Exploit found in Internet Explorer 8; IE9 and 10 not affected [Update]

If you still use Windows XP and Internet Explorer 8, you might want to consider upgrading to a new OS and a new version of Microsoft's web browser. A cyber attack has apparently revealed an exploit that targets IE8.

According to the blog of the FireEye software security firm, the website of the Council on Foreign Relations was the subject of a cyber attack earlier this week that caused the site to host malicious content. The blog adds:

We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability.

The blog states that FireEye won't be releasing any technical details of this newly discovered exploit and that Microsoft is still looking into the issue. The exploit appears confined to IE8; IE9 and IE10, which run on Windows 7 and Windows 8, do not appear to be affected.

IE8 is used on Windows XP PCs, and this latest issue shows some of the dangers of using a web browser and an operating system that are both approaching the end of their official support. Microsoft will cut off support for Windows XP on April 8th, 2014.

Update: Microsoft has now issued an official security advisory on this exploit, which affects IE6, 7 and 8. Microsoft has some workarounds for people who might be affected by the issue and adds that it is "... also actively working to package an easy, one-click Fix it solution that will help protect your computer." It should be released "in the next few days."

Source: FireEye via TheNextWeb


Torolol said,
Just convert to the Opera browser; it saves you from most MS-IE related problems.

But opens a lot of Opera problems/exploits... Derp

Torolol said,
Just convert to the Opera browser; it saves you from most MS-IE related problems.

I think I'd rather get the virus.

Toysoldier said,

But opens a lot of Opera problems/exploits... Derp

And Opera patches their stuff very fast and can still be used on XP. Same with any of the other browsers!

cork1958 said,

And Opera patches their stuff very fast and can still be used on XP. Same with any of the other browsers!

Any other browser has the same points of entry because they are OS-specific. Even Chrome, Firefox and Opera have these issues, and rely on core functionality in Windows Vista/7/8 to claim they are as safe as or safer than IE.

Why not just make IE9 available to XP users?! Don't get me wrong, I'm all for pushing users to upgrade their OS from XP, but many won't - so why not make IE9 available on WinXP? Unless I'm mistaken, the latest versions of Firefox, Chrome, and Safari (well, v5 anyway - v6 isn't available for any Windows OS) can all run on WinXP!!

It probably has something to do with the fact that IE9 is rendered entirely via hardware acceleration, not GDI as all previous versions were, and therefore it requires functionality only provided by the graphics technology upgrades introduced in Windows Vista, which is why it requires Windows Vista and up.

thenetavenger can probably explain it better than I; he tends to do a good job with that.

Because IE9 includes technologies not supported by Windows XP. Microsoft completely stripped away all those old underlying technologies in IE9, and replaced them with ones only supported by Vista, and Windows 7.

The "other browsers run on XP" argument has been attempted hundreds, if not thousands, of times, and never got anyone anywhere.

Just letting you know, in case you were thinking you had made a point.

Joshie said,
The "other browsers run on XP" argument has been attempted hundreds, if not thousands, of times, and never got anyone anywhere.

Just letting you know, in case you were thinking you had made a point.


My point is, I develop a web-based app and so I have to continue to support IE8 purely for users of XP who can't upgrade their browser to IE9 and who can't use another browser (because their system administrators don't permit them to install other software).

In my opinion, Microsoft needs to either A) kill off XP support NOW - not in 2014, or whenever it is! - hopefully this will force IT departments to upgrade past XP sooner! ... or B) make IE9 available to XP (or, if that can't be done due to hardware restrictions, at least an update to IE8 to give it some HTML5/CSS3, etc. support), as right now the continued existence and usage of IE8 is really holding up the future of the web!!

GreatMarkO said,
Why not just make IE9 available to XP users?! Don't get me wrong, I'm all for pushing users to upgrade their OS from XP, but many won't - so why not make IE9 available on WinXP? Unless I'm mistaken, the latest versions of Firefox, Chrome, and Safari (well, v5 anyway - v6 isn't available for any Windows OS) can all run on WinXP!!

Several aspects of IE9/10 depend on specific features in the WDDM/WDM.

WinXP uses the older XPDM, which does not have the lower-level functionality necessary for the 'runtime' aspect of the engine, nor the full complement of rendering technologies.

XPDM does not support GPU scheduling or GP-GPU operations; XP also does not have a software-based DirectX rendering technology to fall back on.

So on WinXP there is no way for IE9/10 to utilize the GPU as a co-processor when it is handling content.

There is also not an elegant or 'direct' way for IE9/10 to properly render the content because of the lack of an OS compositor that it also depends upon, i.e. the DWM in Vista/7/8.

On Windows 7/8, even if the video card/GPU is not capable of providing assistance to IE9/10, there is a CPU-based set of software rendering technologies that can use the CPU and multimedia extensions to 'approximate' the functionality of the GPU. This is the software fallback and 'assistance' that DirectX and the OS use.

It is more than just fallback, as the OS can notice idle CPU cores and shove a simple GPU operation through that core if it would be faster than waiting on the GPU to perform the operation. **

WinXP just doesn't have the driver model or core kernel technologies needed.

There is also no way to simply slap these technologies on top of WinXP, because the kernel does not understand, nor is it able to handle GPU scheduling and virtualization that 'all' these technologies 'under' IE9/10 need.

This is the same reason DirectX10 cannot run 'properly' on WinXP as the core of the framework and software created for DirectX10 DEPEND on the OS managing the GPU, which XP cannot do.


An additional thing to note is that without the newer security changes in Vista/7/8 the IE Sandbox aka 'Protected Mode' would not be available, and certain exploits would still have the SAME attack vector/entry points that are just not available on Windows 7/8, making IE9/10 far less secure on XP.

Even Google will not stand by Chrome on WinXP, putting Chrome on WinXP in the same class as Chrome on OS X, Linux, and Android for 'sandboxed' level of protection. (Notice that Google will only pay out in hacking contests for Chrome being compromised on Windows 7 x64.)


**(This is also why AMD APUs have had 'issues', as Windows is all too ready to use the extra cores, and AMD APUs don't like this to happen because of the thermal management of the APU: heating up the idle cores can then slow the 'in use' cores and also slow the GPU. This is why AMD and Microsoft had to issue updates to Windows to deal with the APU core cycling, as that specific series of APUs/CPUs from AMD is not designed to run all cores and the GPU at full capacity; it blows the thermal threshold and the CPU starts reducing GHz to remain stable.)

GreatMarkO said,

My point is, I develop a web-based app and so I have to continue to support IE8 purely for users of XP who can't upgrade their browser to IE9 and who can't use another browser (because their system administrators don't permit them to install other software).

I also develop web apps and I don't.

I have a clear message on my website stating that only modern browsers and operating systems are supported. I give a link to each browser that is supported and that's it. If my users choose not to download it, then they lose the content of my site. And since no one offers the services of my site, they can't get it anywhere else. Win win.

GreatMarkO said,


My point is, I develop a web-based app and so I have to continue to support IE8 purely for users of XP who can't upgrade their browser to IE9 and who can't use another browser (because their system administrators don't permit them to install other software).

In my opinion, Microsoft needs to either A) kill off XP support NOW - not in 2014, or whenever it is! - hopefully this will force IT departments to upgrade past XP sooner! ... or B) make IE9 available to XP (or, if that can't be done due to hardware restrictions, at least an update to IE8 to give it some HTML5/CSS3, etc. support), as right now the continued existence and usage of IE8 is really holding up the future of the web!!

To run XP at least half-assed decent, you need 2-3 GHz and 512 MB of RAM, at minimum. Most systems, even the older ones at pretty much every workspace, go beyond this (not far, often, but they mostly get 3 GHz and 1 GB of RAM). These systems run Windows 8 just as well as they run WinXP, and in many cases run faster than XP.
And the cost of these minimum-spec systems is so abysmal nowadays, there is no reason to stay behind.

Seems at the moment this only attacks IE8 or lower running English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian:

// Read the OS language reported by IE and normalise its case.
var h=navigator.systemLanguage.toLowerCase();
// Only the six targeted locales continue; every other visitor is sent to a blank page.
if(h!="zh-cn" && h!="en-us" && h!="zh-tw" && h!="ja" && h!="ru" && h!="ko")
{
    location.href="about:blank";
}

ExploitShield looks like it blocks it; I would have thought EMET would too (although not tried)...

There's a good article on it here:

Edited by Riggers, Dec 30 2012, 12:26am :
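As an added example (not code from the article or from any commenter), a small defender-side check that recognises the locale gate quoted above in script text captured by a proxy or sandbox; the function, field names and sample scripts are this example's own assumptions:

```javascript
// Added example, not code from the article or its commenters: a static
// detector for the locale-gating pattern quoted in the comment, meant for
// script text captured by a proxy or sandbox. Names are this example's own.

// Constructed copy of the gate quoted in the comment (whitespace differs).
const SAMPLE_GATE = 'var h=navigator.systemLanguage.toLowerCase();\n' +
  'if(h!="zh-cn" && h!="en-us" && h!="zh-tw" && h!="ja" && h!="ru" && h!="ko")\n' +
  '{ location.href="about:blank"; }';

// Constructed benign script: reads the locale but only picks a page title.
const SAMPLE_BENIGN = 'var lang = navigator.language;\n' +
  'document.title = lang === "de" ? "Hallo" : "Hello";';

// Summarises how a script gates on the visitor's language.
//   property   - navigator.* language property read (null if none)
//   targets    - locale literals the script compares that value against
//   bailsOut   - true if some branch sends the visitor to about:blank
//   suspicious - locale comparison plus bail-out, i.e. the quoted pattern
function analyzeLanguageGate(scriptText) {
  const src = scriptText.replace(/\s+/g, " ");
  const result = { property: null, targets: [], bailsOut: false, suspicious: false };

  // 1. Which navigator language property is read into a variable?
  const read = src.match(
    /([A-Za-z_$][\w$]*)\s*=\s*navigator\.(systemLanguage|userLanguage|browserLanguage|language)\b/);
  if (!read) return result;
  const varName = read[1];
  result.property = read[2];

  // 2. Collect every locale literal that variable is compared with.
  const escaped = varName.replace(/\$/g, (c) => "\\" + c);
  const cmp = new RegExp("\\b" + escaped +
    "\\s*(?:!==?|===?)\\s*[\"']([a-z]{2}(?:-[a-z]{2})?)[\"']", "gi");
  let m;
  while ((m = cmp.exec(src)) !== null) result.targets.push(m[1].toLowerCase());

  // 3. Does a branch abort the page load? The sample assigns location.href;
  //    location.replace("about:blank") is the other common spelling.
  result.bailsOut = /location(?:\.href\s*=|\.replace\s*\()\s*["']about:blank["']/.test(src);
  result.suspicious = result.targets.length > 0 && result.bailsOut;
  return result;
}
```

The check is deliberately narrow: a script that reads the locale only to localise text yields targets but no bail-out, so it is not flagged.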

And that's clearly why we should have never upgraded from Windows 98 and IE5.5. Now... where did I put my Netscape 3.5 floppies again?

If you're on a version of Windows that lets you upgrade to IE9 you should do so. Heck, on Win7 I'd upgrade to the latest IE10 RC.

GP007 said,
If you're on a version of Windows that lets you upgrade to IE9 you should do so. Heck, on Win7 I'd upgrade to the latest IE10 RC.

I've been using IE10 Preview on W7 since it was made available with no problems.

Studio384 said,
No, it's because IE9 and 10 just don't have this exploit.

Actually both are relevant due to the nature of the attack. The attack vector is not available on Windows Vista/7/8, and the subsequent exploit is not in IE9/10.

Even if IE9/10 had the exploit, it still could not be triggered because of the sandbox security that IE7/8/9/10 use on Windows Vista/7/8.

This is why IE8 on Windows 7/8 cannot be affected in the same way while protected mode is left enabled.


So both aspects are important.

yowanvista said,
So does IE8. Sandbox/Protected Mode was implemented since version 7.

XP doesn't have UAC, so no protected mode.