New zero day vulnerability identified in all versions of IE

Cnet ^ | Apr 27, 2014 | Steven Musil

[dayglored]

A new zero day vulnerability that resides in all versions of Internet Explorer has been spotted in the wild, Microsoft confirmed late Saturday.

The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm Fire Eye, which first reported the flaw Friday.

The attack leverages a previously unknown "use after free" vulnerability -- data corruption that occurs after memory has been released -- and bypasses both Windows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, according to Fire Eye.

An attack could be triggered by luring visitors to a specially crafted web page, Microsoft explained.

...

[Greysard]

Okay, XP die-hards, you were warned. Here it comes.

Who in his right mind is using the IE that came with XP? It was garbage then, and it isn't much better now. Download a real browser, one that is currently supported. Chrome, Opera, or any Gecko or Webkit-based browser (Safari, PaleMoon, etc.) It's hardly a challenge.

Besides, most of the XP holdouts are in the embedded world. XP runs their CNCs and their chromatographs and their oscilloscopes. Those devices do not browse the Web; many are not even accessible from the Internet. Most laptops and desktops with XP are already in the trash. I have a few, but I maintain them for a very specific technical reason; mechanically and electrically they are junk, and new laptops are cheap.

[usconservative]

Weird that this wasn’t discovered until such time as MS wants to panic its herd into W8.

No, it's not weird at all if you'd remember that Microsoft has been issuing security updates for Windows XP for 12 years .......

Windows XP "security" has been so bad that the first Tuesday of every month became known as "PATCH TUESDAY" on a world-wide basis.

That's been going on for 12 years. The fact that Microsoft HAD TO issue updates over the course of 12 years to fix known and newly found vulnerabilities should be telling those of you who insist on running it and refusing to upgrade that any decision to continue running the most security hole laden OS in history is really a dumb decision on your parts.

[dayglored]

> Weird that this wasn’t discovered until such time as MS wants to panic its herd into W8.

Microsoft released a statement saying that the only way to protect against this, if you're running XP, is to upgrade to Win7 or Win8.

I'm shocked. Shocked!

Of course, they -are- correct, that's a true statement.

Unless you're a big corporation paying extortion money to Microsoft for continued XP update support (yes, it exists if you have enough money).

[usconservative]

I'd sure like to have that link to give to my family and friends who are still running XP and will be calling me for help.

Good luck with that. I'd disconnect my phone and disown any family members still running XP. They've known end of support was coming, and refused to change.

Prepare to suffer the consequences of stupid decisions.

[doorgunner69]

Why did you need IE to get updates and not some other browser like Firefox? Never used IE of anything for years now.

[dayglored]

> Why did you need IE to get updates and not some other browser like Firefox? Never used IE of anything for years now.

Huh, last I knew, Windows Updates only ran with IE, because it required ActiveX, which is only available in IE.

When did that change???

[upchuck]

If you are using IE for anything but Windows updates, why? There are plenty of other browsers out there that are much more secure than IE. Safari, Chrome (Google product, be careful), Opera, Firefox, lots of others.

[dayglored]

> The fact that Microsoft HAD TO issue updates over the course of 12 years to fix known and newly found vulnerabilities should be telling those of you who insist on running it...

C'mon, let's be fair, ALL OSes issue security patches. That includes Mac OS X, Linux, BSD Unix, etc. etc. not just Windows.

Nobody in their right mind expects software, especially huge, complex software, to not have flaws.

[upchuck]

This appears to be the first major flaw that WILL NOT GET FIXED FOR WINDOWS XP.

Why would you write that? Reading the article, this vulnerability is very specific to Internet Explorer and has nothing to do with any MSFT operating system, including XP.

[dayglored]

> If you are using IE for anything but Windows updates, why? There are plenty of other browsers out there that are much more secure than IE. Safari, Chrome (Google product, be careful), Opera, Firefox, lots of others.

There are tons of users, especially business users, who HAVE to use IE because their business applications only run on it.

Same for Win XP.

For two decades, Microsoft strongly encouraged developers to tie applications to their specific OS and browser, and now the folks who did so are paying the price.

[sagar]

Anyone who uses Windows and/or IE in this day and age needs to have their mental state seriously questioned.

[dayglored]

> Why would you write that?

Because it's true. Read further before you write back, please.

XP users can't get IE updates.

[Greysard]

Stopping usage of IE will provide some protection for now but ultimately, XP is going to be breached world-wide and those of you running it will regret not upgrading.

There is no upgrade path from XP. Those boxes were built to run with as little as 512 MB of RAM, if not even less. They have slow processors that won't run Win7 or later. I know because I dealt with this before, and I have a few of those boxes now. The only upgrade path that they have, in theory, is Linux; but in practice they have only the path into dumpster because it costs you too much to upgrade them and to use them, compared to buying a new system.

The real problem is with XP that operates equipment. Here is an example:

This particular, now obsolete, oscilloscope was sold for about $25K then, and it still is a perfectly good instrument today. It is selling right now from $5K to $10K. But it is controlled by WinXP. If you have ten of those oscilloscopes in your business, would you be in any hurry to scrap a quarter million dollars in working hardware just because of a very remote threat? Those scopes have never seen a Windows Update in their life, by the way - you cannot risk that on a soft real time equipment. If you have to protect them, you do that with firewalls; but most scopes are not even connected to the network. Maybe GPIB; but Ethernet at that time was not very useful.

This is not the highest price for a unit of equipment either. Take this signal source analyzer, for example - its price can be above $60K:

There are CNC machining centers and robots, however, that cost far more than that. The fact is that XP/XPe was a de-facto standard for all such equipment for ten years. All high-end, smart equipment made in the last decade runs XP. There is no way to upgrade it. Discarding it would cause terrible financial losses, and it would be also not very wise because the hardware still works fine. So XP will soldier on.

[Focault's Pendulum]

Huh, last I knew, Windows Updates only ran with IE, because it required ActiveX, which is only available in IE. When did that change???

Dear Mr Rip Van Winkle. I used to run Win updates on the old Netscape browser back in the nineties.

[dayglored]

And let’s not forget the 100,000’s of ATM machines across the country that are still running WinXP and -are- connected to the network, whether directly or indirectly.

[doorgunner69]

Been getting the updates (always by notification and manual download) for many years through Firefox. That included bumping XP up through SP3 AFAIK.

Quit IE once I discovered the bliss of AD Block etc.

[dayglored]

> Dear Mr Rip Van Winkle. I used to run Win updates on the old Netscape browser back in the nineties.

So did I, before the updates started requiring IE. That was somewhere in the early 2000's, I think.

Windows Updates on Win7 and later is integrated into the OS as part of Control Panel.

Please tell me how you run Windows Updates on XP without IE. What's the procedure, suitable for an average user? If there's an easy way to do it, I'd love to know.

Of course, updates are disabled for XP now, so I don't expect it to work. I just want to know how you USED to do it on XP without IE.

[dayglored]

> ...manual download...

Well, sure, you can get the update files as a download and install them manually, if you know how and are willing to go through that extra hassle and understand what to get.

I've tried explaining that to normal Windows users, without success. They want to get Windows Updates by clicking "Windows Updates". That's not an unreasonable expectation.

I could never find a way to have the "Windows Update" service run with any other browser as a tool. If you know a way, by all means spill the beans, please.

[Focault's Pendulum]

Just about any of the browsers today can be used for an update.I went from Win 95 to 98 to Vista and now 7. I have never used IE at all except for the first time I plugged my first computer in.

If (and you should) download another browser such as Chrome or Palemoon make sure you make it your default browser, Other wise you'll be stuck having to use IE.

You can always change the setting.

[usconservative]

There is no upgrade path from XP.

Sure there are, they're called Windows 7 and Windows 8. Pick one.

I'm not going to debate "upgrade" vs. "upgrade path."

I'm also not going to debate hardware requirements. People running Windows XP on an older machine will obviously have to upgrade some hardware, whether that's memory, disk, etc..

Fact is, Windows 8 uses LESS resources than Windows 7 did, so most computers capable of having 4gb of memory installed (and that's alot of old computers) will run Windows 8 reasonably well.

My comments were addressed to the "FMCDH" crowd who says they'll never give up Windows XP (and the handful who wanted by force of Government *make* Microsoft support it going forward.)