Nasty Data-Stealing Bug Haunts Internet Explorer 8

Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."

Ie9 ?

how about ie9?

Re:Ie9 ?

[davester666]

You're asking if it's been fixed in an pre-release, unsupported version of IE?

Re:Ie9 ?

[symbolset]

IE9 may as well be Mac software for most people. It will only work in Windows 7 and Vista.

Re:Ie9 ?

Isn't that all of them?

Re:Ie9 ?

[KingMotley]

I think you mean that it'll run on every version of windows released in the past 8 years.

Re:Ie9 ?

[symbolset]

Paint it pretty as you like. They're either unable or unwilling to build it for 70% of the world's platforms. Neither speaks well for the company or the product.

Re:Ie9 ?

[KingMotley]

I would say that it runs on the current majority of Windows platforms (outside of China). Most windows systems in North America and Europe are currently running either Windows Vista or Windows 7 with Windows XP market share continuing to drop 1-2% each month. Since IE 9 isn't expected to be released until sometime in 2011, XP market share will likely drop another 6-10% before then. Seems Microsoft actually has people that know their market better than slashdot UID #646467. But I understand, your post wasn't about what the market wants, just that you can't afford $50 every 8 years to upgrade your OS. Sorry, but XP isn't supported any more, please stop trying to hold back progress and upgrade.

Market share taken from: http://gs.statcounter.com/#os-na-monthly-200908-201008 and http://gs.statcounter.com/#os-eu-monthly-200908-201008

Re:Ie9 ?

[symbolset]

Seems Microsoft actually has people that know their market better than slashdot UID #646467.

Snirk. Yeah, that would totally explain Vista and Kin, Plays For Now, Zune and Bing. They have Vision. They have Skills. They are Learned in the arts of the graphs and the Powerpoints. If they only spend a few more tens of $Billions on awkward ads, they can put it over. You so totally dominated me with your argument I must defer to your superior knowledge.

At this point there's nobody reading this but you and me so it's ok to get a little off-topic.

When you're finding in the charts the information you want to find regardless of the later outcome, you might as well be looking at Tarot cards or bird entrails. It's clear you and I are not going to agree on how to project the uptake curve of W7 against XP. I see W7 at 15 to 20% at the end of July, nearly a year after RTM, and having gotten nearly all of that from the much reviled and structurally similar Windows Vista. The plateau is plain as day. Though the Vista base continues to erode, adoption by XP users is levelling off and it never was much. To expect to get from 20% to 50% in another year would presume an upward curve to the line rather than the levelling one that is shown. I'll go ahead and project that W7 will not achieve 50% share on an average of the top five metrics in CY2011. Hell, I'll go ahead and say it won't get 40% as measured in the single month December 2011 in an average of the top five metrics. I'd go as far as to bet a beer on it. A risky thing, this fortune telling is. I can't delete this slashdot comment, so if I'm wrong you'll be able to throw it in my face forever after, and that means a lot to me.

Microsoft has renewed the family pack offer for W7, but you still have to have W7 capable hardware in order to be even slightly interested. Some people may be buying new hardware and unable to avoid W7, but they're handing their old hardware down mostly, so each unit should count only as a half-step rather than a whole one. To get a whole step that old PC has to go in the landfill rather than being given away or resold on Ebay, and I don't see that happening. XP may be discontinued, but "W7 pre-downgraded to XP" seems to be a popular netbook option even today, particularly on Intel Atom netbooks which don't run W7 well. Considering that XP is in fact still selling well at retail calls the lie to its demise in the context of browser share. Those are backsteps that cost double. Microsoft may want us to let go of XP, but internally one must presume they are conflicted since W7 doesn't work well on a netbook and they don't want to dismiss the migration to mobile because that's where the crowd is going. If the OS is still for sale on emerging platforms today, how dead could it be? A lot of users still use W2K because they have apps from dead companies that they still need to do what they do, and W2K had a relatively brief moment of dominance compared to XP. XP in actual use is going to be a significant share for a very long time, even if people have to license W7 to get it.

And then there's the migration to mobile. We're going to ARM. We're giving up on Intel, the storied company that brought forth the computer revolution, founded by the inventor of the transistor, just to get away from you. That's got to make you proud.

But yeah, internally in Redmond go ahead and spread the word that W7 is being embraced by the masses, that XP is seen by the bloggerati as completely croaked. We need you to be oblivious to Android on the desktop and as a VDI solution so that when it's time to lead you out behind the barn you come along meekly. The more you make your own apps incompatible with your own operating systems the better off we are.

Re:Ie9 ?

[KingMotley]

Seems Microsoft actually has people that know their market better than slashdot UID #646467.

Snirk. Yeah, that would totally explain Vista and Kin, Plays For Now, Zune and Bing. They have Vision. They have Skills. They are Learned in the arts of the graphs and the Powerpoints. If they only spend a few more tens of $Billions on awkward ads, they can put it over. You so totally dominated me with your argument I must defer to your superior knowledge.

Ah yes, and I see your vast fortunes outweigh Microsofts, and all the great things you've done make Microsoft seem insignificant. How foolish of me to have compared you to them.

When you're finding in the charts the information you want to find regardless of the later outcome, you might as well be looking at Tarot cards or bird entrails. It's clear you and I are not going to agree on how to project the uptake curve of W7 against XP. I see W7 at 15 to 20% at the end of July, nearly a year after RTM, and having gotten nearly all of that from the much reviled and structurally similar Windows Vista.

I see W7 at 20.68% at the end of August, and Vista at 24.67%, with a combined total of 45.35%. XP having a share of 40.61%, does mean that currently IE 9 supports over 50% of the windows market, with that market increasing every month.

The plateau is plain as day.

What plateau? XP has gone from 51.82% to 40.61% over the past year, noone in their right mind would call that a plateau.

Though the Vista base continues to erode, adoption by XP users is levelling off and it never was much. To expect to get from 20% to 50% in another year would presume an upward curve to the line rather than the levelling one that is shown. I'll go ahead and project that W7 will not achieve 50% share on an average of the top five metrics in CY2011. Hell, I'll go ahead and say it won't get 40% as measured in the single month December 2011 in an average of the top five metrics. I'd go as far as to bet a beer on it. A risky thing, this fortune telling is. I can't delete this slashdot comment, so if I'm wrong you'll be able to throw it in my face forever after, and that means a lot to me.

I didn't say W7 would have a market share of it's own of 50% my dec 2011. I said the combined Vista + Win7 is already larger than the XP market share. I don't care about your prediction, what you think will happen over the course of the next year, and I sure as heck won't remember this thread 15 months from now.

Microsoft has renewed the family pack offer for W7, but you still have to have W7 capable hardware in order to be even slightly interested. Some people may be buying new hardware and unable to avoid W7, but they're handing their old hardware down mostly, so each unit should count only as a half-step rather than a whole one.

First, most hardware running XP is capable of running Win 7, not all, but the vast vast majority, and most will run it very well if you add some memory when you upgrade. Second, that is exactly how the units are counted, so I don't see your point.

And then there's the migration to mobile. We're going to ARM. We're giving up on Intel, the storied company that brought forth the computer revolution, founded by the inventor of the transistor, just to get away from you. That's got to make you proud.

As a side note, Intel owns ARM.

But yeah, internally in Redmond go ahead and spread the word that W7 is being embraced by the masses, that XP is seen by the bloggerati as completely croaked. We need you to be oblivious to Android on the desktop and as a VDI solution so that when it's time to lead you out behind the barn you come along meekly. The more you make your own apps incompatible with your own operating systems the better off we are.

Ah, the year of Android on the desktop. That's the year after linux on the desktop, right?

Re:Ie9 ?

[Lotunggim+Ginsawat]

When you're finding in the charts the information you want to find regardless of the later outcome, you might as well be looking at Tarot cards or bird entrails. It's clear you and I are not going to agree on how to project the uptake curve of W7 against XP. I see W7 at 15 to 20% at the end of July, nearly a year after RTM, and having gotten nearly all of that from the much reviled and structurally similar Windows Vista. The plateau is plain as day. Though the Vista base continues to erode, adoption by XP users is levelling off and it never was much.

Citation needed. What is your source?

Re:Ie9 ?

[KingMotley]

Sorry, I guess I should make the distinction.

Intel is/has acquired Infineon Wireless, which is the manufacturer of ARM based CPUs in the iPhone and Android. Intel doesn't own ARM itself, just the (largest?) manufacturer of ARM based CPUs.

Re:Ie9 ?

[euphemistic]

Not the OP, nor is this probably the most definitive scientific source for such statistics, but the w3c at least has been reporting XP use as levelling off and dropping. http://www.w3schools.com/browsers/browsers_os.asp

Re:Ie9 ?

[Lotunggim+Ginsawat]

Actually symbolset implies two things 1. W7 growth is attributed primarily by the defection of Vista users, and 2. Windows XP users doesn't adopt W7. From my observation, symbolset is wrong in both counts, and your link at least shows symbolset being wrong on claim no.2.

Let me the first to say.....

....BWAHAHAHAAAAAAAA!!!

Internet Explorer: mainlining malicious code into YOUR OS for 30 years, and counting.

Re:Let me the first to say.....

[straponego]

Eh, more like 15, but who's counting?

Re:Let me the first to say.....

[AnonymousClown]

Well, now, using Einstein's time dilation equations and multiplying by the number of years that IE has existed, the internet, the speed of the signals around the net, that 15 years from our perspective is actually 30 by IE's perspective.

Steve Hawking goes into a little more depth in his new book and Greene actually says String theory supports it too.

We're on our way to a Unified Theory all thanks to IE and Microsoft.

Re:Let me the first to say.....

[hedwards]

To be fair, it's an honest enough mistake. It just seems like it's been 30 years, what with all the waiting and the retro styling for all those years.

Re:Let me the first to say.....

[PapayaSF]

The disparity in years is just IE misinterpreting the dimension of time, like the box model bug.

Re:Let me the first to say.....

[FatdogHaiku]

Hey! It's 30... if you did the math on a Windows PC...

Re:Let me the first to say.....

[camperslo]

>15 years from our perspective is actually 30 by IE's perspective.

The there are those that feel it should be measured in dog years

Re:Let me the first to say.....

Eh, more like 15, but who's counting?

Internet Explorer is not one browser, but a legion of browsers.

Versions of IE still in use (not counting minor, but still mutually incompatible and in use, versions, or old Mac IE):
IE 4: 13 years
IE 5: 11 years
IE 6: 9 years
IE 7: 4 years
IE 8: 1 year
============
IE: 29 years

30 years sounds like a good estimate.

Re:Let me the first to say.....

IE's box model was never a bug. The W3C changed their definition of how widths of certain elements worked vs how they worked in HTML 3.2 and prior, and both IE and netscape (both major browsers at the time) implemented it for backwards compatibility. The W3C finally (sort of) fixed their "mistake" in CSS3 where they have a specific property to say how the box model works, although they still didn't make that default as they should have to allow full backwards compatibility and change the definition. Poor planning on their part.

No way!

[bragr]

IE as well know, unpatched security vulnerabilities? Thats so surprising!

Re:No way!

[itlurksbeneath]

Yeah, but what is surprising is that it has been a known issue for 8 months and still is an issue. Other major browser vendors patched and moved on.

Re:No way!

[hitmark]

would not surprise me if some major corporations intraweb (or whatever the term is) package makes use of this as a feature in their design. As such, Microsoft needs to find a way to block the issue without destroying the workings of said package.

Re:No way!

Using undocumented "features" to build your *web is a risk seldom worth taking.

What?

[lennier1]

People still use MSIE?

Re:What?

[dandart]

I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.

Re:What?

Yes. You know this. Don't you have a fucking original thing to contribute to the conversation? I figured as much.

Re:What?

[0123456]

People still use MSIE?

I used it last week on a friend's computer, and was amazed to discover that this product of a multi-billion dollar software company doesn't even support multicolumn rendering or HTML5 video tags. It felt like I'd fallen through a time warp into the 1990s.

Re:What?

I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.

Agreed: only people who don't know any better use MSIE. That and MS fanboys. Yes, they all have their vulnerabilities, but experience (12 years worth) tells me that getting off of IE is the first step to getting rid of malware.

Re:What?

[$RANDOMLUSER]

People still use MSIE?

Yes, and there are women who stay with abusive husbands because "he said he's sorry, and he loves me, and it'll never happen again".

Re:What?

[lennier1]

Don't be surprised. It took them long enough to finally interpret the alpha information stored in PNG images.

Re:What?

I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.

Fuck 'em. Their stupidity isn't remotely painful enough for them. Really, they resist every last effort to educate them so they 100% deserve everything they get. The only unfortunate side-effect is that their compromised machines are used in botnets that attack and spam the clueful.

Re:What?

[hedwards]

I'd agree with you were it not for the fact that their computers often times end up in botnets attacking services I want to use, or just generally gobbling up bandwidth which is then not available for myself and others of legitimate purpose. Now, if they'd install an arm which would fold out and slap them whenever they did something stupid like that, perhaps then we could get some change. Either that or we could suggest that they make better use of their cup holder.

Re:What?

[Jorl17]

And yet, I'm pissed off at the fact that they keep saying all over the Web that IE9 kicks other browsers' ass. My family all wants to try the new MS product because of those FUCKING PROMOTIONS.

Re:What?

[Beelzebud]

At least they get told "sorry, I love you, it won't happen again".

People using IE don't even get that much!

Re:What?

[$RANDOMLUSER]

Sure they do: "It's the most secure Windows, ever!".

Re:What?

[oldspewey]

I use FF as my everyday browser, but I can tell you there are plenty of corporate portals, etc. I have to deal with that only render properly in IE. I'm not defending the practice, and I think anyone who deliberately codes a page that breaks standards should be shot, but that doesn't change the fact I have to use IE (and hence windows) at various times throughout the week.

Re:What?

Welcome to the world of marketing. Contrary to popular opinion, advertisement works.

Re:What?

[Firehed]

As a web app developer, I welcome IE9 with open arms. I'm certainly not going to be switching to it for personal use, but it promises to at least catch IE up with the browsers of three years ago.

Perfect? Not even close. Acceptable? Sure. Any time I spend fighting with it will be over minor CSS3 graphical enhancements, not basic rendering. And yes, I'd prefer if MS just bit the bullet and switched to an open rendering platform like Webkit, but if IE9 ends up living up to the claims, it's as good as I can hope for.

Re:What?

Windows has a very smart security model, where they double security with every release.
2*0=0.

Re:What?

[Blakey+Rat]

So it doesn't support standards that aren't finished? Wow, how criminal.

Look, if you're going to blame someone for holding up the web, blame the W3C... it's their job. The only reason HTML5 is going ahead at all is because an outside group did most of the work.

It's unfair to gripe at Microsoft for not supporting unfinished standards, considering:
1) How much they got burned by implementing CSS1 early, then having the box model "clarified" out from under them when their implementation was already in released software.
1) Despite that, they *do* have support for both of those in the next version of the browser due... next month? Or really really soon now.

Re:What?

What was the last MS product that lived up to the claims? Has there ever been one? I'm being absolutely serious here. It isn't [entirely] the fault of the coders at MS, either. Marketing has far, far too much power at that company.

Re:What?

So HTML5 is complete? Must have missed that.

Re:What?

windows 7 is pretty damn nice. best yet.

Re:What?

My dog's last poop was pretty nice, best yet.

Re:What?

[0123456]

So it doesn't support standards that aren't finished? Wow, how criminal.

Browsers have always supported standards that aren't finished, at least since I started using them in the early 90s; heck, many of the standards themselves co-opted features that browsers had implemented themselves.

And every other major browser I'm aware of already supports those things, which puts IE well into the second rank in terms of features as well as security.

Re:What?

[Blakey+Rat]

Browsers have always supported standards that aren't finished, at least since I started using them in the early 90s; heck, many of the standards themselves co-opted features that browsers had implemented themselves.

Oh, I agree with you completely. But you can't *blame* them for it.

The complaint sums to: "they didn't go as much above and beyond as other browsers have."

Re:What?

[zuperduperman]

There have been a bunch of vulnerabilities that were rendered completely ineffective by IE's protected mode which, I think, is still unmatched by other browsers. I think IE has evened the game up a lot now, and there's a reasonable argument that since IE is pretty much forced to be on the computer anyway you are best limiting the surface area of attack by not installing any more browsers or other software that you don't need.

Now, as it happens, IE is so much more unpleasant to use (mainly speed, but other features too) that I'm more than happy to go with the risk of a slightly increased security threat to get a much nicer browser (in my case, Chrome). But that is more based on features and speed than security these days.

Re:What?

..and then there're husbands that stay with their abusive wives because leaving them would be financial suicide. I think this is the more apt analogy...at least as far as buisness goes.

Re:What?

[haruchai]

Which twat modded this Flamebait? Mod it Funny, twat or don't mod it at all.

Re:What?

[blai]

not only that, but 94% of CUSTOMERS of my company use IE. And we're a -big- company.

Re:What?

Chrome uses the same low-integrity mode technique for its tab processes that IE does. Has there even been a non-plugin-based exploit made for either browser which managed to escape the newly-introduced sandbox protections? It would probably have to take advantage of a flaw in either browser's implementation; defeating the Windows process integrity security is likely to be far more challenging.

Re:What?

I'd agree with you were it not for the fact that their computers often times end up in botnets attacking services I want to use, or just generally gobbling up bandwidth which is then not available for myself and others of legitimate purpose. Now, if they'd install an arm which would fold out and slap them whenever they did something stupid like that, perhaps then we could get some change. Either that or we could suggest that they make better use of their cup holder.

so uh, did you not read the last sentence of my four-sentence post? good job.

Re:What?

[Hylandr]

Civilization is the Bane of Society, as stupidity is no longer fatal.

- Dan.

Re:What?

How do you know they are? Are you relying on what the browser says it is? That can easily be spoofed, especially by default on a lot of machines as the web site requires IE and users can't be bothered to keep switching between what they are really using or pretending to be using IE.

Re:What?

Probably a MS fanboy.

Re:What?

[smash]

No, not necessarily. If you have sharepoint (or a million other different legacy apps) in the workplace, IE is a necessity.

If you want to easily roll out configuration settings in an MS environment, you use IE.

And given the above, to maintain a sane, controlled, easy to maintain and troubleshoot environment - you roll ONE standard browser and keep that maintained. Anything else = unsupported.

If you happen to be on Windows, IE is already there anyway. Adding another browser simply means 2 sets of security settings and updates to maintain.

So, IE gets rolled out.

If you secure it properly with a content filtering firewall, security zones, and locked down secure configuration settings for the zones, IE security is bearable.

And given it is the ONLY browser that works with a lot of intranet type web-applications from the late 90s and early 00s, that is "good enough".

By which i mean that the work involved in securing the fleet of PCs and rebuilding the odd one that does end up getting broken is FAR less than the work involved in supporting a bunch of other browsers, their updates, configuration settings, etc.

I hate IE as much as the next guy, and only run it for internal intranet type sites - but as an SOE component, its what I and pretty much 95% of the rest of the corporate world has to deal with.

Re:What?

[smash]

+1 to this. All our new office machines are Windows 7 64 bit with IE8 in protected mode, and sites locked down into security zones. IE 8 is a mandatory install on all the old XP boxes.

And yes, javascript performance (and web performance in IE8 in general) is pretty abysmal, but IE is already there, and installing anything else in addition to that is simply increasing your exposure, configuration and patch maintenance, etc.

Re:What?

[smash]

Ditto. However I think microsoft are trapped by their own success. There is that much legacy content out there on corporate intranets, etc that they can't change rendering engines. They need to keep all the old cruft in there so that they can fall back to IE6 mode to render content generated by their own software (eg, sharepoint, etc) properly.

I'm certainly looking forward to IE9 as it means I'll have a half-decent standards compliant (or certainly better than current) browser that I can lock down with group policy, and works with the corporate intranet.

Re:What?

[smash]

DOS 5 (built in EMS/XMS support, upper memory use). Windows 2000 (those who weren't administering MS networks before active directory have no idea on the improvement), Windows 7.

Were those products best in class? No, but they were huge improvements that worked with your existing MS stuff, and made your life a hell of a lot easier if you were in a microsoft shop (as most corporates are).

Re:What?

So your defense is, "yeah, they are clearly the worst of the bunch but you can't blame them for it". I guess it would be easy to agree with you if the result hadn't been so destructive to the progress of the whole internet.

I don't understand what you want W3C to do by the way... they've tried the "let's standardize first and wait for implementations later" before and it's failed miserably.

Re:What?

[Decker-Mage]

You shouldn't have been modded troll and I've been modding for years. Anyone who complains that any program doesn't fully support a draft standard is Loony-Toons. In a perfect world, the draft and the approved standards would be the same but as I've noticed over the last three decades, this world is a far piece from perfect. The only excuse for that mod is sheer anti-MS bias. Stupid.

As a (multi-disciplinary) systems engineer, I deal in reality and I'm nobodys fanboi but I know when the ideal meets the real that a train-wreck is about to happen. Maybe HTML 5 won't be a train-wreck but I definitely won't hold my breath until a perfectly compliant browser, especially without a massive dev team, is released. Been there, done that, burned the t-shirt and myself with it too many times.

Re:What?

[Decker-Mage]

A far more apt analogy! Those that don't work in large organizations, and I have worked in two of the largest on the planet, know about the legacy effect. SOA exists for a reason and that reason has everything to do with that legacy hangover.

Re:What?

[Dr.Ruud]

Users of Microsoft software always remind me of the first little pig, the one that builds a house of straw.

http://en.wikipedia.org/wiki/Three_Little_Pigs

Re:What?

[dandart]

>IE (and hence windows)
I don't think that's needed.

> plenty of corporate portals
That should be shot. And programmed properly. If I'd come across one, if it was not vital, I'd refuse to use it. On accounts of it forcing me to use an insecure browser. If it was vital, I'd complain loudly and demand to use someone else's PC for it.

Sound disrespectful? Not as disrespectful as the programmers.

Re:What?

[Lennie]

And still it will not help with this problem.

This is not an attack where it tried to infect your windows installation or anything like that.

This is an cross-domain information leakage problem.

Where someone can get information from domain x by inserting something from domain y and use that to do thing on domain x or do session hijacking.

Session hijacking would mean if you logged in on some site, someone else from somewhere else can login while you were logged in.

Come back when you understand web-development.

Re:What?

[Adambomb]

Contrary to popular opinion, advertisement works.

I think my head just exploded.

Re:What?

[smash]

Did I say it would help with this particular problem? No, it won't. However security problems are NOT exclusive to IE, and there is plenty you can to do mitigate issues that you can't easily do with other browsers.

Come back when you understand application security.

Re:What?

[KingMotley]

Most people aren't geeks that know how to change their User Agent String (Other than perhaps Safari which has it right in the menu). While technically true, your statement is so highly unlikely that it isn't not even worth pursuing.

Re:What?

[Blakey+Rat]

I guess it would be easy to agree with you if the result hadn't been so destructive to the progress of the whole internet.

IE's been caught up for like ... 4 years now. They're not holding shit back anymore, and haven't been for a long time.

Now, companies (and individuals) that refuse to upgrade from IE6-- those are (potentially) holding sites back. But don't blame Microsoft for that! Microsoft's doing everything they can to get people to upgrade, short of sabotaging their own software or weaseling out of support contracts. Depending on your target audience, though, you can probably drop IE6 compatibility-- I mean a lot of large sites like blackberry.com have done that, and it doesn't seem to have hurt them.

Blame where blame is due.

I don't understand what you want W3C to do by the way... they've tried the "let's standardize first and wait for implementations later" before and it's failed miserably.

Yah, we've also tried the: "let's not bother with standards at all and just let browsers do whatever the hell they want" and it worked even *worse*. Or do you simply not remember before IE and Netscape up to about version 5?

So I guess the question is this: do you want to go back to the IE4/Netscape 4 days? Because that seems to be what you're asking for. Those who don't know history are doomed to repeat it?

All I want from the W3C is this:
1) Stop working on pointless, retarded standards that do nothing but waste everybody's time. Like XHTML2. (Fortunately, they've mostly already done this, too bad all those years were wasted on it previously.)
2) Start moving at the speed everybody else wants them to move at. This they're still bad at-- HTML5 was going great until the W3C got a hold of it, now it's going nowhere slow.

In short, I want them to MOOOOOOOOVE. There's nothing wrong with what they're doing, it's just so. fucking. slow. They introduce a nice cool feature to CSS3, and it's literally a DECADE until browser makers can implement it. Ridiculous.

CSS3 has been in the works since 2005. Chrome has gone from "non-existent" to version 6 in that amount of time.

Look, what it really comes down to is that the only party holding up the web right now is the W3C.

Chrome, Safari, and to a lesser extent Firefox are busy implementing standards that aren't finalized-- kudos to them, but don't act as if they are "caught up" and IE is "behind". The reality is they are "above and beyond" and IE is "perfectly fine".

Last time IE tried implementing standards that weren't finished, they got completely fucked over by the W3C, so I can completely understand their reluctance to do it. There's a non-zero chance that Chrome/Safari could be fucked-over by the W3C changing a standard out from under them, as well.

Re:What?

[Blakey+Rat]

Don't worry about it, I always get modded troll. I have some guy with a grudge and tons of mod points following me around or something, I dunno. (I had a karma bonus for like 5 solid years, and this guy has removed it in a couple of weeks. Slashdot's karma system is broken beyond belief.)

Re:What?

[Bert64]

If one machine gets infected, that infection may spread... If all the workstations are part of a domain and share authentication details it becomes far easier to spread too.

The fact IE comes by default, and isn't easily removable is even more reason not to use it, it shows that it cant (and never could) stand on its own merit as a browser, they have to use dirty tricks like this to get people to use it.

Re:What?

[Bert64]

So people will make do with an inferior browser, because its more efficient than the only other alternative of having an inferior browser *AND* a better one at the same time. Does that not sound extremely stupid to anyone else?

So basically the most secure configuration of windows is still weaker than that of any other platform.

Glad i don't use windows, and can therefore have only the browser(s) i want installed and can easily remove anything which is unwanted therefore having even less exposure, configuration and patch maintenance.

Re:What?

[Bert64]

Don't rely on group policy to "lock down" anything, the best you can hope for with group policy is to distribute a set of defaults... DO NOT rely on it for any kind of security whatsoever.

Re:What?

[Bert64]

It's perfectly fair to gripe, when for several years now not just one but several other browser makers have been light years ahead...
Why can't MS at the very least try to be in the same league as webkit/opera/mozilla?

Re:What?

[Bert64]

They haven't caught up, IE8 is still way behind the current releases of other browsers... They've shrunk the gap slightly, but they're woefully far behind. Look at their acid3 score, or the html5test site, or there was another site which showed what percentage of the various standards were supported by various browsers... Whatever metric you use, IE comes up laughably short compared to all the other major browsers.

Re:What?

[Bert64]

The problem is that the standards process moves too slowly, and the web has traditionally moved very fast (except for the few years when IE6 was stifling progress)...
Not implementing a draft standard is one thing, but not implementing the same fully documented standards, draft or not, that are implemented by everyone else is just ridiculous.

Re:What?

[Bert64]

Not at all, ditching windows would be like divorcing a leeching spouse who is only there for your money...
The divorce settlement may cost a lot, but its a one off payment and once you're free you won't be hemorrhaging cash year on year.

Re:What?

[Blakey+Rat]

Wait a month. IE9 is on-par with every other browser, and ahead of Firefox 3.6. (Not 4, though.)

It's not like Microsoft is 5 years behind, they're at most 9 months behind.

Re:What?

[Bert64]

IE9 is just another attempt at catching up, it's pretty feeble when a browser thats "coming soon" is only going to be "on-par" with whats already available, and will be behind what everyone else has coming soon.

Re:What?

[Blakey+Rat]

IE9 is just another attempt at catching up, it's pretty feeble when a browser thats "coming soon" is only going to be "on-par" with whats already available, and will be behind what everyone else has coming soon.

Well, you're entitled to your opinion. I just wish people wouldn't gripe about a browser not implementing unfinished standards, that's all I was saying.

If you want the web to move faster, you gotta get the W3C off their asses, and you gotta get corporations to upgrade their intranets. Those are the two main problems with the web right now-- griping about IE is not the answer.

Re:What?

[Decker-Mage]

Sorry but that is most definitely not the way I work. Implementing a draft is absolutely stupid in my not so humble opinion. Should something change between the draft and the release you have a broken version out there somewhere, most likely a hell of a lot of somewheres since there are a lot of people, in the millions, who do not update their software when appropriate. Furthermore, I know from the perspective of a systems administrator*, deployment of a new version in any reasonable context is not going to take place until you've kicked the tires and tried to break whatever version is released.

In my world you release a version that complies with documented, extent standards. Perhaps you may allow for a setting within the software to enable draft standard compliance but I'm even leery of that. Where I worked, it wasn't your job on the line, it was your freedom, benefits and if you screw up enough to get someone killed as a result of doing something , probably your life. Did that make me risk adverse? Nope. Just extremely intent on managing risk something that most people just don't get. [Bruce Schneier, et. al.]

[* - At one time, I was responsible for, administered, maintained, and repaired five mainframes, eighteen mini-computers, 575 desktop computers and I never got a real handle on how many laptops but well over two hundred that I had logged. This was in addition to my other duties. And yes being responsible for a laptop population whose absolute total membership I had no control for was not a situation that I was exactly (?!!!) comfortable with. More than a few computers were also TEMPEST certified to keep life even more interesting.]

Re:What?

[Lennie]

OK, the way I put it, I was being an asshole.

But the point was, it did not apply. And you mentioned you didn't want it to.

Fine, I'll shut up about it.

Re:What?

[LordLimecat]

Its possible that it stops malware because when you switch them to a new browser, all the crappy insecure plugins arent switched over (java, acrobat, flash, quicktime) unless you reinstall them.

Im all for lambasting IE8 for the awful awful browser it is, but lets lay blame where its deserved-- most malware is plugin-induced.

Re:What?

[oldspewey]

I'd be curious to know your views on whether a timesheet submission portal is "vital" or not. You can refuse to use it, but then you won't get paid.

And that's just one of them.

Re:What?

[dandart]

I never said refuse to use a timesheet. I'd bring the issue up to management until they fixed it though. Cross-platform and cross-browser compatibility is one thing that almost everyone has got now, and something that shouldn't be overlooked, especially if it sticks you to one OS, one you wouldn't use even if a bear threatened you.

Re:What?

[oldspewey]

I'd bring the issue up to management until they fixed it though

I'm curious what size and what kind of corporation you work for. If I were to repeatedly bring up the issue of administrative portals to management - for as many months as it takes - expecting the company to make it a priority to change those portals, I'd probably be out of a job before a single line of HTML got rewritten.

Bummer

[symbolic]

I just upgraded to IE 8 yesterday to verify a support issue.

Re:Bummer

[davester666]

So, now that you've upgraded, do you have issues with support?

News?

[krzysz00]

IE only browser to leave this unpatched. What a surprise! Everyony but microshaft fixes security bugs promptly while M$ pursues shiny. This is news?

Re:News?

This hole is also still unpatched, all Microsoft's fault.

Re:News?

[smash]

Going for shiny instead of fixing bugs? Have the KDE4 team been taking notes or something?

Times change

[oldhack]

Can't remember the last time I fired up IE (I do have IE8 installed).

Kudos to FF team. Thank god I don't work on webapps anymore.

Re:Times change

[Linkota]

Can't remember the last time I fired up IE (I do have IE8 installed).

Oh? What about windows update?

Re:Times change

[Blakey+Rat]

What year are you from? IE hasn't been used for Windows Update since... well, hell, it was optional even in Windows XP. Going to the site in Vista (almost 4 years old now) or higher just redirects you to the control panel.

It's not 1998 anymore.

Re:Times change

[WrongSizeGlass]

Oh? What about windows update?

I think the updates will find their way to your computer automatically if you select either of two certain radio buttons in a control panel somewhere ... you don't need IE to get them. Also, in case you're a rebel and/or a maverick, you can read the MS security bulletin in a non-MS browser, follow the links and download the updates manually to be installed at your convenience.

Re:Times change

[trapnest]

Getting some updates, or getting the auto-update process started required using internet explorer.

Re:Times change

[Blakey+Rat]

I guess I had the magic version of XP, where all you had to do was check "automatically download and install updates" in the Windows Update control panel.

Re:Times change

Kudos to FF team.

Mozilla Firefox Insecure Library Loading Vulnerability: http://secunia.com/advisories/41095. Potato / Patahto.

Re:Times change

[smash]

Or, if you have more than about 5 PCs on the network, you should install WSUS and control it from there.

IE and Microsoft

[js3]

It's a strange thing. It seems the only reason IE exists it to repeated punch microsofts reputation in the face. I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys. I watch Channel 9 and there are some seriously smart people working at this company and yet this one program has done more to harm the company's reputation like no other.

Re:IE and Microsoft

I rather imagine the executives had to suck some dick to get a team of competent programmers willing to work on IE9.
And by 'suck some dick' I mean promise to stay out of their way and let them implement actual standards.
Seems to have worked, though. The IE9 team almost doesn't appear incompetent at all, by Microsoft standards.

Re:IE and Microsoft

[Zixaphir]

It's a strange thing. It seems the only reason Ballmer exists it to repeated punch Microsoft's reputation in the face. I'm surprised shareholders haven't gotten so fed up and fired the "Monkey Dance" Ballmer or replaced him with a better monkey. I watch Channel 9 and there are some seriously smart people working at this company and yet this one person has done more to harm the company's reputation like no other.

Re:IE and Microsoft

[WrongSizeGlass]

I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys.

Do you have any proof that they haven't been replaced by monkeys?

Re:IE and Microsoft

Do you have any proof that they haven't been replaced by monkeys?

Sure, I am the proof, I work there.

Did you see my banana, it was up here on my tree near the keyboard.

Re:IE and Microsoft

[Nidi62]

Has Microsoft put out any Shakespeare yet? Then there's your proof.

Re:IE and Microsoft

[JonJ]

Mr. Ballmer, you are definitely not proof that there aren't monkeys at Microsoft.

Re:IE and Microsoft

[WrongSizeGlass]

Kwyjibo is that you?

Re:IE and Microsoft

[grcumb]

Has Microsoft put out any Shakespeare yet? Then there's your proof.

I dunno, I consider MSIE to be the of the great tragedies of my lifetime....

Re:IE and Microsoft

[drolli]

Well - you know the big fight they posed about "IE being a core part of Windows". And i guess a selling point for large administrations was "working together very well with the OS" and "supporting you old web applications with active X as long as you want". Yeah sure.

Go to your customers with 10000 licences of Windows (and 10000 licenses of MS Office) and tell them in the face: "Sorry guys, we know we said IE would be working forever and especially well with windows, but you know, we cant afford that team any more, they just suck too much - take care about yourself.".

Good luck with that.

At MS it has always been a policy that if something does not crash immediately and enables the customer to do some work you can put it on a floppy disk/press the cd. To the standard PEBKAC the cuprit is not obvious anyway - if the computer crashes, is hacked, rund slower than before, need more memory than before to do the same work - for sure its not MS fault. However if something visible to the PEBKACs goes missing, then they would blame Microsoft.

Re:IE and Microsoft

[Jedi+Alec]

That's only proof that it's not an infinite amount of monkeys...or that they haven't been given typewriters and are struggling with all of Word's delightful little habits.

Re:IE and Microsoft

tg bn op nml ot ebb ttat si the qwerty qqqqqqqqqqqqqqq

Word is autocorrecting, please wait......

To be or not to bee that is teh question qqq :-( qqq

Re:IE and Microsoft

[exomondo]

It's a strange thing. It seems the only reason IE exists it to repeated punch microsofts reputation in the face.

I question why they bother with a browser at all. What do they really gain from it? Wouldn't the money they spend on IE be better spent on the core OS?

About 80% to 85% of all users worldwide...

IE's world-wide market share is currently around 80% to 85% of all web users.

Alternate browsers have very poor support for properly rendering the text of most Asian languages, while IE has exceptionally good support, so the use of alternate browsers in places like Japan, China, Thailand, Taiwan and the Koreas is virtually unheard of. These markets, which are already far larger than the American or European markets, are still growing.

Don't let the W3Schools stats confuse you. Those are for a small subset of the comparatively small American market, and thus aren't indicative of the global trends.

Re:About 80% to 85% of all users worldwide...

[93+Escort+Wagon]

Don't let the W3Schools stats confuse you. Those are for a small subset of the comparatively small American market, and thus aren't indicative of the global trends.

Just keep fiddling while Rome burns, Nero.

Re:About 80% to 85% of all users worldwide...

[Lanteran]

actually its only 52% and dropping rapidly. If nothing else, at least MS is having to make a modern standards complaint browser. I for one, don't think it'll be enough to gain back much lost market share, but at least it'll make it easier on us web developers. Source: http://en.wikipedia.org/wiki/Internet_Explorer#Market_adoption_and_usage_share

Re:About 80% to 85% of all users worldwide...

[Lanteran]

*52-60%

Re:About 80% to 85% of all users worldwide...

[Xojo]

a modern standards complaint browser.

You got THAT right! ;-)>

Re:About 80% to 85% of all users worldwide...

[RobertM1968]

actually its only 52% and dropping rapidly. If nothing else, at least MS is having to make a modern standards complaint browser. I for one, don't think it'll be enough to gain back much lost market share, but at least it'll make it easier on us web developers. Source: http://en.wikipedia.org/wiki/Internet_Explorer#Market_adoption_and_usage_share

I'd mod you "+1 Damn, I've been dreaming of that day for ages!!" but apparently slashdot doesnt have such a mod.

Re:About 80% to 85% of all users worldwide...

[haruchai]

Beat me to it.

Re:About 80% to 85% of all users worldwide...

[Bert64]

In south korea the problem is because their online commerce system is locked into a proprietary system that requires an ie-only plugin, rather than using standard ssl like everywhere else.

America also has a relatively large percentage of IE users...
Europe however, has far lower IE market share than anywhere else.

you F2ail It..

ggOdbye...she had

If it is broke

why fix it?

So?

[Lanteran]

if you're using internet explorer, you deserve every bug you get. If you're in one of those companies that mandates IE or something, company data theft is their fault and their loss. If you're reading slashdot, chances are you know that entering your personal data on one of those computers is probably a bad idea because besides internet explorer, they also more than likely have company monitoring software installed.

Re:So?

[smash]

This is why you put a content filtering firewall in front of it. As is a good idea to protect the average "blue E = teh intarwebs!!" luser, irrespective of browser selection.

Re:So?

[Lennie]

You policy has to be really strict to have that filtering filewall work against these kind of cross-domain exploits.

I know it might be to much to ask for people to read the article and understand what issue it is about. This is slashdot after all...

Re:So?

[smash]

Again, I'm talking about browser security in general terms, not this specific incident. There will always be specific incidents that fall through the cracks, and IE (when properly configured), Firefox, Safari, etc are not so different in that regard.

Re:So?

[smash]

Plus... ie is already installed. Installing a second browser means you have TWO potential vectors for intrustion to secure and maintain...

Re:So?

[Lanteran]

solution: Uninstall IE.

Wait...

Re:So?

[thijsh]

If you're using internet explorer, you deserve every known bug that M$ neglects to patch for a long long time.

FTFY. All mayor browsers except Opera suffered from this attack vector, but all others patched it fairly fast. This isn't a problem with bugs, this is a problem with the patching of those bugs, and M$ shows how little they care for customers every day they leave exposing bugs like this and many others unpatched for *years*.

all of the major browsers were vulnerable

[networkzombie]

No matter what browser you use you should expect a bug like this. Thinking your browser is secure because it has patched a flaw that Internet Explorer has not is a colossal oversight.

in the wild

[AnAdventurer]

We always hear about "sites controlled by an attacker", any one have a daily updating list of compromised sites?

Re:in the wild

[a_n_d_e_r_s]

Yes there is sites out there where the company behind them send out software that infect your computer and causes it to become open for anyone to take over.

Some of them even pretend to do useful things for you like pretending to be a way to secure your computer from nasty attacks.

For one nasty example check out this site:

http://www.microsoft.com/

Re:in the wild

[dremspider]

Here are some sites that I have used for malicious sites: http://www.malwaredomainlist.com/ http://www.malwareurl.com/ http://iblocklist.com/lists.php https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist http://mtc.sri.com/live_data/malware_dns/ Also if you use Snort you are able to use the rules created over at Emerging Threats as well as others: http://emergingthreats.net/rules/emerging-drop.rules

Below 50% for the last 3 weekends

and it's barely above 50% on weekdays. That'll end soon too.

think about it ...

[jobst]

God's ten commandments aren't adhered to ... well at least a major subset of them. How can you expect the rest of the population to listen to administrators when they suggest "don't use IE"?

Why oh why.

[jeffgtr]

We have Firefox, Chrome, Safari, Opera and people are still using IE. It sure makes one pause for a moment.

Re:Why oh why.

[cboslin]

Even crazier when you consider that there are well over 100 different browsers on the market...I was shocked to discover this, like most people I knew about Firefox, Netscape (no uses that any more right?), Opera, Safari, Konqueror, Gnuzilla, SeaMonkey, Iceweasel, Fennec, Maemo, Lynx...was not surprised when I went to the wikipedia page on browsers and started counting. http://en.wikipedia.org/wiki/List_of_web_browsers. I stopped at 90...well over 100...yet fools still use IE...amazingly crazy (Using the same browser and expecting a different result).

Re:Why oh why.

[VGPowerlord]

And yet, of that list, chances are 90% of them:
1. Use the IE core, or
2. Use the Firefox core, or
3. Use the WebKit core

There are a small handful of browsers that don't use the above, but they are few and far between.

Re:Why oh why.

[Lennie]

I think if you count like that you will probably find that it's 99% or something like that. Maybe a bit less in the mobile space.

Old news

[symbolset]

Here's a nice pdf archived by wikimedia that shows where the problem is: AOL/NCSA Online Safety Study (2004).

I can't believe I'd never seen this before today.

Theft, really?

[noidentity]

There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site.

Data theft is easy to detect, just look for missing data. These sound like data spying/eavesdropping attacks, that is, where the attacker is able to monitor all your data without your knowledge. Nowadays it seems that "theft" has come to mean "something I don't like".

Re:Theft, really?

[Olipro]

Um, when data is stolen, it's copied, you don't copy it and then delete it, that's going to alert the user that you're collecting information.

Re:Theft, really?

Then call it what it is: Data Infringement.

Sheesh, I hate it when people use the wrong terms. It muddies the issue.

Re:Theft, really?

[noidentity]

Um, when data is stolen, it's copied, you don't copy it and then delete it, that's going to alert the user that you're collecting information.

Yes, stealing data will altert the user as to the theft, so you should copy it instead of stealing it. But it sounds like you're saying that copying something is stealing it. Data theft is taking a hard drive full of the only copies someone has of something, or (idiotically) making copies and then deleting the originals. Merely copying that and leaving the original would not be theft, since nothing was removed.

You can "steal" data but can't "steal" songs?

They're just copying 0s and 1s right?

Amazing Slashdot hypocrisy. Well we all know this is a troll zoo but quit making it so obvious to the newcomers!

Browser usage

[Decker-Mage]

Actually I use all of the above save Safari. [Me and Apple related stuff don't get along. I can even crash current Macs just using them normally. Well, normally for me.] Each browser has its virtues and its warts. And in my setting, all of them usually run as a virtual appliance since all of them could, hell probably have, 0-days and currently unpublicized vulnerabilities. Fact of life, deal with it. Since I normally 'power-off' the VA rather than save it, any crack ain't going very far. I've been doing this since VMWare started releasing betas way back around the turn of the millenium. [Its why I virtualized my browsers and servers in the first place. Security and ease of recovery. Consolidation once computers became powerful enough was just a side benefit.]

Here IE is only used on Microsoft sites and in beta-testing. Otherwise, it's usually FF since I have it customized my way. A ton of security extensions, especially Reverse DNS, and my current favorite shadow theme. Opera is just sweet and doesn't get the attention it deserves.

Just my $.02

Re:Browser usage

[Lennie]

While virtual machines add an extra layer, they also add extra code and hardware which can be exploited.

I wouldn't bet my life on it.

Re:Browser usage

[Decker-Mage]

"I wouldn't bet my life on it."

Frankly, I find it highly unlikely that I'll ever become a successful target given my penchant for multiple layers, deep scanning, and extensive (signature and behavioral) monitoring (including honey pots) but given the shoddy state of affairs with software development these days, I have no faith that I'll forever be malware free. I've even found verified infections in software by Fortune 500 companies. Not good.

Speaking as, among many other things, a successful software engineer I don't know what to call the individuals turning out most of the garbage that masquerades as release (gold) software today. Code-jockeys? Amateurs? Whatever. What I created over a quarter century was defect free packages (and they were not small) 'cause I was betting my life every time. Military Justice ain't nice; your punishment was whatever a Court Marshal may direct including life at hard labor or death. As Samuel Johnson put it: "The prospect of being hanged in a fortnight concentrates the mind wonderfully." [Stepping of the Soapbox]

Using a bare-metal hypervisor does add a bit to the complexity of the software but as to the hardware, there's no additional complexity here. Even the iSCSI SAN is just another virtual appliance or custom deliverable (NexentaStor Community Edition is very suitable) and the underlying hardware can be bought at Egghead, Tiger Direct, or their competitors. There's nothing fancy here, just extreme care in component selection and a few tweaks to internal hardware registers when needed. If anything, the hypervisors here act as a reduced attack surface in many respects, are far easier to monitor, if you know what you are doing, and have the positive benefit that if a piece of malware or a determined crack is successful and successfully detected, restoration from a snapshot or golden image reduces the over all "cost" of such an attack.

About the only thing I have to do differently here is that I route the internal virtual network out one physical network connection and back in another one so I can attach my monitoring to something real. There is no way I can afford the virtual switches given a personally funded budget. My whole goal for the last decade has been to operate fairly safely in a hazardous environment and its getting very rough out there. The last time a piece of malware successfully attacked one of my machines was 1989, wasn't even on a PC (it was an Amiga) and occurred while I was insuring that the CompuServe Amiga libraries remained virus free.

"Just because your paranoid doesn't mean they aren't out to get you" ;-).