THURSDAY SEPTEMBER 21 2006 11:30 AM

Microsoft Won't Patch Latest IE Exploit Until October

Another day, another Internet Explorer exploit. The thing that makes this one different and potentially disastrous, though, is that it can nail fully patched IE browsers.

Malicious software can be loaded, unbeknown to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a website or in an email message, several security companies said.

Ken Dunham, director of the rapid response team at VeriSign's iDefense, said in an emailed statement: "Fully patched Internet Explorer browsers are vulnerable. This new zero-day attack is trivial to reproduce and has great potential for widespread web-based attacks in the near future."

This exploit is a nightmare for Internet porn aficionados, too.

Shady adult websites are among the first to exploit the IE vulnerability, Eric Sites, vice president of research and development at spyware specialist Sunbelt Software, wrote on a corporate blog. In one case, a malicious website used the exploit to install "epic loads of adware", according to Sunbelt.

Security nerds are worried that this exploit could explode quickly, because it's included in the latest update of the WebAttacker toolkit, which can be purchased for as little as twenty dollars.

WebAttacker is a modular hacker toolkit that uses a simple Web interface to let attackers choose from numerous exploits -- the VML exploit is only the most recent -- to "serve" any visitor of a malicious site. The kit even identifies the visitor's operating system (say, Windows XP SP2), the browser used, and the presence of anti-virus software, then chooses the best exploit to run, Symantec said in an entry on its security team's blog Wednesday.

Faced with this possibility, Microsoft is racing to patch the hole immediately, right?

Wrong. Though Microsoft reportedly said an update might be released sooner, "depending on customer needs," we all know that Microsoft's browser and system security take a backseat -- in a different vehicle that's left unstarted in the garage with the tires deflated -- to more important company concerns, like immediately patching cracked DRM. Right now, the company won't address the problem until October 10th, when the next scheduled Windows update will be released.

If you don't want to wait until October 10th, when the Borg say the exploit will be assimilated into a security patch, and you don't want to switch to Firefox, Dark Reading has some steps you can take to protect your system yourself.


Comments
thefreak

NEWSWIRE

Gardner, MA

SEP 21, 2006 12:05 PM

Or, you could switch to Firefox anyway, and not have this kind of problem. I haven't touched IE since I used Firefox, and I haven't had nearly the amount of crashing and adware since.

-TM

mydogfarted

Oakland, NJ
June 2003

SEP 21, 2006 12:25 PM

I had to before someone else did. They're not perfect, but not nearly as awful as Windows.


Snottlebocket

Netherlands
March 2004

SEP 21, 2006 12:39 PM

Evermansice

Chicago, IL
July 2005

SEP 21, 2006 12:52 PM

If you don't want to wait until October 10th, when the Borg say the exploit will be assimilated into a security patch, and you don't want to switch to Firefox, Dark Reading has some steps you can take to protect your system yourself.



Why would you not want to switch to Firefox?

mellon

USA
October 2004

SEP 21, 2006 12:54 PM

This is actually classic. Unfixed exploits are quite common, and not fixing them until the end of the month is par for the course. The only time Microsoft has issued a non-monthly security patch in recent history was when someone figured out a way to bypass Windows Media Player's copy protection. That fix came out the day after the hack was announced. Weird priorities.

Signum

Germany
August 2006

SEP 21, 2006 01:25 PM

I agree with Snottlebocket

Shroomysmurf

Bremerton, WA
April 2006

SEP 21, 2006 03:08 PM

Firefox FTW!

grimace66

Gibbstown, NJ
July 2004

SEP 21, 2006 03:39 PM

Let's be fair here: Firefox is not without its own issues. I'm not saying that M$ is the greatest thing in the world by far, but none of the browsers are without issues.

malkav11

Saint Paul, MN
July 2003

SEP 21, 2006 07:32 PM

grimace66 said:
Let's be fair here: Firefox is not without its own issues. I'm not saying that M$ is the greatest thing in the world by far, but none of the browsers are without issues.



I'm not sure what your point is. Nobody's argued that Firefox is a flawless shining beacon of truth and light in our darkest night. It's just better than IE.

dustbuster

San Francisco, CA
OLD SKOOL

SEP 21, 2006 07:43 PM

More to the point, Firefox gets prompt security patches, and they are painless to install. You don't have to treat them as an operating system upgrade, which is what makes IE updates so infrequent and underused.

egorgry

Newton, NJ
February 2005

SEP 23, 2006 01:45 PM

Opera is pretty close to perfect. I use Firefox, but Opera is a great alternative to consider.
http://secunia.com/product/10615/


Vendor: Opera Software
Affected By: 1 Secunia advisories
Unpatched: 0% (0 of 1 Secunia advisories)
Most Critical Unpatched: There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

Vendor: Microsoft
Affected By: 106 Secunia advisories
Unpatched: 18% (19 of 106 Secunia advisories)
Most Critical Unpatched: The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 6.x, with all vendor patches applied, is rated Extremely critical

Vendor: Mozilla Organization
Affected By: 36 Secunia advisories
Unpatched: 8% (3 of 36 Secunia advisories)
Most Critical Unpatched: The most severe unpatched Secunia advisory affecting Mozilla Firefox 1.x, with all vendor patches applied, is rated Less critical

malkav11

Saint Paul, MN
July 2003

SEP 23, 2006 05:41 PM

Wasn't especially impressed with the Mac version of Opera. The PC version is probably better, but either way they're not free. Firefox is free.

egorgry

Newton, NJ
February 2005

SEP 24, 2006 08:01 AM

malkav11 said:
Wasn't especially impressed with the Mac version of Opera. The PC version is probably better, but either way they're not free. Firefox is free.



When was the last time you tried Opera? It runs great on Linux and Windows. I can't speak for how it performs on the Mac, but Opera is free... "free as in beer", and has been for a while now, at least a year. If it's a GNU "free as in freedom" thing you speak of, then yes, Opera is not OSS. But let's face it, if you were concerned about OSS you wouldn't be using a Mac. wink

Cimmerian

I'm lost
May 2006

SEP 24, 2006 08:06 AM


I'm just piling on the obvious, here.

malkav11

Saint Paul, MN
July 2003

SEP 24, 2006 11:44 AM

egorgry said:

malkav11 said:
Wasn't especially impressed with the Mac version of Opera. The PC version is probably better, but either way they're not free. Firefox is free.



When was the last time you tried Opera? It runs great on Linux and Windows. I can't speak for how it performs on the Mac, but Opera is free... "free as in beer", and has been for a while now, at least a year. If it's a GNU "free as in freedom" thing you speak of, then yes, Opera is not OSS. But let's face it, if you were concerned about OSS you wouldn't be using a Mac. wink



It's free now? Okay.

I'm not knocking it, but I still don't really feel any compulsion to change my established browser. Inertia is a powerful force, and all. (I don't even use Firefox on my Mac, but Safari. Which isn't anywhere near as featureful, and all, but I like its UI better.)

Also: does Opera do anything analogous to some of Firefox's plugins, like Greasemonkey, Adblock, and NoScript? (Greasemonkey lets you run scripts to alter webpage display and functionality at your end. Adblock supports auto-updated filters of banner ads, as well as being able to manually decide to turn them and Flash elements off, removing them entirely from the page display, not just leaving a box where they used to be. And NoScript allows you to set JavaScript availability by site.)
