Slashdot Mirror


IE Flaw Exploit In Hacker Kit 'Raises the Stakes'

CWmike writes "Roger Thompson, chief research officer of AVG Technologies, said Sunday that an exploit for the newest IE flaw had been added to the Eleonore crimeware attack kit. 'This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,' Thompson said on his company's blog. Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then."

14 of 96 comments

  1. Bug is really for Windows XP by Anonymous Coward · · Score: 2, Informative

    This bug is really only a serious problem for Windows XP users. (Yes, I know there are still a lot of them - however there are also a lot of Windows 7 users now and some Vista users). For Vista and Windows 7, since IE runs not just as a standard user, but also with Protected Mode (less than standard user rights and cannot write to the file system or registry outside of some very restricted locations), it isn't really an issue. Hence the lower priority on the patch.

    1. Re:Bug is really for Windows XP by NetNed · · Score: 5, Informative

      Ah no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

    2. Re:Bug is really for Windows XP by MightyMartian · · Score: 2, Insightful

      I don't see the problem here, providing permissions on registry keys are set up appropriately. At the end of the day, browsers like Firefox and Chrome can modify files in the filesystem.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Bug is really for Windows XP by benjamindees · · Score: 4, Funny

      And it's even possible for a browser to alter the registry exactly why???

      Broken Windows create jobs.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    4. Re:Bug is really for Windows XP by NetNed · · Score: 3, Informative

      No, DEP is both hardware based and software based.

      Microsoft has software based DEP listed as: "An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor."

      You can read all about it here

    5. Re:Bug is really for Windows XP by CoderJoe · · Score: 4, Insightful

      "And it's even possible for a browser to alter the registry exactly why???"

      Because it is a program, just like any other, and needs to be able to store its own settings somewhere. For many Windows programs, this somewhere is the registry.

      (who modded this insightful?)

    6. Re:Bug is really for Windows XP by CarpetShark · · Score: 3, Funny

      "Broken Windows create jobs."

      I'm a window cleaner, you insensitive clod.

    7. Re:Bug is really for Windows XP by hweimer · · Score: 2, Insightful

      "Ah no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible."

      DEP has been broken by return-oriented programming. The fact that most exploits don't use it just means that they catch enough victims simply by using the old techniques.

      --
      OS Reviews: Free and Open Source Software
    8. Re:Bug is really for Windows XP by Anonymous Coward · · Score: 4, Informative

      "No, DEP is both hardware based and software based."

      Nope, DEP is hardware only. What Microsoft calls "software DEP" is nothing more than SafeSEH, which is a totally unrelated and considerably less useful security measure.

    9. Re:Bug is really for Windows XP by dimeglio · · Score: 2, Insightful

      I believe the registry keys we're having an issue with are those, for example, which control application startup enabling malware to install, and not the browser's settings.

      --
      Views expressed do not necessarily reflect those of the author.
    10. Re:Bug is really for Windows XP by hairyfeet · · Score: 2, Interesting

      For those on XP there is an easy way that will probably work to stop this cold. I say probably because I haven't had the time to look for an attack site and play with the code. But on XP you can use the Free Comodo Internet Security or Comodo Av (both free) and under "Defense +" settings choose to run IE always in the sandbox. This will keep IE from doing any real registry or file writing, instead dumping any writes to a virtual registry and file system that is locked off from the OS.

      While I agree it is MUCH better to have DEP and ASLR, there are still tons of quite good machines out there that simply don't support those features and are still running XP. For those machines I use Comodo Internet Security and so far I have yet to have a customer or family member running it come back pwned. Of course I try my damnedest to get them off of IE and onto FF, as we can see with TFA IE is still too big a target.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:Bug is really for Windows XP by RaymondKurzweil · · Score: 2, Funny

      Fuck you... this is an issue of a fundamental freedom. An application as powerful and useful as a browser should have the right to alter any setting in the registry it wants!!

  2. ie sucks by Anonymous Coward · · Score: 2, Funny

    IE is such a poor piece of technology. Before I enter a serious relationship, in addition to a background check, I also investigate the browser my potential significant other is using. If it's IE, I don't even bother since I don't date dummies.

  3. Because you are an administrator by Sycraft-fu · · Score: 4, Informative

    If you are an administrator of a system that by definition means you can do everything, including modify the registry. If you cannot understand this concept, then you need to learn more about how privilege levels in computers work and come back. There is no power without responsibility. The power to do something is the power to fuck something up.

    Now as this applies to this specifically, most people who use Windows XP run as an administrator. They don't have to; you can run as a deprivileged user, and indeed we make people here do that at work, but users do not choose to because it is a pain to do. That means any program they spawn runs with permissions to do anything, since that is the whole idea of an administrator. There is nothing special about a web browser; it is just a process. It can write to the registry, drive, or anything else. The OS doesn't put random restrictions on programs.

    In Vista and 7, things are a little different. By default, even users flagged as administrators aren't actually running at an administrator privilege level. They run as regular users and have to elevate when they need to. This means that programs they launch without elevation cannot do things such as write to the registry, as that is not something a normal user (and thus their programs) have. Also, an additional layer of security was introduced called Mandatory Integrity Control. This allows for programs to be launched with even less privilege than a normal user has. This has to be configured per application, and the only thing I know that uses it is Internet Explorer. It restricts access much further, including denying read access to a great deal of what a user can read.

    This is all the same deal as with UNIX. Though Windows permissions are different (Windows has far more granular security), it is the same basic thing. If you run a program as root in UNIX it can do everything, including mess with config files not belonging to it and so on. That is the point of root: To have access to everything. You can't grant that access to the user but somehow deny it to the user's processes; that goes against the whole idea.

    The fundamental problem is that people using XP and older run their systems as administrators, because it is easy to do. The first user you make is an administrator (the system must have one) and it doesn't make you make another. That means that all apps have all access.
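
Added example (not part of any comment above, and not code from Microsoft or the posters): a read-only PowerShell check of the three things the thread argues about for the current session, namely whether the process holds an administrator token, which Mandatory Integrity Control level it runs at, and the system-wide DEP policy. It assumes Windows Vista or later with PowerShell 3.0+ and the built-in `whoami.exe`; the variable names and output property names are illustrative.

```powershell
# Added example: audit privilege level, integrity level and DEP policy.
# Makes no changes to the system.

# 1. Does this process hold a full (elevated) administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Mandatory Integrity Control label on the token (well-known S-1-16-* SIDs).
$levels = @{
    'S-1-16-0'     = 'Untrusted'
    'S-1-16-4096'  = 'Low (e.g. IE Protected Mode)'
    'S-1-16-8192'  = 'Medium (standard user)'
    'S-1-16-8448'  = 'Medium Plus'
    'S-1-16-12288' = 'High (elevated administrator)'
    'S-1-16-16384' = 'System'
}
$labelSid = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes |
    Where-Object { $_.Sid -like 'S-1-16-*' } |
    Select-Object -First 1 -ExpandProperty Sid
$integrity = if ($labelSid -and $levels.ContainsKey($labelSid)) {
    $levels[$labelSid]
} else {
    "Unknown ($labelSid)"
}

# 3. System-wide DEP policy as reported by WMI.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$depPolicy   = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# Summary object; flag the combination the thread describes as risky:
# a browser-launching session that is elevated, or DEP switched off.
[pscustomobject]@{
    User              = $identity.Name
    Elevated          = $elevated
    IntegrityLevel    = $integrity
    DepAvailable      = $os.DataExecutionPrevention_Available
    DepPolicy         = $depPolicy
    Dep32BitApps      = $os.DataExecutionPrevention_32BitApplications
    NeedsAttention    = ($elevated -or $depPolicy -eq 'AlwaysOff')
}
```

Under the `OptIn` policy only Windows system components and programs that opt in are covered by DEP, so a browser that does not opt in is not protected even though DEP is reported as available.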