
New IE 8 Zero Day Discovered

samzenpus posted about 4 months ago | from the no-shortage dept.

Microsoft 134

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

134 comments

why are they taking so long? (2)

wulper (788005) | about 4 months ago | (#47061757)

this IS a critical bug... onehundredandeighty days... 180 zero days. why? MS wants to drive up marketshare of competing browsers? incompetence? MS employees actively exploiting the bug?

Re:why are they taking so long? (2)

wulper (788005) | about 4 months ago | (#47061821)

that was a rhetorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

Re:why are they taking so long? (2, Funny)

Billly Gates (198444) | about 5 months ago | (#47061905)

that was a rhetorical question, btw. I suppose incompetence of an almost petrified juggernaut. or maybe fixing it would break some obscure feature someone pays for.

No way. You mean something written only for IE with professional quality like Taleo, workday, McKearson, and PeopleSoft would break when turning on sandboxing, tls 2.0, non compromised certificates, local admin activeX controls, when turning on security and w3c standards? Oh please. If that were the case I am sure the cost accountants would be approving upgrades to use the latest versions.

Re:why are they taking so long? (0, Troll)

Billly Gates (198444) | about 4 months ago | (#47061843)

Because it's from Ms.

And what a great way to force users to upgrade

Re:why are they taking so long? (5, Informative)

Jumunquo (2988827) | about 4 months ago | (#47061857)

From ZDI advisory:
Vendor Contact Timeline:
10/11/2013 - Case disclosed to vendor
02/10/2014 - Vendor confirmed reproduction
04/09/2014 - Original predicted disclosure (180 days)
05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
05/21/2014 - ZDI publicly disclosed

Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

Re:why are they taking so long? (5, Interesting)

Anonymous Coward | about 5 months ago | (#47061969)

You forgot to add to your timeline:

4/08/2014 - Windows XP (stuck on IE 8) goes out of official support

Ironically, one day before the disclosure was supposed to happen, how convenient for Microsoft.

Re:why are they taking so long? (0, Troll)

DrXym (126579) | about 5 months ago | (#47063823)

XP was supported for 13 years. A pretty generous term by any measure. At some point a line has to be drawn and further issues should be ignored.

Re:why are they taking so long? (2, Insightful)

Anonymous Coward | about 5 months ago | (#47064033)

Microsoft was still heavily pushing Windows XP for netbooks in 2009.
So make that not even 5 years.

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47064123)

You don't end support for a product that has millions of users. Especially when most of those users are small businesses that might not be able to afford upgrades all in one shot.

Re:why are they taking so long? (1)

DrXym (126579) | about 5 months ago | (#47064377)

Says who? Other operating systems including popular dists of Linux have well defined end of lifes on their products. Why should Microsoft be expected to support their product indefinitely?

Zero-Day allowing the attacker run arbitrary code (2, Interesting)

buchner.johannes (1139593) | about 5 months ago | (#47064203)

"Zero-Day exploit allowing the attacker to run arbitrary code"

I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention [wikipedia.org] features of MS Windows after XP.

Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

Re:Zero-Day allowing the attacker run arbitrary co (1)

Antique Geekmeister (740220) | about 5 months ago | (#47064329)

> Or does this warning assume the worst case, where all these other features are turned off?

It seems not. But remember that Internet Explorer was written to be inseparable from the operating system itself, with effectively bare metal access to provide Microsoft-only speed, power, and enforced reliance on Microsoft's system libraries. It was designed _not_ to be modular, and designed _not_ to be clearly segregated from the underlying operating system so that it would be impossible to remove or replace on a Windows system.

Re:Zero-Day allowing the attacker run arbitrary co (1)

EmperorArthur (1113223) | about 5 months ago | (#47065671)

"Zero-Day exploit allowing the attacker to run arbitrary code"

I thought these words should be history based on the implemented NX bit, sandboxing, multiple lines of defense and Data Execution Prevention [wikipedia.org] features of MS Windows after XP.

Why do all these features fail, when they are specifically designed for exposed code like IE? Or does this warning assume the worst case, where all these other features are turned off?

The NX bit, and DEP forced us to develop Return Oriented Programming https://en.wikipedia.org/wiki/... [wikipedia.org] Basically because function arguments and return pointers are on the stack you can make the code that's already there do the work for you. It's not as easy as just writing a little shell code and tends to be more specific as far as the version of the software the victim is running, but it's really quite neat and hard to stop.
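An added example, not part of the thread and not any poster's code: on the question above of whether DEP and related mitigations are actually switched on, a defender can read the per-image opt-in flags from a binary's PE header. The function names and the sample images are constructed for illustration; the offsets and flag values follow the PE/COFF format.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF format.
DYNAMIC_BASE = 0x0040  # image can be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image declares itself compatible with DEP / NX

OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


class PEFormatError(ValueError):
    """Raised when the bytes do not look like a PE image."""


def mitigation_flags(image: bytes) -> dict:
    """Report the DEP and ASLR opt-in bits of a PE image.

    Only the headers are read; nothing is executed or loaded.
    System-wide policy can still force DEP on for an image that
    lacks the flag, so this is the binary's own declaration only.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise PEFormatError("missing MZ header")

    # e_lfanew at 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")

    # COFF header (20 bytes) follows the signature;
    # SizeOfOptionalHeader sits at offset 16 inside it.
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if opt_size < 72 or opt + 72 > len(image):
        raise PEFormatError("optional header truncated")

    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in OPTIONAL_MAGIC:
        raise PEFormatError("unknown optional header magic 0x%04x" % magic)

    # DllCharacteristics is at offset 70 in both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "format": OPTIONAL_MAGIC[magic],
        "dep": bool(chars & NX_COMPAT),
        "aslr": bool(chars & DYNAMIC_BASE),
    }


def build_sample(dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Construct a minimal header-only PE image for the demo (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, 0x0102)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    samples = {
        "built without opt-in flags": build_sample(0x0000),
        "built with NX_COMPAT and DYNAMIC_BASE": build_sample(0x0140),
    }
    for label, data in samples.items():
        print(label, mitigation_flags(data))
```
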

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47062019)

So, the relevant parties within HP are going to be pursued by the Justice Department just like weev?

Right?

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47062067)

This is quite the contest.

http://www.ning.spruz.com/pt/Pwn2Own-is-a-computer-hacking-contest.5-21-2014/wiki.htm

American Date Format (5, Insightful)

labnet (457441) | about 5 months ago | (#47062281)

American Date Format :DIE Already!!!!!!!!!!!
American Imperial Units: DIE Already!!!!!!!!!!
American Imperialism : .....[shhh the nsa is listening]

Re:American Date Format (1, Insightful)

PsychoSlashDot (207849) | about 5 months ago | (#47062329)

American Date Format :DIE Already!!!!!!!!!!!

Sorry, but as a non-American I have to admit I find that date format the most comfortable. Things are likely different globally, but here people tend to say "May 10th, 2014" much more often than "the 10th of May, 2014". Adding two bonus words so you can satisfy some "most granular to least granular" fetish doesn't fit.

For instance, the catastrophe that happened in the US over a decade ago is called "September 11th", not "the 11th of September".

Frankly I'd be okay with a compromise... 10(5)14 is May 10th, 2014 or the 10th of May, 2014. But as long as everyone insists on using commas, DMY will never have my vote.

Re:American Date Format (4, Informative)

harperska (1376103) | about 5 months ago | (#47062403)

Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47062589)

Even the Brits do it though! See 7/7

Re:American Date Format (2)

bill_mcgonigle (4333) | about 5 months ago | (#47062489)

I speak in the American format and write in the ISO format. To me they're the best of breed, one for spoken communication, one for written. But don't forget that we're surrounded by OCD-ish folks (like the GP) who are so crazy-obsessed with EvEnNeSs. I did that last one just to piss them off.

Re:American Date Format (5, Insightful)

QuasiSteve (2042606) | about 5 months ago | (#47062497)

Remember, Remember, November 5th.

This day, July 4th, is our Independence Day.

Hm, no, just don't have the same ring to them that way. Consistency is certainly not one of the strong points of how dates are enunciated in English.

But at least when dealing with the written form and not as part of prose, yyyy-MM-dd will always have my vote.

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47062573)

I work in engineering that needs drawings used by different countries, so I do 10MAY2014, 05APR2014 and so on

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47063173)

Spelling out the month and using a 4 digit year is my favorite also.

Re:American Date Format (3)

Dynedain (141758) | about 5 months ago | (#47062687)

Depends on the language. English lends itself to day followed by month, but the latin-derived languages tend to the opposite.

Re:American Date Format (3, Interesting)

gl4ss (559668) | about 5 months ago | (#47063967)

third of the fifth? or fifth day of the third?

month-day-year is just madness. for various reasons. if you don't get the reasons then you're just knee(1 foot) deep in madness already.

even year-month-day makes more sense and overall readability is best with day-month-year. one tanker, 100 barrels and 10 cups. makes no sense to go 100 barrels, 10 cups and one tanker.

Re:American Date Format (1)

Antonovich (1354565) | about 5 months ago | (#47063431)

And you are a non-American (as in the continents) native speaker of English? I'm from NZ and it's the other way round, or at least was until I left 10 years ago... The "dialect" has undergone very strong Americanisation over the last few decades though. Your "for instance" is also a little ridiculous - a non-American would never say "nine eleven" meaning "the eleventh of September" (or even "eleven nine"). I also can't remember anyone ever saying "September eleventh" but plenty of people saying "September eleven" regarding the attacks on the WTC. The "nine eleven" term has a much stronger relation to the actual date for Americans (US-only?) than it does for non-Americans.

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47064041)

Hey I'm from NZ too. We should hang out sometime.

Re:American Date Format (2)

LordWabbit2 (2440804) | about 5 months ago | (#47063835)

Sorry, but as a programmer different date formats are a bloody pain in the ass. Say it like you want to (while putting a pancake on your head, I don't give a shit) but store it (ie. type it) in ISO format. YYYY-MM-DD [wikipedia.org]

There are a lot of systems which transmit data as strings (xml, json, csv) which need to get parsed back into datetime and a simple thing like YYYY/MM/DD instead of YYYY-MM-DD can cause a cluster fuck of note. If everyone just used the ISO format my job would be a lot easier.
As a developer who helped fix the Y2K issues that would have happened at a major bank I am well and truly tired of different date formats.

Re:American Date Format (1)

Crash42 (116408) | about 5 months ago | (#47063985)

If you want to go for the lazy option, use the Dutch system: the tenth of May 2014 is just "ten May two thousand fourteen"
It really is DMY.

Re:American Date Format (1)

RabidReindeer (2625839) | about 5 months ago | (#47065099)

I've heard "10th May, 2014" or even "10 May, 2014". And actually, the common US reference isn't so much "September 11th" as it is "Nine-eleven", written 9/11.

My preferred date format is "2014-05-10". It collates better.

Re:American Date Format (1)

Anonymous Coward | about 5 months ago | (#47062395)

American Date Format :DIE Already!!!!!!!!!!!

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

  • 2013/10/11 - Case disclosed to vendor
  • 2014/02/10 - Vendor confirmed reproduction
  • 2014/04/09 - Original predicted disclosure (180 days)
  • 2014/05/08 - ZDI notified the vendor of the intent to publicly disclose
  • 2014/05/21 - ZDI publicly disclosed

But, otherwise, I don't really see the point.

Re:American Date Format (4, Informative)

compro01 (777531) | about 5 months ago | (#47062931)

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

That's what ISO 8601 specifies. YYYY-MM-DD.

Re:American Date Format (-1)

Anonymous Coward | about 5 months ago | (#47063831)

I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

That's what ISO 8601 specifies. YYYY-MM-DD.

That only appeals to programmers, nobody else will start saying or writing the year first - reversing this to DD-MM-YYYY is the best compromise of logical and sortable structure and what is natural to say and write.

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47065779)

nobody else will start saying or writing the year first

lolwut

You need to get out in the world more.

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47064693)

YYYY-MM-DD is also good for geeks since it matches lexicographical order (earlier dates will come before more recent date). So this is the way to go for file names and anything else where you need to sort by date (which is pretty much everything). None of the other formats (MM-DD-YYYY or DD-MM-YYYY) give sensible results with lexicographical sorting.

Re:American Date Format (1)

Megane (129182) | about 5 months ago | (#47062991)

Right on, and fuck the European date format too. YYYY-MM-DD 4evah!

Re:American Date Format (0)

Anonymous Coward | about 5 months ago | (#47064979)

there is only ONE date abbreviation format which is effectively unambiguous:
THU22MAY2014
see, you can even run it together, and it is totally understandable...
fuck your stupid ambiguous numbers, GIVE ME AN ABBREVIATION WHICH IS UNDERSTANDABLE BY HUMANS, not computers...

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47062071)

Because you can fix it by updating to IE 9. Or IE 10. Or IE 11.

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47062107)

Except under (now unsupported) Windows XP, which Microsoft really wants people to stop using anyway...go figure.

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47062673)

Microsoft has gone above and beyond the call of duty supporting that ancient OS. Anyone who is unwilling to get with the times, either by upgrading to a newer version of Windows or by switching to another modern OS, deserves everything that they get.

Re:why are they taking so long? (1)

BradMajors (995624) | about 5 months ago | (#47062805)

Computers that are still running XP almost certainly can not be upgraded to Windows 7 or 8 because they have additional hardware requirements. Microsoft has failed their customers by not providing a way to upgrade their software and forcing them to stay with XP.

Re:why are they taking so long? (0)

Anonymous Coward | about 5 months ago | (#47062921)

Learn to read.

Anyone who is unwilling to get with the times, either by upgrading to a newer version of Windows or by switching to another modern OS

Also, the Windows 8 system requirements:

1GHz CPU
1GB RAM
16GB hard disk space
DirectX 9 compatible video card

How many computers out there right now do you think fall below those specs? Did you also whine about not being able to run Windows XP on a 386 with 4MB RAM?

Re:why are they taking so long? (1)

wulper (788005) | about 5 months ago | (#47063595)

surely anybody who hasn't updated ie8 until now probably won't install a patch when it comes out either. I didn't think about that.

Re: why are they taking so long? (2)

MotherErich (535455) | about 5 months ago | (#47062385)

Why is anyone still using IE8?

Re:why are they taking so long? (2)

Skarjak (3492305) | about 5 months ago | (#47062561)

To think that my last comment on how there was no reason to use IE in this day and age got modded as flamebait...

Re:why are they taking so long? (3, Funny)

lennier1 (264730) | about 5 months ago | (#47062939)

The NSA probably wanted more time to exploit it.

Enough already (2, Funny)

Anonymous Coward | about 4 months ago | (#47061829)

I've had it. Nothing is secure. Nothing works. I'm going back to an abacus and an Etch-a-Sketch.

Re:Enough already (2)

CFBMoo1 (157453) | about 5 months ago | (#47062135)

I installed an HP Dodo Rockjet Printer with my abacus and the stone tablet prints are really nice quality. Wilma really likes it as well and she prints out all her pictures to it.

Re:Enough already (2)

jones_supa (887896) | about 5 months ago | (#47063873)

You can buy a cheap dodo printer, but the hidden costs are in the crackers, which you need to acquire to keep the printer running. A bag of crackers costs more than the dodo.

0day can happen to anybody (0)

Anonymous Coward | about 4 months ago | (#47061837)

0day can happen to anybody

No no no. (2)

Captain Coolwater (3052217) | about 5 months ago | (#47062363)

It's "640k 0 days should be enough for anybody". I'm not going to tell you again.

October?! (2, Funny)

anarkhos (209172) | about 4 months ago | (#47061861)

Can't Ballmer spare any developers developers developers?

Re:October?! (0)

Anonymous Coward | about 5 months ago | (#47062659)

Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo!

Re:October?! (1)

sjames (1099) | about 5 months ago | (#47065129)

I think they're all lost in the poppies, poppies, poppies!

uhh, it's not 'new' (0)

Anonymous Coward | about 5 months ago | (#47061947)

if microsoft has been sitting on the bug report for six fucking months.. it's an old and ignored bug, certainly not 'new'... although since it's 'out there' now, there will be 'new' malware that utilizes it.

IE EIGHT? (1)

PopeRatzo (965947) | about 5 months ago | (#47062057)

Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

Re:IE EIGHT? (0)

Anonymous Coward | about 5 months ago | (#47062179)

11 actually. My company just dropped IE8 support last month finally. We're one of the last ones to do so, as well.

This is like someone harping on Mozilla for a zero-day found in FireFox 2.0. That's how old IE8 is.

Re:IE EIGHT? (5, Interesting)

xlsior (524145) | about 5 months ago | (#47062239)

Unfortunately, IE 8 is the last version of Internet Explorer that's compatible with Windows XP.... Meaning there are hundreds of millions of computers out there that are vulnerable to this exploit, which can't 'just' upgrade to a newer IE version without paying a hundred bucks to upgrade their entire OS first. Annoyingly, this bug was reported to MS when XP still had 6-7 months of extended support for XP left on their count-down clock. Today, XP is no longer supported and unless this bug starts getting heavily exploited in the wild a fix will probably never come.

Re:IE EIGHT? (0)

Old Fatty Baldman (3630557) | about 5 months ago | (#47062469)

A hundred bucks? Gosh, considering they probably bought Windows XP over a decade ago, they would have needed to save up about 80 cents a month to afford that upgrade. [Shakes fist at those fat cats in Redmond.]

Re:IE EIGHT? (2, Interesting)

Anonymous Coward | about 5 months ago | (#47062551)

Right. And the other $500 for the other puter'. oh, and the $300 for the app upgrades. Oh, and the $100 for a printer that has drivers. Or, M$oft, you could just patch what's broke for the common good. Eventually all good chipsets come to an end, and they move off. But until then...

Re:IE EIGHT? (0)

Anonymous Coward | about 5 months ago | (#47062703)

...or you could just upgrade for the common good, Typhoid Mary. Your shit computer is obsolete, and that's not Microsoft's fault. Do you demand that the dealership stock free parts and provide free repairs for your 15-year-old Geo Metro?

Re:IE EIGHT? (0)

Anonymous Coward | about 5 months ago | (#47063411)

Some enterprise products embed portions of IE for use of rendering various document types instead of writing their own engine or using an available OSS equivalent. The problem with that is you end up with having to upgrade those enterprise products to a version that doesn't break when you upgrade from IE8 to something newer. We have just such a problem where I work now. We haven't upgraded the enterprise product (which I will not divulge) holding us back, because the newer versions of the product do not perform as well as the old product, and we've been waiting for the vendor to fix this in the next release (who knows when that will be). The performance is so horrible, it's just not acceptable, and I'm not sure how anyone else uses this product outside of Citrix let alone inside Citrix. So we have a Citrix environment based on Server 2008R2 which we _should_ be running IE11, but have to stay on IE8 until this last piece of the enterprise puzzle has been upgraded.

Re:IE EIGHT? (2)

blindseer (891256) | about 5 months ago | (#47063491)

Bad car analogy. Software fixes don't take up warehouse space like auto parts, and the incremental cost to patch another computer is so close to zero that computing it would be pointless.

At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

At work we have CNC machines that run XP. They use serial and/or parallel ports to talk to the computer. The software that runs everything is one of a kind. Replacing all of that would cost tens of thousands of dollars that we don't have. They are behind a firewall to keep the shop workers from surfing porn on the computers but the system has to have some access to the internet for some functions.

Microsoft might want to consider extending support for XP because if we cannot get what we need from Microsoft I might be asked for alternatives from the people that run the shop. Considering the cost of Microsoft products I will offer solutions to the powers that be that do not include Microsoft. You may not be bothered by that. I won't be bothered by that. Microsoft should be bothered by this if they are not already.

At work Windows 7 is tolerated. Windows 8 and Vista makes the boss's eye twitch, the GUI bothers him as does the price. No XP could mean no Windows. I'm the new guy on the crew and I'd be happy to suggest Macintosh and Linux solutions. With this coming up my recommendation may come up today. If Microsoft doesn't mind our getting Apples instead of Dells then all is well. If Microsoft wants our money then they will produce a fix so we can keep going.

I'm talking 100+ desktops running XP. If Microsoft says we need to buy Vista or 8.1 to fix our problems then we must look at alternatives. That might mean replacing the Server 2003 systems too. I imagine we are not unique. Microsoft can patch this and keep our business, or not and lose our business.

I'm not demanding they provide a fix, just showing the problems they have if they don't.

Re:IE EIGHT? (1)

reikae (80981) | about 5 months ago | (#47063793)

Will switching to Macs solve the problem though? I was under the impression that Apple supports old OS X versions for a shorter period than Microsoft supports old versions of Windows. Snow Leopard was released in 2009, XP SP3 in 2008. According to Wikipedia Snow Leopard isn't supported anymore, let alone anything released in 2001 when XP first came out.

With a libre software solution you would have the option to pay someone to backport security fixes so you could run the current versions for a long time, but I guess this would be too expensive to do properly.

Re:IE EIGHT? (0)

Anonymous Coward | about 5 months ago | (#47064067)

one Win8.1 license costs approx. 100€ and lasts till 2023, that's less than a euro per month.

Are your bosses so cheap that they can't invest this?

With linux and mac you won't have active directory, so central configuration of the machines is a PITA (or at least expensive in man-hours until it works right), but as always these are costs management won't see. In German those are called "ehda"-costs (because the one doing them is "eh da" (already here)).

Re:IE EIGHT? (1)

LordSnooty (853791) | about 5 months ago | (#47064141)

The car analogy would work if MS were forced to release the source code once their support ends. That's how an old car would be dealt with - parts from the manufacturer until they stop making them, meaning a third party can step in and make the parts if there is a demand for them. The 'open' nature of a car allows this to happen. An open-source OS also permits this. A closed-source OS is different.

Re:IE EIGHT? (0)

Anonymous Coward | about 5 months ago | (#47064343)

That seems as economically prudent as refusing to change the oil in your car until it dies.

Re:IE EIGHT? (1)

chuckugly (2030942) | about 5 months ago | (#47065767)

At home I have four computers that I use that run XP. I keep them around because they have serial ports to talk to my network equipment. Should they die I'd have to obtain serial adapters and software to replace them. What I have is paid for and works so I keep the 15 year old computers working.

At work we have CNC machines that run XP.

And on those machines you surf the WWW using IE?

Re:IE EIGHT? (1)

msobkow (48369) | about 5 months ago | (#47063049)

So use Firefox or Chrome. No big deal.

Re:IE EIGHT? (3, Informative)

xlsior (524145) | about 5 months ago | (#47063353)

So use Firefox or Chrome. No big deal.

Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.

Re:IE EIGHT? (1)

Lennie (16154) | about 5 months ago | (#47064087)

The right answer is:

Stop using IE on Windows XP, use Firefox or Chrome, they get updates.

Or better yet: stop using Windows XP.

Re:IE EIGHT? (1)

Lennie (16154) | about 5 months ago | (#47064121)

Scrap that, if you read the advisory they mention turn off ActiveX.

So basically, it's an ActiveX exploit, so turn that off.

Re:IE EIGHT? (0)

Anonymous Coward | about 5 months ago | (#47062623)

Aren't they on like IE 10 by now? I don't use it so I haven't kept up with it.

Doesn't much matter. It's been a crappy, insecure browser as long as it has existed.

Doesn't matter what OS or browser you use (0)

Anonymous Coward | about 5 months ago | (#47062069)

Face it: There's an element of risk online. Has been for decades. You take your chances. You also take risks like it everyday (driving an automobile for Pete's sake - so let's be realistic here). Just learn to be cautious on how to use any of them more safely.

APK

P.S.=> Use this or the resultant file from it to aid in doing so (it works for added speed, security, reliability, & even anonymity) -> APK Hosts File Engine 9.0++ 32/64-bit: http://start64.com/index.php?o... [start64.com]

... apk

Re:Doesn't matter what OS or browser you use (0)

Anonymous Coward | about 5 months ago | (#47062927)

I gave it a shot in a VM, and my DNS client service takes 10 seconds to start. It also consumes about 80 MB of RAM according to Process Explorer. That's 10 times more than the entire svchost container it runs in consumes without the gigantic hosts file.

I think if you're going to use APK's hosts file, you should run it on an upstream DNS server on your network. This kills a single Windows PC. I don't think the DNS service was designed for such a large hosts file.

JC

PS => Maybe a dedicated linux box running DNS with this hosts file would be good for your network. ... jc

You must not have used my app (0)

Anonymous Coward | about 5 months ago | (#47064081)

It WARNS YOU AT BUILDTIME OF HOSTS TO TURN OFF DNSCACHE in its SAVE tab... thus, you didn't use my app, or you don't read & follow directions.

That's also widely documented online by the way -To turn off usermode slow faulty with large hosts files dnscache service.

* It causes a lag with larger hosts files - it's a KNOWN issue!

(Nice part is that when you turn off dnscache service, you stop that "lag" & also save CPU cycles, RAM, & other forms of I/O it uses: double-bonus!)

APK

P.S.=> I regain indexing lost via its feature that allows "hardcoding" your favorite sites - I do 24 of them here @ the TOP of my custom hosts file... that equates to approximately 2-3 million indexed seeks AND seeks those favorites of yours as FAST as possible cached into RAM via the kernelmode diskcaching subsystem working in combination with TCP/IP itself also in PnP kernelmode design (higher CPU priority privilege than usermode, thus faster) in combination with DNSSEC secured EXTERNAL OpenDNS... apk

IE8 Last for Windows XP (3, Interesting)

BBCWatcher (900486) | about 5 months ago | (#47062121)

Internet Explorer 8 was the last Internet Explorer available for Windows XP. Was Microsoft tempted to ignore the security exposure until XP fell out of support? Are there other security vulnerabilities in Windows XP reported before April, 2014, that Microsoft has ignored? Will Microsoft ignore (or at least slow walk) reported security vulnerabilities in their other products as they get nearer (but not actually reach) their end of support dates?

These continuing security defects are really beyond ridiculous. Maybe regulators -- the European Commission? -- ought to be mandating that vendors fix security vulnerabilities in their products within, say, 120 days. That would extend to all products sold (refurbished, new, whatever) within the past, say, 7 years. Otherwise, the vendor will be automatically barred from selling anything unless and until their security messes are cleaned up.

Re:IE8 Last for Windows XP (0, Troll)

cavreader (1903280) | about 5 months ago | (#47063061)

Oh by all means let's get the government bureaucrats involved in policing software security. What could possibly go wrong? Stop looking to the government to protect you and start taking some responsibility for your own actions. You want guaranteed online security then just unplug your network cable because that is the only thing that will make you 100% secure from online attacks. There is not a browser on the market that doesn't have exploitable flaws if you're really smart, motivated, and look hard enough. But alas even unplugging can be circumvented by simply inserting a USB drive of questionable origin into your system. Stuxnet infected the Iranian system using an infected USB drive in combination with the good ole sneaker net. If unplugging is not practical for you then you can start paying attention and stop clicking on links in the unsolicited e-mails you receive. Make sure your computer has a properly configured firewall. Use script inhibiting add-ons for your browser. Make sure your user accounts are properly privileged instead of running everything as an administrator. Setup a proxy if you want to make it harder for someone looking to infringe your anonymity. Even these precautions can be circumvented by falling for online social engineering attacks. Which by the way is the primary vector used today for bootstrapping malware.

Re:IE8 Last for Windows XP (0)

The Cisco Kid (31490) | about 5 months ago | (#47063511)

Or people could just quit using this crap.

Re:IE8 Last for Windows XP (1)

AmiMoJo (196126) | about 5 months ago | (#47063761)

You would be crazy to run IE8 on XP anyway. A vulnerability like this on Vista or later wouldn't be such a big deal because IE runs with low permissions, so the arbitrary code can't do much other than screw with IE itself. DEP probably mitigates it a lot too.

XP is fucked from a security point of view. Sorry, but it just is, and we need to move past it.

Re:IE8 Last for Windows XP (1)

gradinaruvasile (2438470) | about 5 months ago | (#47064759)

Well there are plenty of user-level malware programs out there - typically ransomware run with user level privileges (admin is a bonus, but to screw up the current user, it's not necessary). For example, cryptolocker can work without administrative permissions too since it messes up your personal files.

Do NOT use Microsoft products (1)

Anonymous Coward | about 5 months ago | (#47062153)

They give NSA all of their backdoors months in advance. Do not use Microsoft products!

Who thinks we are really safe today online? (1)

0x537461746943 (781157) | about 5 months ago | (#47062155)

It is really a sad state that computer systems are in nowadays. Every year multiple vulnerabilities are published showing how easy it is for someone to find critical vulnerabilities in software used every day by citizens and government officials. I bet the NSA is into Chinese government systems and China already has access to American government systems. The underground hacker/criminal scene certainly already has access to corporate and government systems too if you think about how many vulnerabilities are found every year and the underground market to sell not yet published vulnerabilities. Obviously not only the good guys who publish the vulnerabilities find vulnerabilities. I wonder what the ratio is but I bet the good guys don't have that much of a lead. Maybe we are going about this wrong and instead of making people think they are secure they should assume all governments are not secure. This would bring about a cold war. China won't critically bring down American government systems because they know that America would just do the same to them :). With articles being published that show that the NSA is putting trojan software in exported systems you can certainly bet that other countries are doing the same. Are you sure that USB drive you ordered from China is only a USB drive? We need a revolution in computing when it comes to security. While we have seen improvements in security over the years we don't seem any closer to solving security issues than we were 10 years ago when it comes to the apps that everyday users use.

Re:Who thinks we are really safe today online? (0)

Anonymous Coward | about 5 months ago | (#47062335)

"Are you sure that USB drive you ordered from China is only a USB drive?"

Yes, honey, the package I received today was a Chinese made USB drive.

(snickers) "It was a Fleshlight!"

Have we forgotten how to hyphenate? (1)

Anonymous Coward | about 5 months ago | (#47062311)

What's with all the illiteracy these days? It's not a "zero day"; it's a "zero-day". Zero-day is an adjective and must be hyphenated.

Zero-day attack [wikipedia.org]

Ain't that the last IE that works on XP? (0)

Anonymous Coward | about 5 months ago | (#47062315)

Up shit creek w/o paddle.
Somebody done burned old dixie down.

It is not a zero day. (5, Funny)

140Mandak262Jamuna (970587) | about 5 months ago | (#47062441)

According to the timeline it is a -180 day.

Re:It is not a zero day. (1)

PhilHibbs (4537) | about 5 months ago | (#47063565)

Has it been exploited? A zero-day attack is an exploit on the same day that the information is released. No-one has said anything about an attack. If it gets attacked today, it's a zero-day. If it's already been attacked, then it's an already-exploited vulnerability, there's no point in attaching positive or negative numbers to it. An exploited bug that never gets detected would be a minus infinity day attack!!!! Anyway that's a "zero-day attack", I don't know what a "zero-day vulnerability" is, the term doesn't make any sense. I think people are just saying "zero day" because it sounds cool.

Re:It is not a zero day. (1)

140Mandak262Jamuna (970587) | about 5 months ago | (#47064015)

Very true. The way the term originated, if an attack is mounted today it would be a 180 day attack. N day attack originally meant the number of days it took for someone to exploit a vulnerability after it was known. But when you are shooting for funny ....

Huh? Naming problem? (1)

grep -v '.*' * (780312) | about 5 months ago | (#47062607)

"Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 ... The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch.

So then wouldn't that make it a minus 180 day vuln instead? </snark>

Oh -- it was found 180d ago so that'd be a plus 180. Wrong orientation base there, sorry.

Don't blink this time MS (4, Interesting)

Dega704 (1454673) | about 5 months ago | (#47062625)

Honestly, I hope they do not release a patch so that all of the sysadmins they turned into liars with the last one can get some of their credibility back.

Re:Don't blink this time MS (2, Funny)

Anonymous Coward | about 5 months ago | (#47062917)

Fuck you! XP FOREVER!!!!!

Everyone should stop using Internet Explorer (1)

Anonymous Coward | about 5 months ago | (#47062761)

Doesn't matter even if it is a newer version e.g. IE10, IE11.

If you're in a corporate environment and some legacy in-house apps only play nice with IE, cough out some money and upgrade or port those apps.

It's time to let IE go the way of Realplayer: once annoyingly ubiquitous, now a mere footnote in tech history.

Zero Day? Duh... (1)

Anonymous Coward | about 5 months ago | (#47063127)

OK, first I was confused because I read IE 8 as Windows 8.

So a bug is discovered in IE 8, which has been deployed for a long time... but...

Somehow the meaning of "Zero Day" has changed over the last few years. It used to mean a vulnerability that was discovered before a version of software even went live.... ouch.

Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

Re:Zero Day? Duh... (1)

Teresita (982888) | about 5 months ago | (#47065219)

Now the definition on wikipedia seems to pretty much include ANY vulnerability that hasn't been patched. So by definition ALL vulnerabilities are "zero day" until the vendor releases a patch... so therefore to add the "zero day" adjective in this context is meaningless...

And a "new" zero day at that. That's a relief, it could have been an old one.

TAG: NOTNEWS (0)

The Cisco Kid (31490) | about 5 months ago | (#47063509)

IE is a vulnerable pile of crap and always will be.

Everyone that doesn't live under a rock already knows this.

No amount of "ZOMG! NEW HACK FOUND IN IE!" announcements is going to get through the skulls of those that still use it.

Please, no more stories about IE vulnerabilities. Consider it a standing notice "IE is a POS"

Re:TAG: NOTNEWS (0)

Anonymous Coward | about 5 months ago | (#47063955)

It's not a complete pile of crap anymore. It's very fast, multithreaded, secure, runs web pages in a sandboxed environment, has excellent zooming functionality, and very responsive touchpad pixel scrolling. Did I mention that it also makes coffee and a beautiful serving of ice cream with tropical fruits?

Take a look at the vulnerabilities databases. There are terrible vulnerabilities found in other browsers all the time too, but because they are based on open source code, Slashdot does not report them.

Windows Update still broken for many (0)

Anonymous Coward | about 5 months ago | (#47064227)

I'm a sales guy at a soon to be bankrupt company who has been tasked with light IT work because the boss is too cheap to hire a real one. Finally scared him enough to upgrade to Win7 (and pay for it lol). Everything went great, updates/drivers seemed to install fine. All of them except for Internet Explorer! To which Windows Update says Error(s) found Code 9C59 Windows Update has encountered an unknown error. Spent a month on MS forums doing all kinds of voodoo and fixes, still nothing. Offline installer package gives same thing. New updates download and install just fine, but we're doing all our business on IE 8 which is insane. Anyone run into this lately?

IE8 (1)

A Non-MS Coward (570972) | about 5 months ago | (#47064705)

In IE8, Internet explores YOU.