Microsoft has confirmed that the unpatched bug in Internet Explorer 7 (IE7) that hackers are now exploiting also exists in older versions of the browser, including the still widely used IE6. The company adds IE6 and IE8 Beta 2 to the list of affected versions and recommends disabling Oledb32.dll to stay safe. A Danish security researcher added that Microsoft's original countermeasure advice was insufficient and recommended that users take one of the new steps the company spelled out.
In a revised security advisory, Microsoft said research confirmed that the bug is within all its browsers, including those it currently supports -- IE5.01, IE6 and IE7 -- as well as IE8 Beta 2, a preview version that the company doesn't support through normal channels.
Microsoft added that it is actively working with partners in its Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs to provide information that those partners can use to deliver broader protections to customers. Microsoft is also actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.
It is not an Internet Explorer-specific DLL.
And right next to this article is an ad pushing Chrome.
IE remains a non-standards compliant browser with deep security risks. Why even bother with it when so many superior solutions already exist? Firefox, Chrome, Safari, Opera, etc.
Makes no difference. IE remains the biggest target. If you don't like the ones you listed, use Firefox.
So once the Mac user base is big enough, that can be a target too?
Let me quote what you just said:
IE remains a non-standards compliant browser with deep security risks. Why even bother with it when so many superior solutions already exist? Firefox, Chrome, Safari, Opera, etc.
Care to revise your stance, or at least admit you didn't think that through? You think Chrome and Safari are superior, yet you seemingly admit they have security flaws - but hold that problem solely against IE. At least hold the others to the same standard, please.
So the smugness of Mac users isn't enough to make some of the 1337 haxors try to prove them all wrong? They can't all blame it on the smaller user base forever!
Remains to be seen. All we can deal with is the here and now.
You're forgetting, LTD wasn't just on about the security aspect of the browser when he mentioned Safari and Chrome. He was also talking about web standards.
Internet Explorer 7 cannot render webpages properly when they are designed to follow web standards - fact!
Iexplorer IS the "de facto standard"; this matters even more than the inconsistent rules imposed by the W3C.
there are no "web standards" - fact!
There are recommendations by the W3C, but that is all they are, recommendations.
Wonder if Vista's UAC stops it
Well I'd expect it to.
It should. UAC is designed for these sorts of things.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Microsoft has tested that the following workaround helps block known attack vectors:
Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008
Local Administrators can control DEP/NX by running Internet Explorer as an Administrator. To enable DEP, perform the following steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
2. Click Enable memory protection to help mitigate online attacks.
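Added here as an example (not part of the article or the post above): a short check, run from an elevated PowerShell prompt, that reports the system-wide DEP policy and whether the "Enable memory protection" setting has actually been applied, since the checkbox is greyed out without elevation. It assumes the checkbox is stored as the DEPOff DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main; the WMI properties are real but the registry mapping is an assumption.

```powershell
# Example added for this article; not from Microsoft's advisory or the post.
# Reports the machine-wide DEP policy and the IE "memory protection" setting.

function Get-SystemDepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default for client Windows), 3 = OptOut
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        Available = [bool]$os.DataExecutionPrevention_Available
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-IeDepSetting {
    # Assumption: the Advanced-tab checkbox maps to this HKLM value, which is
    # why it is greyed out unless IE (or this shell) is run elevated.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
    $value = (Get-ItemProperty -Path $key -Name 'DEPOff' -ErrorAction SilentlyContinue).DEPOff
    if ($null -eq $value) { return 'not set (this IE version''s default applies)' }
    if ($value -eq 0)     { return 'enabled' }
    return "disabled (DEPOff=$value)"
}

$sys = Get-SystemDepPolicy
Write-Host ("System DEP: available={0} policy={1}" -f $sys.Available, $sys.Policy)
Write-Host ("IE memory protection: {0}" -f (Get-IeDepSetting))

# The per-application checkbox cannot help if DEP is switched off at boot.
if ($sys.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is AlwaysOff system-wide; fix the boot policy before relying on the IE setting.'
}
```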
Thanks for that; for some reason I thought it was already on, but it wasn't. You might mention to people that you might have to use the hidden administrator account to activate it; it was greyed out in my regular Admin accounts; only the hidden system admin account was able to turn it on or off. But once activated, it sticks system-wide for all users on that computer. So again, thanks for the heads up.
you don't need to use the hidden administrator account!
Just use the UAC's shield elevation function to get the full privileges: in the quick launch bar right click on IE7 -> Run as administrator
Last edited by UAC on 13 Dec 2008 - 15:47
Ah, my bad; I forgot you can actually run IE that way (despite running nearly everything else as an Admin). Now I feel dumb.
Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.
Again, thanks for this info; not even I realised this wasn't enabled by default. I wonder why it isn't? Interestingly, the 64-bit version of IE doesn't have this option in the Advanced tab, so I wonder if 64-bit IE behaves differently?
If I remember correctly, all 64-bit applications have DEP/NX enabled by default.
I don't think that's true at all. MS stuff generally affects more people, but people still sure as hell bash Apple and other vendors for their security bugs (and somewhat rightly so).
I am a Linux user, and I strongly prefer to not use Microsoft products. Yet you never see me blasting Microsoft for little details.
I will complain when they leave big flaws open for years. But to be affected by a 0-day? It happens to everyone. Yes, even in Linux and Open Source.
They just got done supporting Windows 3.11
IE has ... umm ... a large user base. IE has ... bad debugging tools. IE has ... well, IE doesn't have much other than a large user base.
It's like telling people you can get a free sports car (with free gas for a lifetime!!!), but people don't want to change so they stick with the junker they have, wasting both time and money in the long run (ie: Firefox crashes, you get your tabs back; you click a link on a page with a form by accident, Firefox will return you back when clicking the back button with the form filled in how you left it).
IE gives you what? A new browser Window after a crash/system restart. Doesn't refill your forms in. It gives you nothing but wasted time and frustration.
That said, 99% of users couldn't care less about a developers tool option I'd assume.
CSS filter, transition, ActiveX and Visual Studio debug better with Iexplorer than with other browsers.
Because they are ruining the web by not displaying web pages to web standards (up to Internet Explorer 7 which the majority of the public now use) and they have a conscience? Hmm, no, obviously they don't have a conscience, they will just continue ruining people's web pages that they have spent hours designing to conform to web standards...
I've seen maybe a handful of pages that don't display on IE properly, and half of those were intentionally made to break under IE in the guise of "supporting web standards." What sites are you speaking of that are not IE-compatible? (The ACID2 test is not a web site.)
If developers started catering to only the Firefox people and MADE people use Firefox, Safari/Webkit or Oprah the IE base would continue to drop at a much quicker rate. IE use has been falling for the past several years now; it's not going to be forever before it's down to 50% of the world using IE.
That or several web page developers would be filing for bankruptcy given no one would want to employ them and they'd lose huge volumes of traffic to their sites.
Besides, IE is definitely heading in the compliance direction. It's not perfect yet but the intention's there.
Developers are not stupid; they develop thinking and focusing mainly on Iexplorer, then on the rest. For example, Dreamweaver fits Iexplorer's requirements but can fail for Opera and Safari specifications.
No, it doesn't take half a joint to figure that out.
next problem?
You failed to realize that many people don't even know about "other browsers". Many people on the web today just know what comes with their computer, and in the vast majority of cases, that's Windows and IE.
Sadly, I found this is the case yesterday when talking to someone over the phone when I told her switching to Firefox would solve issues with Internet Exploder. She said that she had "never heard of Firefox" ...
Burn Firefox onto CDs, and then pass them around like those AOL CDs from years ago. I amassed what, 60 of those back in the day? LOL.
NOT green.
An even better idea. But I'm not sure MS would be pleased about that landing page . . . no?
If not, then it's amazing the bug wasn't discovered/exploited since the last century.
[bong hit]then let Microsoft fix it[/bong hit]
Take a hit
I have been using a different browser for months now, the SRware Iron browser. It is built on the same motor as the Google Chromium browser but without the call-backs to Google, which is one of the reasons I started using it in the first place because I didn't like the privacy issues with Chromium.
Anyway, for anyone who wants to give it a try: http://www.srware.net/en/software_srware_iron.php
Exactly why I gave up on Chrome almost instantly.
Going to give your suggestion a look over.
Nope. Don't like 2 processes running for one app. Who knows what that process is doing and I'm not taking the time to figure it out. Otherwise, has possibilities.
Thanks
Last edited by cork1958 on 13 Dec 2008 - 13:26
Like this 'moderately critical' flaw (
In reading between that advisory and the related one for IE6 it is apparent to me that it is a flaw in XP. It should still be fixed, mind you.
This is the unfortunate fallout of the Windows/corporate dependency cycle.
Windows was never really designed to do the kind of work it's doing today. Windows came from a single user environment where the notion of security didn't exist. Security in Windows was a bolted-on feature that was suddenly necessary when Microsoft finally got a Windows networking model in place and it became possible for one user to target another user's machine.
NT was a ground-up new build based around multi-user and security for corporate users; home use, if anything, has been bolted on.
Wow. I'm speechless after reading that tripe.
Last edited by LTD on 13 Dec 2008 - 16:43
Do you know what "open port" means?
Yes. Are you asking because you don't know?
Well, your default Windows XP installation, without starting any programs of your own accord, will have five open ports: 135, 139, 445, 1025, and 3389. The first is where Blaster would have made its entry. The rest included NetBIOS and Microsoft-DS, for example.
Last edited by LTD on 13 Dec 2008 - 17:17
It's only recently that Microsoft has concentrated on home user security.
Last edited by jason13524 on 13 Dec 2008 - 19:39
I think LTD is referring to network security with his open ports argument, although I don't think he has a valid point, as many Linux distros, for example, ship with the SSH port open, and before sudo came to the forefront, a simple root password was all you needed to get into an unsecured machine.
Every OS is gonna have security flaws if you look hard enough, and I would have thought LTD was smart enough to know that this is only an issue because Windows is the most widely used OS with probably the least knowledgeable user base. Let's move every average-Joe Windows user over to Linux/Mac and see how secure they become.
What the hell are you talking about? I think you'll find that security permissions on NTFS set through a GUI were in Windows NT4, which was released in 1996.
In addition, when XP SP2 was released to OEMs the default configuration changed; therefore there have been no "open ports" (I think you mean listening TCP sockets) since 2004.
Having a pop at a 7-year-old OS's original release for having 5 ports listening is somewhat harsh when compared to the year-old OS X Leopard that didn't even have its firewall turned on by default!
Firewall turned on for what? For the ZERO viruses that existed for OS X's code in 2001??
And we STILL don't need our firewalls turned on in OS X!
Along with the non-compliant IE?
If it weren't for IE we'd be at Web 3.0 by now. The standards are already there. IE 8 will *supposedly* meet them. Finally.
And Firefox is free.
If it weren't for IE we'd be in Web 0.0 by now.
If it weren't for Mozilla we'd be at Web 3.0 by now. The standards are already there. And FurryFox is not going to support them. Even though it's free
Last edited by kinetix63 on 15 Dec 2008 - 18:28
What are you talking about?
Firefox 3.1 leaves IE in the dust. By miles. On Acid 3, IE 7 typically scores around 12 while Firefox 3.1 scores around 89. Hell, I think FF 3.1 even scores higher than Safari (current stable build 3.2.1)
But you seem to be trolling against FF and Open Source anyway, so there's little point in continuing.
Last edited by kinetix63 on 15 Dec 2008 - 18:28
And the reality tells me:
Netscape was full of proprietary non-standard features designed to prevent others from creating compatible browsers. If Microsoft didn't create IE we'd be in Web 0.0 now.
Firefox 1, 2, 3 is not standards-compliant and you have just told me so. Mozilla doesn't like fixing bugs or fixing non-standard behavior of Firefox. Mozilla refuses to fix some bugs for 7-8 years (until people pay them money to fix the bugs).
If Firefox was standards-compliant we'd already be at Web 3.0, the pages would be 3-7 times smaller and the data would be easy to extract from the pages. The more share Firefox grabs, the less bright the future of the data-driven web is.
If you think that some of the things I said are not true then provide some proof.
P.S. Read Stallman's article about the "open source" term.
Uhhh...Mozilla fixes bugs with every subsequent release of Firefox, be it an entirely new version (3.0), or the updates that follow (2.0.0.x, 3.0.