Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IE Remote Code Execution Vulnerability Discovered

Posted by Unknown on from the luckily-has-zero-users dept.

An anonymous reader writes "Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a 'limited number of targeted attacks' specifically directed at IE8 and IE9."

63 comments

  1. News for nerds? by Anonymous Coward · · Score: -1

    I'm not sure how this is news for nerds, or even anything that matters...

    1. Re:News for nerds? by Anonymous Coward · · Score: 2, Insightful

      Common now, someone will have to repair the machines of those who don't use a real browser.

    2. Re:News for nerds? by Mitchell314 · · Score: 4, Insightful

      A commonly used program has a long running vulnerability. I would definitely say that's right up /.'s alley.

      --
      I read TFA and all I got was this lousy cookie
    3. Re:News for nerds? by ameen.ross · · Score: 2

      I see what you did there, but some IT guys / nerds work for companies that have managers that force IE down their departments' throats. Then when something goes wrong they blame it on the IT folks. News like this just gives us some plausible deniability for such cases.

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
    4. Re:News for nerds? by DeathToBill · · Score: 1

      Sense of humour fail?

      --
      Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
    5. Re:News for nerds? by canadiannomad · · Score: 1

      A commonly used program has a long running vulnerability. I would definitely say that's right up /.'s alley.

      Sense of humour fail?

      I thought he was making his own joke :)

      --
      Hmm, the humour and sarcasm seem to have been be lost on you.
    6. Re:News for nerds? by Anonymous Coward · · Score: 0

      Sense of humour fail?

      No more than IE failed ... ;-)

    7. Re:News for nerds? by Anonymous Coward · · Score: 0

      An excuse to rage at Microsoft. I would definitely say that's right up /.'s alley.

      FTFY

    8. Re:News for nerds? by Anonymous Coward · · Score: 4, Funny

      IE is very good browser these days. I'm not even joking.

    9. Re:News for nerds? by Anonymous Coward · · Score: 0

      How about the multitude of web applications that were designed specifically for IE in the past and have to be used today without much support from the original vendor? THAT is the major point behind "forcing IE down someone's throat".

      Luckily, we seem to be moving away from those dark ages and nowadays you can switch between Chrome, Firefox, Opera and IE most of the time without much impact. The Internet hasn't learned the lesson well (about designing for a single browser or introducing incompatibilities between browser) but it has learned a little bit that we are better today.

    10. Re:News for nerds? by Anonymous Coward · · Score: 0

      IE is very good browser these days. I'm not even joking.

      Only the version that works only on Windows 8... Need I say more?

    11. Re:News for nerds? by Anonymous Coward · · Score: 0

      I'm not even joking.

      We know, you're earning your living. Social media marketing is no joking matter.

    12. Re:News for nerds? by Anonymous Coward · · Score: 0

      I'm not even joking.

      We know, you're earning your living. Social media marketing is no joking matter.

      $150k student debt has to be paid.
      Yeah a communications degree and masters in leadership is not cheap.

    13. Re:News for nerds? by w1zz4 · · Score: 1

      Many nerds work in IT, some of them works in Security...

    14. Re:News for nerds? by Anonymous Coward · · Score: 0

      Common now, someone will have to repair the machines of those who don't use a real browser.

      Yes, repairing broken machines IS common. Jesus, man, learn the language or STFU.

    15. Re:News for nerds? by Ravaldy · · Score: 1

      When is /. going to remove the anonymous coward option? People should own up to their comments. Pussies I tell you.

    16. Re:News for nerds? by amicusNYCL · · Score: 1

      That's a fantastic opinion there "Ravaldy"... if that is your real name.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    17. Re:News for nerds? by Anonymous Coward · · Score: 0

      It's very good. Criteria, what the fuck is a criteria?

    18. Re:News for nerds? by evilmidnightbomber77 · · Score: 1

      Or some shithead wrote a corporate app that works only in IE6, so everyone is stuck on that, if they want to be able to submit support tickets or expenses. Been There, Done That, Got the T-shirt.

    19. Re:News for nerds? by Anonymous Coward · · Score: 0

      Maybe there's a reason for that. Let me paint you a picture. Corporation takes all and gives none. Pissed off developer asked to write an app. How would you write it? I tell you what I'd do. I'd bake so much insecurity into that fucker that failure is a certainty.

      and the captcha is malice I love it.

    20. Re:News for nerds? by KingMotley · · Score: 2

      The number of letters required to spell its name of course. IE wins, hands down!

    21. Re:News for nerds? by Anonymous Coward · · Score: 0

      O. pera. (Everyone gets a car?)

    22. Re: News for nerds? by Anonymous Coward · · Score: 0

      No. The latest version of IE runs on 7 & 8 both. Nice try troll.

    23. Re:News for nerds? by Ravaldy · · Score: 1

      Just saying that these have 0 ID. At least we have accounts with history...

  2. Fix? by Anonymous Coward · · Score: 0

    Always, always.

  3. At least there is a simple FixIt that blocks it by Anonymous Coward · · Score: 1

    Which is way better than having an advisory and then having to wait weeks for a fix that requires a reboot,

    1. Re:At least there is a simple FixIt that blocks it by Anonymous Coward · · Score: 1

      The FixIt is only for 32-bit and can't be deployed, must be installed. Fanguish.

  4. Internet Explorer 6? by ArcadeMan · · Score: 3, Insightful

    Even Microsoft sent flowers to the mock funerals. And now they're digging out the grave to patch a corpse?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Internet Explorer 6? by Anonymous Coward · · Score: 4, Interesting

      Even Microsoft sent flowers to the mock funerals. And now they're digging out the grave to patch a corpse?

      You can be pretty sure they would rather not have to work on it, but they've committed to supporting it until Spring 2014.

      They've made a rod for their own back with that one, but that's how it is.

      The really exciting bit will be when IE6 support finally does come to an end. I'd be willing to bet there are people who've found expoits but are holding back from using them until then. My bet is that anyone still using IE6 on the day of the last security patch will be hacked into oblivion by the end of that week.

    2. Re:Internet Explorer 6? by linebackn · · Score: 2

      It is because back in the 1990s Microsoft intermingled parts of their OS and browser and insisted their browser was "integrated" in such a way that it could not be removed.

      As everyone can clearly see now, this was a dumb thing to do. They did it purely to dissuade vendors from bundling other competing browsers. But now they are committed to supporting the OS and browser as the same piece of software.

      Had they not "integrated" the products, even if they had bundled them, they could have chosen to EOL the browser application version prior to the operating system.

    3. Re:Internet Explorer 6? by yuhong · · Score: 2

      Actually IE6 is supported until July 2015 if you count Server 2003. And BTW IE7 is supported until January 2020 if you count Server 2008. I wonder how much it costs to support each version of IE for MS.

    4. Re:Internet Explorer 6? by Rayor · · Score: 1

      It even says in the very article OP cited that Microsoft said they would continue to support it.

      --
      "Using linux is like a game, if you're able to make it run better than Windows, you're winning" - Unknown slashdotter.
  5. Pretty good in general by jones_supa · · Score: 3, Informative

    Things like this happen, but I have to say that these days Microsoft has mostly taped Windows together quite well. We don't anymore see sensational headlines like "Blaster worm infects millions of computers". So for the 6.x core things are way better than in the past. However the EOL'ing of Windows XP will probably zombify heaps of machines.

    1. Re:Pretty good in general by Anonymous Coward · · Score: -1

      In June, the President reaffirmed his commitment to reducing carbon pollution when he directed many federal agencies, including the Environmental Protection Agency, to take meaningful steps to mitigate the current and future damage caused by carbon dioxide emissions and to prepare for the anticipated climate changes that have already been set in motion.

      Climate change is one of the greatest challenges of our time. Based on the evidence, more than 97% of climate scientists are convinced that human caused climate change is occurring. If our changing climate goes unchecked, it will have devastating impacts on the United States and the planet. Reducing carbon pollution is critically important to the protection of Americans’ health and the environment upon which our economy depends.

      Responding to climate change is an urgent public health, safety, national security, and environmental imperative that presents an economic challenge and an economic opportunity. As the President has stated, both the economy and the environment must provide for current and future generations and we can and must embrace cutting carbon pollution as a spark for business innovation, job creation, clean energy and broad economic growth. The United States’ success over the past 40 years makes clear that environmental protection and economic growth go hand in hand.

      The President’s Climate Action Plan directs federal agencies to address climate change using existing executive authorities. The Plan has three key pillars: cutting carbon pollution in America; preparing the country for the impacts of climate change; and leading international efforts to combat global climate change.

      Cutting Carbon Pollution

      EPA plays a critical role in implementing the Plan’s first pillar, cutting carbon pollution. Over the past four years, EPA has begun to address this task under the Clean Air Act.

      Our first steps addressed motor vehicles, which emit nearly a third of U.S. carbon pollution. EPA and the National Highway Traffic Safety Administration, along with the auto industry and other stakeholders, worked together to set greenhouse gas and fuel economy standards for Model Year 2012 to 2025 light-duty vehicles. Over the life of these vehicles, the standards will save an estimated $1.7 trillion for consumers and businesses and cut America’s oil consumption by 12 billion barrels, while reducing greenhouse gas emissions by 6 billion metric tons.

      EPA’s and NHTSA’s standards for model year 2014 through 2018 heavy-duty trucks and buses present a similar success story. Under the President’s Plan, we will be developing a second phase of heavy-duty vehicle standards for post 2018 model years.

      Building on this success, the President asked EPA to work with states, utilities and other key stakeholders to develop plans to reduce carbon pollution from future and existing power plants, which are responsible for about 40 percent of America’s carbon pollution.

      EPA will soon issue new proposed carbon pollution standards for future power plants, reflecting new information and the extensive public comments on our 2012 proposal. For existing plants, we are engaged in outreach to a broad group of stakeholders with expertise who can inform the development of proposed standards, regulations, or guidelines, which we expect to issue in June of 2014. These guidelines will provide guidance to States, which have the primary role in developing and implementing plans to address carbon pollution from existing plants. This framework will allow us to capitalize on state leadership and innovation while also accounting for regional diversity and providing the necessary flexibility.

      The Plan also calls for the development of a comprehensive, interagency strategy to address emissions of methane – a powerful greenhouse gas that also contributes to ozone pollution, but which has substantial economic value. EPA will work with other agencies to assess emissions data, address data gaps, and ident

    2. Re:Pretty good in general by mwvdlee · · Score: 1

      Just like you didn't hear about the ~20k people that died of starvation today; it's not news if it happens every day.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:Pretty good in general by VortexCortex · · Score: 1

      Things like this happen, but I have to say that these days Microsoft has mostly taped Windows together quite well. We don't anymore see sensational headlines like "Blaster worm infects millions of computers"

      Hmm, well, before Snowden we didn't see any headlines like "NSA is beyond creepy, LoveINT: using PRISM spying on romantic interests?"

      I guess the spying just wasn't happening until the headlines appeared. Similarly, I guess all the unpatched exploits sitting in my
      /with/great/power/comes/great/responsibility/ directory don't exist either. I mean, it's not like I didn't inform MS about them and they just haven't patched them. I bet I'm the only person on the planet capable of discovering multiple remote code execution flaws. I mean, otherwise we'd hear about black-markets for exploits. Hell, the NSA would probably even buy them from VUPEN or some such nonsense.

    4. Re:Pretty good in general by VortexCortex · · Score: 1

      So wait, Microsoft can be blamed for both Winodws8 AND climate change shills?!

      Talk about focusing on your core competency! MS is Genius!

    5. Re:Pretty good in general by sasparillascott · · Score: 1

      Great points. I've thought about the XP EOL issue as well. Unless MS changes plans somehow, is nearly all downside and not much upside. They've still got close to 40% of their user base on it - they drop the security updates and every new security update for the newer versions is just a road map on what to exploit in XP. If the users dump XP in large numbers and don't upgrade (go Linux, go Mac, go Chrome) MS looses big chunks of marketshare (further making things look worse for them).

      About the only upside is that they won't have to pay for the updates for XP, but since they have to do it for the newer versions anyways (and the updates often overlap) - it won't be saving alot of money.

      Seems like it'll be better to wait till the last month or two before turning things off (that way you've got all the upgraders upgraded) and then tell the world that they're going to keep XP updates going (or make them pay per use & make it cheap).

    6. Re:Pretty good in general by hweimer · · Score: 1

      There have been reports on 58 different remote code execution vulnerabilities in Internet Explorer 10 in 2013 alone. I would hardly call that "taped together quite well".

      --
      OS Reviews: Free and Open Source Software
    7. Re:Pretty good in general by Anonymous Coward · · Score: 0

      The 97% consensus figure is an outright lie.
      http://wattsupwiththat.com/2013/08/28/cooks-97-climate-consensus-paper-crumbles-upon-examination/

      The rest of it is partisan agenda driven flack - what part of the administration is paying you to SPAM /.?

    8. Re:Pretty good in general by Ravaldy · · Score: 1

      Chrome the favoured browser on /. had a fair share of remote execution vulnerabilities over the last year or so. I really wish MS would provide 2 versions of their IE. One of end users and one for Enterprise. The boat load of extra security features in IE = large gaps to cover in QC... Just my 2 cents. I don't really care what browser people use as long as it works with our internal applications. Currently our internal apps support all 3 major browsers. Safari is black listed due to it's known issues with AJAX.

    9. Re:Pretty good in general by Anonymous Coward · · Score: 0

      Part of this is because it's much easier (and more rewarding) to create malware that just sits and siphons off personal information.. Computers are being used way more for everything from banking and shopping than they were back in the days of Blaster..

      Sure, it's partially due to having better security. but definitely not the only reason..

  6. In Reality... by Anonymous Coward · · Score: 0, Funny

    "A limited Number of Targeted Attacks"

    Must be that all 25 of their IE users got hit so now they are trying to patch it.

  7. Why didn't they wait till after April 2014? by Anonymous Coward · · Score: 1

    The bad guys could have kept this secret till after the end-of-life for XP and made a mint.

    1. Re:Why didn't they wait till after April 2014? by Vanderhoth · · Score: 1

      I'm not sure that would have mattered. This is a browser issue, not an OS issue. TFS also states IE10 is included in the problem, which to my knowledge only runs on windows 8.

    2. Re:Why didn't they wait till after April 2014? by DigitalSorceress · · Score: 1

      IE10 is available for Win7 - in fact, you need to apply an "IE10 Blocker" to keep MS Automatic Updates from forcing it down your throat.

      Granted, from my experience, IE10 on Win7 is a bit different under the hood from IE10 on Win8 - I've run into quite a few issues where there was a problem in IE10 on Win7, but it was ok on Win8 - or vice versa.

      --

      The Digital Sorceress
    3. Re:Why didn't they wait till after April 2014? by VortexCortex · · Score: 1

      The bad guys could have kept this secret till after the end-of-life for XP and made a mint.

      Economics 101: That which is in increasing supply is priced lower.

      Exploits are caused by programming mistakes. In Windows there is a near boundless supply of exploit vectors, due to the quality of MS code... The only reason folks can sell Windows exploits at all is because security researchers are providing the labor to mine the exploits. Dirt is not scarce. You pay for dirt because of the labor others perform to move it about. It's the labor which is scarce, not the exploit vectors.

      The limiting factor is not number of exploits available to discover, but the number of users of the exploitable platform. Hence, economics 101 is at work here. The maximum return on investment is in the maximum number of exploitable systems.

      Folks are expected to increase migration away after XP EOL (AKA: WTF\r\n). Cashing in now is actually better, economically, than cashing in later.

  8. IE 11? by xdor · · Score: 1

    I thought IE 10 and after were sand-boxed? Or is it the nature of the buffer overrun that the injection gets CPU level access?

    According to the advisory they only get current user-level access. How do they run a buffer overrun exploit that actual stays in the user-context and doesn't go all the way to the CPU?

    1. Re:IE 11? by gbjbaanb · · Score: 1

      You believed the bulls^H^H hype?

      I liked that Microsoft admitted IE8 and IE9 were being hit, the implication being that IE10 is perfectly ok, completely unaffected and you should upgrade, but they're still going to patch it, you know, just to be on the safe side...

    2. Re:IE 11? by DarkOx · · Score: 1

      A buffer overrun does not by nature imply one can escalate privileges beyond the context of the user the process is running as.

      Most modern operating systems protect the memory region a process has been assigned to run in by the kernel. This is partially implemented with hardware support from the MMU so if the kernel has setup the hardware properly there are few ways for things to go wrong. In general a process cannot read or write to a memory region it does not own. When it tries it will be blocked and an interrupt will transfer execution back to the kernel which will do something about it.

      Usually when exploiting a buffer vulnerability you have to be careful not cause read or write outside the process space because the application will then crash and you lose your vector. So even without a sandbox ( beyond the basic per process memory protection the OS provides to every app), you don't get out of the user context unless you are able to inject some shell code and call some other libraries/syscalls/etc to get yourself additional privileges. This is Windows though so there is a good chance the user is already a Local Administrator and has more then enough privileges to pwn the box. Especially on IE 6/7 which are likely on XP where you don't have UAC.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  9. overwrites previously allocated virtual memory by raymorris · · Score: 2

    It sounds like the destruction of objects is incomplete, so the attacker can still write to that area of memory. It's certainly possible that it's writeable BECAUSE it's still associated with the process, which mean it runs in the context of that process. Additionally, it's likely that while the attacker can write to the memory, they can't arbitrarily execute it directly. Rather, they have to cause IE to execute it, in which case it would run with the privileges IE has when IE runs it.

    A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.

    Yes, I'm aware that on Windows 8 Microsoft has attempted to sandbox the browser. Like putting a lion in a cage, that works until the lion reaches through the bars. It doesn't compare to using a browser such as Firefox which does not have the potential harmful abilities baked in. No need to sandbox something that doesn't exist.

    1. Re:overwrites previously allocated virtual memory by yuhong · · Score: 1

      A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.

      Huh? All process you start after log in have the same privileges as the user you are logged into.

    2. Re:overwrites previously allocated virtual memory by raymorris · · Score: 1

      My language was unclear. In Explorer, you can go to "My Computer" and choose "Format Drive". Windows Explorer IS Internet Explorer, showing a different menu bar.

      In Chrome, Firefox or Seamonkey, there is no "format drive" function. Browsers don't need, and should not have, the ability to reformat your hard drive. That decision to combine the system shell with the browser is the underlying cause of the severity of many Explorer security issues.

    3. Re:overwrites previously allocated virtual memory by Anonymous Coward · · Score: 0

      You seem to have a very outdated view of things.

      1. IE was de-integrated from the shell in IE7.
      2. By default, applications can always do anything the user can do. This has nothing to do with being integrated into the shell, that's just how privileges work (on all the major OS's). The application (or a third-party wrapper around the application) must be deliberately added to reduce its privileges -- that's what sandboxing is.
      --- The exception is that the user has a limited ability to do things like type passwords for secure elevation, a la sudo or UAC, since they have physical access to input devices that run at a privilege level higher than the user privilege level. That privilege has never been extended to IE.
      3. Since IE8, IE has run in less privileges than the user. AFAIK the only other browser that does that is Google Chrome (certainly the only other one whose done it for a comparable length of time), which sandboxes in a very similar fashion.
      4. Your last paragraph shows a fundamental misunderstanding of what a sandbox is. The harmful ability baked in is better known as "not having a sandbox".

      In IE4-IE6 there were legitimate reasons to be concerned about the integration with the Shell. The really embarrassing security issue with IE was ActiveX auto-install which was addressed a zillion years ago, though.

    4. Re:overwrites previously allocated virtual memory by yuhong · · Score: 1

      That decision to combine the system shell with the browser is the underlying cause of the severity of many Explorer security issues.

      Evidence?

    5. Re:overwrites previously allocated virtual memory by raymorris · · Score: 1

      Here are 1.3 million pieces of evidence:
      https://www.google.com/search?q=IE+security+zone+exploit

      As explained US_CERT, the US Computer Emergency response team:

      > There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model,
      > local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular,
      > proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI),
      > and ActiveX. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an
      > attacker significant access to the operating system.

      Microsoft winked a acknowledgement the root of the problem yesterday with their advisory about this particular
      vulnerability. Microsoft's advisory says:

      > By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML
      > email messages in the Restricted sites zone.

      That's as opposed to the Local Intranet Zone, the Trusted Sites Zone, etc. IE opens content in the restricted zone (cage) and hope that there isn't a leak, like hoping that lion doesn't reach out of the cage. (and hope that IE picked the right zone to start with - web sites and batch files are both .com addresses.) Opera doesn't need to try to keep web sites from accessing functions in the local computer zone - there is no local zone, it just does web sites.

      If your browser doesn't run shell batch files and registry patches, it doesn't have to decide which batch files to run in what context. It simply doesn't run batch files, or do anything else but show web pages.

    6. Re:overwrites previously allocated virtual memory by yuhong · · Score: 1

      I think they locked down the local machine zone in XP SP2: http://blogs.msdn.com/b/ieinternals/archive/2011/03/23/understanding-local-machine-zone-lockdown-restricted-this-webpage-from-running-scripts-or-activex-controls.aspx

  10. No sensational headlines? by hAckz0r · · Score: 3, Interesting
    That because the threat has changed. Now it's about botnets and making a long term profit, not just scaring people senseless. If the botnet is not completely stealth then it is not successful, and dies an early death. The current set of botnets are almost military grade software, out there waiting for the highest bidders line of work. The problem has not gone away, its just gone underground where only the most talented admins can even find or track them.

    .
    Botnet Command and Control map:
    https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotnetMaps#botnet

  11. Incomplete headline by gmuslera · · Score: 1

    New IE Remote Code Execution Vulnerability Discovered... 3 years ago, reported to Microsoft, that reported it to the NSA, that took advantage of it all that time. Now a new, safer backdoor that only they should exploit is being deployed thru the fix for this vulnerability.

    Is all those new slashdot redesigns, headlines can't hold all the relevant information anymore.

  12. guess by beefoot · · Score: 1

    If I were to guess, NSA and MS must have coded the back door themselves.

  13. Translation by Anonymous Coward · · Score: 0

    NSA: Dear Microsoft, too many foreign parties are now using our vulnerability, time to replace it with a new one.

  14. What's Internet Explorer? by LostMyBeaver · · Score: 1

    I think I remember using it once. But the alternative was Netscape 4.

  15. Flaws, who has critical flaws by Anonymous Coward · · Score: 0

    But don't mention the critical Firefox flaws, because its against /. groupthink

    http://www.theregister.co.uk/2013/09/18/firefox_24_update/