May 2, 2006 3:22 PM PDT

One IE flaw leads to another

As researchers pored over a vulnerability found within Microsoft's Internet Explorer less than a week ago, they discovered a totally new IE flaw.

The new bug could be used to launch code execution attacks. Microsoft acknowledged that the vulnerability, found by Andreas Sandblad of Secunia, is not just a successful exploit of the flaw uncovered last week by Michal Zalewski.

It was originally believed that the flaw found by Sandblad was related to the one discovered by Zalewski, but a Microsoft representative confirmed that the two vulnerabilities are separate.

"During analysis, Secunia discovered a variant of this vulnerability," security company Secunia wrote on its Web site on Tuesday, referring to the bug found by Zalewski. The company confirmed the problem "on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2."

Both flaws could be used to corrupt a PC's memory if the computer's user can be tricked into visiting a malicious Web site, Secunia said.

Secunia added that Microsoft is working on a patch.

See more CNET content tagged:
vulnerability, flaw, researcher, Microsoft Internet Explorer, Microsoft Corp.

55 comments

Join the conversation!
Add your comment
Using IE...
...in the face of all the evidence of its insecurity is a real triumph of hope over experience. The single most effective security measure a Windows users can take is to remove the IE icon from their desktop/taskbar/Start menu and never willingly use it again.

Of course, there are some circumstances that make using IE unavoidable. The only way most people can get security patches is via Microsoft Update, which requires IE to use. While this is tantamount to trying to vaccinate oneself against HIV using a smackhead's dirty syringe, there isn't much choice in the matter.

For all other uses, pleas use Mozilla, Firefox, Opera or one of the other, less toxic, alternatives to IE.
Posted by JFDMit (180 comments )
Reply Link Flag
NEVER HAD A PROBLEM
I use IE for everything but one web site of a browser based game and then I use firefox ONLY for the shift through tabs ability to make the mandatory clicks go by faster.

But after years of essentially 100% I.E use I have:

NEVER HAD A VIRUS
NEVER HAD MY IDENTITY STOLEN
NEVER HAD MY BANK INFO STOLEN
NEVER HAD MY BROWSER HIJACKED
NEVER HAD A ROOT-KIT (NOT EVEN SONY'S lol)
NEVER HAD ANY PROBLEMS

Now of course I do not do porn, p2p,don't STEAL software (which could have crap embedded as part of the crack!). I use A/V s/w and a firewall 24/7

and as a matter of FACT don't ever to seem to have a problem with ADWARE OR SPYWARE....

but yeah..... best to dump IE right away.... NOT!

Thanks for the laughs and the melodramtic post... maybe next year you'll win an OSCAR!
Posted by The user with no name (259 comments )
Link Flag
they keep talking about these IE flaws...
but I've still never had one exploited myself
Posted by Bobman (114 comments )
Reply Link Flag
That you know of..........
I guess your virus protection scheme is perfect. Could you share it
with the rest of us. Or is it that you don't actually use the internet
and/or e-mail?
Posted by fastdodge (32 comments )
Link Flag
That you know of
I guess your virus protection scheme is perfect. Could you share it
with the rest of us. Or is it that you don't actually use the internet
and/or e-mail?
Posted by fastdodge (32 comments )
Link Flag
Spyware
Also counts as a security breach. How many times do you run a spyware scanner?

But hey, I am also sure that when you just keep browsing to respectable sites, you will not get much trouble, but I bet you don't dare to let kiddos use your PC.

It's like driving. If you always stay on the main roads, you will not get any mud on your car. But I like to get off the roads sometimes, and get muddy. Most of the times it brings you to the nicest places.
Posted by Steven N (487 comments )
Link Flag
The Death of Internet Explorer
Internet Explorer has been on its deathbed for a long time. IE7 was
Microsoft's last chance to resurrect that nasty mess of a browser.
From the looks of it, they didn't pull it off. It's time to say goodbye
to Internet Explorer.
Posted by keparo (4 comments )
Reply Link Flag
Not gonna happen
As long as it comes right on the desktop with no other alternatives pre-installed IE will still be dominate. There are still a big number of users that want things to just work without any effort. There are also people like my dad, who I installed firefox for telling him its alot safer but will continue to use IE because firefox looks different.
Posted by kaufmanmoore (42 comments )
Link Flag
And go with wat?
Another bug ridden browser? Or are you proposing to skip this Internet thing altogether and go back to pen and paper?
IE, regardless of its design flaws, is as secure (or insecure) as the other browsers around, judging from the number of vulnerabilities, their seriousness and the patch availability history. The only thing actually protetcting the users of other browsers is lack of market share (and yes, this is an often repeated argument, but based on hard data it seems to be true). If everyone ditched IE and moved to another browser, the history would be the same, with malware authors moving to the new dominant browser.
So if you are really happy with your current browser security, the best thing you can do is to shut up and enjoy in silent the benefits of using unpopular tech. Because if that product ever becomes popular, you will have to start looking for alternatives. That's unless someone manages to come out with a new browser that's way more secure, has extremely few vulnerabilities and it's still compatible with the vast majority of web sites. But that hasn't happened yet, and I don't see it happening anytime soon.
Posted by Hernys (744 comments )
Link Flag
10+ years, same 'ol story
IE was a virus on its initial launch, still is 10 years out.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Wouldn't a complete rewrite be easier?
OK....we get it. Microsoft was late to the web party. They rushed IE. It sucks in security.

This happens to all companies that rush products. But, seeing as this is such a high profile product, wouldn't it make more sense to just rewrite the damned thing from the ground up with security foremost in the specs?

This would also be a great product to show the world how fabulous .Net is. Rewrite IE in .Net.

Use typesafe coding (no unmanaged code) and that should get rid of all of these buffer overflows - which seem to be never-ending.

IE from .Net. Unless .Net sucks too, this seems like win-win to me.
Posted by Jim Hubbard (326 comments )
Reply Link Flag
Hope this blog helps about IE7 rewrite
Hope this blog helps
<a class="jive-link-external" href="http://blogs.msdn.com/ie/archive/2005/09/19/47131" target="_newWindow">http://blogs.msdn.com/ie/archive/2005/09/19/47131</a>
6.aspx
Posted by Tanjore (322 comments )
Link Flag
22 for Firefox in the last 2 weeks
22 for Firefox in the last 2 weeks.

I think they are ahead for the year. And last year too.
Posted by NotParker (19 comments )
Reply Link Flag
So easily forgotten...
IE is junking your PC for the past 15 years, while FF is only present for a few years... Let's see where they are in 10 years...

Also, FF bugs are much more public, compared to MS. I bet if would be able to look at the bug reports of the MS test teams, that the counter would be very different.

And also... how many of these FF bugs have actually been exploited? How long till they are fixed? How much spyware is installed on my PC (none, and I don't mind going to funny sites). That is what counts for me.
Posted by Steven N (487 comments )
Link Flag
But very few were serious...
Most would only crash FF if exploited. With IE, nearly every flaw is high or critical and includes the risk of complete takeover of your PC.

You can keep claiming IE is no different than FF, but the facts do not support you.
Posted by umbrae (1073 comments )
Link Flag
This is getting tiresome
While I am far from being a fan of anything MicroSlop, I have to confess that these repeated articles about "security flaws" in IE, or any browser for that matter, that require someone to be duped into visiting a malicious web site in order for damage to occur, is well past tiresome. Actually, down right boring.

At some point you just have to acknowledge that the stupid shall be punished and call it a day. There is no amount of legislation that can protect the terminally stupid from themselves.
Posted by (63 comments )
Reply Link Flag
On the money
You are right on the money. The stupid will do stupid things, especially if given a tool with which to project their stupidity globally!

:)
Posted by J_Satch (571 comments )
Link Flag
Right on!
The most dangerous security exploit on any platform is that empty
space between the user's ears. It can't be fixed. It can't be patched.
It has always been and will always be the most vulnerable point of
any system.
Posted by lkrupp (1608 comments )
Reply Link Flag
Sad but true
Empty space between the ears........qoute of the century!
There will always be vulnerabilities as no code is perfect; and true, the Goliaths' (MS) will have a target on their back much faster than the Davids will (FF, Crapintosh...etc) and true the did put out a crappy product and integrated it throughout their OS. Nothing can be done about this now, it is what it is. So with that, I hope that you make better decisions.
Anyone commenting back and forthin in this forum is intelligent enough to SEPERATE! I have a design/music/video machine that does not touch the internet plain and simple. It has far too many critical things for me to chance screwing up. I also have a dune buggy machine that's meant to troll the depths of the Internet, afterall, if we don't get down to the dirtiest places, we'll never understand what is at our disposal!!!
How else would I cop free apps, vids and songs?!? How else would I be entertained for months upon end??
Now that being said, I have to Hardware &#38; Software firewall my dunebuggy, because I don't want to fall out of it in the desert next to Osama and his boys, I want to keep trolling and spit some sand in their faces while blaring Hells Bells and throwin empty beer cans at em!!!

Be realistic about security, about the net, and about networking. If it's that valuable to you, don't open it to hell. If anything in the past few weeks has taught you anything, it's only going to get worse as more things arrise; ie. Mac Vulnerabilities!!!! Ha, welcome to the jungle white box sukkuz!!!!!!!!!!!!
Posted by beonedrine (31 comments )
Link Flag
You must be referring to...
...the most common of hardware flaws, the loose nut behind the keyboard.
Posted by J_Satch (571 comments )
Link Flag
How many of the FF flaws....
are considered critical. Sure they have a lot of holes but the critical ones are patched in a matter of days. To be fair, when I did use IE, I never got a virus but I did get a boatload of spyware/adware. Ever since the move to FF, I don't get spyware/adware (I love extensions!).

Seriously folks, how many of you are the average computer user? I would bet most of you know how to take proper measures to ensure the security of your computer no matter what browser you use. It's the people like my boss who are constantly infected with junk from the net b/c they don't know what they are doing no matter how much I preach at them.
Posted by alaaji (7 comments )
Reply Link Flag
Well, I live on the east coast...
and have never had a direct hit by a hurricane. Guess those people in New Orleans are just big babies.

Seriously, you are just lucky. Nothing is fool proof and most likely you would not know if a professional got you. I am sure you might avoid the "I Love You" virus, but if you get hit by a real hacker you will not know until money vanishes from your account.
Posted by umbrae (1073 comments )
Reply Link Flag
This was meant to be threaded under another message...
but works good for anyone that says, "I use IE and have never had a problem". :)
Posted by umbrae (1073 comments )
Link Flag
most hackers aint
gonna take the time to hack through some Joe Schmo's firewall and security measures just to drop something into a nobody's system or hope to steal a nobody's money.

Can it be done? Sure

Is the time it takes for me to hack into your system only to find out you have no money or have nothing interesting for me.... NOPE

Your AVERAGE internet user IS NOT going to be the victim of a RANDOM hack attack. Now maybe if they pissed of a dude at school.... or maybe if they slept with (and got caught) some other guy's girlfriend...

but it is just FUD to try to scare people into thinking that Harry Hacker is gonna take the time and effort to get into my Grandma's eMachine used strictly for email, photos of the little ones and news sites. And UNLESS you know who your target is this is EXACTLY what you may get rewarded with for all your work.... a system that has nothing of interest for you.

When there are SO MANY EASIER ways of recruiting a zombie, stealing money etc the RANDOM HACK through firewalls and security measures is not much of a risk at all.
Posted by The user with no name (259 comments )
Link Flag
Here is nice joke...
As I am reading threads for this article I see this ad that reads...

&lt;
Microsoft TechNet-Secrurity Center:


Security tools for IT Pros: Visit the new Security Learning Paths site to help plan, prevent, detect, and respond to various IT security issues.

Learn more&gt;&gt;
Click Here!

* Microsoft TechNet - Security Center Find security tools here
* Antivirus Protection: Download a free trial of Antigen for Exchange Download now
* Steve Ballmer Details Microsoft's Security Strategy Read More
* Microsoft TechNet--Learning Paths for Security Learn More
* White paper: Microsoft helps customers mitigate security risks Download now
&lt;

What a Joke! Microsoft security Ad next to an IE flaw article. These morons, can't they figure a better way place their ads?

That said, anyone who uses IE deserves what he gets, VIRUSES &#38; SPYWARE. As many previous posters have pointed out the problem lies with windows. I say this from my own experience.

It is two years since I switched to Mac platform (OS X was the reason, I hated Mac OS 9). Since then, I never had to run a virus scanner, disk-defrag, or reinstall anything. And my computer works with the same speed and responsiveness I saw the day I bought it (I use Powerbook with stupid G4 processor). During the same period I saw my coworkers had to reformat their hard-drives, reinstall Windows..apps and even loose data because they were not careful to backup.

I hate to sound like a Mac Zealot, but my advice..just switch to anything that's *NIX. BSD, Linux, MacOS X. Doen't matter...anything else is better than Windows which is a plague that's consuming countless hours of man hours and billions of dollors worldwide. And, we are not even talking about the hardship people have to go through.
Posted by The_Nirvana (104 comments )
Reply Link Flag
Who's the MORON??
oh, that would probably be........ YOU!

qtd: These morons, can't they figure a better way place their ads?

I am sure that MS as well as any other company that advertises on the web IS NOT PLACING their own ads here or anywhere else.

In fact I would bet you that they are just served up here by C/Nets server and ad software/partner with no analysis of where they are being placed. This happens in the TV world too...


so in my best Napolean Dynamite voice....


IDIOT!

lol
Posted by The user with no name (259 comments )
Link Flag
WoW!
You are either the luckiest person alive or the Pope
needs to see you ASAP! :)
Posted by Mister C (423 comments )
Reply Link Flag
the pope? lol
well I hope he just remembers that if the Priests and Cardinals want to dress him up as an altar boy and play 'hide the salami' that it's NOT REALLY a salami!

pmsl
Posted by The user with no name (259 comments )
Link Flag
Return to the topic
Grow up, get back to the topic at hand.

Lots of interesting points have been made so far. I.E. is O.L.D. and a complete rewrite is in order. I.E. has flaws and Microshaft patches them. Then Microsoft patches the patches. Then discovers new vulns while patching the patches.

Dunno about you, but if I came accross a brick wall that was riddles with band-aids, I wouldn't stand too close to it (this is a valid comparison to the code in I.E.) for fear of it crumbling apart.

Yes, other browsers have vulnerabilities, but Microshaft waits SO long to issue theirs. Haven't you noticed that? Even their Patch Tuesdays - if there's a patch available now, ISSUE IT NOW! I'm embarrassed to tell my boss about the latest vuln, then have to say, "sorry, there's nothing I can do - gotta wait for Microsoft to save us from themselves". I really have to give the Open Source teams such as Mozilla credit for showing us that a patch doesn't need to take months/years to be issued. Why this rabid clinging to I.E., in the face of all the onslaught of problems, created by Microsoft, is beyond me. It just doesn't make sense. Someone explain why they stick to I.E. when they KNOW it has these vulns. Explain it not as if you're trying to convince me to use I.E., explain it... nevermind. I already know. It's familiar, easy, and you're too lazy and set in your ways to change. Even if it saves you (as an example) from losing all those precious baby picures.

I used to love Microsoft - I read Bill's book, he was my idol. But after having to deal with all this garbage over the years, it's taken its toll and it's no fun anymore. I just want stuff to work, is that so wrong? Opera works. Firefox works. OpenOffice.org works. I'll soon find out how well a distro of Linux works.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Learn what you're talking about
You've demonstrated a complete lack of knowledge about both software architecture and security.

Rewriting code is stupid. By rewriting code you only add new bugs. The smart move is to thread model the architecture to understand where the weak points are and target your rewrites for the maximum benefit. This is what is being done with IE7.

There's a very specific reason why patches are released at a consistent time. Scheduled downtime.

Releasing patches is very dangerous. Usually, the exploits that a patch addresses are not public. By releasing patches at a consistent time, it ensures that most people (and corporations in particular) know when they're coming and will update their systems fairly quickly after the patch is released.
Releasing a patch is an advertisement of what the vulnerability is. There are rediculously advanced techniques for doing binary diff analysis which hackers can use to find out exactly what the fix is and how to hit the exploit in unpatched systems in less than a day. Keep average patch time to a minimum is critical to containing that sort of threat.

Beyond that, IE6 is indeed a bit behind the times in terms of security, but not that far. Microsoft is one of a very small companies in the world whose products are consistently getting more secure. Windows at this point is MORE secure than Mac OSX and *at least* as secure as almost every flavor of *NIX. You can say what you want about its reliability and the average computer savvy of its users, but WinXP SP2 and Win2k3 SP1 are both more secure than Mac OSX if you read up on the recent pen tests.

But obviously, you're more interested in believing unsubstantiated attacks on one of the few companies who actually does care about security than you are about actually researching what the security landscape of today is like. If you want to believe that MacOSX and FireFox are so much more secure than Microsoft and that you don't have to use due diligence to stay safe with them, then my blessing goes out to the east asian mob who owns your box.
Posted by Meh234 (37 comments )
Link Flag
Not true
Actually, individual compromises are becoming increasingly common. The chances of finding potentially valuable personal information on a random machine is pretty high. Even if it's not credit card numbers, other personal information is frequently sellable.
Beyond that, it's a quick way to drop programs onto a host machine for use in things like DDOS attacks or just for monitering.

Is it potentially overstated? Probably. But it still a very real threat? Absolutely.
Posted by Meh234 (37 comments )
Reply Link Flag
wrong thread
This was supposed to go under the comment from the person who said that individual compromises aren't a real threat.
Posted by Meh234 (37 comments )
Link Flag
Microsoft Should Just Give Up on Internet Explorer
The following article explains it quite well... no need for me to add anything more.

<a class="jive-link-external" href="http://www.foxnews.com/story/0,2933,193058,00.html" target="_newWindow">http://www.foxnews.com/story/0,2933,193058,00.html</a>

Walt
Posted by wbenton (522 comments )
Reply Link Flag
oh yeah!
Dvorak?

That guy has bounced around to so many different places that it isn't funny.

But sometimes his articles are. :)
Posted by Sboston (498 comments )
Link Flag
IE 7 does not support an addressed supported subfolder.
Also know as; a 'Trash Can'. Sound familiar?
Posted by Pop4 (88 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.