The Basement Non-Honda/Acura discussion. Content should be tasteful and "primetime" safe.

ff vs ie again

Old Mar 26, 2006 | 07:09 PM
  #1  
Grifter
Thread Starter
Senior Member
 
Joined: Dec 2000
Posts: 44,835
Likes: 0
From: the southwest
Default ff vs ie again

Exploits in the wild for IE6 flaw growing! Hardware-enforced DEP promising!
Posted by George Ou @ 1:41 am

Ok it's late Friday night but it's been a rough day for us security folks especially Microsoft. As I warned in my last blog "zero-day exploit for IE6 flaw released", this is VERY serious and it has all the markings of another WMF nightmare for Internet Explorer 6. There are probably more than 100 sites using the latest IE6 flaw on the loose and it's growing!

According to a Microsoft spokesman I talked to, an out-of-band patch is on the table but nothing has been confirmed yet and they're watching the situation closely to see if an outbreak occurs. Well I think the time for monitoring is over and it's obvious that a public outbreak is on the loose. It's time for Microsoft to hurry up and finish testing their patch and release the fix as soon as possible, yesterday if possible!

Right now there are some reasonably feasible solutions for Windows PC users:

* Disable active scripting, for Enterprise and for the home.
* Enable hardware-enforced DEP if you have the right hardware. See my DEP guide.
* Use an alternate browser like Opera or Firefox.
* Do not run Windows as an Administrator.

Each one of these solutions is less than desirable in one aspect or another. Here is an explanation of the options.

* Disabling active scripting is the official workaround from Microsoft. It does work 100% of the time, but it also breaks a lot of websites and you'll have to individually add legitimate sites that need active scripting to your trusted IE zone.
* Enabling hardware-enforced DEP and enabling it for all services and programs seemed to work like a charm. When I tested a malicious site, hardware-enforced DEP protected me 7 out of 7 times! Without the hardware-enforced DEP, the malicious website successfully launched a massive number of exploits 2 out of 2 times. Hardware-enforced DEP works preemptively without any patches to the OS or anti-virus software which is extremely desirable. The problem is that only the newest computers have it. The problem with hardware-enforced DEP is that not everyone has the right CPU. There are still some new computers being sold today that don't have hardware-enforced DEP capability. Most old computers don't have the capability. Again you should see my DEP guide and see if you can use it to protect yourself because it's great if you have it. The WMF exploits were also stopped dead in their tracks by hardware-enforced DEP.
* Using a browser like Opera or Firefox at least for the time being if the last two options aren't feasible to you is probably a good idea at least until the storm blows over and a patch is available. Opera seems to be the least flawed of the bunch and Firefox has actually had more flaws per month than Internet Explorer, but Internet Explorer is still a favorite target because of how ubiquitous IE is. The only issue with Firefox and Opera is that it won't run on some websites and Intranet applications.
* Not running as Administrator is always a good idea on any computer or operating system you use. The problem with this on the Windows XP platform is that not all software is compatible with non-administrative access and Windows XP defaults to Administrator mode.


http://blogs.zdnet.com/Ou/?p=178
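
A read-only check of three of the mitigations listed in the quoted post (hardware-enforced DEP, administrator rights, active scripting in the Internet zone), as an added example that is not part of the original post or the linked blog. It assumes Windows PowerShell 3.0 or later and reads only the per-user zone setting, so a machine-wide policy may override what it reports.

```powershell
# Added example: audits the current machine and user; it changes nothing.

function Get-DepPolicyName {
    param([int]$Policy)
    # Values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    switch ($Policy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn (essential Windows programs and services only)' }
        3 { 'OptOut (all programs and services, minus listed exceptions)' }
        default { "Unknown ($Policy)" }
    }
}

function Get-ScriptingActionName {
    param($Action)
    # URL action 1400 is "Active scripting" in an IE security zone
    if ($null -eq $Action) { return 'Not set for this user' }
    switch ([int]$Action) {
        0 { 'Enabled' }
        1 { 'Prompt' }
        3 { 'Disabled' }
        default { "Unknown ($Action)" }
    }
}

# DEP: hardware support and the system-wide policy
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Administrator rights of the current process token
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Zone 3 is the Internet zone; this is the per-user (HKCU) setting only
$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zone      = Get-ItemProperty -Path $zoneKey -Name '1400' -ErrorAction SilentlyContinue
$scripting = if ($zone) { $zone.'1400' } else { $null }

[pscustomobject]@{
    DepAvailableInHardware      = $os.DataExecutionPrevention_Available
    DepPolicy                   = Get-DepPolicyName $os.DataExecutionPrevention_SupportPolicy
    DepCoversAllPrograms        = $os.DataExecutionPrevention_SupportPolicy -in 1, 3
    RunningAsAdministrator      = $isAdmin
    InternetZoneActiveScripting = Get-ScriptingActionName $scripting
}
```

`DepCoversAllPrograms` is true only for the AlwaysOn and OptOut policies, which correspond to enabling DEP "for all services and programs" as the post describes.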
Old Mar 26, 2006 | 07:13 PM
  #2  
AcuraFanatic
Senior Member
 
Joined: Mar 2000
Posts: 37,274
Likes: 0
From: Southern NH
Default

I swear by Firefox now. Granted it fucks up a few sites here and there, but I can count them on one hand.

If nothing else, it loads a hell of a lot faster.
Old Mar 26, 2006 | 11:30 PM
  #3  
REbornHONDAneer
Honda Biased
 
Joined: Mar 2002
Posts: 1,076
Likes: 0
From: Kennesaw, GA
Default

yeh...FF all the way. I'm seeing less and less site screw ups as they release newer versions.

I suggest to all to keep your FF updated. They actually improve with releases as opposed to Microsoft.
Old Mar 27, 2006 | 03:09 AM
  #4  
LABARINTH
Better Than Canada!
 
Joined: Dec 2002
Posts: 10,821
Likes: 0
From: Baltimore, MD
Default

why does everyone always talk about ff and ie? Am I the only one that uses opera?
Old Mar 27, 2006 | 11:58 AM
  #5  
mayonaise
Senior Member
 
Joined: Aug 2002
Posts: 3,181
Likes: 0
From: CA
Default

Originally Posted by AF
I swear by Firefox now. Granted it fucks up a few sites here and there, but I can count them on one hand.
fyi; nine times out of ten (or more), it's the site that is coded incorrectly, not firefox displaying it wrong.
Old Mar 27, 2006 | 11:59 AM
  #6  
mayonaise
Senior Member
 
Joined: Aug 2002
Posts: 3,181
Likes: 0
From: CA
Default

Originally Posted by LABARINTH
why does everyone always talk about ff and ie? Am I the only one that uses opera?
opera's good, too. i like the built-in mouse gestures, and it's pretty smooth. but for whatever reason, it's not seen as a serious threat to IE's market share, whereas firefox is.
Old Mar 27, 2006 | 12:19 PM
  #7  
REbornHONDAneer
Honda Biased
 
Joined: Mar 2002
Posts: 1,076
Likes: 0
From: Kennesaw, GA
Default

Originally Posted by mayonaise
fyi; nine times out of ten (or more), it's the site that is coded incorrectly, not firefox displaying it wrong.
true...they use "workarounds" that ie doesn't care about...they don't encode the way the standards say they should.
Old Mar 27, 2006 | 12:25 PM
  #8  
k3ifers
k three ifers
 
Joined: Jun 2002
Posts: 42,568
Likes: 4
From: Buffalo, NY
Default

eh, i use ie. firefox always took longer to load the program itself for some reason. i got my new laptop and tried it the day i got it.. same thing
Old Mar 27, 2006 | 12:32 PM
  #9  
clickwir
Floppy Death! noES!!!
 
Joined: Oct 2002
Posts: 21,218
Likes: 0
From: Scranton, PA
Default

Originally Posted by k3ifers
eh, i use ie. firefox always took longer to load the program itself for some reason. i got my new laptop and tried it the day i got it.. same thing
Well, yes and no. Firefox really doesn't take that long to load. IE loads abnormally fast as compared to other applications because microsoft made it part of windows. So it takes windows an extra second or two to start up when you first bootup, but then IE doesn't take as long to load once you are in windows.

It's a perception thing really. Yes it takes longer from double clicking on the FF icon to when you can start surfing than IE, but really it's because IE is already preloaded by windows. It's really that IE has an unfair advantage and FF has to start from scratch just like any other app.
Old Mar 27, 2006 | 02:41 PM
  #10  
aux
More Black on Black Crime
 
Joined: Dec 2000
Posts: 37,776
Likes: 0
From: San Diego, CA
Default

Originally Posted by k3ifers
eh, i use ie. firefox always took longer to load the program itself for some reason. i got my new laptop and tried it the day i got it.. same thing
werd. ff sux.



All times are GMT -8. The time now is 04:08 PM.