
New vulnerability found in every single version of Internet Explorer


george


According to a confirmation by Microsoft late last night, a new zero day vulnerability has been found to affect every version of Internet Explorer. In other words—over a quarter of the entire browser market.

Attacks taking advantage of the vulnerability are largely targeting IE versions 9, 10, and 11 in something called a "use after free" attack. Essentially, the attack corrupts data as soon as memory has been released, most likely after users have been lured to phony websites. Microsoft explains:

The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Microsoft is currently investigating the issue and will likely release an out-of-cycle security patch to take care of the problem. Let's just hope it comes soon, because according to security firm FireEye, this means that about 26 percent of the entire browser market is at risk.

And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance.

-- Gizmodo.com 2014-04-28

http://gizmodo.com/new-vulnerability-found-in-every-single-version-of-inte-1568383903


And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance.

Brilliant timing indeed. Microsoft is old school which tries to monetize its customer base as long as it is still a possibility.

Fortunately there are far better alternatives compared to the Microsoft products. Let me introduce you to the Linux family, where the operating system as well as applications get their security updates with ease.

Both the core software (which you might call Windows) and the applications like browsers and way way more, automatically check their security status and upgrade themselves automatically. Pretty handy actually.

There is no waiting for upgrades to be installed as everything is done in the background. There are no forced reboots - in case the core (or kernel as we like to call it) is upgraded, the system will suggest a reboot, but never forces it. It's not uncommon to go days before the reboot as there is not really any need to shut down the laptop every now and then. A simple sleep and wake up in a few seconds is enough.

The price tag to upgrade to Linux? - it's free of charge.


This image always makes me giggle. Not because there have been browser "wars", but because over the years I was forced to make my browser fake being Windows-based IE to be able to use some internet banking sites.

This is just part of the sweet revenge. Bad corporate practices do face karma at some point.


And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance.

Brilliant timing indeed. Microsoft is old school which tries to monetize its customer base as long as it is still a possibility.

Fortunately there are far better alternatives compared to the Microsoft products. Let me introduce you to the Linux family, where the operating system as well as applications get their security updates with ease.

Both the core software (which you might call Windows) and the applications like browsers and way way more, automatically check their security status and upgrade themselves automatically. Pretty handy actually.

There is no waiting for upgrades to be installed as everything is done in the background. There are no forced reboots - in case the core (or kernel as we like to call it) is upgraded, the system will suggest a reboot, but never forces it. It's not uncommon to go days before the reboot as there is not really any need to shut down the laptop every now and then. A simple sleep and wake up in a few seconds is enough.

The price tag to upgrade to Linux? - it's free of charge.

Why keep spouting this nonsense when simply using Chrome or Firefox mitigates this particular risk? Linux isn't the be all and end all, it's a reasonable alternative that has its own flaws.

http://www.theregister.co.uk/2014/04/28/ubuntu_power_user_crash/

Canonical says it is working to fix a problem that's crippling some Ubuntu PCs after they've been upgraded to the latest version of the Linux distro.

A spokesperson for the company told The Reg it is aware that a "small number" of "power users" are seeing their PCs crash following the move to 14.04.


IE stands for "incredibly evil" and has for a long time. The platform of choice for people developing invasive web stuff. One of the first things after doing a win install is to get rid of it, or at least block it.

I still say MS should put XP up as open source and let it live on as legacy small-footprint Windows. I'm not holding my breath for that one!


Bummer. Thankfully I haven't used IE since like, 1999!

Sent from my Galaxy Nexus SlimKat using Tapatalk

Apart from the few times you are forced to use it, I don't see any reason why someone would even consider clicking on the IE icon. It's not even worth mentioning, as Chrome, Opera and Firefox are better in every possible way.

Edited by Sirbergan

Who cares about IE? Useless piece of crap. I have been using Opera for years. Way better than IE in every respect. Today there is lots of choice.... Chrome, Firefox, SeaMonkey, Maxthon, Avant, to name but a few.

Only the clueless would be using IE, and that is only because it came with Windows. Even my mother uses Firefox.


Don't know if this was a fix, but Microsoft released this IE Flash related "Important" update yesterday for Win 8.1/Win 8.0. Didn't show anything for other common versions of Windows like Win 7, etc....maybe Win 7 doesn't have the issue or a Win 7 update hasn't been released yet. Yesterday U.S. time means the update would be arriving on Thailand-based computers today/29 March. I just checked my Win 8.1 Update History and it apparently installed when I first turned on my computer this morning. But like I said, I don't know if this has anything to do with the vulnerability being talked about. Chrome is my primary browser with IE as my backup/secondary.

While no one likes a vulnerability to appear in their browser, you know vulnerabilities appear in all browsers (i.e., IE, Chrome, FF, etc.) but it seems Microsoft IE is the only browser which will rate media attention....probably just because it's the Big Bad Microsoft. For the other browsers it seems vulnerability info is much harder to come by, if any info comes at all....updates to the browsers occur to fix the problem just like IE but like I said the media may not have jumped on the vulnerability and you could actually have been at risk for a good while and never have known about it due to lack of media attention.

And the security software (i.e., firewall/antivirus) companies are also having a field day right now and helping to drum up the fear factor with XP's update support ending on 8 Apr 14/a few weeks ago...with XP support getting a LOT of media attention the security software companies know this is a rare chance to pump up the fear factor media blitz and software sales while the end-of-XP-support is still getting a lot of free media attention.


Why keep spouting this nonsense when simply using Chrome or Firefox mitigates this particular risk? Linux isn't the be all and end all, it's a reasonable alternative that has its own flaws.

I guess it depends which way you wish to go to solve the problems. A bit like the debate of medicine. Some people are happy to fix the symptoms which arise every now and then, others wish to treat the root cause.


oilinki, on 28 Apr 2014 - 22:39, said:
And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance.

Brilliant timing indeed. Microsoft is old school which tries to monetize its customer base as long as it is still a possibility.

Fortunately there are far better alternatives compared to the Microsoft products. Let me introduce you to the Linux family, where the operating system as well as applications get their security updates with ease.

Both the core software (which you might call Windows) and the applications like browsers and way way more, automatically check their security status and upgrade themselves automatically. Pretty handy actually.

There is no waiting for upgrades to be installed as everything is done in the background. There are no forced reboots - in case the core (or kernel as we like to call it) is upgraded, the system will suggest a reboot, but never forces it. It's not uncommon to go days before the reboot as there is not really any need to shut down the laptop every now and then. A simple sleep and wake up in a few seconds is enough.

The price tag to upgrade to Linux? - it's free of charge.

I currently run both "Linux Mint" and "Windows"...why, well Linux is still not suitable for the mass market, e.g., try setting up a printer, or webcams (yes, I know most should work out of the box but there is no software to drive them), try updating your mobile phone...cannot be done, try running anything that requires ActiveX, there are still too many reasons that you cannot do without "Windows," sucks yes, but that is reality. Most of us will be stuck with "Windows" for some time. Not many manufacturers support Linux, hopefully it will change.


Yes, it was a fix for the already in-the-wild security holes Adobe just patched in Flash Player.

So you'll see an update for Chrome as well.

Microsoft will probably issue an out-of-band patch for the one in the OP, but in the meantime use another browser, or just be judicious in your choice of links and don't be logged in with Admin privileges if you don't need to be.


Linux isn't the be all and end all, it's a reasonable alternative that has its own flaws.

http://www.theregist...wer_user_crash/

Ubuntu isn't the be all and end all of Linux.

I never said it was, I was using it as an example.

There is not one OS I know of that doesn't have or won't eventually have security holes. It's simply that Windows, by dint of being the most prevalent OS out there, is the most attacked.

And before that gets the Apple phanbois a-squealing....

http://www.theregister.co.uk/2014/04/22/apple_ios_7_1_1_os_x_security_updates/


What is Internet Explorer? Is that the DOS version of Google Chrome?

Fortunately there are far better alternatives compared to the Microsoft products. Let me introduce you to the Linux family, where the operating system as well as applications get their security updates with ease.

Oh, for.... I hate these stupid "my system is safe" posts because they are ridiculous, way worse than "my word processor is better than yours" because the fact is that NO computer or device that's connected in any manner to the internet is safe. Missionaries are considered tiresome, boring and annoying by almost all the world because... because they are all of the above, not to mention how mistaken they are.
The last major vulnerability in Linux, in March, the "GnuTLS bug" was (and is) by far the worst vulnerability of the year in my opinion, no competition, and I'm including the Heartbleed. GnuTLS lets attackers simply stroll past the SSL (security sockets layer) on any website using Linux, which means one heck of a lot of websites. It makes this Microsoft problem totally insignificant in all ways, if only because all Microsoft versions running on websites are NOT vulnerable to this new browser problem, simply because they run in restricted mode.
Here for your amusement is a list of 237 still-unfixed vulnerabilities in Linux today, exploitable by hackers who can't be bothered looking for Internet Explorer users. After all 237 are fixed, and after every single Linux machine worldwide is fixed, Linux will STILL be insecure, simply because it accesses the internet.


I do agree that Linux does not have so many viruses because it's not being used by the masses yet. There might be some later on.

Linux does constantly check if there are security or other updates and then installs those. As an end user I don't have to check if my apps are up to date. I don't know if Windows currently offers the same service. I hope it does.

Another security feature is one place where most of the applications can be found. When I trust the "App store" I can get what I want from there. Therefore I don't have to find a Firefox-specific website to install the application. Or if I wish to install/try a new editor, I don't need to download it from some site, which I don't really trust.

The common repository has its downside as well. If someone manages to include code in some widely used application, which for example encrypts the computer's documents on 4.2.2015.


Why keep spouting this nonsense when simply using Chrome or Firefox mitigates this particular risk? Linux isn't the be all and end all, it's a reasonable alternative that has its own flaws.

I guess it depends which way you wish to go to solve the problems. A bit like the debate of medicine. Some people are happy to fix the symptoms which arise every now and then, others wish to treat the root cause.

Yes, so people simply need to be aware of the alternatives and not listen to spurious claims about them.

I was simply pointing out a spurious claim.


What is Internet Explorer? Is that the DOS version of Google Chrome?

Fortunately there are far better alternatives compared to the Microsoft products. Let me introduce you to the Linux family, where the operating system as well as applications get their security updates with ease.

Oh, for.... I hate these stupid "my system is safe" posts because they are ridiculous, way worse than "my word processor is better than yours" because the fact is that NO computer or device that's connected in any manner to the internet is safe. Missionaries are considered tiresome, boring and annoying by almost all the world because... because they are all of the above, not to mention how mistaken they are.
The last major vulnerability in Linux, in March, the "GnuTLS bug" was (and is) by far the worst vulnerability of the year in my opinion, no competition, and I'm including the Heartbleed. GnuTLS lets attackers simply stroll past the SSL (security sockets layer) on any website using Linux, which means one heck of a lot of websites. It makes this Microsoft problem totally insignificant in all ways, if only because all Microsoft versions running on websites are NOT vulnerable to this new browser problem, simply because they run in restricted mode.
Here for your amusement is a list of 237 still-unfixed vulnerabilities in Linux today, exploitable by hackers who can't be bothered looking for Internet Explorer users. After all 237 are fixed, and after every single Linux machine worldwide is fixed, Linux will STILL be insecure, simply because it accesses the internet.


BKK Post's Wanda Sloan? ...


Ah well....I've been using Maxthon for years, the design of which makes I.E. look like a school IT project. BUT - there are ways that I still get forced back to I.E. - some companies (no idea what %age) insist on I.E. for their systems to work - a prime example being PARCELFORCE.com in the UK, whose collection-ordering and label-printing processes relied on users accessing the site via I.E., and though they might have added another browser to their 'allowed' list, I still cannot use Parcelforce through Maxthon. Much closer to here, ToT - who I had to call several times today because of DNS death - also ask the user to get onto I.E. for accessing the ToT site. So there's still some arm-twisting going on out there, but not that much. I like Maxthon a lot and feel good being away from the might of Google and all its attempts to run the planet, such as Google+, which I will not join.

Edited by crazydrummerpauly

Well you'll be pleased to hear that not only have M$ released the patch, but they've released it for XP users as well.

Do a Windows Update and you should find it.

Yeap, one of my laptops still has XP and it downloaded/installed the security patch. From the MS website I see the patch covers IE versions 6 thru 11.


And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance.

Brilliant timing indeed. Microsoft is old school which tries to monetize its customer base as long as it is still a possibility.

Fortunately there are far better alternatives compared to the Microsoft products. Let me introduce you to the Linux family, where the operating system as well as applications get their security updates with ease.

Both the core software (which you might call Windows) and the applications like browsers and way way more, automatically check their security status and upgrade themselves automatically. Pretty handy actually.

There is no waiting for upgrades to be installed as everything is done in the background. There are no forced reboots - in case the core (or kernel as we like to call it) is upgraded, the system will suggest a reboot, but never forces it. It's not uncommon to go days before the reboot as there is not really any need to shut down the laptop every now and then. A simple sleep and wake up in a few seconds is enough.

The price tag to upgrade to Linux? - it's free of charge.

BWAHAHAHAHA!

A browser vulnerability that can only be visited by a site designed to exploit it that could give temporary high level access if you are not behind a firewall is a faaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaar cry from Linux's latest one.

Can you say Heartbleed? Read chunks of RAM off a supposedly secure server at will?

..... lucky it just automatically updated in the background to make sure you exposed anything in RAM to anybody who wanted it for the last 2 years. You must be so proud of your technology advice.

Edited by Gats
