KB960714: Microsoft patches critical IE7 flaw
Microsoft issued an out-of-band emergency patch Wednesday for a zero-day Internet Explorer vulnerability that has opened the door for hackers to install malware on susceptible computers without any user intervention. The flaw, which is given the highest severity rating of critical, affects all versions of Microsoft’s IE Web browser. Specifically, Microsoft’s IE update affects versions of Windows 2000 for IE 5.01; XP, XP Professional, Server 2003 for IE 6; and XP, Server 2003, Vista, Server 2008 for IE 7. The vulnerability was reported after the release of Windows IE 8 Beta 2, but Microsoft still recommends in its MS08-078 advisory that users apply the patch.
The IE security problem is the result of a fundamental flaw in the browser’s data binding function, which ultimately leaves a hole in the memory space that can be accessed by remote hackers. Internet Explorer can then quit unexpectedly while in an exploitable state. Unlike other exploits, users have only to visit a malicious site infused with Trojans or other malware in order to become infected. Hackers can also entice victims to visit a specially crafted site, usually via some kind of phishing or social engineering scheme, or place infected banner ads on legitimate Web sites. Once users open an infected Web page, malicious downloaders are then installed on their computers, which are designed to record keystrokes and steal passwords, credit card numbers, or other financial information. The user’s computer could also become part of a botnet, an infected network of compromised computers, operated by a central command and control center.
Source: CRN

Comments(25)
If you have automatic updates turned on do you get this? Or do you have to visit the site to download it? I got an update this morning and just let it install as usual so will that be the IE patch?
The patch will be applied via Windows Updates / Automatic Updates as normal.
It just takes time to distribute over the internet, hence users have instant access to have it installed immediately.
Ummmm……Get linux, then you won’t have to worry about the failings of M$. SPEED, RELIABILITY, SECURE….FREE…
Torrent for IE7 x86
TPB
http://thepiratebay.org/torrent/4584722/Security_Update_for_Internet_Explorer_7_for_Windows_XP_(KB960714
Demonoid
http://www.demonoid.com/files/details/1728699/22650039/
First time ever MS told its customers to use someone else’s browser. What next Vista?
what’s IE?
Why the hell are people still using a crap browser like IE anyway.
I use Fire Fox won’t even touch IE with a 10 foot clownstick
I’ve applied this update already, didn’t know it was bad patch until now. Any way to remove it?
@9-bad patch? what’s wrong with it?
I thought people stopped using IE at the turn of the MILLENNIUM.
“I use Fire Fox won’t even touch IE with a 10 foot clownstick”
Yeah, you’re far more secure with good old Firefox, lol: -
“Mozilla’s open-source Firefox browser recorded the highest number of severe vulnerabilities among popular consumer applications this year, according to new research from whitelisting firm Bit9 released today.”
http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
Exclusive Internet Explorer V.8 Beta
Screenshot From Official Website (Microsoft)
Windows XP Compatible Version :
http://rapidshare.com/files/174453383/IE8-WindowsXP-x86-ENU-RC1-www.dvd4arab.com.exe
Windows Vista Compatible Version :
http://rapidshare.com/files/174453401/IE8-WindowsVista-x64-ENU-RC1-www.dvd4arab.com.exe
@3: You seem to be mistaken. Linux is an OS. This is about a browser, not Microsoft’s OS.
Ironic that a site that has page redirects and page transitions to sites that have malicious scripts embedded in their pages capable of infecting machines with trojans etc reports this story… very ironic indeed.
@ Mr Linux…
“There seems to be a false sense of security among some Linux users. The number of malicious programs specifically written for GNU/Linux has been on the increase in recent years and in the year of 2005 alone has more than doubled: from 422 to 863. Some security consultants will argue that Linux has fewer viruses/malwares because it is less attractive as a target for having a smaller user base (compare ~90.66% Windows vs ~0.93% Linux). You may call me a traitor but I agree with that assessment. There is no reason why we will not see a rise of malware designed for Linux as it becomes more mainstream among ordinary users.
I’ve heard so many times from beginners “do I need an anti-virus?”, “Linux has no viruses”, “There’s no way a virus could infect a Linux box”. This is the false sense of security that many new Linux users are dealing with today. Most are just starting out as Linux users and have no idea about the risks and safe actions to take. Newbie Linux users tend to feel safe with statements they read about how the Linux OS could never be infected and if so could never be executed because of the way files work under Linux…”
You can read the rest at http://www.linuxhaxor.net/2008/11/26/linux-virus-a-false-sense-of-security/
As for Firefox, the bigger it becomes the more of a target it becomes. Look at the Mac…
another fine fk up by microsoft! congratulations!
FF is the only browser for me for almost 4 years especially with ad-block, ie-tab, and no-script add-ons. However I installed IE 8 beta 2 recently and I can say that although it crashes very often, it looks promising for a beta. It is quite fast and if used with ie7pro which has ad and script blocking, mouse movements, etc. options, final release of IE8 can be a real competitor in the world of browsers.
Man, get Opera and start browsing safely…..
I like Opera, but I don’t like having to manually edit files to give me the same functionality of Firefox with adblock plus. Once Google Chrome has plugins integration implemented I will probably use that. Firefox has been on the downslide and memory issues have returned
After I read about the flaw I checked the Windows update and there it was
but I don’t consider this as a huge problem cos I use 3 dif browsers all the time and FF is the main 1 ….
In the news just 2 hours ago…
Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users’ sensitive information.
Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version 2.0.0.19 of Thunderbird and version 1.1.14 of SeaMonkey.
The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.
According to a research note released Wednesday by security researcher Secunia:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user’s system.
Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
An error when processing the “persist” XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.
One advisory addresses critical security flaws in all three programs (Firefox, Thunderbird, and SeaMonkey) that could arise from memory corruption and result in malicious attackers launching arbitrary code from users’ computers.
Mozilla also notes that another set of critical vulnerabilities in all three could redirect users from a legitimate site to a malicious one, where users’ private data could be stolen. And a third set of critical flaws noted in all three could lead to the launching of arbitrary JavaScript within a different Web site.
What on earth are you lot going on about? Can someone explain the risk in plain English and what action, if any, needs to be done? It’s like you’re speaking a different language. Sorry guys, I’m just lost.
@ Karen…
“Microsoft issued an out-of-band emergency patch Wednesday for a zero-day Internet Explorer vulnerability that has opened the door for hackers to install malware on susceptible computers without any user intervention. The flaw, which is given the highest severity rating of critical, affects all versions of Microsoft’s IE Web browser.”
If you’re lost and cannot understand that then why are you even bothering to use a computer in the first place? When Windows tells you you need to update your Internet Explorer because of a security risk to your computer that can infect it with malware and spyware then it cannot be put in any more plain English than that. Unless you’re an out-sourced call centre operator in India of course.
Of course I shouldn’t bash the non tech savvy but if you understand torrents and illegal downloads how can you plead ignorance on a subject such as malware/spyware and viruses, half the torrents are full of them.
Still it is Christmas… when all the noobs get laptops and desktops etc. Just buy a copy of “Idiots Guide To…” or “… For Dummies”, that’s probably as plain as you can get!
The obvious solution to all this madness is to not use the internet at all.