Microsoft has reacted quickly to a recently emerged zero-day exploit that affects IE 6, 7, 8, and 9. The patch will be made available to IE users on Friday and users are advised to update their IE right away.
Released as a MSI package, the patch is described as a workaround that leverages the Windows application compatibility toolkit to make a small change to MSHTML.DLL in memory every time the DLL is loaded by Internet Explorer. Microsoft previously recommended IE users to take this step manually, while the patch automates the task. Microsoft provides an installation guide for the workaround as well as information to uninstall the patch again.
Microsoft stressed that the workaround is only effective if all recent security updates for IE have been installed as well.
The company confirmed existing attacks that exploit the vulnerability. However, Microsoft said that "only 32-bit versions of Internet Explorer" are targeted and attacks "rely on third-party browser plugins to either perform efficient heap-spray in memory and/or to bypass the built-in mitigations of Windows Vista and 7 such as DEP and ASLR." However, users can further reduce the risk of a successful attack by updating their Java version from Java 6 to 7.
MS had to make it like their NSA co-authored OS, aka Swiss Cheese. But all those built in back doors for the FEDS come at price. Want security use Linux
On the positive side, Javascript <> Java. The javascript engine from Firefox and Chrome is far more secure than Oracle's JRE. Worst thing, almost everytime Oracle patches a bug, it introduces a vulnerability, and viceversa. There was a small bug in windows JRE6 than if you were running a java application and then shutdown windows, the application hanged and you had to force close it. They never fixed it, simply saying tham to solve it, upgrade to JRE7. Piece of *** software.
Micro$oft was made aware of a problem and came up with a patch. What else should they have done ?
It's not as if Firefox, Opera or Chrome are perfect; as a web developer I -have to- use all 4.
What buggers me far more that I can have a relatively simple page layout with a few tables and basic CSS and it still looks different on all 4 browsers. Try to explain that to a client !
Done several websites and its more demanding to know what functions work in what browsers than know how to do the html/css/php/sql ect. Its absurd really!
the blame rests squarely on adobe and sun micro for piss poor programming.
were i microsoft, i wouldn't take the blame for flash and java software i'd issue patches that disabled their programming until such a time as they passed quality testing or fixed their own exploits. i would further include a pop up in IE that kicked in every time warning users their shoddy flash or java software could be exploited by any hacker or script kiddy do you want to allow this action.
On the positive side, Javascript Java. The javascript engine from Firefox and Chrome is far more secure than Oracle's JRE.
Javascript and Java are not the same thing. Javascript is a scripting langauge used to add logic to web pages while Java is a compiled langauge that requires a plugin runtime environment similar to flash.
I call it Internet Exploder.