Internet Explorer exploit published online
By Andrew Lyle, 22 November 2009 - 20:18 50 comments
An exploit for Internet Explorer was published online yesterday, showing signs of poor reliability. Symantec confirmed that the exploit affects Internet Explorer 6 and 7. Experts believe a fully functional version of the exploit will be made available in the coming weeks.
The exploit requires the attacker to lure the victim onto a malicious website or a compromised web page. Whichever method is used, the attack requires JavaScript to be enabled in Internet Explorer. Symantec found the vulnerability in Microsoft Data Access Components; it could allow remote code execution on a user's system.
Users are cautioned to disable JavaScript in Internet Explorer, avoid websites they do not trust, and update their anti-virus definitions immediately. Symantec confirms that it detects the exploit as Bloodhound.Exploit.129 and rates the risk at level 1, very low.
The affected systems are currently Windows 2000, Windows Server 2003 and Windows XP.
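The article's interim mitigation is to disable JavaScript in Internet Explorer. The following PowerShell script is an added example, not code from the article or from Symantec, showing how an administrator could apply, verify and later revert that setting for the current user. It relies on Internet Explorer's documented security-zone registry layout (zone 3 is the Internet zone, value 1400 is "Active scripting", and data 0/1/3 mean enable/prompt/disable); the function names are this example's own.

```powershell
# Added example (not from the article): disable Active Scripting for the
# Internet zone in Internet Explorer for the current user, with a way to
# check and revert the setting. Registry layout is IE's documented one:
# zone 3 = Internet, value 1400 = Active scripting, 0 = enable, 1 = prompt, 3 = disable.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'

function Get-ActiveScriptingState {
    # Returns a readable state; a missing value means the zone default is in effect.
    $v = (Get-ItemProperty -Path $ZoneKey -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
    switch ($v) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Not set explicitly ($v)" }
    }
}

function Set-ActiveScriptingState {
    param([ValidateSet('Enabled', 'Prompt', 'Disabled')][string]$State)
    $data = @{ Enabled = 0; Prompt = 1; Disabled = 3 }[$State]
    # Create the zone key if this user profile has never customised it.
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ActiveScripting -Value $data -Type DWord
}

"Before: $(Get-ActiveScriptingState)"
Set-ActiveScriptingState -State Disabled
"After:  $(Get-ActiveScriptingState)"

# Once the browser has been patched or upgraded, restore scripting with:
# Set-ActiveScriptingState -State Enabled
```

Two caveats worth checking before relying on this: the change covers only the Internet zone, so sites placed in the Trusted Sites zone keep their own scripting setting, and a zone policy pushed by Group Policy (or a machine-wide HKLM zone configuration) takes precedence over this per-user value, so verify the effective setting in the browser's Security tab rather than trusting the registry write alone.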

Comments (50)
seta-san - 22 November 2009 - 20:59
learn to update your web browser people. IE 8 is out and is unaffected.
still1 - 22 November 2009 - 21:19
right guys... If you are still using IE6 or 7, please update your web browser to IE8
Majesticmerc - 22 November 2009 - 23:39
A lot of corporations have web applications that were written ONLY for Internet Explorer 6 (and to some extent 7). Major platforms such as SAP have interfaces that don't work AT ALL in browsers other than Internet Explorer 6, which basically means that they're trapped. Where I work had some very dubious "developers" working prior to my team's arrival, and most of the code is so badly written that it REQUIRES IE6 (two wrongs make a right in this case) in order to function.
It's all well and good saying "upgrade to IE8", but for some people (big companies in particular), their systems can be so badly broken that the upgrade from IE6 to IE8 can be as costly as shifting from Windows to GNU/Linux (for example).
+Brandon Live - 23 November 2009 - 00:46
Hold on a sec. Just because something only works in IE 6 doesn't necessarily mean it's poorly written. Maybe it is. But at the time, IE 6 was the most standards compliant browser you could get. It's not that unreasonable for a business with a functional LOB app to expect it to continue functioning going forward. The main problem is that IE 6 and XP at this point are so out of date and were written for a time when security requirements and expectations were very different.
So while I'll agree it's time for these companies to make an investment in updating their tools, it's not hard to understand why they wouldn't want to replace something that's generally working.
Majesticmerc - 23 November 2009 - 01:30
So while I'll agree it's time for these companies to make an investment in updating their tools, it's not hard to understand why they wouldn't want to replace something that's generally working.
There's nothing in the W3C recommendation for HTML 4.0 that states "well written apps are allowed to work only in Internet Explorer 6", in fact it states the opposite.
Regardless, I'm personally talking about applications written as recently as 2008 that REQUIRE IE6. We're talking about web developers that knew their specialty so poorly that they didn't even use DOCTYPE tags to identify the markup (instant quirks mode right there, DOCTYPE tags are standard practice, even for IE6), and as a result, have written apps that work in IE6, but nothing else.
This is the case in many places. The Web is still so young (counting from the boom of '97), that demand for web-centric developers until recently outnumbered the number of available trained developers, and as a result the industry ended up with a glut of "self-taught" web developers that didn't know what the W3C was, and HTML was a bunch of angle-bracketed letters that formed a table (or dozens of nested tables) to display content. As a result we have ended up with "The Broken Intranet".
It's not entirely IE's fault, but the resulting fallout from its broken box model, its proprietary CSS/JavaScript functionality, and its former dominance in the market will cost companies in the near future dearly, and ensure that IE6 and Windows 2000/XP remain in active use until well into the next decade.
Pc_Madness - 23 November 2009 - 02:14
I'm pretty sure Mozilla would disagree with you.
And probably Opera as well?
mocax - 23 November 2009 - 02:50
do they allow terminals running SAP to access the internets?
+Northgrove - 23 November 2009 - 08:17
Huh? Mozilla? You mean Netscape??
Majesticmerc - 23 November 2009 - 09:12
Actually he has a point. When IE6 was released in 2001, it was the most standards compliant browser available. It's just unfortunate that it was the only browser to not receive an update in... oh, say six years.
ilev - 23 November 2009 - 09:32
You are so very right :
Internet Explorer 8's famous XSS filter can be exploited to perform successful XSS attacks against web sites which would be otherwise safe. In other words, XSS "protection" is helping XSS attackers, oh the irony
http://hackademix.net/2009/11/21/ies-xss-f...vulnerabilities
http://www.theregister.co.uk/2009/11/20/in...r_security_flaw
Magallanes - 23 November 2009 - 13:45
It's true since IE *IS* the de-facto standard.
RealFduch - 23 November 2009 - 14:48
Then why don't Firefox plugins work in Safari/Konqueror?
Double standards?
Majesticmerc - 23 November 2009 - 16:39
Double standards?
We're talking about web-based applications (i.e. websites), not plugins, extensions and so on :).
TechGuyPA - 23 November 2009 - 19:38
yes they do. and I'll add one more point to it, so companies don't have an SAP problem, they have a problem with various accounting software that also handle payments and credit cards that is in the same situation. So you can expect more stolen credit card stories because they are using machines with IE6 that access the internet (via IE6) to run your credit cards.
IceBreakerG - 22 November 2009 - 21:08
Some businesses "can't" upgrade to IE8 because a lot of their web apps are incompatible.
Saburac - 22 November 2009 - 21:51
Sounds like their web apps are crap then.
Simon - 22 November 2009 - 22:21
Doesn't mean they can just leave them, Saburac. They should've started the process of moving to something different years ago, but that doesn't mean they have.
Youngy - 22 November 2009 - 22:27
Sounds like you know nothing about the IT Corporate world. Symantec's own Altiris solution isn't supported in IE8, even their recent v7. Microsoft OWA 2007 has issues with IE8, the list could go on. From an IT System Administrator point of view until major suppliers who build apps into IE start supporting IE8 we can't upgrade, no matter how much web site developers bitch. It's frustrating
agreenbhm - 22 November 2009 - 23:06
At first some of our websites were incompatible, *cough* Wachovia.com *cough*, but we went about it as "install IE8, ask questions later". We're willing to install any patches MS brings for IE, since many times vulnerabilities equate downtime.
+TCLN Ryster - 22 November 2009 - 23:20
Altiris, agreed. However OWA 2007 works perfectly well on IE8 thank you.