Critical exploits plague IE11 but MS is too busy with W10 to patch them

[Cream pie filled car]

Opera ftw

[zacRupnow]

Not an exploit, people/PCs that are worth exploiting don't use IE under any circumstance.

[Counter-Strike Player]

Me to install chrome.

There's a simple solution.

 

Don't use Internet Explorer.

 

One of my early items on a new win7 reinstall checklist is after arriving on the desktop (and after changing the resolution to "tolerable" and disabling UAC) is immediately go into the control panel and untick IE in the "turn off Windows features" list which effectively uninstalls IE right from the start of your install. 100's and 100's of MB's of Windows security Updates and activeX killbits updates can be averted this way that solely relate to keeping IE up-to-date. Since you don't even have IE installed on your system, you don't need the updates and hence they're not even offered. Why more smart people don't do this, I have no idea. Just be prepared and have all your driver installers and a simple firefox offline installer (or chrome if you prefer) on a usb drive so you can install a browser that way.

 

Curiously, on some of the later AMD CCC gpu drivers, after the AMD installer finishes, it tries to specifically open IE and browse to an AMD webpage. In a case where you're the kind of person who likes to install drivers first before doing WIndows Updates, this means a highly-vulnerable version of IE8 probably will be directed to that site after you install the gpu driver and who knows what kind of code they have on that page that could potentially take advantage of that -- if they wanted to. On my box, cmd prompt simply throws an error since it can't even find iexplore.exe -- so gg AMD, no rematch.

 

There's also this service that's installed, and after many years of research and random speculative forum posting that "probably" has more to it than just "hotkey support":

This is still a huge shot in the dark but, any other ideas on what it's about?

 

 

To answer the question who uses IE, it is a requirement for some of my work.

 

We use Siebel CRM 8.0 software and we use it as a web application and it requires Internet Explorer. For the longest time it wouldn't work with anything higher than IE8. And on top of that it only works with the 32-bit version of IE.

 

Literally just last week we were finally allowed to upgrade to IE11. They had to make sure nothing would break with any of the applications we use.

 

It's insane how exact software and configurations need to be when working with software like Siebel, which is fucking massive. Everything is so specific. Even if one little setting in your browser isn't right it can cause the whole thing to not work. We have a script that we run on our computer that automatically sets all of IE's settings to what they need to be.

 

Sounds like Siebel is an "Oracle" product, surprising that is not #yoda

[Altecice]

Also lets not forget they are wanting to retire IE for the new W10 browser... (not that it excuses it).

[dalekphalm]

Not an exploit, people/PCs that are worth exploiting don't use IE under any circumstance.

That's... a very uninformed view.

 

As previously mentioned many times - IE is often necessary to run in large corporate environments, because of legacy web services or specific required software.

 

Not to mention that IE11 is pretty solid - certainly it lacks the customization/plugins of Chrome/Firefox (fixed with Edge), but performance and reliability is quite good.

 

I personally use Firefox as my daily driver, but IE11 is not a bad browser.

 

Not to mention that this exploit is specifically about Windows Phone... not desktops in general.

[Gale]

I don't like Chrome and I don't like Firefox

 

I spotted the Opera user!

[LAwLz]

Not to mention that this exploit is specifically about Windows Phone... not desktops in general.

See:

It's not clear to me if this is a phone only issue or not. Microsoft's own statement only mentions Windows Phone, but from what I can tell this affects the desktop too. This vulnerabilities details says "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer, including on Windows Phone.". The other 3 vulnerabilities don't mention phone whatsoever.

 

Seems like it's a security hole in the desktop version as well.

[JustChilliing]

I spotted the Opera user!

 

Nope >_>

[Fabri91]

There is also the problem that IE in Windows Phone, which, again, is the only OS affected by this issue, would need an OS update to be updated, similarly to how it was like for Android when the default browser was the tightly-integrated Android Browser. This means carrier approval is needed, which delays things quite a bit.

Edge on Windows 10, regardless of wether mobile or not, on the other hand, will be much more easily updatable, kind of like Chrome is now on Android devices.

[LAwLz]

There is also the problem that IE in Windows Phone, which, again, is the only OS affected by this issue [snip]

Again, to me it seems like this affects the desktop version as well. The official disclosure from HP says that one of the exploits works on Internet Explorer 11 INCLUDING the phone version, and the other 3 reports don't even mention mobile or phone at all.

[Kurosaki Isshin]

it's not quite that simple. On a consumer level that works fine -- most of the time -- but on an enterprise level you run into some serious issues with trying to transfer everyone to a different browser. Including a learning curve in some cases, but far more importantly, not everything is compatible with everything else -- IE, on the other hand, tends to be compatible with almost everything.

I would hate to run my business and have someone tell me "you can't just switch their browsers, man. imagine the learning curve?" because immedietly I would fire a huge number of my staff. they can't use any other browser because 'learning curve'? *throws monitors out the window*

 

also, why are they using IE when Edge is so good? =o

[79wjd]

I would hate to run my business and have someone tell me "you can't just switch their browsers, man. imagine the learning curve?" because immedietly I would fire a huge number of my staff. they can't use any other browser because 'learning curve'? *throws monitors out the window*

 

also, why are they using IE when Edge is so good? =o

Edge is only on W10? 

 

The reason IE is so commonly used is because everyone in every business codes for it, and uses it -- i.e. IE is the browser which actually works on almost all sites -- whereas Chrome/Firefox may or may not. 

 

The learning curve isn't really as much of an issue, but it does make life a million times easier for MIS since it allows for a more uniform environment. 

[dalekphalm]

See:

 

Seems like it's a security hole in the desktop version as well.

It does not specifically state any other platform aside from Windows Phone. That's shoddy journalism at best. 100% unclear. IE is available on numerous versions of Windows - if it affects more than one (or even just one), they should specifically state which ones are affected.

 

That does not convince me that it affects other versions - but I do admit that it possibly might. All I know is that none of these articles are written well.

 

Again, to me it seems like this affects the desktop version as well. The official disclosure from HP says that one of the exploits works on Internet Explorer 11 INCLUDING the phone version, and the other 3 reports don't even mention mobile or phone at all.

IE 11 is available on numerous versions of Windows (including Phone). They should have specifically listed all affected OS's, or stated that it affected all OS's.

 

Though the fact that Windows Phone is the only one specifically mentioned, indicates that's what is affected. But I digress. Those articles are written like shit. A good tech journalist would have specifically outlined which versions on which OS were affected - not leave it "vague and easily misunderstood".

 

I would hate to run my business and have someone tell me "you can't just switch their browsers, man. imagine the learning curve?" because immedietly I would fire a huge number of my staff. they can't use any other browser because 'learning curve'? *throws monitors out the window*

 

also, why are they using IE when Edge is so good? =o

Have you ever worked corporate IT?

 

We have public access computers - 53 of them - and we upgraded them all from Windows XP machines to Windows 7 machines over the spring. I shit you not, many people couldn't navigate the new versions of Firefox, Chrome, and Internet Explorer, because by default the Menu Bar is disabled. We had so many complaints that we had to manually enable the Menu Bar on Firefox and IE (Chrome has fully removed it in newer versions).

 

Not to mention that some of our staff can barely do basic tasks. Any change is very difficult for some of them. There are of course times when change is 100% unavoidable, and you must keep up with the times, but the situation is way more complex then you make it out to be.

[Kurosaki Isshin]

Not to mention that some of our staff can barely do basic tasks. Any change is very difficult for some of them. There are of course times when change is 100% unavoidable, and you must keep up with the times, but the situation is way more complex then you make it out to be.

I've not worked corporate IT. I assume it is like working for neighbors/grandmas. where a program auto-updates and the icon is slightly different. and for this, they call IT. is it like that?

 

because if it is.. you have my sympathy. although someone should do something about these people. giving them so much responsibility and they can't deal with an icon changing. how do they get to work?

[Darkman]

grandma dont get a virus pls :c

Don't worry, I get to reinstall windows on my grandmas computer this week... Can't uninstall programs and if you go to the processes tab in task manager it force closes.

[dalekphalm]

I've not worked corporate IT. I assume it is like working for neighbors/grandmas. where a program auto-updates and the icon is slightly different. and for this, they call IT. is it like that?

 

because if it is.. you have my sympathy. although someone should do something about these people. giving them so much responsibility and they can't deal with an icon changing. how do they get to work?

It can be exactly like that. (fun fact: one of the reasons Microsoft Renamed Spartan to Edge is to keep the "big e" that people expect to launch "the internet")

 

As for how some of these people have jobs? Quite simple. Because despite their computer illiteracy, most of them are still very intelligent, and have skills and know things I do not know.

 

Some of them are experts in local history and work on our reference database. Some of them are expert Art Gallery Curators. Some of them are incredibly good at local community outreach. Etc.

 

The younger generations (Even myself, who is a late Gen X baby) who grew up with computers and technology take it all for granted. The basics are natural to us because we've been using computers since early school-hood.

 

Some of these people didn't use their first computer - ever - until they were in their 30's or 40's. Most of them went to schools that straight up didn't have a single computer in them, and only some of them had access to computers in College or University (Often being limited to mainframe computers in STEM schools).

 

So I can forgive their ignorance. It's a pain in the ass, yes, but it's also not going to change until those older generations eventually all retire.

[LAwLz]

It does not specifically state any other platform aside from Windows Phone. That's shoddy journalism at best. 100% unclear. IE is available on numerous versions of Windows - if it affects more than one (or even just one), they should specifically state which ones are affected.

 

That does not convince me that it affects other versions - but I do admit that it possibly might. All I know is that none of these articles are written well.

 

IE 11 is available on numerous versions of Windows (including Phone). They should have specifically listed all affected OS's, or stated that it affected all OS's.

 

Though the fact that Windows Phone is the only one specifically mentioned, indicates that's what is affected. But I digress. Those articles are written like shit. A good tech journalist would have specifically outlined which versions on which OS were affected - not leave it "vague and easily misunderstood".

My source and quotes are from the ZDI, not some tech blog. But I just realized how stupid I am. The third section in the vulnerability report says "Affected Products" and it only lists Internet Explorer Mobile. So desktop Windows users are safe.

[mr moose]

Well, if this thread tells us two things,  one I hope is that people on LTT are learning to question everything and not just assume an article is straight up reality.

 

The second is be careful if your using IE 11 mobile, rumour is it's got some issues...

[dalekphalm]

My source and quotes are from the ZDI, not some tech blog. But I just realized how stupid I am. The third section in the vulnerability report says "Affected Products" and it only lists Internet Explorer Mobile. So desktop Windows users are safe.

You're not a complete idiot. The quality of journalism on this subject has been lacking, to say the least.

[Speedbird]

One of my early items on a new win7 reinstall checklist is after arriving on the desktop (and after changing the resolution to "tolerable" and disabling UAC) is immediately go into the control panel and untick IE in the "turn off Windows features" list which effectively uninstalls IE right from the start of your install. 100's and 100's of MB's of Windows security Updates and activeX killbits updates can be averted this way that solely relate to keeping IE up-to-date. Since you don't even have IE installed on your system, you don't need the updates and hence they're not even offered. Why more smart people don't do this, I have no idea. Just be prepared and have all your driver installers and a simple firefox offline installer (or chrome if you prefer) on a usb drive so you can install a browser that way.

 

Curiously, on some of the later AMD CCC gpu drivers, after the AMD installer finishes, it tries to specifically open IE and browse to an AMD webpage. In a case where you're the kind of person who likes to install drivers first before doing WIndows Updates, this means a highly-vulnerable version of IE8 probably will be directed to that site after you install the gpu driver and who knows what kind of code they have on that page that could potentially take advantage of that -- if they wanted to. On my box, cmd prompt simply throws an error since it can't even find iexplore.exe -- so gg AMD, no rematch.

 

There's also this service that's installed, and after many years of research and random speculative forum posting that "probably" has more to it than just "hotkey support":

amd-service.png

This is still a huge shot in the dark but, any other ideas on what it's about?

 

 

 

Sounds like Siebel is an "Oracle" product, surprising that is not #yoda

You are not uninstalling IE, you are disabling it. It's still there, on your hard drive, wasting space. The only way to completely rid of it is by tampering the installation media, which I do not recommend doing as it can cause all kinds of problems. By disabling it, all you are doing is converting a usable program, and a good alternative browser, to just wasted space. Also, disabling UAC is a security risk, and it's a high one. You are allowing every program to run at the highest level of privilege, allowing them to do anything. UAC is your last line of defence after the antivirus (which I assume you do not have installed either) - it is literally the last time malware can be stopped before it infects your system. As for the updates, is it really that hard to download a few more megabytes?

Sorry for quoting a long post, I cannot select text normally on iOS

[dalekphalm]

You are not uninstalling IE, you are disabling it. It's still there, on your hard drive, wasting space. The only way to completely rid of it is by tampering the installation media, which I do not recommend doing as it can cause all kinds of problems. By disabling it, all you are doing is converting a usable program, and a good alternative browser, to just wasted space. Also, disabling UAC is a security risk, and it's a high one. You are allowing every program to run at the highest level of privilege, allowing them to do anything. UAC is your last line of defence after the antivirus (which I assume you do not have installed either) - it is literally the last time malware can be stopped before it infects your system. As for the updates, is it really that hard to download a few more megabytes?

Sorry for quoting a long post, I cannot select text normally on iOS

I agree with UAC. The same kinds of people who bitch about UAC seem to be the same people who think Windows is shit, and Linux should be the dominant OS... Well guess what folks, UAC is like SU in some ways. To do anything stupid or powerful, you need to enable SU in linux. Not having root access prevents things like viruses from just randomly executing themselves without your permission.

 

UAC does the same damn thing. Turning down UAC so it's not so much in your face? Sure, if you want. Disabling it all together? Hello malware; Meet a vulnerable system.

[LAwLz]

I agree with UAC. The same kinds of people who bitch about UAC seem to be the same people who think Windows is shit, and Linux should be the dominant OS... Well guess what folks, UAC is like SU in some ways. To do anything stupid or powerful, you need to enable SU in linux. Not having root access prevents things like viruses from just randomly executing themselves without your permission.

 

UAC does the same damn thing. Turning down UAC so it's not so much in your face? Sure, if you want. Disabling it all together? Hello malware; Meet a vulnerable system.

It's worth mentioning that UAC and sudoing into root work in very different ways which both has big benefits and drawbacks. So it's perfectly possible to hate UAC while liking sudo.

I wouldn't be surprised if only a handful of the "Baww Linux is da best" and the "baww Windows is da best" fanboys actually know the differences.

[othertomperson]

I agree with UAC. The same kinds of people who bitch about UAC seem to be the same people who think Windows is shit, and Linux should be the dominant OS... Well guess what folks, UAC is like SU in some ways. To do anything stupid or powerful, you need to enable SU in linux. Not having root access prevents things like viruses from just randomly executing themselves without your permission.

 

UAC does the same damn thing. Turning down UAC so it's not so much in your face? Sure, if you want. Disabling it all together? Hello malware; Meet a vulnerable system.

 

SU doesn't bother me for privilege every single time I boot for generic tasks. UAC does. I use Linux and Windows. Linux does it better.

[mr moose]

SU doesn't bother me for privilege every single time I boot for generic tasks. UAC does. I use Linux and Windows. Linux does it better.

 

My version of ubuntu asks me for a password every time I fart.  I probably should get the latest version though.

[dalekphalm]

It's worth mentioning that UAC and sudoing into root work in very different ways which both has big benefits and drawbacks. So it's perfectly possible to hate UAC while liking sudo.

I wouldn't be surprised if only a handful of the "Baww Linux is da best" and the "baww Windows is da best" fanboys actually know the differences.

That's very true. They are of course very different, and one could argue that Linux does have the better implementation. But I was only comparing them in a general sense.

 

And yes, I agree, the fanboys on either side probably don't know the difference.

 

SU doesn't bother me for privilege every single time I boot for generic tasks. UAC does. I use Linux and Windows. Linux does it better.

What kinds of things is Windows bothering you with every time you boot? Do you mean every time you start your PC, you're getting UAC prompts as auto-starting programs load?