Big Hole in IE!!!! (Patch is Here, May1!!!)

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
Heads up: re link to Financial Times, above, pls scroll down to this article, I can't link directly to it.
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
The flaw was just disclosed a couple of days ago. Did you expect them to have a patch ready for a flaw they didn't know about? Sheesh.

My take is holes in all MS OSes & browsers are inevitable, ongoing and infinite, and to be expected. But my take is this one is ESPECIALLY BAD.

Major wire services/major periodicals do not report holes in IE or MS OSes as a matter of COURSE.

PLUS, this is only the latest in a recent, ATYPICAL chronology.

Do I expect better?

YES. I DO.
 
Nov 25, 2013
32,083
11,718
136
My take is holes in all MS OSes & browsers are inevitable, ongoing and infinite, and to be expected. But my take is this one is ESPECIALLY BAD.

Major wire services/major periodicals do not report holes in IE or MS OSes as a matter of COURSE.

PLUS, this is only the latest in a recent, ATYPICAL chronology.

Do I expect better?

YES. I DO.

And the browser that holds the record for serious security flaws is Firefox, not IE.

And yes security flaws like this one are indeed reported in the major media on a regular basis.

btw, what in the world is an 'atypical chronology'? A time line of untypical events? What the heck?
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
And the browser that holds the record for serious security flaws is Firefox, not IE.

And yes security flaws like this one are indeed reported in the major media on a regular basis.

btw, what in the world is an 'atypical chronology'? A time line of untypical events? What the heck?

Forgive me, I find your take on this wanting in both specifics and perspective.

Atypical not so different from untypical. I almost always choose the former, and so do most in my circles, including professional circles.

Naturally, I include the Heartbleed mess. And, u bet, all this is comprising an ATYPICAL CHRONOLOGY.....and, an objectively rattling one.

If you don't agree, that's your choice.

And if so, you and I live in different realities. Use the last update link I put up. And, if you still think this is business as usual.....you just continue to invest in that cavalierly.
 
Nov 25, 2013
32,083
11,718
136
Forgive me, I find your take on this wanting in both specifics and perspective.

Atypical not so different from untypical. I almost always choose the former, and so do most in my circles, including professional circles.

Naturally, I include the Heartbleed mess. And, u bet, all this is comprising an ATYPICAL CHRONOLOGY.....and, an objectively rattling one.

If you don't agree, that's your choice.

And if so, you and I live in different realities. Use the last update link I put up. And, if you still think this is business as usual.....you just continue to invest in that cavalierly.

Firefox insecurity info:

http://www.extremetech.com/computin...er-falls-to-four-zero-day-exploits-at-pwn2own

http://www.pcworld.com/article/2029...efox-take-25-year-lead-in-security-flaws.html

Heartbleed has nothing to do with MS; it was related to OpenSSL.
 

code65536

Golden Member
Mar 7, 2006
1,006
0
76
There's a user comment in the coverage over at Ars that I'm going to shamelessly steal and repost here because:
you know that during the last Pwn2own browser hacking contest every browser has been hacked several times, right?

even ChromeOS was pwned twice.

the only target that has not been pwned despite the highest reward ($150 000) was... IE11 with EMET.

this tends to prove that MS knows how to build a secure browser with the latest memory protection techniques. However, due to the risk of breaking some plugins used by big enterprise customers, Microsoft refrains from shipping the technologies provided by EMET directly via windows update.

but if you are computer literate, you have no excuse not to use EMET (even if you don't use IE).

some (easy to understand) information about EMET:

http://www.julien-manici.com/blog/EMET-protection-against-flaws-Internet-Explorer-Firefox-Chrome/


also, Win8.x users can enable Enhanced Protected Mode, the newest IE sandbox which breaks the exploit currently in the wild (even if EMET is not installed).
EPM is enabled by default in IE/Metro, but not in IE/Desktop.

http://www.julien-manici.com/blog/ie10-new-sandbox-enhanced-protected-mode-windows-8/

also note that IE Mobile on WP is not vulnerable, since VML is a deprecated component which doesn't ship in WP7/8.
 

Ketchup

Elite Member
Sep 1, 2002
14,559
248
106
I think Finkle summed it up pretty well in the first couple paragraphs here.

PCs running Windows XP will not receive any updates fixing that bug when they are released
Security firms estimate that between 15 and 25 percent of the world's PCs still run Windows XP

I expect more of this will come, as hackers now know that those older versions of IE that are running on XP will not be able to block any fix Microsoft releases from now on.

Glad I don't use IE, and glad I finally got my parents and some good friends off XP.
 

R0H1T

Platinum Member
Jan 12, 2013
2,582
163
106
you know that during the last Pwn2own browser hacking contest every browser has been hacked several times, right?

even ChromeOS was pwned twice.

the only target that has not been pwned despite the highest reward ($150 000) was... IE11 with EMET.

this tends to prove that MS knows how to build a secure browser with the latest memory protection techniques. However, due to the risk of breaking some plugins used by big enterprise customers, Microsoft refrains from shipping the technologies provided by EMET directly via windows update.

but if you are computer literate, you have no excuse not to use EMET (even if you don't use IE).

some (easy to understand) information about EMET:

http://www.julien-manici.com/blog/EM...irefox-Chrome/


also, Win8.x users can enable Enhanced Protected Mode, the newest IE sandbox which breaks the exploit currently in the wild (even if EMET is not installed).
EPM is enabled by default in IE/Metro, but not in IE/Desktop.

http://www.julien-manici.com/blog/ie...ode-windows-8/

also note that IE Mobile on WP is not vulnerable, since VML is a deprecated component which doesn't ship in WP7/8.
A little surprised that more people don't know more about this, especially on AT, & I've been using the Enhanced Protected Mode since I saw it being the default option put in place for Server 2008 R2. Now I have not delved into the details of it, since they aren't shared publicly, but as the name suggests EPM should save you from a bunch of potentially fatal (security) flaws in IE & Windows, plus EMET will make it even more secure, but yeah, anything older than IE9 should be dumped asap!
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
I expect more of this will come, as hackers now know that those older versions of IE that are running on XP will not be able to block any fix Microsoft releases from now on.

But this disgusting thing impacts IE thru ELEVEN. I run eleven.

Glad I don't use IE, and glad I finally got my parents and some good friends off XP.

While Pale Moon is my default browser, I retain IE as well.

Yes......SO good of you to convince people to upgrade from XP!!!! While I don't know anyone personally who runs Windows and still runs XP, clearly a lot of the world still does. If that is about money for them, be they businesses or individuals.....I feel very bad for them.
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
Newer version of Adobe Flash released to mitigate this threat.

https://isc.sans.edu/forums/diary/IE+Zero+Day+Advisory+from+Microsoft/18035


U have to disable Flash! the newest build of Flash does not mitigate this at all according to wut I jus read using yr link.

This whole thing is disgusting. Seriously disgusting.
_____________________________________________
Edit: Hold on.....perhaps the Flash update does address it:

K-Dee, yes the 13.0.0.206 update is explicitly about this vulnerability. See:

http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0

BESIDE THE POINT! And, AGAIN, obfuscating both facts and perspective.

I never said Heartbleed is related to this new, serious horror. I said, RECENT CHRONOLOGY. And yes! ATYPICAL.....in light of history.
 

HOSED

Senior member
Dec 30, 2013
658
1
0
OP, just wanted to say thanks for bringing this up & links. I removed the Flash plugin for IE (Shockwave) and YouTube videos seem to play fine. Also thanks to R0H1T for the info about EPM. (Win 7 SP1 / IE11)
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
OP, just wanted to say thanks for bringing this up & links. I removed the Flash plugin for IE (Shockwave) and YouTube videos seem to play fine. Also thanks to R0H1T for the info about EPM. (Win 7 SP1 / IE11)


That is incredibly kind and classy of you.

But I, the OP remain seriously disgusted.:|

Wish we had footage of the, bet, round the clock scrambling on the Left Coast. With audio.

But, without Flash, could we play it?:whiste: Yes, but I still resent this whole thing.
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
You're most welcome. It is truly a Security matter. Thank you for initiating it.

I actually never took note of "Security" in the software forum.

I AM WAITING FOR THE PATCH. I guess, we all are. Am sure this is way more complex than I knew the second I read about it, and so, writing the patch is more daunting than usual.

We get MS, et al., have to work on this in secret....but I still wanna see a live stream. :sneaky:
 