backtop


Print 65 comment(s) - last by MrPoletski.. on Dec 23 at 9:12 AM

A new security flaw discovered in Microsoft's Internet Explorer has the company and its customers losing much sleep

News broke in the security world earlier this week that a critical vulnerability had been found in Microsoft's Internet Explorer 7.  The vulnerability could be used to take over computers and is known to be currently being used to steal passwords.

Rick Ferguson, a senior security adviser at security firm Trend Micro says thus far the hole has only been exploited to steal online game passwords, but the attacks could become much more serious for unpatched users.  He states, "It is inevitable that it will be adapted by criminals. It's just a question of modifying the payload the trojan installs."

The seriousness of the flaw was evidenced by Microsoft's rather public announcement of the vulnerability and panicked rush to develop a patch.  So-called "out-of-band" announcements from Microsoft are rare. 

In this case it made such an announcement, stating in a press release, "Microsoft teams worldwide have been working around the clock to develop a security update to help protect our customers.  Until the update is available, Microsoft strongly encourages customers to follow the Protect Your Computer Guidance at www.microsoft.com/protect, which includes activating the Automatic Update setting in Windows to ensure that they receive the update as soon as it is available."

Microsoft has announced that it will have a patch for the vulnerability by 1800 GMT on 17 December, available via Windows Update.

Some experts have suggested that corporate and private users switch browsers, to an alternative such as Firefox, Opera, or Chrome until the security flaw is patched on affected systems.  Only Microsoft Internet Explorer 7 is vulnerable to this latest attack.

However, some security experts are cautioning that a switch may be equally problematic.  Says Graham Cluley, senior consultant with security firm Sophos, "Firefox has issued patches and Apple has too. Whichever browser you are using you have to keep it up to date.  People have to be prepared and willing to install security updates. That nagging screen asking if you want to update should not be ignored."

The report ironically follows fast on a report that Firefox is a dangerously vulnerable application for businesses.  Apple's Safari has also been blasted within the last year for poor security and patching

Even the security of major open source software, not a popular target for hackers who heavily use such software, was recently brought into question when a major encryption scheme was found to be broken.  All of these instances illustrating the growing challenge of computer security, the difficulty with being a market leader (and thus a mark), and need for diligence when it comes to patches and updates.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Bit late?
By blowfish on 12/17/2008 1:05:40 PM , Rating: 3
I'm surprised that DT trailed the BBC by a good few hours on this story.




RE: Bit late?
By afkrotch on 12/17/2008 1:08:43 PM , Rating: 3
I find DT trails behind other sites by a few hours to days, while they at the same time are ahead of other sites by a few hours to days.


RE: Bit late?
By headbox on 12/17/2008 1:19:54 PM , Rating: 5
It takes time to read other news sites, then copy paste sections to make your own story.


RE: Bit late?
By Dreifort on 12/17/2008 1:56:10 PM , Rating: 5
Yahoo posted this story yesterday ;)

But it's Internet Explorer. I mean...really. Is this even news worthy?


RE: Bit late?
By on 12/17/08, Rating: -1
RE: Bit late?
By TheSpaniard on 12/17/2008 5:06:07 PM , Rating: 2
really last I checked my computers were used for things like x-ray crystallography and other data crunching and mind numbing tasks

YOU use it as a toy then so be it

PS: god can we force him to change his name? it drives me nuts when PS3 is attached to everything that flys from this person's keyboard


RE: Bit late?
By kmmatney on 12/18/2008 12:29:51 AM , Rating: 3
Woohoo! Another X-ray crystallographer!


RE: Bit late?
By TheSpaniard on 12/18/2008 11:03:45 AM , Rating: 2
we are far and few between arent we?

PS: I only do crystallography as confirmation of ligand-protein binding the rest of my life is stuck somewhere between assays and SDS-PAGE gells


RE: Bit late?
By YouInspireMe on 12/19/2008 4:40:19 AM , Rating: 2
Spaniard, I am going to save you alot of typing. In the future you can just cut and paste this;

"I want you to believe that I am smarter than you. I don't respect your intellect and will go to great length to impress you with my vocabulary."


RE: Bit late?
By menace on 12/19/2008 10:41:13 AM , Rating: 2
So you run folding@home and leave your computer running all the time. That makes you superior to the rest of us wasting our valuable FLOPS having fun.


RE: Bit late?
By MrPoletski on 12/23/2008 9:12:32 AM , Rating: 2
The guys obviously a crack head. don't feed the troll and the troll will starve here so head off elsewhere.


RE: Bit late?
By notolerance on 12/17/2008 6:33:50 PM , Rating: 4
Huh?!! You done what to the dog?!?!


RE: Bit late?
By MrPoletski on 12/23/2008 9:10:45 AM , Rating: 2
quote:
I find DT trails behind other sites by a few hours to days, while they at the same time are ahead of other sites by a few hours to days.


The chief editor of Dailytech is clearly from Gallifrey.

Is he a Doctor?


RE: Bit late?
By TomZ on 12/17/2008 1:17:09 PM , Rating: 2
Clicking through to the BBC article, it seems like this article is basically a copy-and-paste job from the BBC article. I guess that's the sad state of journalism these days - no value added.

Jason, how about adding in some technical information about the vulnerability? After all, the average reader at DT is more technologically sophisticated compared to the average BBC reader. Add some value!


RE: Bit late?
By spread on 12/17/2008 1:51:29 PM , Rating: 1
You can read about it in my blog. I'll copy pate off DT.... I mean write a story.


RE: Bit late?
By TomZ on 12/17/2008 1:59:03 PM , Rating: 5
Instead of being a series of "tubes," I tend to see the Internet as a series of mirrors - each original thought reflected countless times across numerous sites. I notice that a lot with news stories and blogs, as well as when examining search results.


RE: Bit late?
By theendofallsongs on 12/17/2008 3:23:29 PM , Rating: 5
What do you think the AP is? They just repost stories from their members, while all their member newspapers repost stories from them. It's how the game works.


RE: Bit late?
By Yawgm0th on 12/17/2008 1:27:10 PM , Rating: 4
I read this story last night. Almost a word-for-word copy, too. This is the fourth version I've read of this story from the fourth writer, and it says the same damn thing on every one, including this one. This, however, is basically copied, pasted, and rearranged from the BBC. Sure, a few words are changed, a couple plugs for previous DT stories are dropped, but there's nothing new here.

The real problem is this: "Some experts recommend switching, but others don't, etc." Some version of this takes up about half of every story a like, and it's useless to the technically adept and the clueless alike. I'd hope for a tech site (i.e. DailyTech) to take a less vague and "unbiased" position than this.

I had to actually dig to find out what the vulnerability is really about and come to a conclusion. You'd think at least DailyTech would have gone into details.


RE: Bit late?
By TomZ on 12/17/2008 1:48:21 PM , Rating: 2
I agree - and I throught it was odd to talk about "experts" suggesting to install other browsers in the meantime. I mean, what kind of advice is that, considering Microsoft planned a release for later the same day ?!?

Downloading and installing a different browser instead of just waiting a few hours and running Windows Update is pretty silly. Or better yet, run it now (as I did) and find out that the update is already available.


RE: Bit late?
By mars777 on 12/17/2008 10:49:04 PM , Rating: 2
It really isn't the same day. God know for how long this was misused until somebody out of MS found it. It was reported yesterday and MS plans to do a patch for tomorrow.

That's the caveat of closed source. You never know for how long something was misused. It could have been misused from day one of IE7 because nobody reported it and nobody could have reviewed IE7 code to ensure it is safe. Surely the first finder of the bug did not report it but rather chose to exploit :)


RE: Bit late?
By Quiescent on 12/17/2008 10:54:39 PM , Rating: 3
I have been telling my mother since day 1 to use another browser. She didn't listen to me until last night. I had Firefox installed on her computer, and now she's finally using it. I would have her use Google Chrome, but she needs addons for Firefox. I don't need them too much.


RE: Bit late?
By Quiescent on 12/18/2008 1:08:54 PM , Rating: 2
Oh yeah, but get this: I got my stubborn dad to use Firefox since the day I requested that he did. I put it on his business computer and told him that since he doesn't have AV software currently, that he is safer using Firefox than IE. However, for some reason I am more apt to convince my dad about using software now that my boyfriend has built his business computer and he seems to like computers now that he doesn't have to deal with a crappy eMachine. He doesn't listen to my step mother anymore, just my boyfriend and I.

But I suppose I finally got someone who is stubborn with computers to use a different browser, so this issue with IE has made it possible for me to show my mother the benifits of firefox, but I do hope she doesn't go crazy on the addons and themes, lol.


RE: Bit late?
By randy915 on 12/17/08, Rating: -1
RE: Bit late?
By mfed3 on 12/17/2008 7:06:26 PM , Rating: 2
Checked Windows Update, 0-day patch for IE v5,6,7 and 8 beta already patched before the article came out here.


RE: Bit late?
By Aloonatic on 12/19/2008 5:46:50 AM , Rating: 2
I posted a link to the story a couple of hours after it came through on my RSS feed from the BBC Technology site.

http://www.dailytech.com/article.aspx?newsid=13699...

Admittedly, it was stuck at the bottom of an article about MS knowing about the DVD scratching problem with the xBox 360 but I thought it was pretty important :)

being 5 or 6 hours ahead gives the UK a slight advantage when it comes to this sort of thing, but other articles were posted on DT after this news broke.

Maybe DT take the time to check up on things themselves before posting a story? Even if the content is a copy & paste affair perhaps they want to make sure that what they are copy and pasting is remotely true?


Solution
By GoodBytes on 12/17/2008 1:35:34 PM , Rating: 4
Once I install Windows, I don't install anti-spyware, anti-virus programs, nor even update windows. I just install myself viruses, trojans, warms, and several malwares. Like this I am already affected, and I have not to worry. I mean it's like your body right? It makes my computer immune system stronger this way. Right?




RE: Solution
By spread on 12/17/2008 1:53:37 PM , Rating: 2
That's right. With enough viruses on your PC, they'll defend your PC from other viruses ensuring that you still can't use it for a simple task like browsing a website.


RE: Solution
By notolerance on 12/17/2008 6:42:09 PM , Rating: 2
If it gets to that state, one could then call it a multipurpose device. Attach a rope to the system, and it becomes a quite effective boat anchor..


RE: Solution
By kelmon on 12/18/2008 9:52:52 AM , Rating: 2
Well, hackers have been known to write viruses that delete the viruses written by their "competitors", as well as doing whatever nefarious thing they were written for. Odd.


RE: Solution
By Gzus666 on 12/17/2008 2:55:11 PM , Rating: 2
This reminds me of the Simpsons episode where Mr. Burns goes to the doctor and finds out he has everything, ha. Then he shows them how the germs are all stuck at the door to his body with those novelty stuffed germs. CLASSIC!


RE: Solution
By Jellodyne on 12/17/2008 5:46:21 PM , Rating: 4
Mr. Burns: So what you're saying is, I'm indestructible!
Doctor: Oh, no, no, in fact, even slight breeze could --
Mr. Burns: Indestructible.


Where did you get this information?
By the goat on 12/17/2008 1:09:30 PM , Rating: 1
quote:
Even the security of major open source software, not a popular target for hackers who heavily use such software, was recently brought into question when a major encryption scheme was found to be broken.


Do you have a source for this statement? I strongly doubt most hackers use open source software.

Also stop harping on the Debian OpenSSL library mistake? It was not a huge issue at all. Repeating it over and over only makes Dailytech look ignorant.




RE: Where did you get this information?
By amanojaku on 12/17/2008 1:18:19 PM , Rating: 2
I disagree with both of your statements. Most hackers would user open source software or pirated commercial software: either way, they aren't paying for it and most aren't good enough to write their own compilers, assemblers, etc...

The OpenSSL issue was small because of luck, pure and simple. The exploit was around for two years and few people knew about it; had it been a Windows library you can be sure that would have been exploited before it left the building. It's popularity, not security, that kept that hole from becoming a problem.


By the goat on 12/17/2008 2:15:25 PM , Rating: 2
quote:
Most hackers would user open source software or pirated commercial software: either way, they aren't paying for it and most aren't good enough to write their own compilers, assemblers, etc...


I never said hackers pay for the software they use. If they are using pirated commercial software then they are not using open source software.


RE: Where did you get this information?
By Yawgm0th on 12/17/2008 1:33:41 PM , Rating: 2
quote:
Do you have a source for this statement? I strongly doubt most hackers use open source software.
If you had a clear idea of the definition of "hacker" outside of what the mainstream media uses, you'd realize virtually all hackers use open-source software, particularly open-source operating systems. It's almost a requirement to be considered a hacker.

If you are referring to malicious attackers, i.e. crackers, script kiddies, and the like, they still use open source software. This isn't because of any love of open source, per se, but because UNIX-like systems offer a far superior development platform for virtually any cracking tool. That doesn't give them too many choices outside of open source.

quote:
Also stop harping on the Debian OpenSSL library mistake? It was not a huge issue at all. Repeating it over and over only makes Dailytech look ignorant.
DailyTech loves to link to its own stories whenever they are remotely relevant. Mick in particular seems to do it frequently.


RE: Where did you get this information?
By Clauzii on 12/17/2008 1:58:45 PM , Rating: 1
"DailyTech loves to link to its own stories whenever they are remotely relevant. Mick in particular seems to do it frequently."

... which makes it extremely easy to track down a specific topic. Nice :)


RE: Where did you get this information?
By ebakke on 12/17/2008 3:34:48 PM , Rating: 2
So does the search bar in the top right. And that doesn't clutter the articles of interest to me.


RE: Where did you get this information?
By Clauzii on 12/18/2008 9:55:10 PM , Rating: 1
Clutter? Where??


By Clauzii on 12/19/2008 1:42:43 PM , Rating: 2
LOL, You guys are funny :)


By Jellodyne on 12/17/2008 5:34:03 PM , Rating: 2
Yeah, and there's a huge world of difference between "a major encryption scheme was found to be broken" and "an implementation of a major encryption scheme was found to be flawed" -- the second is what happened "recently", assuming you want to call March "recent". I mean its a big deal and all, but no worse than a bunch of Microsoft vulnerability, and easily patched.


Whats the exploit?
By ZachDontScare on 12/17/2008 2:19:42 PM , Rating: 2
I wish these articles would tell us what the actual exploit was. I'm not talking the code, but what component is being exploited. Is it in scripting? html rendering? Image decoding? favicons? bookmarks?




RE: Whats the exploit?
By GaryJohnson on 12/17/2008 3:45:13 PM , Rating: 2
I'm thinking it's another buffer-overflow attack.


RE: Whats the exploit?
By Smilin on 12/17/2008 6:05:11 PM , Rating: 2
It's a bad pointer reference, not a buffer overflow.

Buffer overflows don't get very far today on Vista at least.

It allows code to run with logged on user privledges. If Vista I believe you may still be limited to the non-admin part of the security token by UAC. I'm not positive on this part but it's a good assumption.

It's also not something that can self propogate. It still requires each user visiting a hacked/malicious site or being tricked into clicking a link in email. If it's outlook they click the link in, it will run the page in the restricted zone so there isn't much trouble that can be caused.

There is a webcast on the vulnerability available now. It looks like a flaw that had some potential to be ugly on a single user basis but MS jumped on it pretty quick (9 day turnaround basically)


RE: Whats the exploit?
By GaryJohnson on 12/17/2008 11:12:24 PM , Rating: 2
quote:
Buffer overflows don't get very far today on Vista at least.


But they do in XP...


RE: Whats the exploit?
By Smilin on 12/18/2008 10:47:16 AM , Rating: 3
Sure to some degree as long as you don't bump into DEP. If you are still running a almost 6 year old OS then you should expect 6 year old security.


What's New?
By Nakecat on 12/17/08, Rating: 0
RE: What's New?
By Screwballl on 12/17/2008 3:29:53 PM , Rating: 2
Try using Windows Update, it has been available since around noontime EST


RE: What's New?
By Nakecat on 12/17/2008 4:57:34 PM , Rating: 2
hmm I don't think I ever said I can't update.

I just want to point out this hole wasn't just discovered yesterday. It's been a while.

Do you really think microsfot will issuse the update today if it wasn't on bbc yesterday? They did emergency patch today because the company is on the news... again.


RE: What's New?
By Smilin on 12/17/2008 6:11:13 PM , Rating: 1
Automatic -1 for the "$".

BTW, just some constructive feedback here as parts of your post had some worth...

When I see someone typing M$ or "windoze" or some other such tripe I immediately think of some pimple faced angry little 10y/o l337 script kiddie who is stuck in 1995. If this description doesn't match you it doesn't matter much. I can only see what you type and I know nothing else about you.

If you are going to be an MS hater do so with some maturity and reason. It will further your cause.


RE: What's New?
By mars777 on 12/17/2008 10:57:13 PM , Rating: 1
M$. Not because i hate them but because i like to joke with their corporative incompetence in some business sectors :)

And what i think of you is:

Poor guy that has to go defend a lucrative company that does not pay him for his actions just because he is insulted by a dollar sign :D


RE: What's New?
By StevoLincolnite on 12/18/2008 3:34:49 AM , Rating: 2
You pretty much proved his point.


IE needs to go away ...
By otispunkmeyer on 12/17/2008 7:37:00 PM , Rating: 2
seriously, its garabge. we have to use IE7 at university and it could well be the gash viglen computers or the not quite so perfect network system but whatever... IE on our computers is next to hopeless. its constantly crashing, like thats the only thing it can actually do.

if you middle click a link (to open in a new tab) on trustedreviews.com the whole caboodle just drops its pants and disappears. same happens occasionally with streaming video.

if you even think about trying to operate IE7 as fast as you would normally operate FF or Safari or Opera, IE just cant handle it, you get long pauses and sometimes it just stalls.

then again, i even made MS paint crash on these computers so god knows whats going on




RE: IE needs to go away ...
By michal1980 on 12/18/2008 8:39:05 AM , Rating: 2
I think your school PC's have issues, I really cant remeber the last time I had IE7 crash, and I normal have 2-3 sessions open, with multiple tabs in each.


RE: IE needs to go away ...
By kelmon on 12/18/2008 10:02:19 AM , Rating: 2
It possibly depends on which sites you are accessing. We've got a couple of ActiveX web applications at work that have caused IE7 to lockup on occasion. It happens but with any crash you need to give it a situation that it doesn't like.


Patch Available Now
By TomZ on 12/17/2008 1:18:34 PM , Rating: 3
I just ran Windows Update, and the patch for IE7 is already available right now.




RE: Patch Available Now
By Screwballl on 12/17/2008 3:25:53 PM , Rating: 2
Yep installed it via WU on several XP machines and my Vista x64 setup that is rarely used.


Apple....a virus!?!...Holy hole in a donut Batman!
By Dreifort on 12/17/2008 2:03:41 PM , Rating: 2
quote:
The report ironically follows fast on a report that Firefox is a dangerously vulnerable application for businesses. Apple's Safari has also been blasted within the last year for poor security and patching.


But according to the guy in the Apple store (who had his collar flipped up and wearing bright white sneakers and asking everyone if they have seen the tennis courts) said that Mac's can't get a virus! WTH? He was preaching something about lack of a kernel in Mac OS and therefore it can't be attacked.

Working for an Apple competitor it is fun to watch customers talk to Apple reps, then speak to me. They actually argue with me ...as if they are now Apple experts since speaking to an "authorized" Apple rep... anyway, they argue with me that Apple's can't get a virus.

I ask them when was the last time someone attacked Canada. Just because Canada doesn't get attacked doesn't mean they are impervious to it. See...people have things to gain by attacking the USA. But not Canada.




By kelmon on 12/18/2008 10:30:54 AM , Rating: 2
Oh, for crying out loud, not this old chestnut again? How do you know that the Mac can catch a virus? So far we've seen nothing that isn't anything beyond the Amish Virus that requires the user to effectively delete their own hard drive (i.e. trojans). Sure, it's possible to write an application that destroys the data on a hard drive (heck, pretty much anyone can write one) but so far they all require the user to do something in order for something bad to happen.

As and when a virus appears for the Mac OS, then I'll concede that it is possible. Until then this is just theory and those people who want to maintain a virus-free computer would do better with a Mac (or Linux, for that matter) for the simple reason that there aren't any today. Perhaps tomorrow there will be gazillions of viruses for the Mac but right now there aren't any. You can't catch a bug that doesn't exist...

The problem with both the Apple and PC brigade is that each wants to skew the truth to the benefit of their own platform because they think the sky will fall in if people don't all use their platform. It's really rather sad.


Correction
By gstrickler on 12/17/2008 3:25:31 PM , Rating: 2
quote:
Only Microsoft Internet Explorer 7 is vulnerable to this latest attack.

Then why did they also release a patch for IE6? You might want to check your facts before publishing. IE 5.01 - IE 8 beta are affected.

http://www.microsoft.com/technet/security/bulletin...




RE: Correction
By Ihmemies on 12/17/2008 7:26:18 PM , Rating: 2
Wow.. they released a patch for IE5 too - a browser released nearly 10 years ago.


gamers lose sleep everywhere!
By omnicronx on 12/17/2008 2:44:36 PM , Rating: 2
quote:
ick Ferguson, a senior security adviser at security firm Trend Micro says thus far the hole has only been exploited to steal online game passwords
'In other news Network admins have been having sleepless nights in fear that they would have nothing to do at work if their WOW accounts were compromised.'

When I read the title, I actually thought there was cause for concern..




By majorpain on 12/17/2008 4:06:21 PM , Rating: 2
Obvious news is obvious
By Rodney McNaggerton on 12/17/08, Rating: 0
RE: Obvious news is obvious
By Clauzii on 12/19/2008 8:30:42 AM , Rating: 2


(fixed bolding)


patch is here
By Totally on 12/17/2008 11:57:00 PM , Rating: 2
--------------------------------------------------- -------
Security Update for Internet Explorer 7 in Windows Vista for x64-based Systems (KB960714)

Installation date: ?12/?17/?2008 11:53 PM

Installation status: Pending

Error details: Code 80242014

Update type: Important

Security issues have been identified that could allow an attacker to compromise a system running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this item, you may have to restart your computer. This update is provided to you and licensed under the Windows Vista License Terms.

More information:
http://go.microsoft.com/fwlink/?LinkId=137030

Help and Support:
http://support.microsoft.com

-----------------------------------------------
now moving along people nothing to see here




"What would I do? I'd shut it down and give the money back to the shareholders." -- Michael Dell, after being asked what to do with Apple Computer in 1997














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki