Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Say To Switch Browsers In Light of IE Vulnerability

Posted by timothy on from the here's-my-number-if-the-place-burns-down dept.

It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.

17 of 455 comments (clear)

  1. Those that haven't already changed... by celardore · · Score: 5, Insightful

    ...probably won't. Most uneducated users that read the article will probably be of the mindset "oh, it won't happen to me".

    1. Re:Those that haven't already changed... by SkankinMonkey · · Score: 4, Insightful

      Yea but the ones that they support and frequently think it's a good idea to click on the 'Hit the target to get a free iPod' ad is a good idea.

    2. Re:Those that haven't already changed... by denis-The-menace · · Score: 4, Insightful

      Corps won't change either, cause their most computer-illiterate users happens to be their CIO and his/her underlings.

      If something huge happens, FF may actually get into corps even without a Mozilla-created, Corp-approved MSI package.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    3. Re:Those that haven't already changed... by joelholdsworth · · Score: 5, Insightful

      I was listening to BBC Radio 1, and they had a news item about it this morning. But I think GP is right - I can't imagine it will make many users switch. However, as more and more people within the technical community become jaded with the consistent poor quality in Microsoft's offerings, MS will inevitably loose mind-share, and hence their strangle hold on the industry will loosen.

      It's this sort of thing that made me switch over to Linux a year ago. I haven't looked back.

    4. Re:Those that haven't already changed... by minerat · · Score: 5, Insightful

      Yes, but it's often many days out of sync with the official releases. In more bureaucratic organizations you're not going to get some random 3rd party build of an application that handles as much sensitive data as a web browser approved. Mozilla needs to realize that wider corporate adoption requires easy manageability. MSI + Group Policy Template FROM MOZILLA would be huge.

      --
      ...and you've eaten your pen. simply stunning.
  2. Vulnerability by conureman · · Score: 5, Insightful

    The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae. I seldom format & install windows now, unlike before I took that measure.

    --
    The cost of that cleanup, of course, will be borne by taxpayers, not industry.
  3. Re:Red header by jadrian · · Score: 5, Insightful

    I used to spend all day on Slashdot and now I only check it occasionally.

    I guess some good came out of it after all.

  4. Re:Is any browser safe? by Raenex · · Score: 5, Insightful

    So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

    Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.

  5. Re:Is any browser safe? by Svartalf · · Score: 4, Insightful

    Few browsers enable privilege escalation like IE does on a regular basis.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  6. Re:Is any browser safe? by LtGordon · · Score: 4, Insightful

    Running web content in a sand boxed environment is exactly one of the features Google emphasized with Chrome. Web content is inherently untrustworthy so this is a smart move. It's sort of like wearing a web-condom: used to be that going bare-browser was mostly safe as long as you were careful who you interacted with, but nowadays even the pretty ones can burn you, so your best bet is to just wrap your tool ... with a sandbox. (I'm still working on the analogy)

  7. Re:Microsoft should just scrap IE by hey! · · Score: 4, Insightful

    They won't, because there are only two things shoring up their critical desktop OS monopoly in the enterprise at this point: Office and IE.

    User and developer dependencies on IE's peculiarities makes not having access to Windows inconvenient. Microsoft's own web software are designed to provide users of alternative browsers with inferior experience.

    Keeping those "poor schmucks" dependent on IE is worth a great deal of money to MS.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Re:Is any browser safe? by chrisgeleven · · Score: 5, Insightful

    Firefox to me is more secure in a way because it usually has security patches released within 48 hours or so after a 0-day exploit, sometimes even within 24 hours. Microsoft on the other hand has been known to leave 0-day exploits unpatched for months.

    Also, Microsoft patches have to wait for their nightly automatic install or when a user shuts down their PC. I believe Firefox checks every time it is launched for updates and installs them. The odds are, you are going to get patched quicker using Firefox then IE.

  9. Re:Microsoft should just scrap IE by Reality+Master+201 · · Score: 5, Insightful

    Yeah, believe me, I've done a lot of corporate consulting, and there's plenty of places with stuff that they'd have to recode to move off IE. Stuff that uses client side VBScript and extensive ActiveX controls. Sometimes it's 3rd party apps from a timesheet system vendor or whatever.

    It already works. So why recode just to make the computer geeks happy?

  10. Re:Red header by mhall119 · · Score: 5, Insightful

    For all Slashdot's leanings toward open source and hatred of all things microsfot or proprietary, does anyone else find that Slashdot itself acts like a closed source company?

    You mean like how they host the code that runs their site on a publicly available CVS server and FTP site? Open source means that you can modify the code however you want, not that other people will modify the code however you want.

    --
    http://www.mhall119.com
  11. Re:In other news ... by funehmon · · Score: 5, Insightful

    I think shoes flying is more accurate.

  12. Re:Red header by Fastball · · Score: 4, Insightful

    Sure, but I think the more valid point (the one the parent was trying to make) is that ./ would do well to have some sort of Changelog page that also includes changes to come. This way, folks aren't "adjusting their television sets" when the feature de jour makes an appearance. They'll have a place to RTFM.

  13. Re:In other news ... by ConceptJunkie · · Score: 4, Insightful

    Which is what Microsoft always says: You're gonna get screwed if you use our crappy browser, but at least we warned you.

    No software is perfect, and everything has security flaws, but it seems to me, even 8 years after Microsoft (claimed they) took a serious position on security, they still seem to have an order of magnitude more problems than everyone else. Yeah, I know, they're the biggest target, but for crying out loud, Google wrote chrome from scratch* in less time than IE7 was in beta (or if not, it wasn't too far off) and came up with a browser that blows away IE in every single way except the number of desktops that have it installed.

    Microsoft is at the point where they can do little but admit that there's nothing constructive they can do any more. It's been obvious for years to people in the know, but they've reached a point of diminishing returns: It obviously takes more effort to keep their bloated corpse of an operating system (and its 10-years-out-of-date browser) just working and free of 0-day exploits (leave alone catching up with the competition) than it would be to start over like Apple did with OSX.

    How much longer will it take for MS to wake up? When the amount of effort needed for them to keep Windows limping along exceeds to man-power of the entire planet? It probably won't begin until the chair-tosser-in-chief is gone, and then it take years for them to recover. It used to be that Microsoft put as much effort into maintaining their monopoly as they did in their software. Now it seems maintaining their monopoly receives all but the smallest fraction of attention. The rest goes to plugging holes in the about-to-collapse dyke.

    * For certain values of "from scratch"

    --
    You are in a maze of twisty little passages, all alike.