Microsoft Blames Add-Ons For Browser Woes
darthcamaro writes "Running IE and been hacked? Don't blame Microsoft — at least that's what their security types are now arguing. 'One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore,' Eric Lawrence, Security Program Manager on Microsoft's Internet Explorer team, said. 'The browser is becoming a harder target and there are many more browsers. So attackers are targeting add-ons.'
This kinda makes sense since whether you're running IE, Firefox, Safari or Chrome you could still be at risk if there is a vulnerability in Flash, PDF, QuickTime or another popular add-on. Or does it?"
Did anyone seriously believe Microsoft wouldn't try to make Internet Explorer look at least "not as bad as they say"?
!news
Craptacular interface, ignoring standards, sluggish, bloated, lacking usable features... I'm sure I've missed some.
And if the add-ons were given far more permission than they actually need? If the browser works right, then the damage a poorly written add-on can do should be minimal.
excitingthingstodo.blogspot.com
The biggest part of internet security is paying attention to where you go. I used IE from the day I started using the internet until the day Chrome was released, and in those years, I got a virus/spyware exactly once: by stupidly going to a keygen site my friend suggested, which was full of malware. The rest of the time, I was fine.
This isn't to say that the technology side should be ignored, but if people actually used their damn heads on the internet, it wouldn't matter much at all which browser they used.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
If it's Firefox, it's perfectly OK to blame the add-ons.
Those hundreds of memory leaks the FF team fixed in 3.0? All attributed to add-ons, until they were fixed.
And don't get me wrong, FF is a far superior browser to IE any day of the week, but people in crystal rooms shouldn't be hurling stones at others. Or something along those lines.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Around here, and many other places, I suspect, the generally-accepted practice is to first blame the network when problems arise.
The network usually isn't at fault but we are still forced to jump through hoops before we can tell the user the network is fine, it's their poorly-implemented config/script/filter that caused their problems.
I see this as a similar practice... if some crap comes through the browser, it must be the browser's fault. Never mind that some toolbar or plugin or other enhancement left a few doors open.
Never ask for directions from a two-headed tourist! -Big Bird
Microsoft made add-ons essentially super-user in the browser space, and now they complain about add-ons being ill-behaved? If you don't want kids to bang their heads on your playground, perhaps design it better?
This is my sig.
Many non-power-users don't use addons at all.
If what was being said were true, only us techies would be affected. ...and if that were true no one would care (including us techies) because we know how to protect ourselves.
These posts express my own personal views, not those of my employer
Its browser woes are because the browser is the operating system and the operating system is the browser. Tie the two together and you reap what you sow!
With the likes of ActiveX, and Silverlight out there, who could blame IE?
I aren't go after the browser, neither! I can has cheezburger nao?
I like to place meaningful quotes in my sig, so people will know that I know what meaningful quotes are.
Microsoft are just looking for any excuse to hide the fact that IE is really insecure and crap.
Would an example of this include the ActiveX control you have to install to be able to run Windows Update?
Aren't they responsible for the plugin model in their browser? Aren't they responsible for the OS security?
Take a look at how Chrome handles plugins and then try to pass the buck.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
It doesn't matter that you only visit known websites with plugins enabled. These days almost all websites embed content from other servers, in the form of ads, widgets and toolkit scripts. Computer security is ever more resembling biological immune systems instead of the old-fashioned "absolute" security approach. Software isn't written to be secure, systems aren't designed to be correct. It's as if we've accepted that a certain level of infection is unavoidable. That's a dangerous game when pieces of data as little as 16 bytes can totally compromise a system.
(Sorry... can't find the video; SNL's crackin' down, I guess. All I got is some transcript.)
After what was expected to be an unusually quiet Patch Tuesday, Microsoft has released eight patches for applications with an insufficient number of security holes.
The updates include "critical" patches to Windows Media Player visualisations, Zune player software, that really cute dinosaur cursor and Age Of Empires II. The exploits opened by these patches allow a malicious user to take webcam pictures of your pimply butt, steal your pizza delivery and have sex with your girlfriend. The exploits have already been marketed to the Dark Security market by Microsoft Russia.
"Windows 7 won't be vulnerable!" added marketing marketer Jonathan Ness. "Did we mention how fantastic Windows 7 will be? Also, Vista's pretty good! Really! The London Stock Exchange was probably still on XP!"
http://rocknerd.co.uk
This behavior is not exclusive to Microsoft...
WOE(s) be unto THEM!
What is scary as hell, though, is:
"Microsoft to aid in war on terror, builds software for DHS"
http://arstechnica.com/news.ars/post/20081121-microsoft-to-aid-in-war-on-terror-builds-software-for-dhs.html
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Well, one can always hope they kill off ActiveX now that everything is "primed" for Silverlight... *coug* *cough* ... old tech meet the new tech... at the end of the day same ole same ole.
What better way to get massive adoption of new stuff?
I see people trying to install the free "Spyware Removal" and "Registry Scanner" all the time on our Citrix servers. They fail, of course, but it doesn't stop them from trying. And what warning does the OS give you when a site is trying to install something?
A yellow bar that suggests you click here to proceed. It might mention that some content may be harmful.
It should say something like: "This web site is trying to crap on your computer. If you enjoy getting crapped on and ripped off in your personal life, click here to proceed." If they do click, then it should say: "People like you are why syphilis is still a common disease".
Add-on's for IE??
Exploits for specific document types make compromising people's machines an issue. However, what 99.9% of people that revel in schadenfreude with IE's woes miss or fail to understand (yeah, including many people on Slashdot) is that most Windows XP users (which are most Windows users, Vista is only 20%) run as "root"!!! ("administrator" in the Windows vernacular)
I wrote a utility called RemoveAdmin available on Download.com that leverages an API in Windows (CreateRestrictedToken) that strips administrative rights:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=mncol&cdlPid=10835515
The installer will create shortcuts for IE and Firefox but if you look carefully it's really a program with the browser .EXE passed as an argument.
Which means you can strip administrative rights on anything you run... in fact that's exactly what I do. I don't run *anything* that talks on the Net without this.
This means if you stumble across rigged .PDFs, Word documents, etc., etc., you won't suddenly have a keyboard logger installed because ignorant you is running with admin rights.
(Some caveats)
This is version 0.1. What would 1.0 have? A FAQ and user guide for starters. Also, I've seen this version not work in some cases, largely situations where AD is in play (probably because a user has multiple admin credentials).
If you need to run ActiveX controls on a site (poor you if you use IE), just quit IE, go to the site, have the controls installed. Quit IE and re-run IE with the secure link. Likewise this is what you would do before going to Windows Update.
And finally, to convince yourself the utility does something useful. Go to any site, "View Source" after you run your browser with the secure link and try to save the resultant .HTML/JavaScript to C:\Windows. You'll find you can't.... since your browser process doesn't have administrative rights (root) and thus any process it launches doesn't either (think of this as a plug-in scenario).
Maybe I'll educate some % of the IT world yet...
Respectfully,
-M
I like the sex analogies; I think this should be a new standard for /.
Yours has some good points but:
Surfing the web with IE is like if you were to go to a convenience store to buy eggs and discovered that you had to have sex with the mysterious man behind the counter in order to accomplish this task.
Sure, you can be safe about it: wear condoms, only go to reputable convenience stores with clean-looking men behind the counter, etc. But isn't part of you wondering why you have to open yourself up in this way?
There are many sites that bring the whole system nearly to a halt when konqueror loads the page. Looking into the CPU usage with top shows that 99% of the CPU time is being used by kde-gnash. Doing a "killall kde-gnash" brings everything back to normal, with a grey square where the flash was.
You are right that konqueror does not crash the whole computer, but that's still very far from the desired result.
Yes it's not their fault that Vista was a fuck up. It's not their fault that it takes half an hour to upgrade to IE7.
It's not as if we should care that the Internet has been in a dark age for the last 7 years.
This is another good reason to use Opera, and one of the key reasons that Opera users and devs have been arguing for a very long time against plugins and extensions.
There can be little doubt that Opera is the safest browser out there, particularly if you like to routinely browse questionable websites; while the safe sandbox of userJS, userCSS and widgets in addition to the plethora of out-of-the-box features means that there's very little need for extensions anyway.
Firefox is a great browser, and much more secure than IE, but since its growth in popularity combines with the number of malicious extensions out there it can no longer be considered to be a completely secure browsing environment.
Don't take my word for it, check out Secunia's own advisories.
sebt :)
How about sandboxing the entire thing so that no matter what, with the flip of a switch, no writes to the HD are allowed, period (cookies or otherwise, I don't care to be tracked, and can remember more than one complex password). We could call it something scary, like jail. Or chroot jail.
Think about it, next generation. I've given up on the current one.
Hi, I Boris. Hear fix bear, yes?
This is marketing. Blame ABM, Anybody But Microsoft.
Truth is that IE is not the best browser, but is better than it was.
Firefox is also better than it was, so is Opera, so is Webkit (Safari). In the future, I expect Chrome, if it survives, to be better too.
Why is any of this news? It is really just a marketing department's attempt to deflect blame away from where it belongs.
Everybody knows 3 people with my name.
It's quite simple. You/They/We can define a very simple interface that displays some stuff and allows a few simple user inputs and maybe after a few years of debugging we might have a reliable browser suitable for basic stuff -- including financial data transfers and buying and selling stuff.
Or we can continue to try to do everything in the world in our browsers and then act really surprised when our PC starts relaying 20 thousand spam messages a day or our money and/or data and/or identity ends up in Liechtenstein, Haute Volta, or Inner Mongolia.
It's quite clear to me that we -- all of us -- are going to go with the second option. That's fine. Now can we quit pretending that web insecurity is someone else's fault?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
I installed Windows Vista on my Mac Pro in order to run the one program I wanted that I couldn't get for Mac OS the other day (Fallout 3) and while waiting for the install to finish I viewed a few web pages. I'm not talking about pornindex2000.ru here, however it wasn't cnet, either. On a scale of Amish to Thai hooker I was in solid girl-in-high-school-who-smoked-out-back territory.
In any case, I didn't really care what sort of virus or malware or autodialer or rootkit or killprog or hypnotoad I picked up because it would steal my Fallout saved games and then be deleted along with the ntfs partition when I was done playing. However, out of curiosity I installed virus protection some days later and lo and behold within about four or five domains on a fully updated Vista and completely unmodified IE7 I had picked up something. Either a production install of Fallout gave me something, or it was IE. Sooo, no, MS. Go directly to jail, do not collect my license fee.
And if you believe that I've got this great piece of land I'd like to sell you.
Now let's see... why is it that we need add-ons for something as simple as playing a video on YouTube or streaming sound? Oh yeah, that's right, there are no cross-platform open standards for doing so because SOMEBODY keeps failing to implement them. Seriously, even if the problem is buggy add-ons like Flash, the whole reason we need those add-ons is that Microsoft has kept sabotaging the open standards that would have made them redundant. If it were not for Microsoft's continued hampering of web standards, the majority of stuff Flash is currently being used for could easily have been implemented using just HTML and JavaScript. So blame the browser or blame the add-ons, it's still all your fault in the end.
None of the other browsers are integrated into the OS the way IE is. With all the other browsers you at least have that bit of security. Your browser and OS are not the same program.
Marketable skills you can learn and expand in the military should include programming. But since they've chosen to outsource some of its core duties to Blackwater, it's not at all surprising that they don't make their own software. Just wrong.
"I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
Wait, did Microsoft just admit that ActiveX is one of the largest security holes ever?
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
MICROSOFT!
More finger pointing by Microsoft to cover up an already poorly written operating system.
Microsoft is a bunch of chumps.
What a bunch of horse's arse!
The plugins NoScript and FlashBlock make Firefox even more secure!
I don't see them for IE anywhere, do you?
Hey look, someone used Micro$oft and Security in the same sentence. /facepalm /headdesk /braintoilet
This is true. I've been supporting PCs for 10 years now. 90% of the computer problems I've encountered were resolved by removing or disabling IE add-ons.
addons do browser woes, drivers do vista woes, writers do word woes, analysts do excel woes, math teacher do calculator woes. everybody do woes except man who throw chair. guy who jump in front of car get tired. ancient chinese proverb.
It's because of that that I'll ever prefer linx. It's the most secure browser!!
Linux is for people who don't mind RTFM.
http://members.whattheythink.com/dilbert/dilbert040730.cfm
Quick note: This article is a spin-off of what Eric had to say during the most recent Black Hat Webcast, where Jeremiah Grossman was talking about clickjacking and other related browser issues. Eric made a lot of sense talking about plug-ins and add-ons being the cross-platform low-hanging fruit.
Listen and watch the webinar to hear what he had to say and keep everything in context:
http://w.on24.com/r.htm?e=122494&s=1&k=05ED21C1734D531D2D84CA56F4ADB0F2
Or download the .m4b audio file when we get it online next week here:
https://www.blackhat.com/html/webinars/webinars-index.html
My Mac is invulnerable to uiru[3qo4iutl2hkety;ehjokgheghjndgbnjgdscf
"If your parents never had children, chances are you won't either." -Dick Cavett
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
I fix computers every day. For the past 4 years the majority of my time has been spent removing malware from computers. I can tell you unequivocally that the add-ons to the browser, though they are a threat, are not the primary way that computers get infected (while using IE).
One of the things that I do is look at the add-ons to see what is installed, what is known to be bad, and what is unknown and a possible threat.
Very few infection issues come from the add-ons as the primary source of infection. When one investigates the infections it is obvious that some are coming from add-ons but not primarily. Most are coming from defects in the OS that allow the nefariously infected site to add software without the customer's knowledge.
The problem here is that most of you, yes you slashdot participants, are totally ignorant of all the really nasty flaws in the Windows OS. If you don't want to get infected stay the fuck away from Internet Explorer. There are better browsers out there and you can significantly reduce your chance of infection by using them.
Microsoft is lazy when it comes to security. Now, of course BHOs are an issue, just not the primary issue and to have Microsoft make that statement endangers every IE user.
Malware does not generally get on through requesting permission from the user, though sometimes users are prompted. These messages are either JS or a Windows prompt to install something, but those Microsoft messages are extremely unclear.
So, even if the BHO is an issue for any given machine the problem is in the lazy nature of Microsoft (which presents cryptic messages that the average person doesn't understand) and in order to rid themselves of the popup message they OK it.
This means that the foundation (the basic design) is wrong and it is wrong at the heart of the OS not just in IE's use of BHOs. Firefox for instance has a significantly different design for add-ons which help greatly in ensuring that infection doesn't occur as a result of them.
The Windows OS is a Swiss cheese of security and one of those holes is IE and one smaller hole is the add-on (BHO). To say that the BHO is the primary cause of infection is to give an erection to those writing this shit 'cause they know Microsoft is on the wrong fucking track, and Microsoft is in denial.
You can lead a man with reason but you can't make him think.
This sounds like it is the same guy who wrote the excellent freeware Fiddler monitor. Of course Eric Lawrence is not that uncommon a name.
I wonder if he could add more value to MS and the world by working on that instead of this kind of thing (which is really just a blame game).
Every time IE or Acrobat crashes my machine, it reminds me that a data viewer should not be deeply embedded into the OS. It's all downhill from there.
This is where we end up going in circles...
Windows has had problems for YEARS because of the moody s/w written by the likes of Adobe, etc. - and they'll still pretend that it's *essential* to run several apps in the background, all day, in case you *might* want to access them - as well as several that you *don't* (Nero Indexer, anyone?). And now the problem has been replicated onto the browser plugins. But let's all blame MS/ IE, it's easier...
It isn't as if companies such as Adobe, Apple and the like don't have the resources, beta OS's or time to write decent code for IE, or even Windows itself. How many YEARS did it take Apple to write a decent Quicktime player? Why did it take another YEAR for Adobe to write an installer for IE7/ Vista that wasn't tripped up by the sandbox? But let's all blame MS, it's easier...
These companies will always blame MS/ IE, because all the fanboys will then roll their eyes and say "well, no surprise there" and leave it at that. It seems that every time MS try and implement something new, everyone throws their arms in the air and collectively shouts "standards! standards!" (I can still remember being told that AD would never get anywhere with Novell in place) - and yet here we all are, raving about Chrome being able to run separate instances (old news for IE), and Firefox being more secure - more secure? I'm now on 50+ users who have all looked on in horror as I expose their passwords in English with two clicks. Oh, you can secure the p/w list, but I haven't seen a single user do that yet - *not one*. You won't get any argument from me about FF being technically better and nicer to use - but at the end of the day, your non-tech client won't be interested in your protestations about browser security when their laptop has been stolen and their bank accounts emptied (even when they themselves installed it 'because my son said it was better'). So we're really talking about swapping the frying pan for the fire, as opposed to a one-stop-shop for all.
Which means no easy way out - but you could do worse than start learning about Group Policy/ local settings, and stop assuming that the browser will just protect you from anything by default - otherwise you may as well just assume that Windows 'is set up right' and not bother configuring that either....which is, of course, what loads of users have done with Vista itself - and those same users (for instance) then turn off UAC 'because it's annoying', and still see nothing wrong with blaming MS when they come unstuck because that in turn disables IE protected mode...
As for plugins, I generally block my clients' plugins by default anyway. Flash may be wonderful, but if Yahoo insist on using it to drive a Land Rover in front of what I'm trying to read (for example), then no thanks. RealPlayer? It was years before I realised that they were actually separate from Gator (remember them?), simply because of their software's behaviour. Quicktime? No, I don't want to install Safari sneaky-style just because updating Quicktime seemed like a good idea. And then there's the Gator (sorry, Google) toolbar....The list goes on - but hey, let's just blame MS. If they block s/w, they're being non-standard - if they allow the sort of power coders want, their OS/ browser is rubbish.
No-one is asking *why* it has taken Firefox three versions to get it right, and everyone is ignoring the second browser war that's only making losers out of everyone (and if you don't think there's a second format-war on already, try signing up to Be Unlimited with IE - yup, written for FF, won't work in IE).
Right now, plugins are the least of our worries.
Well, they could at least have brought a little more evidence to the table than "because we say so".
Or do people trust claims based on the claims rather than based on the evidence?
Great!
Now a new entrant in our 64-bit OS is here with the all new, shiny Flash for Linux.
And although there is no IE there, I bet there will be a hack one of these days. Didn't anybody hack an Apple via Flash?
The best security advisory _ever_ would be to deny interactive plugins that work without user intervention (JavaScript, Flash, Silverlight) so that we can go back to basics: read information.
Microsoft is currently blaming plugins (Flash, Java, QuickTime, etc) for security problems. These typically come with your computer, and if you uninstall them, some sites stop working. On Windows, each one uses a different automatic update mechanism, each of which is confusing and/or evil in its own way, resulting in the majority of users having outdated plugins.
Firefox fans on Slashdot have blamed extensions (Adblock, Forecastfox, etc.) for memory leaks. Plenty of people use Firefox without extensions. Most extensions do not interact with data from web pages, so while they can cause memory leaks, they rarely cause security holes. When an extension does have a security hole, Blake Kaplan improves APIs to make similar holes less likely in the future.
I work for Mozilla, and I agree with Microsoft that plugin security holes are a major problem.
The shareholder is always right.
Windows is insecure by design.