Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

← Back to Stories (view on slashdot.org)

Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

Posted by CmdrTaco on Monday January 18, 2010 @02:33AM from the oh-we'll-fix-it-eventually dept.

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."

26 of 279 comments (clear)

Min score:

Reason:

Sort:

IE8 has the flaw but is immune... by vistapwns · 2010-01-18 02:37 · Score: 5, Informative

Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit can not work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...

--
"...I think the Microsoft hatred is a disease." - Linus Torvalds
1. Re:IE8 has the flaw but is immune... by vistapwns · 2010-01-18 02:44 · Score: 3, Informative
  
  And how are other browsers better in that case? If they have to disable DEP on firefox, it's even worse than IE because it's not sandboxed. Anyways, the articles I've been reading say Google was exploited thru IE6 that they have on XP systems.
  
  --
  "...I think the Microsoft hatred is a disease." - Linus Torvalds
2. Re:IE8 has the flaw but is immune... by UnknowingFool · 2010-01-18 02:45 · Score: 4, Informative
  
  If it has the flaw, then it's not immune but it's less vulnerable. If DEP is disabled (which may be required to get some apps to work), then IE8 can become exploited too.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
3. Re:IE8 has the flaw but is immune... by Penguinisto · 2010-01-18 03:03 · Score: 4, Informative
  
  True, DEP is enabled by default on the Win 7 / IE8 combo. OTOH, neither will run (very well, anyway) a horde of old enterprise services and suites that still linger about the industry, compatibility modes be damned.
  There are fixes and workarounds, but they can get rather expensive (and usually involve an XP Mode server of sorts, or Terminal Services seat licenses, etc).
  Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
4. Re:IE8 has the flaw but is immune... by Ralish · 2010-01-18 04:24 · Score: 5, Informative
  
  They are aiming for both backwards compatibility and security, but above all, they are aiming to put out a fix that isn't broke. I'm honestly not trying to be the Microsoft apologist here, but the complexity of putting out a patch for IE is a lot more complex than you might first think, even compared to other browsers. Here's why:
  Using Firefox as an example, when Mozilla finds a security flaw in Firefox, they simply release a new point release of all supported versions of Firefox (currently 3.0 and 3.5) that contains the fix, as well as all previous fixes, and usually several other security/stability fixes bundled into that particular point release. So, this means a release across two product versions, which can be expanded to releasing on the architectures supported for those particular versions as well as supported platforms. The source code change probably isn't architecture or platform specific (wrong?) so can thus be inserted into the correct maintenance trees in the source repository and the binaries/sources made available.
  Using Microsoft as an example, when Microsoft finds a security flaw in Internet Explorer, they need to patch every supported version of IE on every supported version of Windows down to specific IE patch level possibly also impacted by Windows patch level. For a security flaw like this that affects IE6 through IE8, that means patches for every version of Windows from 2000 to 7, for every architecture (x86, x86_64, ia64), for numerous patch levels. For example, in many versions of Windows two separate patch levels of IE might be simultaneously supported (e.g. IE6 SP1 on Windows 2000 and IE6 SP2(SP3?) on XP). Keep in mind that the binaries for the same exact patch level of IE on two different versions of Windows on the same architecture are highly unlikely to be the same (e.g. IE7 on XP will not be the same as IE7 on Vista, nor will the patch binaries be the same, and OS SP level may also make a difference). Versions of Internet Explorer on Windows CE/Mobile might also be impacted resulting in further patch complexity. Oh, and x64 versions of Windows (and ia64?) have both the 32-bit and 64-bit versions installed side-by-side, due to issues with plug-in compatibility (you can't load 32-bit code into a 64-bit application). So, you'll need to patch both versions on 64-bit platforms, and once again, the 32-bit binaries for 64-bit systems are unlikely to be identical to the 32-bit binaries for 32-bit systems. In summary, we are talking a huge number of binary patches that all need to be thoroughly tested, passed through regression suites, and so forth, because if even one of these patches breaks something, odds are, you'll have a lot of pissed off users.
  That being said, this is largely Microsoft's fault. By integrating the browser so closely to the OS, they've managed to create this complexity. A clean(er) separation of web browser from OS internals would, while not making things simple, would surely reduce the current clusterfuck. Doing so would bring you much closer to the model that most (every?) other web browser uses, and should drastically reduce the amount of testing that would need to be done. For now, this isn't the case, and the present reality is that patching every version of IE since 2001 is a very messy business.
5. Re:IE8 has the flaw but is immune... by edxwelch · 2010-01-18 04:28 · Score: 1, Informative
  
  DEP is not exclusive to IE8. You can enable it system wide if you want. However, DEP is only good for this particular exploit. It's possible to write a exploit that circumvents both DEP and sandboxing
6. Re:IE8 has the flaw but is immune... by Anonymous Coward · 2010-01-18 05:36 · Score: 1, Informative
  
  Except that there are times where you can't update your browser because some line-of-business application is only compatible with IE6. IT is probably chomping at the bit to upgrade, but can't until the business either finds a replacement app or the vendor makes updates.
  IT is demonized for decisions that they didn't always have a part in.
7. Re:IE8 has the flaw but is immune... by Pharmboy · 2010-01-18 09:51 · Score: 2, Informative
  
  Yea, after reading the article (some of us do) I found that this summary is a piss poor one, more aimed at bashing MS than giving the real facts. We don't need to make up imaginary reasons to hate MS, they already provide plenty of real reasons.
  
  --
  Tequila: It's not just for breakfast anymore!
Re:Vista, Win7 - really? by Penguinisto · 2010-01-18 03:08 · Score: 3, Informative

Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.
Microsoft has come a long way in securing their OS, but they still have a long way to go before claiming that their product is as secure as, say, FreeBSD or OSX.

--
Quo usque tandem abutere, Nimbus, patientia nostra?
Re:Faulty Products. A comparison. by plague3106 · 2010-01-18 03:17 · Score: 5, Informative

Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Fords one SUV model.
As usual, another analogy on /. fails...
Re:Channeling BadAnalogyGuy by MrMr · 2010-01-18 03:19 · Score: 4, Informative

Your comment is outrageous. The submission consists of a factual statement and some literal quotes from Microsoft.
If this is FUD about explorer it is Microsoft FUD about explorer and not the submitters.
Re:Not fixing it in IE6... by Penguinisto · 2010-01-18 03:20 · Score: 3, Informative

Fair point on the former, but the latter could be managed to an extent via GPO - you just have to roll your own policies to do it.

--
Quo usque tandem abutere, Nimbus, patientia nostra?
The right time to upgrade by Random+BedHead+Ed · 2010-01-18 03:26 · Score: 4, Informative

The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?
I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they appologize?
(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)
Re:Faulty Products. A comparison. by Anonymous Coward · 2010-01-18 03:29 · Score: 1, Informative

Incorrect... The fault was Ford stuck the tires on as OEM parts, and actually UNDER-INFLATED the tires. The issue that occurred with the Firestone tire would have happened with ANY P or UV tired that was also under-inflated on that vehicle at highway speeds. An under inflated tire causes major heat build up, and leads to tire failure.
As another posted said, a crap analogy.
Re:Faulty Products. A comparison. by robogun · 2010-01-18 03:40 · Score: 2, Informative

Firestone still took the contract, they weren't going to turn down a sale of millions of tires.. They knew what Ford was putting them on.
Re:Not fixing it in IE6... by maotx · 2010-01-18 04:00 · Score: 4, Informative

We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.
The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.

--
I'm a virgo and on Slashdot. Coincidence? Yes.
Microsoft's advisory admits that both IE7 and IE8 by benjymouse · 2010-01-18 04:06 · Score: 3, Informative

Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
That is a misrepresentation, at best.
The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
IE5 rules supreme by edxwelch · 2010-01-18 04:16 · Score: 4, Informative

Actually, IE5 is the only version not effected. You should be downgrading not upgrading.
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
"But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."
Re:Who cares? by amicusNYCL · 2010-01-18 04:49 · Score: 2, Informative

Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.

--
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Re:Not fixing it in IE6... by Anonymous Coward · 2010-01-18 05:05 · Score: 1, Informative
it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.
I work for one of those such big FTSE companies. I tried using Firefox but repeatidly came across too many sites which either didn't work or rendered badly.
Off the top of my head, these don't work with Firefox:
1. The whole intranet.
2. The brand assets site.
3. The whole HR system (Oracle e-Business).
4. The IT department equipment ordering site.
5. The desk booking system.
6. Oracle Financials for PO's and expenses.
7. Manugistics stock system.
8. Our spam filter application.
9. Quality Centre (what used to be Test Director).
10. Sharepoint.
11. The meeting room booking system.
The only thing which does work is the Safecom print queue system! Note that I'm not blaming the Firefox devs here, all the applications have been written to work in IE and IE only.
In the end, I still use Firefox but also have IE View running with a large list of domains to run in Internet Explorer. I tried IE Tab but it doesn't like ActiveX which seems to be the main issue on a lot of these sites.
Re:Vista, Win7 - really? by pyrbrand · 2010-01-18 05:47 · Score: 3, Informative

Actually, on Vista and Win7, IE runs even lower privileged than normal user. It has no messaging access to any process not in limited mode, and no write access to any files not in the user's "local low" directory.
Re:Vista, Win7 - really? by shutdown+-p+now · 2010-01-18 06:17 · Score: 2, Informative

...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.
The folks who write IE (as well as other MS developers) are very well aware of the nature privilege escalation vulnerabilities. This is effectively the required read around here, and, while rather high-level, it does give a good overview of these kinds of attacks.
Regardless, more security layers are always better, especially when you can't guarantee the code to be absolutely, definitely 100% secure. Things like sandbox, DEP, ASLR etc are absolutely not a replacement for writing proper code, security reviews etc, but they help to limit and contain the effects of many discovered vulnerabilities, which this particular case demonstrates very well. In many cases it can mean that a discovered vulnerability is downright non-exploitable (at best you can DoS the client by crashing him). In some other cases it is exploitable, but requires a very significant amount of effort to get past all the layers; if vulnerability becomes known before an exploit is available, this buys more time to get a proper fix out.
Re:Not fixing it in IE6... by sgtrock · 2010-01-18 07:28 · Score: 3, Informative

Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK
Nonsense. We manage something like 2,800 apps centrally for 60,000+ desktops using a 3rd party tool. We have another 400 or so apps that we manage for our 11,000 servers. Total staff to package and update this environment? About a dozen.
Firefox is just another app to us.
Re:Not fixing it in IE6... by Anonymous Coward · 2010-01-18 09:43 · Score: 3, Informative

https://developer.mozilla.org/En/A_Brief_Guide_to_Mozilla_Preferences
If the administrators can write to the application directory and prevent the user from doing so, then they can enforce profile settings in Firefox (and almost any Mozilla app).
Re:Not fixing it in IE6... by Anonymous Coward · 2010-01-18 11:14 · Score: 1, Informative

I believe most browsers run in user space.
Re:Not fixing it in IE6... by sgtrock · 2010-01-19 02:16 · Score: 2, Informative

No registry hacks are necessary to set configuration information in Firefox. It's all text files, the way God intended config files to be. :)