Experts Say To Switch Browsers In Light of IE Vulnerability
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
Whoa what happened to Slashdot's main page...
This story's title header was red.. Is that like "woop woop warning warning" red? Or something else?
Water still wet.
Pope still Catholic.
...probably won't. Most uneducated users that read the article will probably be of the mindset "oh, it won't happen to me".
The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsers. I seldom format & install windows now, unlike before I took that measure.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
Just start over. The thing's a chunk of crap that doesn't render stuff properly and must be a nightmare to maintain.
Pick another rendering engine - WebKit or Gecko - and build a browser around it. Maybe provide IE classic for those poor schmucks who are at jobs with crappily coded intranet apps full of client side VBScript, but don't make it the default.
really what choice did they have? I can see a class action from *lots* of angry people whose computers have been hosed and bank accounts hoovered would cost far more than not acting. Not to mention the loss of faith.
Now all we need is a certain percentage of people who try the fox being either too taken with it or too lazy to change it back.
Poor MS, what with Vista they have been having a bad time of it recently.
Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.
Just a thought.
throw new NoSignatureException();
According to an earlier story I read on Slashdot Microsoft said it affects all versions of IE.
I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.
Now, if you don't mind, I'll go back to my nap.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
.. in fact I'm a diehard linux fanman (too old to be a fanboi!)
But even I'm getting sick of the hysterical anti MS reaction every single time some exploit appears for some or other program. Some people, particularly media commentators, need to get a sense of perspective and understand that no complex piece of software can really ever be bug free and these sorts of errors will creep in occasionally. Who here who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine? Probably all of us. So look around you to spot the glass before you start chucking any stones!
RTFA.
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Next week's news: "Microsoft experts" advise users to temporarily switch to a different OS, as they prepare to roll out Windows 7... ... jokes aside I haven't been THAT peeved with Vista. The interface is awkward, file transfers are dramatically slower than Ubuntu, and downloading a file over the internet invokes a 20 second freeze in Firefox. Other than that, it seems more stable than XP, and is responsive enough on my recently upgraded desktop.
It has been relegated to a game console status though, at least for me.
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
FTA:
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.
Waaaay back when I used I.E all anti-spyware apps used to find a ton of spyware.
And since then, they've also learned how to make anti-spyware apps that distinguish between real spyware and cookies that just track what websites you go to for advertising purposes.
There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space.
I don't use IE, but from the summary, doesn't it sound like simply disabling data binding would keep the hole from being exploited?
http://www.geoffreylandis.com
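The advisory quoted above describes an object being released from a data-binding array without the array length being updated. The following C program is an added illustration of that bug class and of the corresponding fix; it is not Microsoft's code and not the IE implementation, and all names (BoundObject, Binding, release_buggy, release_fixed, run_scenario) are hypothetical. To keep the demo free of undefined behaviour, "release" marks an object instead of calling free(), standing in for freed heap memory.

```c
/* Added illustration (not from the page or Microsoft): models the bug class
 * the advisory describes, an object released from an array without updating
 * the array length, so a later walk of the array reaches the "freed" object.
 * release() does not call free(); it flags the object, standing in for freed
 * heap memory, so the demo runs without undefined behaviour. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BOUND 8

typedef struct {
    char name[16];
    int released;          /* 1 = would be freed memory in the real bug */
} BoundObject;

typedef struct {
    BoundObject *items[MAX_BOUND];
    size_t length;         /* number of live entries the consumer trusts */
} Binding;

/* Hypothetical allocator for the demo. */
static BoundObject *object_new(const char *name) {
    BoundObject *o = calloc(1, sizeof *o);
    if (!o) abort();
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static void binding_add(Binding *b, BoundObject *o) {
    if (b->length < MAX_BOUND) b->items[b->length++] = o;
}

/* Buggy release: the object goes away, but length is not updated and the
 * slot still points at it. This is the defect pattern in the quoted advisory. */
static void release_buggy(Binding *b, size_t idx) {
    if (idx >= b->length) return;
    b->items[idx]->released = 1;    /* real code: free(b->items[idx]) */
}

/* Hardened release: compact the array and shrink length so no consumer can
 * reach the released object through the binding. */
static void release_fixed(Binding *b, size_t idx) {
    if (idx >= b->length) return;
    b->items[idx]->released = 1;
    memmove(&b->items[idx], &b->items[idx + 1],
            (b->length - idx - 1) * sizeof b->items[0]);
    b->length--;
    b->items[b->length] = NULL;
}

/* Consumer walk: returns how many entries within length were already
 * released, i.e. the number of dangling references it would dereference. */
static size_t count_dangling(const Binding *b) {
    size_t n = 0;
    for (size_t i = 0; i < b->length; i++)
        if (b->items[i]->released) n++;
    return n;
}

/* Builds a three-object binding (constructed sample data), releases the
 * middle one with the given release routine and reports the dangling count. */
static size_t run_scenario(void (*release)(Binding *, size_t)) {
    Binding b = { {0}, 0 };
    BoundObject *objs[3] = { object_new("a"), object_new("b"), object_new("c") };
    for (int i = 0; i < 3; i++) binding_add(&b, objs[i]);
    release(&b, 1);
    size_t dangling = count_dangling(&b);
    for (int i = 0; i < 3; i++) free(objs[i]);
    return dangling;
}

int main(void) {
    printf("buggy release: %zu dangling reference(s)\n", run_scenario(release_buggy));
    printf("fixed release: %zu dangling reference(s)\n", run_scenario(release_fixed));
    return 0;
}
```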
My laptop has an older IE; version 5 I believe..... will this flaw affect that too, or is it just a flaw in the current version of IE?
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
Especially since it happens nearly every day. Oh noes!!!! Everybody panic!!! Another exploit in Windows/Office/Explorer. WOE is us!!!
Perhaps if we phrased it like a sponsored ad: "Todays exploit brought to you by yet another buffer overflow error!" "This morning's gaping security hole sponsored by Stormworm. Stormworm: The worm of choice for the discerning mailbot."
Help stamp out iliturcy.
And since then, they've also learned how to make anti-spyware apps that distinguish between real spyware and cookies that just track what websites you go to for advertising purposes.
Aaaah I didn't realise I was jumping forward in time before running anti-spyware after browsing with FF :)
This is especially strange news in light of an article from zdnet, http://blogs.zdnet.com/security/?p=2304, saying that firefox is the top bad example from a list of 12 programs with the worst security record. More interestingly, they don't even mention Internet Explorer as having bad security problems, despite news like this. Does Microsoft just pay journalists to write things like this on the day before they know they have bad news to release in hopes that people won't notice their security problems?
Don't just switch browsers, switch Desktop Distros. In fact, for any kind of online financial activity use a bootable CD. Before you say it, you won't have to pay rent on these Live CDs
davecb5620@gmail.com
This post reads, "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched."
TFA reads, "Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it." Also, "Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed."
Microsoft gets enough bashing in here that front page posts don't need to lie to give them more negative press. This is growing more into Digg every day... can has some moderation on posts pls?
I don't use IE, unless when I have to. At home it's Safari or Firefox (less since I have been getting the _JS_FloorLog2 issue, which nobody wants to fix), on my Mac and then at the office, with Windows XP, it is generally Firefox and SR Iron. Since I do work in web development I do have to check stuff with IE7 (we have just been given the green light to drop IE6 :) ), since like it or not the market share is still too large.
Jumpstart the tartan drive.
"Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed"
davecb5620@gmail.com
"Botnets, spammer's botnets!
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets.
All running Windows, FOO!"
I'm running Mac OS X 10.5.6, here.
Why, yes. Yes, I AM a smug bastard. Why do you ask?
Why, yes. I AM a smug bastard!
Thanks for asking.
Guaranteed! This comment 100% Anthrax free!
"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."
Then
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
So NO, it's not Microsoft who recommends switching browsers, they even say
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
I wanted to clarify it since the story wasn't that clear...
(only really works for Vista, and I -think- is the default in 64 bit...isn't in 32 bit for compatibility reasons, but works fine on my side...)
Step 1: Make sure IE is running in protected mode
Step 2: In Internet Options, in Advanced, in Security, make sure "Enable Memory protection..." is enabled (need to run IE as admin to toggle that)
There, exploit doesn't work anymore. It crashes IE, yes, but it can't do much anymore. That's not so bad, knowing that even a buffer overflow that should be able to totally own your system can, at best, crash your browser...
The only issue here is that in 32 bit Vista, memory protection is done in software and can cause issues, so it's not the default... If it was, this would be an annoyance at best.
The internet is large. One out of every 5000 sites is a lot. Cut your losses and run while you can.
"I cannot recommend people switch due to this one flaw,"
How about the thousand and one other "flaws" that have been in IE? Which "Flaw" will break the camel's back?
Perhaps that is MS' problem right there, they are looking at each flaw individually, and not the aggregate nor the systemic problems.
Where's the good journalism followup question ... "is there any flaw that would cause you to recommend switching? "
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Well phishing doesn't depend on client side vulnerability anyway--it's a social hack.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group. If we finish the sentence, it's:
"I cannot recommend people switch due to this one flaw, because I'd lose my job," said John Curran, head of Microsoft UK's Windows group.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
Microsoft is not telling people to use alternate browsers as this /. article states. They just recommend people be "vigilant" when browsing with IE.
As much as I'd like to push out firefox for my users, I have many users in a domain environment with mapped applications directory; firefox is simply unmanageable in this environment.
Of all the improvements they are making in firefox, they are ignoring a potentially very large audience by not including some way to manage the browser in a corporate environment.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
Will this patch be provided in a manner that does not require one to run the vulnerable browser to download and install it?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
"I cannot recommend people switch due to this one flaw,"
so he's recommending ppl switch due to numerous bugs then? :o)
there are thousands of windows applications that don't work on Linux - thankfully
Vista came out around Jan. 2007. Windows 7 will be here sometime 2009. I don't think MS can get away with pushing a new OS every 2 years.
Besides, isn't Windows 2K supported till 2010? People who spent good money on MS software want their patches, pronto.
If you're migrating to Vista, might as well go over to OSX or even linux. A lot of inhouse apps are not compatible with anything above XP. Which means splash money to fix all your inhouse apps. and then splash more money to upgrade to Vista. Oh, and then splash more money to upgrade hardware too.
That's why people hate Vista.
Well, anyone with public relations skills (I know, I know, this IS Slashdot) will recognize that they are actually saying "Switch to an alternative browser to save yourselves!!! But I can't really say that in clear language, since it will not sound good to the PHB".
In BBC Radio 5 Live an MS representative was giving the suggested steps to protect Windows machines, the full 4 of them.
The newsreader and presenter, Anita Anand asked if it would not be easier just to switch to another browser.
The MS guy replied with the platitudes to be expected, the important point is that mainstream non technical media are getting the idea.
IANAL but write like a drunk one.
Windows 7 was scheduled for 2010, and now they say 2009, so it's safe to say it will be near the end of 2009, which is almost 3 years, and basically in line with how MS did things until the XP fluke (which pissed off a lot of people, especially since Software Insurance licensing is only really cost effective if there's a new version every 2-3 years). It was also out in 2006, just not in retail boxes. XP is an obsolete OS that needs to be replaced. I mean come on: When XP came out, I was going around rooting up to date Linux servers using script kiddie hacks. That's how old XP is.
Inhouse apps also have to constantly be fixed and updated... so updating it slightly so it works in Vista, or updating it when daylight saving time dates change (because it hardcoded it for whatever reason), same deal...if you have inhouse apps, you're already doing this on a daily basis anyway =P
In order to pretend they were not acting anti competitively (yeah, right) they made explorer pretty much the core of your desktop experience.
This, as any Linux/UNIX (even OSX) user knows, is not necessary at all.
By growing a little Frankenstein driven by marketing and legalese rather than need and technical merit, they are left with an unworkable pile of binary mess that will be almost impossible to untangle.
Their bad actions are coming back to haunt them...
IANAL but write like a drunk one.
Websites nowadays rely on Java, Flash, and Javascript to present their content. Unfortunately, it is all too easy to get malicious code onto a user's computer using these scripts. In addition, most websites present cross-scripts from other sites (usually in the form of "ads") which they neither monitor nor control. Therefore, a user that visits even a "trusted" site is exposed to potentially malicious scripts. There is only one solution in existence for this problem: the free plugin for Firefox called NoScript. NoScript filters all scripts by default and displays a list of the scripts on the website. The user then chooses which scripts to run. This is the only safe way to visit a website. Allowing scripts indiscriminately is highly dangerous. No browser has a method for selectively filtering scripts by default (not even Firefox). Only NoScript provides this protection (and it is free). I never surf without NoScript.
Out of billions of computers, 6000 sounds infinitesimally tiny. It's a fraction of a fraction of a percent at best... I understand prevention is important, but I mean, can we blow this up anymore? Yeeesh...
Fact: Everything I say is fiction.
And then read the fallout where the readers debunk what the article says, including posts to problems with IE that for some reason were completely ignored when doing the compilation.
I will just point out that Firefox is #1 because they *patched* the most vulnerabilities.
Only in Bizarro Planet this would define the most unsafe application.
IANAL but write like a drunk one.
Those Linux hippies and their complicated nonsense.
So once again, Protected mode? Where is that in the Control Panel? Why is the memory not protected by default? I am Joe the Plumber, why should I care!
32 bits Vista!? Is that cheaper or more expensive than 31 bits Vista? And 33?
Argh ....
IANAL but write like a drunk one.
Poor MS, what with Vista they have been having a bad time of it recently.
I don't know that that is completely true. IIRC Microsoft have always had a pretty bad time of it.
The difference now is that there are real alternatives.
Take Linux, for example, I've been using it for about 10 years now, but it really is only recently that I can show off - most hardware works and there aren't really any applications that are beyond the OS (other than games).
Apple is also far more acceptable as an alternative - I would imagine because of iPod, iPhones and iTunes etc.
(And as we all know XP is also a real alternative to Vista).
Same with Firefox, because "broken" websites that could only work with IE5.5 were all the rage, Firefox failed (even though it was the better product). But more and more websites are aware of its 20%-40% market share and the IE specific websites are less prevalent. And Firefox is really shining.
Genesis 1:32 And God typed
In the internet the world "only" has very little meaning.
IANAL but write like a drunk one.
From the article: "What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. What does he think the people stealing the game passwords are? They're CRIMINALS. Stealing passwords to snag items from games, sell them in game, then sell the gold for PROFIT. The second market gold selling business has a LARGE amount of money flowing through it with a big profit margin.
Never been Catholic.
It doesn't mean much now, it's built for the future.
Vista came out around Jan. 2007. Windows 7 will be here sometime 2009. I don't think MS can get away with pushing a new OS every 2 years.
Besides, isn't Windows 2K supported till 2010? People who spent good money on MS software want their patches, pronto.
I don't disagree with you here.
My point was that a lot of people keep telling their friends to 'downgrade' to XP or buy XP for their new computers. This is what is INSANE.
Just yesterday, I had a friend bring a spyware filled laptop with XP. It was released earlier this year and was designed for Vista, but her 'expert friends' insisted she put XP on it and she even went as far as to buy a retail copy of XP Professional.
If you have a choice, CHOOSE Vista, if you are buying an OS, buy Vista unless your computer was made before the year 2000. PERIOD.
I don't expect users to fork out money every couple of years, but if you're getting a new computer and still are picking XP, or getting it and reformatting Vista and installing XP, it is INSANE.
The whole upgrade cost cycle is one reason I actually don't mind Windows, as the cost is factored into your computer based on the OEM price, and an XP computer from 2002 has had free updates and SPs and even new application accessories released for it every year without ANY additional cost.
Contrast this to OS X when the 'new' versions are less than a Windows SP and have cost about $500 for users in the same time period as XP owners that get the same level of updates and application software updates for free.
As for Vista and Windows 7, if you look at the timeframe it is much like Win2k and XP. The first was the architectural jump, the second expanded on the features the previous one made possible. So the release timeframes for each will be close.
--
However, don't give up on Vista, just like XP, MS continues to bring newer technology to the previous versions.
Even with XP and Vista, MS released as much new features from Vista for XP as they could based on the XP architecture. (Desktop Search, Defender, WMP, IE, WPF/.NET3.5, etc) - So many in fact, it has made it less appealing for users to spend $$ to upgrade, even at MS's own financial detriment.
And they have specifically said that some of the new features of Windows 7 WILL be provided to Vista users, even DirectX11, since its architecture can handle it, unlike the break from XP to Vista where the Video driver model couldn't handle DirectX10.
Roughly the same could be said of XP if the user is actually a user rather than running everything as an administrator.
Actually, no...
Even as a 'user' on XP, the processes you launch get your security level. So IE7 on XP running as a 'user' would still be able to screw with your profile, documents, files, settings, just not the system files.
On Vista, no matter what your security level, whether you are an administrator or a user, IE runs at a lower and 'special' security level.
It is actually a smart idea, as when an exploit like the one we are talking about today is used, the browser by default protects the user from it, as the vulnerability can't get outside the IE protected mode security box.
I wish Firefox and other browsers would consider this type of approach as well, there is no reason that they could not set their own security policies and then run Firefox in a lower restricted security mode as well.
Anyway, the difference is IE on Vista keeps it from being able to screw with even user items that IE has no business touching, so FS and registry security step in to back IE off and prevent it from doing something outside its protected mode 'box', and exploits spun from the IE process inherit the same restrictions by proxy.
I've been able to run Firefox to some extent in a corporate environment and keep it updated - I just create an MSI package whenever a new version of Firefox comes out (3.0.3, 3.0.4, etc) and then roll it out via group policy. Then I just let my users know they should use Firefox for all of their browsing, and use IE only for craptastic activex/VB intranet apps.
You're right though - they really need to make it easier. Keeping plugins, etc updated is impossible.
Just disrupt the deflector shield with a tachyon burst.
That bothers me so much. Last place I worked for, people came to see our main sysadmin for advice on stuff like this. The guy has been a sysadmin for longer than many people on Slashdot have been alive, and he manages dozens of thousands of Windows PCs, so people assume he knows his stuff. He kept telling people, not just to "upgrade to XP from Vista", but that anyone using Vista was a flipping moron. Obviously all these people did much like the story you tell, go out and buy XP Pro, reformat the machine, etc.
Turns out the guy never tried Vista. Never installed it, never looked into it. He has never even seen what a UAC popup looks like. He kept bragging about the superiority of MacOSX, yet when that happened, he had never TOUCHED MacOSX before (regardless of how great or not OSX is, you can't really recommend something you've never TRIED). But hey, he's a senior sysadmin and network architect, why shouldn't people listen to him!
Awkward...
"Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched."
Then
According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
So, which is it?
It's bullshit editing like this that keeps slashdot and other sites like it from being taken seriously by anyone other than the fervent geeks that perpetuate it. Seriously.
When a title and a summary both contain conflicting statements, the article shouldn't even run.
--Toll_Free
The article linked in the text Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while quotes a Trend Micro spokesman advising users to switch and a Microsoft spokesman explicitly saying he can't advise users to switch over one flaw. This contradicts the summary text.
Security experts first recommended "WHAT THE HELL ARE YOU DOING? STOP USING THE IE TOXIC WASTE FIREHOSE!" in 2004. So far 20% of people appear to have gotten the message. Perhaps it's a Darwinian process at this stage.
http://rocknerd.co.uk
This expert says to switch away from Microsoft if any alternative exists in any application.
It's impressive that no one has commented on the programming languages...
Seriously, for how long would we have to put up with these inferior languages? their design flaws have cost so far billions of dollars!!!
The bug only affects users who "Browse webpages with IE", which MS warns you not to do in the user manual!
so it's not actually Microsoft that's suggesting that people switch browsers
Au contraire. "I cannot recommend people switch due to this one flaw". Translation: We've given you countless reasons to switch already. Here's one more.
IE users (and Windows users in general) remind me of the plight of the abused spouse, caught in the endless cycle of abuse. This is phase 2. A fix has been promised for tomorrow. That's phase 3. How many times is the average victim victimized before they leave? Way too many.
db
I am literally 3000 tokens away from the chaotic crossbow --Stephen
A few days ago ZoneAlarm reported the iexplore.exe was changed, and I don't recall downloading any updates. Hope this wasn't it. Avast should pick up an infection, right?
The computer industry seems compelled to repeat the same mistakes, think
Ken Olsen (CEO DEC) Unix is snakeoil
Always the same!
You need a little zest to your Internet experience. A little edge. That's what IE gives you... it brings back that intrepid day you first browsed the 'net when you clicked with trembling finger, alert to the fact that this was so new, anything could happen.
Pfft on Firefox and noscript. You're not hanging it all out there surfing with the big boys and earning your mad dog network security wizard chops until you're surfing with IE without even a firewall!
Help stamp out iliturcy.
Sorry, it WAS a typo, but I liked how it turned out, and thought I'd run it.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
Firefox freezes like this if it is trying to load the details of too many previously downloaded files to display in the "downloads" list window. Clear that window (Ctrl-J or Cmd-J to get the window, hit "clear list") and the problem usually goes. OTOH it could be something else.
-- open source? sounds like the real book --
So the ratio seems to depend on the sorts of people that a site attracts. On SlashDot, FF is going to be ahead of IE -- when I got SlashDotted some months back, the ratio shot over in favour of FF. For some "computery" sites, FF users may also be regarded as potentially "higher value" visitors than IE users.
I guess that there may still be some in-house corporate sites that require IE, but since some of those sites don't work under Vista, and the future of XP is uncertain, "IE-only" isn't such a safe option any more. What if your corporation wants to equip a few people with netbooks? You can still buy netbooks with XP preinstalled, but if you'd believed MS a few months back, netbooks would be Linux-only by now.
Eric Baird
However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.
I recently had to use a site where IE6 was recommended, and it turned out to use an old "interactive presentation" Adobe app that broke if you had IE7 installed on the system. Even if you used a different browser to access the site, you still had to uninstall IE7, because the associated Adobe software would look for the IE code and try to use it (I think it used HTML container code for its dialog boxes) and that code must have changed under IE7 (probably when IE7 added tabs).
It took a whole afternoon to work out the list of things I had to do to my system (installing, downloading, updating, de-updating) to get that sodding thing to work. Funny thing was, a few weeks later I absent-mindedly tried accessing the same site from someone's Linux Eee PC, and it ran straight away, without having to install or tinker with a thing. Go figure.
Eric Baird
+1, insightful
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
If I had any mod points, I'd moderate you -1 Redundant for saying that the article summary is incorrect and states things that are unsupported by the linked articles. There's a comment like this on almost every discussion thread and if that doesn't fit the definition of redundant, then I don't know what is.
If I had mod points, I'd give you +1 Funny for that one. By your definition, 99% of the comments on /. are -1 Redundant -- including this one that I'm writing.
My God, I must be caught in a Monty Python sketch!
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell