BBC says "Avoid Explorer"

twitter writes "Citing security flaws that lead to ads and spys on Microsoft infested computers the BBC in this article recomends avoiding Internet Explorer." Ain't it the truth? Mostly its about adware & spyware and other wretched bits of software that make the internet suck a little more each day.

Great idea but still an unrealistic solution

[Max+Romantschuk]

Working as a web developer I know that getting users to update their browsers is hard, let alone switch browser alltogether...

Unfortunately I doubt the problem as a whole can be solved by switching browsers. Rather I'd see stricter legislation tackle privacy issues.

Re:I use

[Zapper]

I've been using Opera6/Linux.
It's pretty good, fast, some nice features and who knows I might even pony up some dollars to remove the ads. I've got a slow PC, so it really shows up renering speed. Mozilla really sucked. Might have to give Pheonix a go when I can be bothered with the d/load.

Slight addition...

[26199]

"Never, ever click 'Yes' to a 'Do you want to download and install?' prompt unless you 100% sure the people who made it are trustworthy," he warns.

More importantly: unless you are 100% sure who made it. This is at least as much of a problem as whether the person you think made it is trustworthy...

Re:IE

[DerPflanz]

As with anything, if people used common sense probably 95% of problems could be avoided.

Which is the problem. People are surfing the net, and will click away all boxes they didn't ask for. Most of the messages you get are total nonsense if you are a user and just want to look for that apple-pie recipe. For one reason or another people must have a clue when using computers/the internet but not when using other (evenly complex) devices such as CD players, DVD players, etc. To me that means that the product (IE in this case) is not designed correctly.

The internet sucking more each day

[ACNeal]

I remember back when I was in school. No one but academics and a few others had ever really heard of the internet.

Then I remember reading an article about some BBSes that were offering internet access via some sort of gateway technology. At first I thought this was a grand idea, and wanted in on it, mainly because I was no longer at school, and wanted to be able to email friends still in school and use usenet and gopher.

Mosaic had just hit the emerged as a fledgling proof of concept, and as I read more about the internet in even the trade press, I started to get that quezzy feeling that you get everytime something good comes to an end.

I knew it was all over for the internet when my roommate came home and told me all about this great new technology called the internet, and how it was the latest craze.

I wasn't around for the dawn of the internet, but I wonder when it started to suck, the first real indication it was going to become some commercialized, overused, underutilized resource for the masses.

I also, coincidently, remember the first person to show me mosaic, that barely stayed running (early, early version). He was sitting in my dorm room, so excited, telling me how he was going to make money designing these sites. "How is this any better than Gopher?" was my foolish question.

Re:IE

[BurritoWarrior]

My mon doesn't know what .cz is, nor should she have to. Don't blame the users because IE is an insecure piece of junk. That is like saying "it doesn't matter that your car is a deathtrap, just avoid getting into a collision". And IE's insecurity has NOTHING to do with it being popular. It was insecure long before it had any market share.

As an aside, my mom also doesn't know what IE is. To get on "the internet" she click on that "little lizard thing" I set up for her.

Re:How about

[DrXym]

How can you be careful of where you browse if you've never visited a site before? And even if you have, who's to say that it doesn't run IIS and thanks to the latest MDAC problem or some other vulnerability that it hasn't been hacked and is infecting all its visitors?

Since hackers tend to go after the biggest fish, perhaps a better strategy (applied with other common sense measures), is to protect yourself by going heterogeneous. Pick a perfectly fine alternative browser such as Mozilla, run on a Mac or Linux and throw in a couple of other variables that automated exploits won't work for. It doesn't make you immune from attack but it certainly saves you from the latest exploit du jour. If you think you're safe sticking with IE, you should try taking the Anonymizer.com Snoop Test.

The same strategy applies for email. I reckon I get a macro / mime exploit virus in my inbox once a week, but thanks to the simple fact that I don't even run Outlook, I get a level of built-in protection reaching which so far has been 100%. Moz Mail still has vulnerabilities (every software does), but since it takes security seriously to begin with and is a much smaller target, it is considerably safer (and dare I say better and more usable) than Outlook. Using Outlook or IE is like waving a red flag to a bull.

I wonder how many people Santa will turn into unwitting victims this Christmas when they get a brand new PC with Outlook and IE installed on it.

However...

[MtViewGuy]

...The folks who write spyware and other programs tracking your Internet access haven't yet discovered Mozilla 1.x and Netscape 7.0 yet. Given that many web browsers need cookies to operate in certain sites, it won't be long before you see spyware running in Mozilla and Netscape 7.0 without you knowing it.

Besides, if you apply all appropriate patches from Windows Update, configure Outlook Express' Security functions NOT to allow downloading of attachments and install McAfee VirusScan 7.x, you can surf the Internet pretty securely with Internet Explorer 6.0 SP1.

Re:Yes, but now the webdesigners will have to foll

Considering the BBCs site doesn't or didn't display right in Netscape how can they recommend avoiding IE?

I forget how many times I've complained about that.

Re:Somewhat misleading title

[thirddegree]

"Somewhat misleading"...? More like outright misrepresentation. You know, the anti-MS lobby doesn't do itself any favours by spinning stories like this. Just report the truth - it's damning enough without distorting and finessing it.

unfortunately..

[zozzi]

I reported a compliance bug with a web page whereby the authors used some proprietory tags which are not W3C compliant. I filed the bug under Mozilla too but the official reply was: "It's not a bug, we're following the standard and not accepting propr. tags". Unfortunately, rather than acknowledging their mistake and fixing it (heck I pointed out the line numbers, offered patches and gave them a URL showing these problem tags and a solution on how to fix them) here's their reply:

---

Thank you for your e-mail. In reply to your queries both Mygo and go mobile's website are designed for IE5 and upwards and this is Company policy.

We are aware that not everyone uses IE. However, IE offers certain features which other browsers do not. Using these, we are able to use a greater array of features which allow us to design better interfaces. 84.3 per cent of the internet population uses Internet Explorer. More than 98 percent of the hits on go mobile's website originate from IE.

---

I mailed them again telling them it's nonsense (browsers reporting themselves as being IE etc) and that there are alternatives to make it work for both but surprise surprise! no reply. Bugzilla contains a number of other websites suffering from this condition (inc. Microsoft, no surprises here).

Therefore Mozilla follow standards so page X won't work and page X authors follow market so they won't fix it. What does BBC recommend I do in this case?

What about the companies behind spyware?

[job0]

Unfortunately a lot of people don't actually read the EULA. They just click through until the software is installed. Even if you do read it it's full of dense obscure legal language that mostly doesn't apply to you. Advertising software if implemented correctly can allow developers to make money from their software without requiring the end user to pay.

The problem is it's often not done properly. There are spyware apps like aureate that operate in stealth mode by passing themselves off as Windows system processes and making sure that they don't even show up the task list or binding themselves to winsock so that you delete or uninstall them your Internet connection stops working. Microsoft should be made to fix these holes in IE but I think some pressure should also be applied to the people that write these programs.

IE tested

[Mr_Silver]

If you think you're safe sticking with IE, you should try taking the Anonymizer.com Snoop Test.

I did. With IE. Here is what happened:

1. Your IP address

It picked up my IP address. Fair enough. I'm not running through an anonymous proxy.

2. Hidden tracking files (cookies)

It couldn't list any of my cookies.

3. Exposed Clipboard

This was a little scary. It picked up what was in my clipboard and displayed it.

4. Hack and Exploit Vulnerability

Sophos immediately popped up a message telling me it had detected 'Troj/Codebase-A' in my temporary internet files. A window appeared with some HTML telling me that file:///c:/winnt/win.ini had moved. But nothing else.

I couldn't open the click here links, the links below that didn't work and MSN wasn't giving out my contacts.

5. Browser and Operating System

Big deal. It got them from the HTTP_USERAGENT. I'm not totally paranoid - I don't mind people knowing what browser I use.

6. Geographical location

Middlesex, England, GBR. Well, 2 out of 3 isn't bad but not exactly something to get worried about. Wonder why it thought Middlesex though?

7. Your network

This took the piss. It's just a traceroute from them to the IP address that they determined in the first test. It's not much of a big deal.

I run Internet Explorer 5.50.4919.2200. Sure, I don't doubt that IE has it's problems - but the stuff that Anonymiser is shreaking about is generally not that big a deal and flagged only so they can sell their products.

(mind you the clipboard one was a little spooky)

/. supports Security through Obscurity.

[sheldon]

Avoid Internet Explorer because people are targeting it. Use something else because it's more obscure.

Now tell me. Does that make sense? Are you actually safe, or do you just feel safe?

Internet?

[Epsillon]

Why is it most people confuse Internet with web? The www is simply one facet of the Internet even though most folks only use the www and email but even so, the dstinction still should be recognised or the Internet *will* stagnate as feared.

a good feature of mozilla

besides the obvious and very effective ability to block unrequested windows, you can add your own css to all the pages you view.
This is great as it allows you to make a banner add blocker.
This is what i use(i didn't come up with it but i can't remember who did so i can't give them credit for it, even though they deserve some):
create a txt file call it userContent.css
add the following to it:

[src*="ads."], [src*="ads/"],
[src*="doubleclick"],
[href*="dou bleclick."] *,
[href*="rd.yahoo.com"] [src*="yimg.com"],
[width="60"][height="468"],
[ width="468"][height="60"],
[width="120"][height=" 600"]
{
-moz-outline: medium dotted red;
-moz-opacity: 10%;
} /* i find this a bit much, but someone might like it.

[src*="ads."]:hover, [src*="ads/"]:hover,
[src*="doubleclick"]:hover,
[href*=".doubleclick."] *:hover,
[href*="rd.yahoo.com"] [src*="yimg.com"]:hover,
[width="60"][height="468 "]:hover,
[width="468"][height="60"]:hover,
[wid th="120"][height="600"]:hover
{
-moz-outline: medium dashed red;
-moz-opacity: 100%;
}
*/

[type="application/x-shockwave-flash"]
{
displ ay: none !important;
}

Ok this should make your browsing more enjoyable.
place the userContent.css into you user chrome directory.
for linux it will be in your home directory, on my system(obviously yours will vary for the username etc..) /home/john/.mozilla/default/9zo2x54t.slt/chrome

for windows(sucks to be you :)
It will be in your windows\profiles\i_forget_the_path\chrome directory.

That's not the problem with Windows

[Anonymous+Brave+Guy]

The problem with Windows isn't single-user mode, it's the fact that it's vastly over-spec'd and everything is on by default.

If e-mail readers just read text messages and let you write them back, and web browsers just displayed HTML instead of automagically downloading and installing stuff, and you didn't default to running with any TCP/IP port you like available, and so on, then any single-user OS could still be secure.

The problem is the way power has spread without adequate control. They invented ActiveX, based it around a non-secure model, and then let web browsers use it, instead of just rendering HTML. Then they made the e-mail client accept HTML mails, using the same rendering engine, so now someone just has to send you a mail, rather than you actively visiting a site. They gave the e-mail client a preview pane, and switched it on by default, so now the software has a chance to do its damage not only if I actively do something like visit a particular web site, but even if I fail to actively switch it off.

The same story happens all over the place in Windows, and is behind nearly major security cock-up out of Redmond in the last several years. You'd think they'd have learned, but then they'd have had to unbundle IE.