If there wasn't enough reasons to switch away from IE until now..

[Tony]

Apparently this is all over mass media now.
http://www.microsoft.com/technet/security/advisory/961051.mspx

Looks like the exploit has been present since IE5.01 and affects everything up to IE8b2. I'm kind of impressed by the technical complexity of the exploit:

Quote:

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

According to http://voices.washingtonpost.com/securityfix/2008/12/microsoft_big_security_hole_in.html

Quote:

So far, the exploits appear to be only stealing online gaming credentials

... because I guess World of Warcraft accounts are now more profitable than Credit Card fraud.

But hey, it's predicted that the impact of malware will be upped in the next few days, so go spread some panic.

[DemonWasp]

The sad part is that nobody who needs to hear this message is going to hear it. This isn't broadcast on the evening news, it's not posted in malls. The majority of people can't tell Internet Explorer from a pair of pantaloons, so it's hardly surprising that they can't understand this whole "massive security hole" problem.

Unethical as it may be, the best use for this is probably to have it run arbitrary code that does the following:
1. Installs Firefox (or Chrome or Safari or whatever). Preferably, import settings from IE user accounts in some intelligent fashion.
2. Removes all links to IE, replacing them with links to FF / Chrome / Safari.
3. Unbinds IE usage as much as possible, so that users can't accidentally trip it.

Then maybe we can see this browser die the flaming, screaming death it so richly deserves.

[Dan]

DemonWasp @ 16th December 2008, 1:47 pm wrote:

This isn't broadcast on the evening news.

Acuataly it was on ctv news net. Tho it was a very short segment and had litte infromation.

[wtd]

The lesson kids?

Pay attention to details when you're coding, and test, test, test.

[jernst]

DemonWasp @ Tue Dec 16, 2008 1:47 pm wrote:

it's not posted in malls.

lol @ posting computer security alerts in malls

[Insectoid]

Well, most users are so used to crashes and viruses that they believe it is the norm for all programs and OSes. Actually, I would say maybe half of all IE users (80% of internet users) think Windows is the only OS (stats based on a study involving made-up numbers and no study-related activity).

[btiffin]

Look on the net and you'll see traces of people that believe erasing Windows from a hard drive is an illegal violation of the license.

Cheers

[DemonWasp]

Perhaps more concerning are the people who aren't aware what their operating system is, or even who makes what part of their system, even on a basic level (if you can't tell me what basic operating system, browser and email client you use, you need to know more about the computer).

I wasn't joking about this being displayed prominently, though. This is the sort of thing that should be posted in computer stores and repair shops, to warn people. This is the sort of thing that only us "super-nerds" see, and that's a huge part of the problem. The people who get it have long since abandoned the sinking ship that is IE.

And yes, Dan, occasionally stuff like this does hit the news. You get a short bit like "In tech-related news, Microsoft announced that it had found a major bug in its Internet Explorer software, affecting all current versions of the popular browser. The software giant plans to release a patch soon to fix the issue," then the newscaster switches to a 10-minute segment on some celebrities without batting an eye. The users of IE are reassured that MS has their backs and is working hard on a patch (which they probably are), and promptly forget, not realising that there are thousands of software companies that DON'T wind up on the evening news due to horrific faults in their code.

[andrew.]

insectoid @ Tue Dec 16, 2008 2:21 pm wrote:

Well, most users are so used to crashes and viruses that they believe it is the norm for all programs and OSes. Actually, I would say maybe half of all IE users (80% of internet users) think Windows is the only OS (stats based on a study involving made-up numbers and no study-related activity).

Most people I know don't even know what an OS is and a lot of them don't use anything that is free (e.g. Linux, open source stuff). They believe that you get what you pay for, which is true in some way. I try to convince them that open source software is better though.