Web
Article

Another Day, Another IE Security Warning

By Craig Buckler

IE exploitBarely two months after the suspected Chinese cyber attacks on Google which prompted some Governments to issue IE warnings, Microsoft’s browser has been hit by another security exploit. According to the Microsoft report:

The main impact of the vulnerability is remote code execution.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of targeted attacks attempting to use this vulnerability.

The exploit targets IE6 and IE7. IE8 and IE5 on Windows 2000 are not known to be affected, but security company Sophos has graded the threat level as “critical”.

Browser exploits are never good news for a vendor, but the timing of this discovery is particularly problematic for Microsoft. The company has embarked on a huge IE publicity campaign to counteract user migration following the introduction of the EU browser choice screen.

Looking on the positive side, the exploit may persuade some users to upgrade to IE8. Although few users know which version they’re running — they could abandon the browser altogether. However, it’s more likely that most IE users will carry on surfing and are totally oblivious to any problems!

If you depend on IE6 or 7 you can always disable scripting. Again.

More:

Free Guide:

7 Habits of Successful CTOs

"What makes a great CTO?" Engineering skills? Business savvy? An innate tendency to channel a mythical creature (ahem, unicorn)? All of the above? Discover the top traits of the most successful CTOs in this free guide.

  • W2ttsy

    IE8 and IE5 on Windows 2000 are not known to be affected

    Who runs either of those combos? What about XP and Vista and Win7? does that mean that these platforms are affected? Seems that “its out by 1 but who cares” has struck again. This little gem was a comment found in the Win2k source code that was illegally released to the net back in 2004, specifically in the NT network security codebase.

    Personally, I believe MS has a more serious problem on their hands than IE exploits. They need to drastically change the way that the software teams are run. Complancy, quality assurance failures, delivery time failures, the list goes on. I sometimes wonder what would happen if they tightened up accountability and adopted a japanese style total quality assurance program. My guess would be that they would end up being an Apple equal. High quality code, high quality products and a high quality respected company.

    The company has embarked on a huge IE publicity campaign to counteract user migration following the introduction of the EU browser choice screen.

    And why does this seem like it should fall into the anti competitive realm? Really they are purposely negating the point of the choice screen by telling others to use their product. You’ve got a choice, but really we want you to ignore that choice and go with us. It seems especially suspicious considering the other vendors have basically no advertising budget to even begin to compete in press and TV with Microsoft.

  • Soniqhost.com

    The security issues are one of the major reasons I stopped used Internet Explorer.

  • http://www.patricksamphire.com/ PatrickSamphire

    Really they are purposely negating the point of the choice screen by telling others to use their product. You’ve got a choice, but really we want you to ignore that choice and go with us.

    That is probably the most ridiculous thing I’ve read for a long time. It’s called advertising. Just about every company does it. If you are suggesting that large companies shouldn’t be able to advertise because small companies can’t compete, then you are going nowhere.

    Pepsi and Coke would be banned right away, followed by just about every major brand you’ve ever heard of.

    The EU has no rules banning advertising just because one company has a larger budget than another.

  • Jeff

    … and this at a time when more and more people are developing sites that require us to enable javascript. Microsoft inadvertently scores another point for progressive enhancement!

    In the past three years I’ve assisted friends and family, and now moving to the outer circle of mere acquaintances, in disinfecting Windows computers riddled with infections. The threats now are more severe and harder to eradicate than anything I’ve seen in almost 30 years of computing. For a few, the aggravation was severe enough to accept the most radical solution of all: discarding Windows, installing Ubuntu. And of those few who did, none are unhappy with the choice.

    I’ve encouraged many people to abandon IE for either Firefox or Opera, but at the same time Microsoft encourages and even requires people to use IE for updates, etc. … Microsoft is cutting its own throat, and if that isn’t clear now, it will be clear in hindsight.

  • NetNerd85

    The only way to be secure is to unplug your cable to the interwebs!

  • W2ttsy

    That is probably the most ridiculous thing I’ve read for a long time. It’s called advertising. Just about every company does it. If you are suggesting that large companies shouldn’t be able to advertise because small companies can’t compete, then you are going nowhere.

    I may not have articulated my point well, but essentially the angle I was going for is this: The EU has asked microsoft to provide users with a choice panel. They have complied. They are now doing heavy rounds of “advertising” to push users in a particular direction. The problem here is that it creates an extremely unfair bias towards their product, which im fairly certain would make the choice screen irrelevant. And since the open source players like Mozilla or Opera, cant or won’t be able afford to match the ads, i believe there is an edge of anti competitiveness to it.

    For example, a luddite user (most computer users) is already familiar with the Blue E equalling the internet. So Microsoft has already got a bit of bias going for them. Then they see ads in the paper, on TV, radio, at the cinema showing other people using IE to surf the net. What do they do when they get the browser choice screen? they click IE.

    Now call it faulty logic if you like, but i believe that its wrong that the EU has gone to so much trouble to create this browser choice condition, yet still allows MS to heavily influence the choices of its users. They may as well have not done the screen to start with, since the whole purpose of it was to create balance.

  • commandnotapple

    @W2ttsy I HATE IE, but I believe Microsoft has every right to advertise and push their browser. The amount of knowledge a user has or the budget of the company is absolutely irrelevant to the fact that this is Microsoft’s product. Period. It’s theirs and if they want to install crapware on crapOS, then that’s their right.

    I think the ‘browser choice screen’ was a horrible idea, but it did what it was intended to do: it put the browsers it lists on an even playing field. So now Microsoft is advertising IE. They’re pushing their own product. That is their right. Just because it’s horrible doesn’t mean they can’t try to get people to use it. There’s this mentality now a’days that the underdog she be given handouts because they are smaller. I one hundred percent disagree. Everyone has to start at the bottom. I can give example after example after example after example where the underdog squelched it’s competition because it played it’s cards right. I can give you example after example after example of where the big dog fell to the little guy. You have to stay relevant. You have to stay real. American politics absolutely proves this in the election of President Obama. If you want something, you have to work for it yourself. No handouts, no freebies, either give it to all or give it to none.

    Also, by your methodology, Google shouldn’t be allowed to push Chrome on YouTube, AdSense, or even the Google homepage. But because it’s rendering engine is open source and well built, it makes it okay for Google to push their own browser? That doesn’t make sense.

    I agree that users need to be made aware of just how awful IE is, but forcing Microsoft into certain business practices crosses so many levels of wrong. Microsoft had better get it’s act together, because it is not all powerful, it is not invincible, it is not invulnerable. Folks are starting to realize how bad IE is, and in the next several years, I really believe we’re going to see IE’s usage percentage fall drastically. Change is a’coming. Whether Microsoft is at the forefront or in the dust of someone else, we shall see.

  • http://logicearth.wordpress.com logic_earth

    You know the sad thing? When everyone moves to Firefox all you are going to hear is how a security nightmare just like IE it is. But I regress.

  • http://www.optimalworks.net/ Craig Buckler

    @logic_earth
    There’s some truth in that, but Firefox does have a significant market share and the source code can be obtained by anyone. I’m surprised there aren’t more Firefox attacks.

    The unique thing about IE is that it’s so ingrained in Windows. That offers some great opportunities to developers and hackers alike.

  • http://www.lunadesign.org awasson

    @Craig:
    I noted the OS/Browsers that are affected (The exploit targets IE6 and IE7. IE8 and IE5 on Windows 2000 are not known to be affected, but security company Sophos has graded the threat level as “critical”) as did W2ttsy.

    Any news about typical XP, Vista or Win7 systems?

    Thanks,
    Andrew

  • http://logicearth.wordpress.com logic_earth

    awasson said, “Any news about typical XP, Vista or Win7 systems?”

    In conjunction with this exploit? IE 8 on Windows XP and above are not effect. Windows 7 only has IE 8, therefore… On Windows Vista with IE 7 the exploit would have almost zero effect as long as Protected Mode is active. (For those that do not know what Protected Mode is, it is a sandbox and requires UAC to be active.)

    More information about it here: http://www.microsoft.com/technet/security/advisory/981374.mspx

  • http://www.lunadesign.org awasson

    Thanks logic_earth,
    That advisory says it all…

    It does not bode well for those IE6 people who are the bane of web developers. Here’s a good reason for people to upgrade their browsers to the most current edition. I wonder if any will.

Recommended
Sponsors
Because We Like You
Free Ebooks!

Grab SitePoint's top 10 web dev and design ebooks, completely free!

Get the latest in Front-end, once a week, for free.