Users told: Get rid of Internet Explorer (again)

Internet Explorer users have been told to ditch the application and switch to another browser, pronto. The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites). …

COMMENTS

This topic is closed for new posts.

  1. Herby
    Joke

    Exploit?

    Internet exploder has an exploit?

    Windows has an exploit?

    I'M SHOCKED!

    It could be a joke, but we all know it isn't (*SIGH*)!

    1. Anonymous Coward
      Anonymous Coward

      Re: Exploit?

      Herby, I would like to thank you personally for your allowing us to share in your enlightened, intelligent and well constructed thoughts.

      I wish I could say it was a pleasure and an education, alas...

    2. asdf
      FAIL

      Re: Exploit?

      You lie! According to the fancy new commercials on TV in the US, IE is the only game in town. And tell me would Microsoft waste millions on advertising instead of development if their product was not perfect?

  2. Graham Marsden
    Devil

    Pardon me...

    ... but what is this "again" business you refer to...?

  3. Anonymous Coward
    Anonymous Coward

    This is why...

    ...I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier.

    I also used to use IE8 out of dogged determination to follow the local IT rules on the principle that if the tools I was required to use reduced my efficiency that was my employer's problem. But eventually I just had no choice but to move on to Firefox or get no work done at all!

    1. nematoad
      WTF?

      Re: This is why...

      "I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier."

      As a former IT support analyst your statement intrigues me.

      In what way would you having admin privileges on your account make life easier for anyone except yourself? There really is no reason to have such privileges unless one IS an administrator, quite the opposite in fact, as anyone with the ability to stuff unauthorised, untested applications and generally interfere with the PC is the stuff of the IT department's nightmares. Believe me, as the saying goes "A little knowledge is a dangerous thing."

      No, unless you have some absolutely desperate need for hands-on control of your PC leave that pleasure to the poor souls who are paid to do the job. Even then get the support of the IT department when contemplating any changes to your set-up whatsoever.

      Think of it as an insurance policy. If you mess up the machine someone somewhere is going to have to pay for it to be put right. If the IT department messes up, it's up to them to fix it under the SLA at no cost to you.

      1. Anonymous Coward
        Anonymous Coward

        In answer to nematoad:

        I used to work in the IT department at my university (shudder). Now I am out in the faculties, some of the IT people would love nothing more than for me to fix my own problems and install my own software so they don't have to (to be fair, they are genuinely understaffed). I would like nothing less - I never wanted to mess around with computers at that level, it is something I will do (quite well according to my manager there) for money, but not for 'fun'! Certainly not for free. Definitely not Windows!!!

        I know all about the dodgy stuff that academics think they are qualified to install, having pulled enough data-recovery miracles after-the-fact in my time, and given enough "well, that's why we don't want people doing that" talks ten times as often (we are talking data worth potentially hundreds of thousands of dollars and several years' work - no, a USB drive from the local office shop isn't going to be as reliable as the expensive triple-off-site system you balked at paying for space on, there is a place in Melbourne that can scan the disassembled platters in a clean room if the data is worth enough...).

        Probably my experience with such things is why they would trust me (and the fact that I actually keep my data on the right storage volumes where they are protected from local machine failures, etc. etc.). I am probably one of the last people in the university to submit the required use-case to get Firefox finally installed (not a program I am particularly keen on either, but at least it renders the pages I need).

      2. fishman

        Re: This is why...

        nematoad:

        Since you are a former IT support analyst, I'm surprised that you forgot that on XP some software won't run w/o admin privilege.

        1. Captain Scarlet Silver badge
          Facepalm

          Re: This is why...

          Well you can run most programs without admin rights, but then it's the realm of having to give users write access to the program folders which if a user knows about can be abused. It just takes some time as generally the developers of the program after saying, "Why do you write temp files to the root of C, why not use a temporary folder like everyone else" will request lots of money for their software no-one in the IS/IT department likes.

        2. The Flying Dutchman
          Stop

          Re: on XP some software won't run w/o admin privilege

          I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them.

          Moreover, the reason for such behavior is often outright stupid, such as the software wanting to write to some file (usually in the install dir) to which only users in the admin group have write privilege. If the author of the software can't even get this sort of thing right, the software isn't worth the disk space it occupies.

          1. John Smith 19 Gold badge
            Happy

            Re: on XP some software won't run w/o admin privilege

            "I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them."

            I got the impression that's most bought in specialist apps in the NHS.

            Good thing you don't work for them is it not?

      3. Anonymous Coward
        Anonymous Coward

        Re: This is why...

        Can be as simple as, "the damn software is run by four people, has monthly updates which require 30 minutes on each system to install, and since they change the install parameters every month, can't be easily automated, so it's easier to just give them admin privileges to install the updates."

        Or, as was the case after we just finished creating our first "standards compliant secure Windows 2000 environment," you discover that MS's new release of the programming tool every programmer in the office needs REQUIRES administrative privileges for the software to run.

  4. Anonymous Coward
    Anonymous Coward

    "The attack bypasses ASLR"

    Curious if that has something to do with IE essentially being part of the OS.

    At least this one stays in the user context...

    1. El Andy

      Re: "The attack bypasses ASLR"

      IE being "part of the OS" is one of those confused ideas that gets blamed for much that doesn't make sense. It's only "part of the OS" in the sense that it is packaged as a shared library that other applications and services can use. Beyond that it's just a user-mode application like anything else.

      As for bypassing ASLR, I'm not convinced that's too big a deal - it's never been a particularly strong way of protecting an OS anyway. It'd be rather more useful to know whether the exploit can break out of Protected Mode IE (whereby IE normally runs with less permission than a standard user as long as UAC is enabled) as neither the Rapid7 post nor MSFT's advisory is entirely clear on that one.

      1. Anonymous Coward
        Anonymous Coward

        Re: "The attack bypasses ASLR"

        El Andy,

        Not trying to be disagreeable, but the rumor/FUD/whatever-you-want-to-call-it that IE exists at a lower security context than a normal application is an old, well established one... so is there any way to verify (source?) that "it's just a user-mode application like anything else" and does not make use of what would normally be restricted calls and methods?

        Regards.

  5. AfternoonTea
    Meh

    Crusty scab

    And there is me, using IE(64bit) for the first time in a few years just to see...

  6. Combat Wombat
    Trollface

    I'll keep using..

    Firefox...

    safe and no ads ftw !

    1. Anonymous Coward
      Anonymous Coward

      Re: I'll keep using..

      "Firefox... safe and no ads ftw !"

      There is no such thing as a 'safe' browser... ftw!

      1. Anonymous Coward
        Anonymous Coward

        Re: I'll keep using..

        Although what you said is true I'm downvoting you for replying to a trollface icon person correcting their deliberate error.

  7. El Andy
    FAIL

    Rapid7 might look a bit more knowledgeable in all this if they actually managed to make their own website correctly detect browsers, instead of putting up an "Attention IE6 user, you need to upgrade your browser" when visited in IE10. What exactly is the point of an advisory that the very users you're supposedly warning can't read because you don't know how to write HTML properly??

    1. Dan 55 Silver badge

      Unfortunately many browser sniffers that are copied and pasted into code can't parse browser versions greater than 9 properly (10 is read as 1).

      The problem will fix itself when we're up to Chrome and Firefox 70 or thereabouts, probably by the end of the year.
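
The version-parsing bug Dan 55 describes, shown as an added JavaScript example that is not part of the thread or of any site's actual code. The function names are hypothetical and the user-agent strings are constructed samples; the single-character read stands in for the copy-and-paste sniffers he mentions.

```javascript
// Added illustration: function names are hypothetical, UA strings are
// constructed samples in the classic "MSIE <major>.<minor>" format.
const SAMPLE_UAS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  ie9: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  ie10: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
  other: "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0",
};

// Sniffer in the copy-and-paste style: reads exactly one character after
// "MSIE ", so a two-digit major version is truncated ("10" becomes 1).
function sniffBuggy(ua) {
  const i = ua.indexOf("MSIE ");
  if (i === -1) return null;
  const v = parseInt(ua.charAt(i + 5), 10);
  return Number.isNaN(v) ? null : v;
}

// Corrected parse: take the whole run of digits before the dot.
function sniffFixed(ua) {
  const m = /MSIE (\d+)\./.exec(ua);
  return m ? parseInt(m[1], 10) : null;
}

// Banner decision as a site might make it: nag anything older than IE7.
function showsUpgradeBanner(sniff, ua) {
  const major = sniff(ua);
  return major !== null && major < 7;
}

// Run both sniffers over every sample and collect the banner decisions.
function compare() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
    out[name] = {
      buggy: showsUpgradeBanner(sniffBuggy, ua),
      fixed: showsUpgradeBanner(sniffFixed, ua),
    };
  }
  return out;
}

console.log(compare());
```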

  8. Christian Berger

    Hmm... remote binary code execution....

    ....sounds exactly like Active X to me.

  9. Hans 1
    Mushroom

    IE? Who uses that shit ?

    Seriously, we have prime-time ads on TV for that pile of shit - it is clearly the most widely known bad, broken, and bloated piece of software.

    Don't use, don't use, did I say don't use ????

    1. Real Ale is Best
      FAIL

      Re: IE? Who uses that shit ?

      IE? Who uses that shit ?

      Sadly, my customers.

      1. Anonymous Coward
        Anonymous Coward

        Re: IE? Who uses that shit ?

        Hey, don't complain. It's keeping you in paid employment!

    2. JDX Gold badge

      Re: IE? Who uses that shit ?

      It's widely known and widely used but IE9 is just fine thanks. I hope IE10 continues the trend but unlike other commentards I won't pass judgement on something I never used.

    3. Anonymous Coward
      Anonymous Coward

      Re: IE? Who uses that shit ?

      Anyone who is subject to the PHBs two levels above my department whose policy requires the use of financial software that is only certified to work with IE (and a soon to be obsolete version of Java).

  10. Anonymous Coward
    Anonymous Coward

    I preferred reading this on slashdot where it didn't sound like low quality tabloid journalism.

  11. JaitcH
    Thumb Up

    ... attack works on IE 7 through 9!

    Another 'reason' for the UK government to keep on using IE6.

    1. John Smith 19 Gold badge
      Happy

      Re: ... attack works on IE 7 through 9!

      "Another 'reason' for the UK government to keep on using IE6."

      I wondered if anyone would come up with this ideal con-tractor line.

      Well spotted.

    2. christian baier
      Stop

      Re: ... attack works on IE 7 through 9!

      According to heise.de it works on IE6 as well.

      http://www.h-online.com/security/news/item/Microsoft-and-Germany-s-BSI-warn-against-using-IE-1710058.html

  12. JDX Gold badge

    So...

    Because a browser has a security bug we should stop using it? What do we do when Firefox has an exploit? Move to Chrome? Then what when Chrome has a bug?

    Software gets exploited, the important thing is that the bugs get addressed not that they exist.

    1. Alpha Tony

      Re: So...

      'Because a browser has a security bug we should stop using it? '

      ...'Software gets exploited, the important thing is that the bugs get addressed not that they exist.'

      Yes and no. You don't scrap your car and buy a new one if it breaks down once, but if it breaks down every week and every other car by the same manufacturer breaks down every week, then maybe it's time to buy one from someone else don't you think?

      1. Anonymous Coward
        Anonymous Coward

        Re: So...

        "then maybe it's time to buy one from someone else don't you think?"

        Let every vendor or developer who has only ever truly written exploit and bug free code step forward...

        1. Anonymous Coward
          Anonymous Coward

          Re: So...

          "Let every vendor or developer who has only ever truly written exploit and bug free code step forward..."

          Let everyone who has not read the post reply to it.

  13. John Smith 19 Gold badge
    Unhappy

    Application portability. Microsoft style

    3 generations of browser.

    1 exploit to pwn them all.

    Do you get the feeling their software development process is somehow IDK not right?

    1. JDX Gold badge

      Re: Application portability. Microsoft style

      Why would an exploit on newer versions NOT work on older ones? Do you think they start each browser totally from scratch?

      1. theblackhand

        Re: Why would an exploit on newer versions NOT work on older ones?

        Because the vulnerability affects functionality that was not implemented in the older browsers?

        IE10 isn't just IE6 with some of the broken bits fixed. It's a whole new turd sandwich - the bread may be the soggy, mouldy exterior that we are familiar with, but you can notice the smell isn't quite as bad and the brown colouring of the filling is more pleasant on the eye.

  14. Anonymous Coward
    Anonymous Coward

    Odd didn't we read the other week...

    ...that IE is less susceptible to a certain attack than many of the other browsers...

    Ooo look here it is.

    http://www.theregister.co.uk/2012/08/21/tesco_ico/

    (following link to)

    http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html

    Quote:

    "Just on the browser compatibility for that XSS: IE9 and IE10 are actually pretty good and will warn you about it without executing it. All other browsers tested – Chrome, Firefox and Safari (desktop and iOS) – will happily parse it and allow the exploit to occur."

    So let's face it, use one browser you're screwed one way and use another and you're screwed another way.

  15. Techs UK
    Thumb Down

    So we can't use Java, because...

    ...that has bugs, now not IE (taking a pop at the favourite browser again) because that has a bug which can infect your machine when you browse to dodgy, badly maintained sites.

    What about all the other software with bugs in it?

    I'm not saying IE is better than the others, I'm used to it and am well aware that other browsers can be better and can be worse. Security of software is a process, not a state. My money is on Microsoft at the moment when it comes to process and support and the feed through to consumer and the enterprise.

  16. LastByte
    Unhappy

    Can someone tell the government please

    Recently I had cause to contact the DWP and had difficulty with their on-line form. The contact centre referred me to this link.

    http://www.direct.gov.uk/en/Pensionsandretirementplanning/StatePension/DG_183111

    Unfortunately it turned out that my PC isn't old enough to discuss pensions.

    Operating systems and browsers

    The service is not currently available using Macs or other Unix based systems even though you may be able to input information.

    Our service currently works with the following operating systems and browsers:

    Microsoft Windows 98:

    Internet Explorer versions 5.0.1, 5.5 and 6.0

    Netscape 7.2

    Microsoft Windows ME

    Internet Explorer version 5.5 and 6.0

    Netscape 7.2

    Microsoft Windows 2000

    Internet Explorer version 5.0.1, 5.5 and 6.0

    Netscape 7.2

    Firefox 1.0.3

    Mozilla 1.7.7

    Microsoft Windows XP

    Internet Explorer 6.0

    Netscape 7.2

    Firefox 1.0.3

    Mozilla 1.7.7

  17. Crisp

    Get rid of Internet Explorer

    Is that even possible?

    1. yossarianuk
      Linux

      Re: Get rid of Internet Explorer

      Of course it is.

      All PCs I have used in the last 8 years have been completely IE free.

      See www.distrowatch.org for a list.

      1. Crisp

        Re: Get rid of Internet Explorer

        Thanks for trying to help, but I develop in a Windows environment, so that doesn't really count as a getting rid of IE solution.

  18. Anonymous Coward
    Anonymous Coward

    Fragmentation

    It's really hard to seriously address this.

    First issue is that at some point, as others have said, every browser has a "oooooooo nooooooooooos exploit" moment. That's life, that's software, the bastards are always out to get you.

    Second issue is that for things other than random website browsing, browser brand and version become a massive headache. I've got MSIE, Firefox and Chrome on my work PC just to be able to make the websites and applications I need to use work correctly.

    Combine those two things together and all you can hope for are fixes for issues as they come along and to be honest, all of the three I use do do that.... maybe not in time for some nasty 0day, but nobody protects you against 0day.

  19. Wang N Staines

    Can't wait for IE10 to come out.

  20. dougal83
    Thumb Down

    Not got flash installed. I win.

  21. Senior Ugli
    Pint

    The new IE advert is false advertising

    It's "super fast" yet on my PC I open it and it crashes

    Why do they even advertise this hunk of junk

    Death to IE

    1. Tom 13
      Joke

      Re: It's "super fast" yet on my PC I open it and it crashes

      But I'll bet it crashes 10 times faster than it did on your old system, thus saving you time and money!

  22. crushkttykitty

    here is the exploit in action

    the bad thing about it is no user interaction just going to a web site

    https://www.youtube.com/watch?v=2UlN9W6NGqY&feature=player_embedded

    those not wanting to click links just do a youtube search for “0-Day exploit in action” or “crushkittykitty”
