Slashdot Mirror


Dept. of Homeland Security Says to Stop Using IE

LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News: 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."

35 of 1,069 comments

  1. DUPE!... well, mostly. by LostCluster · · Score: 3, Informative

    Been there, done that, got the t-shirt.
    We did this story on Sunday...

    However, in CowboyNeal's defense, both articles cited here were published after that story on Sunday, and we now have the news of Microsoft's rather weak reaction claiming that CERT didn't mean what we all saw them say and Mozilla's reaction that downloads are up since the first reports. Still, that's a Slashback, not a new story.

    1. Re:DUPE!... well, mostly. by arieswind · · Score: 5, Informative

      That was CERT's announcement, this is actually the Department of Homeland Security making this recommendation. 2 different organizations, same recommendation.

  2. Amazing...BTW, if you haven't used.. by Dagny+Taggert · · Score: 4, Informative

    Firefox, you need to do yourself a favor. Flawless pop-up blocking, the beauty of tabbed browsing...real standards implementation...the list goes on and on. Now, if only Windows would be declared a national security risk...

    --
    Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
  3. Firefox will install with 'power user' access by tabdelgawad · · Score: 4, Informative

    For those considering installing Firefox on Win2k PCs they don't have 'administrator' accounts on, I can report that it installs and works perfectly well from a 'power user' account. Perfect for those considering an installation on a work PC.

    You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.

    Happy browsing!

    --
    Imposing Libertarian views on everyone online since 1992.
    1. Re:Firefox will install with 'power user' access by Unnngh! · · Score: 3, Informative
      Heck, you can even get an install of firefox that will fit on a 16MB USB key and requires no installation, and leaves little to no trace:

      http://johnhaller.com/jh/mozilla/portable_firefox/

    2. Re:Firefox will install with 'power user' access by GlassUser · · Score: 3, Informative

      A 'power user' still has admin rights, just not permissions to read other users' home directories. The 'power user' group in NT5 is pretty much worthless. You should be using only the administrator and user groups.

    3. Re:Firefox will install with 'power user' access by KingKurly · · Score: 3, Informative

      Your link is to 0.9 -- however, 0.9.1 came out earlier this week.
      The correct link is here: Firefox 0.9.1 (zip)

      --
      It was recently discovered that research causes cancer in rats.
  4. Re:If it's broke...well....we'll fix it later by jo42 · · Score: 5, Informative

    Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only hole they haven't plugged in months...

  5. Firefox, Mozilla and performance by Midnight+Thunder · · Score: 3, Informative

    I use Mozilla for most things, though on my Mac I increasingly use Safari, for the simple reason that I feel that Mozilla's rendering engine needs work. Gecko is slower at rendering pages than the engine powering Safari. Maybe had I a more recent computer I wouldn't notice the difference so much, but for many people this could be a sticking point. Some people I have spoken to still feel Mozilla and Firebird lose out against IE for just this reason. Other than that, I like the browser (Mozilla that is), and I am using the most recent release.

    --
    Jumpstart the tartan drive.
  6. A fix for IE?? by Sergeant+Beavis · · Score: 4, Informative

    Microsoft released a fix for this issue today. Basically it disables the ADODB.Stream object. However, it requires a regedit to implement. I imagine a hotfix is forthcoming. Still, Firefox and Mozilla don't suck at all, so people should at least use this as an excuse to give them a try IMO.

    --
    There is nothing inherently safe about liberty. That's why so many people died protecting it.
  7. Re:Bad Bureaucrat! Naughty! by Gropo · · Score: 4, Informative
    --
    I hate Grammar Nazi's
  8. Re:Who cares about security, by daringone · · Score: 3, Informative
    A more important question is, do Firefox and Mozilla format the webpages correctly?
    As long as the people writing the pages aren't intentionally hosing your browser...
  9. Firefox's Gestures by Ruonkrak · · Score: 4, Informative

    After making the switch to Mozilla Firefox and using it for two days, I'm hooked. I downloaded the All-in-One Gestures extension, and I can't for the life of me figure out how I ever lived without it. It's a whole new paradigm in browsing. This is another milestone in the MS exodus towards open source and Linux. Disclaimer: I do not work for Mozilla... just a satisfied user.

    --
    When I become an Evil Overlord: My ventilation ducts will be too small to crawl through.
  10. Re:If it's broke...well....we'll fix it later by mge · · Score: 4, Informative

    "In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

    Ummm... I don't think so.... here is a link to the US-CERT Vulnerability Note VU#713878 which (I think) is where this all starts. Go right to the bottom (OK, this is slashdot, so I'll cut-and-paste)

    Use a different web browser

    There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).


    The way I read that last sentence, CERT say you are not safe unless you get rid of the IE6 functionality.

  11. True.. but you're forgetting one thing. by El+Camino+SS · · Score: 4, Informative

    You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.

    NO ACTIVE X. That means no sneaky little programs in your system.

    The open source movement is well on top of issues like this... always have been.

    Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.

    Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.

    Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.

  12. Re:Give advice to alternative browser newbies! by pandrijeczko · · Score: 3, Informative
    In answer:

    1. Which of the two browsers is simpler / less bulky, Mozilla, or Firebox?

    Firefox is less bulky (about 5MB download) as it is just the browser. Mozilla also has an email/news client, chat client & HTML editor built in.

    2. Can either of them merge with Windows the way IE does?

    Not quite. A URL is really just a filetype determined by the file extension (.htm, .html, etc.) In Windows, you can point those (and other) filetypes to whatever applications you want - even when you install Mozilla/Firefox, it asks to be the default browser, in which case it will open most URLs, even from the run box.

    Unfortunately, Microsoft specific sites, like "Windows Update" never seem to open anything other than IE and seem to deliberately bork any other browser. Also, because IE essentially underpins Windows Explorer, you can never really weld in a 3rd party browser as tightly as IE.

    3. Does Mozilla still have that stupid "download manager"? How do I turn it off?

    There is a download manager that opens a smaller window for the files you are downloading. It has been improved in Firefox, it is not obtrusive particularly and I find it more useful to have it there than to not have it there. You can set it to download each file to a directory of choice or just have it download everything to one place you specify.

    Firefox is also themeable, has the Google search bar built in and a lot of pop-up blocking. It REALLY is a better browser, full stop.

    --
    Gentoo Linux - another day, another USE flag.
  13. lies, damn lies and statistics by BeerMilkshake · · Score: 3, Informative

    Any decrease in IE use as seen by your logs is not a true picture.

    Some of us Moz/FF/Op users set up our browsers to masquerade as IE, because -some- sites still seem to insist on it...

  14. To help convince non-techie users... by danielrm26 · · Score: 4, Informative

    Here's my piece I did on the topic about a week before the CERT announcement:

    http://www.dmiessler.com/reading/ie.html

    --
    dmiessler.com -- grep understanding knowledge
  15. Re:Its About time by RoLi · · Score: 3, Informative

    IE has been discontinued on MacOS, too.

  16. Mozilla is vulnerable too by stecoop · · Score: 4, Informative

    Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines

    Did anyone RTFM from the Yahoo link? It says at the very bottom that Mozilla is vulnerable too. I use Mozilla myself but it appears that the real culprit is ActiveX which you can install on Mozilla. I don't think this plug in will work on platforms other than Windows so it's really a platform issue.

    1. Re:Mozilla is vulnerable too by Anonymous Coward · · Score: 5, Informative

      Uh, it is reported that the trojan only automatically installs itself with IE. For other browsers, you have to download and run a GIF image that is disguised as an EXE with the infamous double-extension social engineering trick.

      Did you read the page you linked to?
      This plugin is included with Netscape 7.1, and is configured to only work with the Windows Media Player control.
  17. link to the US-CERT announcement by tcyun · · Score: 4, Informative

    a link (http://www.kb.cert.org/vuls/id/323070) to the US-CERT pub recommendation. It is also interesting to note that the suggestion to "use a different web browser" is the last offered (see section III. Solution).

  18. Re:Yeah Right by armypuke · · Score: 5, Informative

    Same here in the Army. But you are expecting a LOT if you think that the military will change the web browser overnight.

    First a committee/team has to be put together to verify the recommendation not to use IE. Then an alternative will have to be selected. This means another committee/team will have to determine what the alternatives are. Once the alternative web browsers are identified, they will have to be tested to make sure that they are secure and compatible. This testing can vary depending on how in-depth they go and how soon they realize that a large number of military web sites are IE only!! Once a replacement browser is selected, a Plan of Action has to be determined to figure out how the new web browser will be installed and how the completed installation is reported back up the chain of command. Once all of this has been completed, it will then be briefed to the head shed at the Pentagon who will then make some modifications before giving an order that all computers have a new web browser installed.

    This doesn't take into account any turf battles that may come up during this process, fixing all of the IE only military web sites, complaints and stubborn refusal from users (IE will have to be completely removed otherwise people will still use it), all of the modifications to the Plan of Action as it goes down the chain of command, the several weeks it will take for each DOIM and unit to figure out how they are going to implement the Plan of Action, DoD civilians.....

    It should take the military a few months to install a new web browser.....

    --
    Army of One!
  19. Re:Give advice to alternative browser newbies! by the_crowbar · · Score: 3, Informative

    Ok here is a little more detail:

    1) Firefox is lighter

    2) Whatever browser is set as the default is what the Run box will open. Firefox will never be as integrated as IE, but that integration is part of the problem. It is a good thing. Open Firefox from an icon and use it as just a web browser, not as a file browser, desktop viewer, whatever else IE wants to be.

    3a) In Mozilla you can disable the download manager by going to Edit->Preferences. Under the Navigator section select Downloads. On the right side of the screen you can choose Download Manager, Progress Dialog, or nothing for downloads.

    3b) Under Firefox (0.9.1) you can turn off the Download Manager, but the alternative is no Progress Dialog of any kind. To do this go to Edit->Preferences. Select Downloads on the left. On the right side set the download folder to whatever you want and then look at the settings for the download manager.

    This is all from a Linux box, but the settings for the Windows version of Mozilla and Firefox should have identical settings.

    I have never been able to use WindowsUpdate from Mozilla. Of course even if you uninstall IE from XP or 2000 all the parts of it are still there, just the icon is gone.

    HTH
    the_crowbar

    --
    Have you read the Moderator Guidelines
  20. Re:Bad Bureaucrat! Naughty! by MikeXpop · · Score: 5, Informative

    http://johnkerry.com was running Apache on Linux when last queried at 26-Jun-2004 10:33:54 GMT

    http://georgewbush.com was running Microsoft-IIS on Windows 2000 when last queried at 25-Jun-2004 13:05:27 GMT

    --
    Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
  21. CERT gave the warning nearly a month ago by Anonymous+Writer · · Score: 4, Informative

    The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.

    CERT gave the warning on June 10. BBC reported this on June 14.

  22. Re:Let's turn this around, shall we by RoLi · · Score: 3, Informative
    Apache has sustained much more "pressure" and has a very good security track record - just like Mozilla by the way.

    Open Source software can be (and often is) of better quality, especially when it comes to security.

    The only "security issues", I've heard about Mozilla were about reading files or crashing - and those were instantly fixed. IE is so flushed with real grave security holes (like "take over computer") that crashing or reading files isn't even worth reporting, never mind fixing.

    Microsoft usually does nothing unless there is an exploit - then maybe they do something - or (like with IE lately) they still don't do anything unless the exploit is used by a lot of people.

  23. Re:Yeah Right by sehryan · · Score: 3, Informative

    NOAA has also told its employees to stop using IE. Unfortunately for us, though, Netscape 4.7 is the only other browser that is default installed (goes with the mail client), so now everyone is using that, and wondering why all the pages suddenly look like crap (we stopped designing for 4.7 a year ago). There was a rumor that we are being upgraded to NS7.2, but I have yet to hear any further details.

    --
    The world moves for love. It kneels before it in awe.
  24. Re:If it's broke...well....we'll fix it later by cayenne8 · · Score: 3, Informative
    "Doesn't the click-wrap license agreement stipulate that you agree to "indemnify and hold harmless" (or however it's phrased) Microsoft, such that you don't have recourse to lawsuit?"

    Yeah, but, wasn't it just a few weeks ago, that a company got out of legal problems involved with privacy (an airline?), because they argued that most of the plaintiffs probably did not read the privacy statement they clicked to agree with....and therefore it wasn't binding.

    Well, if that works in reverse...just claim you never read those click through EULAs.....and therefore aren't bound by them...and so you can sue.

    Seems fair....?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  25. Hate to bust your bubble... by david_reese · · Score: 3, Informative

    * Valenti gets the boot.

    Sure, but he's been replaced by another DRM-lover. Trust me, there's no clue coming to the MPAA.

    * AU sets up a free CA.

    Ok, I'll agree with you about this bit of good news... once I see it in IE's default CA list.

    * European software patents are being rejected.

    Wrong. The Dutch reversed their vote. This does not *yet* invalidate them, although it is a good start... keep the pressure up on your EU representatives!

  26. A patch has been released. by SpaceCadetTrav · · Score: 3, Informative

    This patch disables ADODB.Stream, which should eliminate any vulnerability. You can download it here: http://support.microsoft.com/default.aspx?kbid=870669

  27. Re:Closed captioned for the PR impaired by Beryllium+Sphere(tm) · · Score: 4, Informative

    http://www.kb.cert.org/vuls/id/323070 says in boldface "Use a different web browser".

    I don't think the media misreported that.

  28. Re:If it's broke...well....we'll fix it later by johnnyb · · Score: 3, Informative

    The problem is that OEMs are not free to change the browser. If you are a Microsoft OEM, you CANNOT replace IE at all. This is the root of the problem. Computers are bought as a package deal from OEMs, and Microsoft has prevented OEMs from including competitive software in the default installs.

  29. Re:Stupid Question: Why Scripting, ActiveX, Java? by CyberGarp · · Score: 3, Informative

    Yes, there are good reasons to have Java/ActiveX on a web page. E.g. on an internal private network, where you have trusted users and want things like signature pads uploading signatures to a database. Or how about on a public network, there is a wonderful tool to trace a route with a cool picture of the globe (but this is done without violating network security).

    With Java you have to actively accept the dismantling of security, if someone clicks yes to trusting an unknown source then they will get an ugly lesson in trusted computing. With ActiveX it comes out of the box with no security and one has to actively enable security. Given the majority of home users are never going to do this, and the majority are using Windows, a massive ripe resource for worms/viruses/spammers exists. Active X suffers from fundamental security flaws, and is going to cost Microsoft a lot to fix the damage to reputation and loss of customers.

    --

    I used to wonder what was so holy about a silent night, now I have a child.
  30. I.E. Active X object, not just any HTML renderer by Teancum · · Score: 3, Informative

    That is not what they are talking about. Internet Explorer allows you to embed IE inside of another application. You can even put a different name on the taskbar and call it another application, even with your own icon. In theory, some scam artist could write their own "web browser" in about 15 minutes. The problem here is that you really are using Internet Explorer, even if you are claiming to be some other application.

    More often this is used in applications like AOL (IE is the default browser in AOL), where they use this ActiveX component to display web content. I think AOL uses their own e-mail system, however. You can also see this in the Real Player application, again if they are going to display web content instead of playing music or an audio/video clip. (Try this if you have Real Player.) Other applications also use this, in things like About boxes or even a cool splash screen when you start an application. Sometimes they even do full TCP/IP http requests for content, including machine-specific data. A good security hole if I ever heard of one, and a cheap and easy spy app as well.

    Mozilla does not use the I.E. rendering engine... they have their very own, so they don't need it. A while back it was a common task for CS instructors to assign students to make their own HTML rendering engine. I wrote one myself just to see if it could be done. Not a beginner task, but still something well within the capabilities of any recent CS college graduate (if they actually taught you anything).