Microsoft admits Internet Explorer flaw 'targeted' by hackers

Summary: CORRECTED: A Windows security vulnerability was exploited by hackers, the software giant noted in its monthly release of software updates.

Microsoft admitted this week that hackers had launched "targeted attacks" against its customers.

The disclosure was relegated to a footnote in its monthly memo about security flaws, dubbed Patch Tuesday.

VeriSign iDefense Labs' researcher Jose Antonio Vazquez Gonzalez reported the Internet Explorer Memory Corruption Vulnerability (CVE-2013-3163).

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," the security bulletin noted.

Editor's Note: The original version of this story, a longer opinion piece, included an error that conflated the fixes for two different flaws. Though the error did not impact the piece's central argument, it was included prominently in the headline and lead paragraph and served to frame the entire post. After consideration, we thought it prudent to reduce this post to just the facts. We apologize for any confusion we may have caused.

  • Irresponsible behaviour

    One of the many reasons Enterprise do not use any Google software
    • "One of the many reasons Enterprise do not use any Google software"

      Huh, funny thing. I'd say this is one of the many reasons Enterprises do not use Internet Explorer.
      • Well, you may be correct for some

        but not for all enterprises out there. Most of the enterprises still use IE, to your shock.
        Ram U
        • not because it's good

          because they have to, after years of writing for the non standard IE.
      • Try IE11, it destroys all other spyware browsers, security and performance.

        Google spyware browser is losing market share every month
        • You wish, troll

        • Nooooooope.

          Hahaha, I had no idea you could buy Microsoft-flavoured crystal meth.
      • That doesn't sound sensible

        You're making that judgement based on Internet Explorer 6? Ask yourself why no companies use Android phones!
        • According to who?

          My employer has many employees using Android phones, certainly more than Microsoft phones which would be zero where I work.
    • Google Software

      And this flaw in MS software has what to do with Google software?
      This is about a researcher that works for Google that found an existing flaw in MS software.
      He should have told MS first, I guess, but if MS is aware of a flaw of this severity, and does nothing about it, what does that say about MS concern about the security of its software?
      I would say not running MS software on Enterprise systems... would be safer.
      • Did he or didn't he report it to MS first?

        This article seems to be deliberately confusing. What I'm getting from it isn't that MS wasn't informed, but that it wasn't informed using THEIR process. In reading this it appears to me that Ormandy tried to report it to MS, found their process very user-unfriendly (had that issue with MS myself and I'm sure some of you have too) and a convoluted waste of his time. So he instead made a limited public disclosure that effectively informed MS, and when they ignored that, went entirely public.

        For my two cents:
        First MS needs to get their collective heads out of their collective behinds and revise how they treat individuals.
        Second, MS needs to get their fixes out faster and/or acknowledge these things and let the person that reported it know they are working on it (part of First actually).
        Third, Ormandy was a hasty jerk about releasing the full exploit, but seems to be following his company's new policy.
      • Google Software Affected

        Much of their main business is internet based, therefore anything affecting how people access their business, browsers for example, affects their business directly.
    • Good Replied

    • Irresponsible behaviour is "Microsoft hadn't patched the flaw."

      Why would they care about fixing a gaping security hole in WindoZe 8 when they know
      no one uses it anyway? So instead of taking responsibility for their blatant failure they
      blame a competitor. What a cry baby mentality. Typical of Chair throwing red faced, fat ass Balmer.

      MicroKlunk is a pitiful inferior excuse for a software company.
      They write junk Klunk Skunk Crap code and screw over every customer who is forced
      to use it due to their Mafia tactics on OEM's. Trillions of dollars have been wasted on
      fixing MicroKlunk's 1980's MS DOS WindoZe viruses and malware.

      The good news is right now Mafiasoft is downsizing aka "Reorganizing" HA HA. Tantamount to a lead balloon falling from the sky due to the reality that they have ZERO mobile market share, WindoZe license sales are down 27%, very few Xp users are upgrading, Office sales are down and NO ONE wants to buy Sesame Street WindoZe 8. Nor will they buy the patch called 8.1

      The Devil in Redmond is in trouble. It's payback time.
      • Wow

        That post is quite impressive... please tell me... you're like what? 10 years old? 11 years old?

        Did you ever learn to spell?
      • Oh, yeah, and...

        Fat ass balmer
        Klunk skunk crap
        Sesame Street
        Devil in Redmond might need to step away from that pipe.
      • Did you read the links?

        It affects all supported versions of Windows and all supported versions of Windows Server. It isn't just about Windows 8.
  • 2nd time douchebag Ormandy does this

    The new Google policy (not public at the time of Mr Ormandy's irresponsible actions) states that 60 days should be in order *unless* the vulnerability is under active attack.

    Well, it was NOT under active attack, that is UNTIL Mr Ormandy provided every bad guy out there with working exploit code!

    It is such a blatant breach of official Google policy (and every other agreed-upon policy in the industry) that Mr. Ormandy tries to hide behind disclosing "as a private person".

    He did this before, where he gave Microsoft 4 days (!) before he provided attackers with PoC exploit code.

    I think it is evident WHO is "difficult to work with" here. Someone's ego is too big.
    • How do you know it wasn't already under attack?

      It could have been in use for months (if not years), just undetected by MS.

      It is obviously a VERY OLD bug since it shows up in IEv6 and ALL the following versions.
      • Question really is

        Did Mr. Ormandy know the vulnerability was used in attacks? I think that, given his record, he would have provided us with that info.

        No, Mr. Ormandy - like the last time - chose to disclose readily available attack code. And lo and behold, someone *did* really use it to attack innocent victims.

        It is the equivalent of driving up to a Taliban training camp and unloading a box of shoulder-borne anti-aircraft missiles. And then, when a 747 is shot down, pointing fingers at Boeing and the intelligence community for not providing adequate security.

        Mr. Ormandy is a douchebag. He acts irresponsibly again and again, his actions harming innocent victims, all because he has a BIG ego and a grudge against a competitor of his employer. Google cannot unload that jerk soon enough.