
Zero-Day Flaws Found in Internet Explorer, Everyone Advised to Stop Using the Browser


Karamjit


HP’s ZDI has published four critical flaws in the browser

Internet Explorer will soon become the second option in Windows 10, but Microsoft is still struggling to keep it secure and patch all found vulnerabilities as fast as possible to make sure that users are perfectly secure.

But it turns out that this time the company hasn’t moved fast enough, as HP’s Zero-Day Initiative (ZDI) has just published four critical zero-day vulnerabilities (ZDI-15-359, 360, 361 and 362) it found in Internet Explorer after the 120-day policy was reached.

HP’s ZDI has a policy that stipulates that vendors who are informed about the found vulnerabilities are given 120 days to fix the flaws. If they fail to do so, the zero-days are posted online.

According to the information ZDI provided today, all vulnerabilities allow for remote code execution and attackers could get the same privileges as the logged-in users.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities,” ZDI says in an advisory.

“Refrain from using the browser”

What’s very important to know is that attackers need to convince you to click a malicious link, so unless you do that, you are perfectly secure. In some cases, however, they could turn to scripts and other tricks to make you click the link, which is why some security experts recommend that you stop using Internet Explorer for a while until Microsoft fixes this.

“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities as details are sparse. There is not much you can do at the moment, except refrain from using Internet Explorer,” Wolfgang Kandek, CTO of Qualys, said in a statement.

Internet Explorer is also available in Windows 10, which launches next week, so expect another out-of-band patch released by Microsoft in the coming days.

Source


nobody uses it now and has not used it since the days of the now defunct Netscape.... now there are way better options than that



nobody uses it now and has not used it since the days of the now defunct Netscape.... now there are way better options than that

This is true for most home users; we can use what we want, but in business some government sites only work right with IE, and there are some now that only work right in Chrome. I don't use IE but some have to. Google Chrome is full of 0 days as well; they pay millions of dollars a year in rewards out for researchers to find them. If you panic every time you read the news you may as well log off for good. :lol:



They should rename it as "Malware Explorer".

Rofl :lol:



nobody uses it now and has not used it since the days of the now defunct Netscape.... now there are way better options than that

I use Internet Explorer, and all the people using Windows XP have to use Internet Explorer for Windows Update, and there are many sites that use Internet Explorer; they offer it as a way to browse with compatibility. Like steventhirtysix said, Google Chrome is full of zero days too, and something tells me Firefox and Opera have many zero days too. Is there a browser that doesn't contain zero days? I don't think there is. Want to stop using Internet Explorer? Like steventhirtysix said, if you get freaked out when you hear about something like this, the internet and applications used to browse it are not for you. I posted a day or two ago about Windows and zero days, bitching about them. I said it because I was in an awful mood. Comparing the posts, I look like a hypocrite. I want to call myself out and correct myself; this post is where I stand.



dMog, on 23 Jul 2015 - 12:12, said:

nobody uses it now and has not used it since the days of the now defunct Netscape.... now there are way better options than that

Speak for yourself, I use Internet Explorer (11) and love it. As do many people I know.

According to NetApplications Internet Explorer has over 58% of the desktop browser market share, that's up from 52% in Q4 2011.

IE market share will begin to fall now that Microsoft Edge (IE12) is here.



thunderpants

Me thinks Microsoft is hoping people will hurry up and jump to Edge and win 10.



In the very distant past, was forced to depend upon Internet Explorer for approximately 1% of my intranet work, on the corporate network — after installing the Fire IE add-on for Firefox, have completely purged my systems of Internet Explorer, in recent times. :)



Now, Internet Explorer has ceased to be my secondary browser — after purging it, I no longer have any need for more than one browser (Firefox.) :showoff:



IE has never been my primary browser.

You must not have been on the internet very long then. When I 1st logged on there was no Firefox, and Chrome didn't come out till many years later. Opera, when I 1st tried it, was an ad version or shareware and it needed a serial to get rid of the ads. Firefox 1.0 was released on November 9, 2004; I'd been on the internet all the time for over 3 years by then. I didn't try Firefox till v1.5 and it became my main browser after v2. The 1st public release of Google Chrome was September 2, 2008, like 4 years after Firefox.

Me thinks Microsoft is hoping people will hurry up and jump to Edge and win 10.

It's already been said it runs slow and is not that great compared to other browsers. More like something Google put in the media to try to shatter IE's rep even more. :P

nobody uses it now and has not used it since the days of the now defunct Netscape.... now there are way better options than that

I use Internet Explorer, and all the people using Windows XP have to use Internet Explorer for Windows Update, and there are many sites that use Internet Explorer; they offer it as a way to browse with compatibility. Like steventhirtysix said, Google Chrome is full of zero days too, and something tells me Firefox and Opera have many zero days too. Is there a browser that doesn't contain zero days? I don't think there is. Want to stop using Internet Explorer? Like steventhirtysix said, if you get freaked out when you hear about something like this, the internet and applications used to browse it are not for you. I posted a day or two ago about Windows and zero days, bitching about them. I said it because I was in an awful mood. Comparing the posts, I look like a hypocrite. I want to call myself out and correct myself; this post is where I stand.

When you're forced to use IE you know it's time to update your O/S. And there's Pale Moon for XP so you don't have to use IE unless you want.



You must not have been on the internet very long then

when I 1st logged on there was no Firefox and Chrome.

Before Firefox and Chrome, there was Netscape Communicator

Before IE there was Netscape :lol:

Netscape's web browser was once dominant in terms of usage share, but lost most of that share to Internet Explorer during the so-called first browser war. The usage share of Netscape had fallen from over 90 percent in the mid-1990s to less than one percent by the end of 2006.

Netscape stock traded from 1995 until 1999 when it was acquired by AOL in a pooling-of-interests transaction ultimately worth US$10 billion. Shortly before its acquisition by AOL, Netscape released the source code for its browser and created the Mozilla Organization to coordinate future development of its product. The Mozilla Organization rewrote the entire browser's source code based on the Gecko rendering engine; all future Netscape releases were based on this rewritten code. The Gecko engine would later be used to power the Mozilla Foundation's Firefox browser.

Under AOL, Netscape's browser development continued until December 2007, when AOL announced that the company would stop supporting the Netscape browser as of early 2008. AOL has continued to use the Netscape brand in recent years to market a discount Internet service provider.

The company's first product was the web browser, called Mosaic Netscape 0.9, released on October 13, 1994. This browser was subsequently renamed Netscape Navigator.

Netscape advertised that "the web is for everyone" and stated one of its goals was to "level the playing field" among operating systems by providing a consistent web browsing experience across them. The Netscape web browser interface was identical on any computer. Netscape later experimented with prototypes of a web-based system which would enable users to access and edit their files anywhere across a network, no matter what computer or operating system they happened to be using. This did not escape the attention of Microsoft, which viewed the commoditization of operating systems as a direct threat to its bottom line, i.e. a move from Windows to another operating system would yield a similar browsing experience thus reducing barriers to change. It is alleged that several Microsoft executives visited the Netscape campus in June 1995 to propose dividing the market (an allegation denied by Microsoft and, if true, would have breached antitrust laws), which would have allowed Microsoft to produce web browser software for Windows while leaving all other operating systems to Netscape. Netscape refused the proposition.

Microsoft released version 1.0 of Internet Explorer as a part of the Windows 95 Plus Pack add-on. According to former Spyglass developer Eric Sink, Internet Explorer was based not on NCSA Mosaic as commonly believed, but on a version of Mosaic developed at Spyglass (which itself was based upon NCSA Mosaic). Microsoft quickly released several successive versions of Internet Explorer, bundling them with Windows, never charging for them, financing their development and marketing with revenues from other areas of the company. This period of time became known as the browser wars, in which Netscape Communicator and Internet Explorer added many new features and went through many version numbers (not always in a logical fashion) in attempts to outdo each other. But Internet Explorer had the upper hand, as the amount of manpower and capital dedicated to it eventually surpassed the resources available in Netscape's entire business. By version 3.0, IE was roughly a feature-for-feature equivalent of Netscape Communicator, and by version 4.0, it was generally considered to be more stable on Windows than on the Macintosh platform. Microsoft also targeted other Netscape products with free workalikes, such as the Internet Information Server (IIS), a web server which was bundled with Windows NT.

Netscape could not compete with this strategy. In fact, it didn't attempt to. Netscape Navigator was not free to the general public until January 1998, while Internet Explorer and IIS have always been free or came bundled with an operating system and/or other applications. Meanwhile, Netscape faced increasing criticism for the bugs in its products; critics claimed that the company suffered from 'featuritis' – putting a higher priority on adding new features than on making them work properly. This was particularly true with Netscape Navigator 2, which was only on the market for 5 months in early 1996 before being replaced by Netscape Navigator 3. The tide of public opinion, having once lauded Netscape as the David to Microsoft's Goliath, steadily turned negative, especially when Netscape experienced its first bad quarter at the end of 1997 and underwent a large round of lay-offs in January 1998. Later, former Netscape executives Mike Homer and Peter Currie described the period as "hectic and crazy" and that the company was undone by factors both internal and external.

https://en.wikipedia.org/wiki/Netscape


Before IE there was Netscape

When I started using the Internet in 1998, I was lucky enough to have

Netscape as my Primary browser and IE as my Secondary one. ;)



Before IE there was Netscape

When I started using the Internet in 1998, I was lucky enough to have

Netscape as my Primary browser and IE as my Secondary one. ;)

It was so full of bugs in 1998, you're some of the very few who used it still; it was shareware before that. IE pretty much has owned the market ever since. Back when on Windows Me, the 1st computer I owned only had IE in it. Chrome has been catching up. When you look at IE there are 4 different versions, 8, 9, 10 and 11, so you must add it all together to get the big picture.

https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0

Here is more about it

Microsoft Corporation Internet Explorer’s Market Share Below 55% As Google Chrome Charges Ahead

http://www.bidnessetc.com/46917-microsoft-corporation-internet-explorers-market-share-below-55-as-google-ch/


Back to the subject now though

Zero-Day Flaws Found in Internet Explorer, Everyone Advised to Stop Using the Browser


You may as well log off for good if this scares you. I find it absurd; this is why.

Just this month Google Patches 43 Bugs in Chrome 44

Two of the more serious vulnerabilities fixed in Chrome 44 are a pair of universal cross-site scripting bugs. One of the flaws is in blink, the Web layout engine in Chrome. The other one is in Chrome for Android. Universal XSS vulnerabilities allow attackers to exploit XSS bugs in browsers rather than on sites. Each of those vulnerabilities earned the researchers who reported them a $7,500 bug bounty from Google.
As part of that bounty program, Google paid out roughly $40,000 to external researchers who reported vulnerabilities to the company. Among the other vulnerabilities patched in this release are three heap buffer overflows in pdfium, the PDF rendering engine in Chrome. There also are a number of use-after-free bugs in various components patched in Chrome 44.

Here’s the list of vulnerabilities reported by external researchers:
[$3000][446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.

[$3000][459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.

[$TBD][461858] High CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi.

[$7500][462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte) of Baidu X-Team.

[$TBD][472614] High CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.

[$5500][483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.

[$5000][486947] High CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.

[$1000][487155] High CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.

[$TBD][487928] High CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.

[$TBD][492052] High CVE-2015-1283: Heap-buffer-overflow in expat. Credit to sidhpurwala.huzaifa.

[$2000][493243] High CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen of OUSPG.

[$7500][504011] High CVE-2015-1286: UXSS in blink. Credit to anonymous.

[$1337][419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.

[$1000][444573] Medium CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen of OUSPG.

[$500][451456] Medium CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva.

[479743] Medium CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.

[$500][482380] Medium CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.

[$1337][498982] Medium CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.

[$500][479162] Low CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to [email protected].

https://threatpost.com/google-patches-43-bugs-in-chrome/113892

And you want to talk about 0days in IE when every month Google pays out thousands of dollars to researchers to find them in theirs so they can try to fix them ... The more popular something is the more it's exploited in the wild. ;)



Update, July 24, 2015: Microsoft has revealed to us that the vulnerabilities reported by ZDI have already been fixed in bulletins MS14-037 on July 8, 2015 and MS15-018 on March 10, 2015, so you can safely use Internet Explorer if your computer is fully up-to-date.

Same article was updated a couple of days ago; with the news that those flaws have been plugged — I would still not welcome this PoS on any of my systems. :tehe:



Archived

This topic is now archived and is closed to further replies.
