Redmond slow to fix IE 8 zero day, says 'harden up' while U wait

Microsoft has decided not to rush out a fix for an IE 8 zero-day first identified seven months ago, instead telling users to harden up their browsers. The vulnerability allowed attackers to execute arbitrary code on computers running the older Internet Explorer version 8 through drive-by and phishing attacks. Details were …

COMMENTS

This topic is closed for new posts.
  1. Thorne

    Harden your browser

    Install Chrome......

    1. AlbertH
      Linux

      Re: Harden your browser

      Harden your SYSTEM - delete Windoze and install a proper Operating System

      1. Grikath

        Re: Harden your browser

        Yes, and $LINUX is of course proof against any attack... /facepalm.

        1. jake Silver badge

          Re: Harden your browser

          Linux isn't proof against "any" attack, Grikath, but it is proof against most of the attacks "in the wild". If you are paying attention, that is. Which most Cupertino/Redmond users aren't.

          User ignorance is by far the largest problem. Linux users included.

          That said, I use BSD on Internet facing kit. Seems cleaner, somehow.

          1. Anonymous Coward
            Anonymous Coward

            Re: Harden your browser

            "Linux isn't proof against "any" attack, Grikath, but it is proof against most of the attacks "in the wild". If you are paying attention, that is. Which most Cupertino/Redmond users aren't."

            Really? - better tell LAMP website owners or Android users that then - it will sure be a surprise to them!

          2. Kristian Walsh Silver badge

            Re: Harden your browser

            "Linux isn't proof against "any" attack, Grikath, but it is proof against most of the attacks "in the wild". If you are paying attention, that is. Which most Cupertino/Redmond users aren't."

            So, what you're saying is that because Unix-clones are still inscrutable to non-technical users, the only people who can actually use them day-to-day are technically-literate systems admins, who are well versed in how to stop security issues, and so those platforms are inherently more secure because they exhibit fewer malware incidents, because by being inscrutable to non-technical users, the only people who can actually use them are... et cetera. Get off when you feel dizzy.

            1. jake Silver badge

              @ Kristian Walsh (was: Re: Harden your browser)

              "inscrutable to non-technical users"

              Read: "Computer illiterates".

              The World needs to understand that there is a difference between "interface users" and "computer users" ... Unfortunately, the likes of !GooMyFaceYouMSiTwit! have convinced TheGreatUnwashed[tm] that they are computer users, as opposed to interface users with absolutely zero concept of the underlying code that holds it all together.

              Enjoy your cats and porn. It's not what we built this thing for, but I'm sure it works for you.

              1. sabroni Silver badge

                Re: @ jake

                Jesus, could you patronise that up a bit for me?

                1. jake Silver badge

                  @ sabroni (was: Re: @ jake)

                  "Jesus, could you patronise that up a bit for me?"

                  Only if you use an iFad and try to look important in a technical forum.

              2. Anonymous Coward
                Anonymous Coward

                Re: @ Kristian Walsh (was: Harden your browser)

                " It's not what we built this thing for"

                Is that the royal we?

                Care to divulge what it was built for?

                1. Thecowking

                  Re: @ Kristian Walsh (was: Harden your browser)

                  it was built to transmit jake's wisdom to the great unwashed.

                  May his tecknowledge shine on us all.

                  Of course I don't need his knowledge, it's like I told Archimedes when he was having a bath (different times, told him a few things about displaced fluids too, very excitable those ancient Greeks), "Archy", I said, "It's like jake always says, everything that isn't a ranch owned by jake is suspect. You have to install a hardware firewall on your datastore."

                  Daft bugger set fire to Alexandria.

                  Still you can't help everyone.

                  1. jake Silver badge

                    @ Thecowking (was: Re: @ Kristian Walsh (was: Harden your browser))

                    Grow up, child. You really can learn from your elders, if you apply yourself.

                2. jake Silver badge

                  @ Cowardly person (was: Re: @ Kristian Walsh (was: Harden your browser))

                  "Is that the royal we?"

                  No, it's the inclusive "we". Some of us were actually there, you know.

                  "Care to divulge what it was built for?"

                  It was built as a research network to research networking.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: @ jake

                    "It was built as a research network to research networking."

                    So Number 9, if you're so down on how this thing you... heh.. 'helped' 'build' has been so terribly corrupted by all those people using it to watch cat vids and porn, why are you on the Reg forums all the time flame baiting? Shouldn't you be doing some networking research? Or some of the three hundred-odd other things you make unverifiable claims of expertise in?

              3. Anonymous Coward
                Anonymous Coward

                Re: @ Kristian Walsh (was: Harden your browser)

                Thereby to use a smartphone you should be an expert in wireless communications? How much do you know about it? To use a camera you should be an expert in optics, CCD/CMOS technology and image processing? How much do you know about them? Or are you just an "interface user", as it happens also with many more devices you use every day? Could you design a refrigerator, an AC system, a washing machine, a TV, a satellite receiver or even your router/wifi? Could you design and build your wristwatch? Face it - most users are just "users". For them the computer is just a tool to perform a task - like everything else. It's not something to worship, take care of every day, and go to sleep with.

                Users are often very "literate" in their field - I worked for a computer system for an ancient textiles museum, and the people working there, although knowing very little about computers, had a very deep knowledge of textiles, designs, colors, materials that went far beyond what I could ever think of about such a world. They just needed software to handle all that information; all they cared about was the interface to get data in and out - they couldn't care less about how it was handled inside the machines. That was my task, and I wasn't there to transform them into "computer gurus" and force upon them my vision of what a "computer guru" is. Good SW designers and developers are those who understand that. Bad ones are those who believe that any human on the planet should be "assimilated" and become a worshipper of his tools and OS.

                1. jake Silver badge

                  @LDS (was: Re: @ Kristian Walsh (was: Harden your browser))

                  My point obviously went clear over your head.

                  There is a huge difference between computer users and interface users.

              4. Fatman

                Re: @ Kristian Walsh (was: Harden your browser)

                @jake,

                Have an upvote from me.

                So many stupid ones just do not get it, and we in IT have to clean up the shit they leave behind.

                1. jake Silver badge

                  @Fatman (was: Re: @ Kristian Walsh (was: Harden your browser))

                  They are not stupid. They are ignorant.

                  Stupidity is permanent, ignorance can be cured through education.

              5. tekHedd

                Re: @ Kristian Walsh (was: Harden your browser)

                "Enjoy your cats and porn."

                Hmm, last I checked, cats and porn *were* the reason "we" built "this thing". Oh, I'm sure somewhere an academic is crying because his beautiful data compression algorithm is being used in impure ways, but that's beside the point.

              6. Kristian Walsh Silver badge

                Re: @ Kristian Walsh (was: Harden your browser)

                How do you get around California without a car, Jake..? It's not like you know about every single system inside it, is it?

                You don't know me, but you still assume that your knowledge of everything is superior to mine... There's a name for someone who reasons without facts... Several names, in fact, but you've already been called them all by now, and maybe you still think it's just jealousy from us "stupid" people.

                1. jake Silver badge

                  @Kristian Walsh (was: Re: @ Kristian Walsh (was: Harden your browser))

                  "How do you get around California without a car, Jake..? It's not like you know about every single system inside it, is it?"

                  Actually, my daily drivers ('59 Pan, '70 Mercury Cougar convertible and '75 Ford F-250) are frame-up restorations. I did all the work myself, with the exception of paint, chrome, and powder coating.

                  "There's a name for someone who reasons without facts... "

                  Yep. Look up "projection". Seriously.

                  Sarah Bee used to accuse me of tilting at windmills. She was probably right.

          3. John Tserkezis

            Re: Harden your browser

            "User ignorance is by far the largest problem. Linux users included."

            Correct, but it doesn't matter anyway. There are idiot users everywhere.

            Coverage doesn't matter either - if Linux had the coverage that windows does now, we would be saying it's safer if everyone moves to windows, ditto for MacOS.

            Most scammers try to get the widest coverage by picking the OS that has the widest coverage - whoever that may be. So you're not actually helping by saying your choice of OS is proof against most of the attacks. It might be technically correct, but it doesn't actually help.

            You may be able to help yourself, but you have control over your own equipment, it doesn't fix anything by whining that OS brand Whatever is terrible, if your employer uses it, or any of the shops you visit, or any of the public services use it, or your bank, or whoever.

    2. Anonymous Coward
      Anonymous Coward

      Re: Harden your browser

      "Install Chrome......"

      But Chrome is one of the worst browsers for security holes and has had far more vulnerabilities than IE. Not to mention that it is spyware by design.

    3. Anonymous Coward
      Happy

      Re: Harden your browser

      "Install Chrome......"

      Install SRWare Iron.

      There, fixed.

      1. Stevie

        Re: Harden your browser

        "Install Chrome......"

        Install SRWare Iron.

        There, fixed.

        And this is easier than simply installing the MS hardening kit how?

        You can keep chrome. I have to use Chrome for fiddling with my BeagleBone Black and every time I do it wants to know about my gmail settings and where I keep my contacts and ... (don't you just love when browser evangelists saddle you with nagware AND spyware in the name of political correctness).

        If Redmond did this you'd crucify them, and rightly so.

    4. Mike Flugennock
      Coffee/keyboard

      Re: Harden your browser

      "Install Chrome......"

  2. Christian Berger

    Is ActiveX fixed yet?

    That remote code execution feature was still there last time I checked.

    1. AlbertH
      FAIL

      Re: Is ActiveX fixed yet?

      Every time I look at Windows "latest and greatest" I find further flaws. It's still very open to abuse.

      There are many of the old, quite trivial attack vectors still available. MS seem either unwilling or unable to fix the many problems. They've been given plentiful details of the attacks, but ignore the reports and concentrate on putting ever more shiny stuff in place.

      They seem to hope that the look of their OS will divert attention away from the fundamental flaws.

      Polish that turd, guys!

      1. Anonymous Coward
        Anonymous Coward

        Re: Is ActiveX fixed yet?

        "Every time I look at Windows "latest and greatest" I find further flaws. It's still very open to abuse."

        A quick check of the 'latest and greatest' on Secunia - being Windows 8 and 8.1 shows ZERO unpatched vulnerabilities. And the vulnerability count is significantly lower over time than say an Enterprise Linux distribution or OS-X.

        1. Anonymous Coward
          Anonymous Coward

          Re: ZERO unpatched vulnerabilities.

          A quick check of the article reveals a real ZERO day vulnerability in IE 8 that MS aren't patching.

          So to try and avoid this degenerating into bickering, is it that this is effectively an XP bug or does Windows 7 run IE 8? If it's the latter then surely there's a real problem here: legitimate Windows 7 users running a legitimate copy of IE 8 are vulnerable. Updating to Windows 8 isn't a suitable fix for this....

          1. Ian Thomas

            Re: ZERO unpatched vulnerabilities.

            According to an answer from Microsoft, IE8 on Vista SP2 is supported until April 2017, so they really should be fixing this, at least on Vista. http://answers.microsoft.com/en-us/ie/forum/ie8-windows_xp/lifecycle-internet-explorer-8/2d64f20f-7801-4636-82be-456302181b37

            On the other hand, Vista users do have the option of upgrading to IE9. If I were Microsoft I'd be telling people to upgrade to newer versions of IE, rather than turning off important features.

          2. Anonymous Coward
            Anonymous Coward

            Re: ZERO unpatched vulnerabilities.

            "A quick check of the article reveals a real ZERO day vulnerability in IE 8 that MS aren't patching."

            But that's not 'The latest and greatest' is it? We have IE9, IE10, IE11 also.

          3. Stevie

            Re: ZERO unpatched vulnerabilities.

            "IE8"

            Anyone still using it, other than the XP users?

        2. Anonymous Coward
          Anonymous Coward

          Re: Is ActiveX fixed yet?

          "A quick check of the 'latest and greatest' on Secunia - being Windows 8 and 8.1 shows ZERO unpatched vulnerabilities. And the vulnerability count is significantly lower over time than say an Enterprise Linux distribution or OS-X."

          TheVogon, given the way you trot this garbage out without fail on every single Windows-related thread, I think you actually have some kind of behavioural disorder. Would you like me to go over the reasons why you are so comprehensively full of shit, one more time? There is an army of Eadons out there who'll bash Windows on ideological grounds, but you are simply the flipside of the coin, coming out with the same old mince thread, after thread, after thread.

          I'm interested in products that serve a purpose, the right tool for the right job and there's room for that to be Windows, room for that to be Linux and other FOSS or proprietary solutions; you and the hardcore Linux fanbois are interested in products that serve a worldview. If you're really a Windows advocate, do the platform a favour and cut the crap.

      2. Robert Helpmann??
        Joke

        Re: Is ActiveX fixed yet?

        Polish that turd, guys!

        Now, now. MS has provided many of your fellow readers with years of gainful employ supporting their products. If it were perfectly secure and lacked all flaws, where would we be?

  3. h4rm0ny

    Good!

    I manage a project for one of my clients and they have to support IE8 for the sake of a large customer who refuses to budge from IE8 and FLASH 9. Anything that can get through to companies that they need to move forwards is good, by this point.

    1. Charlie Clark Silver badge

      Re: Good!

      One of my customers is a large company and IE 8 is still the standard IE version because of the legacy support for internal browser-based apps written for IE 6 back in the day. Rewrites are either prohibitively expensive or not even possible so I think Browsium is the only solution.

      Makes you wonder why companies stick with Microsoft but there are still too few alternatives for desktop machines. As long as Microsoft can continue to collect licences for this kind of shoddy product management then they're unlikely to change their practices.

      1. h4rm0ny

        Re: Good!

        >>"As long as Microsoft can continue to collect licences for this kind of shoddy product management then they're unlikely to change their practices."

        No-one wants to get companies upgrading to newer versions of Windows more than Microsoft. They would far rather people were using IE9+ on Windows 7+ than legacy old stuff which they are contractually obliged to support.

        1. Dan 55 Silver badge

          Re: Good!

          Could this be called supporting IE8 though? It's just a workaround to mitigate the attack, it doesn't fix the problem.

          Unless MS unlink IE from the OS and make IEs9-11 available for Server 2003 and Vista, they should be supporting IE8 until Server 2003's end of line date. They've made their bed, now they should lie in it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Good!

            Are you browsing the web for any site from a server? 8-O

            You have bigger issues than a zero day vuln in IE8, then.

            1. Dan 55 Silver badge

              Re: Good!

              Intranets, Outlook and Help (using the MSHTML control) are attack vectors too. People shouldn't use them either on a server, but it happens.

              If the EOL is July 2015, then it should be supported till then. Why trust a company which doesn't fully support its server platform?

              1. Anonymous Coward
                Anonymous Coward

                Re: Good!

                1) You can manage Windows servers without ever running a "shell" on them (remote desktop or whatever). Most Windows server operations can be performed via MMC plug-ins from a remote administration machine. Other software is usually maintainable via some web application or the like. If it has none of them, it's probably some *nix port and you should look for something better :-P

                2) If I have to access contents via the web, I never do it on the server directly, but I do it from the machine I'm connected from, and then transfer to the server only what really needs to be transferred. Servers are servers, should be dedicated to their tasks, and should never be used as "general purpose" machines. Access to what they don't need should be restricted.

                3) Servers should never have installed software that shouldn't be run on servers. Mail clients, whatever, should not be allowed on servers, unless there are very good reasons to allow them. Sysadmin laziness is not usually a good reason.

                4) If bad practices "happen", you have a problem no software solution will ever solve. No matter what OS you're using, no matter how much you spend in hw and sw to protect you, bugs and vulnerabilities will "happen" also, and compromise as well, because bad practices will make them much easier.

                1. VirtualizationGuy

                  Re: Good!

                  What about Citrix XenApp, Microsoft App-V, and VMWare View?

            2. Ken Hagan Gold badge

              Re: Good!

              "Are you browsing the web for any site from a server? 8-O"

              We don't know. Just because one is using Server 2003, doesn't mean the machine is an important "server". Indeed, anyone who still thinks there is a difference between a server OS and a client OS, apart from the application software workload, needs to stop drinking the Kool-Aid. Using the word "server" to mean "valuable" or "powerful" is like using the word "proprietary" to mean "better". It's what the marketeers want you to believe, but surely everyone reading this site knows better?

              1. Anonymous Coward
                Anonymous Coward

                Re: Good!

                Why should you run something that costs five-ten times the cost of a client OS for something 'not important'? Sure, I've test machines running server OSes (and licenses like MSDN allow for that kind of use only...), but they are still managed as servers to ensure applications work in a properly configured environment. And there are differences, since a server OS has many features the client one has not, from large multiprocessor support to services like AD and so on.

                Then if you're one of those who believe running an invalid license of a server OS on his PC makes him cool, well, you need to grow up...

        2. Charlie Clark Silver badge

          Re: Good!

          "No-one wants to get companies upgrading to newer versions of Windows more than Microsoft. They would far rather people were using IE9+ on Windows 7+ than legacy old stuff which they are contractually obliged to support."

          Most corporates are on Windows 7 but they still have to use IE 8 because of its "legacy" support. But Microsoft is happy because it usually means Office 2010 and relevant server kit.

  4. A Non e-mouse Silver badge
    Flame

    My Browser/OS/Whatever is better than yours

    Oh PLEASE can we stop this whole "Don't use that, it's buggy, use this" ranting. It feels like I'm standing in a primary school play ground.

    All software, whether open source, closed source, old or new has bugs.

    Where's the Moderatrix when you need her?

    </rant>

  5. Anonymous Coward
    Anonymous Coward

    To be fair...

    ..it's obsolete and if you're stuck with it, you're either on XP, so we all know that's unsupported, or Server 2003, in which case, WTF are you doing surfing dodgy websites?

    1. Charlie Clark Silver badge

      Re: To be fair...

      IE 8 still makes up around 30% of corporate desktops. Quite often because of legacy "browser apps" that were designed to work in IE 6. Probably because of ActiveX.

      1. Ian Thomas

        Re: To be fair...

        If I were the sysadmin of a network that required IE8 for an internal app, then I would restrict it to be used on just that app. General browsing can be done using another browser.

      2. chris lively

        Re: To be fair...

        It's been enough time that those corporations should have moved off of any platform that required IE6 to work. Not doing so in this day and age is a complete dereliction of their responsibility and I believe they should be sued into oblivion.

        IE6 was released 13 YEARS AGO. It's time to move on. And I don't mean that they should move up to IE7 or even IE8. I mean they should have their desktops configured to go straight to whatever the most current version of the browser is: IE11. If they are still running XP (god forbid) then those Network Admins have a responsibility to push Chrome, Firefox or one of the other contenders across the desktop and disable the older IE for any type of browsing.

        The fact that several such corporations don't means that they are more than happy having their computers taken over AND/OR their administrators need to be fired. And, no, having McAfee, Norton (or whatever they are called this week) isn't good enough. Those things are complete horseshit and generally cause as many problems as they supposedly fix.

  6. Anonymous Coward
    Anonymous Coward

    Upgrade clients to IE11 when you can, and use "Document modes"

    If you upgrade to IE11, you can use "Document modes" to have sites rendered as if opened with older versions. You just need to add an "X-UA-Compatible" HTTP header. And you can do it with any version of IIS, Apache, or other web server.

    Thereby if your clients run a supported version of Windows, you have very little reason to keep on using old, slow, and buggy versions of IE. On servers you may still have IE8, but you're not browsing the web on a production server (or even from test/development ones), are you?

    http://msdn.microsoft.com/en-us/library/jj676915(v=vs.85).aspx

    http://msdn.microsoft.com/en-us/library/jj676913(v=vs.85).aspx
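The header-based approach described in the post above, as an added example that is not from the poster or from Microsoft's documentation: a small WSGI middleware that sets X-UA-Compatible to an IE 8 emulation mode only under the legacy app's path prefix and leaves every other page on the newest engine, so the compatibility mode is scoped to the one app that needs it rather than applied site-wide. The /legacy/ prefix and the demo application are constructed for illustration; the header values themselves (IE=EmulateIE8, IE=edge) are the documented ones.

```python
"""Scope IE document modes to the legacy app path only (added example).

Assumption (illustrative, not from the forum post or MSDN): the IE 8-era
intranet app lives under /legacy/; everything else should render with the
newest document mode ("IE=edge").
"""
from wsgiref.util import setup_testing_defaults

LEGACY_PREFIX = "/legacy/"          # constructed example path
LEGACY_MODE = "IE=EmulateIE8"       # render the legacy app as IE 8 would
DEFAULT_MODE = "IE=edge"            # everything else: newest document mode


def choose_document_mode(path):
    """Return the X-UA-Compatible value for a request path."""
    if path.startswith(LEGACY_PREFIX):
        return LEGACY_MODE
    return DEFAULT_MODE


class DocumentModeMiddleware:
    """WSGI middleware that adds X-UA-Compatible to HTML responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        mode = choose_document_mode(environ.get("PATH_INFO", "/"))

        def patched_start_response(status, headers, exc_info=None):
            is_html = any(k.lower() == "content-type" and
                          v.lower().startswith("text/html")
                          for k, v in headers)
            if is_html:
                # Drop any X-UA-Compatible the app set itself, then add the
                # policy value, so the decision lives in one place.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "x-ua-compatible"]
                headers.append(("X-UA-Compatible", mode))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in application returning a trivial HTML body."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>hello</body></html>"]


def headers_for(path):
    """Run one request through the middleware and return its headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(DocumentModeMiddleware(demo_app)(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    for p in ("/legacy/app.aspx", "/news/"):
        print(p, "->", headers_for(p)["X-UA-Compatible"])
```

Document modes only change how IE11 renders a page; the browser's patch level is that of the installed IE11, which is the point of upgrading the client.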

  7. M7S

    IE8 is how old?

    Oh 5 years.

    At least no car company would take this attitude to the operating system of an autonomous vehicle.

    Thank goodness for that

    1. h4rm0ny

      Re: IE8 is how old?

      >>"At least no car company would take this attitude to the operating system of an autonomous vehicle."

      Can your car be magically replaced in your garage overnight without having to buy a new one? If so, great analogy.

  8. Mikel

    Won't fix

    See: Trustworthy Computing

  9. tekHedd

    Oh thank goodness.

    IE8 is a pox and it needs to die. Just standards-compliant enough to fool you into thinking that it will work, and then you start getting bug reports. The sooner they abandon it the better.

  10. Herby

    Problem here...

    Microsoft in its infinite wisdom decided LONG ago to do the embrace-extend model where they locked people into their products. Now that they have done "updates" and have better products, this comes back as users that can't upgrade since they are locked into the products that Microsoft designed to be locked into.

    Users that took the bait (locking into a Microsoft product) and now find they are unable to change have no one to blame but themselves (and the Microsoft marketing droids).

    What comes around, goes around.

  11. Mike Flugennock
    Coffee/keyboard

    Redmond won't fix IE8 zero day, says 'tough shit' instead

    There, fixed it for you.

    But, seriously, folks... two words: Sea Monkey.
