CERT Recommends Mozilla, Firefox
EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."
CERT's recommendation usually is to download the patch. However, since this hole has an exploit in the wild, and there isn't a patch to be found... use something else is the only recommendation left to issue.
But Joe User won't read this or know about it. Too bad, eh?
The only way is to hijack people's computers, install a real browser, and put the IE icon on it.
I love Firefox but I have to use IE for a few sites; maybe this will force these last few sites to step up and get their sites working with other browsers.
Nothing annoys me more than to get a message that my browser is not supported when I visit a page!
Explain please.
However, that's not the case here. There was a major bug in the IIS patch that caused system instability, and the patch for the IE end of the hole is in Release Candidate stage, NOT Final stage. It's Microsoft BETA software. I wouldn't run it... (then again, I wouldn't run Windows XP...) Which brings one more point - it's fixed by XP SP2. XP SP2 won't run on NT, 98, 2000, or ME. See a problem? All of those OSes can run IE 6, which is vulnerable.
"So how do you explain that it is IIS and not apache that is being attacked?"
* Apache is more secure than IIS. That's a fact, but it's different to saying that all open-source software is more secure. It certainly doesn't prove that Linux is more secure than Windows (although other evidence certainly does).
* Apache runs more websites, but lots of those are on the same computer. My website runs on the same Apache server as 2782 other websites. My sourceforge websites run on the same Apache server as 83000 other websites. Domain-squatters run tens of thousands of "websites" from one Apache server. So you only need one competent admin, and suddenly thousands of Apache websites are secure.
* I think IIS can tend to expose more services than Apache -- most people setting up Apache are running an HTTP or HTTPS server, and they think long and hard and read documentation before expanding it to run more services than that. I've not used IIS, but I imagine that it's easy and tempting to run everything from Windows workgroups to DNS to email servers at the click of a checkbox and without any need to understand what's being created. Perhaps there's a lack of care among IIS admins contributing to the problem?