Microsoft Windows OS (XP/NT/Vista/Windows 7/8/9/10) Forum

Vulnerability in Internet Explorer Could Allow Remote Code Execution

 3:42 pm on Dec 11, 2008 (gmt 0)

Vulnerability in Internet Explorer Could Allow Remote Code Execution [microsoft.com]
Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.

At this time, we are aware only of limited attacks that attempt to use this vulnerability. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.



 1:08 am on Dec 12, 2008 (gmt 0)

Yeah, this is a scary one. I've seen several tech sites recommend that you simply don't use IE until they find a fix for this...and they weren't joking.


 1:52 pm on Dec 14, 2008 (gmt 0)


Initially it appeared that the vulnerability was only in Internet Explorer 7, but after further analysis it seems as if all currently-supported versions of IE are affected, including the betas of IE8.

Receptional Andy

 2:03 pm on Dec 14, 2008 (gmt 0)

For those determined to use IE regardless, technet has published some "workaround" steps:


Not for the faint-hearted though!


 4:51 pm on Dec 14, 2008 (gmt 0)

Just don't use IE - it's inherently flawed, inferior to other browsers, and as the largest market share will always be the largest target. Choose Firefox, Opera, or Chrome (I don't personally like Chrome, but it seems OK) and you should be fine (Safari has some major problems as well).


 7:15 pm on Dec 14, 2008 (gmt 0)

Just always assume "Internet Explorer Could Allow Remote Code Execution", period.

I use it so rarely I forget to cross test my webpages in it.

(and Chrome is still phoning home, constantly)


 12:08 am on Dec 15, 2008 (gmt 0)

With the huge increase in 'attack' type sites, I can see this being a really serious problem. Will be a tough call for companies who keep IE 'for legacy intranet applications' - potentially lose everything, or have someone fix the intranet.


 1:11 am on Dec 15, 2008 (gmt 0)

A warning, a long read but this is very recent experience.

Not using IE is not the "end of problem" solution many believe it to be. Some viruses introduced and launched by IE can continue to alter your Firefox browser experience even if you have IE turned OFF. Once some viruses are live... they don't need the open door anymore even if you reboot and they WILL attack whichever browser is running from then on. Here is how I know that.

About 3 weeks ago my IE began replacing ads on whatever webpage I was visiting with a different set of ads. The ads were high quality and the execution was flawless, I only noticed something was wrong when I was in my email account and I saw the universally known (despised?) smilies and emoticons ad and thought it weird that this email service would use that ad.

I was in Firefox at the time and I moved my mouse over the ad and sure enough it wasn't the ad server used by that email service. I used every free adware and spam ware and virus protection scan I could to be safe and only ONE of them detected the infection and it could not remove it. Even knowing where it is I can do nothing to prevent it from doing its thing right now.

Like everyone I assumed using Firefox would protect me but the virus does its thing in Firefox if it has been run, it apparently CANNOT launch itself if it's not running and you use Firefox but it can infect Firefox if it is already running.

The windows firewall and virus scanners I have running did not stop this virus from being installed from the net. To block this virus I had to launch in safe mode and manually stop everything but the core files from running. The virus removal scan then worked and I did the following to make sure it can't be remotely launched via IE again...

Go to your internet connections from your IE browser, set the browser to run on a proxy and set the proxy address to use This will effectively completely disable IE from connecting to the net by any program. After doing that I had to repeat the entire process of shutting everything down and scanning several times to only STOP the virus, it's still there but is neutered for now.

Visit a popular email service like Yahoo and hover over an ad to see if its being served by Yahoo or BlueLithium to see if you're infected too. It will only swap out ads on the first pageload or a set period of time on a domain name so check when you first get in.

edit: I want to add that this is extremely inconvenient as a webmaster because I can no longer check to see that my websites are rendering properly in IE.

[edited by: JS_Harris at 1:16 am (utc) on Dec. 15, 2008]


 1:51 am on Dec 15, 2008 (gmt 0)

How about avoid shady sites too, no?

I've used IE predominantly since its inception and have never had a virus or spyware, and I would consider myself beyond a power user.


 3:09 am on Dec 15, 2008 (gmt 0)

That's a popular (partial) misconception carguy84, it helps of course, but hackers and spammers target non-shady sites to set up shop on too.

A harmless little forum image on a forum you've visited a million times before is capable of infecting your computer with the latest round of security issues.

Good advice though, yes.


 9:01 am on Dec 15, 2008 (gmt 0)

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Many years ago. Was at a bar. Guy next to me had a strange face, like the Joker from a deck of cards. Moments later a crackhead with bloodshot eyes and cotton-thick spittle across his lips stormed up and thundered, "YOU'RE GOING DOWN!"

I jumped off my barstool three inches. Expected a knife to flash and the Joker on the ground spraying blood. The entire bar ground to a pause waiting for the next move.

The Joker didn't react. Not a muscle moved. He finished sipping his drink then casually swiveled his head to the crackhead. His face was deadpan. No reaction at all.

The Joker said, "Again?"

Flash forward to today:

Vulnerability in Internet Explorer Could Allow Remote Code Execution

And my casual response is... "Again?"


 12:51 pm on Dec 15, 2008 (gmt 0)

JS Harris
Firefox cannot protect you once your system is infected, it can only help stop your system becoming infected in the first place.

The issue you described would probably have affected every browser on your computer (by operating at more or less the same level as a firewall).



 3:46 pm on Dec 15, 2008 (gmt 0)


Yes, that was my point. Webmasters often turn on IE to check their websites and then turn it off again to browse with another browser type. A false sense of security ensues.

edit: I removed a specific browser name and replaced it with "another browser".

[edited by: JS_Harris at 3:47 pm (utc) on Dec. 15, 2008]


 4:24 pm on Dec 15, 2008 (gmt 0)

>Webmasters often turn on IE

A good solution is virtualisation - keep clean images of XP+IE6 and XP+IE7 backed up read only to replace the ones you use for testing regularly.


 7:30 pm on Dec 15, 2008 (gmt 0)

>Webmasters often turn on IE

What's this "turn on/off" palava?

Firefox is my default browser. If I want to test with Opera and/or Internet Explorer I just start them. Where does "turning on or off" come into anything?

So far as I am aware, no one has ever suggested that an infection that enters through Internet Explorer is somehow locked to that browser. A remote code execution fault normally means that the browser might do anything that is capable within the security context of the process (i.e. the browser). For instance, under XP running as an administrator, it could delete all your files, or trash the registry. This is the main reason Microsoft introduced User Account Control in Vista (but got it horribly wrong).



 9:00 pm on Dec 15, 2008 (gmt 0)

I make no promises as to the benefits, but users of XP might try the following...

1) Locate the file program files\Internet Explorer\IExplore.exe
2) Create a shortcut to it on the Desktop
3) Right-click and select Run as... from the popup menu.
4) Select user Guest in the following dialog. (You may need to enable/create the guest user).

Thus Internet Explorer should run with minimum privileges. So far as I am aware, there is no way to create a shortcut that will perform this action with a single click.



 11:08 pm on Dec 15, 2008 (gmt 0)

>A good solution is virtualisation - keep clean images of XP+IE6 and XP+IE7 backed up read only to replace the ones you use for testing regularly.

This problem didn't affect IE itself. It used IE to corrupt the basic operating system configuration. So having a pristine version of the program that corrupted the OS in the first place, isn't going to help you recover a safe OS configuration.


 12:38 am on Dec 16, 2008 (gmt 0)

>So having a pristine version of the program that corrupted the OS in the first place, isn't going to help you recover a safe OS configuration.

A virtual PC would have a pristine copy of everything ideally. Clean OS, clean browser install, etc. Regardless, if a virtual machine gets infected you just delete it and start another. It won't impact your machine's OS or other programs because everything runs in a virtual sandbox.


 9:52 am on Dec 16, 2008 (gmt 0)

Kaled - It's palaver, not palava, and by turning something on I mean launching it, making it work, activating it, beam me up Scotty... etc.

If you don't like my posts, don't read 'em!

Back to the topic however - there was a patch tonight to fix a vector based image security problem. Did that have anything to do with the problem described in the article?


 12:02 pm on Dec 16, 2008 (gmt 0)

The talk is spreading to mainstream media. BBC writes:

Serious security flaw found in IE [news.bbc.co.uk]

Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.


 12:34 pm on Dec 16, 2008 (gmt 0)

TO : JS_Harris
Thanks for the spelling correction...

In computer-speak, turning something "on" or "off" usually equates to enabling/disabling a feature. The terms "Open" and "Close" are more normally used for "launching" and "unlaunching?" a program. Since novices read these forums, a correction/clarification was required with respect to your post which was, by any standards, misleading/confusing.

I seem to remember a Microsoft executive saying that Vista was so secure it could be run without anti-virus software. I wonder if he still holds that opinion!



 2:26 pm on Dec 16, 2008 (gmt 0)

>That's a popular (partial) misconception carguy84, it helps of course, but hackers and spammers target non-shady sites to set up shop on too.
>A harmless little forum image on a forum you've visited a million times before is capable of infecting your computer with the latest round of security issues.

This is exactly how I got a nasty piece of malware on my home machine about a month ago. It was replacing top Google and Yahoo results with this lousy MFA shopping site.

Thanks to somebody here at WebmasterWorld I was able to clean it off but my machine is still a little funny. Not sure it is perfectly clean even now.

So even just going to your regular websites that you have been to a thousand times will not stop these things.


 3:56 pm on Dec 16, 2008 (gmt 0)

A BBC article says the following:

>As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.


Can someone who is following this development closely please indicate, what form does this compromising take?

Basically, I am asking, what do spammers do to sites in order to infect them?

Are there ways to check if my site has been compromised?

Thank you very much


 4:13 pm on Dec 16, 2008 (gmt 0)

The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough.

I'd like to echo the sentiments of the previous post.. how are sites being compromised, and how can one verify a clean site? It's not enough to trust that my host will simply provide the necessary security - that's akin to trusting M$ to build a safe browser.

I do what I can to provide a safe website, but I don't stay on top of developing trends with a personal site, as I would with a commercial site.


 5:33 pm on Dec 16, 2008 (gmt 0)

If the mechanism of this attack involves a carefully crafted image file, then presumably, enabling hardware data execution prevention should stop it dead. However, since MS does not appear to be pushing this solution, it may not work in this case. Nevertheless, I would still recommend taking this action (but exceptions may be required for older software).



 9:29 pm on Dec 16, 2008 (gmt 0)

MS has published a list of workarounds, however not for new users :) although well explained!

WORKAROUNDS [microsoft.com]

Scroll down to "workarounds".

After reading the few MS pages: aside from setting IE security to high, the rest is impacting on your browsing. For example, after editing the reg some XML embedded in HTML might not properly render, and more of the same, if you decide to go that route. The undo, as I read it, is even tougher on a new MS "tweaker".


 12:20 am on Dec 17, 2008 (gmt 0)

The problem is worse than originally reported and the "switching to high security settings" + "workaround steps" solutions offered by Microsoft have been tested and they don't work.

Of course you should follow them but you still won't be fully protected.

All of the major news outlets are reporting new stories tonight that anyone who has any interest in the internet is advising everyone to switch away from Internet Explorer immediately. Everyone that is, except Microsoft who says they can't tell users to do that "just yet". No solution is yet on the horizon from this MAJOR security issue.

There is also very little in the way of recourse to find the culprit because the code can be embedded into ANY website according to tonight's reports and it very effectively grabs passwords and anything else you type in.

The reports state "gaming passwords" are the major target so far but now that hackers everywhere are wanting a piece of this it won't be long before bank accounts, phone records and everything else is vulnerable.

This virus got onto over 10,000 everyday websites without anyone noticing so CHANGE YOUR PASSWORDS ASAP! That's my best advice except.. if your computer is infected the only solution is NOT to use any of them for now or they'll get copied. What a pain in the arse!


 2:36 am on Dec 17, 2008 (gmt 0)

Having read the information that MS has provided, it looks to me that the fault probably results from invalid markup (or form structure) relating to common controls such as listboxes and textboxes. It looks as though garbage collection fails at some point (possibly when the page closes or the user navigates away from the page).

Given that DEP does not appear to provide protection, I can only assume that data is stored in memory areas marked as executable - OOPS.

Having said that, this sentence is interesting...

>This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

This suggests a deep architectural problem may exist and that this exploit may be just the first of many.

I'm not familiar with the "data-binding" technology that appears to be at the root of the problem, but it is interesting to note that Windows 2000 is not listed as being vulnerable. So my guess would be that other browsers don't use this technology and therefore would not be vulnerable to similar attacks.



 2:51 am on Dec 17, 2008 (gmt 0)

The following message was cut out to new thread by engine. New thread at: microsoft_windows_os/3809503.htm [webmasterworld.com]
2:27 pm on Dec. 17, 2008 (utc 0)
