Unpatched Internet Explorer exploit hits the Web

March 11, 2010, 4:33 PM
Israeli security researcher Moshe Ben Abu has published exploit code for an unpatched Internet Explorer security hole. With the help of a McAfee blog post, Abu pinpointed the vulnerability in about 10 minutes. Microsoft warned on Tuesday that the bug could allow an attacker to take control of a computer, and advised users of IE 6 and 7 to install version 8 as soon as possible.

CNET asked Abu how dangerous the vulnerability is, and his response was in line with Microsoft's recommendation to update to IE8. Abu also noted that the exploit is quite unstable, with a success rate of about 60% to 70%, and confirmed that it is critical for older builds of IE. Microsoft provided additional workarounds in its advisory for users who can't upgrade to the latest browser version.

Although information in McAfee's post sped up the process, Abu said he would have found the vulnerability anyway. McAfee said the post in question did not contain enough information to directly lead anyone to the hole, but the firm's future blog posts will undergo "additional sanitization" to avoid giving exploit writers a starting point when hunting for exploit code.




User Comments: 53

TomSEA, TechSpot Chancellor, said:

Just say "no" to IE! Too many other better browsers around to mess with that and worry about the countless security issues.

buendia said:

For regular users, no need for IE. There's plenty of very good alternatives (Firefox, Opera, Chrome). Provided you really want to use IE, always upgrade to the latest version and regularly install updates.

Guest said:

Oh, so nothing new?

Timonius said:

Guest said:

Oh, so nothing new?

yeah pretty much.

As for businesses still using IE6...you better get your act together soon...and if you're big enough you need to try to eliminate the dependency on someone else's browser technology.

ludoboss said:

A lost war! Microsoft must be directed to win the search engine war and let others do browsers. Chrome, Opera and Firefox is over the top. MS u cannot do all better. U make win7: TNX!

Guest said:

well if people would simply update their computers then they would already have IE8 installed. It's not that hard people.

Guest said:

Why should people tolerate all the problems with IE when they have paid for a software that is supposed to be superior. Seems that Microsoft creates products with holes to try and force people to upgrade their products. People are paying for the right to be test subjects.

Relic, TechSpot Chancellor, said:

Guest said:

Oh, so nothing new?

Heh ya, first thing that came to mind when I read the headline too.

elroacho72 said:

I like IE8, I still can't believe there is that many people stuck back on IE6 or 7. Wait, yes I can. My Dad still uses Media Player 9, why, why just update and live a little. Thank you, that is all.

rajmond said:

I can understand some people who use IE 8 (because it's part of the most used operating system) but I don't know who still uses IE 6 & 7. It's nothing new that there is a new hole in Microsoft Internet Explorer. The best choice would be to change to a new browser (Firefox or Chrome).

CodePhoeniX said:

Hmm.. I can't remember why I use Firefo.... oh... nevermind.

Kovach said:

What's on my mind right now is why people still keep using IE after all these exploits coming? There are a lot of options to choose, but no, people are lazy to install another browser.

compdata, TechSpot Paladin, said:

Kovach said:

What's on my mind right now is why people still keep using IE after all these exploits coming? There are a lot of options to choose, but no, people are lazy to install another browser.

Come on. We know that there are exploits in every browser. More issues are found in the common ones because they are the ones that get targeted. The real issue here is that people don't keep their computers up to date and so they are vulnerable.

Kibaruk, TechSpot Paladin, said:

I haven't used IE since forever... although there are some specific sites that are only for IE even nowadays which is kind of prehistoric, but still IE 8 isn't affected according to this.

jrronimo said:

Kovach said:

What's on my mind right now is why people still keep using IE after all these exploits coming? There are a lot of options to choose, but no, people are lazy to install another browser.

Not everyone has a choice -- Some of the web-based-systems that some of my users log into don't support IE8 yet. Sometimes they'll run... sometimes they'll run in Firefox, but not always. So they stick it out with IE7.

Luckily, there are workarounds for this published by Microsoft. Obviously the vendor of the web-software needs to update, but until they do we can only wait.

Kovach said:

compdata said:

Kovach said:

What's on my mind right now is why people still keep using IE after all these exploits coming? There are a lot of options to choose, but no, people are lazy to install another browser.

Come on. We know that there are exploits in every browser. More issues are found in the common ones because they are the ones that get targeted. The real issue here is that people don't keep their computers up to date and so they are vulnerable.

Yes, I agree with you about updates and that there are exploits in every browser. But please, IE is hole without the end. It has more announced exploits than any other browser. Am I right?

seefizzle said:

What's internet explorer?

Kovach said:

jrronimo said:

Kovach said:

What's on my mind right now is why people still keep using IE after all these exploits coming? There are a lot of options to choose, but no, people are lazy to install another browser.

Not everyone has a choice -- Some of the web-based-systems that some of my users log into don't support IE8 yet. Sometimes they'll run... sometimes they'll run in Firefox, but not always. So they stick it out with IE7.

Luckily, there are workarounds for this published by Microsoft. Obviously the vendor of the web-software needs to update, but until they do we can only wait.

Yes, you are completely right. I was thinking about people that has choice and being lazy about choosing another browser, safer and faster.

GACrabill said:

Kovach said:

Yes, I agree with you about updates and that there are exploits in every browser. But please, IE is hole without the end. It has more announced exploits than any other browser. Am I right?

No ... I don't think that you are correct.

We just don't hear about the Firefox holes.

Hasn't Firefox had more security fixes for two years in a row now than IE has had?

Do some research ... lots of Firefox security fixes occur that we never hear about ... blame the media, or start blaming Mozilla.

zyodei said:

Hahah..just got done showing my coteacher a few of the basic features of Opera.

Here in Korea, IE6 is still the standard - used on 90%+ of computers.

I'm serious.

She was BLOWN AWAY by tabbed browsing :P

My current computer is a C2D with 2 Gigs of RAM..and came OEM with XP (good) and IE6 (hahaha..but irrelevant anyway)

pipopaz said:

TomSEA said:

Just say "no" to IE! Too many other better browsers around to mess with that and worry about the countless security issues.

You just gave the perfect solution! I agree as well that IE has way too many vulnerabilities exploited in the past.

Yoda8232 said:

Solution? Don't use IE, but in all honesty after using all 5 major browsers I use Firefox as my main browser (secure and very customizable), Chrome as a backup (extremely fast), and IE if needed because it's compatible with all the websites because basically all the websites are made for IE because it WAS the most popular browser.

ToastOz said:

First mistake was using IE.

elroacho72 said:

People are not as lazy as they are scared of new things new ways of doing the same thing. Old people (my parents) just don't like change.

arkantos said:

give chrome a chance. you'll get used to it in a little span of time.

ansarimikail said:

Kind of pointless reporting it here, I mean most people who read these tech posts are probably using another browser.

Kovach said:

No ... I don't think that you are correct.

We just don't hear about the Firefox holes.

Hasn't Firefox had more security fixes for two years in a row now than IE has had?

Do some research ... lots of Firefox security fixes occur that we never hear about ... blame the media, or start blaming Mozilla.

I didn't state in my post that other browsers (And why you said Firefox? You can't know exactly which of those browsers is "leading" with number of exploits discovered) don't have security holes....look closely at my post and read carefully. Still, I like here on TechSpot that they (mods and tech stuff) are not favorite any hardware or software, just writing news just like it should be, not on the way they like. So, if you are following news here on daily basis, you will see that there are a lot of other exploits, from other browsers, published here.

EduardsN said:

I trust google chrome for best security

slh28, TechSpot Paladin, said:

I used to work for one of the UK's biggest companies in terms of employees and they only just upgraded to IE7 from IE6. Most businesses just see it as too much of an effort to upgrade software.

Serag said:

@ slh28,

Yes, in fact most of the comments here and in general when it's a new exploit in IE are from an individual using point of view, while most big corps use IE6/7 and have been doing that for ages, and they find it too hard and resources-demanding to upgrade to 8 not to mention changing to an alternative browser,

hence is why IE is staying for a little longer...

windmill007 said:

Well in corporate environment it's hard to go with alternatives. We also have to run IE7 because IE8 drops support for active desktop on WindowsXP and we use it to display our Intranet on all our computers desktop screens. If it was up to me I would switch everyone over but there is so much resistance to change it would take a security breach of some kind to force the issue.

salbar1981 said:

if IE is so full of holes, what would you expect from Windows?

yangly18 said:

lol...I didn't know people still used IE....I'm pretty sure everyone that knows anything about the internet knows that IE is horrible on the security side of things. I'm glad someone's gone out and shown publicly just how easy it is to break IE. google chrome ftw!

Docnoq said:

Guest said:

Why should people tolerate all the problems with IE when they have paid for a software that is supposed to be superior. Seems that Microsoft creates products with holes to try and force people to upgrade their products. People are paying for the right to be test subjects.

People never have and most likely never will pay for IE. They pay for Windows, and IE just happens to be the browser loaded with Windows. In the European Union, they can actually install a different browser by default thanks to the ballot screen.

At any rate, it is not as if Microsoft purposefully leaves holes in older products and is able to have people find them at a time that coincides with the release of a newer product.

TorturedChaos, TechSpot Chancellor, said:

Sadly I still have to drag out IE at work since there are a good chunk of sites we need to access that won't work in anything but IE or are just extremely unstable in anything but IE. I have sent emails to most of the site managers saying they really need to make their site compatible with the 4 other major browsers, or at least Firefox....but they don't

TorturedChaos, TechSpot Chancellor, said:

Sadly I still have to use IE for a few sites we access at work, like isqft and other builders exchange sites, gotta see what the competition has u know.

DryIce said:

Another reason not to use Internet Explorer. (As if we needed one.)

flocka said:

DryIce said:

Another reason not to use Internet Explorer. (As if we needed one.)

+1 agreed.

only reason to use this browser is for web based apps only supporting IE

Richy2k9 said:

Relic said:

Guest said:

Oh, so nothing new?

Heh ya, first thing that came to mind when I read the headline too.

LOL, same here ...

I use IE8 on one of my Windows install, yet I prefer to use Chrome & Firefox, I just hate it when some sites don't display same on the browsers.

cheers!

Wagan8r said:

It still boggles my mind at how slow and insecure IE is, but what really blows my mind is the fact that SO many people are still using it! Why can't MS just start completely from scratch and create a solid browser?

gary4gar said:

I wonder why IE6 does not die or become obsolete as it has been heavily criticized

Zenphic said:

Hmmm, time to upgrade to IE8 on my Windows XP build!

jasonk1229 said:

i love firefox

techsp10 said:

Internet Explorer has a good performance and I don't agree that the only way is to migrate to other web browsers. Why not using Internet Explorer 8 and this software is pretty good.

Just upgrade your browsers so that you will not be left behind with the pace of the technology right now.

bcnu147 said:

After all these years, MS is still patching holes in IE; they are just too numerous! There are problems with the other browsers, true, but IE ... is anyone really surprised that 'yet another hole' has been found.

I only use IE for sites that won't display correctly in Opera (my 1st choice) or Firefox.

Eddo22 said:

MS needs to can IE8 and start from the ground up with a new browser imo.

Thompson said:

Insanely

Exploitable

Just use Firefox, Chrome, Opera or Safari. Please.

rskapadia2294 said:

who's using IE?

everybody should use chrome or opera!

at least I expect that all of the techspot readers are not using IE!

burnunit said:

Goes without saying these days, but if you use Microsoft stay up to date on updates and patches. While no guarantee, it's your best bet without switching OS's.
