Microsoft: Hole exploit endangers all IE versions

An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicized two days ago, Microsoft says.

Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.

The company recommends setting the Internet zone security setting to "high" and using access control lists to disable Ole32db.dll to provide the most effective protection against an attack.

"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog.

Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.

"The exploit sites we've seen so far drop a wide variety of malware--most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the Malware Protection Center blog says. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground."

People visiting trusted sites could be affected as well from sites targeted by SQL injection attacks through which malicious code is injected into sites, Microsoft says.

A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for January 13.

Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE 7 and IE 8 in Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet to high; the attacker could only gain the same user rights as the local user; known attacks can not exploit the issue automatically through e-mail.

[Vegaman_Dan]

From what I'm hearing internally, MS is scrambling to get this addressed immediately. The problem however, is that even when you have a patch ready, do you release it without first doing compatibility testing with existing apps and configurations, or do you just shotgun it out there and hope for the best?

If you release the patch and it works, great! If you release the patch and it hoses the rest of your system or some third party application, then you get yelled at for not testing it. It's not an easy line to walk at all.

[Penguinisto]

Take the time and test it - I can still use Firefox and Safari just fine ;)

[ferretboy88]

Don't use Safari for windows ever. its like swiss cheese.

[The_Decider]

If you fix something and it breaks lots of other stuff(or just one thing) you didn't do a very good job of design.

Of course, given that you are zero knowledge of software engineering, you wouldn't know this.

[Vegaman_Dan]

Penguinisto:

I don't think I'd trust Safari- that browser hasn't had much success in the security area so far. Give it ime though and it will catch up. Firefox is doing better there and Chrome eveh better than Firefox.


The_Decider wrote:

"If you fix something and it breaks lots of other stuff(or just one thing) you didn't do a very good job of design.:

Have you ever tried to test millions of line of code to make sure that the single bit change you are about to make doesn't affect the rest of it? Are you willing to take that chance with blind trust? I for one would rather have it tested than to rush in like a blind fool.

"Of course, given that you are zero knowledge of software engineering, you wouldn't know this."

You're right. I don't know how difficult it is, but then again, neither do you. That doesn't exactly make you the knowledgable person to be making such comments, does it?

[Fil0403]

As usual, that's acceptable and perfectly normal for any company but Microsoft, judging from the many usual ignorant comments here.

[Fil0403]

@ Penguinisto: I agree with you, it's always a good idea to have a Fiat Uno and a Nissan Micra to use when something's wrong with the Mercedes-Benz.

[Seaspray0]

Penguin, "any 13-year-old couldn't figure out how to use it" is not the same as your quote "any 13 year old can write a script". Where's your 13 year old who can WRITE it, not be given it. I'm still waiting. Put up or shut up.

[Penguinisto]

@ferretboy:

I won't, but thanks for the warning - I don't use Windows @ home, and @ work Firefox works well enough. Now Safari on Mac? No problems. :)

@Fil0403:

I think you got it backwards... IE is more like the old pickup truck in the garage that constantly has troubles and lousy gas mileage (and a rust-hole in the floorboards) - you only use it when you need to (like when you have to update Windows). Firefox is more like a Volvo - hella safer to drive. Safari is like a Subaru for the same reasons. Chrome I don't know about - never used it, and don't currently see a need to.

BTW, if MSFT hadn't embedded IE so damned deeply into the OS, it wouldn't have half the troubles it experiences. Food for thought, no?

/P

[loose_screw]

I'm so happy to be using Chrome.

[Penguinisto]

Seaspray: Deductive Fallacy and False Dilemma. Five Yard Penalty:
http://en.wikipedia.org/wiki/Deductive_fallacy
http://en.wikipedia.org/wiki/False_dilemma

/P

[rictor99]

Best answer to all these IE exploits seems to be switching to another browser such as Firefox or Chrome, something any self-respecting Internet user did long ago.

[jinx101a]

@rictor99: It's a computer program... any self respecting Internet user. Someone's on their elitist soap box.

[Lerianis]

Rictor, ANY program can have security holes. Look at Safari, Firefox, etc.: all of them have security holes, some JUST AS SEVERE as IE. Now, I am a little pissed at Microsoft for not fixing this KNOWN PROBLEM a long time ago, but there are plenty of holes in other operating systems and browsers that are known about and haven't been fixed.

[Penguinisto]

"ANY program can have security holes."

...and the similarities end there.

An application that has a security hole that can't be taken advantage of (because the OS keeps it in a sandbox, or has a security structure built to contain any damage it may do) is still a secure application.

Internet Explorer's problem lies in the fact that Microsoft stupidly embedded it so deeply into Windows (all in an attempt to avoid being found liable in a lawsuit FFS!), that a security hole in Windows stands a solid chance of allowing an attacker to compromise the whole machine.

A good example of how to secure applications at the OS level? A Linux LAMP server (Linux, Apache, MySQL, and PHP). When you use PHP to run a website, PHP is highly permissive, and is often a PITA to code securely. OTOH, if PHP gets popped, so what? The worst you have is a script that you get to fix (the one that let the attacker do something he shouldn't have), some altered content you have to fix or remove, clear out the mail queue, and that's it. The underlying web server and OS are still untouched.

/P

[FutureGuy]

@rictor99 exactly, all other browers and bug free. When was the last time FF issued a security update, ohh wait just last month.

[Penguinisto]

When was the last time a FF exploit existed that could turn your computer into a zombie/bot?

[BigGuns149]

Does FF wait 2+ years to fix security bugs though? Secunia lists 3 bugs that have been known >2 years in IE that still exist in current "up-to-date" versions of IE.

Mozilla isn't perfect either, but they seem to have more urgency about patches than Microsoft, which in recent years only releases patches on patch Tuesday. Even if M$ immediately creates a patch they sit on it until patch tuesday and let you deal with any issues in the meantime. That seems like the best case scenario because there are many security issues that sit unresolved for months sometimes even years as Secunia notes.

Mozilla doesn't make you invincible, but given the choice between the two it is pretty clear that M$ takes a more lax approach to security so I think it isn't much of a stretch to say that one has a better chance security wise with Mozilla than M$ IE.

[Vegaman_Dan]

Penguinisto:

"When was the last time a FF exploit existed that could turn your computer into a zombie/bot?"

Um, actually just last month. That was the reason for the security patch. FF gets a *lot* of security patches. And I'm glad that it does.

[tm_anon]

@BigGunes149
If M$ fixed all security vulnerabilities in the old version of Windows, who'd ever buy the new one? Might seem like I'm MS bashing, but it makes perfect business sense. If the old version does too good of a job, nobody wants the new version unless you add in so much new stuff they can't help it. If you just leave security vulnerabilities in the old versions, people have no choice.

[Lerianis]

Tm_anon, then you should say the same thing about OSX, Linux, etc. They have security holes that they know about that have not been fixed, and you don't get on their case, do you?

[UITD]

@BigGuns149: "...M$..." --> Shows that your level of intelligence hasnt surpassed that of a dry soap dish. Grow up. The Microsoft bashing is about as old as the crust in your underwear.

[Seaspray0]

Penguin, "any 13-year-old couldn't figure out how to use it" is not the same as your quote "any 13 year old can write a script". Where's your 13 year old who can WRITE it, not be given it. I'm still waiting. Put up or shut up.

[Penguinisto]

@Dan:

URL for that one?

I also recall that it only affected Windows machines in that aspect (complete remote control, that is).

[Hep Cat]

Tell me again how this isn't Microsoft's fault?

[The_happy_switcher]

What do you expect when you let monkeys code?

[Ben2talk]

This isn't Microsoft's fault.
You're fault - you should know better than to hit the 'boot to crap mode' Windows key.

Change to something better. Change to something free maybe!

[Vegaman_Dan]

This is definitely Microsoft's issue to resolve. Nobody is trying to convince you otherwise- you're just trolling for embarassment- and you found it. Congratulations- the red glow on your cheeks is a very nice look for you.

[theunclesam]

This is why I stick to Lynx. ::snicker::

[yumdrum]

Lynx!!! ... Nice!

[giant_david]

Yes , Lynx !

[queticomn]

Time to switch to FireFox, or Opera (like usual not mentioned). Chrome already has had security breaches, not to mention its spy ware. Maybe it high time windows users think of migrating to Linux.

Heh...

[ethana2]

If anyone would like help switching to Ubuntu, or wants more information, just let me know.
ethana2@gmail.com
at your service.

[artistjoh]

I have Ubuntu and even as the "easiest" of the Linux systems it is no where near "easy for ordinary users. It is true that the software bundled with the basic download is easy to deal with, problem is if you want to do more. Gimp is far too limited as a graphics program for me, for example, but soon as I try to find plug ins to expand it to something more comparable with Photoshop I am confronted with endless offerings most of which are half baked and require more than average computer expertise to install and the only guide to quality is masses of varying opinions in comments sections. It takes forever to find and perfect just to get functionality that comes as standard in the commercial world. Linux suits geeks who like to tinker, but for the rest of the world we would rather pay for the simplicity that comes with OS X or Windows. At least we know that while we might have to use another browser for a while when in the Windows world, that there is a team at Microsoft who are working to fix it and that the patch will be easy to install when it does come. Both Apple and Microsoft make the computer experience too easy for many to switch to Linux, even if linux is like OS X, a safer environment.

[Lerianis]

There IS NO SPYWARE IN CHROME. That allegation has been TOTALLY debunked, and proven to have been a gross misrepresentation of what Chrome actually does.

[Argyll]

Hey FutureGuy, all of the other browsers may not be bug free, but they sure as heck are better then IE. Firefox, Safari, Opera, Chrome - just take your pick from that list or any other browser you can find and you'll be far better off.

[jinx101a]

@Argyll... let's just list every browser other than IE. Chrome isn't that great personally... and I still question why anyone would want to use the browser of an advertising company. FireFox is probably the best safest browser IMO (even though IE isn't that bad to be honest). My only problem with FireFox is that version 3's JavaScript engine is horribly slow. I'm waiting for their new JS engine that is supposed to bring the performance back up.

[Ipopngraphics]

hmmmmm bugs? viruses? trojan horses? worms? spy bots? WHAT ARE THOSE?????? In 20 years of computing experience I haven't run across ANY of those anomalies.... but then again, I've never OWNED a Windows computer either.... used a few, until frustration took away the fun.

[Seaspray0]

I haven't gotten a virus on my 20 year old atari ST either.

[Vegaman_Dan]

I've owned them all and haven't gotten a virus yet either. But then again, I don't visit Chinese porn sites or other sites that are likely to be giving out the bad vibes either.

I do something silly like use common sense- it doesn't need to be patched and works with all OS's.

[forever4now]

All major companies using Windows should require their employees to install at least two web browsers for use. That way, they do not put their company and data at total risk, if/when exploits occurs.

[tm_anon]

Most major companies rely on their IT guys to advise them. Most IT guys I know of advise the company to stick with MS products, including IE. Meaning, the guys companies are hiring to do their IT are screwing companies by being **********.

[The_happy_switcher]

Dump Windows once and for all and these problems go away. Microsoft will never get its ***** together.

[The_happy_switcher]

Let the countdown begin until Anderson or Vegandan, whatever the hell his name, begins to post saying this isn't microsoft's fault. WHoever guesses the time wins a small prize.

[Seaspray0]

It is microsoft's fault. It's their code. Every company is responsible for the code they write, and I haven't seen one company yet that writes perfect code nor have I seen one yet that hasn't released patches. I just don't make it a habbit of trolling other OS forums like you do, applerocks1963.

[Mr. Dee]

When you have a market share like Microsoft Windows, you tend to get a lot of attention because you are more lucrative. The ability to reach a larger base of users is greater, over 1 billion. Apple and its measly 25 million is a waste of time to hackers. But I definitely sure if it was in the same position as Windows is, OS X and Linux would be getting some of that love. Maybe hackers consider OS X technically inferior to hack.

[skillingssucks]

...kind of like how you're technically inferior to most people?

[philpacker]

The bet should be: "How long is it before somebody invokes the 'It only happens to IE because they have such high market share' argument". Straight out of the Microsoft PR department. Strikingly, you don't hear real developers supporting that argument. Quality code is quality code. The more people use it get you debugged faster not slower. So by now, with the billions of browser-hours under their belt IE should be the most stable browser not the least.

Get real, get another browser and be thankful that their are alternatives

[The_Decider]

Dee Dee Dee,

Why do you people without a clue continue to parrot that BS?

Other market leaders don't get exploited every other second. Security and market share are disjoint.

Windows get owned for one simple reason: it is easy. With wide open doors like IE, active x, and a good chunk of the windows API that do the heavy lifting for exploit writers, it is no wonder they get shredded.

[DrtyDogg]

you don't hear that argument out of "real developers" my reason is I'll stick to where the money is. Right now the money is still with writing for Windows.

[Vegaman_Dan]

Hey AppleRocks- it is Microsoft's fault. They wrote the browser. Why would you believe that it woudln't be their fault? It certaiinly isn't anyone else's. As far as I know, Apple didn't write IE, nor did Mozilla.

Yep, it's MSFT's issue and one they are addressing with a patch in compatibility testing currently.

You really should try harder in your trolling attempts. This one wasn't even tricky or entertaining. Usually you have a really good rant or start foaming at the mouth, but this time- meh. I'll give you a C+ for effort.

[realneil]

I quit using Internet Explorer Years ago,...........like this episode shows, Using IE is like being slowly pecked to death by chickens. It just doesn't ever stop.
I use Chrome, FireFox, and sometimes Flock to browse with and with the prudent use of free software, AVAST antivirus, ThreatFire, and Spybot Search & Destroy, my systems stay clean.
I also use a MAC and an old PC with UBUNTU. They stay virus free too,....go figure,.....

[ValleyData]

I scroll through these posts looking for nuggets of info from other users' experiences. It is really too bad there is so much "my software/OS is better than your software/OS" crud to wade through.

Quit whizzing on each other, why don't ya!

[Vegaman_Dan]

Unfortunately there are entirely too many people whose egos are tied directly to their choice of OS and challenge to their choce is a challenge to their fragile sense of security. It's easier to put down others than to actually come up with useful content.

I use a Mac, Windows box and Linux boxen for each of their preferred areas of excellence. None of them can do it all so wasting your breath complaining about how this or that is better tha nthe other is... well, a waste of breath.

Use what works for you and quit trying to convince others that they are wrong simply because they have a different color of logo on their case. Racism (and that's what it is at that level) is so very much outdated.

[raywkirk]

I totally agree with ValleyData. I don't give a rat's ass what your favorite ANYTHING is, or why.
I'm only interested in INFORMATION that will help me to deal with this problem.

[Wookiee-1138]

How nice that Microsoft is finally admitting what many of us have been saying for years.

IE is crap.

[Seaspray0]

Provide the quote from microsoft and who said it.

[SactoGuy018]

Besides the obvious security issues, I also heavily use Firefox 3.0 and Chrome 1.0 because both have proven to be not only safer, but also a lot faster in rendering web pages. Chrome has emerged as the first really serious competitor to Firefox, especially given its very clean interface and the use of Webkit for extremely fast performance.

[Ben2talk]

No, Chrome has emerged as a browser with a really evil EULA for stupid people who don't understand or care what the EULA means.

These people agree to anything. Give me your bank details now!

[DrtyDogg]

@Ben: Does it mean I get free software. . .

[tm_anon]

If Chrome weren't made by Google, you wouldn't care if it was the best browser on the planet. If it was still in beta and untested, you wouldn't touch it. Look up SRware Iron, better browser built off of the Chromium core, a newer version than Chrome is. It also doesn't send your personal info anywhere, includes Adblock and includes many of the same features as Chrome. It's just not made by Google, so who gives a rats ass that it's out there and available for free.

[VS_Dude]

Firefox is good - a bit resource-greedy though.
Opera is great - coming into its own for sure.
Chrome and Safari - too nascent, too fragile.
IE - a lot of sites still require it (and Windows) to work.
Linux - basic desktop with a smattering of useful but restricted software.
Mac - amazing desktop with a smattering of useful but restricted software (some sites won't like the OS).

What's a guy to do? Follow orders and make things as safe as possible while we wait for Windows 7!

[Ben2talk]

Funny, Firefox runs well on my 256MB machine - opens very quickly. Internet Explorer will not work - it's only available for Windows or Mac OS, and I think - I bought a computer, why pay more for 'crap mode' operating systems?

DRM also doesn't run on my machine.

Why resign yourself to wait for 'Windows Crap Mode 7' ? You think it's going to be fresh?

[DrtyDogg]

Funny, the guy who introduced me to linux just hit me up for more RAM because a machine he just acquired was running slowly(it previously had 256MB).

[The_Decider]

Restricted software?

Is that a joke or are you just stupid?

Oh wait, you let MS do your thinking for you-you are stupid.

[Vegaman_Dan]

I'm curous why people have to use childish language, disrespectful names, or just resort to immature conduct when they are discussing a product they don't like, then get upset when people don't treat them with respect.

Funny that.

Wouldn't it make more sense to present your case in a thougthful and logical manner, respecting others for their own opinions, and not taking anything personally. You're far more likely to have your comments taken seriously when you are polite and respectful.

[Fil0403]

Childish, disrespectful, and immature have long been good words to define the opinions of many people regarding anything remotely related to Microsoft. Thoughtful, logical, and respecting are definitely qualities hard to recognize in these opinions. It's hard for some people to accept that a company dominates so many markets, so much, for so long.

[Fil0403]

This is one of the many good things of using Microsoft Windows Internet Explorer: when there is a problem, you know practically immediately what it is, where it is, and what to do to protect yourself (if anything, because I have never needed to do anything); I pitty the ignorants who use such swiss-cheeses as Mozilla Firefox, Apple Safari, Google Chrome, Opera and the likes and think they are secure just because the respective companies don't tell them when they find one and they ignore the ones that exist and no one fixes; it's what is called "security-by-ignorance".

[Dalkorian]

LOL - wow, you really are funny. Was it intentional or accidental?

[Fil0403]

Maybe someone can explain me how users of "Microsoft's browser" in Microsoft Windows Vista "are at risk" of anything other than their own stupidity if, with the default settings, "Microsoft's browser" cannot modify anything outside the Temporary Internet Files folder without user consent.

[Penguinisto]

...because in order to get any performance or normal use out of it, you have to tweak Vista to remove UAC?

[Penguinisto]

Oh, and BTW:
http://www.theregister.co.uk/2008/12/12/ie_zero_day_misconceptions/

[Dalkorian]

Maybe you can ask M$, since it's their buggy code and their advisory about the bug in question. I can take a guess - a bug in the code?

Why do fista apologists confuse "annoying" with "secure"?