Internet Explorer zero-day (opens in new tab)

(blog.malwarebytes.com)

135 pointssanlyx8y ago69 comments

69 comments

50 comments · 11 top-level

kodablah8y ago· 14 in thread

> despite efforts from Microsoft to move on to the more modern Edge.

Then allow me to use Edge as a Windows control a la MSHTML in a non-UWP app. It's like if Chrome were suddenly made close source and non-embeddable and then Google complaining about insecure Electron apps.

chrismorgan8y ago

Your analogy is imperfect; for MSHTML and EdgeHTML are first-party, while Electron is third-party; and it’s not just MSHTML that Microsoft are pushing people away from, but the entire Win32 API—Microsoft’s been saying, use WinRT instead, and you can have EdgeHTML there. Notably, Microsoft has been steadily stepping back from this vision in the last few years, and EdgeHTML is expected to be exposed to Win32 apps at some point (the impression I have is that it is expected sooner rather than later).

It’s a nuisance that it isn’t already there, but it is coming.

Note also that Chromium isn’t embeddable on its own; it’s only because it’s open source that anything has been able to embed it at all. It has no stable API, so CEF has to wrap it and shed some functionality to ensure it’ll keep working across more than just a few releases of Chromium, as changes are made therein. The Electron project basically builds itself inside Chromium instead, see https://electronjs.org/blog/electron-internals-building-chro....

But really, IE has enough things needing it that removing it outright isn’t an option yet, and won’t be for quite a few years. I can imagine in a few years’ time not installing IE by default, and making the MSHTML widget actually be EdgeHTML instead if IE’s not installed, but even that I expect would break quite a bit of software. And Microsoft cares a lot about not breaking compatibility. It’ll be interesting to see what they do about it.

(You may well know these points already, kodablah; I’m providing them as much for background for others reading as for you.)

kodablah8y ago

Sure the analogy is imperfect. I also don't have a perfect analogy for a browser vendor hobbling its newer product. But I'm just appealing to common sense wrt not addressing an extremely common use of something yet wanting that something to stop being used.

I personally don't think they should implement the MSHTML/COM APIs with Edge any more than I think they should implement ActiveX on Edge. The old tech can die its slow death, so long as there is a viable replacement.

Selfishly, I want this for https://github.com/zserge/webview to watch Electron adoption decrease or even an API-compat version using shared libs already on the system.

2 more replies

ngold8y ago

So are you pro or anti open source? It seems both have their challenges. But only one can be addressed by outsiders.

1 more reply

setquk8y ago

Literally announced 4 days ago.

https://blogs.windows.com/msedgedev/2018/05/09/modern-webvie...

kodablah8y ago

Looking for a dead simple cpp example if anyone knows of one.

bartread8y ago

Not to mention, Microsft, please fix the keyboard event latency in Edge[1]. It makes anything vaguely interactive, especially games, nigh on unusable, unless you particularly enjoy dying on a regular basis because the browser took 300ms to notice you'd pressed a key.

[1] Notably not a problem that affects Internet Explorer, nor (obviously) Firefox, Chrome or Safari.

setquk8y ago

They just did this. Latest release is actually usable as of the April 2018 windows 10 build (1803). Was quite surprised.

1 more reply

jnxx8y ago

Modern computers have about five times more latency as an Apple IIe:

https://danluu.com/input-lag/

pcf8y ago

As a Mac user – how on earth could MS have a keyboard latency for so long? Seems very unprofessional.

2 more replies

poizan428y ago

Here you go: https://docs.microsoft.com/en-us/windows/uwp/xaml-platform/x...

kodablah8y ago

I saw this as part of https://docs.microsoft.com/en-us/windows/uwp/cpp-and-winrt-a... (and the previous cppwinrt github project) but I haven't dug too deeply. I wonder if the restrictions are too limiting. Any bare-bones win32 example of using it in a simple cpp file? I plan on doing a poc myself soon.

1 more reply

userbinator8y ago

As a long-time IE (and Chromium, Firefox, and Opera --- I don't really have any particular "allegiance" with browsers --- I have two of those open at the moment with different sites) user, what really makes me refuse to use Edge the most is the dumbed-down UI. I'd be perfectly happy if they took its rendering engine and put it in the "normal" IE UI, and kept all the configurability too.

pjc508y ago

Edge has a number of deficiencies (font rendering, failure to take tabs seriously) that make it unsatisfactory.

hb3b8y ago

And allow it to be installed on Server for purposes of RDS.

jacksmith210068y ago· 7 in thread

Does anyone still use ie?

Zelphyr8y ago

Very much so. I've worked with major corporations that are still standardized on IE9. Meaning, every employee's computer has IE9 on it. IE6 is still used by a lot of companies simply because they have too much ActiveX code they don't want to migrate.

fencepost8y ago

I know of hospitals that a few years back were requiring IE 6 for their physician portal - long after that version was EOL. I think some are still using those older versions, but now they're doing it the safe way - running it as a remote application connected to via Citrix and hosted on a dedicated system.

It's still jarring to see an old IE version icon on a task bar though.

sbov8y ago

In 2016, we shutdown one of our websites where around 11% of our userbase was still on IE6.

jordache8y ago

are you sure it wasn't scrapers? Or test clients masquerading ? real humans using IE6?

1 more reply

Yuioup8y ago

Unfortunately, yes.

robocat8y ago

Corporate web app in NZ:

0.5% IE9

0.25% IE10

39% IE11

4% Edge

blueline8y ago

yes

Froyoh8y ago· 6 in thread

Obligatory "who still uses IE?"

astura8y ago

Doesnt matter, this exploit was actually being deployed through a word document, which bypassed the need to actually use IE to be vulnerable.

chrismorgan8y ago

Enough people, especially in businesses, that removing it would be catastrophic for Microsoft.

meuk8y ago

I know several companies who developed internal applications using Silverlight. They still have to use Internet Explorer.

Sylos8y ago

The least number of them use it voluntarily. It's usually in bigger corporations where it's set as default browser and even if you have an option of installing a different browser, there's no way of getting into the intranet with that.

fencepost8y ago

Anyone who still hasn't migrated off Windows 7 or (for whatever reason) 8.1.

rasz8y ago

answer is right there in the article: Operating System

kerng8y ago· 5 in thread

>> Microsoft has released a patch for this vulnerability...

Still, would be good to see IE go away.

falcolas8y ago

Why? To reinforce the browser monoculture that is getting worse and worse? Competition is good, even if some of the options aren't perfect.

kerng8y ago

Microsoft has Edge, no need for IE besides backward compatibility for ActiveX and VBScript and such things that some enterprises might still depend on. It's actually amazing how long Microsoft supports things compared to others in the industry.

LocalPCGuy8y ago

I make that argument myself fairly often, but IE should go away. Microsoft would prefer users use Edge, and are not updating IE except for security patches. So while I will join you in railing against people who say everyone should adopt [browser of choice here], I don't have a problem saying Microsoft IE needs to go away.

butz8y ago

Well, there's Edge, that has decent standards support and timely updates. As for Internet Explorer - it's time for it to retire.

SimeVidas8y ago

It is going away … slowly :-)

Someone12348y ago· 2 in thread

The irony is that Microsoft never supported NPAPI in Edge to improve security, and left NPAPI in IE11 indefinitely so any business (which is millions) stuck on NPAPI are left using IE11 for many years to come (Java Applets, Flash, ActiveX, etc).

It is one of those decisions taken with the best possible motives, but that will have massive unintended consequences and keep IE11 on life-support well into the 2020s.

yuhong8y ago

It is not NPAPI. It has not been supported since IE 5.5 SP2.

UnoriginalGuy8y ago

They never said it was, they said that's why IE11 remains popular.

sus_0078y ago· 2 in thread

One can also simply disable IE by going through Windows' Turn On/Off Windows Features menu. I wonder why do they not do it by default if they want their users to use Edge ahead of any alternatives.

sanlyxOP8y ago

Because third-party software, specially old third party software, still uses mshtml and disabling Internet Explorer also gets rid of mshtml IIRC

copperx8y ago

For most "why does Windows xxx?", the answer is Enterprise. I bet there are many IE-only Intranet websites in the Enterprise world.

baxtr8y ago· 1 in thread

I don’t think the current title “internet explorer 0-day discovered” is correct.

An new way to exploit the zero-day was discovered. But not bug itself.

In late April, two security companies (Qihoo360 and Kaspersky) independently discovered a zero-day for Internet Explorer (CVE-2018-8174), which was used in targeted attacks for espionage purposes. This marks two years since a zero-day has been found (CVE-2016-0189 being the latest one) in the browser that won’t die, despite efforts from Microsoft to move on to the more modern Edge.

jwilk8y ago

As I understand it, it was a 0-day exploit when it was discovered in "late April". (That is, it was exploing a then-unknown bug.)

TelAvivHacker8y ago· 1 in thread

Isn’t this an old browser? What about Edge?

mtgx8y ago

Many of the worst Edge bugs are actually due to some backwards compatibility with IE.

Zelphyr8y ago· 1 in thread

After over twenty years of the abomination that is browsers produced by Microsoft, I'm ready to beg them to stop making a browser. EVERY. SINGLE. TIME. they release a new version or new name of their browser, they say, "But this time its going to blow the other guys out of the water in terms of speed, security, and standards compliance!" And EVERY. SINGLE. TIME. they drop the ball in significant ways.

JeremyBanks8y ago

Edge is one of the best browsers, as promised, and this didn’t happen in Edge.

Jerry28y ago

A much better analysis and the source of the article is here: https://securelist.com/root-cause-analysis-of-cve-2018-8174/...

gcb08y ago

any way sites that host user generated content can mitigate this?

j / k navigate · click thread line to collapse

69 comments

50 comments · 11 top-level

kodablah8y ago· 14 in thread

> despite efforts from Microsoft to move on to the more modern Edge.

chrismorgan8y ago

It’s a nuisance that it isn’t already there, but it is coming.

(You may well know these points already, kodablah; I’m providing them as much for background for others reading as for you.)

kodablah8y ago

Selfishly, I want this for https://github.com/zserge/webview to watch Electron adoption decrease or even an API-compat version using shared libs already on the system.

2 more replies

ngold8y ago

So are you pro or anti open source? It seems both have their challenges. But only one can be addressed by outsiders.

1 more reply

setquk8y ago

Literally announced 4 days ago.

https://blogs.windows.com/msedgedev/2018/05/09/modern-webvie...

kodablah8y ago

Looking for a dead simple cpp example if anyone knows of one.

bartread8y ago

[1] Notably not a problem that affects Internet Explorer, nor (obviously) Firefox, Chrome or Safari.

setquk8y ago

They just did this. Latest release is actually usable as of the April 2018 windows 10 build (1803). Was quite surprised.

1 more reply

jnxx8y ago

Modern computers have about five times more latency as an Apple IIe:

https://danluu.com/input-lag/

pcf8y ago

As a Mac user – how on earth could MS have a keyboard latency for so long? Seems very unprofessional.

2 more replies

poizan428y ago

Here you go: https://docs.microsoft.com/en-us/windows/uwp/xaml-platform/x...

kodablah8y ago

1 more reply

userbinator8y ago

pjc508y ago

Edge has a number of deficiencies (font rendering, failure to take tabs seriously) that make it unsatisfactory.

hb3b8y ago

And allow it to be installed on Server for purposes of RDS.

jacksmith210068y ago· 7 in thread

Does anyone still use ie?

Zelphyr8y ago

fencepost8y ago

It's still jarring to see an old IE version icon on a task bar though.

sbov8y ago

In 2016, we shutdown one of our websites where around 11% of our userbase was still on IE6.

jordache8y ago

are you sure it wasn't scrapers? Or test clients masquerading ? real humans using IE6?

1 more reply

Yuioup8y ago

Unfortunately, yes.

robocat8y ago

Corporate web app in NZ:

0.5% IE9

0.25% IE10

39% IE11

4% Edge

blueline8y ago

yes

Froyoh8y ago· 6 in thread

Obligatory "who still uses IE?"

astura8y ago

Doesnt matter, this exploit was actually being deployed through a word document, which bypassed the need to actually use IE to be vulnerable.

chrismorgan8y ago

Enough people, especially in businesses, that removing it would be catastrophic for Microsoft.

meuk8y ago

I know several companies who developed internal applications using Silverlight. They still have to use Internet Explorer.

Sylos8y ago

fencepost8y ago

Anyone who still hasn't migrated off Windows 7 or (for whatever reason) 8.1.

rasz8y ago

answer is right there in the article: Operating System

kerng8y ago· 5 in thread

>> Microsoft has released a patch for this vulnerability...

Still, would be good to see IE go away.

falcolas8y ago

Why? To reinforce the browser monoculture that is getting worse and worse? Competition is good, even if some of the options aren't perfect.

kerng8y ago

LocalPCGuy8y ago

butz8y ago

Well, there's Edge, that has decent standards support and timely updates. As for Internet Explorer - it's time for it to retire.

SimeVidas8y ago

It is going away … slowly :-)

Someone12348y ago· 2 in thread

It is one of those decisions taken with the best possible motives, but that will have massive unintended consequences and keep IE11 on life-support well into the 2020s.

yuhong8y ago

It is not NPAPI. It has not been supported since IE 5.5 SP2.

UnoriginalGuy8y ago

They never said it was, they said that's why IE11 remains popular.

sus_0078y ago· 2 in thread

One can also simply disable IE by going through Windows' Turn On/Off Windows Features menu. I wonder why do they not do it by default if they want their users to use Edge ahead of any alternatives.

sanlyxOP8y ago

Because third-party software, specially old third party software, still uses mshtml and disabling Internet Explorer also gets rid of mshtml IIRC

copperx8y ago

For most "why does Windows xxx?", the answer is Enterprise. I bet there are many IE-only Intranet websites in the Enterprise world.

baxtr8y ago· 1 in thread

I don’t think the current title “internet explorer 0-day discovered” is correct.

An new way to exploit the zero-day was discovered. But not bug itself.

jwilk8y ago

As I understand it, it was a 0-day exploit when it was discovered in "late April". (That is, it was exploing a then-unknown bug.)

TelAvivHacker8y ago· 1 in thread

Isn’t this an old browser? What about Edge?

mtgx8y ago

Many of the worst Edge bugs are actually due to some backwards compatibility with IE.

Zelphyr8y ago· 1 in thread

JeremyBanks8y ago

Edge is one of the best browsers, as promised, and this didn’t happen in Edge.

Jerry28y ago

A much better analysis and the source of the article is here: https://securelist.com/root-cause-analysis-of-cve-2018-8174/...

gcb08y ago

any way sites that host user generated content can mitigate this?

j / k navigate · click thread line to collapse