Microsoft has announced that all current versions of Internet Explorer are at risk of being hacked due to a flaw in the programme.
The web browser, used by 900 million people across the globe, requires a software patch to defend against attack while Microsoft prepares a longer-term fix, a massive security slip-up by the firm.
A security advisory announcement was made on Friday highlighting scripting vulnerabilities affecting all versions of Windows.
It is not, however, thought that there have been any breaches of security so far: “The main impact of the vulnerability is unintended information disclosure,” said Angela Gunn, a Microsoft representative.
“We're aware of published information and proof-of-concept code that attempts to exploit this vulnerability, but we haven't seen any indications of active exploitation.”
The fault lies in the MHTML protocol handler, which is used by applications to render certain kinds of document.
According to the statement an attacker could, for example, construct an HTML link designed to trigger a malicious script and then persuade the targeted user to click on it.
Once this happens the script would then be able to run on the machine for the rest of that IE browser session, potentially collecting information from emails, sending the user to fake sites and generally interfering with the browser usage.
“The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists. We are providing a Microsoft Fix-it package to further automate installation,” Gunn said.
“We're also in communication with other service providers to explain how the issue might affect third-party Web sites and to collaborate on developing a variety of further solutions that address the varied needs of all parts of the Internet ecosystem - large sites, small sites, and all those who visit them.”
People are advised to return to the Microsoft Security Response Centre to check for any update on the situation. The fix can be found here.
For quite some time, the claim was that we cannot remove IE from the desktop, because Outlook used IE libraries for HTML and MHTML parsing.
Has anyone tested Outlook to see if the same flaw can be triggered by an MHTML file (.mht)?
Among the huge number of people who use IE, which is users' favourite web browser, there are no known cases of anybody being affected or even of anybody being able to use the exploit. We also don't know how severe the results of an attack would be. Let's face it, you don't need a browser exploit to make a user click on a malicious link, there are infinitely easier ways, and indeed it happens every day for instance in phishing scams.
The number of users affected makes an impressive headline, but it's arguably sensationalist. The fact is, IE does have a huge number of users.
Security issues are common in major software products, especially web browsers, like these examples I happen to have handy affecting Firefox and Chrome:
http://www.zdnet.com/blog/security/google-plugs-high-risk-chrome-security-holes/6952?tag=nl.e550
http://www.timacheson.com/Blog/2009/aug/critical_security_bugs_in_firefox
We're lucky that we're quick to learn about any issue like this with IE, which is one advantage of using IE, and MS are on the case and will fix it soon.
KEY STATISTIC
0 users affected.
Perhaps they have short memories and forget previous issues affecting other browsers, such as Firefox and Chrome. Perhaps they simply wish to uphold double-standards.
Perhaps they were not aware of the issues affecting the other browsers, which is a reminder about one of the advantages of using IE (IE users hear quickly about any issues, and it's hard to miss all the coverage).
So what you're basically saying is that IE is the better browser for having so many faults, exploits and bugs that the infrastructure to apply fixes for said faults, exploits and bugs is *really well developed! :D*?
You don't have to *hate MS* to know what a bad browser Internet Explorer is. Trident is a failure of an engine; aside from major security holes, it has repeatedly failed to render web documents to spec for over 10 years.
You can ~feel~ safe with your Microsoft branded browser, but that doesn't mean it's a reality.
Williham, are you suggesting that IE is the only software that requires security patches?
If not, are you saying that IE has many more security patches than any other software (including web browsers)? If so, please quantify your comparisons.
It sounds like your knowledge of security patches is limited to IE, which would add weight to the very point you're trying to challenge. I look forward to your replies.
Other web browsers do require security patches from time to time. Evidently, users like Williham only hear about the patches to IE. Users have problems with other browsers but are not aware of them. Williham, if you were using IE, you would not be so in the dark about security issues affecting your web browser. That’s what I am saying, and you seem to have proved my point.
Tyler, people in the anti-IE camp always wheel out these old popular misconceptions, reinforcing the myth.
IE9 is currently the best web browser for HTML5, as confirmed by the W3C:
http://tech.slashdot.org/story/10/11/02/1851255/W3C-Says-IE9-Is-Currently-the-Most-HTML5-Compatible-Browser
http://www.zdnet.com/blog/hardware/w3c-and-the-winner-of-the-html5-conformance-test-is-ie9/10213
Of course, no browser is 100% compliant with HTML5, and furthermore version 5 of the HTML specification is still a draft document and subject to change.
Facebook just launched a new web app performance test framework, confirming that IE9 is the fastest browser by far:
http://www.timacheson.com/Blog/2011/feb/ie9_the_fastest_web_browser
Before that, IE8 was the most secure web browser:
http://www.timacheson.com/Blog/2009/aug/ie8_is_the_most_secure_web_browser
People love to criticise IE6, but it's a victim of its own success. IE6 is a decade old, and yet it is still widely used. But at the time it was actually ahead of other browsers, for instance in compliance with key W3C guidelines -- particularly CSS.
"an HTML link designed to trigger a malicious script and then persuade the targeted user to click on it.
Once this happens the script would then be able to run on the machine for the rest of that IE browser session, potentially collecting information from emails, sending the user to fake sites and generally interfering with the browser usage."
Looking for some more discussion!!!