Zero Day Exploit: Every Version of Internet Explorer

Deathmage

Internet Explorer bug lets hacker control your PC - Apr. 28, 2014

http://www.tomsguide.com/us/zero-day-internet-explorer,news-18697.html

No version of IE is safe from the threat; oo joy!

lsud00d

FireEye advises disabling the Adobe (ADBE) Flash plugin

What's new /rollseyes

5ekurity

Being used in targeted attacks right now; most APT actors are going after technology / financial sectors so those organizations should be on high alert.

YFZblu

And it will never be patched on XP, obviously. Let it begin.

Deathmage

YFZblu wrote: »

And it will never be patched on XP, obviously. Let it begin.

I ponder if this is a ploy to make people upgrade from XP.....

YFZblu

Except, this vulnerability isn't exclusive to Windows XP. There's no guarantee people are patching out there..

Jamm1n

Its for all versions not just XP, also people need to move on from XP regardless.

wes allen

I hope this pushes people, esp those with XP, to deploy EMET.

Cert Poor

Specifically it's affecting IE versions 6 - 11. When did 6 come out, over 10 years ago?

W Stewart

YFZblu wrote: »

Except, this vulnerability isn't exclusive to Windows XP. There's no guarantee people are patching out there..

It's not specific to Windows XP but obviously Microsoft is going to release a security update to fix this vulnerability and unless you explicitly configured your system not to run automatic updates then high priority security updates like this one should still run. Unless of course, you're running Windows XP.

Bryzey

People still use IE?

Master Of Puppets

Bryzey wrote: »

People still use IE?

Good I was starting to think that I'm the only one who is wondering about that.

wes allen

Bryzey wrote: »

People still use IE?

People, maybe a few that do. But there are many, many large enterprises out there with software that only works with IE, and usually only older versions like 8. And probably some old version of Java that can't be updated without breaking something critical as well.

Deathmage

Bryzey wrote: »

People still use IE?

The day Source Forge releases a working ADM/ADMX template for Firefox/Chrome is the day I no longer use IE at my job or any job. But since IE, as far as I know, is the only browser you can control via GPO sadly it will be sticking around....

Mainly only large corporations with extensive use of GPO's still use IE.

W Stewart

That and end users who don't know any better. Another thing that bothers me is all of the website's still coded with microsoft silverlight. I'm pretty sure Microsoft stopped developing for it but netflix and WGU both use silverlight.

qwertyiop

We literally can't get away from IE as our applicant tracking system was coded in coldfusion and will only render in IE.
That is literally the only thing keeping me from loading up a custom linux distro and drop windows wherever I can.

aftereffector

Bryzey wrote: »

People still use IE?

Pretty much the entire US Department of Defense. This is going to be fun.

--chris--

Cert Poor wrote: »

Specifically it's affecting IE versions 6 - 11. When did 6 come out, over 10 years ago?

We just upgraded all workstations to 8 from 7 this month....then had the CIO send out an email about this (IE bug) to all the higher ups and its been filtering down all day.

We have plenty of XP machines around here as well (some new machines going in with XP). Its not my job to try and figure out who has balanced the risk with the cost savings, so I just keep on installing

NovaHax

Deathmage wrote: »

I ponder if this is a ploy to make people upgrade from XP.....

Of course it is. Microsoft is still writing the patches but only making them available to high paying industry giants who use embedded XP and are willing to shell out a fortune to keep the patches coming. Everyone else is up sh*t-creek without a paddle.

So Microsoft makes money either way. Either you pay to upgrade or you pay to keep the patches.

zidian

qwertyiop wrote: »

We literally can't get away from IE as our applicant tracking system was coded in coldfusion and will only render in IE.

ColdFusion really has nothing to do with the website loading in IE or other browser versions. The ColdFusion server outputs pretty much exactly what the developer said to output. A ColdFusion application is typically a mixture of ColdFusion tags and regular html. The ColdFusion server then reads the CF Tags, does some computations, and strips out the tags to leave just the bare html behind.

I've used ColdFusion to output ASP, .Net, SVG, Java and many many other formats.

Not that knowing any of this really helps you that much, but I figured I'd clear up that misconception.

j.petrov

I've been dealing with this situation with a bunch of my company's clients. Its very unfortunate that people still use IE, however it still has its place. A lot of internal customized apps will only work correctly under IE, which is why this is such a pain. Best thing to do is put out an advisory to the user base telling them to practice safe web surfing guidelines and to use Chrome or Firefox for surfing the web.

Additionally, we have suggested blocking IE from accessing the Internet and only allow it internally for the apps. You can then force all web traffic through Chrome of Firefox. Obviously you need the appropriate technology to implement this, an app sensing proxy is able to accomplish this.

For all the XP users.... get off of XP. Plain and simple

j.petrov

WOW, Microsoft patched XP as well. Didn't see that coming!

Cert Poor

Me neither. It's a double-edged sword. I actually agree with MS for patching XP just to avoid a PR nightmare, but it only serves to disincentive shops from truly migrating away from XP. Actions aren't matching words. I'm still glad this hole's been patched but surprised it's been vulnerable since IE 6. Ancient history.