Consider Switching From Internet Explorer, Says US Homeland Security (lifehacker.com) 46
Slashdot reader SmartAboutThings writes: While Microsoft Edge is right on track to replace Internet Explorer, it seems that the last one is a bigger security liability then you may think. In a newly released advisory, the Cybersecurity and Infrastructure Security Agency (CISA) [an agency within America's Department of Homeland Security] is warning users about an IE vulnerability.
To keep your personal data safe and don't expose your PC to dangerous malware, the agency further recommends "Consider using Microsoft Edge or an alternate browser until patches are made available." As a reminder, this is not the first international agency that ranks IE's security very low, as Germany's BSI shared a couple of months back a similar study.
Lifehacker's senior technology editor notes that the new vulnerability affects "various permutations of Internet Explorer 9, 10, and 11 across Windows 7, 8.1, and Windows 10 (as well as various editions of Windows Server).
"The bad news is that Microsoft won't likely patch this problem until February -- when the next major batch of security updates hits." But they offer a work-around of their own until then which involves opening an administrative command prompt to restrict access to the deprecated JScript library used by the exploit.
Otherwise, don't click on links from strangers, and if you're using IE switch to Edge. And Microsoft explains what will happen if you used Internet Explorer to visit a web site designed to exploit the vulnerability. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
To keep your personal data safe and don't expose your PC to dangerous malware, the agency further recommends "Consider using Microsoft Edge or an alternate browser until patches are made available." As a reminder, this is not the first international agency that ranks IE's security very low, as Germany's BSI shared a couple of months back a similar study.
Lifehacker's senior technology editor notes that the new vulnerability affects "various permutations of Internet Explorer 9, 10, and 11 across Windows 7, 8.1, and Windows 10 (as well as various editions of Windows Server).
"The bad news is that Microsoft won't likely patch this problem until February -- when the next major batch of security updates hits." But they offer a work-around of their own until then which involves opening an administrative command prompt to restrict access to the deprecated JScript library used by the exploit.
Otherwise, don't click on links from strangers, and if you're using IE switch to Edge. And Microsoft explains what will happen if you used Internet Explorer to visit a web site designed to exploit the vulnerability. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Someone should create a website which (Score:2)
Installs Firefox or Chrome, and links them to the IE icon:
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Re: (Score:2)
IE is less the problem than running any browser under Windows.
Ma Nature needs a STANDARD browser! NOT (Score:1)
This is a deliberate attempt to direct the discussion towards the deeper issues. On Slashdot? I don't know what I'm smoking, but I better cut back.
There is a reason Ma Nature doesn't have a standard species. Actually many reasons, but almost all of them apply more or less directly to the underlying foundation of of this story. I'm deliberately focusing on one particular reason because it came up yesterday in relation to Trump's Space Force fantasies related to fighting extremely illegal aliens.
In diversity
Use IE at work (Score:2)
Re: (Score:2)
There are a few systems we have at work who only work correctly with IE. Would never use it outside that context.
So so sorry. The only other possible use case for IE or Edge (non-Chrome version) is to download Firefox or regular Google Chrome.
Re: (Score:2)
I just bought an outdoor surveillance camera from a good company that records in 4k and the x265 codec. The only way to view the video in a browser is to access it under IE11 in compatibility mode. The instructions say Chrome needs a plugin which is deprecated now. It launches its own browser like window and doesn't even work. What the fuck? The video streams fine to VLC but to tweak any settings you need the browser.
Re: (Score:2)
Yeah, it sure sounds like you know what a "good company" is! LOL
Re: (Score:2)
Lorex for what it’s worth. It does color video in low light settings.
Re: (Score:2)
You just described them as being awful, sorry for you that you have such low standards for yourself.
Even after being told that, you just plow forwards.
Re: (Score:2)
Which company makes that camera? I'd like to avoid them in the future.
In my case, I just upgraded the firmware on my Amcrest 2K and it *removed* the need for a plug-in. Codecs are h.264 baseline, normal, and high. It works great with Zoneminder, as an ONVIF device, or accessed directly via a browser.
It now suggest Chrome, as audio doesn't seem compatible w/Firefox. I haven't dug into that, yet.
Re: (Score:2)
DoD. Parts of their systems are only "supporting" IE. When informed there are web standards and if they just supported those, then they would be supporting Mac and Linux by default, they claim they do not support Mac and Linux. End-O-Discussion from their point of view.
More to the point, the jokers who built those sites have left and they don't have the faintest of fuzzies about how they work or how to update the software.
IE only browser supported in office (Score:1)
Re: (Score:1)
Still get IE 6 hits in my logs (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
how many of those IE 6 hits are other browsers, pretending to be IE 6 for whatever reason?
Pfft. (Score:2)
Consider Switching From Internet Explorer
Someone tell Homeland "Security" that they're twenty fucking years out of date.
Great advice (Score:5, Funny)
I started following it 25 years ago.
Re: (Score:3)
Funny how the advise is issued only when it suits M$, no matter how many years of shit hitting the fan go by.
Uh, this is past 9day (Score:2)
Traditionally, Microsoft releases security patches in a monthly "Patch Tuesday" event. But, when there's a released exploit, they used to step up and patch right away. So, why hasn't this been patched already?
Re: (Score:1)
Traditionally, Microsoft releases security patches in a monthly "Patch Tuesday" event. But, when there's a released exploit, they used to step up and patch right away. So, why hasn't this been patched already?
Sounds like Homeland security is trying to pull a fast one on the NSA here. Being able to pwned Internet Explorer traffic is a wonderful easy to use feature for them.
The javascript library exploits on IE have been screwed over, patched messed around, updated till they are so convoluted that high priority .net security updates are such a piece of shit that they regularly cause update failures, endless reboots and all sorts of bandwidth download issues on the Windows update pipeline. The last 4 of the on Wi
The Dept. of Homeland Security still using IE? (Score:2)
Re: (Score:2)
And these are the people tasked with making sure that the USA is safe?
No.
There is no US Federal mandate that requires the USA to be "safe."
Not a thing. Maybe in China they have that?
Wait... I'm confused.... (Score:2)
Browser bugs in 2020 (Score:1)
Re: (Score:2)
What does this mean? (Score:3)
"If the current user is logged on with administrative user rights,...
What does this mean with respect to UAC and Admin Approval mode? Does the vulnerability allow UAC to be bypassed? Does it mean someone actually running the browser as Administrator with already elevated privileges? Does it mean someone who has disabled the UAC prompts?
default administrator (Score:2)
The initial user created on a new PC (Windows and many Linux distributions) has default administrator rights. Unlike me, most home users just use that first account. I suspect that many small businesses do the same. Larger IT departments generally have a setup process that precludes most users from ever having such rights.
This is one of the reasons Windows has terrible security. Microsoft (and the offending Linux distributions) should make it clear that initial user created should NEVER be one that is u
Re: (Score:2)
Unless things have changed with Windows 10, in order to use those administrator rights, the user has to clock "OK" on a UAC prompt. Does this vulnerability bypass UAC?
Re: (Score:2)
Users are conditioned by click-through licenses to just click "OK" whenever one appears. Without administrator rights, that won't work; they have to enter the administrator password which gives them a moment's pause. Nothing is perfect, if the user knows the password, but it does, at least, try to jog the "something odd is happening" alarm.
I still use IE11 and like it (Score:2)
I still use IE11 for certain applications because this is the only browser where font rendering looks halfway reasonable when blurry type is disabled.
Older versions of Firefox worked fine until they changed some rendering engine bits years ago. Now its impossible to change it back regardless of about:config settings. Without clear type Firefox is often terrible and so I prefer IE11 for some mostly internal applications.
Perhaps I need to collect some raster fonts and use those to selectively bypass clearty
Even M$ says IE isn't a real browser (Score:2)
Switch, indeed (Score:2)
>"Otherwise, don't click on links from strangers, and if you're using IE switch to Edge [from IE]."
Nope, switch to Firefox. Just as fast [overall], less spying, more control, less power and control for Google AND Microsoft. Stop contributing to creating a new IE era while you still can...
We already did 20 years ago (Score:2)
But thanks anyway.
Still around? (Score:2)
I can't! (Score:2)
Will citibank be liable if it forces us to use IE? (Score:2)
Re: (Score:2)
Firing up IE only when you need a new virtual number and shutting it down is a much safer option.
blocking jscript.dll will mess up mmc UI (Score:1)
Note that when I applied that jscript disabling workaround on Vista to block CVE-2018-8653, it caused MMC's UI to fall apart slightly. It would also spread to anything hosted in mmc (gpedit, services).
This also happens on Win7 and I wouldn't be surprised if it is still present in Win10. If you see the extended mmc view not looking quite right, this is why.
Comment (Score:2)
I have one great word for DHS... (Score:2)