I guess IE8 still needs "Emergency" Updates

kblessinggr

Well, emergency according to the blog; Microsoft just goes by the ever-famous 'critical'.

Emergency IE update patches 10 critical security holes | Zero Day | ZDNet.com

Microsoft today shipped a cumulative Internet Explorer update with patches for 10 security holes, including a drive-by download vulnerability that’s already being used in malware attacks.

The critical MS08-018 update patches security holes that could lead to code execution attacks on all versions of Microsoft’s flagship browser, including the newest Internet Explorer 8.


From the bulletin:

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.



The patch comes a full three weeks after the appearance of targeted drive-by download attacks that dropped a backdoor on a hijacked Windows computer.

The backdoor allowed an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes.


Yes, IE8 users, you need that new security update | Ed Bott’s Microsoft Report | ZDNet.com

Microsoft issued a so-called out-of-band update for Internet Explorer today. In plain English, that means the update is being pushed out via Windows Update and Microsoft Update ahead of the normally scheduled release on Patch Tuesday, April 13. Out-of-band updates are relatively rare, and reserved for vulnerabilities that are being actively exploited.

If you’re using IE8 on any platform, including Windows 7, you need the updates described in Microsoft Security Bulletin MS10-018. If you heard otherwise, it’s understandable. Microsoft has issued some confusing public statements on this matter. Here’s a quick explainer.

According to the security bulletin:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 Service Pack 1, Internet Explorer 6 on Windows clients, Internet Explorer 7, and Internet Explorer 8 on Windows clients. [emphasis added]

So why the confusion? In the blog post that provided advanced notification of the fix, the Microsoft Security Response Center said:

MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory …

Indeed, IE8 is unaffected by that one issue. But MS10-018 is a cumulative update that also includes fixes for nine privately reported and previously undisclosed vulnerabilities in all versions of Internet Explorer, including IE8.

If you have Automatic Updates turned on, this should be delivered to you today or tomorrow at the latest. The update isn’t large, and a restart is required after installation, so if you don’t want an unexpected reboot, go get it now by checking Windows Update manually.

Looking at the chart from the first one, even more reasons for people to at the very least get the hell off IE6.

I'm wondering if exploits from competitor browsers (safari, chrome, firefox, etc) are just not as openly published or something.
 


I'm wondering if exploits from competitor browsers (safari, chrome, firefox, etc) are just not as openly published or something.

I could be totally wrong, but my guess is that the reason why IE (and MS OS' in general) has all these "security holes" is less about it being "less secure" than some of the others and more about it being targeted more because of adoption numbers. If I was going to code something malicious, I would try and exploit as large of a group of people as possible. Oh, and fuck IE.
 
I'm wondering if exploits from competitor browsers (safari, chrome, firefox, etc) are just not as openly published or something.

Firefox pushed 3.6.2 out like two weeks early because of a major exploit, coupled with the German security experts telling people to stop using the browser for the time being. This was like 1 or 2 weeks ago. So it definitely doesn't just happen to Microsoft.

[edit] Ok it was only a week ahead of schedule but still:
http://www.theregister.co.uk/2010/03/23/firefox_zero_day_fix/
 
Firefox pushed 3.6.2 out like two weeks early because of a major exploit, coupled with the German security experts telling people to stop using the browser for the time being. This was like 1 or 2 weeks ago. So it definitely doesn't just happen to Microsoft.

But as often? :P

I really wish people would just bite the bullet and just give up on supporting IE6, no sense in supporting something that is so ridden with holes, especially given its age.
 
But as often? :P

I really wish people would just bite the bullet and just give up on supporting IE6, no sense in supporting something that is so ridden with holes, especially given its age.

There are some people that are not very technical with computers. They do not know there are other browsers besides the one that comes with their computer or that there is a newer version available.
 
But as often? :P

I really wish people would just bite the bullet and just give up on supporting IE6, no sense in supporting something that is so ridden with holes, especially given its age.

pwn2own raped apple and microsoft new assholes like a week ago...so it's not only microsoft...
 
But as often? :P

I really wish people would just bite the bullet and just give up on supporting IE6, no sense in supporting something that is so ridden with holes, especially given its age.

It's starting to happen. Google Apps recently joined in. I know YouTube and Digg stopped supporting it for new features a few months back. 37signals as well.
 
There are some people that are not very technical with computers. They do not know there are other browsers besides the one that comes with their computer or that there is a newer version available.

The only reasons that someone hasn't upgraded to IE8 yet is because:

A) They never turned on automatic updates
B) They have a pirated or otherwise considered 'invalid' copy of Windows (or were too stupid to get past the activation).
C) Have no internet access, or only have dial-up and don't want to bother with a couple hundred megs of updates to get caught up.
D) Still work in a corporate environment where the mandate was that no software changes were to be done on the computers (aka the bot army)

And seeing as the % are probably either @work corporate users, or pirates, I don't see much incentive to catering to them. Has anyone actually collected stats to show how many of their conversions were IE6? I mean whining about how 2 to 8% of your traffic is still IE6 is one thing, but if you haven't gotten even 1% conversions from it, fuck em.

And all of the above doesn't require knowing there's another browser besides IE.
 
There are some people that are not very technical with computers. They do not know there are other browsers besides the one that comes with their computer or that there is a newer version available.

Quite a lot (from what I've heard) of the current IE6 base is from government and large corporations who simply haven't eaten the cost to update everything, even though it's riddled with security problems...not to mention can't properly render pages to save its life.
 
Quite a lot (from what I've heard) of the current IE6 base is from government and large corporations who simply haven't eaten the cost to update everything, even though it's riddled with security problems...not to mention can't properly render pages to save its life.

If it's anything like NC ESC LMI (North Carolina Employment Security Commission Labor Marketing Information division) I used to contract for, their computers will be the same as the day they purchased them, short of some new bookmarks and such, since it's against their policy for any user to do any system changes and such. But in terms of work, all the sites they need to visit were usually designed specifically for IE6 or earlier (when I worked on websaras.org back in 2001 I had to make that thing both IE5/IE6 compatible, and Nutscrape 4 compatible, it's probably still netscape 4 compatible lol)

Course back then they were using Windows 2000 pro, wouldn't be surprised if they didn't upgrade to XP until 5 or 6 years ago.

For over a year they had a FrontPage extension on their server that did not require a password at all, even despite me telling them about it, they figured if no one knew it would be fine, and someone upstairs had to make some changes and couldn't remember their password.
 
It's starting to happen. Google Apps recently joined in. I know YouTube and Digg stopped supporting it for new features a few months back. 37signals as well.

I no longer waste more than an hour trying to make IE6 functional. If it doesn't look good on my site.. oh well. I'll make that 5% of revenue up elsewhere, or just consider that my tax for enjoying an IE6-less, stress-free lifestyle
 
I'm wondering if exploits from competitor browsers (safari, chrome, firefox, etc) are just not as openly published or something.

Wat?

WebKit (Safari + Chrome's rendering engine, where 99.9% of exploits live in a browser) is open source. https://bugs.webkit.org/report.cgi

Chromium is open source. Issues - chromium - Project Hosting on Google Code

FireFox is open source. https://bugzilla.mozilla.org/report.cgi

I'm hardly an open source fanboy but I'm not sure on what planet Microsoft bugs could ever be construed as more "openly published."

Bottom line is Microsoft's code has far more security issues, and far more researchers looking for those holes due to the impact (publicity if you're a whitehat, profit if you're a blackhat.)
 
Quite a lot (from what I've heard) of the current IE6 base is from government and large corporations who simply haven't eaten the cost to update everything, even though it's riddled with security problems...not to mention can't properly render pages to save its life.

a family member works for a fortune 50 insurance company, their corp-issued mandatory laptops (which are docked as desktops at work, so these are virtually the only PCs in the organization) all run IE6. end users are not allowed to install other software (just by policy, it's not actually secured)..

tl;dr = fortune 50 w/ 40k employees all run IE6 fulltime on the open web
 
The reason why many large corporations still run IE6 is that they typically have many separate IT systems that are interconnected. Software X works with Y which integrates with Z. Such companies may also have an intranet that is "optimized for IE6", which I know sounds funny and so 1990s but that's really when it was built.

So to upgrade one piece of the puzzle would mean to update all the other pieces as well. It's damn expensive to revamp dozens of interconnected IT systems, not to speak of security concerns, and then we have all the employees requiring some sort of training or at least an awareness seminar, which adds yet another price factor to the equation. All this while IT maintenance costs can be as high as 80% of the total cost for a system per year.

So that's the effort involved. What do they gain in return for upgrading their IT? Transparent PNG support.

I'm obviously just kidding on that last sentence but that's their point, and it makes total sense. We all may hate it (I know I do) and we have a very good point as well, but their position is a different one than ours entirely.
 
The reason why many large corporations still run IE6 is that they typically have many separate IT systems that are interconnected. Software X works with Y which integrates with Z. Such companies may also have an intranet that is "optimized for IE6", which I know sounds funny and so 1990s but that's really when it was built.

So to upgrade one piece of the puzzle would mean to update all the other pieces as well. It's damn expensive to revamp dozens of interconnected IT systems.

yeah, definitely.. my post was just meant to be an amusing anecdote that probably is true among most of the other large corps whose IT is a cost center, not their core business.

as gov-conservative as i am, this is one area that needs new legislation. (no, not requiring people to upgrade IE, read on..)

as is it's much cheaper for companies to just get hacked and lose enormous amounts of sensitive customer data, then buy everyone identity monitoring and call it a day, than to actually spend the time and money securing their systems/processes.

that's unfortunate, and one of the things that the market can't really fix when you're talking about banks and insurance companies who all work together in a big shitpile of collusion and price fixing (whether natural or not.)

i think the EU went overboard with their consumer privacy/data protection laws, but there should be steep penalties when you lose someone's (or 5 million someones') personal data by negligence.
 
The reason why many large corporations still run IE6 is that they typically have many separate IT systems that are interconnected. Software X works with Y which integrates with Z. Such companies may also have an intranet that is "optimized for IE6", which I know sounds funny and so 1990s but that's really when it was built.


I can vouch for this possibility, had to write a number of ActiveX controls for internal use with the state of North Carolina. And obviously ActiveX only works in IE, some of them still use controls written in VB6.
 
I no longer waste more than an hour trying to make IE6 functional. If it doesn't look good on my site.. oh well. I'll make that 5% of revenue up elsewhere, or just consider that my tax for enjoying an IE6-less, stress-free lifestyle

I strongly suggest that you look at the browser version traffic stats for your site. Unless you are running a Mac fanboy site, the numbers for IE6 users will scare you.
 
I strongly suggest that you look at the browser version traffic stats for your site. Unless you are running a Mac fanboy site, the numbers for IE6 users will scare you.

kbeezie.com for example is a far cry from being a 'mac fanboy site', just a technical blog, and well most 'coders' are on PC, good portion on linux and my stats are:

48% FireFox
25% Chrome
12% Safari
6.66% Internet Explorer
5% Opera

of the 6.66% of IE
62% IE8
27% IE7
10% IE6 (that's 10% of 6%)
1% IE5 (probably IE 5.5 for mac)


For Kblinker.com
58% FireFox
23% Chrome
11% Internet Explorer
5% Safari

of the 11% Internet Explorer
80% IE8
13% IE6 (that's 13% of 10%)
6.7% IE7

For BannerCrate.com (SilentPen's site)
63% FireFox
13.3% Internet Explorer
12.5% Safari
8% Chrome
3% Opera

Of the 13.3% of Internet Explorer
46% IE7
40% IE8
13% IE6 (13% of 13%)


Now I imagine if you run a government site, or say a bank or mortgage site you're probably going to have a higher percentage of IE users and probably even higher % of IE6 within that. I can only go by the stats of sites I've installed analytics tools on. But as far as my own sites, and some of the ones I've built, IE6 seems pretty insignificant. I'd be interested to see other people share their stats from their own sites though.
 
I'm at roughly 80% IE on my money sites with roughly 30% of that being IE6. I can't ignore IE6 traffic just because it's a pain in the ass to design around. And even if I did ignore them for the sake of maintaining some design aesthetics, I could very well in fact just be keeping things more appealing to those visitors that are just lifting my shit and leaving anyhow.
 
I'm at roughly 80% IE on my money sites with roughly 30% of that being IE6. I can't ignore IE6 traffic just because it's a pain in the ass to design around. And even if I did ignore them for the sake of maintaining some design aesthetics, I could very well in fact just be keeping things more appealing to those visitors that are just lifting my shit and leaving anyhow.

Course you could always utilize PHP to detect the browser and instead of trying the pain-in-the-ass route of maintaining a single design for all the browsers, load up a different HTML source that's scaled-down for non-modern browsers, basically just what's needed to keep conversions going on that platform. It'd be a hell of a lot easier than coming out with a kickass design but then having to butcher it cuz you don't want to lose 30% of 80%.
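
The browser-detection approach suggested in the last post, as an added example that is not part of the thread. The function names, the template file names and the "IE6 or older" cutoff are assumptions; because the User-Agent header is client-controlled, it is used here only to choose between two fixed files and never to build a path or make a trust decision.

```php
<?php
// Added example: choose a scaled-down template for old IE from the User-Agent.
// Function names, template names and the version cutoff are hypothetical.

/** Return the major MSIE version in a User-Agent string, or null if not IE. */
function msie_major_version(?string $ua): ?int
{
    if ($ua === null || $ua === '') {
        return null;                       // header missing: treat as non-IE
    }
    // Opera of that period could send an MSIE token while also naming itself.
    if (stripos($ua, 'Opera') !== false) {
        return null;
    }
    if (preg_match('/\bMSIE (\d+)\.\d+/', $ua, $m) === 1) {
        return (int) $m[1];
    }
    return null;
}

/** Map the header onto one of two known files; nothing else can be selected. */
function pick_template(?string $ua): string
{
    $version = msie_major_version($ua);
    return ($version !== null && $version <= 6) ? 'legacy.html' : 'modern.html';
}

// Constructed sample User-Agent strings, not taken from real logs.
$samples = [
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.00',
    'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2',
    '',
];
foreach ($samples as $ua) {
    echo pick_template($ua), '  <-  ', ($ua === '' ? '(no header)' : $ua), PHP_EOL;
}

// In a request handler the same function would be used like this:
//   header('Vary: User-Agent');  // keep caches from serving one variant to everyone
//   readfile(__DIR__ . '/templates/' . pick_template($_SERVER['HTTP_USER_AGENT'] ?? null));
```

Only the first sample selects `legacy.html`; the Opera string, IE8, Firefox and the missing header all fall through to `modern.html`.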