(The Register) Zero day vulnerability on IE8 is still not fixed seven months after it was found. Users told not to be a Nancy Prancy (theregister.co.uk)
    More: Stupid, Internet Explorer, Internet Explorers, user interaction, arbitrary code  

1202 clicks; posted to Geek on 22 May 2014 at 12:13 PM (13 weeks ago)



 
2014-05-22 11:10:00 AM
Anybody that isn't forced by an enterprise setting using IE8?
 
2014-05-22 12:03:16 PM

InterruptingQuirk: Anybody that isn't forced by an enterprise setting using IE8?


We have a medical app that essentially runs in IE (with Silverlight).  It can also run standalone while using a Silverlight Launcher, but has never worked for us.  The Powers that Be that want us to use this app say use IE and deal with it.

F that S.  Thankfully, though, everyone here has IE9 or better (no XP boxes, which aren't supported anymore, anyway); but I'd LIKE them to fix it so that the app will run in the standalone client.

Outside of that, I encourage my users to use Firefox with NoScript, or at least Chrome.
 
2014-05-22 12:17:10 PM
So technically, wouldn't this be a 210-day vulnerability?
 
2014-05-22 12:18:51 PM

InterruptingQuirk: Anybody that isn't forced by an enterprise setting using IE8?


It's the last supported version available on XP.  I looked at my server logs this morning, and I've got a fair number of users still using IE8.
 
2014-05-22 12:20:03 PM
who uses IE?
 
2014-05-22 12:30:30 PM

DarnoKonrad: who uses IE?


Businesses who buy software that only works on IE because Mertyl the secretary only uses IE so let's not switch to FF or Chrome for anything. That way they won't bother IT with "IT DOESNT LOOK THE SAME!!!" questions.


Doesn't stop them from complaining
 
2014-05-22 12:41:43 PM
img.fark.net
 
2014-05-22 12:50:38 PM

Arkanaut: So technically, wouldn't this be a 210-day vulnerability?


No, the zero indicates the number of days since a patch or update was released to resolve the vulnerability.
 
2014-05-22 12:50:54 PM
I use IE8 for work apps and Google Chrome for everything else.
 
2014-05-22 01:09:12 PM

fang06554: [img.fark.net image 801x603]


I think I just had a seizure from that.
 
2014-05-22 01:17:38 PM
A zero day vulnerability is one that has been exploited before becoming known. This one has not been exploited yet and they have known about it for months so it is not a zero day vulnerability.
 
2014-05-22 01:20:19 PM

fang06554: [img.fark.net image 801x603]


Man, I'd love to get that free lobster dinner bar.
 
2014-05-22 01:33:04 PM
So IE8 is the last version of IE to be supported on Windows XP...which itself is no longer supported by Microsoft.

Drummed up outrage over lack of support of 12 year old software products is super cool!
 
2014-05-22 01:43:02 PM

timujin: Arkanaut: So technically, wouldn't this be a 210-day vulnerability?

No, the zero indicates the number of days since a patch or update was released to resolve the vulnerability.


Actually you're both wrong because it indicates days since the product was released. Since MSIE 8 was released on March 19th, 2009 that makes this about a 1,890 day. The term was a badge of honor indicating that the adversary was skilled enough to reverse engineer the product in under 24 hours AND release an exploit for it. In the original context the exploit was almost always a means of removing or bypassing the anti-piracy features in a product. From there the term spread to other aspects of piracy, for example releasing a copy of a movie the day it comes out in theaters. (Keep in mind, this was back when re-encoding a movie and uploading it would take a significant amount of time.)


The term (including the original meaning of days since product release) also spread into the computer security industry where it again referred to exploits on the product release date. Of course, from there journalists picked up the term and started misusing it. Can't let minor things like facts or definitions get in the way of a good scare mongering headline!
 
2014-05-22 01:47:49 PM

bmckenna: So IE8 is the last version of IE to be supported on Windows XP...which itself is no longer supported by Microsoft.

Drummed up outrage over lack of support of 12 year old software products is super cool!


IE8 was released in 2009 so it isn't 12 years old, and it shipped with Windows 7 so it will be supported until January 14, 2020. Of course people should update their browser but if Microsoft says it is still supporting something then they should do so.
 
2014-05-22 01:53:27 PM

DarnoKonrad: who uses IE?


That's for us to know and you to find out.
 
2014-05-22 02:16:58 PM

Hand Banana: IE8 was released in 2009 so it isn't 12 years old, and it shipped with Windows 7 so it will be supported until January 14, 2020. Of course people should update their browser but if Microsoft says it is still supporting something then they should do so.


Microsoft didn't say they won't fix it, they just haven't fixed it yet. They said they haven't seen it being exploited yet and offered workarounds. Whether or not they're actually going to fix it at some point in the future remains to be seen.

You shouldn't take what The Register says at face value. They lie a lot just to rile people up.
 
2014-05-22 02:29:12 PM

Arkanaut: So technically, wouldn't this be a 210-day vulnerability?


It would be a -210 day vulnerability. The "zero day" is an indication of how long the programmer has to fix the problem between its discovery and its announcement.
 
2014-05-22 02:31:01 PM

DarnoKonrad: who uses IE?


I am forced to when using a couple of Bell Canada portals.  IETab does not even work for those.

Makes me feel so dirty.
 
2014-05-22 02:35:28 PM

Hand Banana: bmckenna: So IE8 is the last version of IE to be supported on Windows XP...which itself is no longer supported by Microsoft.

Drummed up outrage over lack of support of 12 year old software products is super cool!

IE8 was released in 2009 so it isn't 12 years old, and it shipped with Windows 7 so it will be supported until January 14, 2020. Of course people should update their browser but if Microsoft says it is still supporting something then they should do so.


That would be nice. I'm stuck using IE8 at work. Which I'm using right now. I'd rather be at home using a real browser.
 
2014-05-22 02:58:08 PM

jon787: timujin: Arkanaut: So technically, wouldn't this be a 210-day vulnerability?

No, the zero indicates the number of days since a patch or update was released to resolve the vulnerability.

Actually you're both wrong because it indicates days since the product was released. Since MSIE 8 was released on March 19th, 2009 that makes this about a 1,890 day. The term was a badge of honor indicating that the adversary was skilled enough to reverse engineer the product in under 24 hours AND release an exploit for it. In the original context the exploit was almost always a means of removing or bypassing the anti-piracy features in a product. From there the term spread to other aspects of piracy, for example releasing a copy of a movie the day it comes out in theaters. (Keep in mind, this was back when re-encoding a movie and uploading it would take a significant amount of time.)


The term (including the original meaning of days since product release) also spread into the computer security industry where it again referred to exploits on the product release date. Of course, from there journalists picked up the term and started misusing it. Can't let minor things like facts or definitions get in the way of a good scare mongering headline!


According to Wikipedia:
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch.[1] It is called a "zero-day" because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a "zero-day exploit".

Or, from Symantec:
Zero-day vulnerabilities are vulnerabilities against which no vendor has released a patch.  Zero-day vulnerabilities are a sub-set of the total number of vulnerabilities documented over the reporting period. A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known. It may not have been known to the affected vendor prior to exploitation and, at the time of the exploit activity, the vendor had not released a patch.

Or bullguard.com
the general definition describes zero-day attacks (or zero-day exploits) as attacks that target publicly known but still unpatched vulnerabilities.

In other words, a vulnerability remains "zero day" until a patch is released to fix it.  It has been zero days since a patch was available to resolve this vulnerability in IE8, it will remain zero days until one is.
 
2014-05-22 03:10:11 PM
I can spend an hour adding some jQuery stuff. Another hour to test in FF + Chrome and the rest of the day trying to get it to work in IE8+9.

As I bill by the hour, please, continue...
 
2014-05-22 03:18:13 PM

Benni K Rok: Hand Banana: bmckenna: So IE8 is the last version of IE to be supported on Windows XP...which itself is no longer supported by Microsoft.

Drummed up outrage over lack of support of 12 year old software products is super cool!

IE8 was released in 2009 so it isn't 12 years old, and it shipped with Windows 7 so it will be supported until January 14, 2020. Of course people should update their browser but if Microsoft says it is still supporting something then they should do so.

That would be nice. I'm stuck using IE8 at work. Which I'm using right now. I'd rather be at home using a real browser.


Your sysadmin/IT staff has everyone using IE?  wth...

/I'm guessing it's because some of the websites your coworkers access for work will only run on IE
//we have a few of those... :(
 
2014-05-22 03:27:56 PM
it's a shame that Linux bugs are fixed within days.  having a developer community (and lots of eyeballs) around the world helps in finding/fixing bugs.  you don't have to rely on one company or one clown in the company to get a patch.
 
2014-05-22 03:28:26 PM
The Register?  Pass.  I'll just assume this is the worst thing possible, and continue on with my day.
 
2014-05-22 03:29:15 PM

xanadian: Benni K Rok: Hand Banana: bmckenna: So IE8 is the last version of IE to be supported on Windows XP...which itself is no longer supported by Microsoft.

Drummed up outrage over lack of support of 12 year old software products is super cool!

IE8 was released in 2009 so it isn't 12 years old, and it shipped with Windows 7 so it will be supported until January 14, 2020. Of course people should update their browser but if Microsoft says it is still supporting something then they should do so.

That would be nice. I'm stuck using IE8 at work. Which I'm using right now. I'd rather be at home using a real browser.

Your sysadmin/IT staff has everyone using IE?  wth...

/I'm guessing it's because some of the websites your coworkers access for work will only run on IE
//we have a few of those... :(



no, it's because Microsoft Jesus said to run Internet Exploder and everyone knows that Open Source software like Firefox is socialissmss!!
 
2014-05-22 03:30:32 PM
Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.
 
2014-05-22 03:32:22 PM
We should all just switch to Lynx.
 
2014-05-22 04:18:33 PM

Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.


Even if you aren't using toilet paper, how would you get pinkeye after not wiping? Unless you're scraping the poop off of your butt with your fingers and then rubbing your eyes without washing your hands afterwards...

I don't think you have figured out this pooping thing yet.
 
2014-05-22 04:26:03 PM

Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.


That's right, you stand up to the man!

Your Linux gaming clan totally thinks you're rad.
 
2014-05-22 04:29:18 PM

DuudeStanky: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

Even if you aren't using toilet paper, how would you get pinkeye after not wiping? Unless you're scraping the poop off of your butt with your fingers and then rubbing your eyes without washing your hands afterwards...

I don't think you have figured out this pooping thing yet.


I beg to differ, he craps all over every non-Linux thread.
 
2014-05-22 05:14:12 PM

Dragonflew: I beg to differ, he craps all over every non-Linux thread.


Hell, he threadshiats the Linux ones, too. Worse yet, he's an Ubuntu-derivative user.
 
2014-05-22 05:21:16 PM

DuudeStanky: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

Even if you aren't using toilet paper, how would you get pinkeye after not wiping? Unless you're scraping the poop off of your butt with your fingers and then rubbing your eyes without washing your hands afterwards...

I don't think you have figured out this pooping thing yet.



no!   anal pink eye.   when u don't wipe your butt and it gets irritated/pink/chapped.
 
2014-05-22 05:22:58 PM

Caelistis: Dragonflew: I beg to differ, he craps all over every non-Linux thread.

Hell, he threadshiats the Linux ones, too. Worse yet, he's an Ubuntu-derivative user.



Wrong.  Debian.   Linux Mint Debian Edition.   semi-rolling and never has to be reinstalled.
 
2014-05-22 05:24:52 PM

tripleseven: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

That's right, you stand up to the man!

Your Linux gaming clan totally thinks you're rad.



i'm not a gamer.  i'd rather watch FOX News than game.
 
2014-05-22 05:29:33 PM

fang06554: [img.fark.net image 801x603]



lol.   i've actually seen sh*t like that on systems whose owner wanted 'help because my PC runs slow and is acting funny'.


Jesus, i almost sh*t myself.  now, i tell the buggers that i don't work on windows machines.  apple/unix/linux only.  it saves me a lot of pain and depression.
 
2014-05-22 05:33:06 PM
i had to repost this from fang06554.   it's too beautiful and says everything.


img.fark.net
 
2014-05-22 05:34:13 PM

fang06554: [img.fark.net image 801x603]


I'll be in the corner reliving bad memories.  I've dealt with plague boxes that resemble that.  Even my professors couldn't make a system that badly infected for test systems no matter how much they tried.
 
2014-05-22 05:46:28 PM

Linux_Yes: tripleseven: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

That's right, you stand up to the man!

Your Linux gaming clan totally thinks you're rad.


i'm not a gamer.  i'd rather watch FOX News than game.


Sorry, your Linux newsgroup totally thinks you're rad.
 
2014-05-22 06:10:47 PM

Linux_Yes: Wrong.  Debian.   Linux Mint Debian Edition.   semi-rolling and never has to be reinstalled.


That's cute. Come talk to us when you've graduated out of the kiddie pool.
 
2014-05-22 06:22:21 PM

Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.


You must be old.
 
2014-05-22 06:26:02 PM

Linux_Yes: i had to repost this from fang06554.   it's too beautiful and says everything.


[img.fark.net image 801x603]


Yeah it's beautiful. :)
 
2014-05-22 06:26:08 PM
The troll is eating well today.
 
2014-05-22 06:27:58 PM
I want a free lobster dinner as well.
 
2014-05-22 06:28:38 PM

Caelistis: Linux_Yes: Wrong.  Debian.   Linux Mint Debian Edition.   semi-rolling and never has to be reinstalled.

That's cute. Come talk to us when you've graduated out of the kiddie pool.



no.  i like not having to dick around with my system every time i update something.  you can if you choose, but i prefer a stable reliable system with minimal problems.  and that is what Linux Mint debian edition provides. oh, and did i say fast as hell too??  (mate desktop)  64 bit.  i'm sure i mentioned it.
 
2014-05-22 06:29:18 PM

tripleseven: Linux_Yes: tripleseven: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

That's right, you stand up to the man!

Your Linux gaming clan totally thinks you're rad.


i'm not a gamer.  i'd rather watch FOX News than game.

Sorry, your Linux newsgroup totally thinks you're rad.



not in a linux newsgroup.
 
2014-05-22 06:30:43 PM

xkillyourfacex: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

You must be old.



no, i just understand how dangerous a company like Monopoly$oft can be.  takes some growing up to realize that.
 
2014-05-22 06:33:05 PM

Luneward: fang06554: [img.fark.net image 801x603]

I'll be in the corner reliving bad memories.  I've dealt with plague boxes that resemble that.  Even my professors couldn't make a system that badly infected for test systems no matter how much they tried.



lol    when i saw it i suddenly had flashbacks to OS hell.  man, that sh*t took 10 years off my life.  maybe that's why i resent Gill Bates.
 
2014-05-22 06:34:48 PM

Hand Banana: The troll is eating well today.



lol   you take this stuff to heart, man.  it has a certain resignation tone to it.   lol
 
2014-05-22 06:36:39 PM

Linux_Yes: tripleseven: Linux_Yes: tripleseven: Linux_Yes: Even if Monopoly$oft sold sh*tpaper i wouldn't wipe with it.  i'd rather get pink eye.  it would be worth it.

That's right, you stand up to the man!

Your Linux gaming clan totally thinks you're rad.


i'm not a gamer.  i'd rather watch FOX News than game.

Sorry, your Linux newsgroup totally thinks you're rad.


not in a linux newsgroup.


You have fooled the whole thread then.  Let's go talk about it on IRC.
 
Displayed 50 of 72 comments
