The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Serious security flaw found in IE - Advised to use different browser

    Discussion in 'Windows OS and Software' started by Lakjin, Dec 16, 2008.

  1. Halo360Fan

    Oh, that's a relief lol, had me freaking out for a second lol
     
  2. Halo360Fan

    Is there any way to completely get rid of IE off my computer? I will never trust it again, plus I never use it anyway. How do I get it off my computer?
     
  3. Slaughterhouse

    Moral of the story - DO NOT USE IE!

    My eyes twitch when I have to open up that garbage browser out of necessity :p
     
  4. stewie

    Funny how when Bitdefender found a huge security flaw in FF3, people would say oh no browser is perfect, and now with IE7, the same people would say IE7 sucks! :rolleyes:

    I use FF3 as my main browser, but seriously, IE7 isn't as bad as the FF fanboys put it.
     
  5. booboo12

  6. vinumsv

    If this is an old story then sorry :D

    MS will be releasing an out-of-band patch for this vulnerability today

    http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

    And this flaw can also be exploited when browsing hijacked genuine websites, so beware.

    Also remember this: even if you don't use IE directly, there are lots of programs which use the IE rendering engine, so patch it as soon as MS releases it today.
     
  7. qhn

    IE security holes, browser security holes and flaws. They all have them. Firefox releasing 3.0.5; Opera releasing 9.63; Safari 3.2.1: all about security just the past few days.

    cheers ...
     
  8. Wishmaker

    I agree and IE8 beta 2 is even better. Apart from the crashes but that is why it is still beta :p.

    Bottom line is, nobody likes Microsoft yet 90% of the population is using it :p.


    Still no patch out.
     
  9. steelroots7xe

    Do any anti-virus software plugins help to avoid this problem?

    I currently use both IE and Firefox, but still mostly use IE, until I saw this news report. But I also have Norton Internet Security installed and a bunch of Norton plugins on IE. Would those help?

    Do you guys recommend still shifting to Firefox fully, and not using IE at all?
     
  10. Lawrence

  11. Baserk

    When Microsoft has released the patch that will fix this bug (it will be available through Windows Update today), you can keep using IE like you did before.
    No harm in trying out Firefox though, maybe you'll like it. :)
     
  12. HI DesertNM

    The difference is FF developers generally keep one step ahead of the hackers and fix the holes before they become a real issue. MS for that matter usually stays ahead of the game as well. But in this case, this exploit was able to multiply in the wild like crazy and it's the worst kind of exploit imaginable (zero day) which means it requires no input from the user. One merely has to visit an infected website, of which there are already over 10000. Sure this can happen to FF but quite frankly, I can't remember a case where FF3 had an issue this severe. If ever one wanted a reason to bash MS this is as good a reason as I can think of.

    Personally, I believe the rest of the browsers are not affected by this simply because they are not bound and tied to the OS like IE is. For that reason alone IE will always be at a disadvantage. But having said all that, I have been playing around with IE 8 Beta 2 and see a lot to like. Hopefully MS learns something from all this and makes IE more secure. But that's probably wishful thinking on my part.

    It's kind of like the old Win 95/98 OSes where the whole system would crash if an application went haywire. If you can exploit IE then you gain access to the whole OS. MS could make their life so much easier if they would just unbundle IE off the OS.
     
  13. Wishmaker

    Yeah and then you will have another N Windows Version. Thanks to the Commission ruling some people get those. If you want to add via the MS website the missing things, it will crash. I saw that on a friend's laptop. Thanks but I prefer IE in my OS.
     
  14. Tranquility

    I understand what you and Microsoft are saying. But what Microsoft is also saying is true too. The known (existing) attacks are stopped via the High setting alone. It is all that needs to be done. Killing scripts doesn't correct the vulnerability, just its avenue of attack.

    Fortunately a patch is scheduled for today!
     
  15. Pirx

    No, they generally don't. What does help, more reliably than any kind of anti-this-or-that software, is to always do your day-to-day work and web browsing while logged in as a standard user, not as an administrator. The currently known exploits attempt to install a rootkit. These exploits will fail on a machine that is properly configured and used (see above).

    P.S.: Maybe I should emphasize this point more strongly: Anti-virus software, firewalls, etc., are no substitute at all for running your system in a secure configuration. The first thing any hacker worth his or her salt will do is check their malware against current versions of anti-virus software. Thus you can be pretty much assured that any malware that's a real threat will easily defeat your second-line-of-defense strategy.
     
  16. Pirx

    This is not correct. You gain access to the whole system only if the user has essentially disabled OS security, by habitually running with administrative rights, and maybe even with UAC turned off. On a properly configured system, running as a standard user, with IE in protected mode, your system will be relatively safe even if there is a giant security hole in IE, such as the one we have right now.
     
  17. Shyster1

    First off, I am not trying to add more fuel to the flame-war between the IE-nuts and the FF/O/etc.-nuts, so don't start on me with that, ok?

    Ok, with that said, there are a couple of pieces of hard, cold fact missing from some of the most egregious crowings from the FF/O/etc crowd; for example, the FF developers have only one product to worry about, a browser, and thus, while they have to worry somewhat about backwards compatibility with older versions of FF, the range of issues that limited amount of legacy support generates is dwarfed by the amount of issues that Microsoft must deal with in terms of legacy support for IE, both with respect to the browser itself and also with respect to the fact that IE exists within a very particular milieu - the WinOS - which raises a whole different set of legacy support issues.

    This is not to excuse Microsoft, because the integrated nature of IE is a result of Microsoft's original attempt to completely integrate the browser into earlier iterations of its operating systems, an attempt that was only half-killed by the successful browser suit against Microsoft. Had Microsoft not taken the original decision to integrate IE into the OS, or had they spent the extra time and money needed to fully dis-integrate it after losing that lawsuit, then IE would have a much more limited scope and a correspondingly smaller set of legacy support issues to worry about.

    Given that the IE designers/coders have a much bigger kettle of fish to deal with, it should not surprise anyone that IE ends up having a larger number of issues to deal with than, say, FF does. Also, since FF doesn't have legacy support obligations anywheres near the extent that IE does, the designers of FF can simply choose to cut off legacy support much more quickly than the designers of IE can.

    Second missing fact is that IE is everybody's favorite target, partly because of Microsoft's commanding market share, and partly because anti-IE sentiment feeds on itself, and the more people claim to "hate" IE, the more of a target it becomes, which only feeds the beefing of those who "hate" IE. The point to be drawn from this is that, everything else being equal, the more you shoot at a particular target, the more likely you are to find holes in it when you go inspect it.

    If/when FF or one of the other alternatives to IE reaches the point of having a market share similar to that now held by IE, the roles will undoubtedly be reversed, and whatever alternative browser ends up becoming the dominant browser will also become the lame-duck browser everybody loves to "hate."

    Thus, all in all, the mere fact that IE appears to have more security troubles than, say, FF, is not really a good indicator for the relative value of IE and/or FF. While that particular number needs to be taken into account, it also needs to be risk-weighted (e.g., number of security incidents per installed copy, or somesuch), and other factors need to be added into the mix.

    That is not to say that I believe that IE would win that competition; as others have pointed out, FF and the other alternative browsers also have other demonstrable performance positives that IE does not, such as being faster and more standards-compliant.

    At the end of the day, the most likely differentiator between IE and the alternative browsers is probably the fact that Microsoft, once it lost the browser lawsuit, failed to simply excise the underlying IE functionality from its OS and instead continued to utilize shared resources (such as a variety of .dlls) both for IE and for the Win-Explorer itself (amongst others). By failing to completely divorce IE from the OS, Microsoft simply made the task of keeping IE up-to-date and light on its feet an almost insuperable chore compared to that faced by the developers of the alternative browsers.
     
  18. Wishmaker

    [rant]

    When IE7 starts up faster from cold than FF then we have a problem. The reason I gave up on FF was this. I told them, I am a part of their beta testing programme, do something about the hideous start up time. Moreover, leave the browser overnight and check out the memory usage :).
    FF is dead. Chrome will take over. I've never had a website not work with IE but I had tons with FF.

    [/rant]


    Back to our pets,


    any news on that patch?
     
  19. Tinderbox (UK)

  20. Halo360Fan

    I will never use IE ever again lol. I will patch it then never touch it.
     
  21. vinumsv

    Few more steps to avoid this vulnerability

    Disable the Microsoft OLE DB Row Position Library COM object

    The most effective way of mitigating this vulnerability appears to be to disable the Microsoft OLE DB Row Position Library COM object. As outlined in the Microsoft Security Advisory, delete the following registry key:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]
    Note that once this change is made, all ADO (ActiveX Data Objects) applications that use the RowPosition property and related information and all OLE DB applications that use the OLE DB Row Position Library will not function properly.

    Disable Active Scripting

    This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the "Securing Your Web Browser" document. Note that this will not block the vulnerability. IE still may crash when parsing specially-crafted XML content. Disabling Active Scripting will mitigate a common method used to achieve code execution with this vulnerability.

    Enable DEP in Internet Explorer 7

    Enabling DEP in Internet Explorer 7 on Windows Vista can help mitigate this vulnerability by making it more difficult to achieve code execution using this vulnerability.

    more : http://blogs.technet.com/swi/archiv...-workarounds-from-the-recent-IE-advisory.aspx
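
A read-only audit of the workarounds and the patch discussed in this thread, added here as an example; it is not part of any forum post or of Microsoft's advisory. The CLSID and KB number come from the thread, the Internet-zone registry path and the meaning of URL action 1400 are standard Windows settings, and the function names are invented for the illustration.

```powershell
# Added example: reports state only and changes nothing.

# Values taken from the thread.
$RowPositionClsid = '{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}'  # OLE DB Row Position Library
$PatchId          = 'KB960714'                                 # update delivered via Windows Update

# Assumption: standard per-user location of the Internet zone (zone 3) settings.
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Test-RowPositionKeyPresent {
    # HKEY_CLASSES_ROOT has no default PSDrive, so address it through the provider.
    Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$RowPositionClsid"
}

function Get-ActiveScriptingState {
    # URL action 1400 is "Active scripting": 0 = enabled, 1 = prompt, 3 = disabled.
    # A Group Policy value would override this per-user setting.
    $names = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    $item  = Get-ItemProperty -LiteralPath $InternetZoneKey -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    $value = [int]($item.'1400')
    if ($names.ContainsKey($value)) { $names[$value] } else { "Unrecognised ($value)" }
}

function Test-PatchInstalled {
    # Get-HotFix writes a non-terminating error when the ID is absent; treat that as "no".
    [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)
}

function Test-RunningElevated {
    # True when the current token holds administrative rights, the
    # "browsing as administrator" situation the thread warns against.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MitigationReport {
    $patched   = Test-PatchInstalled
    $keyExists = Test-RowPositionKeyPresent
    $scripting = Get-ActiveScriptingState
    $elevated  = Test-RunningElevated

    $findings = @()
    if (-not $patched) {
        $findings += "$PatchId not installed: the flaw itself is still present."
        if ($keyExists) {
            $findings += 'Row Position Library COM object is still registered.'
        }
        if ($scripting -ne 'Disabled') {
            $findings += "Active Scripting in the Internet zone is $scripting."
        }
    }
    elseif (-not $keyExists) {
        # Deleting the key breaks ADO/OLE DB RowPosition users, as the post notes.
        $findings += 'Patch installed but the COM key is still deleted; restore it if ADO/OLE DB applications need it.'
    }
    if ($elevated) { $findings += 'Session is running with administrative rights.' }

    [pscustomobject]@{
        PatchInstalled  = $patched
        RowPositionKey  = $keyExists
        ActiveScripting = $scripting
        RunningElevated = $elevated
        Findings        = $findings
    }
}

Get-MitigationReport | Format-List
```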
     
  22. Tranquility

    It's out. Hit Windows Update.
     
  23. Wishmaker

    Thanks for the heads up :). Gotta update 300 megs from MS. Pains of a new OS :p.
     
  24. stewie

  25. Wishmaker

    Thanks for this.
     
  26. stewie

    I believe a lot of the haters are closet IE lovers.

    :p
     
  27. Wishmaker

    Of course ;). But the new trend. Everyone is a hater so they all pretend to be ;). Like in highschool, when some dude was very cool because he could buy vodka and the rest were so sad because they did not have the age :p. That dude with the Vodka bottle was the role model. The person everyone wanted to be :p.

    Back to our lamb, the update is rather interesting. At least on my 64 Vista.
     
  28. Shyster1

    Well, well, well, as I was saying, ...:

    8 FF security flaws, 3 critical, patched.

    And no, this isn't a flame attack; I'm still perfectly happy to grant that, in the balance, FF is probably a better browser than IE, the point is merely that it's not some unblemished ideal.
     
  29. Matt is Pro

    Seems the patch is out now. I just got it through WU.

    No biggie.
     
  30. Wishmaker


    Go FIREFOX!!!! :cool: :cool:
     
  31. Pirx

    You know, one of the reasons why I abandoned FFx after running it exclusively for 6 months was the blatant fanboyism not only of its users (those I couldn't care less about, to tell you the truth), but also of its developers. I really didn't care too much for the gratuitous swipes at Microsoft. Notice that "gratuitous" is really the operative word in the previous sentence. Just like any other complex entity, Microsoft does have their share of faults, mistakes committed, and sometimes plain bad software, but they are certainly not any worse in this regard than many other companies out there, and a lot better than some (outfits like Symantec come to mind; as an aside, we should really thank our lucky stars that Microsoft was headed by Gates, and not Steve Jobs...). Plus, many of the claims of the FFX fans simply have no basis in fact (such as this silly story of FFX being "faster"). Firefox as well as any other browser out there have their own share of problems (can you say "memory management"?).
     
  32. st0nedpenguin

    Of course IE starts up quicker, it's tied into the underlying OS, which as mentioned is part of the reason it's more vulnerable to attack and part of the reason it's such a big target.

    But using a browser because it starts up quicker is retarded, how many times a day do you start up a browser? And what difference does 1.6s make over 1.7s?

    Funny you should imply increasing memory use for Firefox though:

    http://dotnetperls.com/Content/Browser-Memory.aspx
    http://blog.pavlov.net/2008/03/11/firefox-3-memory-usage/

    In multiple tests Firefox memory use stays pretty flat while IE rises constantly.

    The only site I've ever had not work with Firefox was Windows update, strangely.
     
  33. Pirx

    Well, that's actually not quite the conclusion of these articles. Both were in fact somewhat positive in their evaluation of IE, but of course they ranked FFX superior, an entirely unsurprising result given the source of the articles. ;)

    P.S.: I do agree with your assessment of the relevance of browser startup speed.
     
  34. Wishmaker

    I used to like Firefox up to version 1.5. After that, it went downhill. Start-up time was simply horrible. I even tried Safari, and I hate apple :p. It was faster and better than Firefox. Then IE7 came out and on XP is annoying but on Vista it flies. I am a part of their beta testing community and the fanaticism there is overwhelming. If anyone needs FF 3.1 beta let me know :p.
     
  35. Halo360Fan

    The update was only 2Mb? There was only one thing that updated? That was KB960714. Was that the only update? I just want to make sure mine is fully updated.
     
  36. Wishmaker



    Chrome is not a part of the OS, yet it starts faster than anything. Same with Safari....hmmm, how about dem apples? :cool:

    Firefox used to have the speed Chrome has up to ver 1.5. Those were the good ole days. Mozilla screwed up.

    IE7 is faster, better, more stable. IE8 beta 2 thrashes FF when it does not crash :p.


    About those figures...yeah...I learned my lesson with reviews done by "professionals". They rarely apply to how I use my laptop.

    I will come back to this post....
     
  37. Wishmaker

    5.5MB for me. Prolly cos I am using x64.
     
  38. Halo360Fan

    Anyone using 32-bit Vista, how big was your update?
     
  39. st0nedpenguin

    That's because Chrome has bugger all for a featureset, of course it loads quicker.

    And again, how many times a day do you load your browser? Why on earth do you value a saving of 2-3 seconds a day over anything else?

    IE7 is faster, better and more stable than what? IE6? Hardly much to brag about. :x

    Of course nobody else matches how you use your laptop, apparently you spend all day starting up your browser.
     
  40. Pirx

    Same as yours, now quit fussing... :p
     
  41. st0nedpenguin

    Oh that's right, resort to personal insults.

    Awesome argument you have there.
     
  42. Wishmaker

    Do you read what you post, mate? When I start up my laptop and want to check NBR and click on FF I need to wait until that stupid browser loads the homepage. That is not normal on a system like mine when Opera, Safari, Chrome, IE7 open in half the time. This is what is annoying.
     
  43. REBEL07

    Microsoft posted a recovery patch to fix the flaw; you can update your machine now.
    Got my update :D
     
  44. Chris Redfield

    I got my update too. I installed it just because I use MSN Messenger and I prefer to hit mail in order to get to my mail account faster.

    For all other activities involving the internet, Firefox is superior. Enough said.
     
  45. stewie

    When it comes to MS products, people just like to freak out or make things bigger than they are.

    Yes, that's the only patch.

    But why do you care, you said you won't touch it again?

    :D
     
  46. Shyster1

    Since I'm (a) lazy, and (b) not at home right now, anyone care to opine on whether or not the just-released update also applies to IE6? From what I recall of the bug that was found, it affects IE6 as well as IE7, but when I went looking for the patch last night, I can only recall finding the IE7 patch for my system - my wife insists on sticking with IE6, and I don't recall having found a similar patch for IE6.
     
  47. stewie

    According to the MS bulletin, it also applies to IE5 (Windows 2000) and IE6 (XP and Server 2003).

    You can get the download links from here:

    http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx
     
  48. Shyster1

    Thanks! I really appreciate it (although I was sorta hoping you would say it was only for IE7 so I could "force" the wife to upgrade - I get tired of having to deal with IE6 when I work on her computer :D ).
     
  49. stewie

    Just tell her you can't find the patch. :p

    Plus, IE7 is safer than IE6 for other stuff too.
     
  50. Shyster1

    That's another good idea - maybe I'll give it a try (after I hand her print-outs of all the doom-and-gloom news bites regarding the flaw - printed in garish red ink :D ).
     