elwoodblues Elwood Blues Premium Member join:2006-08-30 Somewhere in 1 edit |
Massive bug in IE
Microsoft is rushing to fix a bug in IE v6 to 11 that will allow hackers to take over a PC. Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.
And people wonder why I say not to use IE, it's got so many security holes a truck could drive through it.
» www.kb.cert.org/vuls/id/222929
Edit: Clarified IE versions to avoid confusion |
|
Msradell Premium Member join:2008-12-25 Louisville, KY |
2014-Apr-28 11:16 am
I believe that IE 6 has been not recommended for use for a long time. Granted all versions of IE as well as all software in general has problems but staying with recent versions certainly minimizes them. At least Microsoft acknowledges problems when they are found and provide fixes whereas some other software vendors just ignore them. |
|
therube join:2004-11-11 Randallstown, MD |
2014-Apr-28 12:56 pm
> IE 6 has been not "recommended"
But isn't IE6 still fully "supported" (even if not recommended)? |
|
Msradell Premium Member join:2008-12-25 Louisville, KY |
to elwoodblues
Upon further investigation I misinterpreted the OP. The problem is with all versions of IE from version 6 up to version 11. |
|
|
Skipdawg The Original
join:2001-04-19 Mount Vernon, WA |
to elwoodblues
Oh wonderful. Hope they get it fixed quickly. |
|
|
to elwoodblues
Glad I use FireFox. |
|
therube join:2004-11-11 Randallstown, MD |
> Glad I use FireFox
And did you put in today's security update for Flash (for both IE & FF)? |
|
Boricua Premium Member join:2002-01-26 Sacramuerto |
to Msradell
said by Msradell: At least Microsoft acknowledges problems when they are found and provide fixes whereas some other software vendors just ignore them.
Do you seriously believe that!?!? There are still security holes from years ago that haven't even been patched and Microsoft has been warned. |
|
1 edit |
to therube
Never gave me that popup yet. Might be going to download it manually. And updated. |
|
deke40 deke40 Premium Member join:2003-01-23 Texas |
to elwoodblues
Just to be safe I downloaded EMET 4.1 and hopefully configured it right.
Found this on the net:
"FireEye recommended that users disable Adobe Flash, saying "the attack will not work" in that case. But Adobe posted its own advisory on Monday, offering users a security update that it said will fix the problem. "
I downloaded the latest version of Flash Player-13.0.0.206.
Does this truly mean I am now alright or should I leave EMET installed for added protection? |
|
|
to elwoodblues
IE11 patch already out for this flaw.
» www.computerworld.com/s/ ··· wn_holes
And yet nobody batted an eye. |
|
digitalfutur Sees More Than Shown Premium Member join:2000-07-15 GTA |
Patched faster than you can say...Apple tax ! |
|
therube join:2004-11-11 Randallstown, MD |
to deke40
> Adobe posted its own advisory on Monday, offering users a security update that it said will fix the problem
As far as I can see, these are different problems, both (Adobe) Flash related, but different, & today's Adobe update does not fix this "massive bug in IE", CVE-2014-1776.
> IE11 patch already out for this flaw
And I didn't see anything related to that in the linked article. And the above MS article says nothing of a fix. |
|
digitalfutur Sees More Than Shown Premium Member join:2000-07-15 GTA 1 edit
3 recommendations |
KB2961887 for the zero day IE exploit.
» technet.microsoft.com/li ··· /2755801
quote: In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website/
Hardly the doomsday that some think it is. |
|
therube join:2004-11-11 Randallstown, MD
1 recommendation |
2014-Apr-29 12:51 am
Looks to only apply to Win8/Server 2012, not Win7. (Not sure if anything earlier even applies to this, CVE-2014-0515, issue?). And again, we're confusing, intermingling two totally separate bugs here. The "massive bug in IE" has not (yet) been patched by MS. |
|
Blackbird Built for Speed Premium Member join:2005-01-14 Fort Wayne, IN
1 recommendation |
to digitalfutur
said by digitalfutur: ... quote: In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website/
Hardly the doomsday that some think it is.
Or... they could hack a legitimate site that folks visit all the time, create a malicious ad that is placed on such a site, or sneak a link to malware onto such a site. These disclaimers always seem to omit those very real possibilities... |
|
maartena Elmo Premium Member join:2002-05-10 Orange, CA |
2014-Apr-30 12:20 am
said by Blackbird: said by digitalfutur: ... quote: In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website/
Hardly the doomsday that some think it is.
Or... they could hack a legitimate site that folks visit all the time, create a malicious ad that is placed on such a site, or sneak a link to malware onto such a site. These disclaimers always seem to omit those very real possibilities...
Exactly. I can tell you it happened to me. That is, I run a website for my wife's business, and a few years ago I was running it on Joomla. I myself was responsible for making sure Joomla was up to date, and at some point some exploit was found in the Joomla software allowing someone to place files on the website somewhere, and using a link to lure visitors to download it.
Now, people are a lot more likely to click on a link provided by a small business they may have purchased from in the past, or done business with in some form or another. Nothing happened with any of my wife's clients as far as I know, but I didn't notice I needed to upgrade Joomla until a few months after the exploit was revealed.
And there are MILLIONS of those websites out there. Small businesses that have a website they may update every once in a while, and if a link with that small business's address shows up in your email, and you know them.... you may be a lot more inclined to click on it.
These kinds of exploits are real, and happen every day. I would not underestimate the risks.
One should also know that this bug will not be patched on Windows XP. So time to upgrade |
|
elwoodblues Elwood Blues Premium Member join:2006-08-30 Somewhere in |
to digitalfutur
What it seems to me, is that when an exploit is linked to a social engineering scam, it's not considered a "bug".
I received an email from a client yesterday about "fixing" their Logmein security certificate (yeah ok...). I clicked the link on my phone, and sure enough it tried to download payload inside a Zip file.
So if this payload exploited a bug inside Windows, and because the end user is a dummy and clicked on the link and opened the zip file, is it a bug or is it social engineering? |
|
Blackbird Built for Speed Premium Member join:2005-01-14 Fort Wayne, IN |
to elwoodblues
quote: In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website...
It's a bug, plain and simple; invoking social engineering is a straw man. The real difficulty I find is that this typically-worded MS disclaimer assumes that unless an attacker somehow "forces" a user to visit a malicious site (which they can't without a gun at a user's head), there's no real user risk outside the user's control... the threat is "mitigated". But that totally ignores both the realms of "drive-by" infections and URL referrals from "legitimate" sites to malicious sites. IM and eMail messages are not the only pathways to reach a specially-crafted infection site carrying this exploit. But the disclaimer gives a smooth-veneer impression that messaging safe-hex will keep a user safe, and that veneer acts to quiet the using public's concerns.
However, the reality is that folks who use a browser to... uhmm... "browse" will routinely visit a variety of websites, many of them popular and regularly-visited, others less popular but still "plain vanilla" and innocuous. But if any of those sites get compromised (hacked, allow a malicious ad to be run on their rented ad-space, or have a malicious link somehow sneaked onto their "respectable" site), "browsing" users will readily find themselves suddenly up close and personal with this very exploit - without ever having clicked links in eMail or IM messages. These kinds of disclaimer messages are simply unreal in terms of how even cautious folks use computers in the real world, and they give a false sense of security to the naive reader.
In this case, the only 100% proof against this exploit in terms of browsing habits is to turn off IE or use a competing browser - but that looks bad in print, so we instead get the message as it currently stands. This mealy-worded disclaimer is not something new, but something MS has honed to a fine art over the years. |
|
elwoodblues Elwood Blues Premium Member join:2006-08-30 Somewhere in |
But that is the thing, they write it off to social engineering in order to mitigate the fact that a bug has existed in their software for the last decade or so and they never addressed it.
I like how FF/Mozilla have moved all extensions and add ons to a separate process that has nothing to do with the browser. |
|
therube join:2004-11-11 Randallstown, MD |
quote: I like how FF/Mozilla have moved all extensions and add ons to a separate process that has nothing to do with the browser.
Explain? AFAIK, extensions can do anything the browser can do. They have full control & are not sandboxed. Plugins may run under a separate process, though they still have much to do with the browser. Plugin sandboxing pretty much depends on the Plugin (& its settings). The separate process that may run Plugins is not there so much for security reasons, but rather to lessen the impact of a Plugin crash taking down the browser. |
|
gzt7d8 Aliens live amongst us Premium Member join:2001-07-13 Traverse City, MI |
to elwoodblues
The fix has been posted. There is another thread on this forum with the details.
Wow that was quick. |
|
elwoodblues Elwood Blues Premium Member join:2006-08-30 Somewhere in |
to therube
In the case of this particular exploit, from what I read, flash ran in the same process as IE, which allowed the exploit.
So I'm thinking that by putting the flash plugin into a different process this kind of exploit wouldn't be possible. |
|
Jackorama I Am Woman Premium Member join:2008-05-23 Kingston, ON |
to maartena
On Win XP and I got the update yesterday through WU, but I use FF anyways. |
|
Anonymous_Anonymous Premium Member join:2004-06-21 127.0.0.1 |
to Boricua
said by Boricua: said by Msradell: At least Microsoft acknowledges problems when they are found and provide fixes whereas some other software vendors just ignore them.
Do you seriously believe that!?!? There are still security holes from years ago that haven't even been patched and Microsoft has been warned.
How will the NSA or FBI access your computer if they fix it? |
|