Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

IE 6 & 7 Unpatched Exploit Goes Wild

CmdrTaco posted more than 4 years ago | from the brace-for-impact dept.

Internet Explorer 149

Kolargol00 writes "Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework."

Sorry! There are no comments related to the filter you selected.

Serves the noobs right (5, Funny)

oldhack (1037484) | more than 4 years ago | (#31441112)

That's why we in the know sticks to IE5.

Re:Serves the noobs right (2, Funny)

jocabergs (1688456) | more than 4 years ago | (#31441184)

Personally I like AOL 2.0 but whatever floats your boat, I suppose.

Re:Serves the noobs right (0, Offtopic)

wiredog (43288) | more than 4 years ago | (#31441402)

I use Mosaic [seanm.ca] .

Re:Serves the noobs right (0, Offtopic)

Beardo the Bearded (321478) | more than 4 years ago | (#31442186)

LYNX

Re:Serves the noobs right (0)

Anonymous Coward | more than 4 years ago | (#31442568)

I use elinks - amazing how many sites look good in text only!

Re:Serves the noobs right (1)

changa (197280) | more than 4 years ago | (#31442976)


I use curl.

Re:Serves the noobs right (0, Redundant)

ilsaloving (1534307) | more than 4 years ago | (#31443456)

Telnet!

Re:Serves the noobs right (1)

rthille (8526) | more than 4 years ago | (#31442398)

Still running WorldWideWeb.app [w3.org] here you noobs...

Re:Serves the noobs right (3, Funny)

$RANDOMLUSER (804576) | more than 4 years ago | (#31441560)

>> Personally I like AOL 2.0

ME TOO!!!

Re:Serves the noobs right (2)

flamingnight (234353) | more than 4 years ago | (#31441862)

A/S/L?

Re:Serves the noobs right (0)

Anonymous Coward | more than 4 years ago | (#31443216)

[SOUND] 6farts.wav

Re:Serves the noobs right (1)

mcgrew (92797) | more than 4 years ago | (#31441886)

I like Firefox with all plugins running on Vista, but whatever bloats your foat. [urbandictionary.com]

Re:Serves the noobs right (0, Redundant)

kickme_hax0r (968593) | more than 4 years ago | (#31441186)

I don't find that secure enough. Which is why I use curl.

Re:Serves the noobs right (1)

JWSmythe (446288) | more than 4 years ago | (#31441376)

    You damned kids and your newfangled toys. I telnet straight to port 80 and read from there. Damn I hate all these new tags. It was so much easier when folks just wrapped a text file in PRE tags.

Re:Serves the noobs right (0)

Anonymous Coward | more than 4 years ago | (#31441556)

Port 80?! I always telnet into port 443!

Re:Serves the noobs right (1)

Frnknstn (663642) | more than 4 years ago | (#31444012)

Telnet?! I pipe it all through netcat!

Re:Serves the noobs right (5, Funny)

The MAZZTer (911996) | more than 4 years ago | (#31441216)

I live life risky, 5.5 here!

Re:Serves the noobs right (4, Interesting)

houghi (78078) | more than 4 years ago | (#31441432)

I know it is funny. What is tragic is that recently we wanted to go to IE8. Some major program we use did not work anymore, while it worked with IE7. When asked if they could solve the issue, the answer was that the program was made for IE6 so we should downgrade to that.
What makes it double sad is that that 'advice came from the main IT department.

Re:Serves the noobs right (1)

Em Emalb (452530) | more than 4 years ago | (#31441558)

This drives me crazy. We have several mission-critical apps (via 3rd parties) that REQUIRE IE6 or, in some cases, IE7. It's frigging ridiculous, but there's not a lot we can do about it. (I work for a small company, 1 department uses a program that requires IE6 and IE6 alone. To change off it would cost hundreds of thousands of dollars. It's flat-out retarded, but we deal with it because we have to.

Re:Serves the noobs right (2, Insightful)

Khyber (864651) | more than 4 years ago | (#31441696)

"but there's not a lot we can do about it."

Bullshit - ditch the slacking fuckwits and build it yourself in-house.

Re:Serves the noobs right (4, Insightful)

Khyber (864651) | more than 4 years ago | (#31441720)

And before you point out "To change off it would cost hundreds of thousands of dollars." just bear in mind all it takes is me doing one right thing and that hundreds of thousands of dollars in fixing your shit just got turned into multi-million dollar losses because you refused to ditch the slacking bastards and get your own shit sorted out.

Re:Serves the noobs right (0, Redundant)

Ironhandx (1762146) | more than 4 years ago | (#31441818)

For the hope of humanity everywhere, please MOD THIS MAN UP.

I'd do it myself but I don't have mod points. :(

As an aside: Slashdot should start using some of these exploits to start flashing "UPGRADE" in big red letters across peoples screens.

Sure, it'll get a few people fired for goofing off at work at first, but then those that are left might actually follow the advice!

Re:Serves the noobs right (1)

Darinbob (1142669) | more than 4 years ago | (#31443114)

It's like insurance. You spend a little to avoid some huge losses for an event that may not happen; or you don't get the insurance and cross your fingers.

Re:Serves the noobs right (1)

Ironhandx (1762146) | more than 4 years ago | (#31443490)

I have this ridiculous fear that someday we're all going to be subjected to a nuclear winter due to a "Critical App" that causes some important facility to still have IE6 installed.

Re:Serves the noobs right (0, Flamebait)

Em Emalb (452530) | more than 4 years ago | (#31441838)

Excellent advice! You're the savior of my company! Thank you!

Actually, wait, no. No you're not. You're not even remotely helpful. Everybody completely understands every situation when they're on the internet, though, so I forgive you.

Re:Serves the noobs right (1)

snspdaarf (1314399) | more than 4 years ago | (#31442834)

Re: (Score:2, Troll)
by Khyber (864651) writes: Alter Relationship
"but there's not a lot we can do about it."
Bullshit - ditch the slacking fuckwits and build it yourself in-house.
-- Deep Water Culture Made Easy - http://ledkitsune.livejournal.com/ [livejournal.com]
*
*
Re: (Score:2, Insightful)
by Khyber (864651) writes: Alter Relationship
And before you point out "To change off it

Wow. Both troll and insightful. I think you hit the slashdot jackpot.

Re:Serves the noobs right (5, Interesting)

Buelldozer (713671) | more than 4 years ago | (#31441834)

Deploy IE6 with Terminal Services for far less than $30,000. Configure it to only talk to the the authorized applications. Deploy any browser you would like to the desktop.

Where do I send my bill for solving your problem for less than "hundreds of thousands of dollars"?

Re:Serves the noobs right (2, Informative)

ircmaxell (1117387) | more than 4 years ago | (#31443034)

Actually, that's exactly what I do here. When our QC team needs to test websites on IE6 (Because some of our clients still use it and they pay the bills), they simply RDC into a server that we keep live solely for IE6. It has nothing else on it, and has networking locked down to only allow traffic to our local subnet (and hence only our applications). Anyone who needs to test is simply granted RDC rights, and they can do it. And considering the server is a VM, it was basically free (we already had the terminal server and windows licenses)...

Re:Serves the noobs right (1)

Beardo the Bearded (321478) | more than 4 years ago | (#31442258)

I work for a huge company and we've got some IE6-only software here. The IT guys say "[Beardo], we know. We can't do anything about it."

I'd really like to know what the software is.

Re:Serves the noobs right (0)

Anonymous Coward | more than 4 years ago | (#31442518)

You must be in the medical industry and using Allscripts. Fucking retarded browser based EMR.

Re:Serves the noobs right (1)

Sleepy (4551) | more than 4 years ago | (#31442644)

I would clearly and calmly present the risk and the cost. Who is going to own cleanup if there is an exploit? Where will THAT money come from.

Remember that managers are there to solve YOUR problems, in theory anyways. They help keep your plate clean so you can focus on task. Present the risks, and let them own this issue and whatever the outcome is you did the right thing.

You might simply protect yourselves by forcing the IE6 and IE7 systems to use a web proxy that DOESN'T allow outside Internet access.
You can install Squid proxy for Windows for free (there are also freeware and shareware proxies also of course).
That way even if someone disregards common sense or "rules", they can't go anywhere unsafe. Policy Editor can prevent users from changing the proxy or network settings.

Re:Serves the noobs right (1)

nangus (1026732) | more than 4 years ago | (#31443636)

Remember that managers are there to solve YOUR problems, in theory anyways. They help keep your plate clean so you can focus on task. Present the risks, and let them own this issue and whatever the outcome is you did the right thing.

Wow, my manager tried to feed me something like that once. He was in a war with one of the other managers over who got to control which minions.

Re:Serves the noobs right (1)

Ihmhi (1206036) | more than 4 years ago | (#31441828)

Whoever is in charge of your main IT department should be fired. Out of a cannon.

Re:Serves the noobs right (1)

Talderas (1212466) | more than 4 years ago | (#31441896)

Bonus points if you fire the person out of a condom.

Re:Serves the noobs right (1)

nangus (1026732) | more than 4 years ago | (#31443664)

Or even better, out of canon.

Re:Serves the noobs right (1)

clone53421 (1310749) | more than 4 years ago | (#31441910)

Whoever is in charge of your main IT department should be fired. Out of a cannon.

We could finally find out what happens when an infinitely dense (i.e. unstoppable) skull meets an immovable brick wall!

Re:Serves the noobs right (1)

KenSeymour (81018) | more than 4 years ago | (#31442946)

Ah, but if you do that you may not be able to find a replacement manager of the same caliber.

Re:Serves the noobs right (1)

Cro Magnon (467622) | more than 4 years ago | (#31442470)

The other day, someone was asking about moving to IE7 because some sites, including our credit union, would soon end support for IE6. The response was that 1: The web people haven't tested our apps yet, and 2: What testing they HAVE done indicates the apps will break under IE7.

*sigh* Either way, we're screwed. :P

Re:Serves the noobs right (1)

Akzo (1079039) | more than 4 years ago | (#31443368)

Did you try the compatibility mode?

Re:Serves the noobs right (1)

eulernet (1132389) | more than 4 years ago | (#31443980)

Did you try hitting F12 and change the compatibility mode ?

For example, Virtual PC does not work in IE8 mode, and this is the only way to make it work.

Re:Serves the noobs right (0)

Anonymous Coward | more than 4 years ago | (#31441586)

Forget your IE5 I'm gonna go spend $1000 on a Mac, 'cause their ALWAYS safer, right?

Re:Serves the noobs right (1)

A12m0v (1315511) | more than 4 years ago | (#31441922)

You are making it sound like a lot.

Re:Serves the noobs right (1)

clone53421 (1310749) | more than 4 years ago | (#31442710)

Well, let’s see.

For $999, I can get a MacBook [apple.com] with:
- 2.26 GHz dual-core Intel processor
- 13.3” 1280x800 display
- 250 GB 5400 RPM hard drive
- 2 GB of RAM
- NVIDIA GeForce 9400M with 256MB shared memory
- 2 USB ports, gigabit ethernet, mini DisplayPort

Or an HP laptop [hp.com] with:
- 2.4 GHz dual-core AMD processor
- 17.3” 1600x900 display
- 500 GB 7200 RPM hard drive
- 4 GB of RAM
- ATI Mobility Radeon HD 4530 with 512MB dedicated memory
- 4 USB ports, gigabit ethernet, HDMI, VGA, 5-in-1 card reader, eSATA, 56k modem, firewire

(Both of the laptops write DVDs at 8x, have built-in webcams and microphones, similar wireless capabilities)

Actually, that’s not a fair comparison, because my Windows laptop only cost $849.99. Oh, and did I mention $150 in mail-in rebates?

...and? (2, Insightful)

snugge (229110) | more than 4 years ago | (#31441218)

there will always be unpatched exploits for OLD and OBSOLETE software.

Re:...and? (1)

dotgain (630123) | more than 4 years ago | (#31441762)

As long as developers, developers, developers, developers are still putting out apps that are IE6/7 only, (and Microsoft keep releasing browsers that perpetuate the whole "works in THIS version of THIS browser" metality), the situation is going to be exactly the same when IE8 is "obsolete" (and I'm picking, full of exploits that will never be patched), yet none of its webapps work in IE9 or IE10.

Internet Explorer 8 means: You've had 8 chances to learn this lesson. Internet Explorer "webapps" aren't. They're Internet Explorer Version ($VERSION_YOU_WANT_TO_RUN_MINUS_ONE) Apps.

I don't think of IE as a web browser any more, but more as some sort of "virtual machine" for running ActiveX applications (or exploits).

Re:...and? (1)

Phrogman (80473) | more than 4 years ago | (#31441864)

there will always be organizations who are too large to easily upgrade anything, even something as simple as a browser version, without it cost a ton of money. If you are well prepared and organized I am sure its not that bad, just time consuming, but for many companies, IT sucks hind tit and doesn't get the money, personnel or resources it needs to do something like a system wide upgrade - they exist on the bare minimum required to operate.

And there will always be users who buy a computer and treat it like a toaster - it does what they want until it doesn't. Then they are fucked because they don't even know that you can upgrade, let alone how. Never underestimate how little the average computer user actually knows about their computer. The /. crowd find that hard to believe, but for the average person configuring their PC *is* like rocket science (yeah I know some of you out there are rocket scientists, pick a different metaphor), and they have no idea how or where to start.

Re:...and? (1)

hairyfeet (841228) | more than 4 years ago | (#31444430)

While there isn't much you can do about the giant megacorps and how long it takes them to move, sadly there IS a way to fix a lot of the "it's a toaster" consumers, and that is to force the OEMs to stop having the world's most shitty defaults and turn autoupdates to ON. Just yesterday I was cleaning up a machine still at SP2, that is no updates for..what? 7 years? All because the user didn't have a clue the OEMs cripple their machines from the factory by turning autoupdate to off.

Frankly with all the nasties floating through the Internet there really is no excuse for having such shitty defaults. You would be surprised how less likely a machine is to be pwned if it just has the updates regularly installed, yet millions of machines are sold every year with a "pre-activated" image that has a lame admin account like "HP_User" with NO password and automatic updates killed at the factory. I wonder how many of those IE6 and IE7 machines that are gonna get infected are owned by consumers that simply have no idea their PC was pre-crippled at the factory. It is just pointless and stupid and needs to end.

Re:...and? (1)

mcgrew (92797) | more than 4 years ago | (#31442458)

Unpatched exploits for COBOL?

I'm safe. (5, Funny)

Anonymous Coward | more than 4 years ago | (#31441246)

From the Google Translation: "For the new security hole in Internet Explorer 6 p.m. to 7 p.m..." I do most of my porn browsing much later in the day, I'll be fine.

Internet Explorer and News for Nerds (-1, Troll)

Akido37 (1473009) | more than 4 years ago | (#31441256)

I would think that anyone who posts and reads Slashdot knows not to use Internet Explorer. Have we reached the point yet where a new flaw is no longer news?

I would think REAL news would be if a test somewhere showed a version of Internet Explorer superior to ANY other browser.

Re:Internet Explorer and News for Nerds (1, Insightful)

dave562 (969951) | more than 4 years ago | (#31441360)

It's great to know not to use IE if you're supporting yourself and your parents. It's a completely different world when you're supporting an entire organization.

Re:Internet Explorer and News for Nerds (4, Insightful)

Akido37 (1473009) | more than 4 years ago | (#31441412)

It's great to know not to use IE if you're supporting yourself and your parents. It's a completely different world when you're supporting an entire organization.

In that case, it's not like you can do anything about it anyways. If you had the power to change that, hopefully you would have done it by now.

Re:Internet Explorer and News for Nerds (1)

Em Emalb (452530) | more than 4 years ago | (#31441528)

The problem is not that the "helpdesk" people are stupid, it's that in a lot of cases, the companies they do business with have "extremely important programs" that are used constantly that REQUIRE IE6 or IE7. I don't do helpdesk work, but I do help out from time to time in my small company. Everyone here just about uses FF for everything they can, and use IE when they absolutely have to.

User education is important. It's simple, just tell them "to be safe, do any non-work related surfing (let's be honest, there are times even the most dedicated employees will be going to a non-work related site) in FF and ONLY do work-related stuff in IE.

For the most part, they get it.

Re:Internet Explorer and News for Nerds (0)

Anonymous Coward | more than 4 years ago | (#31441980)

Should tell them about IEtab, its a great FF extension that allows you to open certain sites using IE, I use it for stuff at work that requires IE, and it works for everything except iMap.

Re:Internet Explorer and News for Nerds (0)

Anonymous Coward | more than 4 years ago | (#31443700)

If the vendor tries hard enough, they can crash Firefox through IETab. It is far from bulletproof.

Re:Internet Explorer and News for Nerds (1)

davester666 (731373) | more than 4 years ago | (#31441494)

Um, I would say, if you're supporting an organization, you should definitely know that it should have switched away from all version of IE years ago.

And if you have internal software that requires the use any version of IE, what steps have you taken to make it work with other browsers that at least aren't the main focus of widespread internet attacks. And the same goes for Adobe's push I remember reading about a couple years ago for trying to get enterprises to build their internal apps in Flash instead of web pages to make them more interactive...

Re:Internet Explorer and News for Nerds (2, Informative)

davester666 (731373) | more than 4 years ago | (#31441526)

And I missed including the obvious extension to this, namely, you would be transitioning your company off Windows software, which is the most attacked software in the world.

Other OS's may be equally or more vulnerable, but no other is more exploited than Windows.

Re:Internet Explorer and News for Nerds (0, Troll)

Khyber (864651) | more than 4 years ago | (#31441758)

The OS is rarely exploited, and in fact Windows is fairly secure.

ADOBE is the fucking issue, as noted by the consistent hack-a-mac contest winner. Always Adobe which gets compromised. Always some THIRD PARTY NON-STANDARD that fucks everything up.

Re:Internet Explorer and News for Nerds (1)

davester666 (731373) | more than 4 years ago | (#31442078)

"The OS is rarely exploited"

Should be: The OS is rarely exploited anymore.

And only because it's no longer the low-water mark for exploits. Flash and IE 8 are the current low-water marks for exploits, with pdf on the rise.

"Always some THIRD PARTY NON-STANDARD that fucks everything up."

This has maybe become more prevalent in the last couple of years, but before that, it was largely Microsoft software that was attacked. It was everywhere, and it was super-vulnerable. Now that Microsoft has put more effort into both turning off more services by default, as well as making them less vulnerable to attacks [and as a bonus, may also crash less due to nil pointer errors, etc], attackers have moved on to other software commonly installed on a large number of computers, whose creator hasn't put as much effort into security [namely, Adobe Flash and Reader]. I'm sure in the future, they'll move to other software to attack.

Re:Internet Explorer and News for Nerds (1)

dave562 (969951) | more than 4 years ago | (#31441704)

What organization do you support? What apps are your users using? When was the last time an IE exploit caused problems for your organization?

It's really easy to throw around the word "should". What's the reality of your day to day situation?

tough titty says the kitty (1)

axl917 (1542205) | more than 4 years ago | (#31441262)

Time for some to upgrade, then.

Re:tough titty says the kitty (3, Informative)

Opportunist (166417) | more than 4 years ago | (#31441500)

Most companies still using IE6 or 7 cannot.

Usually you're facing a scenario akin to this: Some external company created a mission critical web applications. Of course a web app had to be it, because it saves you a lot of dough because you don't need to create a frontend, it's already there! You also don't need to roll out anything, it's already part of the system!

Since MS cares really much (/sarcasm) about standards, you had the choice: Doing it for IE, or for the rest. Since IE is part of every Windows installation, and you didn't want to roll out a frontend in the first place (remember, paradigmas are to stick to, even if they become a problem, else your boss might ask "why did you want that in the first place?"), you will create that frontend for IE. IE 6 orIE 7, to be exact, because they, too, are only kinda-sorta compatible to each other.

Fast forward to the present. The company that made your mission critical application already overstepped its allotted budget by about twice its size and is still busy fixing the odd bugs... provided the company still exists, that is.

Are you the one going to your boss telling him that they should stop fixing bugs now and migrate the behemoth to IE8? He will ask for the reason. You tell him about the security problems. He will laugh at you and call you a scaredy-cat.

That was the moment I quitted my well paid CISO position. It became too much of an ejector seat to be comfortable anymore.

Re:tough titty says the kitty (1)

Jenming (37265) | more than 4 years ago | (#31441718)

This is fairly easily solved by using IE 6 or 7 to access those apps and using a current browser for everything else.

Re:tough titty says the kitty (1)

Opportunist (166417) | more than 4 years ago | (#31442292)

Oh yeah, and your employees will certainly heed that. They know the internal app works with IE6, and they have to learn using that, so they will use it for everything.

Re:tough titty says the kitty (1)

ericlondaits (32714) | more than 4 years ago | (#31441816)

IE8 has an IE7 mode for backwards compatibility. ... Another alternative is installing some other browser (e.g. Chrome or Firefox) for external sites, and leaving IE6 or IE7 for intranet.

Re:tough titty says the kitty (2, Insightful)

Low Ranked Craig (1327799) | more than 4 years ago | (#31442022)

True, except it is perfectly possible to create something that works in both IE6 and IE 7/8 and Firefox and Safari. Coding for IE6 only, even back in 2003 or 2004 is just plain lazy and bad practice, period, end of story. If you know what you're doing, (and a professional web app developer should, don't you think?) making a web app, even one with a lot of CSS and JavaScript work on IE6 and Firefox, etc, just ain't that hard. I've been doing it for years.

Re:tough titty says the kitty (1)

Opportunist (166417) | more than 4 years ago | (#31442692)

Yes, it's possible to create something that works in all servers. Problem is, the application does already exist and it does not work too well in IE8. Yes, even in "compatibility mode".

Quick Reaction Times (2, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#31441264)

It's sad that the 'bad guys' are so quick to react to these opportunities and MS can't beat them to the punch. I'm not knocking MS (well, maybe a little) because they're facing a lot more work to fix it than the asshats who exploit it.

Re:Quick Reaction Times (3, Funny)

TheMidget (512188) | more than 4 years ago | (#31441544)

Bad guys? Anybody who helps to convince lusers to use proper software can't be all that bad...

They are doing all of us webmasters a huge favor, by hasting the long overdue demise of MSIE6

Who are the asshats? (2, Insightful)

SmallFurryCreature (593017) | more than 4 years ago | (#31441582)

Why can opensource developers fix issues so quickly when a billion dollar company can't? Why is this code that the developers were paid very good salaries to develop, on which the company made billion of dollars of profit, so insecure that it keeps turning up vulnerability after vulnerability?

Maybe when you car door keeps popping open and therefor people steel your car, it is time to stop blaming the thiefs and start to talk to the car maker.

IE is a joke, so punch the clowns that made it.

Re:Who are the asshats? (0)

Anonymous Coward | more than 4 years ago | (#31443548)

Because open source developers don't have to do any QA. Fixing it is quick, testing it is not.

Re:Quick Reaction Times (1)

Securityemo (1407943) | more than 4 years ago | (#31441892)

Amoral people wanting to boost their careers (depending on your view), versus amoral people who want to sell exploits to the botnet herders in the malware economy hierarchy, amongst other scum. Pick one (or suggest a third option!).

Re:Quick Reaction Times (2, Insightful)

mcgrew (92797) | more than 4 years ago | (#31442534)

I'm not knocking MS

When they know about an exploit and don't patch it until some black hat uses it, they deserve to be knocked, as does any other software company that acts like that (say, Adobe).

Before anyone nags about Metasploit... (4, Insightful)

Securityemo (1407943) | more than 4 years ago | (#31441340)

When non-security geeks nag about metasploit lowering the threshold for malicious behavior, it's like watching someone complain about gun laws in a warlord-ruled third world hellhole. It doesn't matter, and you're being silly. Besides, metasploit is geared a lot more towards rapid exploit prototyping, and is clearly designed with this in mind; only the already skilled can use it in this manner because you already need to be able to do it "manually" to take advantage of the framework. Hell, it's even harder to use the (ruby) framework than to code perl exploits; but you can do it faster and the shellcode part of the framework allows you to make complicated shellcode in a reliable fashion. It's not like one of those make-your-own-malware kits.

Shocking (0)

Anonymous Coward | more than 4 years ago | (#31441348)

Not patching your software for years on end can leave you open to security exploits? Shocking! I actually wish there were more ie6 security holes at this point. Maybe it would go away faster.

I wish it could be used for good (1)

MPAB (1074440) | more than 4 years ago | (#31441390)

to force stubborn IT departments into upgrading their enterprises' PCs. There's lots of them that keep a vast array of zombies with IE6 installed just because they fear anything else will be incompatible with their intranet software.

Re:I wish it could be used for good (1)

js3 (319268) | more than 4 years ago | (#31441538)

corporate ie6 users don't let their browse the rabid filled web from their internal network. Somehow people think the only way to use a browser is if it's directly accessing external websites.

Re:I wish it could be used for good (0)

Anonymous Coward | more than 4 years ago | (#31441594)

I’m almost tempted to fire up IE just so I can tell you that I’m responding to your comment using ie6 from a corporate internal network. But I won’t.

Instead, I’m using Firefox, which incidentally is against corporate policy (the IT department doesn’t install or support it, and users are not supposed to install anything on their own).

Re:I wish it could be used for good (1)

Khyber (864651) | more than 4 years ago | (#31441786)

"corporate ie6 users don't let their browse the rabid filled web from their internal network."

Bullshit. Flextronics, Solectron, Hewlett-Packard, ALL of them allow browsing on the internet with IE6 to non-work related sites.

Re:I wish it could be used for good (3, Insightful)

Opportunist (166417) | more than 4 years ago | (#31441610)

Since I have been that "stubborn IT department" for a sizable share of my life, mind if I defend myself? It's not the IT guys that refuse to upgrade most of the time.

Unless you're a tiny company with 20 employees, upgrading to another browser is not a trivial task. And I'm not even talking about installing the new version. That actually IS trivial. Any sensible company of halfway decent size already has automatic overnight rollouts in place. If they don't, well, tell me the name and I know what shares to sell quickly.

The problem is not a technical one. It's a compatibility nightmare. You might know that IE6, IE7 and IE8 are not really 100% compatible to each other. Sure, the differences are subtle and often consist of "one more click here", but I'm sure you also know the average company user: The moment his computer does not work EXACTLY as he is used to, it is "broken" and he will refuse to do anything anymore before IT comes down and "fixes" it. And no, sending out instructions how to work around the problem 'til the fix can be applied do not work. Never have, never will.

It's not IT that stalls. Actually, it's mostly a battle between CTO and CISO. The CTO fears incompatibilities, the CISO security breaches. It's easy if the company decided to roll them into one position (because, frankly, a CISO... what does that guy do except look scared all day?). Then you just find one person hanging on a rope somewhere in a basement instead of two guys in suits duking it out in the server room.

Just do your fucking job for once (5, Insightful)

SmallFurryCreature (593017) | more than 4 years ago | (#31442064)

We are talking IE6 here, it is a decade old by now. Do you still use 10 year old PC's? Do you use 10 year old cars?

Oh, you yourself might not be the problem, the real issue is IT management who keeps trying to cut costs by going for the lowest support contract and guess what costs the least to support? NO.

That is it, the word NO is simplest.

"Can I get an open port to SSH to our external servers?" "NO" Time spend: 0.5 seconds.

"Can I install software X that I do actually need?" "NO" Time spend: 0.5 seconds.

"Can I get a license for virtual window machines so I can test software in a safe environment?" "NO" Time spend: 0.5 seconds.

"Can we upgrade our software at least with in say half a decade of release so we are not completely behind the times?" "NO" Time spend: 0.5 seconds.

The problem is very simple, it is a constant cost factor to keep up-to-date. New versions are released so often after all, nearly every 2-3 years. Who can keep up? And it is oh so tempting to skip an upgrade. Why do all the compatibility testing during the beta and release candidates of a new product when you can let everyone else test it for you? Because sherlock, that doesn't test it for you. And that is the testing you need. So you save some money now, but are building up the future migration costs, till those costs become so high that you can no longer afford them no matter what.

It is all about budgets and promotions, you get promoted for keeping you budget low this year, and by then it is the next guys problem if he inherits the hidden costs.

And all because people have become more interested in management then actually doing their job. Because those incompatibilities between IE versions? Those are your fucking JOB. That is why you are paid system monkey, to sort these things out. What next? A car mechanic explaining why he hasn't replaced the brakes on a vehicle that crashed because it was such a hassle and they were covered in dirt and he just didn't want to get his hands dirty? That is exactly what you are saying. Oh my job is so hard, I can't be blamed for not doing it.

Sadly, big companies seem to attract your kind, who is more interested in their performance rating then actually just doing their fucking job. If I let my servers get so out of date they are hacked, well my customers kick me very very hard. I make sure to keep up with the alpha and beta's so that I know the issues with a new release, know the developers know them and can fix them and then am ready to implement them, so that at least then when a problem hits, I don't first have to upgrade several releases in order to not find every issue with a "solved in version X". And you know what, by staying on the edge, you often beat the bad guys. They after all are aiming for the largest mass, and the largest mass is guys like you who can straight faced give an excuse for running a decade old browser.

Really, how can you standup and claim your earned your keep when you still haven't managed to retire IE6. Do you still have a punch card reader for that essential piece of accounting software? Still use floppies because you might need one? Have word perfect installed for an old word file? No? You upgrade stuff like that? Then why does the browser, a piece of software that by its nature faces the whole nasty outside world, not get updated?

Yeah yeah, legacy system needs it. No it doesn't because such systems should be upgraded as times change. You aren't still running windows NT 3.5 are you?

Frankly, I see this problem far to often. You get asked to work on a problem and then find the software is several releases out of date and then have to find a way to bill a client for essentially doing what their own admins should have done. Admins are to afraid of having to say to their boss "why yes sir, the system is running perfectly but I still need resources to make sure it keeps doing that in the future" and developers are more interested in chasing glory then keep their past projects maintained.

But I suppose I shouldn't be surprised. Anyone capable who comes into an office where IE6 is still used would run screaming from the interview. Only the incompetent remain in such obsolete places.

Really, as admin, this is your fucking job. If you can't do it, then find something you can.

Re:Just do your fucking job for once (2, Insightful)

Otto (17870) | more than 4 years ago | (#31442362)

We are talking IE6 here, it is a decade old by now. Do you still use 10 year old PC's? Do you use 10 year old cars?

Firstly, many, many people use 10 year old cars. Not as many use 10 year old computers, I grant you, but cars can last for 30-40 years or more.

Secondly, IE6 is only a tad over 8 years old. It came out in the latter half of 2001.

Really, how can you standup and claim your earned your keep when you still haven't managed to retire IE6. Do you still have a punch card reader for that essential piece of accounting software? Still use floppies because you might need one? Have word perfect installed for an old word file?

I've worked for very large companies before. And yes, punch card readers are still used in some industries. And yes, floppies are still used. And yes, Word Perfect is still used.

Big corporations don't work the way you think they do. Most of them make money by, oddly enough, not paying for things. If that 10 year old computer running 10 year old software does the job, then they will let it sit there and keep doing its job until it *needs* to be upgraded.

You don't upgrade simply because there is an available upgrade. Upgrades cost money, and every dime you spend has to produce results in some fashion. Spending money in order to "not make any more money" is generally money that you should not have spent.

That said, upgrades do make sense, but only as part of larger strategies. You don't upgrade simply because you can. That way lies never-ending maintenance costs.

Admins are to afraid of having to say to their boss "why yes sir, the system is running perfectly but I still need resources to make sure it keeps doing that in the future"

True, but that's mainly because this is a lie and we both know it.

Once you have the system working, it will work that way until the hardware fails. You don't need to continually upgrade it to make it continue to work.

You only need to continually upgrade a system that is continually doing new things. A developer's box needs upgrades. The corporate user's box who does research using the web needs upgrades. The servers? Generally they don't need anything more than security fixes. They get upgraded when they get replaced or when the upgrade can be worked into a larger project. Upgrading solely for the sake of upgrading makes no sense.

Re:Just do your fucking job for once (0)

Anonymous Coward | more than 4 years ago | (#31443028)

You only need to continually upgrade a system that is continually doing new things.

My IE 6 machine is constantly doing new things as an active participant in a growing market of bots. You don't even need to upgrade to do new things!

Re:Just do your fucking job for once (4, Insightful)

Opportunist (166417) | more than 4 years ago | (#31442616)

Excuse me? Did something crawl up your rear and die there or why the hostility?

Here's your environment. It's not made up, it's real. I can vouch for that, I was the CISO for that environment for about a year.

You have: A mission critical web application, written for IE6. Not only for you but also for 8 sister companies that have equal share in pay (and say) where this application goes. A staff of 200 people (in your company, not counting the sisters) used to this application, each and every one of them having limited to no computer knowledge out of what they have been rote-trained to. A boss whose primary concern is to keep things running who does not believe you when you "scare" him with security threats (i.e. when you're doing your job). On the up side, you have near limitless funds at your disposal, but they have to pass boss-approval.

What do you do? Suggest an immediate upgrade to IE8? No-go. It breaks the mission critical application. Suggest bringing the app up to speed? Takes time. First to assemble the CISOs and CTOs of the other sister companies, then piss away a few meetings and lots of time trying to figure out who pays for the shit (remember, you have limitless funds but still have to pay less than the others. It's a prestige thing that you shift the cost onto the sisters). But hey, you get to spend lots of time traveling and living on company expense! So you can imagine that some of the CISOs/CTOs you're dealing with are not too keen on ending this any time soon, even if you are. You can NOT push forwards alone, because the app has to be compatible across companies (they basically use the same database backend and any minor inconsistency results in a disaster, effectively shutting your operation down, making the evening news and ensuring you won't work in any position anymore that doesn't end in "want fries with that?").

Btw, telling anyone that the security hole is a problem gets met with laughter.

Welcome to the world of CISOs. The comic foil in the C?O world.

Re:Just do your fucking job for once (1)

Amorpheus_MMS (653095) | more than 4 years ago | (#31443534)

I don't understand the problem here. Why not keep using IE6 for the one application that requires it, but have a modern browser on the same computer for everything else?

Re:Just do your fucking job for once (1)

H0p313ss (811249) | more than 4 years ago | (#31443834)

I don't understand the problem here. Why not keep using IE6 for the one application that requires it, but have a modern browser on the same computer for everything else?

You're assuming that the user base is smart enough to be able to know when to use which browser when most of them are still confused about why the the cup holder open button is labled "eject".

Re:Just do your fucking job for once (1)

asdfghjklqwertyuiop (649296) | more than 4 years ago | (#31443958)

What do you do? Suggest an immediate upgrade to IE8? No-go. It breaks the mission critical application. Suggest bringing the app up to speed? Takes time.

Fire the incompetent morons who wrote said application in the first place. That's a start, at least.

Re:Just do your fucking job for once (1)

Quirkz (1206400) | more than 4 years ago | (#31444264)

My car is 13 years old and counting. It runs great.

Also, you can rant all you want about IE6, and I'll mostly agree with you, but this exploit also affects IE7, and that's not nearly so old.

Re:I wish it could be used for good (1)

Talderas (1212466) | more than 4 years ago | (#31442094)

Then you just find one person hanging on a rope somewhere in a basement instead of two guys in suits duking it out in the server room.

Let's get ready to rummmmmmbbbbbbbbllleeeeeeeee!

Re:I wish it could be used for good (1)

natehoy (1608657) | more than 4 years ago | (#31442002)

Not just "fear". The IT department at my company has tested, and they KNOW anything newer than IE6 is incompatible with a decent array of intranet applications, including the company intranet (which was built on a commercial CMS that has since folded, so all that information has to be moved to a new CMS). They've also had to go out and find the usual rash of departmental applications that people wrote in Excel with VBScript, or Access, with a FrontPage front end, and figure out how many of those would survive an IE6 upgrade, and the answer to that question is also pretty grim. And I sincerely doubt they got 'em all. Not to mention the number of canned applications that perform really useful tasks, but not useful enough to make it worthwhile to spend money to upgrade them, so they've been slowly aging like bad cheese, but replacing their functionality is difficult or expensive.

Add into that the number of machines that are already pretty marginal for XP with IE6, throw in IE8 and it might be the straw that broke the eight-year-old camel's back, necessitating a bunch of upgrades. They've already had to hold off on hardware upgrades for two years running because the economy blows steaming monkey chunks, and a lot of the machines are struggling.

Upgrading the browser is relatively easy - SMS push, done. Replacing/upgrading the hardware is a little harder. Replacing all the applications that both IS and the business have implemented over the years that are all dependent on IE6 is a multi-million dollar project.

And, lest we forget, the economy blows steaming monkey chunks. So how many more people do you lay off to get the money to upgrade all these apps? None, you say? Righty-ho, IS will get right on working on business-critical stuff with their reduced remaining staff, then.

So they've put their money into security upgrades of the core infrastructure, improvements to AV and the firewall grid, and making sure company-confidential information doesn't reside on laptop or even desktop hard drives, and making sure access to important stuff like credit cards is only stored on an encrypted network inaccessible from the world of mere mortal desktops. If a desktop machine is compromised, the combination of hardware firewalls, software firewalls, antivirus, antimalware, and the Proxy Nazi will hopefully isolate it, and remote reimage means IS can reach out and nuke any machine that suddenly gets suspicious.

They want to go Windows Seven and IE8, but that's going to be a year or two to coordinate, and they'll have to incur a lot of wrath breaking tons of critical business apps (many of which they know they are still unaware of) or spending money upgrading them (if that's even possible). They'll also have to replace a good bit of hardware.

All of our important data is on mainframes and midrange servers, or the SAN, and that's all firewalled up the wazoo. Most people get nothing but Telnet access to that kind of hardware. Credit card data is on its own network and NO ONE gets to that except a very small list.

Do we all want to see IE6 go the way of the dodo? Hell, YES. And there is a plan to do that.

Does it make sense to make that our primary goal in terms of securing our data? No. Centralized security and a "just enough permissions" model is far cheaper, and more effective.

Easy fix for clueless people. (0)

Anonymous Coward | more than 4 years ago | (#31441442)

Linux boot CD. Just take out the entire hard disk, then there's nothing to mess up.

Sample 'sploit code? (1)

TheMidget (512188) | more than 4 years ago | (#31441510)

For those of us who have a web site, does anybody have a code snippet to put on our pages? Like changing IE's homepage to goatse, or somesuch...

They use IE, do you think they care? (4, Funny)

SmallFurryCreature (593017) | more than 4 years ago | (#31441654)

If you are still using IE, then a mere goatse is not going to change your mind.

Re:They use IE, do you think they care? (1)

kronosopher (1531873) | more than 4 years ago | (#31442872)

How about popping up the embedded browser selection screen sold in European versions of Windows?

IE6? (2, Interesting)

Wolfraider (1065360) | more than 4 years ago | (#31441774)

Wasn't IE 6 pronounced dead and services held for it? Why are we still reporting bugs on it? IE7 on the other hand, it needs to be fixed or even better, killed completely

Re:IE6? (0)

Anonymous Coward | more than 4 years ago | (#31443812)

IE 6 is still supported by Microsoft until July.

Pick up the rope, stay with the tour (0)

Anonymous Coward | more than 4 years ago | (#31442036)

This was reported yesterday but modded down. Today it's important enough? Feh. Slashdot's moderation system is still as broken as ever, I see.

Re:Pick up the rope, stay with the tour (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31442942)

Butthurt much? Your write-up probably just sucked.

just wondering ... (0)

Anonymous Coward | more than 4 years ago | (#31443204)

Mmmh, wondering, how many bugs have been exploited for a long time, before they became common knowledge as an exploit and how many bugs are currently exploited that maybe never get recognized by the public and fixed.

Considering how many exploits get found in old software even after years, things don't look good in my eyes.
If someone has money and bad intentions, they could just hire some people looking for those exploits and then exclusively use those exploits like for industry espionage etc. The chance that they can use such an exploit for a long time, when it is only used on a few selected targets, seems I'm quite high.
I'm sure it is done.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?