Experts Say To Switch Browsers In Light of IE Vulnerability
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
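The flaw class described in the quoted Microsoft statement (an object released while the array length still counts it), shown next to a corrected release routine. This is an added C illustration, not Internet Explorer code and not part of the original post; `Binding`, `BindingArray` and every function name are hypothetical, and "freeing" is simulated with a `live` flag so the stale slot can be inspected without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_BINDINGS 8

/* Hypothetical stand-in for a data-bound object. Releasing it only clears
 * `live` (a simulated free), so stale slots can be examined safely. */
typedef struct {
    int id;
    int live;
} Binding;

typedef struct {
    Binding *items[MAX_BINDINGS];
    size_t   length;              /* slots the rest of the code will walk */
} BindingArray;

static Binding pool[MAX_BINDINGS]; /* simulated heap backing the objects */

static void array_init(BindingArray *a, size_t n) {
    a->length = 0;
    for (size_t i = 0; i < MAX_BINDINGS; i++) a->items[i] = NULL;
    for (size_t i = 0; i < n && i < MAX_BINDINGS; i++) {
        pool[i].id = (int)i + 1;
        pool[i].live = 1;
        a->items[a->length++] = &pool[i];
    }
}

/* Flawed pattern: the object is released but the slot and the length are
 * left alone, so later iteration still reaches the released object. */
static void release_flawed(BindingArray *a, size_t idx) {
    if (idx >= a->length) return;
    a->items[idx]->live = 0;      /* simulated free(); pointer stays in slot */
}

/* Corrected pattern: release, compact the array, shrink the length and
 * clear the vacated slot so no stale pointer remains reachable. */
static void release_fixed(BindingArray *a, size_t idx) {
    if (idx >= a->length) return;
    a->items[idx]->live = 0;
    for (size_t i = idx + 1; i < a->length; i++)
        a->items[i - 1] = a->items[i];
    a->length--;
    a->items[a->length] = NULL;
}

/* Invariant check: every slot below `length` must reference a live object. */
static size_t count_dangling(const BindingArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->live) n++;
    return n;
}

/* Release the middle of three objects with each routine and report how
 * many reachable slots violate the invariant afterwards. */
static size_t demo_flawed(void) {
    BindingArray a;
    array_init(&a, 3);
    release_flawed(&a, 1);
    return count_dangling(&a);
}

static size_t demo_fixed(void) {
    BindingArray a;
    array_init(&a, 3);
    release_fixed(&a, 1);
    return count_dangling(&a);
}

static size_t demo_fixed_length(void) {
    BindingArray a;
    array_init(&a, 3);
    release_fixed(&a, 1);
    return a.length;
}

int main(void) {
    printf("dangling slots after flawed release: %zu\n", demo_flawed());
    printf("dangling slots after fixed release:  %zu\n", demo_fixed());
    printf("length after fixed release:          %zu\n", demo_fixed_length());
    return 0;
}
```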
Whoa what happened to Slashdot's main page...
This story's title header was red.. Is that like "woop woop warning warning" red? Or something else?
Water still wet.
Pope still Catholic.
...probably won't. Most uneducated users that read the article will probably be of the mindset "oh, it won't happen to me".
The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsers. I seldom format & install windows now, unlike before I took that measure.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
Just start over. The thing's a chunk of crap that doesn't render stuff properly and must be a nightmare to maintain.
Pick another rendering engine - WebKit or Gecko - and build a browser around it. Maybe provide IE classic for those poor schmucks who are at jobs with crappily coded intranet apps full of client side VBScript, but don't make it the default.
Wow.... at least something new in the middle of the slow news day.
Does this affect IE8 compatibility mode?
Really, what choice did they have? I can see a class action from *lots* of angry people whose computers have been hosed and bank accounts hoovered would cost far more than not acting. Not to mention the loss of faith.
Now all we need is a certain percentage of people who try the fox being either too taken with it or too lazy to change it back.
Poor MS, what with Vista they have been having a bad time of it recently.
Waaaay back when I used I.E all anti-spyware apps used to find a ton of spyware. Since switching to Firefox (0.6 I think it was at the time) I hardly ever have to run any anti-spyware, when I do the list is very short and is always just minor issues. Just switching to a decent browser that is separate from the OS instead of being buried so deep in the OS makes a huge difference - and makes a lot of sense to me :) Remember that SSL security issue in I.E and the fix was in the Windows kernel, niiiiice, real nice, me no touchy IE anymore.
Let's face it - there's no shortage of "other" browsers to choose from these days.
Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.
Just a thought.
throw new NoSignatureException();
I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.
Now, if you don't mind, I'll go back to my nap.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
.. in fact I'm a diehard linux fanman (too old to be a fanboi!)
But even I'm getting sick of the hysterical anti MS reaction every single time some exploit appears for some or other program. Some people, particularly media commentators, need to get a sense of perspective and understand that no complex piece of software can really ever be bug free and these sorts of errors will creep in occasionally. Who here who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine? Probably all of us. So look around you to spot the glass before you start chucking any stones!
Ow. :(
I guess Microsoft should have programmed Internet Explorer in Java. Serves them right.
It rubs the karma on its skin, or it gets the mod again.
RTFA.
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Next week's news: "Microsoft experts" advise users to temporarily switch to a different OS, as they prepare to roll out Windows 7... ... jokes aside I haven't been THAT peeved with Vista. The interface is awkward, file transfers are dramatically slower than Ubuntu, and downloading a file over the internet invokes a 20 second freeze in Firefox. Other than that, it seems more stable than XP, and is responsive enough on my recently upgraded desktop.
It has been relegated to a game console status though, at least for me.
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
FTA:
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.
When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space.
I don't use IE, but from the summary, doesn't it sound like simply dis-enabling data binding would keep the hole from being exploited?
http://www.geoffreylandis.com
My laptop has an older IE; version 5 I believe..... will this flaw affect that too, or is it just a flaw in the current version of IE?
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
Especially since it happens nearly every day. Oh noes!!!! Everybody panic!!! Another exploit in Windows/Office/Explorer. WOE is us!!!
Perhaps if we phrased it like a sponsored ad: "Todays exploit brought to you by yet another buffer overflow error!" "This morning's gaping security hole sponsored by Stormworm. Stormworm: The worm of choice for the discerning mailbot."
Help stamp out iliturcy.
This is especially strange news in light of an article from zdnet, http://blogs.zdnet.com/security/?p=2304, saying that firefox is the top bad example from a list of 12 programs with the worst security record. More interestingly, they don't even mention Internet Explorer as having bad security problems, despite news like this. Does Microsoft just pay journalists to write things like this on the day before they know they have bad news to release in hopes that people won't notice their security problems?
step 1:
we need an exploit for it, which will install firefox and replace the internet explorer on the victims pc.
step 2:
put this exploit on every website we have access to.
step 3:
hooray!
Good news for firefox
Don't just switch browsers, switch Desktop Distros. In fact, for any kind of online financial activity use a bootable CD. Before you say it, you won't have to pay rent on these Live CDs.
davecb5620@gmail.com
This post reads, "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched."
TFA reads, "Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it." Also, "Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed."
Microsoft gets enough bashing in here that front page posts don't need to lie to give them more negative press. This is growing more into Digg every day... can has some moderation on posts pls?
I don't use IE, unless when I have to. At home it's Safari or Firefox (less since I have been getting the _JS_FloorLog2 issue, which nobody wants to fix), on my Mac and then at the office, with Windows XP, it is generally Firefox and SR Iron. Since I do work in web development I do have to check stuff with IE7 (we have just been given the green light to drop IE6 :) ), since like it or not the market share is still too large.
Jumpstart the tartan drive.
"Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed"
davecb5620@gmail.com
If I had any mod points, I'd moderate you -1 Redundant for saying that the article summary is incorrect and states things that are unsupported by the linked articles. There's a comment like this on almost every discussion thread and if that doesn't fit the definition of redundant, then I don't know what is.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
"Botnets, spammer's botnets!
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets.
All running Windows, FOO!"
I'm running Mac OS X 10.5.6, here.
Why, yes. Yes, I AM a smug bastard. Why do you ask?
Why, yes. I AM a smug bastard!
Thanks for asking.
Guaranteed! This comment 100% Anthrax free!
"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."
Then
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
So NO, it's not Microsoft who recommends switching browsers, they even say
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
I wanted to clarify it since the story wasn't that clear...
The article says many thousands of web sites were compromised.
HINT: It's not only a browser problem.
Anyone think of locking down the website? ... those with the money prevail in courts and that's what's wrong with our screwed up legal system today.
Why not secure your website and wise up, you webmasters?
If hackers wrote data to your site, never mind the Web browser!!
Fix the people.
It's people: ISPs' site hosting personnel and security that's lacking, no?
I help lawyers in legal battles. I'm not a lawyer, but I'm proud to be able to help them fix the blame where it belongs.
Otherwise Rich idiots guilty as hell,
Why don't these big INEPT corporations fire their inept so-called webmasters?
Why not add the thousands of websites to a list like sex offenders?
Who let the hacksters write their websites? Why can't they fix their problems? /inept people problem too.
Now here's a thought for you all.
Web browsers don't write web sites. Ineptitude and negligence allow hackers to compromise them.
It's just as much the fault of the webmaster as it is the browser.
It isn't just a browser problem, it's stupid.
We live in a dumbed-down society and that's another problem.
People with no guts refuse to blame people anymore; it's so much easier for them to blame this on inanimate objects' security flaws.
Yes, we should stop using IE till fixed, but let's not forget about how the sites were compromised. IE didn't do that; people's inability let this happen.
You could visit a phishing site and a bank site in one session.
(only really works for Vista, and I -think- is the default in 64 bit...isn't in 32 bit for compatibility reason, but works fine on my side...)
Step 1: Make sure IE is running in protected mode
Step 2: In internet option, in advanced, in Security, make sure "Enable Memory protection..." is enabled (need to run IE as admin to toggle that)
There, exploit doesn't work anymore. It crashes IE, yes, but it can't do much anymore. That's not so bad, knowing that even a buffer overflow that should be able to totally own your system can, at best, crash your browser...
The only issue here is that in 32 bit Vista, memory protection is done in software and can cause issues, so it's not the default... If it was, this would be an annoyance at best.
The internet is large. One out of every 5000 sites is a lot. Cut your losses and run while you can.
"I cannot recommend people switch due to this one flaw,"
How about the thousand and one other "flaws" that have been in IE? Which "Flaw" will break the camel's back?
Perhaps that is MS' problem right there, they are looking at each flaw individually, and not the aggregate nor the systemic problems.
Where's the good journalism followup question ... "is there any flaw that would cause you to recommend switching? "
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
- Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.
- By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
---
In other words, if you are running IE7 or IE8 on Vista, about the most that can happen is your browser crashes.
This is another example of where people telling their friends and users to stay with XP screws them over.
As much as people want to hate Vista, there are some real GOOD freaking reasons average users should be using it.
If you want a good RealLife example, find a friend that has both an XP machine and Vista that has the same users on each computer (like your neighbor's family) and notice there are tons of spyware crap on the XP computer and 99.9% of the time NONE on the Vista machine.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group. If we finish the sentence, it's:
"I cannot recommend people switch due to this one flaw, because I'd lose my job," said John Curran, head of Microsoft UK's Windows group.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
Microsoft is not telling people to use alternate browsers as this /. article states. They just recommend people be "vigilant" when browsing with IE.
As much as I'd like to push out firefox for my users, I have many users in a domain environment with mapped applications directory; firefox is simply unmanageable in this environment.
Of all the improvements they are making in firefox, they are ignoring a potentially very large audience by not including some way to manage the browser in a corporate environment.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
Will this patch be provided in a manner that does not require one to run the vulnerable browser to download and install it?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
"I cannot recommend people switch due to this one flaw,"
so he's recommending ppl switch due to numerous bugs then? :o)
there are thousands of windows applications that don't work on Linux - thankfully
Well, anyone with public relations skills (I know, I know, this IS Slashdot) will recognize that they are actually saying "Switch to an alternative browser to save yourselves!!! But I can't really say that in clear language, since it will not sound good to the PHB".
"The fate of the technology became apparent when Google Chrome was launched in September 2008: several former GreenBorder employees were named in a description of the new browser's sandboxing ability."
http://en.wikipedia.org/wiki/GreenBorder
In BBC Radio 5 Live an MS representative was giving the suggested steps to protect Windows machines, the full 4 of them.
The newsreader and presenter, Anita Anand asked if it would not be easier just to switch to another browser.
The MS guy replied with the platitudes to be expected, the important point is that mainstream non technical media are getting the idea.
IANAL but write like a drunk one.
In order to pretend they were not acting anti competitively (yeah, right) they made explorer pretty much the core of your desktop experience.
This, as any Linux/UNIX (even OSX) knows, is not necessary at all.
By growing a little Frankenstein driven by marketing and legalese rather than need and technical merit, they are left with an unworkable pile of binary mess that will be almost impossible to untangle.
Their bad actions are coming back to haunt them...
IANAL but write like a drunk one.
Websites nowadays rely on Java, Flash, and Javascript to present their content. Unfortunately, it is all too easy to get malicious code onto a user's computer using these scripts. In addition, most websites present cross-scripts from other sites (usually in the form of "ads") which they neither monitor nor control. Therefore, a user that visits even a "trusted" site is exposed to potentially malicious scripts. There is only one solution in existence for this problem: the free plugin for Firefox called NoScript. NoScript filters all scripts by default and displays a list of the scripts on the website. The user then chooses which scripts to run. This is the only safe way to visit a website. Allowing scripts indiscriminately is highly dangerous. No browser has a method for selectively filtering scripts by default (not even Firefox). Only NoScript provides this protection (and it is free). I never surf without NoScript.
Out of billions of computers, 6000 sounds infinitesimally tiny. It's a fraction of a fraction of a percent at best... I understand prevention is important, but I mean, can we blow this up anymore? Yeeesh...
Fact: Everything I say is fiction.
Or maybe the problems weren't as big as the one facing IE. I guess that doesn't play to the "oh noez - they being menz 2 duh Microsoftzerz" MS-Fanboi propagandists.
And then read the fallout where the readers debunk what the article says, including posts to problems with IE that for some reason were completely ignored when doing the compilation.
I will just point out that Firefox is #1 because they *patched* the most vulnerabilities.
Only in Bizarro Planet this would define the most unsafe application.
IANAL but write like a drunk one.
Those Linux hippies and their complicated nonsense.
So once again, Protect mode? Where is that in the Control Panel? Why is the memory not protected by default? I am Joe the Plumber, why should I care!
32 bits Vista!? Is that cheaper or more expensive than 31 bits Vista? And 33?
Argh ....
IANAL but write like a drunk one.
Poor MS, what with Vista they have been having a bad time of it recently.
I don't know that that is completely true. IIRC Microsoft have always had a pretty bad time of it.
The difference now is that there are real alternatives.
Take Linux, for example, I've been using it for about 10 years now, but it really is only recently that I can show off - most hardware works and there aren't really any applications that are beyond the OS (other than games).
Apple is also far more acceptable as an alternative - I would imagine because of iPod, iPhones and iTunes etc.
(And as we all know XP is also a real alternative to Vista).
Same with Firefox, because "broken" websites that could only work with IE5.5 were all the rage, Firefox failed (even though it was the better product). But more and more websites are aware of its 20%-40% market share and the IE specific websites are less prevalent. And Firefox is really shining.
Genesis 1:32 And God typed
In the internet the word "only" has very little meaning.
IANAL but write like a drunk one.
I'm a CIO. We don't support IE as a browser. Our internal apps don't work with IE. Any application that required IE to work is removed from consideration for purchase or deployment, period.
From the article: "What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. What does he think the people stealing the game passwords are? They're CRIMINALS. Stealing passwords to snag items from games, sell them in game, then sell the gold for PROFIT. The second market gold selling business has a LARGE amount of money flowing through it with a big profit margin.
Never been Catholic.
It doesn't mean much now, it's built for the future.
I've been able to run Firefox to some extent in a corporate environment and keep it updated - I just create an MSI package whenever a new version of Firefox comes out (3.0.3, 3.0.4, etc) and then roll it out via group policy. Then I just let my users know they should use Firefox for all of their browsing, and use IE only for craptastic activex/VB intranet apps.
You're right though - they really need to make it easier. Keeping plugins, etc updated is impossible.
Just disrupt the deflector shield with a tachyon burst.
Next week's news: "Microsoft experts" advise users to temporarily switch to a different OS, as they prepare to roll out Windows 7." :D
"Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched."
Then
According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
So, which is it?
It's bullshit editing like this that keeps slashdot and other sites like it from being taken seriously by anyone other than the fervent geeks that perpetuate it. Seriously.
When a title and a summary both contain conflicting statements, the article shouldn't even run.
--Toll_Free
The article linked in the text "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while" quotes a Trend Micro spokesman advising users to switch and a Microsoft spokesman explicitly saying he can't advise users to switch over one flaw. This contradicts the summary text.
Security experts first recommended "WHAT THE HELL ARE YOU DOING? STOP USING THE IE TOXIC WASTE FIREHOSE!" in 2004. So far 20% of people appear to have gotten the message. Perhaps it's a Darwinian process at this stage.
http://rocknerd.co.uk
This expert says to switch away from Microsoft if any alternative exists in any application.
It's impressive that no one has commented on the programming languages...
Seriously, for how long would we have to put up with these inferior languages? their design flaws have cost so far billions of dollars!!!
The bug only affects users who "Browse webpages with IE", which MS warns you not to do in the use manual!
so it's not actually Microsoft that's suggesting that people switch browsers
Au contraire. "I cannot recommend people switch due to this one flaw". Translation: We've given you countless reasons to switch already. Here's one more.
IE users (and Windows users in general) remind me of the plight of the abused spouse, caught in the endless cycle of abuse. This is phase 2. A fix has been promised for tomorrow. That's phase 3. How many times is the average victim victimized before they leave? Way too many.
db
I am literally 3000 tokens away from the chaotic crossbow --Stephen
A few days ago ZoneAlarm reported the iexplore.exe was changed, and I don't recall downloading any updates. Hope this wasn't it. Avast should pick up an infection, right?
The computer industry seems compelled to repeat the same mistakes, think
Ken Olsen (CEO DEC) Unix is snakeoil
Always the same!
I run IE6 (don't ask/our change control board is insane) at the office, and it's still reasonably secure. Why? Because we're running a dynamically updated proxy server that can accurately pick out heuristics like this and block them before they hit the client.
There are solutions beyond redoing a user's desktop.
You need a little zest to your Internet experience. A little edge. That's what IE gives you... it brings back that intrepid day you first browsed the 'net when you clicked with trembling finger, alert to the fact that this was so new, anything could happen.
Pfft on Firefox and noscript. You're not hanging it all out there surfing with the big boys and earning your mad dog network security wizard chops until you're surfing with IE without even a firewall!
Help stamp out iliturcy.
The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer
Should have coded it in Java.
[ FLAME SHIELDS ON ]
Sorry, it WAS a typo, but I liked how it turned out, and thought I'd run it.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
Anyone else read the tags "wow" and "firefox" as "wontfix"... considering this is about an IE bug?
Firefox freezes like this if it is trying to load the details of too many previously downloaded files to display in the "downloads" list window. Clear that window (Ctrl-J or Cmd-J to get window, hit "clear list") and problem usually goes. OTOH it could be something else.
-- open source? sounds like the real book --
Perhaps this would be an opportunity for Sun Microsystems to get themselves involved?
So the ratio seems to depend on the sorts of people that a site attracts. On SlashDot, FF is going to be ahead of IE -- when I got SlashDotted some months back, the ratio shot over in favour of FF. For some "computery" sites, FF users may also be regarded as potentially "higher value" visitors than IE users.
I guess that there may still be some in-house corporate sites that require IE, but since some of those sites don't work under Vista, and the future of XP is uncertain, "IE-only" isn't such a safe option any more. What if your corporation wants to equip a few people with netbooks? You can still buy netbooks with XP preinstalled, but if you'd believed MS a few months back, netbooks would be Linux-only by now.
Eric Baird
However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.
I recently had to use a site where IE6 was recommended, and it turned out to use an old "interactive presentation" Adobe app that broke if you had IE7 installed on the system. Even if you used a different browser to access the site, you still had to uninstall IE7, because the associated Adobe software would look for the IE code and try to use it (I think it used HTML container code for its dialog boxes) and that code must have changed under IE7 (probably when IE7 added tabs).
It took a whole afternoon to work out the list of things I had to do to my system (installing, downloading, updating, de-updating) to get that sodding thing to work. Funny thing was, a few weeks later I absent-mindedly tried accessing the same site from someone's Linux Eee PC, and it ran straight away, without having to install or tinker with a thing. Go figure.
Eric Baird
+1, insightful
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Realization-wall hit me hard.