Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
But even at Google they apparently have some stuff that requires them to disable it. You can bet a lot of the shops that can't ditch IE will have to disable DEP for backwards compatibility with the crappy apps that are the only reason they don't switch to something better anyway.
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.
So saying it is a 'problem' on Vista or Win7 is stretching the truth.
Then why would Microsoft state that IE8 is vulnerable to this flaw? They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here; I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.
And how are other browsers better in that case?
This whole problem is based on the fact that MS is not willing/able to fix this issue for quite a long time (days?). Other browsers are different in that they fix security issues ASAP.
A security fix which breaks other required functionality isn't much better though, is it? A patch rushed out the door without much testing isn't a patch I necessarily want to install.
So I was doing an install of AT&T DSL a few months ago. You don't just plug it in, you have to authenticate.
Only IE works with their server, and the install disc includes IE6 in case you don't have it.
That's simple B.S. For every person whose machine I support, I get rid of every shortcut to IE and tell them that they have a new browser. They all love Firefox and Opera. I use Firefox (with NoScript) to fix computers with a lot of kids. This is good because some kids click everything they can find online! For slow systems I install Opera. It uses the least system resources and starts the fastest. This makes the user very happy, 'cause all they want is for their machine to function as advertised. So they don't really love the browser, they couldn't give two shits; they just know if it works on Facebook, or takes forever loading up a 'heavy' page.
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with a computer startup script that checks if Firefox is installed; if it's not the latest version, it installs the latest version. The downside of this approach is that I have to manually update the script every time there is an update, and this does nothing to update add-ons. IE at least gets updated via WSUS and I don't even have to think about it.
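A sketch of the kind of computer-startup script this post describes, added here as an example and not the poster's own script. It assumes the installer is staged on a file share (the path below is a placeholder) and that the Firefox installer accepts `-ms` for a silent install; the installed version is read from the version stamp on firefox.exe rather than from the registry.

```powershell
# Added example: GPO computer-startup script that upgrades Firefox only when
# an installed copy is older than the version the admin has staged.
# Assumptions: installer staged at a placeholder share path; the Firefox
# installer accepts -ms for a silent install.

$TargetVersion = [version]'3.6.0'   # bumped by hand each release (the downside the post mentions)
$Installer     = '\\FILESERVER\software\Firefox Setup.exe'   # placeholder path
$LogFile       = "$env:SystemRoot\Temp\firefox-update.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Get-InstalledFirefoxVersion {
    # Check both 32- and 64-bit Program Files; return $null when not installed.
    $candidates = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe")
    if (${env:ProgramFiles(x86)}) {
        $candidates += "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
    }
    foreach ($exe in $candidates) {
        if (Test-Path -Path $exe) {
            # ProductVersion may carry a suffix like "3.6.0 (en-US)"; keep the numeric part.
            $raw = (Get-Item -Path $exe).VersionInfo.ProductVersion
            if ($raw -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
        }
    }
    return $null
}

$installed = Get-InstalledFirefoxVersion
if ($null -eq $installed) {
    Write-Log 'Firefox not installed; nothing to do'   # users who never installed it are left alone
    exit 0
}
if ($installed -ge $TargetVersion) {
    Write-Log "Firefox $installed is current"
    exit 0
}
if (-not (Test-Path -Path $Installer)) {
    Write-Log "installer missing at $Installer"
    exit 1
}
Write-Log "upgrading Firefox $installed to $TargetVersion"
$proc = Start-Process -FilePath $Installer -ArgumentList '-ms' -Wait -PassThru
Write-Log "installer exit code $($proc.ExitCode)"
exit $proc.ExitCode
```

Because the script runs as the computer's startup script, it executes as SYSTEM before any user logs on, which is why the installer path should be a read-only share that only administrators can write to.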
The real solution is not open source browsers specifically...
The real solution is diversity.
All software will have bugs, but they are a lot more difficult to exploit if there are a handful of different browsers running on a handful of different platforms and hardware architectures that your targets could be running. Also, having an even split in the market would force all the different software makers to compete on quality... If one vendor drags their feet they will face losing lots of market share... MS can drag their feet without risk of losing anything right now because people are locked in to them.
The attacks that recently succeeded proved the dangers of monoculture: if you're a hacker looking to target any large corporation or government, you can be sure that your target will be running Windows/IE/MS Office, so one exploit, trojan and skillset will suffice against any number of targets.
Nature has proven the importance of diversity...