
Redmond promises emergency IE bug fix on Friday (zero day + 5)

Microsoft is promising to release an emergency patch that tackles a zero-day vulnerability in Internet Explorer on Friday. In the meantime, the software giant is pointing customers towards a temporary fix, issued on Wednesday. The stop gap fix uses Redmond's "application compatibility shim mechanism" as a sort of battlefield …

COMMENTS

This topic is closed for new posts.
Silver badge
Windows

Somehow, the public security issues are not the ones I am worried about. It is the ones not in the public domain that worry me.

Where's the horse? Better close the stable door.

1
0

One of the reasons I use Linux is purely trust. I don't trust Microsoft to (a) produce secure software (b) to put in back doors (c) fix known issues quickly.

When there are security issues with Linux you generally know what has caused them plus the fixes are usually far faster - sometimes distro X may be slow to release fixes however you ALWAYS have the choice to patch it yourself.

5
2
Silver badge

I agree with you yossarianuk - a lot of people realised this decades ago, but we get called all sorts of names for thinking it and then the reasons we state get misconstrued to things like "if we can see the code, it's somehow magically more secure even if it's crap". It's not a question of security, or business, or affordability, or readability, or features, or even neat coding tricks.

The question of who you rely on is a big one in computing and, in my history, Microsoft is not a front-runner. I honestly can't guarantee that my Windows servers will be running tomorrow, even if I don't count hardware failure as a possibility. And I can't even say how long it would take to get a fully-functional replacement up and running either. And it's because of my lack of trust in Microsoft products given my experience with them.

Browsers are probably THE most important application that I allow to traverse my firewalls - they act on untrusted input all day long and have to do so fast, efficient and change constantly to keep up with standards. As such, I haven't used IE since, literally, IE4. It was just that bad. I was on Netscape before most people had ever even heard of the Internet (I remember my CS teacher being flabbergasted that I got an email from someone in Canada because they'd downloaded one of my games, and they read it out in class they were so overawed!) and from the first days, IE was always a heap of junk. It takes a lot more than "making good" those problems I find myself to get me to use it again, after that amount of bad history.

I have a sort-of-plan at the moment to write a video game. I have lots of code running already, and the expertise to make it work, and I don't think it will be anything fabulous or fantastic but, hey, I might sell a few copies in the style of some shareware-type games from back-in-the-day even if it's just as a smartphone app or an indie bundle game or something.

And occasionally I get to dreaming about how I'd scale up if it sold millions. Employ programmers and artists, setting up a compile farm, testing environments, distribution channels, payment processing, server hosting, version control, software patching, etc.

First item on the wishlist would be Linux desktops, Linux server, Linux hosting, Linux cross-compilation, Linux virtual-machine hosts. The only MS-reliant item I'd have would be a real home PC with Windows on it as a sort of acid-test (because I would not like to think that making something "Windows compatible" would go out to the public without at least one real-world test on the intended OS). I literally would actually go out of my way, if I had enough funds, to avoid anything to do with "that" company even if I was writing games for their platform. I'm not even sure it would cost more or cause a lack of features on my end if I did either. But for sure, the productivity of updates, security and the simple things in life (like having a fecking desktop work how ****I****, the user, want it to) would be worth any hassle I did encounter.

I honestly don't trust MS to make a game that I won't hate to install any more. Just how do people trust it to run their most-critical and attack-vulnerable piece of software? I spend half my time setting up new PCs to turn off lots of the MS junk and install things that I know will do a better job (AV is one, software firewall is another, browser is another).

I don't get people that still use IE. Hell, at absolute maximum, I'd run it with settings that prevented it from accessing anything external whatsoever. A hole sitting in it for a week or so is nothing compared to the nightmares that it's experienced over the years.

On a side-note: My employer has just asked me to block anything IE talking out at the proxy that controls the web filtering (even though it's not accessible in any of our standard disk images). Totally unrelated to this vulnerability, and we've been a Firefox shop for years now, but just one of those things that even non-techies are starting to pick up on. It's just too much of a liability to have around and to trust to work how you expect.

9
1
Anonymous Coward

Really?

"The question of who you rely on is a big one in computing and, in my history, Microsoft is not a front-runner. I honestly can't guarantee that my Windows servers will be running tomorrow, even if I don't count hardware failure as a possibility. And I can't even say how long it would take to get a fully-functional replacement up and running either. And it's because of my lack of trust in Microsoft products given my experience with them."

Given your experience with them... Which given the rest of the paragraph, I'd say is basically none. I could say all the same about Linux (well, I couldn't because I work with Linux all the time, but for argument's sake) and it wouldn't mean it's true, just that I don't know how to use it.

4
4

@ Lee Dowling

"I honestly can't guarantee that my Windows servers will be running tomorrow"

If your employer would like an admin that can, let me know.

Based on that statement alone I fear the problems are less technical and more perception and knowledge.

2
1
Anonymous Coward

I always use IE because ..

RICHTO told me it was the safest -Oh wait !

0
1

Partial quotations for the win....

The BSI only recommends the use of an alternate browser until the flaw in IE has been fixed. It does not recommend ditching IE:

"The BSI therefore recommends that all Internet Explorer users use an alternative browser for Internet use until the manufacturer has made a security update available."

https://www.bsi.bund.de/ContentBSI/Presse/Pressemitteilungen/Presse2012/Internet%20Explorer%20Warnung%2017092012.html

This is done because the work-around published by MS, EMET, is only available in English and not in German or any other language.

2
0
Bronze badge
Mushroom

Yes, it wouldn't make sense to switch permanently if security is your concern. IE 9 has had significantly fewer security vulnerabilities since launch than Chrome, Safari, Firefox or Opera have in the same period.

0
4
Anonymous Coward

Arghhh

Why don't MS just jack up the name IE and slide a new browser in underneath?

1
0
Silver badge

Re: Arghhh

What do you think it would cost them to license Google Chrome?

0
0
JDX
Gold badge

Re: Arghhh

Yeah, that would work, hackers won't simply focus all their efforts on Chrome. We've seen a big rise in non-IE exploits recently, almost as if hackers noticed them getting popular...

2
2
Facepalm

Re: Arghhh

Even worse they would have to learn better hacking skills to defeat non-IE browsers.... Becoming a race of super hackers..... You heard it here first.

1
0
Silver badge
Thumb Down

Re: Arghhh

"we've seen a big rise in non-IE exploits recently"

Source perhaps? We'd probably have to trawl through the release notes of the various patch releases, but as a user of Opera, Firefox, Chrome and Internet Explorer I'm pretty sure that I've had more patches of IE in the last 12 months than of the others.

All browsers suffer from exploits but the makers deal with them very differently. Google is currently pimping its security credentials by offering bounties for discovered vulnerabilities. More importantly, perhaps, is the system of silent delivery of patches that they have established. Like it or not, it's probably the most effective way to get patches out to the great unwashed masses out there.

But even if exploits are discovered for other browsers, it's a relatively simple and painless operation to replace one browser with another and deinstall if desired. This is not an option with Internet Explorer because it is part of the Windows operating systems. That has always been Microsoft's biggest mistake.

5
1
Anonymous Coward

Re: Arghhh

"... I'm pretty sure that I've had more patches of IE in the last 12 months than of the others...."

So what you're saying is that a piece of software which has no patches is totally secure and bug free? Or maybe it's not well maintained?

0
0
Silver badge

Re: Arghhh

"So what you're saying is that a piece of software which has no patches is totally secure and bug free? Or maybe it's not well maintained?"

No, I was only countering the assertion that recently there has been a "big rise" in exploits for browsers other than Internet Explorer. All my browsers have been patched as opposed to being updated.

0
0
Anonymous Coward

Re: Arghhh

@Charlie Clark - look at the Trend Micro analysis referenced in the article - based on 2011, patching IE actually appears to be more secure than Chrome & Firefox (fewer exploits), and they are all comparable on zero days.

0
0
Bronze badge

@ your confusion

AC, the article you refer to cites some numbers (for which no sources are offered BTW). The author is not talking about exploits, he is talking about some vulnerabilities, where severity is taken into account. See the difference?

I'd like to see at least one exploited (severe) vulnerability in the wild to be found in both FF and Chrome(ium). Google can afford to pay cash for every (purely browser) exploitable vuln. A wise policy. They are pretty confident that such vulns are scarce. So, if one takes your and the author's point of view, Google must have been bankrupt a long time ago.

I myself prefer Firefox on GNU/Linux. It is as secure as Chromium. However, it has a richer set of plug-ins, like NoScript (making it more secure), adblock and flashkiller (making me so much less annoyed) and others. I also enable AppArmor profiles for it.

2
0
Bronze badge
Mushroom

Re: Arghhh

Not really, Safari is generally hacked first every year at the Pwn2Own competition....

0
0
Bronze badge
Mushroom

Re: Arghhh

You are very much mistaken (except for maybe Opera) or you need to update to IE9 then. See Secunia.org:

http://secunia.com/advisories/product/34591/

http://secunia.com/advisories/product/30282/

http://secunia.com/community/advisories/search/?search=chrome&page=1

http://secunia.com/advisories/product/28698/

0
2

This post has been deleted by its author

Gold badge

Actual vulnerabilities

Well, not really. I didn't find the Trend Micro Analysis terribly useful; it just lists numbers of vulnerabilities patched, while not mentioning severity. The fact of the matter is, in IE blackhats and researchers keep finding one hole after another that completely subverts security, sometimes even in kernel mode. The vast majority of the Firefox holes were like "We found a potential problem in the source code" and it's fixed without necessarily even knowing if it's exploitable.

1
1
Bronze badge

different approaches

Google and Microsoft use different approaches. The former pays for discovering exploitable 0-day vulns, the latter pays for embellishing their own image damaged by exploits actively used in the wild.

2
0
Bronze badge
Mushroom

Re: Actual vulnerabilities

IE doesn't have any components that run in kernel mode....

0
3