Slashdot Mirror


Critical Internet Explorer 11 Vulnerability Identified After Hacking Team Breach

An anonymous reader writes: After analyzing the leaked data from last week's attack on Hacking Team, Vectra researchers discovered a previously unknown high severity vulnerability in Internet Explorer 11, which impacts the browser on both Windows 7 and Windows 8.1. The vulnerability is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, it can allow an attacker to bypass protections found in standard memory. Microsoft has published a patch for this vulnerability, and also patched another one pulled from the Hacking Team files by different security researchers.

58 comments

  1. Critical IE vuln by Anonymous Coward · · Score: 0

    The more things change, the more they stay the same.

    1. Re:Critical IE vuln by Anonymous Coward · · Score: 2, Insightful

      If anything these leaks will remind us to continuously rethink our security configurations. It needs to be on a neurotic level and even then it's probably not enough. Everything needs to be isolated and access has to be as limited as possible to data that's not explicitly needed for whatever task is at hand. We need to always assume our systems are vulnerable and possibly even compromised without our knowledge.

      Or wait, my boss just told me we don't have the budget for it. Never mind.

    2. Re:Critical IE vuln by Anonymous Coward · · Score: 0

      That sounds quite mentally exhausting as well.

    3. Re:Critical IE vuln by thsths · · Score: 2

      Defence in depth is the only option we have - relying on a single piece of software to be "secure" is obviously more than optimistic.

      But even defence in depth fails if the government throws enough money at a hacking company. They will just buy the exploits and string them together to take over the flash player, escape the sandbox, escalate privileges, and then jump across the network. Defence in depth makes this a tedious, expensive and uncertain exercise, but by no means impossible.

    4. Re: Critical IE vuln by Anonymous Coward · · Score: 1

      Show me again which internet browser is perfect and never has any vulnerabilities because I can't seem to remember?

    5. Re: Critical IE vuln by packrat0x · · Score: 1

      Show me again which internet browser is perfect and never has any vulnerabilities because I can't seem to remember?

      W3M

      --
      227-3517
    6. Re: Critical IE vuln by packrat0x · · Score: 2

      Show me again which internet browser is perfect and never has any vulnerabilities because I can't seem to remember?

      W3M

      Oh wait, there were 5 total W3M vulnerabilities

      --
      227-3517
    7. Re: Critical IE vuln by Anonymous Coward · · Score: 0

      http://lynx.isc.org/

    8. Re: Critical IE vuln by ITRambo · · Score: 1

      There is no perfect browser. I prefer to use one that is very responsive to security issues. Flash patches in Chrome are released within a day or so with Chrome automatically updating. IE11 is not automatically updated rapidly. I no longer think of MS "automatic updates" for IE as being automatic as MS still has to reboot Windows to patch many IE holes. So, they can go weeks without being fixed. IE is horrible. Chrome updates without you even knowing it as long as your computer is on and online. I hope Edge works like this as it's currently faster than Chrome in Windows 10 preview build 10166 on my PC. Did I mention that IE is horrible?

    9. Re:Critical IE vuln by Anonymous Coward · · Score: 0

      IE is only allowed to access internal sites. There done.

      If you need to google stuff use a more secure browser.

    10. Re:Critical IE vuln by Anonymous Coward · · Score: 0

      The leader in firewalls is an offspring of the sigint branch of a government which is in a state of permanent war.

      Now, do we believe this thing does not have backdoors for said government and their sugardaddy ally?

    11. Re:Critical IE vuln by Anonymous Coward · · Score: 0

      You just failed security 101 there.

  2. Programmers and Custom Code by Anonymous Coward · · Score: 1, Insightful

    It's intensely annoying that programmers continue to re-invent the wheel and poorly whenever they need something which they're certain that nobody but their clever selves has ever thought of before. Would it kill them to use a data structure from the standard library of the language they're using? But no, they're too cool and smart for that. They have to code it up custom and then introduce dozens of silly bugs because they're too lazy to write tests and their code is perfect anyway, or so they think, and this is what we get. The best programmers that I have met and worked with are the ones with some humility rather than the arrogant asses who call themselves "10X" developers and other such crap. Yeah right, 10 times the bugs maybe.

    1. Re:Programmers and Custom Code by Anonymous Coward · · Score: 1

      This is very much true. It's important to distinguish clever standard-conforming solutions from custom solutions. The biggest mistake many seemingly clever devs do is to break well established standards while trying out new approaches.

    2. Re:Programmers and Custom Code by Anonymous Coward · · Score: 0

      I agree. As a 9X developer, I just don't buy into this fantasy about 10X developers.

    3. Re: Programmers and Custom Code by Anonymous Coward · · Score: 1

      Huh. My programming goes to 11X.

    4. Re: Programmers and Custom Code by GrumpySteen · · Score: 1

      My programming is usually just XXX.

    5. Re:Programmers and Custom Code by Anonymous Coward · · Score: 0

      Well, if you drank the SSL/TLS Standards Kool-Aid, you were pwned 100% of the time and you are STILL pwned.

      If on the other hand, you had your own neat little 3DES symmetric cipher crypto code (complete with a courier transferring the secret code), you actually stood a chance of having a secure crypto channel.

      But hey, the IT business is full of nice-looking propaganda which later turns out to be as useful as a bottle of leaded coke.

      Just saying.

  3. For IE users .. by invictusvoyd · · Score: 4, Funny

    Do not look at the laser with the remaining eye

  4. Thank you to whoever hacked Hacking Team by jonwil · · Score: 5, Insightful

    Thank you to whoever hacked Hacking Team. Because of your work leaking the big data dump, a number of fairly nasty security holes in commonly used computer software such as Flash and Internet Explorer have now been patched by their manufacturers.

    Companies (or government agencies) who discover/collect/buy/obtain unpatched vulnerabilities in software and sit on them so they can use them for spying purposes are no better than criminal gangs who discover/collect/buy/obtain unpatched vulnerabilities and sit on them so they can use them for building malware.

    IMO There is NEVER a valid reason for ANY entity to hold onto an unpatched vulnerability and exploit it, not even the arguments of "National Security" and "we need this to stop terrorists" that have been used by the NSA and other agencies to justify this practice.

    1. Re:Thank you to whoever hacked Hacking Team by thsths · · Score: 0

      > IMO There is NEVER a valid reason for ANY entity to hold onto an unpatched vulnerability

      How about profit? Maybe even legal profit, and certainly lots of it?

    2. Re:Thank you to whoever hacked Hacking Team by Anonymous Coward · · Score: 0

      Profit is ALWAYS a good reason to do stuff. /sarcasm

    3. Re:Thank you to whoever hacked Hacking Team by Anonymous Coward · · Score: 1

      I don't want to live on this planet anymore.

    4. Re:Thank you to whoever hacked Hacking Team by rvw · · Score: 1

      Isn't it time to sue HT, and make it illegal to keep these vulnerabilities to yourself? I can imagine the EU passing a law like this. If that means HT moves to Russia or Panama, let them!

    5. Re:Thank you to whoever hacked Hacking Team by fustakrakich · · Score: 3, Insightful

      Companies (or government agencies) who discover/collect/buy/obtain unpatched vulnerabilities in software and sit on them...

      When a government acts badly, the citizens have an obligation to correct it. When they don't, they are complicit.

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:Thank you to whoever hacked Hacking Team by Anonymous Coward · · Score: 0

      Not a problem. For an exorbitant fee your ashes can be blasted off-planet.


    7. Re: Thank you to whoever hacked Hacking Team by Anonymous Coward · · Score: 0

      Only if they also offer a patch. They are in the business of security right?

    8. Re:Thank you to whoever hacked Hacking Team by drinkypoo · · Score: 1

      Similarly, there is NEVER a valid reason for ANY entity to hold onto research findings nor trade secrets nor military secrets.

      Wow, I'm surprised to see such insight from you. See, when people do that, it's because they're trying to hold back the human race.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Thank you to whoever hacked Hacking Team by Anonymous Coward · · Score: 0

      The valid reason is that we can and he can't. He can go fuck himself. :-) Those who have the gold make the rules.

  5. Microsoft Standard Response: by tomxor · · Score: 2

    Thank you for the feedback.
    This issue is no longer reproducible in the latest build of Microsoft Edge on the Windows 10 Insider Preview <build-number>.

    Best regards,

    The Microsoft Edge team

    From personal experience I'd expect that is the current likely response to any IE11 bug where you give irrefutable evidence, clear and concise explanations and isolated test cases.

    Selectively naming things obsolete when it suits.

    Before Edge it would have been "does not affect enough users, will not fix"... Microsoft do not understand the concept of an evergreen browser, if Edge doesn't forcefully replace IE11 then they just fucked everyone again.

    1. Re:Microsoft Standard Response: by Anonymous Coward · · Score: 1

      Neither does google.
      Or Apple.
      or..

      Think about the three things you can do as a consumer: Complain, Escalate, Publish.

    2. Re:Microsoft Standard Response: by tomxor · · Score: 1

      Obviously you don't understand what an evergreen browser is either.

      Evergreen browsers enable continuous obsolescence of old versions... making another product and ceasing development on the current one instead of replacing it completely fucks this model.

    3. Re:Microsoft Standard Response: by Anonymous Coward · · Score: 0

      Sorry, I formulated it wrongly.

      Companies not responding to consumers' needs is indeed troublesome. But so many companies are doing it. My plea was: if companies can't protect our privacy and/or security even after we asked them to do it, do we really need to go so far as to elect our representatives to make laws to force them to do it?

    4. Re: Microsoft Standard Response: by Anonymous Coward · · Score: 0

      I suspect that not replacing IE is the more secure option. So long as IE is IE, it will suffer brutal demand to never fix anything ever because it will break somebody's horrible intranet application or whatever the ghastly legacy case is. That obviously doesn't do security or pace of development any good. If they leave IE in existence; but gradually hide it increasingly well except from the Group Policy setting that allows you to specify URLs to automatically be opened in IE for compatibility, and the interfaces that applications that embed IE's rendering engine use, then they'll be largely free to develop the non-IE at a normal pace. It still has the disadvantage of leaving IE lurking there; but to replace IE would be to attract exactly the same perverse incentives, so not replacing it is probably the lesser evil.

    5. Re:Microsoft Standard Response: by drinkypoo · · Score: 1

      Microsoft do not understand the concept of an evergreen browser

      What? Because Microsoft is getting rid of software which is architecturally unrepairable, they don't understand the value of keeping good software around? Look, there's lots of good reasons to hate Microsoft, you don't have to make up idiotic shit like this. iexplore must die, don't get in the way.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Microsoft Standard Response: by Anonymous Coward · · Score: 0

      Edge is mostly IE11, don't make shit up about Microsoft producing anything more than marketing hype.

  6. drop dead date by Anonymous Coward · · Score: 0

    I'm a security professional who works for facebook.

    clearly we need Windows to block IE11, and in turn block Facebook.

    in fact we need a drop dead date for all of those things.

    just because I say so.

  7. Re:what's your point? by Anonymous Coward · · Score: 0

    Modern IE has actually been pretty good about vulnerabilities. In theory more secure than firefox and chrome due to stuff like sandboxing.

    IE 6 was a cluster fuck, but most of the security problems nowadays are Flash and Java. And it's not like FF and Chrome never have security holes.

    I don't personally use IE, but it's certainly come a long way. MS does so much shitty stuff like Windows 8 UI, there is no need to attack them for stuff they are actually trying to get right.

  8. Custom allocator by Alioth · · Score: 3, Insightful

    This sounds awfully familiar...OpenSSL had a critical vulnerability because they had decided to write a custom allocator instead of using the one provided by the OS. You would think IE developers, with their product being Windows-only and strongly tied to Windows, would never dream of reinventing the allocation wheel, especially as Windows memory management in general has had a huge amount of work done on it in the last few years to make it harder to exploit memory allocation bugs.

    1. Re:Custom allocator by Anonymous Coward · · Score: 0

      Gold hat alert: Start scanning for custom allocations everywhere = gold for the taking.
      In programming 101, you use operating system calls, not rewrite/duplicate operating system functions (and then your program must work with a lower ring). Things that jump to mind are 3rd party logon/security routines. Some sort of VMware should expose more standalone code/allocations, because the arrogant p***ks duplicated OS functions (see string routines). Video drivers with DMA look like juicy targets. Database code where the vendors think they know better. Fire up the code using a Windows 7 backwards compatibility install facility for an older OS to discover which vendors and apps did this terrible practice. Mmmm profit.

      On a more serious note this may explain memory leakages, wrongly blaming the OS vendor, when the real issue is probably some very expensive enterprise application. SAP candidate? This also means if one knows uptime has been high, and homemade allocation/deallocation, finding memory leaks will yield zerodays. Conspiracy nuts will now claim memory leaks are builtin backdoors, which is why they have not been hunted down and fixed.

      Code auditors should 'stand up' when they spot DIY memory allocation routines.
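The story summary says the JSCRIPT9 bug is a use-after-free inside a custom heap, and this thread asks why that matters. The added example below (not code from JSCRIPT9, OpenSSL or any product on this page) builds a tiny fixed-size pool allocator of the kind auditors are told to look for, shows how a dangling pointer into such a pool silently aliases the next object placed in the same slot (nothing in the OS heap sees the bug, because the OS heap never sees the free), and then shows one hardening pattern a reviewer could ask for: generation-tagged handles plus poisoning on free, so a stale reference resolves to NULL and a double free is rejected. All names, sizes and the "object A"/"object B" strings are constructed for the example.

```c
/* Added example, not from the original page or any product it discusses:
 * a toy pool allocator in two variants, naive and generation-checked. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS  4
#define SLOT_BYTES  32
#define POISON_BYTE 0xA5   /* constructed value; makes stale reads visible */

typedef struct {
    uint8_t  data[SLOT_BYTES];  /* first member, so a data pointer aliases the slot */
    uint32_t generation;        /* incremented on every free of this slot */
    bool     live;
} slot_t;

typedef struct {
    slot_t slots[POOL_SLOTS];
    int    free_stack[POOL_SLOTS];  /* LIFO: the most recently freed slot is reused first */
    int    free_top;
} pool_t;

static void pool_init(pool_t *p) {
    memset(p, 0, sizeof *p);
    for (int i = 0; i < POOL_SLOTS; i++) p->free_stack[p->free_top++] = i;
}

/* ---- naive pool: raw pointers, immediate reuse, no checks at all ---- */
static void *naive_alloc(pool_t *p) {
    if (p->free_top == 0) return NULL;
    slot_t *s = &p->slots[p->free_stack[--p->free_top]];
    s->live = true;
    return s->data;
}

static void naive_free(pool_t *p, void *ptr) {
    slot_t *s = (slot_t *)ptr;   /* valid because data is the first member */
    s->live = false;
    p->free_stack[p->free_top++] = (int)(s - p->slots);
}

/* Returns true when a dangling pointer into the pool observes the object that
 * was allocated into the same slot afterwards: the custom-heap UAF hazard.
 * The OS allocator's own double-free and unlink checks never run here. */
static bool naive_stale_pointer_aliases_new_object(void) {
    pool_t pool;
    pool_init(&pool);
    char *first = naive_alloc(&pool);
    strcpy(first, "object A");
    naive_free(&pool, first);            /* 'first' is now dangling */
    char *second = naive_alloc(&pool);   /* LIFO reuse hands back the same slot */
    strcpy(second, "object B");
    return first == second && strcmp(first, "object B") == 0;
}

/* ---- hardened pool: generation-tagged handles, poison on free ---- */
typedef struct { uint32_t index; uint32_t generation; } handle_t;

static handle_t safe_alloc(pool_t *p) {
    handle_t h = { UINT32_MAX, 0 };
    if (p->free_top == 0) return h;
    int idx = p->free_stack[--p->free_top];
    slot_t *s = &p->slots[idx];
    s->live = true;
    memset(s->data, 0, SLOT_BYTES);      /* never hand out a previous tenant's bytes */
    h.index = (uint32_t)idx;
    h.generation = s->generation;
    return h;
}

/* A handle resolves only while its generation matches the slot's current one;
 * anything freed since then yields NULL instead of the slot's new occupant. */
static void *safe_resolve(pool_t *p, handle_t h) {
    if (h.index >= POOL_SLOTS) return NULL;
    slot_t *s = &p->slots[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return s->data;
}

static bool safe_free(pool_t *p, handle_t h) {
    if (safe_resolve(p, h) == NULL) return false;   /* stale or double free rejected */
    slot_t *s = &p->slots[h.index];
    memset(s->data, POISON_BYTE, SLOT_BYTES);       /* poison until the slot is reused */
    s->live = false;
    s->generation++;                                /* invalidates every outstanding handle */
    p->free_stack[p->free_top++] = (int)h.index;
    return true;
}

/* Same sequence as the naive case; the stale handle is refused. */
static bool safe_stale_handle_is_rejected(void) {
    pool_t pool;
    pool_init(&pool);
    handle_t a = safe_alloc(&pool);
    strcpy(safe_resolve(&pool, a), "object A");
    safe_free(&pool, a);
    handle_t b = safe_alloc(&pool);       /* same slot index, new generation */
    strcpy(safe_resolve(&pool, b), "object B");
    return a.index == b.index
        && safe_resolve(&pool, a) == NULL     /* stale read blocked */
        && !safe_free(&pool, a)               /* double free blocked */
        && strcmp(safe_resolve(&pool, b), "object B") == 0;
}

int main(void) {
    printf("naive pool: stale pointer sees new object: %s\n",
           naive_stale_pointer_aliases_new_object() ? "yes" : "no");
    printf("hardened pool: stale handle rejected:      %s\n",
           safe_stale_handle_is_rejected() ? "yes" : "no");
    return 0;
}
```

The point for a code reviewer is the one the thread makes: once a program carves objects out of its own arena, every mitigation the platform allocator provides (safe unlinking, randomised placement, delayed reuse, guard pages) stops applying to those objects, so the pool must carry its own checks. Generation counters, poisoning and a quarantine before reuse are the usual ones to ask for when a DIY allocator shows up in review.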


  9. What? by pahles · · Score: 1

    There was a bug and now there is a patch?

    --
    Sig?
  10. Do like Firefox by Anonymous Coward · · Score: 1

    Warn users and make them click to run IE every time.

  11. This is... by calexontheroad66 · · Score: 1

    A gift that keeps on giving...

  12. Re:what's your point? by Anonymous Coward · · Score: 0

    I might deserve -1

    But can the one who voted me -a troll actually say why I'm wrong?

  13. yet another javascript problem by Anonymous Coward · · Score: 0

    occurs within a custom heap in JSCRIPT9

    It seems that virtually 100% of browser exploits involve javascript. It was a bad idea for all KINDS of reasons. Keep it disabled, and you are much safer, not to mention the web gets less annoying without sites trying to disable cut and paste, or pop random things up over what you are trying to read.

    Letting untrusted sites run code on your computer needs to die as a thing.

  14. Re:what's your point? by Billly+Gates · · Score: 1

    Yep I can do a .msi, push gpos, use .pac files, etc.

    And for several years it is just as secure as chrome and is w3c compliant and can render pages properly

  15. Yeah Propaganda by Anonymous Coward · · Score: 0

    How is IE conceptually more secure than Chrome? They have sandboxing for each window too.

    Please elaborate or I will call your post Redmond Propaganda.

  16. BINGO by Anonymous Coward · · Score: 0

    They also claimed "the new Windows 7 kernel has been totally rewritten". Then a few months later we learn about exploits "which affect all Windows versions from Win3.1 to Windows 8".

    The Redmonders are habitual liars and when they talk about the weather you had better not believe what they say.

    1. Re:BINGO by Anonymous Coward · · Score: 0

      No, it appears YOU claim they stated that. Citation/proof please.

    2. Re:BINGO by Anonymous Coward · · Score: 0

      This isn't wikipedia, go back to your cave.

  17. If Only by Anonymous Coward · · Score: 0

    ...this sort of thing could never happen in the CSS parser/renderer and the html parser and rendering code.

    But yeah, JS and its necessarily bloated base of C and C++ code (it needs ridiculous amounts of optimizer code to run just sufficiently fast) certainly made the day of more than one TLA.

    If we had used some memory-safe Pascal variant, we could do this with probably 1/100 lines of C and C++ code. And it would be as fast as the JS crapola and their JIT compiler.

    But hey, WE NEED EXPLOITS AGAINST THE TERROZERS ! And not to control the general populace, we really swear !

  18. Concept PWN by Anonymous Coward · · Score: 0

    The entire software engineering community has been suckered into "C and Unix are the way to go" meme. IT folks also believe they are massively more smart than anybody else. Especially, they love to gloat about "military intelligence is an oxymoron".

    Assessing the REAL WORLD, it seems though that military intelligence is running rings around the software engineering suckers, including the neckbeard suckers. Instead of memory safe Pascal we use the portable assembler C and then hand-wring about all the nasty-follow ons. Every time again. And again. And one more time.

    Never do we act like MEN and kick the C dreck out. We never ask Niklaus Wirth and CAR Hoare for their advice. Instead we applaud when those Bell Labs idiots get a medal from the head of CIC of the military intelligence folks.

    We are actually DUMB FUCKS who don't realize for which "achievement" the Bell Labs idiots got their medal.

  19. I, for one, am GLAD it's identified... apk by Anonymous Coward · · Score: 0

    See subject: Keyword = identified. Worst ones aren't. For those of you "naysayers" out there? It's fairly obvious you've NEVER written a piece of software (or you're just bitching to bitch, OR you're fans of some other OS etc. - et al).

    Why do I say that??

    Well (since I've been writing software since 1982 here for MANY platforms from mainframes & midranges down to PC's) - It's HOW SOFTWARE EVOLVES & IMPROVES... it's not static + perfect "out of the gate" (especially if/when it's a larger/complex program) - worse when it's a largely used piece of software (like IE is since it's the default browser in the largest used OS there is) that has TONS of 'bad guys' (& in SOME cases 'good guys' too) targeting it for the express purpose of FINDING BUGS that are exploitable (remotely especially).

    APK

    P.S.=> Again, see subject - these issues are not the problem. It's the ones we DON'T KNOW ABOUT that are - this, then (that all "said & aside") is a GOOD thing, & MS will patch for it shortly enough since it HAS been id'd... apk