Slashdot Mirror
Experts Say To Switch Browsers In Light of IE Vulnerability
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
I think that most people that read news about IT don't use IE already.
Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.
Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.
Just a thought.
throw new NoSignatureException();
Next week's news: "Microsoft experts" advise users to switch to temporarily switch to a different OS, as they prepare to roll out Windows 7... ... jokes aside I haven't been THAT peeved with Vista. The interface is awkward, file transfers are dramatically slower than Ubuntu, and downloading a file over the internet invokes a 20 second freeze in Firefox. Other than that, it seems more stable than XP, and is responsive enough on my recently upgraded desktop.
It has been relegated to a game console status though, at least for me.
Speaking as an institutional IT underling, a Mozilla created MSI for Firefox would be really, really handy. As would a mechanism for installing extensions and updates in a more manageable way. Here, at any rate, there is no real opposition to FF per se; but deployment has, thus far, mostly foundered. "Well, IE updates can be deployed within the system with WSUS, FF updates will happen per machine and be blocked by the firewall, and there is no way in hell we'll be able to keep all the machines updated manually." Which is largely true.
Now, this mostly comes down to the fact that Windows doesn't have anything nearly as nice as real package management(WSUS for MS apps and drivers only is the closest they really come), so apps end up rolling their own with varying degrees of success, which sucks. If we were running *nix this wouldn't be an issue. Unfortunately, that isn't really my option. If FF had a decently manageable MSI option, I'd probably install it on all user machines tomorrow; but until then I'll have to stick with using it on a more limited scale(You think I would use IE for anything beyond the broken intranet stuff?)
Really it's not that simple. I was a supporter of firefox in my organization, and to my surprise I pretty much won. We use Firefox for nearly everything. Nearly. I have content adviser turned on for each of the machines which for the most part cripples IE and makes it nearly impossible to actually browse the web. IE is still very necessary for many sites which are required for our operation. Not internal "we developed in house badly designed pages", but actual corporate sites to manage various accounts on the Internet. That's surprising in 2008 that companies could have their head stuck in the sand that badly, but they seem to be all over the place... and unfortunately in places required for essential function.
I'm fortunate that the medium sized company goes along with this, because in any other organization we'd just use IE and that would be the end of it. Just managing the work arounds has actually been a lot of work, although in my mind it comes out to a wash in being a bit more proactive in preventing the vulnerabilities that flood IE.
In my organization, we use Macs. We don't have to, but we do, because everyone used to have their own operating system and their own trouble and having to use another computer for a while was a pain when you were a linux fan-boy and the other person was using windows or when someone simply didn't have any gui apps because he's a console fan-boy, etc.
We're writing software that should be accessible via ssh and web, so the solution was simple: everyone will use Macs (honestly, it took me ONE day to get used to mine and configure it the way I like it) and whoever deals with the web interface gets licenses for virtualisation software and windows + kubuntu. This way, everything will be tested on Safarai, Firefox, Opera, IE, Konqueror and Chrome. Of course, everything is also easily tested to work in SSH, thanks to the wonders of mac's console. If one person has to temporarily use another person's computer, it won't be too much of a hassle because you've always got mac's spotlight to find whatever applications you need and everyone is used to the same interface.
You can and you should use Macs for development, if it's technically possible. This will ensure a uniform environment and, if you need to just test your applications under other operating systems, you can always use VMware or whatever. The low number of apps available for macs ensure that everyone is using mostly the same software and there aren't huge differences like jumping from Vista to the My Own Tiny Linux console. [we developed our own tiny linux version, because it's needed to run our software and some of the devs actually enjoyed using it for development]
So why recode just to make the computer geeks happy?
Who cares about the computer geeks?
Recode to make the Chief Security Officer happy.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
In BBC Radio 5 Live an MS representative was giving the suggested steps to protect Windows machines, the full 4 of them.
The newsreader and presenter, Anita Anand asked if it would not be easier just to switch to another browser.
The MS guy replied with the platitudes to be expected, the important point is that mainstream non technical media are getting the idea.
IANAL but write like a drunk one.
I have nothing against "AJAX", I just have this thing against "ugly."
Slashdot had a huge competition to design a new look only a couple of years ago, and it actually looked pretty good for a long time. Then, relatively recently, they've decided they wanted to add dynamic features, and the look has gone into the crapper. The only recourse is to keep Slashdot set to "Classic" appearance, which is less vomit-inducing, but the "version 2" appearance keeps leaking in.
See, for example, these bugs:
https://sourceforge.net/tracker2/?func=detail&aid=2144813&group_id=4421&atid=104421
https://sourceforge.net/tracker2/?func=detail&aid=2159787&group_id=4421&atid=104421
https://sourceforge.net/tracker2/?func=detail&aid=2348173&group_id=4421&atid=104421
https://sourceforge.net/tracker2/?func=detail&aid=1939546&group_id=4421&atid=104421
https://sourceforge.net/tracker2/?func=detail&aid=1939531&group_id=4421&atid=104421
and probably a dozen others I've noticed but not bothered to submit. (BTW, if anybody at Slashdot tells you to submit your issue as a bug report to get it looked at, they're lying. They never look at bug reports.)
Comment of the year