CERT Recommends Mozilla, Firefox
EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."
Mac, Linux and other non-Windows operating systems are immune from this attack.
At least he said "this attack" instead of "attacks".
Anybody have a list of which sites were affected by this IE/IIS problem. Seems as though it's been kept under wraps pretty well so far.
San Jose Mercury news indicates Yahoo!, Earthlink, and EBay. True, not true?
Now KBB?
Thanks.
Caution: Contents under pressure
Here's the beta version of my freeware program popURL (for Windows, sorry!). You can copy a URL to the clipboard (Copy Link Location) then click the tray icon, and popURL will pop up an info box on the URL telling you the software running on the remote server (IIS, Apache, whatever); the MIME type of the document, and its size if available. Potentially useful for safe, IIS-free browsing :) On UNIX you can get the same info using wget -S though somewhat less convenient.
that some security flaws are Windows only. In a local newspaper there was a small article about the latest security exploit that could install a trojan on your machine, and thus possibly empty your bank account. For once, it was said this was only an issue for users using Microsoft Windows in combination with Internet Explorer. Usually, when a Microsoft Windows virus/trojan/worm is reported, no reference is made to Windows as such.
My piece, written for the non-techie masses, on why they should consider other browsers: http://channels.lockergnome.com/news/archives/20040615_why_you_should_dump_internet_explorer.phtml
I am glad to see CERT step up and make a decision like this despite the fact that they are guaranteed to be flogged for it.
dmiessler.com -- grep understanding knowledge
Good recommendation from CNET. I am a Windows user (mostly) and get a chance to use Unix boxes only at work. If using a web browser, IE was the default choice since it's bundled with Windows. I installed Opera and Netscape but they had issues loading a couple of web pages. I then tried Mozilla but it was too slow. I then tried Avant Browser and it worked wonders, albeit for a short period of time. The popups were still coming, and there isn't a shortcut for opening a new tab. Finally, I moved on to Firefox 0.8 and 95% of the time, I am a die-hard user of Firefox.
I now use IE only to open my native language web pages since they aren't encoded properly in Firefox. I would be grateful to anyone who can show me how to open www.eenadu.net in Firefox. The native language is Telugu, if anyone needs it.
V
Yes. But now it is easier for me to go to my boss and recommend we move all browsers to Mozilla. He used to think Internet Explorer == Internet. I have shown him the way.
There are the first malicious programmers that try to infiltrate Mozilla users. An example is http://xxxtoolbar.com/ (sexually explicit!) that tries to install a "toolbar" via XPI. Fortunately this needs a Win32 system and a user who clicks without thinking.
Have you ever seen a signed Mozilla extension?
CERT have suggested using a different browser before (e.g. here).
I wouldn't read too much into it myself though. If one browser has a vulnerability, and another doesn't, surely it's an obvious thing to suggest? And in the past, they've pointed out the potential problems with not using IE (i.e. incompatibilities with IE-dependent sites). More a suggestion than a recommendation I'd say.
BBC mentions other browsers.
Jennifer Scharff, vice president of marketing for MinervaHealth, said some of the company's clients reported the problem on Thursday. The company has since fixed its site, she said. Scharff said no more than 50 visitors browsed the Web site during the time it was serving up the hostile code.
I had never heard of the company, but is it realistic that only 50 visitors browsed the site after it had been cracked? That seems very low, especially for a problem which was previously unknown to the Virus scanners.
Mielipiteet omiani - Opinions personal, facts suspect.
I expect corporate firewalls to start blocking IE soon. Be prepared. Do you want your E-commerce site locked out?
The problem is not that IE has bugs. It is that, by design and intent, it gives the web site too much power over the browser, and the browser too much power over the operating system. This is a fundamental design flaw, and cannot be easily fixed.
Because IE hasn't changed much for a few years now, the other browsers have solved most of the compatibility problems. You don't really need IE any more. There are still sites that won't work with Mozilla or Firefox, but there are usually competing companies with compatible browsers.
I'm using Firefox for my daily browsing, but I'm still using IE for internet banking. This is because most internet banking sites only support and recommend using IE, and I can't log in if I use a different browser (i.e. Firefox or Mozilla).
The issue is twofold... One, they are able to force IIS (only IIS) to serve out a footer to every HTML, JPEG, etc. that the web server sends out. This then contains code that then executes in the browser. This isn't just Internet Explorer's fault, it is the fault of the company that uses IIS to serve out its web pages. We have long since known that IIS is not secure, and yet still we have major sites that use this for their front end. I am not sure, but couldn't a reverse proxy stop this from happening at all? Aren't the major web sites responsible for serving out viral web pages? My problem is this: You cannot browse all of the web with only Mozilla. You must use IE to browse some sites, or they don't look right. The content is sometimes unreadable without IE. I agree that Mozilla is comparable. I use both. I recently designed a site for a company, and the hardest part was getting it to look right in IE, Mozilla, and Opera. But when it was done, I knew that it was done right. This is the problem. Web designers don't want to take the time to worry about standards compliance. The statistics still say that around 80% of all browsers are IE. Why would they need to worry that much? All of the people reviewing the sites are using IE (executives and marketing). We are not going to get all users, or even the majority of users, to switch to Mozilla; they have been using IE for years and, as some of you have said, some users still think that "E" stands for the internet. It is going to take time. What I think we really need is to stop relying on Microsoft to be the internet-facing web applications. They can be the business world's desktop, and even the enterprise servers, but they cannot continue to be the web-facing application servers.
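As an added illustration (not code from this thread or from popURL) of the two points raised above: the comment here describes a server appending a script-bearing footer to every HTML page and image it serves, and an earlier comment describes popURL/wget -S reporting the Server header, MIME type and size of a URL. The Python below does both over constructed sample responses: it parses the headers a popURL-style tool would show, then flags markup that trails the real end of an HTML document or JPEG, which is the footprint an injected server-side footer leaves. The sample responses and the "Microsoft-IIS/5.0" and "Apache/1.3.29" strings are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample HTTP responses (not real captures). They model the case the
# thread describes: a server that appends a footer carrying script to every
# document it serves, so the script lands after the page's or image's real end.
CLEAN_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.29\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 46\r\n"
    b"\r\n"
    b"<html><body>Welcome to the site.</body></html>"
)
FOOTERED_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Welcome to the site.</body></html>"
    b"<script>/* constructed placeholder for appended code */</script>"
)
FOOTERED_JPEG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0fake-jpeg-data\xff\xd9"  # SOI ... EOI marker
    b"<script>/* constructed placeholder */</script>"
)

def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into the fields a popURL-style tool reports."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "server": headers.get("server", "unknown"),
        "content_type": headers.get("content-type", "unknown").split(";")[0].strip(),
        "length": len(body),
        "body": body,
    }

def suspicious_footer(info: dict) -> Optional[str]:
    """Return a reason if active markup trails the document's structural end."""
    body = info["body"]
    if info["content_type"] == "text/html":
        end = body.lower().rfind(b"</html>")
        trailer = body[end + len(b"</html>"):] if end != -1 else b""
    elif info["content_type"] == "image/jpeg":
        end = body.rfind(b"\xff\xd9")  # JPEG end-of-image marker
        trailer = body[end + 2:] if end != -1 else b""
    else:
        return None
    if re.search(rb"<script|<object|<iframe", trailer, re.IGNORECASE):
        return f"{len(trailer)} bytes of markup after end of {info['content_type']}"
    return None

if __name__ == "__main__":
    for raw in (CLEAN_HTML, FOOTERED_HTML, FOOTERED_JPEG):
        info = parse_response(raw)
        print(info["server"], info["content_type"], info["length"], suspicious_footer(info))
```

A reverse proxy in front of the origin could run the same trailer check on responses before they reach users, which answers the comment's question about whether a proxy could stop this.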
and send it registered mail to your bank. Notify them that continued use of insecure servers, and requiring you as a customer to use an insecure web browser, could lead to a compromise of your personal data and a direct loss. It's not a threat, just a statement of actual, probable data. And if such an event occurs, that you would consider taking legal action against them. Maybe that will get their attention. And if you are a stockholder in the bank, or have a valuable mortgage there, or other serious business, it's even worse.
I don't do online banking but if I did and that was part of it, forcing me to *use* grade C products, and having to *trust* grade C products, at a place that HAS to consider "security threats" over almost anything else, I would have long ago called up and kvetched about it or sent a missive along the lines I have outlined.
Think about it, how many people would trust a bank if it had no doors, it was running in the seediest section of town with obvious scoundrels hanging around the entrance, the vault was open, no security guard in sight, and if they forced you to come in blindfolded, turn over the keys to your car to one of the characters hanging around the opening where no door is, and to trust whatever happened then to you and your money as you came and went? No one would put up with that, but in the cyberworld, that is *exactly* what is going on all the time with these insecure out-of-the-box office/internet "products" from that convicted monopolist corporation and with their co-opted and faked-out business "partners". You would THINK after the 983rd time something like this happened that they would have bought a clue or two. And it just gets worse, all the time; it hasn't gotten any better, just the exploits get better, and paying for the privilege of getting exploited costs more.
Good idea for a geek cyberbank, BTW, that runs only better quality open source, and refuses entrance with explorer browser, and gives a helpful page where to get the alternatives. Niche market, but I bet it would get decent business over-all.
That is how long I give Microsoft before they find themselves confronted by a revolution from their users due to their inability to deliver secure products.
... IS a 'revolution' from their users.
... but it is just as malicious to have written 5 different Operating Systems, in the last 20 years of computing science, which have continually allowed this circumstance to occur...
...
Every single Windows virus
Nothing says "I hate you Microsoft, I want to bring you down" more than a well-written Virus designed to bring the issue of extraordinarily poorly written and managed software releases to the attention of the world.
That this fact is ignored only proves that Microsoft's responsibility for this issue has been deflected, quite well, by their PR people, towards the Virus writers and away from the true culprits: Microsoft, Inc.
It is Microsoft's complete and utter lack of responsibility for the issue of Virus control and propagation which has resulted in this situation. Sure, it is malicious to write Virus code and let it loose on the 'net
Don't overlook this fact. Microsoft are the ones who are responsible for this condition, now. In the first 2 years of Virus problems, it was feasible to forgive them. But not now, after 20 years of 'product' from Redmond, in light of all the opportunities they had to truly resolve this issue
Punish Microsoft the only way that hurts: STOP using their "products".
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
We would instantly switch to using Firefox if they added support for proxy autoconfiguration via WPAD (either DNS- or DHCP-based WPAD would be fine). We have laptops that need to be able to pick up their proxy configs automatically since they roam between offices....
--
Time is on my side
with Netscape over ten years ago and stuck with it. I didn't switch to IE at first because I didn't want to. Then it became an issue of: Gates didn't pay for my computer, or the electricity to run it, so where does he get the idea he has any say in the software on it? Then I found Linux, Konqueror was cool, then Mozilla. My current box is dual boot, XP and RH9. In Windows I use Mozilla. The only time IE can be found is for update. No icons, no place on the start menu. I consider it a virus trap and treat it that way.
Professional Politicians are not the solution, they ARE the problem.
The quote is so rich, I think I'll include it.
CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions.
Goodbye, anti-competitive little nasty. IE was M$'s attempt to push its desktop monopoly into the web. I'm going to be so happy when I quit running into pages that ignorantly tell me they are best viewed in IE. With it will go a whole host of proprietary crap.
Friends don't help friends install M$ junk.
IE is crappy coded (it's closed-source, so there's no 'second opinion' on the code).
The number of "second opinions" on code has more to do with code review process than it does with whether the program is open-source. mozilla.org requires most new code to be reviewed by 2 people. I think that does more for the quality of the code than the wide availability of source code.
Of the 50 or so security holes I've found in Mozilla (see my resume for a link to the list), I only found 2 of them by looking at the source code. To be fair, other people have reported buffer overflows, overflowable integers used to determine the amount of memory to allocate, and other security holes they did find by looking at the code. Also, I chose to look for security holes in Mozilla rather than IE or Opera because Mozilla is an open-source project and I want it to succeed.
The shareholder is always right.
*Google shows a slight upswing in Gecko marketshare in the last couple of months
*Firefox 0.9 is an awesome release, and 1.0 promises to be a killer
*Mozilla foundation hires former Netscape marketing guy and also starts major grassroots marketing effort
*MSIE is hit with more security vuln's than ever before
*More and more mainstream tech news outlets start recommending firefox
*Microsoft is sufficiently scared to reconstitute MSIE dev team
Could this be the beginning of another round of browser wars??!!
And another dated June 24, 2004, at http://www.us-cert.gov/current/current_activity.h
Am I looking at the wrong advisories? Where does it actually say "Switch to the following alternative browsers"?
Folks:
I have been using a nice IE add-on called SlimBrowser. It has a lot of features and I have really come to like it. But I also have been using Firefox and noticed rendering is 2-3 times faster than IE/SB! I would love to move from SB to FF but I noticed I want certain features of SB that I haven't been able to find on Mozilla's website. Can anyone point me in the right direction and tell me where to download the right Windows extensions that can give Firefox the:
1) Ability of running any Windows shortcut or folder within the browser or explorer.
2) Autologin of websites (form filling-username, pass)
3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)
4) "Groups" of websites that open in tabs at the same time
5) In-line Flash/Advertising blocks (I noticed one of the Achilles' heels of FF is that it eats CPU like crazy when Flash is used on the page)
I would appreciate any help you can give me!
Well, considering that Internet Explorer is an "integral part of the operating system" they are only a hair shy of telling people to switch to an operating system that isn't vulnerable to so many damn critical remote vulnerabilities.
The advisory did mention that just changing browsers doesn't mean you're safe. It pointed out that IE may still be opened under certain circumstances or by other applications. So, yeah, it does seem like they're edging closer to saying it in plain English.
Man just email admin@site or ceo@site or director@site or better all of them.
:)
Send an email to the highest people there (not at once but in intervals of 24 hours).
Say how lousy the webdesigners are, and how 90% of other sites give users a choice - of using something other than IE.
Tell that there is a significant proportion of customers that run something else - including prominent figures and CEO of big companies.
I mean really embarrass them to the point they fire the mediocre MS-Frontpage-whores. And then whether they take action or not - just do yourself a favour and boycott the site.
I did that - it works wonders.
DON'T email the webmaster - email the big guys!
It's nice getting an apology from a Director and a promise of immediate action.
MSNBC.. Is Microsoft passively promoting open source/alternate source to squeeze a few easy minutes until the patch is released. Rushed patch nonetheless.
Write to their feedback page, letters to the editor, or ombudsman. Tell them: 1) their failure to mention that this only affects Windows users running IE needlessly worries people using other OSes and browsers, and 2) their failure to mention alternative browsers means they missed an opportunity to assist the general public on an important matter.
I did. I also did this a couple of years ago when some Windows virus came out (can't remember which one -- there are so many) and CNN failed to mention it was a Windows-only problem. The next time a major virus came out (I think it was a few weeks), I noticed that CNN actually mentioned that non-Windows users were not at risk.
Obviously, we need to keep reminding them.
Oh, and if you do, be polite!!!
(And if you already did, then good for you! And my apologies for implying you didn't.)
Gates fussy over security in Sydney
Couple of choice quotes:
"The Microsoft co-founder and one of the world's richest men is in Sydney today for a press appearance so tightly scripted and controlled it could have been orchestrated by US President George W. Bush's media office."
"At least the assembled do not have to submit their retinas or fingerprints for scanning - possibly because Microsoft can't come to grips with good security."
"Those running the market-leading open source Apache web server, who use desktop operating systems such as Mac OS X or GNU/Linux, or Windows web browsers other than Explorer (such as Opera or Mozilla) were inoculated from the virus."
There's quite a bit more, all fun reading.
Hal Spacejock: Science Fiction with Nuts
It has only been majorly exploited for 10 months. The fault goes back to 1995. We are lucky that our current population of hackers did not use it well before now. We are very lucky that we don't have a good population of hackers; most are script kiddies that don't know how to find these back doors and pick on them.
The big question is how many times it has been used to get information out of companies.
Basically it affects Win 95+. I still have to test IE6 SP1 to see if a JavaScript can still buffer overflow and crash the machine like it used to. But that one also worked from 1995 and was reported in 1995, 1996 and 1998 by me, same sample code, and no fix even in 6; I just have not tested 6 SP1 for it. Basically I have been wasting my breath telling them; they do nothing.
There is a short form of the response: you are not meant to code a web page like that.
My code did not follow coding rules correctly, yes, but a cracker does not have to follow rules; it just has to work. The funny part is that the code works flawlessly with Netscape and Mozilla, and Netscape created JavaScript (i.e. the standard).
Now I get into trouble because I hate Microsoft and people cannot understand why, i.e. you must be a zealot or something. No, I am not a zealot, I just hate people not fixing problems I report.
Also I wish people would stop reporting directly to Microsoft but start reporting in the press. It seems to be the only way to get them off their tail.
Please note a lot of problems inside IE extend back to them not following standards or breaking them for a practical reason (them controlling the market).
The most effective way to exploit this back door is to send an email containing an automatic direct link to the web site and install the spyware. Nice little IE flaw merged with a nice little Outlook Express flaw, creating access to a machine to extract data.
The cracker uses of this have been heavily overlooked for far too long. If you are using Outlook or IE, change now.
Now that's a funny thing to see on Slashdot. As it just so happens, I know the guy who serves the Kelley Blue Book site... This dude swears by Windows and all Microsoft products. I bagged on MS a whole bunch and this guy wouldn't hear it at all. I remember how, back in '98 or so, I mentioned to him that one day, MS's bullshit will come back to bite him in the ass, if he doesn't switch to something else. In fact, I was pissed when he told me stories about how many UNIX servers he replaced with Windows ones. What a crock of shit, I thought to myself. But yeah, now he's probably in a world of shit, and maybe he'll take my advice and switch.
Micro$COft. Software for the downtime-happy business.