Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New IE Zero Day

CmdrTaco posted more than 3 years ago | from the well-that's-not-good dept.

Internet Explorer 305

RebootKid writes "Microsoft has released a notice about a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"

cancel ×

305 comments

Merry Xmas (1)

Anonymous Coward | more than 3 years ago | (#34653244)

Merry Xmas

Re:Merry Xmas (0, Offtopic)

dmbasso (1052166) | more than 3 years ago | (#34653402)

Thank you AC.

I think nobody has to worry as "Microsoft Security Essentials 2.0 [was] Released".
At least that is what moderators implied with the troll score in my post:
http://slashdot.org/comments.pl?sid=1916850&cid=34608728 [slashdot.org]

Mod me as you please, I'm still 100% malware-free for 10 years with Debian and Ubuntu. :)

Re:Merry Xmas (0, Informative)

Anonymous Coward | more than 3 years ago | (#34653430)

And you're still a troll. And if you think that simply running Linux automagically protects you from any threat of malware, you're also an idiot.

Re:Merry Xmas (0)

Anonymous Coward | more than 3 years ago | (#34653720)

oh oh oh! someone is jealous!

Re:Merry Xmas (-1)

Anonymous Coward | more than 3 years ago | (#34654090)

I don't know about him, but I sure am jealous of not having an OS that will only run a tiny library of poorly written, half-assed software and having pathetic hardware support. Oh well, I'll just have to stick with Windows and continue to be able to use all PC hardware on the market and have the biggest and best selection of software at my fingertips.

Re:Merry Xmas (2)

miknix (1047580) | more than 3 years ago | (#34654316)

I don't know about him, but I sure am jealous of not having an OS that will only run a tiny library of poorly written, half-assed software

*shrug*
I don't usually reply to trolls but...

Mind you that people writing open-source code do it for fun and recognition. Writing "half-assed" code seems something that a paid employee could do since they have deadlines to meet and other more important objectives to worry about than writing "clean-code". Also, the very nature of *open*-source code makes it more vulnerable to third party quality checks and peering.

If you never tried to push code into kernel.org, gnome, kde or any other big opensource project, I suggest you do so you can recognize that is not that easy to push "half-assed" code.

and having pathetic hardware support.

Sure. That's why Linux is found in the TOP 100 super computers, in fridges, high-end TVs, cellphones, routers and of course.. desktops

Talking about desktops .. don't expect Linux to run 100% if you throw it into some random combination of hardware without *checking compatibility first*. Because you can do the same and grab Microsoft Windows, for example, and throw it into non Microsoft certified hardware and you will see how well it will run.

Oh well, I'll just have to stick with Windows and continue to be able to use all PC hardware on the market and have the biggest and best selection of software at my fingertips.

Your comments are childish and obviously pathetic. Worse is that you have knowledge of it by replying as AC..

Re:Merry Xmas (0)

Anonymous Coward | more than 3 years ago | (#34653750)

Linux certainly protects me from most exploits. I only suffered one stupid exploit on a server in 15 years of using Linux on thousands of machines, and no, I am probably not an idiot.

Re:Merry Xmas (5, Insightful)

causality (777677) | more than 3 years ago | (#34654190)

And you're still a troll. And if you think that simply running Linux automagically protects you from any threat of malware, you're also an idiot.

The quality of discussion on this site is taking a nosedive lately. I think phony "debate" talkshows and the demagoguing occurring in politics does a lot of damage by repeatedly presenting invalid processes as though they were legitimate or useful. I'll spell it out right now, the dishonest tactics used on shows like that and commercials like that are designed for one purpose: so the host or politician can "win" and "be right" no matter how right or wrong he/she actually is. It's rhetoric, not debate.

I'll give a rough outline of how this most often plays out on Slashdot. My goal is to demonstrate how petty and useless it really is:

  1. Read a statement made by another poster.
  2. Decide whether you like or don't like that statement.
  3. Assume that anything you don't like must be factually incorrect.
  4. (Optional) Demonize people who say things you don't like by never admitting when they make a valid point. That would be like helping the enemy since you're either with us or against us! That's much more precious than honest debate, right?
  5. Do not deal with the poster as an individual. Instead, pigeonhole them:
    • Decide what group (real or imagined) the poster vaguely sounds like.
    • Ascribe all attributes of that group to the poster.
    • Fail to notice that the poster actually made no such claims; instead, put words in their mouth.
  6. Proceed to tear down the straw man you have just set up.
  7. (Optional) call the poster names, use invective, use ad-hominems.
  8. (Mandatory) forget that you just tore down a strawman that you set up, so your "victory" feels genuine and earned.

It boils down to what kind of man or woman you are. To some people, the truth is more important than winning and any winning that does happen is not legitimate if it is not rooted in truth. To many people, winning is more important than the truth and lying, distorting, misrepresenting, are all acceptable as long as you win and the other guy loses. The latter group will never know what it means to say "you know, that's a really good point, it made me think about this differently, you changed my mind about this -- thank you!" for that would mean losing face, or so they imagine.

What does this have to do with the subject at hand? I'll explain. For every 500 times I've seen someone say "if you think Linux automagically protects you from malware", I think I've seen maybe 1 time that anyone actually made that claim. This strawman has been beaten so severely it's reverted back to a small pile of hay. It's time to let it go, no matter how otherwise trollish somebody else has decided to be (and he was -- I don't dispute that, but this BS compounds that problem).

The GP said two things. He said he has run Debian and/or Ubuntu for the last 10 years. That's not absurd or beyond the realm of possibility. So ok, I believe him. He also says he has experienced no malware during those 10 years. That's strictly a matter of his competence as a Linux admin, skilled admins exist, and it doesn't take a particularly high level of skill to achieve that. So that's not absurd or infeasible either. Ok, I believe him on that one too.

Now hear this: he did not claim that Linux automagically did anything. I realize some people have said that -- if you want to do something about it, locate and deal with those people. What you're doing is assuming he must be just like them because he wears the same kind of tie. Until and unless he makes the same claims, he is not just like them. If he trolled a little, you said "oh yeah, watch THIS" and showed him how it's done.

Re:Merry Xmas (2)

mcgrew (92797) | more than 3 years ago | (#34654282)

Put the chair down, Steve.

Trolling through the snow, on a one... (0)

Anonymous Coward | more than 3 years ago | (#34654286)

And you're still a troll.
Different poster here.
Whether you use Windows, Linux, MacOS, BeOS, Android...
If you aren't paying attention to what you're doing, you deserve the consequences.
That goes for everyone.

And, that said and given the myriad alternatives, Internet Explorer just plain sucks the 1 bit.

Re:Merry Xmas (0)

Anonymous Coward | more than 3 years ago | (#34653932)

I think you misspelled your username.. it should be dumbass

I've been malware free on Windows for 15++ yrs. (-1)

Anonymous Coward | more than 3 years ago | (#34653958)

See subject-line, & it's not "b.s." - you can "security-harden" Windows NT-based OS' far, Far, FAR beyond the "std. oem-stock shipping default" is how/why you I can state that.

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

That url contains the links to the techniques I use to get the result my subject-line above states.

(It works for the results I get, as well as others who have used it's tricks/tips/techniques (& I can produce testimonials to that effect IF you like, easily!))

No LINUX required... though I use KUbuntu 10.10.x here myself in "dual boot" via GRUB.

APK

P.S.=> That layered security guide for Windows of mine's the MOST READ/MOST VIEWED THERE IS ONLINE for securing Windows... at well over 750,000 views worldwide by now, & it was at that viewcount last time I checked, back in 2008 or so. On the 15 forums its' featured on, it was made either a:

---

1.) Sticky/Pinned thread
2.) Essential Guide
3.) 5/5 star rated
4.) Most viewed status

---

& even GOT ME PAID @ PCPitStop.com for writing it, because it actually works!

(The getting paid part? It was completely unexpected, but welcome - & in January 2008 it won me a $100 prize there for its content)...

That's the "total gamut" of "layered security" I use in addition to the HOSTS file!

(Which I consider IT (a custom hosts file) my "arc reactor core" of that security guide, since it currently has 915,000 unique entries of KNOWN bad sites/servers/host-domain names blocked out in it - & what I can't touch, can't touch me, online)... apk

Re:I've been malware free on Windows for 15++ yrs. (0)

Anonymous Coward | more than 3 years ago | (#34654440)

Loving the fact that most (all?) of those threads from that Bing search were just you screaming in all-caps and bold into the abyss. That pcreview thread was 8 pages of you being ignored. Nobody cares about your 16MB hosts file or 85.706 CIS score. Nobody.

This is you:
http://www.timecube.com/ [timecube.com]

You have wasted your life.

Re:Merry Xmas (1)

mcgrew (92797) | more than 3 years ago | (#34654244)

Well, you can get the IE patch here [google.com] , and the Windows patch here. [google.com]

Re:Merry Xmas (0)

Anonymous Coward | more than 3 years ago | (#34654372)

And where can you get useful software?

Terrible, terrible and juvenile summary. (4, Insightful)

Delusion_ (56114) | more than 3 years ago | (#34653252)

If you felt the story was newsworthy, I have no doubt that it was submitted in a form that was better than this one, or that you could have re-wrote it.

Re:Terrible, terrible and juvenile summary. (1)

jellomizer (103300) | more than 3 years ago | (#34653320)

But it makes fun of Microsoft... Isn't that all we need. If there is a bug in Microsoft we celebrate.

Re:Terrible, terrible and juvenile summary. (1)

aliquis (678370) | more than 3 years ago | (#34653494)

It was submitted in a better form, and I gave that one + and this one -.

Bad:
http://slashdot.org/submission/1426606/MS-warns-over-zero-day-IE-bug [slashdot.org]

This one:
http://slashdot.org/submission/1426648/New-IE-Zero-Day [slashdot.org]

The other one:
Can't be found, probably because it was submitted later? Or something, was better though, dunno why they have removed it from firehose? Same URL and this one got submitted = fail?

Re:Terrible, terrible and juvenile summary. (3, Informative)

commodore64_love (1445365) | more than 3 years ago | (#34653512)

I don't see anything wrong with the summary. It inserted some comic relief & levity, but still got the message across. Just as that comedian does on Comedy Central's daily news show.

Re:Terrible, terrible and juvenile summary. (0)

Anonymous Coward | more than 3 years ago | (#34653706)

  • Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.'
  • Ok, fess up -- who asked for an IE 0 day for Christmas?
  • I'm guessing Santa got his lumps of coal mixed up with a bag of exploits.

Writing just one of these would have been fine, but all three? I don't have all day.

Re:Terrible, terrible and juvenile summary. (0)

Anonymous Coward | more than 3 years ago | (#34653982)

  • Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.'
  • Ok, fess up -- who asked for an IE 0 day for Christmas?
  • I'm guessing Santa got his lumps of coal mixed up with a bag of exploits.

Writing just one of these would have been fine, but all three? I don't have all day.

Obviously you do, else you would not post about it.

Re:Terrible, terrible and juvenile summary. (-1, Flamebait)

Blakey Rat (99501) | more than 3 years ago | (#34653598)

No kidding.

Hey "Reboot Kid": Grow the fuck up! We already have enough snide 12-year-olds in computer security. If it's serious business, then be serious. If not, then don't post at all.

Re:juvenile summary - still a serious story (0)

Anonymous Coward | more than 3 years ago | (#34653664)

Despite the jokey look, the history is still serious.. very very serious.

Re:juvenile summary - still a serious story (0)

Blakey Rat (99501) | more than 3 years ago | (#34653700)

Yeah, well, posting 5 sentences of "MICROSOFT R TEH SUX LOLOLOLOL WHO WANTED 0-DAY FOR XMAS LOLOLOLOL" doesn't really convey that impression to me.

Re:Terrible, terrible and juvenile summary. (0)

MichaelKristopeit327 (1963772) | more than 3 years ago | (#34653658)

you haven't heard?

slashdot = stagnated

Re:Terrible, terrible and juvenile summary. (1)

mister_playboy (1474163) | more than 3 years ago | (#34654120)

I vote you the /. user most likely to snag the 2 millionth UID.

Re:Terrible, terrible and juvenile summary. (0)

MichaelKristopeit327 (1963772) | more than 3 years ago | (#34654266)

i have already prepared. you are perhaps the first forward thinking individual i've encountered on this stagnated internet website chat room message board.

i have no reason to attack your logic, and as such i'll choose to ignore the cowardice you display as you hide behind your hypocritically chosen pseudonym.

(a real playboy would not address himself as such)

Re:Terrible, terrible and juvenile summary. (1)

steveo777 (183629) | more than 3 years ago | (#34653662)

Great. Now I need to buy a digital cliche meter. This summery of this story nearly caused my mercury cliche meter to burst.

Re:Terrible, terrible and juvenile summary. (-1)

Anonymous Coward | more than 3 years ago | (#34653668)

Baww some more, faggot. I like it when you bitch about pointless shit.

Re:Terrible, terrible and juvenile summary. (1)

hesaigo999ca (786966) | more than 3 years ago | (#34653688)

Typical of the author

Wanna hear a joke? (-1)

Anonymous Coward | more than 3 years ago | (#34653260)

Q: What did The Furher say when he crossed the street?
A: Wir mussen die Juden aus rotten!

Wasn't that Hitlarious?

Re:Wanna hear a joke? (-1)

Anonymous Coward | more than 3 years ago | (#34653390)

Not wanting to be a grammar nazi, but it should be "Führer"

Re:Wanna hear a joke? (1)

AndGodSed (968378) | more than 3 years ago | (#34653990)

Exactly what I thought...

Re:Wanna hear another joke? (-1)

Anonymous Coward | more than 3 years ago | (#34653432)

Why do German shower heads hve 11 holes in them?

Because even a Jew only has ten fingers....

Re:Wanna hear another joke? (-1)

Anonymous Coward | more than 3 years ago | (#34653464)

Why do Jews have huge noses?

Because air is free.

zero day is today not two days ago (1)

chronoss2010 (1825454) | more than 3 years ago | (#34653262)

UGH ain't pirates taught you anything yet

!0day (0)

Anonymous Coward | more than 3 years ago | (#34653268)

Kind of bad that the folks at SANS dont even know the difference between a "0 day" and simply "a really bad exploit". If its not being utilized yet, and the first notice came from MS, it is in no way a 0 day.

Re:!0day (2)

99BottlesOfBeerInMyF (813746) | more than 3 years ago | (#34653532)

If its not being utilized yet, and the first notice came from MS, it is in no way a 0 day.

The vulnerabilities (there are two by the way) were first disclosed by WooYun.org although metasploit did not add modules until after MS's advisory. I don't know f it was exploited before it became public or not.

Re:!0day (0)

Anonymous Coward | more than 3 years ago | (#34653704)

Ugh, as much as I don't want to chime in on this argument, disclosure has nothing to do with being a 0day, it's the patch. If the exploit is in the wild before a patch is available, it is a 0day, which supposedly is the case here. Although it's a little bit murky if anyone's seen legitimate usage in the wild here.

Re:!0day (2)

kbielefe (606566) | more than 3 years ago | (#34653860)

Zero day refers to how much time an administrator has to patch his systems before an exploit is known. Since this is still not patched, it is indeed a zero day exploit, although if the exploit is as yet unused it is not a zero day attack.

IE9 is safe (1)

Anonymous Coward | more than 3 years ago | (#34653302)

or at least it's not on the list.

Re:IE9 is safe (1)

AndGodSed (968378) | more than 3 years ago | (#34654062)

That's what tickled me. If you believe the hype, every new version of IE is just that, new. Why then does is exploit like this for "all versions of Internet Explorer" except, as you pointed out, IE9?

If there is a really good (technical) reason for this, I'd like to hear it, because it kinda intrigues me that this is possible... kinda like the sharing vulnerability that Win98 had, XP did not have, and then Vista, Win7 and Server 2008 had.

Okay, here's a question ... (-1, Troll)

ScrewMaster (602015) | more than 3 years ago | (#34653312)

Microsoft has released a notice about a new zero day attack against Internet Explorer.

And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.

It irks me that there are better options than Explorer readily available, but so many people just don't care enough about their own security and privacy to avail themselves of those options. It's not like paying through the nose for an anti-virus product: these things are free to use! I feel less and less sorry for Explorer users every day, having heard all the excuses ("it doesn't look like Explorer, my favorite free-malware-site doesn't like it, it's too hard to install, I'm too stupid to use a computer, and so on ad infinitum.) It's not as if the likes of Firefox, Chrome and Opera are hard to find, or aren't in the public's eye nowadays. Hell, a few months ago a major U.S. bank issued a warning recommending that its customers eschew Explorer in favor of anything else and further recommended that any online banking be done in anything but Windows (preferably Linux/Unix.) Of course, the month after that they made another public statement to the effect that they would only support Internet Explorer (note: they didn't follow through on that threat. I got the distinct impression that it was a "left hand doesn't know what the right hand is doing" situation.)

Re:Okay, here's a question ... (1)

jdastrup (1075795) | more than 3 years ago | (#34653380)

It's noteworthy, because while you and I don't use IE, we support tens, hundreds, or thousands of people that do. Therefore, we like to be informed about what's going on and what we can expect, especially if it will impact our Christmas vacation.

With that said, I still use IE often, even though Chrome is my browser of choice. Don't get me started on Firefox. If malware can be defined as an app that sucks every last megabyte of usable RAM, then Firefox is malware.

Re:Okay, here's a question ... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34653414)

I don't use technology X and therefor nobody else does! LALALALALALA NOT LISTENING

Re:Okay, here's a question ... (4, Insightful)

99BottlesOfBeerInMyF (813746) | more than 3 years ago | (#34653544)

And this is noteworthy why?

Because a significant number of people on Slashdot are security geeks and enjoy learning about exploits, or are sysadmins that manage at least some machines where the users can get to IE.

Re:Okay, here's a question ... (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34654084)

And this is noteworthy why?

Because a significant number of people on Slashdot are security geeks and enjoy learning about exploits, or are sysadmins that manage at least some machines where the users can get to IE.

Or you work as a lowly developer or IT Grunt Technician a company where you are pretty strictly IE only - based on policies set forth by Vice Presidents who don't know how technology works.

Re:Okay, here's a question ... (4, Insightful)

Jahava (946858) | more than 3 years ago | (#34653588)

And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.

Firstly, a serious security vulnerability in a popular (for whatever reason) software tool is always noteworthy, if just for the fact that it's interesting. Secondly, the overall state of IE is large enough to affect everyone in some way or another. And finally, numerous people here administer systems or have friends and family that may run or require Internet Explorer, and such a bulletin could certainly prove useful to them to prevent this attack from damaging those they (are paid to) care about.

It irks me that there are better options than Explorer readily available, but so many people just don't care enough about their own security and privacy to avail themselves of those options. It's not like paying through the nose for an anti-virus product: these things are free to use! I feel less and less sorry for Explorer users every day, having heard all the excuses ("it doesn't look like Explorer, my favorite free-malware-site doesn't like it, it's too hard to install, I'm too stupid to use a computer, and so on ad infinitum.) It's not as if the likes of Firefox, Chrome and Opera are hard to find, or aren't in the public's eye nowadays. Hell, a few months ago a major U.S. bank issued a warning recommending that its customers eschew Explorer in favor of anything else and further recommended that any online banking be done in anything but Windows (preferably Linux/Unix.) Of course, the month after that they made another public statement to the effect that they would only support Internet Explorer (note: they didn't follow through on that threat. I got the distinct impression that it was a "left hand doesn't know what the right hand is doing" situation.)

I've met smart people who think that Internet Explorer is the Internet. They don't know or care what a browser is. Technology, Internet included, is just another tool, and it needs to work correctly. To tell someone like this to get another browser is not feasible; without a long explanation, they will never like the idea of switching from something that is (or appears to be) working to something different.

Approaching someone and taking the time to explain the situation and answer their questions is the only way to make a transition sit comfortably with them. Unfortunately, people "in-the-know" don't have the time or desire to address the remaining population. The best effort I've seen to address the non-technical public is Google's "get a faster browser" button on their home page, and even then I've heard those who say "well, mine is fast enough". Someone has to explain things and answer their questions.

I've encountered pretty popular attitude that viruses only exist on shady websites (e.g., gambling, and porn) and that caring about or addressing security is not only unnecessary, but also an admission of one's intention to visit such sites. Once again, the only way to break past this is to take the time to sit down, explain things, and answer questions.

Short of prosthelytizing nerd squads going door-to-door, there's not much that can be done. Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers, and they are wholly responsible for keeping their shit together. Maybe someone should sue them for damages.

Also, keep in mind that serious flaws have been found in Firefox, Safari, and Chrome. IE, like Windows, is targeted more heavily than other browsers due to its market share. If IE is ditched en masse, I would bet money on the number of flaws in other browsers growing significantly higher. This doesn't absolve Microsoft (see previous paragraph), but it does suggest that the problem is larger than IE and attitude.

Re:Okay, here's a question ... (0)

Blakey Rat (99501) | more than 3 years ago | (#34653726)

Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers,

Wha? Since when did Microsoft "lock out" other browsers?

Re:Okay, here's a question ... (2)

Jahava (946858) | more than 3 years ago | (#34653872)

Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers,

Wha? Since when did Microsoft "lock out" other browsers?

Sorry for the ambiguity; I was referring to locking them out of the browser market via aggressive pushing, default installation in the most popular operating system, IE-only web sites due to standards deviations, inseparable integration with the host operating system, and use of (at the time) Microsoft-only APIs for optimizations, plug-ins, and media capabilities. People always have had a choice, but Microsoft used every bit of their considerable influence and position to make that choice for them, causing an effective "lock out".

I didn't use the term appropriately, and I would retract if it I could; s/locking out/thoroughly defeating/g. My point was that by becoming the dominant product in the market and accepting that role, Microsoft also inherited the responsibility for operating as a major player in securing that market, and they have grossly failed in this role.

Re:Okay, here's a question ... (2)

Blakey Rat (99501) | more than 3 years ago | (#34654014)

Ah, I agree.

The cynical person in me would say that the dominance of IE is at least half of the blame on Mozilla's disastrous decision to re-write Netscape from scratch, resulting in them having literally no way of competing with Microsoft. (It's also telling that IE won against Netscape on the Macintosh, a platform which wasn't subject to the biases you mentioned.)

I mean, if you want Microsoft to write good software, you need to compete with them-- that's just how it works. No competition to Microsoft = no effort from Microsoft.

Re:Okay, here's a question ... (1)

Pieroxy (222434) | more than 3 years ago | (#34654312)

Ah, I agree.

The cynical person in me would say that the dominance of IE is at least half of the blame on Mozilla's disastrous decision to re-write Netscape from scratch, resulting in them having literally no way of competing with Microsoft.

You fail to mention that Netscape (4.x) was in no way or shape capable of beating IE. It was a pile of crap. IE went into dominant position because it was a so much better browser starting at IE4.

(It's also telling that IE won against Netscape on the Macintosh, a platform which wasn't subject to the biases you mentioned.)

Well, this is not the case anymore. Again, they won because they had no worthy competition.

I mean, if you want Microsoft to write good software, you need to compete with them-- that's just how it works. No competition to Microsoft = no effort from Microsoft.

But they did make lots and lots of efforts to wipe Netscape out of the map. They did succeed because Netscape had such an horrendous product AND because they did all they could for it to go away, not counting technical superiority.

Re:Okay, here's a question ... (2)

PRMan (959735) | more than 3 years ago | (#34654338)

I've met smart people who think that Internet Explorer is the Internet.

No, you haven't.

Re:Okay, here's a question ... (1)

Machtyn (759119) | more than 3 years ago | (#34653670)

How many slashdotters support many users who refuse to use anything other than IE despite our insistence and warnings and enabling them to use another browser. So, knowing that there is a new 0 day is newsworthy and relevant to our interests.

Re:Okay, here's a question ... (2)

Beerdood (1451859) | more than 3 years ago | (#34653686)

Maybe the majority of slashdotters are on firefox, chrome, opera right now, but the software we're developing may only work on IE. The Network admins will need to deal with their users using IE. And a lot of our relatives are still using IE

When your aunt Bertha calls on christmas and goes "MY INTERNET IS BROKEN", i'll be able to go "ah yea, I remember reading about that on slashdot".

Re:Okay, here's a question ... (1)

AndGodSed (968378) | more than 3 years ago | (#34654166)

And then you go: "But Aunt Bertha, it's Christmas, I can't help you today."

Re:Okay, here's a question ... (1)

hufman (1670590) | more than 3 years ago | (#34654336)

If the software you're developing only works in IE, someone somewhere made a bad decision. Also, how does my Aunt Bertha know you? ;)

Re:Okay, here's a question ... (4, Informative)

Daltorak (122403) | more than 3 years ago | (#34653778)

Microsoft has released a notice about a new zero day attack against Internet Explorer.

And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.

Weeellllll, that's the stereotype, sure, but the on-the-ground reality paints a different picture.

Surely you've noticed that Firefox 3.6 is up to its 13th point release since January,and #14 is just around the corner. The first Secunia security advisory for this browser was issued within weeks of its initial release, and there now have been 11 in total, covering 85 separate vulnerabilities in Firefox 3.6. Look at SA42517 for an example, which was published two weeks ago. In that one advistory alone, 13 different security bugs are addressed, covering a wide variety of attack vectors like large Javascript arrays and large parameters to document.write(). And when you look at the fixes made in source control to patch these bugs, you sometimes scratch your head and wonder, how the fuck did they miss that when coding it?

But the problem with Firefox is worse than that. On Windows and Mac OS X, users are prompted over and over again to install these point updates. It requires elevation to Administrator privileges, and it requires restarting the browser. I see people routinely ignoring these updates because it'd interrupt what they're doing..... and the web server logs I have access to are a mishmash of Firefox browser versions.

This is a browser with 25% of the worldwide marketshare -- more than any version of Internet Explorer save for version 8.

So.... how about Google Chrome, you say? Their patching setup is far superior (that's why I use it), but it's not like the browser is any better-written. Just this month there have already been eighteen disclosed security vulnerabilities. And that's only slightly worse than average for a month in Chrome land. There are actually a number of Google Chrome bugs which are marked as only affecting the Linux version, too. Look at CVE-2010-4041 for an example of what I mean.

What I'm trying to say here is this -- Internet Explorer's security profile isn't significantly different than the other major vendors. They all have poorly-coded browsers that focused on packing the features in, without taking due consideration to the safety of the code they're writing. If you want to single out Microsoft for criticism, let's talk about the fact that they take so long to get these fixes out, and that reboots are often required to get the patches in place. That's where Firefox and especially Chrome are ahead.

The hell?! (0)

Anonymous Coward | more than 3 years ago | (#34653334)

We're in 2010. How come we still have something as simple as a godamn webpage able to make the system run arbitrary code on the OS itself?

What about memory-checking, array boundaries, etc? This isn't 1985, systems are so complex that nobody can know it from top to bottom, they don't only have 64KB and they don't run a single program anymore.

Re:The hell?! (1)

Anonymous Coward | more than 3 years ago | (#34653610)

from the CVE:

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.

Lols, use after free in C++, the best language to shoot yourself in the foot with once again.

Re:The hell?! (0)

Anonymous Coward | more than 3 years ago | (#34653864)

Yup, I still think that C++ was the worst catastrophe that happened to computing in the 20th century.

Re:The hell?! (0)

man_of_mr_e (217855) | more than 3 years ago | (#34654352)

If you actually read the advisory, you would see that the default configurations of every new Windows OS released since 2003 have mitigated the vulnerability, making it either unexploitable, or useless to the exploiter (due to signicantly lower user rights of the exploited code).

So it only affects idiots who turn off UAC, or who are still running XP.

Yet time after time we hear from the peanut gallery that UAC is useless, that protected mode is pointless, that it's just security theater. Funny how every time there is a vulnerability, people using those "useless" and "pointless" technologies aren't affected.

By the way, side note. It appears that remote code execution vulernabilities in IE have become such a rare event that when they happen, they are now front page news. Interesting.

I switched to Opera (0)

commodore64_love (1445365) | more than 3 years ago | (#34653336)

My Netscape Dialup requires Internet Explorer to work with its compression software. But knowing how IE operates, I decided to give Firefox, Seamonkey, and Opera a spin. Opera and its Turbo work great.

Then I uninstalled IE. So happily this 0-day exploit is a non-issue for me. I advise all my coworkers, when the topic comes up, to stop using IE and switch to any other browser. Some look at me like I'm nuts, but IE is still the #1 browser and biggest target for viruses/malware/thieves.

Re:I switched to Opera (0, Flamebait)

commodore64_love (1445365) | more than 3 years ago | (#34653454)

(-2 overrated)
That's fine. I'll just post the same thing tomorrow. I will not be censored by either the government or the /. corporation.

Re:I switched to Opera (0)

Anonymous Coward | more than 3 years ago | (#34653502)

Quit Doc Rubying. You have never been a victim and you will never be a martyr.

Re:I switched to Opera (-1)

Anonymous Coward | more than 3 years ago | (#34653618)

How about -5 Asshole? You're such a fucking cock smoker with bitching about the moderation system here. Get a fucking clue, Slashdot is optional.

Re:I switched to Opera (0)

Anonymous Coward | more than 3 years ago | (#34654284)

I will not be censored

You keep using that word, I don't think it means what you think it means.

Protip, freedom of speech goes both ways. You are free to troll, and we are free to tell others that you are a troll. Don't like it? Then stop being a troll. Claiming censorship when we're just exercising our freedom of speech just makes you out to be an even bigger troll.

Misleading report (1, Informative)

Anonymous Coward | more than 3 years ago | (#34653398)

Microsoft is not being entirely straightforward in their report. This is not an IE bug. It is a .Net bug in mscorie.dll. Mscorie.dll is not required by IE. (IE works just fine, so to speak, without .Net.)

Re:Misleading report (3, Interesting)

Artefacto (1207766) | more than 3 years ago | (#34653640)

This is not an IE bug. It is a .Net bug in mscorie.dll. Mscorie.dll is not required by IE. (IE works just fine, so to speak, without .Net.)

Referece? The CVE description says:

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.

Re:Misleading report (0)

Anonymous Coward | more than 3 years ago | (#34653960)

| Referece?

http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx [technet.com]

    It's the second link in the article linked by Slashdot:
"...In a few words, Internet Explorer loads mscorie.dll..."

As with most news articles, the security advisory (first link) *does not* mention mscorie.dll, describing the problem as "within Internet Explorer".

Re:Misleading report (1)

man_of_mr_e (217855) | more than 3 years ago | (#34654418)

You are misunderstanding that article. The article is not saying that the vulnerability is in mscorie.dll, but that the exploit uses the non ALSR'd mscorie.dll because the base addresses are known.

The vulnerability in mshtml.dll allows the exploit access to mscorie.dll, which is not protected because it cannot normally be accessed remotely in this manner.

This is like saying there's a vulnerability in a banks safety deposit boxes because the vault itself let people with specialized tools capable of breaking into them walk in through a hole in the floor.

maybe mscorie.dll should be ALSR'd, but the fact that it's not is not the vulnerability itself, it's just an avenue of exploiting the real vulnerability.

Re:Misleading report (0)

Anonymous Coward | more than 3 years ago | (#34653918)

its actually in mshtml.dll according to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3971 and other sources.

Elves... (1)

theamarand (794542) | more than 3 years ago | (#34653406)

Just don't put this on the Christmas Elves or Elf Bowling sites.... Let's see, risk factors:

* Tech-clueless relative just got their first computer for Christmas. "Chooses" I.E. as browser. Drawn in by Elf Bowling. There's a virus on your computer, click here!

Oh, man....

And related to what an earlier poster said, why is it that we need to use Internet Explorer in order to update our Windows boxes? I still find that a little bit anti-trust.

To borrow from 2001: My God--it's full of holes!

Re:Elves... (1)

DeathFromSomewhere (940915) | more than 3 years ago | (#34653514)

You need Internet Explorer to update your OS if you happen to be running XP and older. Vista and newer have a seperate client app for updating the OS. Don't expect this to change anytime soon because XP is long past its expiration date.

Slow news day? (1)

Artem Tashkinov (764309) | more than 3 years ago | (#34653424)

Is it a slow news day? ;)

Next you are going to say there are some unpatched vulnerabilities in IE.

net zero; +1 MS -1 for MS (5, Informative)

hAckz0r (989977) | more than 3 years ago | (#34653456)

Microsoft blundered again. No big supprise. They left off the /DYNAMICBASE randomization switch when compiling mscorie.dll. Dumb, Oversight, or is it on purpose? (-1 score)

Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?

What security features can you add with EMET?

Dynamic Data Execution Prevention (DEP)
Structure Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)

Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?

The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg [tinyurl.com]

Re:net zero; +1 MS -1 for MS (0)

BitZtream (692029) | more than 3 years ago | (#34653764)

If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues?

Yea, thats exactly what they should have done.

Except ... applying it is known to break shit, often. Applying it randomly, willinilly to the same effect as removing the alternate option from the system (the dynamic linker in this case, a core feature of windows for literally 20 years.) and changing the base behavior of a core system.

If they could do that without breaking all sorts of shit, they would have already.

Windows users care more about shit working than running the latest and greatest code and rarely have access, inclination or know how required to recompile the applications they use to deal with this system changes and the required modifications to applications.

Sometimes though, applying it does work well enough to get most people through until next patch tuesday.

I'm guessing you haven't been working with computers very long or have never actually worked with computers for a living where working is more important than ZOMG NEW LINUX KERNEL PATCH.

Re:net zero; +1 MS -1 for MS (5, Informative)

phantomcircuit (938963) | more than 3 years ago | (#34653770)

DEP and ASLR both cause problems with lots of poorly written software, which is why they're only enabled for executables that specifically flag themselves as working with DEP/ALSR.

I can attest to that (3, Interesting)

Sycraft-fu (314770) | more than 3 years ago | (#34654116)

When I went to a 64-bit OS I decided I'd force DEP on. Windows actually has 4 DEP modes: always off, always on, opt in, opt out. It just only shows the opt in and opt out choices in the GUI. So I turned it on. After all, this was some time since DEP had come about, figured things would be fine.

Wrong answer. Tons of apps bombed on DEP errors. Seems lots of apps like to execute from memory they forgot to mark for code. I tried the opt out mode for a bit, figuring that I'd just add the apps that were problems, but it got to be too much since you have to do it by hand (there isn't an "add exception" button in the error or anything), some apps had multiple sub apps that had to be added, and of course it isn't like apps would always just fail to execute, sometimes they'd run fine until you were in them and working, then bomb (audio apps with plugins were notorious for this).

So now my computer is in the default op in state, meaning only apps that ask for DEP get it. Not as secure, but such is life. Good news is as far as I can tell all my apps that run at any privilege above user DO use DEP so that's nice.

Re:I can attest to that (1)

hAckz0r (989977) | more than 3 years ago | (#34654314)

there isn't an "add exception" button in the error or anything

I think you just hit on the most major feature that MS left out. What is needed is a balance of usability and enforcement. One needs enough enforcement so that the developer will hear about the issues and have the incentive to correct them, but not so much that the user is prevented from getting the application to work properly. Wouldn't it be great if MS used a click through message to both correct the problem and to also notify the developer? I like that MS is now collecting information on application crashes for quality purposes, and this would be just an extension of that to help everyone improve both quality and overall stability.

Re:I can attest to that (0)

Anonymous Coward | more than 3 years ago | (#34654420)

FWIW, "AlwaysOn" is NOT the same as "OptOut with nothing opting out". OptOut by itself enables lots of little shims and compatibility fixes for various common DEP-tripping apps. Then, on top of that, you can add exceptions (and that's actually fairly rare unless you're a gamer).

AlwaysOn on the other hand kills both the exception list AND the compatibility shims. And it's the latter that will make your apps bomb left and right. Try switching to OptOut, it has worked great for me.

Also, FWIW, you can also switch ASLR to AlwaysOn, but that's more likely to cause terrible horrible things to go wrong (but it worked OK when I tried it). Google "MoveImages" for the registry hack.

Re:net zero; +1 MS -1 for MS (0)

Anonymous Coward | more than 3 years ago | (#34654174)

DEP and ASLR both cause problems with lots of poorly written software, which is why they're only enabled for executables that specifically flag themselves as working with DEP/ALSR.

Perhaps for "Windows 8" Microsoft should just declare that they will be enabled by default. If you have a program that doesn't work with it you have to click a check-box that runs it in a VM of some kind.

Re:net zero; +1 MS -1 for MS (1)

hAckz0r (989977) | more than 3 years ago | (#34654234)

DEP and ASLR both cause problems with lots of poorly written software

Exactly! When MS came out with NT, and protected mode Win32, a lot of programmers had to straighten up and fly by MS's new rules, and things improved greatly. They are still bad, but much improved. The problem is MS is not trying to get them to fix their own problems and therefore MS suffers an image problem that needn't be. If MS said, "this is the way things are, you have X months to make it work under the new rules" then the third parties will put in the effort. Not until. Don't expect them to fix anything that doesn't put money in their pocket unless they have to. They have to. The platform would be greatly improved as a whole, and much more stable. Yes, the developers will complain, but in the long run *everyone* looks better.

I have been there. I have fought the issues with management before. They need a shove in the right direction, and Microsoft is the only company that can do it. Anyway, making it the system default but with the option of turning it off 'per application' would be a much improved situation with just enough incentive to those companies to fix their own issues. If they have to answer the phone to tell you to flip a switch they will certainly take the time to fix it, or die of embarrassment in the eye of public relations. If you fix your product you sell more copies. Quality does count.

Re:net zero; +1 MS -1 for MS (2)

140Mandak262Jamuna (970587) | more than 3 years ago | (#34653816)

These things it very difficult to reproduce the defects. Of course so many of the defects are caused by stupid things like uninitialized memory access, freeing freed memory and such dumb mistakes. And these tools would help you find such bugs quicker and make a more reliable product. But the developers have a strong aversion to tools that break things. The attitude is, "yes, yes, it is really stupid to have used variable xxx without initializing it, but the code does not crash and I install this tool and it crashes the code, so it is the fault of the tool".

And on top of it you make bugs difficult to reproduce, they just hate it. Most people debug by stepping through code and setting break points. If the code path is randomized in anyway these developers get all flustered. None of them would invest in writing sanity check and audit methods.

Re:net zero; +1 MS -1 for MS (1)

hAckz0r (989977) | more than 3 years ago | (#34654032)

I understand that mentality completely! About 20 (?) yrs ago I was working for a company using Windows 3.xx and they had big problems with software bugs trashing customer databases. I asked why they didn't run with NT, or at least with the protected mode turned on, and their reply was it broke too many things. Well, Duh! There are bug in there that you won't find unless you do.

I came in one weekend and turned it on on my workstation and debugged everything I knew how to run (I was the new kid on the block in that shop), and by the time I left things were much more stable. After the next software release the phones stopped ringing off the wall and the sr tech actually had time to think for a change. His next conclusion, after thinking, was to run everything in protected mode and they never disregarded my advice after that. The product was much more stable and had fewer problems in the field, all because one person took the initiative to fix it rather than complaining that it would break.

Sometimes you have to stop running and realize its time to hop on the bike, because it takes longer to push it along than to ride it the way it is meant to be used.

How long would it take for the engineers to throw the switch during their normal development cycle? Not long. They just need to do it and get the job done as they stumble across the problems during the general course of the day. Just do it.

Re:net zero; +1 MS -1 for MS (0)

Anonymous Coward | more than 3 years ago | (#34654302)

"why is it not part of the OS"
Most likely because very little Microsoft or Adobe written software will work properly if you apply all of those security measures. Not that it would do any better with some OSS wares. But the upside is that it might help with a world wide switch to Linux, BSD, or OSx!

It's not even zero day. (0)

pinkeen (1804300) | more than 3 years ago | (#34653500)

I thought that zero day means that somebody uses it in a attack and it appears that it hasn't been known before the said attack. Public Disclosure automatically disqualifies it as zero-day.

Re:It's not even zero day. (2)

Jahava (946858) | more than 3 years ago | (#34653798)

I thought that zero day means that somebody uses it in a attack and it appears that it hasn't been known before the said attack. Public Disclosure automatically disqualifies it as zero-day.

Zero-day generally indicates that the attack is in-use (by bad guys) at the time that it becomes known by the vendor and/or the public (e.g., zero days for anyone to take steps to mitigate the damage). This is as opposed to a vulnerability that is only known to the public after it has been addressed by the software maintainer. "Zero-day" can also mean an attack that is still viable at the time of disclosure, though there is less significance in the specific choice of term.

Can someone please explain to me... (0)

Anonymous Coward | more than 3 years ago | (#34653504)

Can someone please tell me how does these exploits normally work?

1. Victim visits webpage with malicious code.
2. Attacker execute code on victim machine.
3?
4?
?

But what kind of remote code do they execute, is it some kind of program already installed ?
Do they make you download some program and execute it silently?
Does all these only works when victim has (good)firewall installed?

Re:Can someone please explain to me... (2)

jdastrup (1075795) | more than 3 years ago | (#34653538)

3. Attacker installs super good anti-virus software that informs you of the 137 virus you have installed.
4. Super smart victim buys super good anti-virus updates with credit card.
5. Attacker make money, victim get protected. Everybodies win.

Re:Can someone please explain to me... (1)

pinkeen (1804300) | more than 3 years ago | (#34653570)

All or any of the above. Seriously, pick a malicious activity that can be accomplished with a PC program and there you have it. Oh, and firewall does not protect you from these kind of explots. It (probably) will make it a little harder to send/receive info to/from the internet by a malicious app but in most cases won't help a lot, depending on how you configured it, how much attention do you pay, etc. Besides there are ways to trick it.

Re:Can someone please explain to me... (1)

hAckz0r (989977) | more than 3 years ago | (#34653586)

Generally speaking, the malicious site sends malformed network packets that are read into the browser and overlays memory that it was not supposed to use, then when that function returns it trips over the modified memory and winds up executing the injected code. If done correctly the malicious site will then gain access to the machine through the side effects of that code execution, and game over. The code will likely download a binary and configure it to be persistent, and coming from inside the machine it is generally permitted to bypass any local firewall due to a stupid 'default allow' rule. Dumb.

There are MANY ways to do this, but its tricky to get the injected code just right for each possible target system. Microsoft makes a good target, because here are so many machines configured exactly the same way, and Microsoft makes it too easy by not coding things in a secure manor to begin with.

Re:Can someone please explain to me... (1)

clone52431 (1805862) | more than 3 years ago | (#34653628)

But what kind of remote code do they execute, is it some kind of program already installed ?
Do they make you download some program and execute it silently?

The latter. A remote code execution exploit is one that can download some program and execute it without your knowledge or permission.

Does all these only works when victim has (good)firewall installed?

A good antivirus should prevent most stuff like this from getting its claws dug in. A firewall... maybe, maybe not.

Re:Can someone please explain to me... (1)

SnarfQuest (469614) | more than 3 years ago | (#34653690)

4. Profit?

But, but, but MS claimed it was so much better... (-1)

Anonymous Coward | more than 3 years ago | (#34653698)

According to MS (mickeysoft), this version of the internet exploder is sooo much better than all the rest, and everything that came before it. They claimed faster, better, gooder (their words, not mine), and everything else doesn't even come close. Well, when it comes to 0 day exploits, nothing else comes close, thats for sure, but surely they could have checked the software for security vulnerabilities before it went out the door.... Oh Wait! No, that's right. The marketing department head salesman comes in, tells the programmer that "Its ready NOW! We are taking it, and shipping it for Christmas, THIS YEAR! and our sales figures WILL NOT be dampened by your concerns of 'insecure' and 'not ready yet'. Its mostly working, and that means we have something to ship. Out the door. The Crash Test Dummies(tm) ....(early adopters), will find all of the bugs, and report them back to us. We will fix them at our leisure, sell them the better version in 6 months and make yet more money. Done. Its so much better than those silly Firefox, Opera and Safari people, who check for bugs and security before publishing the software. Their sales folk can't have Christmas bonanzas like the sales/marketing folk at MS.

The summary (0, Insightful)

Anonymous Coward | more than 3 years ago | (#34653888)

The summary is childish, but more importantly, it is NOT EVEN FUNNY!!!

Re:The summary (1)

RebootKid (712142) | more than 3 years ago | (#34654050)

My apologies. Part of that is my own warped sense of humor, part of it is a direct quote from SANS.
I'll endeavor to work better/worse humor into future submissions.

*Note to self: Must work harder on pleasing all of the people all of the time*

protip (1)

nimbius (983462) | more than 3 years ago | (#34654006)

more outline and summary of the article, its content, affected users and payload. bonus points for countermeasures to employ.
less goofy references to your fucking holidays.

sincerely,
the overworked windows administrator trying to use slashdot for an intended purpose.

It's sing-a-long time! (1)

Chris Tucker (302549) | more than 3 years ago | (#34654158)

Botnets! Worldwide botnets!
What kind of boxes are on on botnets?

Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too.

Are boxes! Found on botnets!
All running Windows. FOO!

Why, yes! Yes I Am a smug, OS X using bastard!
How kind of you to notice!

Before we all start the bashing.. (1)

metrix007 (200091) | more than 3 years ago | (#34654196)

Please remember that this happens to all browsers, Firefox [theregister.co.uk] , Safari [computerworld.com] , Chrome [zdnet.com] and Opera [softpedia.com] have all had zero days.

It is also important to take note that IE is the second most secure browser after chrome, as it is the only one to make full use of WIC(Windows Integrity Controls), although does not have the sandboxing that Chrome has.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...