Friends don't let friends use Internet Explorer – advice from US, UK, EU

Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code. Vulnerability CVE-2014-1776, to give the problem its formal name, allows miscreants to hijack at-risk Windows computers. It's all due to “the way Internet …

COMMENTS

  1. Dan 55 Silver badge
    Facepalm

    And so it begins...

    Less than 3 weeks after Windows XP was left unsupported. That didn't take long.

    I can't look.

    1. Anonymous Coward
      FAIL

      Re: And so it begins...

      Completely accidental I'm sure.

    2. Roland6 Silver badge
      Happy

      Re: And so it begins...

      ? XP unsupported

      The recommended workaround - install EMET 4.1 works on XP-SP3 !

      1. jason 7

        Re: And so it begins...

        And enable Deep Hooks in EMET 4.1 too.

        Been installing this on all machines I build for some time now.

        Works a treat. No impact on performance.

      2. Anonymous Coward
        Anonymous Coward

        Re: And so it begins...

        The workaround doesn't prevent the bug being exploited, it simply makes it harder to exploit.

      3. Anonymous Coward
        Anonymous Coward

        The recommended workaround

        Install Chrome or Firefox??

        1. Anonymous Coward
          Anonymous Coward

          Re: The recommended workaround

          "Install Chrome or Firefox??"

          Both of which have had more holes than IE. Great.

    3. Anonymous Coward
      Anonymous Coward

      Patch is out!

      Here ya go:

      https://www.google.com/intl/en_uk/chrome/browser/

    4. James O'Shea

      Re: And so it begins...

      "I can't look"

      I can. <gets popcorn>

      1. JDX Gold badge

        Re: And so it begins...

        Yeah, no vulnerabilities in other browsers. Every time they have one of those hack contests, the other browsers emerge untarnished.

    5. Charles Manning

      You run IE on Windows??

      Who cares.... it's an IE bug. Just run FF or Chrome or whatever.

      This is hardly going to cause people to upgrade to Vista. They'll just switch browsers.

      1. James O'Shea

        Re: You run IE on Windows??

        "Who cares.... it's an IE bug. Just run FF or Chrome or whatever."

        The reason why I'll be watching and giggling is _precisely_ that it's an IE bug. A very large fraction of those businesses which are still on XP are still there because they use IE6. They _can't_ change browsers, not even to another version of IE, as some/most/all of their web-based software will break on contact with anything except IE6. ActiveX idiocy, mostly.

        (Yes, not only are they still on XP, they're on XP SP2, as SP3 installs IE7, which breaks their stuff. They've been out of support for a while now...)

      2. AlbertH
        Alert

        Re: You run IE on Windows??

        Unfortunately, for the vast majority of the clueless Windows XP users, the big blue "E" IS "the Internet". Getting them to change browser is virtually impossible. I've even heard "IT professionals" describe Internet Exploder as "essential for compatibility"...

        This particular can of worms is just going to get worse and worse. XP "users" will continue to be abused and exploited - it's just easier now!

      3. ecofeco Silver badge

        Re: You run IE on Windows??

        "They _can't_ change browsers, not even to another version of IE, as some/most/all of their web-based software will break on contact with anything except IE6. ActiveX idiocy, mostly."

        Not just 6, but 7 and 8 as well.

        And not just Active X, but a LOT of badly written Java as well. And I do mean a LOT.

        Or as I like to say, "Stuck in 6." Both IE and Java ver 6.

        Now, as I was saying about XP...

    6. Anonymous Coward
      Anonymous Coward

      Re: And so it begins...

      Yawn - a patch has already been released for this for supported versions.

  2. Trevor_Pott Gold badge

    This sort of thing doesn't happen

    if you use Microsoft. Microsoft is used on more servers than Linux, and it's more secure. And it doesn't have the heartbleed vulnerability. And it's perfect in every way.

    Edit: crap, I forgot to push Anonymous Coward. Welp, that's egg on my face, then...

    1. Mark 85

      Re: This sort of thing doesn't happen

      Nicely trolled... I'm sure someone will rise to the bait. Have an upvote.

    2. Anonymous Coward
      Anonymous Coward

      Re: This sort of thing doesn't happen

      Never mind, we can see the sarcasm, and the fact you didn't decide to post "anonymously" is a good indication you're above the anonymous trolls anyway.

      (Yes, Heartbleed was damaging, but at least in itself, it wasn't a remote execution exploit, and all the Linux distributions have patched it. I don't think Microsoft are going to patch IE6 on Windows 2000 or XP…)

      1. Anonymous Coward
        Holmes

        Re: This sort of thing doesn't happen

        ...to me.

        Because IE hasn't been working AT ALL on Win 8.1 on my machine. Refuses to open. There are lots of complaints about it on the support forums too. Brilliant move M$ - update your OS and bork your browser.

        Which is fine - it's crap anyway. The two websites that didn't work well without it - I found I could get along just fine without them.

        1. Anonymous Coward
          Boffin

          Re: This sort of thing doesn't happen

          ...and oh by the way, I tried out the M$ "Enhanced Mitigation Experience Toolkit". It's REALLY GOOD - at SLOWING YOUR COMPUTER to a zombie-death-crawl.

          Gives Norton a run for its money.

          This is the future of computing - machines that spend 100% of their processing power on security algorithms and that do zero actual work. Correct that - this may actually be the current state of computing.

          1. Anonymous Coward
            Anonymous Coward

            @ Andy Prough - Re: This sort of thing doesn't happen

            Ah, now I understand why the 'Enhanced Mitigation Experience Toolkit' is available for Windows XP : it should finally kill off any lingering remains.

          2. fajensen
            Joke

            Re: This sort of thing doesn't happen

            It's the current state of the state too ....

          3. Mike Pellatt

            Re: This sort of thing doesn't happen

            This is the future of computing - machines that spend 100% of their processing power on security algorithms and that do zero actual work. Correct that - this may actually be the current state of computing.

            It most definitely is the current state of computing. I well remember Intel suggesting that the advantage of a second core (when the first dual-core CPUs came out) was that it could run the AV software while the first core did real work (since of course no software was multi-threaded back then)

          4. AlbertH

            Re: This sort of thing doesn't happen

            Correct that - this may actually be the current state of Windoze computing.

        2. Oh Homer
          Paris Hilton

          Re: "two websites that didn't work well without [IE]"

          There are still websites that demand a web browser with just a 10% market share?

          Wow, that's true loyalty.

          1. Anonymous Coward
            Anonymous Coward

            Re: "two websites that didn't work well without [IE]"

            Websites no, web applications yes.

            Quite a lot of applications were coded back when IE was dominant and their complexity makes supporting multiple browsers costly and time consuming.

          2. chris lively

            Re: "two websites that didn't work well without [IE]"

            ZOMG. I didn't realize that all internet users went to w3schools.com.... /sarcasm. Puh-leeze. Browser stats/trends from that website are less than meaningless.

            Wikipedia has a much larger audience and their stats are quite interesting. Is IE at the top? no, but everyone puts them firmly in the #2 spot. Be sure to read through how those various counters came by their numbers.

            http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

          3. Anonymous Coward
            Anonymous Coward

            Re: "two websites that didn't work well without [IE]"

            IE currently has about 58% market share:

            http://thenextweb.com/insider/2014/02/01/ie11-passes-ie10-market-share-firefox-slips-bit-chrome-gains-back-share/

            1. lambda_beta

              Re: "two websites that didn't work well without [IE]"

              Netscape rules!!

        3. Anonymous Coward
          Anonymous Coward

          Re: This sort of thing doesn't happen

          If you do want IE working (for whatever reason) try this - go to search 'internet options'. You get the default options that are available in IE but that you probably cannot access. Then go to the advanced tab, and hit the 'reset' button.

          I had same issue, IE would just load but everything blank or disabled. This fixed it for me.

          1. Anonymous Coward
            Boffin

            Re: This sort of thing doesn't happen

            @cap'n - "If you do want IE working (for whatever reason) try this - go to search 'internet options'. You get the default options that are available in IE but that you probably cannot access. Then go to the advanced tab, and hit the 'reset' button."

            Nope. Same thing - IE never starts up at all. I've read that it's some corrupted Win process, and I could use DISM.exe from the command line to fix it (MS's "Deployment Image Servicing and Management tool"). I just had to go through a variety of uses of DISM to get Win Update working again, not really looking forward to spending a couple more hours watching DISM spin away and finding the exact correct command line parameters that will get IE working. Especially for a browser I'll probably never use again.

            Maybe in a couple weeks, next time I get seriously bored.

        4. oiseau

          Re: This sort of thing doesn't happen

          ... to me either.

          Why?

          Because I stopped using IE from the very moment I had a choice, first with Opera and then Mozilla. This was around the time I installed W98SE, if my memory serves me right.

          Also blocked IE from doing anything with the firewall I installed.

          Easy enough.

          Cheers.

          1. Alan Brown Silver badge

            Re: This sort of thing doesn't happen

            I wish.

            IE is so embedded into windows that even if you don't think you're running it, _something_ ends up making use of its dlls.

            Let's not even go into the fact that I can't get my 75yo father to stop using WinXP or IE - because he doesn't see why anyone would attack his connection, all available documentation to the contrary.

    3. NogginTheNog
      Megaphone

      Re: This sort of thing doesn't happen

      Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??

      All software has bugs and flaws, I think the past couple of months have made that painfully obvious - Heartbleed, Mac and iOS, Windows, to name just a few high-profile ones I can think of.

      Why not grow up and put some thought in to why it still is that software is released in a work-in-progress way that other industries would never be allowed to get away with, instead of just playing the nerr-nerr game?

      1. NogginTheNog
        Facepalm

        Re: This sort of thing doesn't happen

        Update after I saw your edit: well trolled Trevor, I for one bit! :-\

        1. Trevor_Pott Gold badge

          Re: This sort of thing doesn't happen

          Engage rage before finishing reading?

      2. Anonymous Coward
        Anonymous Coward

        Re: This sort of thing doesn't happen

        "Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??"

        Hmmm. Microsoft never say you should be using their software rather than someone else's, because theirs is better??

        If Microsoft didn't indulge in such "playground" tactics then we wouldn't be having a go at them all the time.

      3. ecofeco Silver badge

        Re: This sort of thing doesn't happen

        Oh FFS. What is it with all the "my fave OS or application is so much better than yours!" playground crap??

        Because 10 year old bugs from a company NOTORIOUS for an extremely vulnerable browser from the very beginning is by definition, crap and deserving of far more than ridicule.

        But for some reason, software makers get a pass for bad products causing damage that would get the pants sued off in any other industry in the damn world.

        So ridicule is the order of the day.

        That's what.

    4. Anonymous Coward
      Anonymous Coward

      Re: This sort of thing doesn't happen

      "forgot to push Anonymous Coward"

      Pott, meet Kettle....

      (couldn't resist...:) )

      BTW, isn't the "Heartbleed" problem also a "use after free" (whatever happened to "uninitialized variable(s)")bug? Of course now M$ is becoming more and more "Use after Fee"....

      1. Ken Hagan Gold badge

        Re: This sort of thing doesn't happen

        "BTW, isn't the "Heartbleed" problem also a "use after free" (whatever happened to "uninitialized variable(s)")bug?"

        It's been several days, but not as I recall. Heartbleed was failing to sanitise external input and consequently exposing a load of memory. It was made worse by the fact that the OpenSSL allocator didn't overwrite-on-free, and so the memory was potentially "interesting".

        Overwrite-on-free is trivial-to-code and fairly inexpensive. Its primary purpose, however, is not to render buffer overruns less interesting but rather to make use-after-free much more likely to be fatal. Bugs are therefore caught during development rather than three years after release.

        And regarding the "uninitialised variables", that's arguably the complete opposite problem: use-before-allocate. I say "arguably" because although in C initialisation doesn't exist and allocation is considered complete when uninitialised memory is handed to the application, most other languages try to ensure that something like zero-initialisation happens. Again, it is trivial for a debug allocator to ensure that insane-initialisation happens by default and so any bugs in this area show up during development.

        Without wishing to slag off Microsoft (coz others have already done that for me) it *would* be interesting to know just how bugs of this nature are making it into the current release of IE, a decade after Microsoft's big splash about secure software development. In the case of OpenSSL it was because they made a conscious decision to bypass all the help that might have found them sooner. With hindsight, that was such a bad decision that OpenSSL may not exist in a few years time (having been replaced by its fork).

        In IE's case, no "fork" is possible, but we're long past the time when you had to run IE because most websites didn't work on anything else. Alternative browsers exist and end-users ought to be asking whether IE's development practices are up to snuff.

        Edit: In the context of "uninitialised variables" it is perhaps relevant to note that Microsoft's C++ compiler has a long-standing bug in *failing* to initialise built-in types in scenarios where the standard requires it to do so.
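The overwrite-on-free and fill-on-allocate behaviour described in the comment above, as an added example that is not part of the thread and is not OpenSSL's or Microsoft's code. It uses a small fixed-slot freelist pool; the pool layout, the names, the fill bytes 0xDD/0xCD and the sample "secret" are all assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE    64
#define NSLOTS       4
#define POISON_FREE  0xDD  /* assumed fill byte written when a slot is released */
#define POISON_ALLOC 0xCD  /* assumed fill byte written when a slot is handed out */

/* Constructed sample data standing in for whatever a previous request left behind. */
static const char SECRET[] = "secret-from-previous-request";

struct pool {
    unsigned char mem[NSLOTS * SLOT_SIZE];
    int free_stack[NSLOTS];  /* LIFO freelist: last slot freed is first reused */
    int nfree;
    int poison;              /* 0 = plain freelist, 1 = debug-style fills */
};

void pool_init(struct pool *p, int poison) {
    memset(p->mem, 0, sizeof p->mem);
    for (int i = 0; i < NSLOTS; i++)
        p->free_stack[i] = NSLOTS - 1 - i;
    p->nfree = NSLOTS;
    p->poison = poison;
}

unsigned char *pool_alloc(struct pool *p) {
    if (p->nfree == 0)
        return NULL;
    unsigned char *slot = p->mem + (size_t)p->free_stack[--p->nfree] * SLOT_SIZE;
    if (p->poison)
        memset(slot, POISON_ALLOC, SLOT_SIZE);  /* "insane-initialisation" */
    return slot;
}

void pool_free(struct pool *p, unsigned char *slot) {
    if (slot == NULL || p->nfree >= NSLOTS)
        return;                                 /* ignore NULL and over-free */
    if (p->poison)
        memset(slot, POISON_FREE, SLOT_SIZE);   /* overwrite-on-free */
    p->free_stack[p->nfree++] = (int)((slot - p->mem) / SLOT_SIZE);
}

/* A slot that held SECRET is freed and reused for a 4-byte payload. A reader
 * that trusts a larger claimed length (still inside the slot) then looks past
 * the payload. Returns how many bytes of the old SECRET are still visible. */
int stale_bytes_after_reuse(int poison) {
    struct pool p;
    pool_init(&p, poison);

    unsigned char *a = pool_alloc(&p);
    memcpy(a, SECRET, sizeof SECRET);
    pool_free(&p, a);

    unsigned char *b = pool_alloc(&p);          /* same slot as a (LIFO) */
    const size_t actual = 4, claimed = sizeof SECRET - 1;
    memcpy(b, "ping", actual);

    int leaked = 0;
    for (size_t i = actual; i < claimed; i++)
        if (b[i] == (unsigned char)SECRET[i])
            leaked++;
    pool_free(&p, b);
    return leaked;
}

/* Read through a pointer after its slot was released. The storage still
 * belongs to the pool, so the read is defined C; the question is whether it
 * returns plausible old data or an obviously wrong fill byte. */
int dangling_read(int poison) {
    struct pool p;
    pool_init(&p, poison);
    unsigned char *a = pool_alloc(&p);
    memcpy(a, SECRET, sizeof SECRET);
    pool_free(&p, a);
    return a[0];
}

int main(void) {
    for (int poison = 0; poison <= 1; poison++)
        printf("poison=%d  stale bytes visible=%d  dangling read=0x%02X\n",
               poison, stale_bytes_after_reuse(poison),
               (unsigned)dangling_read(poison));
    return 0;
}
```

With the fills off, the stale pointer keeps returning believable data and the over-long read sees the previous contents; with them on, both return a fill pattern that stands out in testing.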

      2. Michael Wojcik Silver badge

        Re: This sort of thing doesn't happen

        BTW, isn't the "Heartbleed" problem also a "use after free"

        No. It's a read-buffer overrun. It's not at all hard to understand, and there are explanations aplenty, so why even speculate and appear too lazy to look it up? Is it because you're too lazy to look it up?

        (whatever happened to "uninitialized variable(s)")bug?

        They're still around, and they're not the same as use-after-free or buffer overrun (though a buffer overrun can be due to an uninitialized variable, and it's conceivable that a use-after-free could be too, due to some sort of convoluted logic).

        If you can't tell these types of vulnerabilities apart, I'd suggest programming in a language that provides safeguards against them.

        1. Destroy All Monsters Silver badge
          Trollface

          Re: This sort of thing doesn't happen

          "No. It's a read-buffer overrun"

          Downvotes.

          It's like stackoverflow where you have to fight nameless self-appointed wikinazis who don't even understand your question but want to remove it as a "duplicate".

          THE INTERNET - A GAME OF DRONES.

  3. Anon the mouse

    What's the difference between this and heartbleed?

    Both are out of memory area bugs.

    1. Trevor_Pott Gold badge

      Heartbleed allowed you to attack servers hanging on the net. Anything that presented a vulnerable OpenSSL-backed service, really. This requires the user to go to the site.

      Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.

      1. Anonymous Coward
        Anonymous Coward

        minor improvement on above

        The KeepAlive of Heartbleed works both ways.... as a device can ask for 65k from a server hanging on the net, a server can be configured to ask for 65k from the device which started the session. A condition which might be considered nearly non-patch-able.

      2. big_D Silver badge

        OpenSSL is also used client-side by many applications (VPNs, Android apps etc.), which means a malicious or infected server could also extract data from visiting clients.

      3. Oh Homer
        Headmaster

        re: "Microsoft is unicorn farts that tastes like rainbows"

        I'm fairly confident that even the most hardcore Microsoft fanboi no longer holds that opinion. That shark is well and truly jumped.

      4. Fred Flintstone Gold badge

        Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.

        I'd stick to writing excellent articles - trolling doesn't really seem to work so well for ya :)

      5. Michael Habel

        Also: Linux is evil cancer that only nerds with no lives would ever use and Microsoft is unicorn farts that tastes like rainbows.

        Yeah, but the... flavor... seems... to... be... a bit off with this Windows 8 thing it tastes like shit!

      6. Anonymous Coward
        Trollface

        Microsoft is unicorn farts that tastes like rainbows.

        I've always thought that Microsoft was rather drab and bland… given rainbows are just rain droplets, it all makes sense now. Just like water, Microsoft has no taste!

        1. Anonymous Coward
          Anonymous Coward

          "Just like water, Microsoft has no taste!"

          That's never been a handicap for the meat in MacDonald's burgers...taste it by itself one day if you never have! Cardboard in a bun....

          1. Anonymous Coward
            Anonymous Coward

            You're eating it wrong. You're supposed to eat the outer parts with the print on.

            That thing inside is just to stop it blowing away.

    2. Old Handle

      Heartbleed was unusual because it was so stealthy. This is a more common memory execution bug. It's harder to use, especially without being noticed, but potentially more devastating since it could let an attacker take full control.

      1. Anonymous Coward
        Anonymous Coward

        It was unusual also for being a very simple coding error, something that all those eyes that look at open source software should have spotted?

        I think there's complacency in the open source community thinking others will test or fix their code for them. It's why Linus is always ranting at Linux developers who check-in half-arsed code.

    3. Anonymous Coward
      Anonymous Coward

      > Both are out of memory area bugs.

      Heartbleed wasn't an "out of memory area" bug.

      1. Ken Hagan Gold badge

        "Heartbleed wasn't an "out of memory area" bug."

        Indeed not. It *should* have been, but they were using an allocator that turned it into a "in memory area" bug.

        Then again, for all we know, this latest IE bug might be similar.

    4. Michael Wojcik Silver badge

      What's the difference between this and heartbleed?

      Both are out of memory area bugs.

      What's the difference between a heart attack and cancer? Both can kill you.

      When you use a sufficiently broad generalization, there isn't any difference. That's how generalizing works.

      A use-after-free bug is rather different from a simple buffer overrun, in terms of cause and control flow. In the particular case of Heartbleed the effect was similar to a read-only use-after-free, due to OpenSSL's suballocator, but that's not normally the case with a buffer overrun. And this IE error apparently has malicious code execution potential, which Heartbleed definitely does not.

      So quite a lot, actually.

  4. Robert E A Harvey

    Cleverness

    it seems to me that any badhat capable of discovering and exploiting this is sufficiently clever to have a proper job. Meaning that the blackhats who do exploit it are likely to work for theybuggerm in the government.

    1. Alan Brown Silver badge

      Re: Cleverness

      "it seems to me that any badhat capable of discovering and exploiting this is sufficiently clever to have a proper job."

      Or is being paid very well by other blackhats.

  5. Gray
    Angel

    Mitigated Experience

    Ahhh, yes ... the legendary "Enhanced Mitigation Experience Toolkit"

    1. Wiped WinXP from the wife's old brick; that killed IE 8 (and lingering traces of IE 6 & 7)

    2. Attempted install of Win IE 8 on new OS

    3. Synaptic refused IE 8: "Unrecognized Fault"

    4. Attempted "Enhanced Mitigation Experience" via BASH

    5. Brick flamed. Wife flamed. Mitigation Experience concluded.

  6. Anonymous Coward
    Anonymous Coward

    It's OK for me!

    Never used IE in the last 14 years, except of course for Windows Update.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's OK for me!

      "Never used IE in the last 14 years"

      It's by far the fastest browser these days. It's come a long way since then.

      1. Dan 55 Silver badge
        Trollface

        Re: It's OK for me!

        Now now, Trevor, don't go overboard.

      2. John Tserkezis

        Re: It's OK for me!

        "It's by far the fastest browser these days. It's come a long way since then."

        Agreed. It takes up absolute zero CPU cycles here.

        1. Will Godfrey Silver badge
          Pint

          Re: It's OK for me!

          Nice one!

          Have one of these, as well as an upvote :)

        2. M132

          Re: It's OK for me!

          Because it eats GPU, not CPU

      3. Anonymous Coward
        Anonymous Coward

        Re: It's OK for me!

        "It's by far the fastest browser these days"

        Oh yes, I used it to download Chrome very quickly!

  7. silent_count
    Happy

    Luckily for me

    "Internet Explorer 6 through 11 are all vulnerable"

    See! And people look at me strangely when I tell them that I use IE 1 because it's more secure.

    1. Nick Ryan Silver badge

      Re: Luckily for me

      It also aids productivity because it ensures (*) that you concentrate on one thing at a time rather than continually flit like a geriatric lunatic between different tabs and downloads.

      * as in, it could only do one thing at a time itself, therefore that is how you had to operate. No downloading in the background, no seeing the page until it was loaded, no tabs (don't remember an "open in new window feature" either)... and no .png support, no scripting... errr... I'll just load up lynx thanks. Did it even support marquee and flashing text?

  8. Tank boy
    Facepalm

    Good article.

    When I bought my new laptop I used IE once. To download Chrome. The nice part is that they are 'fessing up to the problem rather than just playing it off.

  9. Nuno trancoso

    So, just as XP is declared "unsafe", the first chicken that comes home to roost is an IE flaw that hits across all the OS's. Nice thing then that M$ is showing us how much safer we would be with their new supported OS rather than their old unsupported OS as they probably won't be issuing a fix for IE versions that still work on their old unsupported OS.

    Then again, we could just dump IE, fixes a lot of exploits, current and future, as it goes out the door ...

    1. Anonymous Coward
      Anonymous Coward

      "Then again, we could just dump IE"

      To use what? Chrome has far more vulnerabilities and far more often for instance than IE.

      1. Anonymous Coward
        Anonymous Coward

        Chrome has far more vulnerabilities and far more often for instance than IE.

        Ssssssh - don't upset the people who still think that Google does no evil.

  10. Lostintranslation

    1995 - that's when Internet Explorer first came out. And after nearly 20 years they STILL can't get it right?

    Just how many bugs in that software have I had to expend time on squashing since then? Is it many hundreds or many thousands?

    How many man-hours globally have been lost to updating this pile of crap?

    Will I still be required to update it in 2035?

    1. king of foo

      2038

      That'll be the least of your worries. You'll have less than 3 years to prevent planes from dropping out of the sky, ATM's from spitting cash into the street and tinterwebs from becoming self aware...

      1. James O'Shea

        Re: 2038

        "planes from dropping out of the sky"

        Ah! so _that's_ what happened to MH370! They set their clocks wrong!

        "ATM's from spitting cash into the street"

        This would be a problem only for those who didn't have the foresight to bring along a bucket.

        "and tinterwebs from becoming self aware"

        It couldn't possibly do worse than the current infestations in Congress and Parliament.

    2. Nick Ryan Silver badge

      This seems to be yet another problem with the ghastly security hell-in-a-box that is everything ActiveX, with maybe a bit of Microsoft's not-javascript, IE only scripting thrown in for good measure. Disable both (permanently and for all profiles and security levels), and you shouldn't suffer from this. However Microsoft are unlikely to issue a notice describing that as a workaround.

    3. Anonymous Coward
      Anonymous Coward

      "Just how many bugs in that software have I had to expend time on squashing since then? Is it many hundreds or many thousands?

      How many man-hours globally have been lost to updating this pile of crap?"

      Actually open Source Software is generally worse for security vulnerability counts and big holes - just look at that Open SSL major screw up. And IE's closest rivals generally have lots more holes and require more patches (especially Chrome)

  11. Potemkine Silver badge

    In MS universe, is 'Enhanced Mitigation Experience Toolkit' codename for Firefox or Chrome?

    1. CDK

      Having a Microsoft Weekend. And it's Monday.

      Wish I were there!

  12. Charlie Clark Silver badge
    Thumb Down

    Active X is the root of all evil

    At least if I read this correctly and the only way the exploit can work across all versions. Unbelievable really that, despite all the good work put into developing IE 9 and beyond, Microsoft has still left the abscess that is Active X essentially untouched. A bit like how they've resurrected the Silverlight walled garden as Metroland.

    They really ought to be sued for not taking Active X out back and replacing it with a proper sandbox system.

    1. Mike Pellatt

      Re: Active X is the root of all evil

      They really ought to be sued for not taking Active X out back and replacing it with a proper sandbox system.

      No. They really ought to be sued for ignoring everyone with the slightest bit of ITSEC understanding who told them long and loud that ActiveX Was A Really Bad Idea. Their feeble, pathetic response was "it's what our users want". I don't think their users really wanted their machines pwned. Perhaps they asked their users the wrong question.

      The history of ActiveX ever since it escaped has been trying to fix all the holes that everyone told them it would have.

  13. Major Ebaneezer Wanktrollop

    Stop slagging them off. They brought us tiles FFS. And that seamless, streamlined customer experience across all Windows platforms that we all enjoy and love. That Xbox Live tile on my business workstation is a Godsend.

    Yeah, how stupid do ya feel now huh MS haters?

    1. Michael Habel

      Stop slagging them off. They brought us tiles FFS. And that seamless, streamlined customer experience across all Windows platforms that we all enjoy and love. That Xbox Live tile on my business workstation is a Godsend.

      Yeah, how stupid do ya feel now huh MS haters?

      Obvious sarcasm is obvious. Here have an up vote for your effort!

  14. MJI Silver badge

    So is XP OK?

    According to the list of OSes it is not affected.

    Anyway I use Firefox

    1. Valeyard

      Re: So is XP OK?

      Firefov?

      you are thinking in Russian, yes?

      1. MJI Silver badge

        Re: So is XP OK?

        Well X and V are a bit near each other

        1. Anonymous Coward
          Anonymous Coward

          Re: So is XP OK?

          Firefov is a vork. Sorry, fork. :)

        2. Michael Habel

          Re: So is XP OK?

          Well X and V are a bit near each other

          Why did I read that as X(P) and V(ista), are a bit near each other?

        3. Will Godfrey Silver badge

          Well X and V are a bit near each other

          ... and I thought I had fat fingers!

    2. El Andy

      Re: So is XP OK?

      XP is mentioned because it's no longer supported, same reason it doesn't mention whether Windows 2000 is vulnerable. It's a reasonably safe bet however, given that Server 2003 is vulnerable, that XP is also vulnerable.

  15. Hans 1

    >Internet Explorer 6 through 11 are all vulnerable, on all versions of Windows from Vista to 8 and Windows Server 2003 to 2012 R2.

    Did not know ie6 ran on Vista, I guess ie 5 and 5.5 are also affected ... let's see if my ie5/Solaris/SPARC is affected.

    1. Ken Hagan Gold badge

      I assume IE6 runs on Server 2003.

      Remember, just because the consumer/cheap version of the OS has gone out of support doesn't mean that MS aren't still publishing exploits (er, patches) for the identical-codebase-but-more-expensive server version.

      In fact, one way to get around XP's demise would be to find (if you can) someone who would sell you a licence for Server 2003. That, of course, would set you back a few hundred, but the possibility means that MS can't charge more than "a few hundred" for ever-extended support for XP.

      1. MJI Silver badge

        I will watch for patches on our server

        Then copy them in!

  16. FSM

    C'mon M$

    Run it through Valgrind!

  17. Your alien overlord - fear me
    Paris Hilton

    What about Lynx

    The text, the whole text and nothing but the text.

    (Paris because she could do with being on the internet more, especially if it became more graphic!!!)

    1. Anonymous Coward
      Anonymous Coward

      Re: What about Lynx

      how is your stink spray going to help?

  18. Lord Lien
    Boffin

    A bug in IE that could potentially...

    ... let someone take control of your machine. History repeating? See you in the comments section about this time next year for the next one.

  19. Joseph Haig

    What?

    XP support has ended? Why wasn't there any warning???

  20. Hi Wreck
    FAIL

    The upside...

    Windows servers default settings make...

    I'm still howling with laughter over that one. As if anyone who could create an exploit would be stopped. Who comes up with this anyway? Get him or her a Pulitzer.

    1. Hans 1
      Windows

      Re: The upside...

      The default settings in question being "you must add each and every site to some whitelist before it gets loaded", you know, the feature window cleaners turn off immediately.

      I almost wet myself when I read that ... that, sir and with all due respect, was bad reporting. It would be greatly appreciated if those who are supposed to write up these articles took 5 minutes to think about what they're writing ....

  21. SimpleIT

    IE on XP? Wow, that's safe!

    If someone is still using Internet Explorer on XP, after even Microsoft said it wasn't safe to use, then they deserve everything they get.

    Surely every XP machine will either have Chrome forced on them or have Firefox installed.

    1. MJI Silver badge

      Re: IE on XP? Wow, that's safe!

      I did Firefox on ours.

      Also had the funny situation that the boys PC would only work on one site when running Mint & FF and not XP & FF.

  22. Rick Giles
    Linux

    "The upside, if there is any, is that Windows Server's default settings make it hard to create the kind of honeypot website that could exploit this flaw."

    It's a good thing that all the servers run Windows then, huh?

    If you rely on Microsoft for your critical business infrastructure, you deserve everything you get.

    That's what I'm telling IT Security right now.

    1. Anonymous Coward
      Anonymous Coward

      "If you rely on Microsoft for your critical business infrastructure, you deserve everything you get.

      That's what I'm telling IT Security right now."

      And they will probably point out that Windows actually has far fewer security holes that are on average fixed faster than say commercial Linux distributions.

      "It's a good thing that all the servers run Windows then, huh?"

      It certainly is for internet facing stuff - far less likely to be hacked than Linux. And a much more secure web services stack than LAMP. Both Apache and Nginx have had to patch security holes this year - and IIS has had zero holes. Hence partly why IIS / Windows is about to overtake Apache / Linux for overall webserver market share:

      http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html

      1. AlbertH

        ..... you can see why this troll is anonymous!

        No version of IIS is in any way secure. Every version, even with every possible patch installed, is as leaky as a sieve.....

        MS now have NO viable products. Win 8 is useless for business (and fails to run many games), their server products are so broken and insecure that they are a nightmare to even try to administer.... Even Win 8 for phones is broken!

        1. Anonymous Coward
          Anonymous Coward

          "No version of IIS is in any way secure. Every version, even with every possible patch installed, is as leaky as a sieve....."

          Just google 'Defacement Statistics' to find that in fact IIS is far more secure than Apache / Linux. Or look at the respective vulnerability counts over the past couple of years...

      2. Hi Wreck

        Except that most of those sites running IIS are parked domains. If one scrolls down the page a tad, one sees that the line for IIS for active sites and million busiest sites is sloping downwards. Nginx seems to be gaining share.

  23. Justice
    Mushroom

    That's all folks...

    *sigh*

    I work for an incredibly large insurance company... all PC and Laptops run Windows XP (despite a Windows Vista license on every desktop) and they all have IE6 running as the default browser.

    Can't see us being around for much longer.

    1. Rick Giles
      Alert

      Re: That's all folks...

      @Justice

      "I work for an incredibly large insurance company... "

      Dear God I hope it's not my insurance company...

      Let me guess, you have several legacy programs that were designed for Windblows 9x/2000 and they barely run on XP, let alone Windoze Vista, 7 8.x and the vendor is no longer around.

      1. DrGoon

        Re: That's all folks...

        You can hope but that's likely the case with every large insurance company. Large swathes of the Fortune 500 haven't yet adjusted to the new speed at which IT must upgrade or patch in the post mainframe world. If they were capable of doing IT at today's pace would cloud providers have so many customers?

      2. swissrobin

        Re: That's all folks...

        "Let me guess, you have several legacy programs that were designed for Windblows 9x/2000 and they barely run on XP, let alone Windoze Vista, 7 8.x and the vendor is no longer around."

        If that really is their problem, I would have thought by now they would be running these legacy apps in some sort of sandbox - like a virtual machine or similar container type technology, hosted inside a modern version of whatever OS works best for them?

        That could be an excellent product - "XP/IE6 in a wrapper" - probably a violation of the license agreement to migrate the running OS into such a wrapper, but if they choose Windows on the outside, I cannot imagine Microsoft being too bothered by that.

    2. MJI Silver badge

      Re: That's all folks...

      Actually since no one uses Vista why is it still on support?

    3. Field Marshal Von Krakenfart
      Boffin

      Re: That's all folks...

      I work for an incredibly large insurance company...

      Only one thing to do then, go back to the mainframe and put a IBM3270 on everyone's desk (with optional light pen).

      Seriously though people, when was the last time you heard of a mainframe virus????

      1. itzman

        Re: That's all folks...

        I could tell you, but then I'd have to kill you..

  24. Anonymous Coward
    Anonymous Coward

    It's not hard to understand. Windows XP is unsupported. Either upgrade or move to Linux, but don't blame Microsoft for prior support of an OS long after many Linux flavors would have stopped support.

    1. MJI Silver badge

      Backwards compatibility

      People are ALWAYS forgetting that the main reason people are hanging onto XP is backwards compatibility.

      It was the last MS OS to properly support MS DOS executables. Things we have used for many years.

      Will a modern Linux run programs created say 15 years ago?

      1. Piro Silver badge

        Re: Backwards compatibility

        Who knows, but for the ultimate in backwards compatibility, maybe they should have developed their software on IBM System z.

        Buy one today, backwards compatible with System/360 from 1964.

      2. Peter Gathercole Silver badge

        Re: Backwards compatibility @MJI

        It depends on how you link it. If you resolve all external dependencies and statically link all library routines, and do not rely on any runtime services (like dbus etc), then it is perfectly possible for a binary compiled today to run on any Linux system as long as it is the correct processor type and the kernel API doesn't change.

        In fact, looking at it, I would expect that many Linux programs compiled 15 years ago would still run, as many of them that old may well not have been linked against shared object files, and certainly would not have used dbus, dcop, bonobo et. al. Possibly more of them than were compiled 5 years ago.

        The dependency on dynamically linked shared objects and runtime services is in my view one of the worst things that ever happened to Linux. It makes building programs that you want to work in the future without having to recompile more difficult than it needs to be.

        Interestingly, but on a different note, I picked a binary of one of my tools off of one of my archives from a 32 bit AIX 4.1.4 system from about 1998, and successfully ran it without re-compiling it on an AIX 7.1 64 bit system.

        1. MJI Silver badge

          Re: Backwards compatibility @MJI

          Well that beats the stupid message Vista produces with a VGA mode DOS app.

  25. Anonymous Coward
    Anonymous Coward

    It took less than two weeks after XP support stopped for my mum's laptop to become malware infested. She uses firefox and isn't the most adventurous of browsers.

    1. Anonymous Coward
      Anonymous Coward

      BAD LUCK MUM

    2. Ken Hagan Gold badge

      Re: Mum's laptop

      Given the interval between Patch Tuesdays, I don't think you can blame your mum's infestation on the fact that the Patch Tuesday due in a fortnight "didn't" (ie, won't) contain anything for XP.

  26. st4yr4d

    Conveniently timed to try and make people want windows 8?.......

  27. rickvidallon

    Internet Explorer or IE is the bane of Web Developers

    Going all the way back to the release of IE version 7, Microsoft has never played well with others and does not conform to many browser rendering standards adopted by Firefox and Chrome. And it's not like Microsoft has not had the chance to get it right... Microsoft is just plain lazy, aka bad management.

    Microsoft has a bad habit of releasing their problems and then let the public sort out the problems. Six months after the release of IE 10 we had 5 clients contact us with a variety of IE 10 problems; links that stopped working, thumbnails that disappeared, forms that would not open, data that would not display and the list goes on and on. I quickly did a search over Google "Problems with IE 10" and found over 2,500,000 million references.

    Now we have reports of a huge security problem with IE. If you can't uninstall IE, just don't use it and download Chrome and Firefox as your primary browsers and never look back.

    1. ecofeco Silver badge

      Re: Internet Explorer or IE is the bane of Web Developers

      Go all the way back to ver 3.

      It's always been like this.

      I used netscape the instant I found it and have stayed the hell away from IE at home and anywhere else I can. Businesses on the other hand, still haven't figured this out.

      Here's another dirty secret about IE: it doesn't actually clear the temp cache unless you manually force it.

      It gets better: even if you use FF or Chrome, the POS STILL holds temp files in its browser cache from those browsers!

      Surprise!

  28. Christelle
    Alert

    For all you visual learners out there or to anybody who wants to learn about the whole Internet Explorer Zero Day Vulnerability in general AKA the biggest reason not to be using IE right now, here's a great Khan Academy style informational video all about it w/ details on the high level mechanics, best practices, and where you can get more info:

    http://info.elastica.net/2014/04/ie-zero-day-cve-2014-1776-high-level-mechanics/

  29. Paul Coddington

    Is this news?

    So, if you disable the security features in Microsoft software, it is, *gasp*, insecure! Who would have thought?
