back to article MS warns over zero-day IE bug

Microsoft warned on Wednesday of a new zero-day vulnerability in Internet Explorer. The flaw creates a means for hackers to inject malware onto vulnerable systems, providing surfers are first tricked into visiting booby-trapped websites. As such the flaw poses a severe drive-by download risk. All established version of IE ( …


This topic is closed for new posts.
  1. McToo


    So the attackers can avoid ASLR because mscorie.dll wasn't compiled with the /DYNAMICBASE option?? Way to go... introduce new security feature, then have one of your own dlls not implement said security feature.

    Face, meet palm.

    1. Ken Hagan Gold badge

      Re: Ugh

      Yes, it's embarrassing, but what will be really embarrassing is if they now spend a month without a patch. After all, they've identified that an essential part of the exploit is MSCORIE.dll not being flagged as dynamically re-locatable, and it must be quite stunningly easy to verify that it would be safe to flip that bit because you actually need to try quite hard to create a DLL that isn't safely relocatable. (To judge from their mitigation advice, they've already done this part.)

      So, Microsoft, how long will it take to create a patch that flips one bit in one DLL header?

  2. Mattyod
    Gates Horns

    You could...

    Follow Microsoft's advice, install extra software, watch a video on how it works and start hacking around so that: "this type of exploit will most likely fail".

    Or you could just use a different browser.

    1. Lewis Mettler 1

      or just not purchase IE at all

      Oh, sorry, you have to purchase it. You were given no choice.

      Just remember if you have a copy of IE, your opinion simply does not matter.

      1. Penguin herder

        RE: or just not purchase IE at all

        "You were given no choice."

        But you DO have a choice - just apparently not one you are willing to make (yet).

  3. FordPrefect
    Gates Horns

    Ways to mitigate against the attack...

    Well I doubt this is the Microsoft approach but the easiest way to defend against this attack is to use another browser!

  4. Elmer Phud


    It's just like the old days -- Windows bugs by the hatful.

    Next they'll have the machine rebooting after every individual fix is installed.

    Makes me (sniff, sniff) remember the good times of 'Windows patches? Put the kettle on and order some pizza, we're here for the long haul'.

    1. g e

      Makes me yearn

      for Windows 3.11 where everything could be fixed using

    2. g e

      Actually I lied

      I yearn not for 3.11

      I use Ubuntu.

  5. hplasm

    Internet Exploiter

    In other news, fire is hot.

  6. Anonymous Coward


    Is it true that Microsoft have never relased any piece of software except "Calculator" and "Solitaire" that doesn't contain a massive security hole?

    1. Franklin


      Not *technically* a security bug in Calculator, but there is a security escalation vulnerability in the Help file for Calculator that in some versions of Windows can be used to open a command prompt or execute other applications that a limited user account is otherwise barred from executing.

  7. Steve Davies 3 Silver badge

    And this is somehow Newsworthy?

    Come on El Reg. I challenge you to go through all your archives and count the number of articles that have said exactly the same thing. 'Zero Day bug for IE'.

    While you are at it and in the spirit of goodwill, how about letting us comment to articles written my AO?

    Why does he not allow the readership to comment on his work? Are you trying to hide something? Will it be leaked to WikiLeaks?

    Come on El Reg, let us know. That will surely be far more interesting than Zerod Day IE Exploits especially at this time of year.

    That's me done until 2011. Off down the Brewery to pick up my order for Advent Ale.

  8. Richard Porter

    A vulnerability in IE?


    1. Mark Aggleton

      A vulnerability in Firefox


  9. BomBom

    Not new

    "a new zero-day vulnerability in Internet Explorer" > "All established version of IE (from 6 to 8) are affected" ... so it's been there a long while, hardly new is it?

  10. Anonymous Coward
    Thumb Down

    So we have to use what to update MS

    So we have to use IE to update a known flaw in IE !

    until we can update MS programs without having to be tied into IE, and forced to have it installed on our machine, then what do we expect.

    1. Ammaross Danan

      Windows Update

      Apparently, you've never seen/used the Windows Update feature baked into WinXP-Win7? Last I checked, IE was only necessary (on WinXP only) to manually download patches from MS. Since Vista, the OS simply uses the Windows Update interface to present patches to install. Even in XP, you can cause Windows Update to manually fetch patches. No need for IE.

    2. Anonymous Coward
      Anonymous Coward


      Windows update in Windows Vista and 7 is a standalone program. Windows update only runs in IE in XP (and earlier versions I guess)..

  11. Tron Bronze badge

    Perfect timing...

    Opera 11 having just been launched.

    Go on, give it a whirl.

    It's non-Google, non-Apple, non-MS, European and free.

    The least you can do is try it.

  12. Rich Webb


    Interesting phrasing in the linked MS technet article "the only public ways to evade ASLR and DEP is through..."

    So, presumably then MS has non-public techniques to get around those protections. Not a real surprise, I guess, but is this another case of security through obscurity? That always works out so well...

    1. Ammaross Danan

      Responsible Disclosure

      The art of Responsible Disclouser means MS is notified before the general public, and thus, they likely have reports of other means of bypassing ASLR and DEP, but are currently working on patches/workarounds before it can become Public Knowledge.

  13. Neil Gardner

    CIO Perspective

    We will be applying new Microsoft patches to all our desktop computers to enhance the security of Internet Explorer 6. Please be aware of corporate policy not to attempt to install unauthorised third party browsers. Non-MIcrosoft browsers are not supported by our IT team or by Microsoft.

    Please refrain from using sites, developed by trendy web designers, known to have issues with IE6, such as Facebook or Google Maps. PLease use Microsoft services instead.

    1. Lewis Mettler 1

      some CIO

      I guess you were being sarcastic.

      But, Microsoft is not. If you have a copy of IE your opinion does not matter. And that is true even if you are a CIO. Or, CIA or any other alphabet.

    2. two00lbwaster

      Nice mention...

      Which is funny, as IE 6 doesn't have ASLR or DEP support and I doubt that the EMET workaround will work for it either.

      I hope that all those corporate security types that love XP/IE6, like HMG, are paying attention to this.

  14. Anonymous Coward

    Ooo arr?

    MS recommends using an alternative browser until IE is not quite as hack-able?

This topic is closed for new posts.

Other stories you might like