Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
Re:IE8 has the flaw but is immune... (Score:3, Interesting)
But even at Google they apparently have some stuff that requires them to disable it. You can bet a lot of the shops that can't ditch IE will have to disable DEP for backwards compatibility with the crappy apps that are the only reason they don't switch to something better anyway.
Vista, Win7 - really? (Score:5, Interesting)
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.
So saying it is a 'problem' on Vista or Win7 is stretching the truth.
well done Google (Score:2, Interesting)
Not sure if this is evil but I'm sure IE will lose because of this.
Re:IE8 has the flaw but is immune... (Score:3, Interesting)
This whole problem is based on the fact that MS is not willing/able to fix this issue for quite a long time (days?). Other browsers are different in a way that they are fixing security issues ASAP.
Faulty Products. A comparison. (Score:1, Interesting)
You know what struck me as strange when I read this post? I thought about the issue that Firestone went through a few years back with their faulty tires causing a few deadly accidents. By comparison:
If Firestone were to beg people to buy their faulty product, even though it was dangerous, people would think that Firestone was being rather twisted and greedy.
When Microsoft basically does the same thing with their faulty product, it's somehow "OK"?
I guess the "go fix your shit and don't come back until it's done" mentality is rather dead these days...
Re:Vista, Win7 - really? (Score:5, Interesting)
Also if you leave UAC on, it will be running as a normal user, not as an administrator. So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.
By default, IE8 on 7 is pretty secure.
Re:IE8 has the flaw but is immune... (Score:4, Interesting)
A security fix which breaks other required functionality isn't much better though, is it? A patch rushed out the door without much testing isn't a patch I necessarily want to install.
Re:The right time to upgrade (Score:4, Interesting)
So I was doing an install of ATT DSL a few months ago. You don't just plug it in, you have to authenticate.
Only IE works with their server, and the install disc includes IE6 in case you don't have it.
Re:What?!?! (Score:3, Interesting)
Is this an ActiveX thing?
No, it doesn't appear so at this time. But it could be.
I mean how the hell do you get the pointer in the first place? And how do you keep the browser from page faulting?
I'm so confused!
The attacker actually doesn't "get the pointer". He discovered some bug where IE would deallocate an object but still hold a pointer to it. A "dangling" pointer.
The attacker then typically allocates *a lot* of other objects, hoping that they will take up the address pointed to by the "dangling" pointer. He will try to arrange the allocations such that the allocated "data" is actually attack code if ever executed as instructions. The attacker could hide attack code in string constants/buffers etc.
Then he proceeds to prompt IE to actually *follow* the dangling pointer. If he's lucky (and skillful) IE will now hit something which was actually "data" - but when executed as CPU instruction it is actually malicious attack code.
This is why DEP will kill this attack. As soon as the CPU is jumping into a NX memory block, it faults. And the heap/stack are marked as NX (DEP) in all recent MS OSes for IE8.
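The dangling-pointer reuse described in the comment above, modeled as an added example (not part of the original thread and not Internet Explorer's code): a toy fixed-size pool in which a raw pointer kept across a free observes the next allocation's bytes, beside a generation-checked handle that refuses the stale reference. The pool, its size and all names are hypothetical; a real heap does not guarantee reuse of the same address, which is why the comment speaks of allocating a lot of objects.

```c
#include <stdint.h>
#include <string.h>

#define SLOTS 4
#define SLOT_SIZE 32

/* Toy fixed-size pool standing in for a heap (constructed for illustration). */
typedef struct {
    unsigned char mem[SLOTS][SLOT_SIZE];
    uint32_t gen[SLOTS];  /* bumped on every free */
    int used[SLOTS];
} pool_t;
typedef struct { int slot; uint32_t gen; } handle_t;

static handle_t pool_alloc(pool_t *p) {
    for (int i = 0; i < SLOTS; i++)
        if (!p->used[i]) {
            p->used[i] = 1;
            return (handle_t){ i, p->gen[i] };
        }
    return (handle_t){ -1, 0 };
}

/* Checked lookup: NULL once the slot was freed or handed to another owner. */
static unsigned char *checked_ptr(pool_t *p, handle_t h) {
    if (h.slot < 0 || h.slot >= SLOTS) return NULL;
    if (!p->used[h.slot] || p->gen[h.slot] != h.gen) return NULL;
    return p->mem[h.slot];
}

static void pool_free(pool_t *p, handle_t h) {
    if (checked_ptr(p, h)) { p->used[h.slot] = 0; p->gen[h.slot]++; }
}

/* Returns 1 if the freed slot was reused; reports what each kind of reference saw. */
int stale_reference_demo(int *raw_sees_new_data, int *handle_rejected) {
    pool_t p = {0};
    handle_t obj = pool_alloc(&p);
    unsigned char *dangling = checked_ptr(&p, obj);  /* raw pointer, kept too long */
    strcpy((char *)dangling, "event-object");
    pool_free(&p, obj);                               /* object deleted */
    handle_t other = pool_alloc(&p);                  /* first free slot: same memory */
    strcpy((char *)checked_ptr(&p, other), "unrelated-string-data");
    *raw_sees_new_data = strcmp((char *)dangling, "unrelated-string-data") == 0;
    *handle_rejected = checked_ptr(&p, obj) == NULL;
    return other.slot == obj.slot;
}

int main(void) { int r, h; return !(stale_reference_demo(&r, &h) && r && h); }
```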
Re:Not fixing it in IE6... (Score:4, Interesting)
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with a computer startup script that checks if Firefox is installed; if it's not the latest version, it installs the latest version. The downside of this approach is that I have to manually update the script every time there is an update, and this does nothing to update add-ons. IE at least gets updated via WSUS and I don't even have to think about it.
Re:IE8 has the flaw but is immune... (Score:4, Interesting)
The real solution is not open source browsers specifically...
The real solution is diversity.
All software will have bugs, but they are a lot more difficult to exploit if there are a handful of different browsers running on a handful of different platforms and hardware architectures that your targets could be running. Also, having an even split in the market would force all the different software makers to compete on quality... If one vendor drags their feet they will face losing lots of market share... MS can drag their feet without risk of losing anything right now because people are locked in to them.
The attacks that recently succeeded proved the dangers of monoculture; if you're a hacker looking to target any large corporation or government, you can be sure that your target will be running Windows/IE/MS Office, so one exploit, trojan and skillset will suffice against any number of targets.
Nature has proven the importance of diversity...
Re:IE8 has the flaw but is immune... (Score:2, Interesting)
Sorry, but Microsoft retains the lion's share of the blame by virtue of writing a thoroughly non-standards-compliant browser that required, at every bend, browser-specific workarounds which are not compatible with later releases.
I'm currently working for an organisation with literally ten thousand plus web applications originally written for IE6. We've been working to migrate them to IE7 since Vista RC (over three years, wow, time flies) and are about a year over deadline for our Vista SOE release as a result.
Some might conclude that more resources should have been thrown at the migration, and undoubtedly this would have sped things up. However in the corporate world, doing things quickly takes a back seat to doing things profitably; everyone should not be already running IE8 over IE6 if doing so incurs a loss.
Would the cost of speeding the migration have exceeded the cost of extending support for IE6, plus the security and other costs of running an older OS/browser platform not under general support? Honestly I don't know, but the higher-ups here seemed to think so, and they're in a better position to judge than I.
What's more IE6 is still under extended support, saying "upgrade to IE8 or wait until patch Tuesday" just doesn't fly when you're spending tens of thousands of dollars annually on support.
Of course all of these details are invisible when you don't actually work in or have exposure to the types of corporations still running IE6. It's easier to blame the situation on incompetent IT across the board than to understand the challenges involved.
Insightful my arse.