Forgot your password?
typodupeerror
Microsoft Security

New IE 8 Zero Day Discovered 134

Posted by samzenpus
from the no-shortage dept.
Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."
This discussion has been archived. No new comments can be posted.

New IE 8 Zero Day Discovered

Comments Filter:
  • this IS a critical bug... onehundredandeighty days... 180 zero days. why? MS wants to drive up marketshare of competing browsers incompetence? MS employees acitvely exploiting the bug?
    • by wulper (788005)
      that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.
      • Re: (Score:3, Funny)

        by Billly Gates (198444)

        that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

        No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certicates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

    • Re: (Score:1, Troll)

      by Billly Gates (198444)

      Because it's from Ms.

      And what a great way to force users to upgrade

    • by Jumunquo (2988827) on Wednesday May 21, 2014 @07:57PM (#47061857)

      From ZDI advisory:
      Vendor Contact Timeline:
      10/11/2013 - Case disclosed to vendor
      02/10/2014 - Vendor confirmed reproduction
      04/09/2014 - Original predicted disclosure (180 days)
      05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
      05/21/2014 - ZDI publicly disclosed

      Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

      • by Anonymous Coward on Wednesday May 21, 2014 @08:12PM (#47061969)

        You forgot to add to your timeline:

        4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

        Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

        • Re: (Score:1, Troll)

          by DrXym (126579)
          XP was supported for 13 years. A pretty generous term by any measure. At some point a line has to be drawn and further issues should be ignored.
          • Re: (Score:2, Insightful)

            by Anonymous Coward

            Microsoft was still heavily pushing Windows XP for netbooks in 2009.
            So make that not even 5 years.

          • by toddestan (632714)

            This issue was disclosed to Microsoft while XP still had almost six months of support left. They should have fixed it, not let it go figuring by the time it was disclosed publicly XP would be out of support.

            Though the funny thing is, Microsoft is still on the hook to fix it as they still support IE8 on other versions of Windows, including (off the top of my head) Server 2003 and Vista.

        • "Zero-Day exploit allowing the attacker to run arbitrary code"

          I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention [wikipedia.org] features of MS Windows after XP.

          Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

          • > Or does this warning assume the worst case, where all these other features are turned off?

            It seems not. But remember that Internet Explorer was written to be inseparable from the operating system itself, with effectively bare metal access to provide Microsft-only speed, power, and enforced reliance on Microsoft's system libraries. It was designed _not_ to be lmodular, and designed _not_ to be clealy segregated from the underlying operating system so that it would be impossible to remove or replace on

          • "Zero-Day exploit allowing the attacker to run arbitrary code"

            I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention [wikipedia.org] features of MS Windows after XP.

            Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

            The NX bit, and DEP forced us to develop Return Oriented Programming https://en.wikipedia.org/wiki/... [wikipedia.org] Basically because function arguments and return pointers are on the stack you can make the code that's already there do the work for you. It's not as easy as just writing a little shell code and tends to be more specific as far as the version of the software the victim is running, but it's really quite neat and hard to stop.

      • by labnet (457441) on Wednesday May 21, 2014 @09:03PM (#47062281)

        American Date Format :DIE Already!!!!!!!!!!!
        American Imperial Units: DIE Already!!!!!!!!!!
        American Imperialism : .....[shhh the nsa is listening]

        • Re: (Score:1, Insightful)

          American Date Format :DIE Already!!!!!!!!!!!

          Sorry, but as a non-American I have to admit I find that date format the most comfortable. Things are likely different globally, but here people tend to say "May 10th, 2014" much more often than "the 10th of May, 2014". Adding two bonus words so you can satisfy some "most granular to least granular" fetish doesn't fit.

          For instance, the catastrophe that happened in the US over a decade ago is called "September 11th", not "the 11th of September".

          Frankly I'd be okay with a compromise... 10(5)14 is May 10

          • by harperska (1376103) on Wednesday May 21, 2014 @09:29PM (#47062403)

            Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

          • I speak in the American format and write in the ISO format. To me they're the best of breed, one for spoken communication, one for written. But don't forget that we're surrounded by OCD-ish folks (like the GP) who are so crazy-obsessed with EvEnNeSs. I did that last one just to piss them off.

          • by QuasiSteve (2042606) on Wednesday May 21, 2014 @09:49PM (#47062497)

            Remember, Remember, November 5th.

            This day, July 4th, is our Independence Day.

            Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

            But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

          • Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

            • by gl4ss (559668) on Thursday May 22, 2014 @05:09AM (#47063967) Homepage Journal

              third of the fifth? or fifth day of the third?

              month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

              even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

              • by Dynedain (141758)

                Reread my comment, I was responding to someone who likes M-D-Y because that's how he speaks: "event happened on May fifth, 2001"

                I'm completely in agreement that it's stupid in written and datestamp formats and leading to confusion. I always use YYYY-MM-DD to avoid ambiguities.

                My point was that the grandparent's argument only holds true for English. In many other common languages, the day comes first: "event happened on fifth of May", so the natural inclination of making written dates match speaking order do

          • And you are a non-American (as in the continents) native speaker of English? I'm from NZ and it's the other way round, or at least was until I left 10 years ago... The "dialect" has undergone very strong Americanisation over the last few decades though. Your "for instance" is also a little ridiculous - a non-American would never say "nine eleven" meaning "the eleventh of September" (or even "eleven nine"). I also can't remember anyone ever saying "September eleventh" but plenty of people saying "September e

            • by markhb (11721)
              As an American, for that particular day, there is an added significance to the number itself as 911 is our universal emergency telephone number, similar to the European 112 or 999. I would typically write today's date as 22 May 2014, but when I do so I am being consciously pretentious. Otherwise I'd use 5/22/2014 (I was the Y2K guy at my previous job; it cured me of 2-digit years for good).
          • Sorry, but as a programmer different dates formats are a bloody pain in the ass. Say it like you want to (while putting a pancake on your head, I don't give a shit) but store it (ie. type it) in ISO format. YYYY-MM-DD [wikipedia.org]

            There are a lot of systems which transmit data as strings (xml, json, csv) which need to get parsed back into datetime and a simple thing like YYYY/MM/DD instead of YYYY-MM-DD can cause a cluster fuck of note. If everyone just used the ISO format my job would be a lot easier.
            As a develop
          • by Crash42 (116408)

            If you want to go for the lazy option, use the Dutch system: the tenth of May 2014 is just "ten May twothousand fourteen"
            It really is DMY.

          • I've heard "10th May, 2014" or even "10 May, 2014". And actually, the common US reference isn't so much "September 11th" as it is "Nine-eleven", written 9/11.

            My preferred date format is "2014-05-10". It collates better.

          • by GuB-42 (2483988)

            Obligatory XKCD : http://xkcd.com/1179/ [xkcd.com]

          • The problem I have with the US date format is simply that it's often ambiguous when used on the internet - it being international and all.

            The way people "say" dates is fine, so if someone likes "May 10th" or "10th of May", I'm easy - there's no ambiguity. But writing 05/10/2014 on a website is a bit crap because it is ambiguous. Either go with writing the month name or 3-letter abbrev. or go with ISO format 2014-05-10 - you're still allowed to say it in whatever order you like! So when I read an ISO forma
        • by Anonymous Coward

          American Date Format :DIE Already!!!!!!!!!!!

          I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

          • 2013/10/11 - Case disclosed to vendor
          • 2014/02/10 - Vendor confirmed reproduction
          • 2014/04/09 - Original predicted disclosure (180 days)
          • 2014/05/08 - ZDI notified the vendor of the intent to publicly disclose
          • 2014/05/21 - ZDI publicly disclosed

          But, otherwise, I don't really see the point.

          • by compro01 (777531) on Wednesday May 21, 2014 @11:44PM (#47062931)

            I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

            That's what ISO 8601 specifies. YYYY-MM-DD.

        • by Megane (129182)
          Right on, and fuck the European date format too. YYYY-MM-DD 4evah!
    • Why is anyone still using IE8?
    • by Skarjak (3492305)
      To think that my last comment on how there was no reason to use IE in this day and age got modded as flamebait...
    • by lennier1 (264730) on Wednesday May 21, 2014 @11:47PM (#47062939)

      The NSA probably wanted more time to exploit it.

    • by hairyfeet (841228)
      Or maybe its the fact that the only one this really affects is Windows XP and since XP is EOL there is no point? Vista has IE 9, the rest can upgrade to current so the only version of Windows stuck with IE 8 is XP. I'm sorry but if you are surfing the net with a 13 year old OS? Then you deserve what you get, after all nobody would expect a 13 year old copy of Debian or OSX to get patches so why should Windows?
  • by Anonymous Coward

    I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

  • October?! (Score:3, Funny)

    by anarkhos (209172) on Wednesday May 21, 2014 @07:59PM (#47061861)

    Can't Balmer spare any developers developers developers?

  • Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

    • Re:IE EIGHT? (Score:5, Interesting)

      by xlsior (524145) on Wednesday May 21, 2014 @08:57PM (#47062239) Homepage
      Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.
      • by msobkow (48369)

        So use Firefox or Chrome. No big deal.

        • Re:IE EIGHT? (Score:4, Informative)

          by xlsior (524145) on Thursday May 22, 2014 @01:48AM (#47063353) Homepage
          So use Firefox or Chrome. No big deal.

          Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.
      • by Lennie (16154)

        The right answer is:

        Stop using IE on Windows XP, use Firefox or Chrome, they get updates.

        Or better yet: stop using Windows XP.

        • by Lennie (16154)

          Scrap that, if you read the advisory they mention turn off ActiveX.

          So basically, it's an ActiveX exploit, so turn that off.

  • by BBCWatcher (900486) on Wednesday May 21, 2014 @08:35PM (#47062121)

    Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

    These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

    • Re: (Score:1, Troll)

      by cavreader (1903280)

      Oh by all means lets get the government bureaucrats involved in policing software security. What could possibly go wrong? Stop looking to the government to protect you and start taking some responsibility for your own actions. You want guaranteed online security then just unplug your network cable because that is the only thing that will make you 100% secure from online attacks. There is not a browser on the market that doesn't have exploitable flaws if you really smart, motivated, and look hard enough. But

    • Or people could just quit using this crap.

    • by AmiMoJo (196126) *

      You would be crazy to run IE8 on XP anyway. A vulnerability like this on Vista or later wouldn't be such a big deal because IE runs with low permissions, so the arbitrary code can't do much other than screw with IE itself. DEP probably mitigates it a lot too.

      XP is fucked from a security point of view. Sorry, but it just is, and we need to move past it.

      • Well there are plenty user-level malware programs out there - typycally ransomware run with user level privileges (admin is a bonus, but to screw up the current user, its not necessary). For example, cryptolocker can work without administrative permissions too since it messes up your personal files.
    • by toddestan (632714)

      The stupid thing is that it's not really a Windows XP exploit. It's an IE8 exploit, which Microsoft still supports on other versions of Windows such as Server 2003 and Vista. So Microsoft is still on the hook to fix it anyway, so it's not like they gained a whole lot by dragging their feet on this.

  • by Anonymous Coward

    They give NSA all of their backdoors months in advance. Do not use Microsoft products!

  • It is really a sad state that computer systems are in nowadays. Every year multiple vulnerabilities are published showing how easy it is for someone to find critical vulnerabilities in software used every day by citizens and government officials. I bet the NSA is into Chinese government systems and China already has access to american government systems. The underground hacker/criminal scene certainly already has access to corporate and government systems too if you think about how many vulnerabilities
  • by Anonymous Coward

    What's with all the illiteracy these days? It's not a "zero day"; it's a "zero-day". Zero-day is an adjective and must be hyphenated.

    Zero-day attack [wikipedia.org]

  • by 140Mandak262Jamuna (970587) on Wednesday May 21, 2014 @09:39PM (#47062441) Journal
    According to the timeline it is a -180 day.
    • by PhilHibbs (4537)

      Has it been exploited? A zero-day attack is an exploit on the same day that the information is released. No-one has said anything about an attack. If it gets attacked today, it's a zero-day. If it's already been attacked, then it's an already-exploited vulnerability, there's no point in attaching positive or negative numbers to it. An exploited bug that never gets detected would be a minus infinity day attack!!!! Anyway that's a "zero-day attack", I don't know what a "zero-day vulnerability" is, the term do

      • Very true. The way the term originated, if an attack is mounted today it would be 180 day attack. N day attack originally meant the number of days it took for someone to exploit a vulnerability after it was known. But when you are shooting for funny ....
  • "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 ... The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch.

    So then wouldn't that make it a minus 180 day vuln instead? </snark>

    Oh -- it was found 180d ago so that's be a plus 180. Wrong orientation base there, sorry.

  • by Dega704 (1454673) on Wednesday May 21, 2014 @10:22PM (#47062625)
    Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Fuck you! XP FOREVER!!!!!

  • Doesn't matter even if it is a newer version e.g. IE10, IE11.

    If you're in a corporate environment and some legacy in-house apps only play nice with IE, cough out some money and upgrade or port those apps.

    It's time to let IE go the way of Realplayer: once annoyingly ubiquitous, now a mere footnote in tech history.

  • by Anonymous Coward

    OK, first I was confused because I read IE 8 as Windows 8.

    So a bug is discovered in IE 8, which has been deployed for a long time... but...

    Somehow the meaning of "Zero Day" has changed over the last few years. It used to mean a vulnerability that was discovered before a version of software even went live.... ouch.

    Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... s

    • by Teresita (982888)
      Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

      And a "new" zero day at that. That's a relief, it could have been an old one.
  • IE is a vulnerable pile of crap and always will be.

    Everyone that doesn't live under a rock already knows this.

    No amount of "ZOMG! NEW HACK FOUND IN IE!" announcements is going to get through the skulls of those that still use it.

    Please, no more stories about IE vulnerabilities. Consider it a standing notice "IE is a POS"

  • In IE8, Internet explores YOU.
  • IE8 no longer needs to exist. The only technical reason for it is Windows Updates for XP which are no longer available.

If A = B and B = C, then A = C, except where void or prohibited by law. -- Roy Santoro

Working...