Slashdot Mirror
Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
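The advisory's "invalid pointer accessed after an object is deleted" is a use-after-free. As an added illustration (constructed for this page, not IE's or Microsoft's code), here is one defensive pattern against that defect class: objects are addressed through generation-stamped handles rather than raw pointers, so a reference held past the object's deletion resolves to NULL instead of to freed memory. The store size, names and functions are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not IE's or Microsoft's code: a small object store
 * addressed by generation-stamped handles instead of raw pointers. A
 * reference kept after its object is deleted resolves to NULL instead of
 * to freed memory, which is the defect class the advisory describes. */

#define MAX_OBJECTS 8

typedef struct { char name[32]; } Element;
typedef struct { Element *obj; uint32_t generation; } Slot;   /* obj NULL = free */
typedef struct { uint32_t index, generation; } Handle;

static Slot g_slots[MAX_OBJECTS];

/* Create an element; index == UINT32_MAX means the store is full. */
Handle element_create(const char *name) {
    Handle h = { UINT32_MAX, 0 };
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (g_slots[i].obj != NULL) continue;
        g_slots[i].obj = calloc(1, sizeof(Element));
        if (g_slots[i].obj == NULL) return h;
        strncpy(g_slots[i].obj->name, name, sizeof g_slots[i].obj->name - 1);
        h.index = i;
        h.generation = g_slots[i].generation;
        return h;
    }
    return h;
}

/* Resolve a handle; deleted, reused, or bogus handles yield NULL. */
Element *element_get(Handle h) {
    if (h.index >= MAX_OBJECTS) return NULL;
    Slot *s = &g_slots[h.index];
    if (s->obj == NULL || s->generation != h.generation) return NULL;
    return s->obj;
}

/* Delete: free the memory and invalidate every outstanding handle to it,
 * so a later element_get() on a stale handle cannot touch the freed object. */
int element_delete(Handle h) {
    Element *e = element_get(h);
    if (e == NULL) return 0;            /* already gone: no double free */
    free(e);
    g_slots[h.index].obj = NULL;
    g_slots[h.index].generation++;
    return 1;
}
```

Every access goes through element_get(), so the dangling-reference check is centralised instead of relying on each caller to remember that an object was deleted.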

9 of 279 comments

  1. Re:IE8 has the flaw but is immune... by should_be_linear · · Score: 4, Insightful

    Having a radio button somewhere that makes your OS vulnerable to a _KNOWN_ exploit is a really stupid idea.

    --
    839*929
  2. Re:Not fixing it in IE6... by quantumplacet · · Score: 4, Insightful

    It's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. The biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.

  3. Re:IE8 has the flaw but is immune... by should_be_linear · · Score: 4, Insightful

    OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?

    --
    839*929
  4. Re:Not fixing it in IE6... by Bacon+Bits · · Score: 5, Insightful

    How is this a troll? What he said is true.

    Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.

    --
    The road to tyranny has always been paved with claims of necessity.
  5. When will we change programming practices? by haruchai · · Score: 4, Insightful

    It seems that all the exploits I've read about over the last decade boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
    Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
    Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
    the old "we've always done things this way and it would be too expensive to change" is real crap.
    What about the cost of NOT changing? Is that irrelevant because the cost (and consequences) are the burden of the end-user, not the vendor?

    Isn't it past time that things changed?

    --
    Pain is merely failure leaving the body
  6. Re:Not fixing it in IE6... by TheRaven64 · · Score: 4, Insightful

    (due to hordes of crap .NET programmers*)

    You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.

    --
    I am TheRaven on Soylent News
  7. Re:Marketing must be pleased by Anonymous Coward · · Score: 5, Insightful

    Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

    Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

    Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."

  8. Re:Not fixing it in IE6... by riegel · · Score: 5, Insightful

    Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.

    Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.

    --
    http://p8ste.com - Web based Clipboard
  9. MOD PARENT DOWN (INFORMATIVE?) by BasharTeg · · Score: 4, Insightful

    If you had any idea what OP was talking about, you'd realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.

    Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?