
Internet Explorer zero-day - sanlyx
https://blog.malwarebytes.com/threat-analysis/2018/05/internet-explorer-zero-day-browser-attack/
======
kodablah
> despite efforts from Microsoft to move on to the more modern Edge.

Then allow me to use Edge as a Windows control a la MSHTML in a non-UWP app.
It's like if Chrome were suddenly made close source and non-embeddable and
then Google complaining about insecure Electron apps.

~~~
bartread
Not to mention, Microsft, _please_ fix the keyboard event latency in Edge[1].
It makes anything vaguely interactive, especially games, nigh on unusable,
unless you particularly enjoy dying on a regular basis because the browser
took 300ms to notice you'd pressed a key.

 _[1] Notably not a problem that affects Internet Explorer, nor (obviously)
Firefox, Chrome or Safari._

~~~
pcf
As a Mac user – how on earth could MS have a keyboard latency for so long?
Seems very unprofessional.

~~~
zeusk
> As a Mac user – how on earth could MS have a keyboard latency for so long?
> Seems very unprofessional.

A) It doesn't matter you're a "mac user".

B) It's a technical fault, not "unprofessional"

------
baxtr
I don’t think the current title “internet explorer 0-day discovered” is
correct.

An new way to exploit the zero-day was discovered. But not bug itself.

 _In late April, two security companies (Qihoo360 and Kaspersky) independently
discovered a zero-day for Internet Explorer (CVE-2018-8174), which was used in
targeted attacks for espionage purposes. This marks two years since a zero-day
has been found (CVE-2016-0189 being the latest one) in the browser that won’t
die, despite efforts from Microsoft to move on to the more modern Edge._

~~~
jwilk
As I understand it, it _was_ a 0-day exploit when it was discovered in "late
April". (That is, it was exploing a then-unknown bug.)

------
Jerry2
A much better analysis and the source of the article is here:
[https://securelist.com/root-cause-analysis-of-
cve-2018-8174/...](https://securelist.com/root-cause-analysis-of-
cve-2018-8174/85486/)

------
Someone1234
The irony is that Microsoft never supported NPAPI in Edge to improve security,
and left NPAPI in IE11 indefinitely so any business (which is millions) stuck
on NPAPI are left using IE11 for many years to come (Java Applets, Flash,
ActiveX, etc).

It is one of those decisions taken with the best possible motives, but that
will have massive unintended consequences and keep IE11 on life-support well
into the 2020s.

~~~
yuhong
It is not NPAPI. It has not been supported since IE 5.5 SP2.

~~~
UnoriginalGuy
They never said it was, they said that's why IE11 remains popular.

------
sus_007
One can also simply disable IE by going through Windows' _Turn On /Off Windows
Features_ menu. I wonder why do they not do it by default if they want their
users to use Edge ahead of any alternatives.

~~~
sanlyx
Because third-party software, specially _old_ third party software, still uses
mshtml and disabling Internet Explorer also gets rid of mshtml IIRC

------
kerng
>> Microsoft has released a patch for this vulnerability...

Still, would be good to see IE go away.

~~~
falcolas
Why? To reinforce the browser monoculture that is getting worse and worse?
Competition is good, even if some of the options aren't perfect.

~~~
kerng
Microsoft has Edge, no need for IE besides backward compatibility for ActiveX
and VBScript and such things that some enterprises might still depend on. It's
actually amazing how long Microsoft supports things compared to others in the
industry.

------
TelAvivHacker
Isn’t this an old browser? What about Edge?

~~~
mtgx
Many of the worst Edge bugs are actually due to some backwards compatibility
with IE.

------
gcb0
any way sites that host user generated content can mitigate this?

------
Froyoh
Obligatory "who still uses IE?"

~~~
astura
Doesnt matter, this exploit was actually being deployed through a word
document, which bypassed the need to actually _use_ IE to be vulnerable.

------
jacksmith21006
Does anyone still use ie?

~~~
Zelphyr
Very much so. I've worked with major corporations that are still standardized
on IE9. Meaning, every employee's computer has IE9 on it. IE6 is still used by
a lot of companies simply because they have too much ActiveX code they don't
want to migrate.

~~~
fencepost
I know of hospitals that a few years back were requiring IE 6 for their
physician portal - long after that version was EOL. I think some are still
using those older versions, but now they're doing it the safe way - running it
as a remote application connected to via Citrix and hosted on a dedicated
system.

It's still jarring to see an old IE version icon on a task bar though.

------
Zelphyr
After over twenty years of the abomination that is browsers produced by
Microsoft, I'm ready to beg them to stop making a browser. EVERY. SINGLE.
TIME. they release a new version or new name of their browser, they say, "But
this time its going to blow the other guys out of the water in terms of speed,
security, and standards compliance!" And EVERY. SINGLE. TIME. they drop the
ball in significant ways.

~~~
JeremyBanks
Edge is one of the best browsers, as promised, and this didn’t happen in Edge.

