BBC says "Avoid Explorer"
twitter writes "Citing security flaws that lead to ads and spies on Microsoft infested computers the BBC in this article recommends avoiding Internet Explorer." Ain't it the truth? Mostly it's about adware & spyware and other wretched bits of software that make the internet suck a little more each day.
Phoenix and it fookin rocks.
Well, no it isn't actually. The BBC is reporting what Mr Clover said. Not at all the same thing as "the BBC recommends".
Sigh.
Subject says it all. Get it here.
The BBC isn't actually saying to avoid explorer, it's the Mr. Clover they interviewed. There is a difference, you know ...
---
"The chances of a demonic possession spreading are remote -- relax."
Cheers,
Ian
Oh boy, the MS FUD team is working hard this morning. It is not a decent web browser. The only reason most people use it is because of Microsoft's abuse of monopoly power. IE is a rather poor browser, for many reasons including the fact that it doesn't really browse the web. It is primarily geared towards mark-up that Microsoft created without public review on the process. Therefore, not Web. As for people who want to browse the Web, they should get a browser that adheres to Web standards. You'll find Opera and Mozilla to be excellent choices on virtually any platform.
... ...
Aside from that, IE is chock full of rendering errors on even simple elements, has very poor JavaScript, comes bundled with 8-year-old Java technology, is loaded with security holes, has nothing by the way of tabbed browsing, no built-in pop-up blocking, a horrid caching mechanism, slow as hell and hogs memory,
Why bother.
It is good to see that more and more major parties are realizing the serious problems with certain MicroSoft software. It's buggy, so it should be fixed. There are serious bugs, so they should be fixed ASAP. MicroSoft is known to not always do this. Worse, many MicroSoft programs have bugs with serious security implications, and your average luser doesn't know, much less care about those. This is a real threat to everything on the Internet.
However, I can't help but wonder who's next. MicroSoft operating systems are unsurpassed in the number of virii they support, and MicroSoft's software has traditionally been qualitatively inferior to competing products in many cases. However, this does not mean that this is a MicroSoft-only issue. I know that MicroSoft's Windows, Internet Explorer, Office, and the whole ActiveX system are full of holes, but how do they compare to, say, the GNU system, Linux, Xfree86, Mozilla, Koffice, and Java? Many of those seem to be more securely designed, but I don't think any of them have had the extensive testing from crackers that MicroSoft's products have. How can we recommend avoiding one product, if we don't have a better alternative?
Please correct me if I got my facts wrong.
Then, you install Phoenix or Opera, or whatever you want and be all happy.
Dawn of the Dead
I fail to see what Internet Explorer has to do with the latest rash of Messenger Service spam coming in from the Internet. Instead, it is just a general Windows problem that will affect you no matter which browser you use. The only solutions are to disable the messenger service and/or block incoming connections to udp/tcp 135, 137, 139, and 445. I think that even XP has this service turned on by default if you have a network adapter. But, maybe I am way off base and they are talking about some other kind of spam??
The internal copyright to do so expired, ending the trial.
Then in September, they sorted this out. Ogg streaming is due to re-start, Real Soon Now(tm). As it has been since September... See Here for more details....
--
I'd rather have a bottle in front of me than a frontal lobotomy
``Apart from the known issues with IE, outlook, and IIS, what is insecure in Windows?
The unknown issues.''
While obviously true, it doesn't really help to talk about unknown issues when assessing the security of a system. It's a safe bet that there are unknown issues with any piece of software, especially a complex one. The argument that closed-source software isn't open to as much peer review as is open-source software doesn't really hold ground. It's perfectly possible for closed-source software to be more extensively audited than an open-source alternative.
What does make Windows insecure is its single-user nature. Even the NT-based systems running on many desktops these days, while technically capable of using a good security model, are often run in single-user mode, meaning that if that user's account is broken into, there are virtually no restrictions on what harm (or good?) can be done.
Much software from the Big Satan of Redmond suffers from inherently insecure design. Windows (not NT)'s single-user nature, weak protection of address spaces (know those little programs that can be used to read other programs' text fields, indeed even password fields?), a web browser that doubles as a full-access file manager with the ability to run programs, a mail client that can and will automagically open (or even run) attachments, a scripting language so powerful that a component as central as the registry can be modified with it that can be used in officially non-executable things as office documents and webpages, the list goes on. This is something MicroSoft can be blamed for, should be blamed for, and should be ashamed of. This is what makes a system with pretty much any MicroSoft software on it insecure. And the best thing is that others are trying hard to copy some of these `features'.
Please correct me if I got my facts wrong.
Some time ago there was a story about the IE only UK government gateway site. Fortunately, this is no longer the case.
The only way Linux is more secure is if you spend several hours every day downloading and installing the latest security patches.
OK, I'll bite.
Several hours? I don't know what distribution you run, but remind me to avoid it! I've run both Debian and RedHat - neither requires several hours of daily patching.
With Debian, you only install the services you intend to use, then keep an eye out for security issues with those services (which isn't hard, and takes 15 minutes at most per day, usually less). When there is a vulnerability found that affects you, all that's generally required is an 'apt-get update && apt-get -u dist-upgrade', which may take a bit of time if you're on a slow link, or have a lot to update, but generally is pretty darn quick (again, for me it's generally less than 15 minutes). If they haven't managed to roll an "official" patch in yet, you can either wait for it (generally less than 24 hours for most), or compile it yourself. Turnaround time for security patching on Debian is excellent, though, and you generally won't find yourself needing to compile things yourself if you don't want to.
RedHat is a little different in that (at least prior to 7.3 - the last one I installed was 7.2, and things may have changed with 7.3 or 8.0) it installs everything but the kitchen sink by default - and you have to go around turning off what you don't need. Once you've got the "undesirables" turned off, security updates really aren't much different from Debian (especially if you're using apt for RPM). Again, for major vulnerabilities, patch turnaround time is excellent (generally 24 hours or less) and you won't have to recompile things you don't want to. Because RedHat is a bit more widespread than Debian, there are a few more exploits to watch out for, but hitting a few security sites during your daily web browsing should alert you to anything you might need to know. Definitely not "several hours every day".
See this page for info about the Beeb's ogg streaming. It looks like they stream a few programmes regularly, here's hoping they can get more available (so that you non-Brits can experience Radio 4 :-)
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
I know a lot of people say this, but is it actually true? I use both Mozilla and IE and very rarely notice any differences.
I'm using mozilla with the internet explorer skin. It works great, though there's a little hack you have to do to get the home button back into the main toolbar.
:-).
Mozilla is a better browser than i.e. in a lot of ways (tabs, standards compliance, etc.), but the big one for me is that i.e. is essentially an ad delivery system. So there's not much we can do to selectively block cookies, or graphics from specific servers, or pop-ups, etc. And I don't like the prospect of being at the mercy of unscrupulous companies who wish to make changes without my knowledge or consent. (Actually, what I'd really like is a way to get rid of i.e. entirely on w2k/xp.)
That explains mozilla, but why the i.e. skin? Well, the default mozilla skins are not exactly beautiful. And my wife is highly resistant to change of any kind when it comes to her computer, and with the i.e. skin I was able to switch her w2k machine to mozilla without even a word of protest. Of course, at this point she's so used to tabbed browsing and the pop-up blocker that she wouldn't switch back anyway. And me, I don't have to worry about some exploit using i.e. to take her computer down.
Actually, I even use the i.e. skin on my linux box. Just for the perverse fun of it, I guess. I also have a nice wallpaper from w2k of a diver against a blue sky. It's very spiffy, though naturally I GIMPed out the little windows logo first
It's just incredibly more popular, and not just because it comes with Windows, as IE is the leader on the Mac as well.
What did you try to prove? IE comes preinstalled on all new Macs. Of course it's because it comes with the machine, 99% of people are more lazy than ignorant.
Assorted stuff I do sometimes: Lemuria.org
Your browser still accepts them. When you close the session, they all go away.
Oh wait, you're doing Windows? Does it still have attrib? What was the command again... "attrib +r cookies.txt" or somesuch?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
That's how I've always seen it used...
Your monitor is staring at you.
If opera is crashing, try (if you're not already) the statically linked qt version. Stability problems are often caused by interactions between the installed qt on your machine and the one that opera was compiled against. The statically linked one does not suffer from this problem. If you are using the statically linked version, then I got nothin' for ya.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
One issue: Universal PNP
Another one: Windows Messenger Service (not MSN Messenger, but the alerter) lets anyone put a popup on your computer if they have the IP address or DN. Just lovely. This is a security issue because the popup can be used as part of a social engineering attack.
The list goes on and on.
Of course, most of them were fixed before the article on The Register was even written.
``a web browser that doubles as a full-access file manager with the ability to run programs
Like Konqueror and Eazel's Nautilus?''
Indeed. Konqueror and Nautilus are making the same mistake here. The difference is that if a cracker breaks through them, he still only has access to the files accessible by the user running them. When run as a mere-mortal user, Konqueror and Nautilus are not full-access file managers.
``a mail client that can and will automagically open (or even run) attachments
This was true in, like, 1999. Outlook doesn't do this anymore.''
It has taken MicroSoft years and years to fix this. I don't know in which version of Outlook [Express] they fixed it, but the `feature' has been there for around 5 years. Many people still use versions of Outlook that do contain the vulnerability. Yes, these people should know better, but the reality is that most people don't know or care about security issues. MicroSoft should never have included such a dangerous, unnecessary, and badly implemented feature in the first place, and they should have fixed it as soon as its problems became apparent. They really do get the blame here.
``a scripting language so powerful that a component as central as the registry can be modified with it that can be used in officially non-executable things as office documents and webpages
So you're saying you can't modify something in /etc using something such as Perl?''
And do you have perl in your webpages? In your AbiWord documents? In your manpages, perhaps? I know I don't. Perl is too powerful for that; it has access to resources that documents have no business accessing. If you want to use a perl script for doing administration, fine, that's what it's for. But it's a Good Thing my word processor doesn't interpret perl scripts in documents that would allow you to administer _my_ box.
``What falls prey to all these worms, et al that are going around are the people that are still running Windows 98 first edition with Outlook Express 4 that never bother to upgrade anything.''
Yes. A lot of people who use MicroSoft software simply don't know enough about computers, or are too afraid to do something as strong as upgrading.
``All it takes is something as simple as going to Windows Update to fix all this. Then Microsoft comes along and tries to remedy this problem with the Automatic Updates feature to try and remove the middleman (read: uninformed/apathetic user) and what response does that receive from the Slashdot community? "No! Kill the bastards! They're spies! Seize them!"''
That's because the /. community consists largely of hackers. They are more like admins than like lusers. They don't like others messing with their systems. What they are saying is that automatic updates are Evil, not necessarily a Bad Thing. For the majority of Windows users, they are probably a huge win. And Real Hackers don't use Windows to begin with.
Please correct me if I got my facts wrong.
The 'Avoid IE' bit in the BBC article is actually a quotation you know, it's not an endorsement from the Beeb.
:-S
It's a quotation from me, in fact.
I also went on to add that the 'Avoid IE' quote was a glib answer, and was accurate only in part due to IE's propensity for security holes. The other parts are, of course, the fact that IE's popularity causes malware writers to target it specifically, and finally - as you mention - the design decisions behind ActiveX.
Of course, technically difficult issues such as why ActiveX is flawed by design are unlikely to make it into a mass-media article, but I am glad they got the bit about not clicking 'Yes' in.
I've been increasingly worried about the DHTML feature creep of Mozilla, and the fact that it has its own automatic-install system (XPInstall). I can't say I expect using Mozilla to stay safe either. But still, it can't be much worse than IE.
Anyway. My site's already been hit by a denial-of-service attack by an adware author this month, let's see if Slashdot can help bring it down...
--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/
Internet Explorer for Mac OS X (and Mac OS 9) doesn't suffer from the same problems as its Windows counterpart since it's not an "integrated" component of the OS; it's just an app. Doesn't mean it's not crap, sometimes.
Many Windows technologies that cause the vulnerabilities in IE/Windows are very limited or don't exist with IE/Mac. In particular, ActiveX control support is there, but appears mostly broken. Java support is strongest in this browser (it seems), but many Java pages don't render things properly since MS doesn't appear to tie their browser properly in OS X's strong Java implementation (1.3.1).
IE/Mac is just as annoying with pop-ups, but that's why I use OmniWeb, where I can disable JavaScript that generates pop-ups with one preference setting.
IE is still the most compatible browser, but only because many webmasters are drones to Microsoft's web tools--and shouldn't be. The pages they create work best--and in some cases, ONLY--with IE.
Vos teneo officium eram periculosus ut vos recipero is.
``If I'm understanding you correctly, this would mean abolishing the file:// pseudo-protocol-handler, right?''
That would be the most secure option. But file:// doesn't have the power to modify files, delete them, change their names, etc. Reading local files with a web browser can be useful for testing webpages (although I prefer running an HTTP server, so I can test server side scripting as well). Modifying files is, as I see it, clearly a task of file managers and not web browsers. Combining web browser and file manager may have its advantages, but IMHO the security implications make it wiser to keep them separate.
One issue I haven't mentioned or heard mentioned yet, is that virtually all web browsers write files, in the form of cookies. However, this is easy to protect, as the write access can be restricted to one directory or even one file. Personally, I allow only cookies that expire when the browser closes, completely eliminating any need for write access, as far as I can see.
Please correct me if I got my facts wrong.
Better yet, Mozilla ought to use the text in the ALT attribute. At least in the context of an IMG element, the TITLE attribute is redundant. Since ALT is required for IMG elements anyway, why would you use <img width=80 height=60 src="foo.png" alt="foo" title="foo"> when <img width=80 height=60 src="foo.png" alt="foo"> conveys the same information?
(I was wondering where the tooltips for the icons at the top of every /. page had gone. Mozilla must be the only browser that doesn't render ALT attributes as tooltips.)
20 January 2017: the End of an Error.
Actually, what I'd really like is a way to get rid of i.e. entirely
Nice.
So you'll basically never be able to update that box then?
Update your machines, people!
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
I've been following the associated bug on this for a while and it isn't sounding too promising. Most recent threads are people pleading for a solution and coders saying it won't/can't be done. You'll have to copy and paste the link due to bugzilla blocking the Slashdot referrer: http://bugzilla.mozilla.org/show_bug.cgi?id=23679 . Also, there is this NTLM auth proxy being written in Python that looks promising. It sounds like the proxy sits local and performs the NTLM auth. I've heard .net will have its own authentication, but I can't find anything on it (argh, generic search terms).
I haven't played with this, but I understand that NS4 does not support @import, which makes for a useful loophole-- put NS4 styling in a "link rel" stylesheet, and put styling for compliant browsers in an @import stylesheet.