Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

Posted by CmdrTaco on from the oh-we'll-fix-it-eventually dept.

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."

4 of 279 comments (clear)

  1. Vista, Win7 - really? by TheNetAvenger · · Score: 5, Interesting

    Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.

    Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.

    So saying it is a 'problem' on Vista or Win7 is stretching the truth.

    1. Re:Vista, Win7 - really? by Sycraft-fu · · Score: 4, Interesting

      Also if you leave UAC on, it will be running as a normal user, not as an administrator. So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.

      By default, IE8 on 7 is pretty secure.

  2. Re:IE8 has the flaw but is immune... by KnownIssues · · Score: 4, Interesting

    Then why would Microsoft state that IE8 is vulnerable to this flaw? They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.

  3. Re:Not fixing it in IE6... by BlackBloq · · Score: 4, Interesting

    That's simple B.S. Every person I deal with in supporting their machine I get rid of every shortcut to IE and tell them that they have a new browser. They all love Firefox and Opera. I use Firefox (with noscript) to fix computers with alot of kids. This is good because some kids click everything they can find online! For slow systems I install Opera. It uses the least system resources and starts the fastest. This makes the user very happy cuz all they want is for their machine to function as advertised. So they don't really love the browser, they couldn't give two shits, they just know if it works on facebook, or takes forever loading up a 'heavy' page.