MS issues brown alert over unpatched IE 7 flaw

Hackers have upped the ante by launching more attacks against an unpatched IE 7 flaw. Microsoft warned on Saturday that attacks targeting the vulnerability, which affects versions of its flagship browser on all supported versions of Windows, are becoming more widespread. The security bug first came to prominence a week ago, …

COMMENTS

This topic is closed for new posts.
  1. dervheid

    Suggested workarounds to defend against the flaw...

    How about "ditch IE, pick another browser, ANY other browser"

  2. Pierre

    "Suggested workarounds...

    ... to defend against the flaw, pending a security patch from Microsoft, include disabling active scripting"

    The only really efficient workaround is to switch to another browser. The other recommended measures are only half-arsed mitigations (as MS admit on their page about the vuln).

  3. Shaun Forsyth

    What is the unpatched flaw?

    It's great to tell us that MS have yet again not fixed a problem, but how about telling us what the problem is, how it affects a user, or even linking to an article which does tell us.

  4. Anonymous Coward

    Brown alert

    It will involve changing the bulb sir

  5. bass daddy

    And a brown alert is

    the colour of the IE development team's pants at the moment.

  6. Anonymous Coward

    So, Microsoft ...

    ... aren't you so happy that you integrated your browser so tightly into the OS?

    I guess in the run to push up your numbers by bundling, you didn't figure how much money and time it would cost?

    Perhaps if your browser had any sort of concept of separation from the OS, you wouldn't have to worry about exposing every 1 in 500 of your customers (assuming they're all paying - which might be assuming a lot) to Bad Things.

    I'm not a Firefox/Safari/Mac/Linux fanboi - but come on, hasn't this gone on long enough? Surely someone who works there can figure out how to untangle the browser from the OS and then isolate the OS?

  7. Jodo Kast

    re: So, Microsoft...

    Back in 1999, when Microsoft did the integration trick, I saw this coming...

    I remember the response from friends: But, but, but think of all the features if your OS can be controlled from the Internet!

    Security is never considered, it's a shame.

  8. Tris Orendorff

    "Brown Alert" Hoo! Hoo!

    You Brits come up with the funniest titles. If I tried to emulate your style in Canada I would be defenestrated from the highest igloo in the land.

    Keep up the good work.

  9. Anonymous Coward

    ...dum da dum da dum...

    What else do I need to say... a fix is available for download. Just Google for the word "Ubuntu". Happily surfing for the last three years with it, happy to report no security incidents since.

    Oh, yes, nor have I had any security issues with Windows at work. Mmmmm... must have something to do with the level of computer literacy, I hear you Windows fanboys saying.

    Before dismissing my argument, consider that my Linux box is used by my kids (less than ten years old). While I've not botched beyond repair a Windows box in my life, my children have been able to do it with every single Windows release since Windows 95 without even trying.

    Not with Linux, however. The reasons to explain that are left as an exercise to the reader.

  10. Uncle Slacky

    BBC recommends switching browser

    BBC (World Service at least) is recommending that users switch to another browser until it's fixed - dunno where the advice is coming from, however - this article just says "internet experts" (Elders of the Internet, perhaps?):

    http://news.bbc.co.uk/1/hi/technology/7784908.stm

  11. Anonymous Coward

    Stop whining and wait for the patch...

    .. even Firefox gets security patches you know, just less people bitch about Firefox exploits 'cause it's less fun.

    Also Linux DOES have exploits, but they are generally less damaging due to user accounts (more on that in a moment), and less widespread when stuff does happen.

    Oh and "Not with Linux, however. The reasons to explain that are left as an exercise to the reader" <--- you let your kids use a Windows box with admin privileges; do your kids play about with root on your Linux machine as well?

  12. Anonymous Coward

    To all you MS detractors.

    I'm no fan of MS or Windows (I run xubuntu at home), however all this advice that people should change OS is frankly naive. If there is such a thing as an anti-fanboy then that's what you saddos are.

    People use MS for all sorts of reasons:

    It's what came with the PC.

    It's what they use at work.

    It's the one that most of the commercially available games work on.

    etc.

    etc.

    etc.

    Normal people are not going to wipe their PC and install a new OS, and you are living in cloud cuckoo land if you really expect it to happen. I will happily fit a car with better components, Honda V-TEC in a Mini? (a real one) No problem, it's a better engine than an A series. However I wouldn't expect most people to do the same, they don't have the knowledge or the skills.

    As for the corporate use of Windows. As long as your IPS is up to date, this particular exploit, and indeed most exploits, will have no effect on you. You do have a decent IPS, don't you?

  13. MacroRodent

    more ..dum da dum da dum...

    News like this makes me even gladder I set up my almost totally computer-ignorant aunt-in-law with a laptop running Linux. She mainly uses it for mail and ebanking, which both took some teaching - exactly as much as if the system had run Windows, since she had no prior experience, so no problems with the system not looking exactly like Windows... I'm pretty sure that if it had run Windows, the laptop would now be crawling with worms and trojans.

  14. Doug

    another solution ..

    "do your kids play about with root on your linux machine as well", anon

    Well no, but Windows isn't usable unless you are logged in as admin. In this age of phishing and malware epidemic I would suggest using a bootable CD for any kind of online financial transaction ..

    http://distrowatch.com/

  15. Anonymous Coward

    re: To all you MS detractors.

    "Normal people are not going to wipe their PC and install a new OS .. I wouldn't expect most people to do the same, they don't have the knowledge or the skills"

    Installing Linux isn't really that much of a hassle and you don't need to wipe anything; the new installation will most happily make room for itself and dual boot with Windows. Before installing you can run it from the bootable CD just to make sure it works. There's a version given away with the computer mags. You can pick one up at most newsagents/bookshops.

    http://distrowatch.com/

  16. Jon Kale

    "Windows isn't usable unless you are logged in as admin"

    Can I have some of what you're smoking? Or are you really that much of a fucktard?

  17. Steven Snape

    As a non-nerdy tech dealing with the public

    I would suggest to Microsoft to release IE as one program like it already is, but in three flavours that idiots can understand and deal with:

    RED (no Java/no script/no ActiveX, etc): Use for smut, music, torrents, general browsing and things that are high risk.

    ORANGE: Use for sites that you need to use but can't use on red.

    GREEN (standard IE): Use for banking and shopping and big name sites, BBC, etc.

    You can tell the public to download Firefox as much as you like but 50% of them will get a virus trying to do that.

    A stupid idea?? I'll get my coat :)

  18. skymt

    re: So, Microsoft...

    You know this vulnerability is a buffer overflow, right? It has nothing to do with ActiveX or any sort of OS integration. It's simple code injection and execution, which can happen (and has happened) with any browser, even Firefox.

    re: Steven Snape

    That's what security zones are for. All Microsoft needs is a simpler UI around them, one that doesn't require going into the settings dialog to add a domain to a white/blacklist. Not that they would have prevented this bug (AFAIK it's in the parser, and exploitable without ActiveX or JavaScript), but they would be generally useful.
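
As an added, defender-side example (not from the article or any commenter): a PowerShell script that reports how the "Active scripting" action is set in the Internet and Restricted sites zones, in both the current user's settings and the machine-wide policy hive, and can optionally set it to Disable for the Internet zone, the interim workaround the article cites. The zone numbers and URL-action code follow the documented Internet Explorer zone registry layout; the function and parameter names are this example's own, and, as the thread notes, the workaround does not cover every way the bug can be reached.

```powershell
# Added example: audit (and optionally apply) the "disable Active Scripting"
# interim workaround using the Internet Explorer zone registry layout.
# Zone numbers: 3 = Internet, 4 = Restricted sites.
# URL action 1400 = Active scripting; values 0 = Enable, 1 = Prompt, 3 = Disable.
# Function and parameter names are the example's own, not Microsoft's.

$ZoneRoots = @{
    'HKCU user settings' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'HKLM group policy'  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}
$ActiveScripting = '1400'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    # Returns one record per (hive, zone): the raw DWORD and what it means.
    # A value under the group-policy hive takes precedence over the user's own.
    param([int[]]$Zones = @(3, 4))
    foreach ($label in $ZoneRoots.Keys) {
        foreach ($zone in $Zones) {
            $key = Join-Path $ZoneRoots[$label] $zone
            $raw = $null
            if (Test-Path $key) {
                $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$ActiveScripting
            }
            if ($null -eq $raw) {
                $state = 'not set'
            } elseif ($Meaning.ContainsKey([int]$raw)) {
                $state = $Meaning[[int]$raw]
            } else {
                $state = "unknown ($raw)"
            }
            [pscustomobject]@{ Hive = $label; Zone = $zone; Value = $raw; State = $state }
        }
    }
}

function Disable-InternetZoneActiveScripting {
    # Sets action 1400 to 3 (Disable) in the current user's Internet zone (3).
    # Check the audit output first: a group-policy value would override this.
    $key = Join-Path $ZoneRoots['HKCU user settings'] 3
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
}

Get-ActiveScriptingSetting | Format-Table -AutoSize
# Uncomment to apply the workaround for the current user:
# Disable-InternetZoneActiveScripting
```

Run the audit first on a test account; applying the change breaks sites that need scripting until they are moved to the Trusted sites zone, which is exactly the UI friction skymt describes.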

  19. Brian Gannon

    BBC and technology news just don't mix.

    Shocking sensationalist reporting from the BBC. Just don't go anywhere near porn and warez and you will be OK.

  20. Anonymous Coward

    @Doug

    What Jon said. We have some 2000 users where I am all running as standard users. Sure, there's the odd stupid app out there but a few registry tweaks and the odd script to set the right security and 99% of them are fine.

    Need to do some admin? That's what runas is for, just like sudo/su. Or of course Vista uses the more Ubuntu-like UAC.

  21. Anonymous Coward

    @AC

    "Stop whining and wait for the path...

    .. even firefox gets security patchs you know, just less people bitch about firefox exploits cause it's less fun."

    Oh right, so that's the answer then, "I know I've got a security flaw in my browser, I know it's a very serious one and I know that literally hundreds of people's machines have been compromised by it and I know there are thousands of websites that have been infected with code to exploit the vulnerability, but I'm not going to do anything about it".

    Yeah man, like that's the right attitude. The right attitude is to take action to prevent your machine from being compromised. If that means using another web browser then one should take such action. Sitting back and doing nothing when in full possession of the facts is not an option, unless you are stupid.

  22. Moss Icely Spaceport

    IE?

    I always thought IE stood for: Infects Everyone

Biting the hand that feeds IT © 1998–2022