November 23, 2009 12:40 PM PST

Microsoft warns of IE exploit code in the wild

by Elinor Mills

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code was posted to a security mailing list. The code allegedly can be used to take control of computers that visit a Web site hosting it.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.

Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.

In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
51 Comments
by Gold_Storm_Mac November 23, 2009 1:38 PM PST
no comment
by ckh1272 November 23, 2009 7:25 PM PST
Why do you always comment with "no comment" with regards to a Microsoft related article? It's getting a little repetitive and tiring IMO.
by ClaBR November 24, 2009 10:16 AM PST
Hum... an 8-year-old software has a bug, 2 new versions available. UPGRADE to IE8! It's FREE. Btw, if you were on a Mac, well, you would be screwed:
http://my.advisor.com/doc/13244
Yep, a software newer than IE6 but no patches would be done to it. Instead, you need to buy a newer version to get the fix.
NO COMMENT....
by Vegaman_Dan November 24, 2009 1:32 PM PST
@Gold_Storm_Mac:
"no comment"
Then your posting had ....
"no value" and "no purpose"
by Dalkorian November 24, 2009 4:07 PM PST
ClaBR, you seriously can't do any better than a 6 year old article about security issues with 10.2?
ROFLMAO!
Friends don't let friends use internet exploder.
by Vegaman_Dan November 25, 2009 1:05 PM PST
@Dalkorian:
"Friends don't let friends use internet exploder."
Apparently they don't let them run spell-check either.
by gertruded November 23, 2009 1:39 PM PST
What a shock that there is another security hole in Windows.
by lazycat202 November 23, 2009 2:02 PM PST
Please take a few minutes and read the story again! It's IE, not Windows :P yes!! MS built IE
by adhetola November 23, 2009 2:18 PM PST
I think if you paid enough attention to the article you'd have noticed the mention that "IE8 is not affected". But anyways I respect your "vast" knowledge of Windows (nt).
by Random_Walk November 24, 2009 6:57 AM PST
Well to be fair, Microsoft has always claimed and maintained that IE was an integral and inseparable part of Windows...
by Vegaman_Dan November 24, 2009 1:35 PM PST
@Random_Walk:
"Well to be fair, Microsoft has always claimed and maintained that IE was an integral and inseparable part of Windows..."
Might want to catch up to the same decade as the rest of the class. IE isn't part of Windows anymore. You can buy Windows without IE in Europe if you want. You are free to install whatever browser you want.
by Dalkorian November 24, 2009 4:10 PM PST
"by Vegaman_Dan November 24, 2009 1:35 PM PST
Might want to catch up to the same decade as the rest of the class. IE isn't part of Windows anymore."
---------------------------------------------------------------------
Right, because M$ says so. Show me what parts of the code base they removed to get rid of internet exploder. Oh that's right, you can't.
Hey Dan, wanna buy a bridge in Brooklyn? I'll sell it to you cheap!
by jake3373 November 25, 2009 9:05 AM PST
Control Panel > Programs > turn Windows Features On or Off > uncheck IE > click OK > IE gone. Now try to get rid of Safari on a Mac (although Safari is a much better browser than IE, so you really wouldn't have a reason to disable it)
by Vegaman_Dan November 25, 2009 1:09 PM PST
@Dalkorian:
Okay, you got me. They still have it in the code base. But then Apple includes Safari and iTunes in theirs. Do you have to use it? No. Can you uninstall them from OS X? Um... okay, so maybe that causes problems.
Can you uninstall IE? Completely? No. You can disable it. Can you uninstall iTunes completely? No, but you can disable it.
by nrg.dude November 23, 2009 1:40 PM PST
Perfect time to switch to Firefox!
by RamaSubbu_SK November 23, 2009 3:12 PM PST
Why no switch to IE 8?
http://www.net-security.org/secworld.php?id=8527
by nrg.dude November 23, 2009 3:42 PM PST
No switch to IE 8 because once bitten, twice shy.
by Dalkorian November 24, 2009 4:11 PM PST
Friends don't let friends use IE.
by Vegaman_Dan November 25, 2009 1:09 PM PST
@Dalkorian:
I'm curious who your friends are. Hmm.
by WinNoMo November 23, 2009 1:42 PM PST
Too bad IE is "integrated" and cannot be removed from Windows. At least according to MS. I love swiss cheese.
by lazycat202 November 23, 2009 5:01 PM PST
who said IE can't be removed from Windows? and YES! MS built IE and MS has the right to add IE in its OS. Apple has Safari. Can we add IE into AppleOS?
by Vegaman_Dan November 24, 2009 1:37 PM PST
IE can be removed from Windows. There's been numerous flamewars here on CNET about it. True, older versions of the OS had it as part of the system, but since Vista, you could remove it.
Too bad people don't bother reading the news to keep up to date before spreading misinformation. :/
by Dalkorian November 24, 2009 4:15 PM PST
Oh wow, the apologists are just tripping over themselves here.
"Can we add IE into AppleOS?" - Actually, M$ had ported IE5 for OS X at one point. They eventually did the world a favor and quit doing that, but yes you can still likely find IE5 for OS X. Few would argue that you didn't deserve to be arrested after doing so though (even you apologists don't bother trying to defend IE5, it was that bad).
"Too bad people don't bother reading the news to keep up to date before spreading misinformation." - Considering who that one came from, it was the funniest joke I've read all month.
by Vegaman_Dan November 25, 2009 1:15 PM PST
@Dalkorian:
""Too bad people don't bother reading the news to keep up to date before spreading misinformation." - Considering who that one came from, it was the funniest joke I've read all month."
I'm glad you found it funny. I'm here to keep you entertained. I must say that your own comments have caused great hilarity from those that read them.
by WinNoMo November 23, 2009 1:43 PM PST
Same story. Different day. Some people will never learn.
by Seaspray0 November 24, 2009 12:38 PM PST
and an outdated browser. I take it you didn't notice that the up to date browser IE8 is not affected by this. I can make the same stupid claims if you were using firefox 1.0 instead of the most recent version.
by Vegaman_Dan November 24, 2009 1:37 PM PST
@WinNoMo:
Based on your comments, you certainly haven't learned anything. You're still spouting the same incorrect information.
by Kevico_Suave November 23, 2009 1:47 PM PST
More please. Keep it coming until every last user of IE6 switches or at the very least upgrades.
Thanks!
by bananaphonerules November 23, 2009 2:01 PM PST
"Symantec urges IE users to keep their antivirus software up-to-date"
Why not just run Windows Update and get the current version of IE?
Oh right; it doesn't sell AV by doing updates.
by ittesi259 November 23, 2009 4:11 PM PST
Because many an IT department refuses to update.....for some reason unknown to me.
by Random_Walk November 24, 2009 6:57 AM PST
"for some reason unknown to me."
Two words: legacy apps.
by Vegaman_Dan November 24, 2009 1:40 PM PST
@Random_Walk:
"Two words: legacy apps."
Two more words. "Compatibility Mode."
Care to spread more FUD, Penguinisto?
by The_happy_switcher November 23, 2009 2:16 PM PST
Wow, and it's not even Tuesday yet. The fun never ceases at Windows Adventureland.
1 person likes this comment
by Vegaman_Dan November 24, 2009 1:40 PM PST
Sorry I couldn't comment. My Macbook needed to shut down to install another update for iTunes when it crashed. Could you repeat your comment again about fun and adventureland again?
by The_happy_switcher November 24, 2009 2:44 PM PST
Sounds like another case of operator error.
by Vegaman_Dan November 25, 2009 1:17 PM PST
@The_Happy_Switcher:
The only thing I did was power up the MacBook and log in. The OS then told me it has updates to run for iTunes at which point during the install the system crashed. That spinning beach ball is only pretty to look at for so long. After an hour, I shut it down manually and restarted.
If you believe that the operator error in this case was turning on the machine, then .... yeah, perhaps you shouldn't use a Mac.
by CA1900 November 23, 2009 3:09 PM PST
Turn off Javascript? That'll cripple half the web sites I use. Not a great "solution."
by Michichael November 24, 2009 9:23 AM PST
Firefox + Noscript - a JavaScript whitelist
by will_col November 23, 2009 4:44 PM PST
My company won't upgrade Internet Explorer 6 because all the applications that we have won't run on Internet Explorer 7 or 8. Sucks, but that's the corporate world not wanting to spend thousands of pounds on upgrading all these applications.
Damn, I miss not having tabs in my browser at work :(
by Vegaman_Dan November 24, 2009 1:41 PM PST
Compatibility mode will handle most, if not all apps affected. Those that it cannot are such that are a bit... shall we say 'dated' and 'need to catch up with the rest of the world'?
Yeah, I agree, tabs are awesome. I like them on all the browsers.
by Dalkorian November 24, 2009 4:17 PM PST
Seriously, I know how much flame I'm going to get for this one, but your company should be barred from the internet. It's far too dangerous out there to be that flippant about bad decisions.
by jake3373 November 25, 2009 9:11 AM PST
Many companies still use IE6 because they can't update their special applications to be compatible with IE8 unless they want to pay the developer lots of money to make a new version.
This isn't just programs that run inside IE, but also some old Visual Basic programs that use an IE frame DLL to render the main part of the program. If you upgrade IE, the version of the IE frame inside the app will update, and the program will likely crash (no "compatibility mode" inside VB6 IE frames).
by jesmmifs November 24, 2009 12:23 AM PST
Good. Maybe this will stop people using Internet Explorer 6.
by play7 November 24, 2009 1:06 AM PST
I can understand older systems running 6 or even 7 but there is no need. 8 should be used.
by Dalkorian November 24, 2009 4:18 PM PST
No, it should not.
by Vegaman_Dan November 25, 2009 1:18 PM PST
@Dalkorian:
Perhaps people shouldn't read your comments?
by ducttape36 November 24, 2009 5:14 AM PST
I'm confused. I thought 'in the wild' meant that the code was already being used, you know, in the wild. but it says, "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact" so shouldn't this just be classified as proof of concept?
by Vegaman_Dan November 24, 2009 1:42 PM PST
It's more sensationalistic if you say it's in the wild. That gets more hits and page views.
by Dalkorian November 24, 2009 4:21 PM PST
You're right of course, but the "proof of concept" was released "in the wild" ("The exploit code was published to the BugTraq mailing list on Friday with no explanation."). I guess that gives them the leeway to fudge a bit.
;-)
by John_Esch November 24, 2009 2:00 PM PST
Well, it's really funny - I even can't understand why neither any download of IE8 nor one of WEB.de don't work anyway. Former versions did very well.
My system does be a MS Windows XP Professional SP.3 - updated up to today.
IE8 always - equal what version you do install - freezes, showing always the answer "no response" or in plain German: "keine Rückmeldung".
Meanwhile I've forgotten IE at all and normally only use either "Mozilla Firefox 3.5" or "Google Chrome" - and that's it.
I would like to use IE8 as well, but it ain't working anyway - so what to do?
by play7 November 24, 2009 4:40 PM PST
People just don't know what they are doing. Internet habits can play a factor or be an important factor if you go to sites that are exposed to purposely build codes to attack your IE or any browsers indeed you have problems.

About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.
