Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Internet Explorer Microsoft Security IT

Microsoft Issues Workaround For IE 0-Day 101

Posted by timothy
from the we-call-these-o'houlihan-patches dept.
Orome1 writes "Microsoft has issued a security advisory with advice on how to patch a Internet Explorer zero-day vulnerability recently spotted being exploited in the wild by attackers that might be the same ones that are behind the Nitro attacks. News that there is a previously unknown Internet Explorer vulnerability that is actively being misused in the wild by attackers that are believed to be the same ones that are behind the Nitro attacks has reverberated all over the Internet yesterday."
This discussion has been archived. No new comments can be posted.

Microsoft Issues Workaround For IE 0-Day

Comments Filter:
  • by Anonymous Coward on Tuesday September 18, 2012 @08:30AM (#41373513)

    Click [firefox.com]

    • by Stan92057 (737634)
      Ya think too small

      http://www.ubuntu.com/download
    • All but one supported edition of IE is affected: 2001s IE6, 2006s IE7, 2009s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide. The only exception is IE10, the browser bundled with the new Windows 8, which does not contain the bug.
  • Load Firefox? (Score:5, Insightful)

    by jfdavis668 (1414919) on Tuesday September 18, 2012 @08:37AM (#41373581)
    The work around is load firefox or chrome.
    • I remember that when Microsoft bound IE to the OS back in Win95, IE is now everywhere. That Windows Explorer window? Now subject to IE attacks. That HTML pane in Outlook? Now subject to IE attacks. That help window in SomeGame 2.0? Now subject to IE attacks.

      I'm not sure how true this is now, but a guess is that it's still much this way.

      • by pointyhat (2649443) on Tuesday September 18, 2012 @10:00AM (#41374353)

        You speak with authority but do not understand the principles and abstractions.

        It's called COM. Windows is based on COM. It allows components to be reused, which is good design and good practice.

        This is the same concept as WebKit being a shared library on Linux and gnome help, gnome file manager and Epiphany importing it.

        I they discovered a WebKit hole: waah waah whinge whinge there is a hole in Gnome Help - save us all from the 0-day

        That complaining never happens but if Microsoft fall to the same thing, they get slated. Hardly fair is it?

        • It allows components to be reused, which is good design and good practice

          It's only good design practice if the shared components dont royally suck.

      • by chrish (4714)

        Unless things have changed in the last ~2 years, Outlook rolls its own HTML/CSS/JavaScript engine to avoid IE issues like this.

        Unfortunately, it opens Outlook up to their own HTML/CSS/JavaScript related bugs, and their implementation is half-assed like old versions of IE (that is, you can't expect HTML and CSS to work normally, even for features that Outlook implements).

        Sorry, PTSD moment from having to "fix" HTML newsletters for Outlook once upon a time...

    • by gman003 (1693318)

      Hey! I use Opera, you ignorant twat!

      • Whahh Whahh! You've got Bugs!!

        I use ESP to surf the web. Works so much better and there's lots of 0.025 cents out there to accumulate.

  • Workaround is stupid (Score:5, Informative)

    by Anonymous Coward on Tuesday September 18, 2012 @08:48AM (#41373673)

    Disable ActiveX and then demand it runs to "Prompt" in both Internet AND Intranet????? This is NOT a "work-around." A work-around would be how to allow our users to continue running without being prompted to run or not run things they don't understand and don't want to.

    Or install an alternate browser.

    Sheesh, is the Internet really worth this crap? Really?

    • by Robert Zenz (1680268) on Tuesday September 18, 2012 @09:00AM (#41373757) Homepage
      Fun fact: Forbidding ActiveX and similar things in Internet Explorer yields interesting site effects, f.e. that Visual Studio can't display error messages or the Help anymore.
      • by GNious (953874)

        try disabling ActiveX on you WAN/ADSL/whatever router - has fun effects on all sorts of things in Windows 7

      • This shouldn't be the case from VS 2010 onward. The help system there has been reworked completely to be browser-based (rather than requiring its own client as MS Help 2.0 - the thing used in VS 2002-2008 - did), and should work in any browser, not just IE.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Or install an alternate browser with No-Script.

      FTFY.

    • by Anonymous Coward
      The equivalent in Chrome/FF is to disable Java, which makes ActiveX looks secure.
  • by Anonymous Coward on Tuesday September 18, 2012 @08:54AM (#41373709)

    Seriously, I don't use IE at home but until Chrome, Firefox, or Opera have tight integration and customization that can be centralled managed (GPO) IE will be the defacto standard browser for a lot of businesses. As an IT Manager I have tried repeatedly to move to a different browser and the tools to manage them just aren't there.

    "Hahaha those losers use IE, they suck they should just switch to chrome" are not helpful comments and show just how little you know about the many current business environments. Your beloved Chrome and Firefox, by their actions, don't want to be the default browsers in business. They just don't. That leaves us with IE which, despite these 0 days and standards issues, is superios in every way in a Windows comprate environment. Until that changes IE will be what many businesses use because browser management is just so easy it's automagic.

    And those Linux folks, switching to Linux isn't helpful either until some sort of same tier GPO management alternative that has simple interpoability is available. We could actually drop Windows and go full linux if I could gain the control I get from a Windows environment.

    Disclaimer: I use Firefox, Opera, Ubuntu, and Mint at home.

    • by NatasRevol (731260) on Tuesday September 18, 2012 @08:58AM (#41373741) Journal

      The question is why you need to manage a browser so much.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        The question is why you need to manage a browser so much.

        Define browser behavior for specific vendor (state, federal governments) websites and zones
        Homepage
        What is allowed to be installed
        Favorites
        Preferences for appearance
        Internet and Proxy settings

        the list goes on and on.

        • by Anonymous Coward

          You are doing it wrong. You are creating a tightly integrated application with IE/browser. Bad idea from the start. Then you are locked in forever till someone funds another tight integration. Your benefiting from IE infrastructure, but the world is messed up b/c you are stuck in 1990s.
          So pls stop doing it or stop calling whatever you created a browser and make sure you exclude them from external network usage so we do not have to fell the pain caused by you decisions.
          BY THE WAY. If you have to control your

        • by sys_mast (452486)

          I'll feed the AC....

          What is everyone addiction to setting the homepage? I can see defaulting to a company intraweb or some portal. But WTF if someone feels they are more productive with some random web app or other data source or even google as their home page why lock them out of it?

          I guess some sort of Kiosk, but there are better special built kiosk apps that work better than IE. (though they may use IE to render)

          Maybe I'm missing the point.

          • Re: (Score:3, Funny)

            by gl4ss (559668)

            I'll feed the AC....

            What is everyone addiction to setting the homepage? I can see defaulting to a company intraweb or some portal. But WTF if someone feels they are more productive with some random web app or other data source or even google as their home page why lock them out of it?

            I guess some sort of Kiosk, but there are better special built kiosk apps that work better than IE. (though they may use IE to render)

            Maybe I'm missing the point.

            well, the reason to use ms's enterprise deployment of ie settings is that then you can make the browsing experience secure.

            oh wait..

          • by beep54 (1844432)
            "What is everyone addiction to setting the homepage?" Guessing you meant 'why' there. Pretty much the first thing I want to go to when the browser comes up is email, so it is handy for it to be there. But if I am feeling more paranoid, I just set it to blank page.
        • by pouar (2629833)

          Define browser behavior for specific vendor (state, federal governments) websites and zones
          Homepage
          What is allowed to be installed
          Favorites
          Preferences for appearance
          Internet and Proxy settings

          I can do that with firefox already

      • The question is why you need to manage a browser so much.

        Quick real-world answer. Java! Not modern java, but the insecure 30+ security hole java 1.4.1, not java 1.4.0, or 1.4.2, but 1.4.1. Kronos requires it and therefore leaves these HR payroll specialists wide open with a bulls eye target. Solution? Create a special GPO just for the HR payroll group with java 1.4.1 only accessible for the intranet kronos site.

        Scenario 2, in the same orgamization java is required for Bank of Montreal for some line of credit apps. Java 7 which is more secure wont work. However, i

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Google has an enterprise deployable msi installer of chrome, along with a gpo addin to manage chrome. Your statement is false.

    • by LordLimecat (1103839) on Tuesday September 18, 2012 @09:51AM (#41374247)

      Chrome can be deployed by MSI [google.com] and managed by GPO. They have the ADM [google.com] templates right on their site.

      • It still can't be patched via WSUS though which means uncontrolled updates.
        • by Anonymous Coward

          *Uncontrolled updates that also saturate your business's expensive WAN link instead of coming from a local server.

        • by NetCow (117556)
          Sure it can:

          The enterprise MSIs are patched in sync with the other updates. Managing Chrome via LUP + the Chrome ADMs is a breeze, since if an "uncontrolled" (LocalAppData) Chrome instance starts and there's a MSI on the machine, the uncontrolled instance will respect the GPO settings.

  • by Anonymous Coward on Tuesday September 18, 2012 @09:03AM (#41373797)

    http://technet.microsoft.com/en-us/security/advisory/2757760 [microsoft.com]

    Linking from "Microsoft issued an advisory" to submitter's site is kinda lowbrow.

  • Workaround != patch.

  • It never ceases to amuse me, the glazed look on peoples faces when they ask me how I deal with Windows viruses and I explain I don't use Windows ..

    Distrowatch [distrowatch.com]
    • by pointyhat (2649443) on Tuesday September 18, 2012 @10:13AM (#41374513)

      I haven't had a Windows virus since I started using it 24 years ago and I've used IE all that time.

      Then again, I don't go surfing pr0n, cracks, warez, torrents, rapidshare, mp3 sites etc.

      Intimacy with the wrong people is only going to end in an STD regardless of which prophylactic device you or they wear.

      • by Anonymous Coward

        There's still the threat of compromised 3rd party ad servers spewing malware from otherwise credible sites. Safe browsing habits won't save you from that. Even if you know what you are doing there's always a chance that you can get hit.

      • Anecdotal evidence is anecdotal. You can get infected using Windows simply by visiting Google, seeing ads on mainstream sites etc. It's happened to us during setting up new installs. It's not too hard to do. We no longer search for drivers until the AV is installed; previously drivers came first.
  • Firefox Issues Workaround for IE 0-Day
    http://getfirefox.com/ [getfirefox.com]

    Chrome Issues Workaround for IE 0-Day
    https://www.google.com/intl/en/chrome/browser/ [google.com]

  • Submitter is a idiot.

    • by fatphil (181876)
      There's nothing stupid about trying to increase the number of page impressions on a site which carries ads.

      A dick, perhaps, but not necessarily stupid.
  • MS suggests to use EMET (a tool that enfonrces ASLR and DEP), but Brian Krebs reports that this does not really plug the hole [krebsonsecurity.com]

Invest in physics -- own a piece of Dirac!

Working...