Latest Zero Day For Exploit Internet Explorer


s.fox
December 15th, 2008, 05:07 PM
Hi,

Found this on the web. I think it would be a good idea to share it on here as it could affect so many people who have contact with Windows Internet Explorer. Here is (http://news.cnet.com/8301-1009_3-10120341-83.html) the link I was looking at.

Ash R

dannytatom
December 15th, 2008, 05:15 PM
IE (blahblahblah) compatible with all the web pages out there

When did this happen?

s.fox
December 15th, 2008, 05:18 PM
When did this happen?

A couple of days ago. I only found out about it today because I don't generally keep an eye on what's happening in Windows land.

Giant Speck
December 15th, 2008, 05:23 PM
A couple of days ago. I only found out about it today because I don't generally keep an eye on what's happening in Windows land.

No, he was talking about how one of the people that commented on the article said that Internet Explorer is compatible with all websites.

He wasn't asking when the exploit was discovered.

s.fox
December 15th, 2008, 06:38 PM
Right, I found out some more info HERE (http://securitylabs.websense.com/content/Blogs/3263.aspx)

bilbobagins
December 16th, 2008, 06:35 AM
Check out BBC website, Microsoft are advising users to use another browser as a major security flaw has been found... gloat at leisure! :lolflag:
Bilbo

Sealbhach
December 16th, 2008, 06:42 AM
It's not Microsoft advising this.

http://www.microsoft.com/technet/security/advisory/961051.mspx

I've looked for sources but it seems to be some unnamed "experts"...

http://www.pocket-lint.co.uk/news/news.phtml/19868/20892/view.phtml


However, some experts have advised users to use an alternative browser until Microsoft issues a patch for the problem.

http://www.itpro.co.uk/609228/another-wave-of-attacks-target-internet-explorer

.

mister_pink
December 16th, 2008, 07:04 AM
From the Microsoft website:
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

See people - even Microsoft knows you shouldn't be asking for root login tutorials!

sdowney717
December 16th, 2008, 08:45 AM
They are desperate to create an emergency patch and it affects all versions of IE.
I am convinced they will fix it, BUT, these holes are deep and wide and keep on appearing, enough to scare knowledgeable people, but many Windows users are compromised without being aware. Botnets are another hidden menace to Windows PCs. The security imperfections of Windows are a symptom of deeper code troubles pervasive to the platform.

automaton26
December 16th, 2008, 08:52 AM
But there's always another "study" having the opposite spin:

http://www.dailytech.com/Firefox+Most+Risky+App+to+Businesses+in+New+Study/article13669.htm

sdowney717
December 16th, 2008, 09:02 AM
Story says FF is a potential problem, while IE story tells of a proven problem.

Tomatz
December 16th, 2008, 09:06 AM
AND THIS IS NEW NEWS???

:lolflag:

Chame_Wizard
December 16th, 2008, 09:45 AM
Ironic of M$ :lolflag:

Sealbhach
December 16th, 2008, 10:09 AM
Ironic of M$

OP is incorrect.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

http://news.bbc.co.uk/1/hi/technology/7784908.stm



.

sdowney717
December 16th, 2008, 10:17 AM
It's not just one flaw but many that should cause people to switch, and what about the ones yet to be revealed?
People write malware and have easily profited from the many problems which are structurally basic to MS.
I guess most of them simply put up with this.

K.Mandla
December 16th, 2008, 10:24 AM
But there's always another "study" having the opposite spin:

http://www.dailytech.com/Firefox+Most+Risky+App+to+Businesses+in+New+Study/article13669.htm
Not to sidetrack the discussion, but you know, if you follow the links all the way through to the original site giving Firefox a black eye, their criteria for a sketchy application seem to describe anything popular that isn't manually controlled by Microsoft.
Each application on the list has the following characteristics:

• Runs on Microsoft Windows.
• Is well-known in the consumer space and frequently downloaded by individuals.
• Is not classified as malicious by enterprise IT organizations or security vendors.
• Contains at least one critical vulnerability that was:
  o first reported in January 2008 or after,
  o registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
• Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
• The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.
http://www.bit9.com/news-events/press-release-details.php?id=102

And if I understand it correctly, that site is a whitelisting service, so they want you to buy a network manhandling -- oops, I mean network management program (http://www.bit9.com/products/parity.php). Rather like complaining about how dangerous cars are, while selling seat belts.

And Acrobat Reader, Skype, iTunes and MSN Messenger are also on the list. It's like a who's-who of popular software, so long as it has a bug.

ajcham
December 16th, 2008, 10:46 AM
From the BBC article:
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

Well, duh.

jrusso2
December 16th, 2008, 12:19 PM
Hi,

Found this on the web. I think it would be a good idea to share it on here as it could affect so many people who have contact with Windows Internet Explorer. Here is (http://news.cnet.com/8301-1009_3-10120341-83.html) the link I was looking at.

Ash R

Ok I thought all the new security of Vista and IE 7 being in a sandbox on Vista was supposed to make this sort of thing impossible?

What's up with that?

automaton26
December 16th, 2008, 12:40 PM
their criteria for a sketchy application seem to describe anything popular that isn't manually controlled by Microsoft

And Acrobat Reader, Skype, iTunes and MSN Messenger are also on the list. It's like a who's-who of popular software, so long as it has a bug.

That's what I found amusing - every study contains owner bias, and every press release hides an agenda.

IMHO, an open source browser is just the least-worst option, on average -
there are no guarantees.

Grant A.
December 16th, 2008, 01:22 PM
More news on the subject:

http://blog.wired.com/business/2008/12/ie-fans-beware.html

It might be a good idea to start using Firefox if you aren't already.

I doubt Microsoft will fix this bug, they are putting too much effort into IE8 to care. Which, IMHO is a good thing. Why waste time with a bug in a version that's about to lose support?

MellonCollie
December 16th, 2008, 02:36 PM
I doubt Microsoft will fix this bug, they are putting too much effort into IE8 to care. Which, IMHO is a good thing. Why waste time with a bug in a version that's about to lose support?

Lose support? IE7 will continue to be supported with security patches until Vista's retired in 2012.


Edit: Patch scheduled for release tomorrow (http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx).

solwic
December 16th, 2008, 06:50 PM
Makes me glad I use Ubuntu and Firefox. :)

NE Key
December 16th, 2008, 08:16 PM
There seems to be a security flaw in IE7 which is being exploited but there is no immediate solution - other than using Firefox.

It is big enough to be reported in mainstream news rather than on the "geek" pages,

Daily Telegraph:
http://www.telegraph.co.uk/scienceandtechnology/technology/microsoft/3793365/Internet-Explorer-security-alert-Microsoft-says-all-users-at-risk.html

A pundit says:

"Problems like this are found all the time but Microsoft always has a fix. What's new about this situation is that there is no fix."

sstusick
December 16th, 2008, 09:28 PM
One more excuse I can use to convert IE users to Firefox :D

Therion
December 16th, 2008, 09:36 PM
That is one poorly written article. I mean, wow... That's bad.

billgoldberg
December 16th, 2008, 09:40 PM
That is one poorly written article. I mean, wow... That's bad.

Indeed.

What's the big deal?

If you use Windows you know things like this can happen.

zmjjmz
December 16th, 2008, 09:44 PM
"While many of the compromised sites are pornographic, many are legitimate, mainstream web pages."
:|

Yeah, anyways. This got my mom to start using Google Chrome as her default.

Changturkey
December 16th, 2008, 09:46 PM
"While many of the compromised sites are pornographic, many are legitimate, mainstream web pages."
:|

Yeah, anyways. This got my mom to start using Google Chrome as her default.

They need to get that ported ASAP.

Sealbhach
December 17th, 2008, 06:16 AM
This made me twitch a little, this is the head of Microsoft UK marketing answering questions to the BBC:

http://www.bbc.co.uk/blogs/technology/2008/12/is_it_safe_to_explore.html

3. Shouldn't you switch to another browser until the patch comes out?

This has been the advice of a number of security firms - who of course are also touting their latest anti-virus products - but you won't be surprised to hear that Mr Curran disagrees. He told me he had recently seen a report which listed another browser as having the highest number of vulnerabilities. "It would not be advisable," he said, "to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities."

Terrific, isn't it?


.

bryncoles
December 17th, 2008, 06:29 AM
I just like that there's a big hoo-ha about how wonderful Microsoft are for breaking their monthly patch cycle to fix this bug without waiting till the first Tuesday of next month.

THEY (USUALLY) WAIT TILL THE FIRST TUESDAY OF EACH MONTH BEFORE THEY FIX CRITICAL VULNERABILITIES?!

It would be much better practice to always release patches as soon as they are ready. Their customer-base would be better protected that way.

s.fox
December 17th, 2008, 06:56 AM
Hmmm. I would love to know what report Mr Curran has seen. I am slightly worried that it still has not been fixed though. Thankfully I don't usually use Windows or IE (Windows version) regularly.

On a side note, I do have Internet Explorer running on Ubuntu. Should I not use it for the time being?

P.S. Can a mod please change the title of this thread as I meant to type "Latest Zero Day Exploit For Internet Explorer" when I created this thread. Many thanks!

Giant Speck
December 17th, 2008, 07:11 AM
Terrific, isn't it?

Well, when it comes to the question "should users switch to a different browser until the patch comes out?", Microsoft would be shooting itself in the foot no matter what answer it gave.

If Microsoft were to say that yes, a user should switch to a different browser, they would be taking a risk that those users would actually like the other browser better than Internet Explorer, and that they wouldn't come back to Internet Explorer even if the patch was out.

If Microsoft were to say that no, a user should not switch to a different browser, they are putting a lot of customers at risk of being affected by this exploit.

This may be a dumb analogy, but it would be like Heinz releasing a statement that their ketchup contains E. coli. If they were to tell customers to temporarily switch to, say, Hunt's ketchup, they would be risking losing their customers to Hunt's. If they were to tell customers to continue using Heinz, they would be endangering the health of their customers.

And about the "multiple vulnerabilities" claim: it's really not surprising. Ever since Firefox started becoming popular, Microsoft has been throwing bogus claims about its vulnerabilities left and right.

Rocket2DMn
December 17th, 2008, 08:55 AM
Just as a note: please do not post links or sources to text that explains how to use this flaw. IT IS ILLEGAL to compromise another user's system, regardless of who wrote the software, and most definitely not supported on these forums. I support discussion on this topic, but please be aware that you walk a fine line in such debates - any encouraging or technical discussion about the use of exploit will result in your post being jailed and further administrative action being taken against you, including but not limited to infractions and/or loss of privilege to post on these forums.
Thank you.

fatality_uk
December 17th, 2008, 09:32 AM
Well this has been the last straw!! I have sent my team out to switch ALL 256 PCs we have to Firefox. For the ODD occasion where either Firefox won't handle the site or User Switching Agent can't fool the site, restricted access will be given to the users to run I.E.

Stories like this will, I have NO doubt, lead to a greater degree of Linux adoption not only in the workplace, but in home PCs.

s.fox
December 17th, 2008, 06:03 PM
Hey, looks like it's fixed

Link1 (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123758)

Link2 (http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx)

Wolfhere
December 22nd, 2008, 11:35 PM
Ash, the first link goes nowhere to addressing or discussing the exploit. The second link confirms that Microsoft has a patch. Fact of the matter is, the day the flaw was known, Microsoft released the patch to automatic updates. I am a network administrator in an AD environment (that is changing slowly but surely..each of our team has Ubuntu running in one form or another...and our mail server is Ubuntu). And while I was patching each of the machines in our environment, I checked AU and indeed, the patch was there. WSUS needs to be implemented.

Yes, we are moving to Firefox too. It's faster and not quite so vulnerable. I am just looking forward to not being forced into buying another upgrade for another piece of software needed because Microsoft has not released a fix before the fire storm breaks out. Being proactive instead of reactive is so much better and easier in my line of work. :popcorn: