Free Republic
Browse · Search
General/Chat
Topics · Post Article


Microsoft issuing emergency fix for browser flaw (Save this title for future use)
www.physorg.com ^ | 12/17/2008 | Staff

Posted on 12/17/2008 10:38:22 AM PST by Red Badger

Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

The "zero-day" vulnerability, which came to light last week, allows criminals to take over victims' machines simply by steering them to infected Web sites; users don't have to download anything for their computers to get infected, which makes the flaw in Internet Explorer's programming code so dangerous. Internet Explorer is the world's most widely used Web browser.

Microsoft said it plans to ship a security update, rated "critical," for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.

Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors' machines if they're using Internet Explorer and haven't employed a complicated series of workarounds that Microsoft has suggested.

Microsoft said it has seen attacks targeting the flaw only in Internet Explorer 7, the most widely used version, but has cautioned that all other current editions of the browser are vulnerable.

Microsoft rarely issues security fixes for its software outside of its regular monthly updates. The company last did it in October, and a year and a half before that.

---

On the Net:

Microsoft's security advisory:

http://www.microsoft.com/technet/security/advisory/961051.mspx


TOPICS:
KEYWORDS: browser; browsers; computer; ie; malware; microsoft; operatingsystems
Why don't they call their browser, Swiss Cheese?...........
1 posted on 12/17/2008 10:38:22 AM PST by Red Badger
[ Post Reply | Private Reply | View Replies]

To: Red Badger

And piss the Swiss off by associating their fine product with that??


2 posted on 12/17/2008 10:39:55 AM PST by Abathar (Proudly posting without reading the article carefully since 2004)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger
Why don't they call their browser, Swiss Cheese?...........

Because makers of swiss cheese would take them to court for defamation...

3 posted on 12/17/2008 10:40:47 AM PST by bcsco (Illinois politicians should be read their Miranda rights when sworn in to office...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

You can’t convince me that some MS developer didn’t intentionally design this “flaw” in as a backdoor.

Or else Microsoft is hiring the criminally stupid...


4 posted on 12/17/2008 10:41:16 AM PST by Redbob (W.W.J.B.D.: "What Would Jack Bauer Do?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

5 posted on 12/17/2008 10:43:06 AM PST by TSgt (Extreme vitriol and rancorous replies served daily. - Mike W USAF)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

I never use it. Firefox.


6 posted on 12/17/2008 10:44:18 AM PST by Dallas59 (Not My President)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Redbob
I'm amazed Windows Vista is secure. Windows XP leaks like a sieve. Even the most well designed product will have a flaw. It's good to hear Microsoft came up with a quick patch to the Internet Explorer exploit.

"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palaeologus

7 posted on 12/17/2008 10:44:53 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives In My Heart Forever)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Redbob

The latter.


8 posted on 12/17/2008 10:46:10 AM PST by traderrob6
[ Post Reply | Private Reply | To 4 | View Replies]

mark


9 posted on 12/17/2008 10:46:39 AM PST by eureka! (The election does not depress me as much. Thanks Chicago Pols!!!)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Red Badger

The best protection you can have, assuming you’ve taken the ordinary precaution of having antivirus software, is to make occasional backups of System State, using the Windows Backup utility. Fast, easy, free, and foolproof.

It’s a manual version of the XP System Restore. System Restore sometimes works, but it has become the prime target of malware, and just when you need it, it is disabled.

Firefox is also vulnerable to the latest crop of malware. Don’t kid yourself.

Restoring System State from a backup replaces all executable files and the Registry. It takes your programs back to the date when you made the backup without touching documents.


10 posted on 12/17/2008 10:47:39 AM PST by js1138
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dallas59

Me Two!..........


11 posted on 12/17/2008 10:48:44 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Red Badger
do yourself a favor...


12 posted on 12/17/2008 10:49:15 AM PST by sten
[ Post Reply | Private Reply | To 1 | View Replies]

To: js1138

The best protection you can have, assuming you’ve taken the ordinary precaution of having antivirus software, is to make occasional backups of System State, using the Windows Backup utility. Fast, easy, free, and foolproof.

It’s a manual version of the XP System Restore. System Restore sometimes works, but it has become the prime target of malware, and just when you need it, it is disabled.

Firefox is also vulnerable to the latest crop of malware. Don’t kid yourself.

Restoring System State from a backup replaces all executable files and the Registry. It takes your programs back to the date when you made the backup without touching documents.
/////////////////////////////
GOOD INFO THANKS


13 posted on 12/17/2008 10:49:44 AM PST by TomasUSMC ( FIGHT LIKE WW2, FINISH LIKE WW2. FIGHT LIKE NAM, FINISH LIKE NAM)
[ Post Reply | Private Reply | To 10 | View Replies]

To: js1138

Better to turn off and then turn back on the System Restore, after you are clean, IMO.


14 posted on 12/17/2008 10:50:30 AM PST by library user
[ Post Reply | Private Reply | To 10 | View Replies]

To: Red Badger

bttt


15 posted on 12/17/2008 10:52:21 AM PST by Recovering_Democrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

I don’t use IE7 — still use IE6. I wonder if the patch is applicable or needed for IE6? Anyone know?


16 posted on 12/17/2008 10:52:40 AM PST by webschooner
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #17 Removed by Moderator

To: Redbob

ping


18 posted on 12/17/2008 10:54:00 AM PST by Rumplemeyer
[ Post Reply | Private Reply | To 4 | View Replies]

To: Albanese

IE has gotten a bad name, because it really DOES have all those holes!.............


19 posted on 12/17/2008 10:54:50 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Red Badger

Emergency fixes have been out for years.

Firefox, Safari


20 posted on 12/17/2008 10:56:20 AM PST by Vinnie (You're Nobody 'Til Somebody Jihads You)
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #21 Removed by Moderator

To: MikeWUSAF; sten

22 posted on 12/17/2008 10:58:07 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Albanese

I’m quite fondue Swiss Cheese............


23 posted on 12/17/2008 11:00:51 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 21 | View Replies]

To: sten

I like firefox but I like safari much better, am enjoying it.


24 posted on 12/17/2008 11:01:26 AM PST by rose
[ Post Reply | Private Reply | To 12 | View Replies]

To: webschooner

“I don’t use IE7 — still use IE6. I wonder if the patch is applicable or needed for IE6? Anyone know?”


I think that they said that all are vulnerable, I already downloaded the patch so I switched back to IE from firefox.


25 posted on 12/17/2008 11:03:20 AM PST by ansel12 ( When a conservative pundit mocks Wasilla, he's mocking conservatism as it's actually lived.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Red Badger

I've been using this because I don't have admin rights on my laptop. Works pretty well.

26 posted on 12/17/2008 11:04:40 AM PST by TenthAmendmentChampion (Join us on the best FR thread, 8000+ posts: http://www.freerepublic.com/focus/chat/1990507/posts)
[ Post Reply | Private Reply | To 23 | View Replies]

To: TenthAmendmentChampion

I use Chrome on my Windows box, hopefully they’ll have a Linux version soon.


27 posted on 12/17/2008 11:05:22 AM PST by dfwgator (I hate Illinois Marxists)
[ Post Reply | Private Reply | To 26 | View Replies]

To: TenthAmendmentChampion

..........

28 posted on 12/17/2008 11:06:54 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 26 | View Replies]

To: dfwgator

That would be cool. Is Linux more secure than Windoze?


29 posted on 12/17/2008 11:07:06 AM PST by TenthAmendmentChampion (Join us on the best FR thread, 8000+ posts: http://www.freerepublic.com/focus/chat/1990507/posts)
[ Post Reply | Private Reply | To 27 | View Replies]

To: MikeWUSAF

I think Microsoft is the flaw. Always has been ... always will be.


30 posted on 12/17/2008 11:07:28 AM PST by K-oneTexas (I'm not a judge and there ain't enough of me to be a jury. (Zell Miller, A National Party No More))
[ Post Reply | Private Reply | To 5 | View Replies]

To: Red Badger

LOL


31 posted on 12/17/2008 11:07:57 AM PST by TenthAmendmentChampion (Join us on the best FR thread, 8000+ posts: http://www.freerepublic.com/focus/chat/1990507/posts)
[ Post Reply | Private Reply | To 28 | View Replies]

To: TenthAmendmentChampion

So far I’d have to say yes. But it could just be that Windows is just targeted more. If Linux had a larger market share, would hackers start turning their attention more to Linux attacks, I don’t know.


32 posted on 12/17/2008 11:10:42 AM PST by dfwgator (I hate Illinois Marxists)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Red Badger

I didn’t realize people still used IE. Everyone I know uses Firefox.


33 posted on 12/17/2008 11:12:40 AM PST by CriticalJ
[ Post Reply | Private Reply | To 1 | View Replies]

To: CriticalJ

Only liberals use IE..........


34 posted on 12/17/2008 11:14:07 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 33 | View Replies]

To: sten

I had a whole bunch of problems going from FF 3.0.3 to 3.0.4. Lost my bookmarks, history, etc. Streaming radio stations don’t work anymore. I had problems with T-Bird, too. How T-Bird and FF3 are connected is beyond me. It all happened immediately after the upgrade.


35 posted on 12/17/2008 11:14:37 AM PST by raybbr (It's going to get a lot worse now that the anchor babies are voting!)
[ Post Reply | Private Reply | To 12 | View Replies]

To: K-oneTexas

I think Microsoft is the flaw. Always has been ... always will be.

There's a clue in there somewhere.............

36 posted on 12/17/2008 11:15:58 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Red Badger
Easy fix...Lose the IE and get Firefox!
37 posted on 12/17/2008 11:17:20 AM PST by SiVisPacemParaBellum (Peace through superior firepower!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: K-oneTexas

Coincidence?............

38 posted on 12/17/2008 11:17:36 AM PST by Red Badger (I was sad because I had no shoes to throw, until I met a reporter who had no feet.....)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Red Badger

I agree. Once all the kids are out of school (since the schools have bought the hype of Microsoft) ... I’m moving to Linux.


39 posted on 12/17/2008 11:19:17 AM PST by K-oneTexas (I'm not a judge and there ain't enough of me to be a jury. (Zell Miller, A National Party No More))
[ Post Reply | Private Reply | To 36 | View Replies]

To: Red Badger

ping for pretty soon!


40 posted on 12/17/2008 11:20:50 AM PST by Joann37
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

I’ve gotten 2 updates in the last few days from Bill Gates and thought that was unusual. Now I know why.


41 posted on 12/17/2008 11:24:47 AM PST by saganite
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

bookmark


42 posted on 12/17/2008 11:39:29 AM PST by what's up
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dallas59

Firefox can’t even load eBay correctly.


43 posted on 12/17/2008 11:46:24 AM PST by Nephi (Like the failed promise of Fascism, masquerading as Capitalism? You're gonna love Marxism.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: webschooner; ansel12; All
I've said it for years: IE and LookOut...err, Outlook cannot be made "safe". The program code used is embedded in the operating system itself and will not/cannot be changed or it will break the O/S. Anyone using either of these Microsoft products in any version is fully open to all kinds of exploits, whether current "patches" are applied or not. The solution is to NOT USE IE or Outlook. Ever. For anything.

Stealing a rant from someone else who explains it well:

The controls that form Internet Explorer are a core system service in Windows. They are fundamental to the operation of all modern Windows versions. The Add/Remove Programs dialog in Windows 2000 and Windows XP? That's generated using the same controls that form Internet Explorer. I say "controls that form Internet Explorer" because IE isn't really a single application (like, say, Firefox or Opera), it's really a collection of libraries that can be called by top-level processes like the Explorer shell, Internet Explorer, the Add/Remove Programs dialog, or other applications. Probably the most important library is MSHTML.DLL, which more than anything else probably is Internet Explorer.

These controls must be able to have full system access, or else they won't be able to do their job. They have to be able to spawn admin-level processes and write to local files and do other things that are "bad" from a security standpoint, because when these controls are used as part of the basic Windows UI, they have to be able to do these things as part of day-to-day operation. And so we have Security Zones.

The Local Zone is where (by default) all of the "full access pass" stuff runs, the stuff that you see in the Explorer shell and other regular Windows UI bits (as well as HTML files and things that are sitting on your hard drive). Nothing from the Internet is supposed to run in the Local Zone. Everything that you view in Internet Explorer goes in the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone, or the Restricted Sites Zone. You can set the security parameters on those four zones in the Security tab of the Internet Options in IE.

Most of these security exploits you see in Internet Explorer are called "cross-zone scripting exploits". What they do (usually) is find a way to use scripting to open a Local Zone resource (such as a help file), and then somehow alter it so that it contains malicious code instead. This is how the Ilookup trojan works. Other exploits escalate the security level of an iframe to Local Zone, or some other tactic. But the general idea is getting malicious code into the Local Zone without your permission, where it can be executed with full system access. This is why locking down the Local Zone is a workaround against these sorts of exploits, but locking down the Local Zone has serious side effects in Windows itself.

The difference between Internet Explorer and other browsers is that the other browsers simply do not have this sort of problem. Mozilla and Opera do not have the requirement to manage operating-system level tasks using the same controls they use to render web pages, and so do not even have a "Local Zone" to take advantage of. They are not designed to let scripts do bad things at all.

There are still exploits that can be performed on browsers like Opera and Mozilla. Directory traversals, buffer overflows, taking advantage of design defects... Hell, have a look at the stuff Opera's had to fix in version 7 so far. (I think the "really big favicon" exploit is my favorite.) And you can find cross-site scripting vulnerabilities in Mozilla, but they don't let you install software; they just cause data security problems because one site might be able to read another site's JavaScript variables or cookies or something. But IE's fundamental security model makes it incredibly vulnerable to exploits that allow the arbitrary installation of software, or worse.

And that's why IE is more fundamentally insecure than the alternatives, and until something is fundamentally changed about it (which may or may not happen with XP SP2), it's going to remain more fundamentally insecure regardless of popularity levels.

44 posted on 12/17/2008 11:55:22 AM PST by hadit2here ("Most men would rather die than think. Many do." - Bertrand Russell)
[ Post Reply | Private Reply | To 16 | View Replies]
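
The per-zone security parameters described in the post above are stored as registry values, one key per zone. As an added example (not part of the original post and not Microsoft tooling), this script parses a constructed `.reg` export and lists the script and ActiveX actions left on "allow" in the Local Machine and Internet zones. The function names and the sample export are illustrative assumptions; the zone numbers 0-4 and the action IDs are the standard Internet Explorer URL-action values.

```python
import re

# Zone numbers used as subkey names under "Internet Settings\Zones"
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# URL action IDs (registry value names) that govern script/ActiveX execution
ACTIONS = {
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}
ALLOW, PROMPT, DISALLOW = 0, 1, 3   # URL policy values stored as DWORDs

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
"1400"=dword:00000003
"""

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone_number: {action_id: policy_value}} from .reg export text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = zones.setdefault(int(key.group(1)), {})
        elif line.startswith("["):
            current = None            # unrelated key: ignore its values
        elif current is not None:
            val = VAL_RE.match(line)
            if val:
                current[val.group(1).upper()] = int(val.group(2), 16)
    return zones

def audit(zones, lock_down=(0, 3)):
    """List (zone name, action id) pairs set to ALLOW in the zones to lock down."""
    findings = []
    for num in sorted(lock_down):
        for action in sorted(ACTIONS):
            if zones.get(num, {}).get(action) == ALLOW:
                findings.append((ZONES.get(num, str(num)), action))
    return findings

if __name__ == "__main__":
    for zone, action in audit(parse_zones(SAMPLE_REG)):
        print(f"{zone}: {ACTIONS[action]} ({action}) is set to allow")
```

To run it against a real profile, export the key with `reg export` and decode the file as UTF-16 before passing its text to `parse_zones`.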

To: hadit2here

bfl (bump for later)


45 posted on 12/17/2008 12:01:55 PM PST by Excellence ("There is no such thing as multi-culturalism in Saudi Arabia." Mark Steyn)
[ Post Reply | Private Reply | To 44 | View Replies]

To: hadit2here

Thanks for the information.

Though I have personally had no problems at all with IE, because of the rap on IE out there, I’ve tried FireFox regularly over the years. But I have always found bugs and problems with it in certain situations such that it just would not allow me to accomplish the work I needed to do on the specific website, so that I had to remember to go back to IE when I was doing said specific things on said specific websites. That got tiresome and inconvenient, so I just went back to using IE6, but I never upgrade to IE7 (or Media Player 10, Vista, etc etc) because I have found either the newer M-soft stuff doesn’t work as well as older versions, or I just don’t like the features as well. I do however, pick and choose, and do download M-soft security updates.

I use Thunderbird Mozilla for email for a specific feature I like about it, but there are some features about it that really suck, so I may move on to some other email client. My wife still uses Outlook Express (for years now) and has never experienced any problems. I used it also for years before I switched to Mozilla Thunderbird about a year ago.

If FireFox would fix their bugs or someone else comes up with a browser that is completely free of bugs so I don’t have to be switching back and forth to IE to accomplish things, then I am more than happy to switch over.


46 posted on 12/17/2008 12:19:29 PM PST by webschooner
[ Post Reply | Private Reply | To 44 | View Replies]

To: hadit2here

In short:

Microsoft: Insecure By Design


47 posted on 12/17/2008 12:24:22 PM PST by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: ansel12

Thanks — I just went and downloaded it on all three of our XP machines.

Can anyone advise me — is it advisable to download SP3 for Win XP?

I didn’t take it when it first came out — wanted to wait a few months to see if there were bugs to iron out.


48 posted on 12/17/2008 12:32:03 PM PST by webschooner
[ Post Reply | Private Reply | To 25 | View Replies]

To: Red Badger
Microsoftfraud issuing emergency fix for flawed browser flaw

Fixed the title to make it accurate.

49 posted on 12/17/2008 12:35:06 PM PST by big'ol_freeper (Gen. George S. Patton to Michael Moore... American Carol: "I really like slapping you.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

bfl


50 posted on 12/17/2008 12:52:16 PM PST by kcvl
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson