Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advance notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare …
Is Steam client in the picture?
How about some more facts
Every PC in our company now has Firefox as the default browser. I have been waiting to deploy Firefox and thanks to the BBC's coverage it was a walk in the park.
Good idea AC
Good idea AC. Go investigate and report back.
<smacks his head>
'Although the exploit was at first contained to warez and porn sites'
So that wasn't a problem then?
Makes you wonder why it's a problem now.
Broken to fixed in...
8 days right?
Not too bad.
GOOD OR BAD
is ie 8 good
At long last...
But it's a bit late, a wide open vuln like that in the wild for so long, I foresee a dip in IE market share...
Thank you saint MS, each time you do something like that you're bringing me closer to my secret pledge, which is to reduce the use, by my assigned herd of lusers, of MS crapware by 50% during my reign (and I'm including the OS. Bring it on!). With this kind of news plus the stupid licensing scheme that complicates the redeployment of machines, the lock-in is more and more looking like a lock-out.
As they say...
Patch Tuesday followed by zero-day Wednesday. Release the exploit the day after patches come out and you get a whole month before the next patches are released... well, in most cases.
code reviews anyone?
I read somewhere that the bug was caused by the classic buffer overrun situation.
So why wasn't this issue detected in peer reviews of the source code during development?
Don't Microsoft do code reviews?
I have serious doubts about their quality control processes.
What I never quite figured out, I recall in years gone by how potential recruits told me of the selection process for Microsoft employees, how technically challenging the process was, and yet, the quality of Microsoft products is terrible. You'd have thought that if their selection process was so selective as to select the very best candidates this would show up in better quality products being developed.
At long last... By Anonymous Coward
"licensing scheme that complicates the redeployment of machines"
What's so complicated about the licensing - you stick the key in a syspreped machine and fire the image over the network..
Maybe you're in the wrong job?
Round and Round and Round
"IExplorer vulnerability. Let's switch to Firefox."
"We can't use Firefox, some of our web apps only run on IExplorer."
"Should we allow ourselves to get locked into one vendor? Our web apps should be compliant with web standards. Then we could use any browser we wanted."
... and back to the start.
Bad News Day for Microsoft
I was surprised yesterday when I woke up to hear on the national radio people being told they should stop using IE. This was on Morning Ireland which has the biggest listenership, so I imagine the message got out to people who don't normally hear about security issues. Hopefully it will make them think.
firefox in the domain?
Are you a fool?
What will you do when people start installing addons and/or when a security flaw is found in firefox? Good luck to you in the future! I think it was a big mistake to roll out firefox..
Although I use firefox on my home/work/any PC I would never allow (I expressively deny) it on my domain. You cannot manage it properly or ensure its working as you would like. I guess you don't use Sharepoint or OWA in your company.
You are much better off protecting the clients at the gateway. Then you don't need to be concerned about users so much and why do you want them to use it? Is it going to make your life (as an admin) any better?
Have also forced everyone in the company to upgrade to Firefox. Have been trying to roll it out for ages and they've all said they prefer IE. Now I'm not giving them the option - I wish I could disable IE completely though.
Any way to stop IE running through group policies? We're a Windows network here...
The IE security flaw even made it to Radio 1 'news'beat yesterday, impressive!
PS - quite funny that the Firefox spell checker doesn't think Firefox is a word.
NO IE for me
These bugs are specifically why I do not use MSIE.
Fortunately I am the guy at work who manages the unix routers and servers, but I sit in the same cube farm as the windoze support folk. It's been interesting listening in on their calls in the last couple of days. Lots of "download firefox" advice being doled out.
And non-techies wonder why I refuse to use IE except at work, and even then not much.
Firefox all the way. Hopefully this incident will have damaged MS's market share, mainly because it would force sites to stop being designed to work properly only in IE (several sites I have been on try to tell me "most people use IE, so that's what we design for. Try using IE")
Oh and @AC WRT "closer to my secret pledge, which is to reduce the use, by my assigned herd of lusers, of MS crapware by 50% during my reign":
That's a damn good idea.
I revel in my...
...FireFoxy, NoScripty, AdBlocky, Flashblocky goodness. After about 4 months of no checks, full scans with SpyBot Search&Destroy and AdAware last night found: *nothing*.
Join the revolution you IE luddites! (And even if your software demands IE, just use IETab).
Paris, 'cause she likes to be open as well.
Why oh Why oh why...
Are people still using IE?
I have yet to see a single reason for sticking with it. If you've got legacy sites on your Intranet, add Firefox with the IETab extension, and a sensible filter list, and enjoy a better all-round browsing experience!
Kudos to Microsoft for pushing out a patch in a reasonable time frame.
Patch has been released.
Go Grab it: www.opera.com
It also fixes future problems too..
Re: <smacks his head>
The problem now is that people were being encouraged to switch to alternative browsers. This was, after all, the main reason for kick-starting the development of IE to produce version 7 after many years of neglect.
No - IE8 is not only vulnerable to the same flaws as all the other IE browsers, the add-ons are completely lame and untrustworthy.
Not to mention that because it is in Beta 2 most sites have some compatibility problem which means that you have to click on a little button beside the address bar to allow 'compatibility mode' to sort it out so you can use the website properly.
Opera is good but uncustomisable, Chrome is the same, and Firefox 3 is the best.
My workplace is introducing Firefox at last (take a brown alert to get them to shift, but they did it) and because Mozilla are going to cut support for Firefox 2 that is probably the version they will install (sod's law) when they should install Firefox 3.
Oh, and they'll probably ban extensions, add ons and access to about:config if I'm any judge of the IT dept's paranoia.
Paris Hilton, because I believe she's open source.
If you use the IEtab extension then YOU ARE STILL USING IE !!!!
A little knowledge has truly demonstrated itself to be a dangerous thing for you.
Your argument is utterly bizarre. Of course you can lock down Firefox if you want to. And of course flaws will continue to be found across all browsers.
Do a bit more research.
BFD ... everybody uses Firefox anyway. Right?? Huh??? Oh well .... "If you're going to be dumb, you better be tough".
"Have also forced everyone in the company to upgrade to Firefox. Have been trying to roll it out for ages and they've all said they prefer IE. Now I'm not giving them the option - I wish I could disable IE completely though"
What a total cheese. Have you actually looked at the stats on how much more secure Firefox is than IE? (i.e. it's not at all more secure).
@ code reviews anyone?
I'm a Brit who has managed US developers in the Pacific North West (Oregon in my case). Compared to UK and Japanese engineers I was shocked by their disdain for reviews, verification and anything customer related - the engineers seemed to regard non-design/coding activities as demeaning.
I also suspected that some anomalies in certain Chipzilla products developed up there stemmed from similar traits. Chipzilla developed some similar products in California and by contrast they were all very high quality and superbly verified and supported.
I wonder if there is something in the Pacific Northwest psyche that makes them want to be white-hot designers/play lead guitar and shun non-limelight activities? It might explain the apparently crappy verification on MSIE.
Oh for fu...
Quite why this particular vulnerability made it to the news in such a big way is beyond me. I can only assume that there are two mindsets in action in the news media. Firstly there are the plagiarists who don't actually write stories their only research is to copy stories from elsewhere, this seems particularly prevalent on internet news sites. Secondly there is the fear factor, it seems that people in the news media are terrified of missing a story, "Why are the BBC covering just another web browser flaw? Is it more important than it seems? What if this turns out to be really big and I missed it? Hold the front page!"
Also I'm getting f**king sick of all these Firefox fanboys, to listen to them you would think Firefox had never had a security vulnerability. Kind of like listening to Mac fanboys. Every browser has had loads of vulnerabilities and will have loads more, I'm sure there are plenty of undiscovered vulnerabilities lurking in live code right now. So don't be so confident that Firefox is secure. So you rolled out Firefox to your entire estate today? What will your MD think of you if a bigger flaw turns up in Firefox tomorrow?
At least administrators whose users all have IE can use WSUS and GPOs or whatever to roll out tonight's patch across their entire estate entirely painlessly tomorrow morning. How would you handle a similar update for Firefox? I really am sick of the Mozilla Foundation and their Google funded smugness. Are they 100% sure that the Google cash wasn't some way of getting at MS? And what is the future of that funding if Chrome gets wide acceptance?
Oh and BTW before you assume I'm some sort of MS fan don't be fooled. I'm Ubuntu and Opera, and yes I know all about the Opera vulns they quietly fixed yesterday. Coincidence? Or did they slip the fixes out under cover of the IE news furore?
Unfortunately IE does work well as a corporate solution because of the way it can be centrally managed. Nothing else works as well in that respect.
Oh and FWIW with 5000+ users our IPS hasn't seen a single attempt to exploit this vuln.
re: Opera is good but uncustomisable
Want to expand that? Having used both browsers, Opera has a massive amount of customization options, many more than Firefox. In addition, it does not support the security nightmare that Extensions create.
I don't believe Firefox can do this...
Re: Patch has been released.
"Go Grab it: www.opera.com. It also fixes future problems too."
Poor timing, young cowboy...
Ahh a user?
Can I ask a question. Do you keep detailed change control lists to all those things you just mentioned that the IT dept deny access to because of "paranoia"?
I thought not. So allowing you access to them so that you can call up and say xxx has happened, (without the IT bods knowing all the details) is the reason why they deny access.
I have so many users that think they know what they are doing and will deny they did anything until the cows come home. They always say I run this and that and that at home but can they tell you how it all works and why? Nope. Anyway these incidents always turn out that the user did this or that because "I've never used this thing before" or "I thought it was meant to do this" something similar.
Anyway on subject. We use IE because that is what our group heads decide. I also have Firefox deployed (yes with controls on use) because I prefer it and it is more useful for many of my users.
Bangs head on door...
So one flaw in i.e hits the headlines
yet Opera has others, barely a mention.
I'm sooo fucking tired of this fanbitch shit...it's got a flaw, woopee doo...
I use Firefox on Linux and it crashes far more often than i.e does on Windows, but I'm sure others experience it the other way around.
To be honest, those that have an orgasm at MS having a flaw really, really, need to get a life, if that is what gets you so excited, then good for you, but for the majority of us, you are really dull !
New Year Resolution:
I will be positive in all my comments...until then. ...get a life you sad bastards!
Re. 'ripe stilton'
Yes, it is more secure. Definitely. And particularly since we're using it with scripting disabled, and banner ads blocked (major source of spyware/malware).
I'm much happier now we're using it, I have been on about it for ages (since it's my job to decide which software the company uses) but office politics have prevented it being rolled out.
As I said, I'm glad it made the news, as it forced the department heads who think they know more about computers than I do to sit up and take notice of how shit IE is.
The two departments who have been on Firefox for over a year are the departments whose computers are _never_ infected with spyware. Every time I get a report from WebRoot that a machine's infected, it's from one of the other two departments. Who use IE. YMMV.
Obviously I don't depend on using Firefox alone to offer me security, it is deployed in conjunction with a tightly locked down firewall, WebRoot AV/anti-malware and a Barracuda web filtering box. I'm not an idiot.
"What's so complicated about the licensing - you stick the key in a syspreped machine and fire the image over the network..."
I think you missed the "re" in REdeployment. Thanks for trying.
Re. Re. 'ripe stilton'
"Yes, it is more secure. Definitely" - oh dear oh dear. You honestly believe that don't you?
"And particularly since we're using it with scripting disabled, and banner ads blocked" - and you control your users' manual settings configuration how?
"(major source of spyware/malware)" - thanks for that - we'd always wondered.
"(since it's my job to decide which software the company uses)" - does your company not have any qualified IT staff?
"I'm not an idiot" - and I'm not commenting any further.
Suddenly I see everyone posting here ducking for cover!
Anyone gone and read the Firefox updates article?
Stop being so f**king complacent about your software people - you are sounding more and more about the Apple and Linux users everyday. Learn about the possibilities of being cracked and exploited and act accordingly... my pr0n machine gets thoroughly deloused once a quarter on top of weekly deep scans and nothing personal or sensitive sits on it; whereas my personal business machine is protected to a paranoid level; and my gaming machines don't sit on the network often so are protected to a lesser extent (still full firewall/AV/Spybot/ports closed/doesn't respond to much poking, pinging or probing).
For the record, I normally use FF3 with the usual blockers, ofttimes dabble in Opera too and rarely touch IE, Chrome and Safari as not noticed any advantages there.
Re: Broken to fixed
Not quite. Publicly acknowledged to fixed in 8 days. Slightly different. The flaw has been around a very long time; either MS knew nothing of it (these things are spotted more quickly with FOSS) or they sat on it (sitting on them is in nobody's interest with FOSS).
So either way, looks like FOSS is the answer.
Heard on BBC radio…
They said that IE is "the world's most populAR browser".
It's the world's most populOUS browser.
@ Matthew Bartlett
Quite right, I am a user; so no need for me to log every event.
Point taken, I can definitely see how the majority of users could be taken to be as ignorant and trouble causing as you described - although our IT department solves all this by simply preventing us from downloading anything whatsoever.
Maybe I should have said 'justifiably paranoid'.
Wot Update ?
Wed. 16:49 GMT
Is there something wrong inherently with the way that I do things ?
The only update/download available to me is, Windows Malicious Software Removal Tool !
Don't know how many times I've installed this little beauty, but according to the Windows Update server, my IE 7 would seem to be properly patched, even though Automatic Updates has been turned off for weeks, until a moment ago.
Oh, XP. sad as it is, this is wot my kids have been trained to use and so they use IE7 too, NOT me.
Well, sure I'll expand on that.
In Firefox you can find add ons very easily, all in one place.
In Opera by contrast, unless I've missed a recent development or my Google-fu is particularly weak today, you can't. You have to go to non-Opera websites as with IE8 and hope for the best.
As for the customising buttons, well you can customise that and more with Firefox if you want.
Re security nightmare with Firefox add ons - I wouldn't know. At work for example, I trust that my fantastic and justifiably paranoid IT dept will have decent security on their web server and that their 'websense' filter will prevent me from downloading anything or reading any websites which are blocked.
I also trust that they will know how to lock down Firefox whilst not missing out on decent aspects of it such as No Script which can block all advertisements, flash images and java script whilst still allowing most 'top level' content/functionality from main pages.
'cause Firefox is the saviour right?
Quite funny to see all the FF fanboys proclaiming how they are somehow now justified, and all the crap about how now they can fulfill their plans to get all their supported staff using FF over IE.
Wake up guys, you think FF is that much better? Ha, emergency patch pushed out for FF just today!
Also, if you knew anything you'd know that with its protected mode mechanism IE can actually be more secure than the rest.
This is just another fuss caused by media getting hold of a story and making it far worse than it would have been and a load of would be geeks who think that being a geek means you have to love FF and hate everything MS does for the sake of it...
RE:RE: "Ripe stilton"
He said she said,
Pick your handbags up on the way out darling, get a grip FFS.
But then i am finding this whole "i am not an idiot" argument quite amusing. And seriously, if you actually have to qualify your comment with a statement like that, then really........you are an idiot.
Paris cos she so totally like just loves handbags
@ Techies here
Just one more thing.
I have spoken ill of my IT dept because I am a user and ignorant of the issues they have to face and deal with on a daily basis, and I suppose that they must know a lot of things that I don't and I don't think of.
However, saying that; I do rely on them to keep my computer and all aspects of our network safe from viruses, root kits, spyware and adware by using firewalls (on servers and nodes, probably Windows firewall for nodes and appropriate firewalls for servers and switches) and antivirus/malware software. I expect this to be updated, and I expect that it shall be necessary for blacklists to be updated too.
I expect our techies to know which extensions and add-ons are security risks and which aren't, and I expect them to tell me that because they don't want users phoning them up and deluging them with calls and requests to undo themes or extensions they don't want anymore that there is no business case for such; and therefore privileges for downloading and installing such would be removed at user level.
This would be especially true of about:config and having users muck about with pipelining or max-requests-per server settings, although I can't see much damage being done by setting paint delay to 0.
Not that removing things is a problem, it isn't - it's just a matter of preventing calls from users for non-critical issues and having more time to work on projects, functionality issues, compatibility and security issues. This is logical and easy to understand.
I think that techies would be well advised to issue a network message or have a page on the intranet in their function pages explaining this, to save any misconceptions or prevent users (or L-Users) from thinking the techies are being condescending in any way.
@ Re. Re. 'ripe stilton'
Of course Firefox is more secure than IE, just like Macs are more secure than Windows based PCs, for the simple reason that the large install base of IE (and the same for Windows) is a far more attractive target for malware.
Given that we cannot inspect the source of IE, it is impossible to know which browser is inherently more secure by design, but I'd be willing to hazard a guess.
As for control over user settings - you have really missed the point here haven't you. Firefox is open source - you can compile it with whatever features, or lack of them, you want. And with options preinstalled. Even rename it as "My Company's browser".
And if that's too hard, there are a bunch of builds with typical options locked down already out there under maintenance from very reputable sources.
Honestly, Firefox can be whatever you want it to be, including hobbled. Your objections are purely based on ignorance.
Well where ......
is the MS update ?????. It's 8.10 pm and still no news from MS
Firefox vs IE
One has direct hooks into the OS kernel and one doesn't. Which one is inherently more dangerous?
WGA - how to reduce security
Not having done much Windows updating for a while, I went to their website tonight and found that I can't get any updates unless I'm willing to install a piece of MS spyware on my PC. Looks like I'm just going to have to do without any updates then. I suspect that quite a few other people will be doing the same. Are MS really trying to make life easier for malware writers?
@ Firefox fanbois
MUHA HA HA HA HA HA HA HAAAAA!!
To those rolling out Firefox on your domain - words fail me, seriously stop and think about what you're doing. Where did you get your MCSA - the back of a box of Cornflakes?!
@Wot Update ?
I couldn't find the update either. Did a sudo apt-get update and nothing showed up. I'm definitely missing something here...