Slashdot Mirror
Microsoft Patches Remote Code Execution Hole for Internet Explorer
mask.of.sanity writes: Microsoft has released an out-of-band patch for Internet Explorer versions seven to 11 that closes a dangerous remote code execution flaw allowing attackers to commandeer machines. From their advisory: "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability." The attack could assist in watering hole and malvertising campaigns. The Windows 10 Edge browser is not impacted.
This bug has been around since IE 7? Wow, this just confirms that MS will only patch bugs once others find them and then they have to work on fixing them.
Most IEs, even the recent ones, suffer from this bug. MS revealing these long standing issues affecting IE... isn't it a good way to promote Edge, the new MS browser not affected by this bug?
Slashdot, fix the reply notifications... You won't get away with it...
When is MicroSoft going to get off their butts and fix their operating systems so that the first user is not defaulted to administrator rights or at least have the first user forced to make a 'normal' user account for normal usage? Even 'ancient' Linuxs only add the first user to sudoers so that they have to explicitly invoke rootly powers.
Unlike Linux, Windows uses proper security tokens. Each process has it's own token governing what it can do to which resources. On Linux the "token" is - rather naively - a user id.
When you log on to Windows - since Vista - with an account with administrative rights, thee token that is created for the shell process is 1) stripped of all administrative rights and 2) given an integrity level of "normal". Integrity levels are also part of the token.
What it means is that *even when you log on as an administrator* you do not possess any administrative or god-like rights. You are a standard user.
When you invoke a program that has a manifest which states that it requires some form of administrative rights, Windows will prompt you for "elevated" privileges. Only when you accept to use your administrative privileges will the process be started with a token with higher than standard user rights.
It really is a much more elegant solution than the stupid effective user in Linux, where the description of a process rights is strongly tied to a user: There must exist a user with the specific sets of rights you want the process to have. Not so on Windows: Any process can have it's own token with fewer or more rights/privileges.
You can turn off UAC (don't!), which is why Microsoft must write the disclaimer *If the current user is logged on with administrative user rights*. If you turn off UAC and log in with an administrative account - then you run all processes with full permissions/privileges.
When is MicroSoft going to get off their butts and fix their operating systems so that the first user is not defaulted to administrator rights or at least have the first user forced to make a 'normal' user account for normal usage?
They did fix it. You are just ignorant.
How many of these problems could be mitigated if this were not MicroSoft's default approach?
The answer is 92% - and it is mitigated by default.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
This bug has been around since IE 7? Wow, this just confirms that MS will only patch bugs once others find them and then they have to work on fixing them.
So, what's your point? IE 7 through to 11 use the same Trident layout engine so it stands to reason one security flaw could affect IE 7 through to 11. Heartbleed was in OpenSSL's source for 3.5 years & Shellshock was in BASH since 1989 before anyone found them. Bugs can exist in software for years whether they are open or closed source.