Several Critical MSIE Flaws Uncovered

An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

Thanks Microsoft!

I know some people around the Mozilla camp were a bit afraid of how the media would cover their recent security problems. But, once again, Microsoft's really come through by offering problems of their own to take the spotlight off Firefox.

Re:Thanks Microsoft!

[Karzz1]

Is it just me, or have there been a ton of browser vulnerabities discovered recently? It seems that every couple of weeks or so there is a hole found in IE or Firefox/Mozilla or others even. Are security firms concentrating their efforts on browsers or are browsers simply more inherently insecure than most other software?

Re:Thanks Microsoft!

I got emails at work about the Firefox ``critical'' vulnerabilities. I probably won't get any emails about these, but it's not like I can just stop using IE for the sites that use ActiveX. It's also not like these IE problems will be fixed any time soon.

Re:Thanks Microsoft!

[ninja_assault_kitten]

Good point. Speaking as a researcher I can say that with the advent of Windows XP SP2, Windows 2003 SP1, finding vulnerabilities remotely exploitable vulnerabilities in the OS is significantly harder. Focus has shifted to the new low hanging fruit, common userland applications such as Firefox/IE.

Having seen a sneak peak at IE7, that could change too...

Re:Thanks Microsoft!

[datadriven]

And people keep saying they're anti-competitive. ...ow wait

Re:Thanks Microsoft!

It has been QUIET on the browser security front this year. Generally speaking there has been vulns found in MSIE every 2 weeks for the past 5 years.

Re:Thanks Microsoft!

Sorry, browser exploits were still more common before SP2 or windows 2003. Why don't you try... y'know researching it?

Re:Thanks Microsoft!

[m50d]

I think it's that browsers are more hacked-together. No one would be stupid enough to try and make an email client be an applications platform - but that's exactly what both mozilla and MS do with their browsers. That leaves a whole lot of exploitability.

Re:Thanks Microsoft!

[n0-0p]

Well, I assess software for a living, and in my experience it's a combination of several things that makes browsers so difficult to secure.

• Browsers are in general extremely complex apps and complexity leads to security issues
• Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues
• Browsers must deal with cross domain concerns (local system vs. remote sight), which can be very tricky
• Most browsers were initially developed during the internet boom when features ruled and security was a foreign word

IE in particular has the deck stacked against it because it was pretty much ignored in the MS security push that started in 2002. The team had already been disolved and the app was in maintenance mode. They just didn't commit the resources to dig into the code and do a thorough security review like they did with most of their apps. Instead there were some tacked on fixes like shuffling the zones, modifying ActiveX prompts, and disabling most functionality in Server 2K3. I personally have no question that they regret that decision, and we'll see what happens with IE7 this summer.

Re:Thanks Microsoft!

[ninja_assault_kitten]

I'm speaking for 8 years of experience. The focus within the commercial security community has shifted a significant portion of it's attention to userland applications from OS level vulnerabilities.

While remote OS vuls are signifcantly much more profitable, they're increasingly difficult to find.

Re:Thanks Microsoft!

No, they are increasing difficult to exploit!

MSIE has been the No1 attack vector for years.

Re:Thanks Microsoft!

[wfberg]

Browsers are like cheerleaders. They're popular, and they might say they use protection, but you'd better know they get around.

Re:Thanks Microsoft!

[bunratty]

No, Mozilla uses an applications platform so that the developers can easily write cross-platform code. It's just that they also developed that platform, and it's also called Mozilla. Mozilla-the-browser (and also Firefox and Thunderbird) run on top of Mozilla-the-platform.

Re:Thanks Microsoft!

[eyegone]

No one would be stupid enough to try and make an email client be an applications platform

Ever hear of Lotus Notes?

Re:Thanks Microsoft!

[Kent+Recal]

Ever hear of Lotus Notes?

Yes, I have and it is a nice proof for grandparents statement.

Re:Thanks Microsoft!

[phoenix-gb]

I imagine security firms are concentrating their efforts on web browsers; firewalls, such as Windows XPs and other third party products, mitigate, rather than directly address, any vulnerabilities in system services, but a web browser cannot be protected in the same way. And, for most people, the web browser and the email client are their primary interfaces for the web, simply requiring a black hat or script kiddie to coerce the user to visit their infecte web site/ page; a depressingly easy thing to get your average net-user to do, it would appear from the continued popularity of phishing scams.
Of course... one may ponder how much havock could be wreaked a vulnerability on a P2P client; all those users on a single virtual network and little to no coercion would be required, depending where the flaw lay.

Re:Thanks Microsoft!

[tepples]

Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues

You mean "parsers written using common C string handling techniques are notorious for security issues". There are other string handling libraries such as Vstr that aren't as vulnerable to buffer overflow, but many programmers who work with C or C++ don't know about them.

Re:Thanks Microsoft!

[inode_buddha]

Nah, its not just you IMHO. The Marketing Dept. wants you to use *their* browser.

Re:Thanks Microsoft!

[starfishsystems]

we'll see what happens with IE7 this summer

I expect that Microsoft's "integration" strategy for subverting interoperability will continue to induce pain points in fresh code just as it has done in legacy code.

In a complex design which combines a tolerance for brittleness and nonmodularity with a strong preference for products to fail open rather than closed, that has to be so. It becomes that much harder to meet functional tests, let alone the nonfunctional ones related to security.

Re:Thanks Microsoft!

we need to concentrate, cough, cough on not pointing the finger at microsoft but ITS CUSTOMERS...for some unusual reason and for the past 12 years i personally have not ever run into any problems with ie in our home & obviously, i am going to check then update any windows based computers, cough, cough, if needed...

Re:Thanks Microsoft!

[hey!]

Well, except you really have it backwards.

Notes is a messaging/workflow management application platform that can be trivially used as an email system, a use for which it is overkill, given that the least common denominator capabilities of Internet email systems are so extremely limited.

I think Notes is mispositioned in a marketing sense, given what it is. It completes against Exchange, which truly is an email system that has been overextended into a platform. This naturally leads to a lot of dissatisfaction with the product when it's used for plain old Internet email, which it is 90% of the time. Most IT departments don't have enough on the ball to develop workflow management applications, or even use non-Microsoft products.

It's too bad, because there's a lot of good stuff in there.

Re:Thanks Microsoft!

The difference, unfortunately, is that Microsoft actually does extensive testing on their fixes before releasing them. They insure that their code doesn't break any legacy applications, doesn't cause other problems, etc. Mozilla, on the other hand, is far more likely to have the "it compiles, ship it" attitude. That's how most open source projects and companies that I've worked at operate. So ya, Microsoft takes a bit longer. But it's because they're actually doing their job. Do you guys seriously think they're just sitting their with their thumbs up their butts waiting for bugs to "ripen"? Of course not.

Re:Thanks Microsoft!

[m50d]

OK, but the problem with that is that remote code also accesses mozilla-the-platform. If they used the platform exclusively for making actual programs on top of, and didn't try and make it a way of running web applications, I think a lot of their problems would go away.

Re:Thanks Microsoft!

I guess that means they'll be outlawed in Texas.

Re:Thanks Microsoft!

[Keeper]

...well, nobody would be stupid enough to try it again. :)

Re:Thanks Microsoft!

[man_of_mr_e]

Really, it's a bit earlier to be gloating about Firefox. It took them something like 10 days to patch the last two vulnerabilities. Now we're gloating about how slow IE is after 1? That's not right.

Further, MS has been known to ship critical fixes outside the normal patch timeframe, especially when they become publicly known, so assuming MS will wait a month is rather childish as well.

Re:Thanks Microsoft!

While I don't use IE as my web browser of choice (nor Firefox or Opera, so STFU fanboys), I have to say that my experience with IE has led me to believe that it /can/ be secured quite easily, and that most of the security issues are due to PEBKAC on the customers end.

Re:Thanks Microsoft!

There might be "a lot of good stuff in there" and Notes might be "not Microsoft" but it still sucks. Notes doesn't have any good scripting or heterogenous integration features.. sure you can do it all with the Notes/Domino supplied solution, but what if you don't want to use those tools exclusively? Furthermore I can't run Notes or integrate easily with Mac OS or *nix (and no, I don't consider WINE to be seemless integration).

Plus as a mail client, it is not overkill at all, indeed it truly sucks.

Notes is really the antithesis of the do one thing well.

Apache, a decent mail client and workflow client (not saying one exists) is a superior platform.

Re:Thanks Microsoft!

Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues

That is a crying shame. Parsers are the oldest and most well understood field of computer science. There is no acceptable reason why a bug in a parser should be deemed excusable.

Re:Thanks Microsoft!

[calculadoru]

Please do not mention Lotus Notes ever again. It has been, still is, and looks like it will be, the absolute bane of my existence as a corporate drone. It sucks the life out of everyone who uses it, it destroys and maims everything it touches. It is the worst program/platform/whatever the bloody hell they think it is, EVER. It was designed to incur maximum confusion in the user, with productivity and ease of use kept to an absolute minimum. It is a vile, pestilent disease on the otherwise healthy body of my computer. I could (and am actually rather enjoying) go on about this monumental piece of excrement, but I have to go archive a few megs of mail now, and Notes is SURE to crash on me, AGAIN, then require me to reboot so I can access a puny email from six months ago. As the wise man said, AAAAAAAAAAAAAAAAAAAAAAAAAARGH

Re:Thanks Microsoft!

[Fade_to_Blah]

Why dont you tell us how you really feel

Re:Thanks Microsoft!

[hey!]

Lotus always had a horrible touch with user interfaces. It always amazed me that they couldn't hire a couple of HCI gurus for a couple of hundred thousand dollars to whip it into shape. It's a flagship product, after all.

Notes and I parted ways around R5, when it was clear where the IBM/Lotus people managing the product were headed. They were building a layer of HCI crap over the good stuff in the product, which was nearly a decade old. It was clear to me that the facade they were putting up in front of the product was shaky, and that various long standing issues that the product had weren't going to be addressed.

This, by the way, is the kind of thing that provokes a fork in the F/OSS world, and why this is a good thing.

In some ways what they were doing is completely understandable from a business perspective. It sucks to have a product that you have to educate people as to why they need it. It's a lot easier (and better for quarterly revenue projections) to slap some crappy glitz on it and try to compete for a smaller slice of an (initially) bigger pie.

Re:Thanks Microsoft!

[hey!]

Notes doesn't have any good scripting or heterogenous integration features.. sure you can do it all with the Notes/Domino supplied solution, but what if you don't want to use those tools exclusively? Furthermore I can't run Notes or integrate easily with Mac OS or *nix (and no, I don't consider WINE to be seemless integration).

Chalk this up to bad product management.

There's no reason these things couldn't have been done, but they wanted to position the product against Exchange and Outlook, and that's where their effort went.

The mistake everyone makes is to try to compete with Microsoft on Microsoft's home turf. It's where the quickest buck is, to be sure, but the failure to have a vision of the product independent of trying to snipe at Exchange/Outlook's market share on Win32 is the root of all the suckiness in the product.

Re:Thanks Microsoft!

[holloway]

What's the alternative? Platform specific code that stretches just as far and you'd need to rewrite for each platform?

Re:Thanks Microsoft!

[m50d]

No, have the web browser responsible for browsing the web and a completely different program for running remote applications.

Re:Thanks Microsoft!

[jonadab]

> No one would be stupid enough to try and make an email
> client be an applications platform

Shhh, you'll give them ideas. In 1994 we commonly said thinks like, "nobody
would be stupid enough to make a mailreader automatically execute instructions
or code attached to a message", and then the Outlook team did exactly that,
and Microsoft *boasted* about it and touted it as an important feature.

"Nothing for you to see here. Please move along."

[rokzy]

how appropriate... wait, no it isn't.

Dupe?

[Kohath]

Is this story a dupe?

I could swear I read about security problems in MSIE before...

Re:Dupe?

[lostwanderer147]

No, no you haven't. It's all just the vast liberal conspiracy. They just want you to hate America. Now move along and go collect your tax refund.

Re:Dupe?

[ninja_assault_kitten]

Nope, you're confusing it with Firefox.

Re:Dupe?

No, it's just a repeat of a deja vu of a feeling that this has happened in the past, again.

Re:Dupe?

[HermanAB]

No, it is all the people that are still using MSIE that are duped.

Re:Dupe?

[PerlDudeXL]

Nothing to see here. Please move along.

Re:Dupe?

[ArtStone]

Or today's CERT notice about all the holes in Mac OS X

http://docs.info.apple.com/article.html?artnum=301 528

oh well

[siropel]

Does it affect me if i run IE with wine under linux ? (just a little joke).
But i think we are gonna see botnets in action before microsoft releases a patch ...

This is news why?

More flaws found? Oh my goodness! http://www.carltrimble.com/

Re:This is news why?

Why? Because it lets some ugly geek pimp his crappy site.

Re:This is news why?

wow ur fugly

Great..

[Marble68]

I'm stuck with an internal deveopment team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything. Although exploits were found in Firefox, they were patched rapidly. It's not standard on all our desktops. I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.

Re:Great..

[0x461FAB0BD7D2]

IE lite? You mean less features than IE already has? I think that's called telnet isn't it?

Re:Great..

[Mz6]

I've found that most corporate sites, both internal and external, require MORE features than most regular web sites. An IE Lite that cuts down on that, would take away those flashy "features" :)

Re:Great..

[Marble68]

Well, you would think the development team would either know how or want to take advantage of client side features.

Their apps basically round trip everything to the server for processing. Never mind how friggin' slow it is, they insist on avoiding doing anything "client side."

And they do *just* enough to make it IE specific.

I totally agreee with you that if your going to do some type of internal app, most people would use all the resources available to them.

Not where I work, though. Drives me nuts. ARG!

Re:Great..

[petermgreen]

wrap the IE ocx in a custom app and trap the events so as soon as anyone browses outside your intranet sites you fire up firefox

i wonder how hard it is to embed firefox in the same way and have a tool that transparently switches between ie and mozilla rendering engines based on admin settings.

Re:Great..

.NET code should run just fine using Mono in most cases.

Maybe they would have to modify it a bit, but if your running Linux you have a veriaty of different browsers to choose from.. Even IE if your REALY want to.

It's nice having a choice, it sucks when you don't.

Sucks for you.

Re:Great..

[VStrider]

IE lite? You mean less features than IE already has? I think that's called telnet isn't it? Excellent! Plus...telnet will keep you insecure, in the spirit of IE.

Re:Great..

[hsmith]

Punch your boss in the face if they are requiring you to use IE only for .NET. I do .NET development and there are TONS of cross browser controls out there for every feature imaginable. I don't see why anyone using .NET would be tied to IE only.

Re:Great..

[TFGeditor]

Wouldn't it be nice if Microsoft just released the IE source and made it open source so we could either fix vulnerabilities ourselves or enjoy the rapid response of the oss community.

Re:Great..

[zootm]

I think that's essentially the idea of IE in Server 2003, which has a reduced featureset for security. I think it's only available for 2003 though, which kinda negates its usefulness in the context you want it.

Re:Great..

I'm stuck with an internal deveopment team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything.

...a big blue 'e' being the first mistake.

Why don't you remove the Internet Explorer shortcuts, set Firefox to be the default browser, and set up a special shortcut to each web application that you do that loads Internet Explorer (disabling the address bar and favourites, of course).

Just because they need to use Internet Explorer for internal web apps, it doesn't mean that they need to use Internet Explorer to surf the web.

Re:Great..

Please, with telnet you can test game servers you are developing, hack into websites, check firewall restrictions etc. All the cool stuff which you can't do with IE. If you must, you can call IE the lite version of telnet.

Re:Great..

[jZnat]

Indeed, since telnet was recently updated to parse all ActiveX code, signed or unsigned or shat on (like most ActiveX usually is).

IE flaws unconvered?

Damn, I didn't see that one coming.

But thats not fair!

People taking advantage of Microsoft's upgrade release cycle to discover security flaws when there's a month to go to the next upgrade!

I hereby demand that everyone only look for security flaws the week before the scheduled security update so that Microsoft can continue to claim it patches all their flaws in a timely manner!

Re:But thats not fair!

[marcosdumay]

Is this really insightfull, or is intended to be funny? The last IE upgrade happened a long time ago, that is not something like waiting an release to undercover the vunerability.

Re:But thats not fair!

[grahammm]

No, the best time to announce a security flaw is just before a scheduled security update which does not address the flaw.

Re:But thats not fair!

[joeljkp]

I simply don't understand the policy of scheduling security patches. If a vulnerability is found, isn't the best policy to release the patch as soon as it is available (and properly tested)?

This seems akin to scheduling firefighter visits every two weeks, and if your house catches fire in the meantime, being told to wait it out.

Re:But thats not fair!

[grahammm]

Which I believe is what Microsoft used to do, but they gor complaints from administrators who have to plan updates (security or otherwise) and therewanted a release schedule rather than ad-hoc updates.

Re:But thats not fair!

[joeljkp]

Do they release the patches on their site immediately, but only schedule when the updates get pushed to Windows Update? Or do they forego all patches until their scheduled release?

Re:But thats not fair!

[willabr]

There is no technical solution to a management problem. The Internet was designed to trust the kindness of strangers. If it is to be consdered a mission-critical system for which compromise is a serious problem, it must evolve and will necessarily become more secure... Train tracks, especially unprotected tracks in rual contryside, are easy to sabotage, and with grimmer results than network failure, but such incidents are rare.

Re:But thats not fair!

[Barlo_Mung_42]

Exploits creators are lazy. They normally reverse engineer the patch to create the exploit. So having a set time when the admins can schedule their updates reduces the amount of time between release of patch and application of patch.

Re:But thats not fair!

[_Sprocket_]

Train tracks, especially unprotected tracks in rual contryside, are easy to sabotage, and with grimmer results than network failure, but such incidents are rare.

Train tracks in rural areas aren't immediately accessable by thousands of faceless attackers from a diverse geographic popluation.

Re:But thats not fair!

[Tiger4]

It is a marketing decision, but it comes straight from Machiavelli's little book, the Prince.

If a Prince is going to distribute benefits, be sure they are annoucned singly and prominently, no matter how trivial, to maximize their seeming importance. If a Prince will announce taxes or bad news, be sure to collect them into groups and hit the people al at once, so that each has lessend overall impact.

MS has no trouble telling you about new products and features, no matter what day or week of the month. But they save the bug fixes and announcements for one day a month, no matter how critical.

They are following the advice. I'll leave it to the reader to figure out who the Prince might be.

This delay scheme is done as a "service" to all those poor admins out there, who have so many patches to keep up with. MS only tells you how wide open you are once a month. Thanks.

Re:But thats not fair!

House fire = life threatening
browser vulnerability = not life threatening

I fail to see how these examples are in any way similar.

Re:But thats not fair!

[Vlad_the_Inhaler]

One of my machines runs WinXP (for remote access to the Outlook server at work, apart from anything else) and I just tried explicitly looking for Security Updates.

The only such update was some utility to remove malicious coding such as Sasser.

Re:But thats not fair!

[quacking+duck]

It didn't help that patches to IE could take down the entire system, thanks to their brilliant idea to tightly integrate the browser to the core system.

Re:But thats not fair!

[borawjm]

This seems akin to scheduling firefighter visits every two weeks, and if your house catches fire in the meantime, being told to wait it out.

Shouldn't it be more like finding a flaw in your house that might cause it to catch fire and not being able to get it fixed until weeks later? In the meantime, your house might catch on fire (or, as a comparison, your computer might become compromised).

Re:But thats not fair!

[Tape_Werm]

That's the linux zealot mentality at work again. To them there is no world beyond the internet and Operating Systems are like countries at war and they are glorious soldiers fighting an all powerful evil dictator for the freedom of the world...

Is it any wonder no one gives them any respect? Seriously, they come off like a freaks living in an imaginary world.

Guys, you ARE NOT heroes. You're computer nerds, and no, you still can't get a date to save yourselves.

Re:But thats not fair!

Actually, it's probably more like this - the fire hydrants on the street, are only provided with a supply of water on the second tuesday of every month, and if your house happens to be on fire, then you can put it out. Until then, you have to just wait, and in some cases let it burn.

This policy thusly allows that county, to make claims such as "lowest numbers of firefighting incidents in the state", when in fact that statement says nothing about the true risks of losing your home/property to fire.

Note This For The Next Firefox Flaw

Then make sure to follow up all the articles appearing saying Firefox is just is bad as IE for security and remind them of the huge gap in time to fix and who seems to get their ass in gear and sort things quickly.

Re:Note This For The Next Firefox Flaw

Not that firefox's update time matters when there's no automatic update mechanism - only geeks runing firefox versions that aren't vulnerable.

Re:Note This For The Next Firefox Flaw

Your point is valid, except I would make the small corrections that there is an automatic update mechanism, and that non-geeks are also running firefox versions that are non-vulnerable.

Re:Note This For The Next Firefox Flaw

[Canberra+Bob]

"except I would make the small corrections that there is an automatic update mechanism"

Yes, a brilliantly designed update mechanism that downloads the entire updated browser.

Good for bidness

[yofal]

There's no rush cause we've got something to sell!

http://www.microsoft.com/windows/onecare/default.m spx

Re:Good for bidness

Yep, make the problem and then sell the solution. OneCare will solve all your issues, right..

Re:Good for bidness

[ScytheBlade1]

For the record, you can sign up to beta this product....I did, and if it's worth anything at all,...

Re:Good for bidness

[eck011219]

Wow - MS seems to be hiring their ad copy writers from the Bass-O-Matic School of Persuasivist Languaging.

Is bad thing A happening to you? Is bad thing B happening to you? THEN xxxx IS FOR YOU! I can almost smell the plaid.

Re:Good for bidness

[Stevyn]

"Windows OneCare automatically takes care of key tasks such as running antivirus scans, updating the antivirus engine and virus definitions, updating the firewall, and running a monthly PC tune-up to improve and maintain your computer's performance."

they forgot to mention "patching all those OS holes so they can't be exploited by clicking on a random link in somebody's AIM profile"

Re:Good for bidness

[Adelbert]

Are you worried that you're still not doing everything you should to keep it safe and running at optimal performance? If your answer is "Yes," then Windows OneCare(TM) is for you. Windows OneCare is built specifically for people who don't have the time or technical expertise necessary to secure and manage a computer on a daily basis.

And people tell me MacOS is aimed at retards.

When will people learn that a computer is a powerful tool, and you need to familiarise yourself with it before clicking on that dodgy link offering "free screensavers"?

I'm told that MS is thinking of charging a subscription for OneCare (feel free to flame me if I'm wrong). If they manage to pull it off, I think I'll lose my faith in humanity.

Re:Good for bidness

[ArtStone]

I'm still waiting to see if the Microsoft's AntiSpyware is ultimately going to be a subscription service. During the install, the beta mentioned an expiration date.

Overall, I think the AntiSpyware product is making a serious dent in the the Spyware business - if Microsoft starts to charge for the service and fewer people run it, then it will become much less effective.

IE is not a Browser

[mfh]

Using IE as a browser is like putting your OS on the internet. Be smart, use a PROGRAM, not your OS to surf the web. Get Firefox http://getfirefox.com.

Re:IE is not a Browser

[-kertrats-]

Not sure /. is the best place to be advertising Firefox. We get it.

Re:IE is not a Browser

[Jeff+DeMaagd]

That's an odd claim, really.

I've been using Firefox since it was called Phoenix, but I don't really buy that argument.

While Internet Explorer is overly integrated into the operating system, the fact that your computer can access the internet means that your OS is on the internet too. Just that doing so with IE is believed to be more dangerious.

Re:IE is not a Browser

Accessing the internet with IE is like sharing needles with people under a bridge somewhere.

At least with other browsers you can disable internet behaviour. IE runs with so many things open it's far from funny. Microsoft doesn't want to fix it, or it would be done.

Re:IE is not a Browser

[Tibor+the+Hun]

Go easy on him, he must be new around here.

Re:IE is not a Browser

[gvc]

Using Windows *is* putting your OS on the internet.

Although Windows has non-privileged user accounts, they are essentially useless. I tried to set up my mother and my daughter with these, and they were just a pain in the neck. So they, along with just about everybody else, run administrator-privilege accounts.

If I'm running as a non-privileged user, the most a javascript hack can do is mess up my account.

So for most Windows machines, any old application program (and Firefox is just any old application) is an open wound.

If Microsoft want to get serious about security, they'll have to change the run-as-administrator culture. To do this they'll have to:

(a) make it easy, and the default, to run
without privilege

(b) make it unpleasant to run with privilege

I won't bet on an attitude adjustment - from Microsoft or from Windows users - any time soon.

Re:IE is not a Browser

[fermion]

Which is a point I also try to make. IE is a simple application front end. It allows developers to create GUI based applications without getting into all the GUI specifics. The controls are limited, but when one needs a simple cross platfrom(meaning that if you write it on Windows XP, it will probably work on Windows ME), writing for IE is a good compromise. This is especially try for prototyping.

The problem comes when one is trying to develop a serious web application that one expects customers to use, or one has a very large and divergent employee base, that one wants constant communcition with, but won't always have a windows computer around. Then one needs to reconsidr the shortcut of IE and try to do some real web application design.

In any case, it is best to have a web browser and IE on all computers.

Re:IE is not a Browser

[Datamonstar]

Oh, you'd so get a funny if I'd the points.

Re:IE is not a Browser

[QuietLagoon]

While I agree 100% with your comment, there is another factor here as well, third-party software. For example, I maintain the PC for my cousin's family. They run Windows XP with individual [non-privileged] user accounts, and one password-protected admin account that is used only when I'm on the phone with them.

It has been working OK, except for some thrid-party software. One example, Kodak's EasyShare. Everytime a user logs into their account, EasyShare puts up a modal dialog box stating that some features may not be available unless the user account is raised to admin privilege.

This causes two problems: I get questions about the presence of the dialog box, and I get questions about the missing features.

While it is often correct to blame Microsoft, Kodak is the problem in this instance, not Microsoft.

Re:IE is not a Browser

[iso]

I'm no Microsoft fan/appologist by any stretch of the imagination, but FWIW Microsoft is finally addressing this in Longhorn. I saw a demo at WinHEC where they showed a non-privileged user in Longhorn get to an "administrator" section by being prompted for the admin password (like Mac OS X/KDE). The Microsoft guys expressed concern over this very issue, and suggested that Microsoft would like to see nearly 100% of home users run as non-admin in Longhorn.

Of course Longhorn's not going to happen until the end of 2006 at best.

Re:IE is not a Browser

[ThisIsFred]

Just playing devil's advocate here, but by now, everyone should know that IE isn't just a browser. It's foremost a user shell for Windows, and also a development framework. It just happens to be able to render HTML, XML, and has partial compatibility for CSS as well.

Re:IE is not a Browser

[willabr]

Isn't it the application developer who should create a program that will run securly in a non-privaliged account?. I've found that most older (any many new ones) require full and/or exculsive access to the files system as well as the windows registery in order install and/or operate correctly. This seems to indicate that many programs have not be designed with secuirty as a goal, but more as a single user non-network attached single use program. For MS perhaps the goal of backwards compatibility is the real culprit. just saying...

Re:IE is not a Browser

While it is often correct to blame Microsoft, Kodak is the problem in this instance, not Microsoft.

Kodak has this problem because running with admin privileges is, for all practical purposes, the default way to run Windows. In other words, Kodak would not put out software that requires more than typical privileges.

Re:IE is not a Browser

[Thomas+Juberg]

Not only is Longhorn not going to happen until the end of 2006 at best, it will take another few years for the people running older versions to bother forking out money to upgrade. People are still happily running Windows 98 out there today.

Re:IE is not a Browser

[jfengel]

While it is often correct to blame Microsoft, Kodak is the problem in this instance, not Microsoft.

Possibly the blame rests with Kodak (and certainly for not failing a bit more gracefully), but the question is, what features does EasyShare need that MS makes available only with admin privileges? Compartmentalizing is hard in Windows (and frankly I haven't seen it be much better in Unix-derived OSes, either), and all-or-nothing is easier on the user. Except, of course, for the security nightmare.

I can't imagine what features EasyShare really needs that Windows isn't providing. I suspect it's probably a device-driver installation issue for scanners, or something like that. If that's it, they're really blowing it by having a modal dialogue pop up every start for a rarely-used operation that should be done outside the application anyway. But that's just a guess.

Re:IE is not a Browser

Yes, and since so many Windows programs are written by non-Microsoft programmers, they'd also have to:

(c) Increase the competence of all Windows programmers by teaching them how to make programs behave without privilege.

(d) Find a way to keep programmers from switching to Unix once they become skilled enough.

Re:IE is not a Browser

It's time for Slashdot to add Stupid Analogy Detection(tm) to it's lameness filter.

Re:IE is not a Browser

[DogDude]

I would, but version 1.0.4 is so full of bugs, that it doesn't even launch on most of our business machines. In fact, I had to take several hours yesterday to remove Firefox from all of our machines, and re-enable IE. We'll try Firefox again in about 6 months, after they've got it working again. But this was a major blow to their credibility (at least in my eyes as a business owner). They released a product, quite simply, without testing it. Check out the Firefox message boards. They're *filled* with big nasty bugs. But as far as security goes, it's *great* now! There's no Internet access whatsoever, making it 100% secure!

Re:IE is not a Browser

[lawpoop]

Are you sure that MS didn't make it difficult or impossible to access some hardware features without ad administrative account?

Re:IE is not a Browser

Yes. I'm also sure Linus made it difficult or impossible to access some hardware features in Linux without a root account.

Re:IE is not a Browser

[kbrannen]

It has been working OK, except for some thrid-party software. One example, Kodak's EasyShare. Everytime a user logs into their account, EasyShare puts up a modal dialog box stating that some features may not be available unless the user account is raised to admin privilege.

This causes two problems: I get questions about the presence of the dialog box, and I get questions about the missing features.

Yeah, I've experienced that one. After several emails back and forth with Kodak, they finally told me it was OK to run as non-admin (how my wife & kids are set up). The only missing feature you get is the ability to upgrade.

But that's OK with me because them running as a standard user has saved me so much time not having to clean up after spyware/adware. When there is the rare update, it does tell you and it's easy to log in as the administrator and do the update manually.

Don't get me started on how stupid it is that PowerDVD requires admin privs to run. While I like its interface, it's been ripped of the disk. The MSI DVD player functions just fine as a standard user.

Re:IE is not a Browser

[whitehatlurker]

Accessing the internet with IE is like sharing needles with people under a bridge somewhere

Ah! So that's where all my users are ... I wondered. Oh well, back to reading their email and deleting their files.

BOfH ...

Re:IE is not a Browser

Huh? I'm posting this with FF1.0.4 right now; I've been using it for about a week with absolutely zero problems. What extensions are you using? I'm using click to flash, which automatically upgraded, with no problems.

Re:IE is not a Browser

Indeed. The only reason I'm not in Linux is because my POS wireless card doesn't work in Linux. It one of those Skyline cards--It *used* to run in Linux, but no more (I upgraded the firmware, which borked its Linux compatibility)

I also use Win98 to test how IE5 renders my web pages.

Re:IE is not a Browser

[Hackeron]

Its *not* the browser, its the OS: Some reasons why Linux will never me the malware target windows is:

• Permissions -- If you download an executable file from the Internet, you must manually specify it is an executable before you can run it. The "click on attachment" or on the file downloaded from MSN scenario is prevented.
• Mimetypes -- Extensions are used as guidelines, but the content of the file is scanned to ensure the right program opens it. If a file is unrecognised or script, it will prompt to open in a text viewer. You can also feel free to remove the extension off all your files and they will open up in the right programs regardless. Faking extensions doesnt work.
• Less Automation -- For example Office files have various code and macros that can run on start that were exploitable numerous times.
• No user interraction automation -- There is typically no code in filetypes to automate user interraction. Sure there it is optional support for it in expert tools like vim (i.e. code in file header to fetch/format data), but it is disabled by default.
• No Registry -- Files are looked for in path, so exploits like changing path in registry are impossible. System clutter is also avoided by using configuration files that are only scanned by the software that needs them, not whenever a variable is required.
• Dynamic Library System -- Easy library updates without causing serious side effects or forcing software vendor to provide their own version of the same library (sometimes overwriting system's version!)
• Multiuser -- Multiuser support was forced into Windows with limited testing. It was part of the original design for *NIX.
• Superuser -- On GNU/Linux, programs get installed by the superuser or get installed to the home directory. Since the concept of an actual superuser is invalid on single user designs, many applications on Windows still assume write access to program-files and are given it. The day to day user is also the superuser on XP Pro and XP Home systems unless part of a network.
• Mature Networking (TCP/IP) -- Added to *NIX over a decade before making its way to Windows, so far more mature and tested.

Only when Windows get their shit together with the above, then I'll consider trying it in vmware again ;)

Re:IE is not a Browser

[jZnat]

(b) make it unpleasant to run with privilege

Hey, at least they're 1 for 2.

Re:IE is not a Browser

[Hackeron]

How true :) -- if only I had mod points :(

Re:IE is not a Browser

[Surye]

Hahaha. I hadn't even noticed, that's rich. I wish I had mod points.

Re:IE is not a Browser

[skiman1979]

I have been running my XP system for a while now using a non-privileged account. Actually, I have removed the admin accounts from the welcome screen (via registry). This seems to be working well for me. If I run into an application that needs admin to work properly, there is always RunAs. Of course, the average user doesn't know about RunAs, but if the OS made that more apparent (akin to KDE's prompt for the root password for certain apps) then it may be better. Some people may not like the automatic-prompt-for-root(admin)-password dialog, but the user needs to be in the wheel group in order to su to root anyway. Seems the same can be done in Windows.

Re:IE is not a Browser

[ashayh]

If Microsoft want to get serious about security, they'll have to change the run-as-administrator culture.

This culture runs pretty deep. Stories about MS exployees often mention they run their computers as admins.

Re:IE is not a Browser

[drsmithy]

Using IE as a browser is like putting your OS on the internet. Be smart, use a PROGRAM, not your OS to surf the web.

IE is a user space application, just like Firefox. There's nothing IE can do that Firefox couldn't, if similarly exploited.

Re:IE is not a Browser

It's time for Slashdot to add Stupid Analogy Detection(tm) to it's lameness filter.

No kidding. Comparing using IE to sharing needles under a bridge is like buttering up the dog and seeing if anybody salutes.

Re:"Nothing for you to see here. Please move along

[Liquidrage]

Yes, it is.

The linked article with the flaws is about as useful as lipstick on a pig. So even when there's something to see there's still nothing to see. I think there's some Taoist wisdom in there somewhere.

SP2 and Win2k3?

[sriram_2001]

Weird - the advisory doesn't mention SP2 specifically.Also, it has 'to be determined' next to Windows 2003.

Re:SP2 and Win2k3?

[diegocgteleline.es]

Which points out how insecure is IE in windows 98/Me and why you should switch!

If Microsoft would care about windows 98 users, they'd have backported some of the XP SP2 features (say, the popup blocker) to windows 98.

Of course they haven't done that (they need to encourage people to switch to SP2 and sell more SP2 licenses). Firefox is the best option for windows 98 users (and they still make 20-30% of the internet population), IE has no place for a windows 98 internet users. In XP maybe, but definitively not in windows 98.

Re:SP2 and Win2k3?

[hawaiian717]

If Microsoft would care about windows 98 users, they'd have backported some of the XP SP2 features (say, the popup blocker) to windows 98.

They didn't even backport them to Windows 2000...

Poor choice of slogan

[rokzy]

who came up with the clever design idea of making eEye's slogan "Vulnerabilty Is Over" and then pasting it at the bottom of each vulnerability report as if it's a status message?

reminds me of the Simpsons scene where someone is reporting a crime via a radio and says "over" at the end of the transmission. then Wiggum says "thank god that's over". karma for the first person to find the quote, but I only have the real kind not the /. stuff.

Re:Poor choice of slogan

http://www.thesimpsonsquotes.com/characters/chief- wiggum-quotes.html

first google hit, down some on teh page

Marge: [on radio] Husband on murderous rampage. Send help. Over.
Chief Wiggum: Whew, thank God that's over. I was worried for a little bit.

Re:Poor choice of slogan

[dark-br]

Marge: [on radio] Husband on murderous rampage. Send help. Over.
Chief Wiggum: Whew, thank God that's over. I was worried for a little bit.

Ok, now where is mar karma? ;)

Other Winggum quotes here.

Re:Poor choice of slogan

Marge: [on radio] Husband on murderous rampage. Send help. Over.
Chief Wiggum: Whew, thank God that's over. I was worried for a little bit.

www.thesimpsonsquotes.com

Re:Poor choice of slogan

[subtropolis]

i thought that as well and sent them a msg about it. I was confused as well until i noticed that tm at the end.

Re:Poor choice of slogan

[toby]

karma for the first person to find the quote, but I only have the real kind not the /. stuff.

I can tell ya, the real kind is easier to get.

quick question,

will these features be ported to Longhorn?

-SJ53

The Known Flaws.

[rtb61]

I have often also wondered about all those flaws that have been discovered and not declared, just quitely made use of. At least with open source the oppurtunity for discovery as well as a rapid fix has become obvious.

Re:The Known Flaws.

[m50d]

You assume that any audit will find 20% of the flaws that exist. So if there's only one security firm audit, that will get 20% leaving 80%, and you can expect a black hat to find 20% of those, so about 16% of the total flaws when it started. But each new audit chips away at the black hat's library, and as soon as they use their exploit and get discovered (which will happen, generally you assume a 0-day is a one-shot weapon) it's useless. I've heard tales of people who held onto a wonderful flaw for 3 years waiting for a target they needed it on, only to have it found by a researcher.

Re:The Known Flaws.

[blue_adept]

And "do you really want to have your security issues discussed by the Linux developer community on a public bulletin board," queries Alistair Baker of Microsoft UK.

That's from the MS Under Attack article a couple days ago. Ironic, no?

A large window?

[ninja_assault_kitten]

You need to realize that there's a difference betwen public and private disclosure.

I happen to know for certain that Mozilla was aware of the vulnerabilities to which you speak at least 10 days before they were publicly disclosed.

Take your head out of the sand and realize that there's more going on around you than meets the eye.

Re:A large window?

oooh 10 days before it was known to the public

well these IE flaws are known and ms probably knew about them for 3 years already and we still have to wait another month for a fix

Re:A large window?

And in 10 days time this will be fixed by M$?

Re:A large window?

[datadriven]

If you follow the link for upcoming advisories on the page you'll see that Microsoft has known about these 3 vulnerabilities for 60, 47, & 10 days.

Re:A large window?

[ninja_assault_kitten]

My completely missed the point due to your blind hatred towards M$. Sad.

Re:A large window?

OK then, but it's still going to be a bloody month before these get patched, which will still be a very crappy response time compared to that of Mozilla.

And what the FUCK is http://www.childsupermodels.com/ on your homepage? I haven't clicked on it for obvious reasons.

Re:A large window?

[ninja_assault_kitten]

You people are completely missing the point. I'm not advocating MS, I'm merely saying public disclosure doesn't mean it's 0day. There's a lot of communication going on behind the scenes the general public is completely unaware of.

At any given time there are 5-10 0day remote Linux/MS/misc vuls floating around private vul sharing groups before they're disclosed publicly. There's a lot of money to be made in this...

Re:A large window?

[ninja_assault_kitten]

Mozilla is Mini Cooper, MS is an AirBus A380.

Re:A large window?

What the fuck is that supposed to mean? Looking through your posting history you're obviously a pro-Microsoft troll/shill so I won't bother.

You never answered my second question either.

Re:A large window?

[ninja_assault_kitten]

Actually, I'm anything but pro-Microsoft. I'm just someone who's tired of all the anti-MS zealocy on Slashdot. People who run Linux and Firefox because it's the trendy thing to do but really have no idea why other than what they've heard from a friend.

I'm a Mac user and as much as I love Apple, I realize that they're making some terribly embarassing security related mistakes lately.

MS on the other hand has made an enormous move towards security mindedness. People who can't see that must be blind.

As for the URL, I just find it funny to see people like you react to it.

Re:A large window?

Actually, I'm anything but pro-Microsoft. I'm just someone who's tired of all the anti-MS zealocy on Slashdot. People who run Linux and Firefox because it's the trendy thing to do but really have no idea why other than what they've heard from a friend.

I'm a Mac user and as much as I love Apple, I realize that they're making some terribly embarassing security related mistakes lately.

MS on the other hand has made an enormous move towards security mindedness. People who can't see that must be blind.

OK, that's fair enough. However MS's security is still far from perfect, IMHO. No matter what company/organisation has a security flaw, it's always a good idea to give them an awful lot of shit for it. It encourages them and others not to make similar mistakes.

As for the URL, I just find it funny to see people like you react to it.

You win.

Re:A large window?

[ninja_assault_kitten]

Agreed.

Re:A large window?

Dude you just confirmed your a microsoft shill right there .
The classic troll formation

I am honestly and X but i admire Y recently
I could cite a hell of a lot of others which fit that mold.
Come join us on TrollTalk You will fit in well

Re:A large window?

[ninja_assault_kitten]

I'm not sure what TrollTalk is.

Re:A large window?

Why not use your 1337 researching skills to find out?

Re:A large window?

[FidelCatsro]

That is called resonible disclosure.
Most developers have a policy one way or the other on it.
I tend to prefer to give them some time to attempt a patch before disclosures, and 10 days is rather fair.
It beats the alternatives of either instant disclosure and allowing the black hats
a good head start on exploits ,or waiting too long before disclosure which will have the same effect as its bound to leak one way or the other but admins wont know about it till its much too late .

Re:A large window?

[ninja_assault_kitten]

:) I'm not very good at this Internet thing...

Re:A large window?

[bunratty]

I see you found the softcore child porn easily enough. :(

Re:A large window?

[ninja_assault_kitten]

I saw it on Fox news. :(

Re:A large window?

[bairy]

no no, you missed the parent's point. So Mozilla knew about the bugs 10 days before telling everyone and it took another few days to fix. That's what? 15 days? MS know about bugs for months and months before even trying to patch them. Mozilla may not be perfect but at least they get things done and quick.

Re:A large window?

[bairy]

It's not child porn. It's certainly not appropriate but there's no porn there. Your point is valid though.

Re:A large window?

?? Trendy thing to do? Do you have any life outside /.? No one else is doing it (at least not at my school, unless they don't talk about it) and, if anything, people look at you like you're crazy if you run linux. Ask them why and they can't give you a good answer - just things like "it's a stupid penguin" or "there's no games" (to which i might say "it's better than a stupid paperclip" and "we've got DOOM 3 [which, by the way, never worked for me on XP - it always just told me to insert the CD].)

I love linux, and it's great and it works better than Windows (at least, in my personal experience...). I don't like it because it's "trendy", I like it because it works.

And Microsoft making an "enormous move towards security mindedness"? They've been pushing that BS for years now! They have changed, and it's made a difference, but not much. MS doesn't really care about security, only about keeping their users on MS products. Yes, that involves making things more secure, but that's not their goal. But it should be. Don't give me that "it's because there's more MS users" BS users either - hackers would make tons more money off of stealing bank account numbers from Google (who uses linux) than from Uncle Jake's account at the credit union that he tracks in QuickBooks.

Re:A large window?

> I happen to know for certain that Mozilla was aware of the vulnerabilities to which you speak at least 10 days before they were publicly disclosed ..

Except for the dude that knew that Mozilla knew about the vulns. And of course yourself who knew that some dude knew about ... etc .. etc ..

Re:A large window?

Well, thanks for sharing it with all of us paedophiles. We love people like you. You're our friend. :)

Re:A large window?

[Exatron]

No, Microsoft has only claimed it has made an enormous move towards security mindedness. Nothing about the company's behavior has indicated that it's actually doing anything significant to improve security.

Re:A large window?

[ninja_assault_kitten]

Please... you're in not position to be preach about what does and doesn't motivate a hacker. When I say 'hacker', I'm referring to someone who does actual research, not some full-disclosure, k-otik exploit fag. Go sit in the corner and come to terms with the fact that the reason you got so upset with my posting is that you're exactly the type of person I was talking about.

Re:A large window?

[ninja_assault_kitten]

Uhm.. look at the default install of XP SP2... look at MS anti-spyware, look at the upcoming IE7, look at Longhorns roll-based security.. look at their vulnerability notification services, montly security disclosure, buffer overflow protection (weak as it is)...

Re:A large window?

[ninja_assault_kitten]

Oh, and one more thing regarding the "more MS users" argument. Do you realize that the going rate on a remote vul in Windows XP SP2+/2003 is around $50,000 while the going rate for a Redhat EL remote vul is $8,000. Hell, I can get between $15,000 and $30,000 for a nice Windows 2000/XP
Don't forget, these days security is a business. Professional security researchers focus their attention where they can make the most money.

I think you can do the math, right hacker?

Re:A large window?

You're absolutely right. You COULD make more money off of WinXP's vulnerabilities - but off of patching them, not off of exploiting them. I'm sure the guys at Symantec and McAfee are filthy rich - but I wasn't talking about them. I'm talking about people trying to make money off of actually hacking PC's.

I guarantee that the majority of Windows PCs aren't worth $50,000 to hack. I'm not saying that the majority of Linux boxes are, either, but the majority of PCs worth that much to hack (from a monetary point of view) are Linux/UNIX boxes. Unless you're trying to hack MS's servers.

Re:A large window?

When I say 'hacker', I'm referring to someone who does actual research

So am I.

Do you know what a hacker is? From its true definition, it's not necessarily someone who sits there and destroys all your files. It's simply someone with an immense interest in computers. Under that definition, yes, I am a hacker. Probably 80% of everyone on /. is a hacker.

A hacker generally doesn't break into people's computers and doesn't destroy or steal data without reason - that's what a script kiddie does. Yes, I probably could hack my neighbors' PCs, if I really wanted to. But why?

I don't know what brings you to this subject in the first place - I really wasn't talking about hackers so much as about what you called MS's "security-mindedness". The fact remains that there are plenty of holes MS's products that go unpatched simply because MS doesn't see them as a threat. Then they aren't fixed until someone exploits them, and, often times, multiple versions are affected. I remember one security hole spanning like IE 4.5-6.0 or something.

Re:A large window?

Uhm.. look at the default install of XP SP2... look at MS anti-spyware, look at the upcoming IE7, look at Longhorns roll-based security.. look at their vulnerability notification services, montly security disclosure, buffer overflow protection (weak as it is)...

YOU look at these things. MS is trying to give that appearance, but the truth is that they're NOT making a huge move toward security-mindedness. Rather, WE, the users, have made a move toward security-mindedness, and many of us are considering switching to MS alternatives for the sake of security. In order to satisfy its users and keep them from switching to alternatives, MS gives this appearance. MS didn't make their own anti-spyware - they just bought out a security company who already had an anti-spyware product and had them do the dirty work for them. I'm sure that's what they'll do later on, too - "Here's the IE code. Lemme know first thing tomorrow if you see any security flaws."

Also, many of these things could be used to block out competitors. SP2 already tries to prevent you from using "non-MS-approved" drivers - what's to stop them from preventing you from using "non-MS-approved" software? Future versions of Windows will be able to stop you from installing spyware, even if you were installing a product that you knew had spyware - why won't they be able to stop you from installing Borland C++ or StarOffice? All they'd have to do is remove the "Install Anyway" button.

Re:A large window?

[ninja_assault_kitten]

I'm not talking about patching or hacking a particular individual. I'm speaking about discovering a vulnerability. There's a lot of money in it, and thus researchers focus their attention on where the money is.

Re:A large window?

[ninja_assault_kitten]

They are after all a business. They're not out to make friends, they're out to make money and if making more money means more of a focus on security, I think that's a good thing.

Yes their new focus, it's based on user demand and a tarnished reputation, but that doesn't change the fact that in the MS dev camp, security has more involvement in the lifecycle than it did.

Re:A large window?

How so? If I were to find a vulnerability in Windows XP, who would pay me? The money I'd get would most likely be from me releasing a tool to fix the vulnerabilities or from companies like McAfee or Symantec who make their product able to fix the vulnerability. These people aren't necessarily going to make a dime for finding the vulnerability. Where they make the money is in showing companies how to fix it - or at least giving them some direction with what is going wrong. In other words, they make the money from the people who use this info to fix the problem - in which case, why not just cut out the middleman and make the patch yourself?

Also, let's take a look at these two final statements of yours and the original topic of our discussion - security. You say that there's a lot of money in discovering vulnerabilities and, furthermore, that a Windows vulnerability is, on average, worth more than a Linux vulnerability. Why is that? Well, let's look at Windows viruses for the past, say, 6 years (this is just off the top of my head). Let's see - we had Code Red, ILoveYou, SoBig, Bugle (or was it Beagle?), Netsky. There. All of these costed both users and businesses LOTS of money - and at least one of these, as far as viruses go, wasn't very complex, it simply used social engineering to get the user to click on the link to run a vbScript (ILoveYou). I remember the FBI getting involved, along with 20 or so different nations, to get rid of the Code Red virus. I remember people being so confused by it because it only existed in the computer's memory but, since infections were so widespread, rebooting only made you virus-free for a few minutes. I remember that for the longest time, the ENTIRE INTERNET slowed down due to Code Red. Now tell me THAT wasn't costly - whether you got infected or not, you still were affected by the virus.

I remember reading that SoBig was stealing people's files and sending them out through the Web and how people were afraid that all their personal documents, financial info, etc. would be read by someone else on the Web. But I also remember advocating Linux to people months before because it was more secure. And I remember reading about all this without a worry, and only feeling the affects of ANY of these viruses through Code Red's rampant use of the Web, which slowed the Internet way down. And I also just BARELY remember a virus called "Cheese" but not being worried about it because it didn't affect my system and was only a minor threat.

You're absolutely right - the Windows flaws make more money than the Linux flaws. However, it appears to me that this is because the Windows flaws are much more severe and have a larger impact - this was the very thing that I was talking about earlier. MS SAYS that they're pushing for more "security-mindedness", but they're not doing it enough. MS has plenty of money - IMO they should be spending it on perfecting what they have, not on making new products. Yeah, the XBox and XBox 360 might be pretty sweet, but Windows still has too many flaws to be just left alone - it needs to be fixed, whether that means hiring more programmers or whatever.

Deja-vu

That's simply called a "deja-vu", you see, that's what happens when either: the matrix has been modified, or you've been in front of the computer tooo long, or you're dealing with a bug advisory of a ordered group of flaws, bugs and exploits conventionally named "Internet Explorer".

Re:Deja-vu

[Artifakt]

But there's no black cats around. Don't you have to have black cats before its a deja-vu?
And how can you be in front of a computer too long?

Simple solution: restricted user for browsing

[adam1101]

The solution to all these browser exploits (IE, Firefox, Safari) is simple: create a restricted user to run the browser only. This can easily be done in Windows XP/2K, Linux and OS X. Restricted users cannot affect other users or system files. As long as you don't keep important data in this account, you can just periodically erase this user and create a new one.

Re:Simple solution: restricted user for browsing

[Phil+John]

Until your OS has a privilege escalation vulnerability and suddenly a buffer overflow allows execution of arbitrary code.

Re:Simple solution: restricted user for browsing

[adam1101]

Indeed, stopping one class of exploits does not magically solve all other security problems.

Re:Simple solution: restricted user for browsing

[mcc]

For some reason reading this suggestion the phrase comes to mind "the terrorists have already won".

Re:Simple solution: restricted user for browsing

[ThisIsFred]

It doesn't need one. If you're running Linux and have gcc installed, and some remote site gets arbitrary code to run under the browser's account, it'll be able to download a script/binary that compiles a program which allows privilege elevation. If you're running Windows, the executed code can just download a precompiled rootkit from the attacking machine.

All desktop and server Linux distros should have ACL support by default, which would make it easier to limit access in special cases like this. That is, limited access without making it a major pain in the butt to create normal, restricted-access user accounts. I don't see why we should wait until it becomes a problem before protecting against it.

Re:Simple solution: restricted user for browsing

[say]

. If you're running Linux and have gcc installed, and some remote site gets arbitrary code to run under the browser's account, it'll be able to download a script/binary that compiles a program which allows privilege elevation.

What? In what way does that program work, and how on earth is it used? Are you sitting there - on your own - knowing about severe security flaws in Linux?

Re:Simple solution: restricted user for browsing

What? In what way does that program work, and how on earth is it used? Are you sitting there - on your own - knowing about severe security flaws in Linux?

I think he's talking theoretically. IF your browser has a vulnerability that lets websites upload this program to your computer without your knowledge, AND your browser could automatically launch this program (or you're dumb enough to run it yourself), AND you had a program vulnerable to this attack, it COULD happen. (Somehow I think he might be thinking of the days when MS had IE for UNIX.)

Re:Simple solution: restricted user for browsing

[ThisIsFred]

What? In what way does that program work, and how on earth is it used? Are you sitting there - on your own - knowing about severe security flaws in Linux?

No one ever said that Linux was bullet proof. And there's no need to discover them on my own, I can just read about them on the Internet. Better than Windows, but not foolproof.

Re:Simple solution: restricted user for browsing

[say]

I did not imply that Linux was bullet proof. I'm just astonished that you can get privilege escalation through just a userland application run by an unprivileged user! Almost all privilege escalation loopholes I've seen come from exploiting holes in processes running as some kind of privileged user.

Re:Simple solution: restricted user for browsing

[ThisIsFred]

I did not imply that Linux was bullet proof. I'm just astonished that you can get privilege escalation through just a userland application run by an unprivileged user!

Well, if there is a system call or userland application that has a vulnerability that can result in privilege elevation, and you can compile a program to exploit it, or exploit a userland program, well there it is then.

It's surprising yes, and more commonplace than you'd think!

Old news

C'mon, this is old news.

http://www.google.com/search?client=safari&rls=en& q=new+ie+security+flaw&ie=UTF-8&oe=UTF-8

Oh, you mean its another one!

Vulnerabilities

[Mark_MF-WN]

Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser. Lots of people access their email through a browser, and that tendency seems to be increasing. This makes browser security absolutely paramount. It is the biggest gateway into the system.

Re:Vulnerabilities

[sl70]

Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser.

Damn this is true! I went to my insurance agent the other day, and he uses IE to access all my account information that is stored on the headquarters's server. Made me want to reconsider my choice of insurance companies.

Re:Vulnerabilities

[Canberra+Bob]

Very scary!

Imagine all the malicious code the headquarters have hidden in their web app so they can steal your information from the web page the agent accesses, hosted on their servers.

Even scarier if the agent is using an intranet application and has no web access through the firewall! Just imagine all the sneaky things that could have installed themselves on his browser.

Re:Vulnerabilities

[Acid-Duck]

Kudos for my bank (ScotiaBank)

Re:Vulnerabilities

[Ben174]

I don't get it. Was that sarcasm? Or do I need to reread the post.

Re:Vulnerabilities

[HD+Webdev]

Damn this is true! I went to my insurance agent the other day, and he uses IE to access all my account information that is stored on the headquarters's server. Made me want to reconsider my choice of insurance companies.

See if you can 'chat up' a secretary at a doctor's office. Turn the conversation to computers and try to get a look at the computer screen.

More often than not, you'll see IE running and an anti-virus running yet not a good firewall in sight much less a spyware detection program.

It's very unsettling to know that the person entering your personal data and scheduling information is an easy target for exploitation.

Re:Vulnerabilities

[pfleming]

Unfortunately the agent doesn't have much choice in the matter. Most large brokers develop only for IE to point of "bullying" their agents into using IE. The real problem comes when you leave the brokerage web site. These are not all intranet apps, expecially if your agent is an independent one and most agents have access to the rest of the scary web. Smarter(more paranoid) agents will use IE only on the required sites and close that gaping hole when moving to the rest of the web, but don't think that agents don't access other web sites.

Lets take them down hard..

[E+IS+mC(Square)]

BG: What, Firefox has a critical flaw? They are hogging all media attention for that? Fuck that. Hey tech team, how many more IE vulnerabilities have not been reported yet?

Tech team: 349 that we know of, SIR!

BG: Good. All critical?

Tech team: ALL CRITICAL, SIR! YES SIR!

BG: Good. Hey PR team, take the first 10 of them, contact some security firm and 'leak' them.

PR: YES SIR!

BG: Now we will see what firefox is going to do about this.

(Evil laugh all around)

Re:Lets take them down hard..

SIR, YES SIR!

Re:Funny how the emphasize

[vegaspctech]

...in an attempt to take the spotlight off all of the Firefox exploits lately.

ALL of the Firefox exploits lately? In the last two years there have been 17 reported Firefox vulnerabilities and 81 reported Internet Explorer vulnerabilities. The browser with the most recent, critical vulnerability is Internet Explorer. Do tell, where does the spotlight belong?

The remote exploit

[Haiku+4+U]

is why I use OS X.
My time is worth it.

With so many bugs,
perhaps /. should have a
IE bug marquee.

Re:The remote exploit

[Rosco+P.+Coltrane]

The remote exploit is why I use OS X.
My time is worth it.

Are you a lawyer?

Re:The remote exploit

[willabr]

Another week, another Firefox vulnerability (#1), another Internet Explorer vulnerability (#2), and another iTunes vulnerability (#3).

Re:Funny how the emphasize

[pl1ght]

"LATELY" not FOREVER. The rise of Firefoxs popularity has seen the increase of exploits and vulns. Read, dont translate.

Not just one!

[vmp17]

Although eEyes' reports look a bit confusing (look at the "Vulerability is over" image at the bottom), I think according to this page http://www.eeye.com/html/research/upcoming/index.h tml there are 3 security vulnerabilities affecting IE and Outlook that allow remote code execution.
The oldest one is 60 days old now and still not fixed.

You so 1337

Oh no, don't tell them the secret of the 0day!!!
Shit, now they all want teh warez!!!

You aren't part of any greater insight into vulnerabilities than anybody else who wants to be.

You are a poor troll and that is all.

Re:You so 1337

[ninja_assault_kitten]

Then why are you so upset? :)

Re:You so 1337

I was faking alarm. :-o

re sig

[dylan_-]

see journal.

Re:re sig

[jrockway]

> see journal

You don't have a journal.

Re:re sig

[dylan_-]

I was referring to *his* journal, regarding his old sig. Doesn't matter now...

Re:Funny how the emphasize

[penguin_asylum]

Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found... (and only about 5 times as many are)

Block IE from connecting to the outside world

[tepples]

I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.

It's called denying iexplore.exe and other apps known to embed the IE OCX the right to connect to the public Internet on port 80, using a software firewall on each machine or a proxy server that only Firefox knows about.

Re:Block IE from connecting to the outside world

That significantly reduces your exposure from the outside world, but how about the internal network? In large corporations, you may get someone who'll put the exploit code on the network or local machine and then execute from there. Bang, local root exploit.

Re:Block IE from connecting to the outside world

[ikkyikkyikkypikang]

It's called denying iexplore.exe and other apps known to embed the IE OCX the right to connect to the public Internet on port 80, using a software firewall on each machine or a proxy server that only Firefox knows about.

wow, that's a long name.

bleh, marketers...

Re:"Nothing for you to see here. Please move along

[G-Licious!]

Or maybe they are reporting it properly to Microsoft before publishing all the details.

Re:Funny how the emphasize

You mean like Apache is 3x the share of IIS and has 3x the vulnerabilities...

Oh wait, no it doesn't.

Is MSIE addictive?

[Mother+Sha+Boo+Boo]

Almost every week I receive an email or an IM of a friend complaining their pc's are full of spywares, porn and gambling pop-ups, search bars, or: "I can't reach Google! Oh my God, it just opens porn!". I always say: "Try another browser, Firefox is pretty friendly". A friend of mine switched back to IE just because Firefox sorted her imported IE bookmarks alphabetically, instead of keeping the old order. Come on, it can't be only this.... MSIE must be addictive somehow...

Re:Is MSIE addictive?

No, just familiar.

Re:Is MSIE addictive?

[Bazzalisk]

Familiarity is an issue, I always open firefox when on the computer of one of my friends who primarily uses Opera. One of his housmates always opens IE ;-/

Re:Is MSIE addictive?

Subliminals!!

Re:Is MSIE addictive?

[squatex]

You think thats bad:
I work with a Windows admin that has constant problems with spyware on his computer..mainly because he likes to surf porn at work (dont ask...my company is retarted). This guy knows a bit about computers. He knows all about Firefox. He refuses to use it becuase its not an MS product. Hes like some kind of twisted MS fanboy or something.

Re:Is MSIE addictive?

Just an observation, whenever you call someone or something retarded, at the bare minimum I would suggest that you spell retarded correctly. It's sort of like calling someone stupit if you know what I mean.

Re:Is MSIE addictive?

Shocking revelation: MS has its own squad of zealots. Usually they're the ones blasing non-MS oriented views as zealotry while swearing the MS fanbois are cool, calm, and reasonable people.

Re:Is MSIE addictive?

[therodent]

Could being a fanboy be addictive as well? Signs point to yes!

Re:Is MSIE addictive?

>I work with a Windows admin that has constant >problems with spyware on his computer..mainly >because he likes to surf porn at work

Put in a transparent web proxy server and get it to block the porn site.

Re:Is MSIE addictive?

Almost every week I receive an email or an IM of a friend complaining their pc's are full of spywares, porn and gambling pop-ups, search bars, or: "I can't reach Google! Oh my God, it just opens porn!". I always say: "Try another browser, Firefox is pretty friendly".

That's a pretty irresponsible thing to do. If they've got malware on their computer that's popping up adverts, it's more than likely that they've got more malicious software on there as well. Not just the likes of botnets, spam zombies and other nuisances, but also key loggers and other things that are directly harmful to your friend.

Installing Firefox might hide the most obvious symptoms, but it doesn't address the root of the problem.

Deja Vu?

[Primal_theory]

Couldv'e sworn i'ev seen this before...

It went away after i got firefox http//getfirefox.com

Re:Funny how the emphasize

[vegaspctech]

"LATELY" not FOREVER. The rise of Firefoxs popularity has seen the increase of exploits and vulns. Read, dont translate.

You'd do well to take your own advice. The author wrote of taking the spotlight off all the Firefox exploits lately, implying there have been more for Firefox than Internet Explorer. For what period has that been true?

Re:"Nothing for you to see here. Please move along

[Liquidrage]

Which is fine for them and MS, but that still leaves us with nothing to discuss in regards to the flaws so there was no point in posting the story.

No, NO.

[game+kid]

It should have a Javascript DOM-based moving or something. Marquees are, like, so IE3.

Better yet, be thoughtful of screen-reader users, and make it a static list that has scrolling abilities.

Re:"Nothing for you to see here. Please move along

[G-Licious!]

Sure there was, it's still news.

OMG THE SKY IS FALLING

another IE flaw!!!! OMFGLMAO*()#&KJ LDFMSNCVKJ LH) (@#*$) !@()_U*D()F&*(DSFYI UHJ@#*(&$#@

You can't compare like that

[MarkByers]

According to Secunia, Firefox has 17 advisories. But this does not equal 17 security errors, since many of them are 'multiple vulnerabities'. Similarly for IE.

You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.

In Secunia's own words:

Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important.

Re:You can't compare like that

[marcosdumay]

"In Secunia's own words: Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important."

So, it makes each one of the 81 IE vunerabilities worst than each one of the 17 FF ones. I.e. You can't compare because you'll be too easy on M$...

Re:You can't compare like that

[MarkByers]

I disagree.

To do a proper comparison, you should rate each individual vulnerability, based on: how critical its is, if there was an exploit released, how long it took to patch, etc.

Just saying 81 > 17 is not an accurate comparison at all. How do you know that the 81 vulnerabilities in IE weren't all very minor things? Have you checked? Adding in a fudge factor doesn't make up for not knowing the facts.

Also IE has been around for a lot longer so of course there has been more time to find more exploits.

On the other hand, having a lot of vulnerabilities discovered and patched is a good thing. If a large team of enthusiastic hackers sat down and combed the Firefox source code maybe they could find and fix 100 bugs. Would you suddenly turn around and say that now IE is more secure because Firefox have patched more bugs than IE? Of course not. But your x > y rule would suggest that.

I have nothing against comparing security of different browsers, but there are better ways to do it than just comparing the number of advisories released by one company.

I happen to remember that amongst the 81 vulnerabilities there are quite a few extremely critical vulnerabilities and some of these went unpatched for months, and there is still one that is unpatched. That, in my opinion, makes Firefox more secure than IE.

Re:You can't compare like that

[sqlrob]

Also IE has been around for a lot longer so of course there has been more time to find more exploits.

Which is countered by the fact that firefox has more transperency. You can throw automated source code validators against the firefox source, not true with IE.

Re:"Nothing for you to see here. Please move along

[SpaceLifeForm]

BS. It's certainly not a surprise, but it should be a constant reminder to everyone that Windows is not secure if the user runs IE and/or Outlook. And that reminder is what is needed in light of the recent Firefox bugs that the media flouted.

But to say there is nothing to discuss in quite disengenous. What needs to be discussed is why these holes continue to exist in MS products.

Re:Funny how they emphasize

[ArielMT]

No, it hasn't. The rate of flaw discoveries in Mozilla's applications (Firefox included) has remained statistically level since before Firefox was called "Phoenix." Quite obviously, the Mozilla Foundation's marketshare has not remained steady since then, as you argue.

Security through obscurity doesn't work. It is a fundamentally flawed concept, which I would've thought Slashdotters realized. To suggest that an open-source project like Firefox doesn't know that is simply absurd.

The rapid response of the Mozilla Foundation, even if the ten-day hush-hush rumor is true, far outpaces Microsoft's publically announced thirty day delay after this vulnerability's announcement. And that's not counting the delay between the IE flaw's discovery and announcement.

Re:"Nothing for you to see here. Please move along

[Liquidrage]

What holes? Can you explain to me just how serious these holes are? Can you explain to me what they do? Can you explain to me if threat of these being exploited is real?

I eagerly await you reponse. Because that is the information I would like to have and feel the need to have in order to discuss them. Without that information we're left to make assumptions.

Please tell me you don't write code.

[khasim]

Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found... (and only about 5 times as many are)

No .... that's only "logical" if there is no such thing as "security", just "marketshare".

By your logic, a program written by a first year student who didn't pay any attention to any security would have as many flaws discovered as a program written by an expert who tested for vulnerabilities ....

As long as both of them had the same number of users.

In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.

Re:Please tell me you don't write code.

[ssj_195]

In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.

I call it the Heisenberg Insecurity Principle.

Re:Please tell me you don't write code.

[penguin_asylum]

The presumption is that any large project is going to have bugs/security flaws in it, and the question is how quickly they get found and exploited.

IE7

[Saeed+al-Sahaf]

I personally have no question that they regret that decision, and we'll see what happens with IE7 this summer.

I suspect you are right about this, Microsoft is certainly tired of IE issues flogging them. This is why I suspect that IE7 will give Firefox a run for it's money of even possibly kill it. MS knows all eyes will be on IE7, and has probibly done a lot of work from the ground up on it with security spacifically in mind. I think all the FF fanboys my be dissapointed when IE7 comes out.

On the other hand, we are talking about Microsoft, so who knows...

Re:IE7

[LazyEmc2]

IMO I believe that the biggest reward for using FF is not the features or the small build, it is the support issue. Mozilla patched FF in less than a week when the latest flaws were annouced. No matter how small, sleek, and sophisticated IE7 is you cannot tell me that Microsoft is going to patch flaws that quickly.

Re:IE7

[NubKnacker]

If that does happen then FF would have served its purpose. But since it's highly unlikely....

I think the major reason why FF won't die is because they seem to be always a step ahead of MS when it comes to 'testing'. As someone stated above, it seems that FF team knew about the vulnerabilities before they were made public. When was the last time MS knew of a critical flaw before a security company showed it to them?

And as stated above, another reason is the speed with which FF comes out with updates. You don't have to scream your heart out for them to come out with an update which has been true of some earlier MS updates. There will always be flaws. Software has evolved so much since PC's first came out but there are still enough flaws to go around. There's no reason to believe that there is any single piece of software or that there will be one which won't have ANY flaws.

Re:IE7

Yes, all the Linux, UNIX, OS/2, Solaris, etc. etc. users are going to dump Firefox and switch their systems to Windows so they can use IE7 and then Firefox will die.

Re:IE7

...has probibly done a lot of work from the ground up on it with security spacifically in mind.

Yeah, I agree that'll surely work. After all MS is the company who successfully pulled off a complete rework with security in mind with IE6, Windows XP and a lot of other programs. No more security issues there! Oh wait... Never mind.

Re:IE7

Patches tend to break things and introduce more holes if they're not subjected to good QA first.

Re:IE7

Care to cite a (non-microsoft) example (where bugs are features)?

Firefox has never ever borked anything between an update for me. I don't see how basically a patch against what is most often just a few lines of code can open more holes, either. That's just dumb.

Re:IE7

Theo Raadt couldn't see it either, until Team Teso released an exploit for a remote root hole in OpenBSD caused by an untested single-line patch.

Re:IE7

[Master+of+Transhuman]

FireFox is NOT going to be killed by IE7.

First of all, it's probably still going to be faster because MS is incapable of writing anything but bloated featuritis-devastated code.

Second, FireFox will still be more standards-based as MS as already said they don't want to support the latest CSS version.

Third, FireFox is still OSS and that will matter to everybody to whom it DOES matter.

My projection is that the idiots who use MS will continue to do so, and those who don't trust MS will continue to download FF - though perhaps not at the same rate.

By end of 2005, I still suspect FF will have been downloaded at least 100 million times and have 8-15% of the browser market - which is remarkable when you consider that Netscape, Opera and the rest only achieved 3% of the market over the last five years.

Re:IE7

[junkcode]

Well, I always found FF startup to be very slow. Also, I have heard of an issue of memory-problem ( open multiple-tabs/close 'em - memory is not freed) that hasn't been really taken care of. For a system with moderate amount of RAM, FF definitely looks like a 'bloated' application.

IE defintely starts faster, Opera [for me] being the fastest. But what i hate about Opera is how it renders the page, IE and FF scores well in that area.

Re:IE7

[The+Snowman]

I don't see how basically a patch against what is most often just a few lines of code can open more holes, either. That's just dumb.

I see you have never worked on an enterprise-class application, otherwise you would know that just changing the boolean algebra inside an if() statement can have catastrophic consequences. Usually what happens is there is a bug. To fix this bug, the developer must modify this conditional (i.e. a transaction is not always processing because the if() skips it under weird circumstances). However, there is some obscure requirement that, despite being well-documented, is difficult to understand. That if() statement has conflicting requirements, and the logic needs to be expanded to accomodate both situations. However, desparate for a quick, one line fix, the developer changes a single line (or character, e.g. "!" not logic). This breaks a bunch of other stuff.

Some applications are like a house of cards -- precariously perched, even one small error can bring the whole structure down. Good configuration and requirements management can mitigate this risk, but the possibility of error is always there.

Re:IE7

[Aadain2001]

Just FYI: IE only starts faster because MS preloads it into memory at startup. To compare FF to IE on (more)equal footing, start FF and then try to open a new window. This is closer to how IE works on Windows.

Re:IE7

sorry, but proof by assertion doesn't hold water around here. you gotta do better than that.

Re:IE7

[Trepalium]

You really ought to hope that IE7 DOESN'T kill Firefox. Anything, regardless of if you personally use it or not, that keeps Microsoft on it's toes, is good for the customer. It's forcing Microsoft to be competitive, and that's means a better product for everyone.

Re:IE7

[strider44]

most browser exploits are buffer overflows - giving wierd input. To combat that you have to add code (input checking), not change code.

Besides OSS like Firefox definitely has QA built into it.

Re:IE7

That's because the bulk of the IE code is scattered across a couple of pinned .dlls, doofus, the .exe file is just glue around a load of COM objects that are kept hanging around so that IE (and e.g. the windows help system) can work faster. KDE can do a similar thing with Konqueror, BTW.

Re:IE7

Some software may rely on bugs such as buffer overruns to work. Two big examples are Bleem which relied on using a dirty trick to access and modify the LDT base address in order to bypass the kernel's memory managment and create/modify threads directly and Ultima 7 which used a CPU bug to access 32 bit flat memory while remaining completely in real mode.

Re:IE7

[iserlohn]

dlls? Ever wondered how osa.exe improved startup times for office, it loaded all the dlls in memory?

Re:IE7

[SQLz]

You don't have to run the application to pre-load parts it it into memory. In fact, does't the whole windows shell share a lot of components with IE?

MS does the same thing with office to make it start faster.

Re:IE7

[Kristoffer+Lunden]

Of course they won't. Still, that user base is so small that Firefox could go back to being insignificant. The reason FF is so big now is because so many Windows users has (finally) switched. As long as Windows is dominant, the choices those users make is what matters.

I personally think many will stay no matter how good IE7 is, but that remains to be seen; they have switched at least once already to get a better browser. If IE7 is truly better (in their opinion), why wouldn't they switch again? And don't give me any answers about Freedom and Openness, only people like you and me care about that - that's why I used Mozilla and Firefox already when it was arguably a much worse browser than IE, at least when it came to sites and features that worked.

Most don't care though. That is why MSN is so succesful - I don't use it myself, but apparently it can do a lot of things that competitors can't, because that is what everyone tells me, and they can name feature after feature to back it up. Often it is - to me - silly stuff like excellent webcamming or being able to drop any media into a chat, but whatever it is, they see that my client can't do that. Hell, Gaim still can't even do file transfer for many protocols, even though code for it is avaiable in other GPL clients. And it has nothing to do with bundling, most of them keep ICQ or other clients as well, if nothing else to be able to talk to people like me, but they always *wants* to use the "best" IM if they are can. Same thing here.

Especially the new generation, the ones getting use to computers now, can be extremely fickle and in the hunt for the latest and coolest. Strangely enough, power users and geeks are often the ones to stick to the tools they are accustomed to; of course, this is quite practical but it is also strange that we aren't more curious and experiment to find the best things available. Just a casual observation, but I think it is true.

Re:IE7

Open Explorer.exe. That's Internet Explorer for you, my dear friend. Integration = preloading.

Re:IE7

You must be new here.

Re:IE7

[dubious9]

With every release, FF gets bigger and bigger

Firefox 1.0.4 comes out at a whopping 5 megs for the windows version and 8 for the linux version. It's hardly big. If by big you mean feature bloat, then tell me what humongous load of features FF has added since 0.8. Lay out some facts yourself.

Yes memory usage isn't optimal, but considering that people (in my experience) usually have more FF tabs open than IE windows because it's easier to manage. Most people don't even notice it's taking up a lot of memory.

This is complete rumor. As yet, Microsoft has not made a committed response to this question. By the way, which version of CSS does FF support? What's the "latest" version? Hmmmm.

Microsoft isn't planning to go the whole way and make IE 7.0 fully CSS2 compliant...

And yes, no browser fully conforms to the CSS2 standard, but if you've ever done CSS you know that working it for IE has some serious headaches involved. I have no reason to believe that IE7 will be any different.

8 to 10% seems to be a ceiling. I predict it will not go much higher, if at all.

What ceiling? FF growth has been continuous. Or are you just being a troll?

Re:IE7

[Trejkaz]

Because Linux users really need IE in order to dump Firefox.

Re:IE7

Not iexplore.exe itself, but I've seen explorer.exe use up to 500mb of RAM on my computer. They're the same product. That is integration at work.

(and yes, I do concede that Firefox can use excessive amounts of RAM, considering that it's dubbed as a "Lean" browser. But then again, so can everything.)

Re:IE7

[grahammm]

Not forgetting all the DOS programs which broke when the 80286 (eg IBM AT) was introduced because they relied on memory wrapping round at 1Mbyte and the '286 did not wrap even in real mode.

Re:IE7

[Dracos]

One word: Irrelevant.

While MS talks about security and standards improvements, it will still be IE 5.7 with the wrong version number, still hindered by a flawed security model, and still support activeX. IE7 will only be available on SP2 and 2k3 (which is why I prefer to call it SP3), and won't be able to achieve significant marketshare when it's released a year from now. Soon after, MS will begin misdirecting everyone's attention away from all things not Longhorn.

Re:IE7

I know. IE7 will be just like IE6 but with some more eye candy and a whole new class of worms, virusses and exploits.

Besides that, all fixes to IE6 will have been lost in IE7.

Lather, rinse, ... while(1);

Re:IE7

Linux will _never_ be ready for that kind of enterprise.

Re:IE7

[ColMustard]

... reward for using [Firefox] is not the features or the small build ...

Small build? Are you using the same Firefox that I'm using?

Re:IE7

For your sake, let's hope IE7 has a built-in spellchecker too.

Re:IE7

[dotgain]

It doesn't have to be running as a task to be preloaded. While I won't endeavour to prove to that IE is preloaded - I don't care - if looking for it in the tasklist is as far as you've gone, what would you know either?

Re:IE7

[Master+of+Transhuman]

This gets modded "Flamebait" because some moron says IE will kill FireFox, then I make three perfectly good reasons why it won't.

The Windows trolls are out in force again, I see.

Obviously they don't like to be called idiots, and by such actions they prove me right.

Re:IE7

[Trepalium]

Given the fact you don't even need IEXPLORE.EXE around to use IE, this is hardly surprising. Look at the imports on EXPLORER.EXE -- it pulls in shell32.dll, shdocvw.dll, shlwapi.dll, urlmon.dll, and duser.dll, all of which either directly pull in MSHTML.DLL or have embedded in them GUIDs for the MSHTML COM/OLE/ActiveX/whatever object. Besides, how do you think that fancy "Common tasks" pane is drawn?

Type a URL into any explorer window if you don't beleve me.

Re:IE7

[The+Snowman]

most browser exploits are buffer overflows - giving wierd input. To combat that you have to add code (input checking), not change code.

Yes, but what happens when that input checking is not completely tested and needs a fix? What happens when that input checking code needs to accomodate multiple inputs? There is more to browser exploits than buffer overflows. Certain types of malformed input can cause this too, e.g. "/../../winnt/" in a URL in older versions of IIS.

My point is that input validation is more complex than "buffer overruns," and sometimes that code itself needs to be modified, resulting in the scenario in my earlier post.

OOOOLLLLDDD News

[Urgo]

Sorry but I need to say this..

'Mozilla 1.0.3 vulnerabilities'

That would be Firefox 1.0.3.... Mozilla Suite aka just mozilla and FireFox are two separate programs and have very different versions. Saying Mozilla 1.0.3 is very misleading. Please use the correct name or it makes your news story look very silly. Who cares if a version of mozilla from 2002 has security holes.

</rant>

Re:OOOOLLLLDDD News

[Nimloth]

Who cares if a version of mozilla from 2002 has security holes.

Wait, does that mean I should upgrade from 1.3a?

Re:Funny how the emphasize

[KiloByte]

It also may be a good idea to compare the criticalness level of MSIE vulnerabilities to the Firefox ones that get published.

People just don't bother with minor problems in IE -- on the other hand, there is much vested interest in digging every smallest issue in Firefox, and dragging it into the press.

Re:Funny how the emphasize

[vegaspctech]

Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found...

Logically found? That's assuming all other things are equal, such as level of difficulty for discovering vulnerabilities in each. Clearly this is not the case. You can't go to the Internet Explorer home page and download its source code.

Re:As I said in another thread today...

Troll? That's the most insightful comment in this thread!

Possible Wishful Thinking, But... Is IE Pointless?

[FhnuZoag]

Is Internet Explorer still really of any benefit to Microsoft? Once upon a time, it might have been used to push ActiveX, or reinforce the Windows platform by encouraging integration. But security worries, and legal trouble, have put paid to that...

To my naive eyes, it seems that IE is more trouble than it's worth. It's earlier bugginess puts a weight on later development to duplicate previous rendering errors, and it is strongly challenged by Opera, Mozilla, and the like. Also, their developers have to take care not to break compatiability too much - or at least, to sort out how to get various plugins to work with newer versions. The whole thing is a running sore with regards to their reputation, and the number of idiots running the browser means everything has to be dumbed down.

It seems that the wise thing for Microsoft to do, simply from a selfish level, is to ditch the IE project. Open source what can be open sourced, develop a light, secure, bare-bones and idiot-proof version for bundling with their OS, and re-dedicate their resources elsewhere.

Internet Explorer has no future.

In other news...

[fm6]

...scientists report that water is wet.

Opera...

[simetra]

It seems like, every day, I'm reminded that my Opera purchase was a good decision.

Really, I've been amazed, for YEARS that anyone uses IE. I've been amazed for MONTHS that anyone uses Firefox. But that's just me.

Re:Opera...

You know I was using Netscape back in 96 and my buddy asked if I actually paid for it, that made me laugh... the concept of paying for a browser still does.

Security through obscurity is not security at all. Opera has no reported exploits, doesn't mean they are not there.

Mozilla encourages people to "hack" their products inorder to make them better (a reward is offered for exploits proven.) Firefox's "critical" expoits have never lasted long enough to have a working one out in the wild for the black hats to use because white/grey hats find the exploits, report them to the mozilla team and by the time its public knowledge there is already a workaround in place and a patch following soon after.

Press coverage

[motank]

Will this be posted on the front page of every single news outlet, like it happens every time with Firefox, or are they gonna keep giving IE a free pass, like always?

The scheduling is meant for enterprises

[n0-0p]

Organizations want to schedule their downtime and the "Black Teusday" policy makes it easier for them to do that and keep good looking metrics. All the places I've worked at have a scheduled outage the second Friday of every month. This gives a few days to do test deployments of the patches before rolling them out to the enterprise. Metrics still look great because IT can say they deployed all critical patches in under three days.

Re:The scheduling is meant for enterprises

[springbox]

because IT can say they deployed all critical patches in under three days.

Yeah, but that's like saying you read a book when in reality you looked at the first few pages and put it away, giving a false impression.

Re:The scheduling is meant for enterprises

[Narphorium]

So how would that be any different than if MS released their patches immediately and then corporations that choose to could wait it out and deploy the patches on their own regular intervals? While the rest of the world could actually secure their computers in a timely fashion.

The only advantage is that this method lets MS slack off for a month and IT departments can artificially inflate their 'metrics'. Neither of which improve security for anyone.

Re:The scheduling is meant for enterprises

[n0-0p]

The logic is that after a patch has been released it is much easier to identify the vulnerability by analyzing the differing code between the original app and the patch (Google on Halvar Flake and BinDiff for more info). Combine this with researchers that still release sample exploit code, and you can see where they're coming from. By using a fixed release schedule MS feels that it reduces the chance of a publicly available exploit before enterprise customers can deploy the fix. MS switched to this approach because their biggest customers were clamouring for it.

By the way, just because I understand the reasoning behind the policy doesn't mean I necessarily agree with it. I know in many cases it's just used by IT departments as a way to salvage their metrics, which in my mind points to a broken process. But it is important to understand the complexity of the issue, and having unscheduled downtime several times a week is usually not feasible for the enterprise.

It's been said before...

[rbochan]

This is a surprise to anyone?

This is Microsoft we're talking about here. Color me cynical if you want, but they've never done anything more than lip service with regards to anything other than their own bottom line.

Re:Funny how the emphasize

[internic]

Actually, I'd expect that each version of a piece of software has some finite number of vulnerabilities V, and I'd think that with a user base U that after an amount of time t you'd have found a number of exploits something like E = V(1 - exp(-a*U*t)), where "a" is some constant for that particular piece of software. Yes, I just pulled that out of my ass, but the point is that I'd expect diminishing returns with more users and time, since eventually you will have found all the easy to find vulnerabilities and it will take longer and longer to find the really obscure ones.

You seem to be suggesting a linear relationship E = a*V*U*t. Notice, that will be a good description of my model at very early times (t much less than 1/(a*V*U) ) or at all times in the limit a -> 0 and V -> infinity while V*a stays finite. Now it seems unlikely that we can think of IE being in the early time stage of behavior, but, admittedly, maybe an infinite number of vulnerabilities is a good model for IE; however, I wouldn't expect a linear model to work very well for most software.

Re:Possible Wishful Thinking, But... Is IE Pointle

[oneiron]

Microsoft has a vision of an integrated web desktop (or at least used to)... Eliminating IE would put a damper on that, to say the least.

Re:admin privilege req'd

[Baron_Yam]

Try printing from MS Publisher or editing an MS Org chart in PowerPoint; Neither will work unless you have admin privilege, because both expect to write to %systemroot%.

If MS doesn't care about the problem (and these two examples are still present in the latest version without any apparent intention of being fixed), why should 3rd party software develpers care?

MS Fanboy

[Mother+Sha+Boo+Boo]

Well, that I respect: declared stubbornness. But don't give me the Bookmarks bullshit...

Marketing...

[Freggy]

It's just a question of marketing. By limiting the patches to once a month, it /seems/ as if the number of security vulnerabilities actually is not that big. A lot more Joe Users would start raising questions if they saw that they have a security flash popping up twice a week...

Re:admin privilege req'd

[QuietLagoon]

You raise a very valid point.

Re:Possible Wishful Thinking, But... Is IE Pointle

One word: XAML.

Well, one acronym, anyway :)

IE must sell well in arab land

[Seiruu]

With a slogan that goes "It's very similar to a harem with 1001 women!"

Re:Possible Wishful Thinking, But... Is IE Pointle

[simetra]

Unfortunately... one of IE's big strongholds is the flaky ActiveX stuff. It has allowed a LOT of vendors to build browser-based apps to do stuff rather than have to build actual programs. Maybe if one of the alternative browsers magically included ActiveX support, we could ditch IE, which, coincidentally, requires an MS OS (except for Macs, which have what, 1% of business pc market?)... Since IIS gives everyone a free "development" platform, I don't see vendors rushing to use real development tools to build replacements for these IE "apps" any time soon. And hey, since we've got the MS OS, and browser, and web server, heck, let's just go all MS... ka-ching!

Re:"Nothing for you to see here. Please move along

[SpaceLifeForm]

March 31: http://www.eweek.com/article2/0,1759,1781171,00.as p

He said Microsoft was alerted to the first vulnerability March 16.

That bug was found in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.

Default install problem. Minimal user interaction.

According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.

...more than 30 percent of the security holes found in IE remain unpatched. Last I saw, that was 13 known holes (not necessarily rated critical).

http://windowssecrets.com/comp/050512/#story1

As of today, Secunia reports that there are still 19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only 4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has none.

Oh. It's 19 now.

Sorry. You're right. Nothing for *you* to see here.

Re:Possible Wishful Thinking, But... Is IE Pointle

Unfortunately yes. For them it is. At this stage IE is the most dominant browser and morons develop purely for it in a lot of places. This ignorance of standards is why their web based apps don't work in other browsers. This means that vendors are locked into the one browser. When that browser turns out to be crap they can't change.

Microsoft aren't going to change it to be fully supportive of standards because then they'll lose the tie-in to IE and therefore the tie-in to windows.

Even in IE7 the developers will be "improving" the css support and not fully implementing it.

When people realise that the OS is a commodity for a lot of things, and that they can use web based apps why would they pay for windows?

Re:Possible Wishful Thinking, But... Is IE Pointle

Are people still stupid enough to use ActiveX?

Re:Possible Wishful Thinking, But... Is IE Pointle

[simetra]

Yes. People are still and allways will be stupid. Next question.

Well, it's not that complex.

[biendamon]

Let's take a look at why an administrator might say both those quotes.

"Oh, no MS releases too many secuirty patches making my job as an admin hard, what a bunch of A-holes"

Looking at our hypothetical admin's thought processes, what's going through his head might be: "IE is just a damn application, but they've embedded it into the OS. So every time they release a patch for this friggin' application, I have to patch! I'd prefer to just remove the damn thing, but no... There's no uninstaller for it."

And now, let's look at the next quote.

"*Stoopid* MS is going to take a month to release a security patch, what a bunch of A-holes. Firefox ROX#$%^&!"

So what's the administrator thinking on this one? It's pretty simple: "Okay, so now this damnable embedded application, this junk browser that has to be on my operating systems, isn't gonna be patched for a month? The way they did it before would have been acceptable if I could patch the application without worrying about it breaking the OS or making me reboot. But NEITHER of these patching methods works well for me. I've either gotta patch applications that might destabilize my systems all the time, or I've gotta give hackers the keys to my network for a month!"

So, while the point you're trying to make - i.e., that neither of the upgrading options Microsoft has provided are acceptable to admins - is a valid one, it's a situation Microsoft brought on themselves.

Lock-in and Control

[_Sprocket_]

Others have already touched on the subject of lock-in and its obvious economic advantage. But another reason for this strategy is simply control.

Microsoft always talks about a long-term vision for computing. It's a lot easier to bring about that vision when you directly control the components used to bring about that vision. And that means controlling the implementation of protocols as well as setting defacto standards.

I couldn't see it being in Microsoft's interest to simply hand something as widely used and therefore important as web browsing over the a third party.

Very nice phrase

[Bozdune]

"Bass-o-Matic School of Persuasivist Languaging."

Like it, Centurion, like it.

0-day vulernabilities are like precious warez

Something a lot of people don't seem to realize is there's a black hat side to the security exploits page; at any one time, dozens of exploits are circulated before they're released, or in some cases, even discovered or known about by the wider security community. Until things are released, the core of the black hats has carte blanche to do what they want, when they want, with your machines. ..and there are ALWAYS exploits out there.

Public disclosure brings on the skript kiddies, but there is another side to these things oft not spoken about.

Re:admin privilege req'd

Ugh, are you serious? I was hoping to deny write priviledges to WINNT and WINNT/system32 for the machines I admin to try to cut down on spyware/malware since they like to install there. Guess it could break some apps.

integration at it's worst

I suspect I'm a repeat but here goes.
MSFT's integration of their web browser into everything has backfired. You can no longer just *issue* a fix because you'd affect thousands of production level computers. Most of you who patch your workstation think...oh, this security patch will fix xyz and that's that. But they really do need regression testing as I have seen first hand the clusterFSCK an untested patch can do.

It's much easier to patch a Linux workstation because even if they have a few insecure services or applications, due to the OS design it's difficult to break the functionality or compatibility.

Once on MSFT XP Home, a prevalent patch fix broke my cousin's HP laptop and no one knew what had happened. He couldn't use the laptop for more than 5 minutes before it froze up on him. Literally, no BSODs or anything, just froze up. Since he was busy he didn't send it in for repairs or ask me for help. Almost 2 years past by before I take a look at it and fix it in 30 minutes.
It took a BIOS patch to fix it.
Turns out one of MSFT's APM compatibility patches broke it.

Re:Funny how the emphasize

Yes, I just pulled that out of my ass, but the point is...

That won't matter if you post it somewhere else then issue a press release citing the two sites where it was posted as sources. You only need a name and the press release and then we can pretend it's real science. ;-)

Now THAT'S news. . .

MS taking forever to patch things? Who could've guessed? (aside from Linux/Apple/Firefox/Mozilla/Opera/Eudora/KMail/Thu nderbird users everywhere)

Seriously, though - we've known for YEARS that MS takes forever with patches (that is, if they make a patch at all). It's not "news", it's just that now that MS alternatives (such as Firefox) have become more mainstream, more people can see that there are better alternatives.

There's more than simple buffer overflows

[n0-0p]

String handling is not not the only kind of parser attack, and buffer safe routines do not necessarily protect you from the full range of buffer issues that can occur. Integer issues in particular are a growing concern even with buffer safe libraries. Your average programmer does not have an in depth understanding of the C standard on things like type promotion and sign extension. Google on David LeBlanc's SafeInt library and look over the code for some in depth understanding of this.

Of course, there's a lot of fertile territory in parsers for all sorts of non-buffer related exploits. Cross domain context and external includes were both used in the most recent Firefox exploits. These issues are not unique to XML and HTML formats. I've seen exactly the same problems occur in binary OLE document handlers. This is why I stated that the parsers as a whole are complex issues. They touch so many areas and intermingle so many other concerns that they can be a security nightmare.

Re:Funny how the emphasize

[DogDude]

Do tell, where does the spotlight belong?

I would say Firefox. 3/4 of our machines were FUBAR'ed with the lastest Firefox update. I'm not the only one. IE at least still works. Firefox is DOA (was DOA until I had to remove it from all of our machines). Check the Firefox message boards. The latest release doesn't even *launch* successfully on many machines. I'd much rather have security problems than a browser which doesn't launch, and instead sits and chews up resources behind the scene.

Re:Funny how the emphasize

*sigh*

The spotlight belongs on 1) incompetent programmers 2) bloated insecure code 3) a culture of "responsible disclosure" that encourages the release of buggy, insecure code that will be patched and patched indefinitely.

I don't care how many security holes are in IE, or in Firefox. The question is, "does this program have at least one critical security problem"? The answer is yes to both products. They are both bloated and insecure as far as I'm concerned.

Don't fool yourself into thinking that an open source license will magically turn programmers into gifted developers. Firefox is huge and complex, I don't expect we'll ever see an end to the security holes.

I really don't know the solution, short of writing my own stripped-down browser that runs every module in a chroot jail (which would actually be a good idea, I think djb is working on that), but that's the world we're stuck in.

I see no value in recommending Firefox over IE or vice-versa.

Ah, there's the rub.

as it is available (and properly tested)?

Do you really believe that it takes microsoft a month to write a single patch? Do you realize how big of a faux paus it is to release a fix for a fix? Add it up...

When I see Firefox developes hack together & release a non-trivial fix in an hour with practically no testing, it makes me squirm.

Re:Ah, there's the rub.

[Trepalium]

You do realise that the reason Microsoft now takes a month to release the patch is because they are frustrated with the (bad) publicity frequent patch releases were causing them? That's why we have the one patch-a-month scheme now (and as an added bonus, they get to claim they're more secure than any Linux distro because they put out fewer patches!). Microsoft is (again) treating security as a PR problem.

Reduced privilege apps?

[gvc]

Thanks to all who pointed out that changing the culture involves also changing the behaviour of application developers.

Does anybody know a sensible way to write a reduced-privilege application for Windows? That is, one that is launched by an administrator but runs as a non-administrator version of the same user.

It isn't a solution to run the app as guest, because the app would want to access the documents and settings of the actual user.

If this were possible, responsible application developers could use the facility to make sure that any system breaches were "not on their watch."

Re:Reduced privilege apps?

[Foolhardy]

If you're asking if there's a way to launch a new process with less privileges than its parent, then there is a way: create the child process with a restricted token. A restricted token is a copy of another token, but with privileges and SIDs deleted and an optional list of restricting SIDs.

Privileges are for things like loading a driver or shutting down the system. Normally you delete all the privileges on a restricted token.

SIDs give you identity, both as a user and for group membership. A token has a SID for the user himself and each group he belongs to. There's a SID for the Users group, one for the Administrators group, etc. Deleted SIDs can't be used to gain access to resources (but will still be considered for deny entries). If you delete the Administrators SID from the restricted token, new processes created with it won't have admin access.

If a list of restricting SIDs exists, then access checks must succeed using the normal SIDs AND the the list of restricting SIDs. (See the description on the CreateRestrictedToken page)

There's two ways that I know of to use restricted tokens:
1. Use the "protect my computer" option of RunAs; this runs the program with the Administrators group and your personal SID disabled, all privileges deleted, and a list restricting SIDs the same as yours, plus the SID named RESTRICTED. This way, you can explicitly deny RESTRICTED access to things that you would normally have access to, such as sensitive things in your own profile. See Aaron Margosis's blog for a good description.
2. You can use my program, jobprc. It's a command line program that's more complicated but exposes virtually all of the power of restricted tokens and job objects.
For example, you could run Internet Explorer without admin privileges with jobprc iexplore -dsid administrators -dprivmax. IE would still have access to your profile, but it doesn't get the access granted by the Administrators group or any special privileges.

As an application developer, you could check to see if your app was started with an appropriate token, and if not, have it relaunch itself with a restricted token.

Time for the season finale...

[mtec]

These are the voyages of the browser Explorer, It's mission; to explore strange new exploits and seek out new viruses and hacker civilizations, to boldly expose data not exposed before!!
*cue music*

Ineffective and impossible.

[argent]

Let's pretend for a moment that this would actually work. It's not possible to get people to implement it.

It's hard enough to get any of the browser teams to commit to implementing a complete sandbox, even though that could be done without inconveniencing the users.

It's hard enough to get users to adjust the sandbox that they're already using so that it's as complete as possible, even though doing so imposes very little invenvenience.

Getting users to go through a lot of inconvenience to create a new account to run their browser in, that's really tough.

But even if you could do it, it wouldn't be effective.

A restricted account could still be used to compromise their privacy, it could still be used to destroy data they consider important... their bookmarks, information maintained on websites they connect to, and so on.

And that's assuming it would remain restricted: once I can run native code on your machine, getting out of a restricted environment is just a matter of time. It's easiest on Windows, of course, but even your typical UNIX or Mac OS X box has all kinds of mechanisms that a restricted account can use to extract information from your "real" account, or launch code (directly or through a boobytrap) into the "real" environment.

The only "restricted environments" I have used that I would consider secure enough to not treat malware running in that account as an immediate threat, apart from physically separate boxes, are FreeBSD Jails or completely emulated systems (VMware, Virtual PC, etc).

But we do know one thing that does work very well. And that's having a sandbox that has no holes in its design. That means there's no holes that the developer's reluctant to close, and no holes that users are reluctant to see closed. That means that any holes that do occur are bugs, and as such can be quickly fixed without embarassment and without discouraging users from applying them.

It's not perfect, but it works much better than a whole sandboxed account, and it's much easier to implement and MUCH more convenient.

So: the first absolute requirement for building a secure web is for the browser manufacturers to commit to a completely closed sandbox. That means there is no mechanism inside the sandbox to get outside the sandbox even as far as to see information stored about other websites. That means: no XPI installers, no ActiveX or Active Scripting, no "open safe files after download", no use of "Desktop" applications to open documents (even if you think the document is local), nothing. Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to explicitly download the document and so move it outside the sandbox, and THEN explicitly open it in the unsandboxed environment. Those two steps must never be shortchanged.

What does that mean to the user, then?

Not much, in most cases. For Firefox users that means they'll have to download XPI files and then load them from the menu or their desktop file manager. For Safari users, no more "open safe files", and no more warnings the first time they open an app because the browser won't ever be opening apps behind their back. For Windows, there would be a bigger impact: a few tools like Software Update would be separate applications, but the bigger impact is that some third-party applications would need to be redesigned to use the new safe API.

Windows, I can see their reluctance. The rest? I don't get it... they're not gaining all that much by having a leaky sandbox, and the fact that even such small leaks can be exploited is sure a good argument for having at the very least no designed-in holes at all.

Re:Ineffective and impossible.

[Tim+C]

It's hard enough to get users to adjust the sandbox that they're already using so that it's as complete as possible, even though doing so imposes very little invenvenience.

But it requires more knowledge than most users currently possess. Education is a huge problem... MS has made it easy for anyone to own and use a computer. That's good, in that anyone can, but bad in that "anyone" *does*.

Re:Ineffective and impossible.

[argent]

But it requires more knowledge than most users currently possess.

Which is precisely why the responsibility should be placed on the browser developers. Where they have committed to a comprehensive sandbox (for example, in Firefox outside the XPI installation mechanism) people have accepted it AND the system's overall security has been good without any need for annoying scary dialogs. Where they haven't (for example, Safari's "open safe file" mechanism) they've had repeated problems, and users have complained that fixing the problem would be inconvenient for them.

I've had someone ARGUE with me that HE should be an exception to my "No Outlook" rule... WHILE I was sitting there cleaning his computer after he infected it through Outlook. You're right, the users can't be expected to understand the details of security. What's depressing is that the vendors don't seem to understnd either.

Apple, KDE, Mozilla, Microsoft, they all need to stand up and commit to a comprehensive sandbox. They need to commit to NEVER passing an object outside the sandbox, and requiring all plugins, handlers, helper applications, and so on to register explicitly with the browser... and stop assuming that an application designed for use from the shell/Finder/Desktop is safely sandboxed.

... Timing!

[SEWilco]

With the next MS Windows security bulletin release scheduled for June 14

Note to security companies: Schedule your next flaw announcements on June 15.
Yes, everyone on the same date.

My proofreader is slacking off again. :)

[argent]

I wrote: "Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to..."

Then I changed the sense of the preceding sentence when I was previewing it, and didn't notice that changed the meaning of this one. What I meant to write was "If the user wants to do anything more than that, they have to..."

A new measure of browser security

Yes, here and now, I am going to unveil a new metric for browser security. The operational fix ratio. What is the operational fix ratio? It's a measure of the time you spend cleaning up computers due to security flaws in the browser. You take the number of weeks someone has used the computer with a particular browser, and divide by the number of hours you've had to spend cleaning spyware, adware, and other crap off their computers. Oh sure, it's not transferable -- you may fix that crap faster than I do. But for each individual, it will have some meaning. I'm talking about the time to clean up your own, your family's, and any friend's computers you support. Come on, I know there's a lot of you who do it.

I don't CARE if one browser is actually better code than the other, or if one has more vulnerabilities -- what I care about is hours wasted running SpyBot S&D, AdAware, "Malicious Software Removal Tool", etc. and the associated reboots and reinstalls required to get the system back into a useable state. If MSIE has only 2 remaining flaws, but they are constantly exploited in a way that keeps me up to 2AM at a friend's house when I could be enjoying myself, it loses. If Firefox has 20x the vulnerabilities, but for some reason no one exploits them (laziness, obscurity, whatever), then it's the one for me. Lets stop talking about theoretical crap -- lets talk bottom line: wasted time.

So far, I've spent cumulatively days at friends' and relatives' places cleaning up the mess left behind from their time running MSIE. I've installed Firefox on all of them and encouraged them to try it (I always leave MSIE behind -- sometimes they REALLY DO NEED it for work or a bank or something). If they've made the switch, I've never spent an hour cleaning up stuff again. That's anecdotal evidence, so your experience may vary. Maybe you have the opposite experience. Anyway, everyone's free to use whichever they want. I encourage you to choose the one which leaves you and yours the happiest. If you run into a problem cleaning up the spyware on your mom's PC, don't call me, I don't carry the cell phone when I'm in the hot tub... And since most of my "customers" now run Firefox, I can spend more time there.

Re:A new measure of browser security

I second that =).

So far, my operational fix ratio for IE is approximately 5hrs removal vs. 2 weeks (on one particular computer). Firefox's is 0 : 10. On my alternate machines, IE's runs at 0 : 0 =)

Re:Possible Wishful Thinking, But... Is IE Pointle

[argent]

[ActiveX] has allowed a LOT of vendors to build browser-based apps to do stuff rather than have to build actual programs.

The really interesting thing here is that the ActiveX based applications aren't any less complex than a standalone application that injected the ActiveX components as plugins inside a customized HTML control, and they're no more convenient for the user than downloading an application would be because right now it's a LOT harder for a user to figure out how to selectively grant the rights to the webpage that's running the applets than it is to download and install an application. It would be possible for Microsoft to completely eliminate the pain of locking down ActiveX simply by providing a simple conversion kit that created this application with the ActiveX plugins bundled into it, and removed the ActiveX launch capability from the common HTML control. Then the user would download the application as an application, and install it as an application, and these applets would exist IN THAT APPLICATION but they, as well as other ActiveX components out there on the web, would be safely ignored by the common HTML control everywhere else in the computer.

At the same time applications like Windows Explorer or Software Update would have to be modified to do the same thing with their custom extensions to the HTML control.

The other "extra rights" (or rather, the code that implements these capabilities) that IE gives to local pages, like running local scripts, could also be injected by the controlling applet the same way.

So long as they didn't then put in code for IE to automatically install these "Windows Dashboard Widgets", they'd be perfectly safe. This is how KDE's Konqueror handles potentially unsafe extensions (they call them I/O slaves). It's how Dashboard adds them to WebCore (well, except for Safari installing them automatically... Safari doesn't even need to know they exist). It's safe, secure, convenient, and I really expected Microsoft to come up with something equivalent SEVEN YEARS AGO after the first HTML-based malware showed up. But, no... and now it's hard for them to go back.

Re:admin privilege req'd

Ok, seriously no one can be this stupid. Have you ever heard about secondary logon to open programs as another user temporarily and then the user is automatically logged off when the program is closed? Sheesh, some people are just too stupid to be admins.

Microsoft. Trash software.

[rice_burners_suck]

Mozilla is good. MSIE is bad. End of story.

It doesn't take a great genius to discover that all Microsoft software is completely and utterly defective down to its very core, while software made under F/OSS methods is generally quite good, solid, and sound. Perhaps some features aren't implemented in F/OSS which exist in Microsoft's trash, but those features will eventually become available, and in the meantime, it is much safer to compute with F/OSS.

For years, Microsoft deliberately created defective software in order to continuously sell upgrade after upgrade. But today, people are waking up to Microsoft's defective business models and realizing that they have been the victim of Microsoft for many years. Therefore, Microsoft is going to lose. Day after day, more users switch away from Microsoft's garbage. And say what you will, but Microsoft will lose eventually, and they will go out of business. There is nothing they can do about this now. No matter how hard they try. No matter what Longtooth does when it comes out, if it ever comes out. And guess what, no matter what they do, Longtooth will still be a very extremely defective and insecure piece of trash software. And that makes me glad. Because I hate Microsoft.

Re:Microsoft. Trash software.

[VGR]

It doesn't take a great genius to discover that all Microsoft software is completely and utterly defective down to its very core ...

Fanatically worded but largely true. There is no excuse for writing a buffer overflow in the 21st century. Everyone who calls himself/herself a professional knows how to routinely avoid such pitfalls.

For years, Microsoft deliberately created defective software in order to continuously sell upgrade after upgrade.

It sure seems like it. But I think you're ignoring good ol' Hanlon's Razor here. It's much more likely that they deliberately did little or no QA, and naive programmers did foolish things which went unchecked. This is even easier to believe if you've worked with "professional" programmers and witnessed the things some are doing even to this day.

change

[dotpavan]

I might change to lynx....

Bill Gates, is that you?

Bill Gates, is that you?

Re:"Nothing for you to see here. Please move along

[Liquidrage]

Does any of the information you present answer any of the questions I asked?

No? Thank you.

Does it even all pretain to the orginal submission which is what was being discussed here. No again.

The only thing for me to see here is people like you who want to have a pissing contest.

Don't even give me the "Default install problem. Minimal user interaction." as real details.

Minimal user interacation? That could mean anything. Without the details this could be a "Who cares?" or an "OMG!". We don't know.

It's not that this stuff shouldn't be reported and run up the proper channels. It's that there's nothing this type of story can lead to expect for +funny comments, some IE vs Firefox flame wars. Some Win95 jokes, and some very generic security discussions that won't even center around the flaws in question (since people don't know enough to discuss them).

Re:admin privilege req'd

[Baron_Yam]

Yes, that's the kind of thing I want to implement in a large organization:

"Here, user who can barely remember their logon ID, (and continually calls the helpdesk for a reset of their forgotten complex password), here's a second logon that will allow you to violate all of the restriction on your computer"

Seriously, how can you be that stupid?

Assume IE does kill Mozilla/Firefox

[dpilot]

Just for a moment, grant that assumption, then let's look at where it leads...

About as soon as Mozilla/Firefox is dead, Microsoft will begin migrating people off of the IE team, most likely onto the new XBox to compete with Sony, the base OS to compete with Linux, media stuff to compete with Apple, etc. Thereafter IE will stagnate, again. There *might* be enough people left on IE to keep chugging security fixes, but more likely they'll spend more time doing IE integration things with XBox, base OS, and media stuff, etc.

Take a look at the track record. Whenever Microsoft had smashed the competition in one arena, they have NEVER kept up the advancement, there. It doesn't make economic sense to let it do anything other than stagnate.

So the simple truth is: If you want good products from Microsoft, make sure they have competitors.
The corollary: Without competitors, Microsoft's products stagnate into a mess.

Re:Assume IE does kill Mozilla/Firefox

[strider44]

I hate to break it to you mate but Firefox won't die anytime soon, even if its market share shrinks to one percent or something. It's OSS not a company - they don't have financial difficulties with continuing development like Netscape.

Re:Assume IE does kill Mozilla/Firefox

[dpilot]

You miss my point, entirely. I wasn't commenting on the ability or not to kill Mozilla/Firefox.

I was commenting on Microsoft's actions every time, in every market where they have lacked competition. Lacking competition, Microsoft will do NOTHING to a given product.

It is in ALL of our best interests for Microsoft to have competitors, across the board. There will be other things to buy, and Microsoft will produce better products.

Re:Assume IE does kill Mozilla/Firefox

[strider44]

heh, I just tripped on the line About as soon as Mozilla/Firefox is dead, but no I didn't miss your point, and agreed with you. The thing is it's different now though - Microsoft aren't battling a company, they're battling a community. They just can't destroy it, even with their huge marketting power.

Re:Assume IE does kill Mozilla/Firefox

[ColMustard]

If Firefox marketshare shrinks to one percent or less, you may not consider it dead, but you might as well consider it irrelevant which is just as bad. The relevancy of a browser is what makes websites support it. Microsoft would then be free to continue breaking standards and compatibility and everything else they have done in the past to keep competition under control.

Re:Assume IE does kill Mozilla/Firefox

[dpilot]

Good point.

Fool me once, shame on you. Fool me twice, shame on me. Except that since it's Microsoft, the industry leader, it's OK. Fool me a thousand times. Please.

(I wish there were an appropriate sad, ironic, misplaced-humor emoticon.)

take pity on them

[toby]

They just didn't commit the resources to dig into the code and do a thorough security review

Well, I hear they're a bit short of cash, so one should not be too hard on them. So what if a few hundred thousand machines are compromised?

Re:admin privilege req'd

[man_of_mr_e]

I've never had a problem with Publisher 2003 needing systemroot access. If you're running older versions, you don't need to give them root access. All you need to do is give them write permission to the directory without replacing the permissions on the files within, that way nothing alter existing files. There's nothing special about systemroot other than it's a place many system files are stored.. let the user create new files there isn't going to comprimise security any more than letting them create new files somewhere else.

Re:Possible Wishful Thinking, But... Is IE Pointle

I don't think Microsoft would be as worried if IE's main competitor was Opera. With Firefox being Open Source, news outlets can't help drawing parallels between Firefox and Linux. There's a general perception that both of these come from the same people (I've had someone tell me that FF was made by "the Linux company"), and MS are worried of some sort of iPod effect that will draw people away from Windows.

IE Security Porblem

There is one main Problem with MSIE.
That is: MSIE

Re:admin privilege req'd

[Baron_Yam]

I don't know what to say except that I have Publisher 2003 on locked down machines, and it won't print without admin access... and I did both KB and Google searches confirming the issue and the lack of a resolution. Since you're not experiencing the problem, perhaps your machines aren't as locked down as the ones I work with - and while it certainly is a %systemroot% issue with MS Org, it could be registry or something else for Publisher... I filed the 'resolution' in my company's support database months ago and haven't kept the details between my ears.

But in reality...

But in reality you're still more vulnerable. I thought downtime was the most important thing and not these stupid metrics.

Where can I get the patches?

[richman555]

Anyone know where I can get the patches? I don't wanna be vulnerable.

Re:Funny how the emphasize

The issue was security, not your purported trouble with installation.

Exerpt from "The Devil's DP Dictionary"

[rah1420]

One-line Patch: A kludge so trivial that no testing is necessary. Repaired with another one-line patch. See Recursion.

Recursion: See recursion.

Re:Funny how the emphasize

[msuarezalvarez]

I'd much rather have security problems than a browser which doesn't launch

Cute.

Re:Funny how the emphasize

[16K+Ram+Pack]

I saw a lot of stuff about the 1.0.3 vulns. I know that it wasn't good, but I didn't really understand how it got rated as "critical". You had to already have a site on your list of trusted sites to get XPIs from.

I would guess that maybe less than 10% of all users download XPIs from anywhere but Mozilla.org. Add to that that if you downloaded an XPI from someone already, why would they post maliciously this time, and not the previous time.

As far as I know, the speed of resolution meant that not a single machine out there suffered from an attack.

Ho hum. No news here.

[The+Cisco+Kid]

This isnt 'news for nerds', in any sense of the word. It is neither news (in the same way that 'The sun rose again today' would not be considered news), nor anything a self-respecting 'nerd' would consider interesting.

I just assume that new holes in IE will be found daily, if not more often. I dont use IE, or any other MS software, so I don't consider it terribly important.

Anyone in the field still using IE
is either a complete moron or a brainwashed MS-apologist (or a blackhat 'using' it on other peoples machines).

Re:Funny how the emphasize

[penguin_asylum]

Not how many it has, how many are going to be found and exploited.

eEye?

[Symb]

eEye? eEye! Oh...

Re:Jeez.

The huge networks of compromised machines are mostly used for spamming, and occasionally extortion.

The reason that even my dial-up IP (which changes each Login to my IP) gets pinged 10-20 times an hour, is not someone trying to look cool, its someone trying (generally very successfully) to make money.

It is sometimes l337 kiddies, but by far the majority is organized and spammer-funded. (Or organized and criminal in the case of extortion)

So you see, because there money to be made, and because Microsoft doesn't need to make a secure system, because they can sell and insecure on 92% of computers, the problem won't go away by assuring 5c1p7 |<1dd135 that hacking is uncool.

You have to decide that your privacy and bandwidth is important to you, and you must buy a Mac or install Linux or BSD for your web-browsing and e-mail.
</wakeup call>

Complately Offtopic but....

http://www.childsupermodels.com/ (from ninja_assault_kitten's profile)

Is it just me? Or does this site look exactly like something that one would find on Persian Kitty (albeit with older models)? I guess that it's legal, as the girls seem to all be clothed. However, it seems to be a very sexualized site. Plus, the design (and sales pitch) is just like several porn sites that I have seen.

Maybe it's just me, but I find that site very creepy.

Re:Complately Offtopic but....

After you pointed out the link, I had a look for myself. By the way it's not you. You're not the only one creeped out by the site.

Re:admin privilege req'd

[edbulldog]

Let me see if I got it right...

Older versions don't require systemroot access, while newer versions do?

Weren't some things called "security issues" ever thought of?

Re:admin privilege req'd

[man_of_mr_e]

No, you did not get that right. Reread what I wrote.

Re:admin privilege req'd

[man_of_mr_e]

Printing? It's probably writing to the spool folder for some reason. Give the spool folder write permissions for the users. You don't need to give the users administrator privs.

it's all because MSIE is connected to the OS

[krunk4ever]

if MSIE was a seperate app that didn't have ties to the actual OS, then all these security vulnerabilities wouldn't have existed in the 1st place. i'm guessing they really wanted to integrate their software and make it easier to use and allow for windows updates and etc.

personally, i think they should've made MSIE a seperate program altogether and avoid all these problems. windows update can be a seperate program that you find in accessories->system tools->windows update. but if that was the case, they wouldn't have been allowed to bundle ie with windows. i guess there were trade-offs in doing it this way.

Slashdot FUD

Yeah, talk about FUD -- Slashdot distributes more FUD than Microsoft ever did.

Read the following article:
http://www.eweek.com/article2/0,1759,1815784,00.as p?kc=EWRSS03119TX1K0000594

There are a few points to notice:
1.) The vulnerability has been PRIVATELY disclosed, meaning that the exploit is not openly known by everyone the way Firefox's was a couple of weeks ago.

2.) There is no reason to believe that it will take as long as mid June. According to the above link, "Under normal circumstances, Microsoft patches are released on a monthly cycle, but in cases of emergency, the company could release an out-of-cycle update"

This is just another case of classic Slashdot anti-Microsoft bias.

Re:Slashdot FUD

[Ben174]

I can't believe it took this long for someone to point this out! Finally someone who makes some sense. Slashdot is really beginning to discourage me and I'm having more and more trouble believing what I read here.

Re:admin privilege req'd

[man_of_mr_e]

Better yet, why don't you actually try to figure out what it's trying to do. Download filemon and figure out what it's trying to access and then only give the privs necessary to make that app work.

Where is fix noted?

[SenFo]

I read the Security Bulletin; but, I see nowhere that that anybody says whether or not the vulnerabilities will be covered in this release.

Typical

[Mind+Socket]

History repeats itself once again ... Microsoft taking the work of others and integrating it into their product, only bigger and flashier.

Re:Funny how the emphasize

Is this really how security vulns are found? The hackers search the source code for "//potential security problem below!!!"

I suspect fuzzing a running program probably leads to finding more security holes than looking at source code.

Note: methodical review of source code is also good--but not the point of the parent.

If the vulnerability is serious...

[MtViewGuy]

...Microsoft will offer a security patch for IE fairly quickly outside of their normal security patch release cycle. After all, a couple of months ago they did exactly just that for a serious browser flaw in IE 6.01 SP1.

You folks are forgetting that Microsoft does take the security alerts from Secunia very seriously, as they should be. I expect a patch to be available within 5-8 days from now.

Re:admin privilege req'd

[Admiral+Burrito]

There's nothing special about systemroot

Famous last words.

What security?

[cpangelich]

Allowing code to download and execute while online is absurd from a security standpoint. Anyone who thinks there is a 'safe' way to allow this is niave.

Re:Funny how the emphasize

[Ben174]

I happen to agree with parent. Shame it got modded down by some bigots. MS is getting better, and the open source community is finally starting to get a taste of the bullying MS has had to tolerate. Only MS is kinda numb to it now and does things their own way.

Re:Funny how the emphasize

[vegaspctech]

I suspect fuzzing a running program probably leads to finding more security holes than looking at source code.

Let's assume you are correct in that more security holes are found by fuzzing a running program than by looking at source code. That is conceding that some security holes are found by looking at source code. The source code for Firefox is freely available. The source code for IE is not. It follows that of the total number of vulnerabilities found, the percentage found by people looking at source code is higher for Firefox than for IE. So all things are not equal and it does not logically follow that the percentage of Firefox vulnerabilities discovered should equal its usage share. Or in other words, you agree. You could have just said so. ;-)

Re:admin privilege req'd

[Hymer]

Sorry dude... a fix for this one is on M$ site...

Not IE7, but LYNX on Win32...

[quarkscat]

Which will also negate the need for more bandwidth so sorely lacking in the USA. Nothing quite like killing two birds with one stone.

Tweak to start FF faster

[bsquizzato]

Type about:config in the URL bar, then scroll down to a line that says "browser.turbo.enabled". Double click on that value and change it from false to true. It speeds up the start and performance somehow (not exactly sure how)

Fix for the Firefox bookmarks thing

[InvisiBill]

PlainOldFavorites will give you a "Favorites" menu in Firefox, which directly accesses your IE favorites. It's a bit slow, but it will provide identical-to-IE favorites inside Firefox, even if for nothing other than fixing the arrangement of the imported stuff.

SP2 is affected

[InvisiBill]

... according to the eWeek article from the 13th. They also say it goes back as far as NT4, but 2k3 isn't mentioned at all.

It's time to pull MS IE off the shelves

[WillAffleckUW]

until they fix the bug. ...

What, it's what MSFT was saying about Firefox ... isn't that a reasonable response?

Good thing I use Opera and Firefox ...

Re:integration at it's worst or do we upgrade?

[WillAffleckUW]

MSFT's integration of their web browser into everything has backfired. You can no longer just *issue* a fix because you'd affect thousands of production level computers.

So, does this mean that the fix for this flaw is to totally replace Win every time there is an IE flaw?

Ooh, i can smell the upgrade fees ...

Not exactly...

[lpq]

I don't believe this to be literally true -- UNLESS you always start IE within the first few minutes of a reboot. MS-XP monitors your boot and some segment of time after a reboot to determine your most likely startup drivers and programs. If you always load IE, immediately on reboot, it will end up being preloaded -- if you always load T-bird, it benefits some as well (as I've noticed in my own usage). The same would go for FF, but both T-bird and Firefox are large apps, and the space on disk MS reserves for startup programs (it reserves a large contiguous area on disk that it can read into memory at boot with one big read (ideally)) is of a fixed size. I doubt all of even T-bird, let alone T-bird+FF would fit after it has stored the OS, used drivers, the login/authentication code, the "Shell (GUI)", security & other tray add-ons.

IE benefits over FF simply because of "DLL" re-use. IE and Explorer use the same HTML rendering and display libraries -- so if explorer has been loaded and asked to display HTML content (folders with "common tasks", active desktop background, probably others), those librarys are already in memory.

Firefox suffers in this area because the project "re-invents the wheel" so their "wheel" can be used across several platforms. This is most easily seen with on the HTML display panels, where FF correctly renders some pages that IE won't, but also FF's smooth scroll function isn't as smooth as IE's native/built-in. As long as FF and T-bird don't use any local-OS libraries that may already be loaded in shared memory (as Konquorer might benefit on Linux from similar effects vs. FF on a KDE desktop), they will be at a disadvantage compared to those programs that share the same code.

-l

read your posts before hitting send

[alizard]

While Internet Explorer is overly integrated into the operating system, the fact that your computer can access the internet means that your OS is on the internet too. Just that doing so with IE is believed to be more dangerious.

You just stated the reason why everyone qualified to have an opinion not on the MS payroll directly or indirectly believes using IE to be more dangerous. Back when I was using Windows as a primary OS, the second thing I did after installing it was to use 98lite to remove IE completely from the OS. The first, of course, was zapping Active Desktop.