BBC says "Avoid Explorer"
twitter writes "Citing security flaws that lead to ads and spies on Microsoft infested computers the BBC in this article recommends avoiding Internet Explorer." Ain't it the truth? Mostly it's about adware & spyware and other wretched bits of software that make the internet suck a little more each day.
Phoenix and it fookin rocks.
Well, no it isn't actually. The BBC is reporting what Mr Clover said. Not at all the same thing as "the BBC recommends".
Sigh.
Subject says it all. Get it here.
The BBC isn't actually saying to avoid explorer, it's the Mr. Clover they interviewed. There is a difference, you know ...
---
"The chances of a demonic possession spreading are remote -- relax."
Cheers,
Ian
Oh boy, the MS FUD team is working hard this morning. It is not a decent web browser. The only reason most people use it is because of Microsoft's abuse of monopoly power. IE is a rather poor browser, for many reasons including the fact that it doesn't really browse the web. It is primarily geared towards mark-up that Microsoft created without public review on the process. Therefore, not Web. As for people who want to browse the Web, they should get a browser that adheres to Web standards. You'll find Opera and Mozilla to be excellent choices on virtually any platform.
Aside from that, IE is chock full of rendering errors on even simple elements, has very poor JavaScript, comes bundled with 8-year-old Java technology, is loaded with security holes, has nothing by the way of tabbed browsing, no built-in pop-up blocking, a horrid caching mechanism, slow as hell and hogs memory,
Why bother.
I fail to see what Internet Explorer has to do with the latest rash of Messenger Service spam coming in from the Internet. Instead, it is just a general Windows problem that will affect you no matter which browser you use. The only solutions are to disable the messenger service and/or block incoming connections to udp/tcp 135, 137, 139, and 445. I think that even XP has this service turned on by default if you have a network adapter. But, maybe I am way off base and they are talking about some other kind of spam??
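As an added example (not part of the comment above), this Python sketch checks a firewall log for inbound traffic to the ports the comment lists and separates what was dropped from what got through. The log layout, action values and addresses are constructed assumptions modelled on the Windows Firewall text log.

```python
# Ports named in the comment above (RPC endpoint mapper, NetBIOS, SMB).
WATCHED_PORTS = {135, 137, 139, 445}

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-01-15 09:12:01 DROP UDP 203.0.113.7 192.0.2.10 4021 135 485
2003-01-15 09:12:05 OPEN TCP 192.0.2.10 198.51.100.20 1045 80 -
2003-01-15 09:13:44 OPEN-INBOUND UDP 203.0.113.9 192.0.2.10 3310 135 512
2003-01-15 09:14:02 DROP TCP 203.0.113.7 192.0.2.10 4100 445 48
2003-01-15 09:15:30 OPEN-INBOUND TCP 198.51.100.77 192.0.2.10 2200 139 48
2003-01-15 09:16:00 DROP ICMP 203.0.113.7 192.0.2.10 - - 60
"""


def audit(log_text, local_ips):
    """Return (blocked, allowed) inbound hits on WATCHED_PORTS.

    Each hit is a (source address, protocol, destination port) tuple.
    """
    fields, blocked, allowed = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, parts))
        if rec.get("dst-ip") not in local_ips:
            continue  # not addressed to this machine, so not inbound
        try:
            port = int(rec.get("dst-port", "-"))
        except ValueError:
            continue  # ICMP and similar records carry "-" as the port
        if port not in WATCHED_PORTS:
            continue
        hit = (rec.get("src-ip"), rec.get("protocol"), port)
        (blocked if rec.get("action") == "DROP" else allowed).append(hit)
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = audit(SAMPLE_LOG, {"192.0.2.10"})
    print("dropped at the firewall:", blocked)
    print("reached the host (rule missing):", allowed)
```

Any entry in the second list means the port block is not in effect for that protocol and port.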
The internal copyright to do so expired, ending the trial.
Then in September, they sorted this out. Ogg streaming is due to re-start, Real Soon Now(tm). As it has been since September... See Here for more details....
--
I'd rather have a bottle in front of me than a frontal lobotomy
``Apart from the known issues with IE, outlook, and IIS, what is insecure in Windows?
The unknown issues.''
While obviously true, it doesn't really help to talk about unknown issues when assessing the security of a system. It's a safe bet that there are unknown issues with any piece of software, especially a complex one. The argument that closed-source software isn't open to as much peer review as is open-source software doesn't really hold ground. It's perfectly possible for closed-source software to be more extensively audited than an open-source alternative.
What does make Windows insecure is its single-user nature. Even the NT-based systems running on many desktops these days, while technically capable of using a good security model, are often run in single-user mode, meaning that if that user's account is broken into, there are virtually no restrictions on what harm (or good?) can be done.
Much software from the Big Satan of Redmond suffers from inherently insecure design. Windows (not NT)'s single-user nature, weak protection of address spaces (know those little programs that can be used to read other programs' text fields, indeed even password fields?), a web browser that doubles as a full-access file manager with the ability to run programs, a mail client that can and will automagically open (or even run) attachments, a scripting language so powerful that a component as central as the registry can be modified with it that can be used in officially non-executable things as office documents and webpages, the list goes on. This is something MicroSoft can be blamed for, should be blamed for, and should be ashamed of. This is what makes a system with pretty much any MicroSoft software on it insecure. And the best thing is that others are trying hard to copy some of these `features'.
Please correct me if I got my facts wrong.
The only way Linux is more secure is if you spend several hours every day downloading and installing the latest security patches.
OK, I'll bite.
Several hours? I don't know what distribution you run, but remind me to avoid it! I've run both Debian and RedHat - neither requires several hours of daily patching.
With Debian, you only install the services you intend to use, then keep an eye out for security issues with those services (which isn't hard, and takes 15 minutes at most per day, usually less). When there is a vulnerability found that affects you, all that's generally required is an 'apt-get update && apt-get -u dist-upgrade', which may take a bit of time if you're on a slow link, or have a lot to update, but generally is pretty darn quick (again, for me it's generally less than 15 minutes). If they haven't managed to roll an "official" patch in yet, you can either wait for it (generally less than 24 hours for most), or compile it yourself. Turnaround time for security patching on Debian is excellent, though, and you generally won't find yourself needing to compile things yourself if you don't want to.
RedHat is a little different in that (at least prior to 7.3 - the last one I installed was 7.2, and things may have changed with 7.3 or 8.0) it installs everything but the kitchen sink by default - and you have to go around turning off what you don't need. Once you've got the "undesirables" turned off, security updates really aren't much different from Debian (especially if you're using apt for RPM). Again, for major vulnerabilities, patch turnaround time is excellent (generally 24 hours or less) and you won't have to recompile things you don't want to. Because RedHat is a bit more widespread than Debian, there are a few more exploits to watch out for, but hitting a few security sites during your daily web browsing should alert you to anything you might need to know. Definitely not "several hours every day".
See this page for info about the Beeb's ogg streaming. It looks like they stream a few programmes regularly, here's hoping they can get more available (so that you non-Brits can experience Radio 4 :-)
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
I know a lot of people say this, but is it actually true? I use both Mozilla and IE and very rarely notice any differences.
I'm using mozilla with the internet explorer skin. It works great, though there's a little hack you have to do to get the home button back into the main toolbar.
:-).
Mozilla is a better browser than i.e. in a lot of ways (tabs, standards compliance, etc.), but the big one for me is that i.e. is essentially an ad delivery system. So there's not much we can do to selectively block cookies, or graphics from specific servers, or pop-ups, etc. And I don't like the prospect of being at the mercy of unscrupulous companies who wish to make changes without my knowledge or consent. (Actually, what I'd really like is a way to get rid of i.e. entirely on w2k/xp.)
That explains mozilla, but why the i.e. skin? Well, the default mozilla skins are not exactly beautiful. And my wife is highly resistant to change of any kind when it comes to her computer, and with the i.e. skin I was able to switch her w2k machine to mozilla without even a word of protest. Of course, at this point she's so used to tabbed browsing and the pop-up blocker that she wouldn't switch back anyway. And me, I don't have to worry about some exploit using i.e. to take her computer down.
Actually, I even use the i.e. skin on my linux box. Just for the perverse fun of it, I guess. I also have a nice wallpaper from w2k of a diver against a blue sky. It's very spiffy, though naturally I GIMPed out the little windows logo first
It's just incredibly more popular, and not just because it comes with Windows, as IE is the leader on the Mac as well.
What did you try to prove? IE comes preinstalled on all new Macs. Of course it's because it comes with the machine, 99% of people are more lazy than ignorant.
Assorted stuff I do sometimes: Lemuria.org
Your browser still accepts them. When you close the session, they all go away.
Oh wait, you're doing Windows? Does it still have attrib? What was the command again... "attrib +r cookies.txt" or somesuch?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
That's how I've always seen it used...
Your monitor is staring at you.
If opera is crashing, try (if you're not already) the statically linked qt version. Stability problems are often caused by interactions between the installed qt on your machine and the one that opera was compiled against. The statically linked one does not suffer from this problem. If you are using the statically linked version, then I got nothin' for ya.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
One issue: Universal PNP
Another one: Windows Messenger Service (not MSN Messenger, but the alerter) lets anyone put a popup on your computer if they have the IP address or DN. Just lovely. This is a security issue because the popup can be used as part of a social engineering attack.
The list goes on and on.
Of course, most of them were fixed before the article on The Register was even written.
The 'Avoid IE' bit in the BBC article is actually a quotation you know, it's not an endorsement from the Beeb.
:-S
It's a quotation from me, in fact.
I also went on to add that the 'Avoid IE' quote was a glib answer, and was accurate only in part due to IE's propensity for security holes. The other parts are, of course, the fact that IE's popularity causes malware writers to target it specifically, and finally - as you mention - the design decisions behind ActiveX.
Of course, technically difficult issues such as why ActiveX is flawed by design are unlikely to make it into a mass-media article, but I am glad they got the bit about not clicking 'Yes' in.
I've been increasingly worried about the DHTML feature creep of Mozilla, and the fact that it has its own automatic-install system (XPInstall). I can't say I expect using Mozilla to stay safe either. But still, it can't be much worse than IE.
Anyway. My site's already been hit by a denial-of-service attack by an adware author this month, let's see if Slashdot can help bring it down...
--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdes
Internet Explorer for Mac OS X (and Mac OS 9) doesn't suffer from the same problems as its Windows counterpart since it's not an "integrated" component of the OS; it's just an app. Doesn't mean it's not crap, sometimes.
Many Windows technologies that cause the vulnerabilities in IE/Windows are very limited or don't exist with IE/Mac. In particular, ActiveX control support is there, but appears mostly broken. Java support is strongest in this browser (it seems), but many Java pages don't render things properly since MS doesn't appear to tie their browser properly in OS X's strong Java implementation (1.3.1).
IE/Mac is just as annoying with pop-ups, but that's why I use OmniWeb, where I can disable JavaScript that generates pop-ups with one preference setting.
IE is still the most compatible browser, but only because many webmasters are drones to Microsoft's web tools--and shouldn't be. The pages they create work best--and in some cases, ONLY--with IE.
Vos teneo officium eram periculosus ut vos recipero is.
Better yet, Mozilla ought to use the text in the ALT attribute. At least in the context of an IMG element, the TITLE attribute is redundant. Since ALT is required for IMG elements anyway, why would you use <img width=80 height=60 src="foo.png" alt="foo" title="foo"> when <img width=80 height=60 src="foo.png" alt="foo"> conveys the same information?
(I was wondering where the tooltips for the icons at the top of every /. page had gone. Mozilla must be the only browser that doesn't render ALT attributes as tooltips.)
20 January 2017: the End of an Error.
Actually, what I'd really like is a way to get rid of i.e. entirely
Nice.
So you'll basically never be able to update that box then?
Update your machines, people!
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
I've been following the associated bug on this for a while and it isn't sounding too promising. Most recent threads are people pleading for a solution and coders saying it won't/can't be done. You'll have to copy and paste the link due to bugzilla blocking the Slashdot referrer: http://bugzilla.mozilla.org/show_bug.cgi?id=23679 . Also, there is this NTLM auth proxy being written in Python that looks promising. It sounds like the proxy sits local and performs the NTLM auth. I've heard .net will have its own authentication, but I can't find anything on it (argh, generic search terms).
I haven't played with this, but I understand that NS4 does not support @import, which makes for a useful loophole-- put NS4 styling in a "link rel" stylesheet, and put styling for compliant browsers in an @import stylesheet.