Several Critical MSIE Flaws Uncovered

An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

Thanks Microsoft!

[Anonymous Coward]

I know some people around the Mozilla camp were a bit afraid of how the media would cover their recent security problems. But, once again, Microsoft's really come through by offering problems of their own to take the spotlight off Firefox.

Re:Thanks Microsoft!

[Karzz1]

Is it just me, or have there been a ton of browser vulnerabities discovered recently? It seems that every couple of weeks or so there is a hole found in IE or Firefox/Mozilla or others even. Are security firms concentrating their efforts on browsers or are browsers simply more inherently insecure than most other software?

Vulnerabilities

[Mark_MF-WN]

Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser. Lots of people access their email through a browser, and that tendency seems to be increasing. This makes browser security absolutely paramount. It is the biggest gateway into the system.

Re:Vulnerabilities

[sl70]

Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser.

Damn this is true! I went to my insurance agent the other day, and he uses IE to access all my account information that is stored on the headquarters's server. Made me want to reconsider my choice of insurance companies.

Re:Thanks Microsoft!

[m50d]

I think it's that browsers are more hacked-together. No one would be stupid enough to try and make an email client be an applications platform - but that's exactly what both mozilla and MS do with their browsers. That leaves a whole lot of exploitability.

Re:Thanks Microsoft!

[bunratty]

No, Mozilla uses an applications platform so that the developers can easily write cross-platform code. It's just that they also developed that platform, and it's also called Mozilla. Mozilla-the-browser (and also Firefox and Thunderbird) run on top of Mozilla-the-platform.

Re:Thanks Microsoft!

[eyegone]

No one would be stupid enough to try and make an email client be an applications platform

Ever hear of Lotus Notes?

Re:Thanks Microsoft!

[Kent Recal]

Ever hear of Lotus Notes?

Yes, I have and it is a nice proof for grandparents statement.

Re:Thanks Microsoft!

[hey!]

Well, except you really have it backwards.

Notes is a messaging/workflow management application platform that can be trivially used as an email system, a use for which it is overkill, given that the least common denominator capabilities of Internet email systems are so extremely limited.

I think Notes is mispositioned in a marketing sense, given what it is. It completes against Exchange, which truly is an email system that has been overextended into a platform. This naturally leads to a lot of dissatisfaction with the product when it's used for plain old Internet email, which it is 90% of the time. Most IT departments don't have enough on the ball to develop workflow management applications, or even use non-Microsoft products.

It's too bad, because there's a lot of good stuff in there.

Re:Thanks Microsoft!

[calculadoru]

Please do not mention Lotus Notes ever again. It has been, still is, and looks like it will be, the absolute bane of my existence as a corporate drone. It sucks the life out of everyone who uses it, it destroys and maims everything it touches. It is the worst program/platform/whatever the bloody hell they think it is, EVER. It was designed to incur maximum confusion in the user, with productivity and ease of use kept to an absolute minimum. It is a vile, pestilent disease on the otherwise healthy body of my

Re:Thanks Microsoft!

[hey!]

Lotus always had a horrible touch with user interfaces. It always amazed me that they couldn't hire a couple of HCI gurus for a couple of hundred thousand dollars to whip it into shape. It's a flagship product, after all.

Notes and I parted ways around R5, when it was clear where the IBM/Lotus people managing the product were headed. They were building a layer of HCI crap over the good stuff in the product, which was nearly a decade old. It was clear to me that the facade they were putting up in front o

Re:Thanks Microsoft!

[n0-0p]

Well, I assess software for a living, and in my experience it's a combination of several things that makes browsers so difficult to secure.

• Browsers are in general extremely complex apps and complexity leads to security issues
• Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues
• Browsers must deal with cross domain concerns (local system vs. remote sight), which can be very tricky
• Most browsers were initially developed during the internet boom when features ruled and security was a foreign word

IE in particular has the deck stacked against it because it was pretty much ignored in the MS security push that started in 2002. The team had already been disolved and the app was in maintenance mode. They just didn't commit the resources to dig into the code and do a thorough security review like they did with most of their apps. Instead there were some tacked on fixes like shuffling the zones, modifying ActiveX prompts, and disabling most functionality in Server 2K3. I personally have no question that they regret that decision, and we'll see what happens with IE7 this summer.

Re:Thanks Microsoft!

[starfishsystems]

we'll see what happens with IE7 this summer

I expect that Microsoft's "integration" strategy for subverting interoperability will continue to induce pain points in fresh code just as it has done in legacy code.

In a complex design which combines a tolerance for brittleness and nonmodularity with a strong preference for products to fail open rather than closed, that has to be so. It becomes that much harder to meet functional tests, let alone the nonfunctional ones related to security.

Re:IE7

[Anonymous Coward]

Yes, all the Linux, UNIX, OS/2, Solaris, etc. etc. users are going to dump Firefox and switch their systems to Windows so they can use IE7 and then Firefox will die.

Re:IE7

[The Snowman]

I don't see how basically a patch against what is most often just a few lines of code can open more holes, either. That's just dumb.

I see you have never worked on an enterprise-class application, otherwise you would know that just changing the boolean algebra inside an if() statement can have catastrophic consequences. Usually what happens is there is a bug. To fix this bug, the developer must modify this conditional (i.e. a transaction is not always processing because the if() skips it under weird circumstances). However, there is some obscure requirement that, despite being well-documented, is difficult to understand. That if() statement has conflicting requirements, and the logic needs to be expanded to accomodate both situations. However, desparate for a quick, one line fix, the developer changes a single line (or character, e.g. "!" not logic). This breaks a bunch of other stuff.

Some applications are like a house of cards -- precariously perched, even one small error can bring the whole structure down. Good configuration and requirements management can mitigate this risk, but the possibility of error is always there.

Exerpt from "The Devil's DP Dictionary"

[rah1420]

One-line Patch: A kludge so trivial that no testing is necessary. Repaired with another one-line patch. See Recursion.

Recursion: See recursion.

Re:IE7

[Aadain2001]

Just FYI: IE only starts faster because MS preloads it into memory at startup. To compare FF to IE on (more)equal footing, start FF and then try to open a new window. This is closer to how IE works on Windows.

Re:IE7

[SQLz]

You don't have to run the application to pre-load parts it it into memory. In fact, does't the whole windows shell share a lot of components with IE?

MS does the same thing with office to make it start faster.

There's more than simple buffer overflows

[n0-0p]

String handling is not not the only kind of parser attack, and buffer safe routines do not necessarily protect you from the full range of buffer issues that can occur. Integer issues in particular are a growing concern even with buffer safe libraries. Your average programmer does not have an in depth understanding of the C standard on things like type promotion and sign extension. Google on David LeBlanc's SafeInt library and look over the code for some in depth understanding of this.

Of course, there's a lot of fertile territory in parsers for all sorts of non-buffer related exploits. Cross domain context and external includes were both used in the most recent Firefox exploits. These issues are not unique to XML and HTML formats. I've seen exactly the same problems occur in binary OLE document handlers. This is why I stated that the parsers as a whole are complex issues. They touch so many areas and intermingle so many other concerns that they can be a security nightmare.

Re:Thanks Microsoft!

[wfberg]

Browsers are like cheerleaders. They're popular, and they might say they use protection, but you'd better know they get around.

Dupe?

[Kohath]

Is this story a dupe?

I could swear I read about security problems in MSIE before...

Re:Dupe?

[lostwanderer147]

No, no you haven't. It's all just the vast liberal conspiracy. They just want you to hate America. Now move along and go collect your tax refund.

Deja-vu

[Anonymous Coward]

That's simply called a "deja-vu", you see, that's what happens when either: the matrix has been modified, or you've been in front of the computer tooo long, or you're dealing with a bug advisory of a ordered group of flaws, bugs and exploits conventionally named "Internet Explorer".

Re:Dupe?

[HermanAB]

No, it is all the people that are still using MSIE that are duped.

Great..

[Marble68]

I'm stuck with an internal deveopment team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything. Although exploits were found in Firefox, they were patched rapidly. It's not standard on all our desktops. I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.

Re:Great..

[0x461FAB0BD7D2]

IE lite? You mean less features than IE already has? I think that's called telnet isn't it?

Re:Great..

[VStrider]

IE lite? You mean less features than IE already has? I think that's called telnet isn't it? Excellent! Plus...telnet will keep you insecure, in the spirit of IE.

Re:Great..

[Mz6]

I've found that most corporate sites, both internal and external, require MORE features than most regular web sites. An IE Lite that cuts down on that, would take away those flashy "features" :)

Re:Great..

[Marble68]

Well, you would think the development team would either know how or want to take advantage of client side features.

Their apps basically round trip everything to the server for processing. Never mind how friggin' slow it is, they insist on avoiding doing anything "client side."

And they do *just* enough to make it IE specific.

I totally agreee with you that if your going to do some type of internal app, most people would use all the resources available to them.

Not where I work, though. Drives me nuts. ARG!

Block IE from connecting to the outside world

[tepples]

I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.

It's called denying iexplore.exe and other apps known to embed the IE OCX the right to connect to the public Internet on port 80, using a software firewall on each machine or a proxy server that only Firefox knows about.

Re:Great..

[hsmith]

Punch your boss in the face if they are requiring you to use IE only for .NET. I do .NET development and there are TONS of cross browser controls out there for every feature imaginable. I don't see why anyone using .NET would be tied to IE only.

Re:Great..

[TFGeditor]

Wouldn't it be nice if Microsoft just released the IE source and made it open source so we could either fix vulnerabilities ourselves or enjoy the rapid response of the oss community.

Re:Great..

[zootm]

I think that's essentially the idea of IE in Server 2003, which has a reduced featureset for security. I think it's only available for 2003 though, which kinda negates its usefulness in the context you want it.

But thats not fair!

[Anonymous Coward]

People taking advantage of Microsoft's upgrade release cycle to discover security flaws when there's a month to go to the next upgrade!

I hereby demand that everyone only look for security flaws the week before the scheduled security update so that Microsoft can continue to claim it patches all their flaws in a timely manner!

Re:But thats not fair!

[grahammm]

No, the best time to announce a security flaw is just before a scheduled security update which does not address the flaw.

Re:But thats not fair!

[joeljkp]

I simply don't understand the policy of scheduling security patches. If a vulnerability is found, isn't the best policy to release the patch as soon as it is available (and properly tested)?

This seems akin to scheduling firefighter visits every two weeks, and if your house catches fire in the meantime, being told to wait it out.

Re:But thats not fair!

[grahammm]

Which I believe is what Microsoft used to do, but they gor complaints from administrators who have to plan updates (security or otherwise) and therewanted a release schedule rather than ad-hoc updates.

Re:But thats not fair!

[joeljkp]

Do they release the patches on their site immediately, but only schedule when the updates get pushed to Windows Update? Or do they forego all patches until their scheduled release?

Re:But thats not fair!

[Barlo_Mung_42]

Exploits creators are lazy. They normally reverse engineer the patch to create the exploit. So having a set time when the admins can schedule their updates reduces the amount of time between release of patch and application of patch.

The scheduling is meant for enterprises

[n0-0p]

Organizations want to schedule their downtime and the "Black Teusday" policy makes it easier for them to do that and keep good looking metrics. All the places I've worked at have a scheduled outage the second Friday of every month. This gives a few days to do test deployments of the patches before rolling them out to the enterprise. Metrics still look great because IT can say they deployed all critical patches in under three days.

Marketing...

[Freggy]

It's just a question of marketing. By limiting the patches to once a month, it /seems/ as if the number of security vulnerabilities actually is not that big. A lot more Joe Users would start raising questions if they saw that they have a security flash popping up twice a week...

Re:But thats not fair!

[Tiger4]

It is a marketing decision, but it comes straight from Machiavelli's little book, the Prince.

If a Prince is going to distribute benefits, be sure they are annoucned singly and prominently, no matter how trivial, to maximize their seeming importance. If a Prince will announce taxes or bad news, be sure to collect them into groups and hit the people al at once, so that each has lessend overall impact.

MS has no trouble telling you about new products and features, no matter what day or week of the month. Bu

Good for bidness

[yofal]

There's no rush cause we've got something to sell!

http://www.microsoft.com/windows/onecare/default.m spx [microsoft.com]

Re:Good for bidness

[ScytheBlade1]

For the record, you can sign up to beta this product....I did, and if it's worth anything at all,...

Re:Good for bidness

[Stevyn]

"Windows OneCare automatically takes care of key tasks such as running antivirus scans, updating the antivirus engine and virus definitions, updating the firewall, and running a monthly PC tune-up to improve and maintain your computer's performance."

they forgot to mention "patching all those OS holes so they can't be exploited by clicking on a random link in somebody's AIM profile"

IE is not a Browser

[mfh]

Using IE as a browser is like putting your OS on the internet. Be smart, use a PROGRAM, not your OS to surf the web. Get Firefox http://getfirefox.com [getfirefox.com].

Re:IE is not a Browser

[-kertrats-]

Not sure /. is the best place to be advertising Firefox. We get it.

Re:IE is not a Browser

[Tibor the Hun]

Go easy on him, he must be new around here.

Re:IE is not a Browser

[Jeff DeMaagd]

That's an odd claim, really.

I've been using Firefox since it was called Phoenix, but I don't really buy that argument.

While Internet Explorer is overly integrated into the operating system, the fact that your computer can access the internet means that your OS is on the internet too. Just that doing so with IE is believed to be more dangerious.

Re:IE is not a Browser

[Anonymous Coward]

Accessing the internet with IE is like sharing needles with people under a bridge somewhere.

At least with other browsers you can disable internet behaviour. IE runs with so many things open it's far from funny. Microsoft doesn't want to fix it, or it would be done.

Re:IE is not a Browser

[gvc]

Using Windows *is* putting your OS on the internet.

Although Windows has non-privileged user accounts, they are essentially useless. I tried to set up my mother and my daughter with these, and they were just a pain in the neck. So they, along with just about everybody else, run administrator-privilege accounts.

If I'm running as a non-privileged user, the most a javascript hack can do is mess up my account.

So for most Windows machines, any old application program (and Firefox is just any old application) is an open wound.

If Microsoft want to get serious about security, they'll have to change the run-as-administrator culture. To do this they'll have to:

(a) make it easy, and the default, to run
without privilege

(b) make it unpleasant to run with privilege

I won't bet on an attitude adjustment - from Microsoft or from Windows users - any time soon.

Re:IE is not a Browser

[QuietLagoon]

While I agree 100% with your comment, there is another factor here as well, third-party software. For example, I maintain the PC for my cousin's family. They run Windows XP with individual [non-privileged] user accounts, and one password-protected admin account that is used only when I'm on the phone with them.

It has been working OK, except for some thrid-party software. One example, Kodak's EasyShare. Everytime a user logs into their account, EasyShare puts up a modal dialog box stating that some features may not be available unless the user account is raised to admin privilege.

This causes two problems: I get questions about the presence of the dialog box, and I get questions about the missing features.

While it is often correct to blame Microsoft, Kodak is the problem in this instance, not Microsoft.

Re:admin privilege req'd

[Baron_Yam]

Try printing from MS Publisher or editing an MS Org chart in PowerPoint; Neither will work unless you have admin privilege, because both expect to write to %systemroot%.

If MS doesn't care about the problem (and these two examples are still present in the latest version without any apparent intention of being fixed), why should 3rd party software develpers care?

Re:admin privilege req'd

[QuietLagoon]

You raise a very valid point.

Re:admin privilege req'd

[man_of_mr_e]

I've never had a problem with Publisher 2003 needing systemroot access. If you're running older versions, you don't need to give them root access. All you need to do is give them write permission to the directory without replacing the permissions on the files within, that way nothing alter existing files. There's nothing special about systemroot other than it's a place many system files are stored.. let the user create new files there isn't going to comprimise security any more than letting them create new files somewhere else.

Re:IE is not a Browser

[iso]

I'm no Microsoft fan/appologist by any stretch of the imagination, but FWIW Microsoft is finally addressing this in Longhorn. I saw a demo at WinHEC where they showed a non-privileged user in Longhorn get to an "administrator" section by being prompted for the admin password (like Mac OS X/KDE). The Microsoft guys expressed concern over this very issue, and suggested that Microsoft would like to see nearly 100% of home users run as non-admin in Longhorn.

Of course Longhorn's not going to happen until the en

Re:IE is not a Browser

[fermion]

Which is a point I also try to make. IE is a simple application front end. It allows developers to create GUI based applications without getting into all the GUI specifics. The controls are limited, but when one needs a simple cross platfrom(meaning that if you write it on Windows XP, it will probably work on Windows ME), writing for IE is a good compromise. This is especially try for prototyping.

The problem comes when one is trying to develop a serious web application that one expects customers to us

Re:IE is not a Browser

[ThisIsFred]

Just playing devil's advocate here, but by now, everyone should know that IE isn't just a browser. It's foremost a user shell for Windows, and also a development framework. It just happens to be able to render HTML, XML, and has partial compatibility for CSS as well.

SP2 and Win2k3?

[sriram_2001]

Weird - the advisory doesn't mention SP2 specifically.Also, it has 'to be determined' next to Windows 2003.

Re:SP2 and Win2k3?

[diegocgteleline.es]

Which points out how insecure is IE in windows 98/Me and why you should switch!

If Microsoft would care about windows 98 users, they'd have backported some of the XP SP2 features (say, the popup blocker) to windows 98.

Of course they haven't done that (they need to encourage people to switch to SP2 and sell more SP2 licenses). Firefox is the best option for windows 98 users (and they still make 20-30% of the internet population), IE has no place for a windows 98 internet users. In XP maybe, but definitive

Poor choice of slogan

[rokzy]

who came up with the clever design idea of making eEye's slogan "Vulnerabilty Is Over" and then pasting it at the bottom of each vulnerability report as if it's a status message?

reminds me of the Simpsons scene where someone is reporting a crime via a radio and says "over" at the end of the transmission. then Wiggum says "thank god that's over". karma for the first person to find the quote, but I only have the real kind not the /. stuff.

Re:Poor choice of slogan

[dark-br]

Marge: [on radio] Husband on murderous rampage. Send help. Over.
Chief Wiggum: Whew, thank God that's over. I was worried for a little bit.

Ok, now where is mar karma? ;)

Other Winggum quotes here [thesimpsonsquotes.com].

Re:Poor choice of slogan

[subtropolis]

i thought that as well and sent them a msg about it. I was confused as well until i noticed that tm at the end.

The Known Flaws.

[rtb61]

I have often also wondered about all those flaws that have been discovered and not declared, just quitely made use of. At least with open source the oppurtunity for discovery as well as a rapid fix has become obvious.

Re:The Known Flaws.

[m50d]

You assume that any audit will find 20% of the flaws that exist. So if there's only one security firm audit, that will get 20% leaving 80%, and you can expect a black hat to find 20% of those, so about 16% of the total flaws when it started. But each new audit chips away at the black hat's library, and as soon as they use their exploit and get discovered (which will happen, generally you assume a 0-day is a one-shot weapon) it's useless. I've heard tales of people who held onto a wonderful flaw for 3 years

A large window?

[ninja_assault_kitten]

You need to realize that there's a difference betwen public and private disclosure.

I happen to know for certain that Mozilla was aware of the vulnerabilities to which you speak at least 10 days before they were publicly disclosed.

Take your head out of the sand and realize that there's more going on around you than meets the eye.

Re:A large window?

[FidelCatsro]

That is called resonible disclosure.
Most developers have a policy one way or the other on it.
I tend to prefer to give them some time to attempt a patch before disclosures, and 10 days is rather fair.
It beats the alternatives of either instant disclosure and allowing the black hats
a good head start on exploits ,or waiting too long before disclosure which will have the same effect as its bound to leak one way or the other but admins wont know about it till its much too late .

Re:A large window?

[bunratty]

I see you found the softcore child porn easily enough. :(

Simple solution: restricted user for browsing

[adam1101]

The solution to all these browser exploits (IE, Firefox, Safari) is simple: create a restricted user to run the browser only. This can easily be done in Windows XP/2K, Linux and OS X. Restricted users cannot affect other users or system files. As long as you don't keep important data in this account, you can just periodically erase this user and create a new one.

Re:Simple solution: restricted user for browsing

[Phil John]

Until your OS has a privilege escalation vulnerability and suddenly a buffer overflow allows execution of arbitrary code.

Re:Simple solution: restricted user for browsing

[ThisIsFred]

It doesn't need one. If you're running Linux and have gcc installed, and some remote site gets arbitrary code to run under the browser's account, it'll be able to download a script/binary that compiles a program which allows privilege elevation. If you're running Windows, the executed code can just download a precompiled rootkit from the attacking machine.

All desktop and server Linux distros should have ACL support by default, which would make it easier to limit access in special cases like this. That is,

Re:Simple solution: restricted user for browsing

[mcc]

For some reason reading this suggestion the phrase comes to mind "the terrorists have already won".

Ineffective and impossible.

[argent]

Let's pretend for a moment that this would actually work. It's not possible to get people to implement it.

It's hard enough to get any of the browser teams to commit to implementing a complete sandbox, even though that could be done without inconveniencing the users.

It's hard enough to get users to adjust the sandbox that they're already using so that it's as complete as possible, even though doing so imposes very little invenvenience.

Getting users to go through a lot of inconvenience to create a new account to run their browser in, that's really tough.

But even if you could do it, it wouldn't be effective.

A restricted account could still be used to compromise their privacy, it could still be used to destroy data they consider important... their bookmarks, information maintained on websites they connect to, and so on.

And that's assuming it would remain restricted: once I can run native code on your machine, getting out of a restricted environment is just a matter of time. It's easiest on Windows, of course, but even your typical UNIX or Mac OS X box has all kinds of mechanisms that a restricted account can use to extract information from your "real" account, or launch code (directly or through a boobytrap) into the "real" environment.

The only "restricted environments" I have used that I would consider secure enough to not treat malware running in that account as an immediate threat, apart from physically separate boxes, are FreeBSD Jails or completely emulated systems (VMware, Virtual PC, etc).

But we do know one thing that does work very well. And that's having a sandbox that has no holes in its design. That means there's no holes that the developer's reluctant to close, and no holes that users are reluctant to see closed. That means that any holes that do occur are bugs, and as such can be quickly fixed without embarassment and without discouraging users from applying them.

It's not perfect, but it works much better than a whole sandboxed account, and it's much easier to implement and MUCH more convenient.

So: the first absolute requirement for building a secure web is for the browser manufacturers to commit to a completely closed sandbox. That means there is no mechanism inside the sandbox to get outside the sandbox even as far as to see information stored about other websites. That means: no XPI installers, no ActiveX or Active Scripting, no "open safe files after download", no use of "Desktop" applications to open documents (even if you think the document is local), nothing. Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to explicitly download the document and so move it outside the sandbox, and THEN explicitly open it in the unsandboxed environment. Those two steps must never be shortchanged.

What does that mean to the user, then?

Not much, in most cases. For Firefox users that means they'll have to download XPI files and then load them from the menu or their desktop file manager. For Safari users, no more "open safe files", and no more warnings the first time they open an app because the browser won't ever be opening apps behind their back. For Windows, there would be a bigger impact: a few tools like Software Update would be separate applications, but the bigger impact is that some third-party applications would need to be redesigned to use the new safe API.

Windows, I can see their reluctance. The rest? I don't get it... they're not gaining all that much by having a leaky sandbox, and the fact that even such small leaks can be exploited is sure a good argument for having at the very least no designed-in holes at all.

Lets take them down hard..

[E IS mC(Square)]

BG: What, Firefox has a critical flaw? They are hogging all media attention for that? Fuck that. Hey tech team, how many more IE vulnerabilities have not been reported yet?

Tech team: 349 that we know of, SIR!

BG: Good. All critical?

Tech team: ALL CRITICAL, SIR! YES SIR!

BG: Good. Hey PR team, take the first 10 of them, contact some security firm and 'leak' them.

PR: YES SIR!

BG: Now we will see what firefox is going to do about this.

(Evil laugh all around)

Not just one!

[vmp17]

Although eEyes' reports look a bit confusing (look at the "Vulerability is over" image at the bottom), I think according to this page http://www.eeye.com/html/research/upcoming/index.h tml [eeye.com] there are 3 security vulnerabilities affecting IE and Outlook that allow remote code execution.
The oldest one is 60 days old now and still not fixed.

Is MSIE addictive?

[Mother Sha Boo Boo]

Almost every week I receive an email or an IM of a friend complaining their pc's are full of spywares, porn and gambling pop-ups, search bars, or: "I can't reach Google! Oh my God, it just opens porn!". I always say: "Try another browser, Firefox is pretty friendly". A friend of mine switched back to IE just because Firefox sorted her imported IE bookmarks alphabetically, instead of keeping the old order. Come on, it can't be only this.... MSIE must be addictive somehow...

Re:Is MSIE addictive?

[Bazzalisk]

Familiarity is an issue, I always open firefox when on the computer of one of my friends who primarily uses Opera. One of his housmates always opens IE ;-/

OOOOLLLLDDD News

[Urgo]

Sorry but I need to say this..

'Mozilla 1.0.3 vulnerabilities'

That would be Firefox 1.0.3.... Mozilla Suite aka just mozilla and FireFox are two separate programs and have very different versions. Saying Mozilla 1.0.3 is very misleading. Please use the correct name or it makes your news story look very silly. Who cares if a version of mozilla from 2002 [archive.org] has security holes.

</rant>

Possible Wishful Thinking, But... Is IE Pointless?

[FhnuZoag]

Is Internet Explorer still really of any benefit to Microsoft? Once upon a time, it might have been used to push ActiveX, or reinforce the Windows platform by encouraging integration. But security worries, and legal trouble, have put paid to that...

To my naive eyes, it seems that IE is more trouble than it's worth. It's earlier bugginess puts a weight on later development to duplicate previous rendering errors, and it is strongly challenged by Opera, Mozilla, and the like. Also, their developers have to take care not to break compatiability too much - or at least, to sort out how to get various plugins to work with newer versions. The whole thing is a running sore with regards to their reputation, and the number of idiots running the browser means everything has to be dumbed down.

It seems that the wise thing for Microsoft to do, simply from a selfish level, is to ditch the IE project. Open source what can be open sourced, develop a light, secure, bare-bones and idiot-proof version for bundling with their OS, and re-dedicate their resources elsewhere.

Internet Explorer has no future.

Re:Possible Wishful Thinking, But... Is IE Pointle

[oneiron]

Microsoft has a vision of an integrated web desktop (or at least used to)... Eliminating IE would put a damper on that, to say the least.

Time for the season finale...

[mtec]

These are the voyages of the browser Explorer, It's mission; to explore strange new exploits and seek out new viruses and hacker civilizations, to boldly expose data not exposed before!!
*cue music*

... Timing!

[SEWilco]

With the next MS Windows security bulletin release scheduled for June 14

Note to security companies: Schedule your next flaw announcements on June 15.
Yes, everyone on the same date.

Re:"Nothing for you to see here. Please move along

[Liquidrage]

Yes, it is.

The linked article with the flaws is about as useful as lipstick on a pig. So even when there's something to see there's still nothing to see. I think there's some Taoist wisdom in there somewhere.

Re:"Nothing for you to see here. Please move along

[Liquidrage]

Which is fine for them and MS, but that still leaves us with nothing to discuss in regards to the flaws so there was no point in posting the story.

Re:"Nothing for you to see here. Please move along

[SpaceLifeForm]

BS. It's certainly not a surprise, but it should be a constant reminder to everyone that Windows is not secure if the user runs IE and/or Outlook. And that reminder is what is needed in light of the recent Firefox bugs that the media flouted.

But to say there is nothing to discuss in quite disengenous. What needs to be discussed is why these holes continue to exist in MS products.

Re:"Nothing for you to see here. Please move along

[Liquidrage]

What holes? Can you explain to me just how serious these holes are? Can you explain to me what they do? Can you explain to me if threat of these being exploited is real?

I eagerly await you reponse. Because that is the information I would like to have and feel the need to have in order to discuss them. Without that information we're left to make assumptions.

Re:"Nothing for you to see here. Please move along

[SpaceLifeForm]

March 31: http://www.eweek.com/article2/0,1759,1781171,00.a s p [eweek.com]

He said Microsoft was alerted to the first vulnerability March 16.

That bug was found in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.

Default install problem. Minimal user interaction.

According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.

...more than 30 percent of th

Re:Funny how the emphasize

[vegaspctech]

...in an attempt to take the spotlight off all of the Firefox exploits lately.

ALL of the Firefox exploits lately? In the last two years there have been 17 reported Firefox vulnerabilities and 81 reported Internet Explorer vulnerabilities. The browser with the most recent, critical vulnerability is Internet Explorer. Do tell, where does the spotlight belong?

You can't compare like that

[MarkByers]

According to Secunia, Firefox has 17 advisories [secunia.com]. But this does not equal 17 security errors, since many of them are 'multiple vulnerabities'. Similarly for IE.

You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.

In Secunia's own words:

Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vul

Re:You can't compare like that

[MarkByers]

I disagree.

To do a proper comparison, you should rate each individual vulnerability, based on: how critical its is, if there was an exploit released, how long it took to patch, etc.

Just saying 81 > 17 is not an accurate comparison at all. How do you know that the 81 vulnerabilities in IE weren't all very minor things? Have you checked? Adding in a fudge factor doesn't make up for not knowing the facts.

Also IE has been around for a lot longer so of course there has been more time to find more exploits.

Re:Funny how the emphasize

[KiloByte]

It also may be a good idea to compare the criticalness level of MSIE vulnerabilities to the Firefox ones that get published.

People just don't bother with minor problems in IE -- on the other hand, there is much vested interest in digging every smallest issue in Firefox, and dragging it into the press.

Re:Funny how the emphasize

[vegaspctech]

"LATELY" not FOREVER. The rise of Firefoxs popularity has seen the increase of exploits and vulns. Read, dont translate.

You'd do well to take your own advice. The author wrote of taking the spotlight off all the Firefox exploits lately, implying there have been more for Firefox than Internet Explorer. For what period has that been true?

Re:Funny how they emphasize

[ArielMT]

No, it hasn't. The rate of flaw discoveries in Mozilla's applications (Firefox included) has remained statistically level since before Firefox was called "Phoenix." Quite obviously, the Mozilla Foundation's marketshare has not remained steady since then, as you argue.

Security through obscurity doesn't work. It is a fundamentally flawed concept, which I would've thought Slashdotters realized. To suggest that an open-source project like Firefox doesn't know that is simply absurd.

The rapid response of

Please tell me you don't write code.

[khasim]

Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found... (and only about 5 times as many are)

No .... that's only "logical" if there is no such thing as "security", just "marketshare".

By your logic, a program written by a first year student who didn't pay any attention to any security would have as many flaws discovered as a program written by an expert who tested for vulnerabilities ....

As long as both of them had the same number of users.

In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.

Re:Please tell me you don't write code.

[ssj_195]

In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.

I call it the Heisenberg Insecurity Principle.

Re:Funny how the emphasize

[vegaspctech]

Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found...

Logically found? That's assuming all other things are equal, such as level of difficulty for discovering vulnerabilities in each. Clearly this is not the case. You can't go to the Internet Explorer home page and download its source code.

Re:Funny how the emphasize

[internic]

Actually, I'd expect that each version of a piece of software has some finite number of vulnerabilities V, and I'd think that with a user base U that after an amount of time t you'd have found a number of exploits something like E = V(1 - exp(-a*U*t)), where "a" is some constant for that particular piece of software. Yes, I just pulled that out of my ass, but the point is that I'd expect diminishing returns with more users and time, since eventually you will have found all the easy to find vulnerabilities

Re:The remote exploit

[Rosco P. Coltrane]

The remote exploit is why I use OS X.
My time is worth it.

Are you a lawyer?

No, NO.

[game kid]

It should have a Javascript DOM-based moving <div> or something. Marquees are, like, so IE3. [microsoft.com]

Better yet, be thoughtful of screen-reader users, and make it a static list [w3.org] that has scrolling abilities [w3.org].

Well, it's not that complex.

[biendamon]

Let's take a look at why an administrator might say both those quotes.

"Oh, no MS releases too many secuirty patches making my job as an admin hard, what a bunch of A-holes"

Looking at our hypothetical admin's thought processes, what's going through his head might be: "IE is just a damn application, but they've embedded it into the OS. So every time they release a patch for this friggin' application, I have to patch! I'd prefer to just remove the damn thing, but no... There's no uninstaller for it."

And now, let's look at the next quote.

"*Stoopid* MS is going to take a month to release a security patch, what a bunch of A-holes. Firefox ROX#$%^&!"

So what's the administrator thinking on this one? It's pretty simple: "Okay, so now this damnable embedded application, this junk browser that has to be on my operating systems, isn't gonna be patched for a month? The way they did it before would have been acceptable if I could patch the application without worrying about it breaking the OS or making me reboot. But NEITHER of these patching methods works well for me. I've either gotta patch applications that might destabilize my systems all the time, or I've gotta give hackers the keys to my network for a month!"

So, while the point you're trying to make - i.e., that neither of the upgrading options Microsoft has provided are acceptable to admins - is a valid one, it's a situation Microsoft brought on themselves.