Microsoft Windows Internet Explorer flaw ‘extremely critical, worse than expected’

“An unpatched vulnerability on Internet Explorer is so bad that security expert Secunia has had to add a new category of danger to its rating system,” Nick Farrell reports for The Inquirer. “Instead of being just critical, Secunia says that the unpatched hole is now ‘extremely critical’ which means that Microsoft were extremely stupid to sit on it for six months.”

Farrell reports, “S. Pearson, of computerterrorism.com, has worked out that if a Javascript prompt box was of the right size and form to allow the insertion of custom shellcode a remote attacker can execute arbitrary code embedded into an otherwise normal looking Web page. You can have a look at it in action at http://www.computerterrorism.com”

Full article here.

Larry Loeb reports for Security IT Hub, “The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4. IE 5.x is also considered to be vulnerable… Since MS has not addressed this issue in IE, the only way to mitigate is to disable active scripting for non-trusted sites. Or don’t use IE.”

Full article here.

In related non-news, Microsoft still sucks.

40 Comments

  1. Hrmmm… tested it on Safari and it was a bit annoying. When you get that huge Javascript dialog it’s way larger than the screen with no Close box or any menu. Just press Escape if it pops up a few times and try to close the little Safari popup that allows it. Eventually it’ll go away.

  2. Just because someone can break into windows doesn’t mean that the way they break into it is a FLAW in Windows. If your house gets broken into through one of the windows because someone used a hammer, it doesn’t mean that your house has a security flaw, your house was never designed to prevent that type of forced entry. All of these people are being over critical on Microsoft. They need to phrase these “security problems” differently.

  3. emax,

    What if the contractor who built your house neglected to put locks on any of your doors?

    What if he left a gaping hole in the back wall of your bedroom?

    What if your roof was made of tissue paper?

    Who would you blame THEN?

    THAT’s the analogy you should be looking at.

  4. I work at a financial services agency that uses only IE on our desktops (yes, poor me). Our internet access has been shut down all week because of this.

    I hear other high security companies have done the same. I’m surprised this isn’t getting bigger headlines – this is a BIG problem.

  5. I think it’s time to put MS on “double secret probation”

    Hey Steve Ballmer – fat, stupid and drunk is no way to go through life, son.

    MDN word: thinking

    If you’re still using IE, I’m thinking that you are going to get what you deserve.

  6. that is a real shame Windows users have to suffer so much, I don’t think many using OSX bother with Explorer, if there was a way to shed light on PC (pronounced pissy) users’ ghastly experience… perhaps Safari could be advertised… the catch being you have to buy a Mac :)

  7. “Microsoft Windows Internet Explorer flaw ‘extremely critical, worse than expected'”

    Should be followed by “Microsoft Windows Internet Explorer has flatlined, not expected to recover without massive brain damage”

    (source code will be accepted in lieu of flowers)

  8. MDN still likes to make Mac users sound like infants instead of rational people who chose the better OS.

    Not sure why they do that.

    Cracking on the “other guy”–that’s hilarious! Keep up the commentary. Making fun of MS is fair game.

    But “M$ sux” and talking about other CEOs being overweight and the like just sound petty. Not MDN’s best work. It alienates people without being funny.

  9. emax said: “All of these people are being over critical on Microsoft. They need to phrase these “security problems” differently.”

    How about theft of $$$, personal identities, intellectual property, etc.? Nasty hole easily exploited. Seriously, what kind of crap code uses hardcoded windows that allow arbitrary code to be executed if you have the right size? Sounds like somebody was extremely lazy – or nefarious.

  10. Is there an exploit in the wild which takes advantage of this vulnerability? I have not heard of any.

    Should Microsoft have fixed this long ago? Yes.

    However…

    There are security vulnerabilities in every OS, Mac OS X and Windows in all its variations. Apple sends out security updates semi-regularly to fix them as they find them and devise solutions. So far no one has unleashed an exploit of any of those Mac OS X vulnerabilities IN THE WILD.

    Microsoft sends out security updates too, however many exploits happen before Microsoft gets the fixes out (if they ever get them out). There are thousands of exploits in the wild on Windows and Windows unique software (e.g., IE 6.x). Those are truly critical and crucial security issues.

    This is a significant vulnerability. Nothing more. IF someone comes up with an exploit before MS fixes it (if MS ever fixes it) THEN we can all sit back and point fingers at Microsoft for not dealing with it sooner. Until that happens this vulnerability is only marginally different than the vulnerabilities in Mac OS X.

    We all start looking like the crazed cult many claim we are when we point to a Windows vulnerability with no exploits and denigrate Microsoft then turn around and whine about “clueless” reporters who do the same with Mac OS X.

    There are more than enough exploits for Windows to point to and laugh at. This isn’t one of them — YET.

  11. In related news: Normally I would agree with you.

    However, and I have posted this before, indeed, years before: It never ceases to amaze me that MS has not been held responsible (either civilly or criminally) for its repeated failure to fix its product. MS is a global corporation, and as such, is presumed to be competent in its duty to provide a product that is at least merchantable, despite what their EULA states. MS’s inability to do so is either evidence of complete and total incompetence (nonfeasance) or intentional malfeasance.

    I don’t say this lightly: MS is evil and the heads of MS are evil. I firmly believe that MS is not totally incompetent, but is instead, intentionally perpetuating these problems. (No, I don’t wear a tinfoil hat) The question is why?

    maczac

  12. “IF someone comes up with an exploit before MS fixes it”

    How about WHEN (if not already because we haven’t heard about it yet)?

    How about tjc’s response where the financial services company that s/he works at considers it dire enough to shut down Internet access?
