US and UK Governments Advise Avoiding Internet Explorer Until Bug Fixed
martiniturbide (1203660) writes "Reuters is reporting that 'The U.S. and UK governments on Monday advised computer users to consider using alternatives to Microsoft Corp's Internet Explorer browser until the company fixes a security flaw that hackers used to launch attacks.' The article states that 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system.'"
How are people going to download Firefox?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Downloading Mosaic as we speak!
Obliteracy: Words with explosions
And nothing of value was lost.
How many government employees have no choice but to use IE themselves?
you could have stopped after "explorer" and had just as valid a recommendation...
Just because you're paranoid doesn't mean they aren't out to get you
... Internet Explorer 8 is the only authorized browser that my workplace (a government agency) lets us use.
About three words too many.
Just in time for XP to go out of support for most people, now you get this 'well publicized' bug that won't get patched, in effect. I expect only the latest version of IE to be patched, which will NOT run on XP even if you wanted to.
---- Booth was a patriot ----
... avoid IE completely
that pesky Visual Basic in all those hack apps...
if this is supposed to be a new economy, how come they still want my old fashioned money?
I can't remember the last time I used IE(some version), seriously...I can't...must be like 8-10 years ago, or the numerous times I used a Windows computer...tried to follow an e-mail link that wanted me to use IE....when I denied it...just wanted to fire up my FireFox, so many times MS tried to force me to use IE, and I always ignored it because it never gave me what I want in the first place. Good riddance. RIP IE.
What this world is coming to - is for you and me to decide.
A 0-day for Adobe Flash was also patched today.
For some reason I had three different and separate updates I had to do to fix this:
1) Chrome automatically updated something and was running the latest version when I checked
2) The plugin that Firefox uses only seems to look for updates when I reboot. I found this guide to trigger the update manually, which basically then resulted in it just opening a browser window & making me download an update .exe.
3) Even after that, IE still reported running the older version. I ran Windows Update manually and discovered there was a separate patch in there for Flash for IE.
Pretty awesome.
a) Don't buy garbage, stuff that works only in a specific version of a specific browser.
b) 90%+ plus, you can just set the user agent header in Seamonkey, Firefox, or Chrome to SAY it's IE and things work just fine.
AC because my boss reads /.
My boss, in all his good business instincts and mostly great technical attributes, insists on installing Java and downgrading all computers to IE9 instead of going with 11. Now I know 11 had issues with compatibility from time to time, but I am hard pressed to believe that running IE9 with Java is a great way to stay virus free.
Then again, we are in the small business and home user repair market; maybe he is just trying to go for reoccurring client repairs.
could lead to "the complete compromise" of an affected system
= any browser that isn't Firefox+NoScript.
You can have my SIG when you pry it from my cold, dead hands.
Use your Android device to download the Firefox for Windows installer, then connect the device to your PC through USB. Or use a computer at a public library to download Firefox to a USB flash drive.
Is that Microsoft has already indicated that existing, fully-patched versions of IE 10 and 11 are immune to this attack if they have either a) activated Enhanced Security Configuration or b) installed EMET 4.1 or newer.
It's a little strange / odd that THAT little piece of information isn't getting included with most of the scare-mongering that's racing around the internet today... As for the XP idiots, wtf were people expecting?! -- Surely anyone with a brain would realise that malware producers would have been sitting on a cache of known vulnerabilities for the last half year or more KNOWING that after April 8th, legions of demonstrably idiotic XP users would be susceptible to such attacks FOREVER. How is anyone surprised that this kind of stuff would start cropping up after XP's end-of-life?
-AC
Couldn't they have just said "Don't use Internet Explorer, anytime, anywhere, ever?" That's so much easier.
You can dance if you want to.
Firefox or Chrome. Get either, install, don't ever go back, and suddenly 100 million viruses have no home. Seriously, how is it that people still use Internet Exploder? Crappy excuses like "oh my company needz it so bad, just so bad" means the people running the company don't have enough of a clue to run a company.
"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds."
But don't confuse that with recommending not to use the browser.
Be in no doubt, Microsoft riddles their products with purposely coded exploits for the NSA, GCHQ and friends. At some point, an exploit (usually via Israeli Intelligence agents leaking knowledge of the hole, for profit, to their 'friends' in Ukrainian cyber-crime gangs) starts seeing use outside the West's intelligence community. Then, if the exploit is 'useful' enough, it becomes the tool of the dumber/down-market criminals and plain, outright vandals, at which time Microsoft issues a patch to close their hole (and introduce a bunch of new replacement holes, starting the cycle all over again).
There are programming practices that are forbidden at Microsoft, because they would limit the ability to exploit the OS and applications. Windows, especially Windows 8, is utterly broken by design. However, sadly, we have all recently seen how well the NSA can use its agents to build just-as-bad exploits into open-source solutions as well.
The NSA, GCHQ, and the Eugenicist Bill Gates, are a cancer on Human society. Gates' inBloom database system (developed in partnership with Rupert 'Fox News' Murdoch) was designed to track every aspect of every child's life in the USA. Gates has moved the inBloom project to the NSA FULL SURVEILLANCE computer facilities, and inBloom now draws its primary sources of data from NSA spying on computer systems used by individual schools (obviously, this is most straightforward and complete when schools use the fully compromised 'cloud' services to hold their private records).
At the same time, Bill Gates had his people issue LYING press releases describing how inBloom was being killed off. One can now assume the initial public nature of inBloom was a carefully devised strategy designed by Gates to 'prove' to senior politicians that such obscene spying MUST be done by the NSA in secret, to avoid public backlash.
What is the recommended free browser to install on an old XP machine, preferably along with an IE-like skin for the older generation?
Of course, it is a bit dated, and some of the bits may be rusty.
You are being MICROattacked, from various angles, in a SOFT manner.
> When your employer chose to adopt one
If your employer did that before you arrived, or over your strong objections, then you followed my advice - you didn't buy garbage. Unfortunately someone else did.
However, I've dealt with a few different businesses and can't think of such a situation where all three leading solutions are ActiveX / IE only. I can think of one where for the GUI, you had to choose between ActiveX, Java, or a local client. A network CLI was also available. I'm curious what case you have in mind?
If I did run into a theoretical situation where a critical piece of software would rely on ActiveX, and therefore put the enterprise at the mercy of changing IE versions, I'd look at the broader picture and evaluate the business processes that are setting up that risk.
Not the FULL story, but quite complete: Microsoft Windows XP "end of life": What to do?. Short version: Microsoft makes more money if there are more vulnerabilities.
I'm sorry you got fucked. To avoid putting yourself in that situation again, you might want to do two things. First, recognise that vendor lock-in is a risk to the enterprise, and that risk has an accountable cost. When you choose to be locked into TWO vendors, the software vendor AND a supported version of IE, your risk is the multiple of two components.
Secondly, when you find yourself in a situation where such a risk seems unavoidable, broaden your perspective to look at the business processes that create that context. Perhaps there is no acceptable software that meets the defined requirements. In that case, you can take another look at the requirements from a broader enterprise perspective.
As you may know, I've been running businesses for 25 years, and we've NEVER put ourselves in the position of sole-vendor risk like that. It takes forethought, but it absolutely is possible to avoid that situation.
playing my heart bleeds for you.
Inheritance is the sincerest form of nepotism.
Now try building almost an entire computer out of one kind of logic gate and a $#!+ ton of wires. But it still won't help you get on the Internet.
I don't allow Internet explorer to run, nor have I since Win 3.x. To do so is an equivalent of Russian roulette, it may be good today, but tomorrow it's in the news for a hack out a week ago.
My first use of IE was to log on to Microsoft. I went to the downloads, found a game that sounded good and downloaded it. Only it didn't download, it started installing itself; I unplugged the computer.
It went against everything I saw as safe hex. I know now it was due to ActiveX, another bad news MS creation.
I went to Netscape, then to Opera (neither run ActiveX) - Now I guess FireFox as Opera has stepped out.
I use Winpatrol and disable all ActiveX (but two that are required for a game I play (for features I don't use)). My firewall is set to block IE (first thing I do), it will load but it can't cause any damage.
Just avoid Internet Explorer all the time.
I am anarch of all I survey.
The UK Government mandated IE as the browser du jour for accessing their bloody websites.
Does this advisory from the U.S. and UK governments extend to finding alternative operating systems to Microsoft Windows, as the IE browser is basically the File Explorer amongst other things?
Browse in a VM
I think it's clear Microsoft made some huge mistakes with XP. From doing an extended support cycle to appease cheap enterprise and governments from having to upgrade and because they allowed XP to be installed in the first netbooks which ended up being flops anyway.
Now of course they take heat for not supporting a patch for IE on XP. Maybe the constant nagging of end of support for a year was not enough?
Eventually support ends on everything. Get over it and move on.
Fix on XP or I will never buy another Microsoft product.
I noticed that US-CERT changed its site. It said "the complete compromise", but now the web site says "could allow unauthorized remote code execution."
It said "US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.", now it says "US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser."
Check the Google cache versus the actual site.
"Note that this vulnerability is being exploited in the wild. Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible."
Just open up IE to filezilla, download, install, and you're done. Simple.
I'm no computer geek, but I have a difficult time grasping why someone can't come up with an invulnerable and secure web browser. One would think that after a quarter century of computer coding and the WWW that someone would realize all potential vulnerabilities and devise a simple and secure code to use. Perhaps it would entail redesigning the infrastructure or whatever.
Internet Explorer as used by most Windows users is totally unnecessary
have agreed
Please seek an alternative Operating System to Windows as IE is part of the system/file explorer, help system, after the monopoly commission issues.