

elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia

1 edit

Massive bug in IE

Microsoft is rushing to fix a bug in IE v6 to 11 that will allow hackers to take over a PC.

Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.

And people wonder why I say not to use IE, it's got so many security holes a truck could drive through it.

»www.kb.cert.org/vuls/id/222929

Edit: Clarified IE versions to avoid confusion
--
My Name is Wiley E Coyote, Super Genius


Msradell
P.E.
Premium
join:2008-12-25
Louisville, KY

I believe that IE 6 has been not recommended for use for a long time. Granted all versions of IE as well as all software in general have problems but staying with recent versions certainly minimizes them. At least Microsoft acknowledges problems when they are found and provides fixes whereas some other software vendors just ignore them.
--
Written using Dragon NaturallySpeaking



therube

join:2004-11-11
Randallstown, MD

> IE 6 has been not "recommended"

But isn't IE6 still fully "supported" (even if not recommended)?



therube

join:2004-11-11
Randallstown, MD
reply to elwoodblues

Security thread, Microsoft releases Security Advisory 2963983.



Msradell
P.E.
Premium
join:2008-12-25
Louisville, KY
reply to elwoodblues

Upon further investigation I misinterpreted the OP. The problem is with all versions of IE from version 6 up to version 11.
--
Written using Dragon NaturallySpeaking



Skipdawg
The Original
Premium,ExMod 2001-03
join:2001-04-19
Mount Vernon, WA
reply to elwoodblues

Oh wonderful. Hope they get it fixed quickly.


robman50

join:2010-12-14
reply to elwoodblues

Glad I use FireFox.



therube

join:2004-11-11
Randallstown, MD

> Glad I use FireFox

And did you put in today's security update for Flash (for both IE & FF)?



Boricua
Premium
join:2002-01-26
Sacramuerto
reply to Msradell

said by Msradell:

At least Microsoft acknowledges problems when they are found and provides fixes whereas some other software vendors just ignore them.

Do you seriously believe that!?!? There are still security holes from years ago that haven't even been patched and Microsoft has been warned.
--
Illegal aliens have always been a problem in the United States. Ask any Indian. Robert Orben

robman50

join:2010-12-14

1 edit
reply to therube

Never gave me that popup yet. Might download it manually.

And updated.



deke40
Premium
join:2003-01-23
Texas
reply to elwoodblues

Just to be safe I downloaded EMET 4.1 and hopefully configured it right.

Found this on the net:

"FireEye recommended that users disable Adobe Flash, saying "the attack will not work" in that case. But Adobe posted its own advisory on Monday, offering users a security update that it said will fix the problem."

I downloaded the latest version of Flash Player-13.0.0.206.

Does this truly mean I am now alright or should I leave EMET installed for added protection?



Razzu12345

@69.204.156.x
reply to elwoodblues

IE11 patch already out for this flaw.

»www.computerworld.com/s/article/···wn_holes

And yet nobody batted an eye.



digitalfutur
Sees More Than Shown
Premium
join:2000-07-15
BurlingtonON
kudos:2

Patched faster than you can say... Apple tax!



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to deke40

> Adobe posted its own advisory on Monday, offering users a security update that it said will fix the problem

As far as I can see, these are different problems, both (Adobe) Flash related, but different, & today's Adobe update does not fix this "massive bug in IE", CVE-2014-1776.

> IE11 patch already out for this flaw

And I didn't see anything related to that in the linked article.
And the above MS article says nothing of a fix.



digitalfutur
Sees More Than Shown
Premium
join:2000-07-15
BurlingtonON
kudos:2

1 edit

3 recommendations

KB2961887 for the zero day IE exploit.

»technet.microsoft.com/library/se···/2755801

quote:
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Hardly the doomsday that some think it is.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 recommendation

Looks to only apply to Win8/Server 2012, not Win7.
(Not sure if anything earlier even applies to this, CVE-2014-0515, issue?).

And again, we're confusing, intermingling two totally separate bugs here.

The "massive bug in IE" has not (yet) been patched by MS.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

reply to digitalfutur

said by digitalfutur:

...

quote:
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Hardly the doomsday that some think it is.

Or... they could hack a legitimate site that folks visit all the time, create a malicious ad that is placed on such a site, or sneak a link to malware onto such a site. These disclaimers always seem to omit those very real possibilities...
--
The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. -- A. de Tocqueville


maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:3

said by Blackbird:

said by digitalfutur:

...

quote:
In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Hardly the doomsday that some think it is.

Or... they could hack a legitimate site that folks visit all the time, create a malicious ad that is placed on such a site, or sneak a link to malware onto such a site. These disclaimers always seem to omit those very real possibilities...

Exactly. I can tell you it happened to me. That is, I run a website for my wife's business, and a few years ago I was running it on Joomla. I myself was responsible for making sure Joomla was up to date, and at some point some exploit was found in the Joomla software allowing someone to place files on the website somewhere, and using a link to lure visitors to download it.

Now, people are a lot more likely to click on a link provided by a small business they may have purchased from in the past, or done business with in some form or another. Nothing happened with any of my wife's clients as far as I know, but I didn't notice I needed to upgrade Joomla until a few months after the exploit was revealed.

And there are MILLIONS of those websites out there. Small businesses that have a website they may update every once in a while, and if a link with that small business's address shows up in your email, and you know them.... you may be a lot more inclined to click on it.

These kinds of exploits are real, and happen every day. I would not underestimate the risks.

One should also know that this bug will not be patched on Windows XP. So time to upgrade.
--
"I reject your reality and substitute my own!"


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia
reply to digitalfutur

What it seems to me, is that when an exploit is linked to a social engineering scam, it's not considered a "bug".

I received an email from a client yesterday about "fixing" their Logmein security certificate (yeah ok...). I clicked the link on my phone, and sure enough it tried to download a payload inside a Zip file.

So if this payload exploited a bug inside Windows, and because the end user is a dummy and clicked on the link and opened the zip file, is it a bug or is it social engineering?
--
My Name is Wiley E Coyote, Super Genius



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to elwoodblues

In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website...
It's a bug, plain and simple; invoking social engineering is a straw man. The real difficulty I find is that this typically-worded MS disclaimer assumes that unless an attacker somehow "forces" a user to visit a malicious site (which they can't without a gun at a user's head), there's no real user risk outside the user's control... the threat is "mitigated". But that totally ignores both the realms of "drive-by" infections and URL referrals from "legitimate" sites to malicious sites. IM and eMail messages are not the only pathways to reach a specially-crafted infection site carrying this exploit. But the disclaimer gives a smooth-veneer impression that messaging safe-hex will keep a user safe, and that veneer acts to quiet the using public's concerns.

However, the reality is that folks who use a browser to... uhmm... "browse" will routinely visit a variety of websites, many of them popular and regularly-visited, others less popular but still "plain vanilla" and innocuous. But if any of those sites get compromised (hacked, allow a malicious ad to be run on their rented ad-space, or have a malicious link somehow sneaked onto their "respectable" site), "browsing" users will readily find themselves suddenly up close and personal with this very exploit - without ever having clicked links in eMail or IM messages.

These kinds of disclaimer messages are simply unreal in terms of how even cautious folks use computers in the real world, and they give a false sense of security to the naive reader. In this case, the only 100% proof against this exploit in terms of browsing habits is to turn off IE or use a competing browser - but that looks bad in print, so we instead get the message as it currently stands. This mealy-worded disclaimer is not something new, but something MS has honed to a fine art over the years.
--
The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. -- A. de Tocqueville


elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia

But that is the thing, they write it off to social engineering in order to mitigate the fact that a bug has existed in their software for the last decade or so and they never addressed it.

I like how FF/Mozilla have moved all extensions and add ons to a separate process that has nothing to do with the browser.
--
My Name is Wiley E Coyote, Super Genius



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

quote:
I like how FF/Mozilla have moved all extensions and add ons to a separate process that has nothing to do with the browser.

Explain?

AFAIK, extensions can do anything the browser can do. They have full control & are not sandboxed. Plugins may run under a separate process, though they still have much to do with the browser. Plugin sandboxing pretty much depends on the Plugin (& its settings).

The separate process that may run Plugins is not there so much for security reasons, but rather to lessen the impact of a Plugin crash taking down the browser.


gzt7d8
Aliens live amongst us
Premium
join:2001-07-13
Swartz Creek, MI
reply to elwoodblues

The fix has been posted. There is another thread on this forum with the details.

Wow that was quick.



elwoodblues
Elwood Blues
Premium
join:2006-08-30
Somewhere in
kudos:2
Reviews:
·VMedia
reply to therube

In the case of this particular exploit, from what I read, flash ran in the same process as IE, which allowed the exploit.

So I'm thinking that by putting the flash plugin into a different process this kind of exploit wouldn't be possible.
--
My Name is Wiley E Coyote, Super Genius



Jackorama

join:2008-05-23
Kingston, ON
reply to maartena

On Win XP and I got the update yesterday through WU, but I use FF anyways.



Anonymous_
Anonymous
Premium
join:2004-06-21
127.0.0.1
kudos:2
Reviews:
·Time Warner Cable
reply to Boricua

said by Boricua:

said by Msradell:

At least Microsoft acknowledges problems when they are found and provides fixes whereas some other software vendors just ignore them.

Do you seriously believe that!?!? There are still security holes from years ago that haven't even been patched and Microsoft has been warned.

How will the NSA or FBI access your computer if they fix it?
--
Live Free or Die Hard...