New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 (rapid7.com)
138 points by turnersr on Sept 17, 2012 | hide | past | favorite | 51 comments



This title is a bit misleading. This exploit will not be able to fully exploit anyone running on Vista or Windows 7, since Internet Explorer renderers run in low integrity processes on those operating systems (essentially, they are sandboxed). No one has released a second exploit that would escalate privileges outside of this sandbox.

If you are running IE on Windows XP and you've taken no other steps to protect yourself (like running EMET, SandboxIE, or another mitigation), then it's your own damn fault that you got owned. On the other hand, take a look at how many exploits for IE that Rapid7/Metasploit has that support Windows 7: 0.


Are you sure about that?

The article specifically states that on Windows 7 the attacker obtains the privileges of the current user.

Microsoft's advisory agrees:

http://technet.microsoft.com/en-us/security/advisory/2757760

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."

What's more, most people run with administrator privileges on Windows 7/Vista/XP because that's the default.


Yes, I'm sure that my analysis was correct. IE8+ on Vista+ run IE renderers in Low Integrity, which means read-only access. It's not possible to further compromise (i.e., install malware on) the exploited machine without a second exploit that escalates integrity levels to medium.
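Added example, not code from the Rapid7 post or from anyone in this thread: a PowerShell check for the sandbox claim made in the two comments above. It reads whether Protected Mode is configured for each IE zone and then queries the integrity level of every running iexplore.exe. It assumes Vista or 7 with IE7 or later and PowerShell 2.0 or later, run as the user who browses; the function names and the TokenIL helper class are mine, the Win32 calls and registry locations are the documented ones.

```powershell
# Added example, not code from the Rapid7 post or from anyone in this thread.
# Checks the sandbox claim above on the local box: is Protected Mode configured
# per zone, and what integrity level are the live iexplore.exe processes at?
# Assumes Vista/7, IE7+, PowerShell 2.0+, run as the user who browses.

# Part 1: per-zone value "2500" under the zone key: 0 = Protected Mode on, 3 = off.
# Zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# A value under the Policies key (Group Policy) wins over the per-user HKCU value.
function Get-IEProtectedMode {
    $names = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $roots = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($z in 1..4) {
        foreach ($root in $roots) {
            $v = (Get-ItemProperty -Path "$root\$z" -ErrorAction SilentlyContinue).'2500'
            if ($v -eq $null) { continue }            # not set at this level, try the next
            New-Object PSObject -Property @{
                Zone = $names[$z]; ProtectedMode = ($v -eq 0); SetBy = $root.Substring(0, 4)
            }
            break                                     # first hit wins: policy before user
        }
    }
}

# Part 2: read TokenIntegrityLevel (information class 25) from each process token.
# The label SID is S-1-16-<rid>: 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint a, bool i, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr t, int c, IntPtr b, int n, out int r);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int i);
    public static int Rid(int pid) {
        IntPtr hp = OpenProcess(0x0400 /* PROCESS_QUERY_INFORMATION */, false, pid);
        if (hp == IntPtr.Zero) return -1;
        IntPtr ht; int n, rid = -1;
        if (OpenProcessToken(hp, 0x0008 /* TOKEN_QUERY */, out ht)) {
            GetTokenInformation(ht, 25, IntPtr.Zero, 0, out n);   // size probe
            IntPtr buf = Marshal.AllocHGlobal(n);
            if (GetTokenInformation(ht, 25, buf, n, out n)) {
                IntPtr sid = Marshal.ReadIntPtr(buf);              // TOKEN_MANDATORY_LABEL.Label.Sid
                int last = Marshal.ReadByte(GetSidSubAuthorityCount(sid)) - 1;
                rid = Marshal.ReadInt32(GetSidSubAuthority(sid, last));
            }
            Marshal.FreeHGlobal(buf); CloseHandle(ht);
        }
        CloseHandle(hp);
        return rid;
    }
}
'@

function Get-IEIntegrity {
    $levels = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x2100 = 'Medium+'; 0x3000 = 'High'; 0x4000 = 'System' }
    foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        $rid = [TokenIL]::Rid($p.Id)
        $lvl = '0x{0:x}' -f $rid                      # unknown label, show the raw RID
        if ($rid -lt 0) { $lvl = 'access denied' } elseif ($levels.ContainsKey($rid)) { $lvl = $levels[$rid] }
        New-Object PSObject -Property @{ ProcessId = $p.Id; Integrity = $lvl }
    }
}

Get-IEProtectedMode | Format-Table Zone, ProtectedMode, SetBy -AutoSize
Get-IEIntegrity     | Format-Table ProcessId, Integrity -AutoSize
```

On a stock IE8/9 install the first table shows Protected Mode on for the Internet and Restricted zones and off for Trusted sites, and the second shows one iexplore.exe at Medium (the frame process) with the tab processes at Low. Two things worth knowing before relying on that: Protected Mode depends on UAC, so a box with UAC switched off shows every IE process at Medium; and Low integrity blocks writes outside low-labelled locations such as %LOCALAPPDATA%Low, not reads, so code running in a Low tab can still read the user's files and send them out.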


Computers can get compromised simply by visiting a malicious website. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers.

The long release cycle of Internet Explorer is a very big problem for IE users; unfortunately most of them don't even know what a browser is.


The long release cycle for new versions of IE is irrelevant. Internet Explorer security patches get pushed regularly through Windows Update, which Microsoft encourages users to set up for automatic installation. So this problem will get fixed for the average user as soon as Microsoft sends out the patch. It requires no more knowledge than updating Chrome does.

Note that I'm not recommending that anybody use IE. I'm just pointing out that it does get automatic updates, just like other browsers.


True, but there is an important difference between Chrome background updates and Windows Updates: Windows Updates are easy to disable, and, in our experience, frequently are disabled by users for various reasons.

Users find that they hate trying to reboot (or start up) one day and then wait for 30 minutes while their computer does nothing more than display a "Now installing update 3 (of 30)..." screen. (This is especially obnoxious on big Windows Server installations where this process can take a server down for an entire weekend.) Or they hate being nagged all the time that there are updates available. Or they hate having their computer insist every five to ten minutes that it needs to be restarted now. Or they're gun-shy about it because an update once changed the layout of Windows Live Mail and left them completely confused about why it was suddenly so different even though they hadn't changed anything.

In one fun case, we had a corporate client disable automatic updates for their entire research lab because one night Windows update decided it needed to automatically reboot every single system there. They were running overnight experiments and came in the next morning to find that all of the night's data was missing or corrupted, costing them a day on a tight schedule.

Microsoft does software updates in a very, very wrong way, and that means that a rather large number of people think it's better to just ignore the updates.


Windows Update is very configurable, both through AD policies and on a per user basis. If a machine shouldn't be auto-updating, set it to manual reminders. Plain and simple.

As for updates, in my experience they are generally small and fast to install once you have gotten over the initial update push of a clean Windows installation.

And of course in domains, you can set up custom update rollouts; no need to use MS's update servers.

Finally, for servers, install the OS onto an SSD. Updates will take seconds. Problem solved.

While it would be nice if more components could update without restarts (and I think people forget how much better things are now than they used to be!), the fact is every major piece of software out there requires restarts to install updates. Of course there are awesome-cool Linux and other OSs that do not require restarts (IBM obviously has had that tech for ages, really cool stuff), but with how Windows is designed (back-compat first), that isn't likely coming any time soon.

I've also had long running work disrupted by Windows update. The simple solution was to check "Ask before installation". Problem solved.

(And to be honest, browser restarts are just as troubling to me nowadays as rebooting my entire PC!)
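Added example, not from anyone in this thread: the configuration the comment above is describing, done with the documented Windows Update policy values rather than the Control Panel. It keeps downloading (so the IE fix arrives when Microsoft ships it) while removing the unattended reboot that killed the overnight experiments in the lab story. It assumes a standalone Vista/7 machine and an elevated shell; on a domain the same settings go in Group Policy or WSUS. The function names are mine.

```powershell
# Added example, not from the thread. Assumes a standalone Vista/7 box and an
# elevated PowerShell; the function names are mine, the registry values are
# the documented Windows Update policy values.
$AUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Policy values (all REG_DWORD). When none of them exist, the Control Panel
# setting under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
# governs instead; once a policy exists, the Control Panel control is greyed out.
#   NoAutoUpdate                   1 = Automatic Updates off entirely (the "disabled" state argued about above)
#   AUOptions                      2 = notify before download, 3 = download, notify before install,
#                                  4 = download and install on the schedule, 5 = let the local admin choose
#   NoAutoRebootWithLoggedOnUsers  1 = never reboot automatically while someone is logged on
#                                  (only meaningful with AUOptions 4; with 3 nothing installs unattended)
function Set-WUPolicy {
    param(
        [ValidateSet(2, 3, 4, 5)][int]$AUOptions = 3,
        [switch]$AllowAutoReboot
    )
    if (-not (Test-Path $AUKey)) { New-Item -Path $AUKey -Force | Out-Null }
    Set-ItemProperty -Path $AUKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AUKey -Name AUOptions -Value $AUOptions -Type DWord
    $noReboot = if ($AllowAutoReboot) { 0 } else { 1 }
    Set-ItemProperty -Path $AUKey -Name NoAutoRebootWithLoggedOnUsers -Value $noReboot -Type DWord
}

function Get-WUPolicy {
    $p = Get-ItemProperty -Path $AUKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        PolicyPresent    = ($p -ne $null)
        PolicyDisablesAU = ($p -ne $null -and $p.NoAutoUpdate -eq 1)
        AUOptions        = $p.AUOptions
        NoAutoReboot     = ($p.NoAutoRebootWithLoggedOnUsers -eq 1)
    }
}

# Lab box: keep downloading, install on the schedule, never reboot under a logged-on user.
Set-WUPolicy -AUOptions 4
Get-WUPolicy | Format-List
```

Two caveats: NoAutoRebootWithLoggedOnUsers is literal, so an experiment left running with nobody logged on (a service, or a scheduled task after logoff) still gets the reboot, and AUOptions 4 with the reboot suppressed means the patch sits installed-but-inactive until someone restarts, so the IE fix is not live until that happens. `wuauclt /detectnow` makes the agent pick the new policy up without waiting for the next detection cycle.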


Everything you said is technically correct, and helpful to some people, but it doesn't change the fact that most users opt to simply disable automatic updates in one fashion or another. Manual updates, and "download-but-don't-install" are both different from the Chrome example, and in both cases, will cause IE to not be immediately patched for all of its users even once Microsoft pushes an update for it.

And, if I may push back just a little bit more: "install an SSD" should ideally never, ever be a serious solution to the problem of software updates. I'd like to think that I'd have the good grace to be completely embarrassed if I ran a software company that had advocates telling other people that my long update process could be "solved" by installing an SSD.

Not that you're technically wrong.


>but it doesn't change the fact that most users opt to simply disable automatic updates in one fashion or another

Most people disable auto updates? Do you have a reference for that or is that just your personal anecdote? Most people and PCs I've been auto update. Normal users don't even care to take the time to find out if they can be disabled.

You can only force users so much. Installing updates and restarting is a default and people who go out of their way to prevent it deserve to take some responsibility, it's their machine after all, not Microsoft's nor yours. If Windows forced everyone to update and restart automatically without a way to turn it off, a lot of people will raise hell over it. Some people don't like even browsers autoupdating under them.


Yet I truly prefer Windows Update to Chrome.

Oh, so you wanted to SSH over your GSM tethered connection? Here, take this Chrome update too! Don't mind that you'll never get it down this session.

Also if you don't restart your computer you probably won't restart Chrome either => no updates.

Yes, Chrome is probably more efficient but we truly need a way to signal that this connection is slow/expensive so don't do any heavy updates on it. Especially when we have no way of saying that we aren't interested in an update and don't care about any security issues within an application that won't be executed anyway.

A friend of mine had a bad experience with Steam which ate his 1 GB monthly quota in mere minutes (internet was down so he used his phone instead, didn't think much about having Steam running in the background).

Hopefully app stores will be in charge of updates. I don't feel like having a separate update service for every application running all the time.


Quotas are definitely a problem but I disagree with your complaint about not restarting: Chrome has UI badges (and will eventually prompt) for pending updates. This is about as good as you can get short of forcing the user to restart.


And Windows Update has balloon tooltips and an icon to inform me that an update is available... I update Chrome and Windows the exact same way. I get informed of an update and when I'm ready I let it proceed (yet I have no control over when Chrome downloads an update).


Chrome is a bit harder to disable, but eventually I figured it out once, when I got updated without my consent to a version that started breaking key websites that I use.

There is no one right answer to how to update end users.


That's extremely funny and ironic, given that Chrome needs to restart to actually run the update. If you don't restart Chrome for a few days you're still vulnerable to the exploits while you're browsing.

I left Chrome on my laptop for weeks on end a few times and it displayed an icon in the toolbar requesting (annoying!) that I restart Chrome and load all my 100 tabs super slowly again!

And why are you comparing browser updates to OS updates which need to be much more robust?

Here's Google updating Chrome OS dev build breaking things.

http://news.softpedia.com/news/Chrome-OS-Dev-Update-Bricks-C...

>This is especially obnoxious on big Windows Server installations where this process can take a server down for an entire weekend.

Really? Any references to this? I have seen a Windows 2003 small business server running on hardware from 7 years ago and it never took more than 10 minutes for it to apply updates even 3 or 4 months late.


*sigh* It's only funny and ironic if you think that Chrome needing a restart is exactly the same as Windows needing a restart. You're a smart guy, I'm sure you don't think that.

But, for what it's worth, I do think Chrome's update process could be even better. I have a copy of Joe Zobkiw's "A Fragment of Your Imagination" gathering dust on one of my bookshelves; it was a primer on building applications with plugin-style ('code fragment') architectures for MC68k and PPC. It was written in 1995, and with just a little bit of tweaking, it would have been possible to use the text in the book to build applications which could do hot upgrades.

So this was a solved problem, in 1995 at the very least. And that's ignoring the microkernel example that Linux has blessed us with for so many years.

That 17 years have passed and companies with Google's resources still can't build their applications that way makes me really grumpy.

> I have seen a Windows 2003 small business server running on hardware from 7 years ago and it never took more than 10 minutes for it to apply updates even 3 or 4 months late.

Never mistake your experiences for everyone else's experiences!

OK, story time. Quick background: a good corporate client of ours got a new administrative manager, he accepted bids for a big-deal network & server upgrade instead of sticking with the relationship we had with the client, they ended up going with another outfit which sold them a wickedly overpriced server running SBS 2008, Active Directory, Exchange, the works. Some of the knobs were turned the wrong direction and even after sinking a lot of money into it the server couldn't do what the client wanted it to do in the first place. So we inherited a mess not of our design.

We eventually get everything back to a stable state, and decide a while later that we should probably get the server caught up on updates. Now, the one nice thing about SBS 2008 updates is that the server will continue its AD and sharing services while it's preparing for shutdown and installing updates. The bad thing about it is that it doesn't give any time estimate and there's no sane way to cancel the update process once it's started. So, we make arrangements with the client -- they don't have failover for this -- and start the update process on a Friday afternoon.

8 hours later the update process finishes. I had a really unhappy tech at that point. It's a secure facility, we're not supposed to have any external or remote access, somebody needed to babysit the stupid thing on-site the entire time. Plus, we bill by the hour, so client's not super happy either. But, industry says we can't not install updates, right?

So, a week later, we schedule the next round of updates. And it looks like it's going to do the same stupid thing again. Again, no ETA, no way to do just some of them and the rest later. No, it's just, "Now installing update 5 (of 70)...". For hours. I don't want to ruin my tech's Friday night for the second week in a row, so I tell him to go home and I make arrangements to be there first thing Monday morning to make sure everything's copacetic.

On Monday morning, it wasn't. The update process had stuck somehow, somewhere around 59 of 70 or something like that. The server had never rebooted, we couldn't tell if it was truly stalled or if the update process was still continuing but just really really slow. Despite the huge warnings to the contrary, we had little choice but to hard reboot the stupid thing and do damage control afterward. Everything turned out OK, but there's nothing that'll move your breakfast through your bowels quite like rebooting a big client's "everything under one roof" server in the middle of an update.

So.

Go ahead and tell me how Chrome's update process is just like that. :-)


>Never mistake your experiences for everyone else's experiences!

Perhaps you should do the same thing! The said Windows 2003 SBS server, running AD since 2005, never had any issues, not even a hardware one, which is very surprising, and it is up to date to this date.

There can be very many reasons for your experience including software configuration, corrupted files, bad RAM etc., but which one of our experiences is typical? Yours or mine?

>Despite the huge warnings to the contrary, we had little choice but to hard reboot the stupid thing and do damage control afterward. Everything turned out OK, but there's nothing that'll move your breakfast through your bowels quite like rebooting a big client's "everything under one roof" server in the middle of an update.

Operating systems are extremely complex beasts and some have issues even with hardware and software as tightly controlled as OS X or iOS. Comparing them to a browser is not really fair.

https://www.google.com/search?client=opera&rls=en&q=...

https://www.google.com/search?client=opera&rls=en&q=...

Edit: Chrome updates breaking for some:

https://www.google.com/search?client=opera&rls=en&q=...


>In one fun case, we had a corporate client disable automatic updates for their entire research lab because one night Windows update decided it needed to automatically reboot every single system there. They were running overnight experiments and came in the next morning to find that all of the night's data was missing or corrupted, costing them a day on a tight schedule.

That is a small edge case on a consumer OS running on a billion PCs, maybe they should have had some half-competent people running the lab instead of having defaults that are meant for normal users?

WSUS lets them have full control over updates and restarts. Most decent enterprises and universities use it.

http://technet.microsoft.com/en-us/windowsserver/bb332157.as...

>Microsoft does software updates in a very, very wrong way

Pray, tell us the right way. What would you have wanted Microsoft to do if there was this vulnerability that came today and the lab was running the research experiment for the next 3 days?


Did you actually want me to grace your stupidly rude comment with a reply, or are you just grandstanding? Let me know so I don't waste my time.


I am not the GP but I am curious about your proposed solution. You were comparing browser updates to Windows Server, which could be running IIS running a bank website, Exchange server for mail or Lync/Communicator server.

Does Apache do automatic updates for critical vulnerabilities? I hope you can either give better examples than Chrome for comparison, or actually give a solution to this problem, which is not isolated to Windows; most distributions require restarts for kernel updates. With that perspective, your post was the one that seemed to be grandstanding and railing at Windows Update without providing specific solutions.

http://superuser.com/questions/283230/why-does-mac-os-x-need...

http://askubuntu.com/questions/32098/why-does-ubuntu-need-to...


I have absolutely no influence at Microsoft. Why are you asking me to talk further over how I would do their software architecture differently? There is absolutely no hope of changing anything, at all, by doing that. It's a waste of time. That's why there was no "proposed solution" anywhere in my comment.

Let's recap.

1: A new 0-day has just been released that affects IE 7, 8, 9, etc.

2: givan points out that the long release cycle for Internet Explorer means that this will probably be a viable exploit for a long time to come. (And he's right.)

3: greenyoda says, no, Windows Update will fix this. Especially, "[IE] does get automatic updates, just like other browsers."

4: I jump in -- something I am becoming more and more convinced was a huge mistake -- and point out some of the reasons why Windows automatic updates are not just like other browsers.

Have I gone wrong somewhere yet? Do you really think that Windows automatic updates are "just like other browsers"? Why do you want me to accept that Windows updates have to suck just because Windows is a huge complicated piece of software? Does any of that invalidate any of the reasons I mentioned for why users turn off automatic updates?

Or is it your argument that people don't turn off Windows automatic updates? Because even Coding Horror has a rather popular post from 2005 on how to disable it (http://www.codinghorror.com/blog/2005/05/xp-automatic-update...), and that's targeted at a technical audience, so frankly I'm not yet convinced that anybody who thinks that disabling Windows automatic updates isn't a popular thing to do is someone that I should spend any time debating this with.

Does Apache do automatic updates for critical vulnerabilities? No. Could it? Sure. I bet half the people on this forum alone could write a cron job to do just that. But more importantly: who cares?

The fact alone that Microsoft pushes browser updates through the exact same channel as kernel updates makes their update process very wrong. I don't think I have to spend any time at all going out on a fishing expedition finding you examples of software that does it right to argue that at this point browser updates should be getting their own channel from MS. (Just in case I really have to spell it out: treating operating system updates as exactly equivalent to browser updates is stupid. Not doing so would solve your number one rebuttal, which seems to be that Microsoft can't do updates better because software is hard.)

If you insist on having me come up with an entirely new way to engineer software for Microsoft, I expect to be paid for that.

And I'm still reading patio11's latest post on kalzumeus, so my rates just went up.


>I have absolutely no influence at Microsoft. Why are you asking me to talk further over how I would do their software architecture differently? There is absolutely no hope of changing anything, at all, by doing that. It's a waste of time. That's why there was no "proposed solution" anywhere in my comment

You compared Chrome favorably to Windows Update and criticized WU throughout your post, which led me to believe you had some insight on how to make updates painless beyond "Microsoft, just make it better."

>Or is it your argument that people don't turn off Windows automatic updates? Because even Coding Horror has a rather popular post from 2005 on how to disable it (http://www.codinghorror.com/blog/2005/05/xp-automatic-update...), and that's targeted at a technical audience, so frankly I'm not yet convinced that anybody who thinks that disabling Windows automatic updates isn't a popular thing to do is someone that I should spend any time debating this with.

First, Windows 7/8 are much better than XP in this regard. Second, the point of difference between us is that you're not ascribing any blame on the user at all for turning off updates.

Here's the dialog box for turning it off. It states the following:

http://cloud.addictivetips.com/wp-content/uploads/2008/11/wi...

> Never check for updates, not recommended. Your computer will be more vulnerable to security threats and performance problems without the latest updates.

To go to a car analogy, updating your OS is like servicing your car which comes with inconveniences such as having to find a few hours in your busy life and not having access to your car for a few hours, having to take a taxi or bus to home or work, or skipping gym, watching TV or going to a movie. Whose fault is it primarily if the car catches fire on the highway because it wasn't serviced because taking the car to service was too much work?

Your arguments amount to something like, "it's solely the car makers' fault to require expensive service that takes a long time that leads to users not servicing cars for months, they should learn to make cars that don't need service, do I need to take my bicycle for service? They should learn from that."

If my friends or relatives either turned off automatic updates or stopped servicing their car, I would strongly recommend them not to do that. You may be of a different opinion regarding updates i.e "yes they suck and are a waste of time, no need to do it".

Another point of contention is your anecdote of "most users turn off automatic updates". Most? Can you come up with some reference to that beyond your personal anecdote?

>The fact alone that Microsoft pushes browser updates through the exact same channel as kernel updates makes their update process very wrong

That's a better idea, but should we have different channels for Remote Desktop? Windows Media Player critical updates? Why are these any less critical than IE updates? I guess that would further confuse normal consumers some of which don't even know what a browser is.

If you're an admin, you can already pick and choose updates.

http://ie.microsoft.com/testdrive/ieblog/2009/Aug/25_Interne...

Should Microsoft make updates better? Yes. Should user not turn off automatic updates even if it's "annoying"? Yes.

>If you insist on having me come up with an entirely new way to engineer software for Microsoft, I expect to be paid for that.

>And I'm still reading patio11's latest post on kalzumeus, so my rates just went up.

Thanks for graciously agreeing to insightfully comment on HN for all of us. I feel obliged to pay you for amazingly modest comments with no grandstanding or condescension, for which we're all very grateful; do you accept PayPal?


I don't think I'd compare Windows Updates (the most broken updating system I've ever seen) to how Chrome manages updates. I've fixed computers running IE7 and with WU disabled. I ask why and I'm told "because the popups are annoying, and because upgrading IE is a pain in the ass." I agree. When I install Chrome for them, then later point out that it has updated 10 times in the past few months, they say "I never saw anything." As it should be.


I find Windows Update to be the most reliable updater of any software. Since 2005 I can't even imagine how many updates I have run on thousands of computers that never once "broke" because of an update. MS worked out how to test updates years ago and now, unless you have malware, it's probably not going to break anything.

Also keep in mind that if Chrome had been released in 1998 with its current update model it would have failed, with people screaming to governments that Google was spying on them.


I disable the automatic updates as soon as I install Windows. I find them very annoying, and unless there's a serious issue with that version of Windows, I'd rather just wait a couple of years for the next service pack or something, before I install the updates.


There are serious issues on an extremely frequent basis with Windows and all its applications. Whether it's the OS, Office, or IE, it's rare for there not to be critical updates on a monthly basis. This month was the first time in four years that my team had the option to defer patching until next month.


"Most of the don't even now (sic) what a browser is."

Bullshit. It's time for us to get off our high horses and realize it's not 2001 anymore. Users know what a web browser is; it's the thing they use "to surf the internet." Just like MS Word is the thing they use to write a document.


They may know intuitively what a browser is, but they don't always know it as a "browser". When I did public-facing tech support, I found I encountered much less confusion when I told people to "pull up Google" or "go to Yahoo" versus "start your browser".

Doing tech support work interacting with the generally computer non-literate is like civil service for the tech world. It's not pleasant but it expands your perspective, and many HN readers would do well to go through it.


I wish you were right, but sadly I don't believe it. My crappy anecdotal evidence is that less than 50% of my non-dev friends know what a browser is. They generally use the default browser that comes with their system (Safari or IE), and they call it "The Internet".


A stronger counter-claim would have included non-anecdotal data.


I think you may have hit reply on the wrong link. I did not include any data or anecdotes. Maybe you meant to reply to the parent "a stronger claim would have included any supporting data"?



Every HN reader is sophisticated enough to decide which browser to use and why. And trust me, in 2012, there's nothing you want from someone using IE[6-9] with Windows Update disabled and no antivirus software installed.



Could someone who understands them explain the screenshots to me like I was 5? I'm familiar with ruby, internet explorer, and virtual machines, but I can not make any sense of these images.


He's running a web server process w/ Metasploit, configured to serve/run the exploit module. Then he issues a GET request to the server w/ the affected browser and gets a session in Metasploit (framework). The screenshots are basically proof showing that the session (connection to compromised machine w/ high-level/root access) has been created.


It's not root access. It's access as whatever user was running the browser.


Yeah fair point that this exploit gives privs @ the level of the browser's current user. In that parenthetical, I was basically trying to explain what "session" means in Metasploit parlance in general.


Ignoring that most users run their main Windows login as administrator, if we pretend it's just a guest account, how much of an impediment would that be to them disrupting any anti-virus and installing some malware?


Are you asking if anybody has a 0-day Windows kernel exploit? Or if lots of users are going to click okie dokie when the UAC prompt comes up?

I'd say yes and yes.


Google hashdump...


Is your point that local user access is valuable? Was that ever in doubt?


Nope


Resistance is futile. It is time to assimilate, download chrome.


Can't say I'm ever surprised when exploits like this pop up, but it's definitely valuable to know. I don't use IE nor manage users on IE so I know I'm fine, but those of you out there using it or managing users that use it should probably take this as an opportunity to re-educate users on security best practices including email attachments and visiting unfamiliar websites.

Also important to note that some websites you may be familiar with could become compromised and attack-code added within iFrames is very common, so it's best to just not use IE at all until a patch is released.


www.google.com/chrome, don't leave 127.0.0.1 without it.

I find packaging up 0-days into point-click downloads for Metasploit and the like akin to giving a small child a loaded gun, but that's me I guess. It will only encourage the digital vandals (media calls them hackers, bless).


In addition to giving security professionals tools to see how vulnerable their infrastructure is to real-world attacks, releasing exploits like this actually creates significant pressure for vendors to patch vulnerable software.

Take the recent Java 1.7 vuln (3 weeks or so ago). Oracle released a patch 4 days after that exploit was rolled into Metasploit. I'm sure they'll tell you that's a coincidence, but it's still nice to see happen completely out-of-band from their normal patch process. Word around the campfire is that Oracle knew of that vuln for months w/out a patch. Then along comes big bad Metasploit and you've got a patch for everyone on Java 1.7. I call that a win.


Oh, you're dead right, but security professionals have access to less public sources of tools and testing abilities; they just don't have to be so easily accessible for those who could perhaps fail at unpacking a tar file.

As for embarrassing the vendor and highlighting their sloppiness, well, there may be some mileage in that. Though you would have thought vendors were a little bit more proactive.

Still, it's out there now, and in that evolution is a wondrous thing to behold at work; some will learn and some will not.


I sure hope this exploit gets a lot of attention, in this way most people will understand the importance of upgrading their browser and thus... we, web developers, will not have to support crappy browsers (IE7 I'm looking at you!) :D


wow this is so big it makes my head spin.. most def the new ms08-067


ms08-067 you could simply attack the host and root it though. This requires you get them to click a link and assume they are using a vulnerable browser.


Could pretty easily combine it with XSS or otherwise compromised ad servers / web servers.
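Added example, not from anyone in this thread: a first-pass scan for the delivery path raised a few comments up (attack code injected into iframes on an otherwise familiar site) and in the reply just above (compromised ad or web servers). It flags iframe tags whose src is off-host and which are sized or styled to be invisible. It assumes the page body has already been fetched (here a constructed sample, not a real page) and that the site's own hostname is known; the function name and the sample HTML are mine. Regex over HTML is a heuristic, not a parser, so treat hits as leads for a manual look.

```powershell
# Added example, not from the thread. Flags iframes that point off-host and are
# hidden by size or style, the shape of a planted drive-by frame. Assumes you
# already have the page text; the function name and sample HTML are mine.
function Find-SuspiciousIframes {
    param([string]$Html, [string]$SiteHost)
    $tagRe  = [regex]'(?is)<iframe\b([^>]*)>'
    $attrRe = [regex]'(?i)\b(src|width|height|style)\s*=\s*(?:"([^"]*)"|''([^'']*)''|([^\s>]+))'
    foreach ($m in $tagRe.Matches($Html)) {
        # collect the attributes we care about, quoted or bare
        $a = @{}
        foreach ($am in $attrRe.Matches($m.Groups[1].Value)) {
            $val = if ($am.Groups[2].Success) { $am.Groups[2].Value }
                   elseif ($am.Groups[3].Success) { $am.Groups[3].Value }
                   else { $am.Groups[4].Value }
            $a[$am.Groups[1].Value.ToLower()] = $val
        }
        $reasons = @()
        $src = $a['src']
        # off-host: absolute or protocol-relative URL whose host is not ours
        if ($src -and $src -match '^(?:https?:)?//([^/:]+)' -and $matches[1] -ne $SiteHost) {
            $reasons += "off-host src $($matches[1])"
        }
        # 0x0 / 1x1 frames
        foreach ($dim in 'width', 'height') {
            $digits = ($a[$dim] -replace '[^\d]', '')
            if ($digits -ne '' -and [int]$digits -le 1) { $reasons += "$dim=$($a[$dim])" }
        }
        # hidden or pushed far off-screen via inline style
        if ($a['style'] -match 'display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}') {
            $reasons += 'hidden via style'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{ Src = $src; Reasons = ($reasons -join ', '); Tag = $m.Value }
        }
    }
}

# Constructed sample page (not real traffic): one legitimate same-host frame and
# one injected, invisible, off-host frame of the kind a compromised server plants.
$sample = @'
<html><body>
<iframe src="http://www.example.com/widgets/weather.html" width="300" height="200"></iframe>
<p>content</p>
<iframe src="http://evil.example.net/i.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
'@

Find-SuspiciousIframes -Html $sample -SiteHost 'www.example.com' | Format-List Src, Reasons
```

On the sample the second frame is reported with three reasons and the weather widget passes. It will not see a frame that JavaScript writes into the DOM at runtime, or one served from the compromised host itself, so for a real incident run it over the rendered DOM rather than the raw response and check every hit by hand.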



