Slashdot Mirror


Experts Say To Switch Browsers In Light of IE Vulnerability

It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

Update: 12/16 21:11 GMT by KD: Microsoft will issue an emergency critical update for IE tomorrow.
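The flaw in the summary (an object released without the array's length being updated, so a later walk reaches the dead object's memory) is a stale-length use-after-free pattern. The C sketch below is added here and is not code from Internet Explorer or Microsoft; it shows the vulnerable release beside the corrected one, plus the check a debug heap or sanitizer performs, with the structure names and the poison byte being assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration (not Internet Explorer's own code) of the bug class the
 * summary describes: an element of an object array is released, the array's
 * length field is not updated, and a later walk over the array touches the
 * dead object's memory. Names and the poison byte are assumptions. */

#define MAX_ITEMS   8
#define POISON_BYTE 0xDD   /* debug-allocator style fill for released memory */

typedef struct { int id; } node_t;

typedef struct {
    node_t *items[MAX_ITEMS];
    size_t  length;        /* number of entries a consumer trusts as live */
} binding_array_t;

static node_t *node_new(int id) {
    node_t *n = calloc(1, sizeof *n);
    if (n) n->id = id;
    return n;
}

static void array_init(binding_array_t *a, int count) {
    memset(a, 0, sizeof *a);
    for (int i = 0; i < count && i < MAX_ITEMS; i++)
        a->items[a->length++] = node_new(i + 1);
}

/* Vulnerable pattern: the object is released but neither the slot nor `length`
 * changes. The release is simulated by poisoning the block instead of calling
 * free(), so the demonstration is deterministic; with a real free() the later
 * read is undefined behaviour, which is the exploitable state the text names. */
static void release_stale_length(binding_array_t *a, size_t i) {
    memset(a->items[i], POISON_BYTE, sizeof *a->items[i]);
    /* BUG: a->items[i] still points at dead memory and a->length is unchanged. */
}

/* Fixed pattern: release, compact the array and shrink `length` in one step, so
 * no walk bounded by `length` can reach the released object. */
static void release_and_shrink(binding_array_t *a, size_t i) {
    if (i >= a->length) return;
    free(a->items[i]);
    memmove(&a->items[i], &a->items[i + 1],
            (a->length - i - 1) * sizeof a->items[0]);
    a->length--;
    a->items[a->length] = NULL;
}

/* A consumer that trusts `length`, as the data-binding code did. */
static long sum_ids(const binding_array_t *a) {
    long total = 0;
    for (size_t i = 0; i < a->length; i++)
        total += a->items[i]->id;
    return total;
}

/* Returns 1 if the walk bounded by `length` would read a released (poisoned)
 * object: the check a debug heap or sanitizer makes and production code lacks. */
static int walk_touches_released(const binding_array_t *a) {
    unsigned char dead[sizeof(node_t)];
    memset(dead, POISON_BYTE, sizeof dead);
    for (size_t i = 0; i < a->length; i++)
        if (memcmp(a->items[i], dead, sizeof dead) == 0) return 1;
    return 0;
}
```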

23 of 455 comments

  1. Re:Those that haven't already changed... by Andr T. · · Score: 4, Interesting

    I think that most people that read news about IT don't use IE already.

    --

    Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.

  2. Re:Red header by Anonymous Coward · · Score: 1, Interesting

    It's obviously another change brought in by the owners.

    For all Slashdot's leanings toward open source and hatred of all things Microsoft or proprietary, does anyone else find that Slashdot itself acts like a closed source company? When was the last time there was any proper discussion or announcement about changes being made? The site itself is merging into some web 2.0 bollocks, the site has lost its intuitiveness, the firehose doesn't even work properly in Opera and a million other crappy changes that have made this site degenerate.

    I used to spend all day on Slashdot and now I only check it occasionally.

  3. Is any browser safe? by Toreo asesino · · Score: 5, Interesting

    Personally I don't use IE for most things, but I don't use Firefox for reasons of security at all; just because the extensions rock.
    To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.

    So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

    And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised Firefox setup that nailed it to the floor.

    Just a thought.

    --
    throw new NoSignatureException();

    1. Re:Is any browser safe? by the_B0fh · · Score: 2, Interesting

      First of all - Firefox was designed with security in mind.

      IE was not. That alone is enough to drive me off IE. Go to the Risks digest and read what Bob Atkinson wrote about Authenticode - he basically says that a broken screen saver has higher priority than security issues - and authenticode is the security technology behind ActiveX. And Atkinson is the fucking author of authenticode.

      http://catless.ncl.ac.uk/php/risks/search.php?query=authenticode

      And what you want - that technology already exists. A company called GreenBorder made it. Guess what - google bought it. Hopefully, the big G will release it soon.

    2. Re:Is any browser safe? by nschubach · · Score: 2, Interesting

      Unless the sandbox is created with a fresh copy of the executable every time it starts... Start Browser, OS copies a clean executable/settings into a sandbox and runs said executable. Upon exiting, sandbox is deleted along with any garbage that was injected by malicious sites.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.

    3. Re:Is any browser safe? by TheRaven64 · · Score: 2, Interesting

      It always has been, it's just been stupid, because a lot of complex dialog boxes in Windows (e.g. Windows Update) used the mshtml DLL for display. You can delete iexplore.exe and explorer.exe and use something else for your shell, and delete mshtml.dll and make sure you don't run any applications that depend on it. The kernel is still happy, as are the low-level parts of the userland, but a huge amount of the GUI depends heavily on it.

      --
      I am TheRaven on Soylent News

    4. Re:Is any browser safe? by Shados · · Score: 2, Interesting

      No citation, I was only going by the historical background of both browsers. Firefox has its roots in Mozilla, which was...less than stellar back in the days. Of course, everything changed and that background is fairly irrelevant now.

      And the vulnerability is an issue because not everyone is on Vista, not everyone has UAC on, and most people (including me until 2 days ago!) know about the memory protection feature (plus, while I didn't hit any, it supposedly can have some incompatibility issues with some IE plugins in 32 bit... Silverlight, Flash and Java work fine though).

      Plus well, it's still bad if someone can crash your browser with JavaScript. But it still IS a valid workaround for that issue (and most future IE exploits) that makes something that would be totally horrible into a mere pain in the butt.

    5. Re:Is any browser safe? by arevos · · Score: 2, Interesting

      Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.

      Isn't Chrome meant to do this? Each tab in Chrome is an individual sandboxed process.

    6. Re:Is any browser safe? by swillden · · Score: 2, Interesting

      No citation, I was only going by the historical background of both browsers. Firefox has its roots in Mozilla, which was...less than stellar back in the days.

      Netscape/Mozilla was never particularly bad with respect to security. Certainly it wasn't any worse than IE.

      Of course, everything changed and that background is fairly irrelevant now.

      Agreed.

      And the vulnerability is an issue because not everyone is on Vista, not everyone has UAC on, and most people (including me until 2 days ago!) know about the memory protection feature (plus, while I didn't hit any, it supposedly can have some incompatibility issues with some IE plugins in 32 bit... Silverlight, Flash and Java work fine though).

      So, people could upgrade to Vista, leave UAC on (with attendant annoyances), and learn about and turn on the memory protection feature (assuming it's not on by default), or... they could install Firefox. Time and expense for the first option: many hours and hundreds of dollars. Time and expense for the second option: 15 minutes and no cost.

      I realize you were responding to claims that IE was designed without security in mind, not evaluating the practicality of different options. My point, though, is that IE *was* designed without security in mind, and that your response is proof of that fact. Microsoft's belated attempts to fix it without starting from scratch (as they've finally done with IE8) rely on heavy-handed tools provided only in their latest OS and which come with their own set of disadvantages.

      Firefox's security relies on careful design and implementation, plus a very quick patch turnaround time and automated update process -- that, somehow, never seems to break things, in spite of Microsoft's insistence that patches that don't receive heavy QA must.

      If IE's use of Vista memory protection turns out to be highly effective (time will tell), then Firefox developers will make use of it as well, and FF users will have the benefits of both that technology AND good implementation practices and quick, effective update processes.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  4. another OS by TheMeuge · · Score: 3, Interesting

    Next week's news: "Microsoft experts" advise users to temporarily switch to a different OS, as they prepare to roll out Windows 7... jokes aside, I haven't been THAT peeved with Vista. The interface is awkward, file transfers are dramatically slower than Ubuntu, and downloading a file over the internet invokes a 20 second freeze in Firefox. Other than that, it seems more stable than XP, and is responsive enough on my recently upgraded desktop.

    It has been relegated to a game console status though, at least for me.

  5. Re:bear. woods. pope. hat. by tekrat · · Score: 2, Interesting

    Poor MS, what with Vista they have been having a bad time of it recently.

    Poor Microsoft? You've gotta be kidding me. If your main products are crap, you get what you deserve. Anyone who thinks that Windows or IE are great obviously hasn't even tried anything else seriously.

    At the Trenton Computer Fair earlier this year I was handed an Ubuntu disc. I've subsequently loaned this disc to others, made copies, etc., etc, and everyone that actually put it in their computer and tried it came back to me to tell me how amazing it was.

    If given a viable alternative, PEOPLE WILL SWITCH, and move away from MS/IE/Windows, and its associated legacy crud.

    And yes, I own a PC running Windows (2000). But I also own an iMac, an Eee PC, and various SGI and Sun boxen. And a machine running Ubuntu.

    --
    If telephones are outlawed, then only outlaws will have telephones.

  6. Re:Those that haven't already changed... by fuzzyfuzzyfungus · · Score: 5, Interesting

    Speaking as an institutional IT underling, a Mozilla-created MSI for Firefox would be really, really handy. As would a mechanism for installing extensions and updates in a more manageable way. Here, at any rate, there is no real opposition to FF per se; but deployment has, thus far, mostly foundered. "Well, IE updates can be deployed within the system with WSUS, FF updates will happen per machine and be blocked by the firewall, and there is no way in hell we'll be able to keep all the machines updated manually." Which is largely true.

    Now, this mostly comes down to the fact that Windows doesn't have anything nearly as nice as real package management (WSUS for MS apps and drivers only is the closest they really come), so apps end up rolling their own with varying degrees of success, which sucks. If we were running *nix this wouldn't be an issue. Unfortunately, that isn't really my option. If FF had a decently manageable MSI option, I'd probably install it on all user machines tomorrow; but until then I'll have to stick with using it on a more limited scale. (You think I would use IE for anything beyond the broken intranet stuff?)

  7. Strange news by femtoguy · · Score: 2, Interesting

    This is especially strange news in light of an article from ZDNet, http://blogs.zdnet.com/security/?p=2304, saying that Firefox is the top bad example from a list of 12 programs with the worst security record. More interestingly, they don't even mention Internet Explorer as having bad security problems, despite news like this. Does Microsoft just pay journalists to write things like this on the day before they know they have bad news to release in hopes that people won't notice their security problems?

  8. Re:Those that haven't already changed... by archen · · Score: 3, Interesting

    Really it's not that simple. I was a supporter of Firefox in my organization, and to my surprise I pretty much won. We use Firefox for nearly everything. Nearly. I have Content Advisor turned on for each of the machines which for the most part cripples IE and makes it nearly impossible to actually browse the web. IE is still very necessary for many sites which are required for our operation. Not internal "we developed in house badly designed pages", but actual corporate sites to manage various accounts on the Internet. It's surprising in 2008 that companies could have their head stuck in the sand that badly, but they seem to be all over the place... and unfortunately in places required for essential function.

    I'm fortunate that the medium sized company goes along with this, because in any other organization we'd just use IE and that would be the end of it. Just managing the workarounds has actually been a lot of work, although in my mind it comes out to a wash in being a bit more proactive in preventing the vulnerabilities that flood IE.

  9. Re:bear. woods. pope. hat. by apodyopsis · · Score: 2, Interesting

    That does not sound practical. I mean obviously they will try it and sometimes it will work - but a company cannot just write away all liability for their goods in a contract, life does not work that way. And it rather depends on the local laws at point of use surely?

    I am pretty sure that some risks cannot be written off in a contract and you are always liable.

    But, IANAL and I am sure that most of the people who browse this will know more than I do - so what's the real angle here?

    Can MS simply add #17 to their EULA and expect all liability to vanish or are they being optimistic?

  10. Re:Those that haven't already changed... by archen · · Score: 2, Interesting

    No, after installing Windows (2000) I "remove" IE as an application. It doesn't show up anywhere, but you can still launch it through run > iexplore. For regular users that require this (usually people who have to manage things like our fuel accounts and such) I re-enable it. I leave Content Advisor on, and basically have to enable it to browse the site. Unfortunately Content Advisor is sort of brain dead and I've never gotten wild cards to work, so many sites redirect you all over the place, and pull images from sub domains etc. I also have to be logged in as Administrator for the changes to stick so it becomes this big circus just to browse a site.

    So they have the IE icon, but it doesn't function for anything but those sites. I considered trying to solve this with a proxy, but it seemed like it would be too much to try to juggle two browsers through while only allowing one to have unrestricted access.

  11. Only 0.02% ?? by l2718 · · Score: 2, Interesting

    Quoth the MS hack:

    Said John Curran, head of Microsoft UK's Windows group: "At present, this exploit only seems to affect 0.02% of internet sites"

    The internet is large. One out of every 5000 sites is a lot. Cut your losses and run while you can.

  12. Re:Those that haven't already changed... by Anonymous Coward · · Score: 3, Interesting

    In my organization, we use Macs. We don't have to, but we do, because everyone used to have their own operating system and their own trouble and having to use another computer for a while was a pain when you were a Linux fan-boy and the other person was using Windows or when someone simply didn't have any GUI apps because he's a console fan-boy, etc.

    We're writing software that should be accessible via SSH and web, so the solution was simple: everyone will use Macs (honestly, it took me ONE day to get used to mine and configure it the way I like it) and whoever deals with the web interface gets licenses for virtualisation software and Windows + Kubuntu. This way, everything will be tested on Safari, Firefox, Opera, IE, Konqueror and Chrome. Of course, everything is also easily tested to work in SSH, thanks to the wonders of the Mac's console. If one person has to temporarily use another person's computer, it won't be too much of a hassle because you've always got the Mac's Spotlight to find whatever applications you need and everyone is used to the same interface.

    You can and you should use Macs for development, if it's technically possible. This will ensure a uniform environment and, if you need to just test your applications under other operating systems, you can always use VMware or whatever. The low number of apps available for Macs ensures that everyone is using mostly the same software and there aren't huge differences like jumping from Vista to the My Own Tiny Linux console. [we developed our own tiny Linux version, because it's needed to run our software and some of the devs actually enjoyed using it for development]

  13. Re:Microsoft should just scrap IE by swillden · · Score: 3, Interesting

    So why recode just to make the computer geeks happy?

    Who cares about the computer geeks?

    Recode to make the Chief Security Officer happy.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  14. Non technical users are getting the message. by jotaeleemeese · · Score: 4, Interesting

    In BBC Radio 5 Live an MS representative was giving the suggested steps to protect Windows machines, the full 4 of them.

    The newsreader and presenter, Anita Anand, asked if it would not be easier just to switch to another browser.

    The MS guy replied with the platitudes to be expected; the important point is that mainstream non technical media are getting the idea.

    --
    IANAL but write like a drunk one.

  15. It can be done... sort of. by kwabbles · · Score: 2, Interesting

    I've been able to run Firefox to some extent in a corporate environment and keep it updated - I just create an MSI package whenever a new version of Firefox comes out (3.0.3, 3.0.4, etc) and then roll it out via group policy. Then I just let my users know they should use Firefox for all of their browsing, and use IE only for craptastic ActiveX/VB intranet apps.

    You're right though - they really need to make it easier. Keeping plugins, etc updated is impossible.

    --
    Just disrupt the deflector shield with a tachyon burst.

  16. Re:Red header by Blakey Rat · · Score: 4, Interesting

    I have nothing against "AJAX", I just have this thing against "ugly."

    Slashdot had a huge competition to design a new look only a couple of years ago, and it actually looked pretty good for a long time. Then, relatively recently, they've decided they wanted to add dynamic features, and the look has gone into the crapper. The only recourse is to keep Slashdot set to "Classic" appearance, which is less vomit-inducing, but the "version 2" appearance keeps leaking in.

    See, for example, these bugs:
    https://sourceforge.net/tracker2/?func=detail&aid=2144813&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=2159787&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=2348173&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=1939546&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=1939531&group_id=4421&atid=104421

    and probably a dozen others I've noticed but not bothered to submit. (BTW, if anybody at Slashdot tells you to submit your issue as a bug report to get it looked at, they're lying. They never look at bug reports.)

  17. Re:In other news ... by shutdown -p now · · Score: 2, Interesting

    I think you got that reversed. Catholic typically refers to Roman Catholic. All Catholics are Christians, not all Christians are Catholic.

    No, I have not. Every Christian church considers itself the (or a part of a) "One, holy, catholic, and apostolic Church" from the Nicene creed. Roman Catholics are simply the largest denomination, and the most dominant in areas in which the modern Western civilization arose, so they monopolized the word (at least in European languages). But you can ask any local Orthodox priest if his church is "catholic". Or you may just read the Wikipedia article.

    Note that I'm talking about this from personal experience. I'm not Christian, but I live in a country where Orthodox Christianity is the dominant religion, and the Russian Orthodox Church calls itself "sobornaya", which is a direct translation of the Greek word "katholikos" to Russian as used in the Russian translation of the Creed (sometimes, they also use a plain transliteration - "kafolicheskaya").

    That said, it is still true that unqualified "Catholic" in everyday use usually means "Roman Catholic". In Russian specifically, we have a handy distinction: "kafolic" always refers to Orthodox, and "katolic" always to Roman Catholic (we don't have a sound corresponding to "th" directly, hence the approximations).