Microsoft Security Windows

Consider Switching From Internet Explorer, Says US Homeland Security (lifehacker.com) 46

Slashdot reader SmartAboutThings writes: While Microsoft Edge is right on track to replace Internet Explorer, it seems that the last one is a bigger security liability than you may think. In a newly released advisory, the Cybersecurity and Infrastructure Security Agency (CISA) [an agency within America's Department of Homeland Security] is warning users about an IE vulnerability.

To keep your personal data safe and not expose your PC to dangerous malware, the agency further recommends "Consider using Microsoft Edge or an alternate browser until patches are made available." As a reminder, this is not the first international agency that ranks IE's security very low, as Germany's BSI shared a couple of months back a similar study.

Lifehacker's senior technology editor notes that the new vulnerability affects "various permutations of Internet Explorer 9, 10, and 11 across Windows 7, 8.1, and Windows 10 (as well as various editions of Windows Server).

"The bad news is that Microsoft won't likely patch this problem until February -- when the next major batch of security updates hits." But they offer a work-around of their own until then which involves opening an administrative command prompt to restrict access to the deprecated JScript library used by the exploit.

Otherwise, don't click on links from strangers, and if you're using IE switch to Edge. And Microsoft explains what will happen if you used Internet Explorer to visit a web site designed to exploit the vulnerability. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
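
An added example (not from the submission, Lifehacker or Microsoft): a read-only PowerShell check for whether the JScript access restriction mentioned above is in place on a machine. It assumes the standard jscript.dll locations and that the restriction appears as a Deny entry for Everyone (well-known SID S-1-1-0); the function name is hypothetical.

```powershell
# Added example: report whether jscript.dll carries a Deny entry for Everyone.
# Assumptions: standard file locations; the workaround is visible as a Deny ACE
# for the Everyone group (SID S-1-1-0). Read-only: nothing is changed.
function Get-JScriptRestriction {
    param(
        [string[]]$Path = @(
            (Join-Path $env:windir 'System32\jscript.dll'),
            (Join-Path $env:windir 'SysWOW64\jscript.dll')   # 32-bit copy on 64-bit Windows
        )
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Owner = $null; DenyRights = $null; State = 'NotPresent' }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            # A deny-all entry can stop an account that does not own the file
            # from reading the ACL at all; report that instead of failing.
            [pscustomobject]@{ Path = $p; Owner = $null; DenyRights = $null; State = 'AclUnreadable' }
            continue
        }
        # Resolve rules to SIDs so the match does not depend on the OS language.
        $deny = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and
                           $_.AccessControlType -eq 'Deny' })
        [pscustomobject]@{
            Path       = $p
            Owner      = $acl.Owner   # shows whether ownership of the system file was changed
            DenyRights = ($deny | ForEach-Object { $_.FileSystemRights }) -join ', '
            State      = if ($deny.Count -gt 0) { 'Restricted' } else { 'Unrestricted' }
        }
    }
}

Get-JScriptRestriction | Format-Table -AutoSize
```

Running it before and after patching shows which hosts still carry the restriction and need it reverted.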
This discussion has been archived. No new comments can be posted.

  • Installs Firefox or Chrome, and links them to the IE icon:

    "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

    • IE is less the problem than running any browser under Windows.

      • This is a deliberate attempt to direct the discussion towards the deeper issues. On Slashdot? I don't know what I'm smoking, but I better cut back.

        There is a reason Ma Nature doesn't have a standard species. Actually many reasons, but almost all of them apply more or less directly to the underlying foundation of this story. I'm deliberately focusing on one particular reason because it came up yesterday in relation to Trump's Space Force fantasies related to fighting extremely illegal aliens.

        In diversity

  • There are a few systems we have at work that only work correctly with IE. Would never use it outside that context.
    • There are a few systems we have at work that only work correctly with IE. Would never use it outside that context.

      So so sorry. The only other possible use case for IE or Edge (non-Chrome version) is to download Firefox or regular Google Chrome.

    • I just bought an outdoor surveillance camera from a good company that records in 4k and the x265 codec. The only way to view the video in a browser is to access it under IE11 in compatibility mode. The instructions say Chrome needs a plugin which is deprecated now. It launches its own browser like window and doesn't even work. What the fuck? The video streams fine to VLC but to tweak any settings you need the browser.

      • Yeah, it sure sounds like you know what a "good company" is! LOL

        • Lorex for what it’s worth. It does color video in low light settings.

          • You just described them as being awful, sorry for you that you have such low standards for yourself.

            Even after being told that, you just plow forwards.

      • by chill ( 34294 )

        Which company makes that camera? I'd like to avoid them in the future.

        In my case, I just upgraded the firmware on my Amcrest 2K and it *removed* the need for a plug-in. Codecs are h.264 baseline, normal, and high. It works great with Zoneminder, as an ONVIF device, or accessed directly via a browser.

        It now suggests Chrome, as audio doesn't seem compatible w/Firefox. I haven't dug into that, yet.

    • by gtall ( 79522 )

      DoD. Parts of their systems are only "supporting" IE. When informed there are web standards and if they just supported those, then they would be supporting Mac and Linux by default, they claim they do not support Mac and Linux. End-O-Discussion from their point of view.

      More to the point, the jokers who built those sites have left and they don't have the faintest of fuzzies about how they work or how to update the software.

    • Will MS support their new browser in Excel VBA to access the internet?
    • Same with my employer. We have at least one important COTS system that they need to upgrade so that it doesn't need ActiveX. And they will need time to build a censored version of the new Edge that doesn't allow us to add extensions, just as they did to Firefox.
  • by Arthur, KBE ( 6444066 ) on Saturday January 25, 2020 @08:23PM (#59656516)
    This message will fall on deaf ears, like all the rest of them.
  • Consider Switching From Internet Explorer

    Someone tell Homeland "Security" that they're twenty fucking years out of date.

  • by Brett Buck ( 811747 ) on Saturday January 25, 2020 @08:26PM (#59656522)

    I started following it 25 years ago.

    • by evanh ( 627108 )

      Funny how the advice is issued only when it suits M$, no matter how many years of shit hitting the fan go by.

  • Traditionally, Microsoft releases security patches in a monthly "Patch Tuesday" event. But, when there's a released exploit, they used to step up and patch right away. So, why hasn't this been patched already?

    • Traditionally, Microsoft releases security patches in a monthly "Patch Tuesday" event. But, when there's a released exploit, they used to step up and patch right away. So, why hasn't this been patched already?

      Sounds like Homeland security is trying to pull a fast one on the NSA here. Being able to pwn Internet Explorer traffic is a wonderful easy to use feature for them.

      The javascript library exploits on IE have been screwed over, patched messed around, updated till they are so convoluted that high priority .net security updates are such a piece of shit that they regularly cause update failures, endless reboots and all sorts of bandwidth download issues on the Windows update pipeline. The last 4 of the on Wi

  • And these are the people tasked with making sure that the USA is safe?
    • And these are the people tasked with making sure that the USA is safe?

      No.

      There is no US Federal mandate that requires the USA to be "safe."

      Not a thing. Maybe in China they have that?

  • Are we supposed to trust DHS today, or tomorrow only?
  • Clearly Microsoft should open source Internet Explorer
    • No, please no. If IE or Win7 is open sourced, then Microsoft will blame all security problems on FOSS.
  • by whoever57 ( 658626 ) on Saturday January 25, 2020 @09:51PM (#59656632) Journal

    "If the current user is logged on with administrative user rights,...

    What does this mean with respect to UAC and Admin Approval mode? Does the vulnerability allow UAC to be bypassed? Does it mean someone actually running the browser as Administrator with already elevated privileges? Does it mean someone who has disabled the UAC prompts?

    • The initial user created on a new PC (Windows and many Linux distributions) has default administrator rights. Unlike me, most home users just use that first account. I suspect that many small businesses do the same. Larger IT departments generally have a setup process that precludes most users from ever having such rights.

      This is one of the reasons Windows has terrible security. Microsoft (and the offending Linux distributions) should make it clear that initial user created should NEVER be one that is u

      • The initial user created on a new PC (Windows and many Linux distributions) has default administrator rights.

        Unless things have changed with Windows 10, in order to use those administrator rights, the user has to click "OK" on a UAC prompt. Does this vulnerability bypass UAC?

        • by dltaylor ( 7510 )

          Users are conditioned by click-through licenses to just click "OK" whenever one appears. Without administrator rights, that won't work; they have to enter the administrator password which gives them a moment's pause. Nothing is perfect, if the user knows the password, but it does, at least, try to jog the "something odd is happening" alarm.

  • I still use IE11 for certain applications because this is the only browser where font rendering looks halfway reasonable when blurry type is disabled.

    Older versions of Firefox worked fine until they changed some rendering engine bits years ago. Now it's impossible to change it back regardless of about:config settings. Without clear type Firefox is often terrible and so I prefer IE11 for some mostly internal applications.

    Perhaps I need to collect some raster fonts and use those to selectively bypass clearty

  • You do recall that Microsoft told ZDnet almost a year ago (Feb '19) [zdnet.com] that IE wasn't a browser, right?
  • >"Otherwise, don't click on links from strangers, and if you're using IE switch to Edge [from IE]."

    Nope, switch to Firefox. Just as fast [overall], less spying, more control, less power and control for Google AND Microsoft. Stop contributing to creating a new IE era while you still can...

  • But thanks anyway.

  • I didn't know MSIE was still a thing, even a little thing.
  • I want to. I really want to switch from IE. But I can't. Looked everywhere, no trace of IE on my Ubuntu.
  • The Citi card virtual number generator is based on Flash, only IE still supports it. I am not able to totally disable IE because of that. If I get hacked through IE, can I blame/sue Citi?
  • Note that when I applied that jscript disabling workaround on Vista to block CVE-2018-8653, it caused MMC's UI to fall apart slightly. It would also spread to anything hosted in mmc (gpedit, services).

    This also happens on Win7 and I wouldn't be surprised if it is still present in Win10. If you see the extended mmc view not looking quite right, this is why.

  • Oh, the exploits they were using were leaked? So I guess now they have to pretend to care about end users' safety.
  • Divide and COVFEFE!
