back to article Redmond slips out temporary emergency fix for IE 0-day

Stepping outside its normal Patch Tuesday cycle, Microsoft has rolled out an emergency fix to an Internet Explorer bug that was under active malware attack. This advisory provides access to “Fix it For Me”, with a more detailed outline of the CVE-2013-3893 vulnerability here. All versions of IE 6 to 10 are affected. As …

COMMENTS

This topic is closed for new posts.
Coffee/keyboard

ActiveX?!

I thought that died in 1997!

Why the hell is ActiveX even allowed AT ALL in a modern iteration of Internet Exploder?

If anyone is unfortunate/lazy enough to need such an abomination they should have to confirm exactly which HTTPS certificates are allowed to run it, a bit like what Java is doing.

7
0
Silver badge

Re: Why the hell is ActiveX even allowed

HTML 5 is the future.

0
0

Re: ActiveX?!

I am sure there are other cases, but one of the more common method of parsing XML (such as from an ajax response) in <= IE8 requires activeX. It isn't the best approach, but it is the one adopted even by jQuery up to v1.9.

PS, I wouldn't use java as a benchmark for security approaches - apart from the obvious - their signing approach is deeply flawed (krebs: http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/).

0
1
Bronze badge
Coffee/keyboard

Most people seem to insist on using Flash...

last I read that flash uses active X for Interet Explorer - that's what I read anyway, I'm not a coder. If that is true, then it is a pretty common vector.

0
0
Silver badge

Re: Most people seem to insist on using Flash...

ActiveX is the plug-in architecture for IE, Flash is a plug-in.

0
0

But why?

I simply do not understand why *anyone* still uses this known, proven, demonstrated, abundantly documented horrorshow of a browser. Sorry, I simply don't get it. Given that we have Firefox, Opera, Chrome, Seamonkey, and various better than half-decent others, and that each and every one of these named alternatives is demonstrably superior in nearly all respects - never mind the constant security nightmares that they *don't* have - what possible rational reason could one advance for using Internet Explorer at all? It seems to be beyond all explanation.

8
3
Silver badge

Re: But why?

Corporate drones - they have no choice but to use the IT department's image.

Corporations that have screwed up IE6/7 only internal systems, where the users have to use IE and it becomes a dirty (or enforced) habit on t'Internet as well.

5
0

Re: But why?

All software has bugs. Good luck trying to find a browser that doesn't have them.

Take Firefox as an exanple. FF24 fixed seven critical vulnerabilities (defined as "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing"). FF23 fixed four, FF22 fixed four, FF21 fixed three, FF20 fixed three.

FF was released on 19 Feb this year, or 211 days ago. Since then, there have been 21 critical bugs (see definition above) found and fixed, or 1 every 10 days. Given that, it seems very unlikely that FF25 has no critical vulnerabilities in it.

Bug source: https://www.mozilla.org/security/known-vulnerabilities/firefox.html

6
1

Re: But why?

TLS1.2 support for a start...

0
0
Bronze badge

Re: But why?

One of my clients use it. They have to use it because they are a reseller of a monopoly's wares (which happens to be overseas). They can only order the item via an Active-X control which can only run in IE6.

Any requests to the firm in question to update this are met with "If you don't like it then there will be always someone else who wishes to be a preferred seller in the UK"

That's the reason why one of my clients uses it. They simply have to.

0
0

IE can be managed

Group policy makes it very easy to manage and lock down. Firefox doesn't have a easy way of doing this. Chrome does have group policy templates though they are not as detailed as ie's.

4
0
Silver badge

Re: IE can be managed

The IT bods at out place seem to be able to manage Firefox okay. Just as well as we're otherwise stuck with IE 8 for the foreseeable future.

1
0
Silver badge
Facepalm

The reason it is still in use IMHO

is because developers are too lazy to do it any other way.

Prime example of idle coding: British Gas home top up.

If you have a pre payment meter (like myself as i live in rented accomodation and am tied to using one as part of the tenancy agreement) you can top up from home.

You are sent a reader/writer that:

A: ONLY works on IE 8 (spoofing the version of IE doesn't work anymore)

B:ONLY works on x86 versions so no x64 (why you need a x64 version of IE i don't know)

C:Only works with ActiveX.

Thats not a fault of windows, thats just idle bastard coding, even i know that and i cant code at all.

7
0

Re: The reason it is still in use IMHO

I'm confused - what exactly are you "sent". A link? Some software to install?

0
0

Re: The reason it is still in use IMHO

you are sent a usb device that the key goes into to allow you to add funds to it.

very clever apart from the fact that you couldn't use the latest version of IE in it (still can't for that matter) which wasn't so bad as it worked in IE mode in Firefox.

sadly it doesn't any more so you have to roll back to an earlier version of IE to get it to work.

0
0
Angel

Re: The reason it is still in use IMHO

Ewww.

This dongle enumerates as what, a USB Network interface? Then you take the dongle and plug it into the meter?

Could be an interesting hack!

Btw, what happens if you run out of funds and the meter turns off. How do you put more funds in it then?

0
0
Anonymous Coward

NSA finished with it?

0
0
Bronze badge

Turn off scripts?

Or even a firewall that rips scripts out of all sites that aren't on a whitelist or delivered by HTTPS.

0
0

Why bash IE? This would be a non-issue if you configured your browser proper.

I'm probably going to down-voted quite a fair bit for saying this, but lets be honest here... your choice of an "alternate" browser doesn't suddenly make you "all so security savvy". What matters is how you browser is configured along with your browsing habits.

Based on Microsoft's advisory I'm pretty much unaffected by this vulnerability. My standard Internet Explorer configuration involves custom security zones configured with ActiveX very disabled, many other features I do not require also disabled, all default IE plugins disabled and Internet Explorer running in enhanced security mode (which forces 64 bit, ASLR and et cetera).

As already mentioned every browser encounters security vulnerabilities and bashing Internet Explorer exclusivity every time Microsoft releases a security advisory is childish. I could even go as far to say that Internet Explorer is actually FAR more customizable than Chrome from its user interface from a security perspective (primarily due to the decent amount of options offered when customizing a security zone though quite a few other security related options can also be found in the Advanced tab).

This perpetual Internet Explorer bashing is slowly becoming old.

4
3

Re: Why bash IE? This would be a non-issue if you configured your browser proper.

You can go on denying IE's long and unglorious history of massive problems till the Arctic has finished melting - and you probably will - but the brutal reality is that IE has more problems and it has bigger ones.

Is it possible to reduce IE's high risk factor by reconfiguring it in various expert ways? Of course it is, exactly as it is possible to drive a grossly unroadworthy car with extra care and (mostly) avoid bad accidents. But practically no-one out there in the real world has the ability or the knowledge or the time or the motivation to perform those tweaks of yours. With real-world people, the most you can hope for is that if you nag them often enough they might eventually learn to say "yes" to basic stuff like browser and Flash Player auto-updates and "no" to other stuff unless they know what it is and avoid replying to mail from that nice general chap in Nigeria or opening zip files attached to the warning from the FBI.

It is not "childish" to criticise the worst, least secure browser on the planet. It is downright stupid to defend it despite the overwhelming mountain of hard evidence showing that it is by far the worst mainstream browser product. Further, it is grossly irresponsible to encourage your users to browse with it when there are at least four well-known, well-supported, demonstrably safer products readily available.

0
2

Re: Why bash IE? This would be a non-issue if you configured your browser proper.

Are those facts or merely your personal opinions? I do not typically stay on top of which browsers have suffered the most security vulnerabilities but doing a quick search online reveals a number of articles showing that there was at least one year where both Chrome and Firefox had over two times more high risk vulnerabilities than Internet Explorer. Each.

Internet Explorer was an absolutely crap browser all the way till 9. Which was decent. But with 10 Microsoft has certainly gotten their act together. I used to use Firefox during the earlier days of IE until the release of IE9 as Firefox dev seems to have suffered a number of quality assurance problems during that time (plenty of crashes, infinite loops, memory leaks, and et cetera). Things have gotten better for Firefox recently, however. Just like how Microsoft has improved Internet Explorer.

My only criticism of Internet Explorer (or Microsoft, really) is that from 9 onwards it is no longer provided to users of Windows XP. I actually aggressively recommend Firefox to Windows XP users. For those on 7 however I simply say "well, it's really down to your personal preference".

0
0

Re: Why bash IE? This would be a non-issue if you configured your browser proper.

>> the worst, least secure browser on the planet

Do you have any evidence of this? Tests carried out by independent third parties, for example? Or is this just one person's rant?

0
0
This topic is closed for new posts.

Forums