Microsoft issuing emergency fix for browser flaw
www.physorg.com | 12/17/2008 | Staff

Posted on 12/17/2008 10:38:22 AM PST by Red Badger

Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

The "zero-day" vulnerability, which came to light last week, allows criminals to take over victims' machines simply by steering them to infected Web sites; users don't have to download anything for their computers to get infected, which makes the flaw in Internet Explorer's programming code so dangerous. Internet Explorer is the world's most widely used Web browser.

Microsoft said it plans to ship a security update, rated "critical," for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.

Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors' machines if they're using Internet Explorer and haven't employed a complicated series of workarounds that Microsoft has suggested.

Microsoft said it has seen attacks targeting the flaw only in Internet Explorer 7, the most widely used version, but has cautioned that all other current editions of the browser are vulnerable.

Microsoft rarely issues security fixes for its software outside of its regular monthly updates. The company last did it in October, and a year and a half before that.

---

On the Net:

Microsoft's security advisory:

http://www.microsoft.com/technet/security/advisory/961051.mspx


To: Red Badger

I’ve gotten 2 updates in the last few days from Bill Gates and thought that was unusual. Now I know why.


41 posted on 12/17/2008 11:24:47 AM PST by saganite

To: Red Badger

bookmark


42 posted on 12/17/2008 11:39:29 AM PST by what's up

To: Dallas59

Firefox can’t even load eBay correctly.


43 posted on 12/17/2008 11:46:24 AM PST by Nephi (Like the failed promise of Fascism, masquerading as Capitalism? You're gonna love Marxism.)

To: webschooner; ansel12; All
I've said it for years: IE and LookOut...err, Outlook cannot be made "safe". The program code used is embedded in the operating system itself and will not/cannot be changed or it will break the O/S. Anyone using either of these Microsoft products in any version is fully open to all kinds of exploits, whether current "patches" are applied or not. The solution is to NOT USE IE or Outlook. Ever. For anything.

Stealing a rant from someone else who explains it well:

The controls that form Internet Explorer are a core system service in Windows. They are fundamental to the operation of all modern Windows versions. The Add/Remove Programs dialog in Windows 2000 and Windows XP? That's generated using the same controls that form Internet Explorer. I say "controls that form Internet Explorer" because IE isn't really a single application (like, say, Firefox or Opera), it's really a collection of libraries that can be called by top-level processes like the Explorer shell, Internet Explorer, the Add/Remove Programs dialog, or other applications. Probably the most important library is MSHTML.DLL, which more than anything else probably is Internet Explorer.

These controls must be able to have full system access, or else they won't be able to do their job. They have to be able to spawn admin-level processes and write to local files and do other things that are "bad" from a security standpoint, because when these controls are used as part of the basic Windows UI, they have to be able to do these things as part of day-to-day operation. And so we have Security Zones.

The Local Zone is where (by default) all of the "full access pass" stuff runs, the stuff that you see in the Explorer shell and other regular Windows UI bits (as well as HTML files and things that are sitting on your hard drive). Nothing from the Internet is supposed to run in the Local Zone. Everything that you view in Internet Explorer goes in the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone, or the Restricted Sites Zone. You can set the security parameters on those four zones in the Security tab of the Internet Options in IE.

Most of these security exploits you see in Internet Explorer are called "cross-zone scripting exploits". What they do (usually) is find a way to use scripting to open a Local Zone resource (such as a help file), and then somehow alter it so that it contains malicious code instead. This is how the Ilookup trojan works. Other exploits escalate the security level of an iframe to Local Zone, or some other tactic. But the general idea is getting malicious code into the Local Zone without your permission, where it can be executed with full system access. This is why locking down the Local Zone is a workaround against these sorts of exploits, but locking down the Local Zone has serious side effects in Windows itself.

The difference between Internet Explorer and other browsers is that the other browsers simply do not have this sort of problem. Mozilla and Opera do not have the requirement to manage operating-system level tasks using the same controls they use to render web pages, and so do not even have a "Local Zone" to take advantage of. They are not designed to let scripts do bad things at all.

There are still exploits that can be performed on browsers like Opera and Mozilla. Directory traversals, buffer overflows, taking advantage of design defects... Hell, have a look at the stuff Opera's had to fix in version 7 so far. (I think the "really big favicon" exploit is my favorite.) And you can find cross-site scripting vulnerabilities in Mozilla, but they don't let you install software; they just cause data security problems because one site might be able to read another site's JavaScript variables or cookies or something. But IE's fundamental security model makes it incredibly vulnerable to exploits that allow the arbitrary installation of software, or worse.

And that's why IE is more fundamentally insecure than the alternatives, and until something is fundamentally changed about it (which may or may not happen with XP SP2), it's going to remain more fundamentally insecure regardless of popularity levels.

44 posted on 12/17/2008 11:55:22 AM PST by hadit2here ("Most men would rather die than think. Many do." - Bertrand Russell)
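As an added illustration of the zone model the quoted post describes (this is not code from the thread, from the quoted author, or from Microsoft), the PowerShell below audits the current user's Internet Explorer Security Zone settings and reports where scripting or ActiveX is enabled in the Internet zone or in the "Local Zone" (My Computer). It assumes the standard registry layout under HKCU:\...\Internet Settings\Zones (subkey 0 = My Computer, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), the standard URL action codes 1200/1201/1400 with 0 = Enable, 1 = Prompt, 3 = Disable, and the XP SP2 FEATURE_LOCALMACHINE_LOCKDOWN feature-control key; none of these paths appear in the thread itself.

```powershell
# Added example, not part of the original thread. Audits IE Security Zone
# policy for the current user. Registry paths and action codes below are
# assumed to follow the standard IE layout; adjust if your build differs.
$ZonesPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone subkey -> friendly name (0 is the "Local Zone" the post talks about)
$ZoneNames = @{ '0' = 'My Computer'; '1' = 'Local Intranet'; '2' = 'Trusted Sites'
                '3' = 'Internet';    '4' = 'Restricted Sites' }

# URL action codes (DWORD value names) most relevant to drive-by execution
$Actions = @{ '1200' = 'Run ActiveX controls and plug-ins'
              '1201' = 'Initialize and script ActiveX not marked safe'
              '1400' = 'Active scripting' }

# Meaning of the DWORD data for each action
$Settings = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneAudit {
    # One row per (zone, action); Review = $true where a defender should look
    $report = foreach ($zone in Get-ChildItem -Path $ZonesPath -ErrorAction Stop) {
        $id = $zone.PSChildName
        if (-not $ZoneNames.ContainsKey($id)) { continue }
        $props = Get-ItemProperty -Path $zone.PSPath
        foreach ($code in $Actions.Keys) {
            $raw = $props.$code
            $label = if ($null -eq $raw) { 'not set' }
                     elseif ($Settings.ContainsKey([int]$raw)) { $Settings[[int]$raw] }
                     else { "raw value $raw" }
            # Enable (0) in the Internet zone is the drive-by surface the article
            # describes; Enable (0) in the Local zone is the "full access pass"
            # the quoted post says cross-zone exploits aim for.
            $flag = ($raw -eq 0) -and ($id -eq '3' -or $id -eq '0')
            [pscustomobject]@{
                Zone    = $ZoneNames[$id]
                Action  = $Actions[$code]
                Setting = $label
                Review  = $flag
            }
        }
    }
    $report
}

function Get-LocalMachineLockdown {
    # Assumed location of the XP SP2 "Local Machine Zone Lockdown" switch;
    # a value of 1 for iexplore.exe means the Local zone is locked down for IE.
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
    $v = (Get-ItemProperty -Path $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
    [pscustomobject]@{ Feature = 'Local Machine Zone Lockdown (iexplore.exe)'; Enabled = ($v -eq 1) }
}

Get-IeZoneAudit | Sort-Object Zone, Action | Format-Table -AutoSize
Get-LocalMachineLockdown | Format-Table -AutoSize
```

Rows with Review = True in the Internet zone are the settings Microsoft-style workarounds normally tighten; rows in My Computer show how much the Local zone still permits, which is the trade-off the post mentions when it says locking that zone down has side effects.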

To: hadit2here

bfl (bump for later)


45 posted on 12/17/2008 12:01:55 PM PST by Excellence ("There is no such thing as multi-culturalism in Saudi Arabia." Mark Steyn)

To: hadit2here

Thanks for the information.

Though I have personally had no problems at all with IE, because of the rap on IE out there, I’ve tried FireFox regularly over the years. But I have always found bugs and problems with it in certain situations such that it just would not allow me to accomplish the work I needed to do on the specific website, so that I had to remember to go back to IE when I was doing said specific things on said specific websites. That got tiresome and inconvenient, so I just went back to using IE6, but I never upgrade to IE7 (or Media Player 10, Vista, etc etc) because I have found either the newer M-soft stuff doesn’t work as well as older versions, or I just don’t like the features as well. I do however, pick and choose, and do download M-soft security updates.

I use Thunderbird Mozilla for email for a specific feature I like about it, but there are some features about it that really suck, so I may move on to some other email client. My wife still uses Outlook Express (for years now) and has never experienced any problems. I used it also for years before I switched to Mozilla Thunderbird about a year ago.

If FireFox would fix their bugs or someone else comes up with a browser that is completely free of bugs so I don’t have to be switching back and forth to IE to accomplish things, then I am more than happy to switch over.


46 posted on 12/17/2008 12:19:29 PM PST by webschooner

To: hadit2here

In short:

Microsoft: Insecure By Design


47 posted on 12/17/2008 12:24:22 PM PST by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)

To: ansel12

Thanks — I just went and downloaded it on all three of our XP machines.

Can anyone advise me — is it advisable to download SP3 for Win XP?

I didn’t take it when it first came out — wanted to wait a few months to see if there were bugs to iron out.


48 posted on 12/17/2008 12:32:03 PM PST by webschooner

To: Red Badger
Microsoftfraud issuing emergency fix for flawed browser flaw

Fixed the title to make it accurate.

49 posted on 12/17/2008 12:35:06 PM PST by big'ol_freeper (Gen. George S. Patton to Michael Moore... American Carol: "I really like slapping you.")

To: Red Badger

bfl


50 posted on 12/17/2008 12:52:16 PM PST by kcvl

To: webschooner

“Can anyone advise me — is it advisable to download SP3 for Win XP?”


I always keep up with their updates, including SP3; I use a few free security programs and I don’t have any problems.

The computer I’m using now is a discard that was loaded with all kinds of viruses, trojans, spyware, etc., but I cleaned it up and it is the best computer I’ve ever had; it is a 2002 model.


51 posted on 12/17/2008 2:36:20 PM PST by ansel12 ( When a conservative pundit mocks Wasilla, he's mocking conservatism as it's actually lived.)

To: hadit2here; webschooner

Thanks for the post but I try firefox, chrome, and recently IE8 beta (all sometimes for many weeks at a time), and I always go back to IE.

My computer ownership has always consisted of cleaning up other people’s discards because they have let them get infected so badly, and I never seem to have a problem with IE after I clean them up and I use my freeware security programs.


52 posted on 12/17/2008 2:45:54 PM PST by ansel12 ( When a conservative pundit mocks Wasilla, he's mocking conservatism as it's actually lived.)

To: webschooner
Though I have personally had no problems at all with IE...

While you may not think you have any problems, malware installed via IE could be sending your personal info to all kinds of bad guys anywhere. The days when viruses, worms, trojans, etc. were written by pimply faced teenagers staying up all night on Jolt Cola with the express purpose to crash computers or destroy data have changed. Now it's big business and the programmers don't want to cause any visible problems because that way you'd know your machine is compromised. Most people nowadays would never know if they had tons of malware sending their keystrokes, passwords, banking PINs etc. off to a server in some foreign country. They write the programs to disable/bypass anti-virus programs but not leave any obvious symptoms of the infection.

Believe me, I've got a friend's infected machine sitting here right now that I'm trying to clean up for him without him losing all his documents, pictures, bookmarks, etc. The only thing he noticed was that it was running slower and slower and after a while his browser and some other programs wouldn't run. Running AdAware, SpybotS&D, HijackThis and others only found a couple of obvious infections, but it still won't work even with a new browser install.

But I have always found bugs and problems with it in certain situations such that it just would not allow me to accomplish the work I needed to do on the specific website...

Don't blame FireFox or other browsers. The problem is whoever wrote the website used Microsoft proprietary code that isn't standards compliant and will only work with IE and will break any other browsers. Few people are aware of this problem and blame the other browsers, which are standards compliant and go back to IE, which is not. What you need to do is send an email to the operator of the website that doesn't work in non-IE browsers and let them know that you won't be patronizing their website/business unless they fix the problem and become standards compliant. If enough people did this, the flood of email would make any business change. No business wants to drive/turn away business clients. If you just go along and change back to IE, you are perpetuating this non-compliance with web standards and compounding the problem for everyone else.

There are hundreds if not thousands of websites that have explained and documented this problem, and almost all the time the problem is Microsoft-centric, non-standards compliant website programming. If you have any question about whether this is true, just run the website URL you have problems with through any of the web standards compliance checking sites like W3C.org. You'll quickly find that the problem is generally ['tho not always] the website, not the browser.

If FireFox would fix their bugs or someone else comes up with a browser that is completely free of bugs so I don’t have to be switching back and forth to IE to accomplish things...

As above, it is usually not FF that is the problem. They've had their share of problems, but the code is fixed almost immediately and updated versions are available almost immediately, where Microsoft's patches can be months to years after the breach/hole/exploit is found. And again, almost all of the security holes cannot and will not be fixed in IE and Outlook, because they would have to change the underlying O/S code, which would break the O/S.

If you were running FF on Linux with update notification active, you would be getting notifications of updates and bug fixes within hours or a few days of the exploit being discovered and patched/corrected. And it just has to update the FF program code only, which doesn't touch the O/S system files or code.

A little research will confirm everything I've written here. Again, don't blame FF or other programs when it is Microsoft-centric problems that you experience.

53 posted on 12/17/2008 9:10:34 PM PST by hadit2here ("Most men would rather die than think. Many do." - Bertrand Russell)

To: ansel12

See my post #53. What you think are other browsers “problems” probably are actually not, as explained there.

And the primary reason all those “other people’s discards” are so badly infected is because they used IE and Outlook on Windows. While other programs can have security problems, the highest probability is that they were infected through IE/Outlook/Windows. There are quite scientific and educated estimates by security professionals/companies that at least 80% of all the compromised computers worldwide sending spam, connected in malware bot-nets, etc. are the direct result of IE/Outlook/Windows combination. Eliminate that combination and almost all spam and bot-nets worldwide would be eliminated. Then the bad guys would target other programs and O/S’s for sure, but because of the inherent security programmed into the system code from the ground up, they wouldn’t be too successful. At least not as successful as they have been with such a known insecure O/S and programs as IE/Outlook/Windows.


54 posted on 12/17/2008 9:25:45 PM PST by hadit2here ("Most men would rather die than think. Many do." - Bertrand Russell)

To: hadit2here; webschooner

“Don’t blame FireFox or other browsers. The problem is whoever wrote the website used Microsoft proprietary code that isn’t standards compliant and will only work with IE and will break any other browsers. Few people are aware of this problem and blame the other browsers, which are standards compliant and go back to IE, which is not. What you need to do is send an email to the operator of the website that doesn’t work in non-IE browsers and let them know that you won’t be patronizing their website/business unless they fix the problem and become standards compliant.”


It isn’t my job, when they improve their product I will use it, I’m not obsessed enough to go crusading to make the internet “compliant” for various competitors in the browser market.

I don’t have any axes to grind so I just go with whatever is my preference at the time.


55 posted on 12/17/2008 10:15:37 PM PST by ansel12 ( When a conservative pundit mocks Wasilla, he's mocking conservatism as it's actually lived.)

To: hadit2here; ansel12

I don’t know if you are correct, that the problem is with the websites or is actually with the Firefox browser, which is my opinion, but I don’t really care. I don’t have time and as far as I am concerned, it would be fruitless anyway to go around emailing websites telling them to “rewrite their code so FireFox will work”, yada yada.

The problems we had with FireFox were not on podunk websites. They were on websites that are household names. For example, one is ebay, where I am a seller. I would be filling out their online form to sell something, have added pics and description, and then it would hang up and I would NOT be able to finish the listing. I would have to dump out and go to IE and start over to do my listing, losing 15 minutes of my valuable time. Then to keep using FF as my main browser, I would have to remember to NOT use it for ebay listings, which I would forget sometimes, and same result. I don’t have time for that. I want one browser for everything.

Another example, my wife was having trouble with videos running properly on youtube using FF, but when she switched back to IE, they ran smoothly. And there were other websites where FF had problems.

And if you think ebay will listen to emails about “fixing their code so Firefox will work” from sellers, even power sellers, you don’t know how that business runs. Ebay treats their sellers like dog do-do. There is no chance — zip, zero, nada — they would pay any attention to such an email.

I run malware programs on all our computers regularly, and I reformat the machines completely every year to two years max, so as I said, until someone comes up with a reliable one stop browser to replace IE to go with our XP systems, we’ll continue to use IE.

I think if our personal information had already been stolen, then we would somehow have eventually become aware of it, thru unauthorized credit card charges, identity theft, etc. But none of that has happened to us, so it appears that we have been able to protect ourselves from the bad guys, in spite of using IE.


56 posted on 12/18/2008 6:43:35 AM PST by webschooner
