Slashdot Mirror


Microsoft Issues Advisory For Internet Explorer Vulnerability

jones_supa (887896) writes "Neowin reports how Microsoft made a rare weekend post on its Security Response Center blog to announce an advisory that affects all currently supported versions of Internet Explorer (versions 6 to 11). The issue is based on a newly discovered exploit that could be used against the web browser. The vulnerability exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated. Memory may be corrupted in a way that could allow an attacker to execute arbitrary code in the context of the current user. Microsoft is aware of 'limited, targeted attacks' that have used the exploit. IE 10 and 11 are protected against attacks using this exploit if they have their Enhanced Protected Mode turned on. PCs that have either the Enhanced Mitigation Experience Toolkit 4.1 or the EMET 5.0 Technical Preview installed are also secured against this security hole. Microsoft will take the appropriate action to protect its customers by delivering a security update."
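
The summary describes the bug class in one sentence: the browser dereferences an object that has already been deleted. The C below is an added illustration of that shape and of the usual fix, not code from the advisory, from Microsoft or from IE; the `node_t` struct, its function-pointer slot (standing in for a C++ vtable entry) and every function name are invented for the example. The vulnerable routine is kept in the file to show the pattern but is deliberately never called, because running it is undefined behaviour.

```c
/* Added example, not from the advisory or the thread: a minimal C model of a
 * use-after-free, beside a hardened version with explicit ownership.
 * All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef struct node {
    void (*on_event)(struct node *);  /* stands in for a vtable slot */
    int id;
} node_t;

static void real_handler(node_t *n) { printf("event on node %d\n", n->id); }

static node_t *node_new(int id) {
    node_t *n = malloc(sizeof *n);
    if (!n) return NULL;
    n->on_event = real_handler;
    n->id = id;
    return n;
}

/* VULNERABLE: frees the node while the caller still holds a pointer to it,
 * then dereferences that dangling pointer. Whatever the allocator placed in
 * the freed block (in a browser, often attacker-shaped data) now decides
 * where the indirect call goes. Shown for the shape of the bug only;
 * nothing in this file calls it. */
void vulnerable_dispatch(node_t *n) {
    free(n);          /* e.g. a tree mutation released the object early */
    n->on_event(n);   /* use after free: call through freed memory */
}

/* HARDENED: the owner releases through a pointer-to-pointer, so the slot is
 * poisoned, the block freed, and the caller's variable set to NULL in one
 * step. Any later dispatch through that variable is refused. This only
 * covers the one alias that was passed in; code with several owners needs
 * reference counting, which is out of scope for this example. */
static void node_release(node_t **pn) {
    if (pn && *pn) {
        (*pn)->on_event = NULL;   /* poison before free */
        free(*pn);
        *pn = NULL;
    }
}

/* Returns 0 if the event was dispatched, -1 if the object is gone. */
static int safe_dispatch(node_t *n) {
    if (n == NULL || n->on_event == NULL) return -1;
    n->on_event(n);
    return 0;
}

/* Dispatch on a live object: expected 0. */
int dispatch_live_object(void) {
    node_t *n = node_new(7);
    if (!n) return -2;
    int rc = safe_dispatch(n);
    node_release(&n);
    return rc;
}

/* Dispatch after release through the hardened path: expected -1, because
 * node_release() nulled our pointer instead of leaving it dangling. */
int dispatch_released_object(void) {
    node_t *n = node_new(8);
    if (!n) return -2;
    node_release(&n);
    return safe_dispatch(n);
}

int main(void) {
    printf("live object: %d\n", dispatch_live_object());
    printf("released object: %d\n", dispatch_released_object());
    return 0;
}
```

The point of the hardened half is that the dangling pointer never exists, rather than that the deref is caught afterwards; mitigations such as EMET, mentioned in the summary, work on the other side of that line by making the corrupted call harder to turn into code execution.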


  1. Windows XP by Jagungal · · Score: 5, Interesting

    I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.

    1. Re:Windows XP by yuhong · · Score: 2

      What is funny is that the current exploits do not target XP.

    2. Re:Windows XP by turkeydance · · Score: 1

      Amazing. XP might be overlooked by malware.

    3. Re:Windows XP by SumDog · · Score: 1

      It's the new OS/2

    4. Re:Windows XP by slowdeath · · Score: 1

      Probably Microsoft did not list XP because it is "no longer supported..." Some of the IE versions listed certainly do run on XP.

    5. Re:Windows XP by suss · · Score: 1

      Meanwhile, people will be wondering if this vulnerability has been known for at least a month, possibly much longer, because those Windows 8 licenses haven't been selling as well as expected...

    6. Re:Windows XP by SpaceLifeForm · · Score: 1
      Funny by happenstance? Or Funny by design?

      Perhaps this is a ploy to drive sales of the garbage known as windows 8.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    7. Re:Windows XP by Neo-Rio-101 · · Score: 1

      They'd be absolutely stupid to not capitalize on this and push people to the poker-machine-look-a-like Windows 8

      --
      READY.
      PRINT ""+-0
    8. Re:Windows XP by denbesten · · Score: 2

      > What is funny is that the current exploits do not target XP.

      More likely is that Microsoft is no longer testing/reporting on XP, so we do not know if it is vulnerable or targeted. Given that the vulnerability is with the browser, it seems likely that XP would be vulnerable. The significant difference being that the forthcoming MS hot-fix may or may not install on XP and definitely will not apply via automatic updates.

    9. Re:Windows XP by yuhong · · Score: 1

      I mean in the sense that people have been predicting the rise of WinXP exploits after it ended support. And the April 2014 date comes from 2 years of mainstream support after Vista was released plus 5 years of extended support afterwards BTW.

    10. Re:Windows XP by Culture20 · · Score: 1

      That's the thing: XP no longer receives security patches. It's reached EOL.

    11. Re:Windows XP by Skuld-Chan · · Score: 2

      XP users will still get patches for individual products like Office and IE.

    12. Re:Windows XP by SpaceLifeForm · · Score: 1

      But his Billness said that IE is part of the OS!

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    13. Re:Windows XP by Bing+Tsher+E · · Score: 1

      That was back with Windows 98. Explorer.exe was integrated with IE back then. They ended that because your browser shouldn't crash your whole desktop.

      Get with the times.

    14. Re:Windows XP by Kalriath · · Score: 1, Insightful

      Not really, it's just as relevant. XP is 12 years old, hasn't been on sale for about 5 years, and is no longer supported. There are multiple upgrade paths including Windows 7, Windows 8, OS X (well, if you buy a Mac) and even Linux. If the Linux Kernel team isn't expected to continue patching the 2.4 kernel, why should Microsoft be expected to keep patching XP?

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    15. Re:Windows XP by NJRoadfan · · Score: 1

      It's very likely a patch will be made for Windows Embedded POSReady 2009. We'll see what pops up on Windows Update next month. Since it's basically XP SP3, it's likely someone will "crossport" the patch to retail XP.

    16. Re:Windows XP by reikae · · Score: 2

      From the Fisher-Price Windows XP to the poker-machine-look-a-like Windows 8 :-)

    17. Re:Windows XP by buhusky · · Score: 1

      This is an IE issue, not an XP issue. IE 8 is still supported last time I checked?

    18. Re:Windows XP by JDG1980 · · Score: 1

      I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.

      Since this appears to be an IE-specific exploit, couldn't they mitigate by using Chrome or Firefox instead?

      Admittedly, that may not be a feasible solution for the dinosaur businesses stuck with IE6 ActiveX apps, but for Grandma it should work fine. (And these dinosaur businesses can pay out the nose for extended support from MS.)

    19. Re:Windows XP by HideyoshiJP · · Score: 1

      Let's not forget that Server 2003 is still supported...

    20. Re:Windows XP by Kalriath · · Score: 1

      No, just you.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  2. Re:In other news ... by Joe_Dragon · · Score: 3, Informative
  3. Be glad it's not Open Source by Teun · · Score: 4, Funny

    Be glad it's solid commercial software developers were paid for.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:Be glad it's not Open Source by cavebison · · Score: 1

      Be glad it's solid commercial software developers were paid for.

      As opposed to OpenSSL you mean?

  4. To paraphrase Ballmer... by msobkow · · Score: 1

    To paraphrase Ballmer...

    "Linux, Linux, Linux!"

    --
    I do not fail; I succeed at finding out what does not work.
  5. Re:In other news ... by Anonymous Coward · · Score: 4, Funny

    How else are you supposed to download Chrome or Firefox on Windows?

  6. IE6 by SumDog · · Score: 1

    Wait...IE6 is still supported? WTF?!

    1. Re:IE6 by viperidaenz · · Score: 1

      Until 14/07/2015!

      IE7 is around until 14/01/2020 thanks to Windows Server 2008.

    2. Re:IE6 by Billly+Gates · · Score: 1

      This was from a Windows 7 system

    3. Re:IE6 by bloodhawk · · Score: 1

      Actually no. Even on Windows 2003 it is NOT supported any more. You either need to upgrade to a supported version or be without support for that part of the system.

    4. Re:IE6 by viperidaenz · · Score: 2

      Click the learn more link on that page. It's specifically for Windows XP.

      If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.

      I don't see where it says Windows Server 2008 support is affected.

      The security announcement for this exploit specifically mentions all affected supported software, including IE6 on Windows Server 2003 Service Pack 2.
      Microsoft can't say "Yes we support the OS at this Service Pack level, except this specific fundamental component that cannot be removed, you need to install a different version of it that doesn't quite work the same."

    5. Re:IE6 by viperidaenz · · Score: 1

      It's supported on the latest supported service pack for all Windows products.
      Which means IE6 is supported on Win 2003 SP2 for x86, x64 and Itanium.

    6. Re:IE6 by viperidaenz · · Score: 4, Interesting

      You forgot the fact that only IE6 and IE7 are available for Windows 2003 Itanium. That's supported until next year.
      Windows Server 2008 Itanium only supports up to IE8, which is supported until 2020.

      That page is specific to XP. Click the "learn more" link just after the quoted text you pasted.

    7. Re:IE6 by yuhong · · Score: 1

      I believe this is an error.

    8. Re:IE6 by LordLimecat · · Score: 1

      I don't think it's that big a deal: how many viruses are targeting Itanium?

    9. Re:IE6 by LordLimecat · · Score: 1

      IE8 is supported still:
      http://en.wikipedia.org/wiki/I...
      You can also check the lifecycle on MS's website, which seems to indicate 10 years (5 standard, 5 extended) support for IE. That jibes with what Wikipedia is saying, particularly with IE7 (2006) being in extended support.

    10. Re:IE6 by LordLimecat · · Score: 1

      Internet Explorer is considered a separate product. It's not "the GUI".

    11. Re:IE6 by viperidaenz · · Score: 1

      The point is, IE6, 7 and 8 are still supported despite the claims of parent posts.

    12. Re:IE6 by Bing+Tsher+E · · Score: 1

      In a similar vein, Internet Explorer runs on Solaris, since there once was a version that did.

      To paraphrase a very bad politician, "At this point, what difference does it make?"

    13. Re:IE6 by operagost · · Score: 1

      Well, Win2K3 SP2 is still supported, and it can run IE 6. That doesn't mean IE 6 should be supported, but they do mention it in the KB article.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    14. Re:IE6 by toddestan · · Score: 1

      You need to learn Microsoft's various levels of support so you aren't talking out of your ass. Extended support is what comes after mainstream support. Mainstream support is when the OS gets new features, functionality, and new versions of packaged software like IE and WMP via Windows Update. When the product goes into extended support, you only get security patches and bug fixes, but nothing new. Extended support is still free for anyone with a valid license. Extended support is what just ended for XP, five years after mainstream support ended in April 2009. Vista is in extended support for another 3 years. Windows 7 is still in mainstream support until the start of next year after which it goes into extended support until sometime in 2020. After ended support comes the custom paid support where you can still get security patches and bug fixes for a price. I don't know how long Microsoft will keep that up, but my guess is that if you have deep enough pockets Microsoft will support you for a long time.

      I guess the whole point of this discussion is that Microsoft still has versions of Windows with IE6 & 7 in extended support for another couple of years. Considering that IE6 came out in 2001 and installs as far back as Windows 98 that's an incredibly long time for a web browser.

    15. Re:IE6 by LordLimecat · · Score: 1

      That's not correct. If you rip out the iexplore internals using a tool like nLite, a whole bunch of things break, but the GUI isn't one of them, nor is the shell.

  7. Re:In other news ... by TechyImmigrant · · Score: 2

    >How else are you supposed to download Chrome or Firefox on Windows?

    wget.

    Oh no. That's Linux.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  8. Re:In other news ... by Anonymous Coward · · Score: 4, Informative

    Maybe

    ftp.exe -A ftp.mozilla.org
    cd /pub/mozilla.org/firefox/releases/latest/
    ls ...
    binary
    get ...

  9. Re:Uninstall IE6? by gadget+junkie · · Score: 1

    Browsers other than IE are not affected and/or can be patched. Can someone remind me how to uninstall IE from Windows?

    you cannot, as per testimony by the company in the antitrust investigation. I do wonder how to translate "schmucks" in legalese.

    --
    "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
  10. Re:Uninstall IE6? by viperidaenz · · Score: 1

    You can't, without replacing the entire shell.
    You can delete the shortcuts, but the rendering engine must stay as it's used by many other things including countless 3rd party products.

  11. IE 8 no longer supported and 0wned! by Billly+Gates · · Score: 1

    I did a re-image of a computer and saw this

    Since corporations like my own use IE 8 with low rights mode with sandboxing and protected mode turned off so they can run compromised certificates for ancient java I wonder if we will get patched?

    This is much scarier as we handle HIPAA and credit card information and can be hacked.

  12. Re:Uninstall IE6? by X10 · · Score: 1, Troll

    Of course you can. You uninstall IE6 by uninstalling Windows. Then you install Ubuntu, and you have a choice of Firefox or Chrome.

    --
    no, I don't have a sig
  13. Re:Uninstall IE6? by greg1104 · · Score: 1

    Can someone remind me how to uninstall IE from Windows?

    fdisk /dev/sda

  14. C strikes again! by Animats · · Score: 1, Funny

    Another vulnerability due to C's poor handling of pointers.

    1. Re:C strikes again! by BetterThanCaesar · · Score: 1

      > Actually, C does not try to handle pointers at all. It treats them just like a long int (with the appropriate cast) [...].

      That's not actually true. First of all, there is no direct connection between the size of pointers and the size of long int. That is platform and implementation dependent. Secondly, at compile-time, pointer arithmetic differs a lot from that of integers. You cannot add two pointers. You can subtract two pointers to the same type (except void); that will give you the number of elements between them, in the ptrdiff_t type. (In theory, that's only possible if the pointers point to the same array, but the compiler can't know if that's true in the general case.) You can add an integer to a non-void pointer. Adding N to a pointer p is the same as &p[N], i.e. you get a pointer to the Nth element.

      --
      "Stop failing the Turing test!" -- Dilbert
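The reply above states the C rules from memory; here they are as code that can be compiled and checked. This is an added example, not code from either commenter; the array and function names are invented for it.

```c
/* Added example, not from the thread: the pointer-arithmetic rules stated
 * in the reply above, written as functions whose results can be checked.
 * sample_array and all function names are invented for this illustration. */
#include <stddef.h>
#include <stdio.h>

int sample_array[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */

/* Subtracting two pointers into the same array yields the number of
 * elements between them, as a ptrdiff_t, not the byte distance. */
ptrdiff_t elements_between(const int *a, const int *b) { return b - a; }

/* The same distance in bytes, obtained by casting to char * first. */
ptrdiff_t bytes_between(const int *a, const int *b) {
    return (const char *)b - (const char *)a;
}

/* p + n and &p[n] denote the same pointer. */
int nth_matches_index(int *p, int n) { return (p + n) == &p[n]; }

/* Adding an integer to an int * advances by sizeof(int) bytes per step; the
 * compiler does the scaling. A void * has no element size, which is why
 *   void *v = sample_array; v + 1;
 * does not compile in standard C, and why a + b for two pointers is rejected:
 * the type system has no meaning for the sum of two addresses. */
size_t step_in_bytes(void) { return sizeof(int); }

/* Whether a pointer is the size of a long is a platform property, not a
 * language rule: on LP64 Linux this returns 1, on 64-bit Windows (LLP64) 0. */
int pointer_size_equals_long(void) { return sizeof(void *) == sizeof(long); }

/* Pointer comparison and increment are only defined while p stays inside
 * the array or one past its end; this loop never leaves that range. */
int sum_via_pointer_walk(const int *arr, size_t n) {
    int total = 0;
    for (const int *p = arr; p < arr + n; ++p) total += *p;
    return total;
}

int main(void) {
    printf("elements between [1] and [5]: %td\n",
           elements_between(&sample_array[1], &sample_array[5]));
    printf("bytes between [1] and [5]:    %td\n",
           bytes_between(&sample_array[1], &sample_array[5]));
    printf("p + 3 == &p[3]: %d\n", nth_matches_index(sample_array, 3));
    printf("sizeof(void *) = %zu, sizeof(long) = %zu, equal: %d\n",
           sizeof(void *), sizeof(long), pointer_size_equals_long());
    printf("sum: %d\n", sum_via_pointer_walk(sample_array, 8));
    return 0;
}
```

The ptrdiff_t result of `elements_between` is the part worth remembering when reading memory-corruption bugs: an off-by-one in element units becomes a four- or eight-byte overwrite once the compiler scales it.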
  15. How do you find the FTP hostname and path? by tepples · · Score: 1

    That would work for someone dead-set on avoiding loading IE at all costs. But in practice, I imagine that most people aren't going to discover the hostname "ftp.mozilla.org" or the path string "/pub/mozilla.org/firefox/releases/latest/" very easily, especially without using either IE or another computer.

  16. How is wget practical for most? by tepples · · Score: 1
    On several GNU/Linux distributions, Firefox and Chromium are available through the built-in app store. (Or should I say "APT store"?) But let's assume for a moment that Wget.exe for Windows is installed to a folder on the %Path%.

    C:\Users\pino>wget
    wget: missing URL
    Usage: wget [OPTION]... [URL]...

    Try `wget --help' for more options.

    How is the median user (not an outlier technophile like much of the Slashdot population) expected to parse out a download URL from the result of wget http://getfirefox.com/ or wget http://mozilla.org/ without using IE?

    1. Re:How is wget practical for most? by unrtst · · Score: 2

      This whole line of thought is broken by bad assumptions. You ask:

      How is the median user (not an outlier technophile like much of the Slashdot population) expected to parse out a download URL from the result of wget http://getfirefox.com/ [getfirefox.com] or wget http://mozilla.org/ [mozilla.org] without using IE?

      If you didn't include those URLs, you'd be closer to having a point. However, you did include them. Where'd they get those? They can get the download URL from the same place (maybe it was a friend, or an email, or an IM, or off a magazine ad... I have no idea).

      You also added in the condition that it be for a median user, which the AC that TechyImmigrant was replying to did not include.

      For a median user, they'll probably keep using whatever was installed when they bought their system, or maybe something someone else installed for them.
      Slightly above that, it depends on their OS. If on Windows, they'll probably use IE, search Bing for Firefox or Chrome, and click around (duh).
      That still doesn't apply to the question... how else are you supposed to download?

      That's a great question. You can't even use a naive "telnet getfirefox.com 80"... that'll just get you a 403 forbidden! If you include the "Host: getfirefox.com", then it'll give you a redirect to https://www.mozilla.org/firefo...
      NOTE: that's https... if you try to go to the non-ssl version, it just redirects to the HTTPS again. So you can't get that without something like "openssl s_client -connect www.mozilla.org:443", and I don't think you'll find that on windows.

      ftp works with a little digging through ftp.mozilla.org (assuming you know that url). Finding the binary is pretty easy. One needs to know some basics, but it's one of the easiest protocols out there. Ok for a median user? probably not. But it IS an option.

      You could also have someone email it to you (if you can get files that big), or send you a CD or thumb drive with it (ex. your kind sysadmin at work might do this for you if you ask nice just to get rid of another IE 6 user). This technique worked for newbs back in the day (aol cd's and floppies anyone?), so why not now?

    2. Re:How is wget practical for most? by tepples · · Score: 2

      My point is that it's more practical to use IE for a few minutes to download Firefox and/or Chrome and then stop using IE.

    3. Re:How is wget practical for most? by mrbcs · · Score: 1
      How about, I don't know, USE ANOTHER COMPUTER!!!!!

      We now have these wonderful devices called flash drives. I think one of those might work. /sarcasm

      In this day and age, I'm pretty sure everyone can find either another computer or a family member to download a 20 meg (or so) file for them.

      --
      I'm not anti-social, I'm anti-idiot.
    4. Re:How is wget practical for most? by TechyImmigrant · · Score: 2

      >For a median user

      There's only one median user. We should find him/her and show him/her how to do it.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  17. Re:You should get a better mortgage company by tepples · · Score: 1

    What prevents you from refinancing? Does refinancing cost substantially more than a copy of Windows 8.1 to run in a virtual machine?

  18. What's a real distro? by tepples · · Score: 1

    To avoid a "no true Scotsman" fallacy, I'd like to know what definition of "real distro" you plan on using.

  19. IE (and its holes) are "deeply integrated w the OS by raymorris · · Score: 2

    Also very interesting is WHY it can't be removed. According to Microsoft's testimony, IE is "deeply integrated with the OS" and removing it would make the OS no longer work. If it's deeply integrated into the OS and it's full of huge security holes ...

    Quite apart from the number of bugs, I'm very glad that Firefox is just a web browser. All it does is display web pages. So Firefox bugs basically just affect web pages. Any problems with Firefox are not problems that go deep into the OS.

  20. Re:In other news ... by LordLimecat · · Score: 1

    You can always use FTP, though its pretty miserable.

  21. The exploit requires Flash by SpaceLifeForm · · Score: 1
    Link

    I suspect this exploit has existed for many years now, probably used by NSA too.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  22. Re:In other news ... by Culture20 · · Score: 1

    Powershell can download via http. So can vbscripts.

  23. Re:You should get a better mortgage company by Ol+Olsoc · · Score: 1

    Why do you support people who do that?

    You can't always choose who your mortgage gets sold to.

    Automatic deduct?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  24. a) Konqueror is not the system shell. b) MS testif by raymorris · · Score: 1

    A) Konqueror is not the system shell. Explorer is.

    Still, as I said "I'm glad Firefox is just a web browser ...". Do you see the words Konqueror or KDE in that sentence? I'm comparing IE and Firefox. The fact that Konqueror does something else silly isn't really directly relevant.

    B) As I said, Microsoft execs testified that IE is deeply intertwined with the Windows OS. I guess you're not aware that an OS is more than just a kernel, so you think Microsoft was committing perjury when they testified to those facts.

    It's amazing how far delusional fanbois will go to defend Microsoft, "they didn't make a big security blunder, they all just systematically perjured themselves for several months". Even if you believe that, is perjury somehow better than screwing up?

  25. IE is easily removed? I guess Microsoft was lying by raymorris · · Score: 1

    > it's easily detected + removed by processexplorer

    IE is easily removed? I guess Microsoft was lying.
    What you don't seem to get is that IE is the exploitable process, and it's essential to the system. It's a readily exploitable process that can't be removed mainly because if you do remove it, the system stops working.

  26. Fuckwit. by Anonymous Coward · · Score: 1

    Because it's a local privilege escalation vulnerability and not a remote visit-this-website-and-get-fucked vulnerability? Fuckwit.

  27. Re:a) Konqueror is not the system shell. b) MS tes by zbaron · · Score: 1
    Because, as GGGGGGGGGGGP asked

    Can someone remind me how to uninstall IE from Windows?

  28. Re:In other news ... by hawkinspeter · · Score: 1

    Care to provide a simple/one-liner as an example?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  29. Re:In other news ... by flyingfsck · · Score: 1

    Actually Windows does come with a command line FTP client that can be used to download Firefox/Chrome. You just need a Linux user to execute it for the clueless Windows user...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  30. Re:In other news ... by Gumbercules!! · · Score: 1

    Invoke-WebRequest http://www.google.com/ -OutFile c:\google.html

  31. Re:In other news ... by hawkinspeter · · Score: 1
    From a DOS window:

    'Invoke-WebRequest' is not recognized as an internal or external command, operable program or batch file.

    From a PowerShell:

    The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    Am I doing something wrong?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  32. Re:In other news ... by Anonymous Coward · · Score: 1

    Powershell defeats the point. Powershell doesn't come with WinXP, so it must be downloaded, which probably shouldn't be happening until after Chrome or Firefox are downloaded.
    WSH (JScript or VBScript) can be used as an option to get a file using HTTP, without needing to download another program. However, needing to type lines of code doesn't really count as a workable method that relies exclusively on code that comes with WinXP.

  33. Re: In other news ... by Gumbercules!! · · Score: 1

    http://technet.microsoft.com/e... Using an old version of powershell?

  34. Re: In other news ... by hawkinspeter · · Score: 1

    Care to provide a simple/one-liner as an example of how to read that link?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  35. Re: In other news ... by Gumbercules!! · · Score: 1

    Ha! I'd give you mod points for that if I could. That's the first time I have ever tried to post using the new Beta interface on a mobile and it munted the link badly.

    http://technet.microsoft.com/en-us/library/hh849901.aspx is the link.

    That requires powershell 3. Prior to that you could use: System.Net.WebClient but the Invoke-WebRequest is far easier.

  36. Re: In other news ... by hawkinspeter · · Score: 1

    I was trying it on an old XP virtual machine and it looks to be version 2 of PowerShell.

    Isn't there an easy one-line that would work on XP and above? (i.e. an analog of wget for windows).

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  37. Re: In other news ... by Gumbercules!! · · Score: 1

    $client = new-object System.Net.WebClient
    $client.DownloadFile( $url, $path )

    Probably works on Powershell 2 however I think it requires the .NET framework installed. Powershell wasn't that good until later versions. I have to say, current versions are actually extraordinarily powerful, when working with other Microsoft technologies, like Hyper-V or Exchange but the early versions were no reason to leave VBScript.

  38. Re:In other news ... by TechyImmigrant · · Score: 1

    C:\>wget
    'wget' is not recognized as an internal or external command,
    operable program or batch file.

    C:\>

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  39. Re:In other news ... by Anonymous Coward · · Score: 1

    Be sure to go to Program Features to enable FTP, because it's not available in Windows by default.

  40. Re:In other news ... by dtfinch · · Score: 1

    XP comes with a perfectly good command line ftp client, ported from BSD.

  41. Re: In other news ... by hawkinspeter · · Score: 1

    Thanks, that works.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  42. Re:In other news ... by Nofsck+Ingcloo · · Score: 1

    WGET is available for Windows and it runs fine.
    http://gnuwin32.sourceforge.ne...

  43. Re:In other news ... by TechyImmigrant · · Score: 1

    And how are you supposed to get it if you don't have a browser?

    wget?

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  44. Re:In other news ... by RockDoctor · · Score: 1

    Has been on every version of Windoze which I've tried it on for ... I don't know how long. Going back into the 1990s at least. I honestly can't remember if it was in Win 3.11, which I was using until about 2000.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"