Hackers start exploiting Patch Tuesday vulnerability

Earlier on this week, Neowin.net covered the Patch Tuesday vulnerability fixes; now Symantec has reported that hackers have begun to exploit the bug on un-patched machines. Reports suggest that the hackers were successful in exploiting the vulnerability only three days after Patch Tuesday

Usually when vulnerabilities are published in Microsoft's reports regarding Patch Tuesday, there is the expectation that hackers will use that information and usually be successful within 30 days. However in this case, there has been some surprise that the individuals have done it in a significantly less amount of time.

The vulnerability itself stems from Microsoft's Internet Explorer browser, version 8 and below, that was originally discovered back in January by a bounty hunter according to InfoWorld. The IE bug, which was placed as the most important update on Patch Tuesday by security analysts, causes issues due to its ability to automatically download malicious files. Symantec's Joji Hamada stated that, "we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present".

While for a minority who use other browsers and operating systems, a large amount of worldwide browser usage remains with Internet Explorer six, seven and eight. This incident only highlights the importance of updating a computer's files as soon as a patch becomes available because the longer a security hole is left exposed, the more risk there is to the user.

Image Source: pcworldme.net

Report a problem with article
Previous Story

LulzSec offers aid to Sega after network breach

Next Story

Corporate Desktop: Windows 7 gaining ground, XP still at 60 percent

41 Comments

Commenting is disabled on this article.

Only a fanboy of some other browser would say IE is a horrid browser. Has NEVER been anything wrong with IE, although I thought IE7 stunk to high heaven, if it's patched and you half way know what you're doing to begin with.

I've NEVER actually changed the setting for making any other browser my default browser, although I use Seamonkey and Opera quite often also and never had an issue with IE.

Hmm?

Somehow this post didn't appear under smooth3006's thread even though I clicked reply under that post.

smooth3006 said,
IE is a horrid browser IMO. i just use firefox as my main and opera or chrome as a secondary.

IE9 is a fine browser IMO. I just use IE as my main and chrome as a secondary.

smooth3006 said,
IE is a horrid browser IMO. i just use firefox as my main and opera or chrome as a secondary.
Really? So explain why Chrome gives me BSoD, Firefox crashes if i go to mozilla.org and why Opera is painfully slow. Yet IE9 is the only browser that runs smooth on my PC, and doesn't crash on it's own website..

Xerax said,
Really? So explain why Chrome gives me BSoD, Firefox crashes if i go to mozilla.org and why Opera is painfully slow. Yet IE9 is the only browser that runs smooth on my PC, and doesn't crash on it's own website..

you sound like an IE fanboy soo im not even going to argue with you... apparently you missed the "IMO" part.

smooth3006 said,

you sound like an IE fanboy soo im not even going to argue with you... apparently you missed the "IMO" part.

Not an fanboy, at all. I hated IE until IE9, it's just the only browser that works and i've started to like it

Xerax said,
Not an fanboy, at all. I hated IE until IE9, it's just the only browser that works and i've started to like it

I use IE9 too, but a BSoD is most likely a hardware problem.

KavazovAngel said,

I use IE9 too, but a BSoD is most likely a hardware problem.

actually, with chrome's WebGL support, it's likely a graphics card problem... but it's google's fault for allowing low level access to system devices.

Errr, you guys saw the part where Microsoft patched the venerability, right? So no one's forcing anyone off anything -- the post only says that ie9 wasn't susceptible to begin with, now neither are earlier versions. give hackers enough time and a large enough audince and they'll find holes in any software, which should give you guys the shivers on low market share products bout how open your software must be.

So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

SpyderCanopus said,
So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

Your fault for using a 10 year old OS that's now in extended support?

SpyderCanopus said,
So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

and iphone 3G?

nope unsupported ,you Fail

SpyderCanopus said,
So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

MS shouldn't support aging software

SpyderCanopus said,
So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

What do you mean? There is a patch available for IE8 on Windows XP that fixes this. You don't -have- to do anything. Yet.

SpyderCanopus said,
So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

Have you been living under the rock? XP is 10 years old!

KavazovAngel said,

Have you been living under the rock? XP is 10 years old!

And you probably are older than that and still living and getting support. /s

SpyderCanopus said,
So basically... I -have- to update to the latest version of Windows since IE9 is only for vista and 7... That's totally BS! Microsoft needs to support their products longer than 5 years. I like the unified iOS strategy when reading stuff like this...

longer that 5 years?... wow i didn't know xp was released on 2006... yeah it was released in 2001. thats 10 years... you know 2001 - 2011 are 10 years, because 1+10 = 11

the bad news is that many companies are still stuck with IE6 and XP becuase of old hardware and are due to recession, which is still nagging in Europe, not able to upgrade.

WAR-DOG said,
the bad news is that many companies are still stuck with IE6 and XP becuase of old hardware and are due to recession, which is still nagging in Europe, not able to upgrade.

Windows ThinPC comes out in under 20 days.

SpyderCanopus said,

Why haven't I read about this? It should be all over Neowin


Give it about a week. Takes about that long for the news folks to catch on to breaking news

SpyderCanopus said,
Why haven't I read about this? It should be all over Neowin

Probably because it's large companies with SAA ties with MS only .
Though the RC is still available to anyone that wants it on microsoft connect and you don't need an SAA to try it.

WAR-DOG said,
the bad news is that many companies are still stuck with IE6 and XP becuase of old hardware and are due to recession, which is still nagging in Europe, not able to upgrade.

What has hardware got to do with the version of IE installed on XP? Also in case you were not aware, the update to IE8 for XP and subsequent security patches are 100% free.

Max Norris said,
Yet another reason to stop fooling around with XP and get with a modern OS.

Forgive me if I missed something, but isn't this an issue with IE? What has it got to do with the OS you're running?

TCLN Ryster said,

Forgive me if I missed something, but isn't this an issue with IE? What has it got to do with the OS you're running?
This exploit only works on IE8 and lower, so upgrading to a modern version of Windows and installing IE9 will eliminate this and other exploits.

TCLN Ryster said,

Forgive me if I missed something, but isn't this an issue with IE? What has it got to do with the OS you're running?

ehmmm... maybe because IE9 is vista/7 only?... so to use IE9 you have to use vista or 7. simple as that

Arkose said,
This exploit only works on IE8 and lower, so upgrading to a modern version of Windows and installing IE9 will eliminate this and other exploits.

this exploit only works on UNPATCHED versions of IE8. No need to upgrade to IE9, just run windows update!

IE8 fully patched with last tuesday security updates is not affected by this vulnerability (the patch that fixes this vulnerability has been decompiled by hacker to help them find where the flaw was on previously unpatched IE files)

Athlonite said,
Phew thankfully I run Opera exclusively NO IE on my PC

Opera suffers from the same vulnerabilities that all browsers do... Try searching for "opera drive-by vulnerability"

Athlonite said,
Phew thankfully I run Opera exclusively NO IE on my PC

actually opera is WAY less secure than IE!
no sandbox, and no real code examination from security experts.

Worse, flash vulnerabilities are easily exploited on unsandboxed browsers like Opera/firefox/safari.
On IE on vista/7, IE users are protected from 0day flaws in flash/adobe reader.

boogerjones said,
So a malicious website can force an auto-download. But the user still needs to run the untrusted file, correct?

Or use it in conjunction with an escalation of priveledge attack to launch the file from a known location.