CERT Recommends Mozilla, Firefox
EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."
CERT's recommendation usually is to download the patch. However, since this hole has an exploit in the wild, and there isn't a patch to be found... use something else is the only recommendation left to issue.
Mac, Linux and other non-Windows operating systems are immune from this attack.
At least he said "this attack" instead of "attacks".
Anybody have a list of which sites were affected by this IE/IIS problem? Seems as though it's been kept under wraps pretty well so far.
San Jose Mercury news indicates Yahoo!, Earthlink, and EBay. True, not true?
Now KBB?
Thanks.
Caution: Contents under pressure
but joe user won't read this or know about it. too bad eh?
the only way is to hijack people's computer, install a real browser, and put the IE icon on it.
If you were using Firefox perhaps you wouldn't have FAILED IT
Snowden and Manning are heroes.
...when Firefox crashes whenever it tries to load the page. Don't get me wrong, I love Firefox, but it isn't perfect yet.
Here's the beta version of my freeware program popURL (for Windows, sorry!). You can copy a URL to the clipboard (Copy Link Location) then click the tray icon, and popURL will pop up an info box on the URL telling you the software running on the remote server (IIS, Apache, whatever); the MIME type of the document, and its size if available. Potentially useful for safe, IIS-free browsing :) On UNIX you can get the same info using wget -S though somewhat less convenient.
But this is Slashdot, aren't they really just preaching to the choir on this one?
that some security flaws are Windows only. In a local newspaper there was a small article about the latest security exploit that could install a trojan on your machine, and thus possibly empty your bank account. For once, it was said this only was an issue for users using Microsoft Windows in combination with Internet Explorer. Usually, when a Microsoft Windows virus/trojan/worm is reported, no reference is made to Windows as such.
Well, considering that Internet Explorer is an "integral part of the operating system" they are only a hair shy of telling people to switch to an operating system that isn't vulnerable to so many damn critical remote vulnerabilities.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I guess there should be some satisfaction in the sense that a somewhat mainstream new source is recommending using alternative browsers.
Wasn't there a discussion a while back about CNN only recommending to keep virus definitions up to date without a mention of Mozilla, Opera, or others?
It would be cool if it didn't suck.
My piece, written for the non-techie masses, on why they should consider other browsers: http://channels.lockergnome.com/news/archives/2004 0615_why_you_should_dump_internet_explorer.phtml
I am glad to see CERT step up and make a decision like this despite the fact that they are guaranteed to be flogged for it.
dmiessler.com -- grep understanding knowledge
I love Firefox but I have to use IE for a few sites, maybe this will force these last few sites to step up and get their sites working with other browsers.
Nothing annoys me more than to get a message that my browser is not supported when I visit a page!
This isn't new. I've been recommending people not use IE for years.
What seems to be novel about this attack is that it uses holes in both IIS and IE. When an IIS server is attacked, the payload is to compromise the site such that malicious code is inserted into every page with no outward sign that anything's wrong. That code in turn exploits a hole in IE to get onto a user's PC, which in turn goes looking for more IIS sites to compromise.
This worm depends on there being flaws in both programs. It wouldn't be nearly as powerful if those two flaws couldn't be used in concert.
... they should add to the list of Microsoft software users to consider safer alternatives the users of Outlook, IIS, MSSQL, Windows 9x/Me and Windows NT/2000/XP. All of them are good examples of ticking timebombs.
I think this is just like the straw that broke IIS's back on the server side. Big holes, no solutions...The big boys say your only solution is to use a safe product - all of a sudden Apache is golden. And this is not like your neighbor geek saying "hey, check out this browser" -- next we just need gartner to say -- do not use IE....and then that will be all she wrote. RIP IE. With all of your popups, tabless browsing and thousands of security holes, good riddance. Rot in hell.
(+1 Funny) only if I laugh out loud.
Whilst IE remains a liability, there are still occasional sites that only function properly using IE (e.g. Outlook Web Access that my work persists in using). Firefox is the way forward (tab browsing is a dream)..... though wish it wouldn't mess up the page layout on /.
Good recommendation from CNET. I am a windows user (mostly) and get a chance to use unix boxes only at work. if using a web-browser, IE was the default choice since it's bundled with windows. I installed opera, netscape but they had issues loading a couple of webpages. I then tried mozilla but it was too slow. I then tried avant browser and it worked wonders albeit for a short period of time. The popups were still coming, and there isn't a shortcut for opening a new tab. Finally, I moved on to Firefox 0.8 and 95% of the time, I am a die-hard user of firefox.
I now use IE only to open my native language webpages since they aren't encoded properly in firefox. I would be grateful to anyone if they can show me how to open www.eenadu.net in Firefox. The native language is Telugu, if anyone needs it
V
that a division of Homeland Security would specifically suggest NOT using M$ product... Dammit, I don't want such doubt cast on the conspiracy theory that M$ is in cahoots with the gov't... this is seriously fucking up my whole worldview. Oh, the pain of cognitive dissonance! ;-)
"We are the first generation to influence the climate and the last generation to escape the consequences." - John McCain
Has anyone received any alert from CERT regarding this issue ? I have not, and also have not found any references to it on US-CERT website.
Alvie
Actually Firefox doesn't even run, since upgrading. No core file either. While the other Gecko based browsers crash on certain pages, or just crash after awhile of use. That's why I'm using Opera now.
I switched a month ago from Outlook to Thunderbird, which went so well that I switched last week from IE to Firefox. Especially the ease of importing of previous Outlook/IE settings was astonishing!
On the other hand, I found out that it is not that simple to get rid of IE though, a quick search reveals that it is not always simple[google].
with security set to high and be protected from this problem.
There are first malicious programmers that try to infiltrate mozilla users. An example is http://xxxtoolbar.com/ (sexually explicit!) that tries to install a "toolbar" per XPI. Fortunately this needs a Win32 system and a user who clicks without thinking.
Have you ever seen a signed mozilla extension?
"CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Of course they are advising something else: IE has a past of insecurity. This has two causes:
1) IE is crappy coded (it's closed-source, so there's no 'second opinion' on the code). 2) IE is wildly used, so very attractive to find a security bug in it (for malicious activities).
Therefor I recommend a non-IE browser (prefferably Opera or Firefox) to everyone.
In need of reliable and affordable server monitoring?
Seriously, I suspect that anyone who knows what CERT is already runs Mozilla (or at least knows he should). More significant is that this is on the Washington Post. With all respect for CERT, the mainstream press is what we need here.
Now only the mainstream media has to jump on the bandwagon and tell its readers/viewers to do it.
And it should not simply tell them to upgrade their anti-virus software even if that doesn't help at all, like CNN did yesterday.
That is how long I give Microsoft before they find themselves confronted by a revolution from their users due to their inability to deliver secure products.
Instead of spending their effort trying to destroy their competitors (which, today, means open source software), Microsoft should be closing the gap.
Yes, all software has potential insecurities. Yes, Microsoft is targeted because they are the dominant monoculture.
But no, this changes nothing. A burglar will always go for the easiest target, and Microsoft users will always be the target so long as Windows et al. is even just slightly less secure than the alternatives.
Microsoft should release a service pack to Windows that sets the security settings on MSIE to their highest levels, even at the risk of breaking many web sites. They should sponsor anti-spyware software developers with large prizes for the best anti-spyware software. They should be talking to major ISPs for ways to detect and disable zombies.
Redmond, listen: Make Windows Secure.
Otherwise you will be tarred and feathered by your long-suffering users who will prefer any viable alternative to one more "surf at your own risk" experience.
Sig for sale or rent. One previous user. Inquire within.
Yeah, they usually recommend patching, but there isn't a patch this time!
And, damnit, patching does you no good when you are the first to be hit with a new vulnerability, i.e. before the patches are even available. Does anyone think that this is the last, or even near the last, of vulnerabilities to be discovered in IE?
The real pain in all this is that M$ is forcing everyone to upgrade to IE 6.0. Everyone that is in bed with M$ forces you to upgrade to 6.0 (many DSL services and a thousand little application programs that all use the latest IE crap!). The last machine that I removed spyware from, all of the spyware/adware dated after the time that she updated from IE5.0 to IE6.0! Near as I can tell from my experiences on my own machines, IE 5.0 and 5.5 are not susceptible to stuff that IE 6.0 is, with or without all patches.
I should upgrade why? Better security? I think not!
CERT have suggested using a different browser before (e.g. here).
I wouldn't read too much into it myself though. If one browser has a vulnerability, and another doesn't, surely it's an obvious thing to suggest? And in the past, they've pointed out the potential problems with not using IE (i.e. incompatibilities with IE-dependent sites). More a suggestion than a recommendation I'd say.
URL is 404
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
(Score:-1, Maybe The Drugs Did Help)
Jennifer Scharff, vice president of marketing for MinervaHealth, said some of the company's clients reported the problem on Thursday. The company has since fixed its site, she said. Scharff said no more than 50 visitors browsed the Web site during the time it was serving up the hostile code.
I had never heard of the company, but is it realistic that only 50 visitors browsed the site after it had been cracked? That seems very low, especially for a problem which was previously unknown to the Virus scanners.
Mielipiteet omiani - Opinions personal, facts suspect.
I expect corporate firewalls to start blocking IE soon. Be prepared. Do you want your E-commerce site locked out?
The problem is not that IE has bugs. It is that, by design and intent, it gives the web site too much power over the browser, and the browser too much power over the operating system. This is a fundamental design flaw, and cannot be easily fixed.
Because IE hasn't changed much for a few years now, the other browsers have solved most of the compatibility problems. You don't really need IE any more. There are still sites that won't work with Mozilla or Firefox, but there are usually competing companies with compatible browsers.
Recommending explorer users to use mozilla/firefox is fine.
From the article
The attack takes advantage of several recently discovered security flaws in Microsoft's Internet browser and Internet Information Services Web software. Microsoft released a patch in April to fix one security hole in its Internet browser; the company is still working on a patch for the other flaw, which security researchers publicly detailed less than two weeks ago.
But a recommendation for the people running web servers that are vulnerable to this attack would *really* have been more useful. Excuse me if there's already some recommendation (Having a link to that in the news item'd have been better in that case)
Doesn't seem to work on Internet Explorer 5 either.
I think this is just like the straw that broke IIS's back on the server side. Big holes, no solutions.
One solution is to stay patched. The RPC bug they are using to infect IIS sites was fixed some time back (update 04-11). Only sites that have not patched are vulnerable. Seems this solution is necessary for Apache too.
The open bug is on the browser side.
I'm using Firefox for my daily browsing, but I'm still using IE for internet banking. This is because most Internet Banking only supports and recommends using IE, and I can't log in if I'm using a different browser (i.e. Firefox or Mozilla)
Yeah, but there are too many sites that won't work with Firefox. Worse, sometimes I'll click on something and it just won't do anything, with no indication from Firefox that it is an unsupported feature (activex or whatever). It would be nice if Firefox at least told me when it can't do something so I could load the page in IE.
Another problem is that now my bookmarks are spread across IE and Firefox. Neither one is master list. It's all fscked.
It should have read "Internet Explorer", not "Explorer", on the blurb for this article.
Explorer is another component in Windows.
I think this is the thursday past reference, but it certainly doesn't contain a reference to any browser switch.
"IIS 5 Web Server Compromises
added June 24
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."
If anyone has the URL reference that has the browser recommendations, please provide it, it will help in spreading the word better. people might take it more seriously coming from a cert reference than just some news article.
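The check the US-CERT notice quoted above asks IIS 5 administrators to make (no unusual JavaScript appended to the bottom of delivered pages) can be automated. The following is an added example, not part of the thread and not US-CERT tooling; the function names, finding labels and sample responses are constructed for illustration, and the on-disk comparison assumes static files.

```python
import re

HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN = re.compile(rb"<script\b", re.IGNORECASE)
TAIL_WINDOW = 2048  # bytes inspected at the end of non-HTML responses


def bytes_after_html_close(body):
    """Return everything after the last </html> tag, or None if there is none."""
    matches = list(HTML_CLOSE.finditer(body))
    if not matches:
        return None
    return body[matches[-1].end():]


def check_response(content_type, body, on_disk=None):
    """Flag signs that a footer was attached to a served response.

    content_type: the Content-Type header value as served
    body:         the response body as bytes
    on_disk:      optional bytes of the static file the server should have sent
    """
    findings = []
    media_type = content_type.split(";", 1)[0].strip().lower()

    if media_type in ("text/html", "application/xhtml+xml"):
        tail = bytes_after_html_close(body)
        # Whitespace after </html> is normal; anything else deserves a look.
        if tail is not None and tail.strip():
            if SCRIPT_OPEN.search(tail):
                findings.append("script-after-html-close")
            else:
                findings.append("content-after-html-close")
    elif SCRIPT_OPEN.search(body[-TAIL_WINDOW:]):
        # A server-wide footer is attached to images and other files too,
        # where script markup has no business appearing.
        findings.append("script-at-end-of-non-html")

    # Strongest signal for static content: the served bytes are the file
    # on disk plus extra bytes that are not in the file.
    if on_disk is not None and body != on_disk and body.startswith(on_disk):
        findings.append("appended-to-on-disk-file")
    return findings


# Constructed sample data (not captured from any real site).
CLEAN_PAGE = b"<html><body><p>Used car values</p></body></html>\r\n"
FOOTER = b"<script>/* constructed placeholder for an appended footer */</script>"
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"

SAMPLES = [
    # (name, Content-Type as served, body as served, file on disk)
    ("clean.html", "text/html", CLEAN_PAGE, CLEAN_PAGE),
    ("tampered.html", "text/html; charset=iso-8859-1", CLEAN_PAGE + FOOTER, CLEAN_PAGE),
    ("logo.jpg", "image/jpeg", JPEG + FOOTER, JPEG),
    ("comment.html", "text/html", CLEAN_PAGE + b"<!-- node 3 -->", CLEAN_PAGE),
]


def scan(samples):
    """Run check_response over (name, content_type, body, on_disk) tuples."""
    return {name: check_response(ctype, body, disk)
            for name, ctype, body, disk in samples}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, findings or "ok")
```

Fetching pages from outside the server rather than reading the files locally matters here, because the files on disk can be unmodified while the responses are not.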
Nice piece, but there's a space in the URL between 2004 and 0615. Delete that space for the correct URL. That is, http://channels.lockergnome.com/news/archives/2004 0615_why_you_should_dump_internet_explorer.phtml
What can I say, been using Firefox 0.9 for a few days now, nippy as hell, easy install, great gui that doesn't get in the way, no more sluggish IE action. I just hate it when I accidentally launch IE it feels soo slooow.
I love the tabbed windows, such a simple idea that makes sense, and popup blocking makes surfing fun again.
I was scared off before by the bloat of Mozilla, but Firefox is the bee's knees.
Don't get me started on Thunderbird, a real OE killer.
Since we're talking browsers, which ones are best to use? I've seen people on the web bitching about the Mozilla projects. I don't know what that translates to. I have firefox on windows and it's good.
Also, I just downloaded linux to make the switch. (Unfortunately I just found that I no longer have any burner software on my windows box so I can make the switch.. GRRRR I guess I won't see MS bundle burner software free, eh?) What are the preferred linux browsers? I've used konqueror before as well as firefox. But I see there is dillo. Which ones are best to try and how do you identify good browsers?
The news has been far from clear! They say there's no patch, and yet they tell you to "run virus scanning software."
Best Buy can have you arrested
The Alert Service of the Dutch ministry of Economical Affairs concluded that early June too.
One of the solutions given is to "temporarily choose another browser until a patch is released".
And while you are at it you may wish to change the security settings for your "My Computer" zone.
Read this:
Description of Internet Explorer security zones registry entries
Then edit the relevant key (if you don't know how, then you should just switch to using a different O/S or browser):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Change Flags from 0x21 to 0x01 to make it visible.
Once you do that you can more easily change the security settings for the My Computer zone.
You could also add your own custom zone, but if you have to ask me how to do it, you shouldn't.
Note that while disabling javascript and stuff in the My Computer zone protects you from numerous IE exploits[1], the web style windows explorer and other stuff require active scripting and other stuff to be enabled. So you would have to switch to the classic style. I don't see what benefits the web style has - other than make monitor/LCD vendors happy - it takes up more screen space.
[1] many attacks involve cross zone exploits with the aim of running the exploit in the My Computer zone which has lower security levels by default - raising the security levels e.g. requiring prompts before active-X stuff is run, disabling active scripting (I see very little need for scripts to be enabled on locally stored HTML pages, heck I see very little need for most websites to use javascript).
I think that the Washington Post has gotten its facts wrong. The only thing they say to do is to disable Javascript:
http://www.us-cert.gov/current/current_activity.html#iis5
And Yes, I know this doesn't make us any safer.
The issue is two fold... One, they are able to force IIS (only IIS) to serve out a footer to every html, jpeg, etc. that the web server sends out. This then contains code that then executes on the browser. This isn't just Internet Explorer's fault, it is the company's fault that uses IIS to serve out its web pages. We have long since known that IIS is not secure, and yet still we have major sites that use this for their front end. I am not sure, but couldn't a reverse proxy stop this from happening at all? Aren't the major web sites responsible for serving out viral web pages? My problem is this: You cannot browse all of the web with only mozilla. You must use IE to browse some sites, or they don't look right. The content is sometimes unreadable without IE. I agree that Mozilla is comparable. I use both. I recently designed a site for a company, and the hardest part was getting it to look right in IE, Mozilla, and Opera. But when it was done, I knew that it was done right. This is the problem. Web designers don't want to take the time to worry about standards compliancy. The statistics still say that around 80% of all browsers are IE. Why would they need to worry that much, all of the people reviewing the sites are using IE (executives and marketing). We are not going to get all users, or even the majority of users to switch to Mozilla, they have been using IE for years and as some of you have said, some users still think that "E" stands for the internet. It is going to take time. What I think we really need is to stop relying on Microsoft to be the internet facing web applications. They can be the business world's desktop, and even the enterprise servers, but they cannot continue to be the web facing application servers.
...with the M$ and US government rants that go..."We believe..." or "We do not believe...", especially when they are defending their views on something. Look, facts are facts. Why don't they admit failure? We are all human and as such, we'll make mistakes from time to time. I will continue having trust in FOSS. Good it came in my [productive] lifetime.
I'm actually surprised no one mentioned this yet. Yes, I read all comments so far.
This CERT (whatever it is) is _not_ endorsing the Mozilla family of products, it is recommending against Internet Explorer and other browser-apps (Avant/Neoplanet anyone?) who use IE's rendering engine.
Next thing, headlines will read "CERT endorses Linux apps for web browsing", merely because Mozilla and Firefox happen to run on Linux.
and send it registered mail to your bank. Notify them that continued use of insecure servers, and requiring you as a customer to use an insecure web browser, could lead to a compromise of your personal data and a direct loss. It's not a threat, just a statement of actual, probable data. And if such an event occurs, that you would consider taking legal action against them. Maybe that will get their attention. And if you are a stockholder in the bank, or have a valuable mortgage there, or other serious business, it's even worse.
I don't do online banking but if I did and that was part of it, forcing me to *use* grade c products, and having to *trust* grade c products, at a place that HAS to consider "security threats" over almost anything else, I would have long ago called up and kvetched about it or sent a missive along the lines I have outlined.
Think about it, how many people would trust a bank if it had no doors, it was running in the seediest section of town with obvious scoundrels hanging around the entrance, the vault was open, no security guard in sight, and if they forced you to come in blindfolded, turn over the keys to your car to one of the characters hanging around the opening where no door is, and to trust whatever happened then to you and your money as you came and went? No one would put up with that, but in the cyberworld, that is *exactly* what is going on all the time with these insecure out of the box office/internet "products" from that convicted monopolist corporation and with their co-opted and faked out business "partners". You would THINK after the 983rd time something like this happened that they would have bought a clue or two. And it just gets worse, all the time, it hasn't gotten any better, just the exploits get better, and paying for the privilege of getting exploited costs more.
Good idea for a geek cyberbank, BTW, that runs only better quality open source, and refuses entrance with explorer browser, and gives a helpful page where to get the alternatives. Niche market, but I bet it would get decent business over-all.
Credit is being given where credit belongs. The softies can try to spin this, but they will fail as there is little hope for them to fix their platform's underlying design flaws. Microsoft remains a security disaster.
While no one will tell you that free software is immune to attack, they can tell you that free software users are not monthly victims of attacks that take advantage of moronic software design. Can anyone point to a single free software worm that auto propagated?
The variety of free software and its quality makes such stuff very difficult to design. Imagine that you did find an exploit for a popular linux desktop that could propagate itself. Right away, you are limited to less than half of the linux population. I use KDE, others use Gnome, Window Maker, OLVWM and so on to console emacs. Typically, news of the exploit is trumpeted with bug fixes and patches. Problem solved, usually without loss of data.
The widespread, spam sending, net threatening DoS attacks that we have seen on the Microsoft monoculture won't happen with free software.
Friends don't help friends install M$ junk.
You're new here aren't you?
That is how long I give Microsoft before they find themselves confronted by a revolution from their users due to their inability to deliver secure products.
... IS a 'revolution' from their users.
... but it is just as malicious to have written 5 different Operating Systems, in the last 20 years of computing science, which have continually allowed this circumstance to occur...
...
Every single Windows virus
Nothing says "I hate you Microsoft, I want to bring you down" more than a well-written Virus designed to bring the issue of extraordinarily poorly written and managed software releases to the attention of the world.
That this fact is ignored only proves that Microsoft's responsibility for this issue has been deflected, quite well, by their PR people, towards the Virus writers and away from the true culprits: Microsoft, Inc.
It is Microsoft's complete and utter lack of responsibility for the issue of Virus control and propagation which has resulted in this situation. Sure, it is malicious to write Virus code and let it loose on the 'net
Don't overlook this fact. Microsoft are the ones who are responsible for this condition, now. In the first 2 years of Virus problems, it was feasible to forgive them. But not now, after 20 years of 'product' from Redmond, in light of all the opportunities they had to truly resolve this issue
Punish Microsoft the only way that hurts: STOP using their "products".
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
also interesting is that while I was on an EzBoard I got a lot of PHP pop-up errors from my local web server. Somehow the code on an Ezboard forum was trying to access 127.0.0.1 or something like that to run an exploit in PHP. I shut down my web server and the errors went away. I was using Firefox 0.9 and I never had this error before. Maybe if I used IE I would have been infected with some wonky ActiveX exploit?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
we would instantly switch to using firefox if they added support for proxy autoconfiguration via wpad. (either DNS or dhcp based wpad would be fine). We have laptops that need to be able to pick up their proxy configs automatically since they roam between offices....
--
Time is on my side
...during those days I used to do tech support, one senior administrator told me on booting his system with a *non-system disk* inside..."My computer does not have Microsoft...!". Man I was about to laugh but kept it inside. This world is so full of people who have been brainwashed by M$.
with Netscape over ten years ago and stuck with it. I didn't switch to IE at first because I didn't want to. Then it became an issue of; Gates didn't pay for my computer, or the electricity to run it, so where does he get the idea he has any say in the software on it. Then I found Linux, Konqueror was cool, then Mozilla. My current box is dual boot, XP and RH9. In windows I use Mozilla. The only time IE can be found is for update. No icons, no place on the start menu. I consider it a virus trap and treat it that way.
Professional Politicians are not the solution, they ARE the problem.
You know, for a group that really should know better. We seem to defend the "it doesn't crash, or have other problem" position awfully strong.
It's software after all. One of the more complicated things that man has built.
Robyn Eckard, a spokeswoman for the Irvine, Calif.-based Kelley Blue Book, said the company learned about the problem late Wednesday after Web site visitors said their antivirus software tipped them off to the code. Eckard said Kelley Blue Book removed the malicious code from its site by late Thursday afternoon.
There wasn't any mention of their site being down so that means a period of what could be almost a full day where they knew their website was infecting customers with this virus but continued to let it run. Are they really allowed to do that? Perhaps they figured the bad PR or loss of business from their site being down would be greater than the bad PR and loss of business by their customers being infected by this thing then possibly robbed when their bank info was lifted. Perhaps the article was just mistaken, google returns multiple sites and at netcraft I can't make heads or tails of the first one but the second site appears to have remained up could they be charged for this it seems kinda like one of those people with AIDS who doesn't tell partners they're infected and goes around having unprotected sex.
I stole this Sig
How many people do you think actually look to CERT before choosing what web browser to use? And among that group of people, how many are already using an alternative browser?
Second, the fact that IE is closed source means that you could not possibly know that it is coded badly.
Third, nobody uses Firefox, but I can't wait til they do so we can see how many bugs hackers can find. (They're already taking advantage of the XPI Installer)
Fourth, you would have sounded more important if you'd spelled Therefore correctly. Instead you just sounded like a stupid parrot, repeating the advice already given to us. Hope you're proud of that "Insightful" point!
The quote is so rich, I think I'll include it.
CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions.
Good bye, anti-competitive little nasty. IE was M$'s attempt to push its desktop monopoly into the web. I'm going to be so happy when I quit running into pages that ignorantly tell me they are best viewed in IE. With it will go a whole host of proprietary crap.
Friends don't help friends install M$ junk.
1. Get Firesomething extension for Firefox 0.9
2. In the dialog box, remove "Mozilla" vendor and add "Microsoft". Remove all prefixes also and add "Internet". Remove all names and add "_Explorer" (substitute the underline for a leading space). Enable the "single name mode". Apply.
3. While you are at it, get the Luna Blue 0.4 theme from http://www.intraplanar.net/projects/lunablue/
4. Adjust the icons so they look really like explorer. The order should be back, forward, STOP, RELOAD, home, separator, favourites, history, separator, mail, print
5. Rename the shortcut to "Internet Explorer" and change the icon to the blue "e" (do this on the Desktop and Quick Launch bar as well)
6. Never again worry about worms.
Dear aunt, let's set so double the killer delete select all
I have no choice when doing online banking. Rabobank
This particular vulnerability has been patched for two months (MS04-011). Had the administrators applied that patch when it became available this would have been half fixed. Then all you'd need to do is get an IE fix. And then that would be the end of this particular issue. Since the patch existed before any known use of the exploit, the blame is squarely on the shoulders of two groups: (1) the malware author(s) themselves; and, (2) the lazy system administrator too slow or stupid to deploy the patch in a timely manner.
Really, this is an issue settled by termination of the employee responsible for not keeping a good record of patches and updates. Of course, that still leaves the IE problem, but with the IE team recently recreated, probably for Longhorn, but perhaps they're there just to release an update to IE to fix this type of crap, we may see the end of these types of things. If only people would quit exploiting innocent code... Sadly, people left to their own devices will revert to base and vile activities, then add in the anonymity of the internet, you get the jerks who think it's fun to spoil the party for everyone.
If there isn't a patch for the IE hole yet, there can't possibly be an exploit in the wild
"the attack" What attack? At least link to a previous slashdot story!
..that does not work in recent versions.
*Google shows a slight upswing in Gecko marketshare in the last couple of months
*Firefox 0.9 is an awesome release, and 1.0 promises to be a killer
*Mozilla foundation hires former Netscape marketing guy and also starts major grassroots marketing effort
*MSIE is hit with more security vuln's than ever before
*More and more mainstream tech news outlets start recommending firefox
*Microsoft is sufficiently scared to reconstitute MSIE dev team
Could this be the beginning of another round of browser wars??!!
The shareholder is always right.
Even mild recommendations to "consider using other browsers" come out only when other BUSINESSES are affected. When the consumer is the only one affected, no one seems to care much (usual "get anti-virus updates" etc. apply always).
It is interesting that after months, I was browsing kbb.com several times in the past week because I was in the market for a car. I am glad I use Opera and Firefox for my browsing (and IE only for INTRAnet sites that required it at work).
Explain please.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
In fact, this has already happened. Have you ever used a default install of IE on a Windows 2003 machine? Everything's set for really high security. You can't even *download* an .EXE file by default. You have to manually add the site to the Trusted Sites list, and you're pretty much expected to do that with any site you want to do anything more sophisticated than reading a static page.
Supposedly, this configuration will be rolled into XP Service Pack 2 as well. No word on what Windows 2000 users get.
Of course, the spyware vendors will just add instructions that say "To play this game, click on Trusted Sites and add www.fuckyourcomputer.com". And the masses will obey.
And of course, Microsoft uses it as yet another marketing opportunity. Every single prompt and dialog involved trumpets "Microsoft's New Enhanced Security Configuration Initiative". As if we should be thankful to them for fixing holes that THEY caused in the first place.
And another dated June 24, 2004, at http://www.us-cert.gov/current/current_activity.h
Am I looking at the wrong advisories? Where does it actually say "Switch to the following alternative browsers"?
Second, the fact that IE is closed source means that you could not possibly know that it is coded badly.
No? Then how would you explain all the security bugs found in the past? It's not a bug, it's feature eh?
Third, nobody uses Firefox, but I can't wait til they do so we can see how many bugs hackers can find. (They're already taking advantage of the XPI Installer)
I think you've been living under a stone way too long, Firefox is getting bigger and bigger and really good on its way to become in the browser top3.
Fourth, you would have sounded more important if you'd spelled Therefore correctly. Instead you just sounded like a stupid parrot, repeating the advice already given to us.
If you had taken 3 seconds to check the link to my homepage you would see that I'm from The Netherlands, and therefore English isn't my native language. I often hear that my English is very decent, but nobody's perfect. I'm very eagered to hear your Dutch.
Hope you're proud of that "Insightful" point!
If you think that I'm a karma whore you should take a quick look at my Slashdot posting record. Instead of getting modded down to Flamebait and Troll as your record states my posts are modded up very often. You really think I have nothing better to do than improving my karma on Slashdot?
Get a life you fool.
In need of reliable and affordable server monitoring?
Actually, IIS isn't being attacked -- it's an RPC hole in Windows that some large sites apparently neglected to firewall/patch/etc.
Perhaps if a large ad network had Linux/Apache set up in an insecure way, the Evil Doers would have gone that route.
Apache had to be patched for an RPC bug?! Probably not since Apache doesn't implement RPC...idiot.
Read what they said yourself...
http://www.kb.cert.org/vuls/id/713878
Folks:
I have been using a nice IE add-on called Slimbrowser. It has a lot of features and I really come to like it. But I also have been using Firefox and noticed rendering is 2-3 times faster than IE/SB! Would love to move from SB to FF but I noticed I want certain features that SB has that I haven't been able to find on Mozilla's website. Can anyone point me to the right direction and tell me where to download the right Windows extensions that can make Firefox have the:
1) Ability of running any Windows shortcut or folder within the browser or explorer.
2) Autologin of websites (form filling-username, pass)
3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)
4) "Groups" of websites that open in tabs at the same time
5) In-line Flash/Advertising blocks (I noticed one of Achilles' Heels of FF is that it eats cpu like crazy when flash is used on the page)
I would appreciate any help you can give me!
No, now you read the headline as saying it 'endorses' the Mozilla family, which is not what it said. The headline said they recommend Mozilla. Yes, they do recommend against Internet Explorer and yes, they recommend Mozilla (among other browsers) as alternatives to Internet Explorer. So, while the headline is quite Mozilla-centric, it is quite correct in stating they recommend Mozilla as alternative to Internet Explorer.
1) not that I know of
2) use the firefox password manager (it is built in)
3) try adding a bookmark to yahoo, removing the search criteria from the url and replacing it with %s. then assign it a keyword.
that way you can just type.. 'yahoo searchciteriahere'
4) groups of tabs. add the group of tabs to a bookmark folder, right click the folder and open all tabs
5) try the adblock firefox extension. it is on the extension website.
there has never been a better time to try it IMO
1 Ability of running any Windows shortcut or folder within the browser or explorer.
Firefox is a web browser. Is your computer running a web server, and if not, why would you expect your web browser to be able to 'explore' your folders in the browser view? Try "Open file". There, you can "explore" and "open" at your leisure.
2) Autologin of websites (form filling-username, pass)
Security hazard. I don't care how much you think this is a great idea; it isn't. Sometimes us developers must protect you against yourselves.
3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)
I just put all the search engines I like in a HTML-page that is my default page. What you want is trivial to do in Opera BTW, and probably in FF too (after all, there's always the source, worst case).
4) "Groups" of websites that open in tabs at the same time
This is standard. Are you trolling? Open bookmark folder, click "Open in tabs". What a waste of time.
5) In-line Flash/Advertising blocks
Plugin: Adblock
certs is recommended for preventing bad breath! please, let's not be remiss in this.
CB
free ipod and free gmail!
My piece, written for the non-techie masses, on why they should consider other browsers:
For the curious, here is the correct link.
Portable versions of Firefox, GIMP, LibreOffice, etc
Man just email admin@site or ceo@site or director@site or better all of them.
:)
Send an email to the highest people there (not at once but in intervals of 24 hours).
Say how lousy the webdesigners are, and how 90% of other sites give users a choice - of using something other than IE.
Tell that there is a significant proportion of customers that run something else - including prominent figures and CEO of big companies.
I mean really embarrass them to the point they fire the mediocre MS-Frontpage-whores. And then whether they take action or not - just do yourself a favour and boycott the site.
I did that - it works wonders.
DON'T email the webmaster - email the big guys!
It's nice getting an apology from a Director and promise of immediate action
Film at 11.
autopr0n is like, down and stuff.
read my post again. i never mentioned IIS and apache.
You didn't mention them, but the point is relevant nonetheless.
You claim that if Linux was as popular as Windows, you'd see a lot more widespread security issues with it.
He countered with a specific example of a Microsoft product against another OS product. The OS product is more widely deployed than IIS, yet has far less security problems.
What makes you think that Microsoft products aren't inherently more insecure? IIS certainly is. IE certainly is. OE certainly is.
Perhaps if Linux was more popular, we'd see far less problems.
I searched cert.org for this recommendation, but I couldn't find it. Anyone got a URL? I'll believe it when I see it.
Actually there is an extension that will open external applications and folders.
http://texturizer.net/firefox/extensions/#externalapp
For a while, I had a Firefox shortcut in my Startup folder. Since I always log in and open Firefox, I figured why not. With this extension, I could open other apps right from the Firefox toolbar.
To open a folder, you have to open Windows Explorer with a location as an argument.
It's easier than it sounds. Really.
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
It should also be noted that Apache is open source, meaning you can actually go look at the code to look for possible ways to exploit possible bugs/security flaws. The same doesn't happen with Microsoft's IIS and yet it is still more vulnerable than Apache is...
I am a speak english. Do you not? - Saroto
Switching browsers is not enough. Who knows, Mozilla could be the target of some malware tomorrow. Switching to Mozilla just buys you some time.
To be more secure we need an OS that prevents the browser from executing unauthorized code and prevents the browser from accessing sensitive information or applications on our systems. The browser should not be allowed to be the only layer of security.
One way would be to switch to some Linux, using a distro that makes use of the SELinux stuff that enables mandatory access control, and set up a good security policy.
God is REAL! Unless explicitly declared INTEGER
"So how do you explain that it is IIS and not apache that is being attacked?"
* Apache is more secure than IIS. That's a fact, but it's different to saying that all open-source software is more secure. It certainly doesn't prove that linux is more secure than windows (although other evidence certainly does)
* Apache runs more websites, but lots of those are on the same computer. My website runs on the same Apache server as 2782 other websites. My sourceforge websites run on the same Apache server as 83000 other websites. Domain-squatters run tens of thousands of "websites" from one Apache server. So you only need one competent admin, and suddenly thousands of Apache websites are secure.
* I think IIS can tend to expose more services than Apache -- most people setting up Apache are running an HTTP or HTTPS server, and they think long and hard and read documentation before expanding it to run more services than that. I've not used IIS, but I imagine that it's easy and tempting to run everything from windows workgroups to DNS to email servers at the click of a checkbox and without any need to understand what's being created. Perhaps there's a lack of care among IIS admins contributing to the problem?
Follow this link about MIME type detection in Internet Explorer. It turns out that IE will sniff the data or filename if the extension is considered to be ambiguous (if it is returned as 'text/plain', 'application/octet-stream', an empty string, or null).
Phil Reginda has an explanation of why IE does this (basically to work around Apache behaviour) and a workaround if you get bitten by this.
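An added example (not part of the comment above and not any browser's code): a server-side audit check for the sniffing behaviour just described. It flags responses whose declared Content-Type is one of the ambiguous values the comment lists while the body opens with HTML-looking markup, and builds headers that remove the ambiguity. The 256-byte window, the tag list and the sample responses are assumptions constructed for illustration, not IE's exact algorithm.

```python
"""Audit helper: find responses a content-sniffing browser may treat as HTML."""
import re

# Declared types the comment lists as ambiguous; "" models an empty or
# missing Content-Type header.
AMBIGUOUS_TYPES = {"text/plain", "application/octet-stream", ""}

# Assumptions for illustration: only the leading bytes are inspected, and
# these tags count as strong hints of HTML. Not IE's exact list.
SNIFF_WINDOW = 256
HTML_HINT = re.compile(
    rb"<\s*(html|head|body|script|iframe|img|a|title|table)\b",
    re.IGNORECASE,
)


def normalize_type(content_type):
    """Return the bare media type, lowercased, with parameters removed."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_ambiguous(content_type):
    return normalize_type(content_type) in AMBIGUOUS_TYPES


def looks_like_html(body):
    return HTML_HINT.search(body[:SNIFF_WINDOW]) is not None


def audit_response(content_type, body):
    """Classify one response.

    "ok"     declared type is specific, so no sniffing is triggered
    "risk"   ambiguous type and the body opens with HTML-like markup
    "review" ambiguous type but no HTML hint in the sniffed window
    """
    if not is_ambiguous(content_type):
        return "ok"
    return "risk" if looks_like_html(body) else "review"


def hardened_headers(content_type):
    """Headers that leave the browser nothing to guess."""
    headers = {
        "Content-Type": normalize_type(content_type) or "application/octet-stream",
        # Supported by later IE versions and other browsers: disables sniffing.
        "X-Content-Type-Options": "nosniff",
    }
    if is_ambiguous(content_type):
        # Untrusted or unknown content is offered as a download, never rendered.
        headers["Content-Disposition"] = "attachment"
    return headers


# Constructed sample responses: (path, declared Content-Type, body).
SAMPLES = [
    ("/uploads/notes.txt", "text/plain; charset=utf-8", b"Release notes 1.2\n"),
    ("/uploads/avatar.txt", "text/plain", b"<html><body>hello</body></html>"),
    ("/files/blob", None, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("/index.html", "text/html", b"<html><body>home</body></html>"),
]


def audit(samples):
    return [(path, audit_response(ctype, body)) for path, ctype, body in samples]


if __name__ == "__main__":
    for path, verdict in audit(SAMPLES):
        print(f"{verdict:7} {path}")
```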
Click here to go to news.google.com and take the first and only search result link which leads to the Washington Post Article without the need to register.
to complete the answers you have so far
3. see here for documentation on how to make your own Mozilla search plugins.
5. Besides the already-mentioned Adblock plugin, use Flash Click To View to replace flash with a button you can 'click to view'.
Because the Apache is visible to lots of people who can bug-check it and who are interested in a stable, secure Apache because they use it. The IIS code is only visible to Microsoft programmers, who are not only far less in numbers but also occupied with lots of other stuff.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
We have set up a dedicated forum regarding this topic. If you are interested, it can be found at: http://forums.kurczaba.com/forum_topics.asp?FID=11
Thanks,
Paul Kurczaba
Kurczaba Associates
I can't believe it's just me finding an ever growing number of sites not working with anything other than IE on Windows, but I rarely hear mention of this serious problem in any discussion of alternative browsers. Sites that used to work with Netscape/Mozilla are becoming ones that no longer do. Even IE on a Mac doesn't work on most problem sites. Here are just a few sites that have given me trouble: www.giantfood.com - shopping list no longer works without IE; www.washtimes.com - article text often eclipsed by ads - their solution when I called: use IE on Windows.; netbank.com - order a new Visa, Netscape disappears with no error message on submit. They said that they will fix it.; usa.canon.com - downloaded scanner/printer driver *installation* requires IE as default browser. No mention of this on site, it just won't work otherwise.; ebates.com - claims to work with Netscape, but I never get credits when I do.; Many E-commerce sites I've tried do not function with anything other than IE on Windows.
Nonsense. RFC-ignorant doesn't even suggest a domain should have a working webmaster address. abuse@ and postmaster@ are the only role addresses all domains must have.
Just as a note, Flash Click To View is now known as FlashBlock.
:)
Now there's good news and bad news about it. The bad news is, it hasn't been updated for v0.9. The good news is, it still works with 0.9 flawlessly (i'm running it right now). The only problem is it won't show up in your extensions menu, so disabling or removing it could be a pain.
Now I say could be, because if you grab a little gadget known as Show Old Extensions, FlashBlock and any other pre-0.9 extensions you have installed will appear in the extension menu just like magic (cue angels singing). Hurray!
Gotta love open source communities. Solutions for everything!
Now if only Microsoft would make Windows Update compatible with non-IE browsers. What was that about extremely low temperatures in hell? Oh, and Gmail - when will they support Opera? Sooner than question #1 i hope.
next we just need gartner to say -- do not use IE....and then that will be all she wrote.
Grandma reads Gartner everyday even before she turns to the obituary page.
Write to their feedback page, letters to the editor, or ombudsman. Tell them: 1) their failure to mention that this only affects Windows users running IE needlessly worries people using other OSes and browsers, and 2) their failure to mention alternative browsers means they missed an opportunity to assist the general public on an important matter.
I did. I also did this a couple of years ago when some Windows virus came out (can't remember which one -- there are so many) and CNN failed to mention it was a Windows-only problem. The next time a major virus came out (I think it was a few weeks), I noticed that CNN actually mentioned that non-Windows users were not at risk.
Obviously, we need to keep reminding them.
Oh, and if you do, be polite!!!
(And if you already did, then good for you! And my apologies for implying you didn't.)
"Perhaps there's a lack of care among IIS admins contributing to the problem?"
While this is certainly true, in my opinion, it does not excuse the fact that these exploits are not because the admins didn't change a default password or something. They happen because there's a fault in the programming code.
There are some big web sites and hosting companies that run IIS and without being extremely diligent and purchasing extra software to protect yourself (or developing it in house) there's a significant chance of being compromised.
- It's not the Macs I hate. It's Digg users. -
Those are good examples. I ran Red Hat 6.2 and 7 but was not running wu-ftp or BIND, so they did not get me. I have run pro-ftp on my gateway machine, but I've been able to turn off most ports. This clearly demonstrates the value of user control and choice of software. As I recall, the BIND problem was fixed in a few days.
Friends don't help friends install M$ junk.
http://www.microsoft.com/security/incident/download_ject.mspx
FBI spokesman Joe Parris declined to say whether the FBI is investigating the attack. "These types of Trojan horse attacks are not that uncommon, and we work closely with Microsoft in investigating matters of this type and always follow up on any information provided by industry," he said.
I'm sure you do, cocksucker.
This is even better than news of Linux switchers! Hopefully this will allow webmasters to use CSS the way it was meant to be used. Suggestion to MS: start over with IE and base it on a Gecko-based rendering system and don't put so many damn holes in it.
GREP for Windows
gewg_
While this is certainly true, in my opinion, it does not excuse the fact that these exploits are not because the admins didn't change a default password or something. They happen because there's a fault in the programming code.
Sometimes I am sure it is the fault of the stupid admin who doesn't change a password, but I'm sure most of the time it relates back to the stupid admin who doesn't patch his system. No matter what OS you run, you need to patch your system. Even the clueful Windows admins might feel that having a firewall is enough, but you can never have enough protection. That's what a competent admin knows, regardless of what OS they are supporting.
How long do you think it will be before mozilla, opera and all the other alternatives will be attacked? Or maybe the hackers will be nice and decide to leave the geeks that use them alone....It's only a matter of time
When I read about the evils of drinking, I gave up... reading.-Henny Youngman
His first comment was: "it's a lot faster!"
Now if I could just get him to install Debian...
free software users are not monthly victims of attacks that take advantage of moronic software design.
Can anyone point to a single free software worm that auto propagated?
New diet lets you eat as much as you want! _ Pill makes you skinny! _ Device increases gas mileage by 15%!
It's just amazing how folks gobble this stuff up.
If something is revolutionary, IT MAKES HEADLINES worldwide.
If Microsoft had knowledge of an auto-propagated F/OSS exploit,
it would make DAMN SURE there were banner headlines and that it led the evening news.
gewg_
You're right, but at the rate the security patches flow in from Microsoft, you can't keep up with them. Well, okay. You can, but not if you actually want to test them beforehand.
The sheer volume of critical patches, you know- the weekly "This security hole could allow the attacker to gain complete control over your system" ones, do not inspire confidence that Microsoft is taking care of business; it simply shows me that their software is buggy and has a history of serious security flaws.
I can't blame the admins all the time, even though I do think that your average Unix admin is better than your average NT admin.
- It's not the Macs I hate. It's Digg users. -
Does installing Firefox stop IE from being used for all HTML rendering? I know you can set it as the default browser but it appears that Outlook continues to make use of IE to render HTML emails and not Firefox - time to look for the registry setting.
Also when Explorer does a preview of an HTML file in a folder view which renderer is it using, IE or the default browser?
It looks like there are still vectors available for this exploit even if you install Firefox as it's pretty well impossible to totally remove IE from a Windows system isn't it?
hi,
and yet, somehow, the people on site at DoD's CERT are forced to use IE. how does that work, exactly?
sTc
Most things worth doing are worth doing twice. -- me I think or was that my boss' methodology?
Searching both US-CERT and CERT I find two articles (one, two) but neither make any recommendation of "alternate browsers." So unless I'm missing something, the use of "alternative browsers" was added by the author of this article?
L-A-M-E!
Gates fussy over security in Sydney
Couple of choice quotes:
"The Microsoft co-founder and one of the world's richest men is in Sydney today for a press appearance so tightly scripted and controlled it could have been orchestrated by US President George W. Bush's media office."
"At least the assembled do not have to submit their retinas or fingerprints for scanning - possibly because Microsoft can't come to grips with good security."
"Those running the market-leading open source Apache web server, who use desktop operating systems such as Mac OS X or GNU/Linux, or Windows web browsers other than Explorer (such as Opera or Mozilla) were inoculated from the virus."
There's quite a bit more, all fun reading.
Hal Spacejock: Science Fiction with Nuts
1) Ability of running any Windows shortcut or folder within the browser or explorer.
You absolutely do not want this. The mingling of file browser and web browser are what cause a huge number of IE security holes.
You could probably just set up a helper or something, but you don't want to. Really. Mozilla is not a file manager.
2) Autologin of websites (form filling-username, pass)
Exists, and I've seen it, but I don't know what plugin to use. IIRC Mozilla has this built-in.
3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)
Firefox rocks at this. Do a search, bookmark it, and replace the query text in the address field in the bookmark's properties with "%s", and then give it an alias (say, "gg"). If I did this with a Google search, I can just type "gg foobar" to Google for "foobar". I have imdb, google, and tons of other databases usable through Firefox directly. Absolutely wonderful.
4) "Groups" of websites that open in tabs at the same time
Create a folder in your bookmarks, and choose the menu item "open in tabs" for that folder under the Bookmarks menu in Firefox.
5) In-line Flash/Advertising blocks (I noticed one of Achilles' Heels of FF is that it eats cpu like crazy when flash is used on the page)
You want Click to View.
May we never see th
It has only been majorly exploited for 10 months. The fault goes back to 1995. We are lucky that our current population of Hackers did not use it well before now. We are very lucky that we don't have a good population of Hackers; most are script kiddies that don't know how to find these back doors and pick on them.
The big question is how many times it has been used to get information out of companies.
Basically it affects win 95+. I still have to test ie6sp1 to see if a javascript can still buffer overflow and crash the machine like it used to. But that one worked also from 1995 and was reported in 1995, 1996, 1998 by me, same sample code, and no fix even in 6; just have not tested 6sp1 for it. Basically I have been wasting my breath telling them; they do nothing.
There is a short form of the response: you are not meant to code a webpage like that.
My code did not follow coding rules, correct, yes, but a cracker does not have to follow rules; it just has to work. The funny part is that the code works flawlessly with Netscape and Mozilla, and Netscape created Javascript (i.e. the standard).
Now I get into trouble because I hate Microsoft and people cannot understand why, i.e. you must be a zealot or something. No, I am not a zealot, I just hate people not fixing problems I report.
Also I wish people would stop reporting directly to Microsoft but start reporting in the press. It seems to be the only way to get them off their tail.
Please note a lot of problems inside IE extend back to them not following standards or breaking them for a practical reason (them controlling the market).
The most effective way to exploit this back door is to send an email containing an automatic direct link to the web site and install the spyware. Nice little IE flaw merged with a nice little Outlook Express flaw creating access to a machine to extract data.
The Cracker uses of this have been heavily overlooked for far too long. If you are using Outlook or IE, change now.
Sure IIS is patched now. But that is like saying the titanic has been patched up and is ready to sail - the damage is done - too little too late. Most companies I do business with would never dream of using IIS again (or at all) because of the track record -- not the current patch level.
I am just saying that IE is now going down that path also. Sure JoeShmo home user is still going to be using it....but the bigboys with the deep pockets (big business) are the ones who are heading south to "anything but MS land". (A few more nights of panic patching thousands of desktops under the moonlight on the company dollar should do the trick....) I know these last few IE exploits have the CIO at my company willing to go down any other path.
(+1 Funny) only if I laugh out loud.
Uhhh, so by your logic IIS is unable to run tens of thousands of web sites? I guess that explains why Apache is popular hmm?
Oh well, what the hell...
Now that's a funny thing to see on Slashdot. As it just so happens, I know the guy who serves the Kelley Blue Book site... This dude swears by Windows and all Microsoft products. I bagged on MS a whole bunch and this guy wouldn't hear it at all. I remember how, back in '98 or so, I mentioned to him that one day, MS's bullshit will come back to bite him in the ass, if he doesn't switch to something else. In fact, I was pissed when he told me stories about how many UNIX servers he replaced with Windows ones. What a crock of shit, I thought to myself. But yeah, now he's probably in a world of shit, and maybe he'll take my advice and switch.
Micro$COft. Software for the downtime-happy business.
I was referring to the general practice of patching to avoid vulnerabilities.
We resolved the issue by moving the intelligence into the server, different versions of the .PAC file are served up based on what subnet the client request comes in from.
This allows for customizing the proxy configuration based on which office the client is connected to, without relying on the DNS suffix assigned by DHCP to select an appropriate WPAD server name...
I do not deploy Linux. Ever.
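An added example (not the poster's code): one way to do the server-side selection described above, picking the PAC body from the requester's subnet with longest-prefix matching. The subnets, proxy host names and the choice to return 404 to unknown networks are assumptions constructed for illustration.

```python
"""Choose which proxy auto-config (PAC) file to serve from the client's subnet."""
import ipaddress

PAC_MIME = "application/x-ns-proxy-autoconfig"
PAC_TEMPLATE = 'function FindProxyForURL(url, host) {{ return "{rule}"; }}\n'

# Constructed office subnets and proxy names (hypothetical).
SUBNET_RULES = [
    ("10.10.0.0/16", "PROXY proxy-hq.example.internal:3128; DIRECT"),
    ("10.10.40.0/24", "PROXY proxy-lab.example.internal:3128"),
    ("10.20.0.0/16", "PROXY proxy-branch.example.internal:3128; DIRECT"),
    ("fd00:20::/32", "PROXY proxy-branch.example.internal:3128; DIRECT"),
]


def build_table(rules):
    """Parse the rules and order them so the most specific subnet wins."""
    table = [(ipaddress.ip_network(cidr), rule) for cidr, rule in rules]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


TABLE = build_table(SUBNET_RULES)


def select_rule(client_ip, table=TABLE):
    """Return the proxy rule for client_ip, or None for unknown networks.

    client_ip must be the TCP peer address seen by the server. A header such
    as X-Forwarded-For is client-controlled and would let any requester pick
    the configuration it receives.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for network, rule in table:
        if network.version == addr.version and addr in network:
            return rule
    return None


def pac_response(client_ip):
    """Return (status, content_type, body) for a PAC request."""
    rule = select_rule(client_ip)
    if rule is None:
        # Unknown subnets get no proxy configuration at all.
        return 404, "text/plain", "no proxy configuration for this network\n"
    return 200, PAC_MIME, PAC_TEMPLATE.format(rule=rule)


if __name__ == "__main__":
    for ip in ("10.10.3.3", "10.10.40.7", "::ffff:10.20.1.1", "192.0.2.5"):
        status, _, body = pac_response(ip)
        print(ip, status, body.strip())
```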
> How about the lion and ramen worms from 2001?
Those examples are three years old, the number of Linux systems affected was small (compared to most Windows viruses or worms), and they disappeared quickly.
Meanwhile, some Windows viruses and worms continue to make the rounds many months later, and new Windows (IE is part of the OS) exploits and variations appear every month.
And don't say it's because of a lack of Linux systems, because there are just as many Linux-based Internet servers as Windows-based (see Netcraft chart from 2001).
So if those are the best examples you have, then I'm feeling quite good about my choice of Linux.
Now if you are providing those examples as proof that no OS, including Linux, is 100% secure, then I have to say that no proof was necessary, because no one is claiming that Linux is completely virus-proof. The only claim is that Linux is _more_ secure than Windows, in fact, Linux is _inherently_ more secure than Windows because of better design decisions, and because Linux is Open Source.
I can't blame the admins all the time, even though I do think that your average Unix admin is better than your average NT admin.
I wouldn't say better. More technically adept, maybe. Understand the technology behind the software better, maybe. But let's take a Unix admin and stick them in a MS environment, and poof. Suddenly their Unix skills are irrelevant.
I'm saying this as neither a Unix admin nor MS admin. I'm saying this as someone who tried to apply Apache concepts to IIS. It simply doesn't work. They use two different bases of use. IIS is meant to be easy for MS sysadmins to set up. Apache is meant to be easy for Unix-aware people to set up (although, once you get past the basic of basics, it fails miserably at that. Try the Rewrite module. It'll kick your ass and take your lunch money.)
http://kess.afraid.org/be_nice_slashdot
Oh boy, I can just see it now!
With how hard it is to install most of the Linux software I have used, I doubt there would be a worm that infects more than a string of Linux distributions.
Dependency hell would save a lot of people.
gxworm failed to launch. Please install gnome-libs, gnome-this, gnome-that, gnome-balls, gnome-droppings
kworm failed to launch. Please install krap, kthis, kthat, kunt
Make America grate again!
I have been using Opera for a couple of years.
After gaining a bit of comfort for Opera, I disabled Internet Exploder. I disabled all features, everyone, ActiveXploiter, Java, Javascript, etc., and then set the proxy for all protocols to 127.0.0.1 port 7777 which means it can't access anything.
I also do almost everything from an account (WinXP lite) without admin privs which means some apps don't work because they can't access the registry.
Yesterday while browsing the net, the system really slowed down and I found from a netstat that there were hundreds of connections to all sorts of IP addresses to Microsoft-DS (445). Although I had recently updated the patches, I discovered after fighting to kill off the processes generating these connections that there were seven more "critical updates". I'm normally looking at all sorts of websites doing research on a dozen different, but social policy related topics, so I had a lot of web pages active and I have no idea which of a dozen or more might have been the source of the infection.
Bottom line:
-Microsoft sucks
-I don't know how and don't have the info to figure it out, but even with IE disabled and using Opera, it's still possible to get infected
-Microsoft sucks
This isn't any logic. It's the facts, man.
Here we are again with yet another MS vulnerability and I see, as always, a vocal group of posters claiming that Linux or Macs or whatever are no safer and blah blah blah... Well, perhaps in theory you're right, but what's your point? To make yourself feel better by talking in meaningless abstractions? What do you gain by decrying what may be perfectly legitimate and functional replacements for Windows? What do you gain by sticking by a platform that is riddled with security issues?
I'll admit that I'm no fan of Microsoft, but what is with this defensive posturing? At what point do you finally say, "I've had enough... I'm looking elsewhere for my computing needs"? Does it ever end or are we to expect Windows users to defend this kind of thing to the end of the earth?
So often, Mac users and Linux users are painted as starry-eyed fanatics, and yet, I see the most reflexively defensive responses from Windows users and it puzzles me. Microsoft no doubt has the resources and the money to make the platform a little less problematic, and yet the problems persist. Perhaps they need some of you users to direct your frustration at them, not at Macs or Linux.
--Rick "If it isn't broken, take it apart and find out why."
I don't think there is anything which makes microsoft software "inherently" more insecure. Given enough time and effort microsoft products, like any piece of software has the potential to be bullet proof. Of course that's a practical impossibility as much for microsoft as for apache or linux. The problem for microsoft is that a very large number of its users are not installing patches, and that for microsoft releasing a patch is a big deal. They have QA issues to deal with so that patches must be tested properly before release, which OSS doesn't really have. The big problem that microsoft has though really is its user base. They've made it too easy for anyone to set up a web server or get online, so there is no knowledge based barrier to entry. That is, dumbasses can get on the net.
In order for linux to get more popular it'd have to be MUCH easier to use, and then you'd still have the problem of dumb users who never upgrade, but on linux.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
The Nimda worm was another hybrid, perhaps even nastier. It spread(s) using Outlook Express, IE and IIS, as well as Windows network shares. See the Nimda CERT advisory.
I'm sorry if I haven't offended anyone
There are a lot of places where NAT or at least a caching proxy server is used. These will normally be identified as a single user. In reality there may have been many more, especially as a healthcare provider they are likely to get a lot of corporate hits.
See my journal, I write things there
Could anybody point to the advisory itself that recommends other browsers? That could be quite a serious argument.
Rich
Virus designed to steal Windows users' data
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
Actually, IIS isn't being attacked -- it's an RPC hole in Windows that some large sites apparently neglected to firewall/patch/etc.
Given Microsoft's "integration" it's not obvious where IIS ends and Windows begins anyway.
Perhaps if a large ad network had Linux/Apache set up in an insecure way, the Evil Doers would have gone that route.
Having many distributions means that even if all of them were insecure they probably wouldn't have the same insecurity.
"But let's take a Unix admin and stick them in a MS environment, and poof. Suddenly their Unix skills are irrelevant."
Their unix skills maybe, but not necessarily their network skills, or their ability to think about systems-security, nor many other vital things. Knowing where to change an SSL-key on a particular server is one thing, but being able to design sensible networks and good security is probably transferable. Besides, many of the same tools run in both environments (IDS, apache, firewalls, perl, ping, etc.)
The average Unix admin is indeed better than the average Windows admin. Unix admins think in a way that is conducive to better IT.
Unix admins regularly think about maximizing uptime, while good Windows admins actually reschedule reboot procedures.
Unix admins regularly maintain gold systems, where patches and upgrades are tested and evaluated. Once everything is working ok, the other systems are synced with the gold system, whereas Windows admins are tempted to use Windows Update without testing.
There aren't many good enterprise Unix backup solutions, so Unix admins tend to spend a lot of time enumerating valuable data and checking to make sure that backups completed successfully.
Unix admins tend to spend a lot of time addressing warnings in dmesg output and service logs, whereas Windows admins tend to ignore warnings in the system event log.
Unix admins are more likely to stick to the one system = one service idea. This might have something to do with the non-existent or low cost of operating system licenses. Windows admins can save immediate budget (the kind that their bosses understand) by doubling up services on systems.
Because Unix admins spend so much time setting up service configuration files, and reading documentation, they tend to be intimately familiar with the service and much better at troubleshooting problems. The availability and ease of use of tools like strace make debugging a more viable plan of attack when troubleshooting. Windows admins tend to rely on MS Tech Support contracts.
Because there are fewer enterprise management tools for Unix, admins must learn shell scripting, at least enough of it to modify administration scripts that people have contributed to the community.
- Have you ever noticed that the more you learn about technology, the more stupid you sound trying to explain it?
It should also be noted that Apache is open source, meaning you can actually go look at the code to look for possible ways to exploit possible bugs/security flaws.
Except that there are also people looking to fix bugs and security flaws. Typically there are more "white hat" than "black hats".
The same doesn't happen with Microsoft's IIS and yet it is still more vulnerable than Apache is...
This also means that only Microsoft can fix any bugs. Any third party attempting to fix bugs in IIS can find themselves in trouble for violating Microsoft's copyright. To the "black hats" not having the source code isn't much of a handicap, since they can examine the binary quite easily. Having only Microsoft build the program means that there isn't much variation in different copies of the program. If an exploit works against a few copies of IIS then it will probably work against most of them.
I wouldn't say better. More technically adept, maybe. Understand the technology behind the software better, maybe. But let's take a Unix admin and stick them in a MS environment, and poof. Suddenly their Unix skills are irrelevant.
Most likely they get very frustrated by the way Windows tries to hide things, which unix makes easily accessible. e.g. the actual UIDs and GIDs.
I don't think there is anything which makes microsoft software "inherently" more insecure.
Microsoft tends to like big programs which try to do lots of things, with lots of threading for multi-tasking. IIS does plenty of things other than web serving... On top of this there is Microsoft deliberately writing "spaghetti code" in the name of "integration".
Given enough time and effort microsoft products, like any piece of software has the potential to be bullet proof.
It would be a case of rewriting more or less from scratch.
"FBI spokesman Joe Parris declined to say whether the FBI is investigating the attack. "These types of Trojan horse attacks are not that uncommon, and we work closely with Microsoft in investigating matters of this type and always follow up on any information provided by industry," he said."
This is part of the problem - Microsoft is not the industry and all non-technical people think Microsoft is the industry.
Well they aren't and the industry would get along just fine without Microsoft. So Bill please take your money and run and let us run the industry the way it is supposed to be run. Not your way.
Your average Unix admin placed in an MS environment would install the same tools they install in Unix. Apache would probably be the first to get installed. Maybe cygwin/Windows Services for Unix, depending on their budget and shell withdrawal. After that perl, python, or another favorite language would get installed, the admin would keep approaching the problem as if it's a Unix system.
An average Unix admin has experience with several Unix systems. The deviation that the corporate hierarchy hates so much, that is so "damaging" to Unix, is perfect for training admins how to cope with vastly different configuration, security, and administration options. To your average Unix admin, Windows would just be a funny variant whose quirks can be learned, mastered, and put in place.
bja
Yes, given enough time and effort programmers up at Microsoft could make their software bulletproof.
I say the software is inherently more insecure because Microsoft did not follow a methodology for their software that leads to secure products:
1. The user pretty much always runs as "root"
2. IE, Office, and OE are tied in directly with the OS, and provide functionality that should not be present with untrusted data (from the Internet/documents)
3. Microsoft does not view all security problems as a serious threat, or takes forever to release patches to certain vulnerabilities. Case in point, look at the number of unpatched IE vulnerabilities. Some of them have been around for many months. I understand that they have to do QA on patches and what not, but if the process honestly takes months then the products are inherently more insecure.
4. Microsoft didn't really take security all that seriously (supposedly they have now). Case in point the WinXP firewall. Not only is it very unconfigurable, but it starts -after- the network does. That's commitment to security. If the firewall wasn't crap, and it was enabled by default, much of this ugly worm business wouldn't be as big a deal.
It all adds up to being inherently insecure. Look at this recent issue. Why should users have to deal with getting infected automatically with no intervention when visiting a website? Can't blame the users here either because there is no patch for this vulnerability. It's ridiculous that crap like this can happen through javascript anyway.
Anybody else notice M$ has Kelley Blue Book values in its Hotmail login spotlight?
that none of you are finding the CERT recommendation because it is not on their public sites. There are some CERT websites and mailing lists that you have to be a member of a CIRC or Incident Response Team, etc. in order to have a subscription.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
Actually I use the rewrite module on all of my sites since I have apache running in front of zope in rewrite/proxy mode. It is pretty simple to do and the instructions are clear on how to do it.
What is easy/complex for different people is based on what they are used to. I can setup new sites, addition urls etc in about a minute or two which is how long it takes me to type the commands in apache.
Computer modeling for biotech drug manufacturing is HARD!
How many times does it appear? (none)
(Sorry for the late reply, my ISP was down).
Take a look at your post again. Tell me, what was so insightful about your post? Did you bring any new information to the discussion?
Didn't think so.
I understand that the vector into my system was for yet another useless service that Microsoft built into Windows. What amazes me is that after applying a huge number of critical patches, manually turning off a bunch of services that are useless, after enabling the firewall, there are still useless services enabled that I don't know about.
And the rate of security patches for a release that is close to three years old is still high or increasing.
I really have to wonder if Microsoft is part of the al Qaeda network...
....or windows key + r, path of folder, enter
look mum! no mouse!
TIAEAE!