New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

why are they taking so long?

[wulper]

this IS a critical bug... onehundredandeighty days... 180 zero days. why? MS wants to drive up marketshare of competing browsers incompetence? MS employees acitvely exploiting the bug?

Re:why are they taking so long?

[wulper]

that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

Re:why are they taking so long?

[Billly+Gates]

Because it's from Ms.

And what a great way to force users to upgrade

Re:why are they taking so long?

[Jumunquo]

From ZDI advisory:
Vendor Contact Timeline:
10/11/2013 - Case disclosed to vendor
02/10/2014 - Vendor confirmed reproduction
04/09/2014 - Original predicted disclosure (180 days)
05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
05/21/2014 - ZDI publicly disclosed

Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

Re:why are they taking so long?

[Billly+Gates]

that's was a rethorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certicates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

Re:why are they taking so long?

You forgot to add to your timeline:

4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

Re:why are they taking so long?

So, the relevant parties within HP are going to be pursued by the Justice Department just like weev?

Right?

Re:why are they taking so long?

This is quite the contest.

http://www.ning.spruz.com/pt/Pwn2Own-is-a-computer-hacking-contest.5-21-2014/wiki.htm

Re:why are they taking so long?

Because you can fix it by updating to IE 9. Or IE 10. Or IE 11.

Re:why are they taking so long?

Except under (now unsupported) Windows XP, which Microsoft really wants people to stop using anyway...go figure.

Re: why are they taking so long?

[MotherErich]

Why is anyone still using IE8?

Re:why are they taking so long?

[Skarjak]

To think that my last comment on how there was no reason to use IE in this day and age got modded as flamebait...

Re:why are they taking so long?

Microsoft has gone above and beyond the call of duty supporting that ancient OS. Anyone who is unwilling to get with the times, either by upgrading to a newer version of Windows or by switching to another modern OS, deserves everything that they get.

Re:why are they taking so long?

[BradMajors]

Computers that are still running XP almost certainly can not be upgraded to Windows 7 or 8 because they have additional hardware requirements. Microsoft has failed their customers by not providing a way to upgrade their software and forcing them to stay with XP.

Re:why are they taking so long?

Learn to read.

Anyone who is unwilling to get with the times, either by upgrading to a newer version of Windows or by switching to another modern OS

Also, the Windows 8 system requirements:

1GHz CPU
1GB RAM
16GB hard disk space
DirectX 9 compatible video card

How many computers out there right now do you think fall below those specs? Did you also whine about not being able to run Windows XP on a 386 with 4MB RAM?

Re:why are they taking so long?

[lennier1]

The NSA probably wanted more time to exploit it.

Re:why are they taking so long?

[wulper]

surely anybody who hasn't updated ie8 until now probably won't install a patch when it comes out either. I didn't think about that.

Re:why are they taking so long?

[DrXym]

XP was supported for 13 years. A pretty generous term by any measure. At some point a line has to be drawn and further issues should be ignored.

Re:why are they taking so long?

Microsoft was still heavily pushing Windows XP for netbooks in 2009.
So make that not even 5 years.

Re:why are they taking so long?

You don't end support for a product that has millions of users. Especially when most of those users are small businesses that might not be able to afford upgrades all in one shot.

Re:why are they taking so long?

[DrXym]

Says who? Other operating systems including popular dists of Linux have well defined end of lifes on their products. Why should Microsoft be expected to support their product indefinitely?

Re:why are they taking so long?

XP was still available on netbooks in 2010/2011.

Re:why are they taking so long?

[hairyfeet]

Or maybe its the fact that the only one this really affects is Windows XP and since XP is EOL there is no point? Vista has IE 9, the rest can upgrade to current so the only version of Windows stuck with IE 8 is XP. I'm sorry but if you are surfing the net with a 13 year old OS? Then you deserve what you get, after all nobody would expect a 13 year old copy of Debian or OSX to get patches so why should Windows?

Re:why are they taking so long?

You don't end support for a product that has millions of users. Especially when most of those users are small businesses that might not be able to afford upgrades all in one shot.

Those millions of users should have listened and gotten the fuck off their wallet. It's not like EOL was a secret.

And we no longer live in the era of companies leasing desktop systems because they cost so much to buy in the first place, so that's a rather weak excuse too.

Re:why are they taking so long?

The NSA has paid them to keep it open????

Re:why are they taking so long?

Also, the Windows 8 system requirements:

1GHz CPU
1GB RAM
16GB hard disk space
DirectX 9 compatible video card

How many computers out there right now do you think fall below those specs? Did you also whine about not being able to run Windows XP on a 386 with 4MB RAM?

Those requirements make no sense. They're also not complete. According to MS, the CPU also needs to support SSE2, PAE, and NX. The only 1GHz CPUs that I know of that support SSE2 are the Via Nano, Transmeta Efficeon, and a few early Atoms. Not exactly common processors in desktop computers that would be running XP. (The common desktop processors that were 1 GHz were PIIIs, which don't support SSE2.)
On top of that, the Via Nano Wikipedia page has no mention of NX, or PAE, which probably means this one is out.

The Transmeta supports NX with CMS 6.0.4 or newer. I'm no expert on Transmeta architecture, but it sounds like, from Wikipedia, that CMS is a software or firmware layer that translates x86 into VLIW used by the Transmeta processor.

Having said that, I'm typing this on Windows 7 Home Basic (non-Aero) on an Atom 1.6 GHz with 2GB RAM, and it's not quick. I certainly wouldn't want to move to Windows 8 on this machine, even though it beats the requirements by 60% in processor speed, and 100% in memory.

Re:why are they taking so long?

[toddestan]

This issue was disclosed to Microsoft while XP still had almost six months of support left. They should have fixed it, not let it go figuring by the time it was disclosed publicly XP would be out of support.

Though the funny thing is, Microsoft is still on the hook to fix it as they still support IE8 on other versions of Windows, including (off the top of my head) Server 2003 and Vista.

Re:why are they taking so long?

They make perfect sense. There is a baseline of what will work and that is it. Practically any P4 can run Windows 8 very well.

Enough already

I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

Re:Enough already

[CFBMoo1]

I installed an HP Dodo Rockjet Printer with my abacus and the stone tablet prints are really nice quality. Wilma really likes it as well and she prints out all her pictures to it.

Re:Enough already

[jones_supa]

You can buy a cheap dodo printer, but the hidden costs are in the crackers, which you need to acquire to keep the printer running. A bag of crackers costs more than the dodo.

Re:Enough already

[Black+LED]

Just wait until some hacker starts drawing images of gaping anuses and penises on your Etch-a-Sketch.

0day can happen to anybody

0day can happen to anybody

October?!

[anarkhos]

Can't Balmer spare any developers developers developers?

Re:October?!

Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo!

Re:October?!

[sjames]

I think they're all lost in the poppies, poppies, poppies!

uhh, it's not 'new'

if microsoft has been sitting on the bug report for six fucking months.. it's an old and ignored bug, certainly not 'new'... although since it's 'out there' now, there will be 'new' malware that utilizes it.

IE EIGHT?

[PopeRatzo]

Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

Re:IE EIGHT?

11 actually. My company just dropped IE8 support last month finally. We're one of the last ones to do so, as well.

This is like someone harping on Mozilla for a zero-day found in FireFox 2.0. That's how old IE8 is.

Re:IE EIGHT?

[xlsior]

Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

Re:IE EIGHT?

Right. And the other $500 for the other puter'. oh, and the $300 for the app upgrades. Oh, and the $100 for a printer that has drivers. Or, M$oft, you could just patch what's broke for the common good. Eventually all good chipsets come to an end, and they move off. But until then...

Re:IE EIGHT?

Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

Doesn't much matter. It's been a crappy, insecure browser as long as it has existed.

Re:IE EIGHT?

...or you could just upgrade for the common good, Typhoid Mary. Your shit computer is obsolete, and that's not Microsoft's fault. Do you demand that the dealership stock free parts and provide free repairs for your 15-year-old Geo Metro?

Re:IE EIGHT?

[msobkow]

So use Firefox or Chrome. No big deal.

Re:IE EIGHT?

[xlsior]

So use Firefox or Chrome. No big deal.

Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.

Re:IE EIGHT?

Some enterprise products embed portions of IE for use of rendering various document types instead of writing their own engine or using an available OSS equivalent. The problem with that is you end up with having to upgrade those enterprise products to a version that doesn't break when you upgrade from IE8 to something newer. We have just such a problem where I work now. We haven't upgrade the enterprise product (which I will not divulge) holding us back, because the newer versions of the product do not perform as good as the old product, and we've been waiting for the vendor to fix this in the next release (who knows when that will be). The performance is so horrible, it's just not acceptable, and I'm not sure how anyone else uses this product outside of Citrix let alone inside Citrix. So we have a Citrix environment based on Server 2008R2 which we _should_ be running IE11, but have to stay on IE8 until this last piece of the enterprise puzzle has been upgraded.

Re:IE EIGHT?

[blindseer]

Bad car analogy. Software fixes don't take up warehouse space like auto parts, and the incremental cost to patch another computer is so close to zero that computing it be pointless.

At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

At work we have CNC machines that run XP. They use serial and/or parallel ports to talk to the computer. The software that runs everything is one of a kind. Replacing all of that would cost tens of thousands of dollars that we don't have. They are behind a firewall to keep the shop workers from surfing porn on the computers but the system has to have some access to the internet for some functions.

Microsoft might want to consider extending support for XP because if we cannot get what we need from Microsoft I might be asked for alternatives from the people that run the shop. Considering the cost of Microsoft products I will offer solutions to the powers that be that do not include Microsoft. You may not be bothered by that. I won't be bothered by that. Microsoft should be bothered by this if they are not already.

At work Windows 7 is tolerated. Windows 8 and Vista makes the boss's eye twitch, the GUI bothers him as does the price. No XP could mean no Windows. I'm the new guy on the crew and I'd be happy to suggest Macintosh and Linux solutions. With this coming up my recommendation may come up today. If Microsoft doesn't mind our getting Apples instead of Dells then all is well. If Microsoft wants our money then they will produce a fix so we can keep going.

I'm talking 100+ desktops running XP. If Microsoft says we need to buy Vista or 8.1 to fix our problems then we must look at alternatives. That might mean replacing the Server 2003 systems too. I imagine we are not unique. Microsoft can patch this and keep our business, or not and lose our business.

I'm not demanding they provide a fix, just showing the problems they have if they don't.

Re:IE EIGHT?

[reikae]

Will switching to Macs solve the problem though? I was under the impression that Apple supports old OS X versions for a shorter period than Microsoft supports old versions of Windows. Snow Leopard was released in 2009, XP SP3 in 2008. According to Wikipedia Snow Leopard isn't supported anymore, let alone anything released in 2001 when XP first came out.

With a libre software solution you would have the option to pay someone to backport security fixes so you could run the current versions for a long time, but I guess this would be too expensive to do properly.

Re:IE EIGHT?

one Win8.1 license costs approx. 100€ an lasts till 2023, that's less than an euro per month.

Are your bosses so cheap that they can't invest this?

With linux and mac you won't have active directory, so central configuration of the machines is a PITA (or at least expensive in man-hours until it works right), but as always these are costs management won't see. In german those are calles "ehda"-costs (because the one doing them is "eh da" (already here)).

Re:IE EIGHT?

[Lennie]

The right answer is:

Stop using IE on Windows XP, use Firefox or Chrome, they get updates.

Or better yet: stop using Windows XP.

Re:IE EIGHT?

[Lennie]

Scrap that, if you read the advisory they mention turn off ActiveX.

So basically, it's an ActiveX exploit, so turn that off.

Re:IE EIGHT?

[LordSnooty]

The car analogy would work if MS were forced to release the source code once their support ends. That's how an old car would be dealt with - parts from the manufacturer until they stop making them, meaning a third party can step in and make the parts if there is a demand for them. the 'open' nature of a car allows this to happen. An open-source OS also permits this. A closed-source OS is different.

Re:IE EIGHT?

That seems as economically prudent as refusing to change the oil in your car until it dies.

Re:IE EIGHT?

[chuckugly]

At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

At work we have CNC machines that run XP.

And on those machines you surf the WWW using IE?

Re:IE EIGHT?

> Microsoft can patch this and keep our business, or not and lose our business.

I'm not sure I understand what you mean by "lose your business" if you're already committed to never upgrading your 100+ desktops. Microsoft only gets to keep you as a "customer" provided they don't ask you to pay for their services?

> Apples instead of Dells

Get the Dells. You can buy 10 copies of Windows 8 for each one, for the same price.

Re:IE EIGHT?

Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well,

Well, I'm safe - I use IE6 on XP!!!!!!

Re:IE EIGHT?

If Microsoft doesn't mind our getting Apples instead of Dells then all is well. If Microsoft wants our money then they will produce a fix so we can keep going.

You don't seem to be buying anything new from them, so why should they care what you do, one way or the other?

Re:IE EIGHT?

[blindseer]

If we switch away from Microsoft then we're not likely to ever switch back. Perhaps their next version of Windows won't suck as bad as 8.x and we upgrade then.

Re:IE EIGHT?

[blindseer]

And on those machines you surf the WWW using IE?

At home, yes. I'll surf the web for answers to questions that pop into my head with whatever computer I happen to be using at the time. With IE being the default browser then it tends to get used. Even if I install a different browser the IE engine is so intertwined with the OS that other software will use it for things like help files.

At work the people will use those computers for all kinds of crazy things. The primary use is for running the equipment but they'll use them to check e-mail or whatever, and the IE engine tends to be used to render HTML formatted messages.

Re:IE EIGHT?

[blindseer]

The bosses won't invest in Windows 8.1 because it has a really bad UI. They don't like how it looks and works so they are going to stick with Windows 7 and XP as long as possible. Microsoft dropping support for XP and offering 8.1 as a replacement is not going over very well. It sounds like if they have to give up XP because of lack of support then they'd consider Linux or Apple rather than going to Windows 8.1 because the UI is just that bad.

Re:IE EIGHT?

[blindseer]

Right now our choices are, keep XP, move to Windows 8.1, or choose an OS that Microsoft does not make. Only one person at work has asked for Windows 8, everyone else wants XP or 7. For a variety of reasons Windows 8 is not an option for widespread adoption. If Microsoft removes the choice to keep XP then the choice to move to something not made by Microsoft becomes that much easier.

Even though the desktops may stay on Windows XP there are still servers that need to be upgraded. We can move the Server 2003 boxes to Server 2008 or Server 2012 so long as XP stays. If we can't keep XP then the servers might move to Linux or Apple. Once we break that barrier to an OS not made by Microsoft then moving the next server or desktop to something other than Microsoft gets easier.

If we can't keep using IE on the computers because of security issues then we'll probably use Chrome instead. Once people get used to Chrome then moving to some other operating system that runs Chrome becomes easier. Outlook uses the IE engine to render HTML messages, if IE is broken then so is Outlook. If we can't use Outlook then we'll use something else. If people aren't using Outlook then do we need to run Exchange Server anymore? No.

AutoCAD runs on Mac OSX just as well as Windows, we can switch. Same goes for anything offered by Adobe. Microsoft Office runs on Windows and Mac OS X. So long as Office runs on XP we'll keep using it. If we make that leap to Apple systems then how long will we keep running Microsoft Office? Maybe once we switch the OS we might decide to switch our word processors and spreadsheets too. Maybe not.

The longer we can run XP the longer it makes sense to keep the other Microsoft products. If whatever version of Windows that follows 8.1 does not suck as bad then we might buy that one. It does not sound like we'll ever switch to Windows 8, it's just that bad. If Microsoft decides to force a choice out of us they might not like what we choose.

Re:IE EIGHT?

[chuckugly]

Machines used for MMI are connected to the internet? I think I see what we like to call a root cause here.

Re:IE EIGHT?

[blindseer]

I had the same question. The response I got was that the software license control system needed an internet connection. Locking the network down wasn't really a big issue to worry about. Having internet access meant security updates could be installed easily, meaning the systems were arguably more secure because of the internet access. Loss of security updates from Microsoft changes that obviously.

Doesn't matter what OS or browser you use

Face it: There's an element of risk online. Has been for decades. You take your chances. You also take risks like it everyday (driving an automoble for Pete's sake - so let's be realistic here). Just learn to be cautious on how to use any of them more safely.

APK

P.S.=> Use this or the resultant file from it to aid in doing so (it works for added speed, security, reliability, & even anonymity) -> APK Hosts File Engine 9.0++ 32/64-bit: http://start64.com/index.php?o...

... apk

Re:Doesn't matter what OS or browser you use

I gave it a shot in a VM, and my DNS client service takes 10 seconds to start. It also consumes about 80 MB of RAM according to Process Explorer. That's 10 times more than the entire svchost container it runs in consumes without the gigantic hosts file.

I think if you're going to use APK's hosts file, you should run it on an upstream DNS server on your network. This kills a single Windows PC. I don't think the DNS service was designed for such a large hosts file.

JC

PS => Maybe a dedicated linux box running DNS with this hosts file would be good for your network. ... jc

IE8 Last for Windows XP

[BBCWatcher]

Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

Re:IE8 Last for Windows XP

[cavreader]

Oh by all means lets get the government bureaucrats involved in policing software security. What could possibly go wrong? Stop looking to the government to protect you and start taking some responsibility for your own actions. You want guaranteed online security then just unplug your network cable because that is the only thing that will make you 100% secure from online attacks. There is not a browser on the market that doesn't have exploitable flaws if you really smart, motivated, and look hard enough. But alas even unplugging can be circumvented by simply inserting a USB drive of questionable origin into your system. Stuxnext infected the Iranian system using an infected USB drive in combination with the good ole sneaker net. If unplugging is not practical for you then you can start paying attention and stop clicking on links in the unsolicited e-mails you receive. Make sure your computer has a properly configured firewall. Use script inhibiting add-ons for your browser. Make sure your user accounts are properly privileged instead of running everything as an administrator. Setup a proxy if you want to make it harder for someone looking to infringe your anonymity. Even these precautions can be circumvented by falling for online social engineering attacks. Which by the way is the primary vector used today for bootstrapping malware.

Re:IE8 Last for Windows XP

[The+Cisco+Kid]

Or people could just quit using this crap.

Re:IE8 Last for Windows XP

[AmiMoJo]

You would be crazy to run IE8 on XP anyway. A vulnerability like this on Vista or later wouldn't be such a big deal because IE runs with low permissions, so the arbitrary code can't do much other than screw with IE itself. DEP probably mitigates it a lot too.

XP is fucked from a security point of view. Sorry, but it just is, and we need to move past it.

Re:IE8 Last for Windows XP

[gradinaruvasile]

Well there are plenty user-level malware programs out there - typycally ransomware run with user level privileges (admin is a bonus, but to screw up the current user, its not necessary). For example, cryptolocker can work without administrative permissions too since it messes up your personal files.

Re:IE8 Last for Windows XP

[toddestan]

The stupid thing is that it's not really a Windows XP exploit. It's an IE8 exploit, which Microsoft still supports on other versions of Windows such as Server 2003 and Vista. So Microsoft is still on the hook to fix it anyway, so it's not like they gained a whole lot by dragging their feet on this.

Do NOT use MIcrosoft products

They give NSA all of their backdoors months in advance. Do not use Microsoft products!

Who thinks we are really safe today online?

[0x537461746943]

It is really a sad state that computer systems are in nowadays. Every year multiple vulnerabilities are published showing how easy it is for someone to find critical vulnerabilities in software used every day by citizens and government officials. I bet the NSA is into Chinese government systems and China already has access to american government systems. The underground hacker/criminal scene certainly already has access to corporate and government systems too if you think about how many vulnerabilities are found every year and the underground market to sell not yet published vulnerabilities. Obviously not only the good guys who publish the vulnerabilities find vulnerabilities. I wonder what the ratio is but I bet the good guys don't have that much of a lead. Maybe we are going about this wrong and instead of making people think they are secure they should assume all governments are not secure. This would bring about a cold war. China won't critically bring down American government systems because they know that America would just do the same to them :). With articles being published that show that the NSA is putting trojan software in exported systems you can certainly bet that other countries are doing the same. Are you sure that USB drive you ordered from China is only a USB drive? We need a revolution in computing when it comes to security. While we have seen improvements in security over the years we don't seem any closer to solving security issues than we were 10 years ago when it comes to the apps that every day users use.

Re:Who thinks we are really safe today online?

"Are you sure that USB drive you ordered from China is only a USB drive?"

Yes, honey, the package I received today was a Chinese made USB drive.

(snickers) "It was a Fleshlight!"

American Date Format

[labnet]

American Date Format :DIE Already!!!!!!!!!!!
American Imperial Units: DIE Already!!!!!!!!!!
American Imperialism : .....[shhh the nsa is listening]

Re:American Date Format

[PsychoSlashDot]

American Date Format :DIE Already!!!!!!!!!!!

Sorry, but as a non-American I have to admit I find that date format the most comfortable. Things are likely different globally, but here people tend to say "May 10th, 2014" much more often than "the 10th of May, 2014". Adding two bonus words so you can satisfy some "most granular to least granular" fetish doesn't fit.

For instance, the catastrophe that happened in the US over a decade ago is called "September 11th", not "the 11th of September".

Frankly I'd be okay with a compromise... 10(5)14 is May 10th, 2014 or the 10th of May, 2014. But as long as everyone insists on using commas, DMY will never have my vote.

Re:American Date Format

American Date Format :DIE Already!!!!!!!!!!!

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

• 2013/10/11 - Case disclosed to vendor
• 2014/02/10 - Vendor confirmed reproduction
• 2014/04/09 - Original predicted disclosure (180 days)
• 2014/05/08 - ZDI notified the vendor of the intent to publicly disclose
• 2014/05/21 - ZDI publicly disclosed

But, otherwise, I don't really see the point.

Re:American Date Format

[harperska]

Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

Re:American Date Format

[bill_mcgonigle]

I speak in the American format and write in the ISO format. To me they're the best of breed, one for spoken communication, one for written. But don't forget that we're surrounded by OCD-ish folks (like the GP) who are so crazy-obsessed with EvEnNeSs. I did that last one just to piss them off.

Re:American Date Format

[QuasiSteve]

Remember, Remember, November 5th.

This day, July 4th, is our Independence Day.

Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

Re:American Date Format

I work in engineering that needs drawings used by different countries, so I do 10MAY2014, 05APR2014 and so on

Re:American Date Format

Even the Brits do it though! See 7/7

Re:American Date Format

[Dynedain]

Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

Re:American Date Format

[compro01]

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

That's what ISO 8601 specifies. YYYY-MM-DD.

Re:American Date Format

[Megane]

Right on, and fuck the European date format too. YYYY-MM-DD 4evah!

Re:American Date Format

Spelling out the month and using a 4 digit year is my favorite also.

Re:American Date Format

[Antonovich]

And you are a non-American (as in the continents) native speaker of English? I'm from NZ and it's the other way round, or at least was until I left 10 years ago... The "dialect" has undergone very strong Americanisation over the last few decades though. Your "for instance" is also a little ridiculous - a non-American would never say "nine eleven" meaning "the eleventh of September" (or even "eleven nine"). I also can't remember anyone ever saying "September eleventh" but plenty of people saying "September eleven" regarding the attacks on the WTC. The "nine eleven" term has a much stronger relation to the actual date for Americans (US-only?) than it does for non-Americans.

Re:American Date Format

[LordWabbit2]

Sorry, but as a programmer different dates formats are a bloody pain in the ass. Say it like you want to (while putting a pancake on your head, I don't give a shit) but store it (ie. type it) in ISO format. YYYY-MM-DD

There are a lot of systems which transmit data as strings (xml, json, csv) which need to get parsed back into datetime and a simple thing like YYYY/MM/DD instead of YYYY-MM-DD can cause a cluster fuck of note. If everyone just used the ISO format my job would be a lot easier.
As a developer who helped fix the Y2K issues that would have happened at a major bank I am well and truly tired of different date formats.

Re:American Date Format

[gl4ss]

third of the fifth? or fifth day of the third?

month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

Re:American Date Format

[Crash42]

If you want to go for the lazy option, use the Dutch system: the tenth of May 2014 is just "ten May twothousand fourteen"
It really is DMY.

Re:American Date Format

Hey I'm from NZ too. We should hang out sometime.

Re:American Date Format

YYYY-MM-DD is also good for geeks since it matches lexicographical order (earlier dates will come before more recent date). So this is the way to go for file names and anything else where you need to sort by date (which is pretty much everything). None of the other formats (MM-DD-YYYY or DD-MM-YYYY) give sensible results with lexicographical sorting.

Re:American Date Format

there is only ONE date abbreviation format which is effectively unambiguous:
THU22MAY2014
see, you can even run it together, and it is totally understandable...
fuck your stupid ambiguous numbers, GIVE ME AN ABBREVIATION WHICH IS UNDERSTANDABLE BY HUMANS, not computers...

Re:American Date Format

[RabidReindeer]

I've heard "10th May, 2014" or even "10 May, 2014". And actually, the common US reference isn't so much "September 11th" as it is "Nine-eleven", written 9/11.

My preferred date format is "2014-05-10". It collates better.

Re:American Date Format

nobody else will start saying or writing the year first

lolwut

You need to get out in the world more.

Re:American Date Format

nobody else will start saying or writing the year first

lolwut

You need to get out in the world more.

You know many people who start with the year when they are referencing a specific date? "We are planning a trip in 2015-07-20".

Re:American Date Format

Plus time is a great extension that follows the same order. So Now() for me currently equals 2014-05-22 10:52:32 CDT.

Re:American Date Format

[praxis]

nobody else will start saying or writing the year first

lolwut

You need to get out in the world more.

You know many people who start with the year when they are referencing a specific date? "We are planning a trip in 2015-07-20".

Saying and writing are two different things. People do write the year first; in fact it's a very popular format.

Re:American Date Format

[markhb]

As an American, for that particular day, there is an added significance to the number itself as 911 is our universal emergency telephone number, similar to the European 112 or 999. I would typically write today's date as 22 May 2014, but when I do so I am being consciously pretentious. Otherwise I'd use 5/22/2014 (I was the Y2K guy at my previous job; it cured me of 2-digit years for good).

Re:American Date Format

[GuB-42]

Obligatory XKCD : http://xkcd.com/1179/

Re:American Date Format

[Dynedain]

Reread my comment, I was responding to someone who likes M-D-Y because that's how he speaks: "event happened on May fifth, 2001"

I'm completely in agreement that it's stupid in written and datestamp formats and leading to confusion. I always use YYYY-MM-DD to avoid ambiguities.

My point was that the grandparent's argument only holds true for English. In many other common languages, the day comes first: "event happened on fifth of May", so the natural inclination of making written dates match speaking order doesn't apply.

Re:American Date Format

I'm not American either, but to me phrasing this particular date as nine-eleven doesn't have so much to do with date format for the 11th day on the 9th month (September) as it has to do with how the imagination pictures those numbers in your head... 9-1-1...These events were a tragedy, and with tragedy most people would dial 911 on their phones in the case of an emergency...

Since "nine-eleven" sounds better phonetically than "nine-one-one", it's also a better propaganda tool against terrorism...

Just my thoughts...

Re:American Date Format

[Zaiff+Urgulbunger]

The problem I have with the US date format is simply that it's often ambiguous when used on the internet - it being international and all.

The way people "say" dates is fine, so if someone likes "May 10th" or "10th of May", I'm easy - there's no ambiguity. But writing 05/10/2014 on a website is a bit crap because it is ambiguous. Either go with writing the month name or 3-letter abbrev. or go with ISO format 2014-05-10 - you're still allowed to say it in whatever order you like! So when I read an ISO format date, in my head, I'm not saying "twenty-fourteen oh-five ten" - I still read it as 10th of May.

Have we forgotten how to hyphenate?

What's with all the illiteracy these days? It's not a "zero day"; it's a "zero-day". Zero-day is an adjective and must be hyphenated.

Zero-day attack

Ain't that the last IE that works on XP?

Up shit creek w/o paddle.
Somebody done burned old dixie down.

No no no.

[Captain+Coolwater]

It's "640k 0 days should be enough for anybody". I'm not going to tell you again.

It is not a zero day.

[140Mandak262Jamuna]

According to the timeline it is a -180 day.

Re:It is not a zero day.

[PhilHibbs]

Has it been exploited? A zero-day attack is an exploit on the same day that the information is released. No-one has said anything about an attack. If it gets attacked today, it's a zero-day. If it's already been attacked, then it's an already-exploited vulnerability, there's no point in attaching positive or negative numbers to it. An exploited bug that never gets detected would be a minus infinity day attack!!!! Anyway that's a "zero-day attack", I don't know what a "zero-day vulnerability" is, the term doesn't make any sense. I think people are just saying "zero day" because it sounds cool.

Re:It is not a zero day.

[140Mandak262Jamuna]

Very true. The way the term originated, if an attack is mounted today it would be 180 day attack. N day attack originally meant the number of days it took for someone to exploit a vulnerability after it was known. But when you are shooting for funny ....

Huh? Naming problem?

[grep+-v+'.*'+*]

"Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 ... The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch.

So then wouldn't that make it a minus 180 day vuln instead? </snark>

Oh -- it was found 180d ago so that's be a plus 180. Wrong orientation base there, sorry.

Don't blink this time MS

[Dega704]

Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.

Re:Don't blink this time MS

Fuck you! XP FOREVER!!!!!

Everyone should stop using Internet Explorer

Doesn't matter even if it is a newer version e.g. IE10, IE11.

If you're in a corporate environment and some legacy in-house apps only play nice with IE, cough out some money and upgrade or port those apps.

It's time to let IE go the way of Realplayer: once annoyingly ubiquitous, now a mere footnote in tech history.

Zero Day? Duh...

OK, first I was confused because I read IE 8 as Windows 8.

So a bug is discovered in IE 8, which has been deployed for a long time... but...

Somehow the meaning of "Zero Day" has changed over the last few years. It used to mean a vulnerability that was discovered before a version of software even went live.... ouch.

Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

TAG: NOTNEWS

[The+Cisco+Kid]

IE is a vulnerable pile of crap and always will be.

Everyone that doesn't live under a rock already knows this.

No amount of "ZOMG! NEW HACK FOUND IN IE!" announcements is going to get through the skulls of those that still use it.

Please, no more stories about IE vulnerabilities. Consider it a standing notice "IE is a POS"

Re:TAG: NOTNEWS

It's not a complete pile of crap anymore. It's very fast, multithreaded, secure, runs web pages in a sandboxed environment, has excellent zooming functionality, and very responsive touchpad pixel scrolling. Did I mention that it also makes coffee and a beautiful serving of ice cream with tropical fruits.

Take look at the vulnerabilities databases. There are terrible vulnerabilities found in other browsers all the time too, but because they are based on open source code, Slashdot does not report them.

Re:TAG: NOTNEWS

Internet Explorer, in addition to being closed source, still uses the Trident rendering engine.

On top of that, it attempts to push Microsoft's dog food down your throat: Bing, Skype, Hotmail (Outlook), MSN.

Despite the improvements, still a piece of crap.

Re:TAG: NOTNEWS

Yeah? You could as well say that Firefox still uses the Netscape engine, or that Chrome uses KHTML. What comes to those shoving-down-the-throat features, the search engine defaults and things like that can be easily changed.

The truth is that since version 9, Internet Explorer has been essentially as good as the other big browsers.

Re:TAG: NOTNEWS

[jbo5112]

It also boasts a worst in class standards support. When building advanced web services, Chrome's lack of support is a big enough pain. IE 11 is still about 3x as bad, but it is getting better. IE 10, in particular, was a huge improvement, but I often wonder why they still bother trying to build a browser from scratch.

You must not have used my app

It WARNS YOU AT BUILDTIME OF HOSTS TO TURN OFF DNSCACHE in its SAVE tab... thus, you didn';t use my app, or you don't read & follow directions.

That's also widely documented online by the way -To turn off usermode slow faulty with large hosts files dnscache service.

* It causes a lag with larger hosts files - it's a KNOWN issue!

(Nice part is that when you turn off dnscache service, you stop that "lag" & also save CPU cycles, RAM, & other forms of I/O it uses: double-bonus!)

APK

P.S.=> I regain indexing lost via its feature that allows "hardcoding" your favorite sites - I do 24 of them here @ the TOP of my custom hosts file... that equates to approximately 2-3 million indexed seeks AND seeks those favorites of yours as FAST as possible cached into RAM via the kernelmode diskcaching subsystem working in combination with TCP/IP itself also in PnP kernelmode design (higher CPU priority privelege than usermode, thus faster) in combination with DNSSEC secured EXTERNAL OpenDNS... apk

Zero-Day allowing the attacker run arbitrary code

[buchner.johannes]

"Zero-Day exploit allowing the attacker to run arbitrary code"

I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention features of MS Windows after XP.

Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

Windows Update still broken for many

I'm a sales guy at a soon to be bankrupt company who has been tasked with light IT work because the boss is too cheap to hire a real one. Finally scared him enough to upgrade to Win7 (and pay for it lol). Everything went great updates/drivers seemed to install fine. All of them except for Internet Explorer! To which windows update says Error(s) found Code 9C59 Windows Update has encountered an unknown error. Spent a month on MS forums doing all kinds of voodoo and fixes still nothing. Offline installer package gives same thing. New updates download and install just fine, but were doing all our business on IE 8 which is insane. Anyone ran into this lately?

Re:Windows Update still broken for many

No one gives a crap about your lame Windows deployment.

Re:Zero-Day allowing the attacker run arbitrary co

[Antique+Geekmeister]

> Or does this warning assume the worst case, where all these other features are turned off?

It seems not. But remember that Internet Explorer was written to be inseparable from the operating system itself, with effectively bare metal access to provide Microsft-only speed, power, and enforced reliance on Microsoft's system libraries. It was designed _not_ to be lmodular, and designed _not_ to be clealy segregated from the underlying operating system so that it would be impossible to remove or replace on a Windows system.

IE8

[A+Non-MS+Coward]

In IE8, Internet explores YOU.

Re:Zero Day? Duh...

[Teresita]

Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

And a "new" zero day at that. That's a relief, it could have been an old one.

Re:Zero-Day allowing the attacker run arbitrary co

[EmperorArthur]

"Zero-Day exploit allowing the attacker to run arbitrary code"

I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention features of MS Windows after XP.

Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

The NX bit, and DEP forced us to develop Return Oriented Programming https://en.wikipedia.org/wiki/... Basically because function arguments and return pointers are on the stack you can make the code that's already there do the work for you. It's not as easy as just writing a little shell code and tends to be more specific as far as the version of the software the victim is running, but it's really quite neat and hard to stop.

Re:Zero-Day allowing the attacker run arbitrary co

Except this exploit is only in XP which lacks DEP and NX, based on your own sentence even... So your comment about features failing?

IE8 is officially so what.

[gelfling]

IE8 no longer needs to exist. The only technical reason for it is Windows Updates for XP which are no longer available.

Windows Update still broken for many

I don't know if your problem was the same as mine, but I had a problem where I couldn't repair, or re-install IE11 for someone on Windows7 because it wouldn't update properly... I went to this website:

http://support.microsoft.com/kb/923737

and downloaded the automatic wizard... It seemed to reset the IE settings and it was smooth sailing after that...

Direct link for the file (MicrosoftFixit50195.msi) is:

http://go.microsoft.com/?linkid=9646978

Give it a try and I hope it works for you...

Despite your testing error

http://it.slashdot.org/comment... what you saw is a HUGE margin less than AdBlock eating 5gb of RAM & tearing up CPU terribly -> https://blog.mozilla.org/nneth... by way of comparison.

APK

P.S.=> I still don't believe you used my program, since it tells you (no matter what way you go to do it on SAVE) to turn off usermode slow faulty with large hosts files dnscache service (and gives you the services.msc tool to do it directly)... apk

Re:Zero-Day allowing the attacker run arbitrary co

[toddestan]

Windows XP supports the NX bit, which came in with a service pack. Maybe you're thinking of Windows 2000? Though by default I believe Windows XP won't use it unless you specifically turn it on. And of course, you need to have a processor that has the NX bit in the first place. Windows Vista defaulted it to on (though only for the 64-bit versions), and Windows 8 requires it to the point where it won't boot on a processor that lacks the NX bit.