DrJBHL

Researchers Reveal New IE Zero-Day Vulnerability

UPDATE

I wasn't planning on posting today, but when I read this, I felt I should whip something up quickly.

Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.

Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site. The site can then hijack personal data and install malicious code and/or malware. This will bypass all security software and Windows 7 protection. Network Administrators and IT Professionals can download EMET 2.0 from MS, who claim it can be configured to protect servers.

MS Security Advisory (2488013) HERE.

Although the company said it would patch the problem, it is not planning to rush out an emergency update.

The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.

Microsoft's usual practice is to release an emergency fix only if attacks appear and then grow in strength. Microsoft has never revealed how it sets the point at which a rush patch is triggered.

The vulnerability in IE6, IE7 and IE8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE's HTML engine.

The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine; however, the vulnerability was noted and explained earlier in a Chinese trade publication.

Doc suggests using Firefox, Opera, or any non-IE based browser until this vulnerability is patched.

164,931 views 95 replies
Reply #51

TRUE OR FALSE:

1.  Even if an alternate browser is used (eg. Firefox), and IE still remains on the system, that system is still vulnerable.

2.  One can be safe from IE vulnerabilities only when IE is removed completely from the system.

3.  Removing IE completely from the system will not in any way harm the system.

:ninja:

Reply #52

A system is vulnerable with any browser.

Reply #53

aeligos:

Microsoft has issued an advisory for an unpatched vulnerability affecting all versions of Internet Explorer on all platforms. The vulnerability could allow a malicious Web page to trigger a denial of service or remote code execution in the context of the IE user. Exploit code for the vulnerability has been published, but there are no reports yet of active exploits in the wild.

The vulnerability is of a type known as "use-after-free" and is in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. Multiple @import calls in the attack document trigger the vulnerability. It was first reported by wooyun.org.

The exploit bypasses Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) by taking advantage of a library it loads (mscorie.dll). This was not compiled with the /DYNAMICBASE option that enables ASLR and therefore loads predictably at the same address. Microsoft doesn't say why this, and apparently other libraries, weren't compiled with this option, but suggests that you use its Enhanced Mitigation Experience Toolkit (EMET 2.0) to force all loaded DLLs to dynamically rebase. This change should make the exploits highly unlikely to succeed. A video on the Microsoft Web site demonstrates the process.

Microsoft also stresses that protected mode in Internet Explorer 7 and 8 on Windows Vista, Windows 7, and Windows Server 2008 mitigates the vulnerability by limiting the privileges of attack code that succeeds in exploiting the vulnerability.

--------------------------------------------------

1. Mitigates does not mean prevents. It means 'decreases'. They don't say how much.

2. Highly unlikely also does not mean you are safe.
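
The quoted advisory text above pins the ASLR bypass on one detail: mscorie.dll was linked without /DYNAMICBASE, so the loader maps it at the same address every time and the exploit can rely on that. The following is an added example, not code from this thread, from Microsoft, or from EMET. It reads the DllCharacteristics word out of a PE header to report whether a given DLL opted in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT); the flag values and header offsets are the documented PE/COFF ones, and the only input it ships with is a constructed minimal header built by `build_sample_pe`, not the real mscorie.dll. It also goes one step beyond the post by walking a directory of DLLs so an administrator can find every library that would load at a predictable address.

```python
"""Report ASLR/DEP opt-in bits from a PE image's DllCharacteristics field.

Added example for this thread; not code from Microsoft, EMET or any poster.
Flag values and offsets are the documented PE/COFF ones. The sample image is
a constructed, headers-only PE used to exercise the parser, not a real DLL.
"""
import struct
from pathlib import Path

# Documented IMAGE_DLLCHARACTERISTICS_* bit values.
DYNAMIC_BASE = 0x0040      # image may be rebased at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image is compatible with DEP/NX
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR (PE32+ images only)

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20          # skip 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_status(data: bytes) -> dict:
    """Summarise whether the image opted in to ASLR and DEP."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def scan_directory(directory: str) -> dict:
    """Map every *.dll below `directory` to its status (or an error string).

    DLLs with aslr == False are the ones an EMET-style 'mandatory ASLR'
    setting would need to force-rebase.
    """
    results = {}
    for path in Path(directory).rglob("*.dll"):
        try:
            results[str(path)] = mitigation_status(path.read_bytes())
        except (ValueError, OSError) as exc:
            results[str(path)] = f"error: {exc}"
    return results


def build_sample_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE (DOS stub + PE header, no sections) for testing."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL image).
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Demonstrate on the constructed sample: one DLL built like mscorie.dll was
    # described (no /DYNAMICBASE) and one with both mitigations enabled.
    print("no ASLR :", mitigation_status(build_sample_pe(NX_COMPAT)))
    print("hardened:", mitigation_status(build_sample_pe(DYNAMIC_BASE | NX_COMPAT)))
```

To audit a real system, call `scan_directory` on the directory that holds the DLLs of interest and look for entries whose `aslr` value is `False`; those are the images that EMET's mandatory-ASLR setting exists to cover, since the opt-in bit alone is what the normal loader honours.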

Reply #54

He mentioned something about not installing Flash. I have Flash player. Is that the open door?

Reply #55

The vulnerability is of a type known as "use-after-free" and is in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. Multiple @import calls in the attack document trigger the vulnerability.
End of quote

Flash is vulnerable to other things:

Latest Vulnerabilities in Flash Player:

A recent vulnerability in the latest Adobe Flash version led to a massive attack yesterday (12/24/10).

More than 220,000 pages on the Internet have been hacked, most likely with an automated tool using a SQL injection attack. Those pages, some of well-respected companies such as Nokia but also many non-profit organizations and town websites, redirect the user to websites that host the exploits for the Flash vulnerability.

If the system meets the requirements, the exploit is used to download and execute trojans that steal information and droppers that download additional trojans. The stolen information includes, for example, World of Warcraft account information, while the droppers download files that add the computer to a botnet. (according to Trend Micro)

Most antivirus companies have already updated their software to disable the possibility that this exploit can be used on the computer the software is running on.

Your best bet if you do not use antivirus software is to either disable Flash for now or use an extension like NoScript to block Flash on every domain but trusted ones.

Reply #56

What if I just get rid of Flash player? If it isn't there no vulnerability ... right? I could uninstall it.

Reply #57

Quoting Savyg, reply 52
A system is vulnerable with any browser.
End of Savyg's quote

Correct Savyg. Sorry not to have responded sooner. Here are the latest patches/fixes for Mozilla browsers/email vulnerabilities. You'll note these problems have been addressed and fixed.

Opera vulnerability:

http://www.infoworld.com/d/security-central/opera-software-patch-browser-vulnerability-soon-046 

Mozilla vulnerabilities:

http://blogs.pcmag.com/securitywatch/firefox/ 

http://www.mozilla.org/security/announce/ 

Reply #58

Trivia: The date on the Opera link is March 2010.  The date on the MS Advisory in OP is December 2010.  Seems like the MS Advisory should have included: "We further advise that you do not hold your breath while waiting on us to patch this."  :moo:

(still loving my new Opera toy ^_^ )

Reply #59

I upgraded FF to version 3.6.13 yesterday. So far so good. Have a question about Opera though. When I open it, the browser goes to the last page it remembers, not to the current page like FF does. Why is that?

Reply #60

Uvah, just follow the numbers in the screenshot.

Reply #61

Quoting DrJBHL, reply 57
Mozilla vulnerabilities:
End of DrJBHL's quote

One of the nice things about open source software, they are honest about the problems with the software.

Something you don't get with closed source software, they have a commercial interest to protect the brand.

Quoting DrJBHL, reply 55
Your best bet if you do not use antivirus software is to either disable Flash for now or use an extension like NoScript to block Flash on every domain but trusted ones.
End of DrJBHL's quote

People have been complaining about flash for years. DO IT.

Or like me you could run Opera on linux in a virtual machine. .oO (but that's a bit sad) 

Reply #62

People have been complaining about flash for years. DO IT.

Or like me you could run Opera on linux in a virtual machine. .oO (but that's a bit sad)
End of quote

Correct.

Reply #63

If I may, and this should probably go without saying, the user, no matter what browser they use, still needs to be intelligent about searching the web; just don't click on buttons so you can get to the next page.

No amount of 'secure' software can protect your computer from, sorry for this, the user being dumb.  :-"

Reply #64

Quoting Philly0381, reply 63
If I may, and this should probably go without saying, the user, no matter what browser they use, still needs to be intelligent about searching the web; just don't click on buttons so you can get to the next page.

No amount of 'secure' software can protect your computer from, sorry for this, the user being dumb. 
End of Philly0381's quote

;)

Exactly, Philly.  The I-d10-T  error can be fatal.

Reply #65

This is true. Which is why I 86'd Flash. Buh bye!

Reply #66

No amount of 'secure' software can protect your computer from, sorry for this, the user being dumb.
End of quote

Amen, brother! :rolleyes:

Reply #67

While true, a person can become victimized innocently. I do caution care in browsing and opening emails from people you don't know, but errors happen and even large, respectable websites can fall prey as well as a regular person browsing for information.

Antiviral software and firewalls won't protect until someone works out a patch for this problem.

I advise reading the MS Security Advisory.

Reply #68

If IE were not at the top of the food chain it would not be attacked as much. Most other browsers also get attacked; that is why we have updates.

Reply #69

Update

Microsoft has confirmed that a zero-day vulnerability exists in Windows XP, Vista, as well as Server 2003 and Server 2008. The bug, which first emerged in mid-December 2010, has evolved since the exploit was posted publicly.

The bug was first discussed on December 15 at a security conference in South Korea. Since no one had yet exploited the vulnerability, there was not significant cause for concern. That's changed now that researcher Joshua Drake has released an exploit module via the open-source penetration testing project Metasploit.

Exploit Opens Door to Total System Takeover

Metasploit has stated that the exploit can be used to compromise virtually any Windows PC. Hackers could then install malware which would then ransack and extract critical personal data, including addresses, phone numbers, and credit card information.

Reports also suggest a hacker could use the exploit to create a new Windows user account for themselves on the host PC, cutting off a system's rightful owner. (Source: crn.com)

Windows Flaw Infects Windows Thumbnails

The flaw is related to the way Windows' graphics rendering engine handles thumbnail images. It can be exploited if a targeted user views folders containing specially designed and malicious thumbnails via Windows Explorer.

"Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder," said Microsoft (Source: computerworld.com)

Windows 7, Server 2008 R2 Not Affected

In response to the threat, Microsoft has issued a security advisory noting the affected operating systems. All operating systems including Windows XP, Server 2003 / 2008, and Vista are affected by the exploit. Windows 7 and Windows Server 2008 R2 are not affected.

"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said in the advisory. (Source: computerworld.com)

The Redmond-based firm also noted that it does not currently plan to release an "out-of-band" (or unscheduled) emergency patch for the flaw. While it's true that an exploit method now exists and is publicly available, Microsoft still cites the fact that no one has yet used it for an attack.

Reply #70

So in their infinitely warped wisdom Microstuff will wait until someone's system, be it XP or Vista, is seriously compromised or worse before they'll put a stop to it. WTG Mr. Gates. #:(  

Reply #71

No, Uvah. Windows 7 is apparently OK, for other MS OS's there is EMET 2.0 to patch until they (MAPP) can produce a patch.

Reply #72

I have weaned almost all my non-technical friends and family off of IE.  I am pushing Firefox.  While I have not had the problems Daiwa mentioned all the time, I have seen it on occasion (the stutter step).  I also have Safari (eh, a browser) and Chrome (definitely not the fastest).  I will have to check out Opera.

These types of alerts (although I missed this one due to Christmas) are excellent!  Please keep them up.

Reply #73

Thanks Doc. I know W7 is Ok but I know of some who run both XP and Vista and they could benefit from this info. I've been passing it along.

Reply #74

Uvah, that's the ticket! If you email them, use the link to WC...who knows who might get interested!

Dr Guy: I plan to do just that. :)

Reply #75

Makes me just want to run out and buy more stuff from Microsoft.  Mooooo.  :moo: