Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate Local files using Internet Explorer. "The craziest part: Windows users don't ever even have to open the now-obsolete web browser for malicious actors to use the exploit," reports Mashable. "It just needs to exist on their computer..." [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service...

Most worrisome, according to Page, is that Microsoft told him that it would just "consider" a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn't particularly matter in this case as the exploit just requires a user to have the browser on their PC.

An anonymous reader writes: Microsoft today ended support for old versions of Internet Explorer, including IE8, IE9, and IE10, as well as Windows 8. For the browsers, the company has also released a final patch (KB3123303) that includes the latest cumulative security updates and an "End of Life" upgrade notification. In short, the final patch will nag Windows 7 and Windows Server 2008 R2 users to upgrade to Internet Explorer: A new tab will automatically open the download IE page. It doesn’t appear Microsoft has plans to push similar notifications for Vista, Windows Server 2008, or Windows Server 2008 R2 users, but this isn’t too surprising: They can’t upgrade to IE11 or Edge without upgrading their operating system. While support for Windows 8 has ended, Windows 8.1 will have Mainstream Support until January 9, 2018 and Extended Support until January 10, 2023.

An anonymous reader writes: On Tuesday, January 12, Microsoft Internet Explorer 8, 9, and 10 will officially reach their end of life. A new patch going live soon will add a notification that nags users to upgrade. "What's even bigger about the end of life for these versions is that this means Internet Explorer 11 is the last version of Microsoft's old browser that's left supported, as the company continues to transition customers to Edge on Windows 10."

An anonymous reader writes: Microsoft announced today that it will soon open source the "Chakra" JavaScript engine used inside its Edge browser and Internet Explorer. The company plans to publish the code on its GitHub page in January. "Microsoft is calling the version it's open sourcing ChakraCore. This is the complete JavaScript engine—the parser, the interpreter, the just-in-time compiler, and the garbage collector along with the API used to embed the engine into applications (as used in Edge). This will have the same performance and capabilities, including asm.js and SIMD support, as well as cutting-edge support for new ECMAScript 2015 language features like the version found in Microsoft's Windows 10 browser." While it'll be Windows-only code to start, they plan on taking it cross-platform just as they did with .NET. "Microsoft intends to run ChakraCore's development as a proper community project. The company says that Intel and AMD have already expressed interest in contributing, and others are sure to join them."

prisoninmate writes: Google announces that its Google Chrome web browser will no longer be available for 32-bit hardware platforms. Additionally, Google Chrome will no longer be supported on the Ubuntu 12.04 LTS (Precise Pangolin) and Debian GNU/Linux 7 (Wheezy) operating systems. Users are urged to update to the Ubuntu 14.04 LTS (Trusty Tahr) release and Debian GNU/Linux 8 (Jessie) respectively. Google will continue to support the 32-bit build configurations for those who want to build the open-source Chromium web browser on various Linux kernel-based operating systems. Reader SmartAboutThings writes, on a similar note, that: Microsoft is tolling the death knell for Internet Explorer with an announcement that it will end support for all older versions next year. Microsoft says that all versions older than the latest one will no longer be supported starting Jan. 12, 2016. After this date, Microsoft will no longer provide security updates or technical support for older Internet Explorer versions. Furthermore, Internet Explorer 11 will be the last version of Internet Explorer as Microsoft shifts its focus on its next web browser, Microsoft Edge.

An anonymous reader writes: Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Angler is currently the most popular exploit kit, regularly tied to malware including Cryptolocker. Vulnerabilities in Microsoft's Internet Explorer and Silverlight are also major targets. All of these are the conclusions of a Recorded Future report.

MojoKid writes: The Internet and web browsers are an ever changing congruous mass of standards and design. Browser development is a delicate balance between features, security, compatibility and performance. However, although each browser has its own catchy name, some of them share a common web engine. Regardless, if you are in a business environment that's rolling out Windows 10, and the only browsers you have access to are Microsoft Edge or IE — go with Edge. It's the better browser of the two by far (security not withstanding). If you do have a choice, then there might better options to consider, depending on your use case. The performance differences between browsers currently are less significant than one might think. If you exclude IE, most browsers perform within 10-20% of each other, depending on the test. For web standards compliance like HTML5, Blink browsers (Chrome, Opera and Vivaldi) still have the upper-hand, even beating the rather vocal and former web-standards champion, Mozilla. Edge seems to trail all others in this area even though it's often the fastest in various tests.

mask.of.sanity writes: Microsoft has released an out-of-band patch for Internet Explorer versions seven to 11 that closes a dangerous remote code execution flaw allowing attackers to commandeer machines. From their advisory: "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability." The attack could assist in watering hole and malvertising campaigns. The Windows 10 Edge browser is not impacted.

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esserwhich, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5 but is already fixed in the preview beta of El Capitan (OS X 10.11) Speaking of exploits: Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."

An anonymous reader writes: After analyzing the leaked data from last week's attack on Hacking Team, Vectra researchers discovered a previously unknown high severity vulnerability in Internet Explorer 11, which impacts the browser on both Windows 7 and Windows 8.1. The vulnerability is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, it can allow an attacker to bypass protections found in standard memory. Microsoft has published a patch for this vulnerability, and also patched another one pulled from the Hacking Team files by different security researchers.

An anonymous reader writes: Software developer Nolan Lawson says Apple's Safari has taken the place of Microsoft's Internet Explorer as the major browser that lags behind all the others. This comes shortly after the Edge Conference, where major players in web technologies got together to discuss the state of the industry and what's ahead. Lawson says Mozilla, Google, Opera, and Microsoft were all in attendance and willing to talk — but not Apple.

"It's hard to get insight into why Apple is behaving this way. They never send anyone to web conferences, their Surfin' Safari blog is a shadow of its former self, and nobody knows what the next version of Safari will contain until that year's WWDC. In a sense, Apple is like Santa Claus, descending yearly to give us some much-anticipated presents, with no forewarning about which of our wishes he'll grant this year. And frankly, the presents have been getting smaller and smaller lately."

He argues, "At this point, we in the web community need to come to terms with the fact that Safari has become the new IE. Microsoft is repentant these days, Google is pushing the web as far as it can go, and Mozilla is still being Mozilla. Apple is really the one singer in that barbershop quartet hitting all the sour notes, and it's time we start talking about it openly instead of tiptoeing around it like we're going to hurt somebody's feelings."

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.

Mark Wilson writes: Anyone using the Windows 10 preview has had a chance to use the HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1. This security protocol protects against man-in-the-middle attacks and is being delivered to users of older version of Windows through an update in the form of KB 3058515.

jones_supa writes: As it did in the past when it tried to make Internet Explorer more secure, Microsoft has launched a new bug bounty program for Spartan browser, the default application of Windows 10 for surfing the information highway. A typical remote code execution flaw can bring between $1,500 and $15,000, and for the top payment you also need to provide a functioning exploit. The company says that it could pay even more than that, if you convince the jury on the entry quality and complexity. Sandbox escape vulnerabilities with Enhanced Protected Mode enabled, important or higher severity vulnerabilities in Spartan or its engine, and ASLR info disclosure vulnerabilities are also eligible. If you want to accept the challenge, Microsoft provides more information on how to participate.

An anonymous reader writes: The history of the do-not-track setting for web browsers has been rife with debate. It took a long time for web experts to come to anything resembling a consensus on how it should be implemented, and the process isn't over yet. Microsoft took criticism for enabling the do-not-track setting by default in Internet Explorer. While it sounds good in theory, many worried it would just spur websites to completely disregard the setting (and some, like Yahoo, did just that). Now, Microsoft has reversed their stance. The do-not-track setting will not be enabled by default in the company's future browsers. They say, "Put simply, we are updating our approach to DNT to eliminate any misunderstanding about whether our chosen implementation will comply with the W3C standard. ... As a result, DNT will not be the default state in Windows Express Settings moving forward, but we will provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so."

An anonymous reader writes: Today Microsoft released a new Technical Preview build for Windows 10. Its most notable addition is Microsoft's new browser: Project Spartan. In a brief post explaining the basics of the browser, the company says it includes their personal assistant software, Cortana, as well as "inking" support, which lets you write or type on the webpage you're viewing. But the biggest change, of course is the new rendering engine. The "suggestion box" page for Project Spartan is already filling up with idea from users, including one for Trident/EdgeHTML to be released as open source.

Anne Thwacks writes The British Government web site for applying for for a licence to be a security guard requires a plugin providing Internet Explorer emulation on Firefox to login and apply for a licence. It won't work with Firefox without the add-on, but it also wont work with Internet Explorer! (I tried Win XP and Win7 Professional). The error message says "You have more than one browser window open on the same internet connection," (I didn't) and "to avoid this problem, close your browser and reopen it." I did. No change.

I tried three different computers, with three different OSes. Still no change. I contacted their tech support and they said "Yes ... a lot of users complain about this. We have known about it since September, and are working on a fix! Meanwhile, we have instructions on how to use the "Fire IE" plugin to get round the problem." Eventually, I got this to work on Win7pro. (The plugin will not work on Linux). The instructions require a very old version of the plugin, and a bit of trial and error is needed to get it to work with the current one. How can a government department concerned with security not get this sort of thing right?"

MojoKid writes One of the most anticipated new features in Windows 10 is the Spartan web browser, which will replace the long-serving Internet Explorer. We've seen Spartan in action on the desktop/notebook front, but we're now getting a closer look at Spartan in action on the mobile side thanks to some newly leaked screenshots. Perhaps the biggest change with Spartan is the repositioning of the address bar from the bottom of the screen to the top (which is also in line with other mobile browsers like Safari and Chrome). The refresh button has also been moved from its right-hand position within the address bar to a new location to the left of the address bar. Reading Lists also make an appearance in this latest build of Spartan along with Microsoft's implementation of "Hubs" on Windows 10 for mobile devices.

darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc manager of vulnerability research for HP Security Research said.

An anonymous reader writes: The Verge reports that Internet Explorer as we know it will be taking a back seat to Microsoft's new browser, Project Spartan, in Windows 10 and future projects. IE will still exist, and stick around for compatibility issues, but Project Spartan will be the default way users interact with the internet. Microsoft wants to distance itself with the negative connotations Internet Explorer has acquired through the years. They still haven't decided on an official name for Project Spartan, but it will probably have the company name in it.