EPC's Computer Recyling Blog » microsoft

Another Internet Explorer Vulnerability (…sigh)

Brian Wahoff — Thu, 04 Feb 2010 22:18:14 +0000

Well, here we are again. A few weeks after Microsoft pushed out a critical patch to all versions of Internet Explorer, Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies provided details of another attack against the beleaguered browser. This time, an attacker “may be able to access files with an already known file name and location.” If that sounds a bit scary, it should. It falls into a class of attacks called “Local File Disclosure” and can be exploited by sending the victim to a malicious site at attempts to access files stored on your computer. The attacks leverage different design features of Internet Explorer that can be combined to do serious damage. Secunia has rated this as “Moderately critical“

So what versions are vulnerable this time? Basically all versions of IE on Windows 2000, Windows XP, and Windows 2003 Server (with Enhanced Security Configuration disabled). Protected Mode – a feature of Internet Explorer on Vista, Windows 7, and Windows 2008, prevents the attack from succeeding.

The Microsoft Security Advisory (980088) does contain a few workarounds for those stuck on a vulnerable platform:

Disable Active Scripting for the Internet Zone
Enable Network Protocol Lockdown for the file:// protocol (Windows XP only)

So far there are no known attacks in the wild, but we recommend that you take steps to protect your computers if using a vulnerable version.

Resources:

Tech News – Internet Explorer 8 Edition Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab...
Microsoft asks users to abandon IE6, kinda Much has been written about the recent hack targeting Google,...
10 very annoying system defaults I was reading 10 seriously annoying default configurations at TechRepublic...

Microsoft asks users to abandon IE6, kinda

Brian Wahoff — Wed, 20 Jan 2010 15:07:37 +0000

Much has been written about the recent hack targeting Google, but somewhat lost in the shuffle is that the attack specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on their analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or enable DEP (only available on Windows XP Service Pack 2 or later).

In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.

	Windows 2000	Windows XP	Windows Vista	Windows 7
Internet Explorer 6	Exploitable	Exploitable (current exploit effective for code execution)	N/A (Vista ships with IE7)	N/A (Windows 7 ships with IE
Internet Explorer 7	N/A (IE 7 will not install on Windows 2000)	Potentially exploitable (current exploit does not currently work due to memory layout differences in IE 7)	IE Protected Mode prevents current exploit from working.	N/A (Windows 7 ships with IE
Internet Explorer 8	N/A (IE 8 will not install on Windows 2000)	DEP enabled by default on XP SP3 prevents exploit from working.	IE Protected Mode + DEP enabled by default prevent exploit from working.	IE Protected Mode + DEP enabled by default prevent exploit from working.

In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.

Even though this event is likely to not change their behavior, if upgrading the operating system is not an option, they should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.

Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?

Another Internet Explorer Vulnerability (…sigh) Well, here we are again. A few weeks after Microsoft...
10 very annoying system defaults I was reading 10 seriously annoying default configurations at TechRepublic...
Tech News – Internet Explorer 8 Edition Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab...

Tech News – Internet Explorer 8 Edition

Brian Wahoff — Tue, 24 Mar 2009 12:25:44 +0000

Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab Groups, and Find in Page is now a task bar (finally).
Microsoft Support Flooded with Complaints after IE 8 released. Top issues reported include: website printing, image positioning, slow boot times, and a bug dragging images into Facebook.
Microsoft Released new security assesment tool. The new tool, dubbed !exploitable Crash Analyzer, is considered a “game changer” by Dan Kaminsky, a well-known security researcher.
Insiders hacked Russian ATMs? Diebold released a software patch to Opteva line after it was discovered that several machines were infected by a card skimming trojan.
Diebold admits flaw in voting machines that causes vote tallies to be lost. Admission called a “disturbing revelation” by security auditor.

Another Internet Explorer Vulnerability (…sigh) Well, here we are again. A few weeks after Microsoft...
Tech News: Seesmic Desktop Edition Seesmic Desktop Beta available: Thanks to the great video podcast,...
Microsoft asks users to abandon IE6, kinda Much has been written about the recent hack targeting Google,...