http://news.bbc.co.uk/2/hi/technology/7784908.stm
It must be serious if people are being told to switch to a different browser temporarily.
-
I don't think we need this news to know how bad IE is.
-
I read somewhere that this vulnerability is exploited by many P*rn sites, so beware
-
The workaround is simple: Set the Internet Zone security level to high. Then use the Trusted Zone for white listing necessary sites - not unlike white listing with NoScript.
-
I do remember some FF exploits and one when FF 3 was first released but they patched it before it could do any harm. I think that point tells all that FF team seem to be more proactive in these things. Probably since more people can work on FF being it is open source. IE on the other hand is good old MS proprietary code so there are less people tinkering with that browser, except for the hackers of course. But this is embarrassing to say the least for MS being this is hitting their flagship browser IE 7 on their self proclaimed most secure OS Vista.
But I commend MS for being honest about this and recommending ditching IE. MS really needs to fix this like yesterday and their reputation is on the line as far as how long a fix will take. It's not like this was discovered in the lab like a lot of FF flaws; this one is in the wild and growing. -
Pardon my ignorance, but just what, exactly, is this particular flaw; the linked news article seemed to be inordinately vague?
EDIT: Ahh, I seem to have found a little more detail. According to this news item, the flaw -
^Shyster1, it's apparently not an XML flaw, further research points to the oledb32.dll as explained by Microsoft themselves here.
And as explained by Microsoft on this page, just changing the setting in the Internet zone security to High is NOT enough.
One has to completely disable active scripting and the OLEDB32 library as also described by NoScript developer Giorgio Maone on his site hackademix.net.
More information on this from SANS and Sophos.
Cheers. -
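A read-only check of the two Internet Explorer settings named in the posts above (Internet zone security level and active scripting), as an added example that is not part of the original thread. The function names are hypothetical; the registry locations, `CurrentLevel` and action `1400` are the standard IE zone settings, and the OLEDB32 step is not covered because the thread does not say how it is done.

```powershell
# Added example: audit the IE "Internet" zone (zone 3) in each registry location
# where it can be defined. Nothing is modified.
$zoneKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

# Security level templates stored in CurrentLevel.
$levelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'; 0 = 'Custom'
}
# Values of URL action 1400 (active scripting).
$actionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Hypothetical helper: turn a raw DWORD into a readable name.
function Resolve-ZoneValue($Map, $Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return ('unknown (0x{0:X})' -f [int]$Value)
}

# Hypothetical function: one result row per registry location that exists.
function Get-InternetZoneAudit {
    param([string[]]$Path = $zoneKeys)
    foreach ($key in $Path) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        $level  = $values.CurrentLevel
        $script = $values.'1400'
        [pscustomobject]@{
            Key               = $key
            SecurityLevel     = Resolve-ZoneValue $levelNames $level
            ActiveScripting   = Resolve-ZoneValue $actionNames $script
            LevelIsHigh       = ($level -eq 0x12000)
            ScriptingDisabled = ($script -eq 3)
        }
    }
}

Get-InternetZoneAudit | Format-List
```

Values under the `Policies` keys are set by Group Policy and override the per-user preference, so a row showing `not set` there means the user's own setting applies.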
Microsoft hasn't told people to ditch IE, Mr Ferguson from Trend Micro did, Microsoft have advised against this.
-
Sorry mate but your post is not well thought. How can you argue that point when you know that FF does not come pre-installed in an OS. WTH? Mate, duh, obviously IE7 issues are widespread because every Windows from XP to Vista has it. Imagine FF would come with an OS; from XP to VISTA. How about that widespread idea?
In any case, it is well known that IE7 is more of a target than the rest. Someone has to justify the linux boys activities. -
I was only pointing out what you said:
"You point being? No browser is perfect. FF had a similar problem."
By your own admission, FF does not have a similar problem due that it is not on every OS, and is more of a target etc... I just took your post for face value.. "that FF had a similar problem" And from your second post you contradict that same statement. Thank you for clarifying that for me. -
Is 8 beta considered relatively safer than version 7?
-
I don't know why people are using I.E., I simply cannot understand any possible reasoning whatsoever.
Firefox. Chrome. Opera.
I don't know man.
Want to customize the living daylights out of your browser and even make it look just like I.E.? Get Firefox.
Speed? Chrome.
Want it pretty much souped up out of the box? Get Opera.
Heck man, there is Safari if you're feeling chic.
Why anyone uses I.E. is beyond me- ESPECIALLY people in this forum who SHOULD know better. Ignorance is not an excuse in this particular demographic. I've always thought I might as well put out all my information in the open if I used I.E. which is why I NEVER use it- I simply do not feel secure with it. Internet Explorer? Why?
Ah F' it man.
Relatively safer? Relative to what, 7? Yes. Relative to 7, much safer. Relative to any other browser? Heck no.
I don't have any proof, but man, I will bet you a silver dollar there will be more backdoors into I.E. 8 than a Chinese restaurant. I don't trust any MSFT product when it comes to security; period. Why the heck do you want to use 8 anyway? It's already obsolete and it isn't even out yet.
Firefox. Opera. Chrome. Safari.
Pick 1. Anyone. And you will be much better served. -
Just found this which says IE7, IE 5.01 with Service Pack 4, IE6 with and without Service Pack 1 and IE8 Beta 2.
http://www.networkworld.com/community/node/36318 -
Opera, Chrome, FF are not 100% compatible with my Bank. Is that a reason?
I used to gild the lily like that when I was 12 and I had no comeback. -
Most sites are vague because they don't want to spread the word of that "security flaw" so hackers don't take advantage of it as pointed out in another site.
--A friendly note to all Internet Explorer users
If you're using IE (any version, ranging from 5.01 to 8.0 beta 2) then you need to be aware of a new vulnerability which is set to become a big problem over the next few days.
I'm not going to rehash the details of this vulnerability other than to say that it's pretty serious and has the scope to affect a massive number of users.
Here's the scope of this vulnerability according to Microsoft:
Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50% in the number of reports today compared to yesterday.
-- -
Let me highlight one thing.
Microsoft also designs the operating systems we all use, and they think that they are best equipped to design security software?
Hahaha.... -
If your current one forces you to use a woefully insecure browser because they're unable to develop a standards compliant website, I'd be kinda worried about the security of my online banking. -
No, it doesn't. Don't worry. Well, at least not to me. If you're relating it to the cosmos and the inner-workings of the monkey psyche, then well, you're probably right.
And while I don't have the proof now, soon, when I.E. 8 is released, I promise you I will have more than enough proof. It's Microsoft and it's Internet Explorer; vulnerabilities are a certainty. Besides, a Chinese restaurant only tends to have a single back door. So it won't take much to make my statement accurate.
We will be seeing many posts and threads discussing I.E. 8 vulnerabilities soon enough.... sadly. -
But if you would have quoted the next sentence on that Microsoft site also, folks could have read;
Based on our investigation, setting the Internet zone security setting to High will protect users from known attacks.
However, for the most effective protection, customers should evaluate a combination of using the High security setting in conjunction with one of the following workarounds. (see the next sentence link)
And as has been posted on other websites;
Assumption: Setting the security level to "High" for the "Internet" security zone or disabling "Active Scripting" support protects me against attacks.
Correction: Technically no. It is still possible to trigger the vulnerability. However, it does make exploitation trickier as it protects against attacks using scripting. (from Secunia website)
The only work-around suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unluckily required by most applications working with databases. (from hackademix.net blog) -
I read somewhere that MS has been seeing more IE 7 infections but then they will also point out that all versions may be affected. At this point, I would not assume beta 8 is immune. And it looks like setting up your internet protection to high will not even help. Disabling active scripting and the oledb32.dll seems to be the only way to secure IE at the moment. And I also agree that there are sites that only work with IE. I cannot log onto my school account with FF and have to use IE for that. For now, I will only use IE as little as possible.
Even if MS patches this thing there are going to be a lot of machines/people that will not patch their PCs and I can see a lot more infections. Personally, I am a bit surprised that the great Vista/IE became so compromised. Not just the fact that hackers found a way in, but that they were successful in exploiting it and having it rage so fast in the wild. This is a real mess for MS. -
Looks like MS will issue an emergency patch tomorrow. http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212500756&subSection=All+Stories
-
Yes, not having to click accept 400 times during daily use makes you a dolt.
Logging in as a standard user and running IE sounds about as appealing as genital warts. -
To put it very bluntly, if you habitually run with administrative privileges and with UAC turned off, then you deserve whatever hits you. In addition, you have no standing to complain about the security of Microsoft's (or anybody else's) software, given the fact that you clearly have no understanding of computer security at all. -
Oh man. He quoted everything I said!
Well, I will give you some more quotes then:
----------
I do get out much, which is probably why I don't know the reasons why people like to use I.E., because out there, in the world, people don't really discuss such things.
Oh, you mean real-world compatibility. I have yet to run into an incompatible website with Firefox, not a single one buddy. And besides, if I ever do run into one, I can just use "IEtab" and I will be good to go.
------
I didn't ask if you do? It was a rhetorical question- guess that went over your head.
-----------------
I wasn't trying to make you laugh? Um. Chrome is faster man. It just is. I don't think anyone will argue with this fact, well, besides you.
----------------
Soup is very good. Why don't you like soup? Soup sprinkled with some browsers and plug-ins will enable you to grow up to be a big healthy boy!
---------------
I was listing options, why is this so hard to understand for you? Safari IS an option. Oh? It doesn't work? Really? So it's broken ha? Well that sucks.
--------------
OOOOOOOOOOOOOOOOOO you have forgotten more about computer security than I will ever know???? BURNNNNNNNNNNNNNNNNNNNN.
LOL
Man, what is this? This your first attempt at a flame-war or something? Dude. Buddy. You gotta be original. I gotta dock you a point on lack of creativity.
Your machine is secure, IE issues notwithstanding??????????????????????
LOL
So you ADMIT that IE has security issues. hahaha....
NICE!
-----------
Done.
Next please!
Quote away sunshine. Sadly, I will not be giving you anymore quotes... so enjoy it! -
@nu_D: Re: flame wars
It takes two to tango, and Pirx isn't the only one suffering from two-left-feet syndrome (if he, in fact, is trying to dance, which I doubt). -
Meh. Not a IE user anyway.
-
It's hilarious that you're preaching about how clueless other people are when you seem to believe this ridiculous fallacy though.
I'll trust the software and common sense that's been keeping my computers clean for years, thanks. -
The fact that I just went through the menu in order to run the application would suggest that maybe, just maybe, I'd like to run said application, hence me not being too impressed when Vista decides to ask if I want to allow said application.
It's funny you should mention how much I'd like denied permissions though, even with UAC disabled and running as administrator (oh the humanity!), Vista will still prevent all number of relatively simple tasks from being carried out unless you spend the next 10 minutes fannying about taking ownership of files, and even that will fail to work half the time.
How come I can run as a regular user on pretty much any modern Linux distribution without being bombarded with popups? How come when I do actually choose to run as administrator I can have full control over my system? How come this isn't the case with Vista?
The fallacy is the idea that UAC actually protects the average user when in reality all it does is condition them to click accept to every dialog box that pops up. Which is no more secure than not having a dialog box in the first place, but much more annoying.
There's also the fact that it's laughably easy to work your way around UAC for this reason alone. -
Unix-like systems, on the other hand, were designed with security in mind from the start, and any Unix developer always had to conform to the appropriate security restrictions. So, to put this yet another way, if you ran the kind of garbage that people habitually distribute for Windows systems on a Unix box, you would be constantly bombarded with Access Denied messages as well. Thus the appropriate reaction would be to complain to the outfit that created the incompatible software, and not to Microsoft.
Finally, understand that anything you as a user are allowed to do freely, any program that you start, advertently or inadvertently (say, by visiting certain web sites), will be able to do as well. That is one of the main reasons why we have to have a strict separation between user-level and system-level permissions, and ask for confirmation when those boundaries are crossed.
-
I can't say I ever noted any specific cases where the administrator account wasn't enough for Vista, I did however resort to a registry edit to add a "Take Ownership" option to the right click menu, which kinda indicates how much of an annoyance it was.
Considering how long it's taken Microsoft to finally drop DOS and 16bit support from Windows in general, you'd think we'd have been spared a large number of these issues by now however. There are also still plenty of terribly written applications available for *nix based operating systems yet the annoyance level is nowhere near as high.
I just enabled UAC to see if it was all in my head, and within minutes of a reboot was hit by a notification popup from Windows defender complaining about the Tango Patcher reloader wanting to run on startup, a UAC prompt on attempting to run CCleaner, a popup from HWMonitor, a popup from MeGUI and a popup from Fraps. These are all applications I use on a daily basis and having Vista throw UAC prompts at me regarding them was one of the reasons I just disabled UAC.
I wasn't referring to the ability to disable the UAC prompts, but the ease with which malicious code can bypass UAC, as pointed out by the well publicized UAC exploit.
Now don't get me wrong, I'm not against Microsoft beefing up security in Windows, it's about time, I just don't think that bombarding users with popups is the right way to go about it. -
Since all of the applications you listed request access to system files and/or the registry, UAC prompts are to be expected. I agree that it can be annoying, and I hope in future iterations of Vista (Win 7, Win 8, etc) Microsoft will incorporate an exclusion list to help lessen UAC pop-ups.
-
Meh. Doesn't much matter to me anyway. I long ago stopped using IE for anything of real importance back before IE6 was out, and I never looked back. Firefox and Opera are safe and more secure, and have so many other features to offer. IE is almost irrelevant today, if it wasn't for the fact that MS forcibly bundles it with their OS.
Others like it, and that's their choice, but I just plain couldn't care less about it. I laugh when they find holes in it. It doesn't make one bit of difference to me.
ev -
Not to be misunderstood, I am not trying to argue that Vista's approach to security is perfect. As a matter of fact, there's lots of things I find objectionable about it. However I know that Microsoft was faced with an extremely difficult task, of balancing the need for better OS security with the need for backwards compatibility, and the desire of a minimally disruptive user experience. They were between a rock and a hard place in many respects. While I do not agree with all of the choices they made in that situation, I think one must acknowledge that the choices they made are at least understandable, and justifiable.
-
Even sadder, it was the first thing I installed on her new (at the time) computer two years ago. She's probably only willingly launched it on there twice.
Everyone else in the house swears by Firefox though, pretty much because I told them to not use IE.
Needless to say, I'll make sure that her machine is the first one patched in our house tomorrow as it's the one that the whole family uses. -
Wait, so Firefox is safe from this problem, right?
-
Serious security flaw found in IE - Advised to use different browser
Discussion in 'Windows OS and Software' started by Lakjin, Dec 16, 2008.