ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Microsoft confirms 'detailed' Windows 7 exploit

By | November 16, 2009, 10:25am PST

Summary: Exploit code for the vulnerability was released by researcher Laurent Gaffié after failed attempts to get Microsoft’s security response center to acknowledge that this was an issue that needs to be patched.

Microsoft has issued a security advisory to acknowledge a crippling denial-of-service flaw affecting its newest operating systems — Windows 7 and Windows Server 2008 R2.

Exploit code for the vulnerability was released by researcher Laurent Gaffié after failed attempts to get Microsoft’s security response center to acknowledge that this was an issue that needs to be patched (SEE UPDATE BELOW).

Following the publication of Gaffié’s exploit, Microsoft swiftly released Security Advisory 977544 with pre-patch mitigations and a confirmation that the “detailed” code could provide a roadmap for hackers to cause Windows 7 and Windows Server 2008 R2 systems to stop responding until manually restarted.

Here’s an explanation of the cause of the vulnerability:

The kernel in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers to cause a denial of service (infinite loop and system hang) via a (1) SMBv1 or (2) SMBv2 response packet that contains a NetBIOS header with an incorrect length value.

The vulnerability can be exploited via the Web:

In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user’s system to stop responding until manually restarted. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker’s site.

In the absence of a patch, Microsoft recommends that affected users block TCP ports 139 and 445 at the firewall.  Windows users should also block all SMB communications to and from the Internet to help prevent attacks.

UPDATE: Gaffié wrote in to clarify that his decision to release this exploit was related to Microsoft’s stance on a different vulnerability, which is also unpatched.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Denial Of Service, Web, Attacker, Vulnerability, Microsoft Corp., Web Site, Small And Medium Business, Microsoft Windows 7, Microsoft Windows, Smb/Sme, Channel Management, Microsoft Windows Server 2008, Web Site Development, Security, Operating Systems, Software, Marketing, Internet, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

208
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Microsoft confirms 'detailed' Windows 7 exploit
FAULKNE 13th Oct
Good day to confirm this comment I would appreciate T h e b e s t o f Z D N e t d e l i v e r e d your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is there advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage.I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.
View in thread
0 Votes
+ -
Ummm interesting....
Ceridan Updated - 16th Nov 2009
so just block 139 and 445...

445? great that port aggain.


Is SMB blocked to/from internet by th firewall by default?
0 Votes
+ -
Typically not blocked
honeymonster Updated - 16th Nov 2009
Is SMB blocked to/from internet by the
firewall by default?

No, typical SOHO routers typically allow all
traffic initiated from the inside.

In this case - because the "attack" would
require the user to click on the malicious link
on a malicious web page - the request would
actually be initiated by the local machine.

To block this you would need to block traffic
targeting port 445 at the perimeter firewall.
This is typically already done on corporate
firewalls.

Local OS firewalls (on each machine) can also
be set to block such traffic. But that may
disrupt regular file sharing on corporate or
home networks. If using Vista or Windows 7 this
can be mitigated to only block the ports on
"public" networks.

However, this is NOT a serious bug. A malicious
website can freeze your machine if they can
fool you into 1) visiting the site AND 2) click
on the malicious link.

But that is ALL they can do. Once you realize
that a certain site "freezes" your machine you
will probably stop visiting it, eh?

An infinite loop can not be used for malicious
payload. This is NOT an arbitrary code
execution bug. It is not a memory
corruption bug, stack overflow or anything like
that.
0 Votes
+ -
so 445 and 139...
Ceridan 16th Nov 2009
Is always allowed on public networks?

bah... at least it's just some infinit loop....


Just in case though I will go block 445 and 139 for internet access on my father's computer...
0 Votes
+ -
No, they are always blocked
honeymonster Updated - 17th Nov 2009
for incoming traffic on perimeter
firewalls such as SOHO routers and corporate
firewalls. Always.

Actually, I just checked Windows 7 outbound
rules, and it is by default set to not
allow file sharing traffic (SMB1 and-2) on
designated public networks.

Which means that the only "vulnerable"
(remember - this one cannot infect you with
aanything it can merely freeze the machine)
configuration will be

1) a machine on a designated "home" or
"work/domain" network where the perimeter
firewall DOES NOT block 445 and 139 outgoing
(in this case the machine firewall will allow
outgoing SMB requests).

2) a machine in a non-default configuration
where the admin has misconfigured the firewall

3) a machine where the user has answered the
public/home/work network question wrongly.

Bring your machine to a coffee shop and hook it
up to the wifi and it will not be
vulnerable to this DOS attack. EDIT:
Because the Public profile in the
firewall will block the ports both incoming
and outgoing.
0 Votes
+ -
Tought so...[NT]
Ceridan 16th Nov 2009
0 Votes
+ -
you should qualify "will not" in the sentence used
TG2 17th Nov 2009
You really need to qualify the "will not be vulnerable" in the sentence where you use it.

You mean: Bring your machine to a coffee shop, hook it up to the wifi, and set that network connection as a PUBLIC location, and then you won't be vulnerable to this DOS attack.

which would also normally beg to have the "because" .... followed by... the public location setting will disable 139/445 by default where as home and office choices won't. ... etc....
0 Votes
+ -
You are correct. Thanks
honeymonster 17th Nov 2009
0 Votes
+ -
Good follow-up
djchandler 17th Nov 2009
I like the way you followed up on this. Good job.

And you got it right, in every conceivable way.

It's not surprising that Microsoft ignored this until the exploit was published. All it does is crash a session if it ever occurs. It should never happen to anybody who has the least idea what they're doing. I suppose some data lose could occur if it does, but only because of having to perform an improper shutdown.

This so-called exploit is pretty far-fetched. You really do have to go out of your way to make your LAN vulnerable on purpose. Use VPN to access your LAN via internet.
0 Votes
+ -
No, that's simply wrong in every way.
TripleII-21189418044173169409978279405827 16th Nov 2009
Local OS firewalls (on each machine) can also
be set to block such traffic.

Nope, a default firewall on a client machine should block EVERY SINGLE listening port, and you only open if you need them. Of all the windows users out there, probably 80% never share a thing.

Also,
However, this is NOT a serious bug

Until they use this in a different way.

Any firewall by anyone (and I would lambaste ANY default firewall in Linux on a client machine) that doesn't block all incoming ports is wrong.

TripleII
0 Votes
+ -
If you're going to correct someone
LiquidLearner 16th Nov 2009
you should perhaps understand the issue at hand. Again, incoming traffic from "public" networks, ie the internet, is blocked on all ports. Only ones you specifically allow are open and listening. However that is not the bug AT ALL.

You have to navigate to an IP address on a Windows file share that has the exploit enabled. So you'd have to go to \\4.2.2.2 and it would have to be triggered from your own machine. Whatever ports you are listening on makes absolutely no difference, this is not a remote execution attack on your home PC. It also doesn't cause any elevated priviliges or ability to run code on a remote PC. It simply locks up the PC.

While I think it needs to be fixed you should probably understand what is going on before you tell someone they're wrong.
0 Votes
+ -
Just Curious
dev-null 18th Nov 2009
what made you pick 4.2.2.2 ?
0 Votes
+ -
Yep, you are wrong
honeymonster 16th Nov 2009
The default firewall should (and does) block
every single listening port, unless you
are sharing resources, like on a home
network. In that case it should allow only
those ports . And that is exactly what
Windows Vista/7 firewalls do. They are aware of
to what type of network they are connected
(home/public/corporate).

Let me repeat this: An infinite loop cannot
be exploited in any other way than to eat up
CPU . Got that?

Repeat: This bug can not be exploited to pwn
a single machine. None, zilch, nada.
0 Votes
+ -
You were unclear.
TripleII-21189418044173169409978279405827 16th Nov 2009
I wrote the question below. I don't have Windows of any flavor, but what you wrote led me to question...

for incoming traffic on perimeter
firewalls such as SOHO routers and corporate
firewalls. Always.

Implying it wasn't a problem because of that so default incoming open was OK, which it isn't, so we all agree, lol.

All the rest of your post is outbound discussion. Now, I know what an endless loop is, however, nobody has leveraged one exploit to find another, which was my long term concern if the firewall is open on incoming by default.

TripleII
0 Votes
+ -
I apologize
honeymonster Updated - 17th Nov 2009
There are so many MS detractors swarming the
talkbacks on any MS subject and most of them
are willfully ignorant. They just want to
spread FUD and don't care much for the
technical details.

I answered you in a little too brisk way. I
apologize for that.

Let me see if I can explain this.

1) A infinite loop has never and will never
be able to carry malicious payload . The
"worst" it can achieve is to eat up CPU *or* if
it happens inside a critical section it can
hold a crucial lock on a system forever.
Suggesting that new details can emerge which
can make this more serious is simply FUDing.
There is nothing to suggest such thing. Never
has been.

2) All Windows machines except those on
corporate/home networks and which are sharing
files/printers/media for others to use
block these ports incoming . This means
that attacks can not be launched from the
Internet without user intervention against
any machine on a corporate/home network.
Windows Vista/7 on public network also
blocks the ports incoming.

3) If a machine inside a corporate/home
network came under the control by an attacker
(through some other attack as this one can not
be used to pwn a machine), an attacker
could use this vuln to denial-of-service
attack 2008R2 file sharing servers and Windows7
machines sharing files. If the attacker has
control of a machine in your network, this is
probably the least of your concerns.

4) Windows 7 firewall blocks the relevant ports
outgoing on public networks. It also by
default blocks them outgoing on
corporate/home networks until the user wants to
use shared resources elsewhere, at which point
it turns on "network file sharing".

Conclusion:

A. The default settings of Windows7 and the
normal practices on corporate network firewalls
and SOHO routers will block any attack
from the outside . Bar some gross
misconfiguration, an attacker from the Internet
cannot attack any machine without social
engineering.

B. An attack is possible by leveraging social
engineering combined with this bug. To be
successful

1. The PC must be on a home network (or a
corporate network with a weak perimeter
firewall) and "network file sharing and
discovery" has to be turned on.

2. The attacker must then trick the user into
visiting a maliciously constructed web page.

3. On that page the attacker must trick the
user into clicking a malicious constructed
(SMB) link.

4. At that point the users PC will reach out
through the firewalls and contact the
server of the attacker. This server will
respond with an invalid and malicious packet.
When handling the response the attacked machine
will enter an infinite loop.
0 Votes
+ -
Actually..
AzuMao 1st Dec 2009
..it can also be used to exacerbate race
conditions in poorly designed code.
0 Votes
+ -
Yay, looks like MS finally did it right this time, with Windows 7.. oh wait
AzuMao 16th Nov 2009

  • Flagged
0 Votes
+ -
Re: Yay.................
Disgruntled M$ User 17th Nov 2009
Just like "Mac" did!!

http://blogs.zdnet.com/security/?p=4870&tag=nl.e550

"Mac OS X patch covers 58 security vulnerabilities!"

You do realize people in glass houses "shouldn't throw stones!!"

Now, tonight, when you go to bed repeat this little prayer to your Mac god. Mac is good, Mac is great, and we thank you for the "HYPE!" Amen.
  • Flagged
0 Votes
+ -
**** your stupid little Macs.
AzuMao 17th Nov 2009
They're almost as bad as Windows.
  • Flagged
0 Votes
+ -
RE: Microsoft confirms 'detailed' Windows 7 exploit
lovedong 13th Sep
This is a pretty cool post,thanks replica watches
0 Votes
+ -
It's started already.
bjbrock 16th Nov 2009
I don't think MS could release a bigger sieve if they tried to. And to think, a person has to pay for such insecurity. 7 is a POS. From the user interface down to the core. At least Vista had a decent UI. 7 will prove to be the worse offering yet from MS.
0 Votes
+ -
Doubtful.
CobraA1 16th Nov 2009
"I don't think MS could release a bigger sieve
if they tried to."

Everybody is a sieve. It's only really a matter
of how many people want to find holes in it.
Microsoft happens to be a favorite target.

"And to think, a person has to pay for such
insecurity."

The benefits of using Windows 7 outweigh the
risks in many cases.

"7 is a POS."

7 is great.

"From the user interface down to the core."

The interface is the best I've seen. The core
is actually quite good - most exploits you hear
of are generally not in the core. This just
happens to be an exceptional case.

. . . and exceptional cases are generally what
drives the news, hence why it's on ZDNet.

"At least Vista had a decent UI."

Most people like 7's UI better than Vista. I
think it's a great UI.

" 7 will prove to be the worse offering yet
from MS."

It's already growing far faster than Vista did
at the same point, and from what I'm seeing,
most people think it's far better than Vista.
0 Votes
+ -
From what I've seen....
bjbrock 16th Nov 2009
Vista is a better business platform that 7. Less clicks to get things done and more intuitive.

I haven't found anything in 7 that makes me think it's better than Vista.
0 Votes
+ -
One word: BUILT WITH SECURITY IN MIND
Lerianis10 16th Nov 2009
Not that it won't have bugs.... but the security
in Vista and 7 has been ramped up so that most bad
things have a VERY hard time getting on the
system, unless the user is running in admin mode
and he/she is braindead enough to click 'yes' when
Vista or 7 says "Do you wish to let this program
run?" even though she/he isn't installing anything
nor running anything that said FLAT OUT it would
need admin mode to run.
  • Flagged
0 Votes
+ -
Well what do you think most Windoze users are?
Wintel BSOD 16th Nov 2009
They're the Joe & Jane Blow idiots who are braindead enough to click 'yes' when Vista or 7 says "Do you wish to let this program run?" even though she/he isn't installing anything nor running anything that said FLAT OUT it would
need admin mode to run.
  • Flagged
0 Votes
+ -
Sure...
Sleeper Service 17th Nov 2009
...just as the same people will enter their password on a Linux or OS X box.

You can't legislate for human stupidity.
  • Flagged
0 Votes
+ -
"Sure..."
AdventTech67 Updated - 17th Nov 2009
"...just as the same people will enter their password on a Linux or OS X
box.

You can't legislate for human stupidity."

Here's the thing, you have to be smart to use OS X or Linux. Like the
Microsoft crowd says, you have to be a geek to run OS X or Linux. We
aren't that gullible enough to type a password and just let something like
that cause problems to our Machines.

Your logic blows dude.
  • Flagged
0 Votes
+ -
Yeah but that won't work as its not "root"'s password
deaf_e_kate Updated - 18th Nov 2009
and then you have to give it execute permissions unlike windows where it will run because its got ".exe" on the end
0 Votes
+ -
That doesn't bode well for UAC, now does it
Wintel BSOD 17th Nov 2009
Not to mention they've probably never even heard of Linux let alone were able to install it, like many of you clowns can't.
  • Flagged
0 Votes
+ -
erm not quite
JamesDoyle 17th Nov 2009
OS X or linus requires you to be a geek to use?

no it doesn't. not at all.

to fix linux if something goes wrong? most definately. but to use it? easy enough.
0 Votes
+ -
Re: "You can't legislate for human stupidity."
AzuMao Updated - 18th Nov 2009
Actually, it can and
has
been done.
  • Flagged
0 Votes
+ -
& yet the Division of Motor Vehicles issues these same folks
AdventTech67 17th Nov 2009
a drivers license to drive on the roads. Deal with it, it's all about the
money.
  • Flagged
0 Votes
+ -
Oh I've accepted that fact a long time ago
Wintel BSOD 17th Nov 2009
But then, I don't go around making outrageous claims in favor of UAC either.
  • Flagged
0 Votes
+ -
Maybe because so many legit programs need it in Windows?
AzuMao 1st Dec 2009
It's not like in *nix-based OSs where you only
need root to mess with the kernel.
0 Votes
+ -
That;s a phrase, not a word.
wolftalamasca 17th Nov 2009
It is also not nice to call the average user braindead simply for falling victim to dialog overload. PEBKAC, of course, is always prevalent.

The UAC in vista was universally regarded as, at best, annoying and, at worst, so frequent as to cause even seasoned admins to click yes before reading, let alone average users just trying to get on with their work.

Anyone still defending UAC in it's vista form must absolutely enjoy the feeling of the OS asking for their approval.

That said, it was not a bad idea.. just an over-zealously driven one, with, perhaps, the element of showmanship to it... ie. 'see? it's asking you.. it asks a lot.. it's paying attention.. We have lots of security'

The UAC dialogs many times give little to no information as to what is being authorized... which means people are clicking Allow/Deny boxes for things they can only assume they initiated. I have personally run into this on USB devices and many device drivers.

Plus, again, it is compounded by programmers ancient use of keeping user files outside their user directory, making it more common to need to elevate user privs to add/change items to installed applications. This is a multiuser OS, the old school days of keeping your modules, addons, logs, plugins, etc in the /Program Files/App/ location is from Single User days, yet it is still common practice.
0 Votes
+ -
Ramped up?
AzuMao 1st Dec 2009
It got ramped down.
Programs can bypass UAC by default in Windows 7,
with no user interaction.
0 Votes
+ -
Examples??
CobraA1 16th Nov 2009
"Less clicks to get things done and more
intuitive."

I don't find that to be the case. I'm doing
less clicks in Windows 7. Do you have any
examples of anything that takes more clicks?

"I haven't found anything in 7 that makes me
think it's better than Vista."

Here's a nice list of some of the improvements:

http://windows.microsoft.com/en-
US/windows7/products/features
0 Votes
+ -
OH BOY!
AzuMao 1st Dec 2009
WINDOWS SEARCH AND 64BIT SUPPORT! HELL YA! YOU
STUPID WINDOWS XP LOSERS WILL NEVER GET THESE
AMAZING WINDOWS 7 ONLY FEATURES!!!!!
0 Votes
+ -
You're kidding, right?
lehnerus2000 16th Nov 2009
Compare the number of clicks required to "Personalize" the desktop.

In my experience:
XP had the least.
Vista required at least 3x as many as XP.
7 requires about 1.5x as many as XP.

I did have some problems:
I found that setting up a network between a Linux PC and Windows 7 was awful.
The "Public Folders" didn't work as advertised (I had to manually set the permissions before they would work).
The worst thing about 7 is the useless "Help" files and dialog boxes (in fact I would say that if MS fixed this problem, Windows 7 would be totally awesome).

lehnerus2000
0 Votes
+ -
I've heard this somewhere before.
AdventTech67 17th Nov 2009
Oh yeah, now I remember.

Broken Promises


http://www.apple.com/getamac/ads/
  • Flagged
0 Votes
+ -
umm...
Ceridan 16th Nov 2009
sorry but windows 7 UI is not horrendus... why are you thinking that?

Oh and Win7 feels less bulky... I actually might get it for my own PC before SP1... unlike I usualy do.
0 Votes
+ -
It's started already.
Rob.sharp@... 16th Nov 2009
Have you even used Windows 7? It's commical how people that slam MS act like the other solutions don't have problems. MS takes a lot of heat but that's because it's the mainstream product people prefer. Didn't Apple just patch 56 vulnerabilities? Maybe they can work that into their next commercial!
0 Votes
+ -
Yes, but Apple at least patched their vulnerabilities...
jasondlnd Updated - 30th Mar 2010
Microsoft just denies their own until they become a major issue.
0 Votes
+ -
You mean the Trolling? You're right.
John Zern 16th Nov 2009
Which is about the only thing fools like you can get right. happy

0 Votes
+ -
garbage
enjeruookami 16th Nov 2009
I have owned and operated windows vista ultimate, I love windows vista's UI. I find it very easy to use, and configures very nicely. I have played around with and saw videos of 7's UI, and I am excited for it! I believe that it will be an improvement for UI. The sticky windows, and the file managament systems to the search and run features. I believe MS has done a wonderful job. The other aspect to 7, if you don't like it, you can switch to the other many os's that you liked over the years and use it like that. That UI feature alone is amazing. As for the security issue, I am excited that MS is being proactive in fighting this issue.
0 Votes
+ -
RE BJ brock
j-mccurdy@... 17th Nov 2009
OH god you're so smart, how do you know so much stuff?
0 Votes
+ -
RE: Microsoft confirms 'detailed' Windows 7 exploit
mmcgowan1 16th Nov 2009
Ports 139 and 445 are blocked by default for Internet access by Windows firewall in Windows 7 and any commerical hardware firewall. They are enabled only for private networks. The SMB protocol is very inefficient over WANs in any case.
0 Votes
+ -
And I thought the Mac commercial was lame
davidr69 16th Nov 2009
I accused Apple of FUD with their "Trust me, this time it will be different" commercial. Was I wrong?
0 Votes
+ -
Just ask Apple
andtherestofus 16th Nov 2009
Dosne't matter what Microsoft does there will be issues, just ask Apple to acknowledge the holes in their new browser and OS.
0 Votes
+ -
Ummmmm...howbout some real info?
No More Microsoft Software Ever! 16th Nov 2009
Can't do that mean you have nothin'on Apple!
REST IN PEACE MICROSOFT!
0 Votes
+ -
Think again?
chitwndave 16th Nov 2009
No.... I think Apple "Nailed it" I don't think it was FUD. I remember all those iterations and I don't trust "Billy G". While I think Windows 7 is better Than XP (I never installed Vista) I am still using Linux on all but one of my machines (I have to use Windows one one machine because some of the tools of my trade only run under Windows).

From now on it's Linux for me when I get the choice. I don't "Trust" Microsoft.
0 Votes
+ -
RE: Microsoft confirms 'detailed' Windows 7 exploit
FAULKNE 13th Oct
Good day to confirm this comment I would appreciate T h e b e s t o f Z D N e t d e l i v e r e d your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is there advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage.I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix