back to article Users told: Get rid of Internet Explorer (again)

Internet Explorer users have been told to ditch the application and switch to another browser, pronto. The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites). …

COMMENTS

This topic is closed for new posts.

Silver badge
Joke

Exploit?

Internet exploder has an exploit?

Windows has an exploit?

I'M SHOCKED!

It could be a joke, but we all know it isn't (*SIGH*)!

13
15
Anonymous Coward

Re: Exploit?

Herby, I would like to thank you personally for your allowing us to share in your enlightened, intelligent and well constructed thoughts.

I wish I could say it was a pleasure and an education, alas...

1
1
Silver badge
FAIL

Re: Exploit?

You lie! According to the fancy new commercials on TV in the US, IE is the only game in town. And tell me would Microsoft waste millions on advertising instead of development if their product was not perfect?

3
0
Silver badge
Devil

Pardon me...

... but what is this "again" business you refer to...?

4
0
Anonymous Coward

This is why...

...I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier.

I also used to use IE8 out of dogged determination to follow the local IT rules on the principle that if the tools I was required to use reduced my efficiency that was my employer's problem. But eventually I just had no choice but to move on to FireFox or get no work done at all!

10
4
Silver badge
WTF?

Re: This is why...

"I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier."

As a former IT support analyst your statement intrigues me.

In what way would you having admin privileges on your account make life easier for anyone except yourself? There really is no reason to have such privileges unless one IS an administrator, quite the opposite in fact, as anyone with the ability to stuff unauthorised, untested applications and generally interfere with the PC is the stuff of the IT department's nightmares. Believe me, as the saying goes "A little knowledge is a dangerous thing."

No, unless you have some absolutely desperate need for hands-on control of your PC leave that pleasure to the poor souls who are paid to do the job. Even then get the support of the IT department when contemplating any changes to your set-up whatsoever.

Think of it as an insurance policy. If you mess up the machine someone somewhere is going to have to pay for it to be put right. If the IT department messes up, it's up to them to fix it under the SLA at no cost to you.

3
4
Anonymous Coward

In answer to namatoad:

I used to work in the IT department at my university (shudder). Now I am out in the faculties, some of the IT people would love nothing more than for me to fix my own problems and install my own software so they don't have to (to be fair, they are genuinely understaffed). I would like nothing less - I never wanted to mess around with computers at that level, it is something I will do (quite well according to my manager there) for money, but not for 'fun'! Certainly not for free. Definitely not Windows!!!

I know all about the dodgy stuff that academics think they are qualified to install, having pulled enough data-recovery miracles after-the-fact in my time, and given enough "well, that's why we don't want people doing that" talks ten times as often (we are talking data worth potentially hundreds of thousands of dollars and several years' work - no, a USB drive from the local office shop isn't going to be as reliable as the expensive triple-off-site system you balked at paying for space on, there is a place in Melbourne that can scan the dis-assembled platters in a clean room if the data is worth enough...).

Probably my experience with such things is why they would trust me (and the fact that I actually keep my data on the right storage volumes where they are protected from local machine failures, etc. etc.). I am probably one of the last people in the university to submit the required use-case to get firefox finally installed (not a program I am particularly keen on either, but at least it renders the pages I need).

1
0

Re: This is why...

nematoad:

Since you are a former IT support analyst, I'm surprised that you forgot that on XP some software won't run w/o admin privilege.

2
1
Bronze badge
Facepalm

Re: This is why...

Well you can run most programs without admin rights, but then it's the realm of having to give users write access to the program folders which if a user knows about can be abused. It just takes some time as generally the developers of the program after saying, "Why do you write temp files to the root of C, why not use a temporary folder like everyone else" will request lots of money for their software no-one in the IS/IT department likes.

0
0
Anonymous Coward

Re: This is why...

Can be as simple as, "the damn software is run by four people, has monthly updates which require 30 minutes on each system to install, and since they change the install parameters every month, can't be easily automated, so it's easier to just give them admin privileges to install the updates."

Or, as was the case after we just finished creating our first "standards compliant secure Windows 2000 environment," you discover that MS's new release of the programming tool every programmer in the office needs REQUIRES administrative privileges for the software to run.

2
0
Stop

Re: on XP some software won't run w/o admin privilege

I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them.

Moreover, the reason for such behavior is often outright stupid, such as the software wanting to write to some file (usually in the install dir) to which only users in the admin group have write privilege. If the author of the software can't even get this sort of thing right, the software isn't worth the disk space it occupies.

1
0
Gold badge
Happy

Re: on XP some software won't run w/o admin privilege

"I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them."

I got the impression that's most bought in specialist apps in the NHS.

Good thing you don't work for them is it not?

0
0
Anonymous Coward

"The attack bypasses ASLR"

Curious if that has something to do with IE essentially being part of the OS.

At least this one stays in the user context...

5
0
Bronze badge

Re: "The attack bypasses ASLR"

IE being "part of the OS" is one of those confused ideas that gets blamed for much that doesn't make sense. It's only "part of the OS" in the sense that it is packaged as a shared library that other applications and services can use. Beyond that it's just a user-mode application like anything else.

As for bypassing ASLR, I'm not convinced that's too big a deal - it's never been a particularly strong way of protecting an OS anyway. It'd be rather more useful to know whether the exploit can break out of Protected Mode IE (whereby IE normally runs with less permission than a standard user as long as UAC is enabled) as neither the Rapid7 post nor MSFT's advisory is entirely clear on that one.

5
0
Anonymous Coward

Re: "The attack bypasses ASLR"

El Andy,

Not trying to be disagreeable, but the rumor/FUD/whatever-you-want-to-call-it that IE exists at a lower security context than a normal application is an old, well established one... so is there any way to verify (source?) that "it's just a user-mode application like anything else" and does not make use of what would normally be restricted calls and methods?

Regards.

1
0
Meh

Crusty scab

And there is me, using IE(64bit) for the first time in a few years just to see...

1
0
Trollface

I'll keep using..

Firefox...

safe and no ads ftw !

4
6
Anonymous Coward

Re: I'll keep using..

"Firefox... safe and no ads ftw !"

There is no such thing as a 'safe' browser... ftw!

1
1
Anonymous Coward

Re: I'll keep using..

Although what you said is true I'm downvoting you for replying to a trollface icon person correcting their deliberate error.

0
0
Bronze badge
FAIL

Rapid7 might look a bit more knowledgeable in all this if they actually managed to make their own website correctly detect browsers, instead of putting up an "Attention IE6 user, you need to upgrade your browser" when visited in IE10. What exactly is the point of an advisory that the very users you're supposedly warning can't read because you don't know how to write HTML properly??

7
1
Silver badge

Unfortunately many browser sniffers that are copied and pasted into code can't parse browser versions greater than 9 properly (10 is read as 1).

The problem will fix itself when we're up to Chrome and Firefox 70 or thereabouts, probably by the end of the year.

3
0
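The single-digit parsing failure described in the comment above, shown as an added example that is not part of the original thread or of any site's actual code. The function names, the `minSupported` threshold and the sample User-Agent strings are constructed for illustration.

```javascript
// Constructed sample User-Agent strings in the format these browsers send.
const SAMPLE_UAS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  ie9: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  ie10: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  firefox: "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
};

// Hypothetical copy-pasted sniffer: it reads exactly one character after
// "MSIE ", so "MSIE 10.0" yields 1 and IE10 looks older than IE6.
function naiveIeMajor(ua) {
  const i = ua.indexOf("MSIE ");
  if (i === -1) return null;
  return parseInt(ua.charAt(i + 5), 10);
}

// Corrected parser: capture every digit of the major version and require
// the "major.minor" shape so unrelated text is not mistaken for a version.
function ieMajor(ua) {
  const m = /\bMSIE (\d+)\.\d+/.exec(ua);
  return m ? parseInt(m[1], 10) : null;
}

// Decide whether to show an "upgrade your browser" banner.
// Non-IE browsers (null version) never get the IE banner.
function needsUpgradeBanner(ua, parse, minSupported = 7) {
  const major = parse(ua);
  return major !== null && major < minSupported;
}

// Compare both parsers over the constructed samples.
function compareParsers() {
  return Object.entries(SAMPLE_UAS).map(([name, ua]) => ({
    name,
    naive: needsUpgradeBanner(ua, naiveIeMajor),
    fixed: needsUpgradeBanner(ua, ieMajor),
  }));
}

console.log(compareParsers());
```

With the naive parser the IE10 visitor is told to upgrade; with the corrected one only the IE6 string triggers the banner.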
Silver badge

Hmm... remote binary code execution....

....sounds exactly like Active X to me.

3
0
Bronze badge
Mushroom

IE? Who uses that shit ?

Seriously, we have prime-time ads on TV for that pile of shit - it is clearly the most widely known bad, broken, and bloated piece of software.

Don't use, don't use, did I say don't use ????

9
5
FAIL

Re: IE? Who uses that shit ?

IE? Who uses that shit ?

Sadly, my customers.

7
0
Anonymous Coward

Re: IE? Who uses that shit ?

Hey, don't complain. It's keeping you in paid employment!

0
0
JDX
Gold badge

Re: IE? Who uses that shit ?

It's widely known and widely used but IE9 is just fine thanks. I hope IE10 continues the trend but unlike other commentards I won't pass judgement on something I never used.

1
2
Anonymous Coward

Re: IE? Who uses that shit ?

Anyone who is subject to the PHBs two levels above my department whose policy requires the use of financial software that is only certified to work with IE (and a soon to be obsolete version of Java).

1
0
Anonymous Coward

I preferred reading this on slashdot where it didn't sound like low quality tabloid journalism.

0
1
Silver badge
Thumb Up

... attack works on IE 7 through 9!

Another 'reason' for the UK government to keep on using IE6.

3
0
Gold badge
Happy

Re: ... attack works on IE 7 through 9!

"Another 'reason' for the UK government to keep on using IE6."

I wondered if anyone would come up with this ideal con-tractor line.

Well spotted.

0
0
Stop

Re: ... attack works on IE 7 through 9!

according to heise.de it works on ie6 as well.

http://www.h-online.com/security/news/item/Microsoft-and-Germany-s-BSI-warn-against-using-IE-1710058.html

0
0
JDX
Gold badge

So...

Because a browser has a security bug we should stop using it? What do we do when FireFox has an exploit? Move to Chrome? Then what when Chrome has a bug?

Software gets exploited, the important thing is that the bugs get addressed not that they exist.

9
2

Re: So...

'Because a browser has a security bug we should stop using it? '

...'Software gets exploited, the important thing is that the bugs get addressed not that they exist.'

Yes and no. You don't scrap your car and buy a new one if it breaks down once, but if it breaks down every week and every other car by the same manufacturer breaks down every week, then maybe it's time to buy one from someone else don't you think?

2
0
Anonymous Coward

Re: So...

"then maybe it's time to buy one from someone else don't you think?"

Let every vendor or developer who has only ever truly written exploit and bug free code step forward...

0
0
Anonymous Coward

Re: So...

"Let every vendor or developer who has only ever truly written exploit and bug free code step forward..."

Let everyone who has not read the post reply to it.

1
0
Gold badge
Unhappy

Application portability. Microsoft style

3 generations of browser.

1 exploit to pwn them all.

Do you get the feeling their software development process is somehow IDK not right?

3
3
JDX
Gold badge

Re: Application portability. Microsoft style

Why would an exploit on newer versions NOT work on older ones? Do you think they start each browser totally from scratch?

0
2
Bronze badge

Re: Why would an exploit on newer versions NOT work on older ones?

Because the vulnerability affects functionality that was not implemented in the older browsers?

IE10 isn't just IE6 with some of the broken bits fixed. It's a whole new turd sandwich - the bread may be the soggy, mouldy exterior that we are familiar with, but you can notice the smell isn't quite as bad and the brown colouring of the filling is more pleasant on the eye.

1
0
Anonymous Coward

Odd didn't we read the other week...

...that IE is less susceptible to a certain attack than many of the other browsers...

Ooo look here it is.

http://www.theregister.co.uk/2012/08/21/tesco_ico/

(following link to)

http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html

Quote:

"Just on the browser compatibility for that XSS: IE9 and IE10 are actually pretty good and will warn you about it without executing it. All other browsers tested – Chrome, Firefox and Safari (desktop and iOS) – will happily parse it and allow the exploit to occur."

So let's face it, use one browser you're screwed one way and use another and you're screwed another way.

10
0
Thumb Down

So we can't use Java, because...

...that has bugs, now not IE (taking a pop at the favourite browser again) because that has a bug which can infect your machine when you browse to dodgy, badly maintained sites.

What about all the other software with bugs in it?

I'm not saying IE is better than the others, I'm used to it and am well aware that other browsers can be better and can be worse. Security of software is a process, not a state. My money is on Microsoft at the moment when it comes to process and support and the feed through to consumer and the enterprise.

3
4
Unhappy

Can someone tell the government please

Recently I had cause to contact the DWP and had difficulty with their on-line form. The contact centre referred me to this link.

http://www.direct.gov.uk/en/Pensionsandretirementplanning/StatePension/DG_183111

Unfortunately it turned out that my PC isn't old enough to discuss pensions.

Operating systems and browsers

The service is not currently available using Macs or other Unix based systems even though you may be able to input information.

Our service currently works with the following operating systems and browsers:

Microsoft Windows 98:

Internet Explorer versions 5.0.1, 5.5 and 6.0

Netscape 7.2

Microsoft Windows ME

Internet Explorer version 5.5 and 6.0

Netscape 7.2

Microsoft Windows 2000

Internet Explorer version 5.0.1, 5.5 and 6.0

Netscape 7.2

Firefox 1.0.3

Mozilla 1.7.7

Microsoft Windows XP

Internet Explorer 6.0

Netscape 7.2

Firefox 1.0.3

Mozilla 1.7.7

4
0
Silver badge

Get rid of Internet Explorer

Is that even possible?

1
2
Linux

Re: Get rid of Internet Explorer

Of course it is.

All PCs I have used in the last 8 years have been completely I.E free.

see www.distrowatch.org for a list.

5
3
Silver badge

Re: Get rid of Internet Explorer

Thanks for trying to help, but I develop in a windows environment, so that doesn't really count as a getting rid of IE solution.

0
0
Anonymous Coward

Fragmentation

It's really hard to seriously address this.

First issue is that at some point, as others have said, every browser has a "oooooooo nooooooooooos exploit" moment. That's life, that's software, the bastards are always out to get you.

Second issue is that for things other than random website browsing, browser brand and version become a massive headache. I've got MSIE, Firefox and Chrome on my work PC just to be able to make the websites and applications I need to use work correctly.

Combine those two things together and all you can hope for are fixes for issues as they come along and to be honest, all of the three I use do do that.... maybe not in time for some nasty 0day, but nobody protects you against 0day.

0
0

Can't wait for IE10 to come out.

0
0
Thumb Down

Not got flash installed. I win.

1
0
Pint

The new IE advert is false advertising

It's "super fast" yet on my PC I open it and it crashes

Why do they even advertise this hunk of junk

Death to IE

3
2
Silver badge
Joke

Re: Its "super fast" yet on my PC I open it and it crashes

But I'll bet it crashes 10 times faster than it did on your old system, thus saving you time and money!

4
0

here is the exploit in action

the bad thing about it is no user interaction just going to a web site

https://www.youtube.com/watch?v=2UlN9W6NGqY&feature=player_embedded

those not wanting to click links just do a youtube search for “0-Day exploit in action” or “crushkittykitty”

0
0
