Author Topic: Why some stay away from IE8  (Read 1895 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33486
  • malware fighter
Why some stay away from IE8
« on: March 20, 2009, 09:45:33 PM »
Hi malware fighters,

There could not be a better introduction to IE8 to find it hacked within a couple of hours after it's release:
http://www.reddit.com/r/technology/comments/86034/as_if_you_need_another_reason_to_avoid_ie_ie8/
Since IE is another side of explorer.exe in Windows, so when Internet Explorer comes under danger "part" of your Operational System comes under danger. In Vista less than in XP because Vista has a couple of extra defense layers built on top of the XP ones. Those in XP are already broken (WFP, SafeMode, etc), Vista has some extra layers of defense to protect it, but I rather like to use a browser that is not an integral part of the OS. I keep IE upgraded and patched just to protect the OS and use it only to get the regular MS updates and patches,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87275
  • No support PMs thanks
Re: Why some stay away from IE8
« Reply #1 on: March 20, 2009, 10:46:43 PM »
I strongly doubt it got hacked within hours of its launch.

I would imagine that they have been probing the beta and RC versions looking for vulnerabilities to exploit. All it needs then is a quick check of the final to see if the vulnerability still exists and bingo the exploit is released.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33486
  • malware fighter
Re: Why some stay away from IE8
« Reply #2 on: March 20, 2009, 11:49:37 PM »
Hi DavidR,

It was the release version that got his first zero-day at its birthday, honest it is true. I quote:
Quote
The big news of the day is that the MSRC (Microsoft Security Response Center) woke me up before my alarm went off this morning to let me know that they had reproduced and validated IE8 vulnerability discovered by the mysterious Nils. Of course, we can't tell you anything more than that- stay tuned for more information once Microsoft releases an update for it! I continue to be impressed by the dedication of the MSRC team- and was shocked to get the news of verification in less than 12 hours- considering the entire IE team was most likely at the MIX 2009 con down in Vegas for the official launch of IE8!

For those not keeping score, the confirmation of the IE8 vulnerability on the released bits (available just this morning!) marks the first official vulnerability in IE8! Congratulations Nils! We take our collective hats off to you!
Well, I guess they do not pay Nils 5.000 green backs for an exploit on which he can brood months in advance, well he had some tricks up his sleeve when he came in there, but he did not have a trial run with the real software. We have to admit that he did extremely well, and the glorifying tone of MS at launching the browser "went a little bit sour". You have to admit that, the developers have to learn to keep up with the reversers now.....

polonus
« Last Edit: March 20, 2009, 11:51:34 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87275
  • No support PMs thanks
Re: Why some stay away from IE8
« Reply #3 on: March 21, 2009, 12:17:03 AM »
Yes, that is exactly what I was saying, but you can bet your life they didn't just find it within 8 hours of release, but through probing the beta and RC builds looking for vulnerabilities.

No point in exploiting vulnerabilities in the beta or RC builds as it is a limited audience and it alerts MS to the vulnerability which they could close before the release version. That way it is a bigger audience and a headache and egg on face for MS to resolve.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33486
  • malware fighter
Re: Why some stay away from IE8
« Reply #4 on: March 21, 2009, 01:22:52 PM »
Hi DavidR,

But as I said in a previous posting somewhere, Microsoft finds itself in between a rock and a hard place here. They have to consider users with a minimal or no knowledge whatsoever of safe browsing practices, everything must have full functionality with complex techniques as it comes out of the box or ready installed, Flash, full admin rights, dangerous browser heper objects etc. etc. - the software developer has to keep all dangers at bay and the poor uneducated n00b user must use the new browser "with no strings attached". This cannot function, not even in an ideal world. It is still a miracle this Internet of ours is not completely "broken beyond repair" as you come to think of it, so actually we should be thankful for the white and red hat community to educate developer and "dumbed down"user alike to keep the rubber bands in the right places. If these aforementioned user hordes were left loose at a Mac or open standards the malcreants could jump for joy, they could have a free for all,

polonus
« Last Edit: March 21, 2009, 01:25:27 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!