'Lower Rights' IE 7.0 Coming
blacktop writes "eWeek has official confirmation from a Microsoft vice president that the upcoming Internet Explorer 7.0 browser upgrade will ship with reduced privilege mode turned on by default to help thwart browser-based attacks. In addition to anti-phishing and anti-spoofing features, IE 7.0 will add support for IDN (International Domain Names), built-in RSS and seamless search that will include choices of search providers."
...just some of the key features of Firefox and Safari?
Butthead Vendor
Microsoft may be a bit slow to get there, but they'll get there in the end.
So what will Microsoft be offering in IE7 that is new, and not just a take on Mozilla/Firefox/Opera?
It seems to me that Microsoft is only playing catch up, has invention died over in Redmond?
Why would people move back to IE even after the release of IE7? I'm guessing they won't and this is for those that won't or can't move from IE.
People will notice that all of MS's "New Features" have been in OSS for years.
In addition to anti-phishing and anti-spoofing features, IE 7.0 will add support for IDN
Huh? Didn't we have a story not a long time ago about IDN being a target for phishing?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Hmm let me guess, this 'less-privileged' IE "user" will be unable to install 3rd party apps & addons (let's call them "plug-ins").
...... you guys know the rest of the story.
Idiot #1: I want to install these smile-themes and weather app, but IE won't let me. It says that these "plug-ins" are unsafe and operate at a higher privilege level. I don't know what that means BUT I WANT MY SMILES!
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
I remember about 6 or 7 years ago when I was switching from Netscape 3 to IE 4 that there was a huge argument over whether Netscape 4 or IE 4 was the better product. The step up from versions 3 was significant.
Lately, having switched to Firefox to avoid rampant security issues, I feel fairly comfortable with this browser. There are some things that I wish were better like better Googlebar and better plug-in handling, but am pretty happy with it.
So with IE7, what's the draw? What features will it have that will encourage me to jump ship again? The feature list doesn't impress me as much as the jump from Netscape 3 to IE 4 did. And security is not an issue with Firefox, so that's not a good enough reason.
I guess I'll just have to download the mandatory Critical Update and try out the browser for myself.
This is the problem with Microsoft. They're capable of making a good product when they want to, but they throw their weight around and make it the only product on the market. After this, what incentive do they have to continue to make their product better or keep it up to date? IE hadn't changed forever and didn't look like it ever would until people started using Firefox.
I don't mind MS trying to make a product for every single aspect of the computer world (and occasionally beyond) but when they use their huge bank account and the huge Windows customer base to become monopolistic and the only product out there, it really hurts the consumers more than anyone else in the end.
Too little, too late, perhaps? Why has it taken Microsoft over 5 years (and counting) to release an upgraded version of IE? Oh well, I want to thank Microsoft, because the only browser I used on my WinXP boxes was IE...then FireFox came out.
Yes, I admit it, I used to be an IE user...but now, I will never go back. For once when you see the great bird that showers fire and thunder at the masses, then you know that the forces of Mammon will never succeed at world domination.
about:mozilla
IGB: More fun than eating oatmeal!
If IE came pre-loaded with the most popular plugins (Flash, Quicktime), so that the majority of people would have no reason to ever turn off the reduced privilege mode, as opposed to turning it off several times soon after they have gotten their initial installation, it may work. If people are immediately conditioned that turning off reduced privilege mode is something that you need to do in order to get your browser to work right, then this will do nothing.
Of course, simply never allowing write-access to anything but /cookies-and-bookmarks on a kernel-level might help too
-- 'The' Lord and Master Bitman On High, Master Of All
That's the web designer's fault. You should scream '@ media print' or "media=print" every time you see him. Actually I'm curious if this will break the nicely coded CSS I've done to make pages print as they should?
You know damn well the default start page is going to default to msn search and nobody is going to change it. If google was going to be a leader and remain a leader it should have as I said all along been pushing firefox like a mad man. Instead they are about to learn the same lesson Netscape did the hard way. If the market share of the users have a msn search start page and I am an advertiser where am I going to spend my dollars?
I love google, it is going to be sad to see them go.
Got Code?
If they're thinking of running IE as a less-priv user, then that's closer to the mark. When people are tricked, an exploit is used, or they outright say, "install this, yes I agree to have you screw with me," then you better hope that app doesn't have rights to HKLM\Software\Microsoft\Run and C:\WINDOWS\SYSTEM32.
Of course if IE7 does run with a less-priv user, there's the risk that all of us in the well-oiled IT shops, already running as less-priv users, will have more and more spyware developed to target us, rather than all the truckloads of spyware that just assume they have full access to the system once they start executing.
I don't really care if a seamless user experience is lost. There's no distinction between seamless installation of a helpful plugin or seamless installation of spyware.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Shoulda, woulda, coulda ... I agree.
But you have to realize there's always going to be some "sharing". Look at Firefox -- XUL, Java Applets, Flash or custom plugins -- all of these have been used to "break out" of the browser and infect the local machine. You could gimp your browser, but the real answer is probably some better form of OS access controls.
Whenever I hear the word 'Innovation', I reach for my pistol.
What's with the language curmudgeon? Words get verbed all the time. There's nothing wrong with it; it's been happening for at least as long as people have been speaking English.
Consider these nouns which got verbed (or perhaps they're verbs which got nouned?):
Walk, run, shop, sleep, look, smell, call, visit, drive, kill, drink....
Are all of these bad as well?
Remember how Microsoft said that Internet Explorer is a fundamental part of the operating system and cannot be removed? Well, this is what happens when you integrate the most security-vulnerable software on any OS (the browser) directly with the OS, then have everyone run as a full-privilege account by default.
See, what makes it so bad is that IE has such deep hooks into the OS that cracking into IE is effectively the same as getting a root shell. Now we've seen that Microsoft's insistence on forcing a web browser into the OS at any cost is having detrimental effects on security.
There are, of course, security exploits for lots of other browsers, but since IE has such tight integration with the rest of the OS, the stakes are much higher. Breaking into IE is to breaking into Firefox as breaking into a house is to breaking into a tool shed.
If it's not one thing it's your mother.
and damned if they don't. It doesn't really matter one way or the other, because they're already in hell. And (as is true of humans), they are there because they chose to go there.
See, Microsoft started by creating "features" (like ActiveX on the web) that are horrible security ideas. Now they are trying to fix things. But they can't make it really secure (remove the feature), because too many web sites depend on it. So they have to try to fix the security without removing the features, and are coming up with all these layers of band-aids.
Moral to the story: Don't create "features" that are gaping security holes in the first place.
Anyone heard if Firefox is going to implement a true solution? Turning it off is just not acceptable.
The only thing that turning it off does, is remove chances of spoofing a URL that has no international characters at the cost of increasing the spoofing risk of those that genuinely use international characters in their domain name (and YES those are needed. Not everybody speaks, nor wishes to speak, English).
The result of the current solution is that pages with genuine foreign characters show up as punycode, that is to say: "gibberish". Gibberish is very easy to spoof. If I have to distinguish between http://www.xn--espaa-rta.com/ or http://www.xn--espa-rta.com/ or http://www.xn--espaa--rta.com/ or http://www.xn--espaaa-rta.com/ I could easily be fooled. There are URLs that are much much more cryptic than this simple one, but it makes a good point. All a phisher has to do is use a URL that looks like one of those, with . Turning it off is NOT the solution. Maybe showing the proper URL (i.e. http://www.españa.com) but with a different color (for instance red) as a warning. Or make it pulsating or something to warn us that it contains IDN characters, and on a mouseover have a little popup showing that punycode text that corresponds to it. This should make it easy to spot the spoofed address that should not contain IDN characters (or not the ones expected), without making it so much easier to spoof the ones that do use them legitimately.
Because, once again, punycode is EXTREMELY easy to spoof. Long strings of apparently meaningless gibberish are hard for the brain to assimilate. A simple name when properly rendered now instead looks as difficult to remember, and distinguish from a spoofed address, as a purely numerical URL. It is NOT a solution, only a temporary patch.
I will therefore suggest that the IDN spoofing vulnerability is STILL present in Firefox. The type of URLs likely to be spoofed are the only difference.
I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
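Added example, not part of any comment in this thread and not code from any browser: a sketch of the display policy the preceding comment proposes, which renders IDN labels in Unicode, flags that the name contains them, and keeps the punycode form available. It goes one step beyond the comment by also flagging labels that mix scripts; the function names and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a punycode-encoded DNS label

def decode_label(label):
    """Unicode form of one DNS label; ASCII and undecodable labels pass through."""
    if label.lower().startswith(ACE_PREFIX):
        try:
            return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: show it exactly as received
    return label

def encode_label(label):
    """On-the-wire (punycode) form of one label."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts of the letters in a label, read from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def describe(hostname):
    """Everything an address bar needs: both forms plus the warning flags."""
    labels = [decode_label(part) for part in hostname.split(".")]
    return {
        "unicode": ".".join(labels),                          # what to display
        "punycode": ".".join(encode_label(l) for l in labels),  # for the tooltip
        "is_idn": any(not l.isascii() for l in labels),       # colour the URL
        "mixed_script": any(len(scripts(l)) > 1 for l in labels),
    }

# Constructed samples: the hostname from the comment, a plain ASCII name,
# and a label whose first letter is Cyrillic U+0435 instead of Latin "e".
SAMPLES = ["www.xn--espaa-rta.com", "www.example.com", "www.\u0435xample.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(describe(host))
```
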
By extension, you should have a separate computer that is connected to the internet with no hooks whatsoever to the computer you use to run your tax form preparation program, write your letters, balance your checkbook, etc. Oh, what's that? You want to e-file? You want to send e-mail? You want to bank online?
Integration may be scary, but it isn't something you should intellectually shy away from. Convenience and security have always been at odds, and I don't see that changing any time soon. The balance between them isn't a zero-sum-game, however, and the solution, IMO, isn't to discard all notions of integrated solutions, even if they are less secure in the short term. We need to keep moving forward, not idolize some rose-colored past that never existed.
This Sig Kills Fascists