bit-tech.net

MS warns of major IE flaw

Even the latest Internet Explorer 8 beta is affected by the security hole - and it can be traced all the way back to IE 5.01.

If you're still using Microsoft's Internet Explorer as your primary web browser, now might be a good time to change: crackers are exploiting a pretty serious unpatched vulnerability in the wild.

According to an article on Wired, around 10,000 malicious websites – mostly hosted in China – are actively using a so-far unpatched vulnerability in the Internet Explorer web browser shipped as standard with all versions of Windows to steal usernames and passwords for online banking and MMO games.

The vulnerability – covered in Microsoft Security Advisory 961051 – affects all currently available versions of IE on all versions of Windows, including the latest IE8 Beta on Windows Vista. Interestingly, the flaw even stretches back as far as Internet Explorer 5.01 – meaning that while crackers may only be discovering the hole now, the issue has been around for a considerable time.

The security hole is described by Microsoft as “an invalid pointer reference in the data binding function of Internet Explorer [, which means when] data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable [remotely].”
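The mechanism Microsoft describes, an object released while the binding array's length still counts it, is the classic stale-pointer pattern. The following is an added illustration in C, a constructed model rather than IE's code, showing the buggy release beside a corrected one and the invariant check that tells them apart; `BindingTable`, `release_buggy`, `release_fixed` and `table_consistent` are hypothetical names.

```c
#include <stddef.h>

/* Constructed model (not IE's code) of the bug class in the advisory: data-bound
 * objects held in an array with a separately tracked length. A released object
 * is marked dead instead of free()d so the stale access is observable
 * deterministically instead of being undefined behaviour. */
typedef struct { int id; int alive; } BoundObject;
typedef struct { BoundObject *slots[4]; size_t length; } BindingTable;

static BoundObject pool[4];   /* backing storage for the demo objects */

void table_init(BindingTable *t) {
    t->length = 4;
    for (size_t i = 0; i < 4; i++) {
        pool[i].id = (int)i;
        pool[i].alive = 1;
        t->slots[i] = &pool[i];
    }
}

/* Buggy release: the object goes away, but length is not updated, so the
 * slot stays inside [0, length) and now refers to a dead object. */
void release_buggy(BindingTable *t, size_t i) {
    if (i >= t->length) return;
    t->slots[i]->alive = 0;       /* stands in for free() */
}

/* Fixed release: mark dead, compact the array and shrink length so no
 * in-range index can reach the released object. */
void release_fixed(BindingTable *t, size_t i) {
    if (i >= t->length) return;
    t->slots[i]->alive = 0;       /* stands in for free() */
    for (size_t j = i + 1; j < t->length; j++) t->slots[j - 1] = t->slots[j];
    t->slots[--t->length] = NULL;
}

/* Bounds-checked lookup; NULL for out-of-range indexes. With the buggy
 * release this still hands back the dead object at the stale index. */
BoundObject *table_get(const BindingTable *t, size_t i) {
    return i < t->length ? t->slots[i] : NULL;
}

/* Invariant a code review or fuzz harness would check: every entry inside
 * [0, length) must be a live object. Returns 1 when the table is consistent. */
int table_consistent(const BindingTable *t) {
    for (size_t i = 0; i < t->length; i++)
        if (t->slots[i] == NULL || !t->slots[i]->alive) return 0;
    return 1;
}
```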

While the Protected Mode offered by IE7 and IE8 on Vista and the similar Enhanced Security Configuration setting on IE7 on Windows Server 2003 and 2008 can reduce the impact of the flaw, they do not offer complete protection. Currently, the only known way to be absolutely safe from this attack is to use an alternative browser.

So far, Microsoft has not issued any statement about a patch for the issue – but with such a severe bug, it wouldn't be unexpected for the company to release an emergency patch out of its normal monthly 'Patch Tuesday' release cycle. So far, however, no fix is expected.

UPDATE: Microsoft has broken with its normal patch schedule and released an emergency fix, which has been pushed out via Windows Update today. If you don't have Windows (or Microsoft) Update enabled to check for downloads automatically, you can grab the fix via the MS08-078 security bulletin.

Any IE stalwarts finally tempted over to the dark side of alternative web browsers, or is this latest security hole simply a storm in a teacup? Share your thoughts over in the forums.

21 Comments

landi_uk 17th December 2008, 13:15 Quote
A bit late with the news; MS have already announced that a patch is released tonight.
bowman 17th December 2008, 13:39 Quote
..people use IE? Christ people, time to switch. It's not like this is the first or last major security flaw.
Gareth Halfacree 17th December 2008, 13:40 Quote
Quote:
Originally Posted by landi_uk
A bit late with the news; MS have already announced that a patch is released tonight.
Aye - that article was written last night, before the patch was announced.
airchie 17th December 2008, 14:43 Quote
Typo
Quote:
If you're still using Microsoft's Internet Explorer areas your primary web browser,

And as has been said, why oh why would anyone use IE??
Firefox and/or Opera are surely the way forward??
phuzz 17th December 2008, 14:59 Quote
Some of the web admin pages I use at work will only work with IE, and Exchange web access only works properly with IE, so I have to keep it on my system. (There is one bit of Cisco software that somehow uses IE to download its installer and will fail if you have any version of IE except 6. This is a PITA.)
StephenK 17th December 2008, 15:05 Quote
True, but IE would be popular with a lot of folks as 'the one they have on their machines'. These people are also usually more vulnerable to these dangers as they are often less net savvy :(
Goty 17th December 2008, 15:09 Quote
Quote:
Originally Posted by phuzz
Some of the web admin pages I use at work will only work with IE, and Exchange web access only works properly with IE, so I have to keep it on my system. (There is one bit of Cisco software that somehow uses IE to download its installer and will fail if you have any version of IE except 6. This is a PITA.)

I use Exchange with Firefox all the time with no issues.

*shrugs*
Bauul 17th December 2008, 15:28 Quote
I like IE... I honestly do. It all makes sense to me. Everything else is different and therefore scary and uncomfortable. Plus Firefox is ugly.

These are my actual reasons believe it or not.
BioSniper 17th December 2008, 15:42 Quote
I am forced to use IE at work. Something to do with being an MS partner apparently.
Nexxo 17th December 2008, 16:27 Quote
Quote:
Originally Posted by airchie
Typo
Quote:
If you're still using Microsoft's Internet Explorer areas your primary web browser,

And as has been said, why oh why would anyone use IE??
Firefox and/or Opera are surely the way forward??
Opera, yes, for its small footprint and speed. Firefox has great flexibility, but with great flexibility comes great bloat. It still does not display video streams fluently because of the resource hog it is.
DarkFear 17th December 2008, 17:07 Quote
This might be a stupid question, but how would a username/password be obtained for a MMO?

Banking details I can understand since you'd be using IE to view the banking website but I’m not quite sure about the MMO thing.

I used to play WoW but have switched over to GuildWars/Last Chaos and these games use their own client for logging in etc. How would a username/password be obtained in this case?

I suppose this would only be a problem if you have to launch the game via IE, but I'm not aware of any MMOs that run via IE (though that doesn't mean there aren't any).
Glider 17th December 2008, 17:39 Quote
I think IE is nested inside Windows so closely that everything accessing the networking stack gets IE code.
Lepermessiah 17th December 2008, 19:57 Quote
IE works fine. FF was a lot better, not so much anymore. FF in the last year has had more security alerts than IE.
flacowboy 17th December 2008, 20:02 Quote
patch was released
Akava 17th December 2008, 21:30 Quote
Just had a 5 MB update from Windows update for IE7 so I would say Flacowboy is correct.
samkiller42 17th December 2008, 21:41 Quote
I use IE7 daily, it's stable enough for my uses, and I don't get issues with it; plus, I know what I'm doing with it. Yes, I have Firefox, but it's not as easy to fire up: 1 click for IE, 2 clicks for FF, 1 click wins for me.

Sam
frojoe 17th December 2008, 22:08 Quote
Why is it two clicks for you? It's only one for me.
The Jambo 17th December 2008, 22:23 Quote
Quote:
Originally Posted by DarkFear
I suppose this would only be a problem if you have to launch the game via IE, but I'm not aware of any MMOs that run via IE (though that doesn't mean there aren't any).

Runescape runs completely in the browser, along with many other free MMOs.
The_Beast 17th December 2008, 23:00 Quote
I have to use IE at school and work but when I come home I like to cuddle up and browse with Firefox
Tyrmot 18th December 2008, 10:34 Quote
Quote:
Originally Posted by phuzz
Some of the web admin pages I use at work will only work with IE, and Exchange web access only works properly with IE, so I have to keep it on my system. (There is one bit of Cisco software that somehow uses IE to download its installer and will fail if you have any version of IE except 6. This is a PITA.)

Have you tried using the 'IE Tab' add-on for Firefox? It lets you render web pages using the IE engine in Firefox... I find it works in the various work-related sites I have to use that don't like Firefox...
whisperwolf 18th December 2008, 12:31 Quote
Considering Firefox shoved out updates for security holes on the 16th, it does seem a bit rich how much coverage IE gets for this patch, and the usual "it's insecure" wails and moans. I've tried Firefox repeatedly and just can never get on with it; nothing ever seems to be where I want it to be. I know you can customise it, but it's too much effort. Currently trying Chrome on the home PC and that's much nicer to work with for me, but I believe that's still got security holes as well.