the world is weird now
good move Microsoft. Hard to believe I wrote that I know, but one has to encourage good decisions. M$ has so few of them.
Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java. Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and …
I've been administering different versions of Windows safely and productively for many, many years now, including quite a few current instances of Win 8.1. I also use different flavors of Linux, Android, and Chrome OS when I need them - also safely and productively. The right tool for the right job.
If you can't figure out how to do the same, that reflects more poorly on you than on anything M$ has or hasn't done.
While sometimes a bit slow and cranky, Windows has been a completely adequate OS since XP. The folks who have problems are the ones downloading pirated music, movies and warez - and it's hard to feel much sympathy.
Bullshit.
The folks who have trouble are the many, many people who have computers and don't know how to avoid those problems.
They are folks for whom a computer is a calculator with a screen, and they already have trouble with calculators.
They are people who have had this clunky, noisy thing plopped on their home desk by relatives telling them that they can see their grandchildren with it, and it works - more or less, but it is really confusing.
Not everyone is an IT engineer and you shouldn't have to be one to use a PC. Unfortunately, these days you do if you want to avoid trouble. And most people just don't have either the time or the inclination to do that.
Reducing the world to a bunch of pirates or saintly YOU reflects very poorly on your level of humanity.
Sure, for many people it's just a tool - but they want it full of any software they can put their hands on - even if they will rarely use it, or are utterly unable to use it properly. Or fill it with music and movies "just because there are sites where you can get them for free".
Although it is true you can be compromised visiting legitimate web sites which got compromised as well, it's also true a lot of trouble comes from people visiting "unsafe" (just to be polite) web sites, installing a lot of pirated software and looking for it, as well as looking for pirated media contents.
Also "I'm running a pirated copy of Windows, because I'm smart I'll turn off Windows Update so Microsoft can't track me!" - same for Office, Photoshop, etc. etc.
Too many think "any software and media should come for free - it's easy to copy, why should I pay for it?" - it varies from country to country - but it's always a big percentage, crooks know, and take advantage of it. Especially now compromised machines and their data have a good "commercial value".
Humankind is greedy enough to be its own nemesis...
IE blocks blocked Active X controls. Has done so for what, decades? The list of blocked Active X controls is updated regularly. Repeatedly. All the time.
To restate: IE is "automatically blocking old, insecure add-ons", and has been since I was in short pants.
So WTF is actually going on ???
I could guess that the list of blocked ActiveX controls is now going to include old versions of Java, but that would be only guessing, since, like the rest of the echo chamber that is the internet, this article includes no checkable resources: the author has clearly repeated some other unsourced report, all of which are saying the same thing, none of which are giving references.
Calm down, love. You're causing a scene.
From Microsoft's IE Blog (it's linked in the article):
"As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls."
The keyword here is "out-of-date". Yes, IE blocks dodgy ActiveX controls but what's significant here is that MS has decided to rule out all but the very latest Java plugins. So if you'd OK'd an earlier version, tough: it's now out of date.
C.
Missed the link. My Error. Sorry. Would have written that differently if I had found the link. Would not have said "WTF" if I had found the link and read the link. Would have been calmer. My reaction was totally only based on reading the article.
Instead, would have pointed out that the new feature was the button helping you to update a supported third-party Active-X control.
Slowly, the article, total nonsense before, starts to come into focus. FF already has, and has had for a long time "a feature that prompts you to update supported third-party addins".
Prior to this release, IE could only throw lousy old Java into the abyss. Now, like competing products, it can notify you about upgrades.
But old versions of IE will still only be able to alert users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.
Enhanced third party support from MS is a newsworthy step. It will be interesting to see what the business analysts make of this announcement.
and the track record of the other browsers is ....what again? There is no such thing as a secure, bug-free browser, and as soon as browser [x] becomes popular it becomes a target for exploitation.
Many, many of the security-minded crowd tend to forget that security through obscurity has worked wonders for them over the years. Small user fractions are simply not interesting targets.
Linux and the alternative browsers used to have such a tiny market percentage that the black hats simply did not bother at all with them, thus raising a false sense of security, and quite a bit of hobnobbery about it. With the rise of popularity of the Linux platform and the "alternative" browsers those systems suddenly did become attractive for exploitation, and bugs and vulnerabilities did prove to exist in said software. Just like in Windows/IE.
Which is when much sniggering ensued about the gnashing of teeth of those who had to eat their own rantings over the past decades.
Can you not phrase your headline in a slightly more accurate way? This is related to buggy ActiveX controls. It's not about Java. Java is the USEFUL thing that this ActiveX control provides, and as it is so USEFUL and EXCELLENT that it is ubiquitous enough for the ActiveX control to be worth attacking. If you make such silly statements then uneducated people like david12 above will start parroting what you are saying.
"This just in: the world's least secure browser blocks a third party plugin. Nice try, Microsoft. IE is still swiss cheese."
But still better at blocking malware and phishing than most other browsers. And has been for at least 5 years:
http://www.eweek.com/c/a/Windows/Microsofts-IE-8-Effective-at-Blocking-Phishing-Malware-Report-Says-225292/
It makes sense when you consider that Cisco's most recent security audit report found that 91 per cent of all web-based exploits in 2013 took advantage of Java vulnerabilities.
Errr ... as long as the OS on which it's running is ... (fill in appropriately)
I for one would welcome comments from authors of plugins for said OS as to why they could be difficult to secure
Yes .... Even if it turned out later that the sandbox was leaking all over the place. Imagine what would have happened if Microsoft had managed to push its own "optimized" version.
Anyway, these days interactive stuff is running as JavaScript in the browser (and what amazing stuff it is) and the whole application stack complete with MVC core is moving back from the server to the browser so I expect the attack surface to increase markedly there - unless people now know what they are doing. Hah.
Next sandbox: run the whole browser in its own VM.
… I'm extremely surprised Microsoft didn't take a dump on Java in IE years ago!
For newbies, some background: See the section "Sun's litigation against Microsoft" in the following article:
http://en.wikipedia.org/wiki/Visual_J++
BTW: Some surprising Java news this week: Oracle has now begun babysitting Java on the Internet by deactivating its JRE at the time of any new security update, or after a pre-configured time period. Profoundly embarrassing to stupid Oracle, but a necessary step seeing as Oracle destroyed Java sandboxing, the fools.
"While that may sound harsh, it's actually generous."
It actually sounds a bit disingenuous to have Java as the ONLY thing on the list; what about insecure Flash versions, old/insecure Silverlight versions, those ActiveX Office plugins of various types, and a slew of other ActiveX with serious security problems? But *shrug*, anyway, it's true they at least are not blocking the current version.
" Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure."
All ActiveX controls will be blocked by default? Woot!
"Microsoft will maintain the list of verboten ActiveX controls itself and will update it as new versions are released or new vulnerabilities are uncovered."
Oh... So typical Microsoft crap. They have a good idea and, as usual, barely implement the important bits.