Critical exploits plague IE11 but MS is too busy with W10 to patch them

[Bloodyvalley]

Four zero-day vulnerabilities have been discovered in Microsoft’s Internet Explorer as the company makes plans for launching its upcoming Windows 10 next week, on July 29.

Critical Internet Explorer vulnerabilities:

While you may like it or not, Internet Explorer is still one of the most used browsers in world as it comes pre-loaded on PCs, notebooks, and Windows Phones. Recent years have seen a strong shift to better and more safer browsers, but Internet Explorer still remains the default browser for many. Such a strong user base makes the platform traditionally a favorite place for hackers. The Hewlett-Packard’s Zero-Day Initiative (ZDI) has disclosed four new vulnerabilities in the browser that could be potentially exploited to remotely execute malicious code on the target machine. This remote execution of code is possible on your machine even if your browser is fully updated.

These four bugs have been reported to be affecting IE11 on Windows Phones. The tipping point?

HP reported these critical zero-day Internet Explorer bugs to Microsoft some six months back, however, considering how Redmond has stayed busy with the development of Windows 10, it couldn’t manage to fix the issue. Microsoft was notified of the first zero-day Internet Explorer bug on November 12, 2014 which was then extended to May 12, 2015 and then again to July 19. However, as no patch came to fix the issue, ZDI went public on July 22. Microsoft reportedly requested HP to give another extension of 6 months grace period before HP makes these vulnerabilities public but HP refused the request. Now published, we expect to see Microsoft responding to this more responsibly and possibly sending some patch our way too.

We’re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers.

– Microsoft’s statement

Microsoft is replacing the aging Internet Explorer with Microsoft Edge browser once Windows 10 is launched. However, Internet Explorer will keep serving the enterprise customers and, of course, the machines not updated to Windows 10.

 

 

but who even uses IE

 

source

[Aytex]

grandma dont get a virus pls :c

[marldorthegreat]

 

 

but who even uses IE

 

source

Me to install chrome.

[79wjd]

but who even uses IE

businesses

[Guest]

businesses

 

T-Mobile still uses XP

 

 

 

tim2heck ( ͡° ͜ʖ ͡°)

[pwn_intended]

 

 

but who even uses IE

 

source

IE has actually been great since v11. I'm pretty sure that most of the IE haters have not even given it a chance since v8 and 9, which WERE awful.

Nowadays, I find IE both more stable and just all around less stupid than dealing with Chrome and its memory hog-ness.

[Guest]

More companies than you'd expect use IE. 

[TheSLSAMG]

but who even uses IE

About 51% of the market.

 

https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0

[JustChilliing]

I don't like Chrome and I don't like Firefox

[ManIkWeet]

Well then, I guess my phone is vulnerable...

[Fetzie]

but who even uses IE

 

source

I do at work, because the vast majority of the customers (businesses) that use our web interface use internet explorer, and it has to work.

[GlassBomb]

There's a simple solution.

 

Don't use Internet Explorer.

[Beskamir]

Maybe I can finally use this to convince my mom to not use IE

[79wjd]

There's a simple solution.

 

Don't use Internet Explorer.

it's not quite that simple. On a consumer level that works fine -- most of the time -- but on an enterprise level you run into some serious issues with trying to transfer everyone to a different browser. Including a learning curve in some cases, but far more importantly, not everything is compatible with everything else -- IE, on the other hand, tends to be compatible with almost everything.

[RH00D]

To answer the question who uses IE, it is a requirement for some of my work.

 

We use Siebel CRM 8.0 software and we use it as a web application and it requires Internet Explorer. For the longest time it wouldn't work with anything higher than IE8. And on top of that it only works with the 32-bit version of IE.

 

Literally just last week we were finally allowed to upgrade to IE11. They had to make sure nothing would break with any of the applications we use.

 

It's insane how exact software and configurations need to be when working with software like Siebel, which is fucking massive. Everything is so specific. Even if one little setting in your browser isn't right it can cause the whole thing to not work. We have a script that we run on our computer that automatically sets all of IE's settings to what they need to be.

[dalekphalm]

Does anyone even BOTHER to read the source? This is for Windows Phone IE 11 only.

[Trik'Stari]

Does anyone even BOTHER to read the source? This is for Windows Phone IE 11 only.

Oh GREAT, that's exactly what I use.

 

Not for anything other than reading the news, but still.

[othertomperson]

Does anyone even BOTHER to read the source? This is for Windows Phone IE 11 only.

 

"While you may like it or not, Internet Explorer is still one of the most used browsers in world as it comes pre-loaded on PCs, notebooks, and Windows Phones. Recent years have seen a strong shift to better and more safer browsers, but Internet Explorer still remains the default browser for many. Such a strong user base makes the platform traditionally a favorite place for hackers."

 

While the source does say Windows Phone, it goes out of its way to imply otherwise.

[dalekphalm]

"While you may like it or not, Internet Explorer is still one of the most used browsers in world as it comes pre-loaded on PCs, notebooks, and Windows Phones. Recent years have seen a strong shift to better and more safer browsers, but Internet Explorer still remains the default browser for many. Such a strong user base makes the platform traditionally a favorite place for hackers."

 

While the source does say Windows Phone, it goes out of its way to imply otherwise.

 

That's shoddy journalism. I can't say for certain it's 100% only Windows Phone, but the article specifically says:

 

These four bugs have been reported to be affecting IE11 on Windows Phones.

 

So you're right, the article does heavily imply otherwise, but that's just straight up shitty journalism. The article is unclear and sends mixed messages and contradictory information.

[TooManyErrors]

Does anyone even BOTHER to read the source? This is for Windows Phone IE 11 only.

Well shit. I guess I'm at risk.

[dalekphalm]

Oh GREAT, that's exactly what I use.

 

Not for anything other than reading the news, but still.

 

 

Well shit. I guess I'm at risk.

 

Me too, but I wouldn't stress too much. There have been no reported attacks, and now that this is out in the open, I expect Microsoft to quickly patch it.

 

If you want to help, then try Tweeting at the Microsoft/Windows Phone twitter handle, asking them to patch the exploit (Make sure to link the source article).

[AlexGoesHigh]

Does anyone even BOTHER to read the source? This is for Windows Phone IE 11 only.

article is clickbait at its finest, looking at the headline and that they mentioned WP once on a single line in the middle, its just that

 

while i agree MS dropped the ball in fixing this, they probably said fuck it, due to being busy making edge a proper browser and that it will replace IE with the win 10 update

[dalekphalm]

article is clickbait at its finest, looking at the headline and that they mentioned WP once on a single line in the middle, its just that

 

while i agree MS dropped the ball in fixing this, they probably said fuck it, due to being busy making edge a proper browser and that it will replace IE with the win 10 update

Not to mention that Windows Mobile 10 launches soon, and is a free upgrade to 90% of the current Windows Phone 8.1 devices (Since most of them are Nokia, and pretty much almost all the Lumia's will get the free upgrade).

 

I do hope they fix it soon though.

[LAwLz]

IE has actually been great since v11. I'm pretty sure that most of the IE haters have not even given it a chance since v8 and 9, which WERE awful.

Nowadays, I find IE both more stable and just all around less stupid than dealing with Chrome and its memory hog-ness.

IE has been "tolerable" since IE 11. Calling it great is an exaggeration since it's still quite a lot slower than the competitors, has much worse support for web standards, barely any extensions, awful image scaling and a GUI designed by an idiot.

 

The only good thing I have to say about IE 11 is that Inori Aizawa is cute, but that doesn't have anything to do with the actual browser.

 

 

 

The Ars Technica article is a lot better than the WCCFtech article (big surprise, right?).

It doesn't seem like Microsoft just went "lol who cares about IE 11. We're busy working on Windows 10!". It was only like a week ago they patched another security hole in IE.

 

What I think happened here is the reason why making security issues public if the company affected don't meet deadlines is important. Microsoft probably knew that nobody had taken advantage of the exploit yet so they just went "Fuck it. We got more important things to do" and then asked for a 4 month deadline extension which was granted. They they worked on other stuff and kind of forgot about it and asked for another extension on the deadline. HP were very generous to give them 8 months to fix it before going public, and Microsoft wanted even more time.

 

 

It's not clear to me if this is a phone only issue or not. Microsoft's own statement only mentions Windows Phone, but from what I can tell this affects the desktop too. This vulnerabilities details says "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer, including on Windows Phone.". The other 3 vulnerabilities don't mention phone whatsoever.

[Me1z]

Cool.