Slashdot Mirror


Dept. of Homeland Security Says to Stop Using IE

LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News: 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."

54 of 1,069 comments

  1. DUPE!... well, mostly. by LostCluster · · Score: 3, Informative

    Been there, done that, got the t-shirt.
    We did this story on Sunday...

    However, in CowboyNeal's defense, both articles cited here were published after that story on Sunday, and we now have the news of Microsoft's rather weak reaction claiming that CERT didn't mean what we all saw them say and Mozilla's reaction that downloads are up since the first reports. Still, that's a Slashback, not a new story.

    1. Re:DUPE!... well, mostly. by arieswind · · Score: 5, Informative

      That was CERT's announcement, this is actually the Department of Homeland Security making this recommendation. 2 different organizations, same recommendation.

  2. Amazing...BTW, if you haven't used.. by Dagny+Taggert · · Score: 4, Informative

    Firefox, you need to do yourself a favor. Flawless pop-up blocking, the beauty of tabbed browsing...real standards implementation...the list goes on and on. Now, if only Windows would be declared a national security risk...

    --
    Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
  3. Firefox will install with 'power user' access by tabdelgawad · · Score: 4, Informative

    For those considering installing Firefox on Win2k PCs they don't have 'administrator' accounts on, I can report that it installs and works perfectly well from a 'power user' account. Perfect for those considering an installation on a work PC.

    You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.

    Happy browsing!

    --
    Imposing Libertarian views on everyone online since 1992.
    1. Re:Firefox will install with 'power user' access by bheer · · Score: 2, Informative

      Here's your Win32 zip - IIRC you can run this even on a guest account as long as you have access to some unzip software.

    2. Re:Firefox will install with 'power user' access by Unnngh! · · Score: 3, Informative
      Heck, you can even get an install of firefox that will fit on a 16MB USB key and requires no installation, and leaves little to no trace:

      http://johnhaller.com/jh/mozilla/portable_firefox/

    3. Re:Firefox will install with 'power user' access by GlassUser · · Score: 3, Informative

      A 'power user' still has admin rights, just not permissions to read other users' home directories. The 'power user' group in NT5 is pretty much worthless. You should be using only the administrator and user groups.

    4. Re:Firefox will install with 'power user' access by KingKurly · · Score: 3, Informative

      Your link is to 0.9 -- however, 0.9.1 came out earlier this week.
      The correct link is here: Firefox 0.9.1 (zip)

      --
      It was recently discovered that research causes cancer in rats.
  4. Re:If it's broke...well....we'll fix it later by jo42 · · Score: 5, Informative

    Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only hole they haven't plugged in months...

  5. Firefox, Mozilla and performance by Midnight+Thunder · · Score: 3, Informative

    I use Mozilla for most things, though on my Mac I increasingly use Safari, for the simple reason that I feel that Mozilla's rendering engine needs work. Gecko is slower at rendering pages than the engine powering Safari. Maybe had I a more recent computer I wouldn't notice the difference so much, but for many people this could be a sticking point. Some people I have spoken to still feel Mozilla and Firebird lose out against IE for just this reason. Other than that, I like the browser (Mozilla that is), and I am using the most recent release.

    --
    Jumpstart the tartan drive.
  6. A fix for IE?? by Sergeant+Beavis · · Score: 4, Informative

    Microsoft released a fix for this issue today. Basically it disables the ADODB.Stream object. However, it requires a regedit to implement. I imagine a hotfix is forthcoming. Still, Firefox and Mozilla don't suck at all, so people should at least use this as an excuse to give them a try IMO.

    --
    There is nothing inherently safe about liberty. That's why so many people died protecting it.
  7. Re:Bad Bureaucrat! Naughty! by Gropo · · Score: 4, Informative
    --
    I hate Grammar Nazi's
  8. Re:Who cares about security, by daringone · · Score: 3, Informative
    A more important question is, do Firefox and Mozilla format the webpages correctly?
    As long as the people writing the pages aren't intentionally hosing your browser...
  9. Firefox's Gestures by Ruonkrak · · Score: 4, Informative

    After making the switch to Mozilla Firefox and using it for two days, I'm hooked. I downloaded the All-in-One Gestures extension, and I can't for the life of me figure out how I ever lived without it. It's a whole new paradigm in browsing. This is another milestone in the MS exodus towards open source and Linux. Disclaimer: I do not work for Mozilla... just a satisfied user.

    --
    When I become an Evil Overlord: My ventilation ducts will be too small to crawl through.
  10. Re:Give advice to alternative browser newbies! by Osgyth · · Score: 2, Informative

    1. IMHO Firefox is cleaner and lighter

    2. I believe it will work when you set Firefox as the default browser

    3. Yes but you can set it to close when download is complete

  11. Re:If it's broke...well....we'll fix it later by mge · · Score: 4, Informative

    "In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

    Ummm... I don't think so.... here is a link to the US-CERT Vulnerability Note VU#713878 which (I think) is where this all starts. Go right to the bottom (OK, this is slashdot, so I'll cut-and-paste)

    Use a different web browser

    There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).


    The way I read that last sentence, CERT say you are not safe unless you get rid of the IE6 functionality.

  12. True.. but you're forgetting one thing. by El+Camino+SS · · Score: 4, Informative

    You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.

    NO ACTIVE X. That means no sneaky little programs in your system.

    The open source movement is well on top of issues like this... always have been.

    Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.

    Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.

    Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.

    1. Re:True.. but you're forgetting one thing. by Tackhead · · Score: 2, Informative
      > You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.

      Microsoft is always looking for ways to provide innovative solutions to our vic^H^H^Hcustomers:

      Perrin: Proof of concept to infect JPG files.

      TROJ_BMPAGENT: Infected BMP files:

      "The exploit involves a specially crafted BMP file that can allow code to run with the privileges of the impacted user. In the case of TROJ_BMPAGENT a.k.a. the Agent trojan, the user receives an email carrying the specially crafted BMP image file. When received on systems with IE 5 or IE 5.5 installed, viewing the BMP drops the file sys.exe to the root of drive C:\ and executes it."

      > Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.

      No argument there, except for s/EXPRESS//g.

      In the meantime, HomeSec recommends the use of Mozilla as a first line of defence against terrorists infecting your box with Islamic Militant Bukkake Kitten.

    2. Re:True.. but you're forgetting one thing. by bheerssen · · Score: 2, Informative

      I'd like to take this opportunity to point out something that is obvious, yet not often commented on.

      All of these programs suffer from the same vulnerabilities, namely those that affect the Internet Explorer rendering engine. Any program that uses this rendering engine is at risk of all sorts of nasty exploits. These programs include MSIE, Outlook, Outlook Express, Windows Explorer (really MSIE with a different skin) and any application that embeds the MSIE rendering engine.

      The problem, of course, is that Microsoft broke one of the fundamental rules applying to internet security when it allowed this rendering engine to execute remote code locally with all the privileges of the user running the program. In some cases, it even allows remote exploits to be run under system privileges. The chief vehicle for this ability is ActiveX, but there are other ways. This was done in the name of convenience and presentation with little to no concern for the privacy and security of their customers. To make matters worse, it was done in such a way as to be completely transparent to the user, such that the user often has no idea that a compromise occurred.

      When you compare that to the operation of other browsers (none of which take this bone-headed approach), it is small wonder that Microsoft is held in such low esteem by internet engineers and programmers alike.

      --
      (Score: -1, Stupid)
  13. Don't forget by CiXeL · · Score: 2, Informative

    We still have SCO.

    *breathes sigh of relief*

  14. Re:Give advice to alternative browser newbies! by pandrijeczko · · Score: 3, Informative
    In answer:

    1. Which of the two browsers is simpler / less bulky, Mozilla, or Firebox?

    Firefox is less bulky (about 5MB download) as it is just the browser. Mozilla also has an email/news client, chat client & HTML editor built in.

    2. Can either of them merge with Windows the way IE does?

    Not quite. A URL is really just a filetype determined by the file extension (.htm, .html, etc.) In Windows, you can point those (and other) filetypes to whatever applications you want - even when you install Mozilla/Firefox, it asks to be the default browser, in which case it will open most URLs, even from the run box.

    Unfortunately, Microsoft specific sites, like "Windows Update" never seem to open anything other than IE and seem to deliberately bork any other browser. Also, because IE essentially underpins Windows Explorer, you can never really weld in a 3rd party browser as tightly as IE.

    3. Does Mozilla still have that stupid "download manager"? How do I turn it off?

    There is a download manager that opens a smaller window for the files you are downloading. It has been improved in Firefox, it is not obtrusive particularly and I find it more useful to have it there than to not have it there. You can set it to download each file to a directory of choice or just have it download everything to one place you specify.

    Firefox is also themeable, has the Google search bar built in and a lot of pop-up blocking. It REALLY is a better browser, full stop.

    --
    Gentoo Linux - another day, another USE flag.
  15. lies, damn lies and statistics by BeerMilkshake · · Score: 3, Informative

    Any decrease in IE use as seen by your logs is not a true picture.

    Some of us Moz/FF/Op users set up our browsers to masquerade as IE, because -some- sites still seem to insist on it...

  16. To help convince non-techie users... by danielrm26 · · Score: 4, Informative

    Here's my piece I did on the topic about a week before the CERT announcement:

    http://www.dmiessler.com/reading/ie.html

    --
    dmiessler.com -- grep understanding knowledge
  17. How to get plugins to work by feepcreature · · Score: 2, Informative
    If you find some sorts of plugins don't work, there are instructions for fixing that on your windows box on the Mozilla Plugin Support Page. A longer list of FAQs is at http://plugindoc.mozdev.org/faqs/.

    This has information on plugins like: Adobe Reader, Java Plugin, Macromedia Flash Player, Macromedia Shockwave Player, QuickTime, RealPlayer 10, Windows Media Player, etc.

    --
    Paul "Say no to feeping creaturism"
  18. Re:Give advice to alternative browser newbies! by ViolentGreen · · Score: 2, Informative

    I don't want something slow loading, bloated with features, and overcomplicated. You know, IE.

    IE is a lot of things but I don't see how you can say that. IE is very fast loading on every system I have used it on because of the fact that it is so integrated with the OS. IE loaded much faster than the 0.8 build of firefox. The 0.9x build is much faster but I haven't compared it with IE.

    What feature bloat are you talking about with IE? The tabbed-browsing? The pop-up blocking? No, it has neither. IE browses and that's it.

    And finally, what exactly is over complicated about it? The only thing that I can possibly think of is the "Advanced" tab in the preferences. It is called "Advanced" for a reason. Most users do not need to modify anything in that tab. Most features that users will need are on the first tab in the preferences.

    Firefox is a much superior browser and IE has a lot of flaws but you didn't hit on any of them.

    --
    Not everything is analogous to cars. Car analogies rarely work.
  19. Re:Its About time by RoLi · · Score: 3, Informative

    IE has been discontinued on MacOS, too.

  20. Re:LOL! Are you kidding me? by Anonymous Coward · · Score: 1, Informative

    > If the open source people are on top of things, why does it seem that there is always a new OSS exploit every week?

    You've missed the point - the notifications are what show that OSS folks are on top of things. As soon as a vulnerability is known, it's published, along with a workaround so people can defend against it until it's patched.

    Compare/contrast with closed-source companies that try to hide evidence of exploits until they're fixed, and preferably, until well after the servicepack that fixes it has been released (with ALL NEW FEATURES! to get their customers to upgrade). Customers never know there was a problem, which is NOT the same as saying there was no problem to begin with.

    Good PR != good vulnerability management.

  21. Re:Its About time by Anonymous Coward · · Score: 1, Informative

    A broken clock is right twice a day.

    Not if it is an electronic display clock or 24 hour time cycle clock.

    Served.

  22. Mozilla is vulnerable too by stecoop · · Score: 4, Informative

    Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines

    Did anyone RTFM from the Yahoo link. It says at the very bottom that Mozilla is vulnerable too. I use Mozilla myself but it appears that the real culprit is ActiveX which you can install on Mozilla. I don't think this plug in will work on platforms other than windows so it's really a platform issue.

    1. Re:Mozilla is vulnerable too by Anonymous Coward · · Score: 5, Informative

      Uh, it is reported that the trojan only automatically installs itself with IE. For other browsers, you have to download and run a GIF image that is disguised as an EXE with the infamous double-extension social engineering trick.

      Did you read the page you linked to?
      This plugin is included with Netscape 7.1, and is configured to only work with the Windows Media Player control.
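
Added example (not part of the original comment): the double-extension trick mentioned above can be caught by comparing a file name's last extension with the one just before it. This Python check is a sketch; the extension lists, the function name `double_extension` and the sample file names are assumptions made for illustration.

```python
import os

# Extensions Windows will execute when the file is opened (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a user reads as "just a document or picture" (illustrative).
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".bmp", ".png", ".txt", ".doc", ".pdf",
              ".htm", ".html", ".zip", ".mp3"}


def double_extension(filename):
    """Return (decoy_ext, real_ext) if an executable extension hides behind a
    harmless-looking one, otherwise None."""
    # Accept Windows or POSIX paths and keep only the file name.
    name = os.path.basename(filename.replace("\\", "/"))
    # Windows ignores trailing dots and spaces when it resolves a file name.
    name = name.rstrip(" .")
    stem, real = os.path.splitext(name)
    real = real.lower()
    if real not in EXECUTABLE_EXTS:
        return None
    # Padding between the two extensions pushes the real one out of view
    # in a narrow dialog or list column.
    stem = stem.rstrip(" _\t")
    _, decoy = os.path.splitext(stem)
    decoy = decoy.lower()
    if decoy in DECOY_EXTS:
        return (decoy, real)
    return None


def flag_suspicious(filenames):
    """Return the subset of filenames that use the double-extension pattern."""
    return [f for f in filenames if double_extension(f) is not None]


# Constructed sample names, as they might appear in a download or attachment log.
SAMPLE_NAMES = [
    "kitten.gif.exe",
    "invoice.pdf        .scr",
    "C:\\Temp\\photo.JPG.EXE ",
    "setup.exe",
    "archive.tar.gz",
    "report.v2.exe",
]

if __name__ == "__main__":
    for n in flag_suspicious(SAMPLE_NAMES):
        print("suspicious:", repr(n), double_extension(n))
```
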
    2. Re:Mozilla is vulnerable too by Anonymous Coward · · Score: 1, Informative

      The real question is "can you read?"

      On the mozilla ActiveX plugin* it clearly says:
      "which can be a security risk"

      How much more handholding do you want Mozilla to do? Do you want the developers to look over your shoulder and tell you whether each individual page is safe or not.

      You have to download and manually install a plugin marked dangerous to make Mozilla vulnerable!

      * NOT INCLUDED BY DEFAULT, SO YOU SPECIFICALLY HAVE TO DOWNLOAD AND INSTALL IT MANUALLY.

  23. link to the US-CERT announcement by tcyun · · Score: 4, Informative

    a link (http://www.kb.cert.org/vuls/id/323070) to the US-CERT pub recommendation. It is also interesting to note that the suggestion to "use a different web browser" is the last offered (see section III. Solution).

  24. Re:Now if only Mozilla (or FireFox) was faster!!! by green+pizza · · Score: 2, Informative

    Considering normal computer replacement cycle is 3-4 years

    I wish this were the case everywhere. In most of the businesses I work with, the upgrade cycle is about 4-6 years depending on the scope of the project and the machine's use. Desktop office PCs tend to be upgraded every 4 years, project-specific machines every 6. Very specific setups, when usually not connected to the LAN, often never get upgraded. It "just works".

    Security patches are deployed fairly quickly. OS updates are rare and generally occur at the start of a new project. Right now, XP SP1 is the most common on the office desktop, but Win2K is very close behind. For most existing projects, Win2K is pretty much the standard. Some projects nearing their end are still on NT4 SP6 (thank heavens for our good network security). A couple of the smaller businesses still have a lot of Win98 (ack!) but most jumped to NT4 or better a long time ago.

    Keyboards, mice, and monitors typically aren't hard to request as needed, but a full system upgrade is like pulling teeth. Exception: receptionists. They generally have a new Dell with a 20" LCD. (Or 17" LCD iMac G4). Their machines are updated often. They generally spend their days forwarding email poems and chain letters to their friends. What a lovely world.

  25. Re:Profit by Anonymous Coward · · Score: 1, Informative


    is your friend. use it next time, or post in "plain old text" mode

  26. Re:Yeah Right by armypuke · · Score: 5, Informative

    Same here in the Army. But you are expecting a LOT if you think that the military will change the web browser overnight.

    First a committee/team has to be put together to verify the recommendation not to use IE. Then an alternative will have to be selected. This means another committee/team will have to determine what the alternatives are. Once the alternative web browsers are identified, they will have to be tested to make sure how secure and compatible they are. This testing can vary depending on how in-depth they go and how soon they realize that a large number of military web sites are IE only!! Once a replacement browser is selected, a Plan of Action has to be determined to figure out how the new web browser will be installed and how the completed installation is reported back up the chain of command. Once all of this has been completed, it will then be briefed to the head shed at the Pentagon who will then make some modifications before giving an order that all computers have a new web browser installed.

    This doesn't take into account any turf battles that may come up during this process, fixing all of the IE only military web sites, complaints and stubborn refusal from users (IE will have to be completely removed otherwise people will still use it), all of the modifications to the Plan of Action as it goes down the chain of command, the several weeks it will take for each DOIM and unit to figure out how they are going to implement the Plan of Action, DoD civilians.....

    It should take the military a few months to install a new web browser.....

    --
    Army of One!
  27. Re:Give advice to alternative browser newbies! by the_crowbar · · Score: 3, Informative

    Ok here is a little more detail:

    1) Firefox is lighter

    2) Whatever browser is set as the default is what the Run box will open. Firefox will never be as integrated as IE, but that integration is part of the problem. It is a good thing. Open Firefox from an icon and use it as just a web browser, not as a file browser, desktop viewer, whatever else IE wants to be.

    3a) In Mozilla you can disable the download manager by going to Edit->Preferences. Under the Navigator section select Downloads. On the right side of the screen you can choose Download Manager, Progress Dialog, or nothing for downloads.

    3b) Under Firefox (0.9.1) you can turn off the Download Manager, but the alternative is no Progress Dialog of any kind. To do this go to Edit->Preferences. Select Downloads on the left. On the right side set the download folder to whatever you want and then look at the settings for the download manager.

    This is all from a Linux box, but the settings for the Windows version of Mozilla and Firefox should have identical settings.

    I have never been able to use WindowsUpdate from Mozilla. Of course even if you uninstall IE from XP or 2000 all the parts of it are still there, just the icon is gone.

    HTH
    the_crowbar

    --
    Have you read the Moderator Guidelines
  28. Re:Bad Bureaucrat! Naughty! by MikeXpop · · Score: 5, Informative

    http://johnkerry.com was running Apache on Linux when last queried at 26-Jun-2004 10:33:54 GMT

    http://georgewbush.com was running Microsoft-IIS on Windows 2000 when last queried at 25-Jun-2004 13:05:27 GMT

    --
    Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
  29. CERT gave the warning nearly a month ago by Anonymous+Writer · · Score: 4, Informative

    The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.

    CERT gave the warning on June 10. BBC reported this on June 14.

  30. Re:Let's turn this around, shall we by RoLi · · Score: 3, Informative
    Apache has sustained much more "pressure" and has a very good security track record - just like Mozilla by the way.

    Open Source software can be (and often is) of better quality, especially when it comes to security.

    The only "security issues", I've heard about Mozilla were about reading files or crashing - and those were instantly fixed. IE is so flushed with real grave security holes (like "take over computer") that crashing or reading files isn't even worth reporting, never mind fixing.

    Microsoft usually does nothing unless there is an exploit - then maybe they do something - or (like with IE lately) they still don't do anything unless the exploit is used by a lot of people.

  31. Re:If it's broke...well....we'll fix it later by Satan+Dumpling · · Score: 2, Informative

    If you wanna test, this ebay page has the Scob virus... http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&cate gory=48685&item=5705210428

  32. Re:Yeah Right by sehryan · · Score: 3, Informative

    NOAA has also told its employees to stop using IE. Unfortunately for us, though, Netscape 4.7 is the only other browser that is default installed (goes with the mail client), so now everyone is using that, and wondering why all the pages suddenly look like crap (we stopped designing for 4.7 a year ago). There was a rumor that we are being upgraded to NS7.2, but I have yet to hear any further details.

    --
    The world moves for love. It kneels before it in awe.
  33. Re:If it's broke...well....we'll fix it later by cayenne8 · · Score: 3, Informative
    "Doesn't the click-wrap license agreement stipulate that you agree to "indemnify and hold harmless" (or however it's phrased) Microsoft, such that you don't have recourse to lawsuit?"

    Yeah, but, wasn't it just a few weeks ago, that a company got out of legal problems involved with privacy (an airline?), because they argued that most of the plaintiffs probably did not read the privacy statement they clicked to agree with....and therefore it wasn't binding.

    Well, if that works in reverse...just claim you never read those click through EULA's.....and therefore aren't bound by them...and so you can sue.

    Seems fair....?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  34. Hate to bust your bubble... by david_reese · · Score: 3, Informative

    * Valenti gets the boot.

    Sure, but he's been replaced by another DRM-lover. Trust me, there's no clue coming to the MPAA.

    * AU sets up a free CA.

    Ok, I'll agree with you about this bit of good news... once I see it in IE's default CA list.

    * European software patents are being rejected.

    Wrong. The Dutch reversed their vote. This does not *yet* invalidate them, although it is a good start... keep the pressure up on your EU representatives!

  35. A patch has been released. by SpaceCadetTrav · · Score: 3, Informative

    This patch disables ADODB.Stream, which should eliminate any vulnerability. You can download it here: http://support.microsoft.com/default.aspx?kbid=870669
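
Added example (not part of the original comments, and not Microsoft's code): comments 6 and 35 describe the fix as a registry change that disables ADODB.Stream in IE. The Python sketch below reads a `reg export` of IE's "ActiveX Compatibility" key and reports whether that kill bit is present; the CLSID and the 0x400 flag are the documented ADODB.Stream kill-bit values rather than values taken from this page, and the sample exports are constructed.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from instantiating the control
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-f]{1,8})$', re.I)


def parse_compat_flags(reg_text):
    """Map each CLSID subkey of "ActiveX Compatibility" in a .reg export to its flags.

    A subkey with no "Compatibility Flags" value is reported with flags 0.
    Note: regedit writes exports as UTF-16, so read the file with encoding="utf-16".
    """
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            parent, _, leaf = key.group("path").rpartition("\\")
            if parent.upper().endswith(COMPAT_KEY.upper()) and leaf.startswith("{"):
                current = leaf.upper()
                flags.setdefault(current, 0)
            else:
                current = None  # some other key; ignore its values
            continue
        value = _FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group("val"), 16)
    return flags


def kill_bit_status(reg_text, clsid=ADODB_STREAM_CLSID):
    """Return "set", "not set" (key present, bit clear) or "missing" (no key)."""
    flags = parse_compat_flags(reg_text).get(clsid.upper())
    if flags is None:
        return "missing"
    return "set" if flags & KILL_BIT else "not set"


# Constructed sample exports (not captured from a real machine).
PATCHED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400
'''

UNPATCHED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]
'''

OTHER_FLAGS_ONLY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00aa006d2ea4}]
"Compatibility Flags"=dword:00000020
'''

if __name__ == "__main__":
    for label, text in (("patched", PATCHED), ("unpatched", UNPATCHED),
                        ("other flags only", OTHER_FLAGS_ONLY)):
        print(label, "->", kill_bit_status(text))
```

The kill bit only stops IE and other MSHTML hosts from creating the object; as the CERT text quoted in comment 11 notes, other programs may still invoke IE components.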

  36. Re:Closed captioned for the PR impared by Beryllium+Sphere(tm) · · Score: 4, Informative

    http://www.kb.cert.org/vuls/id/323070 says in boldface "Use a different web browser".

    I don't think the media misreported that.

  37. Re:If it's broke...well....we'll fix it later by johnnyb · · Score: 3, Informative

    The problem is that OEMs are not free to change the browser. If you are a Microsoft OEM, you CANNOT replace IE at all. This is the root of the problem. Computers are bought as a package deal from OEMs, and Microsoft has prevented OEMs from including competitive software in the default installs.

  38. Re:Stupid Question: Why Scripting, ActiveX, Java? by CyberGarp · · Score: 3, Informative

    Yes, there are good reasons to have Java/ActiveX on a web page. E.g. on an internal private network, where you have trusted users and want things like signature pads uploading signatures to a database. Or how about on a public network, there is a wonderful tool to trace a route with a cool picture of the globe (but this is done without violating network security).

    With Java you have to actively accept the dismantling of security, if someone clicks yes to trusting an unknown source then they will get an ugly lesson in trusted computing. With ActiveX it comes out of the box with no security and one has to actively enable security. Given the majority of home users are never going to do this, and the majority are using Windows, a massive ripe resource for worms/viruses/spammers exists. Active X suffers from fundamental security flaws, and is going to cost Microsoft a lot to fix the damage to reputation and loss of customers.

    --

    I used to wonder what was so holy about a silent night, now I have a child.
  39. Re:Yup, they sure did! by Just+Some+Guy · · Score: 2, Informative
    Ironically, it doesn't display Slashdot right sometimes, either.

    Slashcode spits out incredibly bad HTML. Don't take my word for it - paste the source into a validator sometime to see for yourself. Given that, it's not meaningful to say that any given browser "doesn't display Slashdot right" since there's no clear answer to how it's supposed to appear.

    Slashdot's a great site, but no one's ever praised it for the beautiful HTML. It's just kind of one of those things.

    --
    Dewey, what part of this looks like authorities should be involved?
  40. Re:Bad Bureaucrat! Naughty! by 1010011010 · · Score: 2, Informative


    the second richest man in the world, Warren Buffett, has thrown his weight behind the [Kerry] campaign.

    Would ya look at that... the super-rich backing their home boy. Of course, eight of the 10 richest Senators are also Democrats...

    They must be the "party of money."

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  41. Re:SQUID proxy configs for Firefox??? by YetAnotherDave · · Score: 2, Informative

    Howto - Browser version control with the Squid HTTP cache
    http://www.clavister.com/support/kb/10026/

    googled for 'squid user-agent' - result # 23 or so.

    I haven't tested this, please reply to this thread with your results

  42. How to disable IE by gilgongo · · Score: 2, Informative

    I got the following batch files off the net somewhere, and it seems to work for Win2K and probably XP. To disable IE, run:

    @echo off
    rem Disable IE: move IEXPLORE.EXE aside and put a directory of the same name in its place.
    C:
    cd "\Program Files\Internet Explorer"
    if not exist IEXPLORE.EXE goto End
    if exist IEXPLORE.EX_ del IEXPLORE.EX_
    if not exist IEXPLORE.DIR md IEXPLORE.DIR
    if not exist IEXPLORE.DIR goto End
    attrib -r -h -s IEXPLORE.EXE
    ren IEXPLORE.EXE IEXPLORE.EX_
    rem Stop here if the rename did not succeed.
    if exist IEXPLORE.EXE goto End
    rem The directory now occupies the IEXPLORE.EXE name.
    ren IEXPLORE.DIR IEXPLORE.EXE
    echo IE disabled.
    echo If prompted, click "Cancel" then "Yes" on File Protection restore.
    echo Run enable-ie.bat to allow IE to run again.
    :End

    It still runs if you put a URL into a window bar though, but if your alternative browser is the default browser then it'll launch for everything else.

    To re-enable Bill's little helper:

    @echo off
    rem Re-enable IE: remove the placeholder directory and restore the saved executable.
    C:
    cd "\Program Files\Internet Explorer"
    if not exist IEXPLORE.EX_ goto End
    if not exist IEXPLORE.EXE goto Activate
    attrib -r -h -s IEXPLORE.EXE
    rd IEXPLORE.EXE
    if exist IEXPLORE.EXE del IEXPLORE.EXE
    :Activate
    ren IEXPLORE.EX_ IEXPLORE.EXE
    echo IE enabled.
    :End

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  43. I.E. Active X object, not just any HTML renderer by Teancum · · Score: 3, Informative

    That is not what they are talking about. Internet Explorer allows you to embed IE inside of another application. You can even put a different name on the taskbar and call it another application, even with your own icon. In theory, some scam artist could write their own "web browser" in about 15 minutes. The problem here is that you really are using Internet Explorer, even if you are claiming to be some other application.

    More often this is used in applications like AOL (IE is the default browser in AOL), where they use this ActiveX component to display web content. I think AOL uses their own e-mail system, however. You can also see this in the Real Player application, again if they are going to display web content instead of playing music or an audio/video clip. (Try this if you have Real Player.) Other applications also use this, in things like About boxes or even a cool splash screen when you start an application. Sometimes they even do full TCP/IP http requests for content, including machine-specific data. A good security hole if I ever heard of one, and a cheap and easy spy app as well.

    Mozilla does not use the I.E. rendering engine... they have their very own, so they don't need it. A while back it was a common task for CS instructors to assign students to make their own HTML rendering engine. I wrote one myself just to see if it could be done. Not a beginner task, but still something well within the capabilities of any recent CS college graduate (if they actually taught you anything).

  44. Basically... by Svartalf · · Score: 2, Informative

    They're redirecting all the common worm and trojan exploit attempts for IIS to MS' website. Nice.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  45. Here's a report from the field to the home office: by Anonymous Coward · · Score: 1, Informative

    I work in the IT industry as a system/network administrator at a large hospital during the day and I do part time work at night and on the weekends doing internet installs for the local ADSL, FTTH and Cable internet service providers.

    The hospital I work at has a "good" security section with proxy, firewall, SMS server, intrusion detection, all the gee-wiz-bang security tools that you would expect an organization liable to the tune of $25k per privacy violation (thanks to HIPAA) to have. Still, I have to deal, on a daily basis, with computers that have spyware installed on them. Not only that, but when the Blaster worm hit (and remember, we had all these security tools prior to its arrival), it still managed to wriggle its way on to our network and, in less than 5 minutes, infect every vulnerable computer. My standard response is to reimage any desktop that is found with spyware, virus or worm as a matter of policy. For instances of spyware, I consider this to be punishment for the miscreant behind the keyboard (very likely a "smart" person with a PhD or MD). For the other, non-user-initiated instances, we are currently looking at PXE booting our Windoze desktops from a solid, known-good image each and every time the user starts up their desktop. We have a gigabit backbone, so we can get away with this. I think the long term decision that needs to be made, however, is to remove windows from the equation entirely.

    Now, on to that part-time moonlighting gig. First, I decided to do this to get a better understanding of how users operate at home vice work (with the hope that it would lead to some insight about why things go wrong at work). Second, the pay was good if done right. I discovered that home users are completely insane with regard to security. About 10% to 15% of the users' desktops I encounter have IE so completely dorked up beyond recognition as a functioning browser that I *MUST* manually download mozilla from the command prompt to get the user through the web based section of the sign-up process. Another +30% of the users have marginally functioning browsers with fairly benign malware (pop-ups, web page redirection, unwanted browser plug-ins, lowered volume modem dialing scamware, etc.). I have a time limit on my installs (user needs to be signed up within at least 20 minutes or else it's not economically worth my while to be out there); so, I usually point them at mozilla.org before I leave. There is a certain large percentage of users (say between 3% to 5%) whose computers are so thoroughly fscked that I will just walk away from the install after demonstrating, with my laptop, that their internet connection works, but their windoze computer doesn't. To these poor, unfortunate folks, I hand them a live CD distro before I leave.

    If you do the math, over half of home Windows users are fscked to some degree. Now I understand why call centers are being farmed out to India. It just simply isn't a matter of cheaper labor; it's actually an economic necessity in light of Windows market share.

    I think that Microsoft, in its desperation to "get" the internet, made some really bad design and business decisions that will end up truly demonstrating that they didn't "get" the internet at all.

    The other half of the equation, which has not been tested, is the curse of market share. It will be very interesting to see, over time as the Open Source market share starts to re-take the browser and overtake the desktop, how the open source community patches and updates flawed software (fortunately, Microsoft has demonstrated some good ideas that didn't work; maybe, with a little luck, the Open Source community will learn from these mistakes and either correct the fundamental flaw(s) or build something better). Regardless of all the drivel that comes out of Open Source advocates' mouths, this will be the single feature that defines the difference between Open Source and Microsoft.