Serious security flaw found in IE

Modelworks

The BBC is reporting about the latest flaw in IE. I saw this on other sites a few days ago but people thought it would be patched before it made it into the wild.

http://news.bbc.co.uk/2/hi/technology/7784908.stm
Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer users.

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer," said the firm in a security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites," said Mr Curran. "In terms of vulnerability, it only seems to be affecting IE7 users at the moment, but could well encompass other versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus Project and an expert on privacy and cyber security, echoed Trend Micro's warning.

"It won't be long before someone reverse engineers this exploit for more fraudulent purposes. Trend Micro's advice [of switching to an alternative web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there was a virtual arms race going on, with hackers always on the look out for new vulnerabilities.

"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's fine to say 'don't use Internet Explorer' for now, but other browsers may well find themselves in a similar situation," he added.


The flaw in IE allows criminals to gain control of computers that have visited a website infected with malicious code designed to exploit it. While restricting web surfing to trusted sites should reduce the risk of infection, the malicious code can be injected into any website. Users do not have to click or download anything to become infected, merely visiting an infected website is sufficient.

What should Internet Explorer users do?

- Change the program's internet zone security setting to "high". This should protect against all known exploits of this vulnerability by disabling scripting and disabling less secure features in IE. It is, however, likely to slow down a user's web experience.

- Log out of your computer and create a new user account which has limited rights to change the PC's settings. Log in as that user. This should reduce the chances of anyone being able to exploit the flaw should your computer become infected.

- Keep antivirus software up to date. This is likely to have only limited effect as most antivirus software packages only investigate files that are downloaded from the internet, rather than looking at every page visited.

- Switch to another browser, preferably Firefox. This is by far the best option.
 

Nik

Hasn't anyone ever heard of antivirus, antispyware, malware detection, and common fucking sense?

"Switch to another browser, preferably Firefox. This is by far the best option"

If that doesn't absolutely stink of firefox fanboyism then I don't know what does.

Anyway, I'll stick with afore-mentioned anti-'s and Google Chrome, thanks.
 

skace

Originally posted by: Nik
Hasn't anyone ever heard of antivirus, antispyware, malware detection, and common fucking sense?

"Switch to another browser, preferably Firefox. This is by far the best option"

If that doesn't absolutely stink of firefox fanboyism then I don't know what does.

Anyway, I'll stick with afore-mentioned anti-'s and Google Chrome, thanks.

sounds like a lot of overhead.....
 

Aikouka

Originally posted by: Nik
Yeah, that's the "common sense" part I included earlier.

Which makes your antis serve as nothing more than resource hogs :p.
 

mooseracing

Originally posted by: darkxshade
Originally posted by: Tooncesthedrivingcat
going outside > internet

There are a lot more security flaws outside than the internet :p

My anti-spyware protection made by Springfield is a lot better outside though.
 

Modelworks

Anti-virus software will not protect you from this one. I've already done tests with 2 different AV programs and neither of them caught it. AVG, Norton let it execute without issues.

MS page on the exploit:
http://www.microsoft.com/techn...y/advisory/961051.mspx

It isn't installing a program, it is causing IE to crash then inserting code into memory, so nothing has to be installed.


The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.
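
The bug class described in the post above (an object released while the array length still counts it), as an added C illustration that is not part of the original thread and is not Internet Explorer code. Every type and function name is hypothetical, and a fixed pool with a "live" flag models the heap so the stale slot can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>
/* Model only: a fixed pool with a "live" flag stands in for the heap, so a
   stale reference can be observed without undefined behaviour. */
#define POOL 8
typedef struct { int id; bool live; } obj_t;        /* hypothetical object */
typedef struct { obj_t *items[POOL]; size_t len; } obj_array_t;
static obj_t pool[POOL];

/* Take the first free pool entry and append it to the array. */
int arr_add(obj_array_t *a, int id) {
    for (size_t i = 0; i < POOL && a->len < POOL; i++) {
        if (pool[i].live) continue;
        pool[i].id = id; pool[i].live = true;
        a->items[a->len++] = &pool[i];
        return 0;
    }
    return -1;
}

/* Flawed: the object is released, but len and the slot stay as they were. */
void arr_release_flawed(obj_array_t *a, size_t idx) {
    if (idx < a->len) a->items[idx]->live = false;
}

/* Corrected: release, close the gap, shrink len, clear the vacated slot. */
void arr_release_fixed(obj_array_t *a, size_t idx) {
    if (idx >= a->len) return;
    a->items[idx]->live = false;
    for (size_t i = idx + 1; i < a->len; i++) a->items[i - 1] = a->items[i];
    a->items[--a->len] = NULL;
}

/* Invariant check: in-range slots that refer to a released object. */
size_t arr_stale_slots(const obj_array_t *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->len; i++)
        if (!a->items[i] || !a->items[i]->live) n++;
    return n;
}

/* Same constructed three-object scenario through either release path. */
size_t demo(bool use_fixed) {
    obj_array_t a = {0};
    for (size_t i = 0; i < POOL; i++) pool[i].live = false;
    for (int id = 1; id <= 3; id++) arr_add(&a, id);
    if (use_fixed) arr_release_fixed(&a, 1); else arr_release_flawed(&a, 1);
    return arr_stale_slots(&a);
}
```

With the flawed release, one slot inside the counted range still refers to a released object; with the corrected release the invariant holds and no in-range slot is stale.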
 

Nik

Originally posted by: Aikouka
Originally posted by: Nik
Yeah, that's the "common sense" part I included earlier.

Which makes your antis serve as nothing more than resource hogs :p.

Memory is cheap and I think my 3.4 gig dual core can handle it ;)
 

randay

i like it when old people who know nothing about computers freak out like the internet is going to end.
 

Modelworks

Originally posted by: randay
i like it when old people who know nothing about computers freak out like the internet is going to end.

Nobody is freaking out.

This exploit is nasty in the way it works. All the user will see is IE crash and the normal, program has crashed message will appear. There is no other popup or indication that anything has been done to the host pc.

The user then re-launches IE and goes back to browsing. They don't know they have even been infected.
 

Specop 007

Originally posted by: Modelworks
Originally posted by: randay
i like it when old people who know nothing about computers freak out like the internet is going to end.

Nobody is freaking out.

This exploit is nasty in the way it works. All the user will see is IE crash and the normal, program has crashed message will appear. There is no other popup or indication that anything has been done to the host pc.

The user then re-launches IE and goes back to browsing. They don't know they have even been infected.

LIES!! I was JUST told above that all I need is antivirus, antimalware and common sense! All your boogeyman claims are just voodoo!

 

Raduque

It sure would be nice if there was some sort of anti-hacker/'sploiter special forces group that's allowed to go anywhere in the world and eliminate anybody who works on exploiting security flaws for any reason other than getting them fixed.

These spyware, trojan, botnet douchebags really piss me off.
 

AnonymouseUser

Originally posted by: randay
i like it when old people who know nothing about computers freak out like the internet is going to end.

I like it when smug-people-hiding-behind-their-Anti-Virus/Malware/Spam-programs-who-think-they-know-computers-but-still-use-IE still get infected.
 

Nik

Originally posted by: AnonymouseUser
Originally posted by: randay
i like it when old people who know nothing about computers freak out like the internet is going to end.

I like it when smug-people-hiding-behind-their-Anti-Virus/Malware/Spam-programs-who-think-they-know-computers-but-still-use-IE still get infected.

*hugs his spotless HDDs*
 

randay

Originally posted by: AnonymouseUser
Originally posted by: randay
i like it when old people who know nothing about computers freak out like the internet is going to end.

I like it when smug-people-hiding-behind-their-Anti-Virus/Malware/Spam-programs-who-think-they-know-computers-but-still-use-IE still get infected.

yeah, that's always hilarious as well. me, i have no av and have used IE for many years until chrome came out with no problems.