
back to article Friends don't let friends use Internet Explorer – advice from US, UK, EU

Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code. Vulnerability CVE-2014-1776, to give the problem its formal name, allows miscreants to hijack at-risk Windows computers. It's all due to “the way Internet Explorer …

COMMENTS

This topic is closed for new posts.


Silver badge
Facepalm

And so it begins...

Less than 3 weeks after Windows XP was left unsupported. That didn't take long.

I can't look.

29
2
Silver badge
FAIL

Re: And so it begins...

Completely accidental I'm sure.

9
3
Bronze badge
Happy

Re: And so it begins...

? XP unsupported

The recommended workaround - install EMET 4.1 works on XP-SP3 !

2
1
Silver badge

Re: And so it begins...

And enable Deep Hooks in EMET 4.1 too.

Been installing this on all machines I build for some time now.

Works a treat. No impact on performance.

2
1
Anonymous Coward

Re: And so it begins...

The workaround doesn't prevent the bug being exploited, it simply makes it harder to exploit.

3
1
Anonymous Coward

The recommended workaround

Install Chrome or Firefox??

18
1
Anonymous Coward

Patch is out!

Here ya go:

https://www.google.com/intl/en_uk/chrome/browser/

5
2
Bronze badge

Re: And so it begins...

"I can't look"

I can. <gets popcorn>

7
0
JDX
Gold badge

Re: And so it begins...

Yeah, no vulnerabilities in other browsers. Every time they have one of those hack contests, the other browsers emerge untarnished.

3
3
Silver badge

You run IE on Windows??

Who cares.... it's an IE bug. Just run FF or Chrome or whatever.

This is hardly going to cause people to upgrade to Vista. They'll just switch browsers.

0
1
Bronze badge

Re: You run IE on Windows??

"Who cares.... it's an IE bug. Just run FF or Chrome or whatever."

The reason why I'll be watching and giggling is _precisely_ that it's an IE bug. A very large fraction of those businesses which are still on XP are still there because they use IE6. They _can't_ change browsers, not even to another version of IE, as some/most/all of their web-based software will break on contact with anything except IE6. ActiveX idiocy, mostly.

(Yes, not only are they still on XP, they're on XP SP2, as SP3 installs IE7, which breaks their stuff. They've been out of support for a while now...)

8
0
Alert

Re: You run IE on Windows??

Unfortunately, for the vast majority of the clueless Windows XP users, the big blue "E" IS "the Internet". Getting them to change browser is virtually impossible. I've even heard "IT professionals" describe Internet Exploder as "essential for compatibility"...

This particular can of worms is just going to get worse and worse. XP "users" will continue to be abused and exploited - it's just easier now!

3
1
Silver badge

Re: You run IE on Windows??

"They _can't_ change browsers, not even to another version of IE, as some/most/all of their web-based software will break on contact with anything except IE6. ActiveX idiocy, mostly."

Not just 6, but 7 and 8 as well.

And not just Active X, but a LOT of badly written Java as well. And I do mean a LOT.

Or as I like to say, "Stuck in 6." Both IE and Java ver 6.

Now, as I was saying about XP...

2
0
Anonymous Coward

Re: And so it begins...

Yawn - a patch has already been released for this for supported versions.

0
0
Anonymous Coward

Re: The recommended workaround

"Install Chrome or Firefox??"

Both of which have had more holes than IE. Great.

0
0
Gold badge

This sort of thing doesn't happen

if you use Microsoft. Microsoft is used on more servers than Linux, and it's more secure. And it doesn't have the heartbleed vulnerability. And it's perfect in every way.

Edit: crap, I forgot to push Anonymous Coward. Welp, that's egg on my face, then...

66
6
Silver badge

Re: This sort of thing doesn't happen

Nicely trolled... I'm sure someone will rise to the bait. Have an upvote.

7
2
Silver badge

Re: This sort of thing doesn't happen

Never mind, we can see the sarcasm, and the fact you didn't decide to post "anonymously" is a good indication you're above the anonymous trolls anyway.

(Yes, Heartbleed was damaging, but at least in itself, it wasn't a remote execution exploit, and all the Linux distributions have patched it. I don't think Microsoft are going to patch IE6 on Windows 2000 or XP…)

19
2
Silver badge
Holmes

Re: This sort of thing doesn't happen

...to me.

Because IE hasn't been working AT ALL on Win 8.1 on my machine. Refuses to open. There are lots of complaints about it on the support forums too. Brilliant move M$ - update your OS and bork your browser.

Which is fine - it's crap anyway. The two websites that didn't work well without it - I found I could get along just fine without them.

10
4
Silver badge
Boffin

Re: This sort of thing doesn't happen

...and oh by the way, I tried out the M$ "Enhanced Mitigation Experience Toolkit". It's REALLY GOOD - at SLOWING YOUR COMPUTER to a zombie-death-crawl.

Gives Norton a run for its money.

This is the future of computing - machines that spend 100% of their processing power on security algorithms and that do zero actual work. Correct that - this may actually be the current state of computing.

23
2
Silver badge

@ Andy Prough - Re: This sort of thing doesn't happen

Ah, now I understand why the 'Enhanced Mitigation Experience Toolkit' is available for Windows XP : it should finally kill off any lingering remains.

11
0
Joke

Re: This sort of thing doesn't happen

It's the current state of the state too ....

4
0
Bronze badge
Paris Hilton

Re: "two websites that didn't work well without [IE]"

There are still websites that demand a web browser with just a 10% market share?

Wow, that's true loyalty.

5
2
Bronze badge
Megaphone

Re: This sort of thing doesn't happen

Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??

All software has bugs and flaws, I think the past couple of months have made that painfully obvious - Heartbleed, Mac and iOS, Windows, to name just a few high-profile ones I can think of.

Why not grow up and put some thought into why it still is that software is released in a work-in-progress way that other industries would never be allowed to get away with, instead of just playing the nerr-nerr game?

17
4
Bronze badge

Re: This sort of thing doesn't happen

If you do want IE working (for whatever reason) try this - go to search 'internet options'. You get the default options that are available in IE but that you probably cannot access. Then go to the advanced tab, and hit the 'reset' button.

I had same issue, IE would just load but everything blank or disabled. This fixed it for me.

0
2
Anonymous Coward

Re: This sort of thing doesn't happen

"forgot to push Anonymous Coward"

Pott, meet Kettle....

(couldn't resist...:) )

BTW, isn't the "Heartbleed" problem also a "use after free" (whatever happened to "uninitialized variable(s)") bug? Of course now M$ is becoming more and more "Use after Fee"....

4
0

Re: This sort of thing doesn't happen

This is the future of computing - machines that spend 100% of their processing power on security algorithms and that do zero actual work. Correct that - this may actually be the current state of computing.

It most definitely is the current state of computing. I well remember Intel suggesting that the advantage of a second core (when the first dual-core CPUs came out) was that it could run the AV software while the first core did real work (since of course no software was multi-threaded back then)

4
0

Re: This sort of thing doesn't happen

... to me either.

Why?

Because I stopped using IE from the very moment I had a choice, first with Opera and then Mozilla. This was around the time I installed W98SE, if my memory serves me right.

Also blocked IE from doing anything with the firewall I installed.

Easy enough.

Cheers.

3
1
Silver badge
Boffin

Re: This sort of thing doesn't happen

@cap'n - "If you do want IE working (for whatever reason) try this - go to search 'internet options'. You get the default options that are available in IE but that you probably cannot access. Then go to the advanced tab, and hit the 'reset' button."

Nope. Same thing - IE never starts up at all. I've read that it's some corrupted Win process, and I could use DISM.exe from the command line to fix it (MS's "Deployment Image Servicing and Management tool"). I just had to go through a variety of uses of DISM to get Win Update working again, not really looking forward to spending a couple more hours watching DISM spin away and finding the exact correct command line parameters that will get IE working. Especially for a browser I'll probably never use again.

Maybe in a couple weeks, next time I get seriously bored.

1
0
Anonymous Coward

Re: "two websites that didn't work well without [IE]"

Websites no, web applications yes.

Quite a lot of applications were coded back when IE was dominant and their complexity makes supporting multiple browsers costly and time consuming.

0
1
Bronze badge
Facepalm

Re: This sort of thing doesn't happen

Update after I saw your edit: well trolled Trevor, I for one bit! :-\

1
0
Gold badge

Re: This sort of thing doesn't happen

Engage rage before finishing reading?

3
0
Gold badge

Re: This sort of thing doesn't happen

"BTW, isn't the "Heartbleed" problem also a "use after free" (whatever happened to "uninitialized variable(s)") bug?"

It's been several days, but not as I recall. Heartbleed was failing to sanitise external input and consequently exposing a load of memory. It was made worse by the fact that the OpenSSL allocator didn't overwrite-on-free, and so the memory was potentially "interesting".

Overwrite-on-free is trivial-to-code and fairly inexpensive. Its primary purpose, however, is not to render buffer overruns less interesting but rather to make use-after-free much more likely to be fatal. Bugs are therefore caught during development rather than three years after release.

And regarding the "uninitialised variables", that's arguably the complete opposite problem: use-before-allocate. I say "arguably" because although in C initialisation doesn't exist and allocation is considered complete when uninitialised memory is handed to the application, most other languages try to ensure that something like zero-initialisation happens. Again, it is trivial for a debug allocator to ensure that insane-initialisation happens by default and so any bugs in this area show up during development.

Without wishing to slag off Microsoft (coz others have already done that for me) it *would* be interesting to know just how bugs of this nature are making it into the current release of IE, a decade after Microsoft's big splash about secure software development. In the case of OpenSSL it was because they made a conscious decision to bypass all the help that might have found them sooner. With hindsight, that was such a bad decision that OpenSSL may not exist in a few years time (having been replaced by its fork).

In IE's case, no "fork" is possible, but we're long past the time when you had to run IE because most websites didn't work on anything else. Alternative browsers exist and end-users ought to be asking whether IE's development practices are up to snuff.

Edit: In the context of "uninitialised variables" it is perhaps relevant to note that Microsoft's C++ compiler has a long-standing bug in *failing* to initialise built-in types in scenarios where the standard requires it to do so.

2
0
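The overwrite-on-free and "insane-initialisation" debug allocator described in the comment above, sketched as an added example (not code from the commenter, OpenSSL or Microsoft). The names `dbg_malloc`, `dbg_free` and `dbg_check_quarantine`, the fill bytes and the quarantine size are assumptions chosen for illustration; holding freed blocks in a quarantine goes one step beyond the comment so that a stale write can also be detected.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define FILL_ALLOC 0xCD   /* constructed pattern: fresh, never-written memory */
#define FILL_FREE  0xDD   /* constructed pattern: memory already freed */
#define QUARANTINE 8      /* freed blocks held back before real release */

typedef union { size_t size; max_align_t align; } hdr_t;  /* keeps payload aligned */
static hdr_t *quarantine[QUARANTINE];
static size_t q_next;

/* Hand out memory pre-filled with an "insane" value so reads before init stand out. */
void *dbg_malloc(size_t n) {
    hdr_t *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->size = n;
    memset(h + 1, FILL_ALLOC, n);
    return h + 1;
}

/* Overwrite on free, then park the block so stale pointers hit poison, not reused data. */
void dbg_free(void *p) {
    if (!p) return;
    hdr_t *h = (hdr_t *)p - 1;
    memset(p, FILL_FREE, h->size);
    free(quarantine[q_next]);            /* evict oldest entry; free(NULL) is a no-op */
    quarantine[q_next] = h;
    q_next = (q_next + 1) % QUARANTINE;
}

/* Count parked blocks whose poison was disturbed, i.e. written after free. */
int dbg_check_quarantine(void) {
    int bad = 0;
    for (size_t i = 0; i < QUARANTINE; i++) {
        hdr_t *h = quarantine[i];
        if (!h) continue;
        const unsigned char *b = (const unsigned char *)(h + 1);
        for (size_t j = 0; j < h->size; j++)
            if (b[j] != FILL_FREE) { bad++; break; }
    }
    return bad;
}

int main(void) {
    unsigned char *key = dbg_malloc(16);
    if (!key) return 1;
    memcpy(key, "constructed-key!", 16);   /* constructed sample secret */
    dbg_free(key);                         /* block is parked, so the read below is defined */
    return key[0] == FILL_FREE ? 0 : 1;    /* stale pointer sees poison, not the secret */
}
```

In a debug build these would replace `malloc`/`free`, with `dbg_check_quarantine` called at checkpoints or at exit to flag writes through dangling pointers.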
Silver badge

Re: This sort of thing doesn't happen

I wish.

IE is so embedded into windows that even if you don't think you're running it, _something_ ends up making use of its dlls.

Let's not even go into the fact that I can't get my 75yo father to stop using WinXP or IE - because he doesn't see why anyone would attack his connection, all available documentation to the contrary.

1
0
Bronze badge

Re: "two websites that didn't work well without [IE]"

ZOMG. I didn't realize that all internet users went to w3schools.com.... /sarcasm. Puh-leeze. Browser stats/trends from that website are less than meaningless.

Wikipedia has a much larger audience and their stats are quite interesting. Is IE at the top? no, but everyone puts them firmly in the #2 spot. Be sure to read through how those various counters came by their numbers.

http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

0
0
Bronze badge

Re: This sort of thing doesn't happen

BTW, isn't the "Heartbleed" problem also a "use after free"

No. It's a read-buffer overrun. It's not at all hard to understand, and there are explanations aplenty, so why even speculate and appear too lazy to look it up? Is it because you're too lazy to look it up?

(whatever happened to "uninitialized variable(s)") bug?

They're still around, and they're not the same as use-after-free or buffer overrun (though a buffer overrun can be due to an uninitialized variable, and it's conceivable that a use-after-free could be too, due to some sort of convoluted logic).

If you can't tell these types of vulnerabilities apart, I'd suggest programming in a language that provides safeguards against them.

2
2
Silver badge
Trollface

Re: This sort of thing doesn't happen

"No. It's a read-buffer overrun"

Downvotes.

It's like stackoverflow where you have to fight nameless self-appointed wikinazis who don't even understand your question but want to remove it as a "duplicate".

THE INTERNET - A GAME OF DRONES.

1
0
Anonymous Coward

Re: This sort of thing doesn't happen

"Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??"

Hmmm. Microsoft never say you should be using their software rather than someone else's, because theirs is better??

If Microsoft didn't indulge in such "playground" tactics then we wouldn't be having a go at them all the time.

2
0

Re: This sort of thing doesn't happen

Correct that - this may actually be the current state of Windoze computing.

1
1
Anonymous Coward

Re: "two websites that didn't work well without [IE]"

IE currently has about 58% market share:

http://thenextweb.com/insider/2014/02/01/ie11-passes-ie10-market-share-firefox-slips-bit-chrome-gains-back-share/

0
0

Re: "two websites that didn't work well without [IE]"

Netscape rules!!

0
0
Silver badge

Re: This sort of thing doesn't happen

Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??

Because 10 year old bugs from a company NOTORIOUS for an extremely vulnerable browser from the very beginning is by definition, crap and deserving of far more than ridicule.

But for some reason, software makers get a pass for bad products causing damage that would get the pants sued off in any other industry in the damn world.

So ridicule is the order of the day.

That's what.

0
0

What's the difference between this and heartbleed?

Both are out of memory area bugs.

4
0
Gold badge

Heartbleed allowed you to attack servers hanging on the net. Anything that presented a vulnerable OpenSSL-backed service, really. This requires the user to go to the site.

Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.

26
4
Silver badge

Heartbleed was unusual because it was so stealthy. This is a more common memory execution bug. It's harder to use, especially without being noticed, but potentially more devastating since it could let an attacker take full control.

6
0
Anonymous Coward

minor improvement on above

The KeepAlive of Heartbleed works both ways.... as a device can ask for 65k from a server hanging on the net, a server can be configured to ask for 65k from the device which started the session. A condition which might be considered nearly non-patch-able.

6
0
Silver badge

OpenSSL is also used client-side by many applications (VPNs, Android apps etc.), which means a malicious or infected server could also extract data from visiting clients.

2
2
Bronze badge
Headmaster

re: "Microsoft is unicorn farts that tastes like rainbows"

I'm fairly confident that even the most hardcore Microsoft fanboi no longer holds that opinion. That shark is well and truly jumped.

3
3
Gold badge

Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.

I'd stick to writing excellent articles - trolling doesn't really seem to work so well for ya :)

2
8
Bronze badge

Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.

Yeah, but the... flavor... seems... to... be... a bit off with this Window 8 thing it tastes like shit!

10
0
