New IE Remote Code Execution Vulnerability Discovered

An anonymous reader writes "Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a 'limited number of targeted attacks' specifically directed at IE8 and IE9."

Re:News for nerds?

Common now, someone will have to repair the machines of those who don't use a real browser.

Re:News for nerds?

[Mitchell314]

A commonly used program has a long running vulnerability. I would definitely say that's right up /.'s alley.

Fix?

Always, always.

At least there is a simple FixIt that blocks it

Which is way better than having an advisory and then having to wait weeks for a fix that requires a reboot,

Re:At least there is a simple FixIt that blocks it

The FixIt is only for 32-bit and can't be deployed, must be installed. Fanguish.

Re:News for nerds?

[ameen.ross]

I see what you did there, but some IT guys / nerds work for companies that have managers that force IE down their departments' throats. Then when something goes wrong they blame it on the IT folks. News like this just gives us some plausible deniability for such cases.

Re:News for nerds?

[DeathToBill]

Sense of humour fail?

Re:News for nerds?

[canadiannomad]

A commonly used program has a long running vulnerability. I would definitely say that's right up /.'s alley.

Sense of humour fail?

I thought he was making his own joke :)

Re:News for nerds?

Sense of humour fail?

No more than IE failed ... ;-)

Internet Explorer 6?

[ArcadeMan]

Even Microsoft sent flowers to the mock funerals. And now they're digging out the grave to patch a corpse?

Re:Internet Explorer 6?

Even Microsoft sent flowers to the mock funerals. And now they're digging out the grave to patch a corpse?

You can be pretty sure they would rather not have to work on it, but they've committed to supporting it until Spring 2014.

They've made a rod for their own back with that one, but that's how it is.

The really exciting bit will be when IE6 support finally does come to an end. I'd be willing to bet there are people who've found expoits but are holding back from using them until then. My bet is that anyone still using IE6 on the day of the last security patch will be hacked into oblivion by the end of that week.

Re:Internet Explorer 6?

[linebackn]

It is because back in the 1990s Microsoft intermingled parts of their OS and browser and insisted their browser was "integrated" in such a way that it could not be removed.

As everyone can clearly see now, this was a dumb thing to do. They did it purely to dissuade vendors from bundling other competing browsers. But now they are committed to supporting the OS and browser as the same piece of software.

Had they not "integrated" the products, even if they had bundled them, they could have chosen to EOL the browser application version prior to the operating system.

Re:Internet Explorer 6?

[yuhong]

Actually IE6 is supported until July 2015 if you count Server 2003. And BTW IE7 is supported until January 2020 if you count Server 2008. I wonder how much it costs to support each version of IE for MS.

Re:Internet Explorer 6?

[Rayor]

It even says in the very article OP cited that Microsoft said they would continue to support it.

Re:News for nerds?

An excuse to rage at Microsoft. I would definitely say that's right up /.'s alley.

FTFY

Pretty good in general

[jones_supa]

Things like this happen, but I have to say that these days Microsoft has mostly taped Windows together quite well. We don't anymore see sensational headlines like "Blaster worm infects millions of computers". So for the 6.x core things are way better than in the past. However the EOL'ing of Windows XP will probably zombify heaps of machines.

Re:Pretty good in general

[mwvdlee]

Just like you didn't hear about the ~20k people that died of starvation today; it's not news if it happens every day.

Re:Pretty good in general

[VortexCortex]

Things like this happen, but I have to say that these days Microsoft has mostly taped Windows together quite well. We don't anymore see sensational headlines like "Blaster worm infects millions of computers"

Hmm, well, before Snowden we didn't see any headlines like "NSA is beyond creepy, LoveINT: using PRISM spying on romantic interests?"

I guess the spying just wasn't happening until the headlines appeared. Similarly, I guess all the unpatched exploits sitting in my
/with/great/power/comes/great/responsibility/ directory don't exist either. I mean, it's not like I didn't inform MS about them and they just haven't patched them. I bet I'm the only person on the planet capable of discovering multiple remote code execution flaws. I mean, otherwise we'd hear about black-markets for exploits. Hell, the NSA would probably even buy them from VUPEN or some such nonsense.

Re:Pretty good in general

[VortexCortex]

So wait, Microsoft can be blamed for both Winodws8 AND climate change shills?!

Talk about focusing on your core competency! MS is Genius!

Re:Pretty good in general

[sasparillascott]

Great points. I've thought about the XP EOL issue as well. Unless MS changes plans somehow, is nearly all downside and not much upside. They've still got close to 40% of their user base on it - they drop the security updates and every new security update for the newer versions is just a road map on what to exploit in XP. If the users dump XP in large numbers and don't upgrade (go Linux, go Mac, go Chrome) MS looses big chunks of marketshare (further making things look worse for them).

About the only upside is that they won't have to pay for the updates for XP, but since they have to do it for the newer versions anyways (and the updates often overlap) - it won't be saving alot of money.

Seems like it'll be better to wait till the last month or two before turning things off (that way you've got all the upgraders upgraded) and then tell the world that they're going to keep XP updates going (or make them pay per use & make it cheap).

Re:Pretty good in general

[hweimer]

There have been reports on 58 different remote code execution vulnerabilities in Internet Explorer 10 in 2013 alone. I would hardly call that "taped together quite well".

Re:Pretty good in general

The 97% consensus figure is an outright lie.
http://wattsupwiththat.com/2013/08/28/cooks-97-climate-consensus-paper-crumbles-upon-examination/

The rest of it is partisan agenda driven flack - what part of the administration is paying you to SPAM /.?

Re:Pretty good in general

[Ravaldy]

Chrome the favoured browser on /. had a fair share of remote execution vulnerabilities over the last year or so. I really wish MS would provide 2 versions of their IE. One of end users and one for Enterprise. The boat load of extra security features in IE = large gaps to cover in QC... Just my 2 cents. I don't really care what browser people use as long as it works with our internal applications. Currently our internal apps support all 3 major browsers. Safari is black listed due to it's known issues with AJAX.

Re:Pretty good in general

Part of this is because it's much easier (and more rewarding) to create malware that just sits and siphons off personal information.. Computers are being used way more for everything from banking and shopping than they were back in the days of Blaster..

Sure, it's partially due to having better security. but definitely not the only reason..

Re:News for nerds?

IE is very good browser these days. I'm not even joking.

Re:News for nerds?

How about the multitude of web applications that were designed specifically for IE in the past and have to be used today without much support from the original vendor? THAT is the major point behind "forcing IE down someone's throat".

Luckily, we seem to be moving away from those dark ages and nowadays you can switch between Chrome, Firefox, Opera and IE most of the time without much impact. The Internet hasn't learned the lesson well (about designing for a single browser or introducing incompatibilities between browser) but it has learned a little bit that we are better today.

In Reality...

"A limited Number of Targeted Attacks"

Must be that all 25 of their IE users got hit so now they are trying to patch it.

Re:News for nerds?

IE is very good browser these days. I'm not even joking.

Only the version that works only on Windows 8... Need I say more?

Re:News for nerds?

I'm not even joking.

We know, you're earning your living. Social media marketing is no joking matter.

Why didn't they wait till after April 2014?

The bad guys could have kept this secret till after the end-of-life for XP and made a mint.

Re:Why didn't they wait till after April 2014?

[Vanderhoth]

I'm not sure that would have mattered. This is a browser issue, not an OS issue. TFS also states IE10 is included in the problem, which to my knowledge only runs on windows 8.

Re:Why didn't they wait till after April 2014?

[DigitalSorceress]

IE10 is available for Win7 - in fact, you need to apply an "IE10 Blocker" to keep MS Automatic Updates from forcing it down your throat.

Granted, from my experience, IE10 on Win7 is a bit different under the hood from IE10 on Win8 - I've run into quite a few issues where there was a problem in IE10 on Win7, but it was ok on Win8 - or vice versa.

Re:Why didn't they wait till after April 2014?

[VortexCortex]

The bad guys could have kept this secret till after the end-of-life for XP and made a mint.

Economics 101: That which is in increasing supply is priced lower.

Exploits are caused by programming mistakes. In Windows there is a near boundless supply of exploit vectors, due to the quality of MS code... The only reason folks can sell Windows exploits at all is because security researchers are providing the labor to mine the exploits. Dirt is not scarce. You pay for dirt because of the labor others perform to move it about. It's the labor which is scarce, not the exploit vectors.

The limiting factor is not number of exploits available to discover, but the number of users of the exploitable platform. Hence, economics 101 is at work here. The maximum return on investment is in the maximum number of exploitable systems.

Folks are expected to increase migration away after XP EOL (AKA: WTF\r\n). Cashing in now is actually better, economically, than cashing in later.

Re:News for nerds?

I'm not even joking.

We know, you're earning your living. Social media marketing is no joking matter.

$150k student debt has to be paid.
Yeah a communications degree and masters in leadership is not cheap.

IE 11?

[xdor]

I thought IE 10 and after were sand-boxed? Or is it the nature of the buffer overrun that the injection gets CPU level access?

According to the advisory they only get current user-level access. How do they run a buffer overrun exploit that actual stays in the user-context and doesn't go all the way to the CPU?

Re:IE 11?

[gbjbaanb]

You believed the bulls^H^H hype?

I liked that Microsoft admitted IE8 and IE9 were being hit, the implication being that IE10 is perfectly ok, completely unaffected and you should upgrade, but they're still going to patch it, you know, just to be on the safe side...

Re:IE 11?

[DarkOx]

A buffer overrun does not by nature imply one can escalate privileges beyond the context of the user the process is running as.

Most modern operating systems protect the memory region a process has been assigned to run in by the kernel. This is partially implemented with hardware support from the MMU so if the kernel has setup the hardware properly there are few ways for things to go wrong. In general a process cannot read or write to a memory region it does not own. When it tries it will be blocked and an interrupt will transfer execution back to the kernel which will do something about it.

Usually when exploiting a buffer vulnerability you have to be careful not cause read or write outside the process space because the application will then crash and you lose your vector. So even without a sandbox ( beyond the basic per process memory protection the OS provides to every app), you don't get out of the user context unless you are able to inject some shell code and call some other libraries/syscalls/etc to get yourself additional privileges. This is Windows though so there is a good chance the user is already a Local Administrator and has more then enough privileges to pwn the box. Especially on IE 6/7 which are likely on XP where you don't have UAC.

Re:News for nerds?

[w1zz4]

Many nerds work in IT, some of them works in Security...

Re:News for nerds?

Common now, someone will have to repair the machines of those who don't use a real browser.

Yes, repairing broken machines IS common. Jesus, man, learn the language or STFU.

overwrites previously allocated virtual memory

[raymorris]

It sounds like the destruction of objects is incomplete, so the attacker can still write to that area of memory. It's certainly possible that it's writeable BECAUSE it's still associated with the process, which mean it runs in the context of that process. Additionally, it's likely that while the attacker can write to the memory, they can't arbitrarily execute it directly. Rather, they have to cause IE to execute it, in which case it would run with the privileges IE has when IE runs it.

A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.

Yes, I'm aware that on Windows 8 Microsoft has attempted to sandbox the browser. Like putting a lion in a cage, that works until the lion reaches through the bars. It doesn't compare to using a browser such as Firefox which does not have the potential harmful abilities baked in. No need to sandbox something that doesn't exist.

Re:overwrites previously allocated virtual memory

[yuhong]

A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.

Huh? All process you start after log in have the same privileges as the user you are logged into.

Re:overwrites previously allocated virtual memory

[raymorris]

My language was unclear. In Explorer, you can go to "My Computer" and choose "Format Drive". Windows Explorer IS Internet Explorer, showing a different menu bar.

In Chrome, Firefox or Seamonkey, there is no "format drive" function. Browsers don't need, and should not have, the ability to reformat your hard drive. That decision to combine the system shell with the browser is the underlying cause of the severity of many Explorer security issues.

Re:overwrites previously allocated virtual memory

You seem to have a very outdated view of things.

1. IE was de-integrated from the shell in IE7.
2. By default, applications can always do anything the user can do. This has nothing to do with being integrated into the shell, that's just how privileges work (on all the major OS's). The application (or a third-party wrapper around the application) must be deliberately added to reduce its privileges -- that's what sandboxing is.
--- The exception is that the user has a limited ability to do things like type passwords for secure elevation, a la sudo or UAC, since they have physical access to input devices that run at a privilege level higher than the user privilege level. That privilege has never been extended to IE.
3. Since IE8, IE has run in less privileges than the user. AFAIK the only other browser that does that is Google Chrome (certainly the only other one whose done it for a comparable length of time), which sandboxes in a very similar fashion.
4. Your last paragraph shows a fundamental misunderstanding of what a sandbox is. The harmful ability baked in is better known as "not having a sandbox".

In IE4-IE6 there were legitimate reasons to be concerned about the integration with the Shell. The really embarrassing security issue with IE was ActiveX auto-install which was addressed a zillion years ago, though.

Re:overwrites previously allocated virtual memory

[yuhong]

That decision to combine the system shell with the browser is the underlying cause of the severity of many Explorer security issues.

Evidence?

Re:overwrites previously allocated virtual memory

[raymorris]

Here are 1.3 million pieces of evidence:
https://www.google.com/search?q=IE+security+zone+exploit

As explained US_CERT, the US Computer Emergency response team:

> There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model,
> local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular,
> proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI),
> and ActiveX. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an
> attacker significant access to the operating system.

Microsoft winked a acknowledgement the root of the problem yesterday with their advisory about this particular
vulnerability. Microsoft's advisory says:

> By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML
> email messages in the Restricted sites zone.

That's as opposed to the Local Intranet Zone, the Trusted Sites Zone, etc. IE opens content in the restricted zone (cage) and hope that there isn't a leak, like hoping that lion doesn't reach out of the cage. (and hope that IE picked the right zone to start with - web sites and batch files are both .com addresses.) Opera doesn't need to try to keep web sites from accessing functions in the local computer zone - there is no local zone, it just does web sites.

If your browser doesn't run shell batch files and registry patches, it doesn't have to decide which batch files to run in what context. It simply doesn't run batch files, or do anything else but show web pages.

Re:overwrites previously allocated virtual memory

[yuhong]

I think they locked down the local machine zone in XP SP2: http://blogs.msdn.com/b/ieinternals/archive/2011/03/23/understanding-local-machine-zone-lockdown-restricted-this-webpage-from-running-scripts-or-activex-controls.aspx

No sensational headlines?

[hAckz0r]

That because the threat has changed. Now it's about botnets and making a long term profit, not just scaring people senseless. If the botnet is not completely stealth then it is not successful, and dies an early death. The current set of botnets are almost military grade software, out there waiting for the highest bidders line of work. The problem has not gone away, its just gone underground where only the most talented admins can even find or track them.

.
Botnet Command and Control map:
https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotnetMaps#botnet

Incomplete headline

[gmuslera]

New IE Remote Code Execution Vulnerability Discovered... 3 years ago, reported to Microsoft, that reported it to the NSA, that took advantage of it all that time. Now a new, safer backdoor that only they should exploit is being deployed thru the fix for this vulnerability.

Is all those new slashdot redesigns, headlines can't hold all the relevant information anymore.

guess

[beefoot]

If I were to guess, NSA and MS must have coded the back door themselves.

Re:News for nerds?

[Ravaldy]

When is /. going to remove the anonymous coward option? People should own up to their comments. Pussies I tell you.

Re:News for nerds?

[amicusNYCL]

That's a fantastic opinion there "Ravaldy"... if that is your real name.

Translation

NSA: Dear Microsoft, too many foreign parties are now using our vulnerability, time to replace it with a new one.

Re:News for nerds?

It's very good. Criteria, what the fuck is a criteria?

Re:News for nerds?

[evilmidnightbomber77]

Or some shithead wrote a corporate app that works only in IE6, so everyone is stuck on that, if they want to be able to submit support tickets or expenses. Been There, Done That, Got the T-shirt.

Re:News for nerds?

Maybe there's a reason for that. Let me paint you a picture. Corporation takes all and gives none. Pissed off developer asked to write an app. How would you write it? I tell you what I'd do. I'd bake so much insecurity into that fucker that failure is a certainty.

and the captcha is malice I love it.

What's Internet Explorer?

[LostMyBeaver]

I think I remember using it once. But the alternative was Netscape 4.

Re:News for nerds?

[KingMotley]

The number of letters required to spell its name of course. IE wins, hands down!

Flaws, who has critical flaws

But don't mention the critical Firefox flaws, because its against /. groupthink

http://www.theregister.co.uk/2013/09/18/firefox_24_update/

Re:News for nerds?

O. pera. (Everyone gets a car?)

Re: News for nerds?

No. The latest version of IE runs on 7 & 8 both. Nice try troll.

Re:News for nerds?

[Ravaldy]

Just saying that these have 0 ID. At least we have accounts with history...