Dept. of Homeland Security Says to Stop Using IE
LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News:
'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
Hooray for the Department of Homeland Security! LWATCDR is not the only person that has been saying "get off of IE" for a long time.
Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put Firefox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.
It really says something for how widespread this news is. If I was Microsoft, I would be scared at this point.
"According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
I hope that this also translates into a large spike of donations to the Mozilla organization. Firefox and T-bird are teh moh scheezi, and I started using Mozilla years ago.
I've donated about $150 over the years, how bout y'all?
do() || do_not();
Homeland Security says to stop using IE but in the Air Force we're still using it and I haven't heard any plans to switch to something else. It's good to know that the DoD is listening to the security measures of the other departments.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
Not 4 months ago MSN.com (obviously slanted) was trumpeting around "BROWSER WAR IS OVER!!!" and proclaiming that IE was the clear victor (though they never gave the conditions that made it a victor, they just sensationalized and re-iterated the same shit over and over in different wording in True Fox News Style(tm))
MS to "win the browser war" just in time to have their browser shot down every time they turn.
They had better wake up to this, too... These days, "internet" is about 85% of what computing is about. MS with all their attempts to blur the lines between your computer and the internet, and their flagship web application is poo.
do() || do_not();
Not really. This is the original source document...
Notice that it's the Department of Homeland Security seal at the top of the document. For our purposes, CERT is a subset of DoHS... it's just that the media is now picking up on the more known name of the larger organization to bring the story to the masses.
This kind of thing could be serious for Microsoft. Their strategy is 'thick client' - the browser and other features are integrated into the operating system. If security issues remain while the browser becomes a fundamental part of future Windows use, they are in trouble.
Netcraft confirmed in a report today that the beleaguered Pop-Up Advertisement industry is citing Mozilla and Firefox as the driving force that has snuffed out their livelihood and threatens to drive them into extinction....
:-D
(c'mon, someone else can do this better than me)
In other news.... when parasites and popups are no longer possible, what sorts of nefarious crap will the nefarious-mongers do next?
do() || do_not();
My question is, if 1) there's no patch yet for IIS servers to defend against the attack, and 2) the Microsoft update servers are all IIS, then how can we know that Microsoft update hasn't been hacked? hmm? (oh the humanity!)
I love the Firefox, have been using it since Phoenix days... It's a great browser, and I've gotten a few of my friends to switch, especially when seeing the browsing features, let alone the security advantages, of which, I confess, I know little about. It's one of those "well, this is more secure, so use it."
But the thing is, now that more people are flocking to it, Firefox could become a target. The script kiddies will start looking for flaws in Firefox and attempting to exploit them. I mean, why go to the trouble of writing any type of malicious code unless you're going to impact the greatest number of users?
I'm not saying that Firefox has many, if any, known security issues (too lazy to research that right now), but if they're out there, they're sure to get exploited once it becomes attractive to do so.
I know that there are many /.ers that can school me on the finer points of Firefox security, so please, explain its security advantages in layman's terms, and how they can remain secure from a determined hacker.
Thanks in advance.
I objected and got called "Ayatollah of web-compliance" :-)
In Soviet Washington the swamp drains you.
Some folks at Microsoft recommend Firefox. OK, Slate isn't directly Microsoft, but it is an MSN publication.
As x approaches total apathy I couldn't care less.
Leaving aside whether or not click-wrap licenses are actually enforceable, I suggest that all the folks who aren't using any MS products at all (myself included) -- and as such haven't agreed to any such nonsense -- band together to join a class action suit against them. Whether it's for all the time we're stuck burning, having to fix the Windows PCs our friends, family, &c constantly need fixed, network outages caused by virii that use Windows exploits as a vector (my ISP [cable] was more or less buried under the overload in traffic from MyDoom and Welchia or whatever they were called, to the point that their only recourse was turning off infected users' connections).
Does "people who don't use a product but are still inconvenienced, put out and may even have suffered financial loss (as did a friend of mine when our ISP choked on virus traffic) because of its foreseeable and preventable problems" constitute a class?
"CERT's subsequent recommendation ... resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
I hate to ask, but didn't the CERT recommendation happen right around the same time as release of 0.9.1?
Without sources I can't refute or support Wired's article, but it provides no support of its conclusion itself...
As pointed out, IE & IIS and such are paid for. Another factor is that despite the weak remedy of the DOJ antitrust suit, MS was still found to be a monopoly. This puts them into a different class than most other software.
Despite the click-wrap license which claims no liability, I think it would be easy to show the contrary and the class action is a good idea. MS is a for-profit company and as such their goal is to make money. They aren't going to write any code unless it affects the balance sheet. Time to make the exploits show up on the 10-Q.
There's more truth in Dilbert than in Fahrenheit 9/11
I made the switch last night myself. Moved from a hodgepodge of using Mozilla's mail/news client to Thunderbird, and from IE to Firefox. Why? Because I got tired of pop-ups defeating the Google toolbar, and I figured the individual packages would get updated more often.
The Firefox move was painless, and I'm not missing IE.
Whoever decided to skip any sort of wizard to migrate Mozilla mail to Thunderbird has made a mistake. That was *not* painless, and the average user is going to balk at editing text files.
Does anybody realize just how hard it is to make people change their browser or OS? I work in IT and almost no one has even heard of Firefox. Only one (besides me) has it installed...and we are IT. This is not the end of anything for the evil empire, this CERT notification won't move M$ market share of browsers by more than 1%. And since the overwhelming majority run IE, we will all still have to have IE just to be able to continuously repair and troubleshoot it. Sorry for the reality check, but end-users are skeptical about any change, unless they feel 100% sure they will gain much, lose little. People say this is the end of the empire, but most people who run Linux and OS X have a Windows PC also.
Did anyone else notice this tidbit in the article:
Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.
"Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.
My jaw just dropped open. How are the reports misrepresenting CERT's statements? Get a new web browser can mean only one thing - GET A NEW FRICKIN' WEB BROWSER! How could that possibly be "misrepresented"?
It's basic English - we use it every day! Are you honestly working with computers while not knowing ordinary conversational language? Perhaps we need to tell Microsoft what the definition of IS is.
But in my mind I can see a Microsoft lackey going - "No, no, no, what they really meant was get a new blouse. Um, CERT doesn't like turquoise tops.... uh, yeah that's what they meant."
I don't know what's more pathetic - the fact that Microsoft is trying to accuse others of misrepresenting them, or the fact that many people will believe them and just stick with IE.
Ugh it just disgusts me how blatant and open they are about their lies and coverups. It makes me feel dirty just to see the little IE icon up on slashdot now.
But I'll tell you one thing - people who work for Microsoft certainly must be gearing up for very successful careers in politics.
That still doesn't address previous damages. Fleeing to another product only prevents FUTURE damages. A harm has still been done. Harm will likely continue to be perpetrated until the careless party is made to be accountable.
Individuals are subjected to the "Crime and Punishment" mentality, corporate persons should be given no special treatment in this regard.
A Pirate and a Puritan look the same on a balance sheet.
> THIS SOFTWARE IS PROVIDED "AS-IS" WITHOUT ANY WARRANTIES....
In this country (UK) the EULA isn't worth the paper it's written on. All goods have to be "fit for purpose".
The EULA is a grossly misleading document when it comes to informing you of your rights with regards to the software you have bought. MS should be told by a court to remove it, or the worthless statements that are contained therein (wouldn't leave much of the EULA though).
I can't see how XP is currently fit for purpose. Stick it on the 'net and you get infected in pretty short order. Most reputable businesses give you stuff that is fit for purpose but MS have made a habit of selling software that isn't. Nice if you've got a monopoly isn't it?
My guess is that MS haven't fallen foul of consumer law yet because:
- they've got an army of lawyers (more than coders)
- they've got deep pockets
- they play the buck passing game: "The OEM sold you the software".
- they can argue in court that equivalent commercial software is garbage too.
The OEMs don't dare complain to MS about it, remember that Judge Jackson found that the cost of MS softs went up for OEMs that caused "trouble" for MS.
One day though somebody will take them to court and they'll get buried. Good job too, I hate companies that rip off their customers whilst simultaneously advertising how wonderful their software is - certainly not from a security POV.
I thought Ralph Nader had set himself up as the consumer's champion in the states. He's turned politician now but I would have thought a fight with MS might win him a few votes (put him in the public eye if nothing else).
The Machine stops.
Of all programming errors, buffer overflows, off-by-one, and signed mistakes are some of the easiest to spot and to fix. Other errors, like SQL injection, privilege separation, races and the dozens of other errors that can cause crashes, security vulnerabilities, or denial of service attacks, cannot be protected against by a managed language because they're outside the scope of the language itself.
I used up all my sick days, so I'm calling in dead.
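The SQL injection point in the comment above, as an added example that is not part of the original thread: a memory-safe language runs both lookups without complaint, and only the bound-parameter form keeps user input out of the statement text. The table, column and function names and the sample rows are hypothetical, constructed for this illustration.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [("alice", "alice-secret"), ("bob", "bob-secret")]

# Constructed input containing a quote character and extra SQL.
CRAFTED = "nobody' OR '1'='1"


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def lookup_concat(db, name):
    # No buffer is overrun and no bounds check fails here: the language
    # is doing its job. The flaw is that `name` becomes part of the SQL
    # text, so a quote in the input changes the meaning of the query.
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_bound(db, name):
    # The value travels separately from the statement, so it is only
    # ever compared as data, whatever characters it contains.
    query = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, CRAFTED))
    print("bound:       ", lookup_bound(db, CRAFTED))
```
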
This browser warning page thoroughly trashes MSIE, but every phrase is linked to a news article that uses the exact same verbiage in order to demonstrate that it isn't just anti MS FUD - It's the honest truth. It's designed and maintained for webmasters to deliver to the IE-using visitors to their webpages. You can read the source code for some more information about that. In case you're curious, here's a paste of the text and links that it has - This should prove quite effective with anyone you're trying to convince to stop using IE:
Warning! Your web browser - a version of Microsoft Internet Explorer - may not function properly on this website, and could have a large number of problems that allow hackers to hijack it with viruses. These viruses could be used by criminals to secretly take over your computer, download child-pornography, or to commit acts of terrorism and fraud. You may automatically update it now with Microsoft's available patches, however, there is a possibility that a necessary patch will not be available due to Microsoft's somewhat sluggish development schedule.
The US Department of Homeland Security strongly suggests that you stop using Internet Explorer immediately.
There are several standards-compliant web browsers that you may use instead of Internet Explorer. Please install one of them as a replacement.
If you suspect that your computer is already being used for criminal activity, it is critical that you seek help from a computer professional in your local area. You may also try one of the free web-based virus scanners that are available.