Slashdot Mirror


New IE Remote Code Execution Vulnerability Discovered

An anonymous reader writes "Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a 'limited number of targeted attacks' specifically directed at IE8 and IE9."


  1. Re:News for nerds? by Anonymous Coward · · Score: 2, Insightful

    Come on now, someone will have to repair the machines of those who don't use a real browser.

  2. Re:News for nerds? by Mitchell314 · · Score: 4, Insightful

    A commonly used program has a long running vulnerability. I would definitely say that's right up /.'s alley.

    --
    I read TFA and all I got was this lousy cookie
  3. Re:News for nerds? by ameen.ross · · Score: 2

    I see what you did there, but some IT guys / nerds work for companies that have managers that force IE down their departments' throats. Then when something goes wrong they blame it on the IT folks. News like this just gives us some plausible deniability for such cases.

    --
    $(echo cm0gLXJmIC8= | base64 --decode)
  4. Internet Explorer 6? by ArcadeMan · · Score: 3, Insightful

    Even Microsoft sent flowers to the mock funerals. And now they're digging out the grave to patch a corpse?

    1. Re:Internet Explorer 6? by Anonymous Coward · · Score: 4, Interesting

      Even Microsoft sent flowers to the mock funerals. And now they're digging out the grave to patch a corpse?

      You can be pretty sure they would rather not have to work on it, but they've committed to supporting it until Spring 2014.

      They've made a rod for their own back with that one, but that's how it is.

      The really exciting bit will be when IE6 support finally does come to an end. I'd be willing to bet there are people who've found exploits but are holding back from using them until then. My bet is that anyone still using IE6 on the day of the last security patch will be hacked into oblivion by the end of that week.

    2. Re:Internet Explorer 6? by linebackn · · Score: 2

      It is because back in the 1990s Microsoft intermingled parts of their OS and browser and insisted their browser was "integrated" in such a way that it could not be removed.

      As everyone can clearly see now, this was a dumb thing to do. They did it purely to dissuade vendors from bundling other competing browsers. But now they are committed to supporting the OS and browser as the same piece of software.

      Had they not "integrated" the products, even if they had bundled them, they could have chosen to EOL the browser application version prior to the operating system.

    3. Re:Internet Explorer 6? by yuhong · · Score: 2

      Actually IE6 is supported until July 2015 if you count Server 2003. And BTW IE7 is supported until January 2020 if you count Server 2008. I wonder how much it costs to support each version of IE for MS.

  5. Pretty good in general by jones_supa · · Score: 3, Informative

    Things like this happen, but I have to say that these days Microsoft has mostly taped Windows together quite well. We don't anymore see sensational headlines like "Blaster worm infects millions of computers". So for the 6.x core things are way better than in the past. However the EOL'ing of Windows XP will probably zombify heaps of machines.

  6. Re:News for nerds? by Anonymous Coward · · Score: 4, Funny

    IE is a very good browser these days. I'm not even joking.

  7. overwrites previously allocated virtual memory by raymorris · · Score: 2

    It sounds like the destruction of objects is incomplete, so the attacker can still write to that area of memory. It's certainly possible that it's writeable BECAUSE it's still associated with the process, which means it runs in the context of that process. Additionally, it's likely that while the attacker can write to the memory, they can't arbitrarily execute it directly. Rather, they have to cause IE to execute it, in which case it would run with the privileges IE has when IE runs it.

    A security problem there is that since IE4, IE has been integrated with the system shell. Therefore, IE privileges are shell privileges - anything the user can do, the browser can do. For this reason, I much prefer a browser that is only a browser, not another view of the system shell. A browser that's just a browser can only screw up web pages, not the entire system.

    Yes, I'm aware that on Windows 8 Microsoft has attempted to sandbox the browser. Like putting a lion in a cage, that works until the lion reaches through the bars. It doesn't compare to using a browser such as Firefox which does not have the potential harmful abilities baked in. No need to sandbox something that doesn't exist.

  8. No sensational headlines? by hAckz0r · · Score: 3, Interesting

    That's because the threat has changed. Now it's about botnets and making a long term profit, not just scaring people senseless. If the botnet is not completely stealth then it is not successful, and dies an early death. The current set of botnets are almost military grade software, out there waiting for the highest bidder's line of work. The problem has not gone away, it's just gone underground where only the most talented admins can even find or track them.

    .
    Botnet Command and Control map:
    https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotnetMaps#botnet

  9. Re:News for nerds? by KingMotley · · Score: 2

    The number of letters required to spell its name of course. IE wins, hands down!