topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday October 15, 2024, 1:15 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Microsoft Races To Fix Massive Internet Explorer Hack  (Read 20318 times)

crabby3

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 1,018
    • View Profile
    • Donate to Member
Microsoft Races To Fix Massive Internet Explorer Hack
« on: April 29, 2014, 09:31 AM »
I just heard about this yesterday.  This site explains a couple of workarounds.

http://www.forbes.co...-1-in-4-pcs-exposed/

It appears XP users are basically screwed.   :(

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #1 on: April 29, 2014, 11:35 AM »
I just heard about this yesterday.  This site explains a couple of workarounds.

http://www.forbes.co...-1-in-4-pcs-exposed/

It appears XP users are basically screwed.   :(

People wanna comment? Is this massive!?


crabby3

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 1,018
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #2 on: April 29, 2014, 11:39 AM »
I just heard about this yesterday.  This site explains a couple of workarounds.

http://www.forbes.co...-1-in-4-pcs-exposed/

It appears XP users are basically screwed.   :(

People wanna comment? Is this massive!?



I thought it would have already been posted.  Not many IE users I guess?   :huh:

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #3 on: April 29, 2014, 12:01 PM »
It appears XP users are basically screwed.

No, just the ones that read Forbs and believe its over the top sensationalized version of the news.

Let's starts with the title:
Microsoft Races To Fix Massive Internet Explorer Hack: No Fix For Windows XP Leaves 1 In 4 PCs Exposed
-Forbes

This is simply bull shit. It's the same size hole as any other phishing scam level attack vector...and just as easy to spot.

FireEye also revealed a sophisticated hacker group has already been exploiting the flaw in a campaign dubbed  ‘Operation Clandestine Fox’, which targets US military and financial institutions.
-Forbes

...And by that I'll just assume it to mean the NSA has found an method/reason/excuse to rummage through their sister agency's knickers drawer.

FireEye spokesman Vitor De Souza declined to name the hackers or potential victims as the investigation is ongoing, only telling Reuters: “It’s unclear what the motives of this attack group are at this point. It appears to be broad-spectrum intel gathering.”
-Forbes

 :-\ I'll just go with world domination by the NSA here ... It's what everybody with any sense is thinking already anyhow.


For its part Microsoft has confirmed the existence of the flaw in an official post. It gave limited information on the bug, but admitted “an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
-Forbes

Oh FFS They did not! The exploit give the same rights that are assigned to the current user. If the user ain't an admin then neither is the bugg. Standard security practice here folks...there are reasons for them.


A Temporary Fix
 While Microsoft rushes to fix the bug, FireEye gave concerned users two workarounds .

1. Use another web browser other than Internet Explorer
 2. Disable Adobe Flash. “The attack will not work without Adobe Flash,” it said. “Disabling the Flash plugin within IE will prevent the exploit from functioning.”
-Forbes

While not the worst advice I've seen it is still again total bullshit! Flash is the most common target but CERT maintains that other file types can be used in the same fashion. That's why it's an IE bugg, and not a Flash bugg. But hay...no reason to keep the facts straight or anything Because driving off a cliff is perfectly safe as long as you do it backwards, right? Wrong!!!


The remaining drivel is just more idiotically panic toned RUN FOR YOUR LIVES!!!!!!!!!!!!!!!!!!!!! crap directed squarely at XP users ... Even though all MS OS's are equally as vulnerable as their security is configured.

The same basic sound security practices that "work" for Windows 8.1 will still work for XP.

The MS Enhanced Mitigation Experience Toolkit

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #4 on: April 29, 2014, 01:15 PM »
+1 w/Stoic - Once again some breathless reporting directed at the clueless from people that should know enough to do a little more research and editing prior to rushing their article into print.

This is yet another remote code execution vulnerability. It doesn't do anything by itself. In order to be exploited, the IE user needs to be convinced to browse over to a website containing code that's set up to take advantage of the vulnerability. This is nothing new.

It happens. It gets identified. It gets plugged. As all 'zero-days' eventually do. It's all in a day's work for network and security people.

I'm not sure why Forbes felt the need to get so breathless over this one. I guess there's still some residual angst left over from the Mask/Careto story that Forbes is hoping to piggyback on.

 :-\


Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,068
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #5 on: April 29, 2014, 03:06 PM »
Wouldn't be surprised is MS knew about this before April 8 and waited to release the info to add even more marketting pressure to dump XP.

Beginning to want to wipe Windows 8 off this laptop and put XP back just to say screw MS

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #6 on: April 29, 2014, 05:18 PM »
Beginning to want to wipe Windows 8 off this laptop and put XP back just to say screw MS
-Carol Haynes (April 29, 2014, 03:06 PM)

I went further and shifted completely over to Linux and BSD for my own needs once I saw where things were going starting with Win 8. If I didn't need to support clients, I wouldn't be using Microsoft's desktop OSes at all. (Their servers, on the other hand, aren't half bad.)  8)

crabby3

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 1,018
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #7 on: April 30, 2014, 07:31 AM »
... Once again some breathless reporting directed at the clueless from people that should know enough to do a little more research and editing prior to rushing their article into print.

I suppose I am "clueless" but only when it pertains to computers or cell phones.

Monday evening, on CNN, was where I first heard about this.  Yesterday, Tuesday, I figured DC would have covered the topic.  Found zilch.  My web search brought up around 10 sites.  I picked Forbes.  I didn't want to spend an hour desiding which site to link.  Being "clueless" I wanted to bring the supposedly bad news to DCers ASAP.

CNN rarely runs a story about anything to do with computers much less a specific issue.

anandcoral

  • Honorary Member
  • Joined in 2009
  • **
  • Posts: 783
    • View Profile
    • Free Portable Apps
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #8 on: April 30, 2014, 08:00 AM »
Wouldn't be surprised is MS knew about this before April 8 and waited to release the info to add even more marketting pressure to dump XP.

Beginning to want to wipe Windows 8 off this laptop and put XP back just to say screw MS
-Carol Haynes (April 29, 2014, 03:06 PM)

Yeah right.

I installed Win7 over Xp in my old machine, when Xp support was ceased.

But now planning to overwrite back to Xp, anyway Win7 runs toooo slow in the old machine and I use FF.

Regards,

Anand

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #9 on: April 30, 2014, 11:06 AM »
... Once again some breathless reporting directed at the clueless from people that should know enough to do a little more research and editing prior to rushing their article into print.

I suppose I am "clueless" but only when it pertains to computers or cell phones.

Monday evening, on CNN, was where I first heard about this.  Yesterday, Tuesday, I figured DC would have covered the topic.  Found zilch.  My web search brought up around 10 sites.  I picked Forbes.  I didn't want to spend an hour desiding which site to link.  Being "clueless" I wanted to bring the supposedly bad news to DCers ASAP.

CNN rarely runs a story about anything to do with computers much less a specific issue.

@crabby3 - Please don't think I was referring to you personally when I said "clueless." That was meant to be in reference to Forbes's usual non-tech management target audience. (Sadly, Forbes tends to get a little sensationalist when reporting on stuff like this. They're guilty of way too much sizzle - and far too little steak sometimes.)  Your bringing this up is greatly appreciated. Because even grouchy network/IT types like Stoic and me can be dead wrong about the seriousness of things like this. And just because we aren't overly concerned about something doesn't mean it it can't be a very serious threat. So please don't hesitate to share anything you think may be of interest here.

 :Thmbsup:

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #10 on: April 30, 2014, 12:29 PM »
Because even grouchy network/IT types like Stoic and me can be dead wrong about the seriousness of things like this. And just because we aren't overly concerned about something doesn't mean it can't be a very serious threat. So please don't hesitate to share anything you think may be of interest here.

+.5 - Us wrong? Never... <fingers crossed> :D

@Crabby3 - Only reason I shredded the Forbs article -(other than being a prick because I'm not smoking)- so quickly is that I'd also been concerned about the hype surrounding the exploit and was researching the details of who exactly had found what, and what if anything could be done about it. So there is/was definite interest in the topic...it just doesn't always manifest well. :)

So like 40 said, don't hesitate to share things of interest.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #11 on: April 30, 2014, 12:47 PM »
+.5 - Us wrong? Never... <fingers crossed> :D

@SJ - Your 99px-Bofh.png is showing.  :P

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,021
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #12 on: April 30, 2014, 09:07 PM »
Just for the record, I work for a government agency these days (nothing sinister, trust me), and we just got an email that Firefox will be remotely installed on our workstations and that we should avoid using Internet Explorer until Microsoft can fix the bug.  Sometime in mid-May, they said.  I don't know about the hype, but when it's bad enough to make the government change their default browser almost overnight, it's bad enough.
http://www.neowin.ne...osoft-releases-patch
« Last Edit: April 30, 2014, 09:12 PM by Edvard »

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #13 on: May 01, 2014, 03:39 PM »
The patch appears to be out:

 - https://technet.micr...ry/security/ms14-021

Also, MS *is* providing patches for IE 6, 7 and 8 on WinXP SP3.

crabby3

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 1,018
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #14 on: May 02, 2014, 03:49 AM »
The patch appears to be out:

 - https://technet.micr...ry/security/ms14-021

Also, MS *is* providing patches for IE 6, 7 and 8 on WinXP SP3.

Thanks for the link mwb1100.  According to this site, if you have auto-update set, the patch will be downloaded/installed like any other update.

I do have auto-update set but I manually *checked for updates* so I could get the required restart out of the way.  ;D

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #15 on: May 02, 2014, 04:41 AM »
I don't know about the hype, but when it's bad enough to make the government Microsoft change their default browser decision not to provide support for XP almost overnight, it's bad enough.

Heh with modifications we were hollering about over at Slashdot. : )


TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #16 on: May 02, 2014, 04:44 AM »
Wouldn't be surprised is MS knew about this before April 8 and waited to release the info to add even more marketting pressure to dump XP.

Beginning to want to wipe Windows 8 off this laptop and put XP back just to say screw MS
-Carol Haynes (April 29, 2014, 03:06 PM)

Yeah right.

I installed Win7 over Xp in my old machine, when Xp support was ceased.

But now planning to overwrite back to Xp, anyway Win7 runs toooo slow in the old machine and I use FF.

Regards,

Anand


Yeah I'll have to think about that too Anand, if the cost was just the raw OS and the time to rebuild a hundred programs, it's one thing, but having to sacrifice the entire hardware is another!

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #17 on: May 02, 2014, 07:30 AM »
Respect to Microsoft for releasing patches for Windows XP. A lot of companies would have just used this incident as a bullet point on their sales presentation to get you to upgrade.

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,041
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #18 on: May 02, 2014, 08:54 AM »
I'm a bit puzzled about all this.  Today I was offered an update related to this issue: KB 2964358.  It's offered to people on Win 7 who have an earlier update installed (KB 2929437, I think, which is already installed).  However, KB 2964358 is rated as "important" rather than "critical," even though it would seem that the issue is more serious than "important" suggests.  Moreover, this update was offered to me but not checked, which usually is a sign I shouldn't be quick to install it.  I'm not all that worried, since I almost never use Internet Explorer (it's fourth on my list, after Pale Moon, Opera 12.17, and Firefox).  But I'm nonetheless puzzled.  Needless to say, I haven't yet installed it.   :huh: 

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,963
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #19 on: May 02, 2014, 10:34 AM »
[2964358 is being] offered to people on Win 7 who have an earlier update installed (KB 2929437, I think, which is already installed).

Yeah, I'm being offered it today.

MS does give a warning:
Known issues with this security update

    Internet Explorer will crash if you try to install this security update on a Windows 7-based system that does not already have security update 2929437 installed. To avoid this issue, take either of the following actions:
        Install security update 2929437, and then install security update 2964358. For more information about security update 2929437, click the following article number to view the article in the Microsoft Knowledge Base:
        2929437 Description of the security update for Internet Explorer 11 on Windows 7 and Windows Server 2008 R2: April 8, 2014
        Install security update 2964444 instead of security update 2964358. Security update 2964444 is intended for systems that do not have security update 2929437 installed.

Wondering is there any way of easily checking what updates are installed? (in Win7, they show you a nice list after updating/rebooting, but I dont know how to access that)
Tom

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #20 on: May 02, 2014, 11:12 AM »
Wondering is there any way of easily checking what updates are installed? (in Win7, they show you a nice list after updating/rebooting, but I dont know how to access that)

Control Panel-->System and Security then look for View Installed Updates under the Windows Update section.

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #21 on: May 02, 2014, 12:08 PM »
I put my XP update through this morning. On to see what next crisis MS will support after ending support! At this rate we could be getting into "Bob Hope Retiring" territory!
;D

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,759
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #22 on: May 02, 2014, 01:49 PM »
I don't understand why people keep calling this a Windows XP update. It's not. It uses the "Microsoft Update" automated update system to update a Microsoft product, namely IE. It's not an update to XP. It's an update to IE.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #23 on: May 02, 2014, 02:37 PM »
I don't understand why people keep calling this a Windows XP update. It's not. It uses the "Microsoft Update" automated update system to update a Microsoft product, namely IE. It's not an update to XP. It's an update to IE.

Because that's not as funny?  Nor as interesting.  It would just be run of the mill logic...

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Microsoft Races To Fix Massive Internet Explorer Hack
« Reply #24 on: May 02, 2014, 03:01 PM »
I don't understand why people keep calling this a Windows XP update. It's not. It uses the "Microsoft Update" automated update system to update a Microsoft product, namely IE. It's not an update to XP. It's an update to IE.

Because that's not as funny?  Nor as interesting.  It would just be run of the mill logic...

Nailed It! :Thmbsup: