Free Republic
Browse · Search
General/Chat
Topics · Post Article


New zero day vulnerability identified in all versions of IE
Cnet ^ | Apr 27, 2014 | Steven Musil

Posted on 04/27/2014 4:26:55 PM PDT by dayglored

A new zero day vulnerability that resides in all versions of Internet Explorer has been spotted in the wild, Microsoft confirmed late Saturday.

The vulnerability, which could allow remote code execution, is being used in "limited, targeted attacks," according to an advisory issued by Microsoft. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye, which first reported the flaw Friday.

The attack leverages a previously unknown "use after free" vulnerability -- data corruption that occurs after memory has been released -- and bypasses both Windows DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, according to FireEye.

An attack could be triggered by luring visitors to a specially crafted web page, Microsoft explained.

...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: aiee; gatesfoundation; ie; internetexplorer; microsoft; remotecodeexecution; stevenmusil; vulnerability; windowsxp; zeroday
To: dayglored
> C'mon, let's be fair, ALL OSes issue security patches.

True, but only ONE O/S has the bragging rights for "Patch Tuesday" for the last 12 years and that's Windows XP.

Thank God Microsoft finally dropped XP. Now we get our First Tuesdays of the month back.

41 posted on 04/27/2014 5:58:53 PM PDT by usconservative (When The Ballot Box No Longer Counts, The Ammunition Box Does. (What's In Your Ammo Box?))


To: usconservative
> Thank God Microsoft finally dropped XP. Now we get our First Tuesdays of the month back.

Ummm, no, Patch Tuesday will still be there for Vista, Win7, and Win8.

And it's the SECOND Tuesday of the month. :)

43 posted on 04/27/2014 6:06:37 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored

Why use XP now anyway? Firefox is far superior to all others for power users.


44 posted on 04/27/2014 6:10:32 PM PDT by daniel1212 (Come to the Lord Jesus as a contrite damned+destitute sinner, trust Him to save you, then live 4 Him)

To: Focault's Pendulum
I've had either Netscape Navigator or Firefox as my default browser as long as they've been around. One of the first things I do on a new system is download Firefox and make it the default browser.

That never changed how Windows Update worked on XP, it always uses IE.

And if you copy/pasted the URL for Windows Updates into Firefox, there was an error saying you had to use IE.

I'm not sure what you're referring to. If you mean manually finding and identifying and downloading and manually installing updates, yes of course that can be done with a non-IE browser. Hell, I've done that with Firefox on Linux.

I'm talking about the normal Windows Update service that normal users use, to get Windows Updates.

How were you able to run the Windows Update service with (say) Firefox?

45 posted on 04/27/2014 6:12:30 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored
> And let’s not forget the 100,000’s of ATM machines across the country that are still running WinXP and -are- connected to the network, whether directly or indirectly.

The good part about ATMs is that they are wearing out much faster than lightly used indoor equipment for scientists. There are those buttons, screens, slots, rollers, sensors... lots of stuff that deals with moving objects. Those things wear out first. ATMs can have a short amortization period because they are very profitable, so their useful life can be set to just a few years.

I am not sure, though, that many ATMs are connected to the Internet. Not every "network" is the Internet. Here is what howstuffworks.com has to say:

> Most host processors can support either leased-line or dial-up machines. Leased-line machines connect directly to the host processor through a four-wire, point-to-point, dedicated telephone line. Dial-up ATMs connect to the host processor through a normal phone line using a modem and a toll-free number, or through an Internet service provider using a local access number dialed by modem.

Dial-up was extremely common for several decades, and I guess it is still used today. It is pretty secure - you have to have physical access to the cable or to the switch, and still the connection is encrypted. In such a configuration WinXP's vulnerabilities are not a concern because there are no data ports that one could tweak to exploit security holes. An ATM may not even have a network card, for example, just the modem. The buttons are connected to a custom peripheral controller, so no three finger salute for you. Such systems are only vulnerable to their own security holes - and with a very limited set of inputs you can mathematically prove that the software is correct.

The quoted text does mention that some ATMs may dial the ISP and be connected to the Internet. But those that do that most likely will not be using IE for encryption. It's more complicated than whipping up one's own https client, even if you call DLLs that came with Windows. As these connections are point to point, originated by the ATM to a fixed IP address of the bank, it is not practically possible to "trick" an ATM to connect to some other site and become hacked. Besides, what is the risk? That the machine dispenses all its cash to a hacker? Thieves are known to steal the whole ATM; a patch won't be effective against a steel cable and a powerful truck.

46 posted on 04/27/2014 6:13:46 PM PDT by Greysard

To: dayglored

Yes, XP users were warned. The practice of abandoning support for older versions of MS software is something that happens across all Microsoft platforms, not just the OS business. It is the Microsoft business model and every user of XP knew this when they first started using XP.

In time, the platform will become unusable. If you are still on XP, get off of it. Otherwise do not complain when a third party provider who promises to keep XP running, so hoses it up that you lose all of your data, or worse.


47 posted on 04/27/2014 6:20:10 PM PDT by Delta Dawn (Fluent in two languages: English and cursive.)

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

48 posted on 04/27/2014 6:21:08 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: usconservative

You have a poor grasp of irony.


49 posted on 04/27/2014 6:23:53 PM PDT by SunkenCiv (https://secure.freerepublic.com/donate/)

To: dayglored

I think I read that Embedded XP support will continue for a while yet.


50 posted on 04/27/2014 6:24:00 PM PDT by SunkenCiv (https://secure.freerepublic.com/donate/)

To: dayglored; doorgunner69

Since there will be no more updates, why use IE?


51 posted on 04/27/2014 6:24:54 PM PDT by SunkenCiv (https://secure.freerepublic.com/donate/)

To: SunkenCiv; doorgunner69
> Since there will be no more updates, why use IE?

Because lots of business applications and certain critical websites require IE. They won't run with anything else.

If your business depends on those applications and/or websites, your employees must use IE.

And there are a lot of normal users who don't know there's anything else -- they assume that since IE came with the operating system that it must be the best one to use.

52 posted on 04/27/2014 6:30:20 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: Delta Dawn
> In time, the platform will become unusable.

New hardware is the primary driver of that. Today if you install XP onto a new PC it may or may not work. I have seen BSODs during setup. There is little that you can do, unless it is XPe and you are willing to play with drivers. In the best case you may get the XP running, but half of the hardware in the PC will be unusable, and no drivers will be available for download. XP makes sense today only coupled to the hardware that is designed to run it. If you have XP-only software, in many cases you are better off running XP in VirtualBox - the software-defined "hardware" will remain such for as long as there is a need, and modern multi-core PCs with large RAM are well suited for running a VM or two.

53 posted on 04/27/2014 6:30:49 PM PDT by Greysard

To: SunkenCiv
> I think I read that Embedded XP support will continue for a while yet.

Can you find a link to that information? I know some folks who would dearly like to have that confirmed....

54 posted on 04/27/2014 6:31:45 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: ThomasThomas

Can you explain a little more...


55 posted on 04/27/2014 6:32:17 PM PDT by GOPJ (Democrats are waging war on the middle class...)

To: Greysard
> If you have XP-only software, in many cases you are better off running XP in VirtualBox - the software-defined "hardware" will remain such for as long as there is a need, and modern multi-core PCs with large RAM are well suited for running a VM or two.

Indeed, that's the ONLY way I run XP these days. Captive, safe environment, trivial recovery (replace the VMDK). I use VMware rather than VirtualBox but the principle is the same.

56 posted on 04/27/2014 6:36:40 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored

I simply checked off “Notify but do not download” on the updates options.

Then when notified of new updates being available, would select XP security stuff and their malware program updates. Ignored IE updates as I never used it, had removed IE long before.

Always preferred picking and choosing which updates to download, as stuff for Office and IE did not apply. Always worked well. Some Net 3.5 thing was the only one that would download but refuse to install.


57 posted on 04/27/2014 6:47:30 PM PDT by doorgunner69

To: GOPJ

You need to have admin rights to install software on your computer. You do not need admin rights to run the software. So most of the time you can run in user mode.
Most viruses and malware need admin rights to install on your computer. So if you run in user mode the virus can not install. My garage computer runs in user mode with no added virus protection and I have not gotten a virus in over five years. I never open e-mails from unknown people with this computer.

How to create user accounts.

http://www.bleepingcomputer.com/tutorials/create-new-user-account-in-windows-vista-7/

I will look for a more complete answer and post a link.


58 posted on 04/27/2014 7:00:59 PM PDT by ThomasThomas (Some learn from others... The rest of them have to pee on the electric fence for themselves.)

To: doorgunner69
> I simply checked off “Notify but do not download” on the updates options.

Sure, I always did that too.

> Then when notified of new updates being available, would select XP security stuff and their malware program updates. Ignored IE updates as I never used it, had removed IE long before. Always preferred picking and choosing which updates to download, as stuff for Office and IE did not apply. Always worked well. Some Net 3.5 thing was the only one that would download but refuse to install.

Fair enough, though it's interesting, usually you don't get Office notifications unless you have Office installed, in which case why would you not want the Office updates? They usually fixed problems.

The .NET updates were always huge and I sometimes had trouble with those not installing too.

59 posted on 04/27/2014 7:01:18 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored

The Office stuff was always for a much newer version of the suite than I had loaded. Stayed on Office 2000 for a very long time until I transitioned to a new Win 7 box and retired the XP box to legacy program work.


60 posted on 04/27/2014 7:08:06 PM PDT by doorgunner69

