
elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

1 edit

elwoodblues

Premium Member

Massive bug in IE

Microsoft is rushing to fix a bug in IE v6 to 11 that will allow hackers to take over a PC.

Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.

And people wonder why I say not to use IE, it's got so many security holes a truck could drive through it.

»www.kb.cert.org/vuls/id/222929

Edit: Clarified IE versions to avoid confusion

Msradell
Premium Member
join:2008-12-25
Louisville, KY

Msradell

Premium Member

I believe that IE 6 has been not recommended for use for a long time. Granted, all versions of IE as well as all software in general have problems, but staying with recent versions certainly minimizes them. At least Microsoft acknowledges problems when they are found and provides fixes, whereas some other software vendors just ignore them.

therube
join:2004-11-11
Randallstown, MD

therube

Member

> IE 6 has been not "recommended"

But isn't IE6 still fully "supported" (even if not recommended)?
therube

therube to elwoodblues

Member

to elwoodblues
Security thread, Microsoft releases Security Advisory 2963983.

Msradell
Premium Member
join:2008-12-25
Louisville, KY

Msradell to elwoodblues

Premium Member

to elwoodblues
Upon further investigation I misinterpreted the OP. The problem is with all versions of IE from version 6 up to version 11.

Skipdawg
The Original

join:2001-04-19
Mount Vernon, WA

Skipdawg to elwoodblues

to elwoodblues
Oh wonderful. Hope they get it fixed quickly.
robman50
join:2010-12-14

robman50 to elwoodblues

Member

to elwoodblues
Glad I use FireFox.

therube
join:2004-11-11
Randallstown, MD

therube

Member

> Glad I use FireFox

And did you put in today's security update for Flash (for both IE & FF)?

Boricua
Premium Member
join:2002-01-26
Sacramuerto

Boricua to Msradell

Premium Member

to Msradell
said by Msradell:

At least Microsoft acknowledges problems when they are found and provides fixes, whereas some other software vendors just ignore them.

Do you seriously believe that!?!? There are still security holes from years ago that haven't even been patched and Microsoft has been warned.
robman50
join:2010-12-14

1 edit

robman50 to therube

Member

to therube
Never gave me that popup yet. Might go download it manually.

And updated.

deke40
deke40
Premium Member
join:2003-01-23
Texas

deke40 to elwoodblues

Premium Member

to elwoodblues
Just to be safe I downloaded EMET 4.1 and hopefully configured it right.

Found this on the net:

"FireEye recommended that users disable Adobe Flash, saying 'the attack will not work' in that case. But Adobe posted its own advisory on Monday, offering users a security update that it said will fix the problem."

I downloaded the latest version of Flash Player-13.0.0.206.

Does this truly mean I am now alright or should I leave EMET installed for added protection?

Razzu12345
@69.204.156.x

Razzu12345 to elwoodblues

Anon

to elwoodblues
IE11 patch already out for this flaw.

»www.computerworld.com/s/ ··· wn_holes

And yet nobody batted an eye.

digitalfutur
Sees More Than Shown
Premium Member
join:2000-07-15
GTA

digitalfutur

Premium Member

Patched faster than you can say... Apple tax!

therube
join:2004-11-11
Randallstown, MD

therube to deke40

Member

to deke40
> Adobe posted its own advisory on Monday, offering users a security update that it said will fix the problem

As far as I can see, these are different problems, both (Adobe) Flash related, but different, & today's Adobe update does not fix this "massive bug in IE", CVE-2014-1776.

> IE11 patch already out for this flaw

And I didn't see anything related to that in the linked article.
And the above MS article says nothing of a fix.

digitalfutur
Sees More Than Shown
Premium Member
join:2000-07-15
GTA

1 edit

3 recommendations

digitalfutur

Premium Member

KB2961887 for the zero day IE exploit.

»technet.microsoft.com/li ··· /2755801
quote:
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Hardly the doomsday that some think it is.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube

Member

Looks to only apply to Win8/Server 2012, not Win7.
(Not sure if anything earlier even applies to this, CVE-2014-0515, issue?).

And again, we're confusing, intermingling two totally separate bugs here.

The "massive bug in IE" has not (yet) been patched by MS.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird to digitalfutur

Premium Member

to digitalfutur
said by digitalfutur:

...

quote:
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Hardly the doomsday that some think it is.

Or... they could hack a legitimate site that folks visit all the time, create a malicious ad that is placed on such a site, or sneak a link to malware onto such a site. These disclaimers always seem to omit those very real possibilities...

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena

Premium Member

said by Blackbird:

said by digitalfutur:

...

quote:
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Hardly the doomsday that some think it is.

Or... they could hack a legitimate site that folks visit all the time, create a malicious ad that is placed on such a site, or sneak a link to malware onto such a site. These disclaimers always seem to omit those very real possibilities...

Exactly. I can tell you it happened to me. That is, I run a website for my wife's business, and a few years ago I was running it on Joomla. I myself was responsible for making sure Joomla was up to date, and at some point some exploit was found in the Joomla software allowing someone to place files on the website somewhere, and using a link to lure visitors to download it.

Now, people are a lot more likely to click on a link provided by a small business they may have purchased from in the past, or done business with in some form or another. Nothing happened with any of my wife's clients as far as I know, but I didn't notice I needed to upgrade Joomla until a few months after the exploit was revealed.

And there are MILLIONS of those websites out there. Small businesses that have a website they may update every once in a while, and if a link with that small business's address shows up in your email, and you know them.... you may be a lot more inclined to click on it.

These kinds of exploits are real, and happen every day. I would not underestimate the risks.

One should also know that this bug will not be patched on Windows XP. So time to upgrade.

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

elwoodblues to digitalfutur

Premium Member

to digitalfutur
What it seems to me is that when an exploit is linked to a social engineering scam, it's not considered a "bug".

I received an email from a client yesterday about "fixing" their LogMeIn security certificate (yeah ok...) I clicked the link on my phone, and sure enough it tried to download a payload inside a Zip file.

So if this payload exploited a bug inside Windows, and because the end user is a dummy and clicked on the link and opened the zip file, is it a bug or is it social engineering?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to elwoodblues

Premium Member

to elwoodblues
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website...
It's a bug, plain and simple; invoking social engineering is a straw man. The real difficulty I find is that this typically-worded MS disclaimer assumes that unless an attacker somehow "forces" a user to visit a malicious site (which they can't without a gun at a user's head), there's no real user risk outside the user's control... the threat is "mitigated". But that totally ignores both the realms of "drive-by" infections and URL referrals from "legitimate" sites to malicious sites. IM and eMail messages are not the only pathways to reach a specially-crafted infection site carrying this exploit. But the disclaimer gives a smooth-veneer impression that messaging safe-hex will keep a user safe, and that veneer acts to quiet the using public's concerns.

However, the reality is that folks who use a browser to... uhmm... "browse" will routinely visit a variety of websites, many of them popular and regularly-visited, others less popular but still "plain vanilla" and innocuous. But if any of those sites get compromised (hacked, allow a malicious ad to be run on their rented ad-space, or have a malicious link somehow sneaked onto their "respectable" site), "browsing" users will readily find themselves suddenly up close and personal with this very exploit - without ever having clicked links in eMail or IM messages.

These kinds of disclaimer messages are simply unreal in terms of how even cautious folks use computers in the real world, and they give a false sense of security to the naive reader. In this case, the only 100% proof against this exploit in terms of browsing habits is to turn off IE or use a competing browser - but that looks bad in print, so we instead get the message as it currently stands. This mealy-worded disclaimer is not something new, but something MS has honed to a fine art over the years.

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

elwoodblues

Premium Member

But that is the thing, they write it off to social engineering in order to mitigate the fact that a bug has existed in their software for the last decade or so and they never addressed it.

I like how FF/Mozilla have moved all extensions and add ons to a separate process that has nothing to do with the browser.

therube
join:2004-11-11
Randallstown, MD

therube

Member

quote:
I like how FF/Mozilla have moved all extensions and add ons to a separate process that has nothing to do with the browser.

Explain?

AFAIK, extensions can do anything the browser can do. They have full control & are not sandboxed. Plugins may run under a separate process, though they still have much to do with the browser. Plugin sandboxing pretty much depends on the Plugin (& its settings).

The separate process that may run Plugins is not there so much for security reasons, but rather to lessen the impact of a Plugin crash taking down the browser.

gzt7d8
Aliens live amongst us
Premium Member
join:2001-07-13
Traverse City, MI

gzt7d8 to elwoodblues

Premium Member

to elwoodblues
The fix has been posted. There is another thread on this forum with the details.

Wow, that was quick.

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

elwoodblues to therube

Premium Member

to therube
In the case of this particular exploit, from what I read, Flash ran in the same process as IE, which allowed the exploit.

So I'm thinking that by putting the Flash plugin into a different process this kind of exploit wouldn't be possible.

Jackorama
I Am Woman
Premium Member
join:2008-05-23
Kingston, ON

Jackorama to maartena

Premium Member

to maartena
On Win XP and I got the update yesterday through WU, but I use FF anyways.

Anonymous_
Anonymous
Premium Member
join:2004-06-21
127.0.0.1

Anonymous_ to Boricua

Premium Member

to Boricua
said by Boricua:

said by Msradell:

At least Microsoft acknowledges problems when they are found and provides fixes, whereas some other software vendors just ignore them.

Do you seriously believe that!?!? There are still security holes from years ago that haven't even been patched and Microsoft has been warned.

How will the NSA or FBI access your computer if they fix it?