Friends don't let friends use Internet Explorer – advice from US, UK, EU Microsoft has warned of a new security flaw in all versions of its Internet Explorer web browser for Windows PCs. A patch has yet to be released for the crocked code. Vulnerability CVE-2014-1776, to give the problem its formal name, allows miscreants to hijack at-risk Windows computers. It's all due to “the way Internet …
It was unusual also for being a very simple coding error, something that all those eyes that look at open source software should have spotted?
I think there's complacency in the open source community thinking others will test or fix their code for them. It's why Linus is always ranting at Linux developers who check-in half-arsed code.
What's the difference between this and heartbleed?
Both are out of memory area bugs.
What's the difference between a heart attack and cancer? Both can kill you.
When you use a sufficiently broad generalization, there isn't any difference. That's how generalizing works.
A use-after-free bug is rather different from a simple buffer overrun, in terms of cause and control flow. In the particular case of Heartbleed the effect was similar to a read-only use-after-free, due to OpenSSL's suballocator, but that's not normally the case with a buffer overrun. And this IE error apparently has malicious code execution potential, which Heartbleed definitely does not.
So quite a lot, actually.
Ahhh, yes ... the legendary "Enhanced Mitigation Experience Toolkit"
1. Wiped WinXP from the wife's old brick; that killed IE 8 (and lingering traces of IE 6 & 7)
2. Attempted install of Win IE 8 on new OS
3. Synaptic refused IE 8: "Unrecognized Fault"
4. Attempted "Enhanced Mitigation Experience" via BASH
5. Brick flamed. Wife flamed. Mitigation Experience concluded.
It also aids productivity because it ensures (*) that you concentrate on one thing at a time rather than continually flit like a geriatric lunatic between different tabs and downloads.
* as in, it could only do one thing at a time itself, therefore that is how you had to operate. No downloading in the background, no seeing the page until it was loaded, no tabs (don't remember an "open in new window feature" either)... and no .png support, no scripting... errr... I'll just load up lynx thanks. Did it even support marquee and flashing text?
So, just as XP is declared "unsafe", the first chicken that comes home to roost is a IE flaw that hits across all the OS's. Nice thing then that M$ is showing us how much safer we would be with their new supported OS rather than their old unsupported OS as they probably won't be issuing a fix for IE versions that still work on their old unsupported OS.
Then again, we could just dump IE, fixes a lot of exploits, current and future, as it goes out the door ...
1995 - that's when Internet Explorer first came out. And after nearly 20 years they STILL can't get it right?
Just how many bugs in that software have I had to expend time on squashing since then? Is it many hundreds or many thousands?
How many man-hours globally have been lost to updating this pile of crap?
Will I still be required to update it in 2035?
"planes from dropping out of the sky"
Ah! so _that's_ what happened to MH370! They set their clocks wrong!
"ATM's from spitting cash into the street"
This would be a problem only for those who didn't have the foresight to bring along a bucket.
"and tinterwebs from becoming self aware"
It couldn't possibly do worse than the current infestations in Congress and Parliament.
This seems to be yet another problem with the ghastly security hell-in-a-box that is everything ActiveX, with maybe a bit of Microsoft's not-javascript, IE only scripting thrown in for good measure. Disable both (permanently and for all profiles and security levels), and you shouldn't suffer from this. However Microsoft are unlikely to issue a notice describing that as a workaround.
"Just how many bugs in that software have I had to expend time on squashing since then? Is it many hundreds or many thousands?
How many man-hours globally have been lost to updating this pile of crap?"
Actually open Source Software is generally worse for security vulnerability counts and big holes - just look at that Open SSL major screw up. And IEs closest rivals generally have lots more holes and require more patches (especially Chrome)
At least if I read this correctly and the only way the exploit can work across all versions. Unbelievable really that, despite all the good work put into developing IE 9 and beyond, Microsoft has still left the abscess that is Active X essentially untouched. A bit like how they've resurrected the Silverlight walled garden as Metroland.
They really ought to be sued for not taking Active X out back and replacing it with a proper sandbox system.
They really ought to be sued for not taking Active X out back and replacing it with a proper sandbox system.
No. They really ought to sued for ignoring everyone with the slightest bit of ITSEC understanding who told them long and loud that ActiveX Was A Really Bad Idea. Their feeble, pathetic response was "it's what our users want". I don't think their users really wanted their machines pwned. Perhaps they asked their users the wrong question.
The history of ActiveX ever since it escaped has been trying to fix all the holes that everyone told them it would have.
Stop slagging them off. They brought us tiles FFS. And that seamless, streamlined customer experience across all Windows platforms that we all enjoy and love. That Xbox Live tile on my business workstation is a Godsend.
Yeah, how stupid do ya feel now huh MS haters?
Obvious sarcasm is obvious Here have an up vote for your effort!
I assume IE6 runs on Server 2003.
Remember, just because the consumer/cheap version of the OS has gone out of support doesn't mean that MS aren't still publishing exploits (er, patches) for the identical-codebase-but-more-expensive server version.
In fact, one way to get around XP's demise would be to find (if you can) someone who would sell you a licence for Server 2003. That, of course, would set you back a few hundred, but the possibility means that MS can't charge more than "a few hundred" for ever-extended support for XP.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
