Slashdot Mirror


New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

80 of 134 comments

  1. why are they taking so long? by wulper · · Score: 2

    this IS a critical bug... onehundredandeighty days... 180 zero days. why? MS wants to drive up marketshare of competing browsers? incompetence? MS employees actively exploiting the bug?

    1. Re:why are they taking so long? by wulper · · Score: 2

      that was a rhetorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

    2. Re:why are they taking so long? by Jumunquo · · Score: 5, Informative

      From ZDI advisory:
      Vendor Contact Timeline:
      10/11/2013 - Case disclosed to vendor
      02/10/2014 - Vendor confirmed reproduction
      04/09/2014 - Original predicted disclosure (180 days)
      05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
      05/21/2014 - ZDI publicly disclosed

      Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

    3. Re:why are they taking so long? by Billly+Gates · · Score: 2, Funny

      that was a rhetorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

      No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certificates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

    4. Re:why are they taking so long? by Anonymous Coward · · Score: 5, Interesting

      You forgot to add to your timeline:

      4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

      Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

    5. Re: why are they taking so long? by MotherErich · · Score: 2

      Why is anyone still using IE8?

      --
      You have to be smarter than the machine you're working with.
    6. Re:why are they taking so long? by Skarjak · · Score: 1

      To think that my last comment on how there was no reason to use IE in this day and age got modded as flamebait...

    7. Re:why are they taking so long? by BradMajors · · Score: 1

      Computers that are still running XP almost certainly can not be upgraded to Windows 7 or 8 because they have additional hardware requirements. Microsoft has failed their customers by not providing a way to upgrade their software and forcing them to stay with XP.

    8. Re:why are they taking so long? by lennier1 · · Score: 3, Funny

      The NSA probably wanted more time to exploit it.

    9. Re:why are they taking so long? by wulper · · Score: 1

      surely anybody who hasn't updated ie8 until now probably won't install a patch when it comes out either. I didn't think about that.

    10. Re:why are they taking so long? by Anonymous Coward · · Score: 2, Insightful

      Microsoft was still heavily pushing Windows XP for netbooks in 2009.
      So make that not even 5 years.

    11. Re:why are they taking so long? by DrXym · · Score: 1

      Says who? Other operating systems including popular dists of Linux have well defined end of lifes on their products. Why should Microsoft be expected to support their product indefinitely?

    12. Re:why are they taking so long? by hairyfeet · · Score: 1

      Or maybe it's the fact that the only one this really affects is Windows XP and since XP is EOL there is no point? Vista has IE 9, the rest can upgrade to current so the only version of Windows stuck with IE 8 is XP. I'm sorry but if you are surfing the net with a 13 year old OS? Then you deserve what you get, after all nobody would expect a 13 year old copy of Debian or OSX to get patches so why should Windows?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    13. Re:why are they taking so long? by toddestan · · Score: 1

      This issue was disclosed to Microsoft while XP still had almost six months of support left. They should have fixed it, not let it go figuring by the time it was disclosed publicly XP would be out of support.

      Though the funny thing is, Microsoft is still on the hook to fix it as they still support IE8 on other versions of Windows, including (off the top of my head) Server 2003 and Vista.

  2. Enough already by Anonymous Coward · · Score: 2, Funny

    I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

    1. Re:Enough already by CFBMoo1 · · Score: 2

      I installed an HP Dodo Rockjet Printer with my abacus and the stone tablet prints are really nice quality. Wilma really likes it as well and she prints out all her pictures to it.

      --
      ~~ Behold the flying cow with a rail gun! ~~
    2. Re:Enough already by jones_supa · · Score: 2

      You can buy a cheap dodo printer, but the hidden costs are in the crackers, which you need to acquire to keep the printer running. A bag of crackers costs more than the dodo.

    3. Re:Enough already by Black+LED · · Score: 1

      Just wait until some hacker starts drawing images of gaping anuses and penises on your Etch-a-Sketch.

  3. October?! by anarkhos · · Score: 2, Funny

    Can't Ballmer spare any developers developers developers?

    --
    >80 column hard wrapped e-mail is not a sign of intelligent
    >life
    1. Re:October?! by sjames · · Score: 1

      I think they're all lost in the poppies, poppies, poppies!

  4. IE EIGHT? by PopeRatzo · · Score: 1

    Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

    --
    You are welcome on my lawn.
    1. Re:IE EIGHT? by xlsior · · Score: 5, Interesting

      Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

    2. Re:IE EIGHT? by Anonymous Coward · · Score: 2, Interesting

      Right. And the other $500 for the other puter'. oh, and the $300 for the app upgrades. Oh, and the $100 for a printer that has drivers. Or, M$oft, you could just patch what's broke for the common good. Eventually all good chipsets come to an end, and they move off. But until then...

    3. Re:IE EIGHT? by msobkow · · Score: 1

      So use Firefox or Chrome. No big deal.

      --
      I do not fail; I succeed at finding out what does not work.
    4. Re:IE EIGHT? by xlsior · · Score: 3, Informative

      So use Firefox or Chrome. No big deal.

      Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.

    5. Re:IE EIGHT? by blindseer · · Score: 2

      Bad car analogy. Software fixes don't take up warehouse space like auto parts, and the incremental cost to patch another computer is so close to zero that computing it would be pointless.

      At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

      At work we have CNC machines that run XP. They use serial and/or parallel ports to talk to the computer. The software that runs everything is one of a kind. Replacing all of that would cost tens of thousands of dollars that we don't have. They are behind a firewall to keep the shop workers from surfing porn on the computers but the system has to have some access to the internet for some functions.

      Microsoft might want to consider extending support for XP because if we cannot get what we need from Microsoft I might be asked for alternatives from the people that run the shop. Considering the cost of Microsoft products I will offer solutions to the powers that be that do not include Microsoft. You may not be bothered by that. I won't be bothered by that. Microsoft should be bothered by this if they are not already.

      At work Windows 7 is tolerated. Windows 8 and Vista make the boss's eye twitch, the GUI bothers him as does the price. No XP could mean no Windows. I'm the new guy on the crew and I'd be happy to suggest Macintosh and Linux solutions. With this coming up my recommendation may come up today. If Microsoft doesn't mind our getting Apples instead of Dells then all is well. If Microsoft wants our money then they will produce a fix so we can keep going.

      I'm talking 100+ desktops running XP. If Microsoft says we need to buy Vista or 8.1 to fix our problems then we must look at alternatives. That might mean replacing the Server 2003 systems too. I imagine we are not unique. Microsoft can patch this and keep our business, or not and lose our business.

      I'm not demanding they provide a fix, just showing the problems they have if they don't.

      --
      I am armed because I am free. I am free because I am armed.
    6. Re:IE EIGHT? by reikae · · Score: 1

      Will switching to Macs solve the problem though? I was under the impression that Apple supports old OS X versions for a shorter period than Microsoft supports old versions of Windows. Snow Leopard was released in 2009, XP SP3 in 2008. According to Wikipedia Snow Leopard isn't supported anymore, let alone anything released in 2001 when XP first came out.

      With a libre software solution you would have the option to pay someone to backport security fixes so you could run the current versions for a long time, but I guess this would be too expensive to do properly.

    7. Re:IE EIGHT? by Lennie · · Score: 1

      The right answer is:

      Stop using IE on Windows XP, use Firefox or Chrome, they get updates.

      Or better yet: stop using Windows XP.

      --
      New things are always on the horizon
    8. Re:IE EIGHT? by Lennie · · Score: 1

      Scrap that, if you read the advisory they mention turning off ActiveX.

      So basically, it's an ActiveX exploit, so turn that off.

      --
      New things are always on the horizon
    9. Re:IE EIGHT? by LordSnooty · · Score: 1

      The car analogy would work if MS were forced to release the source code once their support ends. That's how an old car would be dealt with - parts from the manufacturer until they stop making them, meaning a third party can step in and make the parts if there is a demand for them. The 'open' nature of a car allows this to happen. An open-source OS also permits this. A closed-source OS is different.

    10. Re:IE EIGHT? by chuckugly · · Score: 1

      At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

      At work we have CNC machines that run XP.

      And on those machines you surf the WWW using IE?

    11. Re:IE EIGHT? by blindseer · · Score: 1

      If we switch away from Microsoft then we're not likely to ever switch back. Perhaps their next version of Windows won't suck as bad as 8.x and we upgrade then.

      --
      I am armed because I am free. I am free because I am armed.
    12. Re:IE EIGHT? by blindseer · · Score: 1

      And on those machines you surf the WWW using IE?

      At home, yes. I'll surf the web for answers to questions that pop into my head with whatever computer I happen to be using at the time. With IE being the default browser then it tends to get used. Even if I install a different browser the IE engine is so intertwined with the OS that other software will use it for things like help files.

      At work the people will use those computers for all kinds of crazy things. The primary use is for running the equipment but they'll use them to check e-mail or whatever, and the IE engine tends to be used to render HTML formatted messages.

      --
      I am armed because I am free. I am free because I am armed.
    13. Re:IE EIGHT? by blindseer · · Score: 1

      The bosses won't invest in Windows 8.1 because it has a really bad UI. They don't like how it looks and works so they are going to stick with Windows 7 and XP as long as possible. Microsoft dropping support for XP and offering 8.1 as a replacement is not going over very well. It sounds like if they have to give up XP because of lack of support then they'd consider Linux or Apple rather than going to Windows 8.1 because the UI is just that bad.

      --
      I am armed because I am free. I am free because I am armed.
    14. Re:IE EIGHT? by blindseer · · Score: 1

      Right now our choices are, keep XP, move to Windows 8.1, or choose an OS that Microsoft does not make. Only one person at work has asked for Windows 8, everyone else wants XP or 7. For a variety of reasons Windows 8 is not an option for widespread adoption. If Microsoft removes the choice to keep XP then the choice to move to something not made by Microsoft becomes that much easier.

      Even though the desktops may stay on Windows XP there are still servers that need to be upgraded. We can move the Server 2003 boxes to Server 2008 or Server 2012 so long as XP stays. If we can't keep XP then the servers might move to Linux or Apple. Once we break that barrier to an OS not made by Microsoft then moving the next server or desktop to something other than Microsoft gets easier.

      If we can't keep using IE on the computers because of security issues then we'll probably use Chrome instead. Once people get used to Chrome then moving to some other operating system that runs Chrome becomes easier. Outlook uses the IE engine to render HTML messages, if IE is broken then so is Outlook. If we can't use Outlook then we'll use something else. If people aren't using Outlook then do we need to run Exchange Server anymore? No.

      AutoCAD runs on Mac OSX just as well as Windows, we can switch. Same goes for anything offered by Adobe. Microsoft Office runs on Windows and Mac OS X. So long as Office runs on XP we'll keep using it. If we make that leap to Apple systems then how long will we keep running Microsoft Office? Maybe once we switch the OS we might decide to switch our word processors and spreadsheets too. Maybe not.

      The longer we can run XP the longer it makes sense to keep the other Microsoft products. If whatever version of Windows that follows 8.1 does not suck as bad then we might buy that one. It does not sound like we'll ever switch to Windows 8, it's just that bad. If Microsoft decides to force a choice out of us they might not like what we choose.

      --
      I am armed because I am free. I am free because I am armed.
    15. Re:IE EIGHT? by chuckugly · · Score: 1

      Machines used for MMI are connected to the internet? I think I see what we like to call a root cause here.

    16. Re:IE EIGHT? by blindseer · · Score: 1

      I had the same question. The response I got was that the software license control system needed an internet connection. Locking the network down wasn't really a big issue to worry about. Having internet access meant security updates could be installed easily, meaning the systems were arguably more secure because of the internet access. Loss of security updates from Microsoft changes that obviously.

      --
      I am armed because I am free. I am free because I am armed.
  5. IE8 Last for Windows XP by BBCWatcher · · Score: 3, Interesting

    Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

    These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

    1. Re:IE8 Last for Windows XP by AmiMoJo · · Score: 1

      You would be crazy to run IE8 on XP anyway. A vulnerability like this on Vista or later wouldn't be such a big deal because IE runs with low permissions, so the arbitrary code can't do much other than screw with IE itself. DEP probably mitigates it a lot too.

      XP is fucked from a security point of view. Sorry, but it just is, and we need to move past it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:IE8 Last for Windows XP by gradinaruvasile · · Score: 1

      Well there are plenty user-level malware programs out there - typically ransomware run with user level privileges (admin is a bonus, but to screw up the current user, it's not necessary). For example, cryptolocker can work without administrative permissions too since it messes up your personal files.

    3. Re:IE8 Last for Windows XP by toddestan · · Score: 1

      The stupid thing is that it's not really a Windows XP exploit. It's an IE8 exploit, which Microsoft still supports on other versions of Windows such as Server 2003 and Vista. So Microsoft is still on the hook to fix it anyway, so it's not like they gained a whole lot by dragging their feet on this.

  6. Do NOT use Microsoft products by Anonymous Coward · · Score: 1

    They give NSA all of their backdoors months in advance. Do not use Microsoft products!

  7. Who thinks we are really safe today online? by 0x537461746943 · · Score: 1

    It is really a sad state that computer systems are in nowadays. Every year multiple vulnerabilities are published showing how easy it is for someone to find critical vulnerabilities in software used every day by citizens and government officials. I bet the NSA is into Chinese government systems and China already has access to American government systems. The underground hacker/criminal scene certainly already has access to corporate and government systems too if you think about how many vulnerabilities are found every year and the underground market to sell not yet published vulnerabilities. Obviously not only the good guys who publish the vulnerabilities find vulnerabilities. I wonder what the ratio is but I bet the good guys don't have that much of a lead. Maybe we are going about this wrong and instead of making people think they are secure they should assume all governments are not secure. This would bring about a cold war. China won't critically bring down American government systems because they know that America would just do the same to them :). With articles being published that show that the NSA is putting trojan software in exported systems you can certainly bet that other countries are doing the same. Are you sure that USB drive you ordered from China is only a USB drive? We need a revolution in computing when it comes to security. While we have seen improvements in security over the years we don't seem any closer to solving security issues than we were 10 years ago when it comes to the apps that every day users use.

  8. American Date Format by labnet · · Score: 5, Insightful

    American Date Format :DIE Already!!!!!!!!!!!
    American Imperial Units: DIE Already!!!!!!!!!!
    American Imperialism : .....[shhh the nsa is listening]

    --
    46137
    1. Re:American Date Format by PsychoSlashDot · · Score: 1, Insightful

      American Date Format :DIE Already!!!!!!!!!!!

      Sorry, but as a non-American I have to admit I find that date format the most comfortable. Things are likely different globally, but here people tend to say "May 10th, 2014" much more often than "the 10th of May, 2014". Adding two bonus words so you can satisfy some "most granular to least granular" fetish doesn't fit.

      For instance, the catastrophe that happened in the US over a decade ago is called "September 11th", not "the 11th of September".

      Frankly I'd be okay with a compromise... 10(5)14 is May 10th, 2014 or the 10th of May, 2014. But as long as everyone insists on using commas, DMY will never have my vote.

      --
      "Oh no... he found the .sig setting."
    2. Re:American Date Format by Anonymous Coward · · Score: 1

      American Date Format :DIE Already!!!!!!!!!!!

      I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

      • 2013/10/11 - Case disclosed to vendor
      • 2014/02/10 - Vendor confirmed reproduction
      • 2014/04/09 - Original predicted disclosure (180 days)
      • 2014/05/08 - ZDI notified the vendor of the intent to publicly disclose
      • 2014/05/21 - ZDI publicly disclosed

      But, otherwise, I don't really see the point.

    3. Re:American Date Format by harperska · · Score: 4, Informative

      Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

    4. Re:American Date Format by bill_mcgonigle · · Score: 2

      I speak in the American format and write in the ISO format. To me they're the best of breed, one for spoken communication, one for written. But don't forget that we're surrounded by OCD-ish folks (like the GP) who are so crazy-obsessed with EvEnNeSs. I did that last one just to piss them off.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:American Date Format by QuasiSteve · · Score: 5, Insightful

      Remember, Remember, November 5th.

      This day, July 4th, is our Independence Day.

      Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

      But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

    6. Re:American Date Format by Dynedain · · Score: 3

      Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    7. Re:American Date Format by compro01 · · Score: 4, Informative

      I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

      That's what ISO 8601 specifies. YYYY-MM-DD.

      --
      upon the advice of my lawyer, i have no sig at this time
    8. Re:American Date Format by Megane · · Score: 1

      Right on, and fuck the European date format too. YYYY-MM-DD 4evah!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    9. Re:American Date Format by Antonovich · · Score: 1

      And you are a non-American (as in the continents) native speaker of English? I'm from NZ and it's the other way round, or at least was until I left 10 years ago... The "dialect" has undergone very strong Americanisation over the last few decades though. Your "for instance" is also a little ridiculous - a non-American would never say "nine eleven" meaning "the eleventh of September" (or even "eleven nine"). I also can't remember anyone ever saying "September eleventh" but plenty of people saying "September eleven" regarding the attacks on the WTC. The "nine eleven" term has a much stronger relation to the actual date for Americans (US-only?) than it does for non-Americans.

    10. Re:American Date Format by LordWabbit2 · · Score: 2

      Sorry, but as a programmer different dates formats are a bloody pain in the ass. Say it like you want to (while putting a pancake on your head, I don't give a shit) but store it (ie. type it) in ISO format. YYYY-MM-DD

      There are a lot of systems which transmit data as strings (xml, json, csv) which need to get parsed back into datetime and a simple thing like YYYY/MM/DD instead of YYYY-MM-DD can cause a cluster fuck of note. If everyone just used the ISO format my job would be a lot easier.
      As a developer who helped fix the Y2K issues that would have happened at a major bank I am well and truly tired of different date formats.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    11. Re:American Date Format by gl4ss · · Score: 3, Interesting

      third of the fifth? or fifth day of the third?

      month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

      even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

      --
      world was created 5 seconds before this post as it is.
    12. Re:American Date Format by Crash42 · · Score: 1

      If you want to go for the lazy option, use the Dutch system: the tenth of May 2014 is just "ten May twothousand fourteen"
      It really is DMY.

      --
      ....Excuse me, but ... ah, forget it...
    13. Re:American Date Format by RabidReindeer · · Score: 1

      I've heard "10th May, 2014" or even "10 May, 2014". And actually, the common US reference isn't so much "September 11th" as it is "Nine-eleven", written 9/11.

      My preferred date format is "2014-05-10". It collates better.

    14. Re:American Date Format by praxis · · Score: 1

      nobody else will start saying or writing the year first

      lolwut

      You need to get out in the world more.

      You know many people who start with the year when they are referencing a specific date? "We are planning a trip in 2015-07-20".

      Saying and writing are two different things. People do write the year first; in fact it's a very popular format.

    15. Re:American Date Format by markhb · · Score: 1

      As an American, for that particular day, there is an added significance to the number itself as 911 is our universal emergency telephone number, similar to the European 112 or 999. I would typically write today's date as 22 May 2014, but when I do so I am being consciously pretentious. Otherwise I'd use 5/22/2014 (I was the Y2K guy at my previous job; it cured me of 2-digit years for good).

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    16. Re:American Date Format by GuB-42 · · Score: 1

      Obligatory XKCD : http://xkcd.com/1179/

    17. Re:American Date Format by Dynedain · · Score: 1

      Reread my comment, I was responding to someone who likes M-D-Y because that's how he speaks: "event happened on May fifth, 2001"

      I'm completely in agreement that it's stupid in written and datestamp formats and leading to confusion. I always use YYYY-MM-DD to avoid ambiguities.

      My point was that the grandparent's argument only holds true for English. In many other common languages, the day comes first: "event happened on fifth of May", so the natural inclination of making written dates match speaking order doesn't apply.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    18. Re:American Date Format by Zaiff+Urgulbunger · · Score: 1

      The problem I have with the US date format is simply that it's often ambiguous when used on the internet - it being international and all.

      The way people "say" dates is fine, so if someone likes "May 10th" or "10th of May", I'm easy - there's no ambiguity. But writing 05/10/2014 on a website is a bit crap because it is ambiguous. Either go with writing the month name or 3-letter abbrev. or go with ISO format 2014-05-10 - you're still allowed to say it in whatever order you like! So when I read an ISO format date, in my head, I'm not saying "twenty-fourteen oh-five ten" - I still read it as 10th of May.

  9. Have we forgotten how to hyphenate? by Anonymous Coward · · Score: 1

    What's with all the illiteracy these days? It's not a "zero day"; it's a "zero-day". Zero-day is an adjective and must be hyphenated.

    Zero-day attack

  10. No no no. by Captain+Coolwater · · Score: 1

    It's "640k 0 days should be enough for anybody". I'm not going to tell you again.

  11. It is not a zero day. by 140Mandak262Jamuna · · Score: 5, Funny

    According to the timeline it is a -180 day.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:It is not a zero day. by PhilHibbs · · Score: 1

      Has it been exploited? A zero-day attack is an exploit on the same day that the information is released. No-one has said anything about an attack. If it gets attacked today, it's a zero-day. If it's already been attacked, then it's an already-exploited vulnerability, there's no point in attaching positive or negative numbers to it. An exploited bug that never gets detected would be a minus infinity day attack!!!! Anyway that's a "zero-day attack", I don't know what a "zero-day vulnerability" is, the term doesn't make any sense. I think people are just saying "zero day" because it sounds cool.

    2. Re:It is not a zero day. by 140Mandak262Jamuna · · Score: 1

      Very true. The way the term originated, if an attack is mounted today it would be 180 day attack. N day attack originally meant the number of days it took for someone to exploit a vulnerability after it was known. But when you are shooting for funny ....

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  12. Huh? Naming problem? by grep+-v+'.*'+* · · Score: 1

    "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 ... The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch."

    So then wouldn't that make it a minus 180 day vuln instead? </snark>

    Oh -- it was found 180d ago so that'd be a plus 180. Wrong orientation base there, sorry.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  13. Don't blink this time MS by Dega704 · · Score: 4, Interesting

    Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.

    1. Re:Don't blink this time MS by Anonymous Coward · · Score: 2, Funny

      Fuck you! XP FOREVER!!!!!

  14. Everyone should stop using Internet Explorer by Anonymous Coward · · Score: 1

    Doesn't matter even if it is a newer version e.g. IE10, IE11.

    If you're in a corporate environment and some legacy in-house apps only play nice with IE, cough out some money and upgrade or port those apps.

    It's time to let IE go the way of Realplayer: once annoyingly ubiquitous, now a mere footnote in tech history.

  15. Zero Day? Duh... by Anonymous Coward · · Score: 1

    OK, first I was confused because I read IE 8 as Windows 8.

    So a bug is discovered in IE 8, which has been deployed for a long time... but...

    Somehow the meaning of "Zero Day" has changed over the last few years. It used to mean a vulnerability that was discovered before a version of software even went live.... ouch.

    Now the definition on Wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

  16. Zero-Day allowing the attacker run arbitrary code by buchner.johannes · · Score: 2, Interesting

    "Zero-Day exploit allowing the attacker to run arbitrary code"

    I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention features of MS Windows after XP.

    Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  17. Re:Zero-Day allowing the attacker run arbitrary co by Antique+Geekmeister · · Score: 1

    > Or does this warning assume the worst case, where all these other features are turned off?

    It seems not. But remember that Internet Explorer was written to be inseparable from the operating system itself, with effectively bare metal access to provide Microsoft-only speed, power, and enforced reliance on Microsoft's system libraries. It was designed _not_ to be modular, and designed _not_ to be clearly segregated from the underlying operating system so that it would be impossible to remove or replace on a Windows system.

  18. IE8 by A+Non-MS+Coward · · Score: 1

    In IE8, Internet explores YOU.

  19. Re:Zero Day? Duh... by Teresita · · Score: 1

    > Now the definition on Wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

    And a "new" zero day at that. That's a relief, it could have been an old one.

  20. Re:Zero-Day allowing the attacker run arbitrary co by EmperorArthur · · Score: 1

    > "Zero-Day exploit allowing the attacker to run arbitrary code"
    >
    > I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention features of MS Windows after XP.
    >
    > Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

    The NX bit, and DEP forced us to develop Return Oriented Programming https://en.wikipedia.org/wiki/... Basically because function arguments and return pointers are on the stack you can make the code that's already there do the work for you. It's not as easy as just writing a little shell code and tends to be more specific as far as the version of the software the victim is running, but it's really quite neat and hard to stop.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  21. IE8 is officially so what. by gelfling · · Score: 1

    IE8 no longer needs to exist. The only technical reason for it is Windows Updates for XP which are no longer available.

  22. Re:Zero-Day allowing the attacker run arbitrary co by toddestan · · Score: 1

    Windows XP supports the NX bit, which came in with a service pack. Maybe you're thinking of Windows 2000? Though by default I believe Windows XP won't use it unless you specifically turn it on. And of course, you need to have a processor that has the NX bit in the first place. Windows Vista defaulted it to on (though only for the 64-bit versions), and Windows 8 requires it to the point where it won't boot on a processor that lacks the NX bit.

  23. Re:TAG: NOTNEWS by jbo5112 · · Score: 1

    It also boasts worst-in-class standards support. When building advanced web services, Chrome's lack of support is a big enough pain. IE 11 is still about 3x as bad, but it is getting better. IE 10, in particular, was a huge improvement, but I often wonder why they still bother trying to build a browser from scratch.