New attacks on IE7 go wild Cybercriminals have begun attacking a critical hole that Microsoft patched in its Internet Explorer 7 browser last week, corroborating the company's warning that the vulnerability would be easy to exploit. The exploit code is spread through a booby trapped Word document that ultimately installs information-stealing malware on …
Not blaming El Reg... IE security stories are newsworthy, I guess. But it's just never anything I actually want to read, because I already know what it's going to say. Furthermore, it's depressing.
Maybe you guys can just maintain a histogram of critical IE holes. Then every time you're thinking about writing an article like this, just put another tick mark on the chart instead. And we can take a meaningful glance at it every so often to assure ourselves that the crackers are still out there working hard.
"... the exploit code was the result of reverse engineering Microsoft's patch ..."
Sure, you can sue security researchers all you like, and shut them up, certainly. But as long as you ship a patch, you're giving away exactly the same info that they're revealing, anyway: secrecy does *not* protect your end users. The only reason for it is to save embarrassment.
This is why the first thing I do on any new windows install (after installing OS updates and a security suite) is to install Firefox and remove the IE icon from the desktop and quicklaunch. Anyone using IE is begging to get reamed. I hope the EU forces Microsoft to uncouple IE from the OS. Forget about antitrust - IE needs to be removed solely on the basis of system security. It's a POS that has become more toxic over time and needs to be tossed in the rubbish bin.
"He went on to say the exploit code was the result of reverse engineering Microsoft's patch."
I think you/Microsoft will discover/would do well to accept that such code does not simply exploit a patched Vulnerability, but their entire code base/Kernel Drive Algorithm.
It can be effectively patched against/mitigated, but is unlikely to be so with the Present Company Drivers and thus are further Vulnerability Exposures and MetaDataBase/Proprietary Code Exploitations invited and inevitable.
And should Microsoft agree with that Shared View/Panoramic Vista, then they would also know where to find its Effective Mitigating Patch. ......... which would be in Essence, a Binary VXXXXine for a Particularly Persistent and Pernicious Problem.
And once again, there's a security alert from Micrsooft where the workaround for both items is "Disable scripting and ActiveX".
Since we disable both of those by default for the vast majority of sites, we can safely ignore these alerts. We actively filter office documents too, so that attack vector is also blocked.
Yes, Microsoft were incredibly dumb adding all this remote scripting into IE (and don't get me started about them then 'integrating' it into the operating system), but the fact remains that there are tools available to disable this technology too.
To be honest, while I love Firefox, after looking into it over the last few weeks, I actually prefer IE now. Group Policy enforced Security Zones offer us the same protection as NoScript, with the added benefit that users can't change the security settings on their own machines. If a script is going to run from any website here, it's going to be one that IT have explicitly authorised.
Now, if Mozilla had a corporate version of firefox that we could rollout, with a way to enforce the add-ons users can use, we'd move to firefox in a shot.
Unfortunately that's not possible, so right now, IE is the more secure system.
Same here.
Only use IE if i realy have to (Piss poor coded sites)
Funny part is most of the Computer repairs i do these days involve removing al the crap out of them (Yes i know we was thinking about windows here)
Spam ware
And why are people so happy to install about 6 toolbars on there browser??
But keeps me busy i suppose lol....
Now time to go andsmirk at me Unbunto box (and teh kids stupid box which is stuck in 800x600)
"This is why the first thing I do on any new windows install (after installing OS updates and a security suite) is to install Firefox and remove the IE icon from the desktop and quicklaunch. Anyone using IE is begging to get reamed. I hope the EU forces Microsoft to uncouple IE from the OS. Forget about antitrust - IE needs to be removed solely on the basis of system security. It's a POS that has become more toxic over time and needs to be tossed in the rubbish bin."
Because Firefox has NEVER had any security holes, and is in fact perfect. And its open source nature doesn't mean that, while security holes can be spotted and fixed by anyone in the commuinity, they can also be more easily spotted and exploited by black hats. Of course, everyone keeps their software up-to-date, so will get these fixes quickly, and won't be exposed to these security holes. Oh wait? Wasn't this IE vulnerability only exploited AFTER it had been patched?
"Another reason to use Firefox or similar with no script running . No wonder the EU want IE removed from Winblows its about as good as a colander is for holding water .."
And, of course, IE doesn't allow you to turn off scripting.
Honestly, it's as if people think that all FOSS software is written perfectly. This code exploits a hole that has already been patched, so if people follow recommendations and leave automatic updates on then they are protected.
Better standards compliance is a good reason to use Firefox. Extensive plugin support is a good reason to use Firefox. A devotion for FOSS is a good reason to use Firefox. Better security is not a good reason to use Firefox as, quite frankly, considering the process Microsoft software is now written using, it doesn't offer it. You all need to stop deluding yourselves.
Could all you ACs take on numbers or something. There are so many of you, it's impossible to tell who is responding to who.
For all I know, you may all be the same person <shock> <horror>. This could even be part of an organised troll campaign <gasp>
P.S.
El Reg, will you please stop highlighting my correctly spelled English words like 'organised'.
There. I feel much better now.
Surely if an ActiveX (aka .dll) can be buried in a Word document and executed, the attacker has at least got control of the account being used. It could attack any vulnerability, not just IE and more or less install what it likes. AFAIK Word executable has full user rights so any ActiveX running in its address space can do ANYTHING that the user can do. Am I missing something. Surely the major hole is in Word???
Almost as bad as the BBC referring to anything remotely technical that goes wrong as a "glitch".
In the case of MS Windoze Internal Explorer, its a whopping great big breach in what was already a fundamentally weak system with no basic security built in. Executable code in a document, WHY?
My problem with Internet Explorer is the depth that its tentacles seep into the OS - it's insecure in principle, but all this story really highlights is the need to keep your system patched up to help make it "as secure as it can be".
Oki, I have one otehr gripe with IE; the number of CSS/JavaScript kludges you have to come up with to get pages to render the same in it as anything else.
However, IE8 RC1 seems to be an improvement as far as the rendering engine is concerned and, despite the general "dodginess" of it ActiveX does have some uses - for instance there's an ActiveX control on the NVidia site that checks your graphics card drivers and tells you what the latest compatible update is.
I have no problems using IE as a "patch manager" - it's just as a browser it falls down somewhat... but it does seem to be getting better... slowly.
Be nice if they did move to a proper threaded comment system. As long as they don't lose the Paris icon ;-)
>P.S. El Reg, will you please stop highlighting my correctly spelled English words like 'organised'.
Er, that's your browser, not El Reg. If you're on Firefox (and not some pile of insecure crap like IE) then you just right-click and change language dictionary. You may need to dig through the plugin list to find a proper English dictionary, instead of the default broken one.
I never understood why MS built a scripting language in to Word documents in the first place.
I'm sure none of the documents I've written use it, so what kind of function does it provide?
And the same goes for MS Outlook Email. Why the f**k did Microsoft embedda scripting language.
Ok, it might provide enriched capability, but I don't f***ng want or need that enriched capability!
Email (which is plain ASCII text) and attachments. That's all we need.
Given that Microsoft are the creators, the architects of these superflous scripting language in these applications, everybody has every right to criticise them.
I know that lots of sites and programs depend on ActiveX (BACs card validation for one) but if it had never been invented it would not be missed.
M$ are buggered as their customers have come to depend on this function so it can't be removed
However thought it was a good idea for remote sites to run programs on PC's needs a slap especially aa when it first came out they could be run without your say so
@By Anonymous Coward Posted Wednesday 18th February 2009 09:15 GMT
your a idiot, did you even bother to read that it is exploiting a PATCHED issue, if people actually bothered to update they would be fine, i must point out that last mozilla patch patched some security holes!
Yes I did read that it was a patched issue I am not blind. Yes Mozilla was patched to fix some security holes, however they were NOT reverse engineered within a day of being released. Unlike that crap software you seem to be in love with. I stick by what I say IE needs to be unbundled from Winblows, and now I see that the much vaunted IE8 wont even render pages properly and you support this kind of shoddy programming you must work for Microshaft
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
