Internet Explorer users have been told many times by many sources (including my blog): ditch IE and switch to another browser, pronto. There is a new serious hole that is exploitable simply by visiting a malicious website: the site owner can take control of the computer used for surfing. This critical zero-day bug in Internet Explorer is under active attack. It is claimed that this IE exploit was created by the same group that recently released a Java zero-day into the wild.
The attack works on IE 7 through 9 running on XP, Vista and Windows 7. This is one of the few times that a single vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. There is no patch for this yet.
Microsoft recommendations for this problem:
Install Enhanced Mitigation Experience Toolkit
Set the IE security level for the Internet and local intranet zones to “High.”
My recommendations:
Do not use Internet Explorer. Get rid of IE now! Use a safer browser like Firefox or Chrome. While every browser has its security issues, those are considerably safer alternatives.
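To check whether the "High" zone setting recommended above is actually in effect for the current user, the following PowerShell audit can be used. It is an added example, not code from Microsoft or from this post; the function name Get-IEZoneAudit is made up for illustration, and the registry values it reads are the per-user URL security zone settings (zone 1 = Local intranet, zone 3 = Internet).

```powershell
# Added example: audit the per-user IE security zone settings that the
# "set the Internet and local intranet zones to High" advice changes.
# Get-IEZoneAudit is a hypothetical helper name, not a built-in cmdlet.

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers used by the URL security zone registry layout.
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# CurrentLevel template values; 0 means the zone uses custom settings.
$LevelNames = @{
    0x00000 = 'Custom'
    0x10000 = 'Low'
    0x10500 = 'Medium-low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-high'
    0x12000 = 'High'
}

# The two URL actions that matter most for a script-driven browser exploit.
$Actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$ActionValues = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEZoneAudit {
    param([int[]]$Zone = @(1, 3))

    foreach ($z in $Zone) {
        $props = Get-ItemProperty -Path "$ZonesKey\$z" -ErrorAction SilentlyContinue

        # Resolve the zone's template level, tolerating a missing key or value.
        $levelRaw = if ($props) { $props.CurrentLevel } else { $null }
        $level = if ($null -eq $levelRaw) { 'Not set' }
                 elseif ($LevelNames.ContainsKey([int]$levelRaw)) { $LevelNames[[int]$levelRaw] }
                 else { 'Unknown (0x{0:X})' -f [int]$levelRaw }

        # Resolve each URL action; a template level can be overridden per action.
        $state = @{}
        foreach ($id in $Actions.Keys) {
            $raw = if ($props) { $props.$id } else { $null }
            $state[$id] = if ($null -eq $raw) { 'Not set' }
                          elseif ($ActionValues.ContainsKey([int]$raw)) { $ActionValues[[int]$raw] }
                          else { "Other ($raw)" }
        }

        # The zone matches the advice only if the level is High and neither
        # scripting nor ActiveX has been re-enabled afterwards.
        $ok = ($level -eq 'High') -and
              ($state['1200'] -eq 'Disabled') -and
              ($state['1400'] -eq 'Disabled')

        [pscustomobject]@{
            Zone            = $ZoneNames[$z]
            Level           = $level
            ActiveX         = $state['1200']
            ActiveScripting = $state['1400']
            MatchesAdvice   = $ok
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```

Zone settings enforced through Group Policy live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones and take precedence over these per-user values, so on a managed machine check that location as well.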
41 Comments
Tomi Engdahl says:
Microsoft was quick to react to this IE problem:
Microsoft issues a rebootless ‘Fix’ to the Internet Explorer security weakness
http://thenextweb.com/microsoft/2012/09/20/microsoft-issues-rebootless-fix-internet-explorer-security-weakness/
The company adamantly states that few users were in fact harmed, but does acknowledge the potential for further infections. Microsoft has now planned a security update for this Friday that will be ‘cumulative.’
Tomi Engdahl says:
Internet Explorer Fix it available now; Security Update scheduled for Friday
http://blogs.technet.com/b/msrc/archive/2012/09/19/internet-explorer-fix-it-available-now-security-update-scheduled-for-friday.aspx
Earlier this week, an issue impacting Internet Explorer affected a small number of customers. The potential exists, however, that more customers could be affected. As a result, today we have released a Fix it that is available to address that issue.
Tomi Engdahl says:
Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution
http://support.microsoft.com/kb/2757760
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:
http://technet.microsoft.com/security/advisory/2757760
The “Prevent Memory Corruption via ExecCommand in Internet Explorer” Fix it solution that is described in this section is not intended to be a replacement for any security update.
Tomi Engdahl says:
Redmond promises emergency IE bug fix on Friday (zero day + 5)
Keep calm and carry on, advise security types
http://www.theregister.co.uk/2012/09/20/ie_zero_day_latest/
Microsoft is promising to release an emergency patch that tackles a zero-day vulnerability in Internet Explorer on Friday.
In the meantime, the software giant is pointing customers towards a temporary fix, issued on Wednesday.
“The decision on whether to deploy the FixIt or whether to wait for the final patch should take into account that attacks are not widespread yet; currently attacks using the vulnerability continue to be of the targeted type with low infection rates reported,” Kandek writes.
The exploit has been tied to the Chinese hackers behind the recent infamous Java zero-day flaw.
A German government agency advised citizens to avoid browsing the web with internet Explorer until the software was properly patched.
The Federal Office for Information Security (BSI) advised consumers and business to switch to alternative browsers instead.
Tomi Engdahl says:
Another good reason to switch from IE to some other better browser:
Microsoft Said to Face EU Antitrust Complaint on Browser Choice
http://www.bloomberg.com/news/2012-09-18/microsoft-said-to-face-eu-antitrust-complaint-on-browser-choice.html
European Union regulators are preparing an antitrust complaint over Microsoft Corp. (MSFT)’s failure to comply with a settlement to give users a choice of web browsers, according to two people familiar with the matter.
The Redmond, Washington-based company agreed to offer access to rival browsers as a part of a 2009 settlement to repair its relationship with the bloc’s regulators. It told regulators last December that it was complying with its commitments.
The company said it only learned in July that it didn’t offer its browser choice software to some 28 million computers running Windows 7 Service Pack 1, or 10 percent of the computers that should have received it. It blamed a technical error and said it has already started distributing a fix.
Under the terms of Microsoft’s 2009 pledge, consumers who buy personal computers were given a choice of the 12 most widely used browsers to install in addition to, or instead of, Microsoft’s Internet Explorer.
Tomi Engdahl says:
Microsoft Security Bulletin MS12-063 – Critical
Cumulative Security Update for Internet Explorer (2744842)
http://technet.microsoft.com/en-us/security/bulletin/ms12-063
Tomi Engdahl says:
The following article (written in Finnish) talks about the IE security problem and the fix for it. It contains a good drawing of how the attack works.
Microsoft released a critical emergency fix
http://www.tietokone.fi/uutiset/microsoft_julkaisi_kriittisen_hatakorjauksen
Tomi Engdahl says:
‘IE hit squad’ helps ease browser babel on office PCs
Used to be all (Microsoft green) fields round here
http://www.theregister.co.uk/2012/10/31/browsium_cross_platform_browsers/
A browser start-up is building software to help large operations manage the increasing breakdown in dominance of Microsoft’s Internet Explorer and the proliferation of various other browsers in the workplace.
Internet Explorer hit squad Browsium has announced beta availability of Catalyst, software that manages the creeping penetration of Firefox and Chrome onto work PCs and devices.
Catalyst allows organisations to run Firefox and Chrome on enterprise machines – in addition to IE – without exposing important applications and machines to attack from the web, and without the additional cost of training and supporting end-users.
Catalyst works by directing the browser that the end user is running to the “right” application or website. The “right” app or site is defined in the Catalyst configuration manager; you set the default browser for a given type of traffic, with Catalyst executing the rules.
To get around this so far, Schare reckoned organisations have been putting in manual places to support mixed browser environments but that these end up costing time and money because they don’t work.
Through his engagements, Schare said he has found organisations using training to get around the cross-platform issue: telling users the sites they can access on a browser-by-browser basis but, he says, this breaks down and people end up calling the support desk.
This happens because Firefox and Chrome don’t support Microsoft’s ActiveX controls, so sites optimised for Microsoft’s browser won’t render the same way in Firefox or Chrome – they will appear broken, and would need to be tweaked by IT.
“Catalyst is a way of avoiding help-desk calls and avoiding security crises,” Schare said.
Google, too, has helped complicate things: Google in 2009 released a plug in for IE called Chrome Frame that gave IE the Chrome rendering and JavaScript engines.
Tomi Engdahl says:
Mozilla: Browser Ballot Glitch Cost Us 9m Firefox Downloads
http://yro.slashdot.org/story/12/11/01/1222205/mozilla-browser-ballot-glitch-cost-us-9m-firefox-downloads
“Microsoft’s failure to include the EU browser ballot in Windows 7 SP1 cost Mozilla as many as 9 million Firefox downloads, the organisation’s head of business affairs revealed. Harvey Anderson said daily downloads of Firefox fell by 63% to a low of 20,000 before the ballot was reinstated, and after the fix, downloads jumped by 150% to 50,000 a day. Over the 18 months the ballot was missing,”
“The EU is currently investigating the ‘glitch,’ and Microsoft faces a massive fine for failing to include the screen,”
Tomi Engdahl says:
MS plugs ‘highly exploitable’ IE 9 hole in November Patch Tuesday
http://www.theregister.co.uk/2012/11/14/nov_patch_tuesday/
November’s Patch Tuesday brought six updates, four of them critical, starring fixes for Windows 8 and a patch that addresses a highly exploitable vulnerability in IE 9.
Vulnerability management firm Qualys rates the Internet Explorer update (MS12-071) as easily the most urgent. Left unpatched, the set of four flaws easily lend themselves to exploitation through drive-by download style attacks. Microsoft rates its exploitability as “1,” which means that it is relatively easy to develop malicious code.
“We think any vulnerability in a popular application that allows Remote Code Execution should be high on any IT administrator’s list to fix,”
“Much of the core operating system is reused from version to version, even in new releases, and all software has bugs,” Storms said. “These factors, combined with security researchers that love to find and report bugs in the latest software version, are reasons for the number of bulletins for Windows 8. This should surprise no one.”
Tomi Engdahl says:
Internet Explorer becomes Korean election issue
Presidential candidate promises to kill crypto standard locking nation into IE
http://www.theregister.co.uk/2012/11/14/ahn_lab_internet_explorer_seed_replace_korea/
Microsoft’s Internet Explorer market share may soon take a tumble in South Korea if presidential candidate Ahn Cheol-soo wins looming elections. The hot seat hopeful plans to abolish an anachronistic government crypto standard which has effectively locked users into Internet Explorer for over a decade.
At the tail end of the 1990s, the Korean government decided in its wisdom to develop a home-grown 128-bit SSL encryption standard to increase security around e-commerce.
SEED, as it was known, was then mandated for all online transactions.
The only problem with this new system was that it requires users to install Microsoft ActiveX plug-in to work and therefore needs Internet Explorer.
The result: a decade-long monopoly for IE as banking, shopping and other transactional sites were optimised specifically and exclusively for the Microsoft browser.
Although SEED was made non-mandatory back in 2010, its use is still widespread because the government-led approvals process for alternatives is so rigorous, according to Korea Times.
Tomi Engdahl says:
If you can’t get rid of IE completely, then you might consider updating to the newest version:
IE 10 Almost Finished For Windows 7 With Final Preview
http://tech.slashdot.org/story/12/11/15/007245/ie-10-almost-finished-for-windows-7-with-final-preview
“IE 10 just hit the final preview yesterday for Windows 7. Windows XP and Windows Vista support has been dropped.”
“IE 10 is supposed to continue the new process and promises to be much faster and support more HTML 5, CSS 3, W3C HTML 5.1 and CSS 3.1 with a score of 320 on HTML5test.”
Tomi Engdahl says:
Internet Explorer Data Leakage
http://spider.io/blog/2012/12/internet-explorer-data-leakage/
On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.
Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.
The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.
Tomi Engdahl says:
Internet Explorer tracks cursor even when minimised
Keep calm: it’s only being exploited by adware blood-suckers … probably
http://www.theregister.co.uk/2012/12/12/ie_stupidly_exposes_cursor_movements/
Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated
“An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” the company writes. “The vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month.”
The 21-lines-of-code exploit posted by spider.io demonstrates that JavaScript in any Webpage, or any iframe, can poll for the position of the mouse cursor via fireEvent(), because IE “populates the global Event object with some attributes relating to mouse events, even in situations where it should not”.
The Register wouldn’t anticipate a fix in a hurry, since the fix would devalue a couple of billion ad-clicks.
Tomi Engdahl says:
Possible IE bug would let hackers track mouse moves
http://news.cnet.com/8301-1009_3-57559135-83/possible-ie-bug-would-let-hackers-track-mouse-moves/
Microsoft is investigating a researcher’s assertion that all versions of the Web browser are vulnerable to a flaw that allows attackers to track cursor movements on the screen, even if the browser window isn’t in use.
The alleged flaw, which security firm Spider.io says it discovered a few months ago, compromises the security of virtual keyboards and virtual keypads in all supported versions of the browser since IE6, the security firm reports.
“As long as the page with the exploitative advertiser’s ad stays open — even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer — your mouse cursor can be tracked across your entire display,” the security firm said in a statement.
Even the security-conscious are at risk of having their cursor movements recorded, Spider.io warned. “An attacker can get access to your mouse movements simply by buying a display ad slot on any Web page you visit,” the security firm warned, adding that any site from YouTube to The New York Times would be a possible attack vector due to ad exchange activity.
At least two display ad analytics companies are exploiting the suspected vulnerability to see what people are looking at online, Spider.io said.
Tomi Engdahl says:
Microsoft does not consider Internet Explorer cursor tracking a big issue:
Update to Alleged Information and Security Issue with Mouse Position Behavior
http://blogs.msdn.com/b/ie/archive/2012/12/13/update-to-alleged-information-and-security-issue-with-mouse-position-behavior.aspx
Over the last few days we’ve seen reports alleging abuse of a browser behavior regarding mouse position. Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy.
We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.
Online advertisers started a shift (link) “from a ‘served’ to a ‘viewable’ impression[s].”
The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft’s security team has discussed with researchers across the industry. We take these risks very seriously. Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine.
Tomi says:
Microsoft releases temporary fix for vulnerability in IE6, IE7, and IE8; security patch coming soon
http://thenextweb.com/microsoft/2012/12/31/microsoft-releases-temporary-fix-for-vulnerability-in-ie6-ie7-and-ie8-security-patch-coming-soon/
Microsoft on Monday released a temporary one-click “Fix it” tool for old versions of Internet Explorer. Running it will prevent the recently-discovered vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user’s ability to browse the Web. Unlike an actual patch for the browser, a reboot is not required.
Microsoft says it has “observed only a few attempts to exploit this issue” but it is still encouraging all users of its browser to apply the Fix it solution. As we reported on Saturday when the security hole was first discovered, IE9 and IE10 are not affected.
Tomi Engdahl says:
Microsoft flings out emergency patch for latest gaping IE hole
Monday ‘fun’ for sysadmins
http://www.theregister.co.uk/2013/01/14/ms_emergency_ie_patch/
Microsoft has announced plans to release an out-of-band patch today tackling a critical zero-day hole in Internet Explorer.
The update will almost certainly tackle an unpatched remote-code execution flaw in earlier versions of IE (detailed in Microsoft Security Advisory 2794220) that has become the target of hacker attacks since late December.
For now, Redmond only says the flaw is critical, as per its standard practice of not going into details ahead of actually publishing a security patch. Microsoft advises customers to apply the critical patch immediately.
Several websites have already been compromised to spread malware exploits based on the vulnerability in IE 6,7 and 8. Users could safeguard themselves by either updating to IE 9 and 10 or using an alternative browser.
Microsoft published a temporary FixIt tool to protect against this vulnerability but security researchers found this defence was far from bullet-proof.
Tomi Engdahl says:
IE Standardization Fading Fast
http://slashdot.org/story/13/02/14/2352235/ie-standardization-fading-fast
“Just as Internet users in general have defected in huge numbers from Microsoft Internet Explorer over the past several years, the business world, as well, is becoming less dependent on the venerable browser. Companies that used to mandate the use of IE for access to web resources are beginning to embrace a far more heterodox attitude toward web browsers.”
Tomi Engdahl says:
jQuery 2.0 kicks old Internet Explorer versions to the curb
Leaner, faster code base for ‘the modern web’
http://www.theregister.co.uk/2013/04/19/jquery_2_drops_old_ie_support/
Popular JavaScript library jQuery has reached version 2.0, and as expected, the new release drops support for older versions of Internet Explorer, including IE 6, 7, and 8.
“jQuery 2.0 is intended for the modern web; we’ve got jQuery 1.x to handle older browsers and fully expect to support it for several more years,” the project’s Dave Methvin said in release notes posted to the jQuery Foundation website on Thursday.
By some counts, jQuery is now used on more than 50 per cent of all websites, making it much more popular than competing frameworks such as Dojo, MooTools, Prototype, or the YUI Library.
Tomi Engdahl says:
Patch Tuesday: And EVERY version of IE needs fixing AGAIN
Adobe, VMware join Microsoft in the stocks this month
http://www.theregister.co.uk/2013/06/12/ms_june_patch_tuesday/
June’s Black Tuesday patch update from Microsoft has rolled into town with five bulletins, including a solitary critical update that tackles flaws in all supported versions of Internet Explorer.
The IE update (MS13-047) grapples with 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, on all supported versions of Windows, from XP to RT. It’s just the sort of thing that might be latched onto by hackers as part of drive-by-download attacks, based on malicious scripts on compromised websites, and therefore needs to be patched sooner rather than later.
Tomi Engdahl says:
Zero day IE flaw exploited in targeted attacks. Microsoft releases temporary fix
http://grahamcluley.com/2013/09/serious-flaw-exploited-targeted-attacks-microsoft-temporary-fix/
Microsoft has released an emergency workaround for users of Internet Explorer, to protect against a “limited number” of targeted attacks being specifically directed at IE 8 and IE 9 – but which could potentially affect all versions of the web browser.
Tomi Engdahl says:
The legacy IE survivor’s guide: Firefox, Chrome… more IE?
Ask yourself, how many times do you want to rewrite?
http://www.theregister.co.uk/2013/10/10/ie6_migration_guide/
Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That’s when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.
Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain’s taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.
That’s despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.
Those on IE7 and IE8 are relatively safe – until support for these browsers’ release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft’s “extended support mode” – same as IE6. Extended support means you get the security fixes – for now.
It’s time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 – after all, it’s been nearly 15 years now, haven’t attackers found all the vulnerabilities out there already? And just because you’ve got three to four more years doesn’t mean IE7 and IE8 people shouldn’t pay attention, too.
The problem on IE6 is, even if that were true – and it’s not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.
“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities.”
In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won’t necessarily be vulnerable to them all, but all it takes is one.
If you’ve long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP.
Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Windows XP’s default browser.
The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards.
IE6 used Microsoft’s Trident rendering engine, optimised in a typically Microsoft way to play Microsoft’s Active X framework for the web, which updated the company’s existing COM and OLE diagramming software.
When Windows XP is swept into the dustbin of computing history, there’s an excellent argument for writing apps that conform to web standards rather than the browser du jour.
Out on the web, this lesson was learned the hard way when IE6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards.
If you’ve got legacy apps that require IE6, here’s the good news: if – and when – you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants.
As far as Microsoft shops are concerned, if you’re on IE6 you’re long out of luck and when it comes to using Google’s apps and you should forget IE8, too. Support for IE8 on apps finished on 11 November, 2012. Support for Google Analytics will stop at the end of this year.
There is an option for older apps. Google recently upped the ante for enterprise, offering the Chrome Legacy Browser Support extension. The Chrome Legacy Browser Support extension lets you upgrade to Google Chrome while still opening your legacy IE apps.
Tomi Engdahl says:
Internet Explorer 11 BREAKS Google, Outlook Web Access
The Windows 8.1 train wreck rollout continues apace
http://www.theregister.co.uk/2013/10/21/internet_explorer_11_breaks_google_outlook_web_access/
The Windows 8.1 rollout has hit more hurdles: the new version 11 of Internet Explorer that ships with the operating system does not render Google products well and is also making life difficult for users of Microsoft’s own Outlook Web Access webmail product.
The latter issue is well known: Microsoft popped out some advice about the fact that only the most basic interface to the webmail tool will work back in July. It seems not every sysadmin got the memo and implemented Redmond’s preferred workarounds, but there are only scattered complaints out there, likely because few organisations have bothered implementing Windows 8.1 yet.
The Google problem is making greater waves because the company’s search engine often renders badly
Microsoft’s blaming Google for the problem
Tomi Engdahl says:
South Korea is stuck with Internet Explorer for online shopping because of security law
http://www.washingtonpost.com/world/asia_pacific/due-to-security-law-south-korea-is-stuck-with-internet-explorer-for-online-shopping/2013/11/03/ffd2528a-3eff-11e3-b028-de922d7a3f47_story.html
South Korea is renowned for its digital innovation, with coast-to-coast broadband and a 4G LTE network that reaches into Seoul’s subway system. But this tech-savvy country is stuck in a time warp in one way: its slavish dependence on Internet Explorer.
For South Koreans who use other browsers such as Chrome or Safari, online shopping often begins with a pop-up notice warning that they might not be able to buy what they came for.
“Purchases can only be made through Internet Explorer,” says one such message on the Web site of Asiana Airlines, one of South Korea’s two major carriers.
But South Koreans remain captive to laws passed 14 years ago, which — in the name of Internet security — require citizens to bank and make nearly all purchases with Internet Explorer. Three-quarters of the country’s Web usage involves Internet Explorer, according to a measurement by the Web analytics firm StatCounter — among the highest in the world.
“Internet Explorer has bugs. It freezes. It requires all these annoying updates,” said Lee Dong-won, a 35-year-old businessman.
“But everybody I know uses it,” said Seo Yeon-ho, a 25-year-old design student.
Those with computers that run Windows have no problem; even if they otherwise browse through Chrome or Firefox, they can double-click on IE when it’s time to make purchases.
But those with Apple computers — for which IE isn’t available — have it harder.
The story of how South Korea became dependent on Internet Explorer begins in the late 1990s.
South Korea’s government was among the first to encourage shopping and banking online, but many people were concerned about Internet safety.
To reassure South Korean customers, the government created its own system to authenticate the identities of online buyers. To make purchases, shoppers had to supply their names and social security numbers and apply for government-issued “digital certificates,” which they could present to sellers as proof of ID. The whole process took just a few clicks.
But the back-and-forth was technologically complicated, and it came with a catch: It required a piece of additional software, or “plug-in,” known as ActiveX — which is also made by Microsoft and worked in tandem only with Internet Explorer.
That system, implemented in 1999, remains largely in place today.
The certificates are not necessary on international sites such as eBay and Amazon.com, in which credit card information is passed from buyer to seller — and verified by a third, private party — with technology built into Web browsers.
South Korean Internet security officials insist that the certificates are necessary to maintain trust on the Web, though they recently approved two approaches — rarely used — for smaller purchases that don’t require ActiveX.
Many South Koreans say they are happy, in theory, to trade a little inconvenience for the sake of security. But critics here argue that the dependence on Internet Explorer has actually made the nation more vulnerable to malware. They point to a string of massive data thefts and cyberattacks in recent years.
In current versions of Internet Explorer, Web surfers must approve the use of ActiveX by clicking “Yes” to a question asking whether to proceed.
In South Korea’s National Assembly, a small group of lawmakers is pushing a bill to loosen the security laws. “We’ve fallen behind the times, and we’re clinging to an old tech trend,”
Tomi Engdahl says:
Ditch IE7 and we’ll give you a FREE COMPUTER, says incautious US firm
Cheaper than supporting Microsoft’s 7-year-old browser
http://www.theregister.co.uk/2014/01/30/new_computer_for_ie7/
Internet Explorer 7 holdouts are being offered a brand new computer by a US company sick of working to support Microsoft’s legacy browser.
Following a new website launch, NursingJobs.us has determined it is cheaper to buy each customer using IE7 a brand new computer running a “modern” browser rather than making its slick new site IE7 compatible.
“We are offering to buy a new computer with a modern browser for any of our customers who are stuck with IE7. We determined that it would cost us more to support a browser from 2006 in 2014 and beyond than it would to help our clients upgrade their legacy hardware.”
Tomi Engdahl says:
Every time I think Microsoft has their browser house in order, and it might be safe to use IE occasionally, stuff like this hits the fan:
New IE 10 Zero-Day Used in Watering Hole Attack Targeting U.S. Military
http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars’ website.
Dubbed “Operation SnowMan” by FireEye, the attack targets IE 10 with Adobe Flash.
Tomi Engdahl says:
IE Vulnerability Exposing Banking Logins, Spreading Rapidly
http://tech.slashdot.org/story/14/02/26/1447222/ie-vulnerability-exposing-banking-logins-spreading-rapidly
“A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly.”
budget travel tips says:
I find it very clear and informative, and it helped me a lot to understand the actual logic behind the scene, thanks
Tomi Engdahl says:
App designer turns Microsoft’s own ‘kill IE6’ campaign against IE8, IE9
Microsoft ‘standing in the way’ of new Web features, argues designer behind theie8countdown.com
http://www.computerworld.com/s/article/9238064/App_designer_turns_Microsoft_s_own_kill_IE6_campaign_against_IE8_IE9
A Web and app designer has stolen a page out of Microsoft’s own playbook in urging users to abandon three of the company’s four newest browsers because Microsoft is “standing in the way” of progress.
Josef Richter, formerly a website designer who now works primarily on iPhone app design, registered a quartet of domains two years ago — including theie8countdown.com — just a day after Microsoft debuted its own Internet Explorer 6 (IE6) deathwatch at ie6countdown.com.
Tomi Engdahl says:
Stop using Microsoft’s IE browser until bug is fixed, US and UK warn
April 28, 2014
http://www.cnet.com/news/stop-using-ie-until-bug-is-fixed-says-us/
In a rare move that highlights the severity of the security hole in one of the Web’s most popular browsers, the US Computer Emergency Readiness Team and its British counterpart tell people to stop using Internet Explorer until Microsoft can fix it.
It’s not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability that affects all major versions of the browser from the past decade has forced it to raise an alarm: Stop using IE.
The zero-day exploit, the term given to a previously unknown, unpatched flaw, allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer.
Tomi Engdahl says:
Windows XP die-hards can slash attack risk by dumping IE
Microsoft’s patch stats support advice to switch to another browser
http://www.computerworld.com/s/article/9248277/Windows_XP_die_hards_can_slash_attack_risk_by_dumping_IE?taxonomyId=125&pageNumber=1
By switching to a non-Microsoft browser, Windows XP users can halve the number of vulnerabilities that apply to the OS, according to a survey of flaws Microsoft fixed in the second half of 2013.
The statistics support the advice from security professionals, who have recommended users run a rival browser to avoid some of the attacks aimed at their unprotected PCs.
Tomi Engdahl says:
Microsoft To Drop Support For Older Versions of Internet Explorer
http://it.slashdot.org/story/14/08/07/230210/microsoft-to-drop-support-for-older-versions-of-internet-explorer
After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, 9, or 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support.
Tomi Engdahl says:
Now even Internet Explorer will throw lousy old Java into the abyss
Out-of-date, unsafe ActiveX controls to be blocked starting next week
http://www.theregister.co.uk/2014/08/07/ie_out_of_date_activex_control_blocking/
Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it’s got its eye set squarely on Java.
Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.
The change mirrors similar features found in competing browsers, including Chrome and Firefox, both of which already block out-of-date and unsafe plugins.
Microsoft will maintain the list of verboten ActiveX controls itself
What’s interesting, though, is that when the blocking feature launches later this month, Redmond’s blacklist will consist of but a single culprit: Oracle’s Java ActiveX control.
And not just one or two versions of the add-on will raise the alarm, either. Microsoft has flagged every version from all but the most recent patch levels of the Java SE platform, going all the way back to Java SE 1.4.
Tomi Engdahl says:
Microsoft considered renaming Internet Explorer to escape its checkered past
The team hasn’t completely ruled out the possibility of rebranding the browser.
http://arstechnica.com/information-technology/2014/08/microsoft-considered-renaming-internet-explorer-to-escape-its-checkered-past/
Microsoft has had “passionate” discussions about renaming Internet Explorer to distance the browser from its tarnished image, according to answers from members of the developer team given in a reddit Ask Me Anything session today.
Tomi Engdahl says:
If you can’t get rid of IE completely, get rid of the old versions at least for your safety:
Outdated Internet Explorer versions still run on many business PCs
http://betanews.com/2016/05/11/outdated-internet-explorer-business-pcs/
Businesses around the world don’t really enjoy updating their software, security researchers from Duo Security have found, exposing themselves and their organization to risks of cyber-attacks, phishing, scams and malware.
Researchers looked at a sample of two million Windows devices used by businesses around the world and found that almost a quarter, and that’s 500,000 devices, are using an outdated and unsupported version of Internet Explorer.
That puts both the users and the company at risk from more than 700 known, and who knows how many unknown, vulnerabilities.
Besides using outdated Internet Explorer, almost two-thirds (60 percent) of business users are also risking a lot by using an out-of-date version of Flash. Almost three quarters (72 percent) are using an outdated version of Java, also putting their systems at risk.
Tomi Engdahl says:
Internet Explorer’s time is officially over
https://etn.fi/index.php/13-news/14597-internet-explorerin-aika-on-virallisesti-ohi
Yesterday’s Valentine’s Day marked the end for Microsoft’s Internet Explorer browser. After the Edge browser update that went into distribution on Tuesday, Windows 10 users can no longer open the browser; the only option is to use Edge.
All remaining consumer and commercial devices that had not yet been redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. According to Microsoft, users cannot undo the change. In addition, the redirect from IE11 to Microsoft Edge will be included in all future Microsoft Edge updates.
Windows still has IE11 icons, for example in the Start menu and on the taskbar, but they will be removed in the June 2023 Windows security update, which is scheduled for release on June 13, 2023.
Tomi Engdahl says:
Microsoft Permanently Disables Internet Explorer With Valentine’s Day Update
Internet Explorer 11 should be permanently disabled on consumer versions of Windows 10 today through an update rolling out to Microsoft Edge.
https://uk.pcmag.com/browsers/145433/microsoft-permanently-disables-internet-explorer-with-valentines-day-update