
Microsoft Issues Advisory For Internet Explorer Vulnerability

Posted by samzenpus
from the watch-out dept.
jones_supa (887896) writes "Neowin reports how Microsoft made a rare weekend post on its Security Response Center blog to announce an advisory that affects all currently supported versions of Internet Explorer (versions 6 to 11). The issue is based on a newly discovered exploit that could be used against the web browser. The vulnerability exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated. Memory may be corrupted in a way that could allow an attacker to execute arbitrary code in the context of the current user. Microsoft is aware of 'limited, targeted attacks' that have used the exploit. IE 10 and 11 are protected against attacks using this exploit if they have their Enhanced Protected Mode turned on. Also, PCs that have either the Enhanced Mitigation Experience Toolkit 4.1 or the EMET 5.0 Technical Preview installed are also secured against this security hole. Microsoft will take the appropriate action to protect its customers by delivering a security update."
This discussion has been archived. No new comments can be posted.

  • Windows XP (Score:5, Interesting)

    by Jagungal (36053) on Sunday April 27, 2014 @05:05PM (#46854609)

    I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.

    • by yuhong (1378501)

      What is funny is that the current exploits do not target XP.

      • Amazing. XP might be overlooked by malware.
      • Probably Microsoft did not list XP because it is "no longer supported..." Some of the IE versions listed certainly do run on XP.
        • They'd be absolutely stupid to not capitalize on this and push people to the poker-machine-look-a-like Windows 8

          • by reikae (80981)

            From the Fisher-Price Windows XP to the poker-machine-look-a-like Windows 8 :-)

      • Funny by happenstance? Or Funny by design?

        Perhaps this is a ploy to drive sales of the garbage known as Windows 8.

        • by yuhong (1378501)

          I mean in the sense that people have been predicting the rise of WinXP exploits after it ended support. And the April 2014 date comes from 2 years of mainstream support after Vista was released plus 5 years of extended support afterwards BTW.

      • by denbesten (63853)

        > What is funny is that the current exploits do not target XP.

        More likely is that Microsoft is no longer testing/reporting on XP, so we do not know if it is vulnerable or targeted. Given that the vulnerability is with the browser, it seems likely that XP would be vulnerable. The significant difference being that the forthcoming MS hot-fix may or may not install on XP and definitely will not apply via automatic updates.

    • by suss (158993)

      Meanwhile, people will be wondering if this vulnerability has been known for at least a month, possibly much longer, because those Windows 8 licenses haven't been selling as well as expected...

    • XP users will still get patches for individual products like Office and IE.

      • But his Billness said that IE is part of the OS!
        • That was back with Windows 98. Explorer.exe was integrated with IE back then. They ended that because your browser shouldn't crash your whole desktop.

          Get with the times.

    • by buhusky (3064123)
      This is an IE issue, not an XP issue. IE 8 is still supported last time I checked?
    • by JDG1980 (2438906)

      > I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.

      Since this appears to be an IE-specific exploit, couldn't they mitigate by using Chrome or Firefox instead?

      Admittedly, that may not be a feasible solution for the dinosaur businesses stuck with IE6 ActiveX apps, but for Grandma it should work fine. (And these dinosaur businesses can pay out the nose for extended support from MS.)

  • by Teun (17872) on Sunday April 27, 2014 @05:18PM (#46854683) Homepage
    Be glad it's solid commercial software developers were paid for.
  • To paraphrase Ballmer...

    "Linux, Linux, Linux!"

  • by SumDog (466607)

    Wait...IE6 is still supported? WTF?!

    • by cmdrbuzz (681767)

      Yes, technically under Windows 2003 (Server) IE6 is "supported". Still sucks as a browser though.

      • Until 14/07/2015!

        IE7 is around until 14/01/2020 thanks to Windows Server 2008.

      • by bloodhawk (813939)
        Actually no. Even on Windows 2003 it is NOT supported any more. You either need to upgrade to a supported version or be without support for that part of the system.
        • "that part of the system" you mean the entire GUI?
          Stop spreading lies.

          • Internet Explorer is considered a separate product. It's not "the GUI".

            • The rendering component of IE is used by the shell.
              Windows Explorer and Internet Explorer share common components.

              • That's not correct. If you rip out the iexplore internals using a tool like nLite, a whole bunch of things break, but the GUI isn't one of them, nor is the shell.

    • by operagost (62405)
      Well, Win2K3 SP2 is still supported, and it can run IE 6. That doesn't mean IE 6 should be supported, but they do mention it in the KB article.
  • I did a re-image of a computer and saw this [microsoft.com]

    Since corporations like my own use IE 8 with low rights mode with sandboxing and protected mode turned off so they can run compromised certificates for ancient Java, I wonder if we will get patched?

    This is much scarier as we handle HIPAA and credit card information and can be hacked.

  • Another vulnerability due to C's poor handling of pointers.
