Ramblings of an old Doc
UPDATE
Published on December 23, 2010 By DrJBHL In Personal Computing

 

I wasn't planning on posting today, but when I read this, I felt I should whip something up quickly.

Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.

Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site. The site can then hijack personal data and install malicious code and/or malware. This will bypass all security software and Windows 7 protection. Network administrators and IT professionals can download EMET 2.0 from MS, who claim it can be configured to protect servers.

MS Security Advisory (2488013) HERE.

Although the company said it would patch the problem, it is not planning to rush out an emergency update.

The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.

Microsoft's usual practice is to release an emergency fix only if attacks appear and then grow in strength. Microsoft has never revealed how it sets the point at which a rush patch is triggered.

The vulnerability in IE6, IE7 and IE8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE's HTML engine.

The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine; however, the vulnerability was noted and explained earlier in a Chinese trade publication.

Doc suggests using Firefox, Opera, or any non-IE-based browser until this vulnerability is patched.

 

 


Comments (Page 1)
on Dec 23, 2010

Thanks for the heads up. As an aside, does anyone know why they call them Zero-day vulnerabilities? I've always wondered.

on Dec 23, 2010

IE sucks. IE (and Microsoft in general) is and always has been the primary target for most hackers, malware, etc. Today there are too many great alternative browsers (FireFox, Opera, Safari, etc.) for anyone to be using it....

on Dec 23, 2010

Lightof Abraxis, it's called "zero-day" because the flaw becomes public before a patch is ready to stop its exploitation.

Oh yes, you're welcome.

navigatsio
IE sucks. IE (and Microsoft in general) is and always has been the primary target for most hackers, malware, etc. Today there are too many great alternative browsers (FireFox, Opera, Safari, etc.) for anyone to be using it....

I agree, Navigatsio, especially now that it's the buggiest and slowest of the browsers.

on Dec 23, 2010

Never used IE any version. Always had Firefox. MS will never learn. Dopes!

on Dec 23, 2010

The safest way to surf the web is through a Virtual PC session with whatever browser you choose.

As long as you discard all changes when you close out your Virtual PC, there's no chance of infections or malware.

on Dec 23, 2010

Tried BufferFree but didn't like what it did to the rest of my software.

 

on Dec 23, 2010

Virtual PC session

Please elaborate. Virtual PC session?

on Dec 23, 2010

Thanks again Doc, and thanks for including the link to the Advisory - it's well worth reading.

I keep thinking about trying out FireFox, mainly just for fun, now could be a good time.

on Dec 23, 2010

The 3.8 Beta is out...lotsa great extensions for earlier builds...not ready for the 3.8 yet.

The ff 4.0 should be out in January.

Opera 11 is blazing fast, and has really good extensions, too.

on Dec 23, 2010

blazing fast

Well now that certainly sounds like a nice change from IE 

on Dec 23, 2010

I've been test driving FF4 Beta 7 & 8.  Initial/home page loads fine but page loads in additional tabs are hanging for 20-30 seconds during which time FF is entirely unresponsive.  Recovers but then happens again with the next page load.

FF3.6.13 is doing the same thing only when it hangs it stays crashed & has to be killed with TM.

No such troubles with IE7 on same pages.

I think I'll grab a copy of Opera & use it for a little while till FF gets things sorted out.

on Dec 23, 2010


Virtual PC session


Please elaborate. Virtual PC session?

Microsoft Virtual PC 2007

 

It's also called XP Mode in Windows 7.

on Dec 23, 2010

IE with vulnerabilities ... never. /sarcasm

The only thing stopping my move from FF to Opera is Noscript. I hope someone will make an extension like it for Opera.

Opera does have problems with some web sites, but they are few and far between.

I have not had any major problems with FF4 Beta 7, only some add-ons won't work and my password manager dies. But with a beta of a browser you can't expect safe browsing. 

Until then my clunky old FF will have to do.

on Dec 23, 2010

My ff doesn't do that Daiwa, but Opera is really great. I think you'll love it.

on Dec 23, 2010

Not sure why the hangs/crashes are occurring here with FF3 & FF4, either, obviously.  I've reported them to Mozilla so we'll see.  First started to happen with 3.6.10 I believe.  Had been using FF exclusively (with IE Tab 2 for those occasional finicky pages that just don't cotton to FF) for a long time and never had similar problems, even with 10 or more open tabs (doesn't happen often, but 5-6 is routine).  They've made both FF3 & FF4 unusable during the workday, just no time to deal with reloads, repeat logins, etc.

I'm liking what I see of Opera so far (using it for this reply), but a real workday will tell the tale.
