What we suddenly don't know about the new IE exploit

By Scott M. Fulton, III | Published December 12, 2008, 10:49 AM

One of the only sources of hard information yesterday about an IE remote code exploit that Microsoft only knew about circumstantially, now says not only is the Web full of misinformation about it, but it blames itself.

Just how many online news sources have to repeat a piece of information before it becomes, by default, true? That's the question faced by literally everyone, including BetaNews, who reported on Microsoft's revelation earlier in the week of what was believed to be the existence of new attacks affecting its Web browsers.

Based on what we thought we knew yesterday, there was evidence of a very old-style remote code execution attack through ActiveX controls, where multiple instances of a control on a Web page, once cleared, failed to clean up after themselves in memory, leaving code that could potentially be executed without privilege. That attack was said to impact Internet Explorer 7 specifically.

"After having published our initial advisory concerning this 0-day, one of my guys was therefore tasked with figuring out the exact nature of the problem," wrote Secunia Chief Security Specialist Carsten Eiram this morning, in a blog post that speaks volumes about the logistics involved when an independent security firm tracks down a problem.

"It turned out that a lot of available information and assumptions were wrong," Eiram continued. "Assumptions usually are, which is also why my department treasures the saying: 'Assumption is the mother of all f**k-ups' (and people claim nothing good ever came out of a Steven Seagal movie)."

Eiram then credited himself with notifying Microsoft, which he says triggered a response by that company of extending the scope of its warning to include all versions of IE. XML is not involved in the data binding process for controls, contrary to Secunia's earlier reports (we actually knew that ourselves, which is why we omitted that reference from our story yesterday); and while setting the security level to High, as Microsoft suggested, reduces the likelihood of an attack through scripting, Secunia is now saying it doesn't eliminate the possibility.

That last revelation suggests that no one actually knows whether a script is involved in this reported attack at all, which now raises suspicion about whether even the initial reports of the exploit's very existence are accurate. Specifically, is what Microsoft's seeing actually new?

But if an exploit had not existed before, it actually may soon, now that Microsoft has taken the out-of-cycle step -- actually against its revised policy for explicitness -- of explaining exactly what the vulnerable spot in IE might be, in its revised advisory published last night.

"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," reads the new advisory. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

But Microsoft has only seen evidence, the advisory goes on, of attacks on IE7, not any other version. Still, as a precautionary measure, it's now expanded the scope of the advisory to include IE5, IE6 and IE6 SP1, and also IE8 Beta 2.
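
The failure mode the advisory describes, as an added C model that is not Microsoft's code or part of the original article: an object is released while the array length is left unchanged, so a consumer walking the array still reaches it. Objects live in a fixed pool so a released one can be inspected safely, and every name here (`binding_array`, `release_flawed`, `release_fixed`, `run_model`) is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define SLOTS 4

/* Pool-backed objects: released storage stays readable, so no real UB occurs. */
struct bound_obj { bool in_use; };
struct binding_array {
    struct bound_obj pool[SLOTS];
    struct bound_obj *items[SLOTS];
    size_t len;                      /* entry count that consumers trust */
};

/* Flawed release: the object goes away, its slot and the length stay. */
static void release_flawed(struct binding_array *a, size_t idx) {
    a->items[idx]->in_use = false;
}

/* Corrected release: drop the slot and update the length in one step. */
static void release_fixed(struct binding_array *a, size_t idx) {
    a->items[idx]->in_use = false;
    for (size_t i = idx; i + 1 < a->len; i++)
        a->items[i] = a->items[i + 1];
    a->items[--a->len] = NULL;
}

/* Walk len entries as a consumer would; count those reaching a released object. */
static size_t stale_entries(const struct binding_array *a) {
    size_t stale = 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->items[i] != NULL && !a->items[i]->in_use) stale++;
    return stale;
}

/* Bind SLOTS objects, release entry 1 with the chosen routine, report stale entries. */
size_t run_model(bool use_fixed) {
    struct binding_array a = { .len = SLOTS };
    for (size_t i = 0; i < SLOTS; i++) {
        a.pool[i].in_use = true;
        a.items[i] = &a.pool[i];
    }
    if (use_fixed) release_fixed(&a, 1); else release_flawed(&a, 1);
    return stale_entries(&a);
}

int main(void) {
    printf("flawed: %zu stale, fixed: %zu stale\n", run_model(false), run_model(true));
    return 0;
}
```

In a real heap-backed array the stale entry would be a dangling pointer, which is why keeping the length and the contents in step at release time is the fix.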

Comments

IE7? You refer to the exploit that opens multiple tabs and doesn't stop at Task Manager usage either? Old news.

Score: 0

IE? That's so 1997. Windows sufferers, even before you finally wake up and get a Mac, you too can experience the web the way thinking people do: Apple style, with Safari: the fastest, easiest-to-use web browser in the world. With its simple, elegant interface, Safari gets out of your way and lets you enjoy the web instead of fearing it. Once you try it, you'll want to repeatedly punch yourself in the face for ever booting up Internet Exploder. Yes, your OS sucks, but that doesn't mean your browser has to.

Score: 0

Ah, that wouldn't be the same "APPLE" Safari that unfortunately has the default settings on install to accept "Redirects" to other Web Pages a known circumstance for Malware installation among other malicious things....

(Yeah Apple was really thinking when they allowed that setting for Windows Users' installs) So glad they're "thinking for me" (Wink)

Oh I have on my system, (for Browser checking) along with "Firefox 3" whose Chief of security is quitting this month after admitting that making a totally "secure" Browser is, I think she said "Impossible", duh??

But hey been telling folks that one for years... And hey I'm Stupid so I'll just keep using My Internet Explorer 7&8 (8 is not affected by exploit) and turn on the "DEP" setting for the total system and "hope for the best" Ha ha ha. (mitigates the active exploit)

Sometimes you have to let the Stupid stay Stupid and look out for yourself. Oh and by the way I'm too Stupid to tell the rest of you all that do run Windows how to turn on the DEP setting.... (And we'll just wait for the Patch or the Killbit to download)

I figured you could just look it up in your favorite Browser of choice... Choice is always good. Look at it as a learning experience, because I think it is outstanding.

Here's that Window Snyder link....check it out and start weeping Firefox faithful...enough said.

http://tech.yahoo.com/ne...curitychiefcallsitquits

BetaNews didn't seem to deem it worthy enough to cover... the Chief of Mozilla's security leaving because she knows you can't totally secure Firefox...nothing of note here.

Score: 0

just when you thought that mac users weren't c***y, internetworld7 comes along with his uneducated self and tries to justify his retarded self.

"With its simple, elegant interface, Safari gets out of your way and lets you enjoy the web instead of fearing it."
Were you dropped on your head at birth?
You're a ****ing tool, mate.

Score: 0

I am using Chrome now and it had its security flaws two months ago. I am impressed by the speed and quality with which Google fixed all the known security issues. I wonder why Microsoft can't do the same...

_________________________________________________________________________________
the first tool that helps you comment better: http://commentino.com/Tags/web01

Score: 0

Well, the security flaws known two months ago were fixed. That was then, this is now.

http://www.info-svc.com/news/2008/12-12/

Score: 0

Don't see a problem, popped over to the Microsoft page, read their advisory on how to make my version of IE8 beta 2 safe, did what they suggested. Now I will disconnect my machine from the mains, place it in the garden and wait until the panic has subsided.

Score: 0

IE is finitos...in other news today the auto bailout has failed...Britney's new album is a hit...and Jennifer Aniston turns 40!

Score: 0

I guess there is only one fair and balanced reporting media... At least Comedy central have some competition...

Duh!!

Score: 0

Is any news trustworthy on some of these sites? Has anyone heard of verifying before publishing?
Are we in such a hurry to get news out that we fail to care what it says? I have come to get most of my factual news from places such as AP news, CNN, Reuters. These journalists actually check facts first for the most part. The rest I treat as rumors waiting for someone to confirm.

Score: 0

You are joking, right? Please google these orgs for their various scandals, plagiarism, and botched -- as in NYTimes "made up" -- reporting over the past decade. The AP has been so unreliable that many newspapers have canceled their subscriptions to it this year.

Besides, Microsoft's OS, Office, and IE's insecurities are weekly news around the web, and have been as long as the commercial web has been around.

Score: 0

You are kidding aren't you? Journalism is almost dead and the "big trusted names" including the ones you mention (well, I can't speak for Reuters) but CNN and AP are a joke when it comes to objectivity and fact-checking.

Honestly, I'd trust National Enquirer over the NYT, although I read neither. Mostly these rags (cable news included) are just vehicles for promoting their politics. Journalism is a peripheral issue at best.

Score: 0

This is an old exploit. The best way to fix it is to just use firefox. Microsoft has too much integration with the operating system meaning that internet explorer has access to a lot more system folders than a typical internet user should want.

Score: 0

I don't mean to burst your bubble, but system level access via exploit is possible from any program run on top of an operating system: period.

Score: 0

FireFox is not immune from vulnerabilities:
http://www.mozilla.org/s...fox30.html#firefox3.0.4

Also, you may want to read up on IE's Protected Mode before you discuss integration.

Score: 0

I don't believe it's the media's fault that stories become distorted.

Instead, the problem is the result of the originating source not being willfully forthcoming with issues that concern us all.

Score: 1
