CERT Recommends Mozilla, Firefox
EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."
CERT's recommendation usually is to download the patch. However, since this hole has an exploit in the wild, and there isn't a patch to be found... using something else is the only recommendation left to issue.
But Joe User won't read this or know about it. Too bad, eh?
The only way is to hijack people's computers, install a real browser, and put the IE icon on it.
But this is Slashdot, aren't they really just preaching to the choir on this one?
Well, considering that Internet Explorer is an "integral part of the operating system" they are only a hair shy of telling people to switch to an operating system that isn't vulnerable to so many damn critical remote vulnerabilities.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I love Firefox but I have to use IE for a few sites, maybe this will force these last few sites to step up and get their sites working with other browsers.
Nothing annoys me more than to get a message that my browser is not supported when I visit a page!
... they should add to the list of Microsoft software users to consider safer alternatives the users of Outlook, IIS, MSSQL, Windows 9x/Me and Windows NT/2000/XP. All of them are good examples of ticking timebombs.
I think this is just like the straw that broke IIS's back on the server side. Big holes, no solutions... The big boys say your only solution is to use a safe product - all of a sudden Apache is golden. And this is not like your neighbor geek saying "hey, check out this browser" -- next we just need Gartner to say -- do not use IE... and then that will be all she wrote. RIP IE. With all of your popups, tabless browsing and thousands of security holes, good riddance. Rot in hell.
(+1 Funny) only if I laugh out loud.
"CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Of course they are advising something else: IE has a past of insecurity. This has two causes:
1) IE is crappily coded (it's closed-source, so there's no 'second opinion' on the code). 2) IE is widely used, so it is very attractive to find a security bug in it (for malicious activities).
Therefore I recommend a non-IE browser (preferably Opera or Firefox) to everyone.
Seriously, I suspect that anyone who knows what CERT is already runs Mozilla (or at least knows he should). More significant is that this is in the Washington Post. With all respect for CERT, the mainstream press is what we need here.
That is how long I give Microsoft before they find themselves confronted by a revolution from their users due to their inability to deliver secure products.
Instead of spending their effort trying to destroy their competitors (which, today, means open source software), Microsoft should be closing the gap.
Yes, all software has potential insecurities. Yes, Microsoft is targeted because they are the dominant monoculture.
But no, this changes nothing. A burglar will always go for the easiest target, and Microsoft users will always be the target so long as Windows et al. is even just slightly less secure than the alternatives.
Microsoft should release a service pack to Windows that sets the security settings on MSIE to their highest levels, even at the risk of breaking many web sites. They should sponsor anti-spyware software developers with large prizes for the best anti-spyware software. They should be talking to major ISPs for ways to detect and disable zombies.
Redmond, listen: Make Windows Secure.
Otherwise you will be tarred and feathered by your long-suffering users who will prefer any viable alternative to one more "surf at your own risk" experience.
Sig for sale or rent. One previous user. Inquire within.
I think what the gp was saying was that Linux and Macs are not immune to being attacked in similar ways. They may be generally safer and immune to most attempts so far, but that is different from being immune.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
Recommending explorer users to use mozilla/firefox is fine.
From the article
The attack takes advantage of several recently discovered security flaws in Microsoft's Internet browser and Internet Information Services Web software. Microsoft released a patch in April to fix one security hole in its Internet browser; the company is still working on a patch for the other flaw, which security researchers publicly detailed less than two weeks ago.
But a recommendation for the people running web servers that are vulnerable to this attack would *really* have been more useful. Excuse me if there's already some recommendation (Having a link to that in the news item'd have been better in that case)
I'm actually surprised no one mentioned this yet. Yes, I read all comments so far.
This CERT (whatever it is) is _not_ endorsing the Mozilla family of products, it is recommending against Internet Explorer and other browser-apps (Avant/Neoplanet anyone?) who use IE's rendering engine.
Next thing, headlines will read "CERT endorses Linux apps for web browsing", merely because Mozilla and Firefox happen to run on Linux.
If Linux was as widely used as Windows I'm sure there'd be widespread security issues. There's always going to be someone looking for and exploiting holes.
Unfortunately this is a web site frequented by too many obsessive nerds. Not that I'm a fan of Microsoft in any way at all. I just think it's a little short-sighted to presume that Linux is like Fort Knox just because nobody has made any big effort to break it.
Not that that does you much good if you're using IE. Last I checked IE blatantly ignores MIME types and uses the "file extension" of the URL, or something equally retarded along those lines.
Credit is being given where credit belongs. The softies can try to spin this, but they will fail as there is little hope for them to fix their platform's underlying design flaws. Microsoft remains a security disaster.
While no one will tell you that free software is immune to attack, they can tell you that free software users are not monthly victims of attacks that take advantage of moronic software design. Can anyone point to a single free software worm that auto-propagated?
The variety of free software and its quality makes such stuff very difficult to design. Imagine that you did find an exploit for a popular Linux desktop that could propagate itself. Right away, you are limited to less than half of the Linux population. I use KDE, others use Gnome, Window Maker, OLVWM and so on to console emacs. Typically, news of the exploit is trumpeted with bug fixes and patches. Problem solved, usually without loss of data.
The widespread, spam sending, net threatening DoS attacks that we have seen on the Microsoft monoculture won't happen with free software.
Friends don't help friends install M$ junk.
Robyn Eckard, a spokeswoman for the Irvine, Calif.-based Kelley Blue Book, said the company learned about the problem late Wednesday after Web site visitors said their antivirus software tipped them off to the code. Eckard said Kelley Blue Book removed the malicious code from its site by late Thursday afternoon.
There wasn't any mention of their site being down, so that means a period of what could be almost a full day where they knew their website was infecting customers with this virus but continued to let it run. Are they really allowed to do that? Perhaps they figured the bad PR or loss of business from their site being down would be greater than the bad PR and loss of business from their customers being infected by this thing and then possibly robbed when their bank info was lifted. Perhaps the article was just mistaken; Google returns multiple sites, and at Netcraft I can't make heads or tails of the first one, but the second site appears to have remained up. Could they be charged for this? It seems kinda like one of those people with AIDS who doesn't tell partners they're infected and goes around having unprotected sex.
I stole this Sig
How many people do you think actually look to CERT before choosing what web browser to use? And among that group of people, how many are already using an alternative browser?
It's not only a question of popularity, it's a question of design. Linux is inherently designed to be more secure. Microsoft made choices in the past that are almost impossible to reverse now that make its software insecure.
Also, in Linux, vulnerabilities, when found, are fixed very quickly. And even if everybody switched to Linux, it would still not be a uniform population with all those different distributions.
Seriously, your argument doesn't hold any ground.
Slashdot anagrams to "Sad Sloth"
Or you can simply download and install Mozilla. Much simpler and safer.
Yeah, it's kind of a troll, but I can't understand why people continue to defend IE and post "workarounds" to get past its many problems, when the solution can be much simpler.
Explain please.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Actually, IIS isn't being attacked -- it's an RPC hole in Windows that some large sites apparently neglected to firewall/patch/etc.
Perhaps if a large ad network had Linux/Apache set up in an insecure way, the Evil Doers would have gone that route.
However, that's not the case here. There was a major bug in the IIS patch that caused system instability, and the patch for the IE end of the hole is in Release Candidate stage, NOT Final stage. It's Microsoft BETA software. I wouldn't run it... (then again, I wouldn't run Windows XP...) Which brings one more point - it's fixed by XP SP2. XP SP2 won't run on NT, 98, 2000, or ME. See a problem? All of those OSes can run IE 6, which is vulnerable.
You didn't mention them, but the point is relevant nonetheless.
You claim that if Linux was as popular as Windows, you'd see a lot more widespread security issues with it.
He countered with a specific example of a Microsoft product against another OS product. The OS product is more widely deployed than IIS, yet has far fewer security problems.
What makes you think that Microsoft products aren't inherently more insecure? IIS certainly is. IE certainly is. OE certainly is.
Perhaps if Linux was more popular, we'd see far fewer problems.
SUS reports over 400 patches for Server 2003? I think you mean the update TEAM. That's only Server 2003! Say you only NEED 200 of the patches (based on network conditions, etc), how long do YOU think it takes to adequately test 200 patches, not to mention the patches for Server 2000, Server 2000 Ent., Exchange 5.5/2000, Proxy server, SQL 7 and/or 2000, XP desktops, 2000 desktops, the stray NT boxes you know everyone has doing some critical, next to impossible to migrate task.
Did I forget Virus Scanning software and infrastructure? (you DO have an AV infrastructure, right?)
I'm really tired of people blaming admins when PHBs look at the price on Windows licensing and don't want to hire the TEAM required for updates ALONE!
Not that I can blame them though. They read the TCO was supposed to be lower!
MCSE here working with Windows AND Linux boxes, you can't pull that "Lazy Admin" crap with me!
Not to mention that with BILLIONS of people in this world, a few are bound to be interested in writing code for malicious purposes (statistically, it seems to me anyway.)
One last thing: code is not innocent OR malicious, how it is used is!
I understand what you are saying, and you probably do have far more security than the average PC user. But all it takes is for a vulnerable program to connect out to a malicious or compromised machine. This will probably get right through your NAT if it's a program you are intentionally using. The only real protection against this (as far as I know) is to patch or avoid vulnerable software.
I don't consider it a very good policy to avoid patches. Better would be to avoid software that has a tendency to break with patches -- and the vendors who create and patch said software.
It should also be noted that Apache is open source, meaning you can actually go look at the code to look for possible ways to exploit possible bugs/security flaws. The same doesn't happen with Microsoft's IIS and yet it is still more vulnerable than Apache is...
I am a speak english. Do you not? - Saroto
Switching browsers is not enough. Who knows, Mozilla could be the target of some malware tomorrow. Switching to Mozilla just buys you some time.
To be more secure we need an OS that prevents the browser from executing unauthorized code and prevents the browser from accessing sensitive information or applications on our systems. The browser should not be allowed to be the only layer of security.
One way would be to switch to some Linux, using a distro that makes use of the SELinux stuff, enable mandatory access control and set up a good security policy.
God is REAL! Unless explicitly declared INTEGER
"So how do you explain that it is IIS and not apache that is being attacked?"
* Apache is more secure than IIS. That's a fact, but it's different from saying that all open-source software is more secure. It certainly doesn't prove that Linux is more secure than Windows (although other evidence certainly does).
* Apache runs more websites, but lots of those are on the same computer. My website runs on the same Apache server as 2782 other websites. My SourceForge websites run on the same Apache server as 83000 other websites. Domain-squatters run tens of thousands of "websites" from one Apache server. So you only need one competent admin, and suddenly thousands of Apache websites are secure.
* I think IIS can tend to expose more services than Apache -- most people setting up Apache are running an HTTP or HTTPS server, and they think long and hard and read documentation before expanding it to run more services than that. I've not used IIS, but I imagine that it's easy and tempting to run everything from Windows workgroups to DNS to email servers at the click of a checkbox and without any need to understand what's being created. Perhaps there's a lack of care among IIS admins contributing to the problem?
Because the Apache code is visible to lots of people who can bug-check it and who are interested in a stable, secure Apache because they use it. The IIS code is only visible to Microsoft programmers, who are not only far fewer in number but also occupied with lots of other stuff.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Agreed. I have a friend who really doesn't give a crap as to what happens on his computer, as long as it remains working. And when it dies, all it takes is a reformat to fix it.
*sigh*
I wish I could write clever and witty sigs.
While this is certainly true, in my opinion, it does not excuse the fact that these exploits are not because the admins didn't change a default password or something. They happen because there's a fault in the programming code.
Sometimes I am sure it is the fault of the stupid admin who doesn't change a password, but I'm sure most of the time it relates back to the stupid admin who doesn't patch his system. No matter what OS you run, you need to patch your system. Even the clueful Windows admins might feel that having a firewall is enough, but you can never have enough protection. That's what a competent admin knows, regardless of what OS they are supporting.
Does installing Firefox stop IE from being used for all HTML rendering? I know you can set it as the default browser but it appears that Outlook continues to make use of IE to render HTML emails and not Firefox - time to look for the registry setting.
Also when Explorer does a preview of an HTML file in a folder view which renderer is it using, IE or the default browser?
It looks like there are still vectors available for this exploit even if you install Firefox, as it's pretty well impossible to totally remove IE from a Windows system, isn't it?
Here we are again with yet another MS vulnerability and I see, as always, a vocal group of posters claiming that Linux or Macs or whatever are no safer and blah blah blah... Well, perhaps in theory you're right, but what's your point? To make yourself feel better by talking in meaningless abstractions? What do you gain by decrying what may be perfectly legitimate and functional replacements for Windows? What do you gain by sticking by a platform that is riddled with security issues?
I'll admit that I'm no fan of Microsoft, but what is with this defensive posturing? At what point do you finally say, "I've had enough... I'm looking elsewhere for my computing needs"? Does it ever end or are we to expect Windows users to defend this kind of thing to the end of the earth?
So often, Mac users and Linux users are painted as starry-eyed fanatics, and yet I see the most reflexively defensive responses from Windows users, and it puzzles me. Microsoft no doubt has the resources and the money to make the platform a little less problematic, and yet the problems persist. Perhaps they need some of you users to direct your frustration at them, not at Macs or Linux.
--Rick "If it isn't broken, take it apart and find out why."
I don't think there is anything which makes Microsoft software "inherently" more insecure.
Microsoft tends to like big programs which try to do lots of things, with lots of threading for multi-tasking. IIS does plenty of things other than web serving... On top of this there is Microsoft deliberately writing "spaghetti code" in the name of "integration".
Given enough time and effort Microsoft products, like any piece of software, have the potential to be bulletproof.
It would be a case of rewriting more or less from scratch.
If you learn nothing else today, learn this: the phrase "It often translates roughly" is a red flag for a straw man fallacy. Yes, what I said roughly translates to "Linux's only strong point is that it's used by very few people". However, a more appropriate argument would instead address what it strictly translates to, namely "One of Linux's strong points is its relative lack of popularity". Your argument, as it currently stands, is thus based upon a logical fallacy and can thus be effectively discarded without any waste. However, after a quick glance over the rest of your post it quickly becomes apparent that there are other, more dangerous flaws in your reasoning. Thus, for your benefit, I will address those flaws as well.
"I'd like to counter this argument with only one example: Apache vs IIS."
Irrelevant. Apache is different from Linux, thus Apache's security has nothing to do with Linux's security, and bringing it up is a waste of space.
If you are trying to prove that popular systems are always more secure, one example will not be enough. One example merely proves the existence of a more secure popular system; it does nothing to prove all popular systems are more secure. There are in fact clear counter-examples, MS Windows being one.
If you are trying to prove that popular systems are not always less secure than obscure systems, then you are guilty of yet another straw man. No one argued that popular systems are always less secure, thus you are refuting a fictional argument that you just made up.
If you are asserting that Apache's security does have a lot to do with Linux's security policy because the two systems are both open source, then you are once again wrong. You will again need a lot more than one example to prove that open source necessarily means more secure. While open source systems may have some pluses with regard to security, they also have several minuses, such as the fact that no one is accountable for errors, often there is little control over the competence of those working on the project, those working on the project are often more interested in functionality than security, etc. I have personally seen major security holes in open source projects.
"I'm fairly sure that we'll never see problems amassing to reach the magnitude Windows security problems have reached."
Once again, another straw man. No one argued that Linux will become as problematic as Windows should it become as popular as Windows, merely that it will most likely suffer problems.
"And even if particularly nasty problems will appear, I can count that fixes will be available hours later."
Do you have any actual data to back up this questionable assertion? Studies have shown that Windows actually gets patched quicker than Linux (makes sense, after all they have more practice).
"Even more: increasing popularity and the subsequent increasing number of attacks will only serve to increase security for Linux applications overall, because it will ultimately translate to free bug testing."
By that logic, living in a dangerous neighborhood increases my security because the thugs that break in to rape and murder my family are ultimately translating to free bug testing. Did you read this argument before hitting the "Submit" button? That "bug testing" you write about certainly is not free if, after your OS is compromised, hackers break in and steal data, deploy viruses, or take down your entire system. It is in reality quite expensive.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
Yes, given enough time and effort programmers up at Microsoft could make their software bulletproof.
I say the software is inherently more insecure because Microsoft did not follow a methodology for their software that leads to secure products:
1. The user pretty much always runs as "root"
2. IE, Office, and OE are tied in directly with the OS, and provide functionality that should not be present with untrusted data (from the Internet/documents)
3. Microsoft does not view all security problems as a serious threat, or takes forever to release patches to certain vulnerabilities. Case in point, look at the number of unpatched IE vulnerabilities. Some of them have been around for many months. I understand that they have to do QA on patches and what not, but if the process honestly takes months then the products are inherently more insecure.
4. Microsoft didn't really take security all that seriously (supposedly they have now). Case in point the WinXP firewall. Not only is it very unconfigurable, but it starts -after- the network does. That's commitment to security. If the firewall wasn't crap, and it was enabled by default, much of this ugly worm business wouldn't be as big a deal.
It all adds up to being inherently insecure. Look at this recent issue. Why should users have to deal with getting infected automatically with no intervention when visiting a website? Can't blame the users here either, because there is no patch for this vulnerability. It's ridiculous that crap like this can happen through JavaScript anyway.