bit-tech.net

Microsoft issues Internet Explorer zero-day warning

Internet Explorer's handling of CSS has been found to contain a remote code execution vulnerability.

Microsoft has issued a warning about an unpatched zero-day vulnerability in Internet Explorer, which leaves Windows open to attack.

The vulnerability, discussed in Microsoft's Security Advisory 2488013, relates to Internet Explorer's handling of malicious Cascading Style Sheet (CSS) code, and can be exploited to overwrite uninitialised memory and execute arbitrary code.

The flaw can be exploited to remotely run code under the account of a logged-in user when that user simply visits a website that contains malicious CSS code. It's a serious issue, but it's one that Microsoft believes isn't currently being exploited by ne'er-do-wells.

There is no known fix for the flaw at present, although Microsoft reports that it's 'investigating new, public reports of a vulnerability in all supported versions of Internet Explorer, and on completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.'

In the meantime, the company advises users to run Internet Explorer in Protected Mode and ensure that their main user account is not configured as a system administrator. This will limit the rights available to malicious code executed from within the browser.

Although Microsoft claims to be 'unaware of any active exploitation of this vulnerability,' it does confirm that the flaw is public knowledge. This potentially means that attackers could quickly pick up on it and start to exploit the flaw before Microsoft fixes it.

Are you disappointed to see yet another security hole appear in Internet Explorer, or just pleased that Microsoft is looking into the problem as soon as public reports surfaced? Share your thoughts over in the forums.

24 Comments

Fordy 23rd December 2010, 15:18
It's ironic that the only people who use IE are the ones who do not know how to deal with such threats.
SaNdCrAwLeR 23rd December 2010, 15:25
Quote:
Originally Posted by Fordy
It's ironic that the only people who use IE are the ones who do not know how to deal with such threats.

it's also ironic that current iterations of IE use such an old version of CSS that most people who fiddle with it are pretty much moving on to CSS3 =X
Krayzie_B.o.n.e. 23rd December 2010, 16:39
Who the hell still uses Internet Explorer?
No_Na_Me 23rd December 2010, 16:48
Quote:
Originally Posted by Krayzie_B.o.n.e.
Who the hell still uses Internet Explorer?

roughly 55% of visitors to my site, and alarmingly a high percentage are from the UK.

Opera all the way for me.
thehippoz 23rd December 2010, 16:54
another ActiveX exploit :(
SlowMotionSuicide 23rd December 2010, 17:08
Quote:
Originally Posted by Krayzie_B.o.n.e.
Who the hell still uses Internet Explorer?

1500 workstations at my workplace, for some god-forbidden reason our admin seems to think IE 6 is a great choice of a web browser.
aLtikal 23rd December 2010, 17:46
Tell him, a guy from the internet nicknamed "aLtikal" thinks he is a ****ing stupid **** :D
RichCreedy 23rd December 2010, 18:50
i use ie - but not 6, and would advise anyone to upgrade from ie6 to a later version.

anyway, no browser is totally secure, so you can't call people stupid for using ie.
mucgoo 23rd December 2010, 19:10
no car is ever totally safe, but you chose the safest one right? and if the safest car(s) also performed better and were easier to use then it's a no brainer right, you'd be stupid for using anything else
azrael- 23rd December 2010, 22:17
Quote:
Originally Posted by SaNdCrAwLeR
Quote:
Originally Posted by Fordy
It's ironic that the only people who use IE are the ones who do not know how to deal with such threats.

it's also ironic that current iterations of IE use such an old version of CSS that most people who fiddle with it are pretty much moving on to CSS3 =X
You *do* know that newer versions of CSS don't replace older ones, but merely build on top of what is already there? And here's the big shocker: this doesn't only hold true for CSS! :p
cgthomas 23rd December 2010, 22:32
Quote:
Originally Posted by Krayzie_B.o.n.e.
Who the hell still uses Internet Explorer?

Bit Tech do... I'm viewing the website in IE. Gosh some people .......
RichCreedy 23rd December 2010, 23:38
who says the other browsers are safer, just because you don't know about the flaws in the other browsers doesn't make them safer, at least people know there are flaws with ie and can take steps to limit the damage.

check this 2008 article it gives an informed view, it is however now outdated, but still to a point applies.
Cthippo 24th December 2010, 04:52
What annoys me is that I am going to get this patch from windows update even though I don't use IE because of the way IE is tied into Windows. If this were a vulnerability in FF or Chrome, so what, because I don't use those browsers. I don't use IE either, but I'm still stuck with it.
Aracos 24th December 2010, 11:13
Quote:
Originally Posted by Cthippo
What annoys me is that I am going to get this patch from windows update even though I don't use IE because of the way IE is tied into Windows. If this were a vulnerability in FF or Chrome, so what, because I don't use those browsers. I don't use IE either, but I'm still stuck with it.

You can completely disable IE on win 7. Maybe not what you're after but it's a step in the right direction.
fozmcfc 24th December 2010, 11:40
I still use I.E. had no issues for years certainly since I.E.6 anyway.

The biggest annoyance for me at the moment is when you click on new tab and try to open a page, you have to leave an age it seems before opening up a page on it, otherwise it always opens over the other tab you have open.
leexgx 24th December 2010, 12:48
about time MS now report the issue with exploit CSS now i do believe it's been actively used myself, Opera is not affected to this issue

what i find interesting is CSS exploits happening in google search for images as one of my customers was and most likely more, when i clicked on the search result opens the pages then runs a CSS exploit and tries to install fake av software in the background (opera just gets some error when it tries to run it bad code)
NethLyn 24th December 2010, 13:47
Quote:
Originally Posted by No_Na_Me
roughly 55% of visitors to my site, and alarmingly a high percentage are from the UK.

Opera all the way for me.

Opera's great but it's on version 11.00 at the minute, so will wait for 11.01 before returning to using it for everything as they always find and thankfully fix bugs in new builds quickly.

I only use IE for Youtube vids and other non-essentials now, but we'll see what v9 brings - not that I'd stop using FF for all the general purpose stuff.
Landy_Ed 24th December 2010, 16:19
Quote:
Originally Posted by mucgoo
no car is ever totally safe, but you chose the safest one right?

Haha, NO!

My neighbour has just bought a Chrysler Voyager MPV. 40mph collision with a wall = fatal chest injury & lost limbs for the driver according to ncap, & the older model which still sold reasonably well it was driver decapitation at 30mph. If it was all about safety first, there would be a lot less brand diversity on the road network.

More accurate, in any event, to compare to our choice of security systems, but what thought do you give to the brand or type of lock on your front door? The majority of users are suffering because of the popularity of their choice, not because it is specifically so much more vulnerable than any other out there.
Devolve 24th December 2010, 17:56
Quote:
Originally Posted by Landy_Ed
Quote:
Originally Posted by mucgoo
no car is ever totally safe, but you chose the safest one right?

Haha, NO!

My neighbour has just bought a Chrysler Voyager MPV. 40mph collision with a wall = fatal chest injury & lost limbs for the driver according to ncap, & the older model which still sold reasonably well it was driver decapitation at 30mph. If it was all about safety first, there would be a lot less brand diversity on the road network.

More accurate, in any event, to compare to our choice of security systems, but what thought do you give to the brand or type of lock on your front door? The majority of users are suffering because of the popularity of their choice, not because it is specifically so much more vulnerable than any other out there.

The difference here is they are getting "functionality" of a people carrier. I don't see any "real" functionality of IE over any other browser. fair enough not everyone goes for safest car, but it's usually the something-est. most IE users are just going with what's already there. Either way, any bad choice is usually due to ignorance, car or computer.
RichCreedy 24th December 2010, 18:45
internet explorer isn't a bad choice, unless you're still using 6, it's about personal preference, firefox is no more secure in its vanilla state. all the browsers have their own security issues. if you have a fully patched up pc and fully up to date malware protection, you limit your risk.

it's also about safe browsing habits, be aware of the websites you're visiting.
raybies 26th December 2010, 00:21
IE 1-9 are a PoS
FF 3-3.6 are a PoS
Chrome is a little behind the Chromium curve.

Why oh why do companies force us to use PoS? Garmin being one that makes you use an IE plugin to update your device.
Citibank being another that forces people to use IE + Acrobat if you want to download a statement double PoS, WTF!
PingCrosby 28th December 2010, 20:43
EXTERMINATE.....EXTERMINATE......
benji2412 28th December 2010, 23:04
Personally I use FF over IE because I think it's less cluttered, FF used tabs before and I like the add ons. I just don't get on with IE, safety doesn't factor in to it with me.
Cthippo 29th December 2010, 08:50
Quote:
Originally Posted by RichCreedy
firefox is no more secure in its vanilla state.

It is somewhat only because fewer people use it and therefore fewer black hats look for holes in it. Also, it's open source, so lots of people are looking at the code. I recall an incident a couple of years ago where a serious security problem was found in FF and the fix was out within 9 hours.

Quote:
Originally Posted by RichCreedy
it's also about safe browsing habits, be aware of the websites you're visiting.

This.

I don't run any AV and I know a lot of people on here don't either.


It's been shown that it doesn't matter what browser you use or what AV you have, it all comes down to browsing habits.