
Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

CmdrTaco posted more than 4 years ago | from the oh-we'll-fix-it-eventually dept.

Internet Explorer 279

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
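The pattern the advisory describes (a reference used after its object has been deleted) and one common defence against it, as an added example that is not taken from the advisory, the article or Internet Explorer's code: handles carry a generation number, so a stale reference is refused instead of dereferenced. The table, the handle layout and every function name below are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: objects live in a fixed table and callers hold
   handles (index + generation) instead of raw pointers. Deleting an object
   bumps the slot's generation, so any handle kept from before the delete no
   longer matches and is rejected, even after the slot has been reused. */

#define MAX_OBJECTS 4

typedef struct {
    uint32_t generation;   /* incremented every time the slot is freed */
    int      live;         /* 1 while the slot holds an object */
    char     tag[32];      /* payload standing in for a browser object */
} slot_t;

typedef struct {
    uint32_t index;
    uint32_t generation;
} handle_t;

static slot_t table[MAX_OBJECTS];
static const handle_t INVALID_HANDLE = { UINT32_MAX, 0 };

/* Allocate the first free slot and return a handle bound to its generation. */
handle_t object_create(const char *tag) {
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            strncpy(table[i].tag, tag, sizeof table[i].tag - 1);
            table[i].tag[sizeof table[i].tag - 1] = '\0';
            handle_t h = { i, table[i].generation };
            return h;
        }
    }
    return INVALID_HANDLE;
}

/* Return the payload, or NULL when the handle is out of range or stale. */
const char *object_get(handle_t h) {
    if (h.index >= MAX_OBJECTS) return NULL;
    slot_t *s = &table[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return s->tag;
}

/* Return 1 if the object was deleted, 0 if the handle was already stale
   (which also turns a double delete into a harmless no-op). */
int object_delete(handle_t h) {
    if (object_get(h) == NULL) return 0;
    slot_t *s = &table[h.index];
    s->live = 0;
    s->generation++;               /* invalidates every outstanding handle */
    memset(s->tag, 0, sizeof s->tag);
    return 1;
}

/* The sequence from the advisory: a reference is kept, the object is deleted,
   the memory is reused, then the old reference is used again.
   Returns a bitmask with one bit per check that held. */
int stale_reference_scenario(void) {
    int result = 0;
    memset(table, 0, sizeof table);

    handle_t kept = object_create("event-source");
    if (object_get(kept) != NULL) result |= 1;    /* valid while live */

    object_delete(kept);
    if (object_get(kept) == NULL) result |= 2;    /* refused after delete */

    handle_t reused = object_create("unrelated-object");
    if (reused.index == kept.index) result |= 4;  /* same slot was reused */
    if (object_get(kept) == NULL) result |= 8;    /* old handle still refused */
    if (object_delete(kept) == 0) result |= 16;   /* double delete refused */

    const char *p = object_get(reused);
    if (p != NULL && strcmp(p, "unrelated-object") == 0) result |= 32;
    return result;
}

int main(void) {
    printf("checks that held (bitmask): %d\n", stale_reference_scenario());
    return 0;
}
```

With raw pointers, the access after the slot is reused would silently read the unrelated object; here it returns NULL. The 32-bit generation wraps after 2^32 frees of one slot, which a production design has to account for.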

279 comments

Not fixing it in IE6... (0, Insightful)

Anonymous Coward | more than 4 years ago | (#30807680)

.. now *that* would be real fun.

Re:Not fixing it in IE6... (3, Insightful)

Penguinisto (415985) | more than 4 years ago | (#30807968)

That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.

After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes the browser of choice for public Internet use?

* note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker). Also, there's the fact that Microsoft has a lot of old baggage around that it can ill afford to simply stop supporting.

Re:Not fixing it in IE6... (4, Insightful)

quantumplacet (1195335) | more than 4 years ago | (#30808052)

it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.

Re:Not fixing it in IE6... (5, Insightful)

Bacon Bits (926911) | more than 4 years ago | (#30808162)

How is this a troll? What he said is true.

Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK [microsoft.com]. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.

Re:Not fixing it in IE6... (4, Informative)

maotx (765127) | more than 4 years ago | (#30808622)

We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.

The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.

Re:Not fixing it in IE6... (3, Insightful)

Eirenarch (1099517) | more than 4 years ago | (#30808320)

WTF? First of all how do .NET programmers have anything to do with IE6 installs? Second - why pick on .NET and not on Java which came first or even Python and Ruby which claim to be even easier? Oh yeah... the first from Microsoft and the others are open source... And btw these programmers you are talking about would still be employed and would be doing much more damage if it was not for .NET and Java to keep them from producing billions of buffer overflows and memory leaks.

Re:Not fixing it in IE6... (4, Insightful)

TheRaven64 (641858) | more than 4 years ago | (#30808402)

(due to hordes of crap .NET programmers*)

You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.

Well it attacking google.. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30807708)

So of course, Microsoft wants more people to become drones that attack Google.

Google deserves that (1)

Adolf Hitroll (562418) | more than 4 years ago | (#30807850)

They deceived their users by pretending they "don't be evil".
And the Chinese are right to kick their double-playing asses out.

Upgrade to Firefox (0, Troll)

jijitus (1478465) | more than 4 years ago | (#30807712)

If an upgrade is needed, let's upgrade to Firefox and trick recalcitrant IE users using some theme/persona.

Upgrade to Opera (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30807872)

Firefox without any plugins is a PITA. People who are using IE6 now are average users, most of them don't even know what a plugin is, so they will have a hard time finding all the plugins like AdBlock and customizing Firefox to make it usable, so upgrading to Opera [opera.com] would be a much better solution, Opera comes configured properly out of the box without requiring any additional plugins and just by clicking F12 you get a menu where you can turn on/off Java, Javascript, Plugins and Cookies. It's simple, fast and secure, give it a try, you won't regret it.

Re:Upgrade to Opera (0, Troll)

lorenlal (164133) | more than 4 years ago | (#30807944)

I dunno... If these folks are using IE6, and don't have any clue what they're doing, wouldn't they just be better off without a web browser? They'll find a way to stumble along something dangerous regardless of what anyone does to help them protect themselves.

I think that we should encourage these users to upgrade to the "offline experience."

IE8 has the flaw but is immune... (5, Informative)

vistapwns (1103935) | more than 4 years ago | (#30807726)

Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit can not work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...

Re:IE8 has the flaw but is immune... (3, Interesting)

FlyingBishop (1293238) | more than 4 years ago | (#30807760)

But even at Google they apparently have some stuff that requires them to disable it. You can bet a lot of the shops that can't ditch IE will have to disable DEP for backwards compatibility with the crappy apps that are the only reason they don't switch to something better anyway.

Re:IE8 has the flaw but is immune... (3, Informative)

vistapwns (1103935) | more than 4 years ago | (#30807794)

And how are other browsers better in that case? If they have to disable DEP on firefox, it's even worse than IE because it's not sandboxed. Anyways, the articles I've been reading say Google was exploited thru IE6 that they have on XP systems.

Re:IE8 has the flaw but is immune... (3, Interesting)

should_be_linear (779431) | more than 4 years ago | (#30807934)

And how are other browsers better in that case?
This whole problem is based on the fact that MS is not willing/able to fix this issue for quite a long time (days?). Other browsers are different in that they are fixing security issues ASAP.

Re:IE8 has the flaw but is immune... (3, Insightful)

vistapwns (1103935) | more than 4 years ago | (#30807998)

IE is used by corporations, and corporations do not want patches for patches for hotfixes and all that jazz, they expect the patch to be tested and corporations are the ones who wanted a monthly release for patches so the IT staff are not patching and testing patches all month long.

Re:IE8 has the flaw but is immune... (4, Insightful)

should_be_linear (779431) | more than 4 years ago | (#30808080)

OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?

Re:IE8 has the flaw but is immune... (3, Interesting)

plague3106 (71849) | more than 4 years ago | (#30808022)

A security fix which breaks other required functionality isn't much better though, is it? A patch rushed out the door without much testing isn't a patch I necessarily want to install.

Re:IE8 has the flaw but is immune... (1)

should_be_linear (779431) | more than 4 years ago | (#30808380)

A security fix which breaks other required functionality isn't much better though is it?

Joe Sixpack might be upset, but yes, it is _much_ better than leaving your computer vulnerable.

Re:IE8 has the flaw but is immune... (0)

Anonymous Coward | more than 4 years ago | (#30808316)

That is horseshit.

Re:IE8 has the flaw but is immune... (1)

xeoron (639412) | more than 4 years ago | (#30808088)

The only solution from a security and user standpoint is to sandbox all programs you think need it. I suggest using the Windows program Sandboxie, [sandboxie.com] unless someone can offer a better method that is OSS for the MS Win platform.

Re:IE8 has the flaw but is immune... (2, Insightful)

dunezone (899268) | more than 4 years ago | (#30807814)

And that's Microsoft's fault how?

Microsoft provides the ability to be up to date and secure as well as backwards compatibility; it's the user's risk for which he chooses, not Microsoft's.

Re:IE8 has the flaw but is immune... (4, Insightful)

should_be_linear (779431) | more than 4 years ago | (#30808028)

Having a radio button somewhere that makes your OS vulnerable to a _KNOWN_ exploit is a really stupid idea.

Re:IE8 has the flaw but is immune... (1)

Opportunist (166417) | more than 4 years ago | (#30808440)

At the very least I'd expect a hotfix that disables the button for the time being, with info to their customers that those who need the functionality should not apply it but have to be aware they're vulnerable.

Sounds like a good solution to me.

Re:IE8 has the flaw but is immune... (4, Informative)

UnknowingFool (672806) | more than 4 years ago | (#30807804)

If it has the flaw, then it's not immune but it's less vulnerable. If DEP is disabled (which may be required to get some apps to work), then IE8 can become exploited too.

Re:IE8 has the flaw but is immune... (1)

vistapwns (1103935) | more than 4 years ago | (#30807842)

Well, I meant to say IE8 in the default configuration is immune. I thought that much would be obvious from the other information I posted...

Re:IE8 has the flaw but is immune... (2, Insightful)

UnknowingFool (672806) | more than 4 years ago | (#30807900)

Maybe in the default configuration but every place I've worked, IT changes the configuration of IE due to needs of the company. Home users might not okay with using default configuration but some companies will not be.

Re:IE8 has the flaw but is immune... (1)

vistapwns (1103935) | more than 4 years ago | (#30807946)

That's sad if true, but there's only so much MS can do here. It has the ability to be secure, and it's secure by default; if the user goes and breaks that purposefully because they are too cheap to upgrade their applications, that's on the user, not Microsoft. I've run Vista for 3 years and Win 7 for half a year and have never run into a plug-in that didn't work with DEP or Protected Mode, despite copious amounts of web surfing, so what can I say..

Re:IE8 has the flaw but is immune... (1)

conureman (748753) | more than 4 years ago | (#30808470)

"Other measures recommended by Microsoft include running the browser in Protected Mode and ensuring users aren't running with administrator privileges."
Translate to: "Don't blame us, it's the fucking lusers who operate their browsers in default mode."
So they're not Evil, or Incompetent, it's us!

Re:IE8 has the flaw but is immune... (1)

lseltzer (311306) | more than 4 years ago | (#30808356)

If the user is on Vista or Win7 they'll have to disable protected mode as well in order for the exploit to be able to do anything meaningful.

So if a user running IE6 on XP, who doesn't enable DEP gets exploited, who is really to blame? This is an ancient configuration and Microsoft has, for a long time, provided products and technologies to address the problems in it.

Re:IE8 has the flaw but is immune... (4, Interesting)

KnownIssues (1612961) | more than 4 years ago | (#30807858)

Then why would Microsoft state that IE8 is vulnerable to this flaw? They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.

Re:IE8 has the flaw but is immune... (1)

benjymouse (756774) | more than 4 years ago | (#30808260)

They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.

Actually, Microsoft has a policy of not taking protected mode, low integrity processes, DEP/NX, ASLR and other memory corruption protection mechanisms into consideration when assigning severity levels or reporting bugs.

This means that MS reports the bug as being in IE8, but the several layers of extra protection in both IE8 and Vista/7 may very well neuter it completely.

Re:IE8 has the flaw but is immune... (0, Troll)

Antiocheian (859870) | more than 4 years ago | (#30807938)

Sandboxing & virtualization of a sick browser is not a panacea. If the sandboxed application is compromised, it could still be controlled in its own domain and compromise cookies, passwords and anything else that is obtainable in its virtual space. It could still be used for malicious purposes, purposes that could result in a knock on the door from the law.

A hale and open sourced browser is the only safe way to go. Screw IE, any version.

Was it not the browser that would install keyloggers and dialers through the press of the [Enter] key as it would default on installation of any "signed" ActiveX, no matter how fucked up it was? Yes! Did these people have any idea of what was happening on the Internet? Yes! Fuckit, they said, system-browser integration is not debatable; Microsoft had their fun killing Netscape, now we have our fun watching them trying to fix the mess. (They won't).

Re:IE8 has the flaw but is immune... (3, Insightful)

plague3106 (71849) | more than 4 years ago | (#30808126)

Sandboxing & virtualization of a sick browser is not a panacea. If the sandboxed application is compromised, it could still be controlled in its own domain and compromise cookies, passwords and anything else that is obtainable in its virtual space. It could still be used for malicious purposes, purposes that could result in a knock on the door from the law.

Sandboxing and virtualization are sane for ANY application which is processing content from untrusted sources, regardless of whether you think them secure or not.

A hale and open sourced browser is the only safe way to go. Screw IE, any version.

Right, because FF hasn't had any major security holes. Open source does not mean secure. It means you can see the code.

Was it not the browser that would install keyloggers and dialers through the press of the [Enter] key as it would default on installation of any "signed" ActiveX, no matter how fucked up it was? Yes! Did these people have any idea of what was happening on the Internet? Yes! Fuckit, they said, system-browser integration is not debatable; Microsoft had their fun killing Netscape, now we have our fun watching them trying to fix the mess. (They won't).

Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy. I think the problem is that you're upset that, even with problems in MS software, people would STILL rather use it than your favorite OS.

Also, I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out? oh ya, it took way too long, they should have rushed it out without any kind of testing, like open source does.

Re:IE8 has the flaw but is immune... (0, Troll)

Antiocheian (859870) | more than 4 years ago | (#30808594)

Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy.

This guy is talking about Microsoft ?

Somebody give me a clue, please.

Re:IE8 has the flaw but is immune... (1)

TheRealMindChild (743925) | more than 4 years ago | (#30808244)

These would be the same people that turned on "Allow unsigned ActiveX controls" and had a pirated version of windows, so they never got their ActiveX killbits information installed.

I'm not totally blaming the user, but most of the exploited folks are running unpatched, pirated Windows versions with every option turned off just to make it "easier" to use (say UAC)

Re:IE8 has the flaw but is immune... (1)

Antiocheian (859870) | more than 4 years ago | (#30808488)

I'm not totally blaming the user, but most of the exploited folks are

using Internet Explorer. Period.

Re:IE8 has the flaw but is immune... (1)

JerryLove (1158461) | more than 4 years ago | (#30808538)

Sandboxing & virtualization of a sick browser is not a panacea.

No, but it's better than not sandboxed.

I notice you don't mention that IE8 is not actually vulnerable unless you reconfigure it that way because DEP is on.

A hale and open sourced browser is the only safe way to go. Screw IE, any version.

Because those have no bugs?

Re:IE8 has the flaw but is immune... (4, Informative)

Penguinisto (415985) | more than 4 years ago | (#30808016)

True, DEP is enabled by default on the Win 7 / IE8 combo. OTOH, neither will run (very well, anyway) a horde of old enterprise services and suites that still linger about the industry, compatibility modes be damned.

There are fixes and workarounds, but they can get rather expensive (and usually involve an XP Mode server of sorts, or Terminal Services seat licenses, etc).

Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.

Re:IE8 has the flaw but is immune... (0)

Anonymous Coward | more than 4 years ago | (#30808046)

DEP relies on hardware support, i.e. the processor must be able to flag memory as non-executable. Support for this flag is not available in AMD Athlon processors (pre-Athlon64), some Intel Pentium 4 processors and a few others. Yes, those are old, but they're still out there.

Re:IE8 has the flaw but is immune... (0)

Anonymous Coward | more than 4 years ago | (#30808236)

I agree 100%, even though I use Iron myself.* That said, this particular bug was solved in 1995: in that year Visual Basic 4.0 came out, and in VB it's impossible to reference dead objects unless you're linking with C++ code. So this whole class of bugs could be entirely eliminated by using a programming language that has proper semantics for allocating and freeing objects. You could even extend C++ if you want to stick with that, but anyway the problem has been solved for at least 15 years. It's just that people aren't using the solution.
* I thus also think it's a disgrace that the German and French government are urging people to drop IE; it's undue market interference and it shows that the Microsoft bashing of the various European governmental bodies isn't fueled by consumer protection or upholding of justice, but by a general dislike of Microsoft. If you think that's a good thing, and there is nothing wrong with the fact that they're allowed to act like this, think again. What if they turn against you or some cause you're sympathetic with, there's nothing you can do because proper checks apparently aren't in place.

Re:IE8 has the flaw but is immune... (1)

jellomizer (103300) | more than 4 years ago | (#30808268)

Shhhh. Quiet... We want to live in a world where every Microsoft bug will remain unfixed and slowly become so problematic that we can live fat dumb and happy with the alternatives.

Re:IE8 has the flaw but is immune... (1)

jim_v2000 (818799) | more than 4 years ago | (#30808608)

Browser security is great in theory, but the last two infections I cleaned up at work were from people downloading Flash_Update.exe and running it so they could watch some video from "Santa" that they got in their email.

Re:IE8 has the flaw but is immune... (1)

jim_v2000 (818799) | more than 4 years ago | (#30808620)

That said, I'm lobbying my boss to make all of our users "users". Some of them bitched about not being able to install things awhile back, so they were given administrator rights. That turned out well.

Always Look on the Bright Side of Life (1)

sznupi (719324) | more than 4 years ago | (#30807736)

...or Death

Security theater to keep people on their, similarly defective, latest product is the best thing MS could do for now, it seems. I'm waiting for comment from Bruce Schneier...

What?!?! (0)

Anonymous Coward | more than 4 years ago | (#30807766)

the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Is this an ActiveX thing? I mean how the hell do you get the pointer in the first place? And how do you keep the browser from page faulting?

I'm so confused!

Marketing must be pleased (5, Funny)

webdog314 (960286) | more than 4 years ago | (#30807776)

Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

Re:Marketing must be pleased (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30808534)

Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."

Upgrade (1)

CxDoo (918501) | more than 4 years ago | (#30807812)

This whole article should be marked redundant. Whoever could upgrade to 8 did it.
Some people just can not afford to do it; if it is a question IE6 or access to internet it will be IE6.

Vista, Win7 - really? (5, Interesting)

TheNetAvenger (624455) | more than 4 years ago | (#30807818)

Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.

Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.

So saying it is a 'problem' on Vista or Win7 is stretching the truth.

Re:Vista, Win7 - really? (4, Interesting)

Sycraft-fu (314770) | more than 4 years ago | (#30807972)

Also if you leave UAC on, it will be running as a normal user, not as an administrator. So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.

By default, IE8 on 7 is pretty secure.

Re:Vista, Win7 - really? (3, Informative)

Penguinisto (415985) | more than 4 years ago | (#30808074)

Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.

...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.

Microsoft has come a long way in securing their OS, but they still have a long way to go before claiming that their product is as secure as, say, FreeBSD or OSX.

well done Google (2, Interesting)

vacarul (1624873) | more than 4 years ago | (#30807828)

Looking back at the whole story it seems that Google planned this in advance. They got hacked for real... but then someone had an idea: this is an IE exploit so let's benefit from this. Let's show everyone how bad IE really is. So they posted on their blog saying that they will get out of China because of this attack (very dramatic so everybody heard about it) but I suspect that they have no intention to do that. I think they used their blog just to let people know: "we are Google, we know stuff about security but we've been hacked, we will lose this big market and it's all because of this flawed IE". Now everybody is running away from IE (finally).

Not sure if this is evil but I'm sure IE will lose because of this.

Re:well done Google (3, Funny)

ElSupreme (1217088) | more than 4 years ago | (#30807904)

Yeah use our cool browser that reports almost all of your browsing back to us. We won't be evil, we promise!

Re:well done Google (1)

dskzero (960168) | more than 4 years ago | (#30808034)

That sounds terribly farfetched. I seriously doubt it. And not everyone is running for IE: most people who use it probably don't even know about the news.

Re:well done Google (1)

vacarul (1624873) | more than 4 years ago | (#30808104)

I think a lot of people heard that Google was hacked and they want to get out of China. It was published on a lot of non-tech websites.

Re:well done Google (1)

dskzero (960168) | more than 4 years ago | (#30808210)

That would be the fact, but Google planning this seems a bit too perfect.

Re:well done Google (1)

vacarul (1624873) | more than 4 years ago | (#30808370)

they planned it by saying they will quit China while it is clear, for me, that they will never do this.

Hard to know for sure.. it's a speculation.

Chrome? (0)

Anonymous Coward | more than 4 years ago | (#30808254)

Makes me wonder why they were not using Chrome in the first place... ^^

I don't understand... (0)

Anonymous Coward | more than 4 years ago | (#30807848)

From TFA:

But although Internet Explorer 6 has been the source of attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.

But then, in the very next sentence of the very same FA:

Nevertheless, Microsoft is still urging its customers to upgrade their browser to the latest version. "Customers using Internet Explorer 8 are not affected by currently known attacks and exploits due to the improved security protections in IE8," the company claims.

Am I missing something, or are they suggesting that last week's attack is not "currently known"???

My head feels like it's about to asplode from this doublespeak...

/HJ

Re:I don't understand... (1)

lukas84 (912874) | more than 4 years ago | (#30808280)

The currently known attacks do not affect IE.

However, it is possible and likely that existing attacks could be modified to work on IE8.

That's what they're saying. Yeah, it's Marketing speak, but I've seen worse.

Re:I don't understand... (1)

Goaway (82658) | more than 4 years ago | (#30808394)

IE8 has the same bug, but it has further protective measures that limit the bug from being harmful. Defense in depth.

Re:I don't understand... (0)

Anonymous Coward | more than 4 years ago | (#30808572)

IE8 is vulnerable, except that it has DEP turned on by default. Turn off DEP and you're in the same boat as the IE6 users with this particular exploit. So yeah, it's misleading to say that "Customers using Internet Explorer 8 are not affected", unless you force DEP on in IE8, which they don't.

Who the fuck cares why? (0)

Anonymous Coward | more than 4 years ago | (#30807884)

UPGRADE!

IE6 must die!

Faulty Products. A comparison. (1, Interesting)

geekmux (1040042) | more than 4 years ago | (#30807940)

You know what struck me as strange when I read this post? I thought about the issue that Firestone went through a few years back with their faulty tires causing a few deadly accidents. By comparison:

If Firestone were to beg people to buy their faulty product, even though it was dangerous, people would think that Firestone was being rather twisted and greedy.

When Microsoft basically does the same thing with their faulty product, it's somehow "OK"?

I guess the "go fix your shit and don't come back until it's done" mentality is rather dead these days...

Re:Faulty Products. A comparison. (0)

Anonymous Coward | more than 4 years ago | (#30808058)

Except for the product is free and one is more secure than the other. While it's not perfect it's not as terrible as you make it out to be. No browser is 100% secure so by your standards if you recommend Firefox instead and they get malware from it are you to blame for it? Is this really MS's fault for people refusing to upgrade for whatever reason?

Doctors prescribe medications all the time knowing about potential side effects and even if the user does have these side effects many times it is better than the original condition. Or would you just recommend that someone shrivel up and die because there is no perfect solution?

Re:Faulty Products. A comparison. (1)

Infiniti2000 (1720222) | more than 4 years ago | (#30808062)

That's a bad analogy, because the TFA only suggests customers to upgrade to IE8 from a previous version. It doesn't appear to be a money grab, i.e. (no pun intended) there's no recommendation to switch from say Firefox to IE8.

Re:Faulty Products. A comparison. (5, Informative)

plague3106 (71849) | more than 4 years ago | (#30808166)

Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Ford's one SUV model.

As usual, another analogy on /. fails...

Re:Faulty Products. A comparison. (2, Informative)

robogun (466062) | more than 4 years ago | (#30808408)

Firestone still took the contract, they weren't going to turn down a sale of millions of tires.. They knew what Ford was putting them on.

Re:Faulty Products. A comparison. (0)

Anonymous Coward | more than 4 years ago | (#30808456)

As usual, another car analogy on /. fails...

There, fixed that for you. ;-)

Re:Faulty Products. A comparison. (1)

barzok (26681) | more than 4 years ago | (#30808504)

It wasn't even that "exotic" of a problem. Ford recommended a low tire pressure for a softer ride - trying to make a truck not ride like a truck. Low tire pressure generates excess heat, which ultimately causes the tire failure. And because the other tires on the vehicle are also under-inflated, the changes in the vehicle's handling are magnified and everything goes to hell.

People who ran the tires at (for example) 35PSI instead of 30PSI didn't have problems.

Re:Faulty Products. A comparison. (0)

Anonymous Coward | more than 4 years ago | (#30808648)

Any tire that has issues running at 30PSI is garbage. That's a normal pressure.

If the difference between 35PSI and 30PSI can end your life then I would never use those POS tires. That kind of pressure difference could be caused by nothing more than a cold morning.

Re:Faulty Products. A comparison. (0)

Anonymous Coward | more than 4 years ago | (#30808250)

A browser exploit doesn't put your life in danger.

Re:Faulty Products. A comparison. (1, Informative)

Anonymous Coward | more than 4 years ago | (#30808290)

Incorrect... The fault was Ford stuck the tires on as OEM parts, and actually UNDER-INFLATED the tires. The issue that occurred with the Firestone tire would have happened with ANY P or UV tire that was also under-inflated on that vehicle at highway speeds. An under-inflated tire causes major heat build up, and leads to tire failure.

As another poster said, a crap analogy.

Re:Faulty Products. A comparison. (0)

Anonymous Coward | more than 4 years ago | (#30808314)

Except that using a faulty browser isn't more likely to kill than people riding with faulty tires on something that moves really fast.

Re:Faulty Products. A comparison. (1)

xaxa (988988) | more than 4 years ago | (#30808426)

>Except that using a faulty browser isn't more likely to kill than people riding with faulty tires on something that moves really fast.

I assume you aren't a political activist in China.

Re:Faulty Products. A comparison. (0)

Anonymous Coward | more than 4 years ago | (#30808452)

You should remember that these are criminals who spend all day trying to find any way into your computer, and the only reason you don't hear a lot about Firefox is because IE 6 and IE 8 have the largest market share when it comes to browsers. I am in no way a soldier of Microsoft, but they are under constant attack by these criminals. After all, why go after someone else who may only have 20% of the market?

Channeling BadAnalogyGuy (-1, Flamebait)

NevarMore (248971) | more than 4 years ago | (#30808064)

Barence, the submitter, shouldn't bother eating more fruits and vegetables. It won't fix his FUDish writing so why bother?

Re:Channeling BadAnalogyGuy (4, Informative)

MrMr (219533) | more than 4 years ago | (#30808178)

Your comment is outrageous. The submission consists of a factual statement and some literal quotes from Microsoft.
If this is FUD about Explorer it is Microsoft FUD about Explorer and not the submitter's.

Re:Channeling BadAnalogyGuy (1)

NevarMore (248971) | more than 4 years ago | (#30808588)

Well I DID say it was an attempt at a bad analogy.

The point I was trying to make was similar to that of some other folks. Yes IE8 does not fix this specific flaw, however it does address many other vulnerabilities and outright flaws in IE6.

I believe the expression is "throwing the baby out with the bathwater".

The right time to upgrade (4, Informative)

Random BedHead Ed (602081) | more than 4 years ago | (#30808262)

The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?

I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they apologize?

(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)

Re:The right time to upgrade (3, Interesting)

robogun (466062) | more than 4 years ago | (#30808442)

So I was doing an install of ATT DSL a few months ago. You don't just plug it in, you have to authenticate.

Only IE works with their server, and the install disc includes IE6 in case you don't have it.

Who cares? (1)

BCW2 (168187) | more than 4 years ago | (#30808292)

I haven't used IE in any form for 5 years. Any web page that I can't see in Firefox doesn't want my business. The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.

Re:Who cares? (1, Insightful)

ScytheBlade1 (772156) | more than 4 years ago | (#30808480)

>The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.

I'd disagree. Open up "My Computer" and type in "http://www.google.com/" into the address bar.

Enjoy your IE.

When will we change programming practices? (4, Insightful)

haruchai (17472) | more than 4 years ago | (#30808336)

It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?

Isn't it past time that things changed?

Re:When will we change programming practices? (1)

gr8_phk (621180) | more than 4 years ago | (#30808668)

>Why haven't they changed to something better? From what I can see, better tools have been available for a long time

I was wondering that too. Microsoft says C# and .net will alleviate these types of problems with "managed code" in your wares, but apparently they don't feel the need to use it for their own products.

Re:When will we change programming practices? (1)

tokul (682258) | more than 4 years ago | (#30808748)

>Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly, the old "we've always done things this way and it would be too expensive to change" is real crap.

  1. "better tools are available" means nothing if you don't name those tools.
  2. Complete rewrite does not make things secure. It adds new problems and can reintroduce old ones. Older stuff works and needs few patches. New stuff would require a lot more patching and more coding hours. You won't call old stuff crap, if you know how it works and you are the one who has to redo the same thing on new stuff.

DUH! (1)

Opportunist (166417) | more than 4 years ago | (#30808404)

Really? Impossible! I fully expected them to say it would be better to use Firefox or Opera.

Seriously. What did you expect? Be honest.

Let's just fix one (1)

Midnight Thunder (17205) | more than 4 years ago | (#30808438)

In many ways if you are going to stick to using Internet Explorer, then it might as well be the latest one. If there is a flaw that affects IE8 less than the other two, then it is still the lesser risk. Even if it doesn't and is still major, then Microsoft will most probably concentrate on providing a security fix for IE8, and not the others. Heck, beyond hyper-conservative company policy (aka "let's stick with 10 year old software, no matter what"), there is very little reason not to upgrade and plenty of reasons to upgrade. To name three: it's free, it's more standards compliant and it is probably more secure than the previous two versions.

If you are still using IE5, then I have nothing good to say.

Pentagon thinking (2, Insightful)

Angst Badger (8636) | more than 4 years ago | (#30808526)

Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fixing it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for years.

Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.

FAKE (0)

Anonymous Coward | more than 4 years ago | (#30808592)

According to the actual advisory (http://www.microsoft.com/technet/security/advisory/979352.mspx), no upgrading is recommended at all...

Microsoft's advisory admits that both IE7 and IE8 (3, Informative)

benjymouse (756774) | more than 4 years ago | (#30808656)

>Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.

That is a misrepresentation, at best.

The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx [technet.com]

It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.

Good move (1)

Mopatop (690958) | more than 4 years ago | (#30808700)

Seriously, while there's no security change by getting users to upgrade from IE6 to IE8 (with respect to this flaw), there's a massive net gain in getting another IE6 off the streets. Thank you Microsoft, for using every means possible to move users away from IE6.
