xisto Community
Echo_of_thunder

IE 5 To 8 Look Out: IE Users of 5 to 8 beware

The major press outlets are abuzz this morning with news of a major new security flaw that affects all versions of Internet Explorer from IE5 to the latest beta of IE8. The attack has serious and far-reaching ramifications -- and they're not just theoretical attacks. In fact, the flaw is already in wide use as a tool to steal online game passwords, with some 10,000 websites infected with the code needed to take advantage of the hole in IE.

I just read this, and as much as I do love my IE, it scares me to death and back. To read the full story, click here. Thank goodness for FF.


It's hard to tell from the articles themselves where or what the exact problem is, but intuition tells me it has to do with ActiveX. This makes more sense when the article talks about gaming websites, as ActiveX can be and has been used for gaming purposes. And ActiveX has been known to be a potential security flaw, which all Internet Explorer browsers support, therefore making it Internet Explorer version-independent. But if my assumption is correct, then it is easily avoidable and one need not worry about it.



"At present, this exploit only seems to affect 0.02% of internet sites," said Mr Curran [head of Microsoft UK's Windows group]. "In terms of vulnerability, it only seems to be affecting IE7 users at the moment, but could well encompass other versions in time."

Can anyone make sense of this statement? What's 0.02% of the internet? Also, if we assume that IE7 is the most used version of IE out there, then it is easy to conclude that IE7 is the one that is most affected.


Well, last night after posting this, I got talking with a buddy of mine, and he said it was due to being able to save and store your passwords and screen names when you go to sites. Not a good idea to do anyway, but as we all know there are some that do that. He thought that was how these hackers found the way to get into all the IEs, not through other parts of Windows.


Yep, I've been keeping tabs on this somewhat, and the critical flaw has to do with retrieving passwords after getting infected, and I highly doubt .02% are affected if this has been a very old problem. Especially since this flaw is hitting every version of Internet Explorer and then Microsoft either did nothing or tried to keep as quiet as possible about this. Either way, this is going to hurt Microsoft for not fixing a problem as old as this, and I doubt too many will be flocking to Internet Explorer 8 after this, since who knows what other global browser problems there are with Internet Explorer.


What Secunia has to say about this:

Description:

A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a use-after-free error when composed HTML elements are bound to the same data source. This can be exploited to dereference freed memory via a specially crafted HTML document.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.

The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3 and in Internet Explorer 6 on a fully patched Windows XP SP2, and reported in Internet Explorer 5.01 SP4. Other versions may also be affected.

Solution:

Do not browse untrusted websites or follow untrusted links.

The vendor recommends disabling the use of Oledb32.dll. Please see vendor advisory for additional information.

Provided and/or discovered by:

Reported as a 0-day.

Additional information provided by Secunia Research.

Changelog:

2008-12-11: Added additional information provided by Microsoft.

2008-12-11: Updated the "Other References" section. Added more information and "Microsoft Internet Explorer 6.x" to the list of affected products based on additional research performed by Secunia Research.

2008-12-12: Added "Microsoft Internet Explorer 5.01" to the list of affected products. Updated "Solution" section with workaround information.

http://secunia.com/advisories/33089/

To clarify three common incorrect assumptions about this vulnerability:

Assumption: Only Internet Explorer 7 is vulnerable.

Correction: No, at least Internet Explorer 6 is also affected, but not by the public exploits that are currently available. According to Microsoft's updated advisory, IE 5.01 is also affected. We have not confirmed this yet, but it seems plausible.

Assumption: The core problem is related to XML processing.

Correction: No, it's related to data binding. Working exploits can be created nicely without using XML.

Assumption: Setting the security level to "High" for the "Internet" security zone or disabling "Active Scripting" support protects me against attacks.

Correction: Technically no. It is still possible to trigger the vulnerability. However, it does make exploitation trickier as it protects against attacks using scripting.

http://blogs.flexerasoftware.com/vulnerability-management/2008/12/internet-explorer-data-binding-0-day-clarifications.html

What do I think about this?

Simple: I just recommend that everyone who is reading this with his IE (and it's his main browser) just switch, pal. Internet Explorer is not worth the hassle. Trust me.

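The use-after-free class named in the Secunia advisory quoted above, shown as an added example that is not part of the thread, the advisory or Internet Explorer's code. It is a toy model in which a reusable pool slot stands in for a heap block; `Source`, `Binding` and every function name are assumptions made for illustration, and the generation check is one general mitigation, not Microsoft's fix.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (assumed names, not IE code): a pool slot stands in for a heap block. */
#define SLOTS 4
typedef struct { int live; unsigned gen; char data[16]; } Source;
typedef struct { int slot; unsigned gen; } Binding;   /* element -> data source */
static Source pool[SLOTS];

/* Allocate a data source; freed slots are reused first, as a heap allocator would. */
static int source_alloc(const char *data) {
    for (int i = 0; i < SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        pool[i].gen++;                       /* new generation invalidates old bindings */
        snprintf(pool[i].data, sizeof pool[i].data, "%s", data);
        return i;
    }
    return -1;
}

static void source_free(int slot) { pool[slot].live = 0; }

static Binding bind_element(int slot) { return (Binding){ slot, pool[slot].gen }; }

/* Vulnerable pattern: trusts the stale slot, so it sees whatever reused it. */
static const char *read_unchecked(Binding b) { return pool[b.slot].data; }

/* Hardened pattern: a binding taken before the free no longer validates. */
static const char *read_checked(Binding b) {
    if (b.slot < 0 || b.slot >= SLOTS) return NULL;
    if (!pool[b.slot].live || pool[b.slot].gen != b.gen) return NULL;
    return pool[b.slot].data;
}

/* Two elements bound to one source; the source is released through the first. */
static int demo(void) {
    int s = source_alloc("records");         /* constructed sample data */
    Binding first = bind_element(s), second = bind_element(s);
    source_free(first.slot);                 /* second now dangles */
    source_alloc("reused");                  /* the slot gets new contents */
    int stale = strcmp(read_unchecked(second), "reused") == 0;
    int caught = read_checked(second) == NULL;
    return stale && caught;                  /* 1: stale read happened, check caught it */
}

int main(void) { printf("stale read seen and caught: %d\n", demo()); return 0; }
```

The unchecked read returns contents the binding was never meant to see, which is why the advisory rates the flaw as code execution and not just a crash.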

I'm not sure it's for this problem, but yesterday Microsoft released a security patch. It's good they fixed it, but I am wondering why it took so much time to find it. Since all versions are exposed to this vulnerability, a huge number of people may have been unknowing victims. And why is it so specifically used to steal game passwords? It's a long time since I switched to Firefox and I'm glad I stuck with it. Microsoft can never compete with the power of an open source community!


miladinoski, that is interesting, must have been on top of that as well, but again it has to do with passwords, and if you're banking online, HTML and the data source is a big part of the password problem. It wasn't the matter of finding it; the odds are it was difficult to fix, shocking as that may sound.


Yep, I've been keeping tabs on this somewhat, and the critical flaw has to do with retrieving passwords after getting infected, and I highly doubt .02% are affected if this has been a very old problem. Especially since this flaw is hitting every version of Internet Explorer and then Microsoft either did nothing or tried to keep as quiet as possible about this. Either way, this is going to hurt Microsoft for not fixing a problem as old as this, and I doubt too many will be flocking to Internet Explorer 8 after this, since who knows what other global browser problems there are with Internet Explorer.

If Microsoft knew of this and did keep it quiet for all these years, wouldn't that be, well, unlawful? I do find this very strange for all of the IEs to have this flaw. If they knew of it, why did they not fix it in the first place? Secondly, why are we really just hearing of all this now, and not when IE 5 came out? Things do sound a little fishy. Maybe a browser war starting here between Microsoft and FF? I don't know. But for something to have had a flaw for so long and not be fixed, something just is not right here.


This is not the kind of virus/worm/trojan or system/program vulnerability that scares me at all. If you take extreme care and pay attention to the following things/tasks, you will most likely be safe from it all, including this one:

  • Never save passwords or usernames in Internet Explorer, only in programs like RoboForm;
  • Never use a pirated system: buy a computer which already has Windows, or use a Linux/Unix system, or buy a Windows OS;
  • Always update your Windows operating system, all updates, important and not important;
  • Use an internet security suite, like Norton Internet Security suite 2009, which is the best in my opinion; it is worth your money;
  • Use a good browser: Google Chrome, Maxthon, Firefox, Opera, which are all free;
  • Use the Windows baseline tool, which is free;
  • Use the Advanced System Care tool, which is free;
  • Et cetera, no time to continue now.

