Slashdot Mirror
CERT Recommends Mozilla, Firefox
EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."
Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."
CERT's recommendation usually is to download the patch. However, since this hole has an exploit in the wild, and there isn't a patch to be found... use something else is the only recommendation left to issue.
Mac, Linux and other non-Windows operating systems are immune from this attack.
At least he said "this attack" instead of "attacks".
but joe user wont read this or know about it. too bad eh?
the only way is to hijack people's computer, install a real broswer, and put the IE icon on it.
I love Firefox but I have to use IE for a few sites, maybe this will force these last few sites to step up and get their sites working with other browsers.
Nothing annoy's me more than to get a message that my browser is not supported when I visit a page!
Good recommendation from CNET. I am a windows user (mostly) and get a chance to use unix boxes only at work. if using a web-browser, IE was the default choice since it's bundled with windows. I installed opera, netscape but they had issues loading a couple of webpages. I then tried mozilla but it was too slow. I then tried avant browser and it worked wonders albeit for a short period of time. The popup's were still coming, and there isn't a shortcut for opening a new tab. Finally, I moved on to Firefox 0.8 and 95% of the time, I am a die-hard user of firefox.
I now use IE only to open my native language webpages since they aren't encoded properly in firefox. I would be grateful to anyone if they can show me how to open www.eenadu.net in Firefox. The native language is Telugu, if anyone needs it
V
Yes. But now it is easier for me to go to my boss and recommend we move all browsers to Mozilla. He used to think Internet Explorer == Internet. I have shown him the way.
There are first malicious programmers that try to infiltrate mozilla users. An example ist http://xxxtoolbar.com/ (sexually explicit!) that tries to install an "toolbar" per XPI. Fortunately this needs an Win32 system and a users who clicks without thinking.
Have you ever seen an signed mozilla extension?
and send it registered mail to your bank. Notify them that continued use of insecure servers, and requiring you as a customer to use an insecure webrowser, could lead to a compromise of your personal data and a direct loss. It's not a threat, just a stement of actual, probable data. And if such an event occurs, that you would consider taking legal action against them. Maybe that will get their attention. And if you are a stockholder in the bank, or have a valuable mortgage there, or other serious busines, it's even worse.
I don't do online banking but if I did and that was part of it,forcing me to *use* grade c products, and having to *trust* grade c products, at a place that HAS to consider "security threats" over almost anything else, I would have long ago called up and kvetched about it or sent a missive along the lines I have outlined.
Think about it, how many people would trust a bank if it had no doors, it was running in the seediest section of town with obvious scoundrels hanging around the entrance, the vault was open,no security guard in sight, and if they forced you to come in blindfolded, turn over the keys to your car to one of the characters hanging around the opening where no door is, and to trust whatever happened then to you and your money as you came and went? No one would put up with that, but in the cyberworld, that is *exactly* what is going on all the time with these insecure out of the box office/internet "products" from that convicted monopolist corporation and with their co-opted and faked out business "partners". You would THINK after the 983rd time something like this happened that they would have bought a clue or two. And it just gets worse, all the time, it hasn't gotten any better, just the exploits get better, and paying for the privelege of getting exploited costs more.
Good idea for a geek cyberbank, BTW, that runs only better quality open source, and refuses entrance with explorer browser, and gives a helpful page where to get the alternatives. Niche market, but I bet it would get decent business over-all.
We have a problem: grep doesn't exist on any computer that has a lot of browsing activity.
(Please go easy on me, it's a joke.)
Later,
Patrick
1. Get Firesomething extension for Firefox 0.9
2. In the dialog box, remove "Mozilla" vendor and add "Microsoft". Remove all prefixes also and add "Internet". Remove all names and add "_Explorer" (substitute the underline for a leading space). Enable the "single name mode". Apply.
3. While you are at it, get the Luna Blue 0.4 theme from http://www.intraplanar.net/projects/lunablue/
4. Adjust the icons so they look really like explorer. The order should be back, forward, STOP, RELOAD, home, separator, favourites, history, separator, mail, print
5. Rename the shortcut to "Internet Explorer" and change the icon to the blue "e" (do this on the Desktop and Quick Launch bar as well)
6. Never again worry about worms.
Dear aunt, let's set so double the killer delete select all
This particular vulnerability has been patched for two months (MS04-011). Had the administrators applied that patch when it becase available this would have been half fixed. Then all you'd need to do is get an IE fix. And then that would be the end of this particular issue. Since the patch existed before any known use of the exploit, the blame is squarely on the shoulders of two groups: (1) the malware author(s) themselves; and, (2) the lazy sysetm administrator too slow or stupid to deploy the patch in a timely manner.
Really, this is an issue settled by termination of the employee responsible for not keeping a good record of patches and updates. Of course, that still leaves the IE problem, but with the IE team recently recreated, probably for Longhorn, but perhaps they're therer just to release an update to IE to fix this type of crap, we may see the end of these types of things. If only people would quite exploiting innocent code... Sadly, people left to their own devices will revert to base and vile activities, then add in the anonymity of the internet, you get the jerks who think it's fun to spoil the party for everyone.
The shareholder is always right.
Explain please.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
> Can anyone point to a single free software worm that auto propagated?
How about the lion and ramen worms from 2001? Or how about the fact that someone is trying to convince phatbot/agobot to compile on Linux?
Free software is not impervious to worms. However, due to the diversity of systems, it tends to be far more difficult to write a single exploit.
Then again, Free Software tends to have patches pretty quickly, too. Where's Microsoft with the patch for this latest pair of vulnerabilities in IE?
1 Ability of running any Windows shortcut or folder within the browser or explorer.
Firefox is a web browser. Are your computer running a web server, and if not, why would you expect your web browser to be able to 'explore' your folders in the browser view?. Try "Open file". There, you can "explore" and "open" at your leisure.
2) Autologin of websites (form filling-username, pass)
Security hazard. I don't care how much you think this is a great idea; it isn't. Sometimes us developers must protect you against yourselves.
3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)
I just put all the search engines I like in a HTML-page that is my default page. What you want is trivial to do in Opera BTW, and probably in FF too (after all, there's always the source, worst case).
4) "Groups" of websites that open in tabs at the same time
This is standard. Are you trolling? Open bookmark folder, click "Open in tabs". What a waste of time.
5) In-line Flash/Advertsing blocks
Plugin: Adblock
"So how do you explain that it is IIS and not apache that is being attacked?"
[*] Apache is more secure than IIS. That's a fact, but it's different to saying that all open-source software is more secure. It certainly doens't prove that linux is more secure than windows (although other evidence certainly does)
[*] Apache runs more websites, but lots of those are on the same computer. My website runs on the same Apache server as 2782 other websites. My sourceforge websites run on the same Apache server as 83000 other websites. Domain-squatters run tens of thousands of "websites" from one Apache server. So you only need one competent admin, and suddenly thousands of Apache websites are secure.
[*] I think IIS can tend to expose more services than Apache -- most people setting up Apache are running an HTTP or HTTPS server, and they think long and hard and read documentation before expanding it to run more services than that. I've not used IIS, but I imagine that it's easy and tempting to run everything from windows workgroups to DNS to email servers at the click of a checkbox and without any need to understand what's being created. Perhaps there's a lack of care among IIS admins contributing to the problem?
Write to their feedback page, letters to the editor, or ombudsman. Tell them: 1) their failure to mention that this only affects Windows users running IE needlessly worries people using other OSes and browsers, and 2) their failure to mention alternative browsers means they missed an opportunity to assist the general public on an important matter.
I did. I also did this a couple of years ago when some Windows virus came out (can't remember which one -- there are so many) and CNN failed to mention it was a Windows-only problem. The next time a major virus came out (I think it was a few weeks), I noticed that CNN actually mentioned that non-Windows users were not at risk.
Obviously, we need to keep reminding them.
Oh, and if you do, be polite!!!
(And if you already did, then good for you! And my apologies for implying you didn't.)
Gates fussy over security in Sydney
Couple of choice quotes:
"The Microsoft co-founder and one of the world's richest men is in Sydney today for a press appearance so tightly scripted and controlled it could have been orchestrated by US President George W. Bush's media office."
"At least the assembled do not have to submit their retinas or fingerprints for scanning - possibly because Microsoft can't come to grips with good security."
"Those running the market-leading open source Apache web server, who use desktop operating systems such as Mac OS X or GNU/Linux, or Windows web browsers other than Explorer (such as Opera or Mozilla) were inoculated from the virus."
There's quite a bit more, all fun reading.
Hal Spacejock: Science Fiction with Nuts