Late Saturday, Microsoft confirmed that a new zero-day vulnerability, which resides in all versions of Internet Explorer since IE6, has been spotted in the wild. The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. While all versions of the web browser, IE6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.
New Vulnerability in Every Version of Internet Explorer Since IE6
(Score: 2, Funny) by aristarchus on Monday April 28 2014, @06:31AM
Wow, thank goodness I have never used IE, ever, not since it began to possibly be a contender against Netscape, but I was still using Mosaic then. Wow, what would have happened to me if I used M$ as an operating system? I shudder to think, and then I turn blue, and then, I screen!!!! Blue shuddering screen of Death! (Sorry, can't help it. Hi, NSA guys!)
(Score: 4, Insightful) by tomp on Monday April 28 2014, @07:06AM
Well that didn't take long. Less than a month from end of support to "all XP systems can be infected from a random web site".
(Score: 1) by Horse With Stripes on Monday April 28 2014, @09:11AM
I don't let my Windows users run IE, but if you need to because a website actually requires it, run IE in that no-fun-at-all "Enhanced Protection Mode" or install EMET 4.1 [microsoft.com].
(Score: 2) by elf on Monday April 28 2014, @03:19PM
This isn't XP specific, you could also say the same for any Windows version able to run the infected IE 6-11 versions.
Note Windows Server 2003 already runs IE in protected mode by default
(Score: 0) by Anonymous Coward on Tuesday April 29 2014, @05:44AM
The point is nobody is going to be fixing XP or the IE8 running within, unlike slightly later versions of each.
I would say turn in your card, but it's obvious you didn't have one to begin with.
(Score: 3, Insightful) by wonkey_monkey on Monday April 28 2014, @07:15AM
Interesting use of the word "new."
And When Did SN Decide To Go With All Capitalised Words in Headlines?
systemd is Roko's Basilisk
(Score: 3, Funny) by lx on Monday April 28 2014, @08:37AM
First Heartbleed and now this. These zero-decade vulnerabilities are getting out of hand.
(Score: 0) by Anonymous Coward on Monday April 28 2014, @09:06AM
Title capitalization - cancer that everybody* likes.
* Defined as a group of people making news sites.
(Score: 2) by tangomargarine on Monday April 28 2014, @02:41PM
Why wouldn't you? It's a title. The Other Site does, too.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Funny) by wonkey_monkey on Monday April 28 2014, @03:14PM
Because People Don't Talk Like That. Nor do they substitute commas for the word "and" in everyday conversation, writing.
It makes the text harder (slightly, I'll grant you, but still a bit) to read.
And if the Other Site told you to jump off a cliff? ;)
systemd is Roko's Basilisk
(Score: 2) by tangomargarine on Monday April 28 2014, @03:20PM
It's a long-standing journalistic tradition, I assume to make it catch the eye more. And they title books that way, too (or at least, they should...there are a lot of titles that use a lowercase font these days). The intention isn't to be the same as the way people speak because it's just a single line.
I'm kind of confused by your reasoning.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by cbiltcliffe on Wednesday April 30 2014, @10:17PM
SHUT YOUR FESTERING GOB, YOU TIT! YOUR TYPE REALLY MAKES ME PUKE, YOU VACUOUS, COFFEE-NOSED, MALODOROUS PERVERT!!!
I think people do talk like that. You just don't talk to the right people....
How can the lameness filter block Monty Python? That's got to be the lamest lameness filter I've ever seen. Of course, it's like yelling. It's supposed to be yelling, you snotty-faced heap of parrot droppings!
(Score: 3, Informative) by janrinok on Monday April 28 2014, @07:06PM
The editorial rules of this site state that all summary titles will be in Title Case. Er, since day 1. Not very observant, are we?
http://wiki.soylentnews.org/wiki/Story_Style#Headline_Capitalization
(Score: 4, Funny) by timbim on Monday April 28 2014, @07:27AM
What's the difference between ie5 and ie6? Maybe everyone should switch to ie5 to be safe. Maybe ie1 is the safest browser available in today's world?
(Score: 3, Interesting) by AnonTechie on Monday April 28 2014, @07:50AM
Possibly ... until somebody comes up with another NEW vulnerability which affects IE version 1 to version 5 !!
Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
(Score: 5, Informative) by Hairyfeet on Monday April 28 2014, @08:12AM
Most likely because IE 6 was released at the start of the whole "Web 2.0 let's run everything in a browser" phase of stupid that we are seeing til this very day. I mean sure, put all these extra features to allow a rich app experience in the browser, what could go wrong?
I've said it before and I'll say it again, the whole "let's just run code from anywhere, rich apps in a browser" thing needs to go and we really need to start over, starting with tossing JavaScript. When JavaScript was thought up nobody even thought about what bad actors might do to it, much less that the web would become "monetized" in a way that actively encouraged website owners to take third party code sight unseen from middlemen, and crap like this is the result. All this sandboxing and other crap which keeps pushing up the browser bloat while still letting shit like this happen? It's just bandaids on bulletwounds and does nothing to address that the web is currently working on a retarded model where a single page can have a dozen redirects on it to shit that the person that wrote the website has no clue about.
When I started out a browser easily fit on a floppy and even on 28k pages loaded pretty damned quickly, now we have pipes several orders of magnitude larger and these huge browsers that are more like a mini-OS than the page rendering tools of old yet if anything pages are slower and the experience is worse. Hell so many pages have so much third party shit on them now that surfing without adblock is fricking painful and do these webmasters even have a clue what is being done on their pages from view to view? Nope, hell considering how many ads from conservative companies I've seen in videos reviewing sex toys I seriously doubt the companies buying the ads have a clue either. This whole system seriously needs a do-over, and common sense needs to be used when it comes to the web, though as long as companies and webmasters can make money from this broken design I sadly doubt it'll change.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 3, Funny) by jimshatt on Monday April 28 2014, @08:18AM
(Score: 2) by kaszz on Monday April 28 2014, @09:27AM
Javascript code looks like hell and perhaps should have had some thought in naming to avoid the name confusion with Java (bytecode). The whole system just seems thoughtless.
Sandboxing is likely a necessary evil but as the font bug [slashdot.org] shows. Whenever an external input is processed there are possible unintended consequences.
(Score: 3, Informative) by forsythe on Monday April 28 2014, @01:31PM
For reference, Javascript did have some thought in naming. It was named Javascript precisely so that it would be associated with Java. (For citation, see e.g. W3's [w3.org].)
(Score: 2) by kaszz on Monday April 28 2014, @10:46PM
But why is there a need for association with Java? For all I know it could have been Javascript + flash instead. If W3 had decided so.
A script language is sure useful but Javascript seems too loosely defined, incompatible between browsers and missing strict type control. Often scripts lack checks of environment capability and often get stuck with 99% CPU usage. Let's hope this gets fixed.
(Score: 5, Interesting) by Common Joe on Monday April 28 2014, @11:46AM
I wish the right people were saying that. I'm a desktop app developer and right now I'm learning web app development. I've been out of a job for a while and after months of no one giving me the time of day, I decided to look at web technologies because that's all anyone wants. Luckily, at the same time, a small firm has finally said they are thinking about hiring me because they don't want script kiddies and I have decent object oriented experience. Reasonably, they want to see what I can do and how fast I can learn web technologies before they hire me. They gave me the names of a couple of technologies that they use and said, "Good luck, we'll talk to you in a month." Thank goodness I already had some experience in web development from a decade ago. I'm looking at a dozen technologies piled on top of one another.
That's twelve technologies just to produce something akin to Hello World for a modern web page. Symfony2, Twig, Twitter bootstrap, PostgreSQL, HTML5, CSS, JavaScript, jQuery, JSON, YAML, PHP, and Doctrine. Yes, some are easier than others, but I have literally read and studied hundreds of pages of documentation and skimmed thousands of pages in the past two weeks (and I'm not done learning). The cherry on top is the guy bragged they used over 120 different technologies at his tiny firm so I know he wants me to learn more. WTF? Is this what we call normal in the web world?
There is something fundamentally wrong at every level of web development. Even the development environment sucks compared to the desktop environments. The desktop IDE kicks the web IDE's ass even if you're using the same IDE for the different languages. The web languages are structured so that there is little to no type checking and autocomplete is nowhere near the standards that I'm used to.
No wonder why my potential employer can't find anyone who isn't a script kiddie. How does anyone become an expert at this stuff and still have a life?
(Score: 3, Informative) by tibman on Monday April 28 2014, @01:51PM
It probably doesn't help that it's all new. DotNet web development is the same soup. C#, XML (configs), CSS, HTML with embedded C# (Razor), Javascript, and I'd like to put Linq/EntityFramework as separate from C#. JSON shouldn't count as it is just an associative array.
HTML is your organization, CSS is your presentation, and Javascript is your business logic. When you look at it that way it's actually quite nice. If you are doing TestDriven development then type checking won't even matter. AutoComplete will probably always lag behind what you're used to though : / But I'll bet you come to rely on it a lot less. If your desktop IDE was Visual Studio (I'm guessing) then you can try a php extension. You'll be able to debug code and use IntelliSense exactly like you used to. http://www.devsense.com/products/php-tools [devsense.com]
I have no doubt that your marketable value will go up if you learn all this stuff this guy is throwing at you. He's right though, it isn't always about what you already know. It's also about how quickly you can learn new things. You've got a great opportunity here to transition to web development. You'll have a huge amount of server-side knowledge that most web-devs lack. Good luck!
SN won't survive on lurkers alone. Write comments.
(Score: 0) by Anonymous Coward on Monday April 28 2014, @02:12PM
A hundred and twenty "technologies" sounds like one of those inflated numbers people come up with to be able to brag: my OS is a "technology," as is e-mail, as is g-mail, as is my word processor, as is my kid's favorite word-processors, etc., all the way to one hundred and twenty. If the guy counts HTML and CSS as "technologies" as opposed to de facto common knowledge in the tech world generally, he's definitely inflating numbers.
On the other hand, if he's using a hundred frameworks for a project, he very likely has a shallow-to-none understanding of each. Deeply understanding JavaScript (including closures), a server-side language (PHP is, despite the common fastidium, a general default), and basic SQL (with the ability to specialize in MySQL or PostgreSQL) is what you need.
Once you have those, the rest either follows naturally or becomes pointless. JSON is actually just a subset of JS. JQuery is nice to know and doesn't take long at all IF you have the deep understanding of JavaScript. Bootstrap is worthless once you know the basics.
(Score: 1) by O3K on Monday April 28 2014, @05:48PM
That's a badass rant right there, Man.
(Score: 1) by iWantToKeepAnon on Monday April 28 2014, @06:39PM
Very very very bad idea. Things You Should Never Do [joelonsoftware.com]
We don't need to lose that much time. Yes we can incrementally make things better. Tearing down the whole damn frickin internet and trying to build a better replacement is not the solution. Your "better" solution would be delivered late and over budget and would be totally ignored. And while you were off in your marbled halls creating a work of beauty, the real world would go on without you and fix the already working technologies and nobody would care when you tell them how much better your app is "under the hood" ... yet works just about the same as what we already have.
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 2) by lennier on Monday April 28 2014, @10:37PM
I've said it before and I'll say it again, the whole "let's just run code from anywhere, rich apps in a browser" thing needs to go and we really need to start over, starting with tossing JavaScript... It's just bandaids on bulletwounds and does nothing to address that the web is currently working on a retarded model where a single page can have a dozen redirects on it to shit that the person that wrote the website has no clue about.
You may be surprised (and pleased) to know that Alan Kay, the guy who invented object oriented programming and the GUI and possibly knows what he's talking about, heartily agrees with you. [drdobbs.com]
Delenda est Beta
(Score: 3, Funny) by black6host on Monday April 28 2014, @08:12AM
>>attacks are currently targeting IE versions 9, 10 and 11
Monday morning I'm going to tell my know-it-all peons just why we haven't moved from IE6! And VB6 for that matter. The wheel has been round (as in shape) for millennia for a reason, you know?
(Score: 0) by Anonymous Coward on Monday April 28 2014, @08:25AM
You must be reading the headline/summary different than I do: From my understanding, IE6 is also affected.
(Score: 0) by Anonymous Coward on Monday April 28 2014, @08:52AM
Yes, you are right. I was referring to the attack being carried out against later versions of IE.
(Score: 2) by marcello_dl on Monday April 28 2014, @08:40AM
Dude, My appleII runs a TCP/IP stack just fine.
(Score: 2) by kaszz on Monday April 28 2014, @09:42AM
You must quickly install zeroexploit(tm) so that anyone that wants to spy may do so .. :-)
(Score: 2, Funny) by Daiv on Monday April 28 2014, @08:59AM
Good thing I'm still rocking IE 5.2 on my Mac!
(Score: 1) by ButchDeLoria on Monday April 28 2014, @10:32AM
I sure hope IE4 for Unix is safe.
(Score: 0) by Anonymous Coward on Monday April 28 2014, @10:43AM
The average smartphone is probably more powerful.