Slashdot Mirror


Microsoft's IE Is the Most Targeted Application By Security Researchers

darthcamaro writes "Though Microsoft hasn't yet patched its Internet Explorer web browser in 2014, it did patch IE at least once every month in 2013. According to HP's 2013 Cyber Risk Report, more researchers tried to sell IE vulnerabilities than any other product vulnerability. 'IE is the most prevalent browser on the systems that attackers want to compromise' said Jacob West, CTO of HP's Enterprise Security Group."

20 of 96 comments

  1. Bear in mind by Big+Hairy+Ian · · Score: 4, Insightful

    IE is such a piece of crap to start with and that most users use it because it's there by default and they don't know any better (Which is a security issue in itself). Of course most Hac**** sorry I mean security researchers are targeting MS & IE. Just wait for MS to die off then we'll see them targeting Apple, Android and whoever the next big thing is.

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Bear in mind by Anonymous Coward · · Score: 2, Interesting

      Just wait for MS to die off

      You may not have to wait too long.

      The news is full of stories suggesting that investors want to break Microsoft up.

      Microsoft's new leadership could almost double the company's valuation by parting with a good chunk of the businesses it uses to court consumers.
      Jettisoning units such as Xbox video-game consoles and the Bing search engine may be the change Microsoft needs to rejuvenate growth as it prepares to make Satya Nadella chief executive, said Schwartz Investment Counsel, which owns Microsoft shares. The world's biggest software maker should go further by also splitting off Windows and smartphones to focus on providing services to business customers, said Stifel Financial.

      http://www.theage.com.au/it-pr...

      Of course Slashdot won't discuss this, because they're paid not to.

    2. Re:Bear in mind by glavenoid · · Score: 5, Informative

      Not having used IE since ver 7 I was really surprised that IE 10 and 11 are actually decent enough to use for a while when some firefox or chrome update breaks shit, but it still has its fair share of annoyances. Please allow me to enumerate a few of my annoyances with IE 11:

      1. You can block flash fairly easily, but only on a site-by-site basis, and once you whitelist a site you can't remove it without removing *every other site* you've whitelisted. C'mon IE, I only want to allow flash to watch some stupid video on this site this one time...

      1.a Oh yeah, flash is baked in to the browser now, but it seems to be a shitty version that stutters on streaming videos making it a crapshoot whether or not it'll be watchable.

      2. There is a built-in tracking/ad blocker but again, there's no fine-grained control without really dicking around with some ... file.. somewhere. IOW it's not intuitive and it's very difficult to whitelist a particular site's ads without fucking IE's whole ad blocking program.

      3. IE finally renders shit correctly, uhh, except for all the "legacy" shit that was built with workarounds for older versions of IE, like e.g. vBulletin.. And I don't "get" IE well enough to tell it how to tell the site to STFU and give me the firefox version (which renders correctly in IE BTW) since IE doesn't seem to like to play nice with user-agent strings outside of its archaic F12 devtools..

      4. Fucking font rendering SUCKS. Microsoft took an enormous step backwards with their font renderer in windows 8/8.1 and it really shows in IE.

      5. IE is now reliable at recovering the pages when it crashes, which is good 'cause it crashes a lot.

      I'd like to interject that I sometimes use and enjoy IE now, but I just need to get this off my chest.

      6. Private browsing is good, unless you want to have 2 or more private browsers open on the same site like e.g. two or more gmail accounts open simultaneously, which you can't do because the cookies are shared amongst them... Well, you can if you have one open in the standard IE and the other in private mode, BUT NO MORE.

      7. it's finally reasonably secure, or at least the competition is now equally insecure.

      Any more I don't choose a browser because it has features I like, I choose a browser because the competition has pissed me off, and it's an arms race to see which one can get to the bottom first... Firefox is shitty, chrome is shitty, IE is shitty but which one is going to piss me off the most today?

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
    3. Re:Bear in mind by RabidReindeer · · Score: 3, Insightful

      IE is - so Microsoft alleged in the anti-trust trials - "An Integral Part of Microsoft Windows".

      There is absolutely no (technical) reason why this should be, based on the success of competing browsers, but the mere act of close-coupling it with the OS means that there are more ways that exploits to the browser can be converted into exploits for the OS.

      And, since it does come bundled directly with Windows, you can depend on people who either aren't technically-savvy enough or are simply too lazy to take the extra effort needed to secure their systems as IE users.

      So in many ways, IE is the ideal target.

    4. Re:Bear in mind by SuperDre · · Score: 2

      IE isn't a piece of crap, not more than any other browser (most other browsers have more security holes these days than IE has, especially due to situations like this). You're nothing but a troller who only thinks the browser he/she's using is the most secure and best browser around, well think again..
      Developing a secure browser is one hell of a job, especially with freaky hackers who can think up stuff you never ever would have thought up and thought it was secure as hell.. What seems secure by design today can be one big sinkhole tomorrow...

    5. Re:Bear in mind by gigne · · Score: 3, Insightful

      Hey, thanks. What you did there is the browser equivalent of leaving a bag of burning dogshit on my doorstep.

      Opera took a serious wrong turn recently

      --
      Signature v3.0, now with 42% less memory usage.
    6. Re:Bear in mind by glavenoid · · Score: 2

      Although that worked in IE 10, Microsoft, in their infinite wisdom, nerfed that feature in some IE 11 update and AFAIK they haven't surreptitiously added it back yet.

      --
      I, for one, am looking forward to the inevitable /. beta rollout fallout.
  2. Re:But, we just said no one use IE? by Opportunist · · Score: 4, Insightful

    You needn't use IE for it to be useful to attackers. It is the one thing present on EVERY SINGLE system running an OS from MS, and it is the one single thing on every MS OS operated PC that is not only well suited to making connections via internet but also the one that the MS firewall routinely allows to in the default setting.

    The good old "we send the user a bogus EXE in mail" isn't really good anymore because of the MS firewall and UAC. Works like a charm, though, with a bogus script abusing an IE vulnerability since IE is considered a "trusted" application by default.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Give credit where it's due by Viol8 · · Score: 4, Insightful

    The low level coders on the IE team did a good job with graphics performance in IE9. Don't tar them with the same brush as the idiot management/marketing layer who think fancy features and bloat are more important than building a secure product from the ground up to start with (and I'm talking about the browser and OS)

    1. Re:Give credit where it's due by Big+Hairy+Ian · · Score: 2

      At least from IE9 onwards (OK and IE8 a bit) they started to notice that standards are a good thing

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:Give credit where it's due by ibwolf · · Score: 4, Insightful

      At least from IE9 onwards (OK and IE8 a bit) they started to notice that standards are a good thing

      No, they just stopped being able to ignore standards due to their shrinking market share.

  4. Re:But, we just said no one use IE? by Gunboat_Diplomat · · Score: 2

    You needn't use IE for it to be useful to attackers. It is the one thing present on EVERY SINGLE system running an OS from MS, and it is the one single thing on every MS OS operated PC that is not only well suited to making connections via internet but also the one that the MS firewall routinely allows to in the default setting.

    The good old "we send the user a bogus EXE in mail" isn't really good anymore because of the MS firewall and UAC. Works like a charm, though, with a bogus script abusing an IE vulnerability since IE is considered a "trusted" application by default.

    IE is by default running in protected mode, a significantly less trusted zone than the user. If you already have a script running on the user system you already have higher privileges and less sandboxing than if you try to hand it off to IE.

  5. "Security researchers" by jones_supa · · Score: 4, Insightful

    Ha. I always cringe when black hat crackers are called "security researchers". That's not research, it's malicious destroying of other people's systems and data.

    1. Re:"Security researchers" by Richard_at_work · · Score: 2

      Yup, if they are trying to sell the vulnerabilities then they are not researchers at all, but scum.

      Calling them researchers is Slashdot's way of making them out to be the good guys.

    2. Re:"Security researchers" by Viol8 · · Score: 2

      What you have to remember about crackers whether black or white hat is that while they're usually highly intelligent, they're also still mentally rather juvenile. Being called a "researcher" gives these immature basement dwelling mushrooms the gravitas they'd otherwise never achieve.

  6. Sell Xbox unit??? by Viol8 · · Score: 3, Insightful

    Yeah, great idea - sell one of the units making a profit!

    Typical short term hedge fund approach to companies - earn us some money now by selling off collateral then we'll dump your shares before they tank. Fucking parasites.

    1. Re:Sell Xbox unit??? by isorox · · Score: 2

      Typical short term hedge fund approach to companies - earn us some money now by selling off collateral then we'll dump your shares before they tank. Fucking parasites.

      Noo, you're wrong. Liquidity! Trickle Down! Hookers!

  7. Re:But, we just said no one use IE? by dbIII · · Score: 2

    Which is pretty much moot in the malware swamp. It's like using insect repellent to scare off alligators instead of going in bare.

  8. Other shock revelations..... by BestNicksRTaken · · Score: 2

    ...from the feckingobvious department, that yellow disc in the sky is the sun. Slow news day or something guys?

    --
    #include <sig.h>
  9. Re:IE needs a "No Script" add-in! by tripleevenfall · · Score: 2

    Going back to what the summary says, IE is usually present on the systems _that haxors want to compromise_.

    Corporate machines, which have IE because they are chained to legacy systems that once required it.

    Corporate machines, where access is available to much more valuable data than some grandma's Hotmail password.