Ditch Internet Explorer, experts warn after new flaw

I literally cannot remember the last time I used IE. Why are "security experts" are advising users to "temporarily" switch to another browser? This should be permanent recommendation unless there is a piece of legacy software/site which requires IE, I cannot see any reason to use such an awful browser.

By isofa on 18 Sep 2012

This is just an unfair attack on Microsoft.
What makes any other browser immune from the same threat if security firms find it so hard to detect?
This stinks of self interest of security firms.

By curiousclive on 18 Sep 2012

@isofa

If you can't remember the last time you launched IE, have you even used a modern version? It has improved vastly over the last few years.

Okay, I still use Firefox as my main browser, but I use IE for a few tasks (one service requires IE, for example) and it is actually not a bad experience.

By big_D on 18 Sep 2012

@isofa - sorry but that's a stupid troll like comment

If you haven't used IE for ages, how do you know that, in your opinion, its an "awful browser"? Personally, I use IE9, Chrome and Firefox everyday and all three have their good and bad points. If everybody followed your advice and switched to another browser permanently, do you really think that would be the end of security problems? Any piece of complex software has security weaknesses, AND YES that holds whether the said software is open or closed source. If hackers have the resources and the motivation they will find zero day flaws whichever browser you opt for.

By rjp2000 on 18 Sep 2012

@isofa - sorry but that's a stupid troll like comment

If you haven't used IE for ages, how do you know that, in your opinion, its an "awful browser"? Personally, I use IE9, Chrome and Firefox everyday and all three have their good and bad points. If everybody followed your advice and switched to another browser permanently, do you really think that would be the end of security problems? Any piece of complex software has security weaknesses, AND YES that holds whether the said software is open or closed source. If hackers have the resources and the motivation they will find zero day flaws whichever browser you opt for.

By rjp2000 on 18 Sep 2012

@rjp2000

Which car would you say is better, a Jaguar XKR-S or an Aston Martin Volante?

If you have an opinion on this, I shall assume you either own or have driven both in everyday use for a while.

By synaptic_fire on 18 Sep 2012

@curiousclive

Sorry but this is NOT an unfair attack on microsoft.
The other browsers WILL be immune to THIS attack as the flaw is down to programing flaws/errors within the internet explorer browser as the browsers are programed and tested/validated etc differently by different people

By elliot_1 on 18 Sep 2012

Misleading headline

The headline, and the tagline on the front page, imply that you should stop using IE altogether, if you haven't already. The experts are advising just temporarily switching away from IE until its patched in a few days time.

IE9 is a great browser, and my main browser at home (despite the big 3 all being installed). I see no difference between using one giant corporation's browser versus another. Both Chrome and IE are designed to enhance their company's respective products.

By roblightbody on 18 Sep 2012

I'm trying to understand the Microsoft Security Advisory (2757760):

"Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from successfully being exploited by applying in-box mitigations such as DEP to applications configured in EMET."

Admittedly I'm feeling a little jaded today, but if this is important wouldn't it be nice if they could stick to more easily understood terminology with hand-held instructions?

What are "in-box mitigations such as DEP"?

By revsorg on 18 Sep 2012

Yes, there's a flaw in MS IE & yes, clearly there can be noone else at fault for that than MS. However, you can be sure other browsers won't be 100% secure either. They may not suffer this particular exploit, but there is a very strong likelihood that there is something there somewhere. The hackers tend to focus on the browser that gives the best chance of success. Since IE is on all PC's, then it's hardly a surprise they focus on it. If everyone switched to Firefox, you can be sure the hackers would move their attention to that instead. Anyone thinking "I'm safe 'cos I don't use IE" is a fool. You may be safer, but you are not safe. It's just a matter of time...

By fish2000 on 18 Sep 2012

Yes, there's a flaw in MS IE & yes, clearly there can be noone else at fault for that than MS. However, you can be sure other browsers won't be 100% secure either. They may not suffer this particular exploit, but there is a very strong likelihood that there is something there somewhere. The hackers tend to focus on the browser that gives the best chance of success. Since IE is on all PC's, then it's hardly a surprise they focus on it. If everyone switched to Firefox, you can be sure the hackers would move their attention to that instead. Anyone thinking "I'm safe 'cos I don't use IE" is a fool. You may be safer, but you are not safe. It's just a matter of time...

By fish2000 on 18 Sep 2012

@synaptic_fire

Not necessarily but if I was to express an opinion on the Jag vs the Aston, I would do so from an informed view point perhaps based on test drives, reviews etc and would come up with cogent arguments as to why I thought one was better than others. I wouldn't say, I last drove an Aston in 1970 and it broke down therefore all Astons including the latest models are awful - Do you understand what I'm saying?

By rjp2000 on 18 Sep 2012

Yes, I understand. You're trying to sell me a clapped out 1970 Aston.

But seriously, my intent was to show that an opinion can be formed without actual hands on experience of a product. Something you clearly already understand. I'm sorry if you misinterpreted my comment as an attack of some form. That was not my intent.

PS.

How much do you want for the Aston?

By synaptic_fire on 18 Sep 2012

Hi revsorg,

In box mitigations are the included mitigations in Microsoft’s EMET.

For a detailed explanation of what DEP (Data Execution Prevention) is, please see the following links:

http://blogs.technet.com/b/srd/archive/2009/06/12/
understanding-dep-as-a-mitigation-technology-part-
1.aspx

http://blogs.technet.com/b/srd/archive/2009/06/12/
understanding-dep-as-a-mitigation-technology-part-
2.aspx

ASLR and other mitigations are discussed in the following links:

http://netsecurity.about.com/od/quicktips/qt/whati
saslr.htm

http://msdn.microsoft.com/en-us/library/bb430720.a
spx

A detailed explanation of all of the mitigations contained in EMET is provided at the following link:

http://www.infoworld.com/t/microsoft-windows/micro
soft-shuffles-windows-security-deck-emet-21-831

The explanation is pretty much word for word from the Microsoft EMET User Guide that is included after you install EMET.

Articles on the effectiveness of EMET can be found at the following links:

http://www.rationallyparanoid.com/articles/emet-te
sting.html

http://blogs.technet.com/b/security/archive/2012/0
8/08/microsoft-s-free-security-tools-enhanced-miti
gation-experience-toolkit.aspx

http://www.rationallyparanoid.com/articles/microso
ft-emet-3.html

I have used EMET since February 2011 beginning with EMET 2.0.0.3 and it only caused me minor issues which I resolved in a few minutes. I have used EMET 3.0 since it was released in May this year and it is very un-obtrusive. I have also tested EMET 3.5 Tech Preview in a VM and I like what I see so far.

I hope this information is of assistance to you.

By Jimbo762 on 18 Sep 2012

I agree with fish2000, this exploit could just as easily have been created for Firefox or Chrome. There is no guarantee that these browsers will not also experience a Zero day vulnerability before the end of the year or in the near future.

All we can do is to stick with the browser that we find works best for us, keep it up to date and follow sensible security practices.

However I don’t think that you can deny that Microsoft is trying its best to improve security as the following blog posts illustrate:

http://blogs.msdn.com/b/ie/archive/2012/03/12/enha
nced-memory-protections-in-ie10.aspx

http://blogs.msdn.com/b/ie/archive/2012/03/14/enha
nced-protected-mode.aspx

If Microsoft does release an out of band update, you should spare a thought for those people who create, test and document such an update. I looked around for an example of the kind of work they do and found the following PDF describes that work very well:

http://download.microsoft.com/download/B/D/B/BDB57
917-D70B-41C3-9948-C5C0C67875D4/MSRC%20Progress%20
Report%202012.pdf

rjp2000 and big_D also raise very valid points.
Thanks for mentioning them.

By Jimbo762 on 18 Sep 2012

@rjp2000 - manners will get you everywhere...

What a charming egregious comment, and posted twice - perhaps the submit button faults in your version of IE :) Actually I'm a professional who has contributed to the PC Pro forums and posts since the site existed. In my opinion IE isn't as good as Chrome, nor Firefox with all the security plug-ins such as NoScript, ABP and Flashblock - I cannot see how IE can compete for security here. I've seen problem after problem, security issue after issue for years with IE; I've seen huge IT depts slow in updating security patches with IE leaving gaping holes in corporate systems; I've seen poorly written websites crafted specifically for IE; the list is tedious and endless. For me I'd had enough long ago. I may well have used it approx 6 months ago to access my MS Pro subs/partner website as they almost insist on IE, but I cannot say I found it very good. MS may well be better back to a good browser (in some opinions), but many of us moved on long ago. Whilst all others are subject to issues and patches, I personally have found third party browsers to be more robust and more expandable. Choices and opinions, each to their own.

By isofa on 18 Sep 2012

Some people have no idea

I find it disturbing. IE has a flaw. Run! Run for the hills! OMG. Some of you really have no idea who the users of modern day computers are. Those reading this site are more than likely techies. You know the difference between IE and Chrome.

A regular home user has no idea the big blue E is a piece of software. They know it as "The Internet". Yes thats the end of the spectrum, but now lets look at those who use IE in business. Do you think they want to? They are forced to by cruddy, poorly written software such as Oracle and CRM. Software that was only ever written for IE and nothing else. Hell I use CRM and it doesn't support anything other than IE! Heck it only just supported IE10 after an update.

Yes everyone is entitled to their opinions, but for just one second why don't you all look at the reasons people stay with IE before you judge them.

If I had my way IE would be banned and Chrome would rule the world. But then i'd also like CRM and Oracle put in the bin as well.

By metalmonkey on 18 Sep 2012

@isofa - If you want people to be nice to you...

try posting well argued posts, instead of using teenageresque phrases like "IE is an awful browser" - after all this is PCPro not Youtube! From your 2nd post, you seem to be harking back to IE6, as I seriously doubt many companies have written software specific to IE7, 8 or 9. But things move on, IE9 is much better than IE6 and if everyone simply swapped over to using Chrome or Firefox then the hackers would follow and would quickly find security holes in those browsers as well.

By rjp2000 on 19 Sep 2012

@isofa - If you want people to be nice to you...

try posting well argued posts, instead of using teenageresque phrases like "IE is an awful browser" - after all this is PCPro not Youtube! From your 2nd post, you seem to be harking back to IE6, as I seriously doubt many companies have written software specific to IE7, 8 or 9. But things move on, IE9 is much better than IE6 and if everyone simply swapped over to using Chrome or Firefox then the hackers would follow and would quickly find security holes in those browsers as well.

By rjp2000 on 19 Sep 2012

And another thing...

If anybody reading this thinks that Chrome or Firefox are immune from security exploits because (as one poster claimed on another site) they're "open source" (and obviously sprinkled with magic stardust that keeps them eternally protected), visit secunia.com and check out the security advisories for both browsers. You will see that serious security holes allowing remote code execution have been found (and patched) in both browsers.

By rjp2000 on 19 Sep 2012

You sad people

Browser "fans" freak me out. Arguing about a free piece of software that simply displays websites. Sad.

By peterj6 on 20 Sep 2012

Keep an alternative handy

Even if you won't or can't permanently switch, you should install and learn to use an alternate browser for these situations.

Many things that officially work only with IE can be made to work with another browser if you spoof the user agent so it looks like you're using IE. There's even a Firefox extension to do it easily, User Agent Switcher.

And yes, other browsers get exploits, too, but they tend to get patched much sooner than those in IE.

By greenknight32 on 20 Sep 2012

++ rjp2000

Fully agree with you rjp2000. FOr a great deal of last year Firefox was left at severe risk according to secunia, with flaws reamining un-patched despite the highly cosmetic changes in version number.

I would argue the simple browser switch advice is clumsy as the game changes day to day. Far better to recommend a service like secunia which regularly informs and offers updates combined with current security software.

By Gindylow on 20 Sep 2012

Chrome? It's the perfect alternative to IE

IE is great but I still can't bring myself to use it. And even though Chrome is by far the fastest browser, it's also far too simplistic, and I only ever use that when FF (with its various indispensible addons) doesn't render a page properly. IE is always my third choice. (It'd be my fourth choice if there was a site I used frequently but that only rendered well in Opera and IE. I've not found one of those yet.)

And yet, the safest way to avoid problems like this is simply not to look at pr0n & wareZ sites with JS enabled.

By baldmosher on 20 Sep 2012

Forced to use IE

I don't normally use IE, but I do have it up to date.
Before I heard about this problem yesterday, I tried to download a security update for a driver that is not on the automatic updates.

It insisted on doing a genuine Validation check, or rather downloading the exec, which does not work.
Look it up online and there is a known problem with it and the only solution MS have come up with is: You must use IE to validate Windows and download security updates.
Are they that busy with sellable stuff that they cannot sort out gross errors in their own security code.

By Burn_IT on 20 Sep 2012

Problems with fix KB2744842

Installed the patch on 2003 R2 Server, and the explorer shell blows up with every login.
Also see reports that it cripples Java 6 apps.

By splett on 25 Sep 2012