Slashdot Mirror


IE 6 & 7 Unpatched Exploit Goes Wild

Kolargol00 writes "Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework."

4 of 149 comments

  1. Re:tough titty says the kitty by Opportunist · Score: 3, Informative

    Most companies still using IE6 or 7 cannot.

    Usually you're facing a scenario akin to this: Some external company created a mission-critical web application. Of course a web app had to be it, because it saves you a lot of dough because you don't need to create a frontend, it's already there! You also don't need to roll out anything, it's already part of the system!

    Since MS cares really much (/sarcasm) about standards, you had the choice: Doing it for IE, or for the rest. Since IE is part of every Windows installation, and you didn't want to roll out a frontend in the first place (remember, paradigms are to stick to, even if they become a problem, else your boss might ask "why did you want that in the first place?"), you will create that frontend for IE. IE 6 or IE 7, to be exact, because they, too, are only kinda-sorta compatible with each other.

    Fast forward to the present. The company that made your mission critical application already overstepped its allotted budget by about twice its size and is still busy fixing the odd bugs... provided the company still exists, that is.

    Are you the one going to your boss telling him that they should stop fixing bugs now and migrate the behemoth to IE8? He will ask for the reason. You tell him about the security problems. He will laugh at you and call you a scaredy-cat.

    That was the moment I quit my well-paid CISO position. It became too much of an ejector seat to be comfortable anymore.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Re:Internet Explorer and News for Nerds by davester666 · Score: 2, Informative

    And I missed including the obvious extension to this, namely, you would be transitioning your company off Windows software, which is the most attacked software in the world.

    Other OS's may be equally or more vulnerable, but no other is more exploited than Windows.

    --
    Sleep your way to a whiter smile...date a dentist!
  3. Re:I'm safe. by Urigeller23 · Score: 2, Informative
  4. Re:Serves the noobs right by ircmaxell · Score: 2, Informative

    Actually, that's exactly what I do here. When our QC team needs to test websites on IE6 (because some of our clients still use it and they pay the bills), they simply RDC into a server that we keep live solely for IE6. It has nothing else on it, and has networking locked down to only allow traffic to our local subnet (and hence only our applications). Anyone who needs to test is simply granted RDC rights, and they can do it. And considering the server is a VM, it was basically free (we already had the terminal server and Windows licenses)...

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good