IE 6 & 7 Unpatched Exploit Goes Wild

Kolargol00 writes "Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework."

...and?

[snugge]

there will always be unpatched exploits for OLD and OBSOLETE software.

Before anyone nags about Metasploit...

[Securityemo]

When non-security geeks nag about metasploit lowering the threshold for malicious behavior, it's like watching someone complain about gun laws in a warlord-ruled third world hellhole. It doesn't matter, and you're being silly. Besides, metasploit is geared a lot more towards rapid exploit prototyping, and is clearly designed with this in mind; only the already skilled can use it in this manner because you already need to be able to do it "manually" to take advantage of the framework. Hell, it's even harder to use the (ruby) framework than to code perl exploits; but you can do it faster and the shellcode part of the framework allows you to make complicated shellcode in a reliable fashion. It's not like one of those make-your-own-malware kits.

Re:Internet Explorer and News for Nerds

[dave562]

It's great to know not to use IE if you're supporting yourself and your parents. It's a completely different world when you're supporting an entire organization.

Re:Internet Explorer and News for Nerds

[Akido37]

It's great to know not to use IE if you're supporting yourself and your parents. It's a completely different world when you're supporting an entire organization.

In that case, it's not like you can do anything about it anyways. If you had the power to change that, hopefully you would have done it by now.

Who are the asshats?

[SmallFurryCreature]

Why can opensource developers fix issues so quickly when a billion dollar company can't? Why is this code that the developers were paid very good salaries to develop, on which the company made billion of dollars of profit, so insecure that it keeps turning up vulnerability after vulnerability?

Maybe when you car door keeps popping open and therefor people steel your car, it is time to stop blaming the thiefs and start to talk to the car maker.

IE is a joke, so punch the clowns that made it.

Re:I wish it could be used for good

[Opportunist]

Since I have been that "stubborn IT department" for a sizable share of my life, mind if I defend myself? It's not the IT guys that refuse to upgrade most of the time.

Unless you're a tiny company with 20 employees, upgrading to another browser is not a trivial task. And I'm not even talking about installing the new version. That actually IS trivial. Any sensible company of halfway decent size already has automatic overnight rollouts in place. If they don't, well, tell me the name and I know what shares to sell quickly.

The problem is not a technical one. It's a compatibility nightmare. You might know that IE6, IE7 and IE8 are not really 100% compatible to each other. Sure, the differences are subtle and often consist of "one more click here", but I'm sure you also know the average company user: The moment his computer does not work EXACTLY as he is used to, it is "broken" and he will refuse to do anything anymore before IT comes down and "fixes" it. And no, sending out instructions how to work around the problem 'til the fix can be applied do not work. Never have, never will.

It's not IT that stalls. Actually, it's mostly a battle between CTO and CISO. The CTO fears incompatibilities, the CISO security breaches. It's easy if the company decided to roll them into one position (because, frankly, a CISO... what does that guy do except look scared all day?). Then you just find one person hanging on a rope somewhere in a basement instead of two guys in suits duking it out in the server room.

Re:Serves the noobs right

[Khyber]

"but there's not a lot we can do about it."

Bullshit - ditch the slacking fuckwits and build it yourself in-house.

Re:Serves the noobs right

[Khyber]

And before you point out "To change off it would cost hundreds of thousands of dollars." just bear in mind all it takes is me doing one right thing and that hundreds of thousands of dollars in fixing your shit just got turned into multi-million dollar losses because you refused to ditch the slacking bastards and get your own shit sorted out.

Re:tough titty says the kitty

[Low+Ranked+Craig]

True, except it is perfectly possible to create something that works in both IE6 and IE 7/8 and Firefox and Safari. Coding for IE6 only, even back in 2003 or 2004 is just plain lazy and bad practice, period, end of story. If you know what you're doing, (and a professional web app developer should, don't you think?) making a web app, even one with a lot of CSS and JavaScript work on IE6 and Firefox, etc, just ain't that hard. I've been doing it for years.

Just do your fucking job for once

[SmallFurryCreature]

We are talking IE6 here, it is a decade old by now. Do you still use 10 year old PC's? Do you use 10 year old cars?

Oh, you yourself might not be the problem, the real issue is IT management who keeps trying to cut costs by going for the lowest support contract and guess what costs the least to support? NO.

That is it, the word NO is simplest.

"Can I get an open port to SSH to our external servers?" "NO" Time spend: 0.5 seconds.

"Can I install software X that I do actually need?" "NO" Time spend: 0.5 seconds.

"Can I get a license for virtual window machines so I can test software in a safe environment?" "NO" Time spend: 0.5 seconds.

"Can we upgrade our software at least with in say half a decade of release so we are not completely behind the times?" "NO" Time spend: 0.5 seconds.

The problem is very simple, it is a constant cost factor to keep up-to-date. New versions are released so often after all, nearly every 2-3 years. Who can keep up? And it is oh so tempting to skip an upgrade. Why do all the compatibility testing during the beta and release candidates of a new product when you can let everyone else test it for you? Because sherlock, that doesn't test it for you. And that is the testing you need. So you save some money now, but are building up the future migration costs, till those costs become so high that you can no longer afford them no matter what.

It is all about budgets and promotions, you get promoted for keeping you budget low this year, and by then it is the next guys problem if he inherits the hidden costs.

And all because people have become more interested in management then actually doing their job. Because those incompatibilities between IE versions? Those are your fucking JOB. That is why you are paid system monkey, to sort these things out. What next? A car mechanic explaining why he hasn't replaced the brakes on a vehicle that crashed because it was such a hassle and they were covered in dirt and he just didn't want to get his hands dirty? That is exactly what you are saying. Oh my job is so hard, I can't be blamed for not doing it.

Sadly, big companies seem to attract your kind, who is more interested in their performance rating then actually just doing their fucking job. If I let my servers get so out of date they are hacked, well my customers kick me very very hard. I make sure to keep up with the alpha and beta's so that I know the issues with a new release, know the developers know them and can fix them and then am ready to implement them, so that at least then when a problem hits, I don't first have to upgrade several releases in order to not find every issue with a "solved in version X". And you know what, by staying on the edge, you often beat the bad guys. They after all are aiming for the largest mass, and the largest mass is guys like you who can straight faced give an excuse for running a decade old browser.

Really, how can you standup and claim your earned your keep when you still haven't managed to retire IE6. Do you still have a punch card reader for that essential piece of accounting software? Still use floppies because you might need one? Have word perfect installed for an old word file? No? You upgrade stuff like that? Then why does the browser, a piece of software that by its nature faces the whole nasty outside world, not get updated?

Yeah yeah, legacy system needs it. No it doesn't because such systems should be upgraded as times change. You aren't still running windows NT 3.5 are you?

Frankly, I see this problem far to often. You get asked to work on a problem and then find the software is several releases out of date and then have to find a way to bill a client for essentially doing what their own admins should have done. Admins are to afraid of having to say to their boss "why yes sir, the system is running perfectly but I still need resources to make sure it keeps doing that in the future" and developers are more interested in chasing glory then keep their past projects maintained.

Re:Just do your fucking job for once

[Otto]

We are talking IE6 here, it is a decade old by now. Do you still use 10 year old PC's? Do you use 10 year old cars?

Firstly, many, many people use 10 year old cars. Not as many use 10 year old computers, I grant you, but cars can last for 30-40 years or more.

Secondly, IE6 is only a tad over 8 years old. It came out in the latter half of 2001.

Really, how can you standup and claim your earned your keep when you still haven't managed to retire IE6. Do you still have a punch card reader for that essential piece of accounting software? Still use floppies because you might need one? Have word perfect installed for an old word file?

I've worked for very large companies before. And yes, punch card readers are still used in some industries. And yes, floppies are still used. And yes, Word Perfect is still used.

Big corporations don't work the way you think they do. Most of them make money by, oddly enough, not paying for things. If that 10 year old computer running 10 year old software does the job, then they will let it sit there and keep doing its job until it *needs* to be upgraded.

You don't upgrade simply because there is an available upgrade. Upgrades cost money, and every dime you spend has to produce results in some fashion. Spending money in order to "not make any more money" is generally money that you should not have spent.

That said, upgrades do make sense, but only as part of larger strategies. You don't upgrade simply because you can. That way lies never-ending maintenance costs.

Admins are to afraid of having to say to their boss "why yes sir, the system is running perfectly but I still need resources to make sure it keeps doing that in the future"

True, but that's mainly because this is a lie and we both know it.

Once you have the system working, it will work that way until the hardware fails. You don't need to continually upgrade it to make it continue to work.

You only need to continually upgrade a system that is continually doing new things. A developer's box needs upgrades. The corporate user's box who does research using the web needs upgrades. The servers? Generally they don't need anything more than security fixes. They get upgraded when they get replaced or when the upgrade can be worked into a larger project. Upgrading solely for the sake of upgrading makes no sense.

Re:Just do your fucking job for once

[Opportunist]

Excuse me? Did something crawl up your rear and die there or why the hostility?

Here's your environment. It's not made up, it's real. I can vouch for that, I was the CISO for that environment for about a year.

You have: A mission critical web application, written for IE6. Not only for you but also for 8 sister companies that have equal share in pay (and say) where this application goes. A staff of 200 people (in your company, not counting the sisters) used to this application, each and every one of them having limited to no computer knowledge out of what they have been rote-trained to. A boss whose primary concern is to keep things running who does not believe you when you "scare" him with security threats (i.e. when you're doing your job). On the up side, you have near limitless funds at your disposal, but they have to pass boss-approval.

What do you do? Suggest an immediate upgrade to IE8? No-go. It breaks the mission critical application. Suggest bringing the app up to speed? Takes time. First to assemble the CISOs and CTOs of the other sister companies, then piss away a few meetings and lots of time trying to figure out who pays for the shit (remember, you have limitless funds but still have to pay less than the others. It's a prestige thing that you shift the cost onto the sisters). But hey, you get to spend lots of time traveling and living on company expense! So you can imagine that some of the CISOs/CTOs you're dealing with are not too keen on ending this any time soon, even if you are. You can NOT push forwards alone, because the app has to be compatible across companies (they basically use the same database backend and any minor inconsistency results in a disaster, effectively shutting your operation down, making the evening news and ensuring you won't work in any position anymore that doesn't end in "want fries with that?").

Btw, telling anyone that the security hole is a problem gets met with laughter.

Welcome to the world of CISOs. The comic foil in the C?O world.

Re:Quick Reaction Times

[mcgrew]

I'm not knocking MS

When they know about an exploit and don't patch it until some black hat uses it, they deserve to be knocked, as does any other software company that acts like that (say, Adobe).

Re:Pick up the rope, stay with the tour

Butthurt much? Your write-up probably just sucked.