Slashdot Mirror


Experts Say To Switch Browsers In Light of IE Vulnerability

It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

Update: 12/16 21:11 GMT by KD: Microsoft will issue an emergency critical update for IE tomorrow.
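The advisory text quoted above describes a bug class rather than a specific code path: an object is released, but the structure that still references it keeps its old length, so a later walk reaches the dead object. The following C program is an added, constructed illustration of that pattern and of the corrected release step. It is not Internet Explorer's data-binding code and not Microsoft's; the "binding table", the slot pool and the liveness flag are assumptions chosen so that a stale reference is detected deterministically instead of dereferencing freed memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not IE's code): a toy "binding table" of object
 * references, mirroring the advisory's pattern of an object being
 * released without the table's length being updated. Objects live in a
 * fixed slot pool with a liveness flag so a stale reference is detected
 * instead of causing undefined behaviour. */

#define POOL_SLOTS 8
#define TABLE_CAP  8

typedef struct {
    int live;    /* 1 while allocated, 0 after release */
    int value;   /* stands in for the real object's fields */
} Object;

static Object pool[POOL_SLOTS];

/* Allocate an object from the pool; NULL when exhausted. */
static Object *obj_alloc(int value) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].value = value;
            return &pool[i];
        }
    }
    return NULL;
}

/* Release an object back to the pool (the analogue of freeing it). */
static void obj_release(Object *o) {
    o->live = 0;
    o->value = 0;
}

typedef struct {
    Object *items[TABLE_CAP];
    size_t  length;   /* number of entries the table believes it holds */
} BindingTable;

static void table_reset(BindingTable *t) {
    memset(t, 0, sizeof *t);
    memset(pool, 0, sizeof pool);
}

static int table_add(BindingTable *t, Object *o) {
    if (t->length >= TABLE_CAP || o == NULL) return -1;
    t->items[t->length++] = o;
    return 0;
}

/* Defective release: frees the object but leaves the entry and the
 * length untouched, so the table still "sees" a released object. */
static void table_release_unsafe(BindingTable *t, size_t idx) {
    if (idx >= t->length) return;
    obj_release(t->items[idx]);
}

/* Corrected release: frees the object, compacts the table and updates
 * the length in the same step, so no stale entry survives. */
static void table_release_safe(BindingTable *t, size_t idx) {
    if (idx >= t->length) return;
    obj_release(t->items[idx]);
    memmove(&t->items[idx], &t->items[idx + 1],
            (t->length - idx - 1) * sizeof t->items[0]);
    t->length--;
    t->items[t->length] = NULL;
}

/* Walk the table summing values; counts entries that point at released
 * objects (what a real consumer would dereference blindly). */
static int table_sum(const BindingTable *t, int *dangling) {
    int sum = 0;
    *dangling = 0;
    for (size_t i = 0; i < t->length; i++) {
        const Object *o = t->items[i];
        if (o == NULL || !o->live) { (*dangling)++; continue; }
        sum += o->value;
    }
    return sum;
}

/* Builds a 3-entry table, releases the middle entry with the chosen
 * strategy and returns how many stale entries the walk encountered;
 * *length_out and *sum_out receive the table's length and value sum. */
int demo_release(int use_safe, size_t *length_out, int *sum_out) {
    BindingTable t;
    int dangling;
    table_reset(&t);
    table_add(&t, obj_alloc(10));
    table_add(&t, obj_alloc(20));
    table_add(&t, obj_alloc(30));
    if (use_safe) table_release_safe(&t, 1);
    else          table_release_unsafe(&t, 1);
    *sum_out = table_sum(&t, &dangling);
    *length_out = t.length;
    return dangling;
}

int main(void) {
    size_t len; int sum, d;
    d = demo_release(0, &len, &sum);
    printf("unsafe: length=%zu dangling=%d sum=%d\n", len, d, sum);
    d = demo_release(1, &len, &sum);
    printf("safe:   length=%zu dangling=%d sum=%d\n", len, d, sum);
    return 0;
}
```

The unsafe path leaves the table reporting three entries while one of them now refers to a released object; the safe path reports two entries and the walk meets no stale reference. In a real allocator the slot would be reused rather than flagged, which is exactly why the advisory describes the stale entry as exploitable and why release and length update have to happen together.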

22 of 455 comments

  1. In other news ... by elronxenu · Score: 5, Funny

    Water still wet.

    Pope still Catholic.

    1. Re:In other news ... by Anonymous Coward · Score: 5, Funny

      and chairs still fly

    2. Re:In other news ... by Pollardito · Score: 5, Informative

      That's all news that is true; this article is not actually true:

      Said [Trend Micro's] Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

      But Microsoft counselled against taking such action.

      "I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

      He added: "We're trying to get this resolved as soon as possible."

      So it's not actually Microsoft that's suggesting that people switch browsers; Microsoft has only "urged people to be vigilant while it investigated and prepared an emergency patch to resolve it."

    3. Re:In other news ... by funehmon · Score: 5, Insightful

      I think shoes flying is more accurate.

  2. Those that haven't already changed... by celardore · Score: 5, Insightful

    ...probably won't. Most uneducated users that read the article will probably be of the mindset "oh, it won't happen to me".

    1. Re:Those that haven't already changed... by joelholdsworth · Score: 5, Insightful

      I was listening to BBC Radio 1, and they had a news item about it this morning. But I think GP is right - I can't imagine it will make many users switch. However, as more and more people within the technical community become jaded with the consistent poor quality in Microsoft's offerings, MS will inevitably lose mind-share, and hence their stranglehold on the industry will loosen.

      It's this sort of thing that made me switch over to Linux a year ago. I haven't looked back.

    2. Re:Those that haven't already changed... by Anonymous Coward · Score: 5, Funny

      Yeah, but the ones they support frequently think it's a good idea to click on the 'Hit the target to get a free iPod' ad.

      I won one of these a few days ago. Just to let you know, they don't actually give you an iPod directly. Instead, they ask for your bank account information and deposit $250 (they say it's for tax purposes). I should be getting my money any day now!

    3. Re:Those that haven't already changed... by fuzzyfuzzyfungus · Score: 5, Interesting

      Speaking as an institutional IT underling, a Mozilla-created MSI for Firefox would be really, really handy. As would a mechanism for installing extensions and updates in a more manageable way. Here, at any rate, there is no real opposition to FF per se; but deployment has, thus far, mostly foundered. "Well, IE updates can be deployed within the system with WSUS, FF updates will happen per machine and be blocked by the firewall, and there is no way in hell we'll be able to keep all the machines updated manually." Which is largely true.

      Now, this mostly comes down to the fact that Windows doesn't have anything nearly as nice as real package management (WSUS for MS apps and drivers only is the closest they really come), so apps end up rolling their own with varying degrees of success, which sucks. If we were running *nix this wouldn't be an issue. Unfortunately, that isn't really my option. If FF had a decently manageable MSI option, I'd probably install it on all user machines tomorrow; but until then I'll have to stick with using it on a more limited scale. (You think I would use IE for anything beyond the broken intranet stuff?)

    4. Re:Those that haven't already changed... by notaspunkymonkey · Score: 5, Funny

      My wife has just come over to me (she listens to Radio 1) and told me that I need to install another browser on all our machines. I guess she has never noticed that we are an Ubuntu household!! At least the message is getting across to normal non-techie users at the moment that IE is bad.

    5. Re:Those that haven't already changed... by minerat · Score: 5, Insightful

      Yes, but it's often many days out of sync with the official releases. In more bureaucratic organizations you're not going to get some random 3rd party build of an application that handles as much sensitive data as a web browser approved. Mozilla needs to realize that wider corporate adoption requires easy manageability. MSI + Group Policy Template FROM MOZILLA would be huge.

      --
      ...and you've eaten your pen. simply stunning.

  3. Vulnerability by conureman · Score: 5, Insightful

    The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae. I seldom format & install windows now, unlike before I took that measure.

    --
    The cost of that cleanup, of course, will be borne by taxpayers, not industry.

    1. Re:Vulnerability by cerberusss · Score: 5, Funny

      This is to prevent unfit users from not using one of the other browsae.

      for everyone's sake, I hope that's a fucking typo.

      No it's not a typo, there are many wordae like that.

      --
      8 of 13 people found this answer helpful. Did you?

  4. Re:Red header by jadrian · Score: 5, Insightful

    I used to spend all day on Slashdot and now I only check it occasionally.

    I guess some good came out of it after all.

  5. Is any browser safe? by Toreo+asesino · Score: 5, Interesting

    Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
    To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.

    So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

    And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.

    Just a thought.

    --
    throw new NoSignatureException();

    1. Re:Is any browser safe? by Raenex · Score: 5, Insightful

      So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

      Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.

    2. Re:Is any browser safe? by chrisgeleven · Score: 5, Insightful

      Firefox to me is more secure in a way because it usually has security patches released within 48 hours or so after a 0-day exploit, sometimes even within 24 hours. Microsoft on the other hand has been known to leave 0-day exploits unpatched for months.

      Also, Microsoft patches have to wait for their nightly automatic install or when a user shuts down their PC. I believe Firefox checks every time it is launched for updates and installs them. The odds are, you are going to get patched quicker using Firefox than IE.

    3. Re:Is any browser safe? by Anonymous Coward · Score: 5, Informative

      Neither is Internet Explorer. There is nothing about IE that has anything to do with the kernel. Your confusion lies in the fact that you confuse "operating system" specifically with "kernel", which is not completely correct. Absolutely no part or component of Internet Explorer resides in privileged memory.

      Internet Explorer, however, is a part of the operating system in that a number of the libraries used in Internet Explorer the browser are modular and can be used by other applications, both first party and third party. Various components of the Explorer shell, such as Active Desktop, are accomplished through hosting the HTML renderer of Internet Explorer. Many applications also rely on those libraries for a variety of functions, from rendering HTML to performing simple FTP commands. They could use other means to accomplish the same tasks, but the Internet Explorer API makes it exceedingly easy.

      So, no component of Internet Explorer is hosted within the kernel at all. However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.

      Note that this vulnerability also does not impact Internet Explorer 7.0 on Windows Vista running within Protected Mode. Yes, the vulnerability can still be exploited and the arbitrary code executed but that code will be contained within a fairly tight sandbox which lacks the privileges to write data to any location, including the user's own profile, even if the current user is running as Administrator. Google Chrome on Windows Vista is the only other browser to use this functionality. No browser can completely prevent buffer overruns in loaded native plug-ins, but browsers may mitigate the effects by sandboxing themselves. Other browsers should take note and follow suit.

  6. Wrong summary by OhHellWithIt · Score: 5, Informative

    Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.

    I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.

    Now, if you don't mind, I'll go back to my nap.

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell

  7. No, Microsoft did NOT say to use another browser by Anonymous Coward · Score: 5, Informative

    RTFA.

    Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

    But Microsoft counselled against taking such action.

    "I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

  8. Re:Microsoft should just scrap IE by Reality+Master+201 · Score: 5, Insightful

    Yeah, believe me, I've done a lot of corporate consulting, and there's plenty of places with stuff that they'd have to recode to move off IE. Stuff that uses client side VBScript and extensive ActiveX controls. Sometimes it's 3rd party apps from a timesheet system vendor or whatever.

    It already works. So why recode just to make the computer geeks happy?

  9. Re:Red header by mhall119 · Score: 5, Insightful

    For all Slashdot's leanings toward open source and hatred of all things Microsoft or proprietary, does anyone else find that Slashdot itself acts like a closed source company?

    You mean like how they host the code that runs their site on a publicly available CVS server and FTP site? Open source means that you can modify the code however you want, not that other people will modify the code however you want.

    --
    http://www.mhall119.com

  10. Re:Red header by Daimanta · Score: 5, Funny

    Obama performs stupid /. changelog tricks with Ubuntu!

    Frontpage material

    --
    Knowledge is power. Knowledge shared is power lost.