steven36 Posted January 19, 2020

Microsoft has confirmed a security flaw affecting Internet Explorer is currently being used by hackers, but that it has no immediate plans to fix.

In a late-evening tweet, US-CERT, the division of Homeland Security tasked with reporting on major security flaws, tweeted a link to a security advisory detailing the bug, describing it as “being exploited in the wild.”

Microsoft said all supported versions of Windows are affected by the flaw, including Windows 7, which after this week no longer receives security updates.

The vulnerability was found in how Internet Explorer handles memory. An attacker could use the flaw to remotely run malicious code on an affected computer, such as tricking a user into opening a malicious website from a search query or a link sent by email.

It’s believed to be a similar vulnerability as one disclosed by Mozilla, the maker of the Firefox browser, earlier this week. Both Microsoft and Mozilla credited Qihoo 360, a China-based security research team, with finding flaws under active attack. Earlier in the week, Qihoo 360 reportedly deleted a tweet referencing a similar flaw in Internet Explorer. Neither Qihoo, Microsoft, nor Mozilla said how attackers were exploiting the bug, who the attackers were, or who was being targeted. The U.S. government’s cybersecurity advisory unit also issued a warning about current exploitation.

Microsoft told TechCrunch that it was “aware of limited targeted attacks” and was “working on a fix,” but that it was unlikely to release a patch until its next round of monthly security fixes — scheduled for February 11.

Microsoft assigned the bug with a common vulnerability identifier, CVE-2020-0674, but specific details of the bug have yet to be released. When reached, a Microsoft spokesperson did not comment.

Source

mp68terr Posted January 19, 2020

Quote
Microsoft told TechCrunch that it was “aware of limited targeted attacks” and was “working on a fix,” but that it was unlikely to release a patch until its next round of monthly security fixes — scheduled for February 11.

As said in the link (https://www.us-cert.gov/ncas/current-activity/2020/01/17/microsoft-releases-security-advisory-internet-explorer):

Quote
Consider using Microsoft Edge or an alternate browser until patches are made available.

steven36 Posted January 19, 2020 Author

1 hour ago, mp68terr said:
Consider using Microsoft Edge or an alternate browser until patches are made available.

The problem with this is some people use old IE-dependent programs on Windows and may not even know they're using IE. I've not used IE itself since 2007, but I have used Mipony, getflv and other programs that used it since then. That's why it's always good cybersecurity hygiene to keep it updated. It's not just a browser, it's also a dependency for some programs on Windows. IE is integrated deeper into Windows than you think. The other issue is a lot of old websites still use ActiveX controls that only work in IE. If you use one of these sites for your work, you have no choice but to use IE.

Quote
A lot of old websites still use ActiveX controls that only work in IE. The latest Microsoft Edge browser does not support ActiveX. That’s why Windows 10 comes with both Edge and IE 11, for legacy support. Often there are plug-ins that are only supported in Explorer. Pretty much all the court and government websites use plug-ins that only work with Explorer.

That's why Homeland Security issued a warning, because so many Government websites still use it. To the average joe using Chrome at home it would never matter unless they have software that uses it. IE haunts; these are problems caused from the 90s and Microsoft bundling in IE and creating illegal web standards, but it was only deemed illegal in the EU. USA Government websites still use ActiveX even.

Quote
Many, many years ago, Microsoft developed IE6 and the software backend to support it - adding 'features' that bypassed security for convenience. Their IDE was essentially drag and drop, the code was fat, slow, and awful, but it didn't require much thought to use, and development was quick and simple. Their .asp platform was just horrible, from a security standpoint, and ActiveX was even worse. Governments, hospitals, and businesses, all assisted with the spread of insecure, proprietary, garbage code, because it was fast and easy to do so. Governments, hospitals, and businesses, all are slow to change. Getting rid of that backend costs a fortune, and why should they spend it? From their perspective, there is no problem, most of their customers are running an OS that supports their needs, it isn't like the CEO cares if an end user has to use IE11 in compatibility mode to view his site - you'll do it because he's led you to believe that it's worth it.

Also, another thing is Microsoft's slack patching. If an app comes with your device, they should provide updates in a timely manner instead of trying to hide the problem. They should have stuck to doing small incremental updates 5 days a week and patching problems as they arise, like the updates we get on Linux. It was also a problem in Firefox and it's already been patched on all OS.

Guest Posted January 19, 2020

It's 2020, by now organizations should have already phased out any ActiveX dependency in favour of new features offered by modern browsers. Who would still use IE even knowing the fact that ActiveX has worse security issues than other browsers?

steven36 Posted January 19, 2020 Author

56 minutes ago, Edward Raja said:
It's 2020, by now organizations should have already phased out any ActiveX dependency in favour of new features offered by modern browsers. Who would still use IE even knowing the fact that ActiveX has worse security issues than other browsers?

Cost of building a new website is why. The taxpayers are the ones that have to pay for new Government websites, and it has to be voted on and passed, and nobody wants to pay more taxes, so it never passes. These sites don't run off ads, paywalls or donations; they run off tax money. They don't care about your safety. It's like when IE 11 came out, many organizations put a block on IE so IE would not update to IE 11 on Windows 7. They bypassed security for convenience. The IE 11 browser still gets security updates. Same reason they have it where you can block EDGE HTML from being upgraded to new Edge; it's called Legacy support. If IE was not needed in Windows for some organizations it would not ship in Windows, because Microsoft really doesn't want you to still use it!

Quote
, it's a 'compatibility solution' for enterprise customers to deal with legacy sites that should be updated for modern browsers.
source: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/The-perils-of-using-Internet-Explorer-as-your-default-browser/ba-p/331732

The way IE is used at work, they only use it to access these certain websites. Chrome is used for everything else. It's not used as a default browser. Only a moron home user would use it for a default browser. It's like XP was: Microsoft made a monster that will take time and money to ever shake, all in the name of keeping people locked in to their browser. No one is to blame but Microsoft, because they're the ones who set the standards when them sites were built. This is how slow the government is: they're still upgrading computers to launch nuclear bombs that are from the 60s and the 70s to Windows 10.

Archived
This topic is now archived and is closed to further replies.