Run Windows Update. NOW.

Dec 18, 2008 00:09

Seriously, there's a major security hole in Internet Explorer that also opens up vulnerabilities in other browsers. Even if you rarely if ever use IE, you need to secure your system if you're running Windows. If you don't know how to, Yahoo! Tech has a handy guide. It's fairly major, several popular websites have been hijacked, one well known ( Read more... )

zero hour, web security, firefox, internet explorer, safari, opera, firefox extensions, foxit, microsoft, chrome


Comments 32

matgb December 18 2008, 00:12:58 UTC
NB, if you work in an office and don't have admin abilities, definitely check with the IT department ASAP to confirm they're up to date.

Those of you fighting the "can we switch to a better bit of software please" fight may find this useful extra ammo. Those of you just putting up with using IE at work, seriously, start putting pressure on bosses and IT.

Using IE could really mess up your company's bottom line.


js84 December 18 2008, 01:18:20 UTC
(From BBC website article)

Said [third-party security advisor] Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

What about all the other flaws?

And what's the vulnerability that affects PDF files?


matgb December 18 2008, 12:35:21 UTC
The Zero Day exploit works by remote running files, thus it tells IE to boot Adobe Reader to get access to the XML thingy.

Or something.

MS has to say don't switch. Believing them is up to the guy paying the bills.



(The comment has been removed)

matgb December 18 2008, 12:47:54 UTC
I'm told it defaults to send the user agent as IE - it definitely did when I installed it ages back, haven't done a fresh install for ages. It may be they've switched that stupidity off (seriously, telling your software to pretend it doesn't exist thus you don't show up in stats is an interesting idea, but reverse marketing isn't my idea of good practice).

The actual problem is in the IE XML buffer, which Opera apparently uses. If that means stuff to you, great.



fridgemagnet December 18 2008, 00:53:42 UTC
I'm not sure what you mean about Opera; iirc Opera does have a "use IE to view this page" option, but there are Firefox modules that do the same and neither are at all common except with web developers.


fridgemagnet December 18 2008, 13:02:44 UTC
That makes sense. I'm quite surprised that Opera does that actually, but in this instance it was unwise.

The thing is of course that while in this instance Opera trusted Windows not to be vulnerable to buffer overflow attacks when it was, there's nothing to say that Firefox or Chrome or whatever other browser isn't also trusting some other Windows service which is vulnerable.

Unfortunately you sort of _have_ to trust some of the services of the OS you're running on, and while some companies trust very few of them (Opera for instance does a whole load of stuff on its own, which is why it looks slightly odd and I was surprised to see this) they're all going to trust a few. In this instance Opera is vulnerable and other browsers which don't use that service aren't, but that's not indicative of some sort of long-term issue with Opera IMO.



tiredstars December 18 2008, 01:02:54 UTC
Someday my office may upgrade from IE6. :/


tiredstars December 18 2008, 01:06:40 UTC
Strangely, most of the headings in the side-frame on the Windows Update page appear to be in Korean at the moment.



paulgregory December 18 2008, 02:05:00 UTC
"if the default behaviour is to pretend to be IE and open up vulnerabilities"
That's slightly misleading. The pretend-to-be is user-adjustable but it's mainly useragent stuff and possibly some box-model interpretation. From what I understand, the vulnerabilities from XML rendering are not due to "default behaviour" in the same sense; I doubt there is another XML rendering option. (I may be wrong, I don't touch desktop Opera).


matgb December 18 2008, 12:49:10 UTC
Ah, I'm conflating stuff again. More digging reveals you're right, it's the XML buffer. Meh, not my area of expertise, I just pass on important stuff when I see it.


