Slashdot Mirror


Microsoft Issues Workaround For IE 0-Day

Orome1 writes "Microsoft has issued a security advisory with advice on how to patch an Internet Explorer zero-day vulnerability recently spotted being exploited in the wild by attackers that might be the same ones that are behind the Nitro attacks. News that there is a previously unknown Internet Explorer vulnerability that is actively being misused in the wild by attackers that are believed to be the same ones that are behind the Nitro attacks reverberated all over the Internet yesterday."

22 of 101 comments

  1. MS advice on how to patch a IE zero-day vulnerabil by Anonymous Coward · · Score: 5, Informative
  2. Re:doublepost? by mwvdlee · · Score: 5, Funny

    It may be that the same thing is mentioned twice in a very short summary of the story, but that the same thing is mentioned twice in a very short summary of the story does obfuscate the lack of content. That is why the same thing is mentioned twice in a very short summary of the story. Why else would it be that the same thing is mentioned twice in a very short summary of the story?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Load Firefox? by jfdavis668 · · Score: 5, Insightful

    The workaround is to load Firefox or Chrome.

  4. Re:incoherent summary by vlm · · Score: 4, Insightful

    What does this even mean? Is it the same 0-day? Is it a different 0-day? Can we get some editing up in this bitch or what?

    There are so many it doesn't really matter. There'll be another next month, and the month after that, and the month after that.... You can safely assume that at any given instant there exists at least one active zero-day infecting IE users.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  5. Workaround is stupid by Anonymous Coward · · Score: 5, Informative

    Disable ActiveX and then demand it runs to "Prompt" in both Internet AND Intranet????? This is NOT a "work-around." A work-around would be how to allow our users to continue running without being prompted to run or not run things they don't understand and don't want to.

    Or install an alternate browser.

    Sheesh, is the Internet really worth this crap? Really?

    1. Re:Workaround is stupid by Robert Zenz · · Score: 5, Informative

      Fun fact: Forbidding ActiveX and similar things in Internet Explorer yields interesting side effects, e.g. that Visual Studio can't display error messages or the Help anymore.

    2. Re:Workaround is stupid by Anonymous Coward · · Score: 2, Insightful

      Or install an alternate browser with No-Script.

      FTFY.

    3. Re:Workaround is stupid by shutdown -p now · · Score: 2

      This shouldn't be the case from VS 2010 onward. The help system there has been reworked completely to be browser-based (rather than requiring its own client as MS Help 2.0 - the thing used in VS 2002-2008 - did), and should work in any browser, not just IE.

  6. Tired of the IE hate... by Anonymous Coward · · Score: 4, Interesting

    Seriously, I don't use IE at home but until Chrome, Firefox, or Opera have tight integration and customization that can be centrally managed (GPO) IE will be the de facto standard browser for a lot of businesses. As an IT Manager I have tried repeatedly to move to a different browser and the tools to manage them just aren't there.

    "Hahaha those losers use IE, they suck they should just switch to chrome" are not helpful comments and show just how little you know about the many current business environments. Your beloved Chrome and Firefox, by their actions, don't want to be the default browsers in business. They just don't. That leaves us with IE which, despite these 0 days and standards issues, is superior in every way in a Windows corporate environment. Until that changes IE will be what many businesses use because browser management is just so easy it's automagic.

    And those Linux folks, switching to Linux isn't helpful either until some sort of same tier GPO management alternative that has simple interoperability is available. We could actually drop Windows and go full Linux if I could gain the control I get from a Windows environment.

    Disclaimer: I use Firefox, Opera, Ubuntu, and Mint at home.

    1. Re:Tired of the IE hate... by NatasRevol · · Score: 5, Insightful

      The question is why you need to manage a browser so much.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Tired of the IE hate... by Anonymous Coward · · Score: 3, Informative

      The question is why you need to manage a browser so much.

      Define browser behavior for specific vendor (state, federal governments) websites and zones
      Homepage
      What is allowed to be installed
      Favorites
      Preferences for appearance
      Internet and Proxy settings

      the list goes on and on.

    3. Re:Tired of the IE hate... by Anonymous Coward · · Score: 3, Informative

      Google has an enterprise deployable msi installer of chrome, along with a gpo addin to manage chrome. Your statement is false.

    4. Re:Tired of the IE hate... by gl4ss · · Score: 2, Funny

      I'll feed the AC....

      What is everyone's addiction to setting the homepage? I can see defaulting to a company intraweb or some portal. But WTF if someone feels they are more productive with some random web app or other data source or even google as their home page why lock them out of it?

      I guess some sort of Kiosk, but there are better special built kiosk apps that work better than IE. (though they may use IE to render)

      Maybe I'm missing the point.

      well, the reason to use ms's enterprise deployment of ie settings is that then you can make the browsing experience secure.

      oh wait..

      --
      world was created 5 seconds before this post as it is.
    5. Re:Tired of the IE hate... by LordLimecat · · Score: 5, Informative

      Chrome can be deployed by MSI and managed by GPO. They have the ADM templates right on their site.

  7. Re:incoherent summary by Chrisq · · Score: 3, Funny

    What does this even mean? Is it the same 0-day? Is it a different 0-day? Can we get some editing up in this bitch or what?

    With Microsoft you can make every day a 0 day!

  8. Link to actual security advisory by Anonymous Coward · · Score: 4, Informative

    http://technet.microsoft.com/en-us/security/advisory/2757760

    Linking from "Microsoft issued an advisory" to submitter's site is kinda lowbrow.

  9. Re:incoherent summary by LordLimecat · · Score: 3, Insightful

    Last time I had looked into it, IE9 was more secure in several ways than Firefox. It also had a comparable number of security holes.

    Have things changed substantially in the last year?

  10. Re:Load Firefox? Can't replace everywhere. by pointyhat · · Score: 3, Insightful

    You speak with authority but do not understand the principles and abstractions.

    It's called COM. Windows is based on COM. It allows components to be reused, which is good design and good practice.

    This is the same concept as WebKit being a shared library on Linux and gnome help, gnome file manager and Epiphany importing it.

    If they discovered a WebKit hole: waah waah whinge whinge there is a hole in Gnome Help - save us all from the 0-day

    That complaining never happens but if Microsoft fall to the same thing, they get slated. Hardly fair is it?

  11. Re:The solution is don't use Windows ... by pointyhat · · Score: 3, Interesting

    I haven't had a Windows virus since I started using it 24 years ago and I've used IE all that time.

    Then again, I don't go surfing pr0n, cracks, warez, torrents, rapidshare, mp3 sites etc.

    Intimacy with the wrong people is only going to end in an STD regardless of which prophylactic device you or they wear.

  12. Re:incoherent summary by smooth wombat · · Score: 3, Insightful

    IE9 was more secure in several ways than Firefox. It also had a comparable number of security holes.

    Oh really? You might want to check what Secunia has to say on the matter.

    For IE 9

    For Firefox 15

    The two aren't even close in terms of vulnerabilities. Too soon for Fx 15? Let's go with the 14 version:

    Less than half the problems.

    And one more for good measure; Firefox 13. Again, less than half the vulnerabilities of IE 9. Even the unpatched vulnerabilities for Firefox are less critical than the ones for IE 9.

    So yes, things have changed substantially in one year. Either IE 9 has gotten worse or Firefox has gotten better. Take your pick.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  13. Re:Load Firefox? Can't replace everywhere. by pointyhat · · Score: 2

    To be honest they have shipped more boxes than anyone in history.

    WebKit has had its fair share of exploits over the years. I first worked with it when it was known as KHTML and have followed it over the years.

    I work for a corporation that has source access for IE (MS shared source) and it's a remarkably well put together product which equals WebKit.

  14. Re:incoherent summary by LordLimecat · · Score: 2

    The problem is that IE9 doesn't do a rapid-release cycle like Firefox does, so all of its 9 point releases since 9.0 in May 2011 are considered the same product. That total of 60 vulns you see spans a year and a half. Firefox 14's spans about 8 weeks (July 17) -- which makes that "32" a LOT scarier. To boil it down, Firefox 14 had ~4 vulns per week since release, while IE9 has had less than 1 per week.

    To do a more fair comparison you would need to total up the number of unique vulnerabilities for Firefox 5.0-15, and compare it to IE9.0 - 9.09 (which we already know is 60). For the record, Firefox 10 alone (released less than a year ago) had 60 vulnerabilities, all of which were patched-- and then Firefox 14 had another 32.

    So no, things haven't gotten better for Firefox, and it's still a ton easier to hack than IE or Chrome (no sandboxing, no process-per-tab, no privilege dropping, no plugin filtering, etc etc etc). Firefox is a fine browser, but recommending it for security reasons is boneheaded as technically IE and Chrome are superior. And up until version 14 of Firefox (with silent auto update), you were FAR more likely to be stuck with an old Firefox than you were with an old IE.