SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8. ... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"
Navigate with confidence through the cloud. Sign up for the SlashCloud Update newsletter now.
First time accepted submitter carlypage3 writes "Benefits claimants in the UK are being forced to use Microsoft's now obsolete Windows XP and Internet Explorer 6 software. The Department of Work and Pensions (DWP) states that its online forms are not compatible with Internet Explorer 7, 8, 9 and 10, Safari, Google Chrome or Firefox. As if that wasn't unnerving enough, the Gov.UK website says that users cannot submit claims using Mac OS X or Linux operating systems, either." (Note: as we noted not long ago, it's not just the DWP that's stuck using IE6.)
mikejuk writes "The biggest problem with IE10 as far as modern web apps go is its lack of WebGL support. Now we have strong evidence that IE11 will support WebGL. A leaked build of Windows 'Blue,' aka Windows 8.1, also contained an early version of IE11. Web developer François Remy decided to see what it was hiding and found that there were WebGL APIs, but they were non-functional. Rafael Rivera, who writes the Within Windows blog, dug a little deeper and discovered the registry keys that have to be changed to enable WebGL support. Apparently the API works so well that you can take existing WebGL programs (with OpenGL shaders) and just run them. As the implementation also supports DirectX HLSL shaders, it seems reasonable to guess that the implementation maps OpenGL to DirectX, thus avoiding Microsoft having to endorse OpenGL use."
Billly Gates writes "With the new leaked videos and screenshots of Windows Blue released, IE 11 is also included. IE 10 just came out weeks ago for Windows 7 users and Microsoft is more determined than ever to prevent IE from becoming irrelevant as Firefox and Chrome scream past it by also including a faster release schedule. A few beta testers reported that IE 11 changed its user agent string from MSIE to IE with the 'like gecko' command included. Microsoft may be doing this to stop web developers stop feeding broken IE 6-8 code and refusing to serve HTML 5/CSS 3 whenever it detects MSIE in its user agent string. Unfortunately this will break many business apps that are tied to ancient and specific version of IE. Will this cause more hours of work for web developers? Or does IE10+ really act like Chrome or Firefox and this will finally end the hell of custom CSS tricks?"
Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken" (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."
An anonymous reader writes "Internet Explorer 10 for Windows 7 is out. Windows 8 may suck but now you can at least enjoy (most of) that version's Internet Explorer. IE10 for Win7, originally not planned, has seen the light of day after all — four months after it debuted in Windows 8. It is available via Windows Update as an optional update; however, if you've already installed a pre-release version, it will be updated automatically as an 'important' update. IE10 on Win7 requires a platform update to bring some Windows 8 APIs to the more mature Windows, and it will not feature embedded Adobe Flash as the Windows 8 version does (use the plug-in version from Adobe, as usual, instead)."
An anonymous reader writes "It's not everyday that we get to hear about the potential downsides of using WebKit, but that's just what has happened as Dave Methvin, president of the jQuery foundation and a member of the core programming team that builds the widely used Web programming tool, lamented in a blog post yesterday. While most are happy to cheer for IE's demise, perhaps having three main browser engines is still a good thing. For those that work in the space, does the story ring true? Are we perhaps swearing at the wrong browser when implementing 'workarounds' for Firefox or IE?"
Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word if this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has a IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates."
DeviceGuru writes "Although IE remains the one of the top browsers on desktops, it's being trounced on tablets and smartphones by browsers based on WebKit, including Safari, the Android Browser, and Google Chrome. Faced with this uphill battle on handheld mobile devices, Microsoft MVP Bill Reiss has suggested that it might be time for Microsoft to throw in the towel on Trident and switch to WebKit (though Reiss later decided he was wrong). But although there are lots of points in favor of doing so, there are also some good reasons not to, including security and a need for healthy competition to avoid having mobile developers begin to target WebKit rather than standards."
An anonymous reader writes "Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday. For those who didn't see the news on the weekend, criminals started using a new IE security hole to attack Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are."
An anonymous reader writes "Criminals are using a new Internet Explorer security hole to attack Windows computers in targeted attacks, though the vulnerability could end up being more widely exploited. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are. It's great to see that the latest versions of IE are immune, but this new vulnerability is still bad news for Windows XP users and earlier since they cannot upgrade to more recent versions of Microsoft's browser. 'We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,' Dustin Childs of Microsoft Trustworthy Computing told TNW. 'We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted.'"
Billly Gates writes "In a bizarre, yet funny and ironic move, Microsoft warned web developers that using WebKit stagnates open standards and innovation on the Web. According to the call to action in its Windows Phone Developer Blog, Microsoft is especially concerned about the mobile market, where many mobile sites only work with Android or iOS with WebKit-specific extensions. Their examples include W3C code such as radius-border, which is being written as -WebKit-radius-border instead on websites. In the mobile market WebKit has a 90% marketshare, while website masters feel it is not worth the development effort to test against browsers such as IE. Microsoft's solution to the problem of course is to use IE 10 for standard compliance and not use the proprietary (yet open source) WebKit."
Billly Gates writes "IE 10 just hit the final preview yesterday for Windows 7. Windows XP and Windows Vista support has been dropped. Most slashdotters have a complex relationship with Internet Explorer. Many of us hate it but have to use it in the office. Microsoft had tried last year to make IE good again with the release of IE 9 which had some fanfare on slashdot, such as hardware acceleration and better standards compliance. MS even launched a full campaign to get us to switch. IE 10 is supposed to continue the new process and promises to be much faster and support more HTML 5, CSS 3, W3C HTML 5.1 and CSS 3.1 with a score of 320 on HTML5test. As a comparison, last years IE 9 only scored 138. "
An anonymous reader writes "Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft's latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together."
dsinc writes "And so it begins... Yahoo has made it official: it won't honor the Do Not Track request issued by Internet Explorer 10. Their justification? '[T]he DNT signal from IE10 doesn't express user intent" and "DNT can be easily abused.'" Wonder what percentage of users would rather be tracked by default.
judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."
colinneagle sends this excerpt from Network World: "Google announced last Friday that, in accordance to its policy of supporting a current browser and the immediate predecessor, its Google Apps productivity suite would drop support for Internet Explorer 8 once Windows 8 ships. Neither IE9 nor IE10 are available on XP. Adobe announced on the Photoshop Blog that the next version of Photoshop CS would support only Windows 7 and 8. The current version, CS6, is available for XP but, amusingly, not for Vista, which was its successor. This is a much-needed boost for Microsoft, which anxiously wants to put XP out to pasture after 11 years. Despite efforts to get rid of the old OS, XP still holds 43% of the market, according to the latest monthly data from Net Applications. Among Steam customers, Windows 7 has 70% market share, covering both 32-bit and 64-bit, while XP has 12%. That confirms what has been known for some time: consumers are adopting Windows 7 at a much faster rate than businesses. I know there is a whole economic argument to be had, and these numbers are not precise or scientific, but if XP really can be found in only 12% of households but 43% of businesses (or something close to that), then it really is time for the enterprise to stop dragging its tail."
Orome1 writes "Microsoft has issued a security advisory with advice on how to patch a Internet Explorer zero-day vulnerability recently spotted being exploited in the wild by attackers that might be the same ones that are behind the Nitro attacks. News that there is a previously unknown Internet Explorer vulnerability that is actively being misused in the wild by attackers that are believed to be the same ones that are behind the Nitro attacks has reverberated all over the Internet yesterday."
wiredmikey writes "A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named 'exploit.html' is the entry point of the attack ... According to analysis by VUPEN, the exploit takes advantage of a 'use-after-free vulnerability' that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems."
An anonymous reader writes "Google today [Friday] announced it is discontinuing support for Internet Explorer 8 in Google Apps, including its Business, Education, and Government editions. The kill date is November 15, 2012. After that, IE8 users accessing Google Apps will see a message recommending that they upgrade their browser."