Slashdot Mirror


Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."

23 of 279 comments

  1. IE8 has the flaw but is immune... by vistapwns · · Score: 5, Informative

    Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit can not work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...

    --
    "...I think the Microsoft hatred is a disease." - Linus Torvalds
    1. Re:IE8 has the flaw but is immune... by UnknowingFool · · Score: 4, Informative

      If it has the flaw, then it's not immune but it's less vulnerable. If DEP is disabled (which may be required to get some apps to work), then IE8 can become exploited too.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:IE8 has the flaw but is immune... by KnownIssues · · Score: 4, Interesting

      Then why would Microsoft state that IE8 is vulnerable to this flaw? They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.

    3. Re:IE8 has the flaw but is immune... by Penguinisto · · Score: 4, Informative

      True, DEP is enabled by default on the Win 7 / IE8 combo. OTOH, neither will run (very well, anyway) a horde of old enterprise services and suites that still linger about the industry, compatibility modes be damned.

      There are fixes and workarounds, but they can get rather expensive (and usually involve an XP Mode server of sorts, or Terminal Services seat licenses, etc).

      Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:IE8 has the flaw but is immune... by should_be_linear · · Score: 4, Insightful

      Having a radio button somewhere that makes your OS vulnerable to a _KNOWN_ exploit is a really stupid idea.

      --
      839*929
    5. Re:IE8 has the flaw but is immune... by should_be_linear · · Score: 4, Insightful

      OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?

      --
      839*929
    6. Re:IE8 has the flaw but is immune... by Ralish · · Score: 5, Informative

      They are aiming for both backwards compatibility and security, but above all, they are aiming to put out a fix that isn't broke. I'm honestly not trying to be the Microsoft apologist here, but the complexity of putting out a patch for IE is a lot more complex than you might first think, even compared to other browsers. Here's why:

      Using Firefox as an example, when Mozilla finds a security flaw in Firefox, they simply release a new point release of all supported versions of Firefox (currently 3.0 and 3.5) that contains the fix, as well as all previous fixes, and usually several other security/stability fixes bundled into that particular point release. So, this means a release across two product versions, which can be expanded to releasing on the architectures supported for those particular versions as well as supported platforms. The source code change probably isn't architecture or platform specific (wrong?) so can thus be inserted into the correct maintenance trees in the source repository and the binaries/sources made available.

      Using Microsoft as an example, when Microsoft finds a security flaw in Internet Explorer, they need to patch every supported version of IE on every supported version of Windows down to specific IE patch level possibly also impacted by Windows patch level. For a security flaw like this that affects IE6 through IE8, that means patches for every version of Windows from 2000 to 7, for every architecture (x86, x86_64, ia64), for numerous patch levels. For example, in many versions of Windows two separate patch levels of IE might be simultaneously supported (e.g. IE6 SP1 on Windows 2000 and IE6 SP2(SP3?) on XP). Keep in mind that the binaries for the same exact patch level of IE on two different versions of Windows on the same architecture are highly unlikely to be the same (e.g. IE7 on XP will not be the same as IE7 on Vista, nor will the patch binaries be the same, and OS SP level may also make a difference). Versions of Internet Explorer on Windows CE/Mobile might also be impacted resulting in further patch complexity. Oh, and x64 versions of Windows (and ia64?) have both the 32-bit and 64-bit versions installed side-by-side, due to issues with plug-in compatibility (you can't load 32-bit code into a 64-bit application). So, you'll need to patch both versions on 64-bit platforms, and once again, the 32-bit binaries for 64-bit systems are unlikely to be identical to the 32-bit binaries for 32-bit systems. In summary, we are talking a huge number of binary patches that all need to be thoroughly tested, passed through regression suites, and so forth, because if even one of these patches breaks something, odds are, you'll have a lot of pissed off users.

      That being said, this is largely Microsoft's fault. By integrating the browser so closely to the OS, they've managed to create this complexity. A clean(er) separation of web browser from OS internals would, while not making things simple, surely reduce the current clusterfuck. Doing so would bring you much closer to the model that most (every?) other web browser uses, and should drastically reduce the amount of testing that would need to be done. For now, this isn't the case, and the present reality is that patching every version of IE since 2001 is a very messy business.

  2. Marketing must be pleased by webdog314 · · Score: 5, Funny

    Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

    Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

    1. Re:Marketing must be pleased by Anonymous Coward · · Score: 5, Insightful

      Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

      Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

      Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."

  3. Vista, Win7 - really? by TheNetAvenger · · Score: 5, Interesting

    Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.

    Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.

    So saying it is a 'problem' on Vista or Win7 is stretching the truth.

    1. Re:Vista, Win7 - really? by Sycraft-fu · · Score: 4, Interesting

      Also if you leave UAC on, it will be running as a normal user, not as an administrator. So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.

      By default, IE8 on 7 is pretty secure.

  4. Re:Not fixing it in IE6... by quantumplacet · · Score: 4, Insightful

    it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.

  5. Re:Not fixing it in IE6... by Bacon+Bits · · Score: 5, Insightful

    How is this a troll? What he said is true.

    Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.

    --
    The road to tyranny has always been paved with claims of necessity.
  6. Re:Faulty Products. A comparison. by plague3106 · · Score: 5, Informative

    Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Ford's one SUV model.

    As usual, another analogy on /. fails...

  7. Re:Channeling BadAnalogyGuy by MrMr · · Score: 4, Informative

    Your comment is outrageous. The submission consists of a factual statement and some literal quotes from Microsoft.
    If this is FUD about explorer it is Microsoft FUD about explorer and not the submitter's.

  8. The right time to upgrade by Random+BedHead+Ed · · Score: 4, Informative

    The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?

    I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they apologize?

    (Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)

  9. When will we change programming practices? by haruchai · · Score: 4, Insightful

    It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
    Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
    Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly, the old "we've always done things this way and it would be too expensive to change" is real crap.
    What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?

    Isn't it past time that things changed?

    --
    Pain is merely failure leaving the body
  10. Re:Not fixing it in IE6... by TheRaven64 · · Score: 4, Insightful

    (due to hordes of crap .NET programmers*)

    You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.

    --
    I am TheRaven on Soylent News
  11. Re:Not fixing it in IE6... by maotx · · Score: 4, Informative

    We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.

    The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  12. IE5 rules supreme by edxwelch · · Score: 4, Informative

    Actually, IE5 is the only version not affected. You should be downgrading not upgrading.

    http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/

    "But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."

  13. Re:Not fixing it in IE6... by riegel · · Score: 5, Insightful

    Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.

    Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.

    --
    http://p8ste.com - Web based Clipboard
  14. MOD PARENT DOWN (INFORMATIVE?) by BasharTeg · · Score: 4, Insightful

    If you had any idea what OP was talking about, you'd realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.

    Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
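
Several comments above turn on whether DEP is actually on for the browser process (the "enabled by default in IE8" claim, the reply that DEP may be disabled for compatibility, and the DEP explanation just above). The following is an added example, not part of any comment or of Microsoft's advisory: a PowerShell check that asks Windows for the DEP state of each running `iexplore` process through the kernel32 function `GetProcessDEPPolicy`. The names `Win32.DepQuery` and `Get-ProcessDepState` are chosen here for illustration.

```powershell
# Added example: report per-process DEP state for running browser processes.
# Win32.DepQuery and Get-ProcessDepState are hypothetical names chosen for this example.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
$dep = Add-Type -MemberDefinition $signature -Name DepQuery -Namespace Win32 -PassThru

function Get-ProcessDepState {
    param([string]$Name = 'iexplore')

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags     = [uint32]0
        $permanent = $false
        $state     = 'Unknown'
        try {
            # .Handle opens the process; it throws when we are not allowed to query it.
            $ok = $dep::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)
            if ($ok) {
                # PROCESS_DEP_ENABLE is bit 0x1 of the returned flags.
                $state = if ($flags -band 1) { 'Enabled' } else { 'Disabled' }
            } else {
                # The API does not support 64-bit processes; report the failure as-is.
                $state = 'QueryFailed'
            }
        } catch {
            $state = 'HandleUnavailable'
        }
        [pscustomobject]@{
            Id        = $proc.Id
            Name      = $proc.ProcessName
            Dep       = $state
            # Permanent means the setting cannot be changed for the life of the process.
            Permanent = $permanent
        }
    }
}

Get-ProcessDepState -Name iexplore | Format-Table -AutoSize
```

A row showing `Disabled` marks a process for which the "if DEP is disabled" caveat raised earlier in the thread applies.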

  15. Re:Not fixing it in IE6... by BlackBloq · · Score: 4, Interesting

    That's simple B.S. Every person I deal with in supporting their machine I get rid of every shortcut to IE and tell them that they have a new browser. They all love Firefox and Opera. I use Firefox (with noscript) to fix computers with a lot of kids. This is good because some kids click everything they can find online! For slow systems I install Opera. It uses the least system resources and starts the fastest. This makes the user very happy cuz all they want is for their machine to function as advertised. So they don't really love the browser, they couldn't give two shits, they just know if it works on facebook, or takes forever loading up a 'heavy' page.