Slashdot Mirror


Microsoft's IE Is the Most Targeted Application By Security Researchers

darthcamaro writes "Though Microsoft hasn't yet patched its Internet Explorer web browser in 2014, it did patch IE at least once every month in 2013. According to HP's 2013 Cyber Risk Report, more researchers tried to sell IE vulnerabilities than any other product vulnerability. 'IE is the most prevalent browser on the systems that attackers want to compromise' said Jacob West, CTO of HP's Enterprise Security Group."

96 comments

  1. Bear in mind by Big+Hairy+Ian · · Score: 4, Insightful

    IE is such a piece of crap to start with and that most users use it because it's there by default and they don't know any better (Which is a security issue in itself). Of course most Hac**** sorry I mean security researchers are targeting MS & IE. Just wait for MS to die off then we'll see them targeting Apple, Android and whoever the next big thing is.

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Bear in mind by Anonymous Coward · · Score: 2, Interesting

      Just wait for MS to die off

      You may not have to wait too long.

      The news is full of stories suggesting that investors want to break Microsoft up.

      Microsoft's new leadership could almost double the company's valuation by parting with a good chunk of the businesses it uses to court consumers.
      Jettisoning units such as Xbox video-game consoles and the Bing search engine may be the change Microsoft needs to rejuvenate growth as it prepares to make Satya Nadella chief executive, said Schwartz Investment Counsel, which owns Microsoft shares. The world's biggest software maker should go further by also splitting off Windows and smartphones to focus on providing services to business customers, said Stifel Financial.

      http://www.theage.com.au/it-pr...

      Of course Slashdot won't discuss this, because they're paid not to.

    2. Re:Bear in mind by glavenoid · · Score: 5, Informative

      Not having used IE since ver 7 I was really surprised that IE 10 and 11 are actually decent enough to use for a while when some firefox or chrome update breaks shit, but it still has its fair share of annoyances. Please allow me to enumerate a few of my annoyances with IE 11:

      1. You can block flash fairly easily, but only on a site-by-site basis, and once you whitelist a site you can't remove it without removing *every other site* you've whitelisted. C'mon IE, I only want to allow flash to watch some stupid video on this site this one time...

      1.a Oh yeah, flash is baked in to the browser now, but it seems to be a shitty version that stutters on streaming videos making it a crapshoot whether or not it'll be watchable.

      2. There is a built-in tracking/ad blocker but again, there's no fine-grained control without really dicking around with some ... file.. somewhere. IOW it's not intuitive and it's very difficult to whitelist a particular site's ads without fucking IE's whole ad blocking program.

      3. IE finally renders shit correctly, uhh, except for all the "legacy" shit that was built with workarounds for older versions of IE, like e.g. vBulletin.. And I don't "get" IE well enough to tell it how to tell the site to STFU and give me the firefox version (which renders correctly in IE BTW) since IE doesn't seem to like to play nice with user-agent strings outside of its archaic F12 devtools..

      4. Fucking font rendering SUCKS. Microsoft took an enormous step backwards with their font renderer in windows 8/8.1 and it really shows in IE.

      5. IE is now reliable at recovering the pages when it crashes, which is good 'cause it crashes a lot.

      I'd like to interject that I sometimes use and enjoy IE now, but I just need to get this off my chest.

      6. Private browsing is good, unless you want to have 2 or more private browsers open on the same site like e.g. two or more gmail accounts open simultaneously, which you can't do because the cookies are shared amongst them... Well, you can if you have one open in the standard IE and the other in private mode, BUT NO MORE.

      7. it's finally reasonably secure, or at least the competition is now equally insecure.

      Any more I don't choose a browser because it has features I like, I choose a browser because the competition has pissed me off, and it's an arms race to see which one can get to the bottom first... Firefox is shitty, chrome is shitty, IE is shitty but which one is going to piss me off the most today?

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
    3. Re:Bear in mind by Anonymous Coward · · Score: 0

      An Opera enthusiast peeks in and mumbles "I'll just leave this right here" before fleeing the scene.

    4. Re:Bear in mind by Anonymous Coward · · Score: 0

      They've been targeting the other OS's.

      With MS it's almost as if they intentionally add more holes when they patch IE. How can you keep finding holes after several patches?

      MS is just so untrustworthy to begin with, and every time I'm online I'm reading about more denial over how big a security risk their software is. And these patches which seem to patch nothing!!

    5. Re:Bear in mind by pjt33 · · Score: 1

      Private browsing is good, unless you want to have 2 or more private browsers open on the same site like e.g. two or more gmail accounts open simultaneously, which you can't do because the cookies are shared amongst them...

      The version of Chromium I use is the same. Is there a browser which supports multiple simultaneous private sessions?

    6. Re: Bear in mind by Anonymous Coward · · Score: 1

      As a member of Slashdot, how do I collect my paycheck?

    7. Re:Bear in mind by RabidReindeer · · Score: 3, Insightful

      IE is - so Microsoft alleged in the anti-trust trials - "An Integral Part of Microsoft Windows".

      There is absolutely no (technical) reason why this should be, based on the success of competing browsers, but the mere act of close-coupling it with the OS means that there are more ways that exploits to the browser can be converted into exploits for the OS.

      And, since it does come bundled directly with Windows, you can depend on people who either aren't technically-savvy enough or are simply too lazy to take the extra effort needed to secure their systems as IE users.

      So in many ways, IE is the ideal target.

    8. Re:Bear in mind by dbIII · · Score: 1

      Is there a browser which supports multiple simultaneous private sessions?

      Anything from mosaic onwards on a multiuser operating system. That includes server versions of MS Windows accessed via remote desktop (or hacked copies of Win7 to remove the deliberate nerfing), although that's a pretty ugly hack and getting more than one on the same screen at once is an even uglier hack.

    9. Re:Bear in mind by SuperDre · · Score: 2

      IE isn't a piece of crap, not more than any other browser (most other browsers have more security holes these days than IE has, especially due to situations like this). You're nothing but a troller who only thinks the browser he/she's using is the most secure and best browser around, well think again..
      Developing a secure browser is one hell of a job, especially with freaky hackers who can think up stuff you never ever would have thought up and thought it was secure as hell.. What seems secure by design today can be one big sinkhole tomorrow...

    10. Re:Bear in mind by gigne · · Score: 3, Insightful

      Hey, thanks. What you did there is the browser equivalent of leaving a bag of burning dogshit on my doorstep.

      Opera took a serious wrong turn recently

      --
      Signature v3.0, now with 42% less memory usage.
    11. Re:Bear in mind by Anonymous Coward · · Score: 0

      A fossilized relic of the past who wasn't even right during his kind's heyday peeks in and mumbles "I'll just leave this right here" before fleeing the scene and breaking his hip.

      FTFY

    12. Re:Bear in mind by Big+Hairy+Ian · · Score: 1

      Actually I think most of the antitrust stuff was originally to do with ms crippling the api's used by the competition but then bypassing those api's in IE

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    13. Re: Bear in mind by VernonNemitz · · Score: 1

      What of the fact that Internet Explorer was "built into" the Windows Operating System? It seems to me that so long as IE is vulnerable, so is Windows itself. So, since lots of crackers want to use the computing capacity of others' machines for their own purposes, IE will remain a major target because Windows is the real target.

    14. Re:Bear in mind by DarkXale · · Score: 1

      Yeah... I'm not leaving the 12.xx branch. That's for sure.

    15. Re:Bear in mind by gmuslera · · Score: 1

      Also is the low-hanging fruit. IE was designed to be both the local machine desktop environment and the access to internet, and a lot of historical vulnerabilities came from that design choice (in IE3 if you clicked on a direct access file, like a .lnk, it would be executed in the local machine, no question asked). Safari, Firefox and Chrome are more or less pure internet browsers, even in Chrome OS what matters is to work as frontend to internet.

      But having an ecosystem with both security by design browsers and a variety of them will make future tries to go against other things that are cross browser and sometimes have problems differentiating between local and remote: java, especially by the users. And considering the amount of critical remote vulnerabilities that are being "fixed" since Oracle took off, it is becoming another low-hanging fruit.

      And, of course, security researchers (at least, the non-US ones) will have plenty to announce just figuring out NSA remote backdoors and inserted or not fixed yet vulnerabilities in almost everything. Malware writers won't announce, will just use them.

    16. Re:Bear in mind by Anonymous Coward · · Score: 0

      Please allow me to enumerate a few of my annoyances with IE 11:

      ...

      7. it's finally reasonably secure, or at least the competition is now equally insecure.

      That one really annoys me too.

    17. Re:Bear in mind by Anonymous Coward · · Score: 1

      "6. Private browsing is good, unless you want to have 2 or more private browsers open on the same site like e.g. two or more gmail accounts open simultaneously"

      1. Create multiple user accounts just for running apps.
      2. Use "runas /user" in the command line, or create a shortcut for each user account with a "runas .... iexplore.exe -private" in the executable setting.
      3. Bask in the multi-session private browsing goodness.

    18. Re: Bear in mind by water-and-sewer · · Score: 1

      Sorry. Anonymous Cowards work for free!

      --
      If this were Usenet, I'd killfile the lot of you.
    19. Re:Bear in mind by operagost · · Score: 1

      You should see the compatibility icon appear on the address bar whenever there are rendering errors (looks like a torn piece of paper). Click it to switch to compatibility mode for that site.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    20. Re:Bear in mind by Wootery · · Score: 1

      I think not. Multiple 'cookie sandboxes' would be nice (especially for purposes of paranoia... ignoring Evercookie and Panopticlick), but it's not happened yet.

      Google turned up this, but it's just Firefox's current private-browsing, given a stupid name.

    21. Re:Bear in mind by Your.Master · · Score: 1

      For the multi-session private browsing, open one private window, then go File->New Session.

      Now you have two separate, private sessions. You can do this indefinitely.

      The cookie sharing presumably exists because websites are broken without it.

    22. Re:Bear in mind by Anonymous Coward · · Score: 0

      "I'll just leave this right here" before fleeing the scene and breaking his hip.

      FTFY

      At least he was wearing his football helmet this time.

      No concussions for Timmy!

    23. Re: Bear in mind by Billly+Gates · · Score: 1

      Not since IE 6.

      True some GDI code might use trident for placements but IE 8 and later have lowrights privilege by default. IE has no access to the file system, system processes or threads, or anything outside %appdata in the users profile. ... however in XP this is not enabled by default due to its ancient 2001 era kernel not recognizing what a sandbox is or anything besides admin and a limited user. Another reason you should be convincing ignorant XP users to upgrade as it frankly is unsafe today.

      Firefox lacks this still making it less secure than IE.

      Firefox users keep getting infected in my experience while those on modern IE and Chrome are fine due to this extra sandboxing.

    24. Re:Bear in mind by Billly+Gates · · Score: 1

      Only IE and Chrome have lowrights by default. This means it can't even access your freaking filesystem, view threads/processes, or do anything outside of %appdata. This is one of the reasons why anything above IE 8 is Windows 7 only. Not because mean old MS decided it is time to upgrade but because security on XP sucks goatballs.

      IE is more secure than Firefox and has less exploits if you compare the last few years since it supported process by tab, kernel level sandboxing, and now lowrights. It is not impossible to 0wn IE, but it sure ain't easy these days as you can't attach malicious code in admin level threads if you can't see them, can't write anything to the disk, and you are stuck in one tiny process for the tab with no access to whatever else IE is doing.

      A lot has changed since 2001.

    25. Re:Bear in mind by glavenoid · · Score: 2

      Although that worked in IE 10 Microsoft, in their infinite wisdom, nerfed that feature in some IE 11 update and AFAIK they haven't surreptitiously added it back yet.

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
    26. Re:Bear in mind by glavenoid · · Score: 1

      Thank you!! I really appreciate this.

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
  2. But, we just said no one use IE? by Anonymous Coward · · Score: 1

    Just a short while ago there was a Slashdot story that IE now had only single-digit market share. Which seems to be in stark contradiction to what is said in this story. Are we now saying those numbers were not really that close to reality, but we went with them anyway?

    1. Re: But, we just said no one use IE? by Anonymous Coward · · Score: 0

      Yes

    2. Re:But, we just said no one use IE? by Opportunist · · Score: 4, Insightful

      You needn't use IE for it to be useful to attackers. It is the one thing present on EVERY SINGLE system running an OS from MS, and it is the one single thing on every MS OS operated PC that is not only well suited to making connections via internet but also the one that the MS firewall routinely allows to in the default setting.

      The good old "we send the user a bogus EXE in mail" isn't really good anymore because of the MS firewall and UAC. Works like a charm, though, with a bogus script abusing an IE vulnerability since IE is considered a "trusted" application by default.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:But, we just said no one use IE? by Anonymous Coward · · Score: 0

      There's no contradiction there. "IE is the most prevalent browser on the systems that attackers want to compromise" AND "Percent of browsers visiting w3schools dropped below 10% for the first time" can easily be true simultaneously, and probably are. Also, even if we pretend that w3schools traffic is representative of all web traffic, single-digit (nearly 10% in this case) of the entire browser market is still huge, and the fact that it's always there even if the user prefers another browser makes it an attractive target.

    4. Re:But, we just said no one use IE? by Anonymous Coward · · Score: 0

      There's no contradiction there. "IE is the most prevalent browser on the systems that attackers want to compromise" AND "Percent of browsers visiting w3schools dropped below 10% for the first time" can easily be true simultaneously, and probably are. Also, even if we pretend that w3schools traffic is representative of all web traffic, single-digit (nearly 10% in this case) of the entire browser market is still huge, and the fact that it's always there even if the user prefers another browser makes it an attractive target.

      The current story doesn't say that IE has a huge number of users, it says it is the most prevalent browser. That can only align with having 10% market share if all competing browsers have less than 10% share. And the attack scenarios they are talking about in the report is obviously about actively used browsers, not hackers trying to reach a dormant browser on the system.

    5. Re:But, we just said no one use IE? by Gunboat_Diplomat · · Score: 2

      You needn't use IE for it to be useful to attackers. It is the one thing present on EVERY SINGLE system running an OS from MS, and it is the one single thing on every MS OS operated PC that is not only well suited to making connections via internet but also the one that the MS firewall routinely allows to in the default setting.

      The good old "we send the user a bogus EXE in mail" isn't really good anymore because of the MS firewall and UAC. Works like a charm, though, with a bogus script abusing an IE vulnerability since IE is considered a "trusted" application by default.

      IE is by default running in protected mode, a significantly less trusted zone than the user. If you already have a script running on the user system you already have higher privileges and less sandboxing than if you try to hand it off to IE.

    6. Re:But, we just said no one use IE? by Anonymous Coward · · Score: 0

      The current story doesn't say that IE has a huge number of users, it says it is the most prevalent browser.

      So where's the contradiction? It is the most prevalent. As of a week ago it's estimated to be on roughly 92% of PCs. Are you perhaps picking some alternate interpretation of "prevalent" that I'm not familiar with and assuming that TFA is using that particular interpretation too, while contradicting it at the same time? That wouldn't make much sense.

    7. Re:But, we just said no one use IE? by Anonymous Coward · · Score: 0

      no we're saying you're using a strawman: the story you're referring to was about a certain *version* of IE that was now in the single-digit market share.

    8. Re:But, we just said no one use IE? by Gaygirlie · · Score: 1

      The current story doesn't say that IE has a huge number of users, it says it is the most prevalent browser. That can only align with having 10% market share if all competing browsers have less than 10% share.

      I'd like to point out that the article you're referring to was only about w3schools -- ie. for web-developers and the likes. It was a totally ridiculous way of measuring browser market-share and a thinly-veiled attempt at mocking IE. http://gs.statcounter.com/ provides a much better measure and as you can see, IE is still 2nd up there. On any website that's actually used by Average Jane and Joe IE shows up much higher than "single-digit" numbers.

    9. Re:But, we just said no one use IE? by Anonymous Coward · · Score: 0

      The current story doesn't say that IE has a huge number of users, it says it is the most prevalent browser.

      So where's the contradiction? It is the most prevalent. As of a week ago it's estimated to be on roughly 92% of PCs. Are you perhaps picking some alternate interpretation of "prevalent" that I'm not familiar with and assuming that TFA is using that particular interpretation too, while contradicting it at the same time? That wouldn't make much sense.

      Did you read the last sentence of the post you replied to?

    10. Re:But, we just said no one use IE? by Gunboat_Diplomat · · Score: 1

      no we're saying you're using a strawman: the story you're referring to was about a certain *version* of IE that was now in the single-digit market share.

      No, it wasn't: http://tech.slashdot.org/story...

    11. Re:But, we just said no one use IE? by dbIII · · Score: 2

      Which is pretty much moot in the malware swamp. It's like using insect repellent to scare off alligators instead of going in bare.

    12. Re:But, we just said no one use IE? by nightsky30 · · Score: 1

      Just a short while ago there was a Slashdot story that IE now had only single-digit market share. Which seems to be in stark contradiction to what is said in this story. Are we now saying those numbers were not really that close to reality, but we went with them anyway?

      I think that story is largely overblown. Those statistics are gathered from their site (W3Schools), and their site only. All that really shows is that most users who visit W3Schools don't run IE. And that doesn't surprise me. Why would anyone that deals with web development want to use a browser which has historically not followed standards and caused so much heartache for the web development community to support? This article doesn't surprise me either. I thought the target was obvious.

    13. Re:But, we just said no one use IE? by Billly+Gates · · Score: 1

      Which is pretty much moot in the malware swamp. It's like using insect repellent to scare off alligators instead of going in bare.

      With Windows 7 and higher in lowrights mode it is very effective. You can't see or write to disk, can't view or access other processes or threads, everything is a tiny sandbox and even if you get out you have ASLR with scrambled ram so you can't pick a .dll to overflow or insert malicious code, with DEP that is another layer in case you figure out the random ram layout and to even get there you need to bypass lowrights which is stuck in your %appdata.

      This is not impermeable by any sense of the means but saying it is easy is an understatement and is much much more secure than Firefox which does not use these features. Go read hairyfeets blog on randomly yahoo emails being sent out in Firefox whenever someone views porn? Only happens in firefox regardless of an admin or a standard user.

    14. Re:But, we just said no one use IE? by dbIII · · Score: 1

      With Windows 7 and higher in lowrights mode it is very effective

      Malware getting in that way argues otherwise.

  3. tried is the word by Anonymous Coward · · Score: 0

    All I see are researchers trying to sell the new coke equivalent of vulnerabilities...

  4. IE needs a "No Script" add-in! by Anonymous Coward · · Score: 0

    Turning off scripting in the security zone breaks all web sites that use scripts and people should have CONTROL on what is allowed to run on their machines.

    1. Re:IE needs a "No Script" add-in! by Anonymous Coward · · Score: 1

      Turning off scripting in the security zone breaks all web sites that use scripts and people should have CONTROL on what is allowed to run on their machines.

      They do. They have CONTROL over what OS and applications they install/support/buy/use.

      In a work environment it's not under their control, but it is under the control of the very same department that is responsible for system security. It's not rocket science (though getting through to the people with the budgets is often a difficult task).

    2. Re:IE needs a "No Script" add-in! by tripleevenfall · · Score: 2

      Going back to what the summary says, IE is usually present on the systems _that haxors want to compromise_.

      Corporate machines, which have IE because they are chained to legacy systems that once required it.

      Corporate machines, where access is available to much more valuable data than some grandma's Hotmail password.

  5. Our software gets all the rape attention by Anonymous Coward · · Score: 0

    Aren't we proud? - Microsoft.

    1. Re:Our software gets all the rape attention by Anonymous Coward · · Score: 0

      Women are raped more often than men. Aren't women proud.

      We need some gender equality with regards to rape. Women, rape more men!

    2. Re:Our software gets all the rape attention by Anonymous Coward · · Score: 0

      Sad wanker detected.

    3. Re:Our software gets all the rape attention by Anonymous Coward · · Score: 0

      Suck on it! Please?

  6. Lol, 1996? by evanh · · Score: 1

    Has anything changed?

  7. Give credit where its due by Viol8 · · Score: 4, Insightful

    The low level coders on the ie team did a good job with graphics performance in IE9. Don't tar them with the same brush as the idiot management/marketing layer who think fancy features and bloat are more important than building a secure product from the ground up to start with (and I'm talking about the browser and OS)

    1. Re:Give credit where its due by Big+Hairy+Ian · · Score: 2

      At least from IE9 onwards (OK and IE8 a bit) they started to notice that standards are a good thing

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:Give credit where its due by ibwolf · · Score: 4, Insightful

      At least from IE9 onwards (OK and IE8 a bit) they started to notice that standards are a good thing

      No, they just stopped being able to ignore standards due to their shrinking market share.

    3. Re:Give credit where its due by Anonymous Coward · · Score: 0

      You both seem to be arguing over who is better at mind-reading. Nice..

    4. Re:Give credit where its due by Anonymous Coward · · Score: 0

      IE8 does not even have addEventListener(), I'm not sure I can call that "standard."

    5. Re:Give credit where its due by Billly+Gates · · Score: 1

      IE8 is 5 years old.

      The fact that people wont upgrade is maddening to any web developer.

  8. IE has one purpose left by Anonymous Coward · · Score: 0

    IE runs Microsoft Update in Windows XP, for the next 17 months. After that, IE will be useless.

    1. Re:IE has one purpose left by Anonymous Coward · · Score: 0

      23 months, if you count XP Embedded. IE has almost two years of life left!

  9. IE on Windows easiest to compromise .. by DTentilhao · · Score: 1

    'IE is the most prevalent browser on the systems that attackers want to compromise'

    IE on Windows is the easiest system for attackers to compromise ..

  10. Re:IE on Windows easiest to compromise .. by Anonymous Coward · · Score: 1

    'IE is the most prevalent browser on the systems that attackers want to compromise' IE on Windows is the easiest system for attackers to compromise ..

    For a number of years Safari on OSX has been the easiest system for hackers to compromise in Pwn2Own.

    http://www.zdnet.com/blog/secu...
    http://arstechnica.com/apple/2...

  11. Too many still using old versions by Anonymous Coward · · Score: 1

    It's clear that IE 10 and IE 11 improved on security. But with so many still using XP and even some using Vista. Both of which cannot run either IE10 or IE11. Microsoft has created a large group of Windows users who simply cannot use a secure IE. The fact enterprise is a big part of XP users also means they are most likely using IE8 or IE9 rather than a more secure and modern browser like Firefox or Chrome. I am not an IE hater but think for many reasons including security. Microsoft should disconnect IE from the OS. Or simply retire IE altogether.

    1. Re:Too many still using old versions by dj245 · · Score: 1

      It's clear that IE 10 and IE 11 improved on security. But with so many still using XP and even some using Vista. Both of which cannot run either IE10 or IE11. Microsoft has created a large group of Windows users who simply cannot use a secure IE. The fact enterprise is a big part of XP users also means they are most likely using IE8 or IE9 rather than a more secure and modern browser like Firefox or Chrome. I am not an IE hater but think for many reasons including security. Microsoft should disconnect IE from the OS. Or simply retire IE altogether.

      This is going to change in the next couple of years. I work for a very large company stuck on XP. The costs we pay to support and secure XP are exorbitantly high and increasing. We plan to switch to Windows 7 this year. Of course, this date will almost certainly slip, but it will probably be done by the end of 2015.

      If the numbers are compelling enough to make us switch, they are undoubtedly compelling to other corporate XP users as well.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  12. Direct Link? by Anonymous Coward · · Score: 0

    Past the stupid gimme all your info page:
    http://images.info.arcsight.com/Web/ArcSight/%7B201bc2e0-26c4-435b-a995-c1273c435c12%7D_HP_Cyber_Security_Risk_Report_FINAL_Client_Review_01_31_14.pdf?elq=e928c1b1855d4d98b6be0455c5e110af&elqCampaignId=4072

    If that doesn't work use this: http://app.info.arcsight.com/e/es?s=1098&e=249443&elq=e928c1b1855d4d98b6be0455c5e110af

  13. Re:IE on Windows easiest to compromise .. by Anonymous Coward · · Score: 0

    Easiest to compromise? Or on the computer that they most wanted to win? The first contestant to pwn a system gets to own it - that's the point of the contest - and Safari happened to be on the most expensive computer, so the contestants targeted it first to improve their chances at getting the best prize.

  14. Re:IE on Windows easiest to compromise .. by Anonymous Coward · · Score: 0

    Proprietary software.
    More to hide means more to find.

  15. "Security researchers" by jones_supa · · Score: 4, Insightful

    Ha. I always cringe when black hat crackers are called "security researchers". That's not research, it's malicious destroying of other people's systems and data.

    1. Re:"Security researchers" by Richard_at_work · · Score: 2

      Yup, if they are trying to sell the vulnerabilities then they are not researchers at all, but scum.

      Calling them researchers is Slashdots way of making them out to be the good guys.

    2. Re:"Security researchers" by Viol8 · · Score: 2

      What you have to remember about crackers whether black or white hat is that while they're usually highly intelligent, they're also still mentally rather juvenile. Being called a "researcher" gives these immature basement dwelling mushrooms the gravitas they'd otherwise never achieve.

    3. Re:"Security researchers" by Anonymous Coward · · Score: 0

      Maybe they're just.......bored. Cracking shit is a bit of challenge that doesn't require a huge time investment.

    4. Re:"Security researchers" by Viol8 · · Score: 1

      Neither does developing small programs or algorithms or 101 other intellectually stimulating tasks. The difference being they don't involve breaking into someone else's computer. Just because someone wants to practice their lockpicking skills, it doesn't give them the right to try to break into my house while doing it regardless of whether they steal anything.

    5. Re:"Security researchers" by Anonymous Coward · · Score: 0

      Reverse engineering someone else's obfuscated software can be more challenging than, and thus more rewarding than, developing small programs. It's completely unnecessary to break into someone else's computer. You're entitled to break into your own house as often as you like.

    6. Re:"Security researchers" by Anonymous Coward · · Score: 0

      Yeah, except small programs or algorithms for their own sake are boring. Besides, what the fuck do you think these exploits consist of? My guess, small programs and algorithms.

      Think before you open your dick holster

    7. Re:"Security researchers" by Anonymous Coward · · Score: 0

      Reverse engineering someone else's obfuscated software can be more challenging than, and thus more rewarding than, developing small programs.

      Uhh...then develop medium-sized programs if small programs are not challenging or rewarding enough. Still not an excuse to go through the malicious route.

    8. Re:"Security researchers" by Anonymous Coward · · Score: 0

      Is this true of the medical field as well? If someone finds a bug in a cancer that allows them to destroy it, and they choose to sell the vulnerability rather than keep it for themselves, are they scum? Surely they are not as good as if they gave the cure away for free, but I would not label them scum.

    9. Re:"Security researchers" by Viol8 · · Score: 1

      "Yeah, except small programs or algorithms for their own sake are boring"

      Oh right, and finding exploits for their own sake aren't?

      "Think before you open your dick holster"

      I doubt you'd even know how to use one.

  16. Re:IE on Windows easiest to compromise .. by Anonymous Coward · · Score: 1

    Easiest to compromise? Or on the computer that they most wanted to win? The first contestant to pwn a system gets to own it - that's the point of the contest - and Safari happened to be on the most expensive computer, so the contestants targeted it first to improve their chances at getting the best prize.

    I love this argument that pops up to explain the poor results for Safari and OSX in Pwn2Own. The winner also wins 20.000 USD, but obviously they went for the hardest target, risking their win and those $20k by not taking the easiest route, because they sooo wanted the shiny Macbook.. Not to mind that Charlie Miller, amongst others, has gone into great detail in interviews on why Safari on OSX is easiest to compromise, but those are details lost on many.

  17. Sell Xbox unit??? by Viol8 · · Score: 3, Insightful

    Yeah, great idea - sell one of the units making a profit!

    Typical short term hedgefund approach to companies - earn us some money now by selling off collateral then we'll dump your shares before they tank. Fucking parasites.

    1. Re:Sell Xbox unit??? by isorox · · Score: 2

      Typical short term hedgefund approach to companies - earn us some money now by selling off collateral then we'll dump your shares before they tank. Fucking parasites.

      Noo, you're wrong. Liquidity! Trickle Down! Hookers!

    2. Re:Sell Xbox unit??? by Anonymous Coward · · Score: 0

      Yeah, great idea - sell one of the units making a profit!

      Investors are well aware that Microsoft can't, um, "persuade" US regulators to turn a blind eye to their transgressions forever.

      As always, follow the money. It wasn't a problem while MS was extorting monopoly rents from the paying public, but recently they've started unilaterally changing terms and conditions for enterprise sales in an effort to prop up their falling margins. That's made a lot of big players who can actually afford their own lobbyists very irate.

      The writing is very clearly on the wall, and investors know it. If Microsoft doesn't dismantle itself, the regulators will finally find some balls and step in and do it for them.

  18. Where does it say old versions by tuppe666 · · Score: 0

    It's clear that IE 10 and IE 11 improved on security.

    It's not clear at all. In fact there is nothing in the article that suggests older versions being the problem. It is a disgrace how Microsoft treats its customers.

  19. Other shock revelations..... by BestNicksRTaken · · Score: 2

    ...from the feckingobvious department, that yellow disc in the sky is the sun. Slow news day or something guys?

    --
    #include <sig.h>
    1. Re:Other shock revelations..... by Anonymous Coward · · Score: 0

      The yellow disk in the sky is the "Oracle". They bought Sun years ago.

  20. And this line shows the real problem by WindBourne · · Score: 1

    'IE is the most prevalent browser on the systems that attackers want to compromise' said Jacob West, CTO of HP's Enterprise Security Group."

    Supposedly, Chrome is now the most popular browser going. If Windows is the majority desktop (and it is), then Chrome must be the most prevalent browser on it.
    So, why attack IE? Ease of breaking into.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:And this line shows the real problem by coolmadsi · · Score: 1

      The way I interpreted it was that an assumed profile of someone using IE is that of a less-knowledgeable user (so one that would be more susceptible to not noticing something "bad" happening to their computer).

  21. Hah! by Anonymous Coward · · Score: 0

    NO SHIT, SHERLOCK.

  22. They don't have control by Anonymous Coward · · Score: 0

    Their OS insisted on using the IE code to render help pages. No chance of changing that.

    Their OS insisted on asking if you wanted to turn to IE if it wasn't on, and many "Windows Approved" applications did the same when it was installed.

    Their program insisted on running scripts without being able to block or sandbox it.

    Their control over the computer was vastly less than Microsoft's central control over the system.

  23. Is it ridiculous because it said 10%? by Anonymous Coward · · Score: 0

    Or is there some other reason why it is ridiculous? Because I think it's the former.

    w3schools is as good as any other site. Intranets have many old applications that cannot be moved from that require IE6, so IE will remain over represented there.

    But because nobody USES IE doesn't mean IE isn't INSTALLED on most machines.

    And since the OS can decide that such a trusted application as Microsoft's own browser can do stuff even if you didn't tell it to explicitly (e.g. help file display), and since IE by design will "make things simple" and let IE fire up on receipt of an appropriate connection request from the outside world, its installation, NOT USE BY THE OWNER, is all that's necessary.

    So installed on 92% of machines, used by 1/9th of those users explicitly is still 100% congruent.

    1. Re:Is it ridiculous because it said 10%? by Gaygirlie · · Score: 1

      Or is there some other reason why it is ridiculous?

      Yes, it is ridiculous.

      w3schools is as good as any other site.

      No, it definitely isn't. w3schools is representative of the tastes of generally tech-inclined people and even there it's only representative of the people visiting that single site. eBay, for example, is used by both tech-inclined people and the luddites and therefore it would be a much better gauge for browser-share, however it would still only track browser-share on eBay's sites. The link that I gave you, however, tracks browser-share across multiple sites and networks and places IE at 22.85% share. You'd be a moron not to see why tracking browser-share only on a single, tech-oriented website that no luddites will ever visit is not going to be representative of the overall market.

  24. All the FUN of AT&T's C and C++ by Anonymous Coward · · Score: 0

    At least 50% of these security issues would be eliminated by using a type-safe language. Algol had this in the 1970s. Then "benevolent" AT&T "gave C and Unix away for free". That very much killed off more robust languages such as Algol and Pascal.

    Here's the Greek Analogon:

    http://de.wikipedia.org/wiki/Danaergeschenk

    Here's my attempt to revive the robustness and efficiency of Algol:

    http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/manual.pdf?format=raw

  25. people developing web pages have to cope by Anonymous Coward · · Score: 0

    people developing web pages have to cope with the users using IE to view their page.

    That would be why your assertion is unsupported: "Why would anyone that deals with web development want to use a browser which has historically not followed standards ..."? Because users will use IE to view web pages they produce, therefore they need to check it works with IE.

    Unless the developers don't see many viewers of their pages using IE, in which case, they are reflecting the actual use of IE among the general populace as opposed to corporate intranets.

  26. USPS website changes require IE8 by Anonymous Coward · · Score: 0

    The USPS just revised their "print a shipping label" page to ship something via priority mail. The old forms worked fine. The new forms have all sorts of issues that prevent advancing to checkout. Their recent fix was to add "IE7 users must upgrade to IE8 to use this page" at the top.

    There was no mention of Firefox, Linux or Mac. Lotsa people are complaining about an inability to ship.

    Someone should be fired.

  27. Nope by Anonymous Coward · · Score: 0

    What of the fact that Internet Explorer was "built into" the Windows Operating System?

    IE was built "into" Windows to pull a fast one on the court, in US v. Microsoft (253 F.3d 34).

    They knew they were going to lose the case and be forced to offer other browsers in lieu of/in addition to IE, so in order to keep their browser exclusivity, they (quite unnecessarily) integrated a significant chunk of its code into system DLLs.

    Problem solved:

    MS: Yer honor, if we remove IE, then Windows itself won't work, because id10t.dll, pebkac.dll and diaf.dll all use IE code and are essential to Windows operation!! Also, IE is required for Windows to be used in a business environment because of the Maximum Throughput Serial Pipeline Bus.

    Court: (scratching head) Well, um (cough), it certainly looks that way. Prosecutor?

    Prosecutor: (blank stare) Oh, uh... the ... government withdraws

    Court: Case dismissed. Please tell Bill Gates that we're sorry we bothered him and please don't blow up our phones and drain our bank accounts with his bleep-bloop codes.

  28. Yup by Anonymous Coward · · Score: 0

    I love IE it's like a one night stand, I get home take my baby out of the box and fire it up and kick IE on for the first time. We have some drinks, some laughs, and maybe a trip to YouTube and once she's not looking I pistol whip her in the back of the head and run off with Firefox.

  29. IE is not a browser by symbolset · · Score: 1

    IE is an assortment of exploits flying in close formation.

    --
    Help stamp out iliturcy.
    1. Re:IE is not a browser by BlindBear · · Score: 1

      Perfect summary.

      --
      I prefer Classic Slashdot.