Slashdot Mirror
Experts Say To Switch Browsers In Light of IE Vulnerability
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
...probably won't. Most uneducated users that read the article will probably be of the mindset "oh, it won't happen to me".
The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae. I seldom format & install windows now, unlike before I took that measure.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
Just start over. The thing's a chunk of crap that doesn't render stuff properly and must be a nightmare to maintain.
Pick another rendering engine - WebKit or Gecko - and build a browser around it. Maybe provide IE classic for those poor schmucks who are at jobs with crappily coded intranet apps full of client side VBScript, but don't make it the default.
I used to spend all day on Slashdot and now I only check it occasionally.
I guess some good came out of it after all.
.. in fact I'm a diehard linux fanman (too old to be a fanboi!)
But even I'm getting sick of the hysterical anti MS reaction every single time some exploit appears for some or other program. Some people particularly media commentators need to get a sense of perspective and understand that no complex piece of software can really ever be bug free and these sorts of errors will creep in occasionally. Who hear who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine? Probably all of us. So look around you to spot the glass before you start chucking any stones!
But not all browsers are welded to the kernel.
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.
Few browsers enable privilege escalation like IE does on a regular basis.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Running web content in a sand boxed environment is exactly one of the features Google emphasized with Chrome. Web content is inherently untrustworthy so this is a smart move. It's sort of like wearing a web-condom: used to be that going bare-browser was mostly safe as long as you were careful who you interacted with, but nowadays even the pretty ones can burn you, so your best bet is to just wrap your tool ... with a sandbox. (I'm still working on the analogy)
Firefox to me is more secure in a way because it usually has security patches released within 48 hours or so after a 0-day exploit, sometimes even within 24 hours. Microsoft on the other hand has been known to leave 0-day exploits unpatched for months.
Also, Microsoft patches have to wait for their nightly automatic install or when a user shuts down their PC. I believe Firefox checks every time it is launched for updates and installs them. The odds are, you are going to get patched quicker using Firefox then IE.
"PEBKAC - problem existing between keyboard and chair".
Ahhh okay. I don't see how Firefox freezing for twenty seconds is a problem caused by the user. Why do you blame the user and not the programmers?
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
For all Slashdot's leanings toward open source and hatred of all things microsfot or proprietary, does anyone else find that Slashdot itself acts like a closed source company?
You mean like how they host the code that runs their site on a publicly available CVS server and FTP site? Open source means that you can modify the code however you want, not that other people will modify the code however you want.
http://www.mhall119.com
I think shoes flying is more accurate.
OK, is this whole red thing some kind of mass troll, or is a new format change about to be hoist on us all? Screenshots, or it never happened.
May the Maths Be with you!
Sure, but I think the more valid point (the one the parent was trying to make) is that ./ would do well to have some sort of Changelog page that also includes changes to come. This way, folks aren't "adjusting their television sets" when the feature de jour makes an appearance. They'll have a place to RTFM.
Well phishing doesn't depend on client side vulnerability anyway--it's a social hack.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group. If we finish the sentence, it's:
"I cannot recommend people switch due to this one flaw, because I'd loose my job." said John Curran, head of Microsoft UK's Windows group.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
Most likely the 150 extensions and plugins? That has been the cause of most of Firefox's slowness, in my experience.
And then read the fallout where the readers debunk what the article says, including posts to problems with IE that for some reason were completely ignored when doing the compilation.
I will just point out that Firefox is #1 because they *patched* the most vulnerabilities.
Only in Bizarro Planet this would define the most unsafe application.
IANAL but write like a drunk one.
Which is what Microsoft always says: You're gonna get screwed if you use our crappy browser, but at least we warned you.
No software is perfect, and everything has security flaws, but it seems to me, even 8 years after Microsoft (claimed they) took a serious position on security, they still seem to have an order of magnitude more problems than everyone else. Yeah, I know, they're the biggest target, but for crying out loud, Google wrote chrome from scratch* in less time than IE7 was in beta (or if not, it wasn't too far off) and came up with a browser that blows away IE in every single way except the number of desktops that have it installed.
Microsoft is at the point where they can do little but admit that there's nothing constructive they can do any more. It's been obvious for years to people in the know, but they've reached a point of diminishing returns: It obviously takes more effort to keep their bloated corpse of an operating system (and its 10-years-out-of-date browser) just working and free of 0-day exploits (leave alone catching up with the competition) than it would be to start over like Apple did with OSX.
How much longer will it take for MS to wake up? When the amount of effort needed for them to keep Windows limping along exceeds to man-power of the entire planet? It probably won't begin until the chair-tosser-in-chief is gone, and then it take years for them to recover. It used to be that Microsoft put as much effort into maintaining their monopoly as they did in their software. Now it seems maintaining their monopoly receives all but the smallest fraction of attention. The rest goes to plugging holes in the about-to-collapse dyke.
* For certain values of "from scratch"
You are in a maze of twisty little passages, all alike.
The Church of England does not consider itself the only true Christian church in the world - they recognize the Old Catholics, for example.
And yes, Anglicans consider themselves to belong to the Catholic Church of all faithful Christians, just as any other Christian denomination that subscribes to the Nicene Creed (this includes all Protestants, too). It stems from the following line in the Creed:
"We believe ... In one, holy, catholic, and apostolic Church"
(note that this was written before the Great East-West Schism)
Here are some, hopefully, more coherent explanations of this. I'm not a theologian, so I can only push the limits of sanity so far :)
so it's not actually Microsoft that's suggesting that people switch browsers
Au contraire. "I cannot recommend people switch due to this one flaw". Translation: We've given you countless reasons to switch already. Here's one more.
IE users (and Windows users in general) remind me of the plight of the abused spouse, caught in the endless cyle of abuse. This is phase 2. A fix has been promised for tomorrow. That's phase 3. How many times is the average victim victimized before they leave? Way too many.
db
I am literally 3000 tokens away from the chaotic crossbow --Stephen