Dept. of Homeland Security Says to Stop Using IE
LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News:
'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
"In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."
This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. The MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer. You gotta love this. You just cannot make stuff up like this!
Cheers!
Erick
http://www.busyweather.com/
What's next, a recommendation that everyone stop using Microsoft Windows?
New: Microsox Windlls FU SP7 w/Ubernet Exploiter (a free pile of bugs in each release!)
I have been saying this for a long time but now it is official.
<Shakespeare mode=Hamlet>: There needs no ghost, my lord, come from the grave to tell us this.</Shakespeare>
Really. How long before the White House figuratively grabs Tom Ridge by the lapels and tries to throttle him? Such harsh treatment for a huge dono^H^H^H^Hemployer. Oddsbodkins, what next, the GWB DoJ was soft in pursuing the danger of monopoly exploitation of the browser market?
A feeling of having made the same mistake before: Deja Foobar
Hooray for the Department of Homeland Security! LWATCDR is not the only person that has been saying "get off of IE" for a long time.
Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put FireFox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.
It really says something for how widespread this news is. If I was Microsoft, I would be scared at this point.
Been there, done that, got the t-shirt.
We did this story on Sunday...
However, in CowboyNeal's defense, both articles cited here were published after that story on Sunday, and we now have the news of Microsoft's rather weak reaction claiming that CERT didn't mean what we all saw them say and Mozilla's reaction that downloads are up since the first reports. Still, that's a Slashback, not a new story.
resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers
Duh. All our friends at Microsoft need it too.
*grin*
*grin*
Free XBox, PS2
I didn't listen to them when they asked me to duct tape and plastic wrap my house, I didn't listen to them when they raised the alert level 5 different times, I didn't listen to them when they told me to trust them, but I am glad that other people do... Perhaps this will do double duty! It will fix websites that cater to IE only so that they work with the currently "broken" Firefox so that I don't have to refresh or cross my fingers to get it to work.
"According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
I hope that this also translates into a large spike of donations to the Mozilla organization. Firefox and T-bird are teh moh scheezi, and I started using Mozilla years ago.
I've donated about $150 over the years, how bout y'all?
do() || do_not();
The courts have ruled that Msft's bundling and pushing IE with every OS purchase is good for the consumer. Let business be free to manipulate their customers! It's good for the economy.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Who would have thought it? The government saying something intelligent; about 5 years too late, but better late than never.....
Now all us computer nerds will lose our counter culture edge. Plus you'll no longer be able to detect a fellow geek merely by his browsing choice. I guess we'll have to go back to tossing off random Kevin Smith quotes and seeing who catches on.
Firefox, you need to do yourself a favor. Flawless pop-up blocking, the beauty of tabbed browsing...real standards implementation...the list goes on and on. Now, if only Windows would be declared a national security risk...
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
1) Create product that a smaller portion of the population uses, thus keeping the effectiveness of attacks on your product less desirable than the other
2) Give your product away for free, open sourced, and up to date with all the latest standards, oh, and make it more secure (novel idea, really)
3) ??? (wait about five or six years for a government agency to declare your competitor's product unsafe enough to get the CERT all riled up)
4) Profit, or How Mozilla Pays M$ Back for The Whole Killing of Netscape Thing
Hopefully people switching to FF will mean that more bugs will be squashed from it. Perfect timing for that 1.0 release.
wow!!
I am the Alpha and the Omega-3
Recently I was cleaning rather obnoxious spyware off of my sister's laptop. To prevent further infection, I was asking her to install Firefox. I said it'll block popups. Still reluctant. Tabbed browsing? Nope. More secure? Nu uh, still stubborn. Stop the spyware? No. (She's getting irritated at this point). CERT Recommended to stop using IE? Still won't let me install it.
*pause*
She then asks if our mother uses it. I said yes (thanks to me).
"Ok, install it."
Homeland security be damned, it's the MOTHERS we need to convert.
For those considering installing Firefox on Win2k PCs they don't have 'administrator' accounts on, I can report that it installs and works perfectly well from a 'power user' account. Perfect for those considering an installation on a work PC.
You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.
Happy browsing!
Imposing Libertarian views on everyone online since 1992.
Homeland Security says to stop using IE but in the Air Force we're still using it and I haven't heard any plans to switch to something else. It's good to know that the DoD is listening to the security measures of the other departments.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
Not 4 months ago MSN.com (obviously slanted) was trumpeting around "BROWSER WAR IS OVER!!!" and proclaiming that IE was the clear victor (though they never gave the conditions that made it a victor, they just sensationalized and re-iterated the same shit over and over in different wording in True Fox News Style(tm))
MS to "win the browser war" just in time to have their browser shot down every time they turn.
They had better wake up to this, too... These days, "internet" is about 85% of what computing is about. MS with all their attempts to blur the lines between your computer and the internet, and their flagship web application is poo.
do() || do_not();
The Department of Homeland Security...recommended for security reasons using browsers other than Microsoft's Internet Explorer.
Well, no shit sherlock.
..that the hackers will start targeting Mozilla/FireFox now as it might become the dominant browser out there.
They will always target the browser having the most user base as the probability of exploit becoming successful increases.
I use Mozilla for most things, though on my Mac I increasingly use Safari, for the simple reason that I feel that Mozilla's rendering engine needs work. Gecko is slower at rendering pages than the engine powering Safari. Maybe had I a more recent computer I wouldn't notice the difference so much, but for many people this could be a sticking point. Some people I have spoken to still feel Mozilla and Firebird lose out against IE for just this reason. Other than that, I like the browser (Mozilla that is), and I am using the most recent release.
Jumpstart the tartan drive.
I've been posting news articles like this one around the workplace, but man, is it hard to get anyone to listen. If HQ won't even listen to this headquarters's own IT department, why should they listen to someone in R&D?
Bah. Anyone have any advice on this?
If life beats me down, I'm going to endure it. If life beats me down, I'm going to wake it up.
The only really safe browser! Not so good for browsing porn sites, but since you want to download the images anyway, maybe lynx is good for that too!
I Am My Own Worst Enemy
Microsoft released a fix for this issue today. Basically it disables the ADODB.Stream object. However, it requires a regedit to implement. I imagine a hotfix is forthcoming. Still, Firefox and Mozilla don't suck at all, so people should at least use this as an excuse to give them a try IMO.
There is nothing inherently safe about liberty. That's why so many people died protecting it.
This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. The MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer.
Translation: After all those horses get out of the way, we'll have your barn door fixed in a jiffy.
A feeling of having made the same mistake before: Deja Foobar
I've been interested in switching browsers for a while now -- particularly since my windows is borked and despite owning it legitimately (won in a contest) it thinks it's pirated and refuses to get any IE security patches.
But a few confusion points are holding me back. Likely holding back a lot of folks who might switch, so if you know, dive in and lay down some evidence...
1. Which of the two browsers is simpler / less bulky, Mozilla, or Firefox? I don't want something slow loading, bloated with features, and overcomplicated. You know, IE.
2. Can either of them merge with Windows the way IE does? Running URLs from the Run box, for instance. I don't want to accidentally launch IE by the old methods.
3. Does Mozilla still have that stupid "download manager"? How do I turn it off? Every time I wanted to save a file that thing would pop up when I just wanted the simple windows of an IE download that go away when done.
Obviously, I am t3h n00b. But that means I'm the audience you need to sell on the idea of ditching Microsoft the most -- and I plan to pass it on to friends, coworkers, etc.
The Department of Homeland Security recommends not to use George Bush anymore - because of serious security leaks and erratic behaviour.
Not that it stopped hordes of travellers anyway.
Maybe people will choose to take charge of their own computer security like I've ranted about for years now.
Use Evolution instead of Outlook? Bewa
Yeah...monopolies are great! See...you can um, build a browser that doesn't really follow any w3c standards. But since you're a monopoly, it doesn't matter and it forces everyone to code for your browser instead of by the standards. And then...you don't have to worry about that pesky competition and the innovation that is created by competition. That silly innovation could lead to very secure browsers all around.
Oh wait...now it's all tumbling down. Who would have guessed being a monopoly and then not even following any standards but marching to the beat of your own drum would end up hurting you?
Yet...I still wonder how this will affect Microsoft. Do they even care?
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
A support article by Microsoft suggests a solution to the holes in their product, specifically the one where an address can be spoofed and displays a different url than the one you're actually at. Solution: Don't click on links! :)
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself."
After making the switch to Mozilla Firefox and using it for two days, I'm hooked. I downloaded the All-in-One Gestures extension, and I can't for the life of me figure out how I ever lived without it. It's a whole new paradigm in browsing. This is another milestone in the MS exodus towards open source and Linux. Disclaimer: I do not work for Mozilla... just a satisfied user.
When I become an Evil Overlord: My ventilation ducts will be too small to crawl through.
Well, if you really want to be counter culture, just wait a few months, then start using IE again after the bulk of computer using Americans move over, that will really shock your friends, it can be like a cult
This comment proudly posted through Firefox.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
This kind of thing could be serious for Microsoft. Their strategy is 'thick client' - the browser and other features are integrated into the operating system. If security issues remain while the browser becomes a fundamental part of future Windows use, they are in trouble.
If we all stop using Internet Explorer, the terrorists have won!
"Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.
Let's see what we have here.
- First sentence tells us that Microsoft isn't going to try to attack the credibility of CERT because that'd be unlikely to get anywhere.
- Second sentence is trying to blame "the media" for misreporting the story, but the media's working from a primary source that has a section heading called "Use a different web browser". I don't know how you're "misrepresenting" that when you take that as a suggestion to download any browser that isn't Internet Explorer which means Mozilla, Opera, Netscape or any other competitor out there. They want CERT to take back the recommendation to just stop using IE... that's the only kind of "clarification" that's possible here.
Microsoft clearly wants a CERT retraction. But do they stand any chance at getting one?
The CERT advisory specifies: "Such a decision (remove IE) may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX."
OK, translation, less popup, less flashing colors, less annoying mouse cursor with trailing text, and no more auto-install of spyware. hmmm, I don't see a problem here.
1) IBM is our friend
2) Apple is no longer just for coddled sheep
3) Sun is dying
4) Sun is embracing linux
5) Sun is no longer embracing linux
6) SGI is dying
7) ???
8) We might be watching the beginning of the end for Microsoft. Not just in this, but the whole pile of events over the last couple of years. If Microsoft loses relevance, and market share, and withers away...
Who Is Going To Be The New Evil Empire????
I want to know who to unconditionally hate next!!
do() || do_not();
Anyone want to place bets on whether some clever MS lawyer is preparing to argue that any antitrust action related to the browser bundling should be tossed out, because the feds are now encouraging people to use browsers written by the competition? After all, if the government acknowledges that there is legitimate competition, then clearly, MS must not be abusing its desktop monopoly, since so many people are now downloading those free alternatives... right?
As an alternative... imagine if DHS came out and said that a flaw in GM vehicles aided terrorists, and people should purchase Ford and Chrysler vehicles until the flaw is repaired. Do you think GM would immediately start demanding financial compensation for lost sales and market share from the federal government?
Now, extend that to MS, despite the fact that IE is, effectively, free. If the whole thing still seems unbelievable, insert Robert Heinlein's quote about corporations thinking they have an unassailable right to make a profit above all else here. I'll bet good money MS is already preparing the legal briefs for some kind of retaliation.
Someday, you're going to die. Get over it.
Cool, will that mean that some of the idiot web designers will actually start taking non-compatibility complaints seriously? Like those laden with Javascript that works nowhere else but with IE. Take Expedia.com, where the calendar pop-ups only work with IE or Priston Tale web site where the side menus don't appear if you don't have IE (I already supplied a fix which was ignored) - actually this one should be lumped with the GIS2 web site for excessive use of Flash.
Maybe pigs will fly first?
Just one note: Mozilla has one big advantage over Opera and Safari for MS-based corporate networks: it supports NTLM.
Jumpstart the tartan drive.
I'd like to take this opportunity to emphasize the negatives of an unhealthy competitive market.
When monopolists crush the competition, and you have one company with 95% marketshare, that company gets lazy.
It produces shitty products, slows development (compare development now with when they were trying to crush netscape), all the while making monopoly profits.
Thankfully, the GPL seriously reduces the barriers to entry, because it would be DAMN hard to get either Gecko/Mozilla or KHTML/Konqueror/Safari relicensed and 'shut-down', or integrated into the MS lineup.
Mark my words, if there was no one else but Opera, MS would think long and hard about crushing it.
Monopoly bad, folks, m-kay?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I've now moved my family over from IE to Firefox - before I wouldn't really have been able to do it as they would have complained when something didn't work the same, but now I have a great reason (stopping our computers getting compromised), and they're all behind it.
My daughters actually prefer it now - citing the way that they don't get pop-up ads any more.
It's good - I think by the time Microsoft come out with a patch they'll be so used to Firefox they won't want to go back to IE.
Hooray for the Department of Homeland Security!
This is the same Homeland Security that advised Americans to duct tape their windows to safeguard against a biological or chemical attack, no? I'm not sure they are really all that well-regarded by anyone with half a brain anymore. I would have been a lot happier to see some other organization -- one with more credibility -- come out with this warning.
Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put FireFox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.
I'm not doubting what you are telling us, I would just caution against believing that this sudden urge to shore up their security is a long-term thing. First, people are lazy. They may say that they want to switch to a different browser, or lose 10 pounds by the end of summer, but that doesn't mean they are going to put forth any effort to do so. And even if they do make the switch to another browser, there are so many webpages that are "optimized for IE" (i.e., won't render correctly with any other web browser) that I suspect many of those will switch back.
It really says something for how widespread this news is. If I was Microsoft, I would be scared at this point.
I suspect MS is more "irked" right now than scared. I think it's too early to tell whether this story has any "legs". I strongly suspect that it's going to last for a few days and then will fall off the map. Microsoft has survived bigger problems in the past with no lasting effects. I'm really doubtful that this will have any measurable impact on them in the long term.
Call me a pessimist, but that's how I see this one.
GMD
watch this
You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.
NO ACTIVE X. That means no sneaky little programs in your system.
The open source movement is well on top of issues like this... always have been.
Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.
Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.
Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.
Homeland Defense keeps messing with the terrorist threat alert level. I ignore it all the time. But when something happens, they'll inevitably say "HA! WE TOLD YOU SO!!!", when in actuality, they throw so much shit against the wall that sooner or later, something will stick.
...
Anti-MS basher types are always quick to say "THIS IS IMPORTANT!!! IT'S THE END OF MICROSOFT'S REIGN!!!". They've been saying it for so long, it's noise. But should the day ever come that Microsoft suffers, the basher will say "HA! WE TOLD YOU SO!!!". In reality, there's so much shit tossed against the wall
You know who you are
We still have SCO.
*breathes sigh of relief*
http://www.livejournal.com/users/cixel
Even a broken clock shows the right time twice a day.
Any decrease in IE use as seen by your logs is not a true picture.
Some of us Moz/FF/Op users set up our browsers to masquerade as IE, because -some- sites still seem to insist on it...
Use opera. It's the fast browser with the unmarketable name.
Netcraft confirmed in a report today that the beleaguered Pop-Up Advertisement industry is citing Mozilla and Firefox as the driving force that has snuffed out their livelihood and threatens to drive them into extinction....
:-D
(c'mon, someone else can do this better than me)
In other news.... when parasites and popups are no longer possible, what sorts of nefarious crap will the nefarious-mongers do next?
do() || do_not();
Wow. Think how much worse this'd be for Microsoft if IE was a core part of the operating system!
- mark
-----
I tried an internal modem, but it hurt when I walked.
Here's my piece I did on the topic about a week before the CERT announcement:
http://www.dmiessler.com/reading/ie.html
dmiessler.com -- grep understanding knowledge
Then it will be interesting to see if Mozilla has the same inherent weaknesses as IE, won't it? For years MS has used the excuse that they're the largest installed base, thus the target for most virii, etc. I say let's see if that's true.
This has information on plugins like: Adobe Reader, Java Plugin, Macromedia Flash Player, Macromedia Shockwave Player, QuickTime, RealPlayer 10, Windows Media Player, etc.
Paul "Say no to feeping creaturism"
I do not for a second believe that there is anything in IE that could not be fixed. However, MS has continued to refuse to implement even the simple stuff, like pop-up blockers. And there is no reason why they should. The view from the bottom line dictates to spend only that money needed to keep market share and profits. Therefore it is very reasonable to give deep discounts to institutional customers, but would be silly to waste money on improving the product merely to meet end user needs, especially when those changes could negatively impact profit in other areas.
We all need a kick in the ass to become responsible. MS has never received that kick, so all its design decisions, like the deep integration between the kernel and services, between data and presentation, arbitrary changes in protocols and standards, are geared to protect market share rather than customer service.
The admonishing to stop using IE, or modify the defaults to make it more secure, are not practical. To protect market share MS has encouraged Industry, Government, and Academia to use those very features that endanger the user. To redesign those web sites to work with other browsers, if at all possible, would require massive efforts. Efforts that likely would not find sufficient funding.
Make no mistake. This is a result of irresponsible behavior of a person or group of persons that prize money over all else. These problems have been known for a long time. There has been plenty of time for MS to design IE properly. There has been plenty of time for Windows to be designed properly. In fact they completely squandered the opportunity to make NT better, and then implement the better OS into the consumer version. MS could have worked on open standards that would let all browsers work instead of pushing IE only sites. Instead they chose the side of evil.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
You just need to learn to love the big brother. It may take time, but in the end, you will love him. We will take care of that.
Now, how many fingers?
“Wait for Hurd if you want something real” –Linus
It's easy to bash Microsoft, but I think we should give credit where it is due. After all, Microsoft has acted very quickly to fix this problem; users who have patched their version of IE can no longer access the Department of Homeland Security's webpage.
Reality is defined by the maddest person in the room
Once Mozilla gains sufficient market share, we will see exploits for that browser more and more often. And yes - there will be exploits. IE is not compromised so often just because it's poorly written, but because it's so popular that hordes of script kiddies are trying out every possible hack. [emphasis mine]
No, it's not just because IE is poorly written, although that is a big factor. There are several fundamental differences between IE and Moz that make IE more vulnerable (well, there's more than just these, but these are the important ones):
First of all, when an exploit is discovered in Moz we can fix it right away. When an exploit is discovered in IE we're told not to click on any hyperlinks for the next few months.
Second, Mozilla will never truly take over the market while IE is bundled with 'doze and 'doze rules the desktop. Too many people will simply use what's already there.
Finally, a substantial portion of those looking for exploits will continue to look for them in IE for the two reasons given above and because Microsoft is somewhat despised and, I'm guessing, attacking Microsoft is more "prestigious" among crackers than attacking Mozilla. "Oh, you found a vulnerability in Mozilla. Add it to the bug tracker." vs "Wow! Another vulnerability in IE! Dude! u r l33t!"
I've switched to Firefox (and Thunderbird!), but it seems to me that it's possible to go into IE preferences, disable cross-domain frames, JavaScript, and ActiveX controls, and come up with something that's pretty safe, and roughly comparable to Mozilla.
I'm a big Microsoft fan, but their reaction to these latest attacks against them has me confused.
Best Buy can have you arrested
Sorry to say, until the big 2 (Fox News / CNN) and the evening news picks this up, it's just more of the same: a bunch of techies preaching to the choir.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
My question is, if 1) there's no patch yet for IIS servers to defend against the attack, and 2) the Microsoft update servers are all IIS, then how can we know that Microsoft update hasn't been hacked? hmm? (oh the humanity!)
I love the Firefox, have been using it since Phoenix days... It's a great browser, and I've gotten a few of my friends to switch, especially when seeing the browsing features, let alone the security advantages, of which, I confess, I know little about. It's one of those "well, this is more secure, so use it."
/.ers that can school me on the finer points of Firefox security, so please, explain its security advantages in layman's terms, and how they can remain secure from a determined hacker.
But the thing is, now that more people are flocking to it, Firefox could become a target. The script kiddies will start looking for flaws in Firefox and attempting to exploit them. I mean, why go to the trouble of writing any type of malicious code unless you're going to impact the greatest number of users?
I'm not saying that Firefox has many, if any, known security issues (too lazy to research that right now), but if they're out there, they're sure to get exploited once it becomes attractive to do so.
I know that there are many
Thanks in advance.
Can't these people simply disable the ActiveX functionality in IE in the Security settings? Is this REALLY that much harder than downloading and installing a new browser?!
If the Department of Homeland Security's U.S. Computer Emergency Readiness Team is worried about security then maybe they should be recommending OpenBSD as well.
Like that would ever happen.
And by thier inability to spoell wile doing so.
www.timcoleman.com is a total waste of your time. Never go there.
For immediate release:
The Dept. of Homeland Security recommends that if a Web Application requires MS I.E. and you cannot use Mozilla or competitor please follow the following instructions in case of accidentally browsing the Internet with this software:
1) Cover the Computer (Tower or Desktop) with Plastic.
2) Place Duct Tape over the window on the Monitor Screen when a Pop-Up or insecure page loads. Once you have closed I.E. and run virus checks you may contact Homeland security for permission to remove the Duct Tape and resume normal computing operations.
....move along....nothing to see here....
You can almost see the little TM symbol next to the Advanced Security Technologies, reassuring us that Microsoft is busily developing corporate-speak acronyms to protect our systems.
Of course my experience using and supporting products with the "improved security" underlying those acronyms is that I get nagged all the time about apparent bugs that are actually "features." Outlook Express and Outlook, for example, protect users from attachments that could be harmful by ... (drumroll) ... hiding the attachments. What moron decided that was a good idea? I guess the calls to the help desk saying "Everyone else got that attachment except me" help keep me at work, but I'm still not impressed. And my boss can't sync his Palm with Outlook without being warned that an external program is trying to access his address book. Microsoft omitted the "allow this particular program to do this and never pester me about it again" button, so I get complaints about this "feature" every couple months.
While Microsoft now tries to clean up this mess by asking CERT to "rephrase" their warning (wait a couple days - they will), I'll keep suggesting my users switch away from their products. It's been a good solution so far.
Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.
So the press misquoted CERT? I've read the text and almost everything I've seen is a quote, albeit summarized occasionally.
I think it's absolute comedy that when MS plays hardball, it's just business as usual, but when things swing the other way they can't stop complaining how they aren't getting a fair shake.
"Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.
Translation: We are currently researching ways to extort CERT into issuing a new statement saying our browser is the most secure as long as you don't use the default settings we chose for you. Fact: IE is the most secure browser when completely blocked by a firewall.
I objected and got called "Ayatollah of web-compliance" :-)
In Soviet Washington the swamp drains you.
Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines
Did anyone RTFM from the Yahoo link? It says at the very bottom that Mozilla is vulnerable too. I use Mozilla myself but it appears that the real culprit is ActiveX which you can install on Mozilla. I don't think this plug in will work on platforms other than windows so it's really a platform issue.
a link (http://www.kb.cert.org/vuls/id/323070) to the US-CERT pub recommendation. It is also interesting to note that the suggestion to "use a different web browser" is the last offered (see section III. Solution).
Considering normal computer replacement cycle is 3-4 years
I wish this were the case everywhere. In most of the businesses I work with, the upgrade cycle is about 4-6 years depending on the scope of the project and the machine's use. Desktop office PCs tend to be upgraded every 4 years, project-specific machines every 6. Very specific setups, when usually not connected to the LAN, often never get upgraded. It "just works".
Security patches are deployed fairly quickly. OS updates are rare and generally occur at the start of a new project. Right now, XP SP1 is the most common on the office desktop, but Win2K is very close behind. For most existing projects, Win2K is pretty much the standard. Some projects nearing their end are still on NT4 SP6 (thank heavens for our good network security). A couple of the smaller businesses still have a lot of Win98 (ack!) but most jumped to NT4 or better a long time ago.
Keyboards, mice, and monitors typically aren't hard to request as needed, but a full system upgrade is like pulling teeth. Exception: receptionists. They generally have a new Dell with a 20" LCD. (Or 17" LCD iMac G4). Their machines are updated often. They generally spend their days forwarding email poems and chain letters to their friends. What a lovely world.
the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers
I'm sure the spike in downloads has absolutely nothing to do with the recent release of new versions of Firefox & Thunderbird...
Things to do today: See list of things to do yesterday
Is IE targeted because it is widespread? Perhaps. But that does not mean Mozilla is just as insecure.
It's not just that IE is widespread, but it's a design issue. If the usage numbers were inverted, IE would still have more exploits because it has some extremely poor design concepts behind it. First, it is directly hooked into the OS. If an exploit executes on the browser, then it is a very short leap for it to execute on the OS. Second, IE has a promiscuous plug-in model that allows nasty malware to execute without enough checks or controls.
What drug were the IE design team engineers taking when they decided to let (or at least failed to prevent) untrusted program execution? The drug is named "Market-share". They were trying to turn on as many features as possible to capture every possible market. Microsoft made an early design decision to tout features over correctness. It is a fatal defect that now is probably nearly impossible to correct.
Now that MS is re-starting IE development, they should probably do what the Mozilla team was forced to do years ago. When Mozilla first inherited NS-Navigator 4.X, they looked at it and decided to ditch most of it. They started clean with new design concepts. I think MS is going to have to do the same thing. The current design of IE is fatally flawed. It will have to be rebuilt from the ground up with a new security model.
It is bad PR for Microsoft and we are all excited about people now starting to install Firefox and Opera. But what in the world makes us believe Microsoft will just sit and watch?
Sooner or later MS will provide some kind of fix for the security holes. Then there will be a version of IE coming which has tabbed browsing and all the other niceties in Firefox and Opera. That new IE will enter the desktop conveniently through Windows Update. That day people will be happy that IE is safe and they will go back to using it. Just because they are used to it and they do not need to bother finding and installing some other strange program.
Today Firefox and Opera are attractive because they offer better features and improved security over IE. What makes us believe it will always be like that? And are features and security good enough to battle the desktop monopoly?
After all these years of preaching that IE is evil, perhaps some people are finally beginning to see the truth (Now that it is biting them on the butt).
:)
And since this is the almighty Homeland Security, this means that all government agencies should now panic and try to uninstall IE from all of their computers. (Oops, where is that elusive uninstall option? No, not that one, all it does is delete the icon.)
I guess that also means that anybody who has a site that only works in IE is a terrorist!
The left-wing Slashdot community (that is, 99.8% of Slashdot readers) immediately becomes Internet Explorer advocates in order to avoid being on the same side as the Bush Administration on anything.
Gamingmuseum.com: Give your 3D accelerator a rest.
A dramatic increase in the userbase will also make the mozilla/firefox platform more attractive for exploit seekers/writers. Such increased level of "real-world testing" will benefit the quality of the browser in a very positive way if handled properly by the developers.
So when is the Govt. going to fix all of their web sites to work with Mozilla? Currently there are a great number of sites that only work with IE and some businesses rely on those sites.
"In theory, theory and practice are the same. In practice, they are not." - Albert Einstein
Beyond the fact that you're either dumb or stuck if you're running IIS 5.0 these days, does it make sense to link IE w/ IIS 5.0?
--pete
I was hoping to find the links to the CERT and Homeland Security where this information was posted. I assume those would be available online somewhere. The links I see here are all in news sites that actually don't point to the source.
Anyone care to post the links?
Because one of the biggest hurdles of getting people to change software is the interface. Most end users say to hell with functionality, if they can't recognize how it looks.
while true ; do echo this is my sig; done
'Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice,' Schare said. In other words, M$ is saying CERT should retract the statement or else. Bet there already have been some nasty letters sent their way on law office letterhead...
You're messin' with my Zen Thing, man.....
I have had this same problem as well but it hasn't been limited to Firefox. Netscape has shown similar issues. Problems haven't been limited to my windows box at work either. At home I run Mac OS X and firefox has problems there as well. Safari seems to do fine. At work I have resorted to (ironically) using IE for all my slashdot viewing and Firefox for everything else because of it.
There's a thread on the Proxomitron (Yahoo) mailing list about creating a filter set that deals with all known exploits.
Proxomitron (unsupported, source not available) is a web proxy that has a very extensive "regex" language for changing HTML on the fly. It's mostly used for ad blocking, but you can do just about anything with it. The reason I put "regex" in quotes is that the language was tuned quite extensively for handling real world HTML. As such, it's really only useful to people that are willing to get down and dirty with another complicated special purpose language.
On the other hand, that sounds like the Slashdot audience!
John Roth
"CERT's subsequent recommendation ... resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
I hate to ask, but didn't the CERT recommendation happen right around the same time as release of 0.9.1?
Without sources I can't refute or support the Wired's article, but it provides no support of its conclusion itself...
The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.
CERT gave the warning on June 10. BBC reported this on June 14.
If only IE were included in the debian/stable distribution so I could have the pleasure of uninstalling it.
Religion is poison to rationality, and we lose sight of that at our own peril. -- Lurker2288
How much of this "large spike in downloads" was from downloading the recently released 0.9.1? While certainly downloads have increased, I'd like to know what amount is new users versus old users downloading the new release.
I made the switch last night myself. Moved from a hodgepodge of using Mozilla's mail/news client to Thunderbird, and from IE to Firefox. Why? Because I got tired of pop-ups defeating the Google toolbar, and I figured the individual packages would get updated more often.
The Firefox move was painless, and I'm not missing IE.
Whoever decided to skip any sort of wizard to migrate Mozilla mail to Thunderbird has made a mistake. That was *not* painless, and the average user is going to balk at editing text files.
Open Source software can be (and often is) of better quality, especially when it comes to security.
The only "security issues", I've heard about Mozilla were about reading files or crashing - and those were instantly fixed. IE is so flushed with real grave security holes (like "take over computer") that crashing or reading files isn't even worth reporting, never mind fixing.
Microsoft usually does nothing unless there is an exploit - then maybe they do something - or (like with IE lately) they still don't do anything unless the exploit is used by a lot of people.
It's so great to see Mozilla rising from the smoldering ashes that MS left Netscape in, only to come back and bite MS in the ass. It's so symbolic, they should change Mozilla's name to "Phoenix" or something.
Huh? Oh. (Gilda Radner on SNL voice....) Nevermind.
Does anybody realize just how hard it is to make people change their browser or OS? I work in IT and almost no one has even heard of Firefox. Only one (besides me) has it installed...and we are IT. This is not the end of anything for the evil empire, this CERT notification won't move M$ market share of browsers by more than 1%. And since the overwhelming majority run IE, we will all still have to have IE just to be able to continuously repair and troubleshoot it. Sorry for the reality check, but end-users are skeptical about any change, unless they feel 100% sure they will gain much, lose little. People say this is the end of the empire, but most people who run Linux and OS X have a Windows PC also.
"money", and the reality that most people use IE because of illegal monopolistic actions that resulted in MSOS being the de facto install on their computers, so they use what came with the package, which includes IE, and they are encouraged to go onto the internet without adequate instructions, or without adequate protections, both of which are well known to MS and the various vendors who sold them their computers.
When you have the vast bulk of PCs the last decade and a half being shipped with MSOS, they had a responsibility to make sure they weren't violating anti trust laws, which they failed to do, and got convicted of it.
The consumer was long ago denied any reasonable* expectation of free market choice, when the vendors themselves conspired with MS to ONLY include MSOS to such an extent. It's intent, and to my way of seeing it, is an example of RICO action and should have resulted in MS and several large vendors getting charged with criminal violations, not just civil violations, and several billionaires going to jail over it.
Even though IE is a free download, it is easily observed that most people did not have some other OS OR of their free will go "download IE", it came as a bundled app with their monopoly enforced distribution of MSOS, and the product is seriously flawed. Seriously. The EULA should be challenged, and we need to get a determination of when and how any product may be profited from, but still avoid an implied warranty for suitability for purpose. If they get granted a patent and a copyright, they have certain responsibilities when they trade it in some fashion for money. When you receive something for free, it's a different story. That's the major difference there. And if that again causes a shift in free/open source, how it's distributed, it would be worth it to force closed source/proprietary and for-profit software to get classed as a product that is sold, and have normal consumer protections. The tradeoffs are worth it, IMO.
* please note, I said reasonable as opposed to technical. Technically yes, they had a choice, reasonably, no, there was little choice, and still not much. Walk into any big computer store, what is the default install on the boxes there? Are any of them safe to go on the net "as is", how they are sold? No, they are not. The EULA basically is an example of a vast huge case of consumer fraud, IMO. People assume their brand new computers will work, and part of their entire computer package they purchase with real money is the software that comes with it. They would sell little if any new computers bundled with MSOS if they were merely labeled truthfully, as in "you will probably get infected with virus, malware, trojans, backdoors, etc within one hour of being on the internet with the default install and configuration if you click accept on the EULA provided for the bundled microsoft software". If that sticker was on the outside of the boxes, the stores wouldn't sell hardly any of them. How many computers and copies of MSOS would they sell then, if they were merely required to tell the truth, even keeping the current EULAs in place, exactly how they are written now?
I personally *do not care* if the entire software industry top to bottom, left to right, inside to outside has to change licensing, thinking, what they do or how they do it, enough's ENOUGH on claiming a 60 year old industry that has raked in untold hundreds of billions of dollars or more isn't mature and sophisticated enough to offer products that can be covered by minimum consumer implied warranties. Time to take the training wheels off, and get rid of the EULA get out of any responsibility "license". If it slows down releases and causes huge shifts in PHB and investors thinkings and stock holders profits, I could care less, and I bet millions more consumers feel the same exact way. Software will still be written and sold or given away, just of much better quality. Releases will be slower, but they will be much better quality. Pressure will shift from get i
Mozilla and others work to make their browsers just as insecure as IE:
Browser Plug-in Standard
I'm sorry, but "rich" web content basically equates to "insecure" from what I can tell. The more dynamic and powerful you make downloaded code, the harder it is to keep it in check.
Save the "rich" content for some separate application-oriented protocol and leave it out of HTML. That way I can download and run some sort of OS-independent application (the goal) from a trusted site when I need to, and don't have to worry about Joe-random web site abusing it. Surfing the web and running some site-specific application are two distinct tasks with quite different security requirements. I wish folks would stop mixing them, as the problems caused are only going to get worse IMHO.
* Valenti gets the boot.
Sure, but he's been replaced by another DRM-lover. Trust me, there's no clue coming to the MPAA.
* AU sets up a free CA.
Ok, I'll agree with you about this bit of good news... once I see it in IE's default CA list.
* European software patents are being rejected.
Wrong. The Dutch reversed their vote. This does not *yet* invalidate them, although it is a good start... keep the pressure up on your EU representatives!
This patch disables ADODB.Stream, which should eliminate any vulnerability. You can download it here: http://support.microsoft.com/default.aspx?kbid=870669
Life in Orange County
Am I the only one who feels like I'm reading an "alternate reality" article here? Tom Ridge now has a bad goatee and a sash to store his saber, and laughs like this muHAHAHA. oh wait...
I read at -1 So you don't have to.
This may be the beginning of the end... if people massively switch to Firefox (which is open source, not from MS, and damn good), the perception about FOSS will certainly change... people will realize MS is not the only choice.
The next step could be a Windows desktop, but with Firefox, Thunderbird, OpenOffice, and all free/open software with Linux counterparts... once they get used to all that software, the final switch to Linux is seamless.
My website
"Global Class Action Lawsuit against Microsoft"
This is what people don't understand about capitalism. If you don't like the product, you don't have to sue, just stop using the damn product.
I really hate this attitude, "the man keeps us down, so lets sue." It makes absolutely no sense at all. Corporation uses child labour to make affordable products, sue them. Heaven forbid you should accept responsibility for it and stop buying their low-quality products. MSFT sells software for too much money, sue them, don't simply use something else. It's no wonder we have so much unnecessary litigation in this country.
Microsoft is soon releasing a Universal Patch(tm) for all its software: Duct Tape. Just apply the patch directly to your hard disk surface and/or monitor screen and all will be well.
(That ought to shut DHS up for a while... How much of the Duct Tape business does Bush own again?)
Did anyone else notice this tidbit in the article:
Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.
"Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.
My jaw just dropped open. How are the reports misrepresenting CERT's statements? Get a new web browser can mean only one thing - GET A NEW FRICKIN' WEB BROWSER! How could that possibly be "misrepresented"?
It's basic English - we use it every day! Are you honestly working with computers while not knowing ordinary conversational language? Perhaps we need to tell Microsoft what the definition of IS is.
But in my mind I can see a Microsoft lackey going - "No, no, no, what they really meant was get a new blouse. Um, CERT doesn't like turquoise tops.... uh, yeah that's what they meant."
I don't know what's more pathetic - the fact that Microsoft is trying to accuse others of misrepresenting them, or the fact that many people will believe them and just stick with IE.
Ugh it just disgusts me how blatant and open they are about their lies and coverups. It makes me feel dirty just to see the little IE icon up on slashdot now.
But I'll tell you one thing - people who work for Microsoft certainly must be gearing up for very successful careers in politics.
This was pulled from an OS X discussion group:
# RedirectMatch is provided by mod_alias, so that is the module to test for.
# Dots in the file names are escaped so they match a literal "." only.
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
I used to wonder what was so holy about a silent night, now I have a child.
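Added example, not part of the comment above or of any project's code: a small access-log scan that counts, per client, requests hitting the same IIS-targeted paths the RedirectMatch rules list. The log lines, client addresses and signature names are constructed for illustration, and the two msadc rules are merged into one case-insensitive pattern.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Path signatures from the RedirectMatch rules above, written as Python
# regexes. The short names on the left are labels made up for this example.
SIGNATURES = {
    "cmd.exe": re.compile(r"cmd\.exe"),
    "root.exe": re.compile(r"root\.exe"),
    "_vti_bin": re.compile(r"/_vti_bin/"),
    "scripts-traversal": re.compile(r"/scripts/\.\."),
    "_mem_bin": re.compile(r"/_mem_bin/"),
    "msadc": re.compile(r"/msadc/", re.IGNORECASE),  # covers /msadc/ and /MSADC/
    "c-winnt": re.compile(r"/c/winnt/"),
    "d-winnt": re.compile(r"/d/winnt/"),
    "x90": re.compile(r"/x90/"),
}

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2004:10:00:01 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [02/Jul/2004:10:00:02 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 274',
    '192.0.2.10 - - [02/Jul/2004:10:00:03 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 284',
    '192.0.2.10 - - [02/Jul/2004:10:00:04 -0400] "GET /scripts/%2e%2e/winnt/system32/cmd.exe HTTP/1.0" 404 298',
    '198.51.100.7 - - [02/Jul/2004:10:05:00 -0400] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 280',
    '203.0.113.5 - - [02/Jul/2004:10:06:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [02/Jul/2004:10:06:30 -0400] "GET /notes/cmd-exe-tips.html HTTP/1.1" 200 2048',
    'garbage line that is not in common log format',
]


def parse_line(line):
    """Return (client, decoded_path, status), or None for a malformed line."""
    m = CLF.match(line)
    if not m:
        return None
    # The log records the raw request target: drop the query string and
    # percent-decode once so an encoded ".." is still recognised.
    path = unquote(m.group("target").split("?", 1)[0])
    return m.group("client"), path, int(m.group("status"))


def match_signatures(path):
    """Names of every signature found anywhere in the path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def summarize(lines):
    """Return ({client: Counter(signature -> hits)}, skipped_line_count)."""
    hits = defaultdict(Counter)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, path, _status = parsed
        for name in match_signatures(path):
            hits[client][name] += 1
    return dict(hits), skipped


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG)
    for client, counts in sorted(report.items()):
        total = sum(counts.values())
        detail = ", ".join(f"{n}={c}" for n, c in sorted(counts.items()))
        print(f"{client}: {total} signature hits ({detail})")
    print(f"unparsed lines: {skipped}")
```

These are substring matches, as in the rules above, so a legitimate URL that happens to contain one of the strings is counted too; review hits before acting on them.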
Face it if everyone stopped using M$ IE then the virus creators would switch to whatever else is used.
"If any question why we died, Tell them because our fathers lied."
Yes there are good reasons to have Java/ActiveX on a web page. E.g. on an internal private network, where you have trusted users and want things like signature pads uploading signatures to a database. Or how about on a public network, there is a wonderful tool to trace a route with a cool picture of the globe (but this is done without violating network security).
With Java you have to actively accept the dismantling of security, if someone clicks yes to trusting an unknown source then they will get an ugly lesson in trusted computing. With ActiveX it comes out of the box with no security and one has to actively enable security. Given the majority of home users are never going to do this, and the majority are using Windows, a massive ripe resource for worms/viruses/spammers exists. Active X suffers from fundamental security flaws, and is going to cost Microsoft a lot to fix the damage to reputation and loss of customers.
I used to wonder what was so holy about a silent night, now I have a child.
This must be how John Kerry raised over $3 million on Wed. They're obviously using stolen credit card numbers harvested with the help of I.E.
<\tinfoilhat>
http://www.nytimes.com/2004/07/02/politics/campai
Will the US Government require the removal or disabling of IE on all of its computers for security reasons?
If Microsoft continues to claim that they can not remove IE from Windows will the US government start removing Windows from their computers and replace it with Mac OS/X and or Linux?
Since they include IIS in this, what does it mean for Server 2003 and Longhorn?
Remember people that write websites that only work in IE are terrorists.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
It's so easy for us to lose sight of the fact that, for most people, computers are work tools. People who use them shouldn't have to be constantly on the lookout for problems, simply because the bampots at Microsoft can't be arsed to write decent code. At least, let the companies who sell people their systems add a more secure e-mail client and browser.
Julia Cameron
Oich ù agus hiùraibh éile
I remember a TV commercial...maybe you remember it too....Big conference has come to a halt because of the computer running the PowerPoint presentation has frozen. The audience is yelling out suggestions..."Try restarting, Try Control-Alt-Delete, etc." There is a pause...then someone yells out..."You should've bought a Mac."
After 11 years of Windows 3+, Win 95, Win 98 and Windows 2000...I got tired of the crashes and then the viruses and spyware. I got a PowerBook. I now do my online banking with Mac OS X and Safari.
Be safer online...buy a Mac.
One comment from the defense folks is doing more damage to IE than netscape did in 10 years.
Department of Homeland security, eh?
That means if you use IE...you support terrorism!
http://www.tev.net/photos/homelandsecurity.jpg
-Tev
Even though the software is provided "as-is" and one cannot sue if it fails in any way, I think a case could be made for suing on the basis of malpractice. Malpractice means "bad practice" and the concept differs significantly from product warranty. Doctors, Lawyers, accountants and other similar professionals are sued based not on outcome but on the methods and procedures they followed to reach that outcome. A Doctor is not contractually obligated to cure you nor a lawyer obligated to win your case but they are obligated to follow broadly accepted standards of method and procedure. If they do not and a negative outcome occurs they can then be held liable. No other standard is possible as no Doctor can guarantee a cure nor a lawyer a victory in court. Similarly, no software provider can guarantee that their products are free of bugs or other defects. Too much of the actual process of running software lies outside the control of any single provider. Software providers can't predict how their product will fare until it actually meets the real world. But software providers could be legally required to follow standard practices of design and development and be held accountable if they do not. Microsoft made conscious design decisions that opened up severe security holes in their products even though they were warned beforehand the problem would occur. They did so for marketing reasons even though every security expert warned at the time it was a bad practice. In short, MS needs to be held accountable not for the actual broken software they released but for the studied disregard for the basic "good practices" of secure reliable design that created the flawed software in the first place.
...because they are a monopoly (in regard to the IE bugs and the DHS advisory).
They will be sued because they were willfully negligent in the maintenance of a monopoly product, the sabotage of which inflicts material damage upon third parties in the range of hundreds of millions of dollars.
Don't let your dislike of antitrust law cloud the real harm that this software has done. If Standard Oil had sold petroleum products that destroyed the engines of their customers during their monopoly breakup, would they still be liable for damages? Of course.
p.s. IANAL.
...who advised everyone to use Microsoft products, despite the fact that one of their own organizations made a secure Linux available for free?
Dear Homeland Security,
Compare and contrast:
(1) Your ass
(2) A hole in the ground.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
Howto - Browser version control with the Squid HTTP cache
http://www.clavister.com/support/kb/10026/
googled for 'squid user-agent' - result # 23 or so.
I haven't tested this, please reply to this thread with your results
Is /. populated by communists? The parent should be labeled "Insightful." Seriously, if the product is bad, let the market kill it. As soon as the wonderful and egalitarian Linux is actually usable, I'm there! In the meantime, I'm stuck with a kludgey P.O.S. OS, and continuously patching it.
I use Mozilla for everything internet related and OOo for office tasks because I can actually use them! Call me a moron, but I really don't relish the thought of using an OS that can't do all the stuff I need it to do, specifically, Quicken, Photoshop, and 3D CAD (SolidWorks). I rely on those programs. Make Linux run them and I'll switch immediately. Until then, I suffer with MS crap, along with the rest of the world.
But, please, spare me the Marxist bunk about some "ideal" Star Trek world in which everyone has a perfect job and never wants for anything. It ain't gonna happen.
The Philosophy of Liberty | lewrockwell.com
They don't. By their own testimony, IE is an integral part of their operating system. And indeed, several important operations in Windows are impossible to perform without IE installed. The operating system is not free, and neither are its integral parts.
I got the following batch files off the net somewhere, and it seems to work for Win2K and probably XP. To disable IE, run:
@echo off
rem Work from the IE program directory on drive C:
C:
cd "\Program Files\Internet Explorer"
if not exist IEXPLORE.EXE goto End
if exist IEXPLORE.EX_ del IEXPLORE.EX_
if not exist IEXPLORE.DIR md IEXPLORE.DIR
if not exist IEXPLORE.DIR goto End
attrib -r -h -s IEXPLORE.EXE
rem Set the real executable aside, then put a directory in its place
ren IEXPLORE.EXE IEXPLORE.EX_
if exist IEXPLORE.EXE goto End
ren IEXPLORE.DIR IEXPLORE.EXE
echo IE disabled.
echo If prompted, click "Cancel" then "Yes" on File Protection restore.
echo Run enable-ie.bat to allow IE to run again.
:End
It still runs if you put a URL into a window bar though, but if your alternative browser is the default browser then it'll launch for everything else.
To re-enable Bill's little helper:
@echo off
C:
cd "\Program Files\Internet Explorer"
if not exist IEXPLORE.EX_ goto End
if not exist IEXPLORE.EXE goto Activate
rem Remove whatever currently holds the name (placeholder directory or restored file)
attrib -r -h -s IEXPLORE.EXE
rd IEXPLORE.EXE
if exist IEXPLORE.EXE del IEXPLORE.EXE
:Activate
rem Put the saved executable back under its real name
ren IEXPLORE.EX_ IEXPLORE.EXE
echo IE enabled.
:End
"And the meaning of words; when they cease to function; when will it start worrying you?"
This browser warning page thoroughly trashes MSIE, but every phrase is linked to a news article that uses the exact same verbiage in order to demonstrate that it isn't just anti MS FUD - It's the honest truth. It's designed and maintained for webmasters to deliver to the IE-using visitors to their webpages. You can read the source code for some more information about that. In case you're curious, here's a paste of the text and links that it has - This should prove quite effective with anyone you're trying to convince to stop using IE:
Warning! Your web browser - a version of Microsoft Internet Explorer - may not function properly on this website, and could have a large number of problems that allow hackers to hijack it with viruses. These viruses could be used by criminals to secretly take over your computer, download child-pornography, or to commit acts of terrorism and fraud. You may automatically update it now with Microsoft's available patches, however, there is a possibility that a necessary patch will not be available due to Microsoft's somewhat sluggish development schedule.
The US Department of Homeland Security strongly suggests that you stop using Internet Explorer immediately.
There are several standards-compliant web browsers that you may use instead of Internet Explorer. Please install one of them as a replacement.
If you suspect that your computer is already being used for criminal activity, it is critical that you seek help from a computer professional in your local area. You may also try one of the free web-based virus scanners that are available.
I don't know where you USian guys get this rubbish about companies have only one goal, the damned profit.
You have been brainwashed and repeat your little mantra like the good Chinese workers used to parrot Mao's Red Book.
Companies can be the expression of an ideal, the realization of a dream or the intent to attack social problems. You have companies that have been set up to ensure fair trade of tea and coffee, other companies that operate in a cooperative basis in which the workers are owners and benefit.
In Brazil a well known style of management (like some forward thinking USian companies like Google) support their employees to start their own businesses on their free time using company's resources that otherwise would not be utilized.
Many companies have programs to vinculate them with their local communities (mine is one of them) helping with reading skills, IT skills on deprived schools, and promoting on their employees a culture of solidarity and social responsibility. Many of you don't know, but many corporations have strict guidelines about what is legal or moral and what is not, and employees are lectured constantly (to the point of boredom) about legal and moral obligations.
There are companies out there that compete trying to put innovative products on the market and not by the shameful "embracing and extending" touted by the greatest megalomaniac of the IT industry.
The companies are what you want them to be, if they only pursue profit without regards for the consequences it is because greedy unscrupulous individuals have been made heroes by their peers, the media and unsuspected Red Book reciters.
IANAL but write like a drunk one.
I'm pretty sure *most* browsers invoke some kind of HTML rendering engine. Yes, even Mozilla.
"I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
People were really conned on this. Advertising works, it's a multi billion dollar a year industry. People are NOT told it is difficult, or dangerous, to buy and use a computer. They are told it's easy, safe, fun, cheap, new and shiny and they will be losers if they don't jump in the pool with everyone else. When they go to the whitebox shop or back to best buy or whatever, they have never been told to load an alternative OS, or even a browser, they are just charged for a patch or a fix or sold even more software that alleges cures their computer ills. At work, where their bosses got faked out, they are confronted with the exact same thing. At the store, no choice practically speaking.
Yada yada. Although I think some blame can be laid on the victims, for putting up with it and paying for it for years, most of it can go to the actual perpetrators of the scams and cons and on the black hats as well for taking cruel advantage of people because it's easy for them to both do so and to remain anonymous and commit sociopathic actions they normally wouldn't do in meatspace.
I agree with half, disagree with the other.
No, people mostly DON'T know there are alternatives, due to industry collusion and fraud at very high levels, levels such that it is mostly ignored by the government, because even there they profit individually from the congame of maintaining this monopoly, although they claim they don't and had a whitewash "judicial hearing" and series of lawsuits over it. It was a coverup joke whitewash effort *at best*. There is no prohibition from governmental employees using their income or knowledge to help make scam profits in the markets, just a joke level, or nothing really stopping them accepting "fees" on the side, just a joke level, or nothing really stopping them from getting blackmailed, that's not a joke but it happens to politicians and bureaucrats and dare I say to judges. It just depends on the situation.
As to not being able to make a safer better browser able to surf without getting hijacked within 15 minutes? Well, all I can say is, not coming from an insecure buggy windows background, or very complicated unix background, but a mac classic simple functional OS/browser background, I will assert to you that I ran for YEARS on the net with NO antivirus, no firewall, no anything but the default browser (netscape) that came with the OS install. YM obviously varied from that I would guess, so you have that viewpoint "it's almost impossible, it can't be done", etc.
I *never* had to jump through *any* hoops just to surf simply. I went to any website I wanted to go to, read any email. Nothing. I know a few viruses existed, but I never got one, and I don't think there was a remote exploit for mac classic, or at least to be honest and fair I never heard of one or read about one. The first firewall I ever used on a personal machine was two years ago with linux because you need one, same as windows, but at least they give you one that works with linux. With windows, nope, all the installs I ever saw were woefully overpriced, incomplete to a fault, and failed to function very well. And insecurity isn't an issue, they *are* insecure as shipped, you MUST jump through hoops to even approach a dismal-security range, let alone a pretty good-security range.
That is not what they are talking about. Internet Explorer allows you to embed IE inside of another application. You can even put a different name on the taskbar and call it another application, even with your own icon. In theory, some scam artist could write their own "web browser" in about 15 minutes. The problem here is that you really are using Internet Explorer, even if you are claiming to be some other application.
More often this is used in applications like AOL (IE is the default browser in AOL), where they use this ActiveX component to display web content. I think AOL uses their own e-mail system, however. You can also see this in the Real Player application, again if they are going to display web content instead of playing music or an audio/video clip. (Try this if you have Real Player.) Other applications also use this, in things like About boxes or even a cool splash screen when you start an application. Sometimes they even do full TCP/IP http requests for content, including machine-specific data. A good security hole if I ever heard of one, and a cheap and easy spy app as well.
Mozilla does not use the I.E. rendering engine... they have their very own, so they don't need it. A while back it was a common task for CS instructors to assign students to make their own HTML rendering engine. I wrote one myself just to see if it could be done. Not a beginner task, but still something well within the capabilities of any recent CS college graduate (if they actually taught you anything).
Plug-ins are not something that automatically gets downloaded and installed on your machine. You have to knowingly download and then install them. This is for Windows or any other OS that the plug-in framework is residing on.
On the other hand, IE provides "helpful" features like self-installing plug-ins (ActiveX) and a help framework that completely circumvents the security- all without ANY user intervention.
In the proposed solution you offer, there is no difference with the plug-in model of things- you have to actually install something with your own intervention to be able to view "rich" content. The moment you do anything Internet centric, you change the security profile completely. Having one or more applications to do things doesn't change the amount of work, etc. like you seem to think it does. In fact, in some cases, you just made the work harder because now you've got to add more rules in your firewall and monitoring tools which could leave loopholes in your security. And it still doesn't stop idiots from running malware passed along via e-mail, etc.
Your whole premise doesn't work.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
They're redirecting all the common worm and trojan exploit attempts for IIS to MS' website. Nice.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Can (or do) those other applications embedding the IE engine use the zone controls and otherwise follow any of the security settings for IE itself?
God, I'd hope so, otherwise that could be a right nasty mess (and would explain some of the weirdness I used to encounter back when I used/troubleshot Windows
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
I don't know, I can imagine quite a bit :) Lord, what a clusterfuck this all sounds like.
;) )
What I do know, after fixing many hundreds of Win 9x systems for people, is that I decided I was going pure Linux and not looking back. I've found it relaxing. I spend almost no time in maintenance after initial setup and pretty much zero time worrying about system security.
Dumb, dumb. Microsoft is really going to take it on the chin this year, methinks. Which in the long run will be a good thing, perhaps; but in the meantime a lot of people are getting screwed (like my folks; every week I get another phone call...)
Not to mention the weird stuff I encounter at work, where we now run XP Pro on all our systems. FE, we have one box, identical to the others, where the network card driver pukes on a random daily basis. Easy enough to fix - go to the hardware manager and re-enable the card - but WTF?! So far nobody either at Corporate or MS has been able to fix it - and it's not hardware, either. What a PITA.
(also three times now in the last two weeks getting a call from corporate telling us to reboot all our boxes because they could no longer VNC into them. Rebooting fixes it. Ah, Oh Lauded Stability of XP. *snort* Other than kernel upgrades my home boxes never get rebooted. Never; and they work a lot harder than the work boxes do. Windows. Bah.
Cheers,
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.