Slashdot Mirror
BBC says "Avoid Explorer"
twitter writes "Citing security flaws that lead to ads and spys on Microsoft infested computers the BBC in this article recomends avoiding Internet Explorer." Ain't it the truth? Mostly its about adware & spyware and other wretched bits of software that make the internet suck a little
more each day.
Phoenix and it fookin rocks.
They should recommend avoiding Windows if their problem is security.
BTW, being Explorer unseparable from Windows, avoiding Explorer is avoiding Windows. Am I right, Bill?
It would be one step in the right direction...
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
They never figured out they can make the same stuff work in many browsers if they would only try and learn something about web design itself instead of designer tools...
So till that's solved a lot of people will use Explorer because their favorite site is badly designed.
Working as a web developer I know that getting users to update their browsers is hard, let alone switch browser alltogether...
Unfortunately I doubt the problem as a whole can be solved by switching browsers. Rather I'd see stricter legislation tackle privacy issues.
.: Max Romantschuk
its a known fact. They're also trying to do with the customer's knowledge with messenger version 5. hell.. users are calling it a "downgrade". when is microsoft gonna learn that its all about empowering the user... not crippling him i don't say their products aren't good.. after all u can;t survive with 100% marketing, 0% product. what are they gonna lose if they declare Internet Explorer as an open source project? They aren't selling it as a seperate product anyways
|/________
|\A|ALYS|
Well, no it isn't actually. The BBC is reporting what Mr Clover said. Not at all the same thing as "the BBC recommends".
Sigh.
instead of abandoning IE, which is a decent web browser, be careful (not paranoid, but like anyone who's been on /. for more than ...5 minutes won't click on a goatse.cx link) about where you actually browse.
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Subject says it all. Get it here.
"Avoid the BBC"
Rubbish. The Internet is getting better everyday. Pop-ups are becoming less common (especially using Moz), businesses are using better business models and delivering things on time, email filters are working more effectively, and the world is speeding towards most home users having broadband (and therefore more sites providing more content).
Life is good as a netizen.
--------
where is the beef? its mouldy at the bottom of the fridge. mmmmmmmmm beef mould
The easiest way to avoid parasite programs, he says, is to stop using Internet Explorer because it is targeted by many of the adware and spyware companies.
I've never ran accross a site that "forced" its software on me. I've ran accross "gator" a few times which tries to install without my permission, but I still have to hit OK. This article has a hint of FUD.
As with anything, if people used common sense probably 95% of problems could be avoided. By common sense I mean NOT going to suspicious sites (you can usually tell by the URL.. something that has "geocities" or ends with ".cz" is probably going to be more dangerous than amazon.com for instance). Let's face it, there is always going to be some security holes in the most popular and widely used browser. Even if that browser ever becomes Mozilla (which I doubt will happen any time soon- I run Mozilla but speed wise it just doesn't compare with IE).
Unfortunately, we can't rely on common sense because it really isn't all that common. It would be nice to have a "sandbox browser setting" for people who don't trust themselves to practice safe browsing. Here's an idea- they could click on a little icon of ralph wiggam playing in his sandbox (remember, he doesn't go into the deep end). This automatically forces the most stringent security settings (disabling activeX, scripting, etc.) and double prompts each time you go to download something "Are you sure? Are you really sure?". This probably wouldn't be too hard to add to IE.
"Never, ever click 'Yes' to a 'Do you want to download and install?' prompt unless you 100% sure the people who made it are trustworthy," he warns.
More importantly: unless you are 100% sure who made it. This is at least as much of a problem as whether the person you think made it is trustworthy...
Apart from the known issues with IE, outlook, and IIS, what is insecure in Windows?
And as far as IIS goes, Apache hasn't had a spotless security record.
Some people decide they'll be on the safe side by "Condoming Up" and turning security all the way up.
But when they get rashes of popup ads, and sore security holes, they realize that IE is a tired lay that not only lacks the finesse and technique of younger variants, but leaves you wanting your money back.
Even though you didn't pay anything... Bastards. You just wanted to surf the net with IE, and BANG!!! Next thing you know you have a Windows infection.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
The BBC isn't actually saying to avoid explorer, it's the Mr. Clover they interviewed. There is a differance, you know ...
---
"The chances of a demonic possession spreading are remote -- relax."
I understand that this security/usability patch will correct virtually all the problems with IE to which the BBS objects. Of course, it's a pretty complete patch...
So people stop using IE, then another browser (say, opera) takes over as the dominant browser, so spy/adware starts to be targetted at opera users.
Do we then avoid opera?
The problem is that there are morons out there developing spy / ad / malware, not which browser someone happens to use.
Sometimes they come attached to software you download from the web - the details are often included in the license agreement small print that most users click through without reading.
Which means you caused the problem not IE or windows.
And sometimes they don't even need your permission to download, but just hop on your hard drive, totally unannounced, because you are browsing the wrong webpage.
Too bad they don't go into more detail here about whether this is a general issue with malicious websites for most browsers, or actually expoloiting some hole in IE.
A few companies are now exploiting holes in Windows messenger to sneak adverts on to the screens of unsuspecting users.
Windows messenger _IS NOT_ part of IE. It is a seperate component that is unfortunatly automatically turned on. I do wish MS was better about what services were on by default, though I usually go in and turn off most services when I install windows, which I recommend. This is not a "hole" in the sense of a bug though, you _CAN_ turn it off.
While this article may have some basis, it really seems to be pointing at user stupidity. Don't browse some site, Read the EULA's and don't just click OK on a popup.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
Cheers,
Ian
Oh boy, the MS FUD team is working hard this morning. It is not a decent web browser. The only reason most people use it is because of Microsoft's absuse of monopoly power. IE is a rather poor browser, for many reasons including the fact that it doesn't really browse the web. It is primary geared towards mark-up that Microsoft created without public review on the process. Therefore, not Web. As for people who want to browse the Web, they should get a browser that adheres to Web standards. You'll find Opera and Mozilla to be excellent choices on virtually any platform.
... ...
Aside from that, IE is chock full of rendering errors on even simple elements, has very poor JavaScript, comes bundled with 8-year-old Java technology, is loaded with security holes, has nothing by the way of tabbed browsing, no built-in pop-up blocking, a horrid caching mechanism, slow as hell and hogs memory,
Why bother.
...The folks who write spyware and other programs tracking your Internet access haven't yet discovered Mozilla 1.x and Netscape 7.0 yet. Given that many web browsers need cookies to operate in certain sites, it won't be long before you see spyware running in Mozilla and Netscape 7.0 without you knowing it.
Besides, if you apply all appropriate patches from Windows Update, configure Outlook Express' Security functions NOT to allow downloading of attachments and install McAfee VirusScan 7.x, you can surf the Internet pretty securely with Internet Explorer 6.0 SP1.
Considering the BBCs site doesn't or didn't display right in Netscape how can they recommend avoiding IE?
I forget how many times I've complained about that.
I fail to see what Internet Explorer has to do with the latest rash of Messenger Service spam coming in from the Internet. Instead, it is just a general Windows problem that will affect you no matter which browser you use. The only solutions are to disable the messenger service and/or block incoming connections to udp/tcp 135, 137, 139, and 445. I think that even XP has this service turned on by default if you have a network adapter. But, maybe I am way off base and they are talking about some other kind of spam??
and rightfully so.
Active X was pegged from the start as the dangerious hole that it is, and now IE is so tied in with the base OS that people like my mother are screwed over time and time again by these people and programs[1].
MS in make our lives so much easier has forgotten that not everyone is altruistic as they are. Or maybe everyone is....
[1]Don't say give her Linux. Trust me, if I could I would have already, just not practial for her or me.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
The thing is, Explorer's no "worse" than anything else out there. It's just incredibly more popular, and not just because it comes with Windows, as IE is the leader on the Mac as well. It's the same phenomenon we see with Windows virii: people who write spyware and virii target the most popular platforms. If >90% of Internet users ran Mozilla then we'd see the same things written for that browser. It's not due to any special vulnerability in the browser. Getting people to switch to something else is only a temporary solution, a band-aid that doesn't treat the underlying illness. The BBC should instead be educating people as to what is safe web behavior, as that transcends issues of operating system and browser.
Karma: Good (despite my invention of the Karma: sig)
---
Thank you for your e-mail. In reply to your queries both Mygo and go mobile's website are designed for IE5 and upwards and this is Company policy.
We are aware that not everyone uses IE. However, IE offers certain features which other browsers do not. Using these, we are able to use a greater array of features which allow us to design better interfaces. 84.3 per cent of the internet population uses Internet Explorer. More than 98 percent of the hits on go mobile's website originate from IE.
---
I mailed them again telling them it's nonsense (browsers reporting themselves as being IE etc) and that there are alternatives to make it work for both but surprise surprise! no reply. Bugzilla contains a number of other websites suffering from this condition (inc. Microsoft, no surprises here).
Therefore Mozilla follow standards so page X won't work and page X authors follow market so they won't fix it. What does BBC recommend I do in this case?
---
Unfortunately a lot of people don't actually read the EULA. They just click through until the software is installed. Even if you do read it it's full of dense obscure legal language that mostly doesn't apply to you. Advertising software if implemented correctly can allow developers to make money from their software without requiring the end user to pay.
The problem is it's often not done properly. There are spyware apps like aureate that operate in stealth mode by passing themselves off as Windows system processes and making sure that they don't even show up the task list or binding themselves to winsock so that you delete or uninstall them your Internet connection stops working. Microsoft should be made to fix these holes in IE but I think some pressure should also be applied to the people that write these programs.
But then you've got a perhaps larger problem than IE itself - Windows 98/ME. Eeek! :-o
Beware: In C++, your friends can see your privates!
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
I know a lot of people say this, but is it actually true. I use both Mozilla and IE and very rarely notice any differences.
It's a case of "if it aint broke, don't fix it". From Joe's point of view, it isn't broke - so he won't do anything about it. He's not experienced all this stuff that people talk about, so why change?
Until something nasty comes along, wipes his "My Documents" folder and then totals his operating system - he'll happily use Internet Explorer.
People don't protect their home until they've been burgled, the don't protect their car until it's been stolen. It's all reactive - not proactive.
Until these 1001 security issues stop becoming potential exploits and become actual exploits hitting hundreds and thousands of users a day - then no-one is going to change.
(disclaimer: I know Code Red could be put into this category, but then again, it didn't wipe anyones personal files did it?)
(another disclaimer: This is a combination of mine and other comments from my original thread here ... ignoring the AC who obviously didn't get my point)
Avantslash - View Slashdot cleanly on your mobile phone.
As long as Internet Exploder is the ONLY browser to come with that shiney new PC everyones getting, then recommending that people DON'T use it is a total waste of time. People look at the prospect of tying up their modem for a 8-10MB file, and they basically think 'It won't effect me'.
I have enough trouble convincing my Mom and sister to update their AV software weekly, and that's only a few hundred kbytes.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Considering the BBCs site doesn't or didn't display right in Netscape how can they recommend avoiding IE?
If you're using NS4 then personally I believe you should expect problems. I'm all for cross-browser compliance, but there really is no reason to be using a 5-6 year old browser with substandard (to put it mildly) CSS support.
I design for standards compliant browsers, NS4 is not, therefore visitors who insist upon using this take their chances. Even Redhat have removed it now, which is a good thing - if only Netscape would remove the download link...
Code, Hardware, stuff like that.
I'm using mozilla with the internet explorer skin. It works great, though there's a little hack you have to do to get the home button back into the main toolbar.
:-).
Mozilla is a better browser than i.e. in a lot of ways (tabs, standards compliance, etc.), but the big one for me is that i.e. is essentially an ad delivery systerm. So there's not much we can do to selectively block cookies, or graphics from specific servers, or pop-ups, etc. And I don't like the prospect of being at the mercy of unscrupulous companies who wish to make changes without my knowledge or consent. (Actually, what I'd really like is a way to get rid of i.e. entirely on w2k/xp.)
That explains mozilla, but why the i.e. skin? Well, the default mozilla skins are not exactly beautiful. And my wife is highly resistant to change of any kind when it comes to her computer, and with the i.e. skin I was able to switch her w2k machine to mozilla without even a word of protest. Of course, at this point she's so used to tabbed browsing and the pop-up blocker that she wouldn't switch back anyway. And me, I don't have to worry about some exploit using i.e. to take her computer down.
Actually, I even use the i.e. skin on my linux box. Just for the perverse fun of it, I guess. I also have a nice wallpaper from w2k of a diver against a blue sky. It's very spiffy, though naturally I GIMPed out the little windows logo first
Hmmm, that's an expert opinion and it was strong. The author, Mark Ward, quoted Mr. Clover as a computer expert, someone who knows what they are talking about. The overall opinion was that Windoze was an easy to take over piece of junk and IE should be avoided. Note the lack of comforting words from M$ shills and other whores who would simply blame the user. The article concludes:
Fears about adware and spyware are not just for privacy fetishists and cyber-libertarians. Much of this surreptitious software is badly written and can crash your computer, others simply slow down your machine and make web use a chore. But the real danger is the fact that many of the loopholes in Windows that these programs exploit are being increasingly used by virus writers. If you do nothing to close these holes then one day you may lose much more than information about your online habits.
Can there be a stronger general denunciation than that? It ammounts to, "keep using this slow painful junk with and you will lose your work." That's an amazing article to see in the mainstream press.
Friends don't help friends install M$ junk.
I've been building pcs for many people on the side, and here's the biggest complaint i get when i try to push mozilla on them:
"Why doesn't the back button on my intellimouse work with it? It works with explorer."
And just like that, 20 or 30 people have turned off mozilla for just THAT reason. To them, it's just some browser that takes longer to load, puts an icon in the taskbar, and in which the back and forward buttons don't work. And it's no use trying to convince them of all the benefits.
I did. With IE. Here is what happened:
1. Your IP address
It picked up my IP address. Fair enough. I'm not running through an anonymous proxy.
2. Hidden tracking files (cookies)
It couldn't list any of my cookies.
3. Exposed Clipboard
This was a little scary. It picked up what was in my clipboard and displayed it.
4. Hack and Exploit Vulnerability
Sophos immediately popped up a message telling me it had detected 'Troj/Codebase-A' in my temporary internet files. A window appeared with some HTML telling me that file:///c:/winnt/win.ini had moved. But nothing else.
I couldn't open the click here links, the links below that didn't work and MSN wasn't giving out my contacts.
5. Browser and Operating System
Big deal. It got them from the HTTP_USERAGENT. I'm not totally paranoid - I don't mind people knowing what browser I use.
6. Geographical location
Middlesex, England, GBR. Well, 2 out of 3 isn't bad but not exactly something to get worried about. Wonder why it thought Middlesex though?
7. Your network
This took the piss. It's just a traceroute from them to the IP address that they determined in the first test. It's not much of a big deal.
I run Internet Explorer 5.50.4919.2200. Sure, I don't doubt that IE has it's problems - but the stuff that Anonymiser is shreaking about is generally not that big a deal and flagged only so they can sell their products.
(mind you the clipboard one was a little spooky)
Avantslash - View Slashdot cleanly on your mobile phone.
That's how I've always seen it used...
Your monitor is staring at you.
Let's say everyone stops using IE and starts using another browser. What do you think the bad guys are going to do, find another hobby? No, they'll target that browser. Just as nobody burglarizes an empty house, no one targets a browser with miniscule market share. Increasing the market share of another browser will just turn attention to that browser.
The other question is this: is IE inherently insecure? More than Lynx, yes. But users want features (yes, it's true...not all the bells and whistles in a "modern" browser are forced upon us) and features add complexity which increases the potential for holes.
For true security, just telnet to port 80.
If opera is crashing, try (if you're not already) the statically linked qt version. Stability problems are often caused by interactions between the installed qt on your machine and the one that opera was compiled against. The statically linked one does not suffer from this problem. If you are using the statically linked version, then I got nothin' for ya.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
I was, like, starting to read the article using Internet Explorer. And then my computer went like beep, beep, beep. And then I got redirected to msn.com. Seemed like a really good article. Bummer.
Of course, most of them were fixed before the article on The Register was even written.
Lots of people have access to the Windows source code, albeit under non-disclosure. See the various licenses at http://www.microsoft.com/licensing/sharedsource/
This article basically says to avoid spyware and adware in general. No shit. This isn't news.
They recommended that you don't use IE because that's what most of this nasty software is targeting, not because it's a buggy piece of MS shit. It stands to reason that the most popular browser is going to attract the most amount of attacks. Again. No shit. This isn't news.
Enough of the anti-MS propaganda, it's truly getting ridiculous.
Internet Explorer for Mac OS X (and Mac OS 9) doesn't suffer from the same problems as its Windows counterpart since it's not an "integrated" component of the OS; it's just an app. Doesn't mean it's not crap, sometimes.
Many Windows technologies that cause the vulnerabilities in IE/Windows are very limited or don't exist with IE/Mac. In particular, ActiveX control support is there, but appears mostly broken. Java support is strongest in this browser (it seems), but many Java pages don't render things properly since MS doesn't appear to tie their browser properly in OS X's strong Java implementation (1.3.1).
IE/Mac is just as annoying with pop-ups, but that's why I use OmniWeb, where I can disable JavaScript that generates pop-ups with one preference settings.
IE is still the most compatible browser, but only because many webmasters are drones to Microsoft's web tools--and shouldn't be. The pages they create work best--and in some cases, ONLY--with IE.
Vos teneo officium eram periculosus ut vos recipero is.
And that elitist attitude is exactly why Windows has the market share it does. You guys expect everyone to know how to change their own oil, tune-up their car, adjust the timing belt, and balace the tires.
The computer is a tool. My mom (and millions of others) knows how to drive a car and she knows how to drive a computer. They don't know how it operates, and they shouldn't have to. They aren't experts in computers, and they aren't experts in cars.
The idea that somebody has to have advanced knowledge of computers to use them is absurd. The fact that somebody thinks they should have to treat their use of the computer like navigating a minefield is even more absurd.
Nobody is entitled to security. But what they are entitled to is reasonably secure software, not a gaping sieve of a security nightmare, such as IE.
Better yet, Mozilla ought to use the text in the ALT attribute. At least in the context of an IMG element, the TITLE attribute is redundant. Since ALT is required for IMG elements anyway, why would you use <img width=80 height=60 src="foo.png" alt="foo" title="foo"> when <img width=80 height=60 src="foo.png" alt="foo"> conveys the same information?
(I was wondering where the tooltips for the icons at the top of every /. page had gone. Mozilla must be the only browser that doesn't render ALT attributes as tooltips.)
20 January 2017: the End of an Error.
Actually, what I'd really like is a way to get rid of i.e. entirely
Nice.
So you'll basically never be able to update that box then?
Update your machines, people!
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Unix have firewalls to prevent programs getting into the system.
Windows have firewalls to prevent programs getting out of the system.
Ciryon
I've been following the associated bug on this for a while and it isn't sounding too promising. Most recent threads are people pleading for a solution and coders saying it won't/can't be done. You'll have to copy and paste the link due to bugzilla blocking the Slashdot referrer: http://bugzilla.mozilla.org/show_bug.cgi?id=23679 . Also, this NTLM auth proxy being written in Python that looks promising. It sounds like the proxy sits local and performs the NTLM auth. I've heard .net will have it's own authentication, but I can't find anything on it (argh, generic search terms).
There *is* a difference. ALT tags are a boon to making websites ready for Lynx and text-only browsers for the disabled. So if you have a graphic button that says "Home", consider these two variants:
<img src="home.png" width="100" height="20" border="0" alt="This button takes you to the homepage">
and
<img src="home.png" width="100" height="20" border="0" alt="Home">
and
<img src="home.png" width="100" height="20" border="0" alt="Home" title="This button takes you to the homepage">
The first tag (which is what you suggest) would be a little awkward in a text browser, since "This button takes you to the homepage" would show up (when "Home" would do).
The second would look idiotic in Mozilla, since the tooltip would just say "Home" (well, duh), but it would work in Lynx and other text browsers.
The third is ideal, because everyone gets what they need -- Mozilla's tooltip would say "This button takes you to the homepage", but the text browsers see just "Home".
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
And I pick a competent web designer, which clearly excludes you.
To code for other browsers as well would take at least 2-3 times as long.
What a load of crap! I can only hope that making such an idiotic claim leads you to a job more suited to your talents, such as one that involves asking your clients, "would you like fries with that?"
The problem with Windows isn't single-user mode, it's the fact that it's vastly over-spec'd and everything is on by default.
If e-mail readers just read text messages and let you write them back, and web browsers just displayed HTML instead of automagically downloading and installing stuff, and you didn't default to running with any TCP/IP port you like available, and so on, then any single-user OS could still be secure.
The problem is the way power has spread without adequate control. They invented ActiveX, based it around a non-secure model, and then let web browsers use it, instead of just rendering HTML. Then they made the e-mail client accept HTML mails, using the same rendering engine, so now someone just has to send you a mail, rather than you actively visiting a site. They gave the e-mail client a preview pane, and switched it on by default, so now the software has a chance to do its damage not only if I actively do something like visit a particular web site, but even if I fail to actively switch it off.
The same story happens all over the place in Windows, and is behind nearly major security cock-up out of Redmond in the last several years. You'd think they'd have learned, but then they'd have had to unbundle IE.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I haven't played with this, but I understand that NS4 does not support @import, which makes for a useful loophole-- put NS4 styling in a "link rel" stylesheet, and put styling for compliant browsers in an @import stylesheet.