Slashdot Mirror


Microsoft To Ship Emergency IE Patch

Grotendo writes "Microsoft plans to release an emergency patch for Internet Explorer very soon to counter targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser. The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend." Microsoft has downplayed the seriousness of the IE zero-day, and insisted that it affects only IE6 even as security researchers close in on exploits for IE7 and IE8. Microsoft has had no comment about the firestorm that Google unleashed by directly accusing the Chinese of cyber espionage. ShadowServer has up a sobering post on the massive extent of the problem of "groups that can be referred to as the Advanced Persistent Threat."

30 of 187 comments

  1. Enough is enough! by LostCluster · · Score: 5, Informative

    I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

    1. Re:Enough is enough! by MrEricSir · · Score: 5, Funny

      Why not just exploit their browser's security flaws and wipe their hard drive?

      That way they learn their lesson about safe browsing the old fashioned way.

      --
      There's no -1 for "I don't get it."
    2. Re:Enough is enough! by H0p313ss · · Score: 4, Funny

      Pro

      • Amusing
      • Might solve problem

      Cons

      • Illegal
      • Immoral

      Counter proposal: have you tried carpet bombing a small third world country today?

      --
      XML is known as a key material required to create SMD: Software of Mass Destruction
    3. Re:Enough is enough! by Archangel Michael · · Score: 2, Interesting

      I'm running similar code on my site, and yet many of the "visitors" are still using IE6. I suspect most of those are bots, because of the traffic pattern looking for Registration and Forum pieces.

      It is sad when you can spot a bot by the UserAgent.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Enough is enough! by dgatwood · · Score: 3, Informative

      No. Chrome frame is only active if a page specifically codes for it. Otherwise, it does nothing. An attack page would not typically include code for a workaround.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Enough is enough! by NatasRevol · · Score: 3, Funny

      Just drop carpets!

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Enough is enough! by GF678 · · Score: 2, Informative

      I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

      I'm sure corporate users who have IE6 forced upon them will appreciate it if they try to view your site.

      I'm sure your response would be "well they can bring it up with their IT department and use it as a way to persuade the upgrade". Doesn't work like that in the real world, particularly if old IE6-only compatible web apps are still in use.

    7. Re:Enough is enough! by PopeRatzo · · Score: 2, Funny

      Oh, an Opera website says it's widely used in the former Yugoslavia!

      Tell you what: Find some market share data not on an Opera website and we can talk.

      What's really funny is, if you click on the first link in the story on the Opera website, do you know what it links to? (wait for it...)

      That's right, the first link in the Opera article about how they have more users than Chrome links to the market share data that I cited above, which shows Chrome at more than twice Opera's market share.

      In fact, the story that the Opera story links to breaks out the market share for Opera Mini (0.53%), which, if you add it to the market share for Opera (2.43%) still comes to considerably less than Chrome's 4.63%. And those are December numbers. If you look at more recent numbers (see the link in my comment above) Chrome's lead is bigger.

      Maybe it's possible to have more users and still less market share, but it's more probable that Opera is being a little bit, um, exuberant in their analysis of the statistics. It wouldn't be the first time that a company painted an extra-rosy picture of the facts.

      --
      You are welcome on my lawn.
    8. Re:Enough is enough! by Runaway1956 · · Score: 2, Informative

      "If it ain't broke don't fix it"

      Correct. And, it's time to make the decision makers understand that it's broken. If it isn't broken enough to convince them, then LET'S BREAK IT MORE!!

      Most of the rest of what I read here today is just so much whining and sniveling, from one side or the other.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  2. Quoth the TFA by McBeer · · Score: 2, Informative

    targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser

    IE 6 hasn't been Microsoft's flagship browser for 4 years.

    --
    Hikery.net - The best hiking site ever. Made by yours truly.
    1. Re:Quoth the TFA by poetmatt · · Score: 2, Informative

      It does, however, share the same vuln with IE7 and IE8. So maybe it's more appropriate as "Microsoft's web browser" (irrespective of version) is at fault.

    2. Re:Quoth the TFA by igadget78 · · Score: 2, Insightful

      Yep, and it's almost wrong to be asking Microsoft to patch something as old as IE6 or XP at this point. Maybe OS licenses should say "You may use this program for 5 years." instead of perpetually because you're a danger to other people's systems when you don't update to modern software.

      Maybe not, but when you work at a hospital in the IT department and your patient critical applications are still relying on IE6 because the vendor who wrote it sucks and can't figure out how to make it work with an updated browser, you appreciate that Microsoft, however insistent they are on dropping that old clunker of an app, is at least trying to resolve it.

    3. Re:Quoth the TFA by IshmaelDS · · Score: 2, Informative

      True, IE 6 hasn't, but if you read the Microsoft bulletin it also says that IE 7 and 8 share the vulnerability. http://www.microsoft.com/technet/security/advisory/979352.mspx "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable."

      --
      letting an idiot know they are an idiot is not a game... it's a responsibility. - by Kristopeit, M. D. (1892582)
    4. Re:Quoth the TFA by thetoadwarrior · · Score: 2, Informative

      Because some companies have contracts with MS that have them on Win2k until (if I recall correctly) the extended support is over, which is this summer, so MS can't really tell IE6 users to fuck off completely.

      I'm sure they could get out of the contract at an unnecessary cost. MS made this mess and unfortunately we're stuck with it for awhile longer. Hopefully once the extended support is over then companies will start dumping their old stuff and upgrading.

      In my opinion this shouldn't matter to most sites because they're not meant for business customers. It doesn't matter if Youtube, for instance, works on IE6 as far as I'm concerned. Anyone on IE6 for their home PC should be excluded until they get a real browser.

  3. Countering attacks? by jhol13 · · Score: 3, Interesting

    Microsoft is not "countering the targeted attacks".

    Unless of course the German and French CERT teams' recommendation to ditch IE is considered one.

  4. I have the patch details: by rehtonAesoohC · · Score: 4, Funny

    It uninstalls all versions of Internet Explorer and installs Firefox with Adblock pre-installed.

    Bravo Microsoft!

    1. Re:I have the patch details: by Monkeedude1212 · · Score: 2, Funny

      It also sets the DNS to itself and caches anything you might have had saved in your browser history.

      That way, you still seemingly visit the same sites you always do, just they never get updated, and you are completely secure from everything on the net!

  5. IE is only good at one thing... by jameskojiro · · Score: 2, Insightful

    And that is running Windows Update and it isn't that good at doing that....

    --
    Tsukasa: All I really want, is to be left alone...
    1. Re:IE is only good at one thing... by meheler · · Score: 4, Interesting

      The sound of Windows update running is drilled into my mind forever.. Click.. click click click.. click. click.. click click click click click.
      My mind constantly asking "what the.. i haven't clicked a damned thing"

    2. Re:IE is only good at one thing... by Quantumstate · · Score: 2, Insightful

      All I know is that three certain windows updates have been drilled into my Vista boot process for ever. Did someone really intentionally program an update process so that if it failed it would just try again?

    3. Re:IE is only good at one thing... by QuantumRiff · · Score: 2, Informative

      Shh, don't tell anyone...

      >wuauclt /detectnow

      Forces the update.exe agent to check.

      --

      What are we going to do tonight Brain?
    4. Re:IE is only good at one thing... by jameskojiro · · Score: 2, Interesting

      How many people on Slashdot still run XP to avoid the bloat of Vista/7?

      Quite a few I would imagine....

      --
      Tsukasa: All I really want, is to be left alone...
    5. Re:IE is only good at one thing... by hairyfeet · · Score: 2, Insightful

      And you, dear nightspirit, didn't read TFA did you? Here, let me highlight a relevant passage for you..."While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."

      TL:DR? IE8 is totally pwned as well. They just haven't released the script into the wild yet. When they do any script kiddie can pwn ANY MSFT browser, from 6 on up, DEP or not. So I really wouldn't be recommending IE to...well anyone at this point.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:IE is only good at one thing... by uassholes · · Score: 2, Insightful

      How is requiring faster hardware an improvement?

  6. Contribute to the death of IE 6 on your site... by MikeRT · · Score: 2, Informative

    Make it painfully clear to IE6 users what they're doing.

    My version, which is more educational for them.

  7. The IE Patch by Bigbutt · · Score: 4, Funny

    Do you find yourself mysteriously waking up in a back alley more than once a week?

    Do you find empty HTML pages littering your desktop and you have no idea where they came from?

    Do you discover new directories on your computer?

    Get the IE Patch!

    It comes in 4 strengths so you can be gradually weaned from the habit.

    Week 1. IE 6 Patch. Internet cravings are pretty intense the first week so the IE 6 Patch is there to help you learn how to just say "NO".

    Week 2. IE 7 Patch. It's easier to avoid launching IE. You still need to check Amazon or e-Bay from time to time but the edge has been honed down a bit.

    Week 3. IE 8 Patch. You find it a lot easier to avoid clicking on the 'e' although you still lapse when you aren't thinking.

    Week 4. Firefox. You've mastered the addiction. You're free to browse the Internet worry free. Even looking at the 'e' makes you nauseous.

    Congratulations on taking the first step to breaking the IE addiction.

    [John]

    --
    Shit better not happen!
  8. Re:'flagship webbrowser' by spuke4000 · · Score: 2, Informative
    --
    This post cannot be rebroadcast without the express written consent of Major League Baseball.
  9. "Emergency" reaction by burkmat · · Score: 2, Informative

    Wow, so that's... 4 days after full disclosure that they announce their response.

    "Could be here as soon as this weekend", which is still more than a week from the exploit being published. That's swell.
    Anyone else grateful MSFT doesn't run the fire department?

  10. So that's what it takes to get a patch out, MS? by Hurricane78 · · Score: 3, Funny

    At least two governments officially stating to avoid IE, others in fear, every single web developer in the country hating you, Google getting hacked, and every security expert on the planet laughing at you?

    Wow. Just wow.

    May I extrapolate from that, what it would take, to get a real Bugzilla for IE and make it follow recent standards?
    My guess: Inter-dimensional time war with Lovecraft’s the old ones, led by Cthulhu, fighting the Shrike and its army, armed with gamma ray bursts and black holes, using giant stars as ammunition.

    On the other hand: That would be awesome!

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  11. I like these "Your browser is out of date" sites by L4t3r4lu5 · · Score: 2, Interesting

    They look totally different to the popup-style messages on compromised websites saying "Your Anti Virus is out of date! Download our version!" or "You have been infected by Win32.BullRubbish.exe.foobar! Upgrade to New Anticrap UberVirusWare 2011!"

    You're training them to download stuff from the web, from sites they don't regularly visit / don't trust, because a popup told them to.

    Well done.

    --
    Finally had enough. Come see us over at https://soylentnews.org/