Comments on: Exploit in the Wild for New Internet Explorer Flaw http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/ In-depth security news and investigation Wed, 23 May 2012 01:40:28 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: PJ http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-506 PJ Sun, 17 Jan 2010 16:26:33 +0000 http://www.krebsonsecurity.com/?p=498#comment-506 Wasn't there some speculation about Microsoft source code that was viewed by China? Wasn’t there some speculation about Microsoft source code that was viewed by China?

Like or Dislike: Thumb up 0 Thumb down 1
]]> By: lembark http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-505 lembark Sun, 17 Jan 2010 15:45:13 +0000 http://www.krebsonsecurity.com/?p=498#comment-505 I'm noticing a pattern: In the last year a significant number of your articles note security holes in all available version of IE. The usual fix is to not use IE version-X (or altogether) "until" MS fixes the problem. Catch: There is always a new "problem" soon after. Perhaps the real problem is that IE is fundamentally insecure because of its design criteria: MS simply considers cute features more important than security. This offers an alternative fix for you to suggest: There are enough alternatives available on the market today -- many of them free -- that the only reasonable fix is to replace IE permanently. I’m noticing a pattern: In the last year a significant number of your articles note security holes in all available version of IE. The usual fix is to not use IE version-X (or altogether) “until” MS fixes the problem.

Catch: There is always a new “problem” soon after.

Perhaps the real problem is that IE is fundamentally insecure because of its design criteria: MS simply considers cute features more important than security.

This offers an alternative fix for you to suggest: There are enough alternatives available on the market today — many of them free — that the only reasonable fix is to replace IE permanently.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: Stardance http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-496 Stardance Sun, 17 Jan 2010 07:08:09 +0000 http://www.krebsonsecurity.com/?p=498#comment-496 The Microsoft Security Advisory about this vulnerability that Brian included in his entry on January 14 says that I.E. 8, as well as I.E. 7 and I.E. 6, are among the affected versions: http://www.microsoft.com/technet/security/advisory/979352.mspx The Microsoft Security Advisory about this vulnerability that Brian included in his entry on January 14 says that I.E. 8, as well as I.E. 7 and I.E. 6, are among the affected versions:

http://www.microsoft.com/technet/security/advisory/979352.mspx

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: Steve http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-490 Steve Sun, 17 Jan 2010 00:00:07 +0000 http://www.krebsonsecurity.com/?p=498#comment-490 This is something I just saw on a telecom e-mail list I subscribe to . . . ----- Official German warning regarding use of Internet Explorer http://bit.ly/8AYPpE (Federal Office for Information Security - Bonn, Germany) http://bit.ly/8VkQsA (Google translation into English) This is something I just saw on a telecom e-mail list I subscribe to . . .

—–

Official German warning regarding use of Internet Explorer

http://bit.ly/8AYPpE (Federal Office for Information Security – Bonn, Germany)

http://bit.ly/8VkQsA (Google translation into English)

Like or Dislike: Thumb up 0 Thumb down 1
]]> By: yuk bon http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-482 yuk bon Sat, 16 Jan 2010 20:29:13 +0000 http://www.krebsonsecurity.com/?p=498#comment-482 the google attacks were against dissidents, no? I can't see how anyone other than the chinese government would bother with that. the google attacks were against dissidents, no? I can’t see how anyone other than the chinese government would bother with that.

Like or Dislike: Thumb up 2 Thumb down 1
]]> By: Rick http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-481 Rick Sat, 16 Jan 2010 20:11:16 +0000 http://www.krebsonsecurity.com/?p=498#comment-481 This doesn't seem to be a 'reaction' to anything. This doesn’t seem to be a ‘reaction’ to anything.

Like or Dislike: Thumb up 1 Thumb down 2
]]> By: Rick http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-480 Rick Sat, 16 Jan 2010 20:09:53 +0000 http://www.krebsonsecurity.com/?p=498#comment-480 Ah yes the Honkers. They've been around a long time... ;) Ah yes the Honkers. They’ve been around a long time… ;)

Like or Dislike: Thumb up 0 Thumb down 1
]]> By: Rick http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-479 Rick Sat, 16 Jan 2010 20:08:09 +0000 http://www.krebsonsecurity.com/?p=498#comment-479 Servers, yes. But the individual boxes which might be directly accessible or through a targeted mail attack... Servers, yes. But the individual boxes which might be directly accessible or through a targeted mail attack…

Like or Dislike: Thumb up 1 Thumb down 1
]]> By: Rick http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-478 Rick Sat, 16 Jan 2010 20:05:20 +0000 http://www.krebsonsecurity.com/?p=498#comment-478 Or Safari for OS X even. Then you're really secure! Or Chrome or FF for Linux or OS X or Camino for OS X. There are so many good alternatives! Or Safari for OS X even. Then you’re really secure! Or Chrome or FF for Linux or OS X or Camino for OS X. There are so many good alternatives!

Like or Dislike: Thumb up 2 Thumb down 0
]]> By: M Henri Day http://krebsonsecurity.com/2010/01/exploit-in-the-wild-for-new-internet-explorer-flaw/comment-page-1/#comment-475 M Henri Day Sat, 16 Jan 2010 19:36:06 +0000 http://www.krebsonsecurity.com/?p=498#comment-475 George Kurtz's «McAfee Security Blog» has the following to say on the matter : «Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.» The above isn't what one would call pellucid, but I interpret it to mean that *all* versions of IE, including IE8 which is installed by default on Windows 7, are affected. Google China may well have been testing websites and services on IE6, as, according to StatCounter's statistics (http://preview.tinyurl.com/y933y5o ), as many as 60 % of Chinese users are still running this ancient, and very unsafe browser (in a country where the domination of IE is total - perhaps the Chinese would do well to test other browsers ?). But I find it hard to believe that Google employees, as aware as they must be of security concerns, would have been using the browser for anything other than the purposes described above. And Google's servers run Linux OS, so I find it difficult to imagine that IE, and in particular, IE6 could have been used as an attack vector to access privileged data, which presumably would not be available on computers used for testing how websites render. There are a fair number of factors in reports being promoted on the web that, to me at least, don't seem to add up.... Henri George Kurtz’s «McAfee Security Blog» has the following to say on the matter :

«Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.»

The above isn’t what one would call pellucid, but I interpret it to mean that *all* versions of IE, including IE8 which is installed by default on Windows 7, are affected. Google China may well have been testing websites and services on IE6, as, according to StatCounter’s statistics (http://preview.tinyurl.com/y933y5o ), as many as 60 % of Chinese users are still running this ancient, and very unsafe browser (in a country where the domination of IE is total – perhaps the Chinese would do well to test other browsers ?). But I find it hard to believe that Google employees, as aware as they must be of security concerns, would have been using the browser for anything other than the purposes described above. And Google’s servers run Linux OS, so I find it difficult to imagine that IE, and in particular, IE6 could have been used as an attack vector to access privileged data, which presumably would not be available on computers used for testing how websites render. There are a fair number of factors in reports being promoted on the web that, to me at least, don’t seem to add up….

Henri

Like or Dislike: Thumb up 2 Thumb down 0
]]>