The Register® — Biting the hand that feeds IT

Feeds

Redmond promises emergency IE bug fix on Friday (zero day + 5)

Keep calm and carry on, advise security types

By John Leyden, 20th September 2012
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Microsoft is promising to release an emergency patch that tackles a zero-day vulnerability in Internet Explorer on Friday.

In the meantime, the software giant is pointing customers towards a temporary fix, issued on Wednesday. The stop gap fix uses Redmond's "application compatibility shim mechanism" as a sort of battlefield field dressing to fix a flaw in Internet Explorer that is under active attack. The release of the stop gap fix updates an advisory admitting the flaw and explaining possible workarounds first issued earlier this week.

Corporates are probably best advised waiting for a proper patch from Microsoft on Friday, a blog post by Wolfgang Kandek, CTO at Qualys, advises.

"The decision on whether to deploy the FixIt or whether to wait for the final patch should take into account that attacks are not widespread yet; currently attacks using the vulnerability continue to be of the targeted type with low infection rates reported," Kandek writes.

Security researcher Eric Romang discovered a 0-day exploit for Internet Explorer on an attack site in Italy. Analysis of the exploit revealed that it works against IE 7,8 and 9 running Adobe Flash on fully-patched Windows XP, Vista and 7 machines. Attack scenarios simply involve tricking Windows users into visiting a booby-trapped website, Rapid7 (the firm behind the Metasploit pen test tool) warns.

The exploit has been tied to the Chinese hackers behind the recent infamous Java zero-day flaw. AlienVault reports that the zero day is being used in attacks that install the Poison Ivy Trojan, the same payload spread by the earlier Java zero-day flaw.

The appearance of the Java zero-day prompted widespread calls from member of the security community to uninstall Java or at least remove Java plug-ins from browsers.

Java is not required for the majority of websites.

The appearance of the internet Explorer zero-day has also prompted a debate. A German government agency advised citizens to avoid browsing the web with internet Explorer until the software was properly patched. The Federal Office for Information Security (BSI) advised consumers and business to switch to alternative browsers instead.

Rik Ferguson, director of security research & communication at Trend Micro, advises against this type of knee-jerk reaction to the latest IE flaw. Google’s Chrome and Mozilla Firefox, the most popular alternatives to IE, are no more immune to vulnerabilities or zero-days than Microsoft's oft-criticised browser software, Ferguson points out. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (22)
Highly Rated
Lee Dowling
Reply Icon

I agree with you yossarianuk - a lot of people realised this decades ago, but we get called all sorts of names for thinking it and then the reasons we state get misconstrued to things like "if we can see the code, it's somehow magically more secure even if it's crap". It's not a question of security, or business, or affordability, or readability, or features, or even neat coding tricks.

The question of who you rely on is a big one in computing and, in my history, Microsoft is not a front-runner. I honestly can't guarantee that my Windows servers will be running tomorrow, even if I don't count hardware failure as a possibility. And I can't even say how long it would take to get a fully-functional replacement up and running either. And it's because of my lack of trust in Microsoft products given my experience with them.

Browsers are probably THE most important application that I allow to traverse my firewalls - they act on untrusted input all day long and have to do so fast, efficient and change constantly to keep up with standards. As such, I haven't used IE since, literally, IE4. It was just that bad. I was on Netscape before most people had ever even heard of the Internet (I remember my CS teacher being flabbergasted that I got an email from someone in Canada because they'd downloaded one of my games, and they read it out in class they were so overawed!) and from the first days, IE was always a heap of junk. It takes a lot more than "making good" those problems I find myself to get me to use it again, after that amount of bad history.

I have a sort-of-plan at the moment to write a video game. I have lots of code running already, and the expertise to make it work, and I don't think it will be anything fabulous or fantastic but, hey, I might sell a few copies in the style of some shareware-type games from back-in-the-day even if it's just as a smartphone app or an indie bundle game or something.

And occasionally I get to dreaming about how I'd scale up if it sold millions. Employ programmers and artists, setting up a compile farm, testing environments, distribution channels, payment processing, server hosting, version control, software patching, etc.

First item on the wishlist would be linux desktops, linux server, linux hosting, linux cross-compliation, linux virtual-machine hosts. The only MS-reliant item I'd have would be a real home PC with Windows on it as a sort of acid-test (because I would not like to think that making something "Windows compatible" would go out to the public without at least one real-world test on the intended OS). I literally would actually go out of my way, if I had enough funds, to avoid anything to do with "that" company even if I was writing games for their platform. I'm not even sure it would cost more or cause a lack of features on my end if I did either. But for sure, the productivity of updates, security and the simple things in life (like having a fecking desktop work how ****I****, the user, want it to) would be worth any hassle I did encounter.

I honestly don't trust MS to make a game that I won't hate to install any more. Just how do people trust it to run their most-critical and attack-vulnerable piece of software? I spend half my time setting up new PC's to turn off lots of the MS junk and install things that I know will do a better job (AV is one, software firewall is another, browser is another).

I don't get people that still use IE. Hell, at absolute maximum, I'd run it with settings that prevented it from accessing anything external whatsoever. A hole sitting in it for a week or so is nothing compared to the nightmares that it's experienced over the years.

On a side-note: My employer has just asked me to block anything IE talking out at the proxy that controls the web filtering (even though it's not accessible in any of our standard disk images). Totally unrelated to this vulnerability, and we've been a Firefox shop for years now, but just one of those things that even non-techies are starting to pick up on. It's just too much of a liability to have around and to trust to work how you expect.

9
1
Charlie Clark
Reply Icon

Re: Arghhh

we've seen a big rise in non-IE exploits recently

Source perhaps? We'd probably have to trawl with the release notes of the various patch releases, but as a user of Opera, Firefox, Chrome and Internet Explorer I'm pretty sure that I've had more patches of IE in the last 12 months than of the others.

All browsers suffer from exploits but the makes deal with them very differently. Google is currently pimping its security credentials by offering bounties for discovered vulnerabilities. More importantly, perhaps, is the system of silent delivery of patches that they have established. Like it or not, it's probably the most effective way to get patches out to the great unwashed masses out there.

But even if exploits are discovered for other browsers, it's a relatively simple and painless operation to replace one browser with another and deinstall if desired. This is not an option with Internet Explorer because it is part of the Windows operating systems. That has always been Microsoft's biggest mistake.

5
1
yossarianuk
Reply Icon

One of the reasons I use Linux is purely trust. I don't trust Microsoft to (a) produce secure software (b) to put in back doors (c) fix known issue quickly.

When there are security issues with Linux you generally know what has caused them plus the fixes are usually far faster - sometime distro X may be slow to release fixes however you ALWAYS have the choice to patch it yourself.

5
2

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
127
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
59
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13