Microsoft Says Upgrade To IE8, Even Though It's Vulnerable 279
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
IE8 has the flaw but is immune... (Score:5, Informative)
Re:IE8 has the flaw but is immune... (Score:3, Informative)
Re:IE8 has the flaw but is immune... (Score:5, Informative)
Re:IE8 has the flaw but is immune... (Score:5, Informative)
True, DEP is enabled by default on the Win 7 / IE8 combo. OTOH, neither will run (very well, anyway) a horde of old enterprise services and suites that still linger about the industry, compatibility modes be damned.
There are fixes and workarounds, but they can get rather expensive (and usually involve an XP Mode server of sorts, or Terminal Services seat licenses, etc).
Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.
Re:Vista, Win7 - really? (Score:4, Informative)
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Microsoft has come a long way in securing their OS, but they still have a long way to go before claiming that their product is as secure as, say, FreeBSD or OSX.
Re:Faulty Products. A comparison. (Score:5, Informative)
Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Fords one SUV model.
As usual, another analogy on /. fails...
Re:Channeling BadAnalogyGuy (Score:5, Informative)
If this is FUD about explorer it is Microsoft FUD about explorer and not the submitters.
Re:Not fixing it in IE6... (Score:4, Informative)
Fair point on the former, but the latter could be managed to an extent via GPO - you just have to roll your own policies [3sharp.com] to do it.
The right time to upgrade (Score:5, Informative)
The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?
I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they appologize?
(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)
Re:Faulty Products. A comparison. (Score:1, Informative)
Incorrect... The fault was Ford stuck the tires on as OEM parts, and actually UNDER-INFLATED the tires. The issue that occurred with the Firestone tire would have happened with ANY P or UV tired that was also under-inflated on that vehicle at highway speeds. An under inflated tire causes major heat build up, and leads to tire failure.
As another posted said, a crap analogy.
Re:Faulty Products. A comparison. (Score:3, Informative)
Firestone still took the contract, they weren't going to turn down a sale of millions of tires.. They knew what Ford was putting them on.
Re:Not fixing it in IE6... (Score:5, Informative)
We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.
The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.
Microsoft's advisory admits that both IE7 and IE8 (Score:4, Informative)
Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
That is a misrepresentation, at best.
The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx [technet.com]
It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.
IE5 rules supreme (Score:4, Informative)
Actually, IE5 is the only version not effected. You should be downgrading not upgrading.
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/ [theregister.co.uk]
"But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."
Re:IE8 has the flaw but is immune... (Score:5, Informative)
They are aiming for both backwards compatibility and security, but above all, they are aiming to put out a fix that isn't broke. I'm honestly not trying to be the Microsoft apologist here, but the complexity of putting out a patch for IE is a lot more complex than you might first think, even compared to other browsers. Here's why:
Using Firefox as an example, when Mozilla finds a security flaw in Firefox, they simply release a new point release of all supported versions of Firefox (currently 3.0 and 3.5) that contains the fix, as well as all previous fixes, and usually several other security/stability fixes bundled into that particular point release. So, this means a release across two product versions, which can be expanded to releasing on the architectures supported for those particular versions as well as supported platforms. The source code change probably isn't architecture or platform specific (wrong?) so can thus be inserted into the correct maintenance trees in the source repository and the binaries/sources made available.
Using Microsoft as an example, when Microsoft finds a security flaw in Internet Explorer, they need to patch every supported version of IE on every supported version of Windows down to specific IE patch level possibly also impacted by Windows patch level. For a security flaw like this that affects IE6 through IE8, that means patches for every version of Windows from 2000 to 7, for every architecture (x86, x86_64, ia64), for numerous patch levels. For example, in many versions of Windows two separate patch levels of IE might be simultaneously supported (e.g. IE6 SP1 on Windows 2000 and IE6 SP2(SP3?) on XP). Keep in mind that the binaries for the same exact patch level of IE on two different versions of Windows on the same architecture are highly unlikely to be the same (e.g. IE7 on XP will not be the same as IE7 on Vista, nor will the patch binaries be the same, and OS SP level may also make a difference). Versions of Internet Explorer on Windows CE/Mobile might also be impacted resulting in further patch complexity. Oh, and x64 versions of Windows (and ia64?) have both the 32-bit and 64-bit versions installed side-by-side, due to issues with plug-in compatibility (you can't load 32-bit code into a 64-bit application). So, you'll need to patch both versions on 64-bit platforms, and once again, the 32-bit binaries for 64-bit systems are unlikely to be identical to the 32-bit binaries for 32-bit systems. In summary, we are talking a huge number of binary patches that all need to be thoroughly tested, passed through regression suites, and so forth, because if even one of these patches breaks something, odds are, you'll have a lot of pissed off users.
That being said, this is largely Microsoft's fault. By integrating the browser so closely to the OS, they've managed to create this complexity. A clean(er) separation of web browser from OS internals would, while not making things simple, would surely reduce the current clusterfuck. Doing so would bring you much closer to the model that most (every?) other web browser uses, and should drastically reduce the amount of testing that would need to be done. For now, this isn't the case, and the present reality is that patching every version of IE since 2001 is a very messy business.
Re:IE8 has the flaw but is immune... (Score:1, Informative)
DEP is not exclusive to IE8. You can enable it system wide if you want. However, DEP is only good for this particular exploit. It's possible to write a exploit that circumvents both DEP and sandboxing
Re:Who cares? (Score:3, Informative)
Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.
Re:Not fixing it in IE6... (Score:1, Informative)
I work for one of those such big FTSE companies. I tried using Firefox but repeatidly came across too many sites which either didn't work or rendered badly.
Off the top of my head, these don't work with Firefox:
The only thing which does work is the Safecom print queue system! Note that I'm not blaming the Firefox devs here, all the applications have been written to work in IE and IE only.
In the end, I still use Firefox but also have IE View running with a large list of domains to run in Internet Explorer. I tried IE Tab but it doesn't like ActiveX which seems to be the main issue on a lot of these sites.
Re:IE8 has the flaw but is immune... (Score:1, Informative)
Except that there are times where you can't update your browser because some line-of-business application is only compatible with IE6. IT is probably chomping at the bit to upgrade, but can't until the business either finds a replacement app or the vendor makes updates.
IT is demonized for decisions that they didn't always have a part in.
Re:Vista, Win7 - really? (Score:4, Informative)
Re:Vista, Win7 - really? (Score:3, Informative)
...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.
The folks who write IE (as well as other MS developers) are very well aware of the nature privilege escalation vulnerabilities. This [amazon.com] is effectively the required read around here, and, while rather high-level, it does give a good overview of these kinds of attacks.
Regardless, more security layers are always better, especially when you can't guarantee the code to be absolutely, definitely 100% secure. Things like sandbox, DEP, ASLR etc are absolutely not a replacement for writing proper code, security reviews etc, but they help to limit and contain the effects of many discovered vulnerabilities, which this particular case demonstrates very well. In many cases it can mean that a discovered vulnerability is downright non-exploitable (at best you can DoS the client by crashing him). In some other cases it is exploitable, but requires a very significant amount of effort to get past all the layers; if vulnerability becomes known before an exploit is available, this buys more time to get a proper fix out.
Re:Not fixing it in IE6... (Score:4, Informative)
Nonsense. We manage something like 2,800 apps centrally for 60,000+ desktops using a 3rd party tool. We have another 400 or so apps that we manage for our 11,000 servers. Total staff to package and update this environment? About a dozen.
Firefox is just another app to us.
Re:Not fixing it in IE6... (Score:3, Informative)
https://developer.mozilla.org/En/A_Brief_Guide_to_Mozilla_Preferences [mozilla.org]
If the administrators can write to the application directory and prevent the user from doing so, then they can enforce profile settings in Firefox (and almost any Mozilla app).
Re:IE8 has the flaw but is immune... (Score:3, Informative)
Yea, after reading the article (some of us do) I found that this summary is a piss poor one, more aimed at bashing MS than giving the real facts. We don't need to make up imaginary reasons to hate MS, they already provide plenty of real reasons.
Re:Not fixing it in IE6... (Score:1, Informative)
I believe most browsers run in user space.
Re:Not fixing it in IE6... (Score:3, Informative)
No registry hacks are necessary to set configuration information in Firefox. It's all text files, the way God intended config files to be. :)