Archive for the ‘Internet Explorer’ Category
The year is 2009. YouTube, four years old, has become the Web's leading video site. Though Internet Explorer 6 was far from current—it had been superseded by versions 7 and 8—it nonetheless made up some 18 percent of YouTube's traffic. These were, after all, the dark days of Windows XP; corporations had overwhelmingly stuck with Windows XP in spite of the release of Windows Vista, and Windows 7 was still some months from release. Many organizations still running XP appeared to be wishing for a kind of computational stasis: they wanted to be able to run Windows XP and Internet Explorer 6 forever, unchanging, which would greatly simplify their maintenance and support costs.
But Internet Explorer 6 was nearly eight years old and seriously showing its age. On its release, the browser had a legitimate claim to be the best, fastest, most standards compliant, and most stable mainstream browser around. But those days were long gone. Compared to the alternatives—Firefox 3.5, Internet Explorer 8, and Google's Chrome—it was slow, unstable, and riddled with proprietary, non-standard behaviors. This was causing the team developing YouTube considerable pain, with weeks of extra work each development cycle to ensure that the site still worked correctly in the old browser.
According to former YouTube developer Chris Zacharias, this pain prompted the YouTube team to take renegade action to drive users away from Internet Explorer 6 and onto something newer and better. Though YouTube had been under Google's ownership for about three years, YouTube's engineers were suspicious and wary of being integrated into Google's corporate machine. They had their own special set of permissions named "OldTuber," and anyone with OldTuber permissions could freely modify the YouTube site without going through Google's usual change management process of code reviews, testing, adherence to coding standards, and so on. It was cowboy territory, where developers could do as they liked. Only the risk of breaking things—and hence losing OldTuber permissions, if not their job—kept them on the straight and narrow.
A researcher has uncovered strange and unexpected behavior in Windows 10 that allows remote attackers to steal data stored on hard drives when a user opens a malicious file downloaded with the Edge browser.
The threat partially surfaced last week when a different researcher, John Page, reported what he called a flaw in Internet Explorer. Page claimed that when using the file manager to open a maliciously crafted MHT file downloaded with Internet Explorer, the browser uploaded one or more files to a remote server. According to Page, the vulnerability affected the most recent version of IE, version 11, running on Windows 7, Windows 10, and Windows Server 2012 R2 with all security updates installed. (It’s no longer clear whether any OS other than Windows 10 is affected, at least for some users. More about that in a moment.)
Below this paragraph in Page's post was a video demonstration of the proof-of-concept exploit Page created. It shows a booby-trapped MHT file triggering an upload of the host computer's system.ini file to a remote server. Interestingly, while Page's post says his exploit is triggered when the malicious file is downloaded by IE, and makes no mention of Edge at all, the video shows the file being downloaded with the newer Microsoft browser.
Microsoft’s Patch Tuesday this month had higher-than-usual stakes with fixes for a zero-day Internet Explorer vulnerability under active exploit and an Exchange Server flaw that was disclosed last month with proof-of-concept code.
The IE vulnerability, Microsoft said, allows attackers to test whether one or more files are stored on disks of vulnerable PCs. Attackers first must lure targets to a malicious site. Microsoft, without elaborating, said it has detected active exploits against the vulnerability, which is indexed as CVE-2019-0676 and affects IE version 10 or 11 running on all supported versions of Windows. The flaw was discovered by members of Google’s Project Zero vulnerability research team.
Microsoft also patched Exchange against a vulnerability that allowed remote attackers with little more than an unprivileged mailbox account to gain administrative control over the server. Dubbed PrivExchange, CVE-2019-0686 was publicly disclosed last month, along with proof-of-concept code that exploited it. In Tuesday’s advisory, Microsoft officials said they haven’t seen active exploits yet, but that they were “likely.”
In an unusual turn of events, Microsoft this week warned Windows users off from using its Internet Explorer and dissed its new Office 2019 suite in a series of videos that show it to be worse than the competition.
While Windows 10 uses the newer, faster, much more standards compliant Edge browser as its default, it still ships with Internet Explorer 11. Enterprise customers with legacy systems from time to time want to make Internet Explorer 11 the default, but Microsoft doesn't think this is a good idea. Internet Explorer 11 isn't being updated to support new Web technology (and indeed, hasn't been updated for many years), existing only as a compatibility tool to access legacy "designed for Internet Explorer" content that simply won't work properly in any other browser.
As such, while it might be tempting to set Internet Explorer as the default to ensure that any intranet and line-of-business applications continue to work, that comes at a price. It will be slower, less secure, and increasingly incompatible with the broader Web as developers drop the old browser from their testing. So please, use it only when it's absolutely necessary.
Microsoft has issued an emergency update that fixes a critical Internet Explorer vulnerability that attackers are actively exploiting on the Internet.
The memory-corruption flaw allows attackers to remotely execute malicious code when computers use IE to visit a booby-trapped website, Microsoft said Wednesday. Indexed as CVE-2018-8653, the flaw affects all supported versions of Windows. The vulnerability involves the way Microsoft's scripting engine handles objects in memory in Internet Explorer.
In a separate advisory, Microsoft said the vulnerability is being used in targeted attacks, but the company didn't elaborate. Microsoft credited Clement Lecigne of Google's Threat Analysis Group with discovering the vulnerability. No other details were available about the vulnerability or exploits at the time this post was being reported.
Apple, Microsoft, Google and Mozilla finally set roadmaps for deprecating venerable but outdated SHA-1 certificates
With the release of 12 Security Bulletins, Microsoft addresses a total of 56 vulnerabilities in its different products. The bulletins include five critical updates, two of which address vulnerabilities in all versions of Windows.
The September Patch Tuesday update (released on the second Tuesday of each month) brings the total number of Security Bulletins released this year to 105, which is more