BBC says "Avoid Explorer"

twitter writes "Citing security flaws that lead to ads and spys on Microsoft infested computers the BBC in this article recomends avoiding Internet Explorer." Ain't it the truth? Mostly its about adware & spyware and other wretched bits of software that make the internet suck a little more each day.

Great idea but still an unrealistic solution

[Max+Romantschuk]

Working as a web developer I know that getting users to update their browsers is hard, let alone switch browser alltogether...

Unfortunately I doubt the problem as a whole can be solved by switching browsers. Rather I'd see stricter legislation tackle privacy issues.

Re:I use

[Zapper]

I've been using Opera6/Linux.
It's pretty good, fast, some nice features and who knows I might even pony up some dollars to remove the ads. I've got a slow PC, so it really shows up renering speed. Mozilla really sucked. Might have to give Pheonix a go when I can be bothered with the d/load.

Slight addition...

[26199]

"Never, ever click 'Yes' to a 'Do you want to download and install?' prompt unless you 100% sure the people who made it are trustworthy," he warns.

More importantly: unless you are 100% sure who made it. This is at least as much of a problem as whether the person you think made it is trustworthy...

Re:IE

[DerPflanz]

As with anything, if people used common sense probably 95% of problems could be avoided.

Which is the problem. People are surfing the net, and will click away all boxes they didn't ask for. Most of the messages you get are total nonsense if you are a user and just want to look for that apple-pie recipe. For one reason or another people must have a clue when using computers/the internet but not when using other (evenly complex) devices such as CD players, DVD players, etc. To me that means that the product (IE in this case) is not designed correctly.

The internet sucking more each day

[ACNeal]

I remember back when I was in school. No one but academics and a few others had ever really heard of the internet.

Then I remember reading an article about some BBSes that were offering internet access via some sort of gateway technology. At first I thought this was a grand idea, and wanted in on it, mainly because I was no longer at school, and wanted to be able to email friends still in school and use usenet and gopher.

Mosaic had just hit the emerged as a fledgling proof of concept, and as I read more about the internet in even the trade press, I started to get that quezzy feeling that you get everytime something good comes to an end.

I knew it was all over for the internet when my roommate came home and told me all about this great new technology called the internet, and how it was the latest craze.

I wasn't around for the dawn of the internet, but I wonder when it started to suck, the first real indication it was going to become some commercialized, overused, underutilized resource for the masses.

I also, coincidently, remember the first person to show me mosaic, that barely stayed running (early, early version). He was sitting in my dorm room, so excited, telling me how he was going to make money designing these sites. "How is this any better than Gopher?" was my foolish question.

Re:IE

[BurritoWarrior]

My mon doesn't know what .cz is, nor should she have to. Don't blame the users because IE is an insecure piece of junk. That is like saying "it doesn't matter that your car is a deathtrap, just avoid getting into a collision". And IE's insecurity has NOTHING to do with it being popular. It was insecure long before it had any market share.

As an aside, my mom also doesn't know what IE is. To get on "the internet" she click on that "little lizard thing" I set up for her.

Re:How about

[DrXym]

How can you be careful of where you browse if you've never visited a site before? And even if you have, who's to say that it doesn't run IIS and thanks to the latest MDAC problem or some other vulnerability that it hasn't been hacked and is infecting all its visitors?

Since hackers tend to go after the biggest fish, perhaps a better strategy (applied with other common sense measures), is to protect yourself by going heterogeneous. Pick a perfectly fine alternative browser such as Mozilla, run on a Mac or Linux and throw in a couple of other variables that automated exploits won't work for. It doesn't make you immune from attack but it certainly saves you from the latest exploit du jour. If you think you're safe sticking with IE, you should try taking the Anonymizer.com Snoop Test.

The same strategy applies for email. I reckon I get a macro / mime exploit virus in my inbox once a week, but thanks to the simple fact that I don't even run Outlook, I get a level of built-in protection reaching which so far has been 100%. Moz Mail still has vulnerabilities (every software does), but since it takes security seriously to begin with and is a much smaller target, it is considerably safer (and dare I say better and more usable) than Outlook. Using Outlook or IE is like waving a red flag to a bull.

I wonder how many people Santa will turn into unwitting victims this Christmas when they get a brand new PC with Outlook and IE installed on it.

However...

[MtViewGuy]

...The folks who write spyware and other programs tracking your Internet access haven't yet discovered Mozilla 1.x and Netscape 7.0 yet. Given that many web browsers need cookies to operate in certain sites, it won't be long before you see spyware running in Mozilla and Netscape 7.0 without you knowing it.

Besides, if you apply all appropriate patches from Windows Update, configure Outlook Express' Security functions NOT to allow downloading of attachments and install McAfee VirusScan 7.x, you can surf the Internet pretty securely with Internet Explorer 6.0 SP1.

Re:Yes, but now the webdesigners will have to foll

Considering the BBCs site doesn't or didn't display right in Netscape how can they recommend avoiding IE?

I forget how many times I've complained about that.

Re:Somewhat misleading title

[thirddegree]

"Somewhat misleading"...? More like outright misrepresentation. You know, the anti-MS lobby doesn't do itself any favours by spinning stories like this. Just report the truth - it's damning enough without distorting and finessing it.

Is Phoenix better than Mozilla?

I hear so many great things about Phoenix here on the dot of slash. Are these accolades warranted? Even though Pheonix is only at 0.4 or something?

unfortunately..

[zozzi]

I reported a compliance bug with a web page whereby the authors used some proprietory tags which are not W3C compliant. I filed the bug under Mozilla too but the official reply was: "It's not a bug, we're following the standard and not accepting propr. tags". Unfortunately, rather than acknowledging their mistake and fixing it (heck I pointed out the line numbers, offered patches and gave them a URL showing these problem tags and a solution on how to fix them) here's their reply:

---

Thank you for your e-mail. In reply to your queries both Mygo and go mobile's website are designed for IE5 and upwards and this is Company policy.

We are aware that not everyone uses IE. However, IE offers certain features which other browsers do not. Using these, we are able to use a greater array of features which allow us to design better interfaces. 84.3 per cent of the internet population uses Internet Explorer. More than 98 percent of the hits on go mobile's website originate from IE.

---

I mailed them again telling them it's nonsense (browsers reporting themselves as being IE etc) and that there are alternatives to make it work for both but surprise surprise! no reply. Bugzilla contains a number of other websites suffering from this condition (inc. Microsoft, no surprises here).

Therefore Mozilla follow standards so page X won't work and page X authors follow market so they won't fix it. What does BBC recommend I do in this case?

What about the companies behind spyware?

[job0]

Unfortunately a lot of people don't actually read the EULA. They just click through until the software is installed. Even if you do read it it's full of dense obscure legal language that mostly doesn't apply to you. Advertising software if implemented correctly can allow developers to make money from their software without requiring the end user to pay.

The problem is it's often not done properly. There are spyware apps like aureate that operate in stealth mode by passing themselves off as Windows system processes and making sure that they don't even show up the task list or binding themselves to winsock so that you delete or uninstall them your Internet connection stops working. Microsoft should be made to fix these holes in IE but I think some pressure should also be applied to the people that write these programs.

Re:It is?

You forgot the part about how it's UI, look and feel, and general high functionality makes it way better than all the crappy opensource browsers with their shitty coder-made guis and gimmicky bullshit "features" (gestures etc). IE > * And btw, IE + a filtering proxy like proxomitron is just as if not more ad-repelling as moz/phoenix.

Re:IE

I actually found that gator will install itself quietly, without prompting. I still haven't figured out how it did it, but it did. After uninstalling it, I did a thorough search through the machine and found there was still a piece of gator left (I forget which one it was). Even though I uninstalled it!

Maybe my IE was unpatched at the time, maybe not (I kept up with it, actually). Afterwards, I went to gator and sent them a flaming email about it, which they promptly disregarded.

Fact is, it *did* install without so much as a "Are you sure?" prompt. And it *kept running*. If I had stayed much longer at that job, I'd've dug up a packet sniffer, or stuck zone alarm or something just to make sure gator was finally gone.

There are more than privacy concerns here. The machine I was using had unlimited access to company IP (I was an administrator), and there was lots of compromising stuff that could've been stolen by a program I didn't even want to install. (I don't work there anymore, did you catch that?) In a more ethical business, there are *still* countless pieces of information stored that would be dangerous to the business if someone managed to get ahold of it.

The article talks about how this affects home users, but sooner or later it's gonna come out about billions$ lost because of this stuff.

Furthermore, as far as home users go, I found a couple of ISPs that'll let me run an internet server. These ISPs have the whole p2p problem licked as well. They give you 2-5GB of bandwidth/month, and then meter anything you use over that amount. Adware and spyware both use up your bandwidth pretty seriously (the reason I was chasing after gator in the first place was because the machine was running so damn slow, and network applications even slower), and for some people, they have to PAY for it. So these companies aren't showing you ads that you can close or anything, they're also making you pay your ISP for additional bandwidth. Sure, sure, you could get an account with unmetered bandwidth, but you typically lose certain freedoms by doing so (running an internet server).

For the reasons in that last paragraph, it is also unacceptable for the browser to go ahead and load the pages without opening a window like some people mentioned in the Anti-Leech forum. The bandwidth still gets used, and it still gets paid for somehow.

The ad and marketing companies have to figure out a way to do their jobs with the support of the customers, because without our support they've got nothing. We won't buy their stupid little dolls or cameras or whatever they're selling this time unless they're willing to sell them to us on *our terms*. That means no popups, no adware, no spyware (even if it is used to gather legitimate marketing demographical information).

I'll play the game. I'll respond to surveys on the phone, if they don't intrude on me. I'll even respond to snail-mail surveys if the postage is paid, and I'll respond to spam surveys too. HTTP itself provides some of the most valuable web-based demographical information, and it's *part of the protocol*. Just look at your weblogs. I've no problem with cookies, but I do clear them out pretty regularly. When I go to the grocery store, I'll answer questions. I'm not willing to give out my address unless I've built a strong relationship with the company, or they actually *need* it to service me (mail-order, anyone?).

There's plenty of ways for them to get the information *without* exploiting my computer, and since I take steps to prevent this exploitation (starting with GNU/Linux, moving on to firewalls and so forth) then if they depend on this information, they're not getting it. They can get it another way, on *my terms*, and I'll gladly give it to them.

IE tested

[Mr_Silver]

If you think you're safe sticking with IE, you should try taking the Anonymizer.com Snoop Test.

I did. With IE. Here is what happened:

1. Your IP address

It picked up my IP address. Fair enough. I'm not running through an anonymous proxy.

2. Hidden tracking files (cookies)

It couldn't list any of my cookies.

3. Exposed Clipboard

This was a little scary. It picked up what was in my clipboard and displayed it.

4. Hack and Exploit Vulnerability

Sophos immediately popped up a message telling me it had detected 'Troj/Codebase-A' in my temporary internet files. A window appeared with some HTML telling me that file:///c:/winnt/win.ini had moved. But nothing else.

I couldn't open the click here links, the links below that didn't work and MSN wasn't giving out my contacts.

5. Browser and Operating System

Big deal. It got them from the HTTP_USERAGENT. I'm not totally paranoid - I don't mind people knowing what browser I use.

6. Geographical location

Middlesex, England, GBR. Well, 2 out of 3 isn't bad but not exactly something to get worried about. Wonder why it thought Middlesex though?

7. Your network

This took the piss. It's just a traceroute from them to the IP address that they determined in the first test. It's not much of a big deal.

I run Internet Explorer 5.50.4919.2200. Sure, I don't doubt that IE has it's problems - but the stuff that Anonymiser is shreaking about is generally not that big a deal and flagged only so they can sell their products.

(mind you the clipboard one was a little spooky)

/. supports Security through Obscurity.

[sheldon]

Avoid Internet Explorer because people are targeting it. Use something else because it's more obscure.

Now tell me. Does that make sense? Are you actually safe, or do you just feel safe?

Internet?

[Epsillon]

Why is it most people confuse Internet with web? The www is simply one facet of the Internet even though most folks only use the www and email but even so, the dstinction still should be recognised or the Internet *will* stagnate as feared.

a good feature of mozilla

besides the obvious and very effective ability to block unrequested windows, you can add your own css to all the pages you view.
This is great as it allows you to make a banner add blocker.
This is what i use(i didn't come up with it but i can't remember who did so i can't give them credit for it, even though they deserve some):
create a txt file call it userContent.css
add the following to it:

[src*="ads."], [src*="ads/"],
[src*="doubleclick"],
[href*="dou bleclick."] *,
[href*="rd.yahoo.com"] [src*="yimg.com"],
[width="60"][height="468"],
[ width="468"][height="60"],
[width="120"][height=" 600"]
{
-moz-outline: medium dotted red;
-moz-opacity: 10%;
} /* i find this a bit much, but someone might like it.

[src*="ads."]:hover, [src*="ads/"]:hover,
[src*="doubleclick"]:hover,
[href*=".doubleclick."] *:hover,
[href*="rd.yahoo.com"] [src*="yimg.com"]:hover,
[width="60"][height="468 "]:hover,
[width="468"][height="60"]:hover,
[wid th="120"][height="600"]:hover
{
-moz-outline: medium dashed red;
-moz-opacity: 100%;
}
*/

[type="application/x-shockwave-flash"]
{
displ ay: none !important;
}

Ok this should make your browsing more enjoyable.
place the userContent.css into you user chrome directory.
for linux it will be in your home directory, on my system(obviously yours will vary for the username etc..) /home/john/.mozilla/default/9zo2x54t.slt/chrome

for windows(sucks to be you :)
It will be in your windows\profiles\i_forget_the_path\chrome directory.

That's not the problem with Windows

[Anonymous+Brave+Guy]

The problem with Windows isn't single-user mode, it's the fact that it's vastly over-spec'd and everything is on by default.

If e-mail readers just read text messages and let you write them back, and web browsers just displayed HTML instead of automagically downloading and installing stuff, and you didn't default to running with any TCP/IP port you like available, and so on, then any single-user OS could still be secure.

The problem is the way power has spread without adequate control. They invented ActiveX, based it around a non-secure model, and then let web browsers use it, instead of just rendering HTML. Then they made the e-mail client accept HTML mails, using the same rendering engine, so now someone just has to send you a mail, rather than you actively visiting a site. They gave the e-mail client a preview pane, and switched it on by default, so now the software has a chance to do its damage not only if I actively do something like visit a particular web site, but even if I fail to actively switch it off.

The same story happens all over the place in Windows, and is behind nearly major security cock-up out of Redmond in the last several years. You'd think they'd have learned, but then they'd have had to unbundle IE.