Microsoft Issues Advisory For Internet Explorer Vulnerability
jones_supa (887896) writes "Neowin reports how Microsoft made a rare weekend post on its Security Response Center blog to announce an advisory that affects all currently supported versions of Internet Explorer (versions 6 to 11). The issue is based on a newly discovered exploit that could be used against the web browser. The vulnerability exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated. Memory may be corrupted in a way that could allow an attacker to execute arbitrary code in the context of the current user. Microsoft is aware of 'limited, targeted attacks' that have used the exploit. IE 10 and 11 are protected against attacks using this exploit if they have their Enhanced Protected Mode turned on. Also, PCs that have either the Enhanced Mitigation Experience Toolkit 4.1 or the EMET 5.0 Technical Preview installed are also secured against this security hole. Microsoft will take the appropriate action to protect its customers by delivering a security update."
I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.
http://www.pressthered.com/atm...
Be glad it's solid commercial software developers were paid for.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
How else are you supposed to download Chrome or Firefox on Windows?
>How else are you supposed to download Chrome or Firefox on Windows?
wget.
Oh no. That's Linux.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Maybe
/pub/mozilla.org/firefox/releases/latest/ ... ...
ftp.exe -A ftp.mozilla.org
cd
ls
binary
get
Click the learn more link on that page. It's specifically for Windows XP.
If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.
I don't see where it says Windows Server 2008 support is affected.
The security announcement for this exploit specifically mentions all affected supported software, including IE6 on Windows Server 2003 Service Pack 2.
Microsoft can't say "Yes we support the OS at this Service Pack level, except this specific fundamental component that can not be removed, you need to install a different version of it that doesn't quite work the same."
You forgot the fact that only IE6, IE7 are available for Windows 2003 Itanium. That's supported until next year.
Windows Server 2008 Itanium only supports up to IE8, which is supported until 2020.
That page is specific to XP. Click the "learn more" link just after the quoted text you pasted.
Also very interesting is WHY it can't be removed. According to Microsoft's testimony, IE is "deeply integrated with the OS" and removing it would make the OS no longer work. If it's deeply integrated into the OS and it's full of huge security holes ...
Quite apart from the number of bugs, I'm very glad that Firefox is just a web browser. All it does is display web pages. So Firefox bugs basically just affect web pages. Any problems with Firefox are not problems that go deep into the OS.
This whole line of thought is broken by bad assumptions. You ask:
>How is the median user (not an outlier technophile like much of the Slashdot population) expected to parse out a download URL from the result of wget http://getfirefox.com/ or wget http://mozilla.org/ without using IE?
If you didn't include those URLs, you'd be closer to having a point. However, you did include them. Where'd they get those? They can get the download URL from the same place (maybe it was a friend, or an email, or an IM, or off a magazine ad... I have no idea).
You also added in the condition that it be for a median user, which the AC that TechyImmigrant was replying to did not include.
For a median user, they'll probably keep using whatever was installed when they bought their system, or maybe something someone else installed for them.
Slightly above that, it depends on their OS. If on Windows, they'll probably use IE, search Bing for Firefox or Chrome, and click around (duh).
That still doesn't apply to the question... how else are you supposed to download ?
That's a great question. You can't even use a naive "telnet getfirefox.com 80"... that'll just get you a 403 forbidden! If you include the "Host: getfirefox.com", then it'll give you a redirect to https://www.mozilla.org/firefo...
NOTE: that's HTTPS... if you try to go to the non-SSL version, it just redirects to the HTTPS again. So you can't get that without something like "openssl s_client -connect www.mozilla.org:443", and I don't think you'll find that on Windows.
FTP works with a little digging through ftp.mozilla.org (assuming you know that URL). Finding the binary is pretty easy. One needs to know some basics, but it's one of the easiest protocols out there. OK for a median user? Probably not. But it IS an option.
You could also have someone email it to you (if you can get files that big), or send you a CD or thumb drive with it (ex. your kind sysadmin at work might do this for you if you ask nice just to get rid of another IE 6 user). This technique worked for newbs back in the day (AOL CDs and floppies anyone?), so why not now?
My point is that it's more practical to use IE for a few minutes to download Firefox and/or Chrome and then stop using IE.
>For a median user
There's only one median user. We should find him/her and show him/her how to do it.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.