And so it begins...
Less than 3 weeks after Windows XP was left unsupported. That didn't take long.
I can't look.
Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code. Vulnerability CVE-2014-1776, to give the problem its formal name, allows miscreants to hijack at-risk Windows computers. It's all due to “the way Internet …
"Who cares.... it's an IE bug. Just run FF or Chrome or whatever."
The reason why I'll be watching and giggling is _precisely_ that it's an IE bug. A very large fraction of those businesses which are still on XP are still there because they use IE6. They _can't_ change browsers, not even to another version of IE, as some/most/all of their web-based software will break on contact with anything except IE6. ActiveX idiocy, mostly.
(Yes, not only are they still on XP, they're on XP SP2, as SP3 installs IE7, which breaks their stuff. They've been out of support for a while now...)
Unfortunately, for the vast majority of the clueless Windows XP users, the big blue "E" IS "the Internet". Getting them to change browser is virtually impossible. I've even heard "IT professionals" describe Internet Exploder as "essential for compatability"...
This particular can of worms is just going to get worse and worse. XP "users" will continue to be abused and exploited - it's just easier now!
"They _can't_ change browsers, not even to another version of IE, as some/most/all of their web-based software will break on contact with anything except IE6. ActiveX idiocy, mostly."
Not just 6, but 7 and 8 as well.
And not just Active X, but a LOT of badly written Java as well. And I do mean a LOT.
Or as I like to stay, "Stuck in 6." Both IE and Java ver 6.
Now, as I was saying about XP...
Never mind, we can see the sarcasm, and the fact you didn't decide to post "anonymously" is a good indication you're above the anonymous trolls anyway.
(Yes, Heartbleed was damaging, but at least in itself, it wasn't a remote execution exploit, and all the Linux distributions have patched it. I don't think Microsoft are going to patch IE6 on Windows 2000 or XP…)
...to me.
Because IE hasn't been working AT ALL on Win 8.1 on my machine. Refuses to open. There are lots of complaints about it on the support forums too. Brilliant move M$ - update your OS and bork your browser.
Which is fine - it's crap anyway. The two websites that didn't work well without it - I found I could get along just fine without them.
...and oh by the way, I tried out the M$ "Enhanced Mitigation Experience Toolkit". It's REALLY GOOD - at SLOWING YOUR COMPUTER to a zombie-death-crawl.
Gives Norton a run for its money.
This is the future of computing - machines that spend 100% of their processing power on security algorithms and that do zero actual work. Correct that - this may actually be the current state of computing.
This is the future of computing - machines that spend 100% of their processing power on security algorithms and that do zero actual work. Correct that - this may actually be the current state of computing.
It most definitely is the current state of computing. I well remember Intel suggesting that the advantage of a second core (when the first dual-core CPUs came out) was that it could run the AV software while the first core did real work (since of course no software was multi-threaded back then)
There are still websites that demand a web browser with just a 10% market share?
Wow, that's true loyalty.
ZOMG. I didn't realize that all internet users went to w3schools.com.... /sarcasm. Puh-leeze. Browser stats/trends from that website are less than meaningless.
Wikipedia has a much larger audience and their stats are quite interesting. Is IE at the top? no, but everyone puts them firmly in the #2 spot. Be sure to read through how those various counters came by their numbers.
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
If you do want IE working (for whatever reason) try this - go to search 'internet options'. You get the default options that are available in IE but that you probably cannot access. Then go to the advanced tab, and hit the 'reset' button.
I had same issue, IE would just load but everything blank or disabled. This fixed it for me.
@cap'n - "If you do want IE working (for whatever reason) try this - go to search 'internet options'. You get the default options that are available in IE but that you probably cannot access. Then go to the advanced tab, and hit the 'reset' button."
Nope. Same thing - IE never starts up at all. I've read that it's some corrupted Win process, and I could use DISM.exe from the command line to fix it (MS's "Deployment Image Servicing and Management tool"). I just had to go through a variety of uses of DISM to get Win Update working again, not really looking forward to spending a couple more hours watching DISM spin away and finding the exact correct command line parameters that will get IE working. Especially for a browser I'll probably never use again.
Maybe in a couple weeks, next time I get seriously bored.
... to me either.
Why?
Because I stopped using IE from very the moment I had a choice, first with Opera and then Mozilla. This was around the time I instaled W98SE, if my memory serves me right.
Also blocked IE from doing anything with the firewall I installed.
Easy enough.
Cheers.
I wish.
IE is so embedded into windows that even if you don't think you're running it, _something_ ends up making use of its dlls.
Let's not even go into the fact that I can't get my 75yo father to stop using WinXP or IE - because he doesn't see why anyone would attack his connection, all available documentation to the contrary.
Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??
All software has bugs and flaws, I think the past couple of months have made that painfully obvious - Heartbleed, Mac and iOS, Windows, to name just a few high-profile ones I can think of.
Why not grow up and put some thought in to why it still is that software is released in a work-in-progress way that other industries would never be allowed to get away with, instead of just playing the nerr-nerr game?
"Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??"
Hmmm. Microsoft never say you should be using their software rather someone elses, because theirs is better??
If Microsoft didn't indulge in such "playground" tactics then we wouldn't be having a go at them all the time.
Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??
Because 10 year old bugs from a company NOTORIOUS for an extremely vulnerable browser from the very beginning is by definition, crap and deserving of far more than ridicule.
But for some reason, software makers get a pass for bad products causing damage that would get the pants sued off in any other industry in the damn world.
So ridicule is the order of the day.
That's what.
"BTW, isn't the "Heartbleed" problem also a "use after free" (whatever happened to "uninitialized variable(s)")bug?"
It's been several days, but not as I recall. Heartbleed was failing to sanitise external input and consequently exposing a load of memory. It was made worse by the fact that the OpenSSL allocator didn't overwrite-on-free, and so the memory was potentially "interesting".
Overwrite-on-free is trivial-to-code and fairly inexpensive. Its primary purpose, however, is not to render buffer overruns less interesting but rather to make use-after-free much more likely to be fatal. Bugs are therefore caught during development rather than three years after release.
And regarding the "uninitialised variables", that's arguably the complete opposite problem: use-before-allocate. I say "arguably" because although in C initialisation doesn't exist and allocation is considered complete when uninitialised memory is handed to the application, most other languages try to ensure that something like zero-initialisation happens. Again, it is trivial for a debug allocator to ensure that insane-initialisation happens by default and so any bugs in this area show up during development.
Without wishing to slag off Microsoft (coz others have already done that for me) it *would* be interesting to know just how bugs of this nature are making it into the current release of IE, a decade after Microsoft's big splash about secure software development. In the case of OpenSSL it was because they made a conscious decision to bypass all the help that might have found them sooner. With hindsight, that was such a bad decision that OpenSSL may not exist in a few years time (having been replaced by its fork).
In IE's case, no "fork" is possible, but we're long past the time when you had to run IE because most websites didn't work on anything else. Alternative browsers exist and end-users ought to be asking whether IE's development practices are up to snuff.
Edit: In the context of "uninitialised variables" it is perhaps relevant to note that Microsoft's C++ compiler has a long-standing bug in *failing* to initialise built-in types in scenarios where the standard requires it to do so.
BTW, isn't the "Heartbleed" problem also a "use after free"
No. It's a read-buffer overrun. It's not at all hard to understand, and there are explanations aplenty, so why even speculate and appear too lazy to look it up? Is it because you're too lazy to look it up?
(whatever happened to "uninitialized variable(s)")bug?
They're still around, and they're not the same as use-after-free or buffer overrun (though a buffer overrun can be due to an uninitialized variable, and it's conceivable that a use-after-free could be too, due to some sort of convoluted logic).
If you can't tell these types of vulnerabilities apart, I'd suggest programming in a language that provides safeguards against them.
Heartbleed allowed you to attack servers hanging on the net. Anything that presented a vulnerable OpenSSL-backed service, really. This requires the user to go to the site.
Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.
It was unusual also for being a very simple coding error, something that all those eyes that look at open source software should have spotted?
I think there's complacency in the open source community thinking others will test or fix their code for them. It's why Linus is always ranting at Linux developers who check-in half-arsed code.
What's the difference between this and heartbleed?
Both are out of memory area bugs.
What's the difference between a heart attack and cancer? Both can kill you.
When you use a sufficiently broad generalization, there isn't any difference. That's how generalizing works.
A use-after-free bug is rather different from a simple buffer overrun, in terms of cause and control flow. In the particular case of Heartbleed the effect was similar to a read-only use-after-free, due to OpenSSL's suballocator, but that's not normally the case with a buffer overrun. And this IE error apparently has malicious code execution potential, which Heartbleed definitely does not.
So quite a lot, actually.
Ahhh, yes ... the legendary "Enhanced Mitigation Experience Toolkit"
1. Wiped WinXP from the wife's old brick; that killed IE 8 (and lingering traces of IE 6 & 7)
2. Attempted install of Win IE 8 on new OS
3. Synaptic refused IE 8: "Unrecognized Fault"
4. Attempted "Enhanced Mitigation Experience" via BASH
5. Brick flamed. Wife flamed. Mitigation Experience concluded.
It also aids productivity because it ensures (*) that you concentrate on one thing at a time rather than continually flit like a geriatric lunatic between different tabs and downloads.
* as in, it could only do one thing at a time itself, therefore that is how you had to operate. No downloading in the background, no seeing the page until it was loaded, no tabs (don't remember an "open in new window feature" either)... and no .png support, no scripting... errr... I'll just load up lynx thanks. Did it even support marquee and flashing text?
So, just as XP is declared "unsafe", the first chicken that comes home to roost is a IE flaw that hits across all the OS's. Nice thing then that M$ is showing us how much safer we would be with their new supported OS rather than their old unsupported OS as they probably won't be issuing a fix for IE versions that still work on their old unsupported OS.
Then again, we could just dump IE, fixes a lot of exploits, current and future, as it goes out the door ...
1995 - that's when Internet Explorer first came out. And after nearly 20 years they STILL can't get it right?
Just how many bugs in that software have I had to expend time on squashing since then? Is it many hundreds or many thousands?
How many man-hours globally have been lost to updating this pile of crap?
Will I still be required to update it in 2035?
"planes from dropping out of the sky"
Ah! so _that's_ what happened to MH370! They set their clocks wrong!
"ATM's from spitting cash into the street"
This would be a problem only for those who didn't have the foresight to bring along a bucket.
"and tinterwebs from becoming self aware"
It couldn't possibly do worse than the current infestations in Congress and Parliament.
This seems to be yet another problem with the ghastly security hell-in-a-box that is everything ActiveX, with maybe a bit of Microsoft's not-javascript, IE only scripting thrown in for good measure. Disable both (permanently and for all profiles and security levels), and you shouldn't suffer from this. However Microsoft are unlikely to issue a notice describing that as a workaround.
"Just how many bugs in that software have I had to expend time on squashing since then? Is it many hundreds or many thousands?
How many man-hours globally have been lost to updating this pile of crap?"
Actually open Source Software is generally worse for security vulnerability counts and big holes - just look at that Open SSL major screw up. And IEs closest rivals generally have lots more holes and require more patches (especially Chrome)
At least if I read this correctly and the only way the exploit can work across all versions. Unbelievable really that, despite all the good work put into developing IE 9 and beyond, Microsoft has still left the abscess that is Active X essentially untouched. A bit like how they've resurrected the Silverlight walled garden as Metroland.
They really ought to be sued for not taking Active X out back and replacing it with a proper sandbox system.
They really ought to be sued for not taking Active X out back and replacing it with a proper sandbox system.
No. They really ought to sued for ignoring everyone with the slightest bit of ITSEC understanding who told them long and loud that ActiveX Was A Really Bad Idea. Their feeble, pathetic response was "it's what our users want". I don't think their users really wanted their machines pwned. Perhaps they asked their users the wrong question.
The history of ActiveX ever since it escaped has been trying to fix all the holes that everyone told them it would have.
Stop slagging them off. They brought us tiles FFS. And that seamless, streamlined customer experience across all Windows platforms that we all enjoy and love. That Xbox Live tile on my business workstation is a Godsend.
Yeah, how stupid do ya feel now huh MS haters?
Obvious sarcasm is obvious Here have an up vote for your effort!
I assume IE6 runs on Server 2003.
Remember, just because the consumer/cheap version of the OS has gone out of support doesn't mean that MS aren't still publishing exploits (er, patches) for the identical-codebase-but-more-expensive server version.
In fact, one way to get around XP's demise would be to find (if you can) someone who would sell you a licence for Server 2003. That, of course, would set you back a few hundred, but the possibility means that MS can't charge more than "a few hundred" for ever-extended support for XP.
The default settings in question being "you must add each and every site to some whitelist before it gets loaded", you know, the feature window cleaners turn off immediately.
I almost wet myself when I read that ... that, sir and with all due respect, was bad reporting. It would be greatly appreciated if those who are supposed to write up these articles took 5 minutes to think about what they're writing ....
"The upside, if there is any, is that Windows Server's default settings make it hard to create the kind of honeypot website that could exploit this flaw."
It's a good think that all the servers run Windows then, huh?
If you rely on Microsoft for your critical business infrastructure, you deserve everything you get.
That's what I'm telling IT Security right now.
"If you rely on Microsoft for your critical business infrastructure, you deserve everything you get.
That's what I'm telling IT Security right now."
And they will probably point out that Windows actually has far fewer security holes that are on average fixed faster than say commercial Linux distributions.
"It's a good think that all the servers run Windows then, huh?"
It certainly is for internet facing stuff - far less likely to be hacked than Linux. And a much more secure web services stack than LAMP. Both Apache and Nginx have had to patch security holes this year - and IIS has had zero holes. Hence partly why IIS / Windows is about to overtake Apache / Linux for overall webserver market share:
http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html
..... you can see why this troll is anonymous!
No version of IIS is in any way secure. Every version, even with every possible patch installed, is as leaky as a sieve.....
MS now have NO viable products. Win 8 is useless for business (and fails to run many games), their server products are so broken and insecure that they are a nightmare to even try to administer.... Even Win 8 for phones is broken!
"No version of IIS is in any way secure. Every version, even with every possible patch installed, is as leaky as a sieve....."
Just google 'Defacement Statistics' to find that in fact IIS is far more secure than Apache / Linux. Or look at the respective vulnerability counts over the past couple of years...
@Justice
"I work for an incredibly large insurance company... "
Dear God I hope it's not my insurance company...
Let me guess, you have several legacy programs that were designed for Windblows 9x/2000 and they barely run on XP, let alone Windoze Vista, 7 8.x and the vendor is no longer around.
You can hope but that's likely the case with every large insurance company. Large swathes of the Fortune 500 haven't yet adjusted to the new speed at which IT must upgrade or patch in the post mainframe world. If they were capable of doing IT at today's pace would cloud providers have so many customers?
"Let me guess, you have several legacy programs that were designed for Windblows 9x/2000 and they barely run on XP, let alone Windoze Vista, 7 8.x and the vendor is no longer around."
If that really is their problem, I would have thought by now they would be running these legacy apps in some sort of sandbox - like a virtual machine or similar container type technology, hosted inside a modern version of whatever OS works best for them?
That could be an excellent product - "XP/IE6 in a wrapper" - probably a violation of the license agreement to migrate the running OS into such a wrapper, but if they choose Windows on the outside, I cannot imagine Microsoft being too bothered by that.
It depends on how you link it. If you resolve all external dependencies and statically link all library routines, and do not rely on any runtime services (like dbus etc), then it is perfectly possible for a binary compiled today to run on any Linux system as long as it is the correct processor type and the kernel API doesn't change.
In fact, looking at it, I would expect that many Linux programs compiled 15 years ago would still run, as many of them that old may well not have been linked against shared object files, and certainly would not have used dbus, dcop, bonobo et. al. Possibly more of them than were compiled 5 years ago.
The dependency on dynamically linked shared objects and runtime services is in my view one of the worst things that ever happened to Linux. It makes building programs that you want to work int the future without having to recompile more difficult than it needs to be.
Interestingly, but on a different note, I picked a binary of one of my tools off of one of my archives from a 32 bit AIX 4.1.4 system from about 1998, and successfully ran it without re-compiling it on an AIX 7.1 64 bit system.
Going all the way back to the release of IE version 7, Microsoft has never played well with others and does not conform to many browser rendering standards adopted by Firefox and Chrome. And it's not like Microsoft has not had the chance to get it right... Microsoft is 'just plain lazy aka bad management.
Microsoft has a bad habit of releasing their problems and then let the public sort out the problems. Six months after the release of IE 10 we had 5 clients contact us with a variety of IE 10 problems; links
that stopped working, thumbnails that disappeared, forms that would not open, data that would not display and the list goes on and on. I quickly did a search over Google "Problems with IE 10" and found over 2,500,000 million references.
Now we have reports of a huge security problem with IE. If you can't uninstall IE, just don't use it and download Chrome and Fire Fox as your primary browsers and never look back.
Go all the way back to ver 3.
It's always been like this.
I used netscape the instant I found it and have stayed the hell away from IE at home and anywhere else I can. Businesses on the other hand, still haven't figured this out.
Here's another dirty secret about IE: it doesn't actually clear the temp cache unless you manually force it.
It gets better: even if you use FF or Chrome, the POS STILL holds temp files in its browser cache from those browsers!
Surprise!
For all you visual learners out there or to anybody who wants to learn about the whole Internet Explorer Zero Day Vulnerability in general AKA the biggest reason not to be using IE right now, here's a great Khan Academy style informational video all about it w/ details on the high level mechanics, best practices, and where you can get more info:
http://info.elastica.net/2014/04/ie-zero-day-cve-2014-1776-high-level-mechanics/