Slashdot Mirror
IE 6 & 7 Unpatched Exploit Goes Wild
Kolargol00 writes "Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework."
That's why we in the know sticks to IE5.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
From the Google Translation: "For the new security hole in Internet Explorer 6 p.m. to 7 p.m..." I do most of my porn browsing much later in the day, I'll be fine.
When non-security geeks nag about metasploit lowering the threshold for malicious behavior, it's like watching someone complain about gun laws in a warlord-ruled third world hellhole. It doesn't matter, and you're being silly. Besides, metasploit is geared a lot more towards rapid exploit prototyping, and is clearly designed with this in mind; only the already skilled can use it in this manner because you already need to be able to do it "manually" to take advantage of the framework. Hell, it's even harder to use the (ruby) framework than to code perl exploits; but you can do it faster and the shellcode part of the framework allows you to make complicated shellcode in a reliable fashion. It's not like one of those make-your-own-malware kits.
Emotions! In your brain!
It's great to know not to use IE if you're supporting yourself and your parents. It's a completely different world when you're supporting an entire organization.
In that case, it's not like you can do anything about it anyways. If you had the power to change that, hopefully you would have done it by now.
If you are still using IE, then a mere goatse is not going to change your mind.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
We are talking IE6 here, it is a decade old by now. Do you still use 10 year old PC's? Do you use 10 year old cars?
Oh, you yourself might not be the problem, the real issue is IT management who keeps trying to cut costs by going for the lowest support contract and guess what costs the least to support? NO.
That is it, the word NO is simplest.
"Can I get an open port to SSH to our external servers?" "NO" Time spend: 0.5 seconds.
"Can I install software X that I do actually need?" "NO" Time spend: 0.5 seconds.
"Can I get a license for virtual window machines so I can test software in a safe environment?" "NO" Time spend: 0.5 seconds.
"Can we upgrade our software at least with in say half a decade of release so we are not completely behind the times?" "NO" Time spend: 0.5 seconds.
The problem is very simple, it is a constant cost factor to keep up-to-date. New versions are released so often after all, nearly every 2-3 years. Who can keep up? And it is oh so tempting to skip an upgrade. Why do all the compatibility testing during the beta and release candidates of a new product when you can let everyone else test it for you? Because sherlock, that doesn't test it for you. And that is the testing you need. So you save some money now, but are building up the future migration costs, till those costs become so high that you can no longer afford them no matter what.
It is all about budgets and promotions, you get promoted for keeping you budget low this year, and by then it is the next guys problem if he inherits the hidden costs.
And all because people have become more interested in management then actually doing their job. Because those incompatibilities between IE versions? Those are your fucking JOB. That is why you are paid system monkey, to sort these things out. What next? A car mechanic explaining why he hasn't replaced the brakes on a vehicle that crashed because it was such a hassle and they were covered in dirt and he just didn't want to get his hands dirty? That is exactly what you are saying. Oh my job is so hard, I can't be blamed for not doing it.
Sadly, big companies seem to attract your kind, who is more interested in their performance rating then actually just doing their fucking job. If I let my servers get so out of date they are hacked, well my customers kick me very very hard. I make sure to keep up with the alpha and beta's so that I know the issues with a new release, know the developers know them and can fix them and then am ready to implement them, so that at least then when a problem hits, I don't first have to upgrade several releases in order to not find every issue with a "solved in version X". And you know what, by staying on the edge, you often beat the bad guys. They after all are aiming for the largest mass, and the largest mass is guys like you who can straight faced give an excuse for running a decade old browser.
Really, how can you standup and claim your earned your keep when you still haven't managed to retire IE6. Do you still have a punch card reader for that essential piece of accounting software? Still use floppies because you might need one? Have word perfect installed for an old word file? No? You upgrade stuff like that? Then why does the browser, a piece of software that by its nature faces the whole nasty outside world, not get updated?
Yeah yeah, legacy system needs it. No it doesn't because such systems should be upgraded as times change. You aren't still running windows NT 3.5 are you?
Frankly, I see this problem far to often. You get asked to work on a problem and then find the software is several releases out of date and then have to find a way to bill a client for essentially doing what their own admins should have done. Admins are to afraid of having to say to their boss "why yes sir, the system is running perfectly but I still need resources to make sure it keeps doing that in the future" and developers are more interested in chasing glory then keep their past projects maintained.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.