Slashdot Mirror


CERT Recommends Mozilla, Firefox

EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera." Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."

8 of 529 comments

  1. When there's no other fix... by LostCluster · · Score: 5, Insightful

    CERT's recommendation usually is to download the patch. However, since this hole has an exploit in the wild, and there isn't a patch to be found... use something else is the only recommendation left to issue.

    1. Re:When there's no other fix... by Anonymous Coward · · Score: 5, Insightful

      You'd think that, but most mainstream news reports that I've seen (such as CNN's) make no mention at all of alternative browsers, recommending that the best solution is to update antivirus software and up the security settings on IE.

    2. Re:When there's no other fix... by f.money · · Score: 5, Insightful

      "You'd think that, but most mainstream news reports that I've seen (such as CNN's) make no mention at all of alternative browsers, recommending that the best solution is to update antivirus software and up the security settings on IE."

      Too bad that won't work. The cross zone attacks work regardless of your security settings in IE. And AV products don't pick up the attacks (as far as I'm aware). This is a fundamental flaw in IE that _needs_ to be fixed, but isn't (it's over 10 months old).

      jon

  2. i agree with CERT by theguywhosaid · · Score: 5, Insightful

    but joe user won't read this or know about it. too bad eh?
    the only way is to hijack people's computer, install a real browser, and put the IE icon on it.

  3. Hopefully this will get more sites off IE only by Sikmaz · · Score: 5, Insightful

    I love Firefox but I have to use IE for a few sites, maybe this will force these last few sites to step up and get their sites working with other browsers.

    Nothing annoys me more than to get a message that my browser is not supported when I visit a page!

  4. Yup which is why IIS the underdog server is attacke by SmallFurryCreature · · Score: 5, Insightful

    So how do you explain that it is IIS and not Apache that is being attacked? Apache is the top webserver. Not IIS. So by your logic it should be Apache that is attacked and not IIS.

    Explain please.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  5. Re:At least he didn't continue a myth. by bhtooefr · · Score: 5, Insightful

    However, that's not the case here. There was a major bug in the IIS patch that caused system instability, and the patch for the IE end of the hole is in Release Candidate stage, NOT Final stage. It's Microsoft BETA software. I wouldn't run it... (then again, I wouldn't run Windows XP...) Which brings one more point - it's fixed by XP SP2. XP SP2 won't run on NT, 98, 2000, or ME. See a problem? All of those OSes can run IE 6, which is vulnerable.

  6. Re:Yup which is why IIS the underdog server is atta by gnu-generation-one · · Score: 5, Insightful

    "So how do you explain that it is IIS and not apache that is being attacked?"

    [*] Apache is more secure than IIS. That's a fact, but it's different to saying that all open-source software is more secure. It certainly doesn't prove that Linux is more secure than Windows (although other evidence certainly does).

    [*] Apache runs more websites, but lots of those are on the same computer. My website runs on the same Apache server as 2782 other websites. My sourceforge websites run on the same Apache server as 83000 other websites. Domain-squatters run tens of thousands of "websites" from one Apache server. So you only need one competent admin, and suddenly thousands of Apache websites are secure.

    [*] I think IIS can tend to expose more services than Apache -- most people setting up Apache are running an HTTP or HTTPS server, and they think long and hard and read documentation before expanding it to run more services than that. I've not used IIS, but I imagine that it's easy and tempting to run everything from windows workgroups to DNS to email servers at the click of a checkbox and without any need to understand what's being created. Perhaps there's a lack of care among IIS admins contributing to the problem?