Ie 9, 10 And 11

I continue to see write-ups about patches needed to Windows because of, or directly to Internet Explorer. Can't remember the last time I used it and most any thread you read nowadays of anything related to online activity, the user is using a different browser.

This week I see the NSA has put out warnings about a vuln making the rounds in browsers including IE. MS says their fix will come out in the Feb11 update. Till then use work-arounds and limit access to jscript.dll. - I sure most user can do this with a blindfold on!!

Here's a partial note from 'EndGadget'.....

The issue is significant enough that Homeland Security issued an advisory encouraging people to both be aware of the flaw and consider implementing workarounds, including temporarily restricting access to jscript.dll.

Unlike the Firefox bug, though, you'll have to wait a while for a patch. Microsoft said it wasn't likely to provide its fix until its next monthly security release, slated for February 11th. Until then, you'll either have to consider workarounds or be cautious about clicking links to visit unfamiliar sites.

.....

In 10 I see both browsers, IE and Edge, come with the install.
Is IE there because so much of the OS has needs IE code to function. Remember on earlier versions you could not just delete IE. Would mess up File Explorer and I don't know what else.
So why don't MS just bury the code needed in the /system or /system32 folders and eliminate the public facing IE all together. Will this maybe be part of a future update, roll-up or whatever type fixes they come up with?

 

And so with IE tied into the OS so deeply all Windows installs needs IE patched since a perp that gains access can exploit the vulns offered by IE whether it's even never been used on a certain pc. With '7 just past eos will it get this IE patch I wonder?

 

Hey, Thanks! Now there's a link that might be more helpful to a certain group of users compared to the info given in some of the more 'authoritative' tech and news articles out there just telling people to use a workaround and leave them dangling.......

Great for those comfortable with the command prompt and using admin rights.
I bet that leaves a lot of users just scratching their heads. I don't see anything that says if a perp finds a way in a system that they couldn't call their way into the jscript.dll vuln to furthur their damage. So I don't know if you have to be actively using IE.

The MS page says in the "Impact of the Workaround" section that it only applies if your under 'elevated risk' already. Then it seems to say it only comes from websites using jscript in the scripting engine. And that '9, '10 and '11 use jscript9.dll anyway.

So is this really so important and impacting on users for the NSA and Homeland Security to be putting out warnings? And MS can wait for 2 or 3 weeks? Sounds a lot less impacting than what is being put out.

 

An article with a brief write-up, a list of os's affected, up to '10 1909 IE11, and the work-around code in one place-


https://www.bleepingcomputer.com/ne...itigation-for-actively-exploited-ie-zero-day/

 

Seems the work-around breaks a few things.

HP Printers
Some USB printers
Windows Media player when playing MP4 files
SFC......

If you have trouble with printing or using media player......running SFC isn't going to help....

https://www.bleepingcomputer.com/ne...ie-zero-day-fix-is-breaking-windows-printing/

 

For someone to exploit any vulnerability in any Windows OS, they need access to that computer.
Computer security is user dependent.