back to article On the first day of Christmas, Microsoft gave to me... an emergency out-of-band security patch for IE

Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers. The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser's scripting engine. Visiting a malicious website abusing this bug with a vulnerable version of IE is …

  1. Waseem Alkurdi
    Linux

    Internet Explorer patches

    Party like it's 2004 again!

  2. Anonymous Coward
    Anonymous Coward

    More patches than the scouts or the guides.

  3. ITS Retired

    You'd think IE would be iron clad bullet proof by now.

    One might think, but you'd still be wrong.

    1. Publik_Emily_Numba_1

      Re: You'd think IE would be iron clad bullet proof by now.

      It's the same as with 491 scams, users have preselected themselves as not that savvy, and thus easier to scam.

      1. Robert Carnegie Silver badge

        419 not 491

        See https://en.wikipedia.org/wiki/Advance-fee_scam unless for some reason you did that on purpose.

        "The number 419 refers to the article of the Nigerian Criminal Code dealing with fraud."

    2. Anonymous Coward
      Anonymous Coward

      Re: You'd think IE would be iron clad bullet proof by now.

      Let me introduce you to my friend "flash"

  4. Wisteela

    Really?

    People still use it?

    1. Fungus Bob Silver badge
      Devil

      Re: Really?

      Only for downloading Chrome....

    2. mrobaer

      Re: Really?

      Oddly enough, IE has more market share than Edge does.

    3. NeilPost

      Re: Really?

      Widespread in Corporate-land, with crummy Intranet sites, Remote Access tools (that should have been updated) and Sharepoint - where none work properly with Chrome, Firefox or Wdge.

      1. Disgusted of Cheltenham

        Re: Really?

        And how else do you use an employer's system that calls for silverlight?

    4. Anonymous Coward
      Anonymous Coward

      Re: Really?

      Netflix 1080 in Windows 7, yes I know I can do it in Chrome but I like the "back to the future" feeling of clicking the blue E of doom.

      1. Brenda McViking
        Trollface

        Re: Really?

        It's pronounced "Internet Exploder"

        1. Robert Helpmann?? Silver badge
          Childcatcher

          Re: Really?

          It's pronounced "Internet Exploder"

          I would have corrected you in times past that it is instead "Internet Exploiter" but as the main competition is Chrome, I think IE has been surpassed in that capacity.

      2. arctic_haze Silver badge

        Re: Really?

        On Windows 7 Netflix works fine with Firefox.

        When I started with the time-slurping website, the support page stated that I needed Silverlight. Luckily the reverse was true and Netflix worked on Firefox only natively.

  5. Lorribot

    It's about time...

    ...there was an option to uninstall it.

    1. elvisimprsntr

      Re: It's about time...

      there is...

      format c: /s

      1. Hans 1 Silver badge
        Windows

        Re: It's about time...

        Nope, does not work, for me:

        C:\WINDOWS\system32>format c: /s

        The type of the file system is NTFS.

        WARNING, ALL DATA ON NON-REMOVABLE DISK

        DRIVE C: WILL BE LOST!

        Proceed with Format (Y/N)? y

        Formatting 237.3 TB

        Format cannot run because the volume is in use by another

        process. Format may run if this volume is dismounted first.

        ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.

        Would you like to force a dismount on this volume? (Y/N) y

        Cannot lock the drive. The volume is still in use.

        Format failed.

        1. Sir Runcible Spoon Silver badge

          Re: It's about time...

          "Nope, does not work, for me:"

          Classic :D

        2. Anonymous Coward
          Anonymous Coward

          Re: It's about time...

          Hans 1,

          SCOKTROFL*

          We have a Winner !!!!!!

          You have won the Internet !!!!

          Do you want it gift wrapped ???

          :) :)

          * Spit Coffee Over Keyboard Then Roll on Floor Laughing !!!

    2. Hans 1 Silver badge
      Facepalm

      Re: It's about time...

      Windows 98 Lite ?

  6. Sjwavfc

    So MS have pulled the advisories... no clue as always... dll files dont have everyone anyway

    Anyone know whats going on?

    1. diodesign (Written by Reg staff) Silver badge

      "MS have pulled the advisories"

      Are you sure - the webpages are still up, and you can download the updates by hand if they're not in Microsoft Update.

      Eg, for Windows 10 build 1809:

      https://www.catalog.update.microsoft.com/Search.aspx?q=KB4483235

      Windows 7 / 8:

      https://www.catalog.update.microsoft.com/Search.aspx?q=KB4483187

      C.

      1. Colonel Mad

        Re: "MS have pulled the advisories"

        KB4483235 reset my search engine to Bing, I now can't find my arse with both hands!

        1. Paul Crawford Silver badge

          Re: "MS have pulled the advisories"

          I now can't find my arse with both hands!

          Ah, such a schoolboy error! You need a map and both hands to find it.

      2. Hans 1 Silver badge
        Windows

        Re: "MS have pulled the advisories"

        And if like me, 1809 bricks your device, here are the links for 1803 (not the same KB number, helpful, that!):

        https://www.catalog.update.microsoft.com/Search.aspx?q=KB4483234

  7. The Aussie Paradox
    Holmes

    Surprisingly

    I used IE the other day for the first time in a long time.

    I was very surprised...

    that nothing had changed and how unclean I felt afterwards.

    1. Anonymous Coward
      Anonymous Coward

      Re: Surprisingly

      It probably wasn't the browser, it probably might have been the old tumblr vids you were looking at ..

      1. The Aussie Paradox
        Joke

        Re: Surprisingly

        Shhhhhhhhhh.... I told the wife I was watching pr0n, not using IE.

  8. herman Silver badge

    If this goes on, I'll have to use Lynx on OpenBSD to browse the web.

    1. robpomeroy
      Thumb Up

      ...with the added bonus that, without JavaScript, you won't be able to log onto any Google service anymore!

    2. BinkyTheMagicPaperclip Silver badge

      You may be amused/horrified to know that Lynx is no longer in OpenBSD base (should be in ports though).

      The reason for this is that the OpenBSD team found too many security holes.

      FTP in OpenBSD is capable of fetching via HTTP/HTTPS though.

  9. Wincerind

    Just love these comments

    Woo woo lets bash IE & Microsoft.

    Like Chrome on version seventy something and Firefox on version sixty something have never issued security patches.

    1. Anonymous Coward
      Anonymous Coward

      Hey now this is el'reg even those of us who occasionally use IE and constantly use Windows like to pretend we're hard core Linux fan boys.

    2. Charlie Clark Silver badge

      The numbering scheme has nothing to do with this, just count the updates. MS has had security patches for IE in nearly every montly service pack and several out of bound.

      The security model for scripting in Internet Explorer is inherently more dangerous than the other browsers. The embedding of the browser in the OS also adds risks: MS could release Edge (which doesn't suffer from this problem) for older versions of Windows but chose not to do so. So, yes, it is fair to bash MS about this.

  10. DoctorPaul

    Initializing installation... done!

    Why would you trust programmers who seem to need an exclamation mark when things actually work as intended?

    1. rmason Silver badge

      Re: Initializing installation... done!

      They should go full 95/98 on us and make it play a little "Ta-Da" .wav file when it works.

      1. DoctorPaul

        Re: Initializing installation... done!

        Ah, that takes me back!

  11. bombastic bob Silver badge
    Devil

    remote-code execution hole in the browser's scripting engine.

    and THIS is why I use NOSCRIPT. Because, you never know when "yet another" script vulnerability will end up spreading malware to YOUR computer, and so it should be disabled by default on all but THE most trusted web sites, and that list should be very, very, very small [and exclude ALL advertisers and CDNs].

    From the article: "A possible alternative is to not use Internet Explorer, of course."

    exactly!

    1. Anonymous Coward
      Anonymous Coward

      Re: remote-code execution hole in the browser's scripting engine.

      Mmm Hmm. Because non of the other browsers ever had any vulnerabilities?

      1. tiggity Silver badge

        Re: remote-code execution hole in the browser's scripting engine.

        AC - yes all browsers have vulnerabilities. Hence best to use one that can be (if necessary via addons) locked down as much as possible.

        All browsers are flawed, but at least some other browsers make it easier for you to limit your risk than IE does and so are better, albeit far from perfect.

    2. TheBully

      Re: remote-code execution hole in the browser's scripting engine.

      I use noscript on Firefox but it is a pain in the gulliver it keeps forgetting that I have whitelisted some sites and I keep having to go twiggle with the little icons in the top right only to then get the cookie warnings and paywalls. If I want to say book a ticket and buy something and I want the payment to go through I switch to chrome as otherwise I will be faced with endless barriers and refreshes.

  12. Ochib
    Headmaster

    The First day of Christmas

    Is December 25, we are still in Advent

    1. mark l 2 Silver badge

      Re: The First day of Christmas

      Or if you go by the dates the shops use, Christmas starts at the beginning of September. At least that is when I saw Christmas decorations for sale in stores near to me.

      I can only guess that people aren't using IE by choice but they are forced to for various reasons, as it seems very dated and basic now compared to more modern browsers.

      Whether MS will eventually kill it off completely remains to be seen since there are still lots of expensive CMS that were bought by big businesses that won't work in anything other than IE.

      1. Teiwaz Silver badge

        Re: The First day of Christmas

        Or if you go by the dates the shops use, Christmas starts at the beginning of September. At least that is when I saw Christmas decorations for sale in stores near to me.

        Christmas decorations for sale can be easily ignored - it's when the xmas loop tape gets dug out, dusted of fluff to be played instore constantly from then on.

  13. Boris the Cockroach Silver badge
    Windows

    Good news everyone

    well for everyone who doesn't use an m$ product to surf the web or read e.mail

    for everyone else

    ha-ha

  14. steviebuk Silver badge

    Not appearing

    On our WSUS setup.

    1. MrFacePalm

      Re: Not appearing (on wsus)

      M$ still haven't updated wsusscn2.cab - http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab is still flinging a version with "Last-Modified: Tue, 11 Dec 2018 11:39:53 GMT"

  15. Colonist-in-IT

    Christmas IT Cover songs (Yankovich-like)

    Love the article title cover song. We should have more!

    The Reg is the perfect venue for hosting a Christmas Songs Cover event. Sorta like....'Jingle Bells, Excel Cells, Coding all the way......". (i forget the rest of the traditional song, but you know what i mean.).

  16. vmistery

    Bets on how many large corporates and public sector orgs are not going to patch this before the new year?

  17. Anonymous Coward
    Anonymous Coward

    Caution: May contain raw code

    IE without exploits, would be like swiss cheese with no holes.

    The contamination isn't desired, but nevertheless expected.

  18. Anonymous Coward
    Anonymous Coward

    Don't get to bent out of shape.

    It good to know they keep it as safe as they can, considering (LOL). Fact of life, hello, some companies have built internal systems using IE. Microsoft is a least paying attention to it.

  19. steviebuk Silver badge

    Can they make it anymore confusing?

    So am I supposed to be searching for KB KB4483187 or fing KB4470199

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019