Users told: Get rid of Internet Explorer (again)
It’s more like an exploit than a browser
Internet Explorer users have been told to ditch the application and switch to another browser, pronto.
The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites).
Visiting a malicious site gives the attacker the same privileges as the current user, according to Rapid7’s post, here. Although the published exploit targets XP, Rapid7 says the attack works on IE 7 through 9 running on XP, Vista and Windows 7.
The discoverer of the exploit, Eric Romang, says the zero-day drops a file, Exploit.html, on the target. This, in turn, creates files with img and swf suffixes, which IE treats as Flash.
Romang claims the exploit was created by the same group – Nitro – that recently released a Java zero-day into the wild.
Rapid7’s HD Moore, also chief architect of Metasploit, told Ars that he’s surprised to see the exploit work across Windows Vista and 7: “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS”, he said. The attack bypasses ASLR – address space layout randomization – that’s meant to help defend the newer operating systems against attack.
Microsoft is looking at the exploit now, and has stated that it will “take the necessary steps” once it has a fix ready. ®
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
COMMENTS
Odd didn't we read the other week...
...that i.e. is less susceptible to a certain attack than many of the other browsers...
Ooo look here it is.
http://www.theregister.co.uk/2012/08/21/tesco_ico/
(following link to)
http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html
Quote:
"Just on the browser compatibly for that XSS: IE9 and IE10 are actually pretty good and will warn you about it without exexuting it. All other browsers tested – Chrome, Firefox and Safari (desktop and iOS) – will happily parse it and allow the exploit to occur."
So lets face it, use one browser your screwed one way and use another and your screwed another way.
So...
Because a browser has a security bug we should stop using it? What do we do when FireFox has an exploit? Move to Chrome? Then what when Chrome has a bug?
Software gets exploited, the important thing is that the bugs get addressed not that they exist.
Re: IE? Who uses that shit ?
IE? Who uses that shit ?
Sadly, my customers.
IT infrastructure monitoring strategies
What you need to know about cloud backup
Agentless Backup is Not a Myth
Top 10 SIEM Implementer’s Checklist
Steps to Take Before Choosing a Business Continuity Partner
