posted by Thom Holwerda on Mon 18th Jan 2010 22:00 UTC
Ah, the security vulnerability that was used in the Google attack. It's been around the internet about a million times now, and even governments have started advising people to move away from Internet Explorer. As is usually the case, however, the internet has really blown the vulnerability out of proportion. I'll get right to it: if your machine and/or network has been compromised via this vulnerability, then you most likely had it coming. No sympathy for you.

That sounds really harsh, so let me back it up with some explanations. The vulnerability in question is Microsoft Security Advisory 979352, and "[it] is an Internet Explorer memory corruption issue triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element. If an attacker is able to prepare memory with attack code, the reference to a random location of freed memory could result in execution of the attacker's code."
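The copy, release, then reference sequence from the advisory, as an added C sketch that is not code from this article or from Microsoft. The `Element`/`Handle` pool, every function name and the tags are hypothetical; it shows why an uncounted copy ends up looking at whatever reused the freed slot, and how a reference count or a generation check stops that.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model: a fixed pool stands in for the heap so slot reuse is deterministic. */
#define POOL 2
typedef struct { int refs; uint32_t gen; char tag[8]; } Element;
typedef struct { int slot; uint32_t gen; } Handle;
static Element pool[POOL];

static Handle elem_create(const char *tag) {
    for (int i = 0; i < POOL; i++) {
        if (pool[i].refs != 0) continue;         /* skip slots still in use */
        pool[i].refs = 1;
        snprintf(pool[i].tag, sizeof pool[i].tag, "%s", tag);
        return (Handle){ i, pool[i].gen };
    }
    return (Handle){ -1, 0 };
}

/* Checked dereference: NULL once the slot behind the handle was released. */
static Element *elem_get(Handle h) {
    Element *e = (h.slot >= 0 && h.slot < POOL) ? &pool[h.slot] : NULL;
    return (e && e->refs > 0 && e->gen == h.gen) ? e : NULL;
}
static void elem_addref(Handle h) { Element *e = elem_get(h); if (e) e->refs++; }
static void elem_release(Handle h) {
    Element *e = elem_get(h);
    if (e && --e->refs == 0) e->gen++;           /* invalidates old handles */
}

/* Copy a reference, release the original, let the slot be reused, then use
 * the copy. Returns the tag the copy resolves to, or "" if it was rejected. */
static const char *copy_release_reference(int counted, int checked) {
    memset(pool, 0, sizeof pool);
    Handle h = elem_create("img"), copy = h;
    Element *raw = elem_get(h);                  /* uncounted raw pointer */
    if (counted) elem_addref(copy);
    elem_release(h);
    elem_create("other");                        /* takes the freed slot, if any */
    Element *e = checked ? elem_get(copy) : raw;
    return e ? e->tag : "";
}

int main(void) {
    printf("raw copy sees:     '%s'\n", copy_release_reference(0, 0));
    printf("checked copy sees: '%s'\n", copy_release_reference(0, 1));
    printf("counted copy sees: '%s'\n", copy_release_reference(1, 1));
    return 0;
}
```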

While this all sounds mighty serious, reality is different. If you look at all the brouhaha on the net, you'd think that everyone running Internet Explorer and Windows is vulnerable to this attack, and that it disembowels tiny kittens. Luckily, though, that's not the case - this attack is remarkably low-impact, and if you are affected, then it is probably your own fault.

That's because this vulnerability only affects users of Internet Explorer 6 on Windows XP. If you're still running that configuration by choice, then it's your own fault if you get bitten. It's like complaining Ford's cars aren't safe because you crashed and died while driving one while wearing a blindfold. If your corporate network still uses IE6, the same thing applies. Of course, there are still a number of tools that are designed for IE6, but that's something the developers of those tools should be ashamed of.

Windows XP with Internet Explorer 7/8, Windows Vista, and Windows 7 are all secure, despite the fact that the exploitable code exists in those versions of Internet Explorer too - which sounds weird, until you realise that these newer pieces of software benefit from Microsoft's 2002 Trustworthy Computing initiative, which implemented a company-wide focus on security in the development process.

As you can see, both IE Protected Mode and Data Execution Prevention play a major role in mitigating this flaw, perfectly illustrating why features like this should be part of an operating system: layered security. Due to the proper design of Windows Vista and 7 (there, I said it) a potentially dangerous flaw has been rendered completely useless. Despite not currently being at risk, users of Windows XP SP2/SP3, as well as Vista users running IE7, should enable DEP anyway.

By the way, I left Windows 2000 off the chart since it's no longer sold. In case you're curious: yes, IE6 on Windows 2000 is exploitable. Sadly, there's no fix because you can't upgrade to newer versions of IE. Moving solidly into Irrelevantland now: IE5 is not affected.

Microsoft advises users to upgrade to newer versions of IE and/or Windows. "We recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP," Microsoft writes, "Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows." Or, switch to a non-IE browser, or even a non-Windows operating system, of course.

In any case, the outstanding security track record of Windows Vista and Windows 7 remains largely untarnished. I never thought I'd say this, but hats off to the Windows team for (finally) delivering solid, secure products.

Now, if you don't mind, I'm going to see if the pigs at the farms here in my home town are where they're supposed to be.
