posted by n1 on Monday April 28 2014, @06:11AM
from the film-at-11 dept.

Late Saturday, Microsoft confirmed that a new zero-day vulnerability, which resides in all versions of Internet Explorer since IE6, has been spotted in the wild. The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. While all versions of the web browser, IE6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.

  • (Score: 2, Funny) by aristarchus on Monday April 28 2014, @06:31AM

    by aristarchus (2645) on Monday April 28 2014, @06:31AM (#37047) Journal

    Wow, thank goodness I have never used IE, ever, not since it began to possibly be a contender against Netscape, but I was still using Mosaic then. Wow, what would have happened to me if I used M$ as an operating system? I shudder to think, and then I turn blue, and then, I screen!!!! Blue shuddering screen of Death! (Sorry, can't help it. Hi, NSA guys!)

  • (Score: 4, Insightful) by tomp on Monday April 28 2014, @07:06AM

    by tomp (996) on Monday April 28 2014, @07:06AM (#37049)

    Well that didn't take long. Less than a month from end of support to "all XP systems can be infected from a random web site".

    • (Score: 1) by Horse With Stripes on Monday April 28 2014, @09:11AM

      by Horse With Stripes (577) on Monday April 28 2014, @09:11AM (#37072)

      I don't let my Windows users run IE, but if you need to because a website actually requires it, run IE in that no-fun-at-all "Enhanced Protection Mode" or install EMET 4.1 [microsoft.com].

    • (Score: 2) by elf on Monday April 28 2014, @03:19PM

      by elf (64) on Monday April 28 2014, @03:19PM (#37216)

      This isn't XP specific, you could also say the same for any Windows version able to run the infected IE 6-11 versions.

      Note Windows Server 2003 already runs IE in a protected mode by default

      • (Score: 0) by Anonymous Coward on Tuesday April 29 2014, @05:44AM

        by Anonymous Coward on Tuesday April 29 2014, @05:44AM (#37532)

        The point is nobody is going to be fixing XP or the IE8 running within, unlike slightly later versions of each.

        I would say turn in your card, but it's obvious you didn't have one to begin with.

  • (Score: 3, Insightful) by wonkey_monkey on Monday April 28 2014, @07:15AM

    by wonkey_monkey (279) on Monday April 28 2014, @07:15AM (#37051) Homepage

    New vulnerability in every version of Internet Explorer since IE6

    Interesting use of the word "new."

    And When Did SN Decide To Go With All Capitalised Words in Headlines?

    --
    systemd is Roko's Basilisk
    • (Score: 3, Funny) by lx on Monday April 28 2014, @08:37AM

      by lx (1915) on Monday April 28 2014, @08:37AM (#37067)

      First Heartbleed and now this. These zero-decade vulnerabilities are getting out of hand.

    • (Score: 0) by Anonymous Coward on Monday April 28 2014, @09:06AM

      by Anonymous Coward on Monday April 28 2014, @09:06AM (#37071)

      Title capitalization - cancer that everybody* likes.

      * Defined as a group of people making news sites.

    • (Score: 2) by tangomargarine on Monday April 28 2014, @02:41PM

      by tangomargarine (667) on Monday April 28 2014, @02:41PM (#37181)

      And When Did SN Decide To Go With All Capitalised Words in Headlines?

      Why wouldn't you? It's a title. The Other Site does, too.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 3, Funny) by wonkey_monkey on Monday April 28 2014, @03:14PM

        by wonkey_monkey (279) on Monday April 28 2014, @03:14PM (#37204) Homepage

        Because People Don't Talk Like That. Nor do they substitute commas for the word "and" in everyday conversation, writing.

        It makes the text harder (slightly, I'll grant you, but still a bit) to read.

        The Other Site does, too.

        And if the Other Site told you to jump off a cliff? ;)

        --
        systemd is Roko's Basilisk
        • (Score: 2) by tangomargarine on Monday April 28 2014, @03:20PM

          by tangomargarine (667) on Monday April 28 2014, @03:20PM (#37218)

          It's a long-standing journalistic tradition, I assume to make it catch the eye more. And they title books that way, too (or at least, they should...there are a lot of titles that use a lowercase font these days). The intention isn't to be the same as the way people speak because it's just a single line.

          I'm kind of confused by your reasoning.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 1) by cbiltcliffe on Wednesday April 30 2014, @10:17PM

          by cbiltcliffe (1659) on Wednesday April 30 2014, @10:17PM (#38275)

          Because People Don't Talk Like That.

          SHUT YOUR FESTERING GOB, YOU TIT! YOUR TYPE REALLY MAKES ME PUKE, YOU VACUOUS, COFFEE-NOSED, MALODOROUS PERVERT!!!

          I think people do talk like that. You just don't talk to the right people....

          How can the lameness filter block Monty Python? That's got to be the lamest lameness filter I've ever seen. Of course, it's like yelling. It's supposed to be yelling, you snotty-faced heap of parrot droppings!

    • (Score: 3, Informative) by janrinok on Monday April 28 2014, @07:06PM

      by janrinok (52) Subscriber Badge on Monday April 28 2014, @07:06PM (#37343) Journal

      The editorial rules of this site state that all summary titles will be in Title Case. Er, since day 1. Not very observant, are we?

      http://wiki.soylentnews.org/wiki/Story_Style#Headline_Capitalization

  • (Score: 4, Funny) by timbim on Monday April 28 2014, @07:27AM

    by timbim (907) on Monday April 28 2014, @07:27AM (#37053)

    What's the difference between ie5 and ie6? Maybe everyone should switch to ie5 to be safe. Maybe ie1 is the safest browser available in today's world?

    • (Score: 3, Interesting) by AnonTechie on Monday April 28 2014, @07:50AM

      by AnonTechie (2275) on Monday April 28 2014, @07:50AM (#37057) Journal

      Possibly ... until somebody comes up with another NEW vulnerability which affects IE version 1 to version 5 !!

      --
      Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    • (Score: 5, Informative) by Hairyfeet on Monday April 28 2014, @08:12AM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Monday April 28 2014, @08:12AM (#37060) Journal

      Most likely because IE 6 was released at the start of the whole "Web 2.0 let's run everything in a browser" phase of stupid that we are seeing til this very day. I mean sure, put all these extra features to allow a rich app experience in the browser, what could go wrong?

      I've said it before and I'll say it again, the whole "let's just run code from anywhere, rich apps in a browser" thing needs to go and we really need to start over, starting with tossing JavaScript. When JavaScript was thought up nobody even thought about what bad actors might do to it, much less that the web would become "monetized" in a way that actively encouraged website owners to take third party code sight unseen from middlemen, and crap like this is the result. All this sandboxing and other crap which keeps pushing up the browser bloat while still letting shit like this happen? It's just bandaids on bulletwounds and does nothing to address that the web is currently working on a retarded model where a single page can have a dozen redirects on it to shit that the person that wrote the website has no clue about.

      When I started out a browser easily fit on a floppy and even on 28k pages loaded pretty damned quickly, now we have pipes several orders of magnitude larger and these huge browsers that are more like a mini-OS than the page rendering tools of old yet if anything pages are slower and the experience is worse. Hell so many pages have so much third party shit on them now that surfing without adblock is fricking painful and do these webmasters even have a clue what is being done on their pages from view to view? Nope, hell considering how many ads from conservative companies I've seen in videos reviewing sex toys I seriously doubt the companies buying the ads have a clue either. This whole system seriously needs a do-over, and common sense needs to be used when it comes to the web, though as long as companies and webmasters can make money from this broken design I sadly doubt it'll change.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 3, Funny) by jimshatt on Monday April 28 2014, @08:18AM

        by jimshatt (978) on Monday April 28 2014, @08:18AM (#37063) Journal
        You forgot to add "get off-a my lawn!"
      • (Score: 2) by kaszz on Monday April 28 2014, @09:27AM

        by kaszz (4211) on Monday April 28 2014, @09:27AM (#37080) Journal

        Javascript code looks like hell and perhaps should have had some thought in naming to avoid the name confusion with Java (bytecode). The whole system just seems thoughtless.

        Sandboxing is likely a necessary evil, but as the font bug [slashdot.org] shows, whenever an external input is processed there are possible unintended consequences.

        • (Score: 3, Informative) by forsythe on Monday April 28 2014, @01:31PM

          by forsythe (831) on Monday April 28 2014, @01:31PM (#37147)

          For reference, Javascript did have some thought in naming. It was named Javascript precisely so that it would be associated with Java. (For citation, see e.g. W3's [w3.org].)

          • (Score: 2) by kaszz on Monday April 28 2014, @10:46PM

            by kaszz (4211) on Monday April 28 2014, @10:46PM (#37428) Journal

            But why is there a need for association with Java? For all I know it could have been Javascript + flash instead. If W3 had decided so.

            A script language is sure useful but Javascript seems too loosely defined, incompatible between browsers and missing strict type control. Often scripts lack checks of environment capability and often get stuck with 99% CPU usage. Let's hope this gets fixed.

      • (Score: 5, Interesting) by Common Joe on Monday April 28 2014, @11:46AM

        by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Monday April 28 2014, @11:46AM (#37109) Journal

        I've said it before and I'll say it again, the whole "let's just run code from anywhere, rich apps in a browser" thing needs to go and we really need to start over, starting with tossing JavaScript.

        I wish the right people were saying that. I'm a desktop app developer and right now I'm learning web app development. I've been out of a job for a while and after months of no one giving me the time of day, I decided to look at web technologies because that's all anyone wants. Luckily, at the same time, a small firm has finally said they are thinking about hiring me because they don't want script kiddies and I have decent object oriented experience. Reasonably, they want to see what I can do and how fast I can learn web technologies before they hire me. They gave me the names of a couple of technologies that they use and said, "Good luck, we'll talk to you in a month." Thank goodness I already had some experience in web development from a decade ago. I'm looking at a dozen technologies piled on top of one another.

        That's twelve technologies just to produce something akin to Hello World for a modern web page. Symfony2, Twig, Twitter bootstrap, PostgreSQL, HTML5, CSS, JavaScript, jQuery, JSON, YAML, PHP, and Doctrine. Yes, some are easier than others, but I have literally read and studied hundreds of pages of documentation and skimmed thousands of pages in the past two weeks (and I'm not done learning). The cherry on top is the guy bragged they used over 120 different technologies at his tiny firm so I know he wants me to learn more. WTF? Is this what we call normal in the web world?

        There is something fundamentally wrong at every level of web development. Even the development environment sucks compared to the desktop environments. The desktop IDE kicks the web IDE's ass even if you're using the same IDE for the different languages. The web languages are structured so that there is little to no type checking and autocomplete is nowhere near the standards that I'm used to.

        No wonder why my potential employer can't find anyone who isn't a script kiddie. How does anyone become an expert at this stuff and still have a life?

        • (Score: 3, Informative) by tibman on Monday April 28 2014, @01:51PM

          by tibman (134) Subscriber Badge on Monday April 28 2014, @01:51PM (#37160)

          It probably doesn't help that it's all new. DotNet web development is the same soup. C#, XML (configs), CSS, HTML with embedded C# (Razor), Javascript, and I'd like to put Linq/EntityFramework as separate from C#. JSON shouldn't count as it is just an associative array.

          HTML is your organization, CSS is your presentation, and Javascript is your business logic. When you look at it that way it's actually quite nice. If you are doing TestDriven development then type checking won't even matter. AutoComplete will probably always lag behind what you're used to though : / But I'll bet you come to rely on it a lot less. If your desktop IDE was Visual Studio (I'm guessing) then you can try a php extension. You'll be able to debug code and use IntelliSense exactly like you used to. http://www.devsense.com/products/php-tools [devsense.com]

          I have no doubt that your marketable value will go up if you learn all this stuff this guy is throwing at you. He's right though, it isn't always about what you already know. It's also about how quickly you can learn new things. You've got a great opportunity here to transition to web development. You'll have a huge amount of server-side knowledge that most web-devs lack. Good luck!

          --
          SN won't survive on lurkers alone. Write comments.
        • (Score: 0) by Anonymous Coward on Monday April 28 2014, @02:12PM

          by Anonymous Coward on Monday April 28 2014, @02:12PM (#37168)

          A hundred and twenty "technologies" sounds like one of those inflated numbers people come up with to be able to brag: my OS is a "technology," as is e-mail, as is g-mail, as is my word processor, as is my kid's favorite word-processors, etc., all the way to one hundred and twenty. If the guy counts HTML and CSS as "technologies" as opposed to de facto common knowledge in the tech world generally, he's definitely inflating numbers.

          On the other hand, if he's using a hundred frameworks for a project, he very likely has a shallow-to-none understanding of each. Deeply understanding JavaScript (including closures), a server-side language (PHP is, despite the common fastidium, a general default), and basic SQL (with the ability to specialize in MySQL or PostgreSQL) is what you need.

          Once you have those, the rest either follows naturally or becomes pointless. JSON is actually just a subset of JS. JQuery is nice to know and doesn't take long at all IF you have the deep understanding of JavaScript. Bootstrap is worthless once you know the basics.

      • (Score: 1) by O3K on Monday April 28 2014, @05:48PM

        by O3K (963) on Monday April 28 2014, @05:48PM (#37306)

        That's a badass rant right there, Man.

      • (Score: 1) by iWantToKeepAnon on Monday April 28 2014, @06:39PM

        by iWantToKeepAnon (686) on Monday April 28 2014, @06:39PM (#37331) Homepage Journal

        Very very very bad idea. Things You Should Never Do [joelonsoftware.com]

        They did it by making the single worst strategic mistake that any software company can make: They decided to rewrite the code from scratch.

        Netscape wasn't the first company to make this mistake. Borland made the same mistake when they bought Arago and tried to make it into dBase for Windows, a doomed project that took so long that Microsoft Access ate their lunch, then they made it again in rewriting Quattro Pro from scratch and astonishing people with how few features it had. Microsoft almost made the same mistake, trying to rewrite Word for Windows from scratch in a doomed project called Pyramid which was shut down, thrown away, and swept under the rug. Lucky for Microsoft, they had never stopped working on the old code base, so they had something to ship, making it merely a financial disaster, not a strategic one.

        We're programmers. Programmers are, in their hearts, architects, and the first thing they want to do when they get to a site is to bulldoze the place flat and build something grand. We're not excited by incremental renovation: tinkering, improving, planting flower beds.

        We don't need to lose that much time. Yes we can incrementally make things better. Tearing down the whole damn frickin internet and trying to build a better replacement is not the solution. Your "better" solution would be delivered late and over budget and would be totally ignored. And while you were off in your marbled halls creating a work of beauty, the real world would go on without you and fix the already working technologies and nobody would care when you tell them how much better your app is "under the hood" ... yet works just about the same as what we already have.

        --
        "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
      • (Score: 2) by lennier on Monday April 28 2014, @10:37PM

        by lennier (2199) on Monday April 28 2014, @10:37PM (#37424)

        I've said it before and I'll say it again, the whole "let's just run code from anywhere, rich apps in a browser" thing needs to go and we really need to start over, starting with tossing JavaScript... It's just bandaids on bulletwounds and does nothing to address that the web is currently working on a retarded model where a single page can have a dozen redirects on it to shit that the person that wrote the website has no clue about.

        You may be surprised (and pleased) to know that Alan Kay, the guy who invented object oriented programming and the GUI and possibly knows what he's talking about, heartily agrees with you. [drdobbs.com]

        Kay: ... Pop culture is all about identity and feeling like you're participating. It has nothing to do with cooperation, the past or the future - it's living in the present. I think the same is true of most people who write code for money. They have no idea where [their culture came from] - and the Internet was done so well that most people think of it as a natural resource like the Pacific Ocean, rather than something that was man-made. When was the last time a technology with a scale like that was so error-free? The Web, in comparison, is a joke. The Web was done by amateurs.

        Binstock: Still, you can't argue with the Web's success.

        Kay: I think you can. ...

        Binstock: How do you mean?

        Kay: Go to a blog, go to any Wiki, and find one that's WYSIWYG like Microsoft Word is. Word was done in 1984. HyperCard was 1989. Find me Web pages that are even as good as HyperCard. The Web was done after that, but it was done by people who had no imagination. They were just trying to satisfy an immediate need. There's nothing wrong with that, except that when you have something like the Industrial Revolution squared, you wind up setting de facto standards - in this case, really bad de facto standards. Because what you definitely don't want in a Web browser is any features.

        Binstock: "Any features?"

        Kay: Yeah. You want to get those from the objects. You want it to be a mini-operating system, and the people who did the browser mistook it as an application. They flunked Operating Systems 101.

        Binstock: How so?

        Kay: I mean, look at it: The job of an operating system is to run arbitrary code safely. It's not there to tell you what kind of code you can run. Most operating systems have way too many features.

        --
        Delenda est Beta
  • (Score: 3, Funny) by black6host on Monday April 28 2014, @08:12AM

    by black6host (3827) on Monday April 28 2014, @08:12AM (#37061) Journal

    >>attacks are currently targeting IE versions 9, 10 and 11

    Monday morning I'm going to tell my know-it-all peons just why we haven't moved from IE6! And VB6 for that matter. The wheel has been round (as in shape) for millennia for a reason, you know?

    • (Score: 0) by Anonymous Coward on Monday April 28 2014, @08:25AM

      by Anonymous Coward on Monday April 28 2014, @08:25AM (#37065)

      You must be reading the headline/summary different than I do: From my understanding, IE6 is also affected.

      • (Score: 0) by Anonymous Coward on Monday April 28 2014, @08:52AM

        by Anonymous Coward on Monday April 28 2014, @08:52AM (#37069)

        Yes, you are right. I was referring to the attack being carried out against later versions of IE.

    • (Score: 2) by marcello_dl on Monday April 28 2014, @08:40AM

      by marcello_dl (2685) on Monday April 28 2014, @08:40AM (#37068)

      Dude, My appleII runs a TCP/IP stack just fine.

      • (Score: 2) by kaszz on Monday April 28 2014, @09:42AM

        by kaszz (4211) on Monday April 28 2014, @09:42AM (#37082) Journal

        You must quickly install zeroexploit(tm) so that anyone that wants to spy may do so .. :-)

  • (Score: 2, Funny) by Daiv on Monday April 28 2014, @08:59AM

    by Daiv (3940) on Monday April 28 2014, @08:59AM (#37070)

    Good thing I'm still rocking IE 5.2 on my Mac!

  • (Score: 1) by ButchDeLoria on Monday April 28 2014, @10:32AM

    by ButchDeLoria (583) on Monday April 28 2014, @10:32AM (#37095)

    I sure hope IE4 for Unix is safe.

    • (Score: 0) by Anonymous Coward on Monday April 28 2014, @10:43AM

      by Anonymous Coward on Monday April 28 2014, @10:43AM (#37098)
      Probably is safe in practice. Not like those old machines would really help bot farmers mine enough bitcoins for the trouble. They might even keel over sending "modern" spam workloads ;).

      The average smartphone is probably more powerful.