After Google hack, Microsoft asks users to abandon IE6, XP

[videobread]

http://arstechnica.com/microsoft/news/2010/01/microsoft-wants-you-to-ditch-windows-xp-...r-security.ars

After Google hack, Microsoft asks users to abandon IE6, XP

Microsoft is using a widely publicized flaw in Internet Explorer as a way to push users to upgrade both their browsers and operating systems.

On its Security Research & Defense blog, Microsoft explains that while IE7 and IE8 on Windows Vista and Windows 7 both include the flawed code that was exploited in the recent Chinese attacks on Google, the publicly published exploit code only works against IE6 on Windows 2000 and Windows XP. So the company is urging users to think about upgrading their version of IE, or even their OS (which also results in a newer version of IE).

"As you can see, the client configuration currently at risk is Windows XP running IE6," the blog post reads. "We recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows."

Microsoft's relationship with IE6 and XP is complicated. On the one hand, the company refuses to drop support for IE6 and won't force users to upgrade away from it, and it still makes sure to offer businesses add-ons like Windows XP Mode as well as MED-V. On the other hand, the software giant runs mini campaigns and pushes for users to upgrade away from the ancient applications, usually citing security.

Still, this is the first time we've seen Microsoft actually recommend users upgrade because of a specific flaw, and not just away from IE6 but away from Windows XP completely. Microsoft doesn't say that newer versions of Internet Explorer and later Windows releases are invulnerable to the flaw, but it does explain that they have "reduced risk to the exploit" due to platform mitigations such as IE Protected Mode and Data Execution Prevention.

The company first explained these mitigations last week when it admitted that its own investigations into the highly organized hacking attack in late December had concluded that a Remote Code Execution vulnerability in IE was used by the perpetrators. That vulnerability is triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element; attack code may be executed if it is successfully placed in a random location of freed memory. Microsoft has yet to issue a patch.

[deadrats]

i suppose it would be too simple for microsoft to advise their customers to use a different browser altogether.

you have to love the microsoft marketing department, any excuse to talk up the latest OS release.

[genki500]

Never. No way.

[edDV]

Begs the question ... Why is Google Inc. still using IE6+XP?

[guns1inger]

If you are still using IE 6 when Firefox has been available for so long, more fool you.

[zoobie]

There's also something screwed with IE8...a lot of lightboxes don't work...I had to go back into my bulletinboard and tell it to recognize IE8 as IE7 with a snippet of code

[Tedness]

Makes me glad I own a Mac

[lordsmurf]

Makes me glad I own a Mac

Why? To use an equally quirky Safari?

[videobread]

I switched to Firefox several years ago when the Department of Fatherland Security recommended that we stop using IE. I'm not surprised that France and Germany now say stop using IE6. I don't know who would be using an old browser anyway.

What gets me is that Microsoft is saying dump XP! Is XP not defensible either? I remember when Bill Gates said he was going to fix "The Microsoft Problem". WOW! What's wrong with this picture? Is this extortion or what? How many times can we be expected to buy a new platform? It's just the platform!

[ron spencer]

this obviously directed towards the idiots of the world (I guess most peole are). Who would trash a perfectly good OS when just using Firefox will solve all your problems....I guess MS really thinks the majority of their client base it stupid...that, or maybe, sales of 7 are not as good as they state LOL

[videobread]

Is Windows a Protection Racket? Microsoft is not saying you have to upgrade but, if you don't you might have problems.

(per Wiki) A protection racket is an extortion scheme whereby a criminal group or individual coerces other less powerful entities to pay protection money which allegedly serves to purchase protection services against various external threats, usually violence or property damage - sometimes perpetrated by the racketeers themselves.

In some cases, the "protection" is little more than extortion, with no real service rendered unto the victim. Otherwise, the racketeers will warn other criminals that the client is under their protection and that they will punish anyone who harms the client. Services that the racketeers may offer may include the recovery of stolen property or punishing vandals. The racketeers may even advance the interests of the client, such as muscling out unprotected competitors.[1]

The protection money is typically collected by a "bag man". Although the organization might be particularly coercive in obtaining protection money, it is usually careful to shelter its "mark" from attacks by competitor organizations that similarly attempt to solicit or threaten the targeted individuals or businesses. Disputes between organizations concerning territory consequently arise from two competing organizations attempting to extort from the same "clients".


This has been going on since 1985 and made Bill the richest man in the world. How many of these OS's have you bought - Windows version 1.01, 2.03, 2.10, 2.11, 3.0, 3.1x, Windows for Workgroups 3.1, NT 3.1, Windows for Workgroups 3.11, 3.2, NT 3.5, NT 3.51, 95, NT4.0, 98, 98SE, 2000, Me, XP, XP64, Server 2003, XP Pro 64, Widows Fundametals (legacy), Vista, Home Server, Server 2008, 7, Server 2008 R2 and Windows 8 (2012?).

Remember the Wintel monopoly - you had to keep buying new OS's to run the newest Intel processors. Now that processors have effectively peaked it's just plain extortion! Buy my new OS or something bad might just happen to you. Be afraid. Be very afraid!

[usually_quiet]

Let's not forget Firefox isn't perfect. Some serious security issues have been found. One was reported in July of 2009.

I switched from IE to Chrome a couple of months ago as my primary browser. Firefox is #2. There are things about Chrome's user interface that I just like better than the others and it is possibly more secure than Firefox. I now use IE mostly to save pages in .mht format.

I just upgraded to IE8 again today, since apparently IE7 has some unfixable problems too.(I used IE8 for a while, but went back to IE7, when I began having problems with it after an update.)

Vista and Windows 7 have some modest security features built into them that XP lacks. I presume that is the reason why Microsoft suggests upgrading.

Why would anyone use IE6? IE6 is the newest MS browser available for Windows 98, Windows Me, Windows NT 4.0 and Windows 2000. The people still using those operating systems (and there are still lots of them) can't upgrade to IE7 or IE8. Maybe they can't afford a new computer to run a newer OS, or perhaps they prefer to use them for other reasons. I suspect even some XP users haven't ever heard of Firefox, let alone go to the trouble of installing it.

[orsetto]

Makes me glad I own a Mac

Why? To use an equally quirky Safari?

That's for sure: I'm even less likely to use Safari on my Macs then IE on my Windows boxes (Firefox is one of the few applications that cures drama on both Windows and Mac platforms). So much for the theory that OS creators were "better equipped" to engineer web browsers than dedicated independent web developers. Amazing how many folks thought it was a brilliant move for MS to hijack the browser and lard it with proprietary MS code all those years ago: that worked out just great for all of us, didn't it? Apple and Jobs' cynical hatching of the bug-ridden Safari wasn't much better. Firefox is far from perfect, but if you're managing a cross-platform environment used by employees with widely varying degrees of common sense it beats the factory-issued alternatives.

[edDV]

...
Why would anyone use IE6? IE6 is the newest MS browser available for Windows 98, Windows Me, Windows NT 4.0 and Windows 2000. The people still using those operating systems (and there are still lots of them) can't upgrade to IE7 or IE8. Maybe they can't afford a new computer to run a newer OS, or perhaps they prefer to use them for other reasons.

My point was why is Google, Inc. keeping trade secrets and sensitive user files on a machine running IE6?

[aedipuss]

...
Why would anyone use IE6? IE6 is the newest MS browser available for Windows 98, Windows Me, Windows NT 4.0 and Windows 2000. The people still using those operating systems (and there are still lots of them) can't upgrade to IE7 or IE8. Maybe they can't afford a new computer to run a newer OS, or perhaps they prefer to use them for other reasons.

My point was why is Google, Inc. keeping trade secrets and sensitive user files on a machine running IE6?

wasn't the computer and exploit over in china? probably the most advanced machine in the office there

critical patch for mac osx out today also. m.s. isn't the only one with drive-through windows in the software.

http://threatpost.com/en_us/blogs/apple-patches-12-serious-mac-os-x-vulnerabilities-01...campaign=Today

[edDV]

Makes me glad I own a Mac

Why? To use an equally quirky Safari?

I get more Safari crashes (on Mac) than IE (on Windows). This is particularly bad when streaming media and surfing at the same time. FireFox is OK on the Mac.

[MOVIEGEEK]

I still use XP because it's stable and all video programs work on it, it's going to be supported until 2014. I do however use IE8 and recommend that everyone ditch IE6.

[edDV]

...
Why would anyone use IE6? IE6 is the newest MS browser available for Windows 98, Windows Me, Windows NT 4.0 and Windows 2000. The people still using those operating systems (and there are still lots of them) can't upgrade to IE7 or IE8. Maybe they can't afford a new computer to run a newer OS, or perhaps they prefer to use them for other reasons.

My point was why is Google, Inc. keeping trade secrets and sensitive user files on a machine running IE6?

wasn't the computer and exploit over in china? probably the most advanced machine in the office there

critical patch for mac osx out today also. m.s. isn't the only one with drive-through windows in the software.

http://threatpost.com/en_us/blogs/apple-patches-12-serious-mac-os-x-vulnerabilities-01...campaign=Today

From what I've been reading, Goolge doesn't keep user info on their China servers. They were hacked on their US corporate machines. That is why they are so upset.

[DarrellS]

The company first explained these mitigations last week when it admitted that its own investigations into the highly organized hacking attack in late December had concluded that a Remote Code Execution vulnerability in IE was used by the perpetrators. That vulnerability is triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element; attack code may be executed if it is successfully placed in a random location of freed memory. Microsoft has yet to issue a patch.

We've known this for years. Every browser is susceptable to attack from scripting. That's how attackers use malicios code, scripting. Most people don't have a clue that all you have to do is turn off scripting and cookies when surfing the internet and you're 99.9% safe. It also helps to use a firewall and Antivirus program. You don't need to change your OS or your browser, you just need to learn how to use them. Most people are either too lazy or too stupid to learn so they just switch browsers and operating systems, thinking they are more secure until some techy tells them that there is a security flaw with scripting in their browser so they look for a newer safer browser instead of turning off scripting in their browser.

I have Firefox installed on my machine but mostly all I use is IE6. There will come a day when I'll have to dump IE6 but it won't be because of security issues but because of compatability issues with websites dropping support and moving to newer browsers.

[usually_quiet]

...
Why would anyone use IE6? IE6 is the newest MS browser available for Windows 98, Windows Me, Windows NT 4.0 and Windows 2000. The people still using those operating systems (and there are still lots of them) can't upgrade to IE7 or IE8. Maybe they can't afford a new computer to run a newer OS, or perhaps they prefer to use them for other reasons.

My point was why is Google, Inc. keeping trade secrets and sensitive user files on a machine running IE6?

They probably weren't. I don't know much of anything about hacking and haven't read that much about this incident, but I would guess they just used the machine running IE6 to access Google's internal networks.

[rallynavvie]

You realize that M$ is fixing this exploit tomorrow for IE6+:
http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

[deadrats]

We've known this for years. Every browser is susceptable to attack from scripting. That's how attackers use malicios code, scripting. Most people don't have a clue that all you have to do is turn off scripting and cookies when surfing the internet and you're 99.9% safe. It also helps to use a firewall and Antivirus program. You don't need to change your OS or your browser, you just need to learn how to use them. Most people are either too lazy or too stupid to learn so they just switch browsers and operating systems, thinking they are more secure until some techy tells them that there is a security flaw with scripting in their browser so they look for a newer safer browser instead of turning off scripting in their browser.

here's the rub, a properly coded browser should not be able to get it's "hooks" into any critical OS functions, the job of a web browser is to, wait for it, browse the web, not be a conduit by which a hacker/trojan/virus can compromise the system.

scripting within a browser has some very valid uses, in terms of enhancing a web page but the browser should "trap" the script in code (<--this is programing jargon for wrapping the main application code in a condition that prevents unwanted behavior).

this would effectively mean that the browser runs in a type of simplistic virtual sandbox and in fact i think that there is a browser that does employ this programming technique, namely google's chrome.

[aedipuss]

if you really need to wear that double layer tinfoil hat, here is the win32 lynx browser for you. html text only.
http://pachome1.pacific.net.sg/~kennethkwok/lynx/

[Rudyard]

here's the rub, a properly coded browser should not be able to get it's "hooks" into any critical OS functions, the job of a web browser is to, wait for it, browse the web, not be a conduit by which a hacker/trojan/virus can compromise the system.

scripting within a browser has some very valid uses, in terms of enhancing a web page but the browser should "trap" the script in code (<--this is programing jargon for wrapping the main application code in a condition that prevents unwanted behavior).

this would effectively mean that the browser runs in a type of simplistic virtual sandbox and in fact i think that there is a browser that does employ this programming technique, namely google's chrome.

I got a question, reading what you wrote sounds so simple.....if it is indeed that simple to protect everyone from web based attacks, why dont they do it? What is stopping it? IE, FF, Saf, etc etc

[aedipuss]

tin hat folk can always run their browsers in sandboxie, it's been around for years.
http://www.sandboxie.com/

[lordsmurf]

sandboxie isn't user friendly. I don't understand it readily, and there's too much stuff to read.

A VM is easier.