Slashdot Mirror
Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit can not work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.
So saying it is a 'problem' on Vista or Win7 is stretching the truth.
Looking back at the whole story it seems that Google planed this in advance. They got hacked for real... but then someone had an idea: this an IE exploit so lets benefit from this. Let's show everyone how bad IE really is. So they posted on their blog saying that they will get out of China because of this attack (very dramatic so everybody heard about it) but I suspect that they have no intention to do that. I think they used their blog just to let people know: "we are Google, we know stuff about security but we've been hacked, we will lose this big market and it's all because of this flawed IE". Now everybody is running away from IE (finally).
Not sure if this is evil but I'm sure IE will lose because of this.
That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.
After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes the browser of choice for public Internet use?
* note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker). Also, there's the fact that Microsoft has a lot of old baggage around that it can ill afford to simply stop supporting.
Quo usque tandem abutere, Nimbus, patientia nostra?
it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.
How is this a troll? What he said is true.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
The road to tyranny has always been paved with claims of necessity.
Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Fords one SUV model.
As usual, another analogy on /. fails...
Your comment is outrageous. The submission consists of a factual statement and some literal quotes from Microsoft.
If this is FUD about explorer it is Microsoft FUD about explorer and not the submitters.
Fair point on the former, but the latter could be managed to an extent via GPO - you just have to roll your own policies to do it.
Quo usque tandem abutere, Nimbus, patientia nostra?
The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?
I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they appologize?
(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)
WTF? First of all how do .NET programmers have anything to do with IE6 installs? Second - why pick on .NET and not on Java which came first or even Python and Ruby which claim to be even easier? Oh yeah... the first from Microsoft and the others are open source... And btw these programmers you are talking about would still be employed and would be doing much more damage if it was not for .NET and Java to keep them from producing billions of buffer overflows and memory leaks.
It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?
Isn't it past time that things changed?
Pain is merely failure leaving the body
(due to hordes of crap .NET programmers*)
You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.
I am TheRaven on Soylent News
Firestone still took the contract, they weren't going to turn down a sale of millions of tires.. They knew what Ford was putting them on.
Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fixing it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for for years.
Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.
Proud member of the Weirdo-American community.
We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.
The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.
I'm a virgo and on Slashdot. Coincidence? Yes.
Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
That is a misrepresentation, at best.
The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Actually, IE5 is the only version not effected. You should be downgrading not upgrading.
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
"But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT depatments.
http://p8ste.com - Web based Clipboard
If you had any idea what OP was talking about, you're realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.
Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
Is this an ActiveX thing?
No, it doesn't appear so at this time. But it could be.
I mean how the hell do you get the pointer in the first place? And how do you keep the browser from page faulting?
I'm so confused!
The attacker actually don't "get the pointer". He discovered some bug where IE would deallocate an object but still hold a pointer to it. A "dangling" pointer.
The attacker then typically allocates *a lot* of other objects, hoping that they will take up the address pointed to by the "dangling" pointer. He will try to arrange the allocations such that the allocated "data" is actually attack code if ever executed as instructions. The attacker could hide attack code in string constants/buffers etc.
Then he proceeds to prompt IE to actually *follow* the dangling pointer. If he's lucky (and skillful) IE will now hit something which was actually "data" - but when executed as CPU instruction it is actually malicious attack code.
This is why DEP will kill this attack. As soon as the CPU is jumping into a NX memory block, it faults. And the heap/stack are marked as NX (DEP) in all recent MS OSes for IE8.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
That's simple B.S. Every person I deal with in supporting their machine I get rid of every shortcut to IE and tell them that they have a new browser. They all love Firefox and Opera. I use Firefox (with noscript) to fix computers with alot of kids. This is good because some kids click everything they can find online! For slow systems I install Opera. It uses the least system resources and starts the fastest. This makes the user very happy cuz all they want is for their machine to function as advertised. So they don't really love the browser, they couldn't give two shits, they just know if it works on facebook, or takes forever loading up a 'heavy' page.
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration.
Ya, well then you're going out of your way to make yourself vunerable again. At which point, I'd have to ask... why did you bother to upgrade?
Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collective hands. We decide how and when Firefox is fixed and we decide how thorough that fix is.
And to the average user, there is no differnce. They'll have to way for FF to update itself to get the patch as well, as they're waiting on the mozilla people to do so.
So while you're probably not a programmer
Actually I am.
, like most computer users, you have options with Firefox that you don't have with IE. You could learn to program and help fix Firefox's code. You stand virtually no chance of doing this with IE's code no matter how expert you become. It is of no help to look at this as though Firefox hackers are your workers so you can sit back and wait for them to deliver a fix ("I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out?").
Ya, in the real world, thats not going to happen. By the time the average user learned to progam, they'd be a new version of both IE and FF out already. As I explained, to the average user, there is no difference between FF and IE; either browser you're still at the mercy of a 3rd party for a patch.
Software freedom changes the game by giving you permission to control your computer; the more free software you run, the more control you have. Like with any other freedom how much of that permission you're willing to leverage is up to you
No, it doesn't. It puts users are the mercy of the OS community (which has an attitude "if you didn't pay for it you don't have a right to complain") instead of a company. But at the end of the day, its the same for them. Don't be delusional; people just want to USE their computers, not spend time learning to program to fix other people's software.
The place I work is still running IE 6. About 6 months ago they did a big effort to upgrade to IE 7, tested all their apps, and then decided that they weren't ready. There is currently no time table to upgrade to IE7 let alone 8.
A company I interned at had IE 4.0 for the longest time, even after 5 came out, and the latest versions of netscape....
I think what our friends at Microsoft don't realize is that big companies (especially big regulated companies) are really slow to move on things. Upgrade to IE 8 is not really a valid answer. A large regulated company will spend months testing, and in many cases it will take years to go upgrade. Now if IE didn't encourage people to violate web standards, then it wouldn't be that bad. But unfortunately it does and people do. So fixing things to work with IE7 or even IE8 after IE 6 is a pretty big deal.
So good luck with that. I know my company is going to be running IE 6 for at least another year, maybe more. They have to go slow because it is a financial company and they are subject to all sorts of SOX controls and regulations. Also upgrading browsers does not immediately generate revenue so it is not a high priority. They don't even use the right resources for testing so it drags out much longer than it should....
I worked at a Microsoft Fanboy company but even then it took a good 6 months to test all the apps with IE 7 and there the roll out wasn't company wide, just that division. There was also a project in Parallel to fix the issues and move all development projects to Visual Studio 2005. They properly staffed based on what they had, and it still took 6 months. And they were Microsoft Fanboys. I mean SQL SErver 2005 comes out, they need to upgrade within a year. SQL Server 2008 comes out, they put on a project to upgrade within a year. Windows Vista comes out, they need to upgrade.... And even there 6 months time is a lot of time to be exposed to a vulnerability. And they are the exception not the rule.
For many companies a security issue or browser upgrade does not generate revenue and is super low priority....
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with computer startup script that checks if Firefox is installed, if it's not the latest version it installs the latest version. The downside of this approach is that I have to manually update the script everytime there is an update, and this does nothing to update add-ons. IE at least gets updated via wsus and I don't even have to think about it.
Nonsense. We manage something like 2,800 apps centrally for 60,000+ desktops using a 3rd party tool. We have another 400 or so apps that we manage for our 11,000 servers. Total staff to package and update this environment? About a dozen.
Firefox is just another app to us.
https://developer.mozilla.org/En/A_Brief_Guide_to_Mozilla_Preferences
If the administrators can write to the application directory and prevent the user from doing so, then they can enforce profile settings in Firefox (and almost any Mozilla app).
The problem is you need to invest a lot of time, money and expertise into setting something like that. For a big shop like yours, that's no problem - the cost of initial setup is easily justified by the fact you have to manage 60k+ desktops and over 2,000 apps, and doing that manually would cost a fortune.
Most of us aren't that large though. We've got maybe 150 desktops/laptops, which is enough to make managing them manually impractical, but not enough to justify purchasing and learning systems management and package management software and the ins and outs of crafting your own package for each application and so on.
You say that "Firefox is just another app to us", but I'm sure you (or someone) spent a long time figuring out how to pull apart the installer and repackage it for your environment and to have everything working for the users but without giving them too much control over bits you want/need to manage centrally, and so on. Again, if you're already set up and have the knowledge of doing that for thousands of other apps, it's not too big a deal. But for us, nobody has that knowledge, and even if they did, nobody has the time to sit around working out how to repackage the application of the month; especially when it's only going to be required by a handful of people.
So either you need to buy some fantastic systems management software ($$$) and hope the vendor supplies packages/scripts/instructions for packaging the apps you use; or you buy packaging tools and learn to do it yourself ($$ + time), or you just use the stuff the more-or-less works out of the box ($). It's no surprise then that most smaller shops use Microsoft's software across the board, and then manually manage installs of additional software in the few cases where they're really needed.
No registry hacks are necessary to set configuration information in Firefox. It's all text files, the way God intended config files to be. :)