Users told: Get rid of Internet Explorer (again)
Internet Explorer users have been told to ditch the application and switch to another browser, pronto. The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites). …
Exploit?
Internet exploder has an exploit?
Windows has an exploit?
I'M SHOCKED!
It could be a joke, but we all know it isn't (*SIGH*)!
Re: Exploit?
Herby, I would like to thank you personally for your allowing us to share in your enlightened, intelligent and well constructed thoughts.
I wish I could say it was a pleasure and an education, alas...
Re: Exploit?
You lie! According to the fancy new commercials on TV in the US, IE is the only game in town. And tell me would Microsoft waste millions on advertising instead of development if their product was not perfect?
Pardon me...
... but what is this "again" business you refer to...?
This is why...
...I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier.
I also used to use IE8 out of dogged determination to follow the local IT rules on the principle that if the tools I was required to use reduced my efficiency that was my employer's problem. But eventually I just had no choice but to move on to FireFox or get no work done at all!
Re: This is why...
"I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier."
As a former IT support analyst your statement intrigues me.
In what way would you having admin privileges on your account make life easier for anyone except yourself? There really is no reason to have such privileges unless one IS an administrator, quite the opposite in fact, as anyone with the ability to stuff unauthorised, untested applications and generally interfere with the PC is the stuff of the IT department's nightmares. Believe me, as the saying goes "A little knowledge is a dangerous thing."
No, unless you have some absolutely desperate need for hands-on control of your PC leave that pleasure to the poor souls who are paid to do the job. Even then get the support of the IT department when contemplating any changes to your set-up whatsoever.
Think of it as an insurance policy. If you mess up the machine someone somewhere is going to have to pay for it to be put right. If the IT department messes up, it's up to them to fix it under the SLA at no cost to you.
In answer to namatoad:
I used to work in the IT department at my university (shudder). Now I am out in the faculties, some of the IT people would love nothing more than for me to fix my own problems and install my own software so they don't have to (to be fair, they are genuinely understaffed). I would like nothing less - I never wanted to mess around with computers at that level, it is something I will do (quite well according to my manager there) for money, but not for 'fun'! Certainly not for free. Definitely not Wlndows!!!
I know all about the dodgy stuff that academics think they are qualified to install, having pulled enough data-recovery miracles after-the-fact in my time, and given enough "well, that's why we don't want people doing that" talks ten times as often (we are talking data worth potentially hundreds of thousands of dollars and several years' work - no, a USB drive from the local office shop isn't going to be as reliable as the expensive triple-off-site system you balked at paying for space on, there is a place in Melbourne that can scan the dis-assembled platters in a clean room if the data is worth enough...).
Probably my experience with such things is why they would trust me (and the fact that I actually keep my data on the right storage volumes where they are protected from local machine failures, etc. etc.). I am probably one of the last people in the university to submit the required use-case to get firefox finally installed (not a program I am particularly keen on either, but at least it renders the pages I need).
Re: This is why...
nematoad:
Since you are a former IT support analyst, I'm surprised that you forgot that on XP some software won't run w/o admin privilege.
Re: This is why...
Well you can run most programs without admin rights, but then it's the realm of having to give users write access to the program folders, which, if a user knows about it, can be abused. It just takes some time, as generally the developers of the program, after being asked "Why do you write temp files to the root of C, why not use a temporary folder like everyone else", will request lots of money for their software that no-one in the IS/IT department likes.
Re: This is why...
Can be as simple as, "the damn software is run by four people, has monthly updates which require 30 minutes on each system to install, and since they change the install parameters every month, can't be easily automated, so it's easier to just give them admin privileges to install the updates."
Or, as was the case after we just finished creating our first "standards compliant secure Windows 2000 environment," you discover that MS's new release of the programming tool every programmer in the office needs REQUIRES administrative privileges for the software to run.
Re: on XP some software won't run w/o admin privilege
I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them.
Moreover, the reason for such behavior is often outright stupid, such as the software wanting to write to some file (usually in the install dir) to which only users in the admin group have write privilege. If the author of the software can't even get this sort of things right, the software isn't worth the diskspace it occupies.
Re: on XP some software won't run w/o admin privilege
"I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them."
I got the impression that's most bought-in specialist apps in the NHS.
Good thing you don't work for them is it not?
"The attack bypasses ASLR"
Curious if that has something to do with IE essentially being part of the OS.
At least this one stays in the user context...
Re: "The attack bypasses ASLR"
IE being "part of the OS" is one of those confused ideas that gets blamed for much that doesn't make sense. It's only "part of the OS" in the sense that it is packaged as a shared library that other applications and services can use. Beyond that it's just a user-mode application like anything else.
As for bypassing ASLR, I'm not convinced that's too big a deal - it's never been a particularly strong way of protecting an OS anyway. It'd be rather more useful to know whether the exploit can break out of Protected Mode IE (whereby IE normally runs with less permission than a standard user as long as UAC is enabled) as neither the Rapid7 post or MSFT's advisory is entirely clear on that one.
Re: "The attack bypasses ASLR"
El Andy,
Not trying to be disagreeable, but the rumor/FUD/whatever-you-want-to-call-it that IE exists at a lower security context than a normal application is an old, well established one... so is there any way to verify (source?) that "it's just a user-mode application like anything else" and does not make use of what would normally be restricted calls and methods?
Regards.
Crusty scab
And there is me, using IE(64bit) for the first time in a few years just to see...
Re: I'll keep using..
"Firefox... safe and no ads ftw !"
There is no such thing as a 'safe' browser... ftw!
Re: I'll keep using..
Although what you said is true I'm downvoting you for replying to a trollface icon person correcting their deliberate error.
Rapid7 might look a bit more knowledgeable in all this if they actually managed to make their own website correctly detect browsers, instead of putting up an "Attention IE6 user, you need to upgrade your browser" when visited in IE10. What exactly is the point of an advisory that the very users you're supposedly warning can't read because you don't know how to write HTML properly??
Unfortunately many browser sniffers that are copied and pasted into code can't parse browser versions greater than 9 properly (10 is read as 1).
The problem will fix itself when we're up to Chrome and Firefox 70 or thereabouts, probably by the end of the year.
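The parsing mistake the comment describes, shown as an added example (not code from the article, the commenter or Rapid7's site): a naive sniffer takes one character after "MSIE " and so reads version 10 as 1, while a digit-run match gets it right. The user-agent strings are constructed samples, and the "nag when major version is 6 or lower" rule is an assumption about how such an upgrade banner decides.

```javascript
// Constructed sample user-agent strings (not taken from the page).
const SAMPLE_AGENTS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  ie9: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  ie10: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
  firefox: "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
  chrome: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0.1180.89 Safari/537.1",
};

// Naive sniffer of the kind the comment describes: it reads the single
// character after "MSIE ", so "10.0" is parsed as 1.
function naiveIeMajor(ua) {
  const idx = ua.indexOf("MSIE ");
  if (idx === -1) return null;
  return parseInt(ua.charAt(idx + 5), 10);
}

// Corrected sniffer: capture the whole run of digits before the dot.
function ieMajor(ua) {
  const m = /MSIE (\d+)\./.exec(ua);
  return m ? parseInt(m[1], 10) : null;
}

// Generalised version for the other browsers the comment mentions: each
// token is followed by a multi-digit major version, so the same digit-run
// capture works for all of them (IE's token has a space, the others a slash).
function browserMajor(ua) {
  const m = /(MSIE|Firefox|Chrome)[ /](\d+)\./.exec(ua);
  if (!m) return null;
  return { name: m[1] === "MSIE" ? "IE" : m[1], major: parseInt(m[2], 10) };
}

// Assumed banner rule: nag when the detected IE major version is 6 or lower.
// With the naive detector, an IE10 visitor is told they run IE6-or-older.
function shouldNagToUpgrade(ua, detector) {
  const major = detector(ua);
  return major !== null && major <= 6;
}
```

Running `shouldNagToUpgrade(SAMPLE_AGENTS.ie10, naiveIeMajor)` returns true and `shouldNagToUpgrade(SAMPLE_AGENTS.ie10, ieMajor)` returns false, which is exactly the misfire the commenter saw; the fix is the `\d+` capture rather than a single character.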
Hmm... remote binary code execution....
....sounds exactly like Active X to me.
IE? Who uses that shit ?
Seriously, we have prime-time ads on TV for that pile of shit - it is clearly the most widely known bad, broken, and bloated piece of software.
Don't use, don't use, did I say don't use ????
Re: IE? Who uses that shit ?
IE? Who uses that shit ?
Sadly, my customers.
Re: IE? Who uses that shit ?
Hey, don't complain. It's keeping you in paid employment!
Re: IE? Who uses that shit ?
It's widely known and widely used but IE9 is just fine thanks. I hope IE10 continues the trend but unlike other commentards I won't pass judgement on something I never used.
Re: IE? Who uses that shit ?
Anyone who is subject to the PHBs two levels above my department whose policy requires the use of financial software that is only certified to work with IE (and a soon to be obsolete version of Java).
I preferred reading this on Slashdot where it didn't sound like low quality tabloid journalism.
... attack works on IE 7 through 9!
Another 'reason' for the UK government to keep on using IE6.
Re: ... attack works on IE 7 through 9!
"Another 'reason' for the UK government to keep on using IE6."
I wondered if anyone would come up with this ideal con-tractor line.
Well spotted.
Re: ... attack works on IE 7 through 9!
According to heise.de it works on IE6 as well.
http://www.h-online.com/security/news/item/Microsoft-and-Germany-s-BSI-warn-against-using-IE-1710058.html
So...
Because a browser has a security bug we should stop using it? What do we do when FireFox has an exploit? Move to Chrome? Then what when Chrome has a bug?
Software gets exploited, the important thing is that the bugs get addressed not that they exist.
Re: So...
'Because a browser has a security bug we should stop using it? '
...'Software gets exploited, the important thing is that the bugs get addressed not that they exist.'
Yes and no. You don't scrap your car and buy a new one if it breaks down once, but if it breaks down every week and every other car by the same manufacturer breaks down every week, then maybe it's time to buy one from someone else don't you think?
Re: So...
"then maybe it's time to buy one from someone else don't you think?"
Let every vendor or developer who has only ever truly written exploit and bug free code step forward...
Re: So...
"Let every vendor or developer who has only ever truly written exploit and bug free code step forward..."
Let everyone who has not read the post reply to it.
Application portability. Microsoft style
3 generations of browser.
1 exploit to pwn them all.
Do you get the feeling their software development process is somehow IDK not right?
Re: Application portability. Microsoft style
Why would an exploit on newer versions NOT work on older ones? Do you think they start each browser totally from scratch?
Re: Why would an exploit on newer versions NOT work on older ones?
Because the vulnerability affects functionality that was not implemented in the older browsers?
IE10 isn't just IE6 with some of the broken bits fixed. It's a whole new turd sandwich - the bread may be the soggy, mouldy exterior that we are familiar with, but you can notice the smell isn't quite as bad and the brown colouring of the filling is more pleasant on the eye.
Odd didn't we read the other week...
...that IE is less susceptible to a certain attack than many of the other browsers...
Ooo look here it is.
http://www.theregister.co.uk/2012/08/21/tesco_ico/
(following link to)
http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html
Quote:
"Just on the browser compatibility for that XSS: IE9 and IE10 are actually pretty good and will warn you about it without executing it. All other browsers tested – Chrome, Firefox and Safari (desktop and iOS) – will happily parse it and allow the exploit to occur."
So let's face it, use one browser and you're screwed one way, use another and you're screwed another way.
So we can't use Java, because...
...that has bugs, now not IE (taking a pop at the favourite browser again) because that has a bug which can infect your machine when you browse to dodgy, badly maintained sites.
What about all the other software with bugs in it?
I'm not saying IE is better than the others, I'm used to it and am well aware that other browsers can be better and can be worse. Security of software is a process, not a state. My money is on Microsoft at the moment when it comes to process and support and the feed through to consumer and the enterprise.
Can someone tell the government please
Recently I had cause to contact the DWP and had difficulty with their on-line form. The contact centre referred me to this link.
http://www.direct.gov.uk/en/Pensionsandretirementplanning/StatePension/DG_183111
Unfortunately it turned out that my PC isn't old enough to discuss pensions.
Operating systems and browsers
The service is not currently available using Macs or other Unix based systems even though you may be able to input information.
Our service currently works with the following operating systems and browsers:
Microsoft Windows 98: Internet Explorer 5.0.1, 5.5 and 6.0; Netscape 7.2
Microsoft Windows ME: Internet Explorer 5.5 and 6.0; Netscape 7.2
Microsoft Windows 2000: Internet Explorer 5.0.1, 5.5 and 6.0; Netscape 7.2; Firefox 1.0.3; Mozilla 1.7.7
Microsoft Windows XP: Internet Explorer 6.0; Netscape 7.2; Firefox 1.0.3; Mozilla 1.7.7
Re: Get rid of Internet Explorer
Of course it is.
All PCs I have used in the last 8 years have been completely IE free.
see www.distrowatch.org for a list.
Re: Get rid of Internet Explorer
Thanks for trying to help, but I develop in a Windows environment, so that doesn't really count as a getting-rid-of-IE solution.
Fragmentation
It's really hard to seriously address this.
First issue is that at some point, as others have said, every browser has an "oooooooo nooooooooooos exploit" moment. That's life, that's software, the bastards are always out to get you.
Second issue is that for things other than random website browsing, browser brand and version become a massive headache. I've got MSIE, Firefox and Chrome on my work PC just to be able to make the websites and applications I need to use work correctly.
Combine those two things together and all you can hope for are fixes for issues as they come along and to be honest, all of the three I use do do that.... maybe not in time for some nasty 0day, but nobody protects you against 0day.
The new IE advert is false advertising
It's "super fast" yet on my PC I open it and it crashes
Why do they even advertise this hunk of junk
Death to IE
Re: It's "super fast" yet on my PC I open it and it crashes
But I'll bet it crashes 10 times faster than it did on your old system, thus saving you time and money!
Here is the exploit in action.
The bad thing about it is no user interaction, just going to a web site.
https://www.youtube.com/watch?v=2UlN9W6NGqY&feature=player_embedded
Those not wanting to click links can just do a YouTube search for "0-Day exploit in action" or "crushkittykitty".
