August 29, 2005 10:30 PM PDT

Microsoft investigates another IE flaw report

A new, unpatched flaw in Internet Explorer could let miscreants surreptitiously run malicious code on Windows PCs, according to the discoverer of the bug.

The problem affects Internet Explorer 6--the latest version of Microsoft's Web browser--on computers running Windows XP with Service Pack 2 and all security patches installed, Tom Ferris, an independent security researcher in Mission Viejo, Calif., said in an interview Monday. Other versions of Windows and IE may also be vulnerable, he said.

The security hole allows for "full-blown remote code execution," Ferris said. "If a user browses to a bad Web site, malicious software can be installed on their PC without their knowledge."

Ferris claims credit for discovering the problem and said he informed Microsoft of the flaw on Aug. 14. He reported some basics of the bug on his Security Protocols Web site Saturday, but he is not sharing more details to prevent information from getting into the wrong hands.

A Microsoft representative late Monday confirmed the company received Ferris' report. The Redmond, Wash., software giant can't confirm whether the flaw exists, but it is investigating the report, the representative said. "At this time, there are not any attacks, and there are not any risks" to users, she said.

Ferris said he provided Microsoft with details on the bug, including computer code to prove the existence of the problem. On his Web site, Ferris shows a screen shot of a crashing IE 6 Web browser, which he said was caused by the same bug.

Upon completion of the investigation, Microsoft will take the appropriate action to protect users, the representative said. This may include providing a security update through its monthly patch release or providing an out-of-cycle security update, she said.

There are several unpatched vulnerabilities in IE 6, according to Secunia. The security monitoring company has issued 69 alerts on the Web browser since 2003; almost one-third of those security bugs remain unpatched, according to Secunia's Web site. Secunia has yet to put out an advisory on this latest IE security issue.

Ferris has found bugs in Microsoft software before. Earlier this month, Microsoft credited him with reporting a bug in a Windows feature called the Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.

Ferris recommends people pick a different Web browser or use caution when surfing the Web to protect against any exploitation of the latest IE flaw and other browser bugs. Microsoft, as always, urges users to apply all available software patches and run updated security software.

Terrible news
by August 29, 2005 10:46 PM PDT
Anyway, switching to Firefox is the best and final choice.
Huh?
by 201293546946733175101343322673 August 29, 2005 11:19 PM PDT
What a lousy and stupid solution. Why don't you suggest people not to use their computers at all so their computers won't be affected by viruses, spyware and trojan horses?

Do you not drive because you may get involved in a car accident? :)
A possible way to make it worse
by amadensor August 30, 2005 3:13 AM PDT
Do not forget that Windows uses IE to render all sorts of other things. This means that perhaps a carefully crafted email or document could also cause this to happen.
HAHAHAHAHA Can I laugh at Windows users much more?
by educateme August 30, 2005 4:04 AM PDT
You guys must feel like pincushions by now, no other product in history has taken so much out of society's pockets, and ruined their days off fixing more crap. The solution is not to stop using IE, it is to STOP using Windows. Microsoft sucks, can I say it any louder for you poor slobs that can't say "SH*T" with a mouthful....WINDOWS SUCKS, get over your lame professions that this OS is Ok, and that smart users "patch" their systems. Have you not learned by now that it's not going to end. Let's see, I patched my Apple PowerBook once or twice a month, does it get bitten weekly by bugs, viruses, worms, or trojans NOPE!!! In this world, trojans are for when you're having "safe" fun, but for PC losers it's the sign of bad birth control, Bill Gates birthed a "lemon" on the world. Go ahead, admit it, you bought junk. Hahahaha. You really ought to buy a Macintosh and learn what stability and trouble free computing is all about. Poor suckers. Bill Gates loves you though, I am sure he's got a big present for you this holiday, keep waiting for it, it's in the mail.......;-)
Microsoft is NOT bought by 'people' for themselves
by CharlesRovira August 30, 2005 6:30 AM PDT
Windows is bought, as it always was, by OEMs and corporations in order to shove a 'product' on the shelves.

You don't even have to want it. If you are buying a PC system, you are buying a license for Windows. (It's not even an OS but the LICENSE to run an OS.) You may not want it, but you're getting it. Running Linux? Too bad. You're paying for a Windows license.
Stop making Mac users look unintelligent.
by notagumshoe August 30, 2005 6:32 AM PDT
It isn't necessary to banter MS Windows users every time something goes wrong with Microsoft. If they haven't switched yet because of viruses and other flaws (yes I think being affected by a virus is a flaw) they won't switch because you tease them. Yes, I am very happy with my Macintosh but from reading your comment people might think that only jerks would buy from Apple. Also I don't think a horrible internet browser is a reason to change operating systems, not to say that I think people should use Internet Explorer, but there are options for people content with their systems. Perhaps if every internet user, on Windows, switched to a safer browser than Internet Explorer, Microsoft might understand that their low standards are not acceptable. As of right now MS has no reason to change how they do things until a significant competitor appears.
Mac is not the only alternative
by davearonson August 30, 2005 7:03 AM PDT
Of course, the Linux brigade will also chime in, if they haven't yet. There are also the BSD family (Free, Open, Net, and so on), and if you REALLY want a near-total lack of any kind of support, OS/2, er, I mean, eComStation, or even those that have more or less officially died such as BeOS or NeXT.

All of these are far more secure than Windows. Then again, so is [insert your own joke here].

-Dave
You must be a computer genius!
by August 30, 2005 8:46 AM PDT
I'm sure if Apple was on 9 out of 10 computers it would have the same problem, but you knowing so much about Microsoft and Apple probably already knew that. Maybe you should call Bill and ask for a job because you seem to know all about the problem.

No matter what we do nothing is safe from people who really want to exploit it.
0
by August 31, 2005 6:45 AM PDT
0
Go Ahead and Laugh
by Kidtamer August 31, 2005 1:19 PM PDT
Being just one of those 'stupid people' who have a Windows OS (2 in fact), I would like to say this to you: UP YOURS!!! Why don't you direct your rudeness to those who cause the problems rather than those innocent people who have those problems inflicted upon them...that have few choices..had to buy M.S. operating systems? As long as the average consumer is stuck with a working budget, he is also stuck with an O.S. that is within their budget. Further, not everyone can build their own system. Some of us work for a living in a NON-virtual, REAL world and have just a few more things to think about and spend money on than computer O.S.'s! Rather than laugh at innocent folks who have few choices in the matter, why don't you criticize the A-holes that create the worms, trojans and other BS? I think that maybe your priorities are a bit mixed up. But, as I was taught, it takes all kinds. Maybe they will find a patch to fix jerks like you!
Simple solution for Windows Users...
by Earl Benser August 30, 2005 5:02 AM PDT
... QUIT USING IE !!!!

If you haven't learned by now that IE is near the root of all Windows disasters, learn it now. Delete IE functionality (You can't get rid of the code due to MS's Marketing driven misdesign of the Windows OS) and move to a real browser.

It really doesn't take any skill or experience to make the shift.
Critical MS Flawzzz
by August 30, 2005 3:42 PM PDT
Because of some security work I have been doing online for some celebz.... I recently crossed over the line and became a target for malicious online activities.... and because of such... within the last three months it seems like I have worked my way through the dictionary of Microsoft exploits... due to being a victim of many types of attacks....

Well..... my fellow brothers.... it is bad.... really bad.... you do not have to be connected to the internet for what I have been seeing lately.... but the worst part about it.. when I think back to my years as an admin on an enterprise level MAN county behavioral health and a & d network.....for three years with 300 users.... I remember seeing all of the same symptoms and "compromises" which have come to a head lately.... back then... It was just because I did not recognize what I do today through years of experience on a major network.... whereas before my first thousand help calls, the scope to which my configuration of an OS has changed dramatically....

The following is only a partial list of programs which upon bootup and install....(and literally from power on even before the OS boots fully) which are not only defective and require a fix to be downloaded, but also installed in a time sensitive manner depending on the level of sophistication of your programmer...

1. Fat16 & 32 Partitions - no file level security
2. d-com services enabled upon startup with command privileges set to Everybody by default
3. Indexing Services enabled by default
4. Several services designed for remote configuration by administrators which allow a SYSTEM logon to execute and change privileges locally or remotely...
5. IE6 by default allowing for third party installs without prompting
6. Windows Update - gets redirected to a local file so that the desired remote code gets a potential execution with the default install of XP sp3 allowing for automatic updates...
7. Remote assistance enabled by default
8. Norton Scheduler gets incremented with jobs upon the installation of the program in order to update the file definitions for the new program for yet another potential opportunity for external code execution.
9. Proprietary protocols... I notice this upon the review of a packet capture in which I did not see any activity on the nic, switch, router, or modem... but yet I was getting tons of packets in though the capture... well my capture program did not recognize the protocol... but it almost seemed like a derivative of the old token ring protocol.....
10. default registry values set ready for remote or network configuration.... if you don't review the complete set of security policies these too provide for an additional potential instance.

So basically without me having to type the detail instructions which I have developed to achieve a secure install..

If you can imagine having all these extra steps for completing a system install or repair... and worse if you are not aware of the urgency and order of the exploits... any one of these could initiate a process which would not only take administrative privileges but backup the entire contents of your hard drive to a remote network server but allow for a remote network user to remotely enable a mic or pc cam.... and had been so since at least 2002......


Don't forget to thank the quag for all the work he put into solving this problem....O' what problem.....

hhahah

The Quag
I just came to see...
by Harfeld Bilgewing August 30, 2005 6:31 AM PDT
What all the trolls were posting.
The usual grunts and bodily function noises
by aabcdefghij987654321 August 30, 2005 6:52 AM PDT
After all, what do you expect from trolls?
Ambiguous "Chicken Little" Info at best...
by fred dunn August 30, 2005 8:14 AM PDT
There is a flaw in XXXX product but I can't tell you what it is because if I did I'd have to kill you. Come on, if you're not going to give details on the flaw then why publish that there is a flaw? Is there really a flaw? You don't know yet but yet you're publishing an ambiguous story. Do some research and then publish otherwise it's just rumor.
Does news.com copy/paste this same story weekly?
by aabcdefghij987654321 August 30, 2005 9:23 AM PDT
Need I say more?
Naw
by Michael Grogan August 30, 2005 10:16 AM PDT
They'd have to do it daily to keep up with the endless stream of IE flaws, bugs and vulnerabilities. How come an 'Old Dude' like you has yet to gain the wisdom to see that the emperor has no clothes?
Bill Gates should be paying for this mess we're in/
by booboo1243 August 30, 2005 11:47 AM PDT
With hard time.
Security improving
by bp2004 August 30, 2005 5:30 PM PDT
The new exploit only allows malicious code to be run on your computer? Isn't this an improvement?

Usually it's been "this exploit could allow an attacker to take complete control of your computer"

Security is improving.


<end sarcasm>
I can provide them with a bunch of screenshots...
by fred dunn August 31, 2005 10:02 AM PDT
of IE crashing, So what.