IE Vulnerability Exposing Banking Logins, Spreading Rapidly

Unknown Lamer posted about 9 months ago | from the apt-get-wrong-operating-system dept.

Internet Explorer 93

jfruh writes "A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly. Sites compromised by the malware run the gamut from U.S. Veterans of Foreign Wars site, to a site frequented by French military contractors, to a Japanese dating site. Microsoft has released a 'fix-it tool' but not a regular patch."

Well there's your problem. (1)

Anonymous Coward | about 9 months ago | (#46345757)

Why is there a banking login on a Japanese dating site? Perhaps we should start by addressing that.

Re:Well there's your problem. (1)

The Rizz (1319) | about 9 months ago | (#46346009)

...so you're saying that other sites shouldn't be using the "best" security for their login process? They should intentionally use weaker security than banks?

Re:Well there's your problem. (0)

Anonymous Coward | about 9 months ago | (#46346303)

No, that AC was commenting on how poorly worded TFS is.

Re:Well there's your problem. (1)

Anonymous Coward | about 9 months ago | (#46347857)

He doesn't know about the growing Date-Trading business in Japan. I'm heavily invested in Japanese Dating Futures.

Re:Well there's your problem. (1)

Penguinisto (415985) | about 9 months ago | (#46347337)

Why is there a banking login on a Japanese dating site? Perhaps we should start by addressing that.

Hell, why is anyone still using IE to browse anything on the public Internet (let alone anything to do with banking)? May want to address that first.

Re:Well there's your problem. (1)

lgw (121541) | about 9 months ago | (#46349521)

This is not 2004. IE 11 is fine, as a browser, with the main problem being that adblock isn't free. What's surprising is that IE would be targeted when Chrome has the market share now (you can buy vulnerabilities for old versions of any browser, so attackers generally pick what will affect the most people).

Maybe this is Chrome's auto-update-without-asking paying off? IE does that now (finally!), but not across major versions: hopefully this will be an object lesson.

Re:Well there's your problem. (0)

Anonymous Coward | about 9 months ago | (#46349693)

Liar.

Re:Well there's your problem. (1)

hawkinspeter (831501) | about 9 months ago | (#46349805)

Even if it wasn't for attacks like this one, everyone should boycott Microsoft browsers for their awful use of "standards" in IE6. The total amount of pain caused to web developers around the world must never be forgotten.

Re:Well there's your problem. (1)

Billly Gates (198444) | about 9 months ago | (#46351083)

Why?

Webkit, Opera, Netscape, and even early Mozilla all failed the acid test back in 2004. It took almost a decade before rendering was done correctly.

Mozilla before Firefox 1.5 had more rendering quirks than IE 6! Ask any website developer from that time frame?

IE 6 was a good browser back in 2001. It was just software was not that great and sucked goatballs back then and then the browser stagnated for many years.

Re:Well there's your problem. (1)

Penguinisto (415985) | about 9 months ago | (#46350243)

This is not 2004. IE 11 is fine, as a browser, with the main problem being that adblock isn't free.

1) well that sucks for an ad-blocking solution - ABP and DoNotTrackMe are, well completely cost-free for the browsers that I use the most (FF, Chrome, and occasionally Safari).

2) Chrome is a consistent user experience on my MacBook Pro (both in OSX 10.9 and on the Linux VM sitting on it), my Windows 7 desktop at work, my Android phone and tablet... no matter what device I use in my possession. I can also sync bookmarks between the MBP and phone, allowing for more than just a little portability. IE can't give me that without being forced to drink the koolaid with a mono-platform solution, and I doubt that the bookmarks automatically sync. (besides, IE doesn't exist for either OSX 10.9 or Android)

Re:Well there's your problem. (1)

lgw (121541) | about 9 months ago | (#46351035)

Yup, it's less than ideal, but DNT is free and I bought some adblock solution cheap that seems to work OK (it's free for some limited number of ads blocked, so I use it on infrequently-used VMs).

I find Chrome a consistently crappy user experience, so ewww. FF seems just fine to me, can't quite pinpoint why Chrome annoys me so.

Re:Well there's your problem. (1)

Billly Gates (198444) | about 9 months ago | (#46351043)

I think your knowledge of adblock is a little dated? It has been free and available since last summer all the way back down to IE 8.

If you are corp the best way to be secure is just to not install Flash or push a GPO to remove it corporate wide. Besides the marketing department wanting to see commercials, Flash serves no purpose at work other than being an attack vector.

Re:Well there's your problem. (1)

Billly Gates (198444) | about 9 months ago | (#46351061)

Forgot to close the ahref link. ... my bad

Adblock for IE is here https://adblockplus.org/en/int... [adblockplus.org]

AdBlock = Inferior + 'Souled-Out' (0)

Anonymous Coward | about 9 months ago | (#46375369)

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)...

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Re: Well there's your problem. (0)

Anonymous Coward | about 9 months ago | (#46353779)

There are even many banks that require IE those that require a token key.

Re:Well there's your problem. (1)

ShanghaiBill (739463) | about 9 months ago | (#46347429)

Why is there a banking login on a Japanese dating site?

So the chicks can verify that the dude's income is really as high as he claims. Duh.

HAH!! I use IE6! (5, Funny)

Anonymous Coward | about 9 months ago | (#46345775)

I'm immune!!!!

Re:HAH!! I use IE6! (1)

coolsnowmen (695297) | about 9 months ago | (#46346951)

Maybe-- I'm immune to that horrible apple SSL bug because I didn't update to maverick

Re:HAH!! I use IE6! (1)

Penguinisto (415985) | about 9 months ago | (#46347347)

Maybe-- I'm immune to that horrible apple SSL bug because I didn't update to maverick

Pfft, children, children... I'm immune because I use wget and curl to do all of my browsing!

Re:HAH!! I use IE6! (1)

Nivag064 (904744) | about 9 months ago | (#46348597)

REAL PROGRAMMERS write a new Web Browser in machine code for each session...

Re:HAH!! I use IE6! (3, Funny)

Penguinisto (415985) | about 9 months ago | (#46349969)

Err, why wait for the IDE to warm up, the compiler to finish, and etc? Just telnet to port 80 or 443 on the destination server, and send your GET and POST commands manually.

Re:HAH!! I use IE6! (2)

imatter (2749965) | about 9 months ago | (#46351547)

and you try and tell the young people of today that ..... they won't believe you.

Re:HAH!! I use IE6! (0)

Anonymous Coward | about 9 months ago | (#46353113)

Pepperidge farm remembers...

Re:HAH!! I use IE6! (0)

Anonymous Coward | about 9 months ago | (#46355601)

Err, why wait for the IDE to warm up, the compiler to finish, and etc?

Dude, you compile machine code? Even Chuck Norris cain't do that.

Re:HAH!! I use IE6! (1)

Applehu Akbar (2968043) | about 9 months ago | (#46350749)

Meanwhile, I'm immune to that horrible Apple SSL bug because my iMac is hardwired to my router and never ventures outside the office.

Re:HAH!! I use IE6! (0)

Anonymous Coward | about 9 months ago | (#46354259)

just wait til april 9th.

Is IE Really to Blame? (0)

CastrTroy (595695) | about 9 months ago | (#46345783)

Is IE really to blame in this case? From what I'm understanding, the web sites/servers themselves are being compromised. Once the web server is compromised, it doesn't matter what browser you're using, as login credentials, or any other information you're sending to or receiving from the site would be easily intercepted.

Re:Is IE Really to Blame? (1)

Anonymous Coward | about 9 months ago | (#46345981)

From what I'm understanding, the web sites/servers themselves are being compromised.

Not quite. Any compromised website can take over the browser. So a malware ad hosted on Youtube or ./ can infect the browser, and the attacker can then snoop on future activity – e.g. on banking sites.
As the vulnerability seems to allow arbitrary code execution (with user privileges), this means keyloggers and the whole shebang, so using a dedicated banking software isn't necessarily going to save you.

Re:Is IE Really to Blame? (3, Informative)

crunchy_one (1047426) | about 9 months ago | (#46346431)

Any compromised website can take over the browser. So a malware ad hosted on Youtube or ./ can infect the browser, and the attacker can then snoop on future activity – e.g. on banking sites.

And this is exactly why I always run an ad blocker.

Given the current mess that is web advertising, it would be foolish to do otherwise.

Re:Is IE Really to Blame? (1)

fast turtle (1118037) | about 9 months ago | (#46347131)

and this is why I have Noscript in Deny All Mode by default. Forget the damn adblocker as blocking scripts is how you do it. I also use a Hosts file * Thanks APK for the reminder * to block most of the god damn advertisers around the world.

Re:Is IE Really to Blame? (2, Funny)

Zalbik (308903) | about 9 months ago | (#46347327)

and this is why I have Noscript in Deny All Mode by default. Forget the damn adblocker as blocking scripts is how you do it. I also use a Hosts file * Thanks APK for the reminder * to block most of the god damn advertisers around the world.

And this is why I browse using Lynx. Forget the damn script blocker as blocking all active content is how you do it. I don't need a hosts file as I literally don't see ads.

Netflix kinda sucks though. Kevin Spacey just isn't the same when rendered in ASCII.

Re:Is IE Really to Blame? (1)

CastrTroy (595695) | about 9 months ago | (#46348797)

Kevin Spacey In ASCII [asciibabes.com] for all those who were wondering.

Re:Is IE Really to Blame? (0)

Anonymous Coward | about 9 months ago | (#46346017)

Yes. The vulnerability is in IE. The sites are just being used to exploit the vulnerability in IE. The bank related part of the story is just what the malware in the wild uses the vulnerability to accomplish. The banks' web sites are not being exploited in this case, it's IE that is being exploited.

How much did MS pay you for that post? How much did the moderators get paid as well?

Re:Is IE Really to Blame? (0)

Anonymous Coward | about 9 months ago | (#46347345)

How much did MS pay you for that post? How much did the moderators get paid as well?

Do you twats have any idea how absolutely absurd you sound when you trot out that nonsense? Aside from the paranoia aspect, there's the simple fact that MS doesn't give a flying fuck what a bunch of angry, dirty neckbeards on Slashdot think.

Re:Is IE Really to Blame? (1)

i kan reed (749298) | about 9 months ago | (#46346019)

That's not what I read at all. It seems to be an entirely client side problem.

Re:Is IE Really to Blame? (4, Informative)

quickOnTheUptake (1450889) | about 9 months ago | (#46346031)

The compromised site is being used to host/inject the exploit. The vulnerability that is being exploited is in IE 9 & 10, and allows code execution. It is being used to get the credentials for other--non-compromised--websites.

Re:Is IE Really to Blame? (4, Informative)

140Mandak262Jamuna (970587) | about 9 months ago | (#46347011)

Microsoft [microsoft.com] says "The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated".

Clearly the wild pointer read error is in IE not in the server. They need to hack the server to post the exploit code in their server. But they could also create the same vulnerability in a site owned by them. No need to hack. But it is more difficult to lure visitors to the newly created malware site. That is why they need to hack a well visited site to upload the hack. But all visitors to that site using Chrome and Firefox and other versions of IE are not affected. Fault lies solely on these versions of IE.

Re:Is IE Really to Blame? (1)

sjames (1099) | about 9 months ago | (#46349409)

Yes it is. IE has a bug that allows a site to get it to execute arbitrary code. That is always wrong.

Re:Is IE Really to Blame? (1)

parkinglot777 (2563877) | about 9 months ago | (#46350089)

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

The vulnerability exists in IE version 9 & 10 themselves at http://technet.microsoft.com/e... [microsoft.com] (from TFA). The problem in this case is not about users hit the site which is already compromised, but it is that the browser being used allows exploitation to happen. Furthermore, MS has not come out with an official patch but rather suggested a work around.

If other browser has exactly the same vulnerability that can be exploited the same way, then your statement is somewhat valid. However, I doubt that other browsers would have it even though they may have similar vulnerability but cannot be exploited the same way.
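The advisory text quoted in this sub-thread describes an access to "an object in memory that has been deleted". As an added illustration (not code from the thread, from Microsoft, or from IE; `element_t`, `handle_t` and the pool functions are hypothetical names), the C sketch below shows why a reference kept past an object's destruction is dangerous once the slot is reused, and how a generation-checked handle rejects the stale reference. The pool is static storage, so the stale raw pointer is only logically stale and the program stays within defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4

/* Hypothetical stand-in for a browser-side object such as a DOM element. */
typedef struct {
    char     tag[16];
    int      in_use;
    uint32_t generation;   /* bumped every time the slot is destroyed */
} element_t;

/* A handle names a slot AND the generation it was issued for. */
typedef struct {
    uint32_t index;
    uint32_t generation;   /* 0 is never a valid generation */
} handle_t;

static element_t pool[POOL_SLOTS];

void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Allocate the first free slot; returns an invalid handle if the pool is full. */
handle_t element_create(const char *tag)
{
    handle_t h = { POOL_SLOTS, 0 };
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].in_use)
            continue;
        if (pool[i].generation == 0)
            pool[i].generation = 1;
        pool[i].in_use = 1;
        snprintf(pool[i].tag, sizeof pool[i].tag, "%s", tag);
        h.index = i;
        h.generation = pool[i].generation;
        break;
    }
    return h;
}

/* Resolve a handle; NULL if it is out of range, freed, or from an older generation. */
element_t *element_get(handle_t h)
{
    if (h.index >= POOL_SLOTS || h.generation == 0)
        return NULL;
    element_t *e = &pool[h.index];
    if (!e->in_use || e->generation != h.generation)
        return NULL;
    return e;
}

/* Destroy through a handle; a stale handle (double destroy) is refused with -1. */
int element_destroy(handle_t h)
{
    element_t *e = element_get(h);
    if (e == NULL)
        return -1;
    memset(e->tag, 0, sizeof e->tag);
    e->in_use = 0;
    if (++e->generation == 0)      /* skip 0 on wrap-around */
        e->generation = 1;
    return 0;
}

int main(void)
{
    pool_reset();
    handle_t div = element_create("div");
    element_t *raw = element_get(div);          /* raw pointer kept past destroy */
    element_destroy(div);
    handle_t script = element_create("script"); /* reuses the same slot */

    /* The raw pointer silently refers to a different object now. */
    printf("raw pointer now sees: %s\n", raw->tag);
    /* The handle carries the old generation, so the lookup is rejected. */
    printf("stale handle lookup:  %s\n",
           element_get(div) ? "object" : "NULL (rejected)");
    printf("fresh handle lookup:  %s\n", element_get(script)->tag);
    return 0;
}
```

With a heap allocator in place of the static pool, the raw-pointer read would be a genuine use-after-free; the handle check is one common way to turn that silent aliasing into a detectable failure.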

here comes the sun (0)

Anonymous Coward | about 9 months ago | (#46345827)

rock on /. http://youtu.be/6SFNW5F8K9Y [youtu.be]

If you're dumb enough to use IE when banking... (1, Insightful)

gestalt_n_pepper (991155) | about 9 months ago | (#46345873)

I'm not sure what anyone can do for you.

Re:If you're dumb enough to use IE when banking... (0)

Anonymous Coward | about 9 months ago | (#46346433)

IE11 sounds like it's just fine. If you're dumb enough to use outdated browsers...

Re:If you're dumb enough to use IE when banking... (3, Funny)

BUL2294 (1081735) | about 9 months ago | (#46348437)

Well, you might not have a choice depending on your OS version...

XP, 2003 - max is IE8 (not affected)
Vista, 2008 - max is IE9 (affected, presumably most used version)
7, 2008R2 - currently at IE11, but many users still using IE10 (affected) since IE11 came out in November for this OS
8, 2012 - only supports IE10 (affected)
8.1, 2012R2 - only supports IE11

Re:If you're dumb enough to use IE when banking... (1)

sjames (1099) | about 9 months ago | (#46349437)

A signed document! You can't go wrong if you have a signed document!

AUUUUUUUUUUUUUUUUUGGH......WHUMP!

Re:If you're dumb enough to use IE when banking... (1)

damnbunni (1215350) | about 9 months ago | (#46351431)

Does it absolve you from all blame?

It must be nice to have a document like that.

Re:If you're dumb enough to use IE when banking... (1)

sjames (1099) | about 9 months ago | (#46352391)

Whoosh!

Re:If you're dumb enough to use IE when banking... (-1)

Anonymous Coward | about 9 months ago | (#46346521)

What are they going to do? Use an open source browser and hand the attackers the shitty C/C++ code it's built upon? I'm a security researcher and can spot security holes in every single open source project, in any file of code within seconds, it's easy if you know what to look for. At worst I need to run the code through an analyzer, but then it's final. It never fails and thus, my opinion is that open source is shit, written by teens who know nothing. They would be better off obscuring their code, that would take me much longer time. Sometimes I find nothing and give up.

Re:If you're dumb enough to use IE when banking... (1)

I'm New Around Here (1154723) | about 9 months ago | (#46347141)

You better stop typing and run along. You're going to be late for third period math (remedial).

Re:If you're dumb enough to use IE when banking... (1)

Zalbik (308903) | about 9 months ago | (#46347355)

Geez Ballmer, you really haven't found anything to do since retirement, have you?

Why don't you just calm down?

Maybe throw a chair or something....that always seems to help...

Hmmm... (1, Troll)

Bugler412 (2610815) | about 9 months ago | (#46345991)

Given the anti-MS slant here, I think it's ironic that Slashdot is sometimes a more timely news source on exploits in MS software than of nearly any of the open source products Slashdot users are so fond of, hmmm....

Re:Hmmm... (1)

Zero__Kelvin (151819) | about 9 months ago | (#46346135)

"Given that we are all educated enough to have an anti-MS slant here"

FTFY

Re:Hmmm... (0)

Anonymous Coward | about 9 months ago | (#46346503)

"Given that we are all blinded by irrational hatred in to having an anti-MS slant here"

FTFY

Re:Hmmm... (1)

Anonymous Coward | about 9 months ago | (#46346553)

It's pretty obvious you like M$. You can't log in, and don't know how to properly blockquote.

Re:Hmmm... (0)

Anonymous Coward | about 9 months ago | (#46350367)

Winner

Re:Hmmm... (5, Interesting)

The Rizz (1319) | about 9 months ago | (#46346165)

Well, for one thing, the anti-MS slant has been tapering off here for years; they're no longer seen as "Big Evil", but more of a "McComputer" sort of thing.

For another thing, most /. readers may like the OSS movement, but they primarily work in Windows, have friends who use Windows, have family who use Windows, and are often the ones who provide tech support to those friends/family/co-workers. Knowledge of these vulnerabilities does more good for more people than knowledge of the latest bugs in Epiphany.

Yeah, I can see that (3, Funny)

morgauxo (974071) | about 9 months ago | (#46347837)

I hated Microsoft pretty hard. Now... McComputer sounds about right. Good Call!

I mostly use Windows at work (because that's what my work uses) and just about entirely Linux at home (that's what I choose). This hasn't changed.

I don't think I have changed. Microsoft has changed and so has the market. I just don't see Windows computers crashing like they used to. Quality has improved. Perhaps this was in part due to the threat of competition from oss? Note that I said threat of, not actual competition. We all know Linux didn't take off on the desktop but there certainly was enough hype about the possibility!

Also, you can actually do something in Windows without having a corporate sized budget. Want to be an amateur programmer? It used to be all Windows had was a BASIC interpreter. To get an actual compiler (any language) was 100s of dollars. Apparently you had to pay for the privilege of creating software for Windows. Even though more software existing for Windows just makes Windows more desirable... explain that one. Now Microsoft releases free versions of their development environments which are cut down enough to give companies a reason to buy the real thing but not so much as to prevent one from compiling a useful application.

Besides what Microsoft offers, now there is all sorts of free oss available for Windows. You can develop for Windows in gcc! Can't afford Photoshop? Gimp runs on Windows now. How about web serving. Microsoft used to charge big bucks for different levels of licensing on their web server. They limited how many people could connect at a time. I thought that was a very asinine money grab. It's not like Microsoft programmers put in more hours every time your server serves 100 copies of your web page vs 5! Do they still do that? I don't know. Who cares?!? I can always run Apache on Windows or any one of a million other free programs.

In the early days Microsoft plus IBM were the PC. The PC was awesome for hackers, makers and all kinds of geeks. Before that everything was pretty much proprietary. Now you could mix and match hardware pieces as you please. Also, I could run the same program on my Tandy as my friend ran on his Dell even though it was written on a computer made by IBM!

Later Microsoft became evil in part because the kind of compatibility the PC gave us was expected. We didn't need Microsoft to help us get that anymore. But.. Microsoft was pushing things the other way, embracing standards just to change them a bit once they had a market share so that people would be locked in to using their product.

Now.. Microsoft is losing that monopoly power. They can't do as much damage as before. But.. mobile devices are the big thing, not Desktops. And with our phones and tablets we are back to the bad old pre-pc days where everything is proprietary. I'm not saying that Microsoft is doing anything to try to change this but at least they aren't the driving force behind it. That title is shared by Apple and the cellphone carriers.

So.. Microsoft is a de-fanged wannabe villain who occasionally does nice things. Apple and the Telecoms, they are where the real evil lives today.

Hanlon's Razor (0)

Anonymous Coward | about 9 months ago | (#46347865)

As was said by The Rizz, the MS slant has tapered off. As the saying goes, "Never attribute to malice that which is adequately explained by stupidity." In recent years, I think this applies to MS. Don't get comfortable and underestimate Microsoft.

Re:Hmmm... (1)

rtb61 (674572) | about 9 months ago | (#46352959)

I would expect that an in the wild browser exploit that targets login credentials, including financial institution credentials would be pretty damn high on the public notification list of all news sources not just slashdot. In fact I am damn surprised that this information is not being presented on mass media sources. Isn't it disgusting how advertising dollars can put people at risk because PR=B$ experts (drips under pressure) well don't give a fuck about anything but their own profits regardless of the harm caused by their company's actions.

Band Aid Security Industry Top to Bottom (4, Insightful)

BoRegardless (721219) | about 9 months ago | (#46345997)

CEOs have ignored security researchers since the start of the modern internet, because CEOs only want "Results now!"

Re:Band Aid Security Industry Top to Bottom (0)

Anonymous Coward | about 9 months ago | (#46346315)

Does this apply to Satya Nadella?

Re:Band Aid Security Industry Top to Bottom (0)

Anonymous Coward | about 9 months ago | (#46346895)

CEOs and large companies consider security a "cost sink". It brings no money into the company, so should be managed and if at all possible avoided.....

Staying behind the curve wins again! (0)

smooth wombat (796938) | about 9 months ago | (#46346117)

Still running IE8 so no problems.

Keep pushing the envelope to be cool and edgy and this is what you get.

Same thing with thinking everything needs to be touch screen and/or digital. Witness the fiasco of trying to use touch screens for radio controls. Knobs and buttons for the win!

Re:Staying behind the curve wins again! (1)

The Rizz (1319) | about 9 months ago | (#46346245)

Still running IE8 so no problems.

Keep pushing the envelope to be cool and edgy and this is what you get.

Actually, Windows 8.1 comes with IE11, so anyone who is completely up to date is immune to this one as well. So, being behind the curve is bad, being either at the forefront or way behind the curve is good.

Re:Staying behind the curve wins again! (1)

lgw (121541) | about 9 months ago | (#46349749)

Well, that's hardly surprising: the lesson for a decade now has been "don't run what most people run". If Win8 had been successful, this would have been an IE11 exploit. In a few years, it will all be Chrome exploits.

Edgy? (1)

sjbe (173966) | about 9 months ago | (#46346973)

Keep pushing the envelope to be cool and edgy and this is what you get.

Right. People running Windows are really concerned with being "cool and edgy".

Re:Staying behind the curve wins again! (1)

Billly Gates (198444) | about 9 months ago | (#46347515)

Funny IE 11 is fine and is the most recent. I would argue an older browser is less secure and IE 8 has more vulnerabilities than IE 9 and IE 10.

Yep forget better sandboxing, HTML 5 support, h.264, and lowrights mode if you are on XP still as well. Stay with the old!

Many sites and not just geek ones like my t-mobile site to pay my bill are not IE 8 compatible. If you read about the vulnerability it uses flash too. So get rid of flash and then half the web won't work when you want to listen to pandora or youtube music videos.

IE 8 has a lot more exploits than IE 11 as it doesn't have as many modern sandboxing techniques due to compatibility for XP.

I thought you lot were all Snowden supporters? (-1)

Anonymous Coward | about 9 months ago | (#46346159)

And all against government cover ups and all that shit? No?

What about this one? Why is this being covered up on reddit? Huh?

https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/

Re:I thought you lot were all Snowden supporters? (0)

Anonymous Coward | about 9 months ago | (#46346617)

herp derp look at me i to dumb to slashdot.

http://yro.slashdot.org/story/... [slashdot.org]

it even links to your damn site.

And IE is the standard in the banking industry (2)

RevWaldo (1186281) | about 9 months ago | (#46346231)

It's the one most banking and investment houses use and develop their sites to work with. So there's that.

.

Re:And IE is the standard in the banking industry (1)

sjames (1099) | about 9 months ago | (#46349529)

Brought to us by the geniuses that think a number you must tell everybody and his dog has any use as an authentication token.

Patch has been released for awhile (0)

Anonymous Coward | about 9 months ago | (#46346393)

It's called IE11. People not using it are to blame, or their company is to blame. It's truly that simple.

IE? (1)

Anonymous Coward | about 9 months ago | (#46346447)

Who in their right mind uses IE for anything secure would be my question?

Security not a big enough priority (0)

Anonymous Coward | about 9 months ago | (#46346579)

I think it's clear after the Apple SSL "goto" security problems that security is not nearly important enough. Not going to defend Microsoft, Google or Apple. All of them have severe lapses in security in at least one of their products at one time or another. I don't think it's ever possible to stop these security problems from happening. But if that is true, then it's even more important to close them up ASAP. Apple probably took so long to fix its SSL issues because its fix required so much work to reverse engineer the OS. I think we forget how complex operating systems are and that fixing a security hole without breaking functions is a big task sometimes. It's just like active X in the old days of Windows. It was great to have a way to help users install what they needed. But then the honeymoon was over when hackers began to take advantage of that. Same goes for today, users like the features and conveniences of what an OS can do. But again we have the negatives of all that with potential weaknesses in security.

Laugh (1)

koan (80826) | about 9 months ago | (#46346723)

People still use IE?

Re:Laugh (0)

Anonymous Coward | about 9 months ago | (#46346955)

I know this is going to rock your world view but yes. Though all the cool kids use chrome....

http://www.w3schools.com/browsers/browsers_stats.asp

Some people do not care about the browser. It is just something they use to get 'on the web'.

Re:Laugh (4, Interesting)

hcs_$reboot (1536101) | about 9 months ago | (#46346977)

People still use IE?

Yes. Many non-IT companies require their users to use only IE, due to *security concerns* (the security concerns being that everybody should use the default browser provided with the OS, and not a random one of choice). This is usually the case where the CIO/IT management has been holding that same position for a relatively long time, signing that same yearly contract with Microsoft for OS+Office. In short, keeping the same IT environment is the recipe to ensuring there is no change on IT management side either.

Re: Laugh (3, Insightful)

tom229 (1640685) | about 9 months ago | (#46348101)

Our default browser is IE, and it's not because I have any love for Microsoft, or spending extortionate amounts of my IT budget on Microsoft licensing. I personally use firefox on a day to day basis, but the official "supported" browser in the company is still IE simply because it's easily configurable within the domain's group policy, and most widely supported when it comes to corporate browser applications.

I know what you're getting at, and I'd have to disagree. Most companies are forced to be a Microsoft shop simply for compatibility reasons. The software my users depend on daily to do their jobs is Windows only... and there's nothing I can do about this.

Accounting needs Word and Excel. In fact, they "need" 2010 or they all need to be on the same versions. If I have even one of them on a different version they will complain about compatibility issues.

Geology needs a plethora of Windows only client/server software first written in the early 2000's and sparingly updated. This is specialized stuff.. you can't just get it off the shelf anywhere. This requires Windows desktops and Windows servers.

I could go department by department but I think you get the point. Once you require Windows on the desktop for end user software, it makes the most sense to have a Microsoft domain and Exchange Server because they all play nicely together. Exchange is especially nice since every member of my staff took some business course in community college and is comfortable with Outlook. We did a test run of gapps using the outlook plugin but it wasn't nearly as intuitive or function rich as an Exchange environment; especially when it comes to calendars, room booking, scheduling, and tasks.

So at the end of the day, when everything else is Microsoft, it makes the most sense to use IE, because it plays nicely with all of the above. I probably could struggle with getting everything to work on Firefox, and deploying policies through the registry or batch scripts, but in my experience it's just not worth the hassle. You're not busy enough, or responsible for enough if you haven't yet learned to leave your ideals at the door, and just use what works.

Re: Laugh (2)

Kz (4332) | about 9 months ago | (#46351425)

That started reasonable enough, citing real issues that make it the only option to use Windows, Word and Excel. That much, I concede, it's not worth it to fight.

But I draw the line, and Exchange and Outlook are way past it. No way I would support either on my networks. Simply put, these are the real implementations of the first Halloween document. In other words, it's baitware that works "nicely enough", and with several well-researched features to make them attractive, but as soon as you want anything non-microsoft in your setup, they create all kinds of obstacles and hoops you have to jump. It's not that other systems don't "work nicely with all the above" it's that these specific programs were designed from the start to create those problems.

I agree that MS isn't the 'evil' it once was, but in the email space, it hasn't changed a bit. And it's up to us not to tolerate it.

Re: Laugh (1)

tom229 (1640685) | about 9 months ago | (#46359299)

Fair enough. I'm curious then. What do you use for email?

Re: Laugh (1)

Kz (4332) | about 9 months ago | (#46373071)

Fair enough. I'm curious then. What do you use for email?

SMTP / IMAP. That's all.

As for software, it's usually CommuniGate or Zimbra on the servers. For clients, I support Thunderbird, Apple's Mail.app, kontact, Eudora, and the included clients on iOS and Android and even Blackberry. All of them work perfectly together when using standard protocols.

There are a couple of big bosses that insist on using Outlook, even though they can't say a single reason to prefer it, it's usually just "I'm too old to learn something new". One of them creates by himself easily more trouble than the three companies where I'm involved in support. What seems to be helping a little is that we created an isolation server running Fetchmail to keep a copy of all his mail and accessed exclusively from his one Outlook machine. All his other devices (two iPhones, an iPad, one Blackberry and a MacBook) work without a hitch directly on the CommuniGate server.

Re: Laugh (1)

tom229 (1640685) | about 9 months ago | (#46387967)

Hmm.. well I'm glad you've been able to exist without Exchange. Personally I've tried Zimbra, Groupwise, Google Apps, etc and I've never found a platform that can support users as seamlessly and easily as Exchange can. IMAP is completely fine, but users expect so much more from their mail these days. Contacts, Global address book, Calendar, Room Calendars, Shared Calendars, Tasks, etc. Using Outlook they can easily share calendars. I can easily give management full access permission to a mailbox and it will automatically add to Outlook. This business is rather large so boardroom space can be scheduled and booked. They can see each other's availability, etc.

I've never used Communigate, and maybe Zimbra has gotten better. Thanks for the information. Perhaps I'll give them a try.

Re:Laugh (0)

Anonymous Coward | about 9 months ago | (#46349099)

Not "security concerns", many use IE-only features for intranets and the like. And nobody wants some random user installing what may be dodgy software on their computers (your computer at work is not yours, it's your employer's). If you're installing software on someone else's computer without their permission, you're an asshole.

Do your banking from your own computer at home!

Yes, IE is to be blamed. (2, Insightful)

140Mandak262Jamuna (970587) | about 9 months ago | (#46346969)

The hackers have to lure you into visiting the compromised website. How difficult is that? Once you visit that site using IE, it corrupts the memory. Then it takes advantage of a wild pointer read error in IE to get remote execution ability.

Of course Secunia will count this as "one bug", after Microsoft agrees it is a bug. On the other hand, it will look at bugzilla of Firefox, and every bug report by everyone will be counted towards the total bug count on Firefox. Microsoft will continue to insist its browser has fewer bugs than Firefox. Gartner will issue a TCO report based on these numbers. And everyone will be scratching their head, why IE market share continues to fall when all these numbers say IE is the safest browser in the world.

Secunia also says Firefox less secure than IE 6 (3, Interesting)

Billly Gates (198444) | about 9 months ago | (#46347415)

So how do you really trust them?

However, Chrome is getting many patches recently between versions due to flaws in blink and flash. So the idea to blame IE as still sucking is disingenuous.

The point is always upgrade your browser and OS in addition to running adblock/flashblock, or if you are a corp banning flash and java altogether. The port of adblock for IE is here [adblockplus.org].

Many IT professionals who whine about leaving XP and IE 8 behind should be FIRED. IE 11 sandbox is fine for this. If you run Windows 7 or later both IE 9+ and Chrome have lowrights mode which restricts everything including writing to the disk with the narrow exception of %appdata.

These days most of the infections I see come from Firefox and plugins. Firefox has no lowrights mode and if anyone reading this is using XP you neglect sandboxing on all browsers and expose yourself.

AdBlock = Inferior + 'Souled-Out' (0)

Anonymous Coward | about 9 months ago | (#46358989)

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Funny mitigation quotes from MSA (0)

Anonymous Coward | about 9 months ago | (#46347273)

"By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability."

Translation: IE is crippled by default on windows server. Any attempt to use our browser means you are screwed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

http://xkcd.com/1200/ [xkcd.com]

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites.

Most popular sites directly and indirectly link to at least a dozen different ad networks, stats, "market intelligence", CDNs, social media all interacting with your browser able to inject or command your browser to visit whatever site they please without asking.

If we were serious about security... (4, Interesting)

ggraham412 (1492023) | about 9 months ago | (#46347905)

... we would stop loading up web browsers with "features" that only help content providers shove ever more ads and video down our gullets.

Re:If we were serious about security... (1)

WD (96061) | about 9 months ago | (#46356037)

The vulnerability is a use-after-free bug triggered by DHTML. If DHTML is a feature that you don't care for, feel free to switch to Lynx or Mosaic.

frostg pIst (-1)

Anonymous Coward | about 9 months ago | (#46349489)

paper towels, I won't bore you shitheads. *BSD BSD style.' In the one Here but now with the laundry Project faces a set visions going DON'T WANT TO FEL as one of the

With the result that... (0)

Anonymous Coward | about 9 months ago | (#46353111)

...French military contractors are now dating U.S. Veterans of Foreign Wars in huge numbers.

Mon dieu!
