Zero-Day IE Exploit In the Wild
Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
I *only* use IE to run Javascript and ActiveX (Score:5, Interesting)
If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.
Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.
Two browsers... (Score:1, Interesting)
Of course, there are also tons of other browsers out there... but I recommend to everyone to have two so that they can move to the other when an exploit is found in one of them.
Re:easier solution (Score:2, Interesting)
I suppose now is as good a time as any to ask a question.
I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.
Are there any ways to reduce the time to load Firefox? I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory. Is this possible? I like a lot about Firefox, but its startup time and the GUI's "feel" have kept me using IE.
Thanks for any suggestions.
Zonk? Are you kidding me? (Score:3, Interesting)
Re:No surprise (Score:3, Interesting)
This is not necessarily a smart idea.
If you simply start afresh, chances are that you're going to end up with all the same exploits all over again.
They either need to do a full security audit of the code (unlikely for Microsoft), or they need to start afresh *and* write it in a language/toolkit that is impossible/much harder to attack via buffer-overflow.
I guess my point is that simply starting over (without changes made to the development method) will not help. I'll be interested to see how many issues Vista has actually, seeing as they finally got the TCP/IP stack working reasonably well in XP SP2 and have decided to re-write it for Vista from scratch :D
Oh, okay... (Score:5, Interesting)
One acronym: AJAX.
Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.
Thanks to Web2.0 (and various other forms of propaganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).
I'm not about to start a "Browser War" with this entry, but I have to say, IE is a very volatile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.
Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.
Safe browsing (Score:3, Interesting)
Re:No surprise (Score:3, Interesting)
I don't think that's true any more. This time it would be reasonable for Microsoft to rewrite their browser in C#.Net, which theoretically provides the kind of sandboxing protection that prevents buffer overflows.
But would that address evil Java/J/Ecma Scripts? Image file exploits? Any of the vulnerabilities that are actually rooted in the Win32 APIs and the NT kernel?
Re:Well yeah (Score:2, Interesting)
I use Talklets [textictalk.com] to help with my reading difficulties, when out and about. Switching off Javascript on public machines will really cause me issues! So don't. Switch to Firefox. Thanx