Microsoft To Ship Emergency IE Patch

Grotendo writes "Microsoft plans to release an emergency patch for Internet Explorer very soon to counter targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser. The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend." Microsoft has downplayed the seriousness of the IE zero-day, and insisted that it affects only IE6 even as security researchers close in on exploits for IE7 and IE8. Microsoft has had no comment about the firestorm that Google unleashed by directly accusing the Chinese of cyber espionage. ShadowServer has up a sobering post on the massive extent of the problem of "groups that can be referred to as the Advanced Persistent Threat."

Enough is enough!

[LostCluster]

I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

Re:Enough is enough!

[MrEricSir]

Why not just exploit their browser's security flaws and wipe their hard drive?

That way they learn their lesson about safe browsing the old fashioned way.

Re:Enough is enough!

[NotBorg]

Sorry, but I need them alive! Muhahahahahahahh! Nom Nom Nom Nom!

Re:Enough is enough!

[H0p313ss]

Pro

• Amusing
• Might solve problem

Cons

• Illegal
• Immoral

Counter proposal: have you tried carpet bombing a small third world country today?

Re:Enough is enough!

[A+Friendly+Troll]

I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE.

Five.

It's missing Opera, which globally has more users than Chrome, for example, and wtfpwns both IE and Firefox combined market share in certain countries. In most European countries, Opera has more users than Safari and Chrome.

While the concept is neat, the choices aren't, and they are both offensive and ignorant.

Re:Enough is enough!

[Archangel+Michael]

I'm running similar code on my site, and yet many of the "visitors" are still using IE6. I suspect most of those are bots, because of the traffic pattern looking for Registration and Forum pieces.

It is sad when you can spot a bot by the UserAgent.

Re:Enough is enough!

[jhoegl]

One doesnt need to carpet bomb when their buildings are made of a concrete deck of cards.

Re:Enough is enough!

[Nerdfest]

Serious question here: does the Chrome frame for IE6 protect users from this attack? It would be interesting to know, as MS stated that it increased the security exposure (which is true in theory, but generally false in practice from what I've seen, as all attack surfaces are not created equal.)

Re:Enough is enough!

[stuckinphp]

its wikipedia..

Re:Enough is enough!

[ArhcAngel]

Considering how many single purpose devices I work on that still use IBM/MS DOS 3.3 I suspect IE6 will be dominant until corporations are forced to migrate to Win7/8. Big companies are spending their money on things that make them MORE money. Upgrading to IE 7/8 is NOT free and since IE6 "works" in the eyes of the boss there is no "need" to upgrade. I'm not aware of an enterprise deployment feature for FireFox or Chrome. I believe Opera may have one but I don't think it is free. Since XP and IE6 for the majority of enterprises is good enough nothing short of Microsoft pulling the plug on XP and thus IE6 will get those entities to address the issue of their IE6 locked web site / application. That time is coming barring any further extensions from Microsoft but it is still years away (currently 4/8/2014). Where I work they have taken 2 years rewriting our intranet web applications to work with IE7 but as of yet have no plans to migrate anyone and simply roll IE7 to new builds...of XP Pro. But feel free to continue to deride IE6 users sternly to your hearts content as they stare back with that deer in the headlights gaze.

Re:Enough is enough!

[dgatwood]

No. Chrome frame is only active if a page specifically codes for it. Otherwise, it does nothing. An attack page would not typically include code for a workaround.

Re:Enough is enough!

[NatasRevol]

Just drop carpets!

Re:Enough is enough!

[GF678]

I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

I'm sure corporate users who have IE6 forced upon them will appreciate it if they try to view your site.

I'm sure your response would be "well they can bring it up with their IT department and use it as a way to persuade the upgrade". Doesn't work like that in the real world, particularly if old IE6-only compatible web apps are still in use.

Re:Enough is enough!

[Ogive17]

I've asked our local IT guy (contractor) if the company had any plans to upgrade from IE 6 and he said no. Our HQ is on the left coast and that's where the ISD dept. resides. There are probably a couple applications that won't work properly with any other browser and that's keeping us with 6. Around the country we probably have a couple thousand work stations.

I don't know anyone else who uses IE and hasn't upgraded to IE8.

Re:Enough is enough!

[stokessd]

That's a very good point. And all corporations will tell you that the only surfing you should be doing should be work related, so if you follow that rule, your chances of getting owned even on IE6 are pretty low.

Now I'm posting to slashdot during work hours, and I'm not even an IT guy, so you can see how followed that policy is. At least I'm on firefox.

Sheldon

Re:Enough is enough!

[Drethon]

Could you also convince my place of buisness that making IE6 the manditory browser and not allowing installation of any other browser is a very lousy idea?

Re:Enough is enough!

[Culture20]

I don't know anyone else who uses IE and hasn't upgraded to IE8.

I know several companies and some university departments. IE6 intranet applications are the dumbest thing in the world, but the "If it ain't broke don't fix it" mantra doesn't consider security when gauging levels of "broke", only whether the intended purpose still works, and that's a business decision, not Infosec/IT decision.

Re:Enough is enough!

I believe you need to read this.

http://www.d-e-f-i-n-i-t-e-l-y.com/

Re:Enough is enough!

[PopeRatzo]

Opera, which globally has more users than Chrome

By "globally" do you mean "in your head"?

According to marketshare.hitslink.com, as of December 2009 Safari had 2.4% of the browser market share. Chrome had 4.63%

Over at gs.statcounter.com, as of January 10, 2010 Opera had 1.98% and Chrome had 5.88%.

Re:Enough is enough!

[zonky]

Rubbish. There exploits are commonly deployed via ad networks or 0wned legitimate sites. There is no such thing as a "safe" page and/or site.

Re:Enough is enough!

[H0p313ss]

* /me adds "Defiantly Amusing" as a bullet point to his CV*

Re:Enough is enough!

[denis-The-menace]

You must have a lot of pull or have a competent PHB.
Most places that start to consider FF stop when they find out there is no MSI *created by* the makers of FF.

You can get GPOs and pre-built MSI for FF but again, NOT by the makers of FF.

But this will soon be moot.
When Google *does* release an MSI for Chrome, FF will not be able to get into Corps because by then it will be too late.
Wake-up Mozilla!

Re:Enough is enough!

[RajivSLK]

No Save IE6! It keeps us employed!

http://www.saveie6.com/

Re:Enough is enough!

[Dumnezeu]

Why not slip a copy of Firefox as their default browser and remove the Internet Explorer shortcuts, by exploiting the bug? Of course, this depends on the laws of the country where you host your website.

Re:Enough is enough!

[Beardo+the+Bearded]

I'm using IE6 right now, you insensitve clod.

Why, you ask, is an Electrical Engineer -- one who reads /., has acted as a sys admin for two start-ups, uses Linux at home (and Puppy for the kids, that's right, my 6-year-old uses Linux) and has over 25 years of programming and networking experience)-- using IE6, a browser that MS itself has said, "oh god, please ditch it"?

Because I'm at work and some of the legacy applications here require it.

Have you got a solution? I'd love to hear it because I'd get a big fat bonus for a process improvement.

Re:Enough is enough!

[A+Friendly+Troll]

By "globally" do you mean "in your head"?

No, I mean "globally".

See this for an example: http://my.opera.com/haavard/blog/2010/01/02/odd-browser-stats

Google *themselves* claim 40 million Chrome users. Opera Mini alone has more users than Chrome, not to mention the desktop version. And yet Chrome is represented by having ten times Opera Mini's market share according to those stats sites. Right...

There's also this http://my.opera.com/dstorey/blog/2009/03/16/a-look-at-desktop-market-share-cis-edition this http://my.opera.com/dstorey/blog/2009/03/16/desktop-market-share-former-yugoslavia-edition and this http://my.opera.com/dstorey/blog/desktop-market-share-baltic-edition and this http://my.opera.com/dstorey/blog/desktop-market-share-central-eastern-europe-edition ...

Whether you like it or not, Opera is *massive* in Europe and has a far greater market share than you'd like to believe.

For that reason, the stupid code on "IE6 No More" site is insulting.

Re:Enough is enough!

[Mister+Whirly]

That wouldn't be very defiant now, would it? Maybe it is YOU who needs spelling lessons. "Defiantly" is a word, and is spelled correctly. And (completely unintentionally most likely)the meaning actually works in this case.

Re:Enough is enough!

[anexkahn]

or exploit their flaw to install a better browser :)

Re:Enough is enough!

[twidarkling]

I love you in a completely platonic fashion.

Re:Enough is enough!

[bunratty]

Opera is massive in Eastern Europe. On Russian, Ukrainian, and Polish sites it makes sense to push Opera. But does it make sense to push Opera to English users, based on Opera usage on mobile devices, when most visitors to the site are using a desktop browser? A study done by a Mozilla employee shows users are more willing to switch to Chrome or Firefox. Few users of non-Opera browsers are willing to switch to Opera.

Re:Enough is enough!

[bunratty]

You can also get the FrontMotion Firefox MSI. Mozilla is also working on their own MSI builds of Firefox.

Re:Enough is enough!

[LostCluster]

What's the app and why does it insist on IE6? Can it be tested on one IE8 virtual machine? If the app vendor was still around they most likely would love to sell an upgrade...

Re:Enough is enough!

[FictionPimp]

That is no longer a valid excuse. The cost of upgrading to apps that support a recent version of IE should be significantly less then the cost of cleaning up after IE6.

Of course their not going to do it until it bites them in the ass over and over, which is why I am happy every time I see an IE6 user get exploited. I've spent the last year of my life re-writing applications to be browser neutral for my job, so at least some companies are getting it.

Re:Enough is enough!

[FictionPimp]

We are looking to migrate to IE8 in the next 3 months actually. We are currently on IE7. All of our applications work in any browser now. The only main issue is testing that the IE8 push won't break any workstations.

Re:Enough is enough!

[FictionPimp]

How about you gauge the cost of a security breach that will eventually happen against the cost of not using legacy applications.

Re:Enough is enough!

[washu_k]

Not in my experience. We still have IE6 on over 90% of the desktops where I work, mostly due to legacy apps. While we do get the occasional problem with it, 90%+ of the drive by downloads are from buggy JREs from Sun that we can't upgrade due to other legacy apps. Most of the Java apps are still far newer than the IE6 ones and less likely to be replaced anytime soon.

Most of the remaining drive by downloads are Adobe Flash or Reader related. IE6 is really a small problem and cost in comparison.

Re:Enough is enough!

[PopeRatzo]

Oh, an Opera website says it's widely used on in the former Yugoslavia!

Tell you what: Find some market share data not on an Opera website and we can talk.

What's really funny is, if you click on the first link in the story on the Opera website, do you know what it links to? (wait for it...)

That's right, the first link in the Opera article about how they have more users than Chrome links to the market share data that I sited above, which shows Chrome at more than twice Opera's market share.

In fact, the story that the Opera story links to breaks out the market share for Opera Mini (0.53%), which, if you add it to the market share for Opera (2.43%) still comes to considerably less than Chrome's 4.63%. And those are December numbers. If you look at more recent numbers (see the link in my comment above) Chrome's lead is bigger.

Maybe it's possible to have more users and still less market share, but it's more probably that Opera is being a little bit, um, exuberant in their analysis of the statistics. It wouldn't be the first time that a company painted an extra-rosy picture of the facts.

Re:Enough is enough!

[Gilmoure]

Yup, my company has had to spend some cash on developers to upgrade various web apps that only work with IE6. We were warning them about this in 2007 but it took transitioning to Vista and IE7 to finally get them to cut loose with the $$$. Silly management.

Re:Enough is enough!

[Runaway1956]

Platonic? What new form of deviancy is this? Next, we'll be hearing of platonic rights, and platonic marriages, and platonic tax deductions! There should be a law!

BTW - to all you virgins out there: THANKS FOR NOTHING!!

Re:Enough is enough!

[LostCluster]

If Google started saying "You can't search until you upgrade!" they'd get the clue rather quickly. Google has reason to kill off IE6... it was the weapon used to attack them in China. Your IT desk likely uses Google multiple times a day... so a Google outage would get attention rather quickly.

Re:Enough is enough!

[binary+paladin]

Tell that to YouTube.

Thankfully, next-gen webapps are going to be the death of IE6 because in another year nothing is going to support it anymore. IE7 will die at a much faster pace.

Re:Enough is enough!

[Runaway1956]

"If it ain't broke don't fix it"

Correct. And, it's time to make the decision makers understand that it's broken. If it isn't broken enough to convince them, then LET'S BREAK IT MORE!!

Most of the rest of what I read here today is just so much whining and sniveling, from one side or the other.

Re:Enough is enough!

[Hurricane78]

If you got more free CPU power than all super-computers combined, you would just throw that away?

I don’t think so... ^^

I’d go straight to cracking every important security code on the planet. Federal reserve, CIA, every intelligence agency of every important country, every military lab, every weapons remote control (especially for nukes). And then I’d start making one single demand. One that would be impossible to undo, and would change the world forever.
Meet it or you’re done.

Pff, you gotta think big! You’re just not made to join my Evil (actually Good) Overlord World Domination Club!

Re:Enough is enough!

[h4rr4r]

You do realize you can make your own msi's right?
Very easy, there is even free software to do it.

Re:Enough is enough!

[icebraining]

Using IE6 for that app, other browser for all the rest. Unless you're prohibited from running another browser; then having sites lock IE6 off can accelerate the transition, so they're helping you in the long run.

Re:Enough is enough!

[Beardo+the+Bearded]

I don't have admin rights and USB devices are restricted.

I had to get permission to plug in a USB-charged bike light.

Re:Enough is enough!

[FatdogHaiku]

Why not just exploit their browser's security flaws and wipe their hard drive?

That way they learn their lesson about safe browsing the old fashioned way.

Because I like my asshole at it's current diameter, and I fear that blatantly violating the law could soon be followed by someone blatantly violating said asshole...

What I do is go to every machine I am asked to look at and I add this reg key (with owners permission):
_______________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe] "Debugger"="cmd.exe /c echo %time% %date% >> c:\\ExecBlocked.log"
_______________________________
You can delete it manually or just put a minus inside the first square bracket to remove the block...

Re:Enough is enough!

[ikarigullwing]

Hear hear!

Re:Enough is enough!

[indi0144]

>> have you tried carpet bombing a small third world country today?

Why not, seem to be the latest fad, but just until MTV does a reality for that.

More on topic, You can recover your data, but you can't recover human lives. If you kill someone to teach him a lesson, well... If you fuck the productivity/pocket for someone for a few days SURE they will get the facts. Illegal? maybe the same as vendor lock some PHB to IE6 powered crap, Immoral? Stopping web development for years it is.

That said, let there be an idea storm:

http://slashdot.org/comments.pl?sid=1515018&cid=30816840

I bet this all reduces to the fact that if we bitch too loud IE6 will lower marketshare and scrip kiddies will be on emo mode.

Re:Enough is enough!

[v1]

I don't have admin rights and USB devices are restricted.

So you're telling us that your company's security relies on telling their employees what usb devices not to plug in?

Isn't that like replacing your deadbolt with a "DO NOT ENTER" sign?

Re:Enough is enough!

[aliddell]

Sweet deal. You missed the point, unfortunately. Language involves consciously conveying your meaning through your choice of medium, not stumbling onto an unrelated meaning entirely by accident.

Re:Enough is enough!

[jhol13]

My reply would be: "I hope you are happy with Windows 95, and, btw, thanks for not competing with us."

Re:Enough is enough!

[Hucko]

Mutation in action baby; not much to say now that your intelligent design has been trumped?

Re:Enough is enough!

[Killjoy_NL]

whoops, replying to undo a troll mod, I missclicked, sorry, wanted to go for funny.

Re:Enough is enough!

[myspace-cn]

Damn good thing you didn't install PROTOOLS cause IE8 breaks that.

Re:Enough is enough!

[aliddell]

Probably need a few thousand generations to find out one way or another. See you then.

Re:Enough is enough!

[H0p313ss]

Slashdot: Rise of the Mutants

No comment?

[VojakSvejk]

I think microsoft have commented on the firestorm... wonder why Ballmer wanted to make it out as no big deal?

Re:No comment?

[LostCluster]

Yep... Microsoft will never shut down or not censor bing.cn... er, wait a second!

Quoth the TFA

[McBeer]

targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser

IE 6 hasn't been Microsoft's flagship browser for 4 years.

Re:Quoth the TFA

[LostCluster]

Yep, and it's almost wrong to be asking Microsoft to patch something as old as IE6 or XP at this point. Maybe OS licenses should say "You may use this program for 5 years." instead of perpetually because you're a danger to other people's systems when you don't update to modern software.

Re:Quoth the TFA

[poetmatt]

it does, however, share the same vuln with IE7 and IE8. So maybe it's more appropriate as "microsoft's web browser" (irrespective of version) is at fault.

Re:Quoth the TFA

[igadget78]

Yep, and it's almost wrong to be asking Microsoft to patch something as old as IE6 or XP at this point. Maybe OS licenses should say "You may use this program for 5 years." instead of perpetually because you're a danger to other people's systems when you don't update to modern software.

Maybe not, but when you work at a hospital in the IT department and your patient critical applications are still relying on IE6 because the vendor who wrote it sucks and can't figure out how to make it work with an updated browser, you appreciate that Microsoft, however insistant they are on dropping that old clunker of an app, is at least trying to resolve it.

Re:Quoth the TFA

[IshmaelDS]

True IE 6 hasn't but if you read the microsoft bulletin it also says that IE 7 and 8 share the vulnerability. http://www.microsoft.com/technet/security/advisory/979352.mspx "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable."

Re:Quoth the TFA

[c-reus]

are IE6 and IE8 different browsers or different versions of the same browser?

Re:Quoth the TFA

[thetoadwarrior]

Because some companies have contracts with MS that have them on Win2k until (if I recall correctly) until the extended support is over which is this summer so MS can't really tell IE6 users to fuck off completely.

I'm sure they could get out of the contract at an unnecessary cost. MS made this mess and unfortunately we're stuck with it for awhile longer. Hopefully once the extended support is over then companies will start dumping their old stuff and upgrading.

In my opinion this shouldn't matter to most sites because they're not meant for business customers. It doesn't matter if Youtube, for instance, works on IE6 as far as I'm concerned. Anyone on IE6 for their home PC should be excluded until they get a real browser.

Re:Quoth the TFA

[PopeRatzo]

you work at a hospital in the IT department and your patient critical applications are still relying on IE6

Do you mind sharing the name of the hospital so I can tell the ambulance driver where not to go the next time I choke on a cheesy poof?

If they're using IE6 for "critical patient apps" there's probably a good chance that they'll try to cure my blocked windpipe by putting leeches on me or trepanning me or something.

Re:Quoth the TFA

[Antiocheian]

I am using XP and I "almost" feel guilty after reading your post.

Re:Quoth the TFA

[twidarkling]

I'd say IE 8 is a different beast on the same underlying engine, like a game running on the UT III engine is different than UT III. 7, though, is just 6 with a facelift.

Re:Quoth the TFA

[LostCluster]

And I'm sure Microsoft is regretting those agreements now... they'd much rather sell 7 than support 2000.

Re:Quoth the TFA

[Hurricane78]

To be fair, IE6 can’t be defined as a browser for 4 years anyway. ;)

Re:Quoth the TFA

[gmhowell]

While your point is made and understood, there are actually a few studies showing that both leeches and trepanning (or a modern day equivalent) have some valid therapeutic uses. No, I'm not going to bother with a cite as they're from some medical journals (dead tree, father is a traditionalist) which are at home.

Countering attacks?

[jhol13]

Microsoft is not "countering the targeted attacks".

Unless of course the German and France CERT teams recommendation to ditch IE is considered one.

I have the patch details:

[rehtonAesoohC]

It uninstalls all versions of Internet Explorer and installs Firefox with Adblock pre-installed.

Bravo Microsoft!

Re:I have the patch details:

[NotBorg]

Typical Microsoft patch. It side steps the real issue: not having Noscript pre-installed too.

Re:I have the patch details:

[Monkeedude1212]

It also sets the DNS to itself and caches anything you might have had saved in your browser history.

That way, you still seemingly visit the same sites you always do, just they never get updated, and you are completely secure from everything on the net!

IE is only good at one thing...

[jameskojiro]

And that is running Windows Update and it isn't that good at doing that....

Re:IE is only good at one thing...

[meheler]

The sound of Windows update running is drilled into my mind forever.. Click.. click click click.. click. click.. click click click click click.
My mind constantly asking "what the.. i haven't clicked a damned thing"

Re:IE is only good at one thing...

[indraneil]

Just an FYI, but Windows update does not need IE on Vista and beyond

Re:IE is only good at one thing...

[Quantumstate]

All I know is that three certain windows updates have been drilled into my Vista boot process for ever. Did someone really intentionally program an update process so that if it failed it would just try again?

Re:IE is only good at one thing...

[QuantumRiff]

Shh, don't tell anyone...

>wuauclt /detectnow

Forces the update.exe agent to check.

Re:IE is only good at one thing...

[Enderandrew]

I really enjoy that in Vista and 7, Windows Update is a standalone app. I don't have to fire up IE to grab updates.

Re:IE is only good at one thing...

[Nightspirit]

You clearly haven't used IE in years, or you are just trolling. IE8 handles tabs much better than Chrome or Firefox, and unlike firefox IE is sandboxed (this exploit doesn't affect ie8 in win7), to get similar functionality in firefox you have to install noscript and individually handle every single new website you go to. The problem with IE isn't its compliance to standards or acid tests (no one cares except web developers) it is that its snail slow. The UI is atrocious but firefox really isn't any better. So I'm not accused of astroturfing my main browser is firefox (it used to be chrome, but I got tired of the horrible bookmark system).

Re:IE is only good at one thing...

[jameskojiro]

How many people on slashdot still run XP to avoid the bloat of Vista/7.

Quite a few I would imagine....

Re:IE is only good at one thing...

[dedazo]

And that is running Windows Update

Welcome to 2004, where we run WU as a standalone service that does not require IE at all.

What other unnecessary things do you do with IE? We stopped bathing the cat with it as well. In 2002, if I recall.

(actually the only thing I use it for these days is OWA, but OWA is so nice that I don't mind at all)

Re:IE is only good at one thing...

[Nakor+BlueRider]

I don't know, that is probably fading slowly with time. When I bought my laptop it had Vista on it, and rather than downgrade to XP to get the most out of my system, I just installed Ubuntu to speed things up instead. It's probably not all that uncommon of a solution (at least among those who would consider changing their OS in the first place).

Re:IE is only good at one thing...

[recoiledsnake]

Windows 7 is actually almost as fast as XP. That's really good accounting for the numerous improvements made to the OS in the intervening 9 years. Almost every new software release requires better hardware, including Gnome and KDE.

Re:IE is only good at one thing...

[jim_v2000]

7 isn't particularly bloated.

Re:IE is only good at one thing...

[hairyfeet]

And you, dear nightspirit, didn't read TFA did you? Here, let me highlight a relevant passage for you..."While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."

TL:DR? IE8 is totally pwned as well. They just haven't released the script into the wild yet. When they do any script kiddie can pwn ANY MSFT browser, from 6 on up, DEP or not. So I really wouldn't be recommending IE to...well anyone at this point.

Re:IE is only good at one thing...

[Yvanhoe]

To be fair it is also a good firefox downloader.

Re:IE is only good at one thing...

[uassholes]

How is requiring faster hardware an improvement?

Re:IE is only good at one thing...

[recoiledsnake]

Err did you fail Reasoning 101? You forget all the new features, UI and security in Windows 7 compared to Windows XP which take up lots of resources. It's the same case with almost any other software, as hardware becomes more powerful, more features are added. If you want ultimate speed, go run Windows 95 or DOS 6.22 or Windows 3.1 on modern hardware, but dont' complain when USB ports don't work.

Re:IE is only good at one thing...

[recoiledsnake]

Read my post again. Improvements like better UI, better security, more features etc. etc. need faster hardware.

Re:IE is only good at one thing...

[ITJC68]

I would second that. I have three installations at home of windows 7. Two systems upgraded from Vista. That was by far the best update you could get for windows. Vista = bloated and slow before the service packs and even then was slower. Windows 7 much faster and what Vista should have been to begin with.

Re:IE is only good at one thing...

[Nightspirit]

Wow, big surprise, security company creates an exploit for money. That doesn't change the fact that the current 0 day doesn't affect IE8 on windows 7. Exploits are found and patched all the time in firefox, safari, and chrome. Hell in the Pwn2Own contests safari is always first to be cracked, Chrome currently has an unpatched critical vulnerability (secunia), and firefox actually has been doing quite well but still really requires noscript to be safe which cripples browsing the internet.

Re:IE is only good at one thing...

[Antony-Kyre]

And how many on slashdot are stuck with XP SP1 because SP2 causes too many problems? Of course, this means they're stuck with IE6 I believe (as opposed to upgrading to IE7 and IE8).

But, I think the key lesson is here... why don't we have ActiveX controls and Active Scripting disabled by default? IE is so popular, it is targetted. When FireFox takes IE's place as leading web browser of the world, what do you think will happen? (Maybe not to the same extent as IE.)

Re:IE is only good at one thing...

[e2d2]

Psh I don't need a video out. That's just more bloat!

Re:IE is only good at one thing...

[Hurricane78]

But only in a frame, inside Firefox. (Just disable the cookie transfer feature. That’s a really stupid idea.)

Re:IE is only good at one thing...

[icebraining]

It depends on your definition of "better". If "better" UI is flashier, yes, it does.

And security? Really? Why would you need faster hardware for that? Oh, and don't tell me "better encryption", even my P3 can handle that.

Re:IE is only good at one thing...

[mstahl]

This is something I've never really understood. What is the rationale, if any, for making it so that the web browser updates the system? If you uninstall IE, can you still update your system?

Re:IE is only good at one thing...

[cbhacking]

You seem to be confusing DEP with the Protected Mode sandbox that Nightspirit was actually referring to. On Vista (SP1 or higher) or Win7, using IE8 (which enables ASLR, an additional protection on top of DEP that makes exploits vastly harder), with Protected Mode (requires UAC, and runs th browser at sub-user permissions) enabled, I very much doubt the exploit works.

In fact, while the article makes no explicit references to ASLR (Address Space Layout Randomization, a defense against DEP work-arounds), it only mentions exploiting IE8 being exploitable on XP. XP doesn't support ASLR (even if a program, such as IE8, is compatible with it). This is one of the many ways in which Vista/Win7 are more secure than XP.

Additionally, and shame on the article authors for this, they suggest "sandboxing" the browser using the techniques of Chrome... which are in fact a direct copy of the behaviors of IE8 (low-integrity process a.k.a. "Protected Mode" which prevents access to system settings or user files). Note that it never mentions the words "Protected Mode" but suggests that Chrome's sandboxing should be adopted, which makes the author either a pro-Google or anti-MS fanboy, or simply an ignorant lout who didn't do the homework.

TL;DR? You and the article author both missed the point; IE8 has only been shown to be vulnerable when run without the sandboxing that Vista and Win7 include.

Re:IE is only good at one thing...

[Ihmhi]

Running Mac to avoid Bloat is like eating pizza to lose weight.

Re:IE is only good at one thing...

[hairyfeet]

The problem with your thinking is this- while I am currently using Windows 7 both you and the above poster are making a BAD assumption, that Vista and Windows 7 have been widely adopted. They HAVE NOT. Last I checked both Vista and 7 together make up less than 25% of the landscape, which the vast majority running XP, which as you pointed out doesn't have the protections that will keep IE8 from getting pwned.

So your argument is "Well if everyone has a brand new car then breakdowns will never occur" except you ignore that 75% of the population do NOT have the new car and therefor are vulnerable to breakdown. See the problem? In my own area it is 8 out of 10 users on XP, one on Vista, and one on Windows 7. So by your reasoning ONE user ( the Windows 7 one, as IIRC ASLR is "opt in" on Vista) is safe, one possibly safe, and 8 totally boned. Doesn't sound too good in that light does it? Contrast that with if all 10 users switch to FF or Chrome or Opera or any other browser you are looking at 10 out of 10 protected from this zero day, and well I think the choice is clear, don't you?

This is why I think raising the price of Windows 7 HP right before Xmas and killing the family packs just proves Ballmer is incompetent and needs a good firing. MSFT NEEDS to get as many of their consumer base away from XP as possible, as quick as possible, so they don't have to deal with all the bad press and pwned browsers. Once converted they can then upsell them to Windows 7 Pro or as you point out brag about the much more secure IE and keep them in the MSFT camp. Instead they raised prices which will ensure IMHO that XP will still be the dominant MSFT OS for years, possibly until 2014 or even later as many PCs have passed "good enough" as far as customers are concerned and shops like mine can keep XP clean and going for ages.

So ultimately yours and the above posters argument doesn't really hold water unless you can get Windows 7 above 50% marketshare (let's face it, ain't nobody buying Vista) and I just don't see that happening before 2014, if then. Even I, the classic early adopter "loves the bleeding edge" type, only have one machine out of the 5 in my family running Windows 7, and thanks to the price hike the other 4 will continue to run XP, along with FF and ABP to cut down on the risk my family members will get pwned. So thanks MSFT, for ensuring that with your greed 3 out of the 4 machines that are capable of running Windows 7 and by extension a safe IE won't be seeing it. Saved me $150 right there you did.

Contribute to the death of IE 6 on your site...

[MikeRT]

Make it painfully clear to IE6 users what they're doing.

My version, which is more educational for them.

Re:Contribute to the death of IE 6 on your site...

[mjwx]

My version, which is more educational for them.

Suggested improvements:

IE 6 is "insecure", not "unsecure". Insecure denotes that it lacks security, unsecure denotes that security is simply not switched on (or that it needs to be nailed down, people using IE6 will likely be computer illiterate).

If you are using it for reasons other than your company's IT department forces you to use it

Kind of redundant. If this is the reason they already know and in that case there is little they can do.

"and badly implements web standards."

Web Standards are something few people using IE6 will know or care about.

"holding the web back,"

This makes you sound pretentious, it'll make the fogies and luddites indignant and give them an excuse to forgo upgrading.

IMHO, it's too long. A good idea to be sure but most people using IE6 don't want or need such an explanation. You should narrow it down to something like this.

Internet Explorer 6 is obsolete and insecure. You should upgrade your browser, simply click on any of the links above to begin.

How to create exploit for IE7-8

[tokul]

Microsoft only has to say that IE6 is vulnerable and IE7-8 can't be exploited using same attack. The net will do the rest.

The IE Patch

[Bigbutt]

Do you find yourself mysteriously waking up in a back alley more than once a week?

Do you find empty HTML pages littering your desktop and you have no idea where they came from?

Do you discover new directories on your computer?

Get the IE Patch!

It comes in 4 strengths so you can be gradually weaned from the habit.

Week 1. IE 6 Patch. Internet cravings are pretty intense the first week so the IE 6 Patch is there to help you learn how to just say "NO".

Week 2. IE 7 Patch. It's easier to avoid launching IE. You still need to check Amazon or e-Bay from time to time but the edge has been honed down a bit.

Week 3. IE 8 Patch. You find it a lot easier to avoid clicking on the 'e' although you still lapse when you aren't thinking.

Week 4. Firefox. You've mastered the addiction. You're free to browse the Internet worry free. Even looking at the 'e' makes you nauseous.

Congratulations on taking the first step to breaking the IE addiction.

[John]

No Opera, and external resources? Oi.

Funny - that site's little code examples don't include Opera as one of the modern browser options. What's the author got against the big o?

Also.. adjust the code so it pulls all its data from your local server; there's no need for that site to know who your visitors are, and there's no need for your page to load any more slowly due to external connections than is absolutely necessary.

So glad

[goldaryn]

I'm so glad I upgraded from XP to Windows 7; with multi-core optimisations and improved app performance, I'm compromised faster than ever before!

Re:So glad

[GaryOlson]

You forgot the most important part of The Compromise Toolkit: Adobe Reader

...malicious PDFs over the last few years and back tracked a number of compromises .... to know this is a huge problem

Worst Job Ever

[cpscotti]

This comes in handy to define the worst job a human can get!
Fixing major flaws in a 10 y.o. completely flawed browser...
You could call it: "Senior Ancient Flaws Engineer" or whatever!..
.. not that maintaining IE8 would be much better but I can bet they pay u more!

Re:'flagship webbrowser'

[MightyMartian]

Ten points, m'lad, for Non Sequitur of the Day!!!

Re:'flagship webbrowser'

[spuke4000]

Uhhh... yes the do (as of a few days ago): http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+OfficialGmailBlog+(Gmail+Blog)

To little to late

[koan]

And what's going to happen to all those "IE only" web sites the government, public schools and other agencies like to use?

Re:To little to late

[Professor_UNIX]

Also, what about all of us that can't use anything other than IE6 because that's the latest version that Windows98 supports?

Re:To little to late

[koan]

WHy are you using Windows 95? Get a linux variant. (did I miss the joke?)

Re:To little to late

[Culture20]

And what's going to happen to all those "IE only" web sites the government, public schools and other agencies like to use?

They'll still exist, but the error page might get changed to:
"This page is IE only. Type '?browser=firefox' at the end of the URL to be automatically moved to the non-IE page. Safari users type '?browser=firefox' too. There are no other browsers *Jedi hand wave*."

Re:To little to late

[burkmat]

They'll be rewritten to actually work?

Tbh, I think it's already reached the point where any entity creating a new fancy website these days has to comply with standards, simply due to the percentage of users who aren't using IE anymore. All that remains is for the archaic IE-only websites to go extinct.

Re:To little to late

[LostCluster]

If they were designed when IE6 was current... they're overdue to be rewritten. Another case of not budgeting for the geek jobs until they're broken.

Stop the madness

[xednieht]

Instead of releasing more trash - recall IE. Problem solved.

Re:'flagship webbrowser'

[KlomDark]

I think you might gotten trolled. But I'm not entirely sure. But yes, GMail is now SSL by default.

Flawed stats

[SmallFurryCreature]

Opera is on the Wii, DS and of course many a mobile phone whose own browser sucks, but often with a fake user_agent string.

"Emergency" reaction

[burkmat]

Wow, so that's... 4 days after full disclosure that they announce their response.

"Could be here as soon as this weekend", which is still more than a week from the exploit being published. That's swell.
Anyone else grateful MSFT doesn't run the fire department?

Re:"Emergency" reaction

[The+End+Of+Days]

You're right, it would be so much better if they slammed something together and rushed it out the door without testing it.

Re:"Emergency" reaction

[burkmat]

QA 9 years too late.

On a more serious note, you're right of course that they should test it and have it working before pushing it, but bashing Microsoft is trendy and all the cool kids are doing it, so I can't help but complain it's taking over a week to patch.

Re:Maybe not so glad about WMP

[Old+Flatulent+1]

I just updated to 9.3 after having shut off the reader auto update! However after reading the specifics of how reader before version 9.3 was compromised it is rather telling that the attack vector was a call to a WMP that left open space. It left buffers open but not in the Reader section of the malloc. This would indicate that there might just be another un-patched hole in external program calls to Windows Media Player or perhaps in WMP itself. It would not surprise me if the Reader exploit was actually another WMP exploit involving bad memory allocation practices from Microsoft!

Re:Regarding that so called sobering post.

[rickb928]

And what entity in the U.S. is protecting us from Chinese cyber attacks?

Just curious. Who would be putting us at risk by 'letting their guard down'?

Oh I feel much better now

[handfullofsausage]

ie = internet exploiter -- I think a can of cat food has more security than anything MS produces ....

Hindsight

[omb]

Browser independence, is what you should have done/insisted on in the first place, which would have resulted in push back on M$ non inter-operable crap.

Re:Hindsight

[natehoy]

Yes, but recall that:

1. Intranets and corporate applications don't really value browser independence, because their audiences are captive and their desktops are controlled.
2. IE6 was in the days of Microsoft toolkits that wrote shitloads of code that only ran on IE6. "Embrace, Extend, Extinguish"
3. Most companies that run an intranet don't run a large Internet site, and/or they are run by different divisions, frequently on different platforms.
4. Most vendors don't give a shit about portability, they want to code something for the customer FAST, that runs, get their money, and get the hell out.

Once a few critical apps or an Intranet are out there based on IE6, they aren't really all that easy to upgrade. You can't just import them into a magic tool and make the Microsoft gungy stuff go away, you have to recode. And that costs money. Money many major corporations would rather spend on details like shipping stuff to their customers and other trite irrelevancies.

"If it ain't broke" is a serious business case. Maybe not a correct one long-term, but...

So that's what it takes to get a patch out, MS?

[Hurricane78]

At least two governments officially stating to avoid IE, others in fear, every single web developer on the country hating you, Google getting hacked, and every security expert on the planet laughing at you?

Wow. Just wow.

May I extrapolate from that, what it would take, to get a real Bugzilla for IE and make it follow recent standards?
My guess: Inter-dimensional time war with Lovecraft’s the old ones, lead by Cthulhu, fighting the Shrike and its army, armed with gamma ray bursts and black holes, using giant stars as ammunition.

On the other hand: That would be awesome!

The Most Popular Meme

[omb]

Has been stated and rebutted literally millions of times, the problem with M$ crap is not that it is popular, it is that it is criminally defectively by design, and because of Backward Compatibility, and secret api's shared only with valued customers they absolutely can never fix it. Anyone tells you about OS secrets is selling snake oil.

1. There are 3,500 Windoze api calls, POSIX < 200, Linux ~ 250, new functionality over 10 years,

2. Windoze will execute any crap base on ".ext" so it will just execute ".exe" files, no question, no request permission,

3. COM automation, the keys to the system,

I operate a number of linux boxes, connected directly to the net, and after a while I realised that firewalls were a waste of time and too much a blunt instrument, and that I could trim and lock down most services better on an ad hoc basis. eg TCP wrappers and some, 6 IPTABLES rules. The only thing, recently, is attempted SSH brute force attacks and the suggested, and contorted response to them, which was SysAdmin gone mad. SSH can be patched to restore the retry-delay and back-off algorithms which are used for normal logins, and to tar-pit the attacker, and in my experience this works real well, the botnets go, and dont return.

MSFT surrenders to France?

[dmckeon]

Way to go, citizens. March on!

Re:Nothing wrong with that

[icebraining]

Yes, there is. If you have a capped internet connection, downloading 100MB of updates can be annoying, but you allow it. Then you return and find out it actually consumed 300MB and it still failed to install it.

I want it to ask me before retrying!

Ignorent Fanboi/Astroturfer

[omb]

1. Tabs are Tabs,

2. You only need a sandbox if you have open wounds, IE6 or are Immune Compromised that ie: Windoze* IE*,

3. You don't need NoScript,

4. ACID is a database test, and has nothing to do with HTML compliance, your ass and ignorance is showing!

5. We do care about HTML compliance and a commitment to inter-operate properly since it reduces complexity and simplifies testing, both of which cost a lot of money.

Isn't it time you moved out of your mother's basement?

Re:Ignorent Fanboi/Astroturfer

[Nightspirit]

1. A browser is a browser. Yes, that is just as retarded as what you said.

2. You obviously don't use windows. That's fine, but firefox is quite happy to let programs hijack your computer as well (the infamous windows xp antivirus exploit).

3. You do if you want any sort of protection from drive-by-advertising exploits such the exploit mentioned above. Adblock helps but I've still had things go through that noscript blocks.

4+5. Makes no difference to the end user. No one switches to firefox because of better web compliance.

It's not IE you need to beware of, it's Google

[ysth]

or at least that's the message someone picked up, leading them to pass this warning along to acquaintances:

Speaking of Google, apparently somone has put a virus on Google for anyone who goes there with Internet Explorer.
You have been warned.

I thought that was a really slick marketing twist on someone's part.

Crap

[omb]

It should RUN for 10 years on stable HARDWARE.

Only a complete M$ dummy would pull that naive crap, there are SunOS 4 systems still running reliably in server rooms.

I just despair at your credulousness and stupidity.

Best patch for IE?

[Lost+Penguin]

www.mozilla.com

IE6...sends chills down my spine!

[motang]

Sane people don't use IE 6 anymore, that browser needs to die!

I like these "Your browser is out of date" sites

[L4t3r4lu5]

They look totally different to the popup-style messages on compromised websites saying "Your Anti Virus is out of date! Download our version!" or "You have been infected by Win32.BullRubbish.exe.foobar! Upgrade to New Anticrap UberVirusWare 2011!"

You're training them to download stuff from the web, from sites they don't regularly visit / don't trust, because a popup told them to.

Well done.

They're just jealous.

[vegiVamp]

Isn't "browse and we own you" the brunt of the IE EULA, anyway ?