New IE Zero-Day Being Exploited In the Wild

wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems."

I/E 9 at risk

[minstrelmike]

I'm shocked. Shocked I tell you.

Re:I/E 9 at risk

I'm shocked. Shocked I tell you.

Clearly we should stop supporting all browsers before IE12 and Firefox 39725.1

Re:I/E 9 at risk

A more beautiful web... one exploit after another.

Re:I/E 9 at risk

[localman57]

Also, I think they should modify all future browsers to use extra caution when opening a file called "exploit.html" . In retrospect, it seems so obvious...

Re:I/E 9 at risk

[DarkOx]

I know you were going for funny but, well "I am shocked."

Microsoft has taken IE security pretty seriously and has established a pretty darn good track record with IE7->9 so far, at least on ASLR enabled platforms. I am surprised to see a reliable exploit that can be implemented as a drive-by on otherwise current platforms. This going to be a big deal and likely force an off cycle patch.

Re:I/E 9 at risk

[multiben]

Lol :D Yes, they may as well have called it "fuck-u-up.html"

Re:I/E 9 at risk

[Delarth799]

Firefox 39725.1 was released two weeks ago man! Get with the times, currently we are using Firefox 82349.9 with Firefox 10^2 coming out in another month.

Re:I/E 9 at risk

[JustOK]

FF 10^100 = google chrome

Re:I/E 9 at risk

[girlintraining]

I'm shocked. Shocked I tell you.

Almost every major browser in use has had a vulnerability. Those that haven't are vulnerable because of commonly-used plugins. It's not just IE9, it's browsers in general... it's the repeated and systemic perversion and added complexity of trying to turn the web into the end-all and be-all of the internet. When it was created, the uses for it were not as complicated as they are now.

It's the complexity of the web that is its vulnerability -- I honestly don't think there's a way to write a truly-secure web browser because everything from the protocols up have been shoehorned into things they were never designed to do. The entire thing needs to be jettisoned -- html, css, xml, http, ssl, everything. We need to start over from scratch, and build a new set of protocols and specifications, not just continually band-aid over existing ones. And this time, security needs to be a design consideration from the start, not evolved in.

Anyone with an understanding of information systems' security will tell you -- security needs to be built in from the start or it doesn't matter how much effort you put in later, you're going to be chasing down problems forever. Start with a secure and vetted design and it's a lot more likely to perform. Of course, real security would mean that governments, corporations, and other interested parties wouldn't be able to snoop on what you're doing -- anything sent in the clear can be screwed with. Oh... and it wouldn't be as convenient as it is today; You'd have to think about what you were doing, instead of blithering about and when you get "hacked" blaming everyone but yourself.

Real security would mean no more excuses... from anyone. That's why you won't exactly be seeing a parade down main street anytime soon congratulating people on making computers more secure; Responsibility? Not on MY internet!

Re:I/E 9 at risk

The entire thing needs to be jettisoned? Start over from scratch? The odds of that happening to the web are about the same as the odds of that happening with the government. It sounds good, but it's far from practical.

Re:I/E 9 at risk

[amicusNYCL]

We should take a page from the book of the mod_security team and add "exploit.html" to our list of URL filters. Make sure your AV software is also set to block "virus.exe" from running.

The mod_security reference is about the fact that they block files called "shell.php" from running, as if blocking specific filenames equals security. We had a hard time figuring out why the servers were refusing to acknowledge the existence of the PHP scripts that were launching our courseware shells.

Re:I/E 9 at risk

No, they haven't. And no, they don't.

Unless you're comparing them to their prior efforts instead of to their competitors.

Re:I/E 9 at risk

IE 9 has aslr, sandboxing, drp, plis a phishing list protection. You can hate on their html 5 support but only Chrome comes close.

IE 9 has holes and so does Chrome and Ff. Especially with flash!

Re:I/E 9 at risk

[c0lo]

Also, I think they should modify all future browsers to use extra caution when opening a file called "exploit.html" . In retrospect, it seems so obvious...

No need... a properly configured firewall will do it before the browser gets the page

Re:I/E 9 at risk

[hairyfeet]

Yeah, I put this right beside those users that posted to tell me "Oh IE isn't fragmented, you just have to buy the latest OS to use it!" wow, really? No shit.

The sad part is I at this point really don't have much in the way of sympathy anymore for anyone using IE and getting boned. this is like a dog walking out in front of a car and getting hit again and again, sooner or later you just figure its Darwin's way of thinning the herd of the dumbasses in the breed.

The only nice thing I can say about IE is thanks to Steve "herpa derp" Ballmer cutting loose the IE team after IE 6 and just letting the damned thing rot we have more choices than ever so there really is no excuse. You've got Chrome and Chromium and Comodo Dragon in that line, Firefox and Kmeleon and Seamonkey and IceDragon in the Gecko line, then you have Safari and QTWeb and Opera.

Frankly we've got choice coming out of our asses folks, everyone can have the web THEIR way, so even though I like Dragon you might like Seamonkey or Opera and that's fine, you get the web YOUR way and I'll get my web my way.

But unless you are forced by a very stupid (or hamstringed by bad intranet apps) IT dept there really is no point running IE and as TFA demonstrates plenty of reasons not to. Its the #1 target by far because the malware writers know the truly clueless users, those that think that 30 day trial of Norton that expired 3 years ago equals having an antivirus and who will click on any damned thing, use IE because they don't know any better. For them IE users are easy pickings and again, Darwinism, they should have learned the first time they got burned.

This is why I no longer support IE in ANY way. Some customer tells me they have IE problems? i give them their choice of Dragon or IceDragon (Firefox spinoff) and THEN if they have a problem with it I'll help, but every. single. time. I've had a user tell me they have "A problem with Internet explorer" I open the thing up and its got more toolbars and other malware bullshit than you can even count, anybody stupid enough to use IE while the spyware and toolbars and other shit just keeps piling up deserves what they get.

Re:I/E 9 at risk

[RaceProUK]

Firefox 10^2

I think you meant Firefox 10^20

Re:I/E 9 at risk

[parkinglot777]

FF 10^100 = google chrome

FF 10^100 == google chrome

Fixed...

Re:I/E 9 at risk

Yeah, I put this right beside those users that posted to tell me "Oh IE isn't fragmented, you just have to buy the latest OS to use it!" wow, really? No shit.

The sad part is I at this point really don't have much in the way of sympathy anymore for anyone using IE and getting boned. this is like a dog walking out in front of a car and getting hit again and again, sooner or later you just figure its Darwin's way of thinning the herd of the dumbasses in the breed.

The only nice thing I can say about IE is thanks to Steve "herpa derp" Ballmer cutting loose the IE team after IE 6 and just letting the damned thing rot we have more choices than ever so there really is no excuse. You've got Chrome and Chromium and Comodo Dragon in that line, Firefox and Kmeleon and Seamonkey and IceDragon in the Gecko line, then you have Safari and QTWeb and Opera.

Frankly we've got choice coming out of our asses folks, everyone can have the web THEIR way, so even though I like Dragon you might like Seamonkey or Opera and that's fine, you get the web YOUR way and I'll get my web my way.

But unless you are forced by a very stupid (or hamstringed by bad intranet apps) IT dept there really is no point running IE and as TFA demonstrates plenty of reasons not to. Its the #1 target by far because the malware writers know the truly clueless users, those that think that 30 day trial of Norton that expired 3 years ago equals having an antivirus and who will click on any damned thing, use IE because they don't know any better. For them IE users are easy pickings and again, Darwinism, they should have learned the first time they got burned.

This is why I no longer support IE in ANY way. Some customer tells me they have IE problems? i give them their choice of Dragon or IceDragon (Firefox spinoff) and THEN if they have a problem with it I'll help, but every. single. time. I've had a user tell me they have "A problem with Internet explorer" I open the thing up and its got more toolbars and other malware bullshit than you can even count, anybody stupid enough to use IE while the spyware and toolbars and other shit just keeps piling up deserves what they get.

If I had any mod point, they would be coming your way.

Re:I/E 9 at risk

[mcgrew]

Clearly we should stop supporting all browsers before IE12 and Firefox 39725.1

Unless I'm mistaken, IE is the only browser to ever be vulnerable to a drive-by (please correct me if I'm wrong). I thought with W7 MS had pretty much gotten its act together in regards to security and software bugs, but I guess I was wrong about that.

Just say no to Microsoft. It isn't safe.

Re:I/E 9 at risk

[tom17]

FF 10^100 == Googol Chrome

Fixed..
Copyright lawsuits avoided...

Re:I/E 9 at risk

[mcgrew]

but every. single. time. I've had a user tell me they have "A problem with Internet explorer" I open the thing up and its got more toolbars and other malware bullshit than you can even count, anybody stupid enough to use IE while the spyware and toolbars and other shit just keeps piling up deserves what they get.

Heh, a friend told me the other day he broke his monitor with his mouse; his XP PC had slowed to a crawl after he let his daughter in law use it. I looked at it for him, it was full of useless crud like weatherbugs and toolbars, when I gave it back to him my advice was "never install anything produced by Yahoo, ever, and don't use IE." It seems he'd DLed FF from Yahoo, and it came preinstalled with crapware and must have had a half dozen useless and redundant toolbars. I uninstalled it and IE9 and reinstalled FF from mozilla.org.

But at least he had no viruses I could find, just useless TSRs eating his meager memory. Had he been using IE9... well, what other browser except IE has ever been vulnerable to drive-bys?

The second time anyone brings me a computer full of crapware, I install kubuntu on it, because it means they didn't listen when I warned them about dangers. That always solves the problem.

Re:I/E 9 at risk

IE 9 has aslr, sandboxing, drp, plis a phishing list protection. You can hate on their html 5 support but only Chrome comes close.

IE 9 has holes and so does Chrome and Ff. Especially with flash!

Lack of 5 support by itself is enough reason to hate on IE9. Where Chrome and Firefox have at least made the effort to adopt standards, Microsoft thinks it can be above everyone. #news: you don't own the market anymore...

Also, as a web dev, IE's developer tools are impossible to work with compared to Firebug.

Re:I/E 9 at risk

[cbhacking]

Completely wrong, as it happens, although I'm honestly not sure how you could have gotten that idea. Drive-by exploits, in the sense of "you visit a website and are pwned", have existed for all major browsers.

Firefox: much like this IE9 bug; only requires you to execute some script
Chrome: buffer mismanagement in SPDY or bad casts in SVG
Safari: visit a website and automatically execute a shell script from it
Opera: buffer overflow using file download name in the prompt (can trigger automatically)

To be fair, most of these are pretty old; 2010 or sometimes before. I could have chosen a 2012 for Chrome, but chose to look explicitly at the browser, not at the Flash plugin (even though it's bundled with the browser and enabled by default...) Secunia's database also isn't comprehensive; for example, there were vulns found (by a white-hat, so patched before release and not included here) in Chrome earlier this year. That said, if you filter advisories to "extremely critical", IE has a much longer list than the other browsers (although part of that will just be market penetration making it the thing people have been targeting most). I also ignored browser version; that list for IE includes IE6 for example.

Re:I/E 9 at risk

[hairyfeet]

Easy way to get them off IE, without having to resort to Kubuntu (which is a BAD idea unless you want to be their 24/7/365 tech support BTW, because they'll drive you batshit wanting some Windows this or that software to run or because something is "acting funny" which is actually its default behavior and just different) is to give them Comodo Dragon with ABP and the ForecastFox extensions.

This way they have a browser that's fast like Chrome but with no phone home, if you take the default option that has the browser go through Comodo Secure DNS it blocks automatically the malware ad servers and other nasties, is close enough to Chrome that Chrome plugins and extensions work while still being below the radar enough nobody is targeting it, and both it and IceDragon (their own fork of Firefox) will autoupdate and take care of everything for them.

I'm a firm believer in eating my own dogfood and I've been running it since V5 and we are now up to V21 and no problems, no hassles, in all those releases I found exactly one weird bug and by popping on their forums and posting what was happening I got a message from one of the devs actually apologizing for the bug (even though it was something Joe Average probably would have never encountered) and posting a workaround for me and anybody else that encountered it along with a promise to fix it in the next release...which they did.

Considering we are talking about a free product? I couldn't be happier with the browser or the service. Its fast, snappy even on the 1.8GHz Sempron I keep here in the shop as a nettop, has plenty of features for a guy like me while still having sane defaults for Joe Average, and once i started installing it over Firefox the amount of issues I've had to deal with has dropped like a stone and I have yet to see Dragon infected with a damned toolbar! Give it a try McGrew, your friends and family that switch will thank you for it.

Re:I/E 9 at risk

[JustOK]

sorry, must have been a typo...

It's not aZero Day

Once it's in Metasploit its not a zero-day anymore. Microsoft has already had a few hours to deal with this threat, and system administrators are starting to find out about it, so if you want to exploit it, you're going to run into people who have blocked your exploit because they know about it. That means its not a zero-day anymore.

If an exploit is reported on Slashdot, it is by definition no longer a zero-day exploit.

Re:It's not aZero Day

[M0j0_j0j0]

and probably Vupen already sold it 10 months ago to , Ebay style.

I should be safe!

[dougmc]

... as long as it doesn't strike in those first few minutes where I have a freshly installed system and am using IE to download FIrefox (IE is great for this, by the way!) ... then I should be safe!

Re:I should be safe!

[w3c.org]

windows key + r cmd ftp ftp.mozilla.org cd /pub/mozilla.org/firefox/releases/latest/win32/en-US/ get "Firefox Setup 15.0.1.exe"

Day Zero

[puddingebola]

Been saing for years that if we'd just get rid of day zero on the calendar that so many security concerns could be solved, but instead we get yet another vulnerability. How did this happen on day 260?

Re:Day Zero

The term Zero Day, only means that the vulnerability was released to the public, before the patch. So the software companies have zero days to make a patch before its being used by all the wannabe kiddie hackers.

Re:Day Zero

WOOSH

Re:Day Zero

[pkinetics]

But what would the Mayans have done?

How many IE9 users got infected?

Both.

XP Only?

The underlying flaw affects IE 9 and earlier, and from what has been seen so far, the in-the-wild exploit only targets IE 8 and 7 on Windows XP only, Bekrar said.

“The vulnerability was probably found by fuzz testing and its exploitation was trivial on Windows XP,” Bekrar added.

Obviously

[cultiv8]

One of these devs was on the job.

Let's blame Unix!

[93+Escort+Wagon]

After all, you're right - there sure seem to be a lot of Day 0 vulnerabilities. If programming languages just started counting from 1 like sensible people do, this could all be avoided.

Re:Let's blame Unix!

Sensible people = 1st floor => floor at ground level
Everyone else = 1st floor => first floor above the ground level floor

Re:Let's blame Unix!

[jimshatt]

I actually refer to them as ground zero, ground one, etc. With 'ground' as past tense of 'grind' of course.

Getting fed up

[gravyface]

of shoddy browser security. Could this not be "solved" with proper sandboxing? If there's legacy code to support (this has been cited many times in the past for reasons why), please, please fork IE into two branches: IE Classic or whatever that's fully backwards compatible, and an IE Lite that's completely sandboxed and locked down for wide-spread corporate deployment.

Re:Getting fed up

LOL, it's that 'corporate deployment' that requires the full backwards compatibility. If it were not for crappy intranet sites we'd all be able to use the latest stuff all the tim.

Re:Getting fed up

[GoodNewsJimDotCom]

Not just IE. All of Windows could be sandboxed. Exe should not be able to modify files outside their own install directory. Leave legacy support for old trusted .exes though.

Re:Getting fed up

[pokoteng]

And it is that "legacy support" that is causing half the problems of Windows. It's never good to support legacy, at least, not without very careful consideration. Considering sandboxing though, it might just be alright to have all the legacy stuff in a VM-like environment entirely and have your host system be something a lot more stable. That just sounds like having linux host + windows guests though.

Re:Getting fed up

No, not even the install directory should be modified, only the %APPDATA% and other working folders. All programs should be run as their own users and added to groups for accessing only the necessary data. This is exactly how I run & administer Linux systems. I simply chroot and runas in my launchers -- My own toy OS does this natively by requiring all applications to configure their user & group permissions at install time, similar to mobile phones' permissions. That this isn't the default way everything already works speaks to how utterly worthless everyone else is in terms of security (except us *nix admins). Protip, that's why Apache runs as its own user on your LAMP.

Re:Getting fed up

[Bengie]

All programs should be run as their own users

Network admins would love creating 30 user accounts for every person and every person would love remembering 30 accounts.

Re:Getting fed up

[DigiShaman]

You and me both! Just how many times has IE been patched to plug a "full remote code execution" bug? How many more damn times must we see a zero-day IE exploit that can render total ownage of an OS?

Defective by design indeed!

Re:Getting fed up

Ie has been sandboxed for years. Only chrome is that zandboxed while FF is not!

IE 9=!IE 6

Its rendering engine is a differeny story though. :-)

IE 9 is certainly usable for corp users and has improved.

Re:Getting fed up

[yuhong]

AFAIK the original exploit targets XP where it is NOT sandboxed.

Re:Getting fed up

Exe should not be able to modify files outside their own install directory.

Wouldn't this mean you couldn't even be able to save files?

Re:Getting fed up

[gravyface]

Meant to say "business" deployment. Oh Slashdot, some day when you're big and strong you'll have an edit feature.

Re:Getting fed up

Dude, Someone figured out how to use java, to run a script when you go to a web page. Turn off java, and you dont have an issue.

Re:Getting fed up

[Bozzio]

It's only a matter of tim.

Re:Getting fed up

[cbhacking]

Why the hell would you do it that way? All major OSes, including NT (XP, Vista, Windows *, Windows Server *), have the ability to *automatically* run a program as a specific user, even if that user is different from the user that launched the program. On POSIX systems, this is enshrined in the filesystem permission bits; setUID and setGID.

Win8 actually does this for apps installed from the Marketplace. Each one gets a new, unique SID (security identifier, essentially a user account except without things like the ability to log into it), and install and data folders are created for each app that are accessible by that app's SID. There *are* ways to break out of this sandbox - some apps need more system-wide access, even if still only at standard user privileges - but the application developer must intentionally enable the app to do so, and the app must declare its ability to do so in its manifest (which contains the capability list).

Windows Phone 7 (despite being based on the CE kernel, which normally doesn't really have user accounts) and of course WP8 (NT kernel) also do this, and I believe both Android and iOS do as well (although I haven't yet checked).

Re:Getting fed up

[Billly+Gates]

IE 7 and above are sandboxed!

MS sucks in many areas in their browsers but recently they have redeamed themselves in this area. Firefox is a joke in comparison and was so bad adobe had to make a custom version of flash taht was sandboxed. Chrome already had both sandboxed

Re:Getting fed up

[Billly+Gates]

Actually there have been 30+ exploits in Firefox between 3.6 and the current release over the year and a half!

They are everywhere and nupen came to fame earlier this year from cracking Chrome. It is not a design flaw per say as IE 9 is sanboxed. It is hard when you have JIT javascript, flash, and java which job is to ACTUALLLY EXECUTE on the given platform.

According to the exploit it needs flash or java to spray the sandbox heap until the sandbox eventually gets compromised. So that is the problem right there

stealthy file name

[binarstu]

They (as in the bad guys) named their main attack vector "exploit.html?" Yeah -- nothing suspicious-sounding about that one.

Question:

[Starteck81]

I have a question. Does the exploit work on Win 7 machines or just Win XP?

Yes I RTFAed. It doesn't really spell out what combo of IE and Windows are vulnerable.

Re:Question:

[thetoadwarrior]

Ie 9 isn't on XP.

Re:Question:

[Blakey+Rat]

IE9 only runs on Vista, 7 and Server 2008. So XP isn't affected assuming IE8 also isn't. (Since they didn't mention IE8, I assume you're safe?)

Re:Question:

[Blakey+Rat]

Oop, the SecurityWeek article specially mentions that IE7 and IE8 on XP *are* affected and exploits them were spotting in the wild.

This means:
IE7, IE8 on XP = definitely vulnerable
IE7, IE8, IE9 on Vista/7 = probably vulnerable but no exploit seen in the wild

Re:Question:

[fatphil]

TFA:
"""
The underlying flaw affects IE 9 and earlier, and from what has been seen so far, the in-the-wild exploit only targets IE 8 and 7 on Windows XP only, Bekrar said.
"""

TFS mentions the "earlier" versions too.

Re:Question:

[Curate]

From TFA:

The underlying flaw affects IE 9 and earlier, and from what has been seen so far, the in-the-wild exploit only targets IE 8 and 7 on Windows XP only, Bekrar said.

Re:Question:

[rgbrenner]

do you think the "and earlier" versions that are also vulnerable might be on XP?

Re:Question:

Oop, the SecurityWeek article specially mentions that IE7 and IE8 on XP *are* affected and exploits them were spotting in the wild.

Good think I'm running IE6!

HAHAHAHAH! SUXXORS!

Re:Question:

[Crudely_Indecent]

The exploit is for IE 9 and earlier. XP can use iE 6 through IE 8 - all of which are earlier than IE 9.

Re:Question:

[ski9826]

http://technet.microsoft.com/en-us/security/advisory/2757760 There's a list of what's affected on that page :)

Re:Question:

[Starteck81]

Thank you! You're response is by far the best. I wish I could mod you up.

Re:Question:

[thetoadwarrior]

True but he asked if it includes Win 7 so I'm just saying win 9 isn't an XP thing.

Re:Question:

[thetoadwarrior]

The earlier stuff doesn't matter since he's asking if it works on Win 7.

exploit yes, virus no

[planckscale]

This exploit has been targeting chem and defense companies. The thing about these exploits is that they typically are just a method to drop the actual payload which is usually a virus or trojan. In this case it looks like the payload is Poison Ivy, which was added to NOD32 AV defs back in 2008. Yes, the attacker could compromise the machine and get admin shell, but the majority of the time they’re installing a keylogger or other virus which NOD32 will catch.

From TFA:

First, a file named “exploit.html” appears to be the entry point of the attack, which loads “Moh2010.swf”, an encrypted Flash file that it decompress in memory.

According to AlienVault's Jaime Blasco, the payload dropped is Poison Ivy, as was the case with the previous Java zero-day. Poison Ivy is a remote administration tool (RAT) that was used the Nitro attacks that targeted chemical and defense companies. Interestingly, after exploitation, the attack loads “Protect.html”, a file that checks to see if the Web site is listed in the Flash Storage settings, and if it is, the Web browser will no longer be exploited despite additional visits to the malicious site.

Re:exploit yes, virus no

I, for one, on two of my computers, don't have Flash installed in my primary browsers. I have a totally separate browser for the purpose of Flash. Without reading the article, or even fully reading your comment, would I be safe (despite being a home user)?

"the zero-day season is really not over yet"

[davidwr]

Some say a diamond is forever.

I'd say the same about "the zero-day season" at least with respect to systems like Windows as we know it + commonly used 3rd party applications as we know them.

Re:"the zero-day season is really not over yet"

The term "Zero-Day" means the virus was released to the public, before it was shown to the company that should fix it. The company now has zero days to make a patch before the exploit is released to the public.

Well, you can mitigate the damage

[davidwr]

Running web browsers in a well-written sandbox with only very careful access to "the outside machine" will help keep browser bugs from turning into system-wide vulnerabilities.

Sure, someone may take over your browser and turn it into DNS-generation-engine, but once you quit your browser, anything left over will require a social-engineering attack ("download catpics.exe and after you quit your browser, run it!") to continue living.

While no sandbox is perfect, there is (hopefully) a smaller and better-engineered code base to maintain.

Yes and no

[davidwr]

If there are no practical, well-understood or at least vendor-supported work-arounds, then for the vast majority of people, it's still a "zero-day."

Hopefully MS and the other affected vendors (e.g. Adobe) will announce a practical work-around within a day or two.

You should be safe

[davidwr]

I think this actually requires you to visit a poisoned web site.

So, unless the web site or torrent that you are getting Firefox from is compromised, you should be okay.

Re:You should be safe

[jafiwam]

Not really.

Compromised ad servers seem to happen often enough still. People have in not so recent past gotten infected from not so dangerous sites such as CNN.com.

Some sites are such morasses of server calls to other places all jumbled in one page it defies description. True, someone visiting the same four sites is going to be OK, but someone visiting Facebook (as an example) may very well be exposed.

new zero-day?

[csumpi]

How is that possible? Isn't "new" and "zero-day" mutually exclusive?

Re:new zero-day?

[ameoba]

No - redundant.

Re:new zero-day?

[DMUTPeregrine]

A Zero Day exploit is one that has not been released to the public or manufacturer. There are 0 days of public awareness of the exploit. Once released it's Day 1, and that counter increments until the exploit is fixed.
The term has since changed, and now a 0-day seems to be any unpatched vulnerability, no matter how long the public/manufacturer have been aware of it.
Under the old definition (which actually makes sense) news about a 0-day is impossible, since once it's in the news it's not a 0-day anymore. Thus, the announcement of a new 0-day is impossible. Under the new definition it's perfectly possible, and in fact 0-days can get quite old. There are some vulnerabilities (eg in SCADA systems) that the manufacturers have refused to fix, and so these will be 0-days forever.

Does this include IE9-64?

[fast+turtle]

Yes I RTFA and didn't see any information on whether IE9-64 is affected. Pretty lousy of the tester to not bother indicating if the problem is only with the 32bit version as the 64bit has a better baseline security configuration. Due to these issues, it's just one of the reasons I also use Palemoon64. Improved security such as full ASLR along with DEP support so I'm hopefull this does not affect IE9-64 due to the limited number of folks actually using it.

Re:Does this include IE9-64?

[WD]

Yes, IE9-64 is affected by the vulnerability. Whether exploits in the wild will succeed against it is another question...

Re:Does this include IE9-64?

No the IE9 default is not, so unless you config your settings to allow it your safe...

But wait...

[elliott666]

I thought PCs didn't get viruses?

Oh wait, that was Macs.

Re:But wait...

[mcgrew]

I thought PCs didn't get viruses? Oh wait, that was Macs.

PC stands for "Personal Computer" and macs are PCs. Some PCs get viruses... the ones running Windows. Any computer can be trojaned or taken over by other social engineering, but Windows is the only OS prone to drive-by infections.

And why I run Opera Browser

I've used Opera for ages, I feel it's the best on the market, but there's security through obscurity
Sadly Opera allows this security.

Safety precautions

[joeflies]

So as long as I don't visit a page called exploit.htm I should be ok?

Internet Explorer is still a thing?

[Trogre]

Isn't IE that tool people use to download Firefox?

Re:Internet Explorer is still a thing?

[tqk]

Isn't IE that tool people use to download Firefox?

(0) kiak /home/keeling_ aptitude search explore
p bzr-explorer - GUI application for using Bazaar
p emboss-explorer - web-based GUI to EMBOSS
p kzenexplorer - manage tracks and playlists on Creative La
p swac-explore - audio collections of words (SWAC) explorer
p tracker-explorer - metadata database, indexer and search tool
(0) kiak /home/keeling_ which firefox
/usr/bin/firefox

Nope. "Oh. My. Gawd! Another IE zero day exploit!" Well, if you weren't using the !@#$ it was installed with, you wouldn't need to care. Popcorn anyone?

Re:Internet Explorer is still a thing?

[Kalriath]

[root@server ~]# aptitude search explore
-bash: aptitude: command not found
[root@server ~]# which firefox /usr/bin/which: no firefox in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

Nope.

Re:Internet Explorer is still a thing?

[tqk]

apt-get install aptitude && aptitude update && apt-get install iceweasel && HTH. # Enjoy. :-)

FF was installed with the OS when I reinstalled recently. Tooduls.

Re:Internet Explorer is still a thing?

[root@server ~]# apt-get
-bash: apt-get: command not found

Nope.

[root@server ~]# links

Re:Internet Explorer is still a thing?

Why would you need to download Firefox just to install Chrome? IE can deal with Chrome download page just fine.

Re:Internet Explorer is still a thing?

[Trogre]

yum install firefox?

pacman -S firefox?

Re:Internet Explorer is still a thing?

Maybe he wants to use more than a few tabs.

Re:Internet Explorer is still a thing?

Isn't IE that tool people use to download Firefox?

Be careful with your jokes, friend! 'girlintraining' is going to read that and come back with a lengthy, boring rebuttal.

Re:Internet Explorer is still a thing?

No firefox is that copy of IE, that people use thinking its actually something better. when in fact its the same thing with different options enabled. ( IE blocks them because they can become exploits). IE is one of the easier browsers to hack. Its the first one my son ( he is 10) was able to hack, back in July 2012. Which was kinda a cool hack, As he could "track the fox", and follow me to all the pages I would go to when I used firefox. I told him to work on catching the fox, and seeing how much data he could collect from it. But thats a whole different story.. Sorry for you Fox users who think your browser is da bomb.. Learn some script, and you will see the true story. Sure MS - IE, is BLOATED bigtime, Its still more secure then Fox.

Re:Internet Explorer is still a thing?

[Kalriath]

yum would work ;)

Except that as a headless web server, it doesn't run X so Firefox is right out.

yum install links it is!

so this affects what... about 5 users?

[tresstatus]

does anyone actually use IE when they don't have to?

Re:so this affects what... about 5 users?

*yawn*

Re:so this affects what... about 5 users?

[tqk]

does anyone actually use IE when they don't have to?

I've known people who thought IE was the Internet. No amount of $BASEBALLBAT could sway them from that belief. There's people on /. who think they'll never have to give up on XP.

Hence, Win* malware. It's some weird, deficient intellect related, form of masochism is all I can think. Whatever floats your boat, I guess.

Re:so this affects what... about 5 users?

[cbhacking]

There are also actually some useful features of IE that no other browser has be default (there are halfway-there implementations of some in Firefox extensions, and full implementations of a few others). I use IE, Firefox, and Chrome on a daily basis (Opera and Safari are also installed but rarely get used). For example, I prefer the built-in tab management in IE over both of the others, although I'm a little annoyed that they disabled Quick Tabs by default in IE9 (easy to restore it though). This is one area where Firefox extensions surpass the built-in behavior of IE, though.

Re:so this affects what... about 5 users?

[tqk]

There are also actually some useful features of IE that no other browser has [by] default ...

Yeah, like ready and willing access to an underlying OS which can't be bothered to protect itself from malware. Are you a malware author/distributor? I'll bet they love IE.

The lower classes have a couple of words they use that describes IE's behaviour wrt women. They start with a 'w' or an 's'.

Actually, I've no real problem with IE; it's a web browser. I blame its underlying OS's fragility.

Re: all versions

IE 7 - 9 in all versions of Windows. However, flash is used for the exploit

Question though:

[MtViewGuy]

Does this exploit work if you're running a modern Internet security suite such as the new Norton Internet Security 2013 with all anti-malware definitions up to date? Mind you, my default web browser on my desktop and laptop is Google Chrome 21.0.1180.89, the current "stable" release version.

Re:Question though:

[GoogleShill]

I'm sure once the anti-malware vendors update their signatures in a few days they will detect it, but for now its fair game. The problem with anti-malware/anti-virus software as that they are purely reactive, they really don't help much against zero-day attacks.

Re:Question though:

[MtViewGuy]

I'd almost agree, but most companies that sell Internet security software update their definitions many times a day around the clock. In fact, in Norton Internet Security 2013 on my desktop and laptop computers, the updates occur at least 7-8 times per days for the latest anti-malware definitions.

Re:Question though:

[GoogleShill]

I don't know what they are updating, but they certainly are not pushing signature updates 7-8 times a day. Not enough new threats come out every day to warrant that kind of update cycle.

FWIW, I don't even see an official product page for the "2013" version, which makes me think you might be running a trojan and the 2012 version only updates every few days, which is typical.

Re:Question though:

[MtViewGuy]

I'm running the 2013 version, given it was directly downloaded from Symantec's own web site. :-) The release version (which came out a week ago) is 20.1.1.2. In fact, I found out that NIS 2013 can do "pulse" updates of anti-malware definitions about 2-3 rimes per hour.

DNH: 1

[seandiggity]

But I thought they turned on that "Do Not Hack" HTTP header??

UAC is pointless

[GoogleShill]

This exploit gains the privileges of the running user on Windows Vista and 7. The entire point of all the "allow/deny" popup BS with UAC was because they wanted to restrict processes to the lowest privilege necessary. IE is supposed to be a high-risk, sandboxed application and yet this exploit magically gets around it and gains access to the full user's account, which probably has admin rights on the machine. MS does not understand security. You don't start out by giving a user admin rights, you make them ask for it, a la 'sudo'. UAC starts out by keeping the user an administrator, and dropping the rights for new processes and trying to intercept when those processes need higher access so that the OS can display a verification prompt. Since Vista, this has been exploited over and over again. The only way to be safe under windows is to always use a low-priv account, and type in the full username/password of an administrator whenever the UAC prompt comes up, and that is a terrible user experience.

Re:UAC is pointless

You don't need admin rights to put a keylogger on Linux

UAC was always a compromise between keeping Windows secure and keeping it easy to use. It was meant to be an extra hurdle that hackers would need to jump to gain access, not a be-all and end-all solution. Generally speaking, the vast majority of times UAC is bypassed, it's because there's an exploit in a program that already has admin rights (Flash, acrobat and java being the favs).

Re:UAC is pointless

You are absolutely wrong about UAC.

UAC integrity level is determined at process create time, and process create only. To perform a privileged operation, you must either IPC to a process with that privilege, or you must launch a new process with an elevated token -- which triggers the UAC dialog on a separate desktop. Processes are NOT all launched with administrative privileges. In fact, IE8/9 in protected mode actually launches *low* privilege helper processes for browser tabs. They communicate via IPC with the browser frame, which runs at medium integrity and can do more things, but still cannot perform any tasks that require UAC authorization.

Try running process explorer, and enable the column for integrity level -- it will be illuminating for you.

Privilege escalation on Win7 involves either exploiting kernel mode code (which has full permissions to the system implicitly), or exploiting a user-mode process that already has administrative privileges, like a system service for instance. Exploiting a medium or low integrity user-mode process will NOT allow you to get administrative privileges. UAC has not been "exploited over and over again"; it is specific vulnerable processes which are targeted for privilege escalation, not the protection layer itself.

MS did take a step backwards with Windows 7 by making "automatic authorization" the default setting for UAC, instead of Vista's "authorize every time" model. But the underlying security model is the same; the user token is determined at process creation, it does not gain or lose privileges over time. One of the first things I do with any Win7 box is to up the UAC level to where it was in Vista, so that any authorizations are explicit (and I can see what's really going on.)

I say this as a Windows internals guy, having worked on kernel & user mode software for DLP, process protection, etc. I've dealt with these cross-process issues in detail. MS got a lot of flak for UAC usability in Vista, but they didn't deserve it -- it did what it was supposed to do, and in a way that was minimally invasive for the level of security it provided. I cannot imagine going back to a Windows machine without it.

All of Windows could be sandboxed

[SpaceLifeForm]

True, true. And simple also. Just have all the routers do DPI on the traffic, and if it is from a Windows machine, then just drop the packet.

M$ and Their LUsers

M$ has made laziness and convenience a virtue. Lots of people, especially those who control some money, think computers should require zero intellectual investment. The Philosophy Of Dumbing Down.

You Miss The Issue

By using C or C++, lots of security risks come from rather mundane tasks such as parsing HTML or XML. A C buffer overflow allows for code injection and it can happen in a CSV parser as much as in a JS engine. Yes, more code normally means more problems. But it has little to do with scripting. You can turn off scripting and plugins in many browsers already. But it won't protect you from what is still enabled - HTML parsing, layouting, image libraries, CSS and so on. There have been exploitable bugs in JPEG and GIF libraries. Stop using C and C++ would be the right thing to do. Search for "Memory Safe Language", if you want to research the subject. Too many C and C++ developers think that they are better than average and will never write exploitable bugs. Of course that is a fallacy.

Re:You Miss The Issue

[cbhacking]

Managed / memory-safe languages aren't a guaranteed protection, though.

First of all, there can be bugs in the runtime that lead to possible exploits. I have a friend who manages to generate segfaults in Java about once every two weeks (no idea how many of them are the same bug being hit multiple times; maybe all of them). In case you're confused, a segfault (as opposed to a NullPointerException) means the runtime thought it could access the memory there, after running all its checks... and found out otherwise when it tried and the CPU had to slap it down. The eqivalent term for segfault on Windows would be "access violation" and in both uses, it boils down to a security bug , potentially exploitable by triggering memory corruption. For that matter, JavaScript itself should be memory-safe.

Which brings us to the second issue: when you're trying to JIT-compile a script, the actual processing of the script is done in the compiler. You could write all of that in the safest language in the world... and it wouldn't do you any good if there's a bug in the compiler's code generation (note: not in the parsing of the script) that causes the resulting code, when executed, to be memory-unsafe. It's much, much harder to verify the safety of generated code (for a reasonably complex language; JS certainly being one) than it is to verify the safety of the code generator itself (even if written in C++).

The Slashdot Mental Disconnect

[Toreo+asesino]

I wonder, given many people here are convinced it's a dying product, why a story like this makes the front-page? Either IE is popular so news like this is important, or IE is a side-lined product that has no relevance...it seems that narrative changes depending on if the news is good or bad.

I find it curious we rarely hear about new major product releases from MS, but the second there's a vulnerability it's the top story. Are we interested in IT or just IT that isn't MSFT tech? There's a difference.

Meh, what am I saying. This place is unashamedly like the Fox News of IT - interested in a narrative only, not reality. Flame away.

Re:The Slashdot Mental Disconnect

Bitcoin exploit make front page too.
Does this means bitcoin is popular?

I'm late to the party but...

Would this be usable on xbox-es running the beta fall update?

One of the two features its featuring is IE (the other some f2p mmofps).

Why is this news?

This has been around for years! The 2008 Antivirus virus is a grand example of this. And I do believe Microsoft knew about this years ago. In 2009 the virus changed its name, and again in 2011 and 1012. There is a new form of the virus out which displays a fake FBI screen, which you can not do anything about untill you pay. ( unless you are technically inclined, or happen to know someone who is). I Cant believe this is just now getting attention... Oh wait, this is MS, I am talking about.. I guess I do believe it.

Re:exploit yes, virus YES'S

The exploit allows the virus to attack. The "drive by" has been around since 2008. Look at the antivirus virus, there is also a couple of FBI virus. They lock you out of your stuff, change your settings, mark every folder and file on your computer as hidden. From what I can tell its a flaw in the way IE allows Flash to use the browser. Then the real hole, is how windows, allows IE to "make changes" to the kernal. If everything HAD to be downloaded and installed manually, this would not be an issue. Or if FLASH, would step up to the plate and fix their stuff, ( including but not limited to, adding itself to boot when windows runs, having an installer constantly running in the background, having the updater, check for updates every 7-10 mins, not allowing any form of settings to control the program), then there would not be a problem. If you ask me This "new security hole", should be pushed back on flash to fix their crap. Flash is basically a virus that dont break anything to the point of unfixable. They use their script to fix what they break when they break it.

Alternative workaround

[overmoderated]

Install Linux.

EMET no dll file, no caveman can do it

me space lizard cavemoon, ask wild can't put any file into emet 3.5?
where in software lizard garden grows the rare emet 3.6 dll file nutrient we need so badly?
me space lizard cavemoon, say no more trade with freckled fraced white moons of Earth
may great space lizard shove incompatible mandrake rpm's up your bung holds, through wget and rpmupdate

False Assessment

Indeed, Java is far from being well-implemented. I could reliably crash it when running the YaCY distributed search engine. It would pull a PDF from the internet and try to parse it using a Java-based parser. That would kill the JVM. I blame it on SUN/Oracle not having a strong incentive to get the JVM right.

I am in general not a fan of Java and designed a language of my own memory safe language called Sappeur. Sappeur is essentially a safe subset of C++. It does not need a VM, which means Sappeur programs can launch in milliseconds and don't have these GC freezes. It took me a bit more than 10000 lines of C++ code to implement the compiler, as the compiler generates C++ code and actual machine code generation is done by GCC or msvc.

So, the memory-safety property depends mainly on about 10k lines of code (LOC), which is not much. According to wikipedia, the SUN JVM is 250k lines of code. It is evident that proving the correctnes of 10k LOC is much more feasible than proving 250k LOC.

When it comes to security, Simple And Stupid approaches are always the most robust ones. If the software industry really wanted top-notch security, we could drop our addiction to C and C++ and we could get simple, yet effective solutions. We could mathematically prove correct things like Sandboxes and compilers. Google and M$ could afford it. It just does not contribute to the next quarterly results. It might destroy the quarterly results in three years if we don't do anything. But that is not how managers think.

Finally, every Security Line Of Defense is valuable and should be employed. We can't even expect MMUs to be implemented correctly. Defense in Depth - that is what we need. So: Memory Safe Language // Sandbox // MMU+OS - that is much better than just two or one layer of defense.

Hit & run downmods don't stand up to facts

After all, trolls: Your having to downmod my posts here unjustifiably on computing technical grounds:

http://tech.slashdot.org/comments.pl?sid=3124197&cid=41374257

http://tech.slashdot.org/comments.pl?sid=3124197&cid=41374807

http://tech.slashdot.org/comments.pl?sid=3124197&cid=41376221

http://tech.slashdot.org/comments.pl?sid=3124197&cid=41377421

?

* That's pretty "piss poor" on your parts, "hit & run" unjustifiable downmod using trolls... Especially since you can't justify how & on what grounds you did so!

APK

P.S.=> YOU know it, I know it, & again - by THIS point? So does anybody else reading...

... apk

Microsoft delivers patch already... apk

http://support.microsoft.com/kb/2744842

* And, there you go... done!

APK

P.S.=> MS fixed this issue, & 4 others along with it... bonus!

... apk