Slashdot Mirror


New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

29 of 134 comments

  1. why are they taking so long? by wulper · · Score: 2

    this IS a critical bug... onehundredandeighty days... 180 zero days. why? MS wants to drive up marketshare of competing browsers? incompetence? MS employees actively exploiting the bug?

    1. Re:why are they taking so long? by wulper · · Score: 2

      that was a rhetorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

    2. Re:why are they taking so long? by Jumunquo · · Score: 5, Informative

      From ZDI advisory:
      Vendor Contact Timeline:
      10/11/2013 - Case disclosed to vendor
      02/10/2014 - Vendor confirmed reproduction
      04/09/2014 - Original predicted disclosure (180 days)
      05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
      05/21/2014 - ZDI publicly disclosed

      Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

    3. Re:why are they taking so long? by Billly+Gates · · Score: 2, Funny

      that was a rhetorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

      No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certificates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

    4. Re:why are they taking so long? by Anonymous Coward · · Score: 5, Interesting

      You forgot to add to your timeline:

      4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

      Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

    5. Re: why are they taking so long? by MotherErich · · Score: 2

      Why is anyone still using IE8?

      --
      You have to be smarter than the machine you're working with.
    6. Re:why are they taking so long? by lennier1 · · Score: 3, Funny

      The NSA probably wanted more time to exploit it.

    7. Re:why are they taking so long? by Anonymous Coward · · Score: 2, Insightful

      Microsoft was still heavily pushing Windows XP for netbooks in 2009.
      So make that not even 5 years.

  2. Enough already by Anonymous Coward · · Score: 2, Funny

    I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

    1. Re:Enough already by CFBMoo1 · · Score: 2

      I installed an HP Dodo Rockjet Printer with my abacus and the stone tablet prints are really nice quality. Wilma really likes it as well and she prints out all her pictures to it.

      --
      ~~ Behold the flying cow with a rail gun! ~~
    2. Re:Enough already by jones_supa · · Score: 2

      You can buy a cheap dodo printer, but the hidden costs are in the crackers, which you need to acquire to keep the printer running. A bag of crackers costs more than the dodo.

  3. October?! by anarkhos · · Score: 2, Funny

    Can't Ballmer spare any developers developers developers?

    --
    >80 column hard wrapped e-mail is not a sign of intelligent
    >life
  4. IE8 Last for Windows XP by BBCWatcher · · Score: 3, Interesting

    Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

    These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

  5. Re:IE EIGHT? by xlsior · · Score: 5, Interesting

    Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

  6. American Date Format by labnet · · Score: 5, Insightful

    American Date Format :DIE Already!!!!!!!!!!!
    American Imperial Units: DIE Already!!!!!!!!!!
    American Imperialism : .....[shhh the nsa is listening]

    --
    46137
    1. Re:American Date Format by harperska · · Score: 4, Informative

      Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

    2. Re:American Date Format by bill_mcgonigle · · Score: 2

      I speak in the American format and write in the ISO format. To me they're the best of breed, one for spoken communication, one for written. But don't forget that we're surrounded by OCD-ish folks (like the GP) who are so crazy-obsessed with EvEnNeSs. I did that last one just to piss them off.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:American Date Format by QuasiSteve · · Score: 5, Insightful

      Remember, Remember, November 5th.

      This day, July 4th, is our Independence Day.

      Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

      But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

    4. Re:American Date Format by Dynedain · · Score: 3

      Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    5. Re:American Date Format by compro01 · · Score: 4, Informative

      I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

      That's what ISO 8601 specifies. YYYY-MM-DD.

      --
      upon the advice of my lawyer, i have no sig at this time
    6. Re:American Date Format by LordWabbit2 · · Score: 2

      Sorry, but as a programmer different date formats are a bloody pain in the ass. Say it like you want to (while putting a pancake on your head, I don't give a shit) but store it (ie. type it) in ISO format. YYYY-MM-DD

      There are a lot of systems which transmit data as strings (xml, json, csv) which need to get parsed back into datetime and a simple thing like YYYY/MM/DD instead of YYYY-MM-DD can cause a cluster fuck of note. If everyone just used the ISO format my job would be a lot easier.
      As a developer who helped fix the Y2K issues that would have happened at a major bank I am well and truly tired of different date formats.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    7. Re:American Date Format by gl4ss · · Score: 3, Interesting

      third of the fifth? or fifth day of the third?

      month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

      even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

      --
      world was created 5 seconds before this post as it is.
  7. It is not a zero day. by 140Mandak262Jamuna · · Score: 5, Funny

    According to the timeline it is a -180 day.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Re:IE EIGHT? by Anonymous Coward · · Score: 2, Interesting

    Right. And the other $500 for the other puter'. oh, and the $300 for the app upgrades. Oh, and the $100 for a printer that has drivers. Or, M$oft, you could just patch what's broke for the common good. Eventually all good chipsets come to an end, and they move off. But until then...

  9. Don't blink this time MS by Dega704 · · Score: 4, Interesting

    Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.

    1. Re:Don't blink this time MS by Anonymous Coward · · Score: 2, Funny

      Fuck you! XP FOREVER!!!!!

  10. Re:IE EIGHT? by xlsior · · Score: 3, Informative

    So use Firefox or Chrome. No big deal.

    Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.

  11. Re:IE EIGHT? by blindseer · · Score: 2

    Bad car analogy. Software fixes don't take up warehouse space like auto parts, and the incremental cost to patch another computer is so close to zero that computing it would be pointless.

    At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

    At work we have CNC machines that run XP. They use serial and/or parallel ports to talk to the computer. The software that runs everything is one of a kind. Replacing all of that would cost tens of thousands of dollars that we don't have. They are behind a firewall to keep the shop workers from surfing porn on the computers but the system has to have some access to the internet for some functions.

    Microsoft might want to consider extending support for XP because if we cannot get what we need from Microsoft I might be asked for alternatives from the people that run the shop. Considering the cost of Microsoft products I will offer solutions to the powers that be that do not include Microsoft. You may not be bothered by that. I won't be bothered by that. Microsoft should be bothered by this if they are not already.

    At work Windows 7 is tolerated. Windows 8 and Vista make the boss's eye twitch, the GUI bothers him as does the price. No XP could mean no Windows. I'm the new guy on the crew and I'd be happy to suggest Macintosh and Linux solutions. With this coming up my recommendation may come up today. If Microsoft doesn't mind our getting Apples instead of Dells then all is well. If Microsoft wants our money then they will produce a fix so we can keep going.

    I'm talking 100+ desktops running XP. If Microsoft says we need to buy Vista or 8.1 to fix our problems then we must look at alternatives. That might mean replacing the Server 2003 systems too. I imagine we are not unique. Microsoft can patch this and keep our business, or not and lose our business.

    I'm not demanding they provide a fix, just showing the problems they have if they don't.

    --
    I am armed because I am free. I am free because I am armed.
  12. Zero-Day allowing the attacker run arbitrary code by buchner.johannes · · Score: 2, Interesting

    "Zero-Day exploit allowing the attacker to run arbitrary code"

    I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention features of MS Windows after XP.

    Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.