back to article Microsoft issues temp fix for serious Windows security bug

Microsoft has warned customers to apply a temporary security fix to protect against a serious, newly discovered security bug in all supported versions of Windows. The vulnerability results from the way Windows processes webpages containing MIME-formatted content. Attackers can exploit the weakness to run malicious scripts that …


This topic is closed for new posts.
  1. Lars Silver badge

    The solution

    is simply to stop using IE and Windows too.

    And that is not difficult at all.

    1. Anonymous Coward
      Anonymous Coward


      Simply stop using IE and Windows? You don't work in enterprise IT do you?

  2. Chas

    Same shit, different day!

    Yet another 0-day vuln. People stupid enough to use Windoze deserve everything they get! Switch to Mac or a nice Linux distro and watch all this shite disappear.


    1. Paul 117


      Everyone should take Chas' advice and switch to one of those OSes.

      It's only Windows that suffers from security vulnerablities after all. And it's only Microsoft that takes ages releasing fixes.

      Oh wait...

    2. amanfromMars 1 Silver badge

      A problem which is unsolveable ... so you have to learn to live with it, and adapt to its ways*?

      "Same shit, different day! .... Chas Posted Saturday 29th January 2011 00:21 GMT

      Yet another 0-day vuln. People stupid enough to use Windoze deserve everything they get! Switch to Mac or a nice Linux distro and watch all this shite disappear."

      Chas, you have completely missed the point if you think that any other operating system and/or smarter box is immune from such as is developed in such circles as probe intelligence and virtual defense protocols.

      Whether the machine used is a MS Windows or an Apple Mac or a nice Linux/Unix distro or even a Colossus of a Big Blue type mainframe/HPC, it makes absolutely no difference at all, whenever plugged into the Internet for the sharing or phishing and phorming of ideas, for all such machines when accessing pages/programs/projects via the Internet/Global Information Grid are just opening Windows onto their work space. It is just that Microsoft use the generic Windows name as a proprietary one. All machines are machines for opening windows onto information and into intelligence.

      You can understand that better if we convert it into a Motor analogy with the four computer types being respectively a VW Beetle, a chic Audi, a solid Porsche and a custom Bugatti. They are all VW machines. All of them do exactly the same thing although some of them quicker and better than others, and all of them will suffer the same fate on a blind hairpin bend if a trap or an obstacle is fallen or laid across their path, or a bridge collapses as they are driving along unaware of structural/architectural/mechanical/programming defects. And such is the same with Operating Systems of whatever configuration and custom build against such as are zeroday vulnerabilities for exploitation/Project and Program Red Team BetaTesting.

      * Find out what it wants and give it whatever it wants, can easily be the cheapest available option in those cases which would threaten to collapse catastrophically vital infrastructure, especially whenever generally unknown and underground, although it is no less severe if the systems are popularly well known.

  3. Anonymous Coward
    Anonymous Coward

    Internet Explorer strikes again.

    So consistently crap, it's hard to even think of an original way to mock IE.

    I guess an analogy is best.

    It's like the free drink that comes with your meal. You don't even really want it but it helps wash down all the other shit that comes with the Windows operating system, I mean meal.

    Everyday the drink has a different funky ass taste that doesn't even taste like cola at all. Sometimes it tastes like bear shit, sometimes it tastes like the meat from a really scatological bear. And sometimes it tastes like something that Heston Blumenthal would make, if Heston Blumenthal was a bear that liked to eat shit and also put it in other people's food.

    I guess what I'm saying is: don't use Internet Explorer okay?

  4. Anonymous Coward


    Active X has a security hole? Who'da thunk it!!

  5. thecakeis(not)alie


    It's still in use?

  6. heyrick Silver badge

    Internet Explorer is the only attack vector for the vulnerability,

    The title says it all, over and over and over.

    I am, however, a bit surprised by the anti-IE-post downvotes. Is there a secret IE fan club or something? Well, not that it matters. A hundred thousand downvotes won't make it all better...

    1. Anonymous Coward
      Anonymous Coward

      re: secret IE fan club

      Not fans, I suspect, so much as people who don't think they can dump it because they're too dependent on stuff that only works on IE, to which I can only say a load of work now may save even more work in the future, but that's probably not a risk they or their employers are willing to take. Or maybe they are fans, because they're employed sorting out the Windows flaws and they think work will dry up if everyone switches to something else (which may be true if they depend on official MS qualifications to get a job).

    2. Anonymous Coward
      Anonymous Coward


      I don't think it's downvoting the criticisms of IE, rather it's the lack of understanding of why people use IE, both currently and historically. This combines with the nature of the comments being self congratulatory and smug, while not actually helpful in any way.

      Case in point 1: My mum and dad used IE until my brother in law installed firefox for them. Without my brother in law they would still be using IE on XP. They have no way of knowing about other browsers and no interest in investigating others, why would they?

      Case in point 2: My company uses IE, we've got over 100k desktops, we're mainly on IE6, but moving to IE8. We require the abillity to configure IE with AD policies, this has been available in firefox for about a month, so not even remotely long enough to roll out to so many desktops or even bother testing. We also require to use older server software which was designed for IE6, there is too much to redesign as a 'big bang' it's a slow process. Furthermore updates to Firefox or Opera don't come on regular scheduled time intervals, so you have to drop everything every time an update is released to get it tested and onto your systems. IE however very rarely has out of schedule updates.

  7. amanfromMars 1 Silver badge
    Paris Hilton

    Novel Vulnerabilities Target Human Operating System Sweet Spots .... and SSXSS in Admin Networks

    "More information about the MHTML Script Injection vulnerability .... By default, the MHTML protocol handler is vulnerable on Windows XP and all later supported Windows versions. Internet Explorer is an attack vector, but because this is a Windows vulnerability, the version of IE is not relevant." ..... ...... Ergo is the browser, any browser, the launch vehicle.

    And with Stealthy Server Side Cross Site Script Injection into randomly selected pages displayable to any browser in an intended information disclosure dump/buffer overflow, is there released into the wild, a Virulent MEME ..... Multipurpose Extranet Mail Extension .... which bypasses Server Message Block Controls.

    The weakest link/access point in ANY and ALL Operating Systems remains the Being Communicating and Processing Input/Output Information at the Keyboard/GUI Controls, for they are all, from the brightest to the dimmest, easily groomed and remotely reprogrammed with the Sublime Promise of ....... Sticky Sweet Virtual Candy ..... SMARTer Enabling and SMARTer Enabled Virtual Machine Intelligence for Advanced and Artificial Intelligence Advantage in the CyberIntelAIgent Fields of Power Command and Elite Control for Fab Great Game Play.

    Earthly Command at Intelligence Levels which Follow/Create Micro Processor Architectures. You might like to also consider that Universal Command and Control/GOD* and God Control is also directed from such Levels/Heights, and whether that be a blasphemy for some or a simple statement of fact to Others would be entirely dependent upon one's own Intelligence Levels, and whether they are grounded and stuck/petrified in a certain position reflecting a past time, or dynamic and fluid, adopting and adapting to every situation and Live Operational Virtual Environment.

    * Global Operating Devices.

    Is Paris an Alien Sweet Spot ...... Sticky Pleasure Vehicle? And would that be a Weakness or a Strength to Exploit and/or Enjoy ? :-)

  8. Anonymous Coward

    Interdent Exploder strikes again...

    The post is required, and must contain letters... however, i have nothing to add.

  9. Anonymous Coward
    Anonymous Coward

    Make The Change

    Why I sat in front of a Windows machine at home for so many years I can not imagine. I'm just glad I stopped.

    Another day, another Windows vulnerability. I don't care any longer.

  10. Ubuntu Is a Better Slide Rule


    ..and then you can even run a crap firefox (say 3.1.0) and do not worry about surfing on the pr0n sites. Just close the browser and restart if for netbanking.

    AppArmor / SE Linux

    will make sure.

    (This is a post in anticipation of the M$ brigade digging up a firefox exploit)

    1. Anonymous Coward
      Anonymous Coward

      Linux != LaLa Land

      And I hope we all know that the world's first worm was a Unix worm.

      But, accepting the possibility of cross-platform, java, etc, possibilities, we *can* say, that we do not use an operating system where *any* sort of security was an afterthought, or a browser that was *designed* to have programs exploit it.

      I suspect that there are users of yet a third OS that may be even more complacent ;) --- but we Linuxboys should not be above an occasional reminder that even we are not inviolate. Or inpuce. Or pink. Or something.

      1. Ubuntu Is a Better Slide Rule

        @Thad: Unix Security, AppArmor

        Indeed, the C language is something very dangerous. Application programmers should not use it. It was sendmail running the worm, not Unix, though.

        My point is that a small system, which can be thoroughly analysed, will protect these stinking heaps of application software used to render HTML, PDF, OpenOffice, MS Word.

        It is much easier to assure correctness of AppArmor than to assure the correctness of all these applications. Including custom-written applications.

        AppArmor could even be mathematically proven to be correct. The effort would be significant, but the benefit could be experienced in many, many Linux installations.

  11. Fuh Quit
    Jobs Horns

    MHTML files have their own security.......

    .........they are so slow to use that you'd sooner be affected by shitty performace and give up with the format. Which saves you from this 0-Dayer!

  12. Anonymous Coward
    Anonymous Coward

    Is netscape still around?

    IE got bugs that allow hackers in so use another browser like Firefox, which will slow your computer down to a crawl after a couple of hours or Chrome and have google steal all your data instead of crims or Opera which will make you hate the internet. All that s left is isAfari, which comes bundled with qUicktime, iTunes, cRapstore etc.

    1. Anonymous Coward
      Anonymous Coward


      No, that is not bugs: it was designed to be that way. It was designed to run programs.

      Firefox is indeed heavy and slow.

      Guess what: it isn't under Linux! :)

    2. Anonymous Coward
      Anonymous Coward

      @ AC - This is a troll, right?

      As subject.

  13. JaitcH
    Gates Horns

    "since IE is the only known vector"

    IE has always been a liability since Version 1.

    I like the way they say: "The vulnerability results from the way Windows processes web-pages containing MIME-formatted content."

    But you can understand MS not wanting to expose IE to the derision it deserves.

    1. Anonymous Coward
      Anonymous Coward

      Any doubt? read this!

      If anyone is in any doubt just how much derision should be poured on Internet Explorer, and on Microsoft, for the way they shove[d] it down our throats, read this and be enlightened:

      There's a lot I didn't know before.

  14. Gert Selkobi

    Potential fixes?

    [quote]The security team is working with website operators, including Google, to explore possible server-side fixes as well. Potential fixes include filtering newline characters out of requests and responses, prepending newline characters onto HTTP responses, and altering the status code of HTTP responses.[/quote]

    So, in essence, part of M$'s thinking for a fix to THEIR problem, is that the rest of the world and its web serving standards need to be tweaked?

    Just fix your problem yourself Redmond and stop expecting the rest of the world to accomodate you.

    As others have said, switch away from IE to get away from this vuln. Better still, switch to an alternative OS and vendor altogether.

    1. Jolyon

      Bitter and wrong

      If there's a potential problem we, all of us, benefit from it being removed by whatever means.

      As it is clearly unrealistic to expect all users of IE to switch to a different browser in the short / medium term it is clearly sensible to explore all avenues when trying to prevent / reduce any real world impact from this vulnerability.

      Windows and Internet Explorer may or may not be useless and responsible for any number of ills but either way it does not mean we have to be irrational about the whole business.

  15. Anonymous Coward
    Thumb Down

    Re: Same shit, different day!

    Yep, still the same Mac/Linux trolls who rush to get first reply on a Windows vuln story.

    1. hplasm

      I don't think you can be a troll-

      If you are right.

  16. Lewis Mettler 1

    not using IE

    The choice not to use IE is a good one.

    But, the better choice is not to purchase IE in the first place.

    Oh, I forgot, that choice is illegally precluded for any and all Microsoft customers. You have to purchase IE.

    It is also commingled illegally. So consumers are harmed deliberately by Microsoft.

    What if you could not purchase IE so as to protect your children from such attacks. No choice for you either. You must purchase IE for your kids.

    What if you could not purchase it for your mom? You know, proptecting her from such attachs? Again, that choice is refused. You must purchase IE no matter what. As a consumer you do not have the right NOT TO PURCHASE IE. Period.

    Remember, if you have a copy of IE, your opinion does not matter. Not one bit. It is required by Microsoft that your opinion can not influence what you purchase from them.

    Talk about being evit. Proven in a court of law that commingling code with the OS is in fact illegal and yet Microsoft continues the illegal practice. Why? Because that eliminates your opinion from having any impact on the marketplace.

    1. heyrick Silver badge

      Why IE is still around

      Have you looked at the Windows filing system interface lately? It is heavily dependent on IE, on core IE parts, and in some places gives a rather IE-like behaviour.

      I guess an interesting question would not be "is IE affected", but rather "what other things may be affected"?

      1. Goat Jam


        "Have you looked at the Windows filing system interface lately? It is heavily dependent on IE, on core IE parts, and in some places gives a rather IE-like behaviour."

        This was a deliberate act by Microsoft in their attempts to convince the courts in their antitrust case that it is not possible to unbundle IE.

        There is no technical reason that Windows should be designed in this way, it was purely done for marketing purposes (microsoft being primarily a marketing driven company after all)

        1. Anonymous Coward
          Anonymous Coward

          @ Heyrick @ Goat Jam

          If you'd keep up with MS, rather than just slagging them off all the time, you'd know that IE has been removed from it's position as being integrated into the OS.

          1. heyrick Silver badge

            @ AC

            Hmmm, how about you actually read the post you are replying to before screaming about how we all slag off IE and we're wrong to say it is tied up in the OS.

            Here's a hint. Find a way to nuke "mshtml.dll". That big ol' DLL is the heart of IE. Lots of stuff won't work properly. No worries, just fire up System Restore and backtrack to fix... oh, wait... it wants mshtml.dll because ta-da, it is written in html/javascript (take a look inside \windows\system32\Restore\rstrui.exe). Perhaps Microsoft have "unbundled" IE from being supplied with Windows, but we are probably talking \Program Files\Internet Explorer\iexplore.exe - unless you really think a complete modern web browser is a 91K program.

            There, in fact, I have highlighted a rather interesting situation. System Restore, helps clean up crappy messes, needs the IE engine to work. As does a bunch of other stuff that is NOT a web browser. Hence my original question - what ELSE would be affected by something that supposedly affects IE, given IE's tight integration with the system.

    2. TeeCee Gold badge

      Re: not using IE

      "...It is also commingled illegally."

      Oh Christ, not that 'tard-sourced bullcrap *again*!

      Try asking yourself this simple question: If it were known to be actually illegal to build a browser into an OS (or vice versa) would Google be doing it?

      1. Anonymous Coward
        Anonymous Coward

        re: would Google be doing it?

        Doing what - building a shell that's a browser that sits on top of a separate operating system? That's rather different from mixing the browser up with the kernel, which is what MS did. Also Google doesn't have market share to leverage in the same way that MS did.

  17. Franklin

    Interesting approach to security.

    "Our browser has a security hole in it. The fix is to change the HTTP protocol, m'kay?"

  18. Martin Erdelen

    Dog Bites Man.

    ...that is all.

  19. Robert Carnegie Silver badge

    What is it

    If they think the nasty people aren't using it yet then it isn't a "zero day vulnerability".

    If it's an Internet Explorer vulnerability then it isn't a Windows vulnerability - well, except for Windows computer systems that have IE as default browser or actively used.

  20. Robert Carnegie Silver badge

    Oh, wait.

    They say "publicly disclosed". So it -is- a zero day vulture ability. My mistake!

    Hoping this finds you as it leaves me, in Opera 11.01.

  21. 32holes


    I do NOT use IE and for good reason. I got slapped with some nasty BHO issues when those first came about. That left a bad taste in my mouth for IE.

    If you still use IE you deserve to get whacked to be honest. That thing is crap and a pain to code for. I got so sick of coding hacks for it that i moved to Wordpress. Now i do not give a hoot if some IE user cant see my page correctly and i tell that to use a diff browser that actually supports proper standards.

  22. Clockworkseer

    Imagine, if you will....

    Now just imagine all those companies that still use IE6 (including several major telecoms companies) because their systems use heavily custom ActiveX and java that won't actually run on anything higher, and it's cheaper to manually bodge things themselves than pay to have those expensive consultants and outsourced software bods rewrite the whole show to run on anything higher.

    Of course, the fun will be in three years, when MS removes IE6 support completely.

  23. mhenriday

    With regard to IE vulnerabilities,

    Microsoft's attitude has always seemed to be that of the wife of the then Bishop of Birmingham, who when informed of Darwin's theory of human descent, is reported to have told her husband :«My dear, let us hope it is not true, but if it is true. let us hope that it does not become generally known»....


    1. amanfromMars 1 Silver badge

      Ok, make your excuses and dream up your reasons to continue the madness.

      "Microsoft's attitude has always seemed to be that of the wife of the then Bishop of Birmingham, who when informed of Darwin's theory of human descent, is reported to have told her husband :«My dear, let us hope it is not true, but if it is true. let us hope that it does not become generally known»...." ... Henri Posted Monday 31st January 2011 11:16 GMT

      In this day and age, Henri, the chances of any information, even that which has been classified way above Top Secret/SCI, being/remaining generally unknown, are so slim as to be virtually impossible. Invariably most secrets are particularly nasty, and solely designed to render an unfair and destructive advantage to a group of psychotic and psychopathic idiots of the first magnitude. With no secret hiding places would such abominations be easily addressed and corrected.

      How much simple to do want World Peace to be? And how much more complicated would idiots want to make their lives to foster such subversive perversions?

      1. mhenriday

        But, dear «amanfromMars 1»,

        I did not claim or anywhere imply that these Internet Explorer vulnerabilites would not become generally known ; I merely stated that Microsoft's attitude toward them seemed to resemble that of the Bishop's wife. Please do reread my post !...

        I must admit that I'm not entirely certain what the first period in your third paragraph, «How much simple to do want World Peace to be ?», which seems to be lacking a grammatical subject, is supposed to mean, so I shall refrain from further comment....


  24. ColonelClaw

    I'd like to know

    I wonder how many people out there who are well aware of all the alternatives, and are in a position to use any browser, actively choose to use Internet Explorer?

    If you're one of those people I'd like to know why

This topic is closed for new posts.

Other stories you might like