Update: Third of Internet Explorer users at risk from attacks...


Update: Third of Internet Explorer users at risk from attacks

 

Microsoft confirms both IE9 and IE10 contain vulnerability, urges customers to upgrade to IE11; leaves Vista users out in the cold

 

February 14, 2014 05:15 PM ET
 

Computerworld - Microsoft on Friday said that both Internet Explorer 10 and its predecessor, IE9, contained an unpatched vulnerability, but that hackers were currently exploiting only the newest, IE10.

 

The extension of the vulnerability to IE9 followed confirmation earlier yesterday that active attacks are compromising the newer IE10 and hijacking PCs running the browser.

 

"Microsoft is aware of limited, targeted attacks against Internet Explorer 10. Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected," a Microsoft spokesperson said via email today.

With both IE9 and IE10 vulnerable, it means that about a third of all those using Internet Explorer are at risk.

 

According to Web analytics vendor Net Applications, IE9 accounted for 15.3% of the total IE user share last month; IE10's share was 15.9%. Together, the two editions represented 31.2% of Internet Explorer's January user share.

 

Milpitas, Calif.-based FireEye was the first to spot the attacks, and said that they had been aimed at IE10 as part of a campaign targeting current and former U.S. military personnel when they visited the Veterans of Foreign Wars (VFW) website.

 

While FireEye said it identified the "zero-day" vulnerability -- a term to indicate that the flaw is currently unpatched -- on Feb. 11, yesterday San Diego security company Websense said it had found evidence that the exploit may have been used as early as Jan. 20, or more than three weeks ago.

 

Websense also speculated that those earlier attacks had been aimed at visitors to a French aerospace association's website. Members of the organization, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), include defense and space contractors and subcontractors.

 

GIFAS is best known to the general public as the sponsor, through a subsidiary, of the Paris Air Show, an annual extravaganza where aircraft makers, both commercial and military, strut their newest wares.

 

Microsoft's advice to customers that they upgrade to IE11 was not possible for those still running Windows Vista. That 2007 operating system cannot run either IE10 or IE11. Most Vista users are likely running IE9, since Microsoft automatically upgraded their copies from IE7 or IE8 to the then-new IE9 in the first half of 2012.

 

The only silver lining is that few Windows users run Vista: Last month, the oft-disparaged OS represented just 3.6% of all editions of Windows.

 

Microsoft has not said if it will issue an "out-of-band" security update -- a rush fix shipped before the next regularly-scheduled Patch Tuesday of March 11 -- or yet issued a formal security advisory. It will certainly do the latter, and at that time may, as it often does, provide a work-around to protect IE9 and IE10 users.

 

SOURCE: https://www.computerworld.com/s/article/9246343/Update_Third_of_Internet_Explorer_users_at_risk_from_attacks

 

Steve


What M$ fails to also disclose is that IE11 is not compatible with a lot of websites. Using IE11 you have to put some websites in compatibility mode just to get the pages to load.

 

Indeed - that has been an ongoing issue since Day 1.

 

And IE11 was designed primarily for Win8 -- lots of folks with Win7 have had issues with it.

Many folks have had to rollback to IE10.

Not to mention the ongoing problems with 9C59 and other errors for many Win7/x64 users upgrading from IE9 to either IE10 or IE11.

Fixing that mess keeps Noel busy over at sevenforums.com

 

As soon as M$ issues the fix, the bad guys will find & exploit a new hole for IE-ANYTHING.

Whack-a-mole.

 

I only keep, patch, and browse with IEXX for the thankfully rare website that still requires it.


  • Root Admin

Well the security updates for IE11 are a good thing really - but unfortunately since MS does not own the billions of sites out there they can't make them update the web code to be compliant. As such they need to drop back to a compatibility mode that itself is still often not as fully compatible as IE8 is/was.

Since the compatibility mode does not even match IE8 when using 10/11 what Microsoft seems to be saying is:  Microsoft confirms both IE9 and IE10 contain vulnerability, urges customers to switch to Firefox or Chrome


  • Root Admin

ADP one of the largest online payroll firms does not support past IE9 in some areas of their site.  You can run many areas of the site but on IE11 reporting is one area that does not work well.

Plenty of sites that have compatibility issues and why Microsoft even has a team dedicated to creating "updates" just for compatibility.


ADP one of the largest online payroll firms does not support past IE9 in some areas of their site.  You can run many areas of the site but on IE11 reporting is one area that does not work well.

Plenty of sites that have compatibility issues and why Microsoft even has a team dedicated to creating "updates" just for compatibility.

 

One can set the site(s) into Compatibility Mode or via Local/Group policy

 

computer --> administrative templates --> windows components --> internet explorer --> compatibility view --> Use policy list internet explorer 7 sites

Enable

Add associated sites.


  • Root Admin

Fully understand how to do that David.  It is NOT supported by ADP and no matter what you set security to.  Remove every single common sense item in security of IE11 and add site to Trusted Group and add to Popups allowed, allow ALL signed or unsigned access, add to Compatibility and it DOES NOT WORK.  Fire up Firefox or Chrome out of the box no adjustments at all aside from allow popup and they both work. It is a Compatibility issue with IE end of story. 
