New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

why are they taking so long?

[wulper]

this IS a critical bug... onehundredandeighty days... 180 zero days. why? MS wants to drive up marketshare of competing browsers incompetence? MS employees acitvely exploiting the bug?

Re:

[wulper]

that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

Re:

[Billly Gates]

that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certicates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

Re:

[Billly Gates]

Because it's from Ms.

And what a great way to force users to upgrade

Re:why are they taking so long?

[Jumunquo]

From ZDI advisory:
Vendor Contact Timeline:
10/11/2013 - Case disclosed to vendor
02/10/2014 - Vendor confirmed reproduction
04/09/2014 - Original predicted disclosure (180 days)
05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
05/21/2014 - ZDI publicly disclosed

Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

Re:why are they taking so long?

[Anonymous Coward]

You forgot to add to your timeline:

4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

Re:

[DrXym]

XP was supported for 13 years. A pretty generous term by any measure. At some point a line has to be drawn and further issues should be ignored.

Re:

[Anonymous Coward]

Microsoft was still heavily pushing Windows XP for netbooks in 2009.
So make that not even 5 years.

Re:

[toddestan]

This issue was disclosed to Microsoft while XP still had almost six months of support left. They should have fixed it, not let it go figuring by the time it was disclosed publicly XP would be out of support.

Though the funny thing is, Microsoft is still on the hook to fix it as they still support IE8 on other versions of Windows, including (off the top of my head) Server 2003 and Vista.

Re:

[DrXym]

Says who? Other operating systems including popular dists of Linux have well defined end of lifes on their products. Why should Microsoft be expected to support their product indefinitely?

Zero-Day allowing the attacker run arbitrary code

[buchner.johannes]

"Zero-Day exploit allowing the attacker to run arbitrary code"

I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention [wikipedia.org] features of MS Windows after XP.

Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

Re:

[Antique Geekmeister]

> Or does this warning assume the worst case, where all these other features are turned off?

It seems not. But remember that Internet Explorer was written to be inseparable from the operating system itself, with effectively bare metal access to provide Microsft-only speed, power, and enforced reliance on Microsoft's system libraries. It was designed _not_ to be lmodular, and designed _not_ to be clealy segregated from the underlying operating system so that it would be impossible to remove or replace on

Re:

[EmperorArthur]

"Zero-Day exploit allowing the attacker to run arbitrary code"

I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention [wikipedia.org] features of MS Windows after XP.

Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

The NX bit, and DEP forced us to develop Return Oriented Programming https://en.wikipedia.org/wiki/... [wikipedia.org] Basically because function arguments and return pointers are on the stack you can make the code that's already there do the work for you. It's not as easy as just writing a little shell code and tends to be more specific as far as the version of the software the victim is running, but it's really quite neat and hard to stop.

Re:

[toddestan]

Windows XP supports the NX bit, which came in with a service pack. Maybe you're thinking of Windows 2000? Though by default I believe Windows XP won't use it unless you specifically turn it on. And of course, you need to have a processor that has the NX bit in the first place. Windows Vista defaulted it to on (though only for the 64-bit versions), and Windows 8 requires it to the point where it won't boot on a processor that lacks the NX bit.

American Date Format

[labnet]

American Date Format :DIE Already!!!!!!!!!!!
American Imperial Units: DIE Already!!!!!!!!!!
American Imperialism : .....[shhh the nsa is listening]

Re:

[PsychoSlashDot]

American Date Format :DIE Already!!!!!!!!!!!

Sorry, but as a non-American I have to admit I find that date format the most comfortable. Things are likely different globally, but here people tend to say "May 10th, 2014" much more often than "the 10th of May, 2014". Adding two bonus words so you can satisfy some "most granular to least granular" fetish doesn't fit.

For instance, the catastrophe that happened in the US over a decade ago is called "September 11th", not "the 11th of September".

Frankly I'd be okay with a compromise... 10(5)14 is May 10

Re:American Date Format

[harperska]

Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

Re:

[bill_mcgonigle]

I speak in the American format and write in the ISO format. To me they're the best of breed, one for spoken communication, one for written. But don't forget that we're surrounded by OCD-ish folks (like the GP) who are so crazy-obsessed with EvEnNeSs. I did that last one just to piss them off.

Re:American Date Format

[QuasiSteve]

Remember, Remember, November 5th.

This day, July 4th, is our Independence Day.

Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

Re:American Date Format

[Dynedain]

Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

Re:American Date Format

[gl4ss]

third of the fifth? or fifth day of the third?

month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

Re:

[Dynedain]

Reread my comment, I was responding to someone who likes M-D-Y because that's how he speaks: "event happened on May fifth, 2001"

I'm completely in agreement that it's stupid in written and datestamp formats and leading to confusion. I always use YYYY-MM-DD to avoid ambiguities.

My point was that the grandparent's argument only holds true for English. In many other common languages, the day comes first: "event happened on fifth of May", so the natural inclination of making written dates match speaking order do

Re:

[Antonovich]

And you are a non-American (as in the continents) native speaker of English? I'm from NZ and it's the other way round, or at least was until I left 10 years ago... The "dialect" has undergone very strong Americanisation over the last few decades though. Your "for instance" is also a little ridiculous - a non-American would never say "nine eleven" meaning "the eleventh of September" (or even "eleven nine"). I also can't remember anyone ever saying "September eleventh" but plenty of people saying "September e

Re:

[markhb]

As an American, for that particular day, there is an added significance to the number itself as 911 is our universal emergency telephone number, similar to the European 112 or 999. I would typically write today's date as 22 May 2014, but when I do so I am being consciously pretentious. Otherwise I'd use 5/22/2014 (I was the Y2K guy at my previous job; it cured me of 2-digit years for good).

Re:

[LordWabbit2]

Sorry, but as a programmer different dates formats are a bloody pain in the ass. Say it like you want to (while putting a pancake on your head, I don't give a shit) but store it (ie. type it) in ISO format. YYYY-MM-DD [wikipedia.org]

There are a lot of systems which transmit data as strings (xml, json, csv) which need to get parsed back into datetime and a simple thing like YYYY/MM/DD instead of YYYY-MM-DD can cause a cluster fuck of note. If everyone just used the ISO format my job would be a lot easier.
As a develop

Re:

[Crash42]

If you want to go for the lazy option, use the Dutch system: the tenth of May 2014 is just "ten May twothousand fourteen"
It really is DMY.

Re:

[RabidReindeer]

I've heard "10th May, 2014" or even "10 May, 2014". And actually, the common US reference isn't so much "September 11th" as it is "Nine-eleven", written 9/11.

My preferred date format is "2014-05-10". It collates better.

Re:

[GuB-42]

Obligatory XKCD : http://xkcd.com/1179/ [xkcd.com]

Re:

[Zaiff Urgulbunger]

The problem I have with the US date format is simply that it's often ambiguous when used on the internet - it being international and all.

The way people "say" dates is fine, so if someone likes "May 10th" or "10th of May", I'm easy - there's no ambiguity. But writing 05/10/2014 on a website is a bit crap because it is ambiguous. Either go with writing the month name or 3-letter abbrev. or go with ISO format 2014-05-10 - you're still allowed to say it in whatever order you like! So when I read an ISO forma

Re:

[Anonymous Coward]

American Date Format :DIE Already!!!!!!!!!!!

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

• 2013/10/11 - Case disclosed to vendor
• 2014/02/10 - Vendor confirmed reproduction
• 2014/04/09 - Original predicted disclosure (180 days)
• 2014/05/08 - ZDI notified the vendor of the intent to publicly disclose
• 2014/05/21 - ZDI publicly disclosed

But, otherwise, I don't really see the point.

Re:American Date Format

[compro01]

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

That's what ISO 8601 specifies. YYYY-MM-DD.

Re:

[praxis]

nobody else will start saying or writing the year first

lolwut

You need to get out in the world more.

You know many people who start with the year when they are referencing a specific date? "We are planning a trip in 2015-07-20".

Saying and writing are two different things. People do write the year first; in fact it's a very popular format.

Re:

[Megane]

Right on, and fuck the European date format too. YYYY-MM-DD 4evah!

Re:

[BradMajors]

Computers that are still running XP almost certainly can not be upgraded to Windows 7 or 8 because they have additional hardware requirements. Microsoft has failed their customers by not providing a way to upgrade their software and forcing them to stay with XP.

Re:

[wulper]

surely anybody who hasn't updated ie8 until now probably won't install a patch when it comes out either. I didn't think about that.

Re: why are they taking so long?

[MotherErich]

Why is anyone still using IE8?

Re:

[Skarjak]

To think that my last comment on how there was no reason to use IE in this day and age got modded as flamebait...

Re:why are they taking so long?

[lennier1]

The NSA probably wanted more time to exploit it.

Re:

[account_deleted]

Comment removed based on user account deletion

Enough already

[Anonymous Coward]

I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

Re:

[CFBMoo1]

I installed an HP Dodo Rockjet Printer with my abacus and the stone tablet prints are really nice quality. Wilma really likes it as well and she prints out all her pictures to it.

Re:

[jones_supa]

You can buy a cheap dodo printer, but the hidden costs are in the crackers, which you need to acquire to keep the printer running. A bag of crackers costs more than the dodo.

Re:

[Black LED]

Just wait until some hacker starts drawing images of gaping anuses and penises on your Etch-a-Sketch [deviantart.com].

No no no.

[Captain Coolwater]

It's "640k 0 days should be enough for anybody". I'm not going to tell you again.

October?!

[anarkhos]

Can't Balmer spare any developers developers developers?

Re:

[sjames]

I think they're all lost in the poppies, poppies, poppies!

IE EIGHT?

[PopeRatzo]

Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

Re:IE EIGHT?

[xlsior]

Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

Re:

[msobkow]

So use Firefox or Chrome. No big deal.

Re:IE EIGHT?

[xlsior]

So use Firefox or Chrome. No big deal.

Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.

Re:

[Lennie]

The right answer is:

Stop using IE on Windows XP, use Firefox or Chrome, they get updates.

Or better yet: stop using Windows XP.

Re:

[Lennie]

Scrap that, if you read the advisory they mention turn off ActiveX.

So basically, it's an ActiveX exploit, so turn that off.

Re:

[Anonymous Coward]

Right. And the other $500 for the other puter'. oh, and the $300 for the app upgrades. Oh, and the $100 for a printer that has drivers. Or, M$oft, you could just patch what's broke for the common good. Eventually all good chipsets come to an end, and they move off. But until then...

Re:

[blindseer]

Bad car analogy. Software fixes don't take up warehouse space like auto parts, and the incremental cost to patch another computer is so close to zero that computing it be pointless.

At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

At work we have CNC machines th

Re:

[reikae]

Will switching to Macs solve the problem though? I was under the impression that Apple supports old OS X versions for a shorter period than Microsoft supports old versions of Windows. Snow Leopard was released in 2009, XP SP3 in 2008. According to Wikipedia Snow Leopard isn't supported anymore, let alone anything released in 2001 when XP first came out.

With a libre software solution you would have the option to pay someone to backport security fixes so you could run the current versions for a long time, but

Re:

[LordSnooty]

The car analogy would work if MS were forced to release the source code once their support ends. That's how an old car would be dealt with - parts from the manufacturer until they stop making them, meaning a third party can step in and make the parts if there is a demand for them. the 'open' nature of a car allows this to happen. An open-source OS also permits this. A closed-source OS is different.

Re:

[chuckugly]

At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

At work we have CNC machines that run XP.

And on those machines you surf the WWW using IE?

Re:

[blindseer]

And on those machines you surf the WWW using IE?

At home, yes. I'll surf the web for answers to questions that pop into my head with whatever computer I happen to be using at the time. With IE being the default browser then it tends to get used. Even if I install a different browser the IE engine is so intertwined with the OS that other software will use it for things like help files.

At work the people will use those computers for all kinds of crazy things. The primary use is for running the equipment but they'll use them to check e-mail or whatever,

Re:

[chuckugly]

Machines used for MMI are connected to the internet? I think I see what we like to call a root cause here.

Re:

[blindseer]

I had the same question. The response I got was that the software license control system needed an internet connection. Locking the network down wasn't really a big issue to worry about. Having internet access meant security updates could be installed easily, meaning the systems were arguably more secure because of the internet access. Loss of security updates from Microsoft changes that obviously.

Re:

[blindseer]

If we switch away from Microsoft then we're not likely to ever switch back. Perhaps their next version of Windows won't suck as bad as 8.x and we upgrade then.

Re:

[blindseer]

The bosses won't invest in Windows 8.1 because it has a really bad UI. They don't like how it looks and works so they are going to stick with Windows 7 and XP as long as possible. Microsoft dropping support for XP and offering 8.1 as a replacement is not going over very well. It sounds like if they have to give up XP because of lack of support then they'd consider Linux or Apple rather than going to Windows 8.1 because the UI is just that bad.

Re:

[blindseer]

Right now our choices are, keep XP, move to Windows 8.1, or choose an OS that Microsoft does not make. Only one person at work has asked for Windows 8, everyone else wants XP or 7. For a variety of reasons Windows 8 is not an option for widespread adoption. If Microsoft removes the choice to keep XP then the choice to move to something not made by Microsoft becomes that much easier.

Even though the desktops may stay on Windows XP there are still servers that need to be upgraded. We can move the Server 20

IE8 Last for Windows XP

[BBCWatcher]

Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

Re:

[cavreader]

Oh by all means lets get the government bureaucrats involved in policing software security. What could possibly go wrong? Stop looking to the government to protect you and start taking some responsibility for your own actions. You want guaranteed online security then just unplug your network cable because that is the only thing that will make you 100% secure from online attacks. There is not a browser on the market that doesn't have exploitable flaws if you really smart, motivated, and look hard enough. But

Re:

[The Cisco Kid]

Or people could just quit using this crap.

Re:

[AmiMoJo]

You would be crazy to run IE8 on XP anyway. A vulnerability like this on Vista or later wouldn't be such a big deal because IE runs with low permissions, so the arbitrary code can't do much other than screw with IE itself. DEP probably mitigates it a lot too.

XP is fucked from a security point of view. Sorry, but it just is, and we need to move past it.

Re:

[gradinaruvasile]

Well there are plenty user-level malware programs out there - typycally ransomware run with user level privileges (admin is a bonus, but to screw up the current user, its not necessary). For example, cryptolocker can work without administrative permissions too since it messes up your personal files.

Re:

[toddestan]

The stupid thing is that it's not really a Windows XP exploit. It's an IE8 exploit, which Microsoft still supports on other versions of Windows such as Server 2003 and Vista. So Microsoft is still on the hook to fix it anyway, so it's not like they gained a whole lot by dragging their feet on this.

Do NOT use MIcrosoft products

[Anonymous Coward]

They give NSA all of their backdoors months in advance. Do not use Microsoft products!

Who thinks we are really safe today online?

[0x537461746943]

It is really a sad state that computer systems are in nowadays. Every year multiple vulnerabilities are published showing how easy it is for someone to find critical vulnerabilities in software used every day by citizens and government officials. I bet the NSA is into Chinese government systems and China already has access to american government systems. The underground hacker/criminal scene certainly already has access to corporate and government systems too if you think about how many vulnerabilities

Have we forgotten how to hyphenate?

[Anonymous Coward]

What's with all the illiteracy these days? It's not a "zero day"; it's a "zero-day". Zero-day is an adjective and must be hyphenated.

Zero-day attack [wikipedia.org]

It is not a zero day.

[140Mandak262Jamuna]

According to the timeline it is a -180 day.

Re:

[PhilHibbs]

Has it been exploited? A zero-day attack is an exploit on the same day that the information is released. No-one has said anything about an attack. If it gets attacked today, it's a zero-day. If it's already been attacked, then it's an already-exploited vulnerability, there's no point in attaching positive or negative numbers to it. An exploited bug that never gets detected would be a minus infinity day attack!!!! Anyway that's a "zero-day attack", I don't know what a "zero-day vulnerability" is, the term do

Re:

[140Mandak262Jamuna]

Very true. The way the term originated, if an attack is mounted today it would be 180 day attack. N day attack originally meant the number of days it took for someone to exploit a vulnerability after it was known. But when you are shooting for funny ....

Huh? Naming problem?

[grep -v '.*' *]

"Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 ... The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch.

So then wouldn't that make it a minus 180 day vuln instead? </snark>

Oh -- it was found 180d ago so that's be a plus 180. Wrong orientation base there, sorry.

Don't blink this time MS

[Dega704]

Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.

Re:

[Anonymous Coward]

Fuck you! XP FOREVER!!!!!

Everyone should stop using Internet Explorer

[Anonymous Coward]

Doesn't matter even if it is a newer version e.g. IE10, IE11.

If you're in a corporate environment and some legacy in-house apps only play nice with IE, cough out some money and upgrade or port those apps.

It's time to let IE go the way of Realplayer: once annoyingly ubiquitous, now a mere footnote in tech history.

Zero Day? Duh...

[Anonymous Coward]

OK, first I was confused because I read IE 8 as Windows 8.

So a bug is discovered in IE 8, which has been deployed for a long time... but...

Somehow the meaning of "Zero Day" has changed over the last few years. It used to mean a vulnerability that was discovered before a version of software even went live.... ouch.

Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... s

Re:

[Teresita]

Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

And a "new" zero day at that. That's a relief, it could have been an old one.

TAG: NOTNEWS

[The Cisco Kid]

IE is a vulnerable pile of crap and always will be.

Everyone that doesn't live under a rock already knows this.

No amount of "ZOMG! NEW HACK FOUND IN IE!" announcements is going to get through the skulls of those that still use it.

Please, no more stories about IE vulnerabilities. Consider it a standing notice "IE is a POS"

Re:

[jbo5112]

It also boasts a worst in class standards support. When building advanced web services, Chrome's lack of support is a big enough pain. IE 11 is still about 3x as bad, but it is getting better. IE 10, in particular, was a huge improvement, but I often wonder why they still bother trying to build a browser from scratch.

IE8

[A Non-MS Coward]

In IE8, Internet explores YOU.

IE8 is officially so what.

[gelfling]

IE8 no longer needs to exist. The only technical reason for it is Windows Updates for XP which are no longer available.