202 comments (clear)

  1. Is that supposed to be news?? by rpp3po · · Score: 4, Insightful

    Yes, old, unpatched browser versions can be exploited. Is this a joke?

    1. Re:Is that supposed to be news?? by UnknowingFool · · Score: 4, Insightful

      old != unpatched.

      The article says IE 6 and IE7. It does not say unpatched. For many people these are their current browsers as they have not upgraded to IE 8. For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Is that supposed to be news?? by caluml · · Score: 4, Insightful

      I work for a very large bank, and IE 6 is the corporate standard. The banking platform is only designed to work with IE6. Some of the internal admin tools don't work with IE8.

      --
      Get your own free personal location tracker
    3. Re:Is that supposed to be news?? by lord_rob+the+only+on · · Score: 4, Interesting

      Using SAP by any chance ?

      In my former company, they use SAP and it's absolutely an IE only application for its web interface. It doesn't work *at all* with Firefox. At least that was the case when I was working there (We were using SAP ECC6)

  2. Oh good Lord *facepalm* by David+Gerard · · Score: 5, Funny

    Microsoft Windows has once again trounced all comers in security, with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets. Malware rose 15% just from August to September this year.

    Windows users continued to be stupidly complacent Typhoid Marys, telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0% for the fifteenth year in a row, and pumping out gigabytes of spam and denial-of-service attacks from their thoroughly 0wn3d computing cesspits.

    “The truth is out,” said Steve Ballmer, taking care not to wash his hands when preparing the food for his Windows 7 House Party. “Mac and Linux users are just too pussy for viruses. Gotta keep your immune system up! What are you, some sort of faggot? Too artsy or nerdy for MANLY food?”

    The time on the digital clock behind him changed at random as he foamed slightly at the mouth. “Windows — we’re NUMBER ONE! And here you were saying Windows was a load of ‘number two.’”

    --
    http://rocknerd.co.uk
    1. Re:Oh good Lord *facepalm* by ColdWetDog · · Score: 4, Funny

      *** ALERT ****

      Humor Process Failure

      (A)bort, (R)etry, (F)lail

      --
      Faster! Faster! Faster would be better!
  3. Summary needs clarification by Anonymous Coward · · Score: 5, Funny

    "According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

    So, are they referring to IE or the attack code?

    1. Re:Summary needs clarification by click2005 · · Score: 4, Funny

      No, they're referring to Symantec's code :)

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  4. A great reason to choose Firefox by simsodep · · Score: 4, Informative

    There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't login to our site so dep using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to login page, without any error, but like we are unauthenticated. On the other hand, Firefox does its great job.

  5. What the world needs by hey! · · Score: 4, Interesting

    is a definitive software engineering treatise on the history of IE security exploits.

    It is certainly true that there is a kind of economic network effect going here. For many years we saw so many web sites that only worked properly with IE because IE was so dominant. The same factor naturally attracts black hats looking for systems to exploit. Once we factor that out, what can we learn from how IE was conceived and maintained?

    Did clumsy code-reuse and maintenance play a significant role? That is did they stretch existing code to do things it hadn't been designed to do because it was close enough to pass the demo test on time? That's a decision we all face; we'd all *like* to rewrite things better when we take a look at them, but in the real world we've got to ship good enough code on a deadline to justify our salary. I think MS might be particularly vulnerable to the "killer demo" imperative. They are a business that is dependent on organizations choosing entire MS product stacks because they *anticipate* something they're going to need in the future will be dependent on something else in that stack.

    Did "business strategy" considerations confuse priorities for system requirements? E.g., The decision to make IE a fundamental part of the OS allowed MS to gain control of (destroy) the browser market while evading anti-trust regulation. Did that result in undesirable coupling of IE to the underlying system? Did the desire to leverage browser market dominance to give other MS products a competitive advantage create confusion in requirements or priorities?

    Were there cultural attitudes that made security and quality secondary? E.g. Did MS value having shiny new features soon before doing a quality implementation? Did their success at achieving effective control of the browser market cause them to under-invest in maintenance because they had no competition worth worrying about?

    These are the kinds of things I'd like to know. It's almost past the point where any individual security flaw in IE is interesting to me, because there have been so many and will be so many more. It's time for a really first rate summing up by somebody who knows what he's talking about.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  6. Re:In other news... by koiransuklaa · · Score: 4, Insightful

    What does that have to do with anything? Fully patched IE 6 and IE 7 are _supported_ products, the ones you list are not.

  7. Hypocrits! by Anonymous Coward · · Score: 5, Insightful

    So, isn't the responsible thing to do to notify Microsoft, and given them adequate time to produce a patch?

    By posting the exploit to a public list, this guy is basically handing the bad guys a weapon. That's criminal. But because it's a Microsoft product, the Slashdot folks just eat that up -- Hey, fuck'em, they're running Wind0ze!!!111