Ah, the security vulnerability that was used in the Google attack. It’s been around the internet about a million times now, and even governments have started advising people to move away from Internet Explorer. As is usually the case, however, the internet has really blown the vulnerability out of proportion. I’ll get right to it: if your machine and/or network has been compromised via this vulnerability, then you most likely had it coming. No sympathy for you.
That sounds really harsh, so let me back it up with some explanations. The vulnerability in question is Microsoft Security Advisory 979352, and “[it] is an Internet Explorer memory corruption issue triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element. If an attacker is able to prepare memory with attack code, the reference to a random location of freed memory could result in execution of the attacker’s code.”
While this all sounds mighty serious, reality is different. If you look at all the brouhaha on the net, you’d think that everyone running Internet Explorer and Windows is vulnerable to this attack, and that it disembowels tiny kittens. Luckily, though, that’s not the case – this attack is remarkably low-impact, and if you are affected, then it is probably your own fault.
That’s because this vulnerability only affects users of Internet Explorer 6 on Windows XP. If you’re still running that configuration by choice, then it’s your own fault if you get bitten. It’s like complaining Ford’s cars aren’t safe because you crashed and died while driving one while wearing a blindfold. If your corporate network still uses IE6, the same thing applies. Of course, there are still a number of tools that are designed for IE6, but that’s something the developers of those tools should be ashamed of.
Windows XP with Internet Explorer 7/8, Windows Vista, and Windows 7 are all secure, despite the fact that the exploitable code exists in those versions of Internet Explorer too – which sounds weird, until you realise that these newer pieces of software benefit from Microsoft’s 2002 Trustworthy Computing initiative, which implemented a company-wide focus on security in the development process.
As you can see, both IE Protected Mode and Data Execution Prevention play a major role in mitigating this flaw, perfectly illustrating why features like this should be part of an operating system: layered security. Due to the proper design of Windows Vista and 7 (there, I said it), a potentially dangerous flaw has been rendered completely useless. Despite currently not being at risk, users of Windows XP SP2/SP3, as well as Vista users running IE7, should enable DEP anyway.
By the way, I left Windows 2000 off the chart since it’s no longer sold. In case you’re curious: yes, IE6 on Windows 2000 is exploitable. Sadly, there’s no fix because you can’t upgrade to newer versions of IE. Moving solidly into Irrelevantland now: IE5 is not affected.
Microsoft advises users to upgrade to newer versions of IE and/or Windows. “We recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP,” Microsoft writes, “Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows.” Or, switch to a non-IE browser, or even a non-Windows operating system, of course.
In any case, the outstanding security track record of Windows Vista and Windows 7 remains largely untarnished. I never thought I’d say this, but hats off to the Windows team for (finally) delivering solid, secure products.
Now, if you don’t mind, I’m going to see if the pigs at the farms here in my home town are where they’re supposed to be.
With nearly everything in the tech industry moving at an incredible pace compared to other industries, it’s a shame that a bad reputation takes so damn long to be erased.
Well, Microsoft certainly earned it over the last 15 years.
Thanks to competition, they have upped their game. Microsoft have better products because of competition, which is a far cry from when they used to destroy them and control the market.
Internet Explorer is a better product thanks to the likes of Firefox but ultimately, Microsoft planted their own bad seeds with IE which keep growing thorns.
Well, you know what they say? “What goes around, comes around”
Edited 2010-01-18 22:51 UTC
I guess Microsoft will just have to cry into its giant bag of money.
But seriously, Windows XP with IE 7 AND IE 8 *may* still be vulnerable on XP.
Win XP doesn’t have ASLR, which makes it vulnerable to the return to libc attack
http://en.wikipedia.org/wiki/Return-to-libc_attack
Vista and later systems do, and thus are not exploitable.
Even if you’re running XP SP3, real DEP requires NX, which of course means that you need to be running on a PAE configuration.
For x86-32, at least. Nothing extra is necessary on x86-64. But there is still a sizable population of earlier x86 hardware out there that cannot be protected.
I had been told at one point that Win XP does always enable PAE mode in order to utilize the NX, but it doesn’t use the higher memory extensions unless explicitly told to in the boot.ini – I could be wrong, but I heard it from someone I generally trust on these matters.
Edit: Wikipedia seems to back this notion up in the foot notes – http://en.wikipedia.org/wiki/Physical_Address_Extension
Your point about DEP not working on older x86 hardware is indeed valid of course, and I have plenty of said hardware still plugging along myself.
Edited 2010-01-18 22:57 UTC
http://www.vupen.com/exploits/Microsoft_Internet_Explorer_Use_after…
They have an exploit for IE8 with DEP enabled.
This makes this whole article totally wrong and downright dangerous, because just because there is no publicly available code does not mean that bad guys can’t figure it out. Took that company only a few days.
Funny how when there’s a proof of concept of a Linux or Mac vulnerability, it’s all discarded as “it’s not in the wild” and “show me a real infection” and so on…
…yet when it’s Microsoft, proof of concepts and even regular concepts are accepted without so much as a blink of the eye.
Double standards. You has them.
On top of that, they bypassed DEP. What about protected mode? Did you buy (yes, you have to buy it) the concept to test it out? Or do you believe that security company’s (BUY OUR PRODUCT) puppy eyes?
Edited 2010-01-19 16:30 UTC
You are wrong again. I never ever said anything like that. I am the first who wants fixes for Linux bugs.
All you will find me saying is that sometimes it makes no real sense to use exploits on Linux or OSX because there are just too few users running the software.
You said the flaw would only work on XP with IE6 and that DEP and protected mode would make you safe. That again was wrong. Protected mode has been circumvented on Vista and DEP in IE8. It is just a matter of time before all IEs on all versions of windows are vulnerable.
And the thing is: Exploiting bugs in browsers is big business now. Once a flaw is found it will be exploited if there enough users running that browser.
So contrary to what you said, I think that every possible exploit will be used if it makes economic sense for the attacker.
In the case of IE it does.
Except, that’s not what I said.
What I said was that you’re safe against the CURRENT EXPLOIT. You know, the one everyone’s talking about, as used in the Google attack? The headline didn’t tip you off?
No.
There is a difference.
On the one hand there is currently available exploit code. That is what is what MS and you are talking about.
On the other hand there is the IE flaw that was used to hack Google. The available exploit code is not the code the (Chinese) hackers used to hack Google. They used the flaw in IE and their own code.
It is not like all hackers rely on publicly available code. They can code themselves.
Which simply means users of Windows 2000 must choose a different browser entirely now.
Or upgrade to a modern OS.
http://www.techradar.com/news/internet/microsoft-switch-from-ie-and…
In short: Microsoft tells us that switching to other browsers would actually increase the risk.
I do not know how they can possibly arrive at this conclusion. No other major browser has a zero-day exploit on the rampage, and IE is not really fixed yet. The second line of defence prevents the attack from succeeding in Vista and Win7 with IE8, but the flaw is still there.
I know that in the USA you cannot do anything against Microsoft issuing such moronic statements; here in Austria, however, if you say “competition is worse than us”, you might have to prove this statement in court. If you cannot prove it, you have to pay damages for tarnishing the competitor’s reputation.
yes, because you can trust a website that has an image caption of “Microsoft: IE8 all this bad publicity” to not mis-quote someone. The fact that part of the quote is missing casts doubt over its accuracy.
My bet is that the IE7 default install will be exploited.
They are only talking about the CURRENT exploit and that is just v0.01. Updates will follow.
Good luck getting through DEP, ASLR, and protected mode.
Since Vista’s inception, it hasn’t been cracked.
So you are the security expert now? I found this article to be really weak and fanboyish. That is why I started a quick Google search.
And well, I hate to break it to you but IE7 has been cracked:
http://twitter.com/george_kurtzCTO
And it is looking bad for IE8:
http://twitter.com/dinodaizovi
And that is just one day after the release of the first exploit; once security is breached you get new attack vectors and new exploits are possible. It is not like DEP etc. always mitigates everything 100%. It just helps.
I found it to be a refreshing assessment instead of one of many sensationalist articles that focused on the government warnings and not who exactly is at risk.
Because some people on twitter say so? That isn’t proof.
Well, those people are the CTO of McAfee and the white hat security researcher who’s actually trying to expand upon the exploit, so they shouldn’t be dismissed outright. Granted, the CTO points to a YouTube video on how McAfee software can block this exploit, so you could argue he’s got an agenda. But that doesn’t change the fact that the researcher has been able to get as far as read-only access to the system through IE7 on Vista. Hopefully, protected mode won’t be easy to break out of, but still Microsoft needs to patch this ASAP. Mechanisms like DEP and protected mode are meant to be extra layers to mitigate the impact of exploits, but not long term substitute solutions. (Although after this incident, I would like to see an additional patch to opt-in IE7 to DEP by default; it probably couldn’t be done in IE6 due to the same compatibility issue that have kept them from upgrading to newer versions.)
Those “some people on Twitter” are a real CTO of a very big computer security company and a real security researcher with a lot of creds. (Just google him, he won numerous hacking contests and has a long list of research.)
They are the real thing, they don’t pretend to be security experts on the internet.
You don’t know much about security then. As I mentioned before ASLR, DEP, and protected mode are great ideas but if their implementation is poor (and it is in Windows) then they are useless in the grand scheme of things. Less experienced hackers may not be able to crack Windows protection schemes but they are still vulnerable.
Again, those guys did it on XP without DEP. IE8 enables DEP by default so it will be much harder. Btw, main reason why IE7 didn’t have DEP enabled by default? Third party ActiveX component, try to guess which.
The Java plugin. With DEP enabled, the JIT engine would dump generated machine code into memory pages marked with the NX bit and then attempt to execute it causing the JVM to crash.
No need to, social engineering is more effective. These hackers however were exploiting corporate culture. It shocks me that Google would have anybody in their company using IE6 – a fact I’m sure they are quickly rectifying right now.
And it’s not just a matter of silly people use old software – IE6 is still a supported product. It is therefore an official Microsoft product and its age has no relevance as Microsoft have a contractual obligation to support it. This is why businesses still use the damn thing, because it still has the Microsoft seal of approval. As soon as MS say that IE6 is no longer supported, the corps will jump off of it right away as they will have legal, contractual requirements to do so to meet safety requirements for handling customer’s data.
Microsoft have had a lot of time to statically analyse IE6, even re-compile it with the latest compilers, or even audit the bloody thing. The fact is that IE6 has been one giant weekend for Microsoft and continues to be so. They care about security only when it makes them look bad. They’ve had 9 years to find this bug. So what’s the excuse? It’s old? No. It’s a supported product used by hundreds of thousands of companies.
I doubt it’s that simple. Keep in mind the underlying flaw is present in all prevalent versions of IE, including IE8 which, no doubt, have been threat modeled, reviewed for security flaws, and analyzed and compiled with the latest tools. Historically, Microsoft has published post-mortems for notable exploits that describe why exactly those mechanisms proved insufficient (e.g., [1]), and hopefully they’ll publish one for this flaw as well. Until we have information on what the flaw looked like from their end (ideally with the relevant source snippets), it’s premature to simply attribute it to incompetence or apathy.
[1] http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-s…
Not true. All three have been circumvented at some point. Apparently the randomization on Vista wasn’t that random because of too little entropy which made it possible to guess address locations. Protected mode was circumvented through an implementation flaw of Vista’s Integrity Levels and DEP was circumvented with Java.
No use telling him. Judging by this write up he is on MS payroll.
First of all IE6 is still officially supported by MS. People are still paying to get security patches and so it is not the fault of the users when they get hacked.
So:
_It is Microsoft’s fault._
2. The exploit works on IE7 on XP and Vista (not all setups, but still)
3. This article makes it sound like the good advancements in Vista regarding security cure all potential holes.
_They do not._
In conclusion:
This thing needs updates or should be deleted. Security is serious stuff for experts to write about.
Ah, the “I disagree so he must be paid by Microsoft argument”.
Very convincing argument. Cicero would be proud.
Seriously now – it’s fine you disagree with me, but at least try to do so in a constructive manner (like Kroc did), because people aren’t going to take you seriously this way. Your dislike for all things MS is clear enough without childish stuff like this.
Well sorry, but if you use MS “get the facts”-like marketing material, which is obviously wrong and even enrich it with your pro-MS spins I will say what that looks like. (And I don’t really think MS is paying you, but it sure looks that way.)
And my bias towards open solutions is no secret.
MS marketing never relies on the “you are an idiot if you use these products of ours” technique.
Yeah, the parent is being slightly jerky by suggesting you’re a MS lackey, but he’s also got a bit of a point. We’ve only been talking about buffer overflows and protection against them. It’s an unfounded and unwarranted leap from that to
There are exploits for Vista. There have been security vulnerabilities. Is MS security improving? Yes, it finally is improving. Is it perfect? No, it’s not. While you didn’t explicitly say that it’s perfect, saying it’s secure is pretty much the same thing in a lot of people’s books.
It is always wise for security experts to be cautious in their statements concerning security. What was secure yesterday is no longer secure today. What is secure today, may not be tomorrow.
They are when they are told by the company that they are putting themselves at risk when they use IE6 to surf the web.
Who doesn’t know that IE6 is a massive security risk? Google should have been the last company to be compromised by something like. Don’t make excuses for cheapskate companies.
I think the Mozilla Foundation would be even less likely to be compromised by IE6…
Many companies use enterprise management software from SAP to run their business processes. For a long time, the “web interfaces” SAP provided worked with IE6 and nothing else, meaning that companies who bought into SAP were stuck with IE6. It wasn’t until very recently that IE7 became an available option. The culprit is heavy reliance on ActiveX and lack of concern for portability.
Thom,
I agree that people who are still using IE6 on XP are to some extent responsible for the consequences. However, I would like to point something out that I’m sure that you’re familiar with which is Microsoft’s encouragement of vendor lockin for software written on Microsoft’s OS.
Let me be clear, and I’m sure I’ll be corrected if I’m mistaken, but hasn’t it always been Microsoft’s software development strategy to encourage software developers to a) use Microsoft’s OS and b) Use Microsoft’s nonportable API and c) Implement broken “open standards” in such a way that software written using Microsoft’s api only works with their broken standard (ex. Java++ , the graphics format png is another, Kerberos implementation is another, etc.)
Soooo… if software developers are encouraged to use Microsoft APIs that are *only* compatible with Microsoft’s broken standards (ex. activeX), how then can you hold the poor (as in bad luck/bad decision making) businesses who chose to hire software developers who write software in a Microsoft OS that only works on that OS, and God help you if you try to upgrade, because the source code is long gone and/or the developer is long gone.
I mean, I know that had you been the CIO of a fortune 500 company who was informed that the software being written on your computers was hard wired to *only* work on IE 6, you would have kicked some ass and fired the sorry programmers on the spot. But management isn’t hired for their technical competency, they’re hired because they know how to “manage” people; that includes CIOs who are not technical people, they are managers. And let’s not forget that the people who make these poor decisions are not the technical people, it’s management who calls the shots.
And where do the management get their advice? Do they ask their technical people for their opinion? Well, yes, if they value and appreciate their technical people. And no, if they don’t value them or think that they would lose face by acknowledging their technical incompetence. Instead such managers listen to …. marketing representatives from a large corporation who are *very good* at marketing.
So, where did the idea of locking software to a particular browser with broken apis come from? Not from *all* those businesses who are now screwed, but the central corporation that marketed the message to write to their broken standards using their nonportable apis.
If management were to take advice from their supplier, then Microsoft themselves are now advocating that everyone drops IE6 and XP.
http://arstechnica.com/microsoft/news/2010/01/microsoft-wants-you-t…
That much is very good advice, and the only real problem here seems to be that Microsoft advocate replacing WindowsXP/IE6 with Windows 7 and IE8.
Surely any manager worth his salt would see that this is just asking for the same lock-in and security problems all over again?
I think Thom’s analogy is a bit off. A better one would be likening being killed in an older car without airbags when a newer car with air bags would have saved your life.
Even that’s a bit off, I think. It’s more like being engulfed in flames because your car had a poorly built fuel tank, and the company wanted to charge you hundreds of dollars to fix it.
Once we get the story straight, it becomes clear that Thom’s analogy works quite against his argument. My son just happened to tell me the other day that his school uses Windows 2000 on classroom computers. Thom implies that it’s close to irrelevantland, but I’ve got good money that says they’re using IE6. Any takers?
MS isn’t trying to make money by fixing IE6. They’ve told companies to upgrade to a newer version.
As I pointed out before there was no need for Google to connect to the internet with IE6. You can keep an instance of IE6 for testing or old activex apps while having an alternative browser for internet surfing.
This is another case of cheapskate companies refusing to spend money on old systems. I’ve seen this crap so many times. I know of a very large pharm company that uses IE6 on all the workstations because it works with google and they don’t want to spend a dime on support unless something breaks.
Which, if you’re running Windows 2000, requires what, now? An upgrade to a new OS; i.e., spending money!
Because Windows 2000 remains such a sorry OS?
Just think of the number of pointy-click script kiddies that school could kick out. That network sounds like some serious fun for any budding pentesters. I just hope the computer teacher is open to self directed learning as ours was back in the day.
Also, if Google have a better web browser then why aren’t their employees using it?! And IE6 for that matter!!!
Dare I call a conspiracy
It was my understanding that the IE6/XP only nature of the bug was only limited to the publicly posted zero-day exploit that is out now, and that newer versions of both IE and the OS could still be compromised by using a still-secret method that the Google attackers took advantage of. Are you sure that isn’t the case?
Although to be fair, most of the noise out there now is because of the publicly available exploit, and if it was just the Chinese who had access to the exploit a lot of that might quiet down.
No, it isn’t.
The Aurora exploit now works with IE7 on XP and Vista. IE8 on XP SP2 and Vista SP0 does not use DEP and so it is just a matter of time or effort until IE8 gets cracked.
And even with DEP you aren’t secure until a real fix is released.
Edited 2010-01-19 02:02 UTC
I’m guessing you’re talking about this:
http://blogs.pcmag.com/securitywatch/2010/01/aurora_exploit_ported_…
Even if he has developed an exploit that doesn’t mean the machine can be taken over. From the same article:
Note that IE7 still has protected mode implemented by default, so even if an attacker can get the exploit to execute, there’s not a lot he can do, because he’s running in the crippled user context of protected mode.
A Vista machine _might_ not do much, but XP has no protected mode and will do whatever the exploit wants.
But once you have native code running finding another bug somewhere or use another unpatched flaw is just another small step. Most black hats have multiple options at that point.
Just like DEP only really works on new CPUs. Athlon XPs and P4s etc are out of luck.
Anyways, IE8 is still kinda new and the majority of XP users still use IE6 (like the whole of China) or IE7 and they are right now all f–ked. So it is still the majority of Windows users overall and with each passing day it is likely to get worse.
Edited 2010-01-19 03:47 UTC
That’s still too much speculation at this point.
Yes a lot of people are still using IE6 thanks to pirates in Asia who don’t want to upgrade or switch to another browser. Most Windows users are not all f–ked however, it isn’t a virus. They still have to be led to a website containing malicious code and there haven’t been any IE7 attacks in the wild.
I know people like you want to use this as an opportunity to push alternative browsers but I think the real lesson is that there is a major problem with companies and individuals holding onto legacy systems.
http://www.itpro.co.uk/619561/microsoft-admits-flaw-may-hit-ie7
And hacked websites are all over the web, there were even banking sites that had exploit code embedded. If you surf the web with an insecure browser that is used by billions of people you are at risk PERIOD
lol and all it would take is a few mod_security rules to block such crap from exploiting banking sites in the first place.
Ok, I’ve had enough of this, I can’t sit by and just read the dumb comments anymore. Seriously, Vista SP0? Why are we even talking about people who intentionally sabotage their computers? SP0? FFS? Let me summarize the part of the article that discusses SP0.
People who disable updates deserve to have computers that r belong to someone else! Is it Microsoft’s fault the driver didn’t buckle their seat belt? RTFM
The reason why people are STILL using IE 6 is because after IE 6 came out, Microsoft stopped developing the browser. Until Firefox came along and stole market share, Microsoft was content to sit on their asses. So for 5 years, the official browser was IE 6. That’s 5 yrs worth of apps that run on IE 6 but probably not anything else. Now after 9 yrs, they are still finding bugs in it. And Microsoft’s answer is: throw out 5 years of development and switch to shiny new Win 7/IE 8? Umm how about fix your busted ass code already? jeez….
And does anyone know if the Google people were perhaps accessing an app that was IE 6 only? Lord knows there are enough of them out there.
Whose fault is it that these companies decided to use an internet browser as an interface for local apps? Even if they are locked into IE6-only apps that’s still a poor excuse to surf the net with it when you can install multiple browsers on a single machine. You can even set it up so IE6 is blocked from accessing the internet.
I’m really sick of excuses for these cheapskate companies that are too cheap to have the apps re-written properly so they are independent of the browser. This is all about money and these companies don’t want to spend any until they absolutely have to.
The naivete here is absolutely astonishing.
These companies were not compelled through legal mandate or threat of violence to build internal and external infrastructure on non-standard extensions to a proprietary piece of software. I have no sympathy for the technically incompetent CIOs who made development or purchasing decisions that led to dependence on obsolete and insecure technologies. They made the choice and now they suffer the consequences.
The mistake is in assuming that any large, well connected, and heavily financed organization such as Microsoft would ever hold your interests above their own. That goes for Apple, Red Hat, the FSF and many others. They all have agendas whether they be financial, social, or politically motivated, and they exist solely to further their own causes. As managers, developers, or users, our responsibility is to recognize this and to make the best decisions possible to serve our own interests or the interests of those we advise.
Does Microsoft deserve some criticism for its role in this mess? Sure. But the ultimate responsibility falls on those who chose to employ their solutions without any roadmap for the future.
How is it naive to expect Microsoft to support a product they are still selling? Microsoft made the choice for IE 7 and IE 8 to not be backwards compatible with IE 6. And while the CIO’s may have made poor choices, Microsoft are the ones who control the technology. I am not saying that the companies involved aren’t also to blame, but Microsoft deserves most of the criticism here. They aren’t even fully disclosing the dangers of the bug from what I can see.
In the case of the browser, MS made the right choice to stop supporting old IE6-only crap. I don’t agree with much MS does but moving the browser towards a secure and standards compliant program should be recognized.
The problem is squarely on the people who developed an IE6 only application without thinking “gee.. the browser is an easy program to change between versions and brands; I think I’ll make my code only work with one specific brand/version.”
The secondary layer of responsibility is on the buying authority that thought “yeah, this looks good.. let’s buy this expensive and hard to replace information product that only works with one brand/version of browser even though that’s an easily changed bit of software that will have new versions in the future”
It’s bad enough that user’s saved data from Office applications pretty much dictates the use of that same or newer Office version to continue accessing it. To willfully accept that condition from your application interfaces is madness. You put it on a server so it’s easy to manage and update, so everybody can access it and so that the client side OS becomes less relevant. The only one of those that doesn’t fail is “so everybody can access it” though that also includes people outside the organization too now.
Good calm analysis, Thom.
Due to the inherited (and unfortunate) complexity and ever-growing bling of the web, all modern browsers are presumably more or less exploitable.
And for the record: Firefox ain’t doing good in the security front either.
From interview with Charlie Miller:
Alan: So, if you had to make a recommendation, Mac, PC, or Linux? Or do you find them to be equally (in)secure?
Charlie: I’ll leave Linux out of the equation since I know my grandma couldn’t run it. Between Mac and PC, I’d say that Macs are less secure for the reasons we’ve discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn’t much malware out there. For now, I’d still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.
I’m not sure how your quote relates to FF security history as there’s only mention of Linux, osX and Windows platforms with the focus on osX and based on popularity rather than its technical level of security.
Granted, FF did rank in the top patch counts for 2009 but that’s kind of expected since they openly disclose vulnerabilities as a matter of policy. A high patch count is perfectly acceptable and potentially desirable provided the time between bug discovery and patch release remains short. If FF is being used in a major attack blitz or falling over with lists of un-patched vulnerabilities, I’d like to see those reports as remaining unaware of them doesn’t help me or my users.
All this ranting and raving, always when the news is about security and Microsoft.
Well, I’ll be here and posting same kind of crap the next time the news will be about Linux vulnerabilities. Then I get modded down.
Just like Slashdot, which surprisingly is perhaps nowadays more moderate place than OSAlert.
the reference to a random location of freed memory could result in execution of the attacker’s code.
How can this possibly work? Seriously, if a reference to a deleted object does magic such as this, that is really bad as the object has been deleted, the memory is free and anything can now be stored in the same location once it’s been freed. Perhaps if the address stored in the pointer is not cleared, in other words the pointer is not set to NULL, the memory location referenced by the pointer gets filled with something else – the malicious code from outside. Maybe they have forgotten to NULL the pointer!
Again, I am just trying to make logic out of this!
Edited 2010-01-19 08:01 UTC
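The advisory’s “copy, release, and then later reference” sequence quoted in the article, and the question above about how a freed object can end up calling into attacker-chosen memory, as an added C example that is not from the page and not IE code: a constructed fixed-slot allocator stands in for the heap (so slot reuse is deterministic), a struct with a function pointer stands in for a DOM element, and the guarded version shows the mitigation the comment guesses at (clearing the reference when the object is released). All names here (pool_alloc, pool_release, element_t, dangling_reference, guarded_reference) are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed demo allocator (not IE code): a pool of equal-sized slots with
 * a LIFO free list, so releasing a slot and allocating again hands back the
 * same memory. Real heaps behave the same way for same-sized chunks; the
 * pool just makes the reuse deterministic. */
#define SLOT_SIZE  64
#define SLOT_COUNT 4

static _Alignas(16) unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int  free_slots[SLOT_COUNT];
static int  free_top   = 0;
static bool pool_ready = false;

static void pool_init(void) {
    for (int i = 0; i < SLOT_COUNT; i++) free_slots[i] = SLOT_COUNT - 1 - i;
    free_top   = SLOT_COUNT;
    pool_ready = true;
}

static void *pool_alloc(void) {
    if (!pool_ready) pool_init();
    if (free_top == 0) return NULL;
    return pool[free_slots[--free_top]];
}

static void pool_release(void *p) {
    ptrdiff_t off = (unsigned char *)p - &pool[0][0];
    free_slots[free_top++] = (int)(off / SLOT_SIZE);
}

/* Stand-in for a DOM element. The first field is a function pointer, the
 * role a C++ vtable pointer plays in a real browser object. */
typedef struct {
    void (*on_event)(void);
    char name[32];
} element_t;

static int called = 0;                    /* which handler ran last */
static void div_handler(void)  { called = 1; }
static void span_handler(void) { called = 2; }

/* Vulnerable pattern: a second reference to the element is copied, the
 * element is released, and the copy is used later, the same
 * "copy, release, then later reference" order the advisory describes. */
static int dangling_reference(void) {
    called = 0;
    element_t *el = pool_alloc();
    el->on_event = div_handler;
    strcpy(el->name, "div");

    element_t *copy = el;                 /* reference kept elsewhere */
    pool_release(el);                     /* object freed, copy not cleared */

    /* A new allocation lands in the same slot and overwrites its first
     * bytes, so the old function-pointer field now holds new contents. */
    element_t *fresh = pool_alloc();
    fresh->on_event = span_handler;
    strcpy(fresh->name, "span");

    copy->on_event();                     /* use after free: calls whatever is there now */
    pool_release(fresh);
    return called;                        /* 2: the stale pointer reached the new handler */
}

/* Mitigated pattern: the sole holder releases through a helper that nulls
 * the reference, and every later use is guarded. With several holders a
 * reference count is the production-grade form of the same idea. */
static void element_release(element_t **holder) {
    pool_release(*holder);
    *holder = NULL;
}

static int guarded_reference(void) {
    called = 0;
    element_t *el = pool_alloc();
    el->on_event = div_handler;
    strcpy(el->name, "div");

    element_release(&el);                 /* el is NULL from here on */

    element_t *fresh = pool_alloc();      /* same slot reused, as before */
    fresh->on_event = span_handler;
    strcpy(fresh->name, "span");

    if (el != NULL) el->on_event();       /* skipped: no stale call */
    pool_release(fresh);
    return called;                        /* 0: nothing ran through the dead reference */
}
```

In a browser the contents of the reused slot come from script-controlled allocations, which is where DEP and ASLR matter: they constrain what that stale indirect call can reach, while the real fix is removing the dangling reference.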
If I understand correctly, the security problem also occurs on supported software. MS should deliver a solution to the companies with a support contract, with updates or upgrades. Companies without support should take care of that themselves.
Normal customers must take action themselves, but.. I guess about 95% of the people I know have no idea what the problem is. They just say it works, why change it? I can’t blame them, they are only interested in getting their work done or the stuff they like to do.
I’ve read in the other comments about some settings in new Windows versions. Just forget about settings, the only setting that counts is the default. When that restricts people from doing what they want, all lower settings are also important. Never forget users want to get their ‘work’ done and really don’t care about safety. After all they did what they were told: do updates and use a virus scanner.
http://www.techradar.com/news/internet/microsoft-switch-from-ie-and…
OK, so Microsoft admit there is a vulnerability, and that a better exploit may possibly be used against other versions of Windows and IE.
Then they say this:
Say whaaat?
Translation: “Our older code is rubbish, but our newer stuff, which BTW you will have to pay all over again for, and which has exactly the same vulnerability, is way better. Seriously. No, really. Don’t use the other guy’s stuff which isn’t known to be broken, because we say it might be.”
Windows with IE has an unpatched, well-publicised, 0day, remote code execution vulnerability, common across all versions of Microsoft’s OS and browser, they can’t say when they will have a fix … and yet they want people to believe that a non-Microsoft browser is worse?
ROFLMAO at Microsoft. The only prize they win for this one is “The Chutzpah Award”.
Edited 2010-01-19 10:43 UTC
Beware, someone might nominate you as the troll and Linux zealot of the year.
Too late, he already has been lol
A retail company with a widely known problem in an older product is suggesting people move to a newer product from their own line while using the same marketing scare tactics they’ve always employed against competitive products; this has to be the first time in history such a thing has ever happened.
Really, you’re surprised that the MS recommendation involves the newest browser on the newest OS platform they provide?
The browser part is obvious, they have put effort into security during design of IE7 and IE8. They are actively discouraging IE6 and preferring IE8 become most popular. I wouldn’t want to support three versions of the same program either.
The OS recommendation has the obvious angle of pushing for another sales unit. Win7 also has security features missing from WinXP; there is some technical basis for recommending it to maximize user protection if you’re sticking with an all-MS stack.
Not to go all medieval on yer tuchas Samuel L. Jackson style, but Englisc, modor wyrter! Gedon eow cweþan hit!?! (and yes that was English, just a few CENTURIES out of date)
Seriously, how the blue blazes do you get THIS:
from this:
Given that the vulnerability does not exist on IE8, the upgrade to IE8 and Windows upgrades to remove the vulnerability are FREE if you are on an OS made less than a decade ago, etc, etc…
The only part that needs to be taken to task is the ‘non-microsoft browser’ part – since we all know it’s bullshit and IE is basically playing russian roulette with your computer.
But the entire rest of your post reads like that free*** anti-corporation reality distortion field has really gotten you in its grip; interpreting the exact opposite of everything said.
Next you’ll be telling me there are less IE users today than there were five years ago because you believe the lie of ‘share’.
NEWS FLASH
2009 – 62.5% of 1.7 billion is 1062 million IE users
2005 – 90% of 1 billion is 942 million IE users
So while IE lost market share, it gained 120 million users. Percentages can lie – in fact they mean jack **** if the size of the sample pool changes, or you don’t poll the exact same people every time, or if firefox is double counted due to prefetch, or if Opera is mis-counted thanks to the use of masking to get around faulty browser sniffing…
http://my.opera.com/deathshadow/blog/2010/01/11/browser-statistic-l…
Don’t blindly believe the outright lies and propaganda spewed forth by groups like the FSF. They use fact omission (card stacking) as proof, random user comments on slashdot as if they are legitimate sources, and at times outright lies to push their socialist agenda that has little to nothing to do with what freedom means.
I blogged about that too.
http://my.opera.com/deathshadow/blog/2010/01/19/windows-7-sins-nope…
… and it’s SO obvious if you know ANYTHING about marketing and propaganda – they use cult-like indoctrination and misinformation; any second I expect the Church of Stallman followers to don purple robes and eat the poisoned yogurt so the aliens from Halley’s comet will take them to heaven.
— edit — oh wait, even that would make more sense than most of the claims of its die-hard fanbase.
Edited 2010-01-19 19:23 UTC
That’s my favorite part, it really is. So… the FSF are crazy socialist cultists? Are they also in the State Department? Are they responsible for fluoridation? Tell me, DeathShadow, have you ever seen an FSF member drink anything other than whiskey?
Actually, Microsoft confirmed that ALL versions of Windows and ALL versions of Internet Explorer are vulnerable; not simply WinXP+IE6.
Please get your facts right.
Management is more to blame on this, or rather mis-management.
If management bought something to run internally, then they would need to buy a new version of the software, probably with money they don’t have as it needs to go elsewhere (e.g. your salary).
Alternatively, management contracted out, and the contract may stipulate a certain version of software be used (e.g. Windows XP, IE6); in which case, the contractor may have their hands tied with respect to upgrading the software until the contract renews – and then, only if the management agrees.
This then comes back to bite management and the contractor – management may have more than one contract with said software stipulated, but not have them all renew at the same time; so they will be reluctant to change the contract.
Likewise a contractor may have a contract with one client with said software stipulated, and may not have the resources to maintain the software both for that one client and update it for everyone else. (It may be their primary client has the stipulation.)
All said, there are numerous reasons – all of which are legitimate – as to why software may not get upgraded. The problem is breaking the cycle so that the upgrades can happen; or getting management to spend the money (or both).
In a bureaucratic company (basically any company with >10000 employees, and many with less as well) it’s a hard thing to get software upgrades. (Many are still migrating or just finishing the migration from Win2k to WinXP!)
Any person or company stupid enough to still be using IE deserves everything that they get.
No sympathy from here.
It’s only due to the competition from the likes of Firefox and Chrome that MS have got off their backsides and done *anything at all* to IE.
Looks like they haven’t done enough though, and it’s very unlikely that anything that they do will ever be enough.
Given that IE is (slowly) declining in its market share, the message might actually be starting to get through. “I.E. bad, others better”.
Edited 2010-01-20 07:52 UTC