Posted on 12/17/2008 10:38:22 AM PST by Red Badger
Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.
The "zero-day" vulnerability, which came to light last week, allows criminals to take over victims' machines simply by steering them to infected Web sites; users don't have to download anything for their computers to get infected, which makes the flaw in Internet Explorer's programming code so dangerous. Internet Explorer is the world's most widely used Web browser.
Microsoft said it plans to ship a security update, rated "critical," for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.
Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors' machines if they're using Internet Explorer and haven't employed a complicated series of workarounds that Microsoft has suggested.
Microsoft said it has seen attacks targeting the flaw only in Internet Explorer 7, the most widely used version, but has cautioned that all other current editions of the browser are vulnerable.
Microsoft rarely issues security fixes for its software outside of its regular monthly updates. The company last did it in October, and a year and a half before that.
---
On the Net:
Microsoft's security advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx
And piss the Swiss off by associating their fine product with that??
Because makers of swiss cheese would take them to court for defamation...
You can’t convince me that some MS developer didn’t intentionally design this “flaw” in as a backdoor.
Or else Microsoft is hiring the criminally stupid...
I never use it. Fire Fox.
"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palelologus
The latter.
mark
The best protection you can have, assuming you’ve taken the ordinary precaution of having antivirus software, is to make occasional backups of
System State, using the Windows Backup utility. Fast, easy, free, and foolproof.
It’s a manual version of the XP System Restore. System Restore sometimes works, but it has become the prime target of malware, and just when you need it, it is disabled.
Firefox is also vulnerable to the latest crop of malware. Don’t kid yourself.
Restoring System State from a backup replaces all executable files and the Registry. It takes your programs back to the date when you made the backup without touching documents.
Me Two!..........
/////////////////////////////
GOOD INFO THANKS
Better to turn off and then turn back on the System Restore, after you are clean, IMO.
bttt
I don’t use IE7 — still use IE6. I wonder if the patch is applicable or needed for IE6? Anyone know?
ping
IE has gotten a bad name, because it really DOES have all those holes!.............
Emergency fixes have been out for years.
Firefox, Safari
I’m quite fondue Swiss Cheese............
I like firefox but I like safari much better, am enjoying it.
“I don’t use IE7, still use IE6. I wonder if the patch is applicable or needed for IE6? Anyone know?”
I think that they said that all are vulnerable, I already downloaded the patch so I switched back to IE from firefox.

I've been using this because I don't have admin rights on my laptop. Works pretty well.
I use Chrome on my Windows box, hopefully they’ll have a Linux version soon.

..........
That would be cool. Is Linux more secure than Windoze?
I think Microsoft is the flaw. Always has been ... always will be.
LOL
So far I’d have to say yes. But it could just be that Windows is just targeted more. If Linux had a larger market share, would hackers start turning their attention more to Linux attacks, I don’t know.
I didn’t realize people still used IE. Everyone I know uses Firefox.
Only liberals use IE..........
I had a whole bunch of problems going from FF 3.0.3 to 3.0.4. Lost my bookmarks, history, etc. Streaming radio stations don’t work anymore. I had problems with T-Bird, too. Don’t know how T-Bird and FF3 are connected is beyond me. It all happened immediately after the upgrade.

I think Microsoft is the flaw. Always has been ... always will be.
There's a clue in there somewhere.............

Coincidence?............
I agree. Once all the kids are out of school (since the schools have both the hype of Microsoft) ... I’m moving to Linux.
ping for pretty soon!
I’ve gotten 2 updates in the last few days from Bill Gates and thought that was unusual. Now I know why.
bookmark
Firefox can’t even load eBay correctly.
Stealing a rant from someone else who explains it well: The controls that form Internet Explorer are a core system service in Windows. They are fundamental to the operation of all modern Windows versions. The Add/Remove Programs dialog in Windows 2000 and Windows XP? That's generated using the same controls that form Internet Explorer. I say "controls that form Internet Explorer" because IE isn't really a single application (like, say, Firefox or Opera), it's really a collection of libraries that can be called by top-level processes like the Explorer shell, Internet Explorer, the Add/Remove Programs dialog, or other applications.

Probably the most important library is MSHTML.DLL, which more than anything else probably is Internet Explorer. These controls must be able to have full system access, or else they won't be able to do their job. They have to be able to spawn admin-level processes and write to local files and do other things that are "bad" from a security standpoint, because when these controls are used as part of the basic Windows UI, they have to be able to do these things as part of day-to-day operation.

And so we have Security Zones. The Local Zone is where (by default) all of the "full access pass" stuff runs, the stuff that you see in the Explorer shell and other regular Windows UI bits (as well as HTML files and things that are sitting on your hard drive). Nothing from the Internet is supposed to run in the Local Zone. Everything that you view in Internet Explorer goes in the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone, or the Restricted Sites Zone. You can set the security parameters on those four zones in the Security tab of the Internet Options in IE.

Most of these security exploits you see in Internet Explorer are called "cross-zone scripting exploits". What they do (usually) is find a way to use scripting to open a Local Zone resource (such as a help file), and then somehow alter it so that it contains malicious code instead. This is how the Ilookup trojan works. Other exploits escalate the security level of an iframe to Local Zone, or some other tactic. But the general idea is getting malicious code into the Local Zone without your permission, where it can be executed with full system access. This is why locking down the Local Zone is a workaround against these sorts of exploits, but locking down the Local Zone has serious side effects in Windows itself.

The difference between Internet Explorer and other browsers is that the other browsers simply do not have this sort of problem. Mozilla and Opera do not have the requirement to manage operating-system level tasks using the same controls they use to render web pages, and so do not even have a "Local Zone" to take advantage of. They are not designed to let scripts do bad things at all.

There are still exploits that can be performed on browsers like Opera and Mozilla. Directory traversals, buffer overflows, taking advantage of design defects... Hell, have a look at the stuff Opera's had to fix in version 7 so far. (I think the "really big favicon" exploit is my favorite.) And you can find cross-site scripting vulnerabilities in Mozilla, but they don't let you install software; they just cause data security problems because one site might be able to read another site's JavaScript variables or cookies or something. But IE's fundamental security model makes it incredibly vulnerable to exploits that allow the arbitrary installation of software, or worse. And that's why IE is more fundamentally insecure than the alternatives, and until something is fundamentally changed about it (which may or may not happen with XP SP2), it's going to remain more fundamentally insecure regardless of popularity levels.
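A defender-side check for the zone model the rant describes, added here as an example and not part of the thread or of Microsoft's advisory: it reads the per-zone security level and Active Scripting setting from the documented IE zone registry keys, plus the XP SP2 Local Machine Zone Lockdown flag, and flags anything weaker than "High" for the Internet and Local Intranet zones. The "High" threshold and the choice of iexplore.exe as the process to inspect are my assumptions about what a hardened configuration should look like.

```powershell
# Added audit script (not from the thread). Reads IE security zone settings
# for the current user and reports zones that are weaker than the assumed
# hardened baseline (Internet / Local Intranet at High, Local Machine Lockdown on).
$zoneNames  = @{ 0 = 'My Computer (Local Zone)'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$findings   = @()

foreach ($id in 0..4) {
    $zone = Get-ItemProperty -Path "$zonesKey\$id" -ErrorAction SilentlyContinue
    if (-not $zone) { continue }

    # CurrentLevel is the slider value; it may be absent when the zone uses defaults.
    $level = $zone.CurrentLevel
    if ($null -eq $level) { $levelText = 'default (not set)' }
    elseif ($levelNames.ContainsKey([int]$level)) { $levelText = $levelNames[[int]$level] }
    else { $levelText = 'custom (0x{0:X})' -f $level }

    # URL action 1400 = Active Scripting: 0 = enable, 1 = prompt, 3 = disable
    $scripting = switch ($zone.'1400') { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { 'unknown' } }
    '{0,-26} level={1,-18} active scripting={2}' -f $zoneNames[$id], $levelText, $scripting

    # Assumed baseline: the two zones that render Internet/intranet content sit at High.
    if (($id -eq 1 -or $id -eq 3) -and ($null -eq $level -or $level -lt 0x12000)) {
        $findings += "$($zoneNames[$id]) zone is below High"
    }
}

# Local Machine Zone Lockdown (XP SP2+) keeps the Local Zone from running script
# content opened by the browser, which is the workaround the rant refers to.
$lockdownKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$lockdown = (Get-ItemProperty -Path $lockdownKey -ErrorAction SilentlyContinue).'iexplore.exe'
if ($lockdown -eq 1) { 'Local Machine Zone Lockdown: enabled for iexplore.exe' }
else { $findings += 'Local Machine Zone Lockdown is not enabled for iexplore.exe' }

if ($findings.Count -eq 0) { 'No findings: zone settings match the assumed baseline.' }
else { 'Findings:'; $findings | ForEach-Object { "  - $_" } }
```

Raising the Internet zone to High breaks scripting on most sites, which is the trade-off the rant calls "serious side effects"; the script only reports, it changes nothing.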
bfl (bump for later)
Thanks for the information.
Though I have personally had no problems at all with IE, because of the rap on IE out there, I’ve tried FireFox regularly over the years. But I have always found bugs and problems with it in certain situations such that it just would not allow me to accomplish the work I needed to do on the specific website, so that I had to remember to go back to IE when I was doing said specific things on said specific websites. That got tiresome and inconvenient, so I just went back to using IE6, but I never upgrade to IE7 (or Media Player 10, Vista, etc etc) because I have found either the newer M-soft stuff doesn’t work as well as older versions, or I just don’t like the features as well. I do however, pick and choose, and do download M-soft security updates.
I use Thunderbird Mozilla for email for a specific feature I like about it, but there are some features about it that really suck, so I may move on to some other email client. My wife still uses Outlook Express (for years now) and has never experienced any problems. I used it also for years before I switched to Mozilla Thunderbird about a year ago.
If FireFox would fix their bugs or someone else comes up with a browser that is completely free of bugs so I don’t have to be switching back and forth to IE to accomplish things, then I am more than happy to switch over.
In short:
Microsoft: Insecure By Design
Thanks — I just went and downloaded it on all three of our XP machines.
Can anyone advise me — is it advisable to download SP3 for Win XP?
I didn’t take it when it first came out — wanted to wait a few months to see if there were bugs to iron out.
Fixed the title to make it accurate.
bfl