9 replies to this topic

#1 EZRecovery

Posted 27 May 2014 - 04:59

This is the second time in a one-month period that a vulnerability in Microsoft’s Internet Explorer has been exposed. The first one was announced in April, with Microsoft being quick to admit the problem. The company even shared emergency measures that users can take while waiting for the patch to be released officially. That’s over and done with, but yesterday, Zero Day Initiative released details of another Internet Explorer flaw.

 

According to the announcement of Zero Day Initiative, they first heard of the vulnerability back in October of 2013. It was discovered by Belgian researcher Peter Van Eeckhoutte. The Initiative then immediately alerted Microsoft about the issue.

 


 

By practice, the Initiative does not release such information to the public for about six months after informing the concerned party. This is to give the latter time to release a patch to address the issue.

 

Since it’s been a while since the Internet Explorer vulnerability has been pointed out to Microsoft, the Initiative gave the company notice on May 8 that they would announce the details to the public. It’s now been weeks since, and still nothing from Microsoft, so now we know. (Maybe Microsoft was too busy with the Surface Pro 3.)

 

Specifically, the vulnerability affects Internet Explorer 8, and “allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

It is rather surprising that Microsoft has not done anything since they were informed of the flaw, especially considering that Internet Explorer 8 still has a 20.85% share of the browser market. This is according to Net Market Share’s April report.

 

If you’re using IE 8, just be extra careful about the sites you visit, as the vulnerability requires the user to visit a page designed to take advantage of the flaw. Every link you receive – via email, chat message, or whatever – make sure you trust the source. Else, you just might become a victim of this flaw.

 

Source: http://news.filehipp...y-flaw-exposed/




#2 Shiranui

Posted 27 May 2014 - 05:40

IE 8 is obsolete on all currently supported OS.

#3 +_Alexander

Posted 27 May 2014 - 05:41

AFAIK Vista supports at most IE9, while W7 and W8 support IE11

#4 +virtorio

Posted 27 May 2014 - 06:03

> IE 8 is obsolete on all currently supported OS.

Irrelevant, support lifecycle for IE is inherited from whatever OS it's running on and the issue should be fixed.

 

http://support.micro...=8&y=8&p1=13418



#5 Mike Allen

Posted 27 May 2014 - 21:11

Unacceptable. 



#6 Lord Method Man

Posted 27 May 2014 - 21:19

:rolleyes:

 

On the front page a week ago http://www.neowin.ne...er-seven-months

 

And for the umpteenth time, this isn't a zero-day attack. Zero-day attacks are vulnerabilities being exploited before said vulnerability is known to the programmers. This is the opposite - the vulnerability is known, but there are currently no known attacks taking place.



#7 sinetheo

Posted 27 May 2014 - 21:25

Haha

 

When will people learn to use a real browser



#8 Max Norris

Posted 27 May 2014 - 23:45

> Irrelevant, support lifecycle for IE is inherited from whatever OS it's running on and the issue should be fixed.

All currently supported versions of the operating systems have newer versions of the browser available, never mind a fair number of sites are dropping support for it as well. Unless you have some sort of corporate intranet site that requires it, no real reason to be even using it anymore. If you're still on XP, well, IE8's dead, switch to another browser, while you still can.
 

> When will people learn to use a real browser

Which real browser is it that hasn't had vulnerabilities? I'm game to switch to it, hell even Lynx has had code execution vulnerabilities.

#9 +virtorio

Posted 27 May 2014 - 23:52

> All currently supported versions of the operating systems have newer versions of the browser available, never mind a fair number of sites are dropping support for it as well. Unless you have some sort of corporate intranet site that requires it, no real reason to be even using it anymore. If you're still on XP, well, IE8's dead, switch to another browser, while you still can.

And as I said above, that's totally irrelevant. 



#10 Max Norris

Posted 28 May 2014 - 00:01

> And as I said above, that's totally irrelevant.

It's completely relevant as there's no good reason to actually be using it anymore when they've updated it multiple times and major web sites are dropping support for it. And after all that, if you read their report, it lists multiple ways to counter the issue, never mind the report clearly says it still requires user interaction to get the thing to work in the first place... you know, the common sense stuff that's been drilled into people's heads for years, patches can't cure that.