Critical zero-day bug in Internet Explorer under active attack
[QUOTE]Researchers have uncovered active malware attacks that exploit a critical and previously unknown vulnerability in the latest versions of Microsoft's Internet Explorer browser. The attacks are being waged by the same malware group that recently exploited a separate, zero-day vulnerability in Oracle's Java software framework. The attacks install the Poison Ivy backdoor trojan when unsuspecting people browse a booby-trapped website using a fully patched version of Windows XP running the latest versions of IE 7 or IE 8, according to a blog post published Monday morning by Jaime Blasco, a researcher with security firm Alien Vault. The underlying vulnerability can be exploited on many computers running Windows Vista and Windows 7, and it also affects version 9 of the Microsoft browser, said HD Moore, CSO of security firm Rapid7 (and the chief architect of the open-source Metasploit tool kit used by penetration testers and hackers). He said a Metasploit module researchers already added to the framework works against the later operating systems when Oracle's Java Standard Edition 6 or Microsoft's Visual C runtime library is installed. The software add-ons make otherwise protected systems vulnerable by allowing attackers to bypass a malware defense known as ASLR, or address space layout randomization, that debuted in Windows Vista. "What may be most worrying is that Windows Vista and 7 don't protect you," Moore told Ars. "This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got to work across every one of these platforms." The exploits circulating in the wild may be relying on other methods to override the more limited defenses included in the Service Pack 3 version of Windows XP.
According to Eric Romang, the researcher who disclosed the IE attacks over the weekend, they require the victim to be running Adobe's Flash Player, possibly to carry out what's known as a "heap spray" (another technique for bypassing ASLR). The attacks are being carried out by the same gang that waged the recent stealth attacks against critical vulnerabilities in Java. The files used in the latest wave of attacks (cataloged here, here, here, and here) had little or no detection by the 34 most widely used antivirus programs, at least at the time Romang published his blog post. It wouldn't be surprising for detection to ramp up quickly in the next few hours. Yunsun Wee, director, Microsoft Trustworthy Computing, said in a statement that Microsoft is aware of "targeted attacks potentially affecting some versions of Internet Explorer" and are investigating. "We have confirmed that Internet Explorer 10 is not affected by this issue," she wrote. She went on to recommend customers install EMET 3.0. Short for Enhanced Mitigation Experience Toolkit, the Microsoft utility brings enhanced security protections to Windows, particularly earlier versions of the operating system. Windows users should avoid using IE until more is known about the vulnerability. As Ars has counseled before, Java should be kept up-to-date or uninstalled altogether if users don't rely on it to enable other software to work. For users who are unable or unwilling to uninstall Java, updating to Java Standard Edition 7 appears to be another way to remain protected from this threat, although it immediately opens users up to a separate critical vulnerability in Java that Oracle has yet to publicly acknowledge. Moore said the attacks are exploiting a use-after-free vulnerability in IE that allows attackers to create an image URL that references uninitialized memory. The in-the-wild attacks appear to be targeting only Windows XP systems.
But with release of Metasploit code that works on a much wider array of platforms, it wouldn't be surprising to see attacks target those systems as well. Even when people don't actively use IE, many utilities and third-party applications make use of IE code. That opens the possibility that people on public WiFi systems and other unsecured networks could inject malicious code into a victim's Web traffic in an attempt to exploit the vulnerability. "Just keep in mind that even if you don't use IE for day-to-day browsing, a lot of tools you use do embed IE and those are vulnerable," Moore said.[/QUOTE] [url]http://arstechnica.com/security/2012/09/critical-zero-day-bug-in-microsoft-internet-explorer/[/url] lets just stop using the internet
lets just stop using IE
[QUOTE=jordguitar;37704680]lets just force the illiterates stop using such a shit browser[/QUOTE] I think this would be the better solution.
[QUOTE=wickedplayer494;37704703]I think this would be the better solution.[/QUOTE] [QUOTE]"Just keep in mind that even if you don't use IE for day-to-day browsing, a lot of tools you use do embed IE and those are vulnerable," Moore said.[/QUOTE]
What's an Internet Explorer? I use google
[QUOTE=PassTheBong;37704718]What's an Internet Explorer? I use google[/QUOTE] no you dont
[QUOTE=jordguitar;37704713]-quote-[/QUOTE] Then we'll ditch those too. Most of those tools would probably be shit from the first place.
Clippit's revenge
[QUOTE=wickedplayer494;37704724]Then we'll ditch those too. Most of those tools would probably be shit from the first place.[/QUOTE] have fun with that
They should update IE to 10 then?
[QUOTE=jordguitar;37704731]have fun with that[/QUOTE] I will, thank you very much.
The latest IE is decent, if not great. The only reason I'm not using it is because I'm used to chrome and they're now both pretty similar performance wise. Also it only affects WinXP SP3 users if I'm reading this correctly.
[QUOTE=wickedplayer494;37704724]Then we'll ditch those too. Most of those tools would probably be shit from the first place.[/QUOTE] Like steam? [editline]17th September 2012[/editline] [QUOTE=-Get_A_Life-;37704769]The latest IE is decent, if not great. The only reason I'm not using it is because I'm used to chrome and they're now both pretty similar performance wise. Also it only affects WinXP SP3 users if I'm reading this correctly.[/QUOTE] No, it affects Vista and 7 users too.
[QUOTE=neos300;37704790]Like steam?[/QUOTE] Steam uses Webkit for its browser.
[QUOTE=neos300;37704790]Like steam? [editline]17th September 2012[/editline] No, it affects Vista and 7 users too.[/QUOTE] steam is using webkit now it used to use ie for things
[QUOTE=neos300;37704790]Like steam? [/QUOTE] Steam runs on the CEF, if I'm not mistaken.
[QUOTE=-Get_A_Life-;37704769]The latest IE is decent, if not great. The only reason I'm not using it is because I'm used to chrome and they're now both pretty similar performance wise. Also it only affects WinXP SP3 users if I'm reading this correctly.[/QUOTE] it affects xp vista and 7 no idea on 8 but they are headlining xp because they are fear mongering to get people off xp
[QUOTE=neos300;37704790]Like steam? [/QUOTE] Afaik last year they changed the render to webkit.
[QUOTE=jordguitar;37704825]it affects xp vista and 7 no idea on 8 but they are headlining xp because they are fear mongering to get people off xp[/QUOTE] It says it doesn't work in IE10, which is Windows 8's metro version of IE, but that's probably because it doesn't run (and won't run) flash.
My bad guys, I'm out of the times.
Wait does this include Internet Explorer on windows phone? [editline]17th September 2012[/editline] Oh never mind only XP, well people should be using a different browser if they're on IE, 8 is shit
[QUOTE=and;37704902]It says it doesn't work in IE10, which is Windows 8's metro version of IE, but that's probably because it doesn't run (and won't run) flash.[/QUOTE] Nope, IE10 is the latest version of IE it doesn't run on Metro.
[QUOTE=Wootman;37704936]Nope, IE10 is the latest version of IE it doesn't run on Metro.[/QUOTE] What? From the article: [quote]"We have confirmed that Internet Explorer 10 is not affected by this issue," she wrote.[/quote] The desktop version of IE in Win8 is still IE9, though.
It's actually labeled as IE10 but nothing from my view has changed
[QUOTE=and;37704952]What? From the article: The desktop version of IE in Win8 is still IE9, though.[/QUOTE] [img]http://puu.sh/168HZ[/img]
I don't use IE I use Facebook
[QUOTE=wickedplayer494;37704703]I think this would be the better solution.[/QUOTE] The problem isn't necessarily IE when it comes to this group. Yeah, IE's complete shit, but smart users forced to run IE for whatever reason can still browse without getting destroyed, and the idiots will find a way to malware up their machine even with a good browser trying to protect them from themselves.
The fact of the matter is, it's impossible now to stop using IE. There are many websites out there that everyday companies use for their business that are only fully functional in IE. I wish it were possible today to completely rid ourselves of IE and go to Chrome or Firefox even. Sadly, IE still has its uses.
IE full of holes? Surprise surprise.
[QUOTE=gamefreek76;37706854]IE full of holes? Surprise surprise.[/QUOTE] if you read it, you'll notice that it's a vulnerability due to Flash being super shitty.