New IE Vulnerability Used In Targeted Attacks; IE9, IE10 Users Safe
An anonymous reader writes "Criminals are using a new Internet Explorer security hole to attack Windows computers in targeted attacks, though the vulnerability could end up being more widely exploited. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are. It's great to see that the latest versions of IE are immune, but this new vulnerability is still bad news for Windows XP users and earlier since they cannot upgrade to more recent versions of Microsoft's browser. 'We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,' Dustin Childs of Microsoft Trustworthy Computing told TNW. 'We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.'"
I do feel sorry for XP users (Score:5, Funny)
I tried out IE 10 and it was great. It downloaded firefox and chrome even better than ever. People who haven't updated should. Too bad XP users can't use it though.
Re: (Score:1)
There used to be versions for Mac, Solaris, and HP-UX
Re: (Score:1)
It rocked because it was a completely different browser from IE on x86. The only thing it had in common with the Windows version was that it was non-standard in similar [but not the same] ways.
Re: (Score:1)
Anyone else noticed that for years the MacOSX version of Office was so much better and prettier than on Windows?
I wondered for awhile which side the developers in Redmond were on? Granted today Office 2010 and IE 10 for Windows have caught up. I guess the old Windows APIs must have been really bad if they couldn't get them to be as good as another competitor's OS.
Portability a feature (Score:3)
They are past tense.
It shows that their code was [and maybe has the potential to be] portable, admittedly the last version for the Mac was 9 years ago, 5.2.3 http://en.wikipedia.org/wiki/Internet_Explorer_for_Mac [wikipedia.org]. Microsoft admit their own inadequacy by not just producing code incompatible with other platforms, but even versions of their own platform. The sad fact is they have lost half their market to competing platforms even though they bundle it with their monopolistic product. Nobody would ever install it on alternative pl
Re:Portability a feature (Score:4, Informative)
Re: (Score:2)
With a completely separate rendering engine with different quirks, too, at least in the case of the Mac version.
Re: (Score:2)
I know you were joking, but IE remains the only major browser that runs on one platform only. I'm sure Microsoft will port it to other platforms someday!
You haven't heard? Microsoft has been working hard to finish porting IE6 to Linux. They seem to be targeting their ads mostly to business clients who use Active X. I wonder why Microsoft would support the Linux community, have they given up being evil???
Re: (Score:2)
IE is cross-platform. x86, x64, XP, Vista, Windows 7, Windows 2003, Windows 2008, etc.
Re: (Score:2)
Serious post - I'm sure Microsoft will re-port IE to other platforms if/when Windows looks like losing significant market share. The OS is becoming irrelevant, and the browser is becoming more and more important as a platform for application development.
Eventually, I'm sure they'd prefer to have a higher share of the browser market by supporting multiple platforms, than seeing the browser share shrink with Windows. With the epic failure of Windows 8, it may happen sooner than we expect.
Re: (Score:2)
www.codeweavers.com/compatibility/search?name=internet+explorer&search=app
I actually had to for my friend. He loves using Ubuntu since I converted his work laptop, then all his home computers, but there was some stupid IE only website that he had to use to make reservations for his business.
It is not perfect, but it gets the job done, and works much better than Virtual Box on his old laptop. Much less pwnage running under Wine too.
Cheers!
Re: (Score:2)
IIRC it loads some kind of IE only plugin to do the 'secure' ordering and reservations, but I will give that a try. I gotta pay him a holiday visit anyways. I didn't see him at Target this Christmas eve. First time since Target opened here about 10 years ago :) I can't imagine he had all his shopping done ahead of time!
What better way to say happy holidays than to remove the last remaining piece of Microsoft software from his life and update his 10.04 Ubuntu install to Mint 14!
Thanks and Happy New Year!
Re: (Score:3)
winetricks ie8
unfortunately ie versions later than 8 are not supported in linux, you should upgrade to a superior operating system if you wish to experience the same bullshit you've been putting up with for 10 years (sorry, i'm a web dev)
Re: (Score:2)
It's here [von-thadden.de]. You also can get it from your distro's repository.
It's very useful to test pages in development. Also, you can install several versions of IE on the same Ubuntu computer. But it probably won't emulate this bug, so you won't have the complete experience of having your computer owned (by this exploit).
Re: (Score:2, Troll)
You call it a problem. I see that as a tremendous advantage. Instead of installing my OS, then searching my drawers and closets for CD's and floppies, or downloading stuff from random sites, I just go to my trusted repository to install everything I need. All my downloads come from a single place, all of it having been vetted for malware and/or security holes. It's really great, IMHO. All updates come from the same source, there's no need for me to have my system tray loaded with icons that continuousl
Re: (Score:3, Insightful)
Funny how this comes from a community that complains about walled gardens and vendor lock-in.
Ubuntu has PPAs, and Android has the same thing (Score:3)
Re: (Score:2)
Funny how this comes from a community that complains about walled gardens and vendor lock-in.
Take a look at these screen shots of the Ubuntu Software Center. [canonical.com] Looks a lot like the Windows Store, doesn't it?
Heck, most of the apps featured here are available for the Windows platform.
Is it necessary to explain that Ubuntu isn't targeting the geek who compiles from source or is willing to navigate the depths and complexities of app-get?
Mind you, I was not a happy camper when installing the simplest of Internet radio apps and the Chromium browser Software Center did not install the essential (and dif
Re: (Score:2)
Take a look at these screen shots of the Ubuntu Software Center. Looks a lot like the Windows Store, doesn't it?
Try this: Edit > Software Sources > Other Software > Add, then paste in the apt line from a publisher's web site. How do you do that in Windows Store? Oh wait, you can't without an expensive sideloading license.
Re: (Score:2)
But they don't so, I don't.
Re: (Score:3)
This has been the pain I've had with the iphone since it was released (that is, eight months after it was released when the dev kit came out).
Re: (Score:2)
If you don't have root on your device, there are certain APIs you can't call. You can't write your own shell because you don't have fork(), for example. You can't launch other applications. I'm pretty sure you can't call the automation/Accessibility APIs without root either. You also can't have a process running constantly in the background. You can't access the voice-reading APIs. I'm pretty sure you can't disable the button, but I haven't tried on a non-rooted d
Re: (Score:2)
All the problems of a walled garden go away when you remove the walls. Everybody likes having a well maintained garden to play.
I don't feel sorry for those IE users (Score:2, Interesting)
Anyone still using IE6 or IE7 deserves to get hacked anyway. I might have a crocodile tear for IE8 users
Arrogant Computing Users (Score:5, Insightful)
Anyone still using IE6 or IE7 deserves to get hacked anyway. I might have a crocodile tear for IE8 users
I'm not a doctor - Do I deserve to get sick, I'm not a mechanic - Do I have to walk.. How about fixing a leaky tap!... how about making a violin!! I am not an expert in everything, and have rarely been out of education, some things take years to learn. The truth is why should everyone be executed to be experts at computing. The sad fact is the world is moving towards electronics away from general purpose computers...making experts like you redundant!
Re: (Score:2)
But then, your argument completely falls apart because these users are mostly corporate users whose IT managers should know better.
Household users either worry about it and upgrade themselves, or have more savvy family or friends who do it for them. Do you leave your grandparents, parents or friends with a batshit crazy outdated browser lying around? Of course not. You upgrade it when you notice, and you ideally configure the PC to do so automatically in the future.
Re: (Score:2)
The truth is why should everyone be executed to be experts at computing.
One does not simply avoid getting Malware. Only the dead can know peace from this evil.
Re: (Score:3)
The sad fact is the world is moving towards electronics away from general purpose computers...making experts like you redundant!
There's nothing sad about this. Not everybody needs a general purpose computer. What they want is a Facebook machine, a Tumblr machine, a Youtube machine, and a Netflix machine. And give it to them. I'm sick and tired of hand-holding users who can't handle a general-purpose computer that can run more than 1 thing at once. I don't run Windows at home. I don't get paid to do support. When something blows up, I get called over to read over the dialogs and apply common sense, because I'm the "computer g
Re: (Score:2)
When your doctor tells you to stop eating unhealthy foods because you're at risk of diabetes, do you give him shit like that? When your mechanic tells you that you need to bring your car in to get an oil change on time, do you throw your hands up in the air and bitch about not being an expert?
pretty sure the op struggles to get food to dock with his food hole
Re: (Score:1)
When your doctor tells you to stop eating unhealthy foods because you're at risk of diabetes, do you give him shit like that? When your mechanic tells you that you need to bring your car in to get an oil change on time, do you throw your hands up in the air and bitch about not being an expert?
pretty sure the op struggles to get food to dock with his food hole
The big boys at work who buy these $100,000 SAP, Oracle, Kronos, Manpower, Siebel, and other crapware do so because they get a ROI. Bitch about being geeky to this non tech user who just blew $500,000 upgrading everything from IE 6 to cutting edge IE 8 (in his mind) will fire you with such a doctor's analogy on the spot. That or he will look at you funny and ask if you replaced the toner on his printer yet? ... pff cost center peon.
This man writes your paycheck and he tells you what you support you either su
Re: (Score:1)
heh, they ask for a piece of shit and they get a piece of shit, what does that have to do with anything?
That POS you call it, does wonders to productivity. You are looking at it through a geek lens of HTML 5 features and multimedia support. My boss looks at it through how much can IT raise the share price. These corporate apps might not look as pretty as www.engadget.com on a HTML 5 browser with cool effects, but can display and automate business processes well.
They won't support anything above IE 8 yet (maybe 1 or 2 do as of the last 6 months) because XP won't die and IE 8 is the common gateway that runs on bot
Thank you for your example. (Score:2)
Terrible analogies. Before you go around driving a car by yourself, you typically learn how to drive a car with the help of others so you don't put others in danger, right?
...but not replace the engine.
Except it's not a car analogy... (Score:2)
This is where car analogies fall apart, the engine of a computer is the CPU, but they are usually much easier to change than a car engine except when they are surface mounted. But no I wouldn't expect the average user to be able to change a CPU, but installing a new web browser is something every computer user should be able to do, it isn't really any harder than sticking a new satnav to your windscreen and plugging the cord in the cigarette lighter socket.
....It's a skill analogy...It could have been butcher; baker and marine biologist. This week indirectly I paid hundreds of people for their skills, some as basic as *packing*, and the vast majority of them were completed better than I ever could, and many would require thousands of hours to become an expert.
As a side note the CPU in the Car...is part of the driver ;)
Is installing new software hard :) (Score:3)
But no I wouldn't expect the average user to be able to change a CPU, but installing a new web browser is something every computer user should be able to do
Here is the thing, I disagree. Windows is crap in the context of this discussion, and Linux is a dream (and Android/iOS). Because installing is hard. Let me paint a typical scenario...Windows is running slowly!! The problem is not one thing; it's everything. There are 4 unused bittorrent clients, a half uninstalled version of MobileME (how do you get rid of that icon...what is Mobile ME), there are a dozen links to defunct printers; scanners; wireless dongles and additional crap it installs. There is a whole h
Re: (Score:2)
Well, clearly MS disagrees. In fact, a week or so ago I reported a security bug that only affects IE7 (as far as I have tested) to ZDI. I will not reveal any more details until it is patched, of course.
Re:I don't feel sorry for those IE users (Score:4, Insightful)
Why would anyone deserve to get hacked for just running an old version of a software?
Because the immense majority of them are corporate users whose IT managers should know better.
Re: (Score:2)
Why would anyone deserve to get hacked for just running an old version of a software?
Because the immense majority of them are corporate users whose IT managers should know better.
IT Managers manage the entire attack surface area, which is why corporate users are typically behind a number of defenses that shield them from malware. And corporations often have policies in place that govern use of the browser/internet. Yes, it's still possible to go out and get zapped. Where I work that person will have a visit from the Security Dept. to be reminded of our policies and explain their browsing / download history. IMHO it boils down to more of a user problem than an old version technology
Re:mod parent up! (Score:1)
This user is precisely why IE 8 is still high, besides a few gray hair surfers with XP who click on the blue E like they normally since 2001 all the users are corporate. Many have finally just left IE 6 and to them IE 8 is a GREAT improvement sadly enough.
Geeks who do not work in corporate IT do not get it as these systems are not like their own pcs in their dorm rooms where it is free and easy to switch.
The same bean counters who sign for these $$$$ IE 8 only apps also sign your paycheck! If your cool brow
For Microsoft, vulnerabilities are profitable. (Score:2, Insightful)
With so little U.S. government supervision of abuses, having a virtual monopoly allows many tricky ways of making money.
Conspiracy theory (Score:1)
Would they resort to this method to scare people into upgrading?
Poor method of Gaining Customers. (Score:3)
Microsoft has wanted for ages that those users upgrade.
Would they resort to this method to scare people into upgrading?
Microsoft aren't even getting a sales bump from launching a new version of their platform, providing a shitty experience on their platform has them running to any other platform, and have yet to transition to the new world, where they are not the Daddy! Android is set to surpass them next year. I'd argue it was more to provide advantages over previous versions of their OS when really there are very few real advantages present. Simply leaving the older unmaintained version insecure is simply a bonus.
Gotta love the summary (Score:5, Funny)
Title: New IE Vulnerability Used In Targeted Attacks; IE9, IE10 Users Safe
Sentence Two: While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are
Then: "We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,"
Then: People using Internet Explorer 9-10 are not impacted.""
Could someone please tell me which versions are vulnerable and which ones are not?
Re: (Score:3)
Title: New IE Vulnerability Used In Targeted Attacks; IE9, IE10 Users Safe
Sentence Two: While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are
Then: "We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,"
Then: People using Internet Explorer 9-10 are not impacted.""
Could someone please tell me which versions are vulnerable and which ones are not?
It clearly states multiple times that IE 6-8 is affected and 9 & 10 aren't.
Re: (Score:2)
What if I'm running IE10 in IE8 mode?
Re: (Score:2)
It is called a joke. Sorry you didn't get it, but I promise not to make fun of slow individuals like yourself.
Obligatory update patch (Score:4, Interesting)
Obligatory: Get the update patch here: http://www.mozilla.org/en-US/firefox/new/ [mozilla.org]
Not an Update Patch (Score:3)
Obligatory: Get the update patch here: http://www.mozilla.org/en-US/firefox/new/ [mozilla.org]
It's a workaround.
People use IE? (Score:2)
Who uses IE?
Re: (Score:2)
noobs
Re: (Score:3)
Who uses IE?
I'd throw out some numbers but they are skewed toward the site measuring them. Wikipedia [wikipedia.org] pulls some sites together in one place.
Re:Uh, every business on the planet! (Score:1)
Until Oracle, Kronos, Siebel, DerpMaster, Manpower, Sap, and about 85% of all intranet app makers support anything above IE 8 the answer to any recent or different browser is a resounding NO!
Part of me feels they do so on purpose to hurt Microsoft so they can sell cloud solutions and make the pc platform and internal intranet apps higher TCO (Sap and Oracle) and we all need to suffer in the process by not having HTML 5 yet.
College kids reading this. Be prepared for disappointment in the real world as your p
What about Compatibility View? (Score:5, Interesting)
Compatibility View seems to turn IE 8-10 into IE 7... And I find people using it all the bloody time (and for no good reason other than they didn't like how the newer version CORRECTLY rendered some random page they were used to seeing broken!). So is Compatibility View immune to the exploit? I'm unclear whether IE has a separate engine for this or just uses some bizarre CSS definitions to achieve the brokenness...
Re: (Score:2)
Don't forget that IE also has a selectable document mode. So, I'd like to see a full matrix of browser modes and document modes that are affected (if it applies).
Re: (Score:1)
I wonder that too.
Many corps who use IE 9 (still few) put it in IE 7 mode typically because one tiny app used by HR won't render right so they make a group policy for the whole company. This eliminated youtube and facebook support which the PHBs even like!
Earlier Submission (Score:2)
Microsoft Trustworthy Computing. (Score:2)
LOL. What?
The only way to make Microsoft software trustworthy is to cut power to the computer.
I suppose it won't do any good to mention this (Score:2)
Older browser version with vulnerability -> JavaScript -> Flash ActiveX -> Java -> sad clown face. Should anyone be surprised? Here's a link to the CERT KB [cert.org] for more information.
While some may know of these exploits, many don't (Score:2)
Recently http://battlelog.battlefield.com/ [battlefield.com] (Battle Field 3 web interface) stopped supporting IE 8. http://battlelog.battlefield.com/bf3/news/view/2832654782553529670/ [battlefield.com]
A clan member asked what they could do about it, I told her to use a different browser. They came back: I suppose you expect everybody to have two browsers installed. Actually I did, the only browser they used was an out of date IE. Playing games on-line, having a functioning chat system installed; one would think they'd have an above average knowled
Re: (Score:1)
It is not old flash. The issue is GPU acceleration. Chrome auto updates to the latest flash.
One of the reasons to retire XP is its horrible GPU acceleration which will become more and more of a deal as phones and tablets offer the best smooth scrolling and visual experiences with the exception of Windows 8. Windows 7 is smoother but still flickers due to WDDM 1.1.
Intel makes some very crappy graphics a half decade ago. 915 is the IE 6 of directX and OpenGL developers with so many shit needing quirks due to I
Re: (Score:2)
Intel makes some very crappy graphics a half decade ago. 915 is the IE 6 of directX and OpenGL developers with so many shit needing quirks due to Intel wanting everything in software to sell more expensive CPUs. It simply can't handle h.264 and 1080p with motion blur, smooth font rendering, and other things mixed with an 11 year old GDI XP subsystem.
GMA 915 is also a pile of garbage because it could not handle WDDM, thus could not run Aero, and Intel bullied Microsoft into considering GMA915 "Vista capable". I also have some old Pentium III's with GMA 815. That's a real pile of shit too. Can't support VESA modes higher than 640x480x16 color, and just flat out garbage. Apparently Intel tried selling it as a standalone GPU on a daughter card at some point.
The GMA 500 found on Atom Z series was a steaming pile of crap too. A PowerVR design with decent spe
Re:The remaining (ironic) reason I still use IE (Score:4, Informative)
Have you tried actually uninstalling Flash? When you do, YouTube serves an html5 video.
URL (Score:3)
http://youtube.com/html5 [youtube.com] to manually enable/disable HTML5 video. If you're logged in, this preference can even be saved.
YouTube automatically detects which codecs are supported (Chrome and Firefox both support WebM. Chrome also supports H.264. Older versions of Firefox don't (due to licensing restrictions), newer versions of Firefox will tap into whatever system codecs are available for Firefox to use: GStreamer on Linux, DirectShow in Windows, hardware codecs wherever supported).
Also, video ads require flash t
Re: (Score:2)
I believe those fall back to Silverlight mode.
Try Gnash.
--
BMO
Re: (Score:2)
It was a joke...
You were supposed to laugh.
*bmo pouts*
--
BMO
Re: (Score:2)
But how will that work on popular YouTube-like sites that aren't really YouTube?
Most larger sites tend to serve html5 video due to the 250 million or so iOS users.
Not all of them do so properly yet, however. Specifically, a number of sites still check the user agent, rather than for Flash presence. On Safari, you can work around this by enabling the developer toolbar in the settings -- you use it to make the browser advertise itself as an iPad, which reloads, and more often than not things will then work without a hiccup. Being based on Webkit, I'd be surprised if Chrome doesn't have a
This video is not available on mobile (Score:2)
Not all of them do so properly yet, however. Specifically, a number of sites still check the user agent, rather than for Flash presence.
And other sites check for Flash Player and HTML5 and raise an error "This video is not available on mobile" if HTML5 is detected but Flash Player is not. Still other sites support only AVC, which won't work on browsers that support only the freely licensed VP8. Presence of Flash Player guarantees presence of AVC.
Re: (Score:2)
Chrome comes with a built-in, supported-by-Google, inline-process version of Adobe Flash. Yes, even in Linux, in fact that is the only supported Linux version of Flash going forward. Sounds to me like you have a misconfigured Chrome with it using the separate Adobe Flash Netscape-type plugin, the one you have for Mozilla-based products. Chrome's built-in Flash works fine, even on relatively low-resource machines. Since you are on Windows, you should be able to use it without problems on anything approximati
Re: (Score:1)
Your lithium is wearing off.
Re: (Score:2)
Nothing wrong happened.
Redmond, CEO office. Ballmer is practicing chair throwing against a human wall of Microsoft interns.
Fling......
"OUCH! THANK YOU SIR MAY I HAVE ANOTHER ONE SIR!"
Fling.....
A well dressed executive gets in, and says: "Your Sanctity, I have some bad news and some good news. We have a new vulnerability on IE"
Ballmer mutters among himself: "Damn, with the undisclosed ones it's the fifth one today... and it's only 10 am..."
The chairs get thrown with more energy. The human wall crumbles.
Final
Re: (Score:2)
Firefox addons give you site-by-site preferences. Take a look at NoScript. I'm pretty sure some others do as well, but I use NoScript all the time. It's probably not the best thing since sliced bread, but it comes close.
Seriously... (Score:1)
Who uses Windows?
...Yes...Seriously? (Score:2)
who uses IE?
...about 54% according to Net Application, and has been rising for the past four months. Thank god for Mobile computing is all I can say.
It has to be said. (Score:5, Insightful)
TFA implies that IE9 and IE 10 users are not vulnerable to this attack. Well, neither are Firefox users, nor Opera users, nor Chromium users, nor Safari users, nor ... and the list goes on and on [wikipedia.org]. Oh and obviously people using BSD or Linux or Mac are not vulnerable either.
Re: (Score:2)
Unfortunately a lot of enterprises use web applications internally that are dependent on specific IE versions. No, not a good idea, but still true.
Re: (Score:1)
An exploit in Lynx which allowed an attacker to execute arbitrary code was patched in the latest Ubuntu releases just last month.
Re: (Score:2)
In an article about an IE-specific exploit, Firefox, Chrome, Safari, Dolphin, Iceweasel, Opera, etc are irrelevant. My car isn't vulnerable to the exploit either.
If the article title was "most browsers vulnerable to blah zero-day" then sure, mentioning non-vulnerable non-ie browsers would be relevant.
Re: (Score:2)
Sorry if this is a dumb question, but what does the monthly cost of internet access have to do with it?
Re: (Score:2)
lol - I completely missed that.
Re: (Score:2)
MS's security record isn't all that great either
And the understatement of the year award goes to Anonymous Coward.
Re: (Score:1)
Good idea. Risk getting malware by not installing an anti-malware tool and a current version of a browser. Providing any reason for your actions would make your tin foil hat harder to see.