Zero-Day IE Exploit In the Wild
Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.
Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This is the reason why I have two browsers... I use IE7 and Firefox, and if an exploit pops up, I can switch to the other until it is plugged. I generally prefer to use IE7 and keep the Firefox for back-up.
Of course, there are also tons of other browsers out there, but I recommend that everyone have two so that they can move to the other when an exploit is found in one of them.
Justin - Don't be afraid of my blog, it won't bite.
Blah blah Firefox
I suppose now is as good a time as any to ask a question.
I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.
Are there any ways to reduce the time to load Firefox? I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory. Is this possible? I like a lot about Firefox, but its startup time and the GUI's "feel" have kept me using IE.
Thanks for any suggestions.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
Half his posts contain simple spelling errors a spellchecker could find, and the other half are dupes.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
This is not necessarily a smart idea.
If you simply start afresh, chances are that you're going to end up with all the same exploits all over again.
They either need to do a full security audit of the code (unlikely for Microsoft), or they need to start afresh *and* write it in a language/toolkit that is impossible/much harder to attack via buffer-overflow.
I guess my point is that simply starting over (without changes made to the development method) will not help. I'll be interested to see how many issues Vista has actually, seeing as they finally got the TCP/IP stack working reasonably well in XP SP2 and have decided to re-write it for Vista from scratch :D
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?
One acronym: AJAX.
Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.
Thanks to Web2.0 (and various other forms of propaganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).
I'm not about to start a "Browser War" with this entry, but I have to say: IE is a very volatile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.
Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.
I've been running Firefox for four months with "Noscript" installed. Javascript itself is being abused far too much to bypass popup blockers and generally screw around with a browser in a way that shouldn't be allowed. If I want a website to mess with me, I have to whitelist it first. It's annoying, especially around ecommerce sites, but I have peace of mind.
I don't think that's true any more. This time it would be reasonable for Microsoft to rewrite their browser in C#.Net, which theoretically provides the kind of sandboxing protection that prevents buffer overflows.
But would that address evil Java/J/Ecma Scripts? Image file exploits? Any of the vulnerabilities that are actually rooted in the Win32 APIs and the NT kernel?
I do not fail; I succeed at finding out what does not work.
No No No. Using Firefox solves the problem too, right? Stop telling people to switch off Javascript just because IE can't solve its security issues as quick as hackers can find/create them. Why? Because I, and probably thousands like me, rely on Javascript to access the web.
I use Talklets to help with my reading difficulties, when out and about. Switching off Javascript on public machines will really cause me issues! So don't. Switch to Firefox. Thanx
Now the web can talk. No really. It can.