
siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to trparky

Premium Member

to trparky

Re: IE Zero-Day

I'm not big on code, trparky. When I was an IE MVP, I could have asked the IE Team at MS. I no longer have that option accessible to me.

What we have in this thread is the latest information.

I suspect we will know more in the forthcoming days if MS will issue an out-of-band patch or perhaps a FixIt.

StuartMW
Premium Member
join:2000-08-06

1 edit

StuartMW to trparky

Premium Member

to trparky
said by trparky:

Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception?

I haven't looked into it in any detail but apparently there's some rather clever techniques that can be used to access deallocated memory. Take a look at the EMET manual as it has basic explanations of some common tricks.
StuartMW

StuartMW to Juggernaut

Premium Member

to Juggernaut
+1

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

2 recommendations

Juggernaut to redwolfe_98

Premium Member

to redwolfe_98
The only thing I use IE for is DL'ing Win updates.

mmainprize
join:2001-12-06
Houghton Lake, MI

1 recommendation

mmainprize to trparky

Member

to trparky
said by trparky:

said by EGeezer:

What's this "Internet Explorer" people are speaking of?

It's that other browser you use to download Firefox or Google Chrome with.

LMAO, My side hurts

StuartMW
Premium Member
join:2000-08-06

1 edit

StuartMW to EGeezer

Premium Member

to EGeezer
You might know it as Internet Exploder


trparky
Premium Member
join:2000-05-24
Cleveland, OH
·AT&T U-Verse

1 recommendation

trparky to EGeezer

Premium Member

to EGeezer
said by EGeezer:

What's this "Internet Explorer" people are speaking of?

It's that other browser you use to download Firefox or Google Chrome with.

EGeezer
Premium Member
join:2002-08-04
Midwest

1 recommendation

EGeezer to StuartMW

Premium Member

to StuartMW
What's this "Internet Explorer" people are speaking of?

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

Dustyn to 40757180

Premium Member

to 40757180
said by silentlooker :

I still use ie 5 and extremely happy.

Awesome.
The advisory does not discuss IE5.

StuartMW
Premium Member
join:2000-08-06

StuartMW to La Luna

Premium Member

to La Luna
Well if you're "lucky" you're probably "happy" too

Probably not many bad guys targeting IE5 any more.

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

1 recommendation

La Luna to 40757180

Premium Member

to 40757180
said by 40757180:

said by Dustyn:

said by Dustin Childs :

“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement.

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

I still use ie 5 and extremely happy lucky.

Fixed.
40757180 (banned)
join:2009-11-01

40757180 (banned) to Dustyn

Member

to Dustyn
said by Dustyn:

said by Dustin Childs :

“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement.

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

I still use ie 5 and extremely happy.

StuartMW
Premium Member
join:2000-08-06

StuartMW to therube

Premium Member

to therube
Um...

»Re: IE Zero-Day

therube
join:2004-11-11
Randallstown, MD

therube to redwolfe_98

Member

to redwolfe_98
Microsoft Confirms IE Flaw, Releases Workaround

"Here are Microsoft’s recommendations for those still using Internet Explorer 8 or older:

• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
• Deploy the Enhanced Mitigation Experience Toolkit (EMET) ..."

(Wonder how usable the browser will be with the first two suggestions implemented.)

StuartMW
Premium Member
join:2000-08-06

1 recommendation

StuartMW to therube

Premium Member

to therube
said by therube:

And aren't XP users limited to (at most) IE8 (or another browser entirely)?

Yup.

Win2K users can't run anything higher than IE6. I use Firefox v12.0 (the last to run on Win2K) on the rare occasions I browse on that box.

IE 3.01 was the last to run on Win 3.1 and WfWG 3.11 (16-bit OS'es). Netscape lasted until 4.x from memory.

therube
join:2004-11-11
Randallstown, MD

2 recommendations

therube to Dustyn

Member

to Dustyn
> Who the hell cares if IE6 is vulnerable?

Says IE6 - IE8.
(Guess IE5 & earlier no longer count.)

> Microsoft has to stop patching IE6 or people will continue to use it.

And aren't XP users limited to (at most) IE8 (or another browser entirely)?

StuartMW
Premium Member
join:2000-08-06

StuartMW to Dustyn

Premium Member

to Dustyn
said by Dustyn:

Just started yesterday too.

Excellent! That makes 3 of us now
TheMG
Premium Member
join:2007-09-04
Canada
MikroTik RB450G
Cisco DPC3008
Cisco SPA112

3 recommendations

TheMG to La Luna

Premium Member

to La Luna
said by La Luna:

^^^ This. Why anyone would use such an old, outdated, insecure browser is beyond me. I'd like to say they deserve whatever happens, but that would be mean.

Companies that are too cheap to spend the money required to re-code or update the "broken" web applications they are using.

Yes, the company I work for still uses IE6. Several of the intranet web apps don't work properly on any other browser.

Is that a valid reason to still be using IE6? IMHO, it is not. They've had plenty of time and money to upgrade their web applications, instead they waste the budget elsewhere on less important things.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN
·Carry Telecom
·TekSavvy Cable
Asus GT-AX11000
Technicolor TC4400

Dustyn to StuartMW

Premium Member

to StuartMW
said by StuartMW:

quote:
Another alternative - one likely to have less impact on your browsing experience - is to install EMET and enable it to protect Internet Explorer.

Already doing that

Just started yesterday too.

trparky
Premium Member
join:2000-05-24
Cleveland, OH
·AT&T U-Verse

trparky to siljaline

Premium Member

to siljaline
Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception? I know that that happens when I try to access Object variables when I've not set it to something with "New Object()".

This happens in VB.NET, C#, and even Java.
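The question above, illustrated with an added example that is not part of the thread: in native code, freeing an object does not null the references that still point at it, so a stale reference reads whatever now occupies that memory instead of raising a null-reference error. The one-slot pool, `Handle` type and function names are constructed for illustration, and the generation check is a generic defensive pattern, not something the thread attributes to IE or EMET.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy pool with a single slot, so reuse after free is deterministic
 * and the demo never touches memory it does not own. */
typedef struct { unsigned gen; int live; char data[16]; } Slot;
typedef struct { Slot *slot; unsigned gen; } Handle;  /* hypothetical checked reference */

static Slot pool[1];

static Handle pool_alloc(const char *contents) {
    Slot *s = &pool[0];
    s->live = 1;
    s->gen++;                                 /* new generation on every allocation */
    strncpy(s->data, contents, sizeof s->data - 1);
    s->data[sizeof s->data - 1] = '\0';
    return (Handle){ s, s->gen };
}

/* Freeing marks the slot reusable. Handles held elsewhere are NOT nulled. */
static void pool_free(Handle h) { h.slot->live = 0; }

/* Unchecked access: the behaviour of a raw native pointer. */
static const char *deref_raw(Handle h) { return h.slot->data; }

/* Checked access: returns NULL when the handle is stale. */
static const char *deref_checked(Handle h) {
    if (!h.slot->live || h.slot->gen != h.gen) return NULL;
    return h.slot->data;
}

int main(void) {
    Handle a = pool_alloc("object A");
    pool_free(a);                             /* a is now dangling, not null */
    Handle b = pool_alloc("object B");        /* same memory handed out again */
    printf("raw stale read:     %s\n", deref_raw(a));
    printf("checked stale read: %s\n", deref_checked(a) ? "allowed" : "rejected");
    printf("checked live read:  %s\n", deref_checked(b));
    return 0;
}
```

Managed runtimes such as VB.NET, C# and Java avoid this class of bug because the garbage collector never reclaims an object that is still reachable; the null-reference error there comes from a variable that was never assigned, which is a different condition.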

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to StuartMW

Premium Member

to StuartMW
Some slight duplication of effort never hurt anybody. Better than no information • voila

StuartMW
Premium Member
join:2000-08-06

1 recommendation

StuartMW to siljaline

Premium Member

to siljaline
Well I only know 'cause I clicked on both. That's where I got my quote from.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to StuartMW

Premium Member

to StuartMW
Noted

StuartMW
Premium Member
join:2000-08-06

2 recommendations

StuartMW to siljaline

Premium Member

to siljaline
That's the same link that chachazz posted

(Look in the "quoted" part)

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to redwolfe_98

Premium Member

to redwolfe_98
Also see:
»blogs.technet.com/b/srd/ ··· ers.aspx
Hat Tip to Wilders

StuartMW
Premium Member
join:2000-08-06

2 recommendations

StuartMW to chachazz

Premium Member

to chachazz
quote:
Another alternative - one likely to have less impact on your browsing experience - is to install EMET and enable it to protect Internet Explorer.

Already doing that

chachazz
Premium Member
join:2003-12-14

chachazz to redwolfe_98

Premium Member

to redwolfe_98
Microsoft Research & Defense: New vulnerability affecting Internet Explorer 8 users
quote:
In this particular vulnerability, IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically the following:
• Javascript to trigger the Internet Explorer vulnerability
• Heap spray or similar memory preparation to ensure the memory being accessed after it has been freed is useful
• A way around the ASLR platform-level mitigation
• A way around the DEP platform-level mitigation

Internet Explorer 9 or 10 do not include the vulnerable code. And the IE team is working around the clock to develop a security update to address this vulnerability for earlier versions of the product. ...read full article

Microsoft Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
»technet.microsoft.com/en ··· /2794220

StuartMW
Premium Member
join:2000-08-06

3 recommendations

StuartMW to Dustyn

Premium Member

to Dustyn
said by Dustyn:

Who the hell cares if IE6 is vulnerable?

19579823?

I rather like using IE 3.01 on my Windows 3.1 system

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

2 recommendations

La Luna to Dustyn

Premium Member

to Dustyn
said by Dustyn:

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

^^^ This. Why anyone would use such an old, outdated, insecure browser is beyond me. I'd like to say they deserve whatever happens, but that would be mean.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN
·Carry Telecom
·TekSavvy Cable
Asus GT-AX11000
Technicolor TC4400

1 recommendation

Dustyn to redwolfe_98

Premium Member

to redwolfe_98
said by Dustin Childs :

“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement.

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/