Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online.
Microsoft warned last week that it was aware of public reports that criminal hackers were using the vulnerability — present in IE 6 and IE 7 — in limited attacks. A few days later, a security researcher put together a working exploit for the flaw, based on a snippet of code he said he found referenced on a McAfee blog post (McAfee says it will be closely reviewing future blog posts to make sure they don’t inadvertently help the bad guys).
Redmond is still working on an official update to plug this security hole, but in the meantime it has released another “fix-it” tool that should allow Windows users to disable the vulnerability at issue. To use this tool, click the “Fix It” icon under the “Enable this fix” heading at this link. Microsoft also has a “fix it” tool to help IE6 and IE7 users turn on a feature called data execution prevention (DEP), which can help Windows block certain types of common but harmful software exploits. To enable the DEP, click the “Fix it” icon under the heading “Enable Application Compatibility Database” at this link.
Note that if you are already running IE8 on Windows XP Service Pack or a newer version of Windows, DEP is already enabled (and you don’t have to worry about this particular IE vulnerability). If the “Fix it” tools cause any problems on your system, you can undo the changes by clicking the relevant “Disable this fix” icons.
In other news, Apple has pushed out a new version of its Safari Web browser that includes some important security patches. Updates are available for both Mac and Windows versions of the software. Windows users can grab the update through the Apple Software Update tool, while Mac users can patch via Software Update.
We’re into our third decade of Internet exploits if we count the 1988 Morris worm as the beginning. We now have large criminal enterprises riding on the backs of software problems that should have been engineered out of existence long ago. I’m starting to wonder what will get us to secure systems faster, helping the good guys or helping the bad guys. All we seem to be doing by helping the good guys is letting them avoid responsibility by feeding their reactive reporting systems that don’t address the root causes of these flaws. In these situations where business interests fight tooth and nail against regulation, only a disaster seems to get us the regulation and accountability we need. So, do we want our cyber disaster now, or later when we’re more dependent on these systems? I hope this is a false dichotomy, but I’m starting to lose hope that it is.
Getting everyone to use live CDs would be a good start. Then people could worry about how to create and use secure systems.
Safari 4.0.5: on Mac OS X at any rate it’s turned into a RAM sucker, using up to 1 GB VM when accessing wave.google.com. And why do they archive and hide the previous version on disk when their code has no facility for restoring it?
Thank you for providing really informative posts on your site. How can I find your RSS feed?
Doesn’t this continual fixing of problems indicate an underlying tangled complexity so great that the usually brilliant minds so creative here are always ultimately behind interwoven curves?
Is there such a rush to get competitive products in the market that these new “things” aren’t completely worked through?
Is there an innate competitive urge to sabotage each of these creative efforts as they appear?
We’re never going to see the end of these “fixes” are we?
Sisyphus,
Software is amazingly difficult to write “cleanly” and you can’t absolutely prove that it’s bug-free (at least for anything beyond the simplest code).
From my earliest coding days with Fortran on punch cards, the simplest bugs were ferociously difficult to fix, due to nothing other than the font that the code was presented in! It’s easier now since fonts are better, but try this on for size:
the capital letter for the character between N and P – “O” and the digit that represents a number smaller than 1 – “0”.
Here, it’s relatively clear they are different characters, but imagine a poorly designed font produced by a crappy dot matrix printer where you literally could not tell them apart!
This is an almost trivial example, but scale it up to a program (or Operating System) with millions of lines of code, and there will be bugs, no ifs, ands or buts. Significant effort and better tools can definitely reduce the numbers and severity, but it is literally impossible to completely eliminate bugs.
I’ll take that example of Scott Rabinow’s about fonts as sort of the summing up of where we seem to stand. I won’t even think about “reading” machines or “translating” devices.
Suppose:….. a committee of Biblical scholars huddled over their laptops, heartbeats increasing with increased agitation….or, genetic researchers of just about any trait…..
Stock (…gasp!) market models……
…remember the Archimedes Palimpsest?
A more in-depth discussion of the issue:
http://catb.org/jargon/html/0/numeral-zero.html
@ Scot Rabinow
As I’ve read over the security bulletins posted I seem to see a lot of references to buffer over run or unchecked buffer – would you say that this type of flaw covers most of the security flaws in software? If so why not check every buffer? I’m not convinced that just because a piece of code was produced by company X it is any better or any worse than code produced by company Y or group Z. I think your insights on some of these issues could be informative.
“We’re never going to see the end of these “fixes” are we?”
No. We have a decade of experience which argues that no large software system will be completely fixed before it is replaced by something new that needs new fixing. If the patch approach was working, things would be getting better, but In fact malware is demonstrably worse, both in quantity and power.
Microsoft continues to escape blame for the malware problem, which seems odd since about 93 percent of browsing occurs under Windows. Yes, Microsoft puts a lot of effort into patching user systems, but things are getting worse nevertheless. The current approach has failed, and, yes, there are alternatives:
* Microsoft could develop tools to certify a Windows installation as clean for use in on-line banking.
* Microsoft could develop a fast Windows re-install to over-write and clean up any infection.
* Microsoft could supply a new “live” CD on-line banking operating system (OS).
* Microsoft could support hardware system re-design to prevent infection.
Most Individuals and small businesses seem either uninterested or scared to take action to secure their systems. It is possible right now to run a free OS which stops most current malware. Loading from CD or DVD automatically avoids existing Windows infections. A laptop can even run without a hard drive, which then cannot be exposed or infected, while still working in reasonable comfort.
For online browsing I use Puppy Linux loaded from DVD, and describe it in:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM
After the Puppy DVD is set up, most user time is spent in Firefox, not Linux. My non-technical wife uses and likes it for banking, email and Facebook.
‘Is there such a rush to get competitive products in the market that these new “things” aren’t completely worked through?’
Yes. See Mark Minasi’s The Software Conspiracy. It’s not a screed – it’s a survey and set of interviews with leading software companies.
‘We’re never going to see the end of these “fixes” are we?’
Yes. But only if the mindset changes and only if the underlying OS is not such an easy open target. No browser code is ever perfect but flaws don’t have to lead to eminent destruction.
Third generation exploits? Perhaps. But IT online is still in puberty.
Because when it was first released it had many problems and incompatibilities, and because about the only thing I use IE for is online banking (some banking sites are not fully functional with Firefox), I am still running IE 7. When I tried to print from my bank site’s bill pay page today, I got a “script error” window and was unable to print any part of any page. I’m guessing that’s because of one or both “Fix-its” mentioned in Brian’s post (I installed both). Anyone else run into anything like this? Maybe I should just go ahead and install IE 8…