IE Patch For Google Attack Flaw Coming

[HardOCP News]

Microsoft is working on an out of cycle patch for that "Google attack" flaw. In the mean time, the company recommends everyone update to IE8 and use the workarounds and mitigations for this issue.

Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6. We continue to recommend customers update to Internet Explorer 8 to benefit from the improved security protection it offers. We also recommend customers consider deploying the workarounds and mitigations provided in Security Advisory 979352.

 

[ProfessorKaos64]

Unfortunately in large businesses, IE6 is still used for old applications :/ Google is sure under alot of fire lately

 

[niconx]

I wonder how long it will take these IE6 shops to install this patch...

 

[viqas]

Microsoft is sure taking its time to push out this update!

 

[ICOM]

Microsoft is sure taking its time to push out this update!

At the risk of sounding flippant, who cares about IE.

 

[jeremyshaw]

At the risk of sounding flippant, who cares about IE.

not you

 

[devil22]

At the risk of sounding flippant, who cares about IE.

The 60% of internet users that use it maybe? Frankly, I don't care about and am tired of hearing about, browsers that portend to care about security but don't even use techniques like sandboxing that IE has been using for 3+ years. But to each, his own.

 

[fightingfi]

I Recomomend everyone NOT use IE bit google chrome or Firefox

 

[anthrex]

Arg I wish updates could be forced onto these computers like it does with Firefox and Chrome. Otherwise it will be like niconx was saying that these computers won't be updated because otherwise people wouldn't be on IE 6

 

[nilepez]

Microsoft is sure taking its time to push out this update!

Taking it's time? It's been what, a week since the zero day attack was known? I'm not sure how long it takes you to thoroughly test software, but for a security patch that will likely affect millions of users, I think it's worth making an effort to ensure that the patch doesn't break anything and that it fixes the issue.

I Recomomend everyone NOT use IE bit google chrome or Firefox

FF is my favorite browser, but it sure seems like there are more security issues with it than IE8.

Seriously, I don't know how anyone can bitch too much about a problem with IE6. I'm not sure that Mozilla supports 3.0, much less 1.0 or 2.0.

I use FF almost exclusively, but I'm not sure it's safer than IE8....I'm fairly certain that if I uninstall NoScript, it's less safe.

 

[TheCommander]

I Recomomend everyone NOT use IE bit google chrome or Firefox

Firefox also has problems.

http://www.hardforum.com/showthread.php?t=1479118&highlight=firefox

 

[MrGuvernment]

ya, i love that everyone BLINDLY assumes FF is the safest ever browser, it is as bad as apple zealots assuming they are safe from the world.

Sorry, but get a clue.

 

[Parmenides]

FF is very safe... at least with noscript.

 

[pgaster]

Taking it's time? It's been what, a week since the zero day attack was known? I'm not sure how long it takes you to thoroughly test software, but for a security patch that will likely affect millions of users, I think it's worth making an effort to ensure that the patch doesn't break anything and that it fixes the issue.

QUOTE]

A week? I am sure this has been known for more than a week.

If not the same exact issue, this one was also serious and is from late November:

http://www.computerworld.com/s/article/9141363/Microsoft_confirms_IE6_IE7_zero_day_bug

Microsoft confirms IE6, IE7 zero-day bug
No word on patch plans; disable JavaScript, say researchers
By Gregg Keizer
November 23, 2009 04:03 PM ET
Comments(7)Recommended(13)DiggTwitterShare/EmailMore

Security Alert
Microsoft confirms IE6, IE7 zero-day bug

Computerworld - Microsoft today confirmed that exploit code published last week can compromise PCs running older versions of Internet Explorer (IE), but said its security team has not yet seen any in-the-wild attacks.

 

[LoneWolf]

I Recomomend everyone NOT use IE bit google chrome or Firefox

Yes, because it's so easy to patch Chrome and Firefox in a corporate environment.

In the enterprise world, all you need is a WSUS server, and you have your IE browser patches managed. Heck, even a small business can run WSUS off a Microsoft SBS box with minimal effort. Updating Chrome and Firefox isn't quite as easy.

If Chrome or Firefox ever come up with an enterprise-version browser that allows for dedicated patch management, sign me up. Until then, they are great individual browsers, but poor corporate ones.

 

[eeyrjmr]

Sod that what abt this hole!!!

http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-years-908917.html

Microsoft isn't having an easy time of it these days. In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week. The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

 

[Azhar]

At the risk of sounding flippant, who cares about IE6.

fixed

Microsoft is too busy working on current software to give a 7 year old software priority.

 

[gravityparade]

Updating browsers works great for home users but lots of people are trapped with IE6 in the business world. Although, part of the blame lies with business who refuse to step into the current decade.

 

[nilepez]

Updating browsers works great for home users but lots of people are trapped with IE6 in the business world. Although, part of the blame lies with business who refuse to step into the current decade.

I agree, but it's 2 versions back. I switched to Windows 8 during beta 1 and it worked with most apps by default, and virtually all of the others if I switched to compatibility mode. I mostly use FF, but when FF doesn't work, IE 8 always does.

With that said, I've had friends that don't update their browser either.

MS probably needs to take a page from FF and stop supporting older browsers sooner, rather than later. of course one of the reasons companies are scared to change is because they're tied into MS's old non-standard web pages.

 

[pgaster]

It turns out Microsoft knew about this flaw in September:

http://threatpost.com/en_us/blogs/microsoft-knew-ie-zero-day-flaw-september-012110

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

 

[Cyrilix]

How is this even news? Just like for all the other flaws in all the other pieces of software that exist, patches are... you said it... coming!