
Microshaft Won't Fix Latest "MSIE 8" Security Bug. Tells Public To, "Toughen Up!"

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, May 28, 2014.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    in other words, kiddies...
    "FU!
    Fondly,
    MS"

    :D

    Redmond Slow To Fix IE 8 Zero Day, Says 'harden up' While You Wait

    Phishers get fresh code execution bait

    Microsoft has decided not to rush out a fix for an IE 8 zero-day first identified seven months ago, instead telling users to harden up their browsers.

    The vulnerability allowed attackers to execute arbitrary code on computers running the older Internet Explorer version 8 through drive-by and phishing attacks.

    Details were made public through HP's Zero Day Initiative vulnerability clearing house after Microsoft failed to patch its much-hacked platform.

    Microsoft was notified two weeks ahead of today's disclosure and has been contacted by El Reg for comment.

    The ZDI disclosure said the use-after-free flaw existed in Internet Explorer's handling of CMarkup objects.

    "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," the disclosure read.

    "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user."

    Users of Microsoft Outlook and Windows Mail were less likely to fall for a phish exploiting the zero day because the apps open emails in the script-blocking 'restricted sites zone'.

    Instead of a patch, Redmond released work-arounds suggesting users harden IE 8 security by changing settings to block and alert use of ActiveX Controls and Active Scripting, and install its Enhanced Mitigation Experience Toolkit (EMET) which makes exploitation of Windows boxes more difficult and expensive.

    http://www.theregister.co.uk/2014/05/22/ie_8_zero_day_dumped_after_7_months_redmond_says_harden_up/
     
  2. proxygo

    proxygo Jr. VIP Jr. VIP Premium Member

    I have Internet Explorer 9 disabled on my Win 7 PC,
    and on my XP machine Explorer is uninstalled. Never use it.
     
  3. Trepanated

    Trepanated Supreme Member

    The only time I ever use Internet Explorer is to install Chrome / Firefox whenever I buy a new machine.
     
  4. BaCCa

    BaCCa Junior Member

    And this is 2014! On average, PC security has gone up over the last decade, but underlying problems are still the same.