 sj |
||
|
||
Tech: Out of Sequence Fix from Microsoft IE8
| JohnInKansas | 09 May 13 - 09:01 AM | |
| GUEST,leeneia | 09 May 13 - 10:54 AM | |
| JohnInKansas | 09 May 13 - 02:24 PM | |
| Stilly River Sage | 16 May 13 - 06:29 PM | |
| Joe Offer | 16 May 13 - 07:15 PM | |
|
|
|
|||||||||||||||||
|
Tech: Out of Sequence Fix from Microsoft IE8
|
Share Thread
|
||||||||||||||||
|
Subject: Tech: Out of Sequence Fix from Microsoft IE8 From: JohnInKansas Date: 09 May 13 - 09:01 AM Microsoft releases fix-it for Internet Explorer 8 vulnerability The vulnerability was used by attackers last week against the U.S. Department of Labor By Jeremy Kirk | 09 May 13 Microsoft has released a temporary fix for a zero-day vulnerability in Internet Explorer 8, which was used by hackers in a prominent attack against the U.S. Department of Labor's website. The problem is particularly dangerous since it can allow an attacker to install malware merely by visiting a tampered web page. Microsoft is still working on a patch, wrote Dustin Childs, group manager for the company's Trustworthy Computing division. "Customers should apply the Fix it or follow the workarounds listed in the advisory to help protect against the known attacks," Childs said in a statement. The vulnerability is described as a problem in the way IE "accesses an object in memory that has been deleted or has not been properly allocated." IE versions 6, 7, 9 and 10 are not affected. Microsoft calls the fix "CVE-2013-1347 MSHTML Shim Workaround." The company normally issues updates for its products on the second Tuesday of the month, but will issue an out-of-schedule patch if the problem is deemed serious enough. Security vendors Invincea and AlienVault found that hackers planted attack code within a U.S. Labor Department web page with information on toxic substances at U.S. Department of Energy facilities. The code redirected people to another infected page within the site, which then attempted to exploit the IE 8 vulnerability. AlienVault said the hacking campaign appeared similar to a known China-based one called "DeepPanda," which installed remote-access trojans (RATs). A large Fortune 500 company was attacked in December 2011 by DeepPanda, AlienVault said. *********** Note that this fix applies ONLY TO INTERNET EXPLORER 8. Versions prior to IE5 might have a similar vulnerability but should not be still in use. Since the earlier ones are considered obsolete, there's no comment from Microsoft. Most users who have "stayed current" likely will be running IE9 or IE10, but the affected IE8 may be still on some machines running older OS versions, possibly including WinXP. There is a link at page linked above (CVE-2013-1347 MSHTML Shim Workaround.), to take you to a "Fixit" button. You have a choice whether to apply (enable) the fix or disable it. Click the enable "Fixit" button and everything should be automatic if you need this. Clicking either button shouldn't hurt anything if you don't need it. Clicking "Help" or the little gear/sprocket icon in IE should get you a dropdown with "About Internet Explorer" and clicking that should tell you what version you have if you're not sure what version is on your machine. This "Fixit" is a temporary workaround, and a permanent patch will be issued later. Patches normally are distributed on the second Tuesday of each month, so the "special distribution" of this implies that there's some urgency for those who need it. It generally is a good idea to keep IE updated even if you don't use it. It is very intimately tied into Windows Explorer and possibly to some other essential OS functions, so you can't really "not have it" on a Windows computer. The rather vague description of the vulnerability at the "Fixit" link suggests that the problem exploited could be???? a Windows Explorer malfunction that I and about 274 others have been complaining about for half a year with no response from Microsoft, but if the Windows Explorer glitch can only be accessed by this malware through Internet Explorer it's still an IE vulnerability, so I guess it doesn't matter much. John |
|
Subject: RE: Tech: Out of Sequence Fix from Microsoft IE8 From: GUEST,leeneia Date: 09 May 13 - 10:54 AM Thanks, John. What does 'zero-day' mean? |
|
Subject: RE: Tech: Out of Sequence Fix from Microsoft IE8 From: JohnInKansas Date: 09 May 13 - 02:24 PM Generally for malware a zero-day threat means there is no fix for the vulnerability. Originally intended to mean the system designers have "zero days" to get a fix developed to avoid infection. Lots of vulnerabilities (a feature that could be exploited to let malware onto the computer) are found before any malware that attacks that vulnerabilty has been found, so a certain amount of delay in getting the vulnerability plugged isn't a problem. Estimating how long you might have to fix it depends on guessing how soon someone will figure out how to use it. An alternate interpretation is that the malware is already out there and nobody has a fix. This IE8 malware is a zero-day thing, since malware using it has already appeared and has been used to infect computers. The "fix" is just a way for the computer to "work around" the problem. (Sort of a sidestep or jump-over the puddle so you don't fall in kind of thing.) It does not eliminate the problem. A "patch" that does remove the vulnerability will be provided for those who need it "later." (Microsoft promises.) John |
|
Subject: RE: Tech: Out of Sequence Fix from Microsoft IE8 From: Stilly River Sage Date: 16 May 13 - 06:29 PM I've used IE 9 for quite a while now, but when I tried upgrading to IE 10 it locked me out of my skydrive area (the browser kept crashing). I can get there with other browsers, just not IE 10, so I uninstalled 10 and am still using 9. I'll try the upgrade again another time. On my work laptop I upgraded and can get to the skydrive, so I suspect there is something going on with my desktop setup that IE 10 doesn't like. I decided to see what I could find in the Microsoft community and this answer has several suggestions. One might work. In case you're curious, Microsoft Community/Internet Explorer answers about all of the versions. The questions for IE 8 start in early 2009. IE 9 questions start in August 2010. IE 10 questions start in late January, 2013. I'm guessing the question start point is the exact point when the new browsers were pushed out to the public. SRS |
|
Subject: RE: Tech: Out of Sequence Fix from Microsoft IE8 From: Joe Offer Date: 16 May 13 - 07:15 PM I had problems printing with Internet Explorer 9, so I kept IE8 on most of the computers I maintain and encouraged users to choose Google Chrome instead. I've started using Internet Explorer 10, and haven't had any problems with it - and I've never had problems with Google Chrome. -Joe- |
| Share Thread: |