Microsoft Issues Advisory For Internet Explorer Vulnerability

jones_supa (887896) writes "Neowin reports how Microsoft made a rare weekend post on its Security Response Center blog to announce an advisory that affects all currently supported versions of Internet Explorer (versions 6 to 11). The issue is based on a newly discovered exploit that could be used against the web browser. The vulnerability exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated. Memory may be corrupted in a way that could allow an attacker to execute arbitrary code in the context of the current user. Microsoft is aware of 'limited, targeted attacks' that have used the exploit. IE 10 and 11 are protected against attacks using this exploit if they have their Enhanced Protected Mode turned on. Also, PCs that have either the Enhanced Mitigation Experience Toolkit 4.1 or the EMET 5.0 Technical Preview installed are also secured against this security hole. Microsoft will take the appropriate action to protect its customers by delivering a security update."

Windows XP

[Jagungal]

I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.

Re:

[yuhong]

What is funny is that the current exploits do not target XP.

Re:

[turkeydance]

amazing. xp might be overlooked with by malware.

Re:

[SumDog]

It's the new OS/2

Re:

[slowdeath]

Probably Microsoft did not list XP because it is "no longer supported..." Some of the IE versions listed certainly do run on XP.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[reikae]

From the Fisher-Price Windows XP to the poker-machine-look-a-like Windows 8 :-)

Re:

[SpaceLifeForm]

Funny by happenstance? Or Funny by design?

Perhaps this is a ploy to drive sales of the garbage known as windows 8.

Re:

[yuhong]

I mean in the sense that people have been predicting the rise of WinXP exploits after it ended support. And the April 2014 date comes from 2 years of mainstream support after Vista was released plus 5 years of extended support afterwards BTW.

Re:

[denbesten]

> What is funny is that the current exploits do not target XP.

More likely is that Microsoft is no longer testing/reporting on XP, so we do not know if it is vulnerable or targeted. Given that the vulnerability is with the browser, it seems likely that XP would be vulnerable. The significant difference being that the forthcoming MS hot-fix that may or may not install on XP and definitely will not apply via automatic updates.

Re:

[Culture20]

That's the thing: XP no longer receives security patches. It's reached EOL.

Re:

[NJRoadfan]

Its very likely a patch will be made for Windows Embedded POSReady 2009. We'll see what pops up on Windows Update next month. Since its basically XP SP3, its likely someone will "crossport" the patch to retail XP.

Re:

[HideyoshiJP]

Let's not forget that Server 2003 is still supported...

Re:

[suss]

Meanwhile, people will be wondering if this vulnerability has been known for at least a month, possibly much longer, because those Windows 8 licenses haven't been selling as well as expected...

Re:

[Skuld-Chan]

XP users will still get patches for individual products like Office and IE.

Re:

[SpaceLifeForm]

But his Billness said that IE is part of the OS!

Re:

[Bing Tsher E]

That was back with Windows 98. Explorer.exe was integrated with IE back then. They ended that because your browser shouldn't crash your whole desktop.

Get with the times.

Re:

[buhusky]

This is an IE issue, not an XP issue. IE 8 is still supported last time I checked?

Re:

[JDG1980]

I wonder if this is going to be one of the first big exploits that will affect Windows XP and leave the masses of users still using it vulnerable.

Since this appears to be an IE-specific exploit, couldn't they mitigate by using Chrome or Firefox instead?

Admittedly, that may not be a feasible solution for the dinosaur businesses stuck with IE6 ActiveX apps, but for Grandma it should work fine. (And these dinosaur businesses can pay out the nose for extended support from MS.)

Fuckwit.

[Anonymous Coward]

Because it's a local privilege escalation vulnerability and not a remote visit-this-website-and-get-fucked vulnerability? Fuckwit.

Re:

[Kalriath]

Not really, it's just as relevant. XP is 12 years old, hasn't been on sale for about 5 years, and is no longer supported. There are multiple upgrade paths including Windows 7, Windows 8, OS X (well, if you buy a Mac) and even Linux. If the Linux Kernel team isn't expected to continue patching the 2.4 kernel, why should Microsoft be expected to keep patching XP?

Re:

[Kalriath]

No, just you.

Be glad it's not Open Source

[Teun]

Be glad it's solid commercial software developers were paid for.

The exploit requires Flash

[SpaceLifeForm]

Link [fireeye.com]

I suspect this exploit has existed for many years now, probably used by NSA too.

Re:

[cavebison]

Be glad it's solid commercial software developers were paid for.

As opposed to OpenSSL you mean?

To paraphrase Ballmer...

[msobkow]

To paraphrase Ballmer...

"Linux, Linux, Linux!"

IE6

[SumDog]

Wait...IE6 is still supported? WTF?!

Re:

[cmdrbuzz]

Yes, technically under Windows 2003 (Server) IE6 is "supported". Still sucks as a browser though.

Re:

[Billly Gates]

Nope.

IE 8 no longer is supported either [microsoft.com]

Re:

[Billly Gates]

This was from a Windows 7 system

Re:IE6

[viperidaenz]

You forgot the fact that only IE6, IE7 are available for Windows 2003 Itanium. That's supported until next year.
Windows Server 2008 Itanium only supports up to IE8, which is supported until 2020.

That page is specific to XP. Click the "learn more" link just after the quoted text you pasted.

Re:

[LordLimecat]

I dont think its that big a deal: how many viruses are targetting itanium?

Re:

[viperidaenz]

The point is, IE6, 7 and 8 are still supported despite the claims of parent posts.

Re:

[Bing Tsher E]

In a similar vein, Internet Explorer runs on Solaris, since there once was a version that did.

To paraphrase a very bad politician, "At this point, what difference does it make?"

Re:

[yuhong]

I believe this is an error.

Re:

[LordLimecat]

IE8 is supported still:
http://en.wikipedia.org/wiki/I... [wikipedia.org]
You can also check the lifecycle on MS's website, which seems to indicate 10 years (5 standard, 5 extended) support for IE. That jives with what Wikipedia is saying, particularly with IE7 (2006) being in extended support.

Re:

[viperidaenz]

Until 14/07/2015!

IE7 is around until 14/01/2020 thanks to Windows Server 2008.

Re:

[viperidaenz]

Click the learn more [microsoft.com] link on that page. It's specifically for Windows XP.

If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.

I don't see where it says Windows Server 2008 support is affected.

The security announcement for this exploit specifically mentions all affected supported software, include IE6 on Windows Server 2003 Service Pack 2.
Microsoft can't say "Yes we support the OS at this Service Pack level, exception this specific fundamental component that can not be removed, you need to install a different version of it that doesn't quite work the same."

Re:

[bloodhawk]

Actually no. Even on Windows 2003 it is NOT supported any more. you either need to upgrade to a supported version or be without support for that part of the system.

Re:

[viperidaenz]

"that part of the system" you mean the entire GUI?
Stop spreading lies.

Re:

[LordLimecat]

Internet explorer is considered a separate product. Its not "the GUI".

Re:

[viperidaenz]

The rendering component of IE is used by the shell.
Windows Explorer and Internet Explorer share common components.

Re:

[LordLimecat]

Thats not correct. If you rip out the iexplore internals using a tool like nLite, a whole bunch of things break-- but the GUI isnt one of them, nor is the shell.

Re:

[toddestan]

You need to learn Microsoft's various levels of support so you aren't talking out of your ass. Extended support is what comes after mainstream support. Mainstream support is when the OS gets new features, functionality, and new versions of packaged software like IE and WMP via Windows Update. When the product goes into extended support, you only get security patches and bug fixes, but nothing new. Extended support is still free for anyone with a valid license. Extended support is what just ended for XP

Re:

[viperidaenz]

It's supported on the latest supported service pack for all Windows products.
Which means IE6 is supported on Win 2003 SP2 for x86, x64 and Itanium.

Re:

[operagost]

Well, Win2K3 SP2 is still supported, and it can run IE 6. That doesn't mean IE 6 should be supported, but they do mention it in the KB article.

Re:

[gadget junkie]

Browsers other than IE are not affected and/or can pe patched. Can someone remind me how to uninstall IE from Windows?

you cannot, as per testimony by the company in the antitrust investigation. I do wonder how to translate "schmucks" in legalese.

Re:

[X10]

Of course you can. You uninstall IE6 by uninstalling Windows. Then you install Ubuntu, and you have a choice of Firefox or Chrome.

What's a real distro?

[tepples]

To avoid a "no true Scotsman" fallacy, I'd like to know what definition of "real distro" you plan on using.

IE (and its holes) are "deeply integrated w the OS

[raymorris]

Also very interesting is WHY it can't removed. According to Microsoft's testimony, IE is "deeply integrated with the OS" and removing it would make the OS not longer work. If it's deeply integrated into the OS and it's full of huge security holes ...

Quite apart from the number of bugs, I'm very glad that Firefox is just a web browser. All it does is display web pages. So Firefox bugs basically just affect web pages. Any problems with Firefox are not problems that go deep into the OS.

a) Konqueror is not the system shell. b) MS testif

[raymorris]

A) Konqueror is not the system shell. Explorer is.

Still, as I said "I'm glad Firefox is just a web browser ...". Do you see the words Konqueror or KDE in that sentence? I'm comparing IE and Firefox. The fact that Konqueror does something else silly isn't really directly relevant.

B) As I said, Microsoft execs testified that IE is deeply intertwined with the Windows OS. I guess you're not aware that an OS is more than just a kernel, so you think Microsoft was committing perjury when they testified to those f

IE is easily removed? I guess Microsoft was lying

[raymorris]

> it's easily detected + removed by processexplorer

IE is easily removed? I guess Microsoft was lying.
What you don't seem to get is that IE is the exploitable process, and it's essential to the system. It's a readily exploitable process that can't be removed mainly because if you do remove it, the system stops working.

Re:

[zbaron]

Because, as GGGGGGGGGGGP asked

Can someone remind me how to uninstall IE from Windows?

Re:

[viperidaenz]

You can't, without replacing the entire shell.
You can delete the shortcuts, but the rendering engine must stay as it's used by many other things including countless 3rd party products.

Re:

[greg1104]

Can someone remind me how to uninstall IE from Windows?

fdisk /dev/sda

IE 8 no longer supported and 0wned!

[Billly Gates]

I did a re-image of a computer and saw this [microsoft.com]

Since corporations like my own use IE 8 with low rights mode with sandboxing and protected mode turned off so they can run compromised certificates for ancient java I wonder if we will get patched?

This is much scarier as we handle HIPPA and credit card information and can be hacked.

C strikes again!

[Animats]

Another vulnerability due to C's poor handling of pointers.

Re:

[BetterThanCaesar]

Actually, C does not try to handle pointers at all. It treats them just like a long int (with the appropriate cast) [...].

That's not actually true. First of all, there is no direct connection between the size of pointers and the size of long int. That is platform and implementation dependent. Secondly, at compile-time, pointer arithmetic differs a lot from that of integers. You cannot add two pointers. You can subtract two pointers to the same type (except void); that will give you the number of elements between them, in the ptrdiff_t type. (In theory, that's only possible if the pointers point to the same array, but the compi

There's just one vulnerability in IE:

[Arancaytar]

"IE".

Re:In other news ...

[Joe_Dragon]

http://www.pressthered.com/atm... [pressthered.com]

Re:In other news ...

[Anonymous Coward]

How else are you supposed to download Chrome or Firefox on Windows?

Re:

[TechyImmigrant]

>How else are you supposed to download Chrome or Firefox on Windows?

wget.

Oh no. That's Linux.

How is wget practical for most?

[tepples]

On several GNU/Linux distributions, Firefox and Chromium are available through the built-in app store. (Or should I say "APT store"?) But let's assume for a moment that Wget.exe for Windows is installed to a folder on the %Path%.

C:\Users\pino>wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.

How is the median user (not an outlier technophile like much of the Slashdot population) expected to parse out a download URL from the result of wget http://getfirefox.com/ [getfirefox.com] o

Re:

[unrtst]

This whole line of thought is broken by bad assumptions. You ask:

How is the median user (not an outlier technophile like much of the Slashdot population) expected to parse out a download URL from the result of wget http://getfirefox.com/ [getfirefox.com] [getfirefox.com] or wget http://mozilla.org/ [mozilla.org] [mozilla.org] without using IE?

If you didn't include those URL's, you'd be closer to having a point. However, you did include them. Where'd they get those? They can get the download URL from the same place (maybe it was a friend, or an email, or an IM, or off a magazine ad... I have no idea).

You also added in the condition that it be for a median user, which the AC that TechyImmigrant was replying to did not include.

For a median user, they'll probably keep using whatever wa

Re:

[tepples]

My point is that it's more practical to use IE for a few minutes to download Firefox and/or Chrome and then stop using IE.

Re:

[TechyImmigrant]

>For a median user

There's only one median user. We should find him/her and show him/her how to do it.

Re:

[mrbcs]

How about, I don't know, USE ANOTHER COMPUTER!!!!!

We now have these wonderful devices called flash drives. I think one of those might work. /sarcasm

In this day in age, I'm pretty sure everyone can find either another computer or a family member to download a 20 meg (or so) file for them.

Re:

[LordLimecat]

You can always use FTP, though its pretty miserable.

Re:

[Culture20]

Powershell can download via http. So can vbscripts.

Re:

[hawkinspeter]

Care to provide a simple/one-liner as an example?

Re:

[Gumbercules!!]

Invoke-WebRequest http://www.google.com/ [google.com] -OutFile c:\google.html

Re:

[hawkinspeter]

From a dos window:

'Invoke-WebRequest' is not recognized as an internal or external command, operable program or batch file.

From a PowerShell:

The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Am I doing something wrong?

Re: In other news ...

[Gumbercules!!]

http://technet.microsoft.com/e... [microsoft.com] Using an old version of powershell?

Re:

[hawkinspeter]

Care to provide a simple/one-liner as an example of how to read that link?

Re:

[Gumbercules!!]

Ha! I'd give you mod points for that if I could. That's the first time I have ever tried to post using the new Beta interface on a mobile and it munted the link badly.

http://technet.microsoft.com/en-us/library/hh849901.aspx [microsoft.com] is the link.

That requires powershell 3. Prior to that you could use: System.Net.WebClient but the Invoke-WebRequest is far easier.

Re:

[hawkinspeter]

I was trying it on an old XP virtual machine and it looks to be version 2 of PowerShell.

Isn't there an easy one-line that would work on XP and above? (i.e. an analog of wget for windows).

Re:

[Gumbercules!!]

$client = new-object System.Net.WebClient
$client.DownloadFile( $url, $path )

Probably works on Powershell 2 however I think it requires the .NET framework installed. Powershell wasn't that good until later versions. I have to say, current versions are actually extraordinarily powerful, when working with other Microsoft technologies, like Hyper-V or Exchange but the early versions were no reason to leave VBScript.

Re:

[hawkinspeter]

Thanks, that works.

Re:

[Anonymous Coward]

Powershell defeats the point. Powershell doesn't come with WinXP, so it must be downloaded, which probably shouldn't be happening until after Chrome or Firefox are downloaded.
WSH (JScript or VBScript) can be used as an option to get a file using HTTP, without needing to download another program. However, needing to type lines of code doesn't really count as a workable method that relies exclusively on code that comes with WinXP.

Re:

[flyingfsck]

Actually Windows does come with a command line FTP client that can be used to download Firefox/Chrome. You just need a Linux user to execute it for the clueless Windows user...

Re:

[Nofsck Ingcloo]

WGET is available for Windows and it runs fine.
http://gnuwin32.sourceforge.ne... [sourceforge.net]

Re:

[TechyImmigrant]

And how are you supposed to get it if you don't have a browser?

wget?

Re:

[TechyImmigrant]

C:\>wget
'wget' is not recognized as an internal or external command,
operable program or batch file.

C:\>

Re:In other news ...

[Anonymous Coward]

Maybe

ftp.exe -A ftp.mozilla.org
cd /pub/mozilla.org/firefox/releases/latest/
ls ...
binary
get ...

How do you find the FTP hostname and path?

[tepples]

That would work for someone dead-set on avoiding loading IE at all costs. But in practice, I imagine that most people aren't going to discover the hostname "ftp.mozilla.org" or the path string "/pub/mozilla.org/firefox/releases/latest/" very easily, especially without using either IE or another computer.

Re:

[Anonymous Coward]

Be sure to go Program Features to enable FTP, because it's not available in Windows by default.

Re:

[RockDoctor]

Has been on every version of Windoze which I've tried it on for ... I don't know how long. Going back into the 1990s at least. I honestly can't remember if it was in Win 3.11, which I was using until about 2000.

Re:

[dtfinch]

XP comes with a perfectly good command line ftp client, ported from BSD.

Re:

[gmhowell]

Why do you support people who do that?

You can't always choose who your mortgage gets sold to.

Re:

[tepples]

What prevents you from refinancing? Does refinancing cost substantially more than a copy of Windows 8.1 to run in a virtual machine?

Re:

[Ol Olsoc]

Why do you support people who do that?

You can't always choose who your mortgage gets sold to.

Automatic deduct?