Dept. of Homeland Security Says to Stop Using IE
LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News:
'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
"In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."
This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. The MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer. You gotta love this. You just cannot make stuff up like this!
Cheers!
Erick
http://www.busyweather.com/
What's next, a recommendation that everyone stop using Microsoft Windows?
New: Microsox Windlls FU SP7 w/Ubernet Exploiter (a free pile of bugs in each release!)
I have been saying this for a long time but now it is official.
<Shakespeare mode=Hamlet>: There needs no ghost, my lord, come from the grave to tell us this.</Shakespeare>
Really. How long before the Whitehouse figuratively grabs Tom Ridge by the lapels and tries to throttle him. Such harsh treatment for a huge dono^H^H^H^Hemployer. Oddsbodkins, what next, the GWB DoJ was soft in pursuing the danger of monopoly exploitation of the browser market?
A feeling of having made the same mistake before: Deja Foobar
Hooray for the Department of Homeland Security! LWATCDR is not the only person that has been saying "get off of IE" for a long time.
Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put Firefox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.
It really says something for how widespread this news is. If I was Microsoft, I would be scared at this point.
resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers
Duh. All our friends at Microsoft need it too.
*grin*
*grin*
Free XBox, PS2
I didn't listen to them when they asked me to duct tape and plastic wrap my house, I didn't listen to them when they raised the alert level 5 different times, I didn't listen to them when they told me to trust them, but I am glad that other people do... Perhaps this will do double duty! It will fix websites that cater to IE only so that they work with the currently "broken" Firefox so that I don't have to refresh or cross my fingers to get it to work.
"According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
I hope that this also translates into a large spike of donations to the mozilla organization. Firefox and T-bird are teh moh scheezi, and I started using mozilla years ago.
I've donated about $150 over the years, how bout y'all?
do() || do_not();
the courts have ruled that Msft's bundling and pushing IE with every OS purchase is good for the consumer. Let business be free to manipulate their customers! It's good for the economy.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Now all us computer nerds will lose our counter culture edge. Plus you'll no longer be able to detect a fellow geek merely by his browsing choice. I guess we'll have to go back to tossing off random Kevin Smith quotes and seeing who catches on.
Firefox, you need to do yourself a favor. Flawless pop-up blocking, the beauty of tabbed browsing...real standards implementation...the list goes on and on. Now, if only Windows would be declared a national security risk...
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
1) Create product that a smaller portion of the population uses, thus keeping the effectiveness of attacks on your product less desirable than the other 2) Give your product away for free, open sourced, and up to date with all the latest standards, oh, and make it more secure (novel idea, really) 3) ??? (wait about five or six years for a government agency to declare your competitor's product unsafe enough to get the CERT all riled up) 4) Profit, or How Mozilla Pays M$ Back for The Whole Killing of Netscape Thing
That was CERT's announcement, this is actually the Department of Homeland Security making this recommendation. 2 different organizations, same recommendation.
Hopefully people switching to FF will mean that more bugs will be squatched from it. Perfect timing for that 1.0 release.
wow!!
I am the Alpha and the Omega-3
Recently I was cleaning rather obnoxious spyware off of my sister's laptop. To prevent further infection, I was asking her to install Firefox. I said it'll block popups. Still reluctant. Tabbed browsing? Nope. More secure? Nu uh, still stubborn. Stop the spyware? No. (She's getting irritated at this point). CERT Recommended to stop using IE? Still won't let me install it.
*pause*
She then asks if our mother uses it. I said yes (thanks to me).
"Ok, install it."
Homeland security be damned, it's the MOTHERS we need to convert.
For those considering installing Firefox on Win2k PCs they don't have 'administrator' accounts on, I can report that it installs and works perfectly well from a 'power user' account. Perfect for those considering an installation on a work PC.
You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.
Happy browsing!
Imposing Libertarian views on everyone online since 1992.
Homeland Security says to stop using IE but in the Air Force we're still using it and I haven't heard any plans to switch to something else. It's good to know that the DoD is listening to the security measures of the other departments.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
Not 4 months ago MSN.com (obviously slanted) was trumpeting around "BROWSER WAR IS OVER!!!" and proclaiming that IE was the clear victor (though they never gave the conditions that made it a victor, they just sensationalized and re-iterated the same shit over and over in different wording in True Fox News Style(tm))
MS to "win the browser war" just in time to have their browser shot down every time they turn.
They had better wake up to this, too... These days, "internet" is about 85% of what computing is about. MS with all their attempts to blur the lines between your computer and the internet, and their flagship web application is poo.
do() || do_not();
I've been posting news articles like this one around the workplace, but man, is it hard to get anyone to listen. If HQ won't even listen to this headquarters's own IT department, why should they listen to someone in R&D?
Bah. Anyone have any advice on this?
If life beats me down, I will endure it. If life beats me down, I will shake it awake.
The only really safe browser! Not so good for browsing porn sites, but since you want to download the images anyway, maybe lynx is good for that too!
I Am My Own Worst Enemy
Microsoft released a fix for this issue today. Basically it disables the ADODB.Stream object. However, it requires a regedit to implement. I imagine a hotfix is forthcoming. Still, Firefox and Mozilla don't suck at all, so people should at least use this as an excuse to give them a try IMO.
There is nothing inherently safe about liberty. That's why so many people died protecting it.
This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. The MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer.
Translation: After all those horses get out of the way, we'll have your barn door fixed in a jiffy.
A feeling of having made the same mistake before: Deja Foobar
The Department of Homeland Security recommends not to use George Bush anymore - because of serious security leaks and erratic behaviour.
A support article by Microsoft suggests a solution to the holes in their product, specifically the one where an address can be spoofed and displays a different url than the one you're actually at. Solution: Don't click on links! :)
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself."
After making the switch to Mozilla Firefox and using it for two days, I'm hooked. I downloaded the All-in-One Gestures extension, and I can't for the life of me figure out how I ever lived without it. It's a whole new paradigm in browsing. This is another milestone in the MS exodus towards open source and Linux. Disclaimer: I do not work for Mozilla... just a satisfied user.
When I become an Evil Overlord: My ventilation ducts will be too small to crawl through.
Well, if you really want to be counter culture, just wait a few months, then start using IE again after the bulk of computer using Americans move over, that will really shock your friends, it can be like a cult
Not really. This is the original source document...
Notice that it's the Department of Homeland Security seal at the top of the document. For our purposes, CERT is a subset of DoHS... it's just that the media is now picking up on the more known name of the larger organization to bring the story to the masses.
This kind of thing could be serious for Microsoft. Their strategy is 'thick client' - the browser and other features are integrated into the operating system. If security issues remain while the browser becomes a fundamental part of future Windows use, they are in trouble.
If we all stop using Internet Explorer, the terrorists have won!
"Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.
Let's see what we have here.
- First sentence tells us that Microsoft isn't going to try to attack the credibility of CERT because that'd be unlikely to get anywhere.
- Second sentence is trying to blame "the media" for misreporting the story, but the media's working from a primary source that has a section heading called "Use a different web browser". I don't know how you're "misrepresenting" that when you take that as a suggestion to download any browser that isn't Internet Explorer which means Mozilla, Opera, Netscape or any other competitor out there. They want CERT to take back the recommendation to just stop using IE... that's the only kind of "clarification" that's possible here.
Microsoft clearly wants a CERT retraction. But do they stand any chance at getting one?
1) IBM is our friend
2) Apple is no longer just for coddled sheep
3) Sun is dying
4) Sun is embracing linux
5) Sun is no longer embracing linux
6) SGI is dying
7) ???
8) We might be watching the beginning of the end for Microsoft. Not just in this, but the whole pile of events over the last couple of years. If Microsoft loses relevance, and market share, and withers away...
Who Is Going To Be The New Evil Empire????
I want to know who to unconditionally hate next!!
do() || do_not();
Anyone want to place bets on whether some clever MS lawyer is preparing to argue that any antitrust action related to the browser bundling should be tossed out, because the feds are now encouraging people to use browsers written by the competition? After all, if the government acknowledges that there is legitimate competition, then clearly, MS must not be abusing its desktop monopoly, since so many people are now downloading those free alternatives... right?
As an alternative... imagine if DHS came out and said that a flaw in GM vehicles aided terrorists, and people should purchase Ford and Chrysler vehicles until the flaw is repaired. Do you think GM would immediately start demanding financial compensation for lost sales and market share from the federal government?
Now, extend that to MS, despite the fact that IE is, effectively, free. If the whole thing still seems unbelievable, insert Robert Heinlein's quote about corporations thinking they have an unassailable right to make a profit above all else here. I'll bet good money MS is already preparing the legal briefs for some kind of retaliation.
Someday, you're going to die. Get over it.
Cool, will that mean that some of the idiot web designers will actually start taking non-compatibility complaints seriously? Like those laden with Javascript that works nowhere else but with IE. Take Expedia.com, where the calendar pop-ups only work with IE or Priston Tale web site where the side menus don't appear if you don't have IE (I already supplied a fix which was ignored) - actually this one should be lumped with the GIS2 web site for excessive use of Flash.
Maybe pigs will fly first?
Just one note: Mozilla has one big advantage over Opera and Safari for MS-based corporate networks: it supports NTLM.
Jumpstart the tartan drive.
I'd like to take this opportunity to emphasize the negatives of an unhealthy competitive market.
When monopolists crush the competition, and you have one company with 95% marketshare, that company gets lazy.
It produces shitty products, slows development (compare development now with when they were trying to crush netscape), all the while making monopoly profits.
Thankfully, the GPL seriously reduces the barriers to entry, because it would be DAMN hard to get either Gecko/Mozilla or KHTML/Konqueror/Safari relicensed and 'shut-down', or integrated into the MS lineup.
Mark my words, if there was no one else but Opera, MS would think long and hard about crushing it.
Monopoly bad, folks, m-kay?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.
NO ACTIVE X. That means no sneaky little programs in your system.
The open source movement is well on top of issues like this... always have been.
Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.
Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.
Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.
Netcraft confirmed in a report today that the beleaguered Pop-Up Advertisement industry is citing Mozilla and Firefox as the driving force that has snuffed out their livelihood and threatens to drive them into extinction....
:-D
(c'mon, someone else can do this better than me)
In other news.... when parasites and popups are no longer possible, what sorts of nefarious crap will the nefarious-mongers do next?
do() || do_not();
Wow. Think how much worse this'd be for Microsoft if IE was a core part of the operating system!
- mark
-----
I tried an internal modem, but it hurt when I walked.
Here's my piece I did on the topic about a week before the CERT announcement:
http://www.dmiessler.com/reading/ie.html
dmiessler.com -- grep understanding knowledge
Then it will be interesting to see if Mozilla has the same inherent weaknesses as IE, won't it? For years MS has used the excuse that they're the largest installed base, thus the target for most virii, etc. I say let's see if that's true.
You just need learn to love the big brother. It may take time, but in the end, you will love him. We will take care of that.
Now, how many fingers?
“Wait for Hurd if you want something real” –Linus
It's easy to bash Microsoft, but I think we should give credit where it is due. After all, Microsoft has acted very quickly to fix this problem; users who have patched their version of IE can no longer access the Department of Homeland Security's webpage.
Reality is defined by the maddest person in the room
my question is, if 1) there's no patch yet for IIS servers to defend against the attack, and 2) the microsoft update servers are all IIS, then how can we know that microsoft update hasn't been hacked? hmm? (oh the humanity!)
Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.
So the press misquoted CERT? I've read the text and almost everything I've seen is a quote, albeit summarized occasionally.
I think it's absolute comedy that when MS plays hardball, it's just business as usual, but when things swing the other way they can't stop complaining how they aren't getting a fair shake.
Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.
Translation: We are currently researching ways to extort CERT into issuing a new statement saying our browser is the most secure as long as you don't use the default settings we chose for you. Fact: IE is the most secure browser when completely blocked by a firewall.
I objected and got called "Ayatollah of web-compliance" :-)
In Soviet Washington the swamp drains you.
Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines
Did anyone RTFM from the Yahoo link? It says at the very bottom that Mozilla is vulnerable too. I use Mozilla myself but it appears that the real culprit is ActiveX which you can install on Mozilla. I don't think this plug-in will work on platforms other than windows so it's really a platform issue.
a link (http://www.kb.cert.org/vuls/id/323070) to the US-CERT pub recommendation. It is also interesting to note that the suggestion to "use a different web browser" is the last offered (see section III. Solution).
Is IE targeted because it is widespread? Perhaps. But that does not mean Mozilla is just as insecure.
It's not just that IE is widespread, but it's a design issue. If the usage numbers were inverted, IE would still have more exploits because it has some extremely poor design concepts behind it. First, it is directly hooked into the OS. If an exploit executes on the browser, then it is a very short leap for it to execute on the OS. Second, IE has a promiscuous plug-in model that allows nasty malware to execute without enough checks or controls.
What drug were the IE design team engineers taking when they decided to let (or at least failed to prevent) untrusted program execution? The drug is named "Market-share". They were trying to turn on as many features as possible to capture every possible market. Microsoft made an early design decision to tout features over correctness. It is a fatal defect that now is probably nearly impossible to correct.
Now that MS is re-starting IE development, they should probably do what the Mozilla team was forced to do years ago. When Mozilla first inherited NS-Navigator 4.X, they looked at it and decided to ditch most of it. They started clean with new design concepts. I think MS is going to have to do the same thing. The current design of IE is fatally flawed. It will have to be rebuilt from the ground up with a new security model.
The left-wing Slashdot community (that is, 99.8% of Slashdot readers) immediately becomes Internet Explorer advocates in order to avoid being on the same side as the Bush Administration on anything.
Gamingmuseum.com: Give your 3D accelerator a rest.
So when is the Govt. going to fix all of their web sites to work with Mozilla? Currently there are a great number of sites that only work with IE and some businesses rely on those sites.
"In theory, theory and practice are the same. In practice, they are not." – Albert Einstein
The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.
CERT gave the warning on June 10. BBC reported this on June 14.
It's so great to see Mozilla rising from the smoldering ashes that MS left Netscape in, only to come back and bite MS in the ass. It's so symbolic, they should change Mozilla's name to "Phoenix" or something.
Huh? Oh. (Gilda Radner on SNL voice....) Nevermind.
Does anybody realize just how hard it is to make people change their browser or OS? I work in IT and almost no one has even heard of Firefox. Only one (besides me) has it installed...and we are IT. This is not the end of anything for the evil empire, this CERT notification won't move M$ market share of browsers by more than 1%. And since the overwhelming majority run IE, we will all still have to have IE just to be able to continuously repair and troubleshoot it. Sorry for the reality check, but end-users are skeptical about any change, unless they feel 100% sure they will gain much, lose little. People say this is the end of the empire, but most people who run Linux and OS X have a Windows PC also.
"money" , and the reality that most people use IE because of illegal monopolistic actions that resulted in MSOS being the defacto install on their computers, so they use what came with the package, which includes IE, and they are encouraged to go onto the internet without adequate instructions, or without adequate protections, both of which are well known to MS and the various vendors who sold them their computers.
When you have the vast bulk of PCs the last decade and a half being shipped with MSOS, they had a responsibility to make sure they weren't violating anti trust laws, which they failed to do, and got convicted of it.
The consumer was long ago denied any reasonable* expectation of free market choice, when the vendors themselves conspired with MS to ONLY include MSOS to such an extent. It's intent, and to my way of seeing it, is an example of RICO action and should have resulted in MS and several large vendors getting charged with criminal violations, not just civil violations, and several billionaires going to jail over it.
Even though IE is a free download, it is easily observed that most people did not have some other OS OR of their free will go "download IE", it came as a bundled app with their monopoly enforced distribution of MSOS, and the product is seriously flawed. Seriously. The EULA should be challenged, and we need to get a determination of when and how any product may be profited from, but still avoid an implied warranty for suitability for purpose. If they get granted a patent and a copyright, they have certain responsibilities when they trade it in some fashion for money. When you receive something for free, it's a different story. That's the major difference there. And if that again causes a shift in free/open source, how it's distributed, it would be worth it to force closed source/proprietary and for-profit software to get classed as a product that is sold, and have normal consumer protections. The tradeoffs are worth it, IMO.
* please note, I said reasonable as opposed to technical. Technically yes, they had a choice, reasonably, no, there was little choice, and still not much. Walk into any big computer store, what is the default install on the boxes there? Are any of them safe to go on the net "as is", how they are sold? No, they are not. The EULA basically is an example of a vast huge case of consumer fraud, IMO. People assume their brand new computers will work, and part of their entire computer package they purchase with real money is the software that comes with it. They would sell little if any new computers bundled with MSOS if they were merely labeled truthfully, as in "you will probably get infected with virus, malware, trojans, backdoors, etc within one hour of being on the internet with the default install and configuration if you click accept on the EULA provided for the bundled microsoft software". If that sticker was on the outside of the boxes, the stores wouldn't sell hardly any of them. How many computers and copies of MSOS would they sell then, if they were merely required to tell the truth, even keeping the current EULAs in place, exactly how they are written now?
I personally *do not care* if the entire software industry top to bottom, left to right, inside to outside has to change licensing, thinking, what they do or how they do it, enough's ENOUGH on claiming a 60 year old industry that has raked in untold hundreds of billions of dollars or more isn't mature and sophisticated enough to offer products that can be covered by minimum consumer implied warranties. Time to take the training wheels off, and get rid of the EULA get out of any responsibility "license". If it slows down releases and causes huge shifts in PHB and investors thinkings and stock holders profits, I could care less, and I bet millions more consumers feel the same exact way. Software will still be written and sold or given away, just of much better quality. Releases will be slower, but they will be much better quality. Pressure will shift from get i
"Global Class Action Lawsuit against Microsoft"
This is what people don't understand about capitalism. If you don't like the product, you don't have to sue, just stop using the damn product.
I really hate this attitude, "the man keeps us down, so let's sue." It makes absolutely no sense at all. Corporation uses child labour to make affordable products, sue them. Heaven forbid you should accept responsibility for it and stop buying their low-quality products. MSFT sells software for too much money, sue them, don't simply use something else. It's no wonder we have so much unnecessary litigation in this country.
This browser warning page thoroughly trashes MSIE, but every phrase is linked to a news article that uses the exact same verbiage in order to demonstrate that it isn't just anti MS FUD - It's the honest truth. It's designed and maintained for webmasters to deliver to the IE-using visitors to their webpages. You can read the source code for some more information about that. In case you're curious, here's a paste of the text and links that it has - This should prove quite effective with anyone you're trying to convince to stop using IE:
Warning! Your web browser - a version of Microsoft Internet Explorer - may not function properly on this website, and could have a large number of problems that allow hackers to hijack it with viruses. These viruses could be used by criminals to secretly take over your computer, download child-pornography, or to commit acts of terrorism and fraud. You may automatically update it now with Microsoft's available patches, however, there is a possibility that a necessary patch will not be available due to Microsoft's somewhat sluggish development schedule.
The US Department of Homeland Security strongly suggests that you stop using Internet Explorer immediately.
There are several standards-compliant web browsers that you may use instead of Internet Explorer. Please install one of them as a replacement.
If you suspect that your computer is already being used for criminal activity, it is critical that you seek help from a computer professional in your local area. You may also try one of the free web-based virus scanners that are available.
I don't know where you USian guys get this rubbish about companies having only one goal, the damned profit.
You have been brainwashed and repeat your little mantra like the good Chinese workers used to parrot Mao's Red Book.
Companies can be the expression of an ideal, the realization of a dream or the intent to attack social problems. You have companies that have been set up to ensure fair trade of tea and coffee, other companies that operate on a cooperative basis in which the workers are owners and benefit.
In Brazil a well known style of management (like some forward thinking USian companies like Google) support their employees to start their own businesses on their free time using company's resources that otherwise would not be utilized.
Many companies have programs to vinculate them with their local communities (mine is one of them) helping with reading skills, IT skills on deprived schools, and promoting on their employees a culture of solidarity and social responsibility. Many of you don't know, but many corporations have strict guidelines about what is legal or moral and what is not, and employees are lectured constantly (to the point of boredom) about legal and moral obligations.
There are companies out there that compete trying to put innovative products on the market and not by the shameful "embracing and extending" touted by the greatest megalomaniac of the IT industry.
The companies are what you want them to be, if they only pursue profit without regards for the consequences it is because greedy unscrupulous individuals have been made heroes by their peers, the media and unsuspected Red Book reciters.
IANAL but write like a drunk one.