Slashdot Mirror


Experts Say To Switch Browsers In Light of IE Vulnerability

It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
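
The bug class Microsoft's statement describes (an object released without the array length being updated), shown as an added illustration that is not Internet Explorer's code or anything from the article. It is a constructed C model with hypothetical names (`BindingArray`, `release_flawed`, `release_fixed`) that puts the stale-slot pattern beside the corrected one, plus an invariant check that catches it. Objects live in a static pool so the check never reads freed memory.

```c
#include <stdio.h>
#include <string.h>
#define MAX_BINDINGS 8

/* Constructed model: "alive" stands in for heap ownership, so a released
   object can be inspected safely (real freed memory must never be read). */
typedef struct { int alive; } BoundObject;
typedef struct {
    BoundObject *items[MAX_BINDINGS];
    size_t length;                 /* slots that callers will iterate over */
} BindingArray;
static BoundObject pool[MAX_BINDINGS];

static void bindings_init(BindingArray *a, size_t n) {
    memset(pool, 0, sizeof pool);
    memset(a, 0, sizeof *a);
    for (size_t i = 0; i < n && i < MAX_BINDINGS; i++) {
        pool[i].alive = 1;
        a->items[a->length++] = &pool[i];
    }
}

/* Flawed pattern: the object is released, the slot and length are not updated. */
static void release_flawed(BindingArray *a, size_t idx) {
    if (idx < a->length) a->items[idx]->alive = 0;   /* stands in for free() */
}

/* Corrected pattern: release, close the gap and shrink length in one step. */
static void release_fixed(BindingArray *a, size_t idx) {
    if (idx >= a->length) return;
    a->items[idx]->alive = 0;
    memmove(&a->items[idx], &a->items[idx + 1],
            (a->length - idx - 1) * sizeof a->items[0]);
    a->items[--a->length] = NULL;
}

/* Invariant: every slot below length must reference a live object. */
static size_t count_dangling(const BindingArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->alive) n++;
    return n;
}

/* Release the middle of three bindings and report the dangling slots. */
static size_t demo(int use_fixed) {
    BindingArray a;
    bindings_init(&a, 3);
    if (use_fixed) release_fixed(&a, 1); else release_flawed(&a, 1);
    return count_dangling(&a);
}

int main(void) {
    printf("flawed: %zu dangling, fixed: %zu dangling\n", demo(0), demo(1));
    return 0;
}
```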

5 of 455 comments

  1. Re:Those that haven't already changed... by Andr+T. · · Score: 4, Interesting

    I think that most people that read news about IT don't use IE already.

    --

    Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.

  2. Is any browser safe? by Toreo asesino · · Score: 5, Interesting

    Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
    To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.

    So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

    And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.

    Just a thought.

    --
    throw new NoSignatureException();
  3. Re:Those that haven't already changed... by fuzzyfuzzyfungus · · Score: 5, Interesting

    Speaking as an institutional IT underling, a Mozilla created MSI for Firefox would be really, really handy. As would a mechanism for installing extensions and updates in a more manageable way. Here, at any rate, there is no real opposition to FF per se; but deployment has, thus far, mostly foundered. "Well, IE updates can be deployed within the system with WSUS, FF updates will happen per machine and be blocked by the firewall, and there is no way in hell we'll be able to keep all the machines updated manually." Which is largely true.

    Now, this mostly comes down to the fact that Windows doesn't have anything nearly as nice as real package management (WSUS for MS apps and drivers only is the closest they really come), so apps end up rolling their own with varying degrees of success, which sucks. If we were running *nix this wouldn't be an issue. Unfortunately, that isn't really my option. If FF had a decently manageable MSI option, I'd probably install it on all user machines tomorrow; but until then I'll have to stick with using it on a more limited scale. (You think I would use IE for anything beyond the broken intranet stuff?)

  4. Non technical users are getting the message. by jotaeleemeese · · Score: 4, Interesting

    In BBC Radio 5 Live an MS representative was giving the suggested steps to protect Windows machines, the full 4 of them.

    The newsreader and presenter, Anita Anand asked if it would not be easier just to switch to another browser.

    The MS guy replied with the platitudes to be expected, the important point is that mainstream non technical media are getting the idea.

    --
    IANAL but write like a drunk one.
  5. Re:Red header by Blakey Rat · · Score: 4, Interesting

    I have nothing against "AJAX", I just have this thing against "ugly."

    Slashdot had a huge competition to design a new look only a couple of years ago, and it actually looked pretty good for a long time. Then, relatively recently, they've decided they wanted to add dynamic features, and the look has gone into the crapper. The only recourse is to keep Slashdot set to "Classic" appearance, which is less vomit-inducing, but the "version 2" appearance keeps leaking in.

    See, for example, these bugs:
    https://sourceforge.net/tracker2/?func=detail&aid=2144813&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=2159787&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=2348173&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=1939546&group_id=4421&atid=104421
    https://sourceforge.net/tracker2/?func=detail&aid=1939531&group_id=4421&atid=104421

    and probably a dozen others I've noticed but not bothered to submit. (BTW, if anybody at Slashdot tells you to submit your issue as a bug report to get it looked at, they're lying. They never look at bug reports.)