Slashdot Mirror


Zero-Day Team Launches with Emergency IE Patch

Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."

157 comments

  1. Microsoft would have fixed this in 3 days by Rik+Sweeney · · Score: 5, Insightful
    1. Re:Microsoft would have fixed this in 3 days by Bootvis · · Score: 1

      You can be pretty sure that patch was already made and added some extra obfuscation.

      --
      Read, refresh, repeat.
  2. AUGH! STOP SAYING ATTACKS! by Anonymous Coward · · Score: 0, Funny

    Attacking the attacks on attacks by attackers who attack with attacks!?

  3. This just in... by eko33 · · Score: 1

    Third-party security vendor discovered in malware distribution scam!

    1. Re:This just in... by techpawn · · Score: 1, Insightful

      Ahh. Example of no good deed goes unpunished. I might not install them on my machine, but, if someone wants to clean up the mess after Tuesday's party, I say go for it.

      --
      Ask not what you can do for your country. Ask what your country did to you
  4. Spyware Thursday by Yahma · · Score: 3, Insightful

    So we now have Patch Tuesday, Exploit Wednesday, and now what? Spyware Thursday..?

    The majority of exploits could be stopped if Windows users switched to Firefox. However, getting Joe User to switch from IE to firefox is difficult, especially when he perceives no problems with IE. The majority of exploits in the wild today hide themselves from the user, and turn their machine into a Zombie node without their knowledge. Because Joe User doesn't know anything is wrong with his computer, he keeps using his unpatched IE and helps spread the exploit even further.

    Yahma

    Try http://www.blastproxy.com/ for a fast, free and anonymous proxy to bypass firewalls at work & school
    Try http://www.mortgagetricks.info/ for free tips, tricks and advice on how to get a low mortgage rate.

    1. Re:Spyware Thursday by Billosaur · · Score: 1

      The majority of exploits could be stopped if Windows users switched to Firefox.

      This would also have the added effect of reducing the number of Slashdot posts vilifying IE.

      --
      GetOuttaMySpace - The Anti-Social Network
    2. Re:Spyware Thursday by iPodUser · · Score: 3, Insightful

      In my experience, it is not hard to convince "Joe User" to switch browsers. All I have to do is say: "ooh look tabbed browsing." If that fails, use "ooh look! Themes!" and they capitulate.
      However, you correctly identified what the real problem is: Uneducated users. Once someone gives them a good talking to, they usually see the light. It's just hard (impossible) to reach all of the uninitiated noobs out there.

      --
      This space intentionally left blank.
    3. Re:Spyware Thursday by Aladrin · · Score: 1

      You make a good point, but take it a step further... The same people that can't be bothered to switch from IE to Firefox or Opera won't bother to patch IE with a third-party patch, either, even if they knew it existed! And even as an experienced computer user, I would not install a third party patch to IE without being insanely sure of the integrity of this group.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    4. Re:Spyware Thursday by compro01 · · Score: 1

      well, honestly, remove the IE icon from the desktop, put the firefox icon where the IE icon goes, and most users i know wouldn't know the difference.

      if they do, direct them to the themes download section or to the useless extensions. that'll get em to switch.

      --
      upon the advice of my lawyer, i have no sig at this time
    5. Re:Spyware Thursday by tacocat · · Score: 3, Insightful

      Never seen that happen. They don't want the "good talking to". They just want their stuff to work the way they are used to seeing it.

      Changing from MSIE to Firefox means you have to re-learn how to navigate around the browser. My wife went from Linux/Firefox to Apple/Safari and after a month she's bothered to figure out how to save bookmarks. She doesn't care about tabbed browsing settings or anything else. I think she's fairly typical in that she uses

      I cite this as one example of many.

      Not everyone is in love with their computer.

      The conversion of my family hasn't been because of a good talking to. It's been because I simply won't allow a Windows machine in the house. They've learned how to use Linux and Apple nicely enough and in some cases prefer to do their school work on Linux/Apple.

    6. Re:Spyware Thursday by Anonymous Coward · · Score: 1, Funny

      Useless posts yeah, they just rock.

    7. Re:Spyware Thursday by Anonymous Coward · · Score: 1, Insightful

      Funny that the switching to FireFox will not kill all issues. Maybe you aren't educated (since everyone on here thinks that if you are using IE then you are uneducated) enough to remember that the WMF exploit also affected FireFox on Windows? Why not take them all the way and tell them to use *nix instead?

      I'm just tired of the people who really think that going to FireFox will make them 100% secure when it doesn't.

    8. Re:Spyware Thursday by 0x15e · · Score: 1

      This is absolutely right.

      A few months ago, I got tired of fixing spyware problems on my wife's grandparents' computer and replaced IE with Firefox. I haven't heard a peep from them about spyware since.

      Apparently the transition was smooth enough that they haven't even noticed a functional difference or at least haven't realized the significance of using some other browser. Yesterday I got a panicked email asking if I was going to have to fix anything because of this "0 Day Attack" they've been hearing about. It was *so* nice not to just be able to remind them I switched their browser a while back and IE problems aren't their problems any more.

      Unless, of course, someone switched them back ... oh God I need to check on that.

    9. Re:Spyware Thursday by mmell · · Score: 1

      It's even worse than that. My son-in-law is quite clear that as long as a black-hat doesn't prevent him from doing what he wants with his computer, he doesn't care what use said black hat puts his machine to without his knowledge or consent.

      Last time his broadband broke, I refused to fix it. His machine is now completely secure from internet exploits! Apologies to my daughter - she didn't care one way or the other, so neither do I. Educational attempts rapidly turned into arguments which I don't feel the need to indulge in.

      Oh, and their modem doesn't work (or so I'm told). Oh, well.

    10. Re:Spyware Thursday by kimvette · · Score: 1

      Right. Joe Sixpack won't stop using MSIE until his computer is so infested it takes 5 minutes to log in and his four-year-old daughter is getting inundated with pr0n popup ads, then after finding out what it costs to fully clean a machine (or wipe and reinstall, potentially losing data), only THEN will he listen and start using firefox.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    11. Re:Spyware Thursday by Anonymous Coward · · Score: 0

      In my experience, it is not hard to convince "Joe User" to switch browsers. All I have to do is say: "ooh look tabbed browsing." If that fails, use "ooh look! Themes!" and they capitulate.

      How about 'ooh look! Your bank details on their way to some unknown person in Russia!'

    12. Re:Spyware Thursday by Anonymous Coward · · Score: 0

      My son-in-law is quite clear that as long as a black-hat doesn't prevent him from doing what he wants with his computer, he doesn't care what use said black hat puts his machine to without his knowledge or consent.

      Have you tried the line "So you don't mind having someone else's Kiddie Porn residing on your computer then?"

      That should work with most people.

    13. Re:Spyware Thursday by Sarisar · · Score: 2, Insightful

      It's even worse than that. My son-in-law is quite clear that as long as a black-hat doesn't prevent him from doing what he wants with his computer, he doesn't care what use said black hat puts his machine to without his knowledge or consent.

      Bugs me when people don't care about this. I ask if they will mind when the cops turn up on the doorstep asking about child porn on their computer. OK probably ain't gonna happen but mentioning either that or terrorism can get people's attention.

      Yes I know I'm lowering myself to the same standards as the government

    14. Re:Spyware Thursday by tjansen · · Score: 1, Informative

      If the majority of users use Firefox, then Firefox becomes the target of those hackers. Firefox is written in C++ just like IE. There is no superior technology or anything that would help to make Firefox inherently more secure. Sure, there are many eyeballs to check the source for security leaks, but the bad guys will also be able to use the source then. So far publicized sources have not prevented software from having exploitable security leaks. The Mozilla guys may offer more frequent patches (which would increase security, but reduce reliability..), but this will not solve the problem itself.

    15. Re:Spyware Thursday by Joe+The+Dragon · · Score: 1

      real problem is web sites that only work with IE and the parts of the windows os that use IE code.
      Also M$ needs to drop the fixed update days.

    16. Re:Spyware Thursday by Anonymous Coward · · Score: 0

      So we now have Patch Tuesday, Exploit Wednesday, and now what? Spyware Thursday..?

      No. Vulnerability since day 1. Exploit since Monday. Worm/spyware by next Wednesday. Over a month and still waiting for a patch.

      There are currently many known exploits in IE. It's almost certainly the same with Firefox (although searching bugzilla for them won't necessarily work since being "open" about known exploits that have yet to be patched is "bad"). It's easier to fix bugs in Firefox, however. Not that that really justifies the bugs in the first place.

      Open source isn't a panacea, and open source doesn't work when people aren't open. Most people (me included) are too lazy to fix all the known bugs in software. But it'd be nice to actually know about the bugs by people reporting the news about them, since that'd make it at least possible for people to try to react without having to do all the leg work themselves. But then, journalists seem lazy too; or am I wrong that there aren't many true journalists when it comes to computer news? Certainly it'd be nice to really know just how secure the black hats and the white hats and the gray hats think, because of evidence they have, the programs people regularly use are. And it'd be nice if those bugs were patched fast enough by someone and the updates released frequently enough by someone in a fashion that was easy to install for near everyone that even the most lazy would be protected.

      But that's all pie-in-the-sky stuff. I'd just be happy, for the moment, if more people realized, including the parent, that if anything the exploit comes first far too regularly even if the spyware manages to only come after the patch (quite possibly because too many people didn't install previous patches or some other unpatched bug was focused more heavily on). Maybe some day we'll see some actual stats to figure out what really is going on.

    17. Re:Spyware Thursday by teh_chrizzle · · Score: 0, Offtopic

      i used to work on the helpdesk of a large manufacturer of insulation. they took two weeks to "test" MS patches before deploying them. i use the term test rather loosely, since the testing went something like this:

      • phase 1: "steve, install the new updates on your PC."
      • phase 2: "hey steve, did your PC blow up from those updates?"
      • phase 3: "hey steve, go ahead and roll out those updates to 10,000 PCs scattered across the continental united states."

      they did the rollouts on monday as part of the users' login scripts. monday morning just happens to be when everyone is returning from vacations, or business trips, or delivering the world's most important report/proposal/presentation. everyone got 4 chances to cancel those updates before they were forced to install. so the monday after "patch tuesday" was called "crippled network monday" and if you do the math, 4 cancellations means the stragglers got updated on "force-it friday", when everyone was getting ready to go on vacations, business trips, and preparing to deliver the world's most important report/proposal/presentation.

      --
      sarcasm:
      -noun
      1. harsh or bitter derision or irony.
    18. Re:Spyware Thursday by OverlordQ · · Score: 1

      What the fuck does a web proxy and mortgage 'tricks' have to do with the story? Put that shit in your sig.

      --
      Your hair look like poop, Bob! - Wanker.
    19. Re:Spyware Thursday by Anonymous Coward · · Score: 0

      The real problem isn't that people use IE and it contains vulnerabilities, it's that the typical user lacks the knowledge to protect themselves in the first place. On a typical WindowsXP install, browser security is present, but largely disabled. Anything that wants to run is allowed to do so without user consent. This is because people don't know what the "Do you want to install Macromedia Flash 8.0" dialog means and they get worried that something bad happened or is going to happen. Upon seeing these benign words, every hacker movie ever made runs through the user's mind and in a panic they pull the cord for fear their bank account has already been compromised and drained of funds.

      If security is upped, the user has to deal with accepting content from different sources, confirming actions that might put them at risk; but this necessitates knowledge of what they are doing. Users don't want that, they just want to plug it in, turn it on, and have it work.

      Some users want more; they can secure themselves against these exploits. No, I'm not defending the existence of these exploits, but what are you doing that you are exposing yourself to malicious software in the first place? If displaying arbitrary content from random sites that you haven't screened is acceptable to you, you are also probably the type of person that will run executables that are "cleverly" disguised as images. If you're such a guru shouldn't you use your own actions to avoid and protect against malicious content and not rely on third party software? No software is perfect,

      I run a few Windows boxes that, lo and behold, haven't been zombified yet, despite running a number of web-based services and being used for extensive browsing. Somehow firewalls, security settings, and intelligent use have shielded me from the plethora of malicious programs that apparently have such an easy time taking over Windows boxes.

      The only victims are those that want to be or don't know better; and a more secure browser isn't going to make the ignorant less ignorant, all it does is reinforce the notion that behavior is unrelated to security.

    20. Re:Spyware Thursday by Anonymous Coward · · Score: 0

      Is anybody reading slashdot truly stupid enough to believe that if Firefox had an 80% market share it wouldn't be just as readily targeted and exploited? It is really easy to wagon jump, and that's fine based on performance and features, especially if a feature is security. But rest assured that magic guaranteed security is itself a feature of low adoption, and an illusion. Firefox is definitely getting popular, it doesn't even hang or die much anymore. Keep in mind that it only takes 1 exploit to destroy a user's machine and either destroy or steal their data. Would you rather have a gun to your head with 1 bullet in it, or with 15? Can you answer that seriously?

      Firefox, god's answer to the internet, shoots lightning bolts outta its arse. Safe beyond safe, if you're a sucker.

      2005
      http://blogs.zdnet.com/Ou/index.php?p=103

      2006
      http://www.informationweek.com/news/showArticle.jhtml?articleID=179101966
      http://sunbeltblog.blogspot.com/2006/04/pssstyou-wanna-see-firefox-exploit-in.html
      http://www.eweek.com/article2/0,1759,1814056,00.asp
      http://www.xatrix.org/article.php?s=4447
      http://www.techworld.com/security/news/index.cfm?newsID=6554&pagtype=all
      http://hackcraft.wordpress.com/2006/08/02/firefox-exploit-exposed-by-hackers/

    21. Re:Spyware Thursday by Gilmoure · · Score: 1

      Here at work, we're stuck with IE due to the fact that a lot of the web apps we use are IE 6/MS JVM only. Until the CTO wants to address this, fecking web programmers will keep turning out these shit sites. We look at the help desk stats and almost half the calls are IE related. The rest are mostly Outlook freak outs. Truly the Budweiser of software.

      Oh well, at least on the Mac side, Firefox is the approved browser here. Windows users hate it when we tell them that yes, Firefox is supported, if you use a Mac, however we cannot support it if you use it on Windows.

      --
      I drank what? -- Socrates
    22. Re:Spyware Thursday by mysticgoat · · Score: 5, Insightful

      There is no superior technology or anything that would help to make Firefox inherently more secure.

      Uh, not quite.

      MSIE was rewritten in the mid 1990s so that core modules became an integral part of the Windows OS. It is generally recognized that maintaining a wall between OS and app is good engineering, partly because it avoids many difficult security issues. This is especially true when the application is an interface to the outside world that by nature cannot be secured, like a browser. MS in its wisdom determined that the immediate courtroom benefits of knocking that wall down outweighed the security and maintenance concerns. This was a central part of their defense strategy against lawsuits brought by Netscape and others.

      So yes, Firefox's implementation of the available technology is inherently more secure. Firefox preserves the wall between itself and the OS, and is not a superhighway into the core of the OS, the way today's MSIE is.

    23. Re:Spyware Thursday by Penguinisto · · Score: 1

      "However, getting Joe User to switch from IE to firefox is difficult, especially when he perceives no problems with IE."

      Not really... Months ago, I removed all the IE shortcuts from my g/f's machine and changed the Firefox desktop icon to the one with that big blue "e"... she didn't notice it until last week. Once I got done catching Hell for it and explained to her why I did it, she decided that it worked well enough anyway. I changed the icons back, and she's been using FF ever since. It's not that she's unintelligent or anything, it's just that she's an ordinary user as far as computer skills, and apparently the normal user's computer habits seem to take a very long time to self-audit, as it were.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    24. Re:Spyware Thursday by tjansen · · Score: 1

      What kind of "integral part" is it? Is IE part of the kernel or win32?

      I don't know much about IE's architecture, but AFAIK the rendering engine is just a DLL (or a couple of DLLs) that ship with the OS. I don't see why DLLs that ship with the OS should be less secure than DLLs that ship separately.

      Admittedly, if some parts of the OS (like built-in applications) use those DLLs they will be automatically affected by any security problems that may show up in the rendering engine. But if you would be able to exchange the OS's default rendering engine, and the majority of users would switch to Gecko, you'd have exactly the same problem.

    25. Re:Spyware Thursday by toadlife · · Score: 1

      MSIE was rewritten in the mid 1990s so that core modules became an integral part of the Windows OS. It is generally recognized that maintaining a wall between OS and app is good engineering, partly because it avoids many difficult security issues.

      Define "OS". Internet Explorer uses a set of core libraries that are also used by other components that come with Windows, such as explorer, MMC, help, etc. This was done to make life easier for programmers, and it does what it was intended to do. Shared libraries are a common occurrence in all operating environments. KDE and gnome both make heavy use of shared libraries and flaws in these libraries can lead to exploitation of any program that uses them. OSX (webcore/webkit I think?) also does the same exact thing.

      "Firefox preserves the wall between itself and the OS, and is not a superhighway into the core of the OS, the way today's MSIE is."

      This is one of the biggest myths about IE. IE does not have any more access to the OS than the person running it does. The same goes for firefox or any other browser.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    26. Re:Spyware Thursday by brndn · · Score: 1

      ok mYSTIC GOAT HAHAA

    27. Re:Spyware Thursday by Anonymous Coward · · Score: 0

      MSIE was rewritten in the mid 1990s

      WTF are you talking about?!?!? Win95, released at the _end_ of 1995 did not include a web browser. One had to use mosaic, netscape, or spyglass. Microsoft couldn't figure out how to use cookies in their inhouse browser code they started, so they licensed code from spyglass (I think it was spyglass). IE 1.0 was born. The rewrite was a couple years later when they realized they had to cut off Netscape's oxygen supply.

    28. Re:Spyware Thursday by mysticgoat · · Score: 1

      What kind of "integral part" is it? Is IE part of the kernel or win32?

      How would answering these taxonomic questions advance anyone's understanding of the issues being addressed in this thread? You appear to be substituting a semantic quibble for substance.

      I don't see why DLLs that ship with the OS should be less secure than DLLs that ship separately.

      It isn't a matter of when the modules ship. It is a concern about appropriately partitioning computer resources so that the impact of any exploitable bug would be limited to just the application space. This is done with the Gecko browsers, was done with Netscape before them, and was central to the construction of the first Mosaic browser.

      But if you would be able to exchange the OS's default rendering engine

      Then you would be repeating MS's mistake and you'd deserve the piece of crap you would end up with.

      Check out "cross coupling" and the evils thereof.

    29. Re:Spyware Thursday by tjansen · · Score: 1

      How would answering these taxonomic questions advance anyone's understanding of the issues being addressed in this thread?

      You speak in very abstract terms, and you imply that IE runs differently than a regular user-space library would. I doubt that, but am not sure, as I don't know IE's exact architecture. That's why I am asking.
      Because if IE is running like any other user-space library, then there is no difference between Firefox/Gecko and IE, beside that one of them is on the same CD as the rest of the OS, and the other is not.

    30. Re:Spyware Thursday by mysticgoat · · Score: 1

      You speak in very abstract terms, and you imply that IE runs differently than a regular user-space library would.

      I have implied nothing like that. I have emphatically asserted that this is so.

    31. Re:Spyware Thursday by toadlife · · Score: 1

      I have implied nothing like that. I have emphatically asserted that this is so.

      And you are 100% wrong in your assertion.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    32. Re:Spyware Thursday by LordSnooty · · Score: 1

      Maybe this "dark horse" patching group should instead concentrate on releasing their own exploits that DISABLE Joe Bloggs' computer, that would soon galvanise him into action. As you pointed out, the blackhat stuff installs itself stealthily and the user could be none the wiser. But he'll soon do something if instead of getting his desktop he gets a message telling him his computer is insecure and he cannot use it until he takes these steps. It could even download & install Firefox for him.

  5. The proprietary software industry by Anonymous Coward · · Score: 0

    where customers do the work the major companies suck at, these guys need to file for more patents. We all know that nothing innovates better customer service and support than a bunch of fat lazy execs with a patent revenue stream!

  6. time better spent elsewhere by Anonymous Coward · · Score: 3, Insightful

    Their time would be better spent on improving Free Software instead of trying to plug holes of closed-source software. Microsoft does not appreciate help like this.

    1. Re:time better spent elsewhere by mdpye · · Score: 2, Insightful

      Their time would be better spent on improving Free Software instead of trying to plug holes of closed-source software. Microsoft does not appreciate help like this.

      They don't expect MS to appreciate this, if anything they probably want to embarrass them. They are trying to help the customers who have been abandoned by MS. Of course the value of that is also debatable, but if you RTFA they are concerned about the effects such exploits have on the general Internet populace in terms of SPAM, worm traffic, DDOS opportunities and so on, which has implications for those who are not infected as well as those who are.

    2. Re:time better spent elsewhere by compro01 · · Score: 1

      i don't imagine they're trying to get on microsoft's good side. i would think that they're basically trying to annoy them, as in "hey! we're a little team of upstarts and we fixed the hole faster than the big guys!".

      --
      upon the advice of my lawyer, i have no sig at this time
    3. Re:time better spent elsewhere by Anonymous Coward · · Score: 0

      "They are trying to help the customers who have been abandoned by MS."

      But who's going to install this? Joe Sixpack won't know about it, never mind where to get it. And I don't know any sysadmin who would apply a 3rd party patch company-wide unless there was some sort of overwhelming emergency. That leaves people like Slashdot readers who, if they've any sense, aren't using IE anyway.

    4. Re:time better spent elsewhere by smitingpurpleemu · · Score: 1

      Their objective is to minimize the effect of security holes discovered as 0-days. Since the vast majority (90%+) of people use Windows and MSIE, they need to work on fixing that if they want to see an end to exploits of security bugs.

  7. An even simpler solution by smooth+wombat · · Score: 1

    Don't use Internet Explorer.

    I've had to use IE at a training site this week and it's amazing how cumbersome and clunky it is to use since I've become used to using Firefox. Simple things like being able to scroll down a page before it completely loads, right-clicking and opening a new tab (not window) and just overall speed.

    The use of Firefox, and other browsers, really needs to be pushed to slow and/or prevent these exploits from compromising people's systems. It's an easy solution and doesn't require anything more than downloading an executable.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:An even simpler solution by robpoe · · Score: 4, Informative

      Wish that were the case ..

      I manage several networks .. and on those networks we tried limited rollouts of Firefox ..

      1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but offers us logging (required by law) and it helps with the overloaded internet connection. Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.

      2. IE Only Sites. There's nothing more than I'd love than to put Firefox and remove IE from people's desktop. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down.

      --
      = Grow a brain...
    2. Re:An even simpler solution by Tim+C · · Score: 1

      Simple things like being able to scroll down a page before it completely loads

      One thing that does irritate me about FF is that it won't fill-in username and password fields until the page has completely finished loading (at least not in my Windows/1.5.0.7 install). That's a pain when the site is slow, or includes a slow-to-download third-party resource (I'm looking at you, google analytics...) - do I start typing now, and risk FF filling in stuff alongside it, or just wait?

      No, it's not a big problem, but it's irritating.

    3. Re:An even simpler solution by sxpert · · Score: 1

      that's what adblock is for :D

    4. Re:An even simpler solution by ericlondaits · · Score: 2, Interesting

      IE Only Sites. There's nothing more than I'd love than to put Firefox and remove IE from people's desktop. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down.

      Worst part is, the sites I had problems with so far while using Firefox were all based on Flash. It seems that IE and FF handle screen coordinates differently... so cursors, pull down menus and buttons implemented in Flash might not work OK in FF depending on implementation. This has nothing to do with poor CSS or DHTML implementations.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    5. Re:An even simpler solution by Daemonstar · · Score: 5, Informative

      Comments: 1) Make all outbound port 80 requests be routed via the transparent proxy; there shouldn't be any settings in each workstation's browser. This forces everything through the proxy, no matter what. Add other ports (i.e. 8080, etc.) as appropriate. 2) If Firefox doesn't work with some sites, then install the IE View and IE Tab extensions. You can change the rendering engine for the page in Firefox. Yes, it does use IE, but, that way, your users can view most sites in Firefox without switching applications (99% of the time, anyway). You will still have to keep IE patched.

      --
      I don't reply to Anonymous posts; if you have something to say to me, identify yourself or I won't reply.
    6. Re:An even simpler solution by nithinsujir · · Score: 2, Interesting

      "But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down." I disagree. It just means their BANKING site doesn't pay much importance to security and so it isn't worth it in the long run.

    7. Re:An even simpler solution by jd142 · · Score: 2, Interesting

      Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.

      GPO. Then they can't bypass it because the setting will be re-applied.

      Also, you can edit one of Firefox's files that's just plain text to hide those menu settings. It's been a while since I've done it, but if you do a search for firefox and kiosk you should find the instructions.

    8. Re:An even simpler solution by savala · · Score: 4, Informative
      No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.

      If the .reg file is an adequate solution for IE, then a userChrome.css file that simply sets the relevant preference panel to display: none, and a user.js file to reset the proxy settings at each startup (in case the user knows how to find about:config) should be equally adequate.

      Just went to look it up. They of course didn't bother to tag the groupbox with an id ("grandmothers don't need easily modifiable chrome!" - meh, give me SeaMonkey any day of the week), but you can hide the "connection settings" button with the following rule: #catProxiesButton { display: none !important; }

    9. Re:An even simpler solution by Qzukk · · Score: 1

      and it turns out their BANKING or STOCK site doesn't work

      There are plenty of bank and stock sites out there, and most work fine. Ask them if they'd date someone who wouldn't accept their phonecalls until they switched cellphone providers and joined their "friends plan". If they say they wouldn't, ask them why they accept the same from their bank.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    10. Re:An even simpler solution by Dr_Barnowl · · Score: 2, Informative

      Well, as you point out, one solution is to patch the code for yourself. If IE *didn't* have the feature of being able to selectively disable UI elements, what do you think your chances of successfully badgering Microsoft to implement it would be? An academic question, but one worth thinking about. A less academic thing to think about is the risk of IE infecting your machines, and the extra work required to negate this risk, and to repair damage when it occurs.

      My second suggestion would be to set up a transparent proxy redirecting port 80 traffic through your proxy server. Voila; ALL port 80 traffic now goes through the proxy.

      Or just lock off traffic through port 80, and openly publish the settings for your proxy server.

    11. Re:An even simpler solution by Control+Group · · Score: 1

      But maybe he would, if the person he was dating provided the phone at no cost, the plan at no cost, noted that he could talk to other women on it while they were dating, could use it to pick up other women after they broke up, and that some other particularly attractive women wouldn't accept calls without the change, either.

      But even then, the analogy is flawed. A better question would be:

      Would you divorce your wife if she decided that you had to switch from Sprint to Cingular, it wouldn't cost you anything extra, and while most of your friends are free calls on Sprint, all of them would be free calls on Cingular?

      Of course, if you asked that question, you wouldn't get the answer you wanted.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    12. Re:An even simpler solution by Anonymous Coward · · Score: 0

      Most people don't choose their bank based on whether or not their website is FF friendly.

    13. Re:An even simpler solution by pixelpusher220 · · Score: 2, Informative

      Did you try Googling for your problem?

      'lock firefox proxy settings'

      The first hit is this link:

      Granted it's Mac, but it shows you that Firefox can indeed lock its proxy settings. And without really delving into the article it looks as if it would be very difficult to override by 'non' geeks.


      --
      People in cars cause accidents....accidents in cars cause people :-D
    14. Re:An even simpler solution by pixelpusher220 · · Score: 2, Interesting

      and the second point:

      Firefox plug-in IE View

      Description: Lets you load pages in IE with a single right-click, or mark certain sites to *always* load in IE. Useful for incompatible pages, or cross-browser testing.

      I like the idea that you can tell users, if it doesn't seem to look right, try this...and then have them default the few non-compatible sites to use IE. Trains them that IE is 'different' and Firefox is more standard.


      --
      People in cars cause accidents....accidents in cars cause people :-D
    15. Re:An even simpler solution by vertinox · · Score: 1

      the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work

      Unless they are upper management... Then why are they looking at their Banking or Stock sites at work?!

      As for upper management... Well... They'll just get IE Tab plug in for Firefox.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    16. Re:An even simpler solution by Anonymous Coward · · Score: 0

      Ah yes, GPO. GPO is enabled domain-wide here, but does not successfully apply to my profile.

      Because the GPO policy is copied to the logon user's registry hive before being applied, it is easy to break, despite the fact that that particular key has an ACL that is write only by administrators and system.

      In the case of roving profiles, the user owns ntuser.dat. The answer is obvious.
      In the case of non-roving profiles, ntuser.dat is a local file. The answer is almost as obvious.

    17. Re:An even simpler solution by Anonymous Coward · · Score: 0

      Easy solution: Don't support IE-only sites by visiting them.

    18. Re:An even simpler solution by mrdaveb · · Score: 2, Insightful
      It's a transparent server

      Well it clearly isn't a transparent proxy if you have to configure it at the client end.

      Anyway, if the proxy is compulsory surely you should block all direct web traffic so that it actually is compulsory!
      --
      Homme petit d'homme petit, s'attend, n'avale
    19. Re:An even simpler solution by jafac · · Score: 1

      I'm pretty much the only hardcore Windows guy in a mostly Linux shop. Personally, I'm not a big fan of Microsoft or their business practices, or their technology. But my Linux co-workers are often AMAZED at the stuff I can do using Group Policy to lock down and configure an entire network of desktops.

      Yeah, I wish we could put Open Office and Firefox on all our Windows desktops too. But you can't centrally manage security and configuration of those like you can with MS Office and IE. (Yeah, my customer is completely anal about this - I would hate to have to be a user on these systems, you can run the apps to do your job, and that's all. You can't even adjust the screensaver timeout).

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    20. Re:An even simpler solution by Phroggy · · Score: 3, Informative
      1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but...

      What you're describing is not a transparent proxy server. It's just a normal proxy server, that has to be configured in the browser. A transparent proxy server is where your firewall hijacks all outbound traffic on port 80 and reroutes it to the proxy server's IP without the browser knowing about it. This would solve your problem.

      Another option you may want to look into (it won't help with the issue of users being able to turn it off, but it might make configuration easier) is Web Proxy Automatic Detection (WPAD). Start by making a Proxy Automatic Configuration (PAC) file, which is just a bit of JavaScript code that tells the browser what proxy server to use. For example:

      function FindProxyForURL(url, host) {
          // Don't use a proxy when connecting to local servers
          if(isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
          return "PROXY proxyserver.example.com:3128";
      }

      Put this file on an internal web server. Name the file "wpad.dat", and configure the server to give the MIME type as application/x-ns-proxy-autoconfig, for example:

      <Files wpad.dat>
                      ForceType application/x-ns-proxy-autoconfig
      </Files>

      Now, configure your internal DNS server to add a host "wpad" at whatever domain you're using internally to point to your web server, so that http://wpad/wpad.dat will return the PAC file you've created.

      Finally, to cover all the bases, make it explicit in your DHCP server. Set this global option in dhcpd.conf:

      option wpad code 252 = text;

      Then add this within your subnet declaration:

      option wpad "http://wpad/wpad.dat\n";

      Internet Explorer breaks without the trailing \n. I'm not sure if it has to be \n, or if some other character would work better, but this seems to work just fine.

      Sounds complicated! But just remember, you only have to do this once. Internet Explorer and Firefox will both respect it automatically, out of the box, with no client-side configuration at all. One caveat: Mac OS X does not currently support WPAD; I'm hoping Apple fixes this in 10.5 "Leopard" next spring, but I haven't seen anything official about it. In the meantime, Mac clients have to set the URL of the PAC file manually. WPAD works in Firefox on Mac, but see bug 327381 if you're running it on a laptop (I don't know if that bug applies to Windows as well).
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
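A way to check the PAC logic from the comment above before publishing wpad.dat, as an added example that is not part of the original comment. The browser-supplied `isInNet` and `dnsResolve` are replaced with minimal IPv4 stand-ins; the DNS table, host names and the `loadPac`/`decide` helpers are assumptions made for the example.

```javascript
// The PAC file from the comment, held as text the way a browser would fetch it.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
    // Don't use a proxy when connecting to local servers
    if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
    return "PROXY proxyserver.example.com:3128";
}`;

// Constructed name-to-address table standing in for the browser's DNS lookup.
const SAMPLE_DNS = new Map([
  ["intranet.example.com", "192.168.1.20"],
  ["www.example.org", "203.0.113.10"],
]);

// Parse a dotted-quad IPv4 address to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    n = n * 256 + Number(part);
  }
  return n;
}

// Stand-ins for two of the helpers a browser injects into the PAC sandbox.
function makeHelpers(dnsTable) {
  // IP literals resolve to themselves; unknown names resolve to null.
  const dnsResolve = (host) =>
    ipToInt(host) !== null ? host : dnsTable.get(host.toLowerCase()) ?? null;

  // True when the (resolved) host falls inside pattern/mask.
  const isInNet = (host, pattern, mask) => {
    const addr = dnsResolve(host);
    const a = addr === null ? null : ipToInt(addr);
    const p = ipToInt(pattern);
    const m = ipToInt(mask);
    if (a === null || p === null || m === null) return false;
    // >>> 0 keeps the masked values unsigned so the comparison is exact.
    return ((a & m) >>> 0) === ((p & m) >>> 0);
  };
  return { dnsResolve, isInNet };
}

// Compile the PAC text with the stand-in helpers in scope.
function loadPac(source, dnsTable) {
  const helpers = makeHelpers(dnsTable);
  const factory = new Function(
    "isInNet",
    "dnsResolve",
    source + "\nreturn FindProxyForURL;"
  );
  return factory(helpers.isInNet, helpers.dnsResolve);
}

// Ask the PAC function what it would do for one URL.
function decide(pac, url) {
  return pac(url, new URL(url).hostname);
}

// Decision table for a list of URLs, handy for reviewing a change to the PAC file.
function decideAll(pac, urls) {
  return urls.map((url) => ({ url, route: decide(pac, url) }));
}

const pacUnderTest = loadPac(PAC_SOURCE, SAMPLE_DNS);
for (const row of decideAll(pacUnderTest, [
  "http://192.168.1.20/",
  "http://intranet.example.com/wiki",
  "http://192.168.2.5/",
  "http://www.example.org/",
  "http://nosuchhost.invalid/",
])) {
  console.log(row.route.padEnd(36), row.url);
}
```

A name that does not resolve fails the `isInNet` test and is sent to the proxy, which is the fail-closed behaviour you want from a compulsory proxy.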
    21. Re:An even simpler solution by robpoe · · Score: 1

      Exactly.

      I posted an Ask Slashdot question .. about deploying OOO across a corporate network. The things I needed (such as setting OOO to use .DOC by default, not showing the NAG screen for every user, etc) are stored in XML or TEXT files. Sure, I could do some stupid kludgy thing and modify them for every user who logs in but jeez -- who has the freaking time..

      People who write OSS are going to have to learn something extremely valuable. And learn it from Novell. You can fight Microsoft. You will lose. Your market share will go down the toilet. Or you can make things work all nice and pretty WITH Microsoft - then make your products work BETTER than Microsoft. Novell has learned this. Don't believe me? Check out the newest Zenworks. Or check out that you can run eDirectory / Groupwise / etc on a Windows server (and quite nicely, I might add, too!).

      To emulate Ballmer's chant of "Developers ..", I say

      "Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate, Integrate"...

      --
      = Grow a brain...
    22. Re:An even simpler solution by Shawn+is+an+Asshole · · Score: 3, Informative

      Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code.

      It's actually pretty easy to disable anything in Firefox/Mozilla.

      1. Open Firefox and set the options you want to preconfigure/lock such as the proxy settings.

      2. Look in Firefox's config directory for a file called "prefs.js". Under Linux this is in "~/.mozilla/*.default/". Under Windows, this is in "Application Settings\Mozilla\*.default\". On OS X it's in "Library/Mozilla/Firefox/*.default/".

      3. Copy the file to lock.js and open it in a text editor.

      4. Leave the first line as is (the # line). For any option you want to lock, set "user_pref" to "lockPref". For example:


      # this line is required. don't remove
      lockPref("network.proxy.ftp", "proxy.somemachine.org");
      lockPref("network.proxy.ftp_port", 3128);
      lockPref("network.proxy.http", "proxy.somemachine.org");
      lockPref("network.proxy.http_port", 3128);
      lockPref("network.proxy.ssl", "proxy.somemachine.org");
      lockPref("network.proxy.ssl_port", 3128);


      5. Download moz-byteshift.pl and run it like this:


      moz-byteshift.pl -s13 < lock.js > mozilla.cfg


      6. Copy the mozilla.cfg file to the root of the Firefox install directory. This is "/usr/lib/firefox/" on most Linux distros, and "c:\windows\Program Files\Mozilla Firefox\" on Windows. On OS X it's in the "Firefox.app" directory.

      7. Inside of the Firefox install directory, open the file "greprefs/all.js" and add this line to the bottom:


      pref("general.config.filename", "mozilla.cfg");


      The user can no longer change the proxy settings, or any other setting you choose to lock.

      This works everywhere and options are identical across platforms (except when they include file paths). The only place I haven't had it work is Ubuntu, which apparently does something to break the feature. The method they provide to provide the functionality does not appear to work (I spent a few days googling and trying everything before just disabling the built-in and installing the official build).

      Deploying is easy. All you have to do is copy the greprefs/all.js and mozilla.cfg files to the clients. With WPKG this is trivial. Just make sure only the administrator can write to all.js and mozilla.cfg, also make sure that all users can read the file.

      Here, I'll even help you out with WPKG. Just save "mozilla.cfg" and "greprefs/all.js" as a self-extracting file with 7-Zip:


      <?xml version="1.0" encoding="UTF-8"?>
      <packages>
      <package id="firefox_restrictions" name="Firefox restrictions" revision="20060922" reboot="false" priority="1">
      <depends package-id="firefox" />
      <check type="file" condition="exists" path="%PROGRAMFILES%\Mozilla Firefox\mozilla.cfg" />
      <install cmd='%SOFTWARE%\firefox_restrictions\firefox_restrictions.exe -o"%PROGRAMFILES%\Mozilla Firefox\" -y' />
      </package>
      </packages>


      Any time you need to push new updates out, just change the revision to the current date.

      --
      "It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
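Steps 3 to 5 of the comment above plus an after-deployment check of mozilla.cfg, as an added example that is not part of the original comment and not moz-byteshift.pl itself. It assumes `-s13` adds 13 to every byte modulo 256; the function names, the sample prefs.js and the extra `network.proxy.type` check (a Firefox preference the comment's list does not include) are assumptions made for the example.

```javascript
// Constructed sample of a profile's prefs.js (not taken from a real machine).
const SAMPLE_PREFS_JS = [
  "# Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "http://intranet.example.com/");',
  'user_pref("network.proxy.ftp", "proxy.somemachine.org");',
  'user_pref("network.proxy.ftp_port", 3128);',
  'user_pref("network.proxy.http", "proxy.somemachine.org");',
  'user_pref("network.proxy.http_port", 3128);',
  'user_pref("network.proxy.ssl", "proxy.somemachine.org");',
  'user_pref("network.proxy.ssl_port", 3128);',
  'user_pref("network.proxy.type", 1);',
].join("\n") + "\n";

// The lock.js shown in the comment, reproduced for the audit below.
const PAGE_LOCK_JS = [
  "# this line is required. don't remove",
  'lockPref("network.proxy.ftp", "proxy.somemachine.org");',
  'lockPref("network.proxy.ftp_port", 3128);',
  'lockPref("network.proxy.http", "proxy.somemachine.org");',
  'lockPref("network.proxy.http_port", 3128);',
  'lockPref("network.proxy.ssl", "proxy.somemachine.org");',
  'lockPref("network.proxy.ssl_port", 3128);',
].join("\n") + "\n";

// What the administrator intends to be locked. network.proxy.type = 1
// (manual proxy) is an added assumption, see the lead-in.
const POLICY = {
  "network.proxy.ftp": "proxy.somemachine.org",
  "network.proxy.ftp_port": 3128,
  "network.proxy.http": "proxy.somemachine.org",
  "network.proxy.http_port": 3128,
  "network.proxy.ssl": "proxy.somemachine.org",
  "network.proxy.ssl_port": 3128,
  "network.proxy.type": 1,
};

// Steps 3-4: keep the first line, turn the selected user_pref lines into lockPref.
function toLockJs(prefsText, prefixes) {
  const lines = prefsText.split(/\r?\n/);
  const out = [lines[0]];
  for (const line of lines.slice(1)) {
    const m = /^user_pref\("([^"]+)",\s*(.+)\);\s*$/.exec(line);
    if (m && prefixes.some((p) => m[1].startsWith(p))) {
      out.push(`lockPref("${m[1]}", ${m[2]});`);
    }
  }
  return out.join("\n") + "\n";
}

// Step 5: shift every byte by `shift`, wrapping at 256 (negative shift undoes it).
function byteShift(buf, shift) {
  return Buffer.from(buf.map((b) => (b + shift) & 0xff));
}

function encodeCfg(lockJsText, shift = 13) {
  return byteShift(Buffer.from(lockJsText, "utf8"), shift);
}

function decodeCfg(cfgBuf, shift = 13) {
  return byteShift(cfgBuf, -shift).toString("utf8");
}

// Collect name -> value for every lockPref line in decoded text.
function lockedPrefs(lockJsText) {
  const locked = new Map();
  const re = /^lockPref\("([^"]+)",\s*(.+)\);\s*$/gm;
  let m;
  while ((m = re.exec(lockJsText)) !== null) {
    locked.set(m[1], JSON.parse(m[2]));
  }
  return locked;
}

// Compare a deployed mozilla.cfg against the policy; returns a list of findings.
function auditCfg(cfgBuf, policy) {
  const locked = lockedPrefs(decodeCfg(cfgBuf));
  const problems = [];
  for (const [name, want] of Object.entries(policy)) {
    if (!locked.has(name)) {
      problems.push(`${name}: not locked`);
    } else if (locked.get(name) !== want) {
      problems.push(`${name}: locked to ${JSON.stringify(locked.get(name))}`);
    }
  }
  return problems;
}

const generated = encodeCfg(toLockJs(SAMPLE_PREFS_JS, ["network.proxy."]));
console.log("generated cfg findings:", auditCfg(generated, POLICY));
console.log("comment's lock.js findings:", auditCfg(encodeCfg(PAGE_LOCK_JS), POLICY));
```

Because the byte shift is only obfuscation, the file permissions the comment mentions (administrator-only write on all.js and mozilla.cfg) are what actually keep the lock in place.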
    23. Re:An even simpler solution by pe1chl · · Score: 1

      No way to disable the menu, without going in and re-writing the XUL code.

      This is not true. There certainly is a lot of room for improvement in the Firefox configuration settings management, but what you write can be accomplished by using a locked preferences file.
      (assuming that your users cannot write in the Program Files directory and you install Firefox using some automatic installation system)

    24. Re:An even simpler solution by stripe42 · · Score: 1

      That looks interesting. I'll give it a whirl at home. Thanks for the information.

    25. Re:An even simpler solution by Shawn+is+an+Asshole · · Score: 1
      2. IE Only Sites. There's nothing more than I'd love than to put Firefox and remove IE from people's desktop. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down.


      There is a way to work around that. Here's what I do.

      Install the "IE Tab" extension. Extensions are fairly easy to deploy with WPKG, but I'm not getting into that here. In its options (also easy to deploy) just set the sites that only work with IE to use the IE engine.

      To prevent people from just using that for everything (or plain IE), I set up Squid like this:


      acl msie browser MSIE
      acl msie_approved_sites url_regex "/etc/squid/msie_approved_sites"
      acl windowsupdate dstdomain .windowsupdate.microsoft.com
      deny_info ERR_BAD_BROWSER msie
      http_access allow msie windowsupdate
      http_access allow msie msie_approved_sites
      http_access deny msie


      To do that, you need to create an ERR_BAD_BROWSER file for Squid or it won't start. This method will block IE from accessing anything other than allowed sites. Just add allowed sites to "/etc/squid/msie_approved_sites".

      If you disable changing of proxy settings it's not avoidable (not easily).
      --
      "It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
    26. Re:An even simpler solution by SpiritGod21 · · Score: 1

      IE View

      IE Tab

      User Agent Switcher

      There are plenty of solutions for Firefox for sites that allow IE only. I've heard that the UA switcher is the most invisible, though you do still have to change the UA yourself through the drop down menu. Personally, I prefer IE View. Go to a site that doesn't work, right click and open in IE. One extra click is a small price for better security.

      Concerning proxy connections, I'd almost guarantee there's a solution for you if you look for it.

    27. Re:An even simpler solution by Anonymous Coward · · Score: 0

      So the first step is to convince developers to develop for Firefox.

      It is forgivable that a user doesn't understand the advantages of using Firefox. What is completely unacceptable is that a developer doesn't understand that he needs to code for Firefox compatibility.

    28. Re:An even simpler solution by Anonymous Coward · · Score: 0
      There are plenty of bank and stock sites out there, and most work fine. Ask them if they'd date someone who wouldn't accept their phonecalls until they switched cellphone providers and joined their "friends plan". If they say they wouldn't, ask them why they accept the same from their bank.

      It will take exactly one occurrence of the CEO not being able to transfer an immediately-needed $1000 into his college-age daughter's account for every argument thus far in this thread for FF to be given the same whitewater ride given to dead goldfish.

    29. Re:An even simpler solution by Anonymous Coward · · Score: 0

      At work we make our (Mandrake Firewall --don't ask) the gateway for all computers; transparent proxying with squid. It's set by a dhcp server. Problem solved, no bypassing it.

    30. Re:An even simpler solution by xmundt · · Score: 1

      Greetings and Salutations.
                And I am amazed when I see a pig dance too, even if it IS a clumsy and sad event.
      One good toy does not balance out uncounted failures.
                Regards
                Dave Mundt

      --
      YAB - http://blog.beemandave.com/
    31. Re:An even simpler solution by Anonymous Coward · · Score: 0
      Would you divorce your wife if she decided that you had to switch from Sprint to Cingular, it wouldn't cost you anything extra, and while most of your friends are free calls on Sprint, all of them would be free calls on Cingular?

      No, I'd tell her I was going to use whatever plan I goddamned wanted and that she could either get her own separate carrier or she could divorce me if she wished.

      If you let your wife decide what you have to do in trivial matters like this, you're too pussy-whipped to go to the grocery store alone.

    32. Re:An even simpler solution by Anonymous Coward · · Score: 0

      You can manage Firefox and IE in an Active Directory and lock down both with GPO. To do this you can use FrontMotion's Firefox CE that is GPO aware and can be locked down to use a proxy or a certain default homepage. We use it at our University in the labs and it works great. Link: http://www.frontmotion.com/Firefox/fmfirefox.htm

  8. Who didn't see this coming by George+Beech · · Score: 4, Interesting
    I mean really, it just seems logical if they are only going to patch once a month, then the bad guys will go after every hole that wasn't patched the day after updates are released.

    I'm just amazed that it took this long for it to become big news that this kind of thing is going on.

    1. Re:Who didn't see this coming by joe+155 · · Score: 1

      Indeed, but I think that they could stretch it further, it would depend on their motives. If all I want is profit (which is what the article says is going on) then they could start rolling out the new spyware/malware etc. on Tuesday itself - there just wouldn't be enough time for them to write a fix and test it, so they're still safe. And that's even if they find it the day it comes out.

      If they're doing it for prestige then it could be good for them to start releasing about 10 holes (and make MS know about it) on Sunday/Monday. Firstly, if they do nothing then they can be all over the net saying "ZOMG!!!! I pwnd M$!!!11!!" because MS failed to patch even when they knew something about it. But crucially if they patch the hole and the patch (because they've not had a long time to test it or work on it) it might cause more issues which will be far more embarrassing for MS because it'll be them who are pwning computers via their patches.

      --
      *''I can't believe it's not a hyperlink.''
  9. Surprised by joshetc · · Score: 2, Interesting

    Honestly I'm surprised it took this long for something like this to happen. You patch once a month on a specific day.. obviously they are going to time their attacks for when they will inflict the most damage.

    1. Re:Surprised by ruiner13 · · Score: 1

      No shit. God forbid they should actually patch their stuff when they have a patch available. Last I checked, security wasn't supposed to happen at intervals, it is continually evolving.

      --

      today is spelling optional day.

  10. Alternative: Unregister vgx.dll by Noksagt · · Score: 5, Interesting
    The latest Security Now! episode had information on this exploit. Those who have policies in which they can't install third party patches do have an alternative:
    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    When MS comes out with a patch,
    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
    will re-register it.
  11. Why must the internet be neutropenic? by Control+Group · · Score: 2, Interesting

    This is neat. Kudos to these guys, and I'm glad they're doing what they're doing.

    But it isn't a long-term solution; it still depends on human-speed recognition of the exploit and development of a patch.

    What we need is the spread of viruses/worms/trojans whose payload is the removal of malware. Internet antibodies, as it were. The ultimate goal ought to be an antibody - or, to coin a term, an ant.iBody (ant.eBody?) - software that heuristically determines what is malware and what is legitimate software, preventing the former while allowing the latter and propagates itself across the network.

    Of course, deploying something like that would break all sorts of computer security laws...but it's not like that stops anything else.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
    1. Re:Why must the internet be neutropenic? by aliendisaster · · Score: 1

      You have to think though, if someone did start sending a spread of "internet ant.iBody"'s, how would the average Joe know what was good and what was bad? I wouldn't trust any of them but people will say "oh it's trying to help" and end up downloading god knows what and then bother me cause they get a penis popup every time they start IE.

      --
      Freedom is a state of mind. A mind is a state of being. Stay the fuck out of my mind and my being. - Corporate Avenger
    2. Re:Why must the internet be neutropenic? by giorgiofr · · Score: 1

      I suppose it wouldn't be that hard to buy some 0 days and code a worm that exploits them to virally install some security suite or at least kill the tcp stack of infected machines. But you would need a covert ops team of a few people and some money to buy the sploits. Who's going to fund this? Besides, it wouldn't take long for the bad guys to smell the coffee and become even more secretive about their sploits - I believe they are traded regularly ATM but who knows what might happen if such a scenario were to come into existence.

      --
      Global warming is a cube.
    3. Re:Why must the internet be neutropenic? by Control+Group · · Score: 1

      As secondary effects go, though, hampering lines of communication between malware writers by compromising trust isn't so bad.

      Even if the development of fixes to exploits isn't accelerated, and the heuristic approach fails, having hordes of zombie boxes that are zombies specifically for the purpose of distributing malware fixes has got to be faster than trusting people to consciously patch their own computers.

      The beauty of it is, of course, that the very people least likely to notice, care about, remove, or prevent malware from ending up on their machines are the people that this scheme would use to clean up the problem. People who are diligent about avoiding malicious software would also not be hosting the cleanup software, since it wouldn't have managed to sneak onto their system, either.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    4. Re:Why must the internet be neutropenic? by Control+Group · · Score: 1

      But these people already don't care what ends up on their machine. I seriously doubt that the consequences of Joe Sixpack being made more complacent about computer security (if that's even possible) outweigh the benefits of having Joe Sixpack's complacency used to help clean up the problem.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    5. Re:Why must the internet be neutropenic? by networkBoy · · Score: 1

      I think in most cases they do care, but just have no idea what to care about.
      The machine is dog slow? They don't realise it's a bot, they just assume that the machine is old.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    6. Re:Why must the internet be neutropenic? by cybermage · · Score: 1

      What we need is the spread of viruses/worms/trojans whose payload is the removal of malware...Of course, deploying something like that would break all sorts of computer security laws.

      Perhaps the way to do this is to do the one thing the black hats are not doing: Get the user's consent to install. Use the same IE exploits, but with consent.

      I like the idea of reputable, popular sites offering immunization antibodies to malware viruses as part of the IE browsing experience. Some people will go ahead and install the antibodies and others will get sick of the chatter and switch to a secure browser. Win-Win if you ask me.

  12. Yes, MOST people still use IE by Anonymous Coward · · Score: 0

    How about instead of making stupid comments you suggest a solution.

    Not a "use firefox" solution but perhaps a real solution, which addresses the issue at hand. Perhaps this high holy geek attitude is one of the factors that directly contributes to infection. Yes, firfox is great, i use it myself, i have given it to a few friends, but i don't see it as a fix to IE holes.

    The fix is the same as it has alwasy been, USER EDUCATION!

    MAKE USERES PARANOID!!!!!!!

    How often have you ever been infected by visiting cnn.com, how often have you ever been infected visiting a reputable porn site, how often has slashdot ever tried to root your box when you viewed it.

    The truth is, people think the internet is like the wild west, and thier illegeal or immoral activity will have no consequences. Sorry guy, it doesn't work that way.

    Sorry, I can't spell today.

  13. Poor Stew. by twitter · · Score: 4, Funny

    Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."

    Very noble of him to volunteer, but we all know what happens in the movies to the character who mistakenly sacrifices themselves to defend the bad guy. At this moment, chairs are flying and the heavy weights at M$ are screaming things like, "This guy is making us look bad! Steve smash!" A much cooler arch villain grins maniacally at his underling and contemplates co-opting as much of the work as possible before dropping both of them into a pool of red hot magma.

    What will the real world fate be for poor Stew? DMCA suit? C&D for trade secret or patent infringement? Who knows! But none of it will really make windoze a place that's safe for your work.

    --

    Friends don't help friends install M$ junk.

    1. Re:Poor Stew. by httptech · · Score: 1

      As long as they don't call me Stew... I really dislike that.

      -Joe

    2. Re:Poor Stew. by Control+Group · · Score: 1

      But it's gotta be better than Wart, right?

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    3. Re:Poor Stew. by httptech · · Score: 1

      You make a good point. :)

      -Joe

    4. Re:Poor Stew. by jamar0303 · · Score: 1

      And a better solution is to wait until the next "Patch Tuesday"? I think not- any 0-day exploit has the chance of becoming an international problem (remember the "I Love You" virus?) so it's best to patch the problem in any way possible. Or use Firefox.

      --
      OSx86 FTW
    5. Re:Poor Stew. by Anonymous Coward · · Score: 0
      twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

      • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
      • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
      • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
      • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
      • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
      • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
      • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
      • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project, MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
      • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
      • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

      From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy

    6. Re:Poor Stew. by uufnord · · Score: 3, Funny
      I want to point this out:

      Other volunteers involved with the ZERT initiative include
      * Halvar Flake, CEO and head of research at Sabre Security;
      * Ilfak Guilfanov, author of the IDA Pro binary analysis tool;
      * Paul Vixie, founder of the ISC (Internet Software Consortium);
      * Roger Thompson, chief technology officer of Exploit Prevention Labs;
      * Florian Weimer, a German computer expert specializing in Linux and DNS (Domain Name System) security.

      These guys are top-notch. I can't give enough praise to show my support for what they're doing. When all the government bullshit artists were finger pointing, when all the CERTs of the world were waiting for a vendor fix, when Microsoft was sitting on its hands doing nothing, these guys were working hard to build useful tools. Hackers and crackers on both sides of the fence have benefitted from the work these guys have done. If you don't know who these guys are, google them, because they're all good people, hard workers, and brilliant minds.

      ... except for Roger Thompson.

    7. Re:Poor Stew. by twitter · · Score: 1

      As long as they don't call me Stew... I really dislike that.

      Sorry, cuts of meat simmering all day on the stove just seemed appropriate. It was not supposed to be insulting. Good luck.

      --

      Friends don't help friends install M$ junk.

  14. The Church of Microsoft by erroneus · · Score: 2, Interesting

    I think they should have been a LOT more religious about writing secure code back when they claimed to be focusing on security and such. I haven't noticed any slowdown in the frequency on new exploits and no real increase in the delivery of patches. But if they haven't found religion in writing secure code, I think it's about time they did.

  15. No favors by Anonymous Coward · · Score: 0

    These guys are doing no one a favor in the long run. Better to let MS hang and die quickly. As for the users, well, the old adage about a fool and his money applies to fools and their PCs/data as well: They will either adapt or suffer the consequences.

  16. One word: AdBlock. by Kadin2048 · · Score: 5, Informative

    I've also found a "killer feature" to be AdBlock.

    Okay, so it's not really a 'feature' of Firefox per se. But it's one of those things that even relatively ignorant users can grasp and realize the value of, and once you start using, there's really no going back. And it's so easy to install on FF, you can kind of sell it as a package deal.

    Set your mom/dad/grandmother/coworker up with Firefox+AdBlock+Filterset.G, and between the tabs and the lack of advertising, you'll probably have gotten a convert for life.

    The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on its braindead idiosyncrasies.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:One word: AdBlock. by kinglink · · Score: 1

      Just firefox ALONE makes most people I've shown it happy. Adblock is a boon but the first time adblock blocks something they want to see they'll throw it out. Firefox blocks popups, they'll be happy. Firefox blocks adware, they'll be happy. That's all you have to show them.

    2. Re:One word: AdBlock. by bannoy · · Score: 2, Informative
      The only problem is that in many cases it's not quite practical to throw away IE completely;
      IE Tab: https://addons.mozilla.org/firefox/1419/
    3. Re:One word: AdBlock. by Naughty+Bob · · Score: 1

      Don't tell them! I kinda rely on all those guys viewing ads to pay for the sites I like....

      --
      "Be light, stinging, insolent and melancholy"
    4. Re:One word: AdBlock. by Anonymous Coward · · Score: 1, Interesting

      The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on its braindead idiosyncrasies.

      I use several financial institutions for my banking, and there is not a single one that's still incompatible with the latest Firefox. If I found they supported Firefox any less than IE, I'd leave them in an instant, and I'd tell them why.

      A few years ago, some were slow catching on, so I switched banks. I also moved the accounts of my business, and several clients away from institutions that don't support other than IE. Since then, every one of those banks have seen the light.

      Change banks. Change brokers. TELL THEM WHY YOU'RE CHANGING. If your account size warrants it, speak to someone higher than just peon level. I spoke directly to Vice-Presidents of three banks. Nothing changes their minds as quickly as their accounts leaving for the competition over something their IT department didn't bother to fix. You've got to sell it in a language they understand.

      The only group you won't find willing to support Firefox is media companies, since they want to lock down the system as much as possible, and supporting more than one platform decreases their ability to do so.

      I only feel a little bit guilty that I caused some very big headaches in the IT departments of banks... One VP was absolutely FURIOUS that his IT department was willing to give away 10% or more of their potential online business in order to code their pretty little menu screens a little bit faster. (As well he should have been.)

    5. Re:One word: AdBlock. by Huggs · · Score: 1

      IE Tab is good for most IE emulation, however I have run into circumstances where I still needed to use the actual IE browser.

    6. Re:One word: AdBlock. by LordSnooty · · Score: 1

      How do they know they need it if they can't see it? Must admit I've never hit this problem, but maybe it's for the reason I just outlined.

  17. Is the industry gullible? by Opportunist · · Score: 1

    Let's be honest here. Why the hell did someone come up with the concept of "patch Tuesday" in the first place? It was a no brainer that OF COURSE exploits would be launched right the day afterwards if you can predict the patchday. Actually, an analysis of our malware early warn "radar" tells that the exploits are launched pretty much in sync with the advent of the patch.

    What did MS think when coming up with the idea of "patch Tuesday"? Sure, it's something you can adjust to as an admin, knowing exactly when the next patch is coming gives you a good idea how to time your update cycles. But does it really? Or is it rather more useful for those who plan to attack the system, using the very predictable update cycle as a key to time their milestones to?

    Malware and defense against it is a game of knowledge. The more you know about your enemy, the more efficient you can be. And we're currently facing the problem that the attackers know everything, the defenders almost nothing.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Is the industry gullible? by 0racle · · Score: 1
      Why the hell did someone come up with the concept of "patch Tuesday" in the first place?
      Because some people manage networks professionally instead of systems in their parents' basement.
      --
      "I use a Mac because I'm just better than you are."
    2. Re:Is the industry gullible? by Anonymous Coward · · Score: 1, Interesting

      Why the hell did someone come up with the concept of "patch Tuesday" in the first place?

      Mainly because IT departments were getting hammered with patches day after day. By default, we ended up scheduling patches for end-of-month or whenever because installing patches on Microsoft's schedule is just unworkable. Is "Patch Tuesday" better? It's useful mainly for the run-of-the-mill fixes and such. When a critical patch is needed there should be a fix or workaround posted in a day or so (like in the Open Source world) with the understanding that the patch is untested.

    3. Re:Is the industry gullible? by wizkid · · Score: 1


      Patch Tuesday came about so the $M could pacify corporations. Now they can test and schedule patch updates on a set regular schedule, just like the spammer scum schedule their exploits for Exploit Wednesday.

      It's worked well. Now corporate america has a set schedule to apply patches, and the botnet pinheads have a set day to release exploits. $M makes money cause corporate interests are addressed, and virus/bot writers have a preset optimum date to get their work done.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    4. Re:Is the industry gullible? by johnnyb · · Score: 1

      And everyone goes home happy and vulnerable!

      I love corporate america.

    5. Re:Is the industry gullible? by Opportunist · · Score: 1

      I've been in that biz myself. Of course it's convenient to know ahead of time when you're gonna roll out a patch. But critical problems need to be addressed NOW. Not in a month. Yes, it's a hassle to get a patch "overnighted" because it was dumped on your table at 4 in the afternoon, but it's still less hassle than getting the net clean again after the worm chewed through it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Is the industry gullible? by 0racle · · Score: 1

      Critical problems are not held back until patch Tuesday. However they are not released until at least some tests have been run on them, and no admin with even a single brain cell would install a patch just because someone said it's critical without testing it on their own environment.

      There will always be a time difference between a problem being found, a patch being released and finally that patch being applied. Having a single day where most patches will be released allows large sites to properly schedule testing and deployment of patches which will speed up the installation of those patches.

      --
      "I use a Mac because I'm just better than you are."
    7. Re:Is the industry gullible? by kingofwaldos · · Score: 2, Insightful

      I agree. MS delaying patches is dumb. If large corporations want a schedule for their updates, by all means, they should make one -- of their own. If MS released updates when they were finished and ready, large shops could still schedule their updates however they wanted. If they felt a patch warranted updating early, they could deploy. Why depend on Microsoft to decide that for you?

    8. Re:Is the industry gullible? by pe1chl · · Score: 1

      Critical problems are not held back until patch Tuesday. However they are not released until at least some tests have been run on them

      If you examine the monthly load of patches, you will find that it regularly occurs that critical or important patches are released on patch tuesday that have been compiled weeks or even more than a month before.

      Now, you would think that would give them some time to test. However, the results of those tests are not used to determine if a patch is going to be released the next patch tuesday!
      For example, the latest cumulative IE patch (KB918899) was released last month on patch tuesday, even though it was known inside Microsoft that it had a fatal flaw for users of Windows 2000 and XP SP1, and a fix for that flaw had already been compiled early last month. The "critical" fix was pushed out on patch tuesday nonetheless, damaging businesses that use certain web-interfaced software.

      The affected users had to request the temporary fix, and later the KB918899 patch was re-released (two times even) to fix the problems.
      Given this situation, I would prefer them to release the patches as soon as they are available, or at least inform the admins when they release critical patches for which flaws are known and fixes are already available or will be available shortly (before the next patch tuesday).
      Then, at least admins can decide to wait a while.

    9. Re:Is the industry gullible? by Anonymous Coward · · Score: 0

      Legal exposure means that if a patch is released, and you don't patch, then you could become legally exposed if your system is compromised. E.g., MS releases a patch, you don't patch until the end of the month, for the period from the patch release to the patch implementation, you (or more explicitly, your company) can be liable.

    10. Re:Is the industry gullible? by Kaenneth · · Score: 1

      Possibly because an untested patch could do even more harm?

  18. How they recruit for zero day team by Provocateur · · Score: 1

    *scene takes place in Interview room, a panel of HR and tech types; applicant being interviewed

    We're not that interested in your l33t h4x0r skillz. How good are you at time travel?

    A demonstration? Sure. No, you don't have to take your clothes off now, that's only in Terminator; it's just a movie. Put them back on now. I said put them back on. I know it's cold in here. And the physical takes place when you're actually hired. Next please.
     

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  19. Open Source? by Asklepius+M.D. · · Score: 1
    The source code for all of ZERT's unofficial fixes will be released along with the testing methodologies used during the patch preparation.

    Now it appears to me that this is an open source solution to a proprietary problem. Isn't this what the OSS crowd has said all along - that the OSS side gets patches out in a much more timely manner? Also, does anybody know what license is being attached to these patches?

    --
    He who would be a man, must be a nonconformist. -- Emerson
  20. MS can do it as fast as these little twerps by 140Mandak262Jamuna · · Score: 2, Insightful
    Of course MSFT can find the bug as fast or faster than these third-party do-gooders. And if the aim is to stop the exploit they can do that too as fast. Did you notice how fast they fixed the WMP DRM breaking exploit? They can do these things if they want to. In fact they can even make IE as exploit proof as FF if they want to.

    But they don't want to. There are thousands and thousands of sites that have hacked up code to step around the bugs in IE. They all will break if they lost backward compatibility to these harebrained hacks that depend on the bugs in IE. MSFT considers it a big loss of face if more sites work in FF than in IE. If they fix all their bugs and holes in IE, more sites will work in Opera and FF than in IE. That is a big no no. That is why they tread cautiously making sure they fix the hole, just that hole, and nothing but that hole, and fix it just enough, so that most of the other hacks can continue to work. That is why they are so slow in responding. That is why the fix has to be fixed and fixed again.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:MS can do it as fast as these little twerps by icydog · · Score: 1

      When's the last time you exploited a buffer overflow or took remote control of a user's machine to make your CSS display correctly in IE?

    2. Re:MS can do it as fast as these little twerps by Anonymous Coward · · Score: 0

      Thank you. Saved me a post.
      Oh wait..

  21. The L Word by Durango_44 · · Score: 1

    The L word will pop up here--Liability.

    That is what happened this past winter in our shop when the WMF fiasco occurred: An in-the-wild exploit, MS says "yeah, but it's not *that* bad, we'll get it to you next time", and the World says "you must be kidding, we'll do it ourselves."

    I run a small, corporate network. But it *is* corporate. When I went to the Boss to explain things, we wanted to deploy the third-party patch. But we kept running into the concept of Liability--the "what ifs" of something going wrong, and we did it to ourselves by applying something outside of the supported vendor. In the end, we lined up the third-party patch and were ready to quickly deploy it system-wide. In the WMF case, MS backed down and released an out-of-cycle official patch, which we then distributed.

    The concept of the World doing the Right Thing by creating these patches is wonderful--it is an obvious and long overdue response. But I am not a lawyer--and I would have to think real lawyers who answer to corporations with thousands of boxes are going to pipe up over this.

    1. Re:The L Word by mibh · · Score: 1

      does anybody think microsoft would have "backed down" without the pressure from that third party patch for WMF?

  22. I don't care, this doesn't matter. by plopez · · Score: 1

    At work I let my IT department deal with it. Serves them right for being a Windows shop. At home I don't use Windows. This really isn't anything that matters to me.

    --
    putting the 'B' in LGBTQ+
  23. philters by TheSHAD0W · · Score: 1

    There are good reasons for Microsoft to be careful with its patching, since it's so easy to break things. What if they adopted a strategy for, rather than patching out vulnerabilities, but instead filtering them out? Like an antivirus program, you'd scan media content for attacks and then disallow them if attacks are found. This strategy could result in an update cycle measured in days, or even hours, rather than weeks.

  24. Re:Or Get them a Mac by vertinox · · Score: 1

    And they'll have no choice, because you can't download IE for OS X anymore from Microsoft.

    Of course, I'd try to lessen the shock by installing Firefox for OS X for them.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  25. Welcome to the 21st century by Anonymous Coward · · Score: 0
    It's been because I simply won't allow a Windows machine in the house.
    I hope you mean it's because you and your wife won't allow a Windows machine in your house.
    1. Re:Welcome to the 21st century by Anonymous Coward · · Score: 0

      My wife is grinning somewhere right now ...

    2. Re:Welcome to the 21st century by Icarus_SFX · · Score: 0

      No he just doesn't like to do windows :-)

  26. never taunt happy fun ball by Gary+W.+Longsine · · Score: 1
    My recollection is that most of my clever geek friends actually laughed when they first heard about Patch Tuesday. Within a fraction of a second of hearing the news, it was easy to predict that malware releases would be timed to exploit the month lag for patching institutionalized by Patch Tuesday. I would be greatly surprised if there weren't some comments to this effect in the Slashdot archive the day the Patch Tuesday strategy was announced and columns in the IT rags within a few days. It had already been common for batches of malware, particularly email worms to appear on Friday afternoon, and spread over a weekend. Malware releases were timed thusly one presumes because the malware authors suspect that fewer people are available at AntiVirus companies to analyze, fewer staff are available at system vendors to build and test patches, and so forth.

    So why didn't this Malware Wednesday effect show up immediately, and why is it still not employed universally? Malware seems to emerge, in general, every week, every day. It took almost two full years for the Malware Wednesday response to emerge into a recognizable pattern. I suspect that this should indicate something interesting about the malware community. But what?

    Perhaps communications between different groups and individuals that share code and ideas in the underground community isn't very efficient, due to the mistrust and need to shield identity. Perhaps these groups don't spend much time reading Slashdot or IT journals where pundits probably decried the silliness of Patch Tuesday and predicted the Malware Wednesday phenomenon. Perhaps they were too busy sitting on the beach drinking rum from hollowed out pineapple shells with those little umbrellas in it, and only recently got around to thinking about the problem. Perhaps the techniques they employed were effective enough.

    However, there are problems with all of those theories. Here's a theory that seems to have greater explanatory power: Releasing patches immediately following a Patch Tuesday probably didn't show much of an advantage to the malware authors in terms that matter to them, (a) how long will the exploit remain effective, and (b) how many systems can be infected via this exploit and remain under botmaster control for an extended period of time.
    • Microsoft hasn't really shown an ability to consistently patch defects within a single month of discovery.
    • The systems which are most likely to remain under botmaster control (once control has been usurped by exploitation of a defect) for the longest period of time also tend to remain unpatched for a long period of time.
    Systems which are patched frequently or re-imaged following an intrusion are of declining interest to the profit-motivated organized crime organizations which are driving much of the evolution of malware in the past few years. Such systems remain interesting to malware authors seeking underground fame for infecting large numbers of systems, but the people who would in the past have been trying to infect "m0R3 s1st3mS th4n 3V4R, d00dz!!!" are attracted and tamed somewhat by the money.

    If they are going to work for the underground economy, and get paid to write malware, they need to write malware that focuses on the profit making goals of the underground group. That means more people writing more dangerous code that attracts less attention because it can be controlled more carefully and seldom causes global outbreaks on the scale of MS Blaster. Instead, lots of little releases all the time. Rapid spread techniques might be used as a smoke screen now and then while harvesting data for espionage purposes (either corporate or national) but are probably used much less often by those seeking to quietly build up botnets for spamming, hosting phishing sites, scanning for identity information which can be aggregated and used or sold, and so forth.

    Just a thought, not fully formed. I'm kinda groggy this morning.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  27. The patch can be downloaded..... by 8127972 · · Score: 3, Funny

    .... from any of the following links:

    www.getfirefox.com
    www.opera.com

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  28. works for mozilla by codepunk · · Score: 1

    Probably that security expert that now works for mozilla...hey let's only patch boxes on tuesdays...yea great idea..

    --


    Got Code?
  29. Patch by Anonymous Coward · · Score: 0

    I just downloaded the ZERT IE Patch and it is an install for FireFox!!!

  30. Meh. by WhiteWolf666 · · Score: 1

    So what.

    There's a better solution to all these problems. Properly implemented QoS on ISPs and Servers so that the extra bandwidth usage generated by this crap doesn't prevent those of us running secure systems (Windows on a tight-ship, Linux or OS X) don't get hosed by the unwashed masses.

    The vast majority of malware traffic isn't 0-day; it's ancient stuff running on older unpatched systems. As long as they don't bump us off the interwebs, I don't see why I should care.

    Patching & Cleanup are a poor solution. Once your system is infected, you're screwed. Windows security these days is more in need of triage, not repair.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:Meh. by RobbieGee · · Score: 1

      Botnets created to spam or DOS attack sites, that's why we should care.

      --
      If you get this, we're 10 of a kind.
  31. Re:You're kidding! by Anonymous Coward · · Score: 0

    Yes , what is this IE everyone is talking about ?

  32. fud friday .. by rs232 · · Score: 1

    "There is no superior technology or anything that would help to make Firefox inherently more secure"

    Unlike IEXP Firefox is not welded to the OS. It runs in user space and under Linux is locked down to the users home directory. Of course the root cause of 'buffer overflows' and stack attacks is the defective design of the wintel memory manager.

    "The Mozilla guys may offer more frequent patches (which would increase security, but reduce reliability..)"

    It might only appear that way because the patches are not bundled in one monthly collection. Can you provide an example of a Firefox patch that reduced reliability.

    was Re:Spyware Thursday

    --
    davecb5620@gmail.com
    1. Re:fud friday .. by tjansen · · Score: 1

      Of course the root cause of 'buffer overflows' and stack attacks is the defective design of the wintel memory manager.

      I'd rather say the root cause of buffer overflows (etc) is using a language that allows them. It's not like Linux or other OSes would be able to fully prevent bugs that allow the execution of malicious code. At best they eliminate some common cases.

      Can you provide an example of a Firefox patch that reduced reliability.

      No. But I am pretty sure that if you have a browser that runs on many million machines, testing the patch for 30 days makes problems less likely than testing it for 3 days...

    2. Re:fud friday .. by rs232 · · Score: 1
      "the root cause of buffer overflows (etc) is using a language that allows them"

      Incorrect, remember the phishers and virus writers don't obey the rules. Design a Memory Management Unit that prevents exploits.

      "It's not like Linux or other OSes would be able to fully prevent bugs that allow the execution of malicious code"

      Even on the defective wintel design it provides better protection. Combined with the exec-shield that prevents stack exploits it would be even more secure. The Vista version NX has a feature to allow stack execution to be turned back on as otherwise JIT code won't work.

      Can you provide an example of a Firefox patch that reduced reliability.
      "No. But I am pretty sure that if you have a browser that runs on many million machines, testing the patch for 30 days makes problems less likely than testing it for 3 days..."

      But 'if' doesn't equate to 'has done'. Unlike this real world example of a fully tested patch that did reduce reliability.
      --
      davecb5620@gmail.com
  33. Behind the times. by FishWithAHammer · · Score: 1

    As of the XP kernel they aren't linked at all anymore. Go try WinFLP if you don't believe me; installing that (which IS an XP kernel, just without all the crap to go with it) gives you the option of IE or not.

    --
    "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    1. Re:Behind the times. by mysticgoat · · Score: 1

      Thanks for pointing me to WinFLP. I hadn't known of its existence. It might allow some cash registers to continue to function until the hardware fails.

      However I don't see your point. WinFLP is not WinXP with some of the DLLs removed; it is an entirely separate OS that is partly based on some of the WinXP source. You can't take WinXP (or any other publicly available Win OS) and strip out the MSIE modules and still have a stable OS.

  34. Your simpler solution is not viable. by Anonymous Coward · · Score: 0

    Various hospitals have implemented dozens of "IE only" solutions for specific real-world problems. The users of these solutions have zero ability to influence the technology decisions of the hospitals, and no choice but to use IE in order to do the work required for these hospitals to function.

    It's too late now to say "shoulda used firefox" - the workers in this position have no option in the near future.

  35. IE View & IE Tab by The+Raven · · Score: 1

    Last I heard (months ago), they were broken, and they could make ALL your tabs IE, or all not... but no way to mix'n'match. I'll have to check them out again now that they're fixed.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    1. Re:IE View & IE Tab by Xabraxas · · Score: 1

      You can have mixed tabs. You can even set certain sites to always open in an IE tab. My girlfriend has to log into a web based CRM at home and it doesn't quite work right with Firefox. She uses IE tab and sets that one site to open only in IE and it works like a charm.

      --
      Time makes more converts than reason
  36. whoops..formatting by toadlife · · Score: 1
    I have implied nothing like that. I have emphatically asserted that this is so.


    And you are 100% wrong in your assertion.
    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  37. To all of the moderators who modded... by toadlife · · Score: 1

    ..the above post up.

    PLEASE STOP MODERATING.

    There is absolutely nothing "interesting" or "insightful" about the post above. In fact, I would say by modding this post so high, the collective intelligence of everyone who has read it (and doesn't know any better) has been decreased considerably.

    The author has bought into, and is dutifully spreading one of the biggest myths about Internet Explorer - that it somehow carries more rights and privileges to the OS than the user who is using it. The author also claims that firefox offers some sort of (magic?!) protection that keeps exploit code from accessing the OS. Both of these assertions are false.

    If you would like to make Slashdot a better place, please click on "preferences" on the bar next to your username at the top. Then click on "homepage" and un-check the box that says "Willing to moderate".

    Thank you, and have a nice day.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  38. Re: How 2 rip MSIE from Windows by mysticgoat · · Score: 1

    My stated assertion was that MSIE is an integral part of the Windows OS, which means that there is an inherently unsecurable set of portals to the outside world, the browser, that is insufficiently isolated from the OS. So that exploitations of vulnerabilities in the browser can lead to such nasty infections as keyboard loggers, rootkits, and zombie processes (rather than being isolated to just messing up the browser session).

    And you are 100% wrong in your assertion. [toadlife]

    Good. Now then, M. Toadlife, demonstrate to me that my assertion is wrong by telling me and anyone else who reads your words how to cleanly remove IE from WinXP. Tell me how to do this in the same clean way I can remove MS Office or MS FrontPage. Or Firefox. That is, without destroying any of the other functionality like the help system, or destabilizing the OS.

    Take your time. I'll wait around a while, because I'd just love it if you could show me how I'm wrong. If I can reclaim the ram, disk space, and cycles that MSIE is wasting on my machine, I'd do it in a heartbeat.

  39. 100 days exploits by vz3phyre · · Score: 1

    Basically, zero-day exploits are launched by underground groups to exploit vulnerabilities in corporate computers. They know that the administrator will update their PCs. So, to attack the computers, they must attack before the computers are patched.

    From my reading, this underground group will work hard to find vulnerabilities. And some of the vulnerabilities come from previous patches. Patches sometimes create new vulnerabilities because they fix the problem that appears, not the concept of why it appears.

    Because Windows is used by many average end users and it has many holes, it is the best target for the underground group.

    On the other hand, to launch a DDoS attack or to mount a new zombie, they don't have to work hard because there are thousandzzzz of PCs not patched although MS released hundreds of patches during that period of time. Because the average end user is not the 'nerd' or 'geek' type. They don't really care if their PC runs as a zombie, as long as their work (typing and printing) can be done. Not to mention that many users may not realize that their Windows needs to be updated!!!

    At the same time, there are also many PCs running ungenuine versions of Windows; this is the perfect target operating system.

  40. Re: How 2 rip MSIE from Windows by toadlife · · Score: 1
    My stated assertion was that MSIE is an integral part of the Windows OS, which means that there is an inherently unsecurable set of portals to the outside world, the browser, that is insufficiently isolated from the OS. So that exploitations of vulnerabilities in the browser can lead to such nasty infections as keyboard loggers, rootkits, and zombie processes (rather than being isolated to just messing up the browser session).


    And once again, your stated assertion is wrong. An exploit in IE carries no more danger to the user than an exploit in Firefox. There have been plenty of exploitable remote code execution flaws in Firefox that if exploited could easily lead to the installation of key loggers, and other nasties. There have also been tons of flaws in other components such as Flash and Java that are completely browser independent. It all comes down to the rights of the user browsing the web. Exploit code that hits IE cannot install key loggers if the user does not have the right to install a key logger. The same goes with other browsers and programs. This seems to be an area that you don't comprehend. IE and the libraries it uses are userland programs that carry the rights of the user using them, and nothing more.

    Good. Now then, M. Toadlife, demonstrate to me that my assertion is wrong by telling me and anyone else who reads your words how to cleanly remove IE from WinXP. Tell me how to do this in the same clean way I can remove MS Office or MS FrontPage. Or Firefox. That is, without destroying any of the other functionality like the help system, or destabilizing the OS.

    Take your time. I'll wait around a while, because I'd just love it if you could show me how I'm wrong. If I can reclaim the RAM, disk space, and cycles that MSIE is wasting on my machine, I'd do it in a heartbeat.


    Way to change the subject. I never said anything about removing IE from the OS - because it is not necessary. You start by claiming that IE grants malware root access to the system while in the same situation other browsers don't (false), and then change the subject to the fact that the core libraries that IE makes use of can't be removed from the system without breaking the help and support center. Do you make it a habit of browsing the web from the help and support center or something?

    As far as resources, there are no "cpu cycles being wasted" by IE's core libraries being on your system, as they are only loaded into memory when they are needed. If you use an alternate browser like Firefox, then they will almost never be loaded - unless you like to browse the web from the help and support center or the mmc console.
    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  41. Re: How 2 rip MSIE from Windows by mysticgoat · · Score: 1

    Gee, at this point I don't know what to say. I guess it's time to bow out of the conversation with an apology.

    I'm so sorry that this conversation has gone the way it has; I apologize to anyone who reads this since it is contributing more to the FUD that seems to always surround any perceived criticism of Microsoft than it adds to the universe of rational discourse. There has ended up being more heat and smoke than light here. Sorry about that.

    M. Toadlife, I truly regret that reality doesn't match the virtual image of it that you are attempting to project. Your world appears to be a much simpler and safer world, and I'm pretty sure I would enjoy living in it, if only it existed outside of the mind of the beholder.

    This is the kind of thread that could go on and on and on. But that would be a waste of bandwidth. Enough has been laid out here that people with some prior knowledge of the subject and the Slashdot milieu can easily predict where it would go and form their own opinions. For anyone else, well, try this:

    1. Consider that a poll of 53,000 Slashdot users done more than three years ago showed that more than 67% preferred to use something other than IE as their browser. Since Firefox has gained a lot of market share since then, the number would be unquestionably higher if the poll was repeated today.
    2. Use Google to search the news for stories about MSIE and security issues. There have been just oodles of them, and they provide more factual information than I could hope to present in this forum.
    3. Then form your own opinion and act responsibly.
  42. Re: How 2 rip MSIE from Windows by toadlife · · Score: 1

    It seems you have a few misconceptions about me.

    I hate IE. I don't use it for many reasons - security being one of them. I've been a Firefox user since 0.7 beta. I'm just not ignorant about how operating systems and their various security subsystems work.

    You sir, are.

    Good day.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  43. TinyXP - Beast Edition by BLKMGK · · Score: 1

    You may find that this "OS", which is a stripped version of XP, has no IE, has Firefox, and is perfectly stable. It also doesn't phone home for updates etc. Worth a look for "testing" anyway...

    --
    Build it, Drive it, Improve it! Hybridz.org
    1. Re:TinyXP - Beast Edition by mysticgoat · · Score: 1

      You may find that this "OS", which is a stripped version of XP, has no IE, has Firefox, and is perfectly stable. It also doesn't phone home for updates etc. Worth a look for "testing" anyway...

      Um, thanks but no thanks. From a distance, I find the culture of warez is fascinating. I intend to maintain this distant point of view for at least a few more years...

  44. It's Just A Partial Fix!!! by pl4327 · · Score: 1

    Interesting how many of these 0-day exploits appear just after Patch Tuesday, it's almost like the Bad Guys are exploiting Microsoft's scheduled updates. The ZERT patch probably works in most configurations. However there are some issues reported and it's best to wait for an official solution.

    1. Unregistering the vulnerable DLL
    2. Keeping AV protection updated
    3. Avoidance -- Stay away from dangerous or untrusted sites and email
    4. Use other complementary browsers where you can

    But that is only a PARTIAL fix according to Microsoft. I think it much better to use the unofficial patch...if you can get it to work. I can't so I just won't use IE. I'm not applying Microsoft's partial fix and then using IE. That would be stupid. I don't use IE often anyhow so it won't be a big deal for me to avoid it until there is a full patch.