Zero-day exploit for IE6 flaw released!

Zero-day exploit for IE6 flaw released!

Summary: This IE6 flaw looks serious enough that Microsoft should consider an out-of-cycle patch before the next monthly patch. Microsoft was forced to release an emergency patch for the WMF vulnerability in January.

SHARE:
TOPICS: Security
109

A new critical flaw in Microsoft Internet Explorer 6.0 has been fully disclosed to the Internet along with proof-of-concept code.  Secunia released a detailed advisory here.  This latest flaw allows the execution of arbitrary code which means a Windows XP computer running Internet Explorer 6 can be completely compromised by visiting a malicious website.  IE6 users are advised to use the following workarounds until an official patch is released.

This is a temporary solution and may cause certain sites to not work. In order to make them work, you'll need to add those legitimate sites that needs to have Active Scripting working to the trusted zone in IE.  This is not a simple or desirable solution but it is the only solution that Microsoft gives you as a temporary workaround.  This IE6 vulnerability is serious enough that Microsoft should immediately create an out-of-cycle patch before the next monthly patch and spend less time lecturing about Apple's missteps.  Microsoft was forced to release an emergency patch for the WMF vulnerability in January.  Waiting for next months cycle for a zero-day critical flaw is unacceptable.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

109 comments
Log in or register to join the discussion
  • This story, once again, shows one thing...

    No more monthly patches!

    Release them as they're ready to go!
    Anti_Zealot
    • For critical things like this, yes

      If there is a proof-of-concept out in the wild, release the patch ASAP. Other than that, keeping an orderly patch schedule is a good thing.
      george_ou
      • Baloney, George.

        An "orderly schedule" on ANYTHING helps the bad guys. Whether it be assassins or coding black hats, the mere of existence of a schedule helps them in their search for vulnerabilities: a pattern ALWAYS helps you figure things out.

        Keep the public face of your internal structure as random as possible; it is tougher to figure out a tangle of ethernet cables than it is a nice, neat bundle of 'em poked into your cable management.
        Judas I.
        • Depends on What's Critical

          Obviously an exploit that allows you to see information or log keystrokes of a particular machine is more deadly than one that causes a crash to a system.

          The bad guys still need to be able to exploit the problem in time. Problem is, we can still play the game of patch as fast as you can, but you are only creating better bad guys.

          Evolution is a beautiful thing.
          nucrash
          • Exactly my point, nucrash.

            If you TELL the bad guys, publicly, what your schedule is, heck, you might as well include them as an activity and a resource in your CPM schedule!

            "The bad guys still need to be able to exploit the problem [i]in time[/i]." (Emphasis is mine.) You're helping them develop the exploits [i]in time[/i] if you give 'em too much information by doing a once-a-month update; that can help them turn what would be a non-critical update into a critical one!
            Judas I.
      • George, can you explain further?

        ---Other than that, keeping an orderly patch schedule is a good thing.---

        This is something I've always found confusing. Why is it better to have to wait on a patch at all, whether it's critical or trivial? If a company wants to patch their own machines on a regular, monthly schedule, why can't they just do that? Why must the software provider hold back on patches?
        tic swayback
        • It's obvious to IT folks

          IT departments barely can keep up with the monthly cycle. There is a lot of testing evolved before IT departments will implement any patch. If you drop the orderly cycle and you have patches every week or just random, it will result in chaos. What?s needed is a flexible approach that if a critical exploit is responsibly disclosed without enough details or PoC, then the best thing to do is leave the cycle intact. But if a PoC is already available then we need to break out of the cycle because it?s an emergency situation. This IE6 flaw is an emergency.
          george_ou
          • I still don't see it

            I understand the concept, but still don't understand why it's preferable to have the software company force everyone to be on the same schedule. Obviously there's some demand for this, but I don't get it. If my company only wants to update monthly, can't we set up our own internal schedule to do that, and if company X wants to update weekly, shouldn't they have that option?
            tic swayback
          • Because once the patch is out, it's full disclosure

            The minute the patch is released, it's easy to reverse engineer and see how to exploit the original flaw. So if you release the patch without a schedule, you force everyone to patch immediately which is not practical for 90% of the businesses out there.

            But if the PoC is already out, this concern is out the windo and a patch should immediately be issued.
            george_ou
          • Thanks George

            Ah, thanks, got it now. I was looking for the reasoning behind the scheduling and that's a good one.
            tic swayback
          • C'mon, George, think about this:

            If you announce what your schedule is for patches, it is just like the ambassador who is the target of an assassin taking the same route to work, at the same time of time, every day. The assassin can pick how and when he wants to attack; the target is playing by HIS (the assassin's) rules.

            Gone are the days when the black hat was a pimply faced teenager who was a one-trick-pony just out for grins. Today's cracker is a professional who has a SELECTION of exploits of a particular target. If you let him know you're only going to patch once a month, then the day after you release the patch for Vulnerability A, and there is NO patch in that release for Vulnerability B, then he knows he has a whole month to use and refine his exploits for B.

            I'm not saying you shouldn't have a schedule, but you shouldn't make that schedule public. Otherwise, it is just like the coach of one football team telling the opposing coach "On every series of four downs, 1st down will be a running play, 2nd down will be a short pass, 3rd down will be a long bomb and, of course, 4th down will ALWAYS be a punt!"
            Judas I.
          • You can't call it a schedule then

            If you don't announce the schedule, what does it matter? If it's on a schedule that's consistent, it would take 2 months to figure out the cycle.
            george_ou
          • You're right, it's NOT a schedule for the PUBLIC ...

            ... it's a schedule for your patch coders.

            With something like these security patches you can't make a PUBLIC schedule for release. It would be like advertising your battle plan for Iraq in an Al Jazeera blog!
            Judas I.
  • Wow, that sucks (again) for those who use IE6 (nt)

    ..
    Letophoro
  • Other options - interesting

    I was just thinking about the Linux momentum and also the problems with all the New Windows, where you always lose something, and quite often a lot (eg hardware items).
    Then I thought about the young folks starting out with computers. They aren't as shackled to being compatible with Windows. Is it possible for them to take off on Linux, instead of taking in the new Vista? Basically, all they need is something that is completely compatible with MS Word and MS Excel. OpenOffice isn't quite there yet, but it's close.
    Surfing, the main task - Firefox is as good as IE, so no problems there.
    zdnet reader
    • Linux is not age discrimanatory

      Linux is ready for prime-time.
      Not sure re your OpenOffice isn't quite there, but, not to digress from the topic, for sure Firefox is up to the task as a permanent replacement for IE6.

      The only impediment to moving to Firefox might be for websites that place emphasis on Active Scripting/ActiveX technology functionality--some features may not work in Firefox, but for my personal purposes that has never been an issue.

      I can see it being one though for the business setting.
      D T Schmitz
      • Linux prime time?

        I think it's only in a businesses interest (just read the article(s)) to get right over to Firefox. Very foolish/irresponsible if they don't.

        It's mainly the Office progs that seem like the main hurdles - mainly Word, Excel, maybe Outlook.

        Surely people aren't tied to MS Powerpoint.

        No, OpenOffice Writer has some better features than Word, but it isn't fully compatible with Word docs.
        Can students realistically get by with Linux, skip the Vista, continue into life with Linux and be free from the M$ toll?
        Linux is real close.

        If people are tied to MS Project, they aren't doing any real work.
        zdnet reader
        • Get by with a little help from my friends

          [i]Close[/i] only counts in horseshoes.
          Linux is here, now!

          Ask not what your country can do for you...nevermind. ;)

          Just curious. What's your experience level with Linux?

          If you haven't, then reserve judgement and give it a whirl! If you hadn't noticed from my other threads, I use SuSE.

          Thanks again zdnet reader for your very thoughtful replies!
          D T Schmitz
          • Oh puleeeze...

            [b]Close only counts in horseshoes.
            Linux is here, now![/b]

            ...And handgrenades and nuclear weapons.

            [b]Ask not what your country can do for you...nevermind.

            Just curious. What's your experience level with Linux?

            If you haven't, then reserve judgement and give it a whirl! If you hadn't noticed from my other threads, I use SuSE.

            Thanks again zdnet reader for your very thoughtful replies![/b]

            Is it just me, or does this entire thread seem a bit FISHY? Fishy as if "Dietrich" and "ZDNet Reader" were either one and the same person posting what amounts to being a "Why Linux is bitchin'" FAQ or is two posters in collusion to the same effect.

            They're almost as bad as Linux_Geek... Sheesh.
            Wolfie2K3
          • You are taking the trouble to follow my threads?

            I am flattered.
            Feel free to express yourself!
            Or, TalkBack, to use the 'jargon'.
            Everyone else does.
            That was good.

            Thanks Wolfie2K3 for your reply!
            D T Schmitz