New un-patched IE flaw found a day after latest hotfix

Only a day after the recent out-of-band Internet Explorer vulnerability patch, a new un-patched Internet Explorer flaw could leave thousands of users at risk.

The new attack uses smaller un-patched vulnerabilities in Internet Explorer. Individually they are too minor to compromise a system, but together they can overwhelm Internet Explorer and give access to a user's machine if the individual clicks on a malicious link. Jorge Luis Alvarez Medina told Reuters, "There are three or four ways to conduct this type of attack." Alvarez Medina is a security consultant with Boston-based Core, which has been researching Internet Explorer weaknesses.

The attack triggers four or five minor exploits at the same time, and there are three or four different methods of triggering it.

Alvarez Medina said that the attack uses a string of four or five minor exploits in Internet Explorer. The vulnerability will be demonstrated at the yearly Black Hat Security conference, which will take place on February 2, 2010.

Thanks to franzon for the news tip


79 Comments


majortom1981 said,
The thing I don't understand is why only publish IE flaws. Why not publish Firefox flaws? Isn't Firefox as popular nowadays?

They do, in a way, but nothing makes big press headlines like a new IE hole. FF or Chrome or Safari bugs? Nah, not so much.

majortom1981 said,
The thing I don't understand is why only publish IE flaws. Why not publish Firefox flaws? Isn't Firefox as popular nowadays?

No, IE is still the most popular.

majortom1981 said,
The thing I don't understand is why only publish IE flaws. Why not publish Firefox flaws? Isn't Firefox as popular nowadays?

Obviously Firefox is NOT as popular as even IE 7; otherwise, it would be targeted far more than it is. Flaws in IE 7 are publicized far more than are flaws in Firefox (even when Firefox has more flaws). A more popular browser (or plug-in) will be exploited more often due to that popularity (bad guys looking to take advantage of a point of entry will go after the largest POE). As long as even IE 7 has twice the marketshare of all versions of Firefox, if I were a bad guy, why would I bother chasing Firefox vulnerabilities? IE will be targeted more often due to its marketshare and popularity. Period.

PGHammer said,
Obviously Firefox is NOT as popular as even IE 7; otherwise, it would be targeted far more than it is. Flaws in IE 7 are publicized far more than are flaws in Firefox (even when Firefox has more flaws). A more popular browser (or plug-in) will be exploited more often due to that popularity (bad guys looking to take advantage of a point of entry will go after the largest POE). As long as even IE 7 has twice the marketshare of all versions of Firefox, if I were a bad guy, why would I bother chasing Firefox vulnerabilities? IE will be targeted more often due to its marketshare and popularity. Period.

One flaw with your argument: do you have a single shred of evidence for it?


I do not believe Firefox has less market share than IE7. Judging by http://en.wikipedia.org/wiki/Usage_share_of_web_browsers and http://en.wikipedia.org/wiki/Template:Msieshare1 IE7 appears to be around 20%, Firefox around 25%.

Edited by Kirkburn, Jan 24 2010, 9:01pm :

Give me a break. If Adobe would get off their ass and come out with Flash for 64-bit OSes, then I would use IE 64 exclusively.

clwright5 said,
Give me a break. If Adobe would get off their ass and come out with Flash for 64-bit OSes, then I would use IE 64 exclusively.

Is using a 64 bit browser with 64 bit flash as he types this.

When are you going to realise "no one should ever use IE"???
Btw PC makers: if you are sending IE preinstalled, send some alternative as well. A lot of people out there think IE means internet.

Something I don't understand. Microsoft has the money, power and knowledge to really make Internet Explorer safe and secure. Internet Explorer is one of their products that is out there on the front line; security holes in this software can cause its users such severe issues.

Why do MS deal with security on IE in the same way that I would expect a small 3rd party app developer to? Any software is going to have issues and holes but why isn't MS right there straight away fixing problems and constantly looking for new ones for their users that trust them to make them safe online?

MS has a lot of people dedicated to security - but it doesn't mean they can catch everything. They do patches every month, and sometimes more frequently.

Orange Battery said,
Something I don't understand. Microsoft has the money, power and knowledge to really make Internet Explorer safe and secure. Internet Explorer is one of their products that is out there on the front line; security holes in this software can cause its users such severe issues.

Why do MS deal with security on IE in the same way that I would expect a small 3rd party app developer to? Any software is going to have issues and holes but why isn't MS right there straight away fixing problems and constantly looking for new ones for their users that trust them to make them safe online?

Since the start of IE7 MS has upped the security in IE quite a bit, plus other OS level changes which further help things if IE fails. The thing is nothing will be perfect, every browser has its share of holes (others often have more than IE, at least documented ones anyways).

The fact is that IE8 is way more secure than IE6 and also a bit more secure compared to IE7. I expect IE9's security will be even better as well.

Orange Battery said,
...
For every flaw that's found by a 3rd party, MS will have found and fixed 10 themselves.. And this goes for all software makers.. the idea that they just wait for someone to tell them there is a problem is simply false.

Orange Battery said,
Something I don't understand. Microsoft has the money, power and knowledge to really make Internet Explorer safe and secure. Internet Explorer is one of their products that is out there on the front line; security holes in this software can cause its users such severe issues.

Why do MS deal with security on IE in the same way that I would expect a small 3rd party app developer to? Any software is going to have issues and holes but why isn't MS right there straight away fixing problems and constantly looking for new ones for their users that trust them to make them safe online?

Is this a joke? Microsoft is the industry leader in this respect. That's why other software vendors look to Microsoft for guidance in developing secure software.

For a company with the power of MS I think updates for IE should be a lot faster. If people on Neowin know where loads of holes in the browser are (I don't mean the IE6 post) then I'm sure MS can find them too. I would be on the warez sites each day looking at what they were trying to do to the browser then making sure by the end of the day I had a solution. If it took too much time then I would get more people. IE is front line with a huge powerbase behind it. I'm a total fan of IE but I expect more.

Orange Battery said,
For a company with the power of MS I think updates for IE should be a lot faster. If people on Neowin know where loads of holes in the browser are (I don't mean the IE6 post) then I'm sure MS can find them too. I would be on the warez sites each day looking at what they were trying to do to the browser then making sure by the end of the day I had a solution. If it took too much time then I would get more people. IE is front line with a huge powerbase behind it. I'm a total fan of IE but I expect more.

They can't be much faster, as patches need to be tested properly before release.

I'm sure MS do exactly what you suggest, tbh.

Orange Battery said,

True

Also MS tries to keep updates to a cycle to keep big businesses happy. If MS wanted to they could have a new update every night, but how many people/businesses want their computers rebooting every night for new updates?

Orange Battery said,
For a company with the power of MS I think updates for IE should be a lot faster. If people on Neowin know where loads of holes in the browser are (I don't mean the IE6 post) then I'm sure MS can find them too. I would be on the warez sites each day looking at what they were trying to do to the browser then making sure by the end of the day I had a solution. If it took too much time then I would get more people. IE is front line with a huge powerbase behind it. I'm a total fan of IE but I expect more.

Do you really think we don't do that? Or that we don't have throngs of penetration testers (both internal and vendors) trying everything they can to find vulnerabilities?

Saburac said,
Why not rewrite the browser from scratch and dump all the old junk they've been slowly building on top of since IE4? Maybe swallow their pride and switch to webkit. I know it would take time to do but it's Microsoft, surely they have the resources to do it.

Webkit is a layout engine. It's only tangentially related to security.

Saburac said,
Why not rewrite the browser from scratch and dump all the old junk they've been slowly building on top of since IE4? Maybe swallow their pride and switch to webkit. I know it would take time to do but it's Microsoft, surely they have the resources to do it.

Webkit could almost be slapped into IE, and its security situation would be unchanged. Rendering engine has virtually nothing to do with security.

As for why not rewrite from scratch? Because they have their own product design and goals. Sorry, but IE being its own thing is a GOOD thing for the browser platform. It has always been and will always be a good thing. Competition and competitive bases are GOOD for the internet. The best years of advancing internet technology were the years where there were competing goals and designs. It sucked a bit for the end consumer, but they were the years when we made great leaps forward.
