New un-patched IE flaw found a day after latest hotfix

Only a day after the recent out-of-band Internet Explorer vulnerability patch, a new un-patched Internet Explorer flaw could leave thousands of users at risk.

The new attack uses smaller un-patched vulnerabilities in Internet Explorer. Individually they are too small to compromise a system, but together they can overwhelm Internet Explorer and give access to a user's machine if the individual clicks on a malicious link. Jorge Luis Alvarez Medina said to Reuters, "There are three or four ways to conduct this type of attack." Alvarez Medina is a security consultant with Boston-based Core, which has been researching Internet Explorer weaknesses.

The attack triggers four or five minor exploits at the same time, and three or four different methods can be used to trigger it.

Alvarez Medina said that the attack uses a string of four or five minor exploits in Internet Explorer.  The vulnerability will be demonstrated at the yearly Black Hat Security conference, which will take place on February 2, 2010.

Thanks to franzon for the news tip


79 Comments


For a company with the power of MS I think updates for IE should be a lot faster. If people on Neowin know where loads of holes in the browser are (I don't mean the IE6 post) then I'm sure MS can find them too. I would be on the warez sites each day looking at what they were trying to do to the browser then making sure by the end of the day I had a solution. If it took too much time then I would get more people. IE is front line with a huge powerbase behind it. I'm a total fan of IE but I expect more.

Orange Battery said,
For a company with the power of MS I think updates for IE should be a lot faster. If people on Neowin know where loads of holes in the browser are (I don't mean the IE6 post) then I'm sure MS can find them too. I would be on the warez sites each day looking at what they were trying to do to the browser then making sure by the end of the day I had a solution. If it took too much time then I would get more people. IE is front line with a huge powerbase behind it. I'm a total fan of IE but I expect more.

They can't be much faster, as patches need to be tested properly before release.

I'm sure MS do exactly what you suggest, tbh.

Orange Battery said,

True

Also MS tries to keep Updates to a cycle to keep big Businesses happy, if MS wanted to they could have a new update every night, but how many people/businesses want their computers rebooting every night for new updates?

Orange Battery said,
For a company with the power of MS I think updates for IE should be a lot faster. If people on Neowin know where loads of holes in the browser are (I don't mean the IE6 post) then I'm sure MS can find them too. I would be on the warez sites each day looking at what they were trying to do to the browser then making sure by the end of the day I had a solution. If it took too much time then I would get more people. IE is front line with a huge powerbase behind it. I'm a total fan of IE but I expect more.

Do you really think we don't do that? Or that we don't have throngs of penetration testers (both internal and vendors) trying everything they can to find vulnerabilities?

Something I don't understand. Microsoft has the money, power and knowledge to really make Internet Explorer safe and secure. Internet Explorer is one of their products that is out there on the front line, security holes in this software can cause its users so severe issues.

Why do MS deal with security on IE in the same way that I would expect a small 3rd party app developer to? Any software is going to have issues and holes but why isn't MS right there straight away fixing problems and constantly looking for new ones for their users that trust them to make them safe online?

MS has a lot of people dedicated to security - but it doesn't mean they can catch everything. They do patches every month, and sometimes more frequently.

Orange Battery said,
Something I don't understand. Microsoft has the money, power and knowledge to really make Internet Explorer safe and secure. Internet Explorer is one of their products that is out there on the front line, security holes in this software can cause its users so severe issues.

Why do MS deal with security on IE in the same way that I would expect a small 3rd party app developer to? Any software is going to have issues and holes but why isn't MS right there straight away fixing problems and constantly looking for new ones for their users that trust them to make them safe online?

Since the start of IE7 MS has upped the security in IE quite a bit, plus other OS level changes which further help things if IE fails. The thing is nothing will be perfect, every browser has its share of holes (others often have more than IE, at least documented ones anyways).

The fact is that IE8 is way more secure than IE6 and also a bit more secure compared to IE7. I expect IE9's security will be even better as well.

Orange Battery said,
...
For every flaw that's found by a 3rd party, MS will have found and fixed 10 themselves.. And this goes for all software makers.. the idea that they just wait for someone to tell them there is a problem is simply false.

Orange Battery said,
Something I don't understand. Microsoft has the money, power and knowledge to really make Internet Explorer safe and secure. Internet Explorer is one of their products that is out there on the front line, security holes in this software can cause its users so severe issues.

Why do MS deal with security on IE in the same way that I would expect a small 3rd party app developer to? Any software is going to have issues and holes but why isn't MS right there straight away fixing problems and constantly looking for new ones for their users that trust them to make them safe online?

Is this a joke? Microsoft is the industry leader in this respect. That's why other software vendors look to Microsoft for guidance in developing secure software.

When are you going to realise "no one should ever use IE"???
Btw PC makers: if you are sending IE preinstalled, send some alternative as well. A lot of people out there think IE means internet

Give me a break. If adobe would get off their ass and come out with flash for 64 bit OS's. Then I would use IE 64 exclusively.

clwright5 said,
Give me a break. If adobe would get off their ass and come out with flash for 64 bit OS's. Then I would use IE 64 exclusively.

Is using a 64 bit browser with 64 bit flash as he types this.

majortom1981 said,
The thing I don't understand is why only publish IE flaws. Why not publish Firefox flaws? Isn't Firefox as popular nowadays?

They do, in a way, but nothing makes big press headlines like a new IE hole. FF or Chrome or Safari bugs? Nah, not so much.

majortom1981 said,
The thing I don't understand is why only publish IE flaws. Why not publish Firefox flaws? Isn't Firefox as popular nowadays?

No IE is still the most popular.

majortom1981 said,
The thing I don't understand is why only publish IE flaws. Why not publish Firefox flaws? Isn't Firefox as popular nowadays?

Obviously Firefox is NOT as popular as even IE 7; otherwise, it would be targeted far more than it is. Flaws in IE 7 are publicized far more than are flaws in Firefox (even when Firefox has more flaws). A more popular browser (or plug-in) will be exploited more often due to that popularity (bad guys looking to take advantage of a point of entry will go after the largest POE). As long as even IE 7 has twice the marketshare of all versions of Firefox, if I were a bad guy, why would I bother chasing Firefox vulnerabilities? IE will be targeted more often due to its marketshare and popularity. Period.

PGHammer said,
Obviously Firefox is NOT as popular as even IE 7; otherwise, it would be targeted far more than it is. Flaws in IE 7 are publicized far more than are flaws in Firefox (even when Firefox has more flaws). A more popular browser (or plug-in) will be exploited more often due to that popularity (bad guys looking to take advantage of a point of entry will go after the largest POE). As long as even IE 7 has twice the marketshare of all versions of Firefox, if I were a bad guy, why would I bother chasing Firefox vulnerabilities? IE will be targeted more often due to its marketshare and popularity. Period.
One flaw with your argument: do you have a single shred of evidence for it?


I do not believe Firefox has less market share than IE7. Judging by http://en.wikipedia.org/wiki/Usage_share_of_web_browsers and http://en.wikipedia.org/wiki/Template:Msieshare1 IE7 appears to be around 20%, Firefox around 25%.

Edited by Kirkburn, Jan 24 2010, 9:01pm :

The fact that the security flaw was reported at all, means that it's a part of safety... what about the vulnerabilities which don't get reported, but used in 0-days? Not just of IE, but the other browsers...

I can see no reason for a home user to ever use IE. If you are in the Enterprise and are forced then yes but other than that no reason. I know IE8 is pretty secure and most of these attacks are going after IE 6_7. Microsoft is making the Internet less safe IMO. No matter how careful I try to be, then someone can come in and hack my information from the cloud (Goog) by exploiting some hole in IE6, just **** me off. They are reaping the folly of a closed system. I believe if they opened up the code for IE, most of these vulnerabilities would be fixed in no time. That's why FF, Chrome, is so much better. Lots of eyes looking at the code.

waldenasta said,
I can see no reason for a home user to ever use IE. If you are in the Enterprise and are forced then yes but other than that no reason. I know IE8 is pretty secure and most of these attacks are going after IE 6_7. Microsoft is making the Internet less safe IMO. No matter how careful I try to be, then someone can come in and hack my information from the cloud (Goog) by exploiting some hole in IE6, just **** me off. They are reaping the folly of a closed system. I believe if they opened up the code for IE, most of these vulnerabilities would be fixed in no time. That's why FF, Chrome, is so much better. Lots of eyes looking at the code.
Lots of eyes looking for holes, too. [I say this as an Fx user]

In any case, you praise IE8 for being secure on one hand, but on the other say MS are making the internet less safe? They're asking people to upgrade, but they can't force people to. What else do you want?

Edited by Kirkburn, Jan 24 2010, 2:15am :

waldenasta said,
...
Good thing FF, Safari, Chrome, and Opera have never had any security holes in their browsers..

Oh.. wait.

This is becoming a joke. Microsoft fixes a flaw, and the day after another one is found.

How about fixing them all up at once Microsoft? Too hard for you?

sexypeperodri said,
This is becoming a joke. Microsoft fixes a flaw, and the day after another one is found.
How about fixing them all up at once Microsoft? Too hard for you?

Oh do you think they knew about it and just left it there, waiting for someone to use it? Please.

sexypeperodri said,
This is becoming a joke. Microsoft fixes a flaw, and the day after another one is found.

How about fixing them all up at once Microsoft? Too hard for you?

Stupid comment of the day.

sexypeperodri said,
This is becoming a joke. Microsoft fixes a flaw, and the day after another one is found.

How about fixing them all up at once Microsoft? Too hard for you?

*Slaps Forehead*

sexypeperodri said,
This is becoming a joke. Microsoft fixes a flaw, and the day after another one is found.

How about fixing them all up at once Microsoft? Too hard for you?


LOL, yeah, because that's how it works. There are a ton of holes to patch, but MS can't be arsed to fix them. :D

However, I do agree with you regarding the currently well-known exploits. There are more than this one too, four of them last time I checked.

Edited by Northgrove, Jan 23 2010, 11:43pm :

cybertimber2008 said,

Oh do you think they knew about it and just left it there, waiting for someone to use it? Please.

Yeah, it's not like Microsoft to not patch a vulnerability once they've been notified of it [rolls eyes]...

http://secunia.com/advisories/product/11/
IE 6; 16% (23 of 144 Secunia advisories unpatched) . The oldest of which remains unpatched dates back to 2003 - http://secunia.com/advisories/10155/

http://secunia.com/advisories/product/12366/
IE7; 24% (10 of 42 Secunia advisories unpatched). The oldest of which remains unpatched dates back to 2006 - http://secunia.com/advisories/20449/

http://secunia.com/advisories/product/21625/
IE 8; 38% (3 of 8 Secunia advisories unpatched). The oldest of which remains unpatched dates back to 2007 - http://secunia.com/advisories/24314/

Edited by thommcg, Jan 23 2010, 11:48pm :

thommcg said,

Yeah, it's not like Microsoft to not patch a vulnerability once they've been notified of it [rolls eyes]...


Facts, it's hard to go against those, but some still try to make a "valid point" overlooking them.

Edited by Lechio, Jan 24 2010, 12:42am :

thommcg said,

Yeah, it's not like Microsoft to not patch a vulnerability once they've been notified of it [rolls eyes]...

http://secunia.com/advisories/product/11/
IE 6; 16% (23 of 144 Secunia advisories unpatched) . The oldest of which remains unpatched dates back to 2003 - http://secunia.com/advisories/10155/

http://secunia.com/advisories/product/12366/
IE7; 24% (10 of 42 Secunia advisories unpatched). The oldest of which remains unpatched dates back to 2006 - http://secunia.com/advisories/20449/

http://secunia.com/advisories/product/21625/
IE 8; 38% (3 of 8 Secunia advisories unpatched). The oldest of which remains unpatched dates back to 2007 - http://secunia.com/advisories/24314/

Nice post, however Microsoft have repeatedly asked people to upgrade to IE7/8 and to stop using 6 because it is no longer supported. The IE7 exploit works on XP SP2, the latest version is SP3. The IE8 exploit works only on XP.

So I think the point should be, how about upgrade to the latest version of whatever program it is instead of complaining about old versions having exploits

Edited by -Razorfold, Jan 24 2010, 12:27am :

thommcg said,

Yeah, it's not like Microsoft to not patch a vulnerability once they've been notified of it [rolls eyes]...

http://secunia.com/advisories/product/11/
IE 6; 16% (23 of 144 Secunia advisories unpatched) . The oldest of which remains unpatched dates back to 2003 - http://secunia.com/advisories/10155/

http://secunia.com/advisories/product/12366/
IE7; 24% (10 of 42 Secunia advisories unpatched). The oldest of which remains unpatched dates back to 2006 - http://secunia.com/advisories/20449/

http://secunia.com/advisories/product/21625/
IE 8; 38% (3 of 8 Secunia advisories unpatched). The oldest of which remains unpatched dates back to 2007 - http://secunia.com/advisories/24314/


You missed the words *new* *IE* *Flaw* didn't you?
My point still valid, it was an unknown issue. Even they didn't catch it, and it's their JOBS to.

cybertimber2008 said,

You missed the words *new* *IE* *Flaw* didn't you?
My point still valid, it was an unknown issue. Even they didn't catch it, and it's their JOBS to.

Just like it's the job of the whole open source community/Mozilla to catch bugs/exploits before a new version ships but, oh look, do they? Hardly. Your point is pointless. No one can catch everything, that's why even after months of beta testing you'll still find new bugs, saying it's MS's JOB to find them doesn't change this fact at all.

-Razorfold said,

Nice post, however Microsoft have repeatedly asked people to upgrade to IE7/8 and to stop using 6 because it is no longer supported. The IE7 exploit works on XP SP2, the latest version is SP3. The IE8 exploit works only on XP.

So I think the point should be, how about upgrade to the latest version of whatever program it is instead of complaining about old versions having exploits

Where did you get this info ? Are you reading only Microsoft's PR statements ?
both IE7 and IE8 on Vista and Win7 were patched yesterday for what Microsoft stated as High-Security-Risk. A POC has demonstrated how you can bypass ASLR and DEP.

ilev said,

Where did you get this info ? Are you reading only Microsoft's PR statements ?
both IE7 and IE8 on Vista and Win7 were patched yesterday for what Microsoft stated as High-Security-Risk. A POC has demonstrated how you can bypass ASLR and DEP.

You have a link to this POC info about turning ASLR and DEP off? I have heard nothing of the sort.

ilev said,

Where did you get this info ? Are you reading only Microsoft's PR statements ?
both IE7 and IE8 on Vista and Win7 were patched yesterday for what Microsoft stated as High-Security-Risk. A POC has demonstrated how you can bypass ASLR and DEP.

If you actually click the links he posted some say which systems are affected.

Also how do you disable DEP when it's a hardware thing?

Edited by -Razorfold, Jan 24 2010, 11:35am :

-Razorfold said,

If you actually click the links he posted some say which systems are affected.

Also how do you disable DEP when it's a hardware thing?

Looking up some older info about DEP and ASLR from back when IE8 was first released there was an early POC that took advantage of some hole to bypass (note, not turn off but just side-step) DEP and ASLR. That has since been long fixed.

sexypeperodri said,
This is becoming a joke. Microsoft fixes a flaw, and the day after another one is found.

How about fixing them all up at once Microsoft? Too hard for you?

You, of course, do everything right the first time, and never have to go back and fix anything, right ? Ya, that's what I thought..

Nothing is ever without flaws ( except maybe Scarlett Johansson ). It's not like MS has a big list of security holes..

-Razorfold said,
Nice post, however Microsoft have repeatedly asked people to upgrade to IE7/8 and to stop using 6 because it is no longer supported...

Well, no support for IE6 hasn't ended... http://blogs.msdn.com/ie/archive/2009/08/10/engineering-pov-ie6.aspx "The engineering point of view on IE6 starts as an operating systems supplier. Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product. We keep our commitments..."

cybertimber2008 said,

You missed the words *new* *IE* *Flaw* didn't you?
My point still valid, it was an unknown issue. Even they didn't catch it, and it's their JOBS to.

My point is, even when they are informed it's not necessarily fixed.

So they won't give details about the vulnerability until the next Patch Tuesday? That means we have to wait until March to get the fix...

It's still by far the most secure browser apart from the security flaws? Hmmmm... I'll let that one percolate in my brain a little.

EddiePwnsYou said,
No flaws will stop me from using IE. It's still by far the most secure browser, (IMO).

Huh? There are competing browsers with fewer known open security holes.

thommcg said,
It's still by far the most secure browser apart from the security flaws? Hmmmm... I'll let that one percolate in my brain a little.

It is the most secure browser, only if you use Vista/7 and leave UAC enabled. Everything in the browser runs in a sandbox so it becomes most secure browser.

MeLoveYouLongTime said,

It is the most secure browser, only if you use Vista/7 and leave UAC enabled. Everything in the browser runs in a sandbox so it becomes most secure browser.

Wrong, Chrome is actually more secure than IE on Vista and Windows 7.

"On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does."

http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443

Edited by Saburac, Jan 24 2010, 1:05am :

Saburac said,

Wrong, Chrome is actually more secure than IE on Vista and Windows 7.

"On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does."

http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443

Uhm, I'd let this pass, but citing your source as InfoWorld? Come on, you've got to do better than that.

That said, I still believe IE8 is the most secure, as also asserted by recent [independent?] researches conducted. I could be wrong, but not until I see another evidence, a la report, that states otherwise.

Tola1005 said,

Uhm, I'd let this pass, but citing your source as InfoWorld? Come on, you've got to do better than that.

That said, I still believe IE8 is the most secure, as also asserted by recent [independent?] researches conducted. I could be wrong, but not until I see another evidence, a la report, that states otherwise.

Do you dispute or have evidence showing that Chrome does not work as stated in the article?

In what way is IE more secure?

Edited by Saburac, Jan 24 2010, 2:11am :

EddiePwnsYou said,
No flaws will stop me from using IE. It's still by far the most secure browser, (IMO).

I lol'd. I'm sure if you *believe* in it, it'll become the most secure ever!

Edited by hotdog963al, Jan 24 2010, 4:49am :

EddiePwnsYou said,
No flaws will stop me from using IE. It's still by far the most secure browser, (IMO).

I agree that IE8 in Protected Mode in Windows 7 is the most secure way to browse and I will continue to do so. Chrome is also very secure, but Firefox is the most vulnerable browser. I won't touch Firefox with a ten-foot pole.

hotdog963al said,

I lol'd. I'm sure if you *believe* in it, it'll become the most secure ever!

Well, we could all be running Macs and just call it a day, you know, using Safari.

GP007 said,

Well, we could all be running Macs and just call it a day, you know, using Safari.


lol. Yeah. Because Safari is also very secure :P

I think all of you need to get over the whole my-browser-is-more-secure-than-yours mindset. All browsers are vulnerable. One may have less publicly known vulnerabilities than others, but for the majority of people who use the net, that is almost irrelevant. There are so many other factors besides a browser's publicly known vulnerabilities. The OS it is run on, the popularity of the browser, 3rd party add-ons etc. Also, Firefox probably has more known vulnerabilities due to the fact that it's open-source and so anyone can look at the code to find problems. Chrome may seem more secure, but the lack of people using it means it won't be heavily targeted by security researchers and malware creators.

Everyone likes their browser for different reasons, but claiming that you use it because it's more secure than others is kind of blind. IE only gets targeted so much because of its popularity.

pezzonovante said,

I agree that IE8 in Protected Mode in Windows 7 is the most secure way to browse and I will continue to do so. Chrome is also very secure, but Firefox is the most vulnerable browser. I won't touch Firefox with a ten-foot pole.

Got anything to back up your claim on Firefox being the most vulnerable browser? Or you're just spreading misinformation. Firefox is just as secure as Chrome and Opera.

Saburac said,

Wrong, Chrome is actually more secure than IE on Vista and Windows 7.

"On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does."

http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443


After reading that article, I see nothing in it that could imply it was more secure than Internet Explorer.

Sub_Zero_Alchemist said,

Got anything to back up your claim on Firefox being the most vulnerable browser? Or you're just spreading misinformation. Firefox is just as secure as Chrome and Opera.

What is needed to back this up? You obviously read this forum. It's been posted here about a million times, is all.

Where exactly do you get your mis-information about Firefox? Firefox is NO WAY as secure as Opera. Chrome I don't know about. Don't and won't use that Google infested thing.

DonC said,

After reading that article, I see nothing in it that could imply it was more secure than Internet Explorer.

Well let's see, Chrome runs on Vista and 7 the same way as IE's protected mode, so they're even on that front. Then it goes on to explain how Chrome is more restrictive than IE on Vista. So exactly how is IE more secure?

I'm not sure if Safari uses protected mode or not on Vista, but Firefox does not.

Edited by Saburac, Jan 24 2010, 3:18pm :

Saburac said,

Wrong, Chrome is actually more secure than IE on Vista and Windows 7.

"On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does."

http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443

well, you're wrong...

You forgot to read this sentence:
"Any supplementary browser add-ons are run in a separate, medium-integrity (or higher-integrity) process. "

this means that flash player, adobe reader plugin run OUTSIDE the sandbox, (medium integrity level = user mode read and write access!)

since there are frequently 0day flaws in adobe reader plugin and flash player, it means that firefox, chrome, safari, and opera users are more exposed than IE users.

Plugins like flash and adobe reader run within the IE sandbox. This means that IE users are safe from any 0day exploit trying to install malwares on their user profile. Users of other browser are vulnerable to these 0day attacks... last month there have been 0day flaws exploited in adobe reader. This means that most firefox/chrome/safari/opera/IE(XP only) users were highly vulnerable for a whole month.

Saburac said,

Well let's see, Chrome runs on Vista and 7 the same way as IE's protected mode, so they're even on that front. Then it goes on to explain how Chrome is more restrictive than IE on Vista. So exactly how is IE more secure?

I'm not sure if Safari uses protected mode or not on Vista, but Firefox does not.

They claim that Chrome denies read permission to medium IL directories (i.e. most user directories) whereas IE does not. Theoretically this could help prevent a hijacked Chrome browser from reading sensitive data in the user's Documents folder and such, whereas IE's protected mode won't. However, both block writes, which blocks attackers from installing things onto your machine or deleting your stuff.

My guess is that IE probably allows read access to the tab process for add-in compatibility reasons, but that's just a guess.

I just hope that this "researcher" has already disclosed the information responsibly to Microsoft, ahead of their publicity-seeking "demonstration" in Feb.

markjensen said,
I just hope that this "researcher" has already disclosed the information responsibly to Microsoft, ahead of their publicity-seeking "demonstration" in Feb.

they have, apparently