New zero day vulnerability identified in all versions of IE
Posted on 04/27/2014 4:26:55 PM PDT by dayglored
A new zero day vulnerability that resides in all versions of Internet Explorer has been spotted in the wild, Microsoft confirmed late Saturday.
The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.
The attack leverages a previously unknown "use after free" vulnerability -- data corruption that occurs after memory has been released -- and bypasses both Windows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, according to FireEye.
An attack could be triggered by luring visitors to a specially crafted web page, Microsoft explained.
Okay, XP die-hards, you were warned. Here it comes.
"The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft said. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
Microsoft said it is investigating the vulnerability and may issue an out-of-cycle security update to address the issue.
FireEye said the flaw was significant because it affects more than a quarter of the total browser market.
"Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market," FireEye said in its advisory.
If it's an IE problem, what does XP have to do with it?
In other words, nothing?
Does XP still receive IE updates however?
I wonder if it’s just static at this point?
The article says MS is looking to do an out of cycle update.
So yes, IE updates are separate from the OS. Remember when they were forced to unbundle them?
The only time I used IE was to get XP updates.
As far as I know, Microsoft discontinued support of old IE versions that run on XP, and does not back-port newer supported versions to XP. Therefore AFAIK there won't be any patches for the IE flaw, for any version that runs on XP.
If somebody can show that Microsoft will produce a patch for a version of IE that runs supported on XP, let me know please.
I’m currently on Ubuntu (I have a copy of 8.1 but am currently still using Ubuntu IRL)
So this is not an actual XP issue then, it is an independent issue with the browser.
This sounds like one more reason to never run your machine as an administrator unless you have a need. Most viruses can't install without admin rights.
Best of luck with that. I'll bet you 99 of the 100 say, "WHUT?"
The 1 out of 100 is a corporate SysAdmin who has a Windows Update server.
IE and the OS are in an incestuous relationship. The fix may require both to be patched.
What this IE flaw has to do with XP is: the flaw will get a patch, for the newer, supported versions of IE. It WILL NOT get a patch for the older unsupported versions that run on XP.
AFAIK. If you know different, post a link to the Microsoft article that says it. Please!
Weird that this wasn’t discovered until such time as MS wants to panic its herd into W8.
Which software is more likely to have sloppy memory management?
"...PCs running Windows XP will not receive any updates fixing that bug when they are released..."
If you're a Microsoft XP User, stop using Internet Explorer and switch to Google Chrome, FireFox, Safari or something other than IE.
As this is an EXPLOIT and not a Virus/Malware, the critical point is that the exploit is tied to IE.
For those of you with System Restore turned on make sure you have a System Restore point set, and a good backup of XP including the OS and your data files.
Stopping usage of IE will provide some protection for now but ultimately, XP is going to be breached world-wide and those of you running it will regret not upgrading.
Okay, you're on an XP system, and XP updates are unavailable. Please tell me how you get an update for your unsupported version of IE?
AFAIK, and this is the key: THE FACT THAT YOU'RE RUNNING XP MAKES YOU INELIGIBLE FOR ANY UPDATES, including IE updates.
If you know different, please post a link to the Microsoft page that says so. I'd sure like to have that link to give to my family and friends who are still running XP and will be calling me for help.
Who in his right mind is using the IE that came with XP? It was garbage then, and it isn't much better now. Download a real browser, one that is currently supported. Chrome, Opera, or any Gecko or WebKit-based browser (Safari, PaleMoon, etc.). It's hardly a challenge.
Besides, most of the XP holdouts are in the embedded world. XP runs their CNCs and their chromatographs and their oscilloscopes. Those devices do not browse the Web; many are not even accessible from the Internet. Most laptops and desktops with XP are already in the trash. I have a few, but I maintain them for a very specific technical reason; mechanically and electrically they are junk, and new laptops are cheap.
No, it's not weird at all if you'd remember that Microsoft has been issuing security updates for Windows XP for 12 years .......
Windows XP "security" has been so bad that the first Tuesday of every month became known as "PATCH TUESDAY" on a world-wide basis.
That's been going on for 12 years. The fact that Microsoft HAD TO issue updates over the course of 12 years to fix known and newly found vulnerabilities should be telling those of you who insist on running it and refusing to upgrade that any decision to continue running the most security hole laden OS in history is really a dumb decision on your parts.
Microsoft released a statement saying that the only way to protect against this, if you're running XP, is to upgrade to Win7 or Win8.
I'm shocked. Shocked!
Of course, they -are- correct, that's a true statement.
Unless you're a big corporation paying extortion money to Microsoft for continued XP update support (yes, it exists if you have enough money).
Good luck with that. I'd disconnect my phone and disown any family members still running XP. They've known end of support was coming, and refused to change.
Prepare to suffer the consequences of stupid decisions.
Why did you need IE to get updates and not some other browser like Firefox? Never used IE of anything for years now.
Huh, last I knew, Windows Updates only ran with IE, because it required ActiveX, which is only available in IE.
When did that change???
If you are using IE for anything but Windows updates, why? There are plenty of other browsers out there that are much more secure than IE. Safari, Chrome (Google product, be careful), Opera, Firefox, lots of others.
C'mon, let's be fair, ALL OSes issue security patches. That includes Mac OS X, Linux, BSD Unix, etc. etc. not just Windows.
Nobody in their right mind expects software, especially huge, complex software, to not have flaws.
Why would you write that? Reading the article, this vulnerability is very specific to Internet Explorer and has nothing to do with any MSFT operating system, including XP.
There are tons of users, especially business users, who HAVE to use IE because their business applications only run on it.
Same for Win XP.
For two decades, Microsoft strongly encouraged developers to tie applications to their specific OS and browser, and now the folks who did so are paying the price.
Anyone who uses Windows and/or IE in this day and age needs to have their mental state seriously questioned.
Because it's true. Read further before you write back, please.
XP users can't get IE updates.
There is no upgrade path from XP. Those boxes were built to run with as little as 512 MB of RAM, if not even less. They have slow processors that won't run Win7 or later. I know because I dealt with this before, and I have a few of those boxes now. The only upgrade path that they have, in theory, is Linux; but in practice they have only the path into the dumpster, because it costs you too much to upgrade them and to use them, compared to buying a new system.
The real problem is with XP that operates equipment. Here is an example:
This particular, now obsolete, oscilloscope was sold for about $25K then, and it still is a perfectly good instrument today. It is selling right now from $5K to $10K. But it is controlled by WinXP. If you have ten of those oscilloscopes in your business, would you be in any hurry to scrap a quarter million dollars in working hardware just because of a very remote threat? Those scopes have never seen a Windows Update in their life, by the way - you cannot risk that on soft real-time equipment. If you have to protect them, you do that with firewalls; but most scopes are not even connected to the network. Maybe GPIB; but Ethernet at that time was not very useful.
This is not the highest price for a unit of equipment either. Take this signal source analyzer, for example - its price can be above $60K:
There are CNC machining centers and robots, however, that cost far more than that. The fact is that XP/XPe was a de-facto standard for all such equipment for ten years. All high-end, smart equipment made in the last decade runs XP. There is no way to upgrade it. Discarding it would cause terrible financial losses, and it would be also not very wise because the hardware still works fine. So XP will soldier on.
Dear Mr Rip Van Winkle. I used to run Win updates on the old Netscape browser back in the nineties.
And let’s not forget the 100,000’s of ATM machines across the country that are still running WinXP and -are- connected to the network, whether directly or indirectly.
Quit IE once I discovered the bliss of AD Block etc.
So did I, before the updates started requiring IE. That was somewhere in the early 2000's, I think.
Windows Updates on Win7 and later is integrated into the OS as part of Control Panel.
Please tell me how you run Windows Updates on XP without IE. What's the procedure, suitable for an average user? If there's an easy way to do it, I'd love to know.
Of course, updates are disabled for XP now, so I don't expect it to work. I just want to know how you USED to do it on XP without IE.
Well, sure, you can get the update files as a download and install them manually, if you know how and are willing to go through that extra hassle and understand what to get.
I've tried explaining that to normal Windows users, without success. They want to get Windows Updates by clicking "Windows Updates". That's not an unreasonable expectation.
I could never find a way to have the "Windows Update" service run with any other browser as a tool. If you know a way, by all means spill the beans, please.
If you download another browser such as Chrome or Palemoon (and you should), make sure you make it your default browser. Otherwise you'll be stuck having to use IE.
You can always change the setting.
Sure there are, they're called Windows 7 and Windows 8. Pick one.
I'm not going to debate "upgrade" vs. "upgrade path."
I'm also not going to debate hardware requirements. People running Windows XP on an older machine will obviously have to upgrade some hardware, whether that's memory, disk, etc.
Fact is, Windows 8 uses LESS resources than Windows 7 did, so most computers capable of having 4 GB of memory installed (and that's a lot of old computers) will run Windows 8 reasonably well.
My comments were addressed to the "FMCDH" crowd who says they'll never give up Windows XP (and the handful who wanted by force of Government *make* Microsoft support it going forward.)
True, but only ONE O/S has the bragging rights for "Patch Tuesday" for the last 12 years and that's Windows XP.
Thank God Microsoft finally dropped XP. Now we get our First Tuesday's of the month back.
Ummm, no, Patch Tuesday will still be there for Vista, Win7, and Win8.
And it's the SECOND Tuesday of the month. :)
Why use XP now anyway? Firefox is far superior to all others for power users.
That never changed how Windows Update worked on XP, it always uses IE.
And if you copy/pasted the URL for Windows Updates into Firefox, there was an error saying you had to use IE.
I'm not sure what you're referring to. If you mean manually finding and identifying and downloading and manually installing updates, yes of course that can be done with a non-IE browser. Hell, I've done that with Firefox on Linux.
I'm talking about the normal Windows Update service that normal users use, to get Windows Updates.
How were you able to run the Windows Update service with (say) Firefox?
The good part about ATMs is that they are wearing out much faster than a lightly used indoor equipment for scientists. There are those buttons, screens, slots, rollers, sensors... lots of stuff that deals with moving objects. Those things wear out first. ATMs can have short amortization period because they are very profitable, so their useful life can be set to just a few years.
I am not sure, though, that many ATMs are connected to the Internet. Not every "network" is the Internet. Here is what howstuffworks.com has to say:
Most host processors can support either leased-line or dial-up machines. Leased-line machines connect directly to the host processor through a four-wire, point-to-point, dedicated telephone line. Dial-up ATMs connect to the host processor through a normal phone line using a modem and a toll-free number, or through an Internet service provider using a local access number dialed by modem.
Dial-up was extremely common for several decades, and I guess it is still used today. It is pretty secure - you have to have physical access to the cable or to the switch, and still the connection is encrypted. In such a configuration WinXP's vulnerabilities are not a concern because there are no data ports that one could tweak to exploit security holes. An ATM may not even have a network card, for example, just the modem. The buttons are connected to a custom peripheral controller, so no three finger salute for you. Such systems are only vulnerable to their own security holes - and with a very limited set of inputs you can mathematically prove that the software is correct.
The quoted text does mention that some ATMs may dial the ISP and be connected to the Internet. But those that do that most likely will not be using IE for encryption. It's more complicated than whipping up one's own https client, even if you call DLLs that came with Windows. As these connections are point to point, originated by the ATM to a fixed IP address of the bank, it is not practically possible to "trick" an ATM to connect to some other site and become hacked. Besides, what is the risk? That the machine dispenses all its cash to a hacker? Thieves are known to steal the whole ATM; a patch won't be effective against a steel cable and a powerful truck.
Yes, XP users were warned. The practice of abandoning support for older versions of MS software is something that happens across all Microsoft platforms, not just the OS business. It is the Microsoft business model and every user of XP knew this when they first started using XP.
In time, the platform will become unusable. If you are still on XP, get off of it. Otherwise do not complain when a third party provider who promises to keep XP running, so hoses it up that you lose all of your data, or worse.
You have a poor grasp of irony.
I think I read that Embedded XP support will continue for a while yet.