New IE Vulnerability Used In Targeted Attacks; IE9, IE10 Users Safe

An anonymous reader writes "Criminals are using a new Internet Explorer security hole to attack Windows computers in targeted attacks, though the vulnerability could end up being more widely exploited. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are. It's great to see that the latest versions of IE are immune, but this new vulnerability is still bad news for Windows XP users and earlier since they cannot upgrade to more recent versions of Microsoft's browser. 'We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,' Dustin Childs of Microsoft Trustworthy Computing told TNW. 'We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.'"

I do feel sorry for XP users

I tried out IE 10 and it was great. It downloaded firefox and chrome even better than ever. People who haven't updated should. Too bad XP users can't use it though.

Re:I do feel sorry for XP users

[ClaraBow]

I know you were joking, but IE remains the only major browser that runs on one platform only. I'm sure Microsoft will port it to other platforms someday!

Re:I do feel sorry for XP users

[chronokitsune3233]

That's true, but IIRC Macs weren't affected by such vulnerabilities usually. After all, Macs were different that they needed their own separate engine (Tasman) apart from Trident, which was used on MS Windows, Solaris and HP-UX. To be honest, I remember being a kid and playing in IE on a Mac at school. IE used to be cool. Now I know better. Still, IE/Mac rocked in its day!

Re:I do feel sorry for XP users

[Trilkin]

Funny how this comes from a community that complains about walled gardens and vendor lock-in.

Re:I do feel sorry for XP users

[kthreadd]

Where is the walled garden and vendor lock-in? Ubuntu distributes a lot of software to its users, that doesn't take away any rights to run any other software. Just build it from source or install a prebuilt binary.

Re:I do feel sorry for XP users

[kiddygrinder]

sudo apt-get winetricks
winetricks ie8
unfortunately ie versions later than 8 are not supported in linux, you should upgrade to a superior operating system if you wish to experience the same bullshit you've been putting up with for 10 years (sorry, i'm a web dev)

Re:I do feel sorry for XP users

[phantomfive]

Basically, and I've tried to think of a nice way to say this, Fuck you and anyone else who comes up with such a horrid solution. It's not even a complete solution since you can only install some software through that method, you can't install any software you like.

This has been the pain I've had with the iphone since it was released (that is, eight months after it was released when the dev kit came out).

Re:The remaining (ironic) reason I still use IE

[jones_supa]

Try using a 10.x version from Adobe's Flash Player Archive.

Gotta love the summary

[MyLongNickName]

Title: New IE Vulnerability Used In Targeted Attacks; IE9, IE10 Users Safe
Sentence Two: While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are
Then: "We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,"
Then: People using Internet Explorer 9-10 are not impacted.""

Could someone please tell me which versions are vulnerable and which ones are not?

Re:Gotta love the summary

[Nyder]

Title: New IE Vulnerability Used In Targeted Attacks; IE9, IE10 Users Safe
Sentence Two: While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are
Then: "We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,"
Then: People using Internet Explorer 9-10 are not impacted.""

Could someone please tell me which versions are vulnerable and which ones are not?

It clearly states multiple times that IE 6-8 is affected and 9 & 10 aren't.

Arrogant Computing Users

[tuppe666]

Anyone still using IE6 or IE7 deserves to get hacked anyway. I might have a crocodile tear for IE8 users

I not a doctor - Do I deserve to get sick, I'm not a mechanic - Do I have to walk..How about fixing leaky tap!...how about making a violin!!. I am not an expert in everything, and have been rarely been out of education, some things take years to learn. The truth is why should everyone be executed to be experts at computing.The sad fact is the world is moving towards electronics away from general purpose computers...making experts like you redundant!

Re:Arrogant Computing Users

[Velex]

The sad fact is the world is moving towards electronics away from general purpose computers...making experts like you redundant!

There's nothing sad about this. Not everybody needs a general purpose computer. What they want is a Facebook machine, a Tumblr machine, a Youtube machine, and a Netflix machine. And give it to them. I'm sick and tired of hand-holding users who can't handle a general-purpose computer that can run more than 1 thing at once. I don't run Windows at home. I don't get paid to do support. When something blows up, I get called over to read over the dialogs and apply common sense, because I'm the "computer guy," and apparently anything on a computer is illegible to anyone who isn't a "computer guy." Maybe there's a small hope that when folks get their MyFace device, they'll take responsibility for knowing how to operate it themselves.

Where your post really baffles me is this:

I not a doctor - Do I deserve to get sick, I'm not a mechanic - Do I have to walk..How about fixing leaky tap!...how about making a violin!!. I am not an expert in everything

When your doctor tells you to stop eating unhealthy foods because you're at risk of diabetes, do you give him shit like that? When your mechanic tells you that you need to bring your car in to get an oil change on time, do you throw your hands up in the air and bitch about not being an expert?

Back when I used to try to help people improve their computing experience, I would regularly recommend Firefox and install it for them after cleaning up a ton of malware.

Then a month later when they were drowning in malware again, what did I find? They were back to using IE.

I'm afraid GP is correct, but partially. If a home user is still using IE on XP, they've probably already been warned multiple times by experts, and they deserve whatever happens to them.

However, as others have pointed out, the most likely to be affected by this is corporate users. I've started to run into web apps at work that refuse to work under IE 8, but guess what? Installing Firefox or Chrome isn't even an option because we have vendor lockin to a call center vendor that insists on using IE 8 despite what the default browser is. I also have a feeling that there's no way the company will pay to upgrade about 30 agent stations from XP to 7. After all, why should they? The vendor we're locked into considers Vista support experimental, and it's not like XP's gotten rusty and is breaking down or anything.

This is just a sad, sad tale of vendor lockin and short-sightedness by closed-source corporate software developers. Welcome to the world of closed-source! Yes, we know it's broken, but shit we can do about it! It's closed-source, and the vendor I was talking about, Microsoft, and any other closed-source vendor doesn't give a shit how much pain they cause end users.

Obligatory update patch

[linebackn]

Obligatory: Get the update patch here: http://www.mozilla.org/en-US/firefox/new/

Poor method of Gaining Customers.

[tuppe666]

Microsoft has wanted for ages that those users upgrade.
Would they resort to this method to scare people into upgrading?

Microsoft aren't even getting a sales bump from launching a new version of their platform, providing a shitty experience on their platform has them running to any other platform, and have yet to transition to the new world, where they are not the Daddy!. Android is set to surpass them next year. I'd argue it was more to provide advantages over previous versions of their OS when really their is very little real advantages present. Simply leaving the older unmaintained version insecure is simply a bonus.

Re:I don't feel sorry for those IE users

[Kergan]

Why would anyone deserve to get hacked for just running an old version of a software?

Because the immense majority of them are corporate users whose IT managers should know better.

Not an Update Patch

[tuppe666]

Obligatory: Get the update patch here: http://www.mozilla.org/en-US/firefox/new/

Its a work around.

Re:The remaining (ironic) reason I still use IE

[Kergan]

Have you tried actually uninstalling Flash? When you do, YouTube serves an html5 video.

People use IE?

[Gothmolly]

Who uses IE?

Re:People use IE?

[PNutts]

Who uses IE?

I'd throw out some numbers but they are skewed towared the site measuring them. Wikipedia pulls some sites together in one place.

What about Compatibility View?

[93+Escort+Wagon]

Compatibility View seems to turn IE 8-10 into IE 7... And I find people using it all the bloody time (and for no good reason other than they didn't like how the newer version CORRECTLY rendered some random page they were used to seeing broken!). So is Compatibility View immune to the exploit? I'm unclear whether IE has a separate engine for this or just uses some bizarre CSS definitions to achieve the brokenness...

Earlier Submission

[deeqkah]

The better story about this vulnerability is the fact that the entire delivery of the malware (from a compromised US foreign policy think tank, no less), was limited to people with the ability to view English (American English), Russian, Japanese and traditional Chinese characters. It's supected of being a 'watering hole' attack. Read more from the earlier submission which didn't include bullshit link bait for advertising dollars.

It has to be said.

[AliasMarlowe]

TFA implies that IE9 and IE 10 users are not vulnerable to this attack. Well, neither are Firefox users, nor Opera users, nor Chromium users, nor Safari users, nor ... and the list goes on and on. Oh and obviously people using BSD or Linux or Mac are not vulnerable either.

Portablility a feature

[tuppe666]

They are past tense.

It shows that their code was [and maybe he potential to be ]portable, admittedly last version for the Mac was 9 years ago 5.2.3 http://en.wikipedia.org/wiki/Internet_Explorer_for_Mac. Microsoft admit their own inadequacy by not just producing code incompatible with other platforms, but even versions of its their own platform. The sad fact is they have lost half their market to competing platform even though though they bundle it with their monopolistic product. Nobody would ever install it on alternative platforms. Although Microsoft not doing so is a sign that they are not planning on competing though improving their products.

Re:Portablility a feature

[disambiguated]

Negative. The Mac and *nix versions of IE were completely separate code bases, developed by completely separate teams.

URL

[DrYak]

http://youtube.com/html5
to manually enable/disable HTML5 video.
if you're logged in, this preference can even be saved.

Youtube automatically detects which codecs are supported (Chrome and Firefox both support WebM. Chrome also supports H.264. Older versions of Firefox don't (due to licensing restrictions), newer version of Firefox will tap into whatever system codecs is available for firefox to use: GStreamer on Linux, DirectShow in Windows, hardware codecs wherever supported).

Also, video ads require flash to play.

Is installing new software hard :)

[tuppe666]

But no I wouldn't expect the average user to be able to change a CPU, but installing a new web browser is something every computer user should be able to do

Here is the thing I disagree. Windows is crap in he context of this discussion, and Linux is a dream(and Android /iOS). Because installing is hard. Let me paint a typical scenario...Windows is running slowly!! The problem is not one thing; its everything, There is 4 unused bittorrent clients, A half uninstallled version of MobileME (how do you get rid of that icon...what is Mobile ME), there is a dozen links to defunct printers; scanners; wireless dongles and additional crap it installs. There is a whole host of things running in the background Bollox.exe is using a lot of CPU. There is Firefox 3.6, and IE with several toolbars how did they get there...both Yahoo and Google. A typing Tutor Program, that records every damn keystroke, and several programs that update and load Adobe/Office products in the background to speed up its loading while crippling everything else...and that outdated virus scanner...still searches, but never fixes or updates...until it gets fed some money!...and this is the EVERY PC.

Please don't pretend things are easy because they are for you.

Ubuntu has PPAs, and Android has the same thing

[tepples]

Ubuntu lets a machine's owner install a third-party repository called a PPA after the owner has decided to trust the PPA's operator. Android allows the same thing: owners of devices with Google Play Store can turn on "Unknown sources" and install SlideME and Amazon Appstore, and owners of Kindle devices can turn on "Unknown sources" and install SlideME. Windows RT, the "Modern UI" environment of Windows 8, iOS, and the consoles, on the other hand, don't let a device's owner add repositories.