Barney's Blog


IE Flaw Found and Exploited

A new IE zero-day flaw has been found, publicized and is now being exploited. This is not the kind of story I like to report.

In walking through this news, I'm hoping you'll help me understand the logic and report back to me and the tens of thousands of Redmond Report readers by writing to dbarney@redmondmag.com.

On Monday Rapid7, a security firm, wasted no time in telling the world that IE 9 and a number of earlier versions had a flaw that affects XP, Vista and Win 7. The attacks trick a user into visiting a malicious Web site, giving the attacker elevated privileges on the machine.

Of course now hackers are exploiting the flaw which Microsoft, given the short notice, hasn't had time to fix.

Why on earth do security firms publicize flaws before they are fixed? To me this is totally irresponsible.

Tell me where I'm wrong or more likely right at dbarney@redmondmag.com. In the meantime, if I get hacked this way, I'll blame Rapid7.

Posted by Doug Barney on 09/19/2012 at 1:19 PM



Reader Comments:

Fri, Sep 21, 2012 Dennis

As always and with most if not all corporate endeavors it's all about the dollars and the not so hidden agenda for raking in those dollars - at no matter whose expense. To expect something other than this is the new true definition of insanity. For them, the ends justify the means.

Thu, Sep 20, 2012 Paul from Long Island

Since no browser can be made completely secure, they should all run as a VM with no access to the underlying OS except that needed to operate. Since Microsoft gives away a VM/OS suite for no extra charge, why isn't their browser set up to run in the VM out of the box?

Wed, Sep 19, 2012 Rich

The Poison Ivy trojan has been using this exploit for a while. This vulnerability has been known and used by hackers before it was found by Rapid7. There is a patch going to be released for the vulnerability this Friday. As for switching to other browsers: they all have vulnerabilities. With IE at least I can deploy patches en masse and know what is in the environment. With the others I can't manage them en masse at the corp level.

Wed, Sep 19, 2012

At least now you know there is a vulnerability. No charge.

Wed, Sep 19, 2012

In charge of Security Patch Management, I see a lot of other vendors, browsers, etc. that I'm getting security patches from on a regular basis. I guess their code has as many vulnerabilities as MS. The more of the market they get, the more security patches I see coming from them. As far as a security company releasing the vulnerability before a fix is available: this costs companies millions of dollars scrambling to protect their assets. Totally irresponsible on their part. Can I send them my IT bill for their early release of information?

Wed, Sep 19, 2012

Yes, it would seem that publishing news of a threat will get the internal kettle boiling at Microsoft, but as a person who supports their products in the field I think that this is simply payback for years and years of poorly written code and insecure applications that allow problem after problem to affect their clients. If they (Microsoft) weren't so intent upon pushing out partially baked products for economic gain, they wouldn't be behind the 8-ball now. Rapid7 is doing their job.

Wed, Sep 19, 2012

On the surface Rapid7's response seems irresponsible. But hmm, how many years and how many acknowledged professionals have been writing software for Microsoft? Isn't it irresponsible to rush a defective product out the door because the profit motive is more important? Isn't Win7 'superior' to Vista, Vista to XP and XP to W2K? Yet they haven't delivered an OS yet that doesn't require MANY patches. Who was irresponsible first!

Wed, Sep 19, 2012

I think it is obviously in a security firm's best interest to publicize security holes before they are patched. Most of them offer some kind of solution for a fee, don't they? In fact, it has been speculated upon and I think, in at least a few cases, proven that some of these nice folks are actually the ones who find and exploit security flaws.

Wed, Sep 19, 2012 EVVJSK

Are you sure Microsoft didn't know about it beforehand? Also EMET is listed as a workaround or protection by Microsoft, although some researchers are not sure if EMET would fully protect against this. It would be great if someone at Microsoft would review the recent zero-day vulnerabilities in IE, Java, Flash, etc. and help IT know if EMET would actually help to prevent these vulnerabilities from being exploited. EMET seems like a decent tool, but only if it is effective.

Wed, Sep 19, 2012 Paul

No excuses for Rapid7 behaving in an irresponsible and negligent manner. The process and channels for reporting findings like this have been in place for a long time.

Wed, Sep 19, 2012

This was being exploited before Rapid7 released its findings online. The reason to publicly disclose something that is being actively exploited is to alert the public to take action while waiting for a security update (in this instance, the temporary solution would be to just use another browser).
