Slashdot Mirror
Zero-Day IE Exploit In the Wild
Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
← Back to Stories (view on slashdot.org)
There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing i can't get over is how this is still happening? The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).
The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
It can also be mitigated by using firefox.
The theory of relativity doesn't work right in Arkansas.
You shouldn't blame the language. Blame their implementation of that language.
Do you like German cars?
Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.
It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary.
The only reason I can think of is ignorance. But even then, most people likely know somebody who could help them install Firefox or Opera for the first time. Maybe each one of us should pledge to tell one other person who isn't aware of the alternatives about them. Make a pact with that person: if they are pleased with their new browser, or it keeps their Windows system free of malware, have them tell one new person about Firefox or Opera.
Very rapidly, many people will be able to find out about the alternatives, and it'll benefit us all. Us geeks won't have to help relatives and friends with their malware-infested systems. Those users won't have to ask us to help them, or in the worst case, call the Geek Squad or otherwise bring theirs systems in for expensive and inconvenient "decontaminations" (often performed by fools). Plus the private data of those users is far more safe. In short, we all benefit.
Don't be silly. The problem is implementation, not the language itself. The language was designed to do things like open windows, add popups, and manipulate strings. The reason there are security holes is that it was implemented as a fully-priveleged com service, as was IE (via shdowvw). Basically the problem is that Javascript in IE can do anything that IE can do, and that IE can do just about anything, including installing software and monkeying around with files. It's possible to implement IE and Javascript in sandboxes just like you describe java. That's why (for the most part) Firefox is ok. It's only when FFX uses some core windows libraries (like WMF) that it gets into trouble. Now: it should be said that this isn't. strictly speaking, Microsoft's fault. They built a very open. flexible system, which was subsequently exploited by a lot of people who want to do you harm. Nevertheless, in the modern internet environment, they should really lock down what they're doing.
No, it stems from the fact that they tied explorer into IE.
They wouldn't have been damned if they didn't, they just would have had to compete on merits instead of pushing product.
ActiveX is what really kicked Netscapes ass because that is what the masses liked, not IE's implementation of JS.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
Don't you mean switched off and encased in a few cubic meters of concrete?
There is no such thing as "100% secure".
Fast, cheap & reliable. Pick two.
actually, what 'kicked netscape's ass' is the fact that you didn't *need* to download netscape... you already had a browser that the majority of other people used, so why download another one? by the way, i despise the fact that this was done by microsoft, in case you think i was arguing in favour of ie...
You do realise that would result in *less* security? The 'Trusted Sites' zone has far less security restrictions that the 'Internet' zone.
What you propose would require people to add the likes of Slashdot and Hotmail to the 'Trusted Sites' zone to function correctly. This effectively gives such sites far more access than you would probably like, much more than without playing with your 'zones' at all.
thats a daft proposal.
I.O.U One Sig.
Uh, no, what "kicked Netscape's ass" is that
In a word, what killed netscape is that MSIE was, at the time, a much better browser than Navigator
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
It's Zonk's way to correct his spelling mistakes, you see. First he posts, then he dupes, but the second time the spelling mistakes are gone.
Religion is what happens when nature strikes and groupthink goes wrong.