Slashdot Mirror


German Government Advises Public To Stop Using IE

An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"

320 comments

  1. A stinging lesson by Senes · · Score: 5, Interesting

    This is just a personal anecdote, but take it as you will. About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled. Mind you, this was a week ago. Fortunately I'm on a dual boot system and I was able to go into Linux to delete the malignant exe files, which gave me a foothold to manually recover from the rest of it. IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

    1. Re:A stinging lesson by headbulb · · Score: 1

      I had a similar thing happen to me. Browsers really could use better plugin controls; I should be able to disable any plugin without having to uninstall it. Why does someone need to view a pdf in a browser anyways?

      I am on a netbook so I am back on linux. (didn't come with a windows cd)

      A worm can move through a pdf file quick.

    2. Re:A stinging lesson by dangitman · · Score: 1

      About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled.

      What kind of web page was that, and what was so compelling about it that you decided to use IE to get it to load?

      --
      ... and then they built the supercollider.
    3. Re:A stinging lesson by Anonymous Coward · · Score: 0

      >IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

      When browsing the web myself, I use either Firefox or Arora, running under KDE 4.3.4, in turn running on Arch Linux x86_64. I use Okular to read PDF files. "Those people" would not have a hope of breaking through my system.

      >The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled.

      Not a problem at all for those of us who aren't forced to run Microsoft software.

    4. Re:A stinging lesson by PNutts · · Score: 2, Insightful

      Not a problem at all for those of us who aren't forced to run Microsoft software.

      Not a problem at all for those of us who choose to not use Adobe's software.

    5. Re:A stinging lesson by Anonymous Coward · · Score: 0

      Of course you didn't browse the Internet being a member of Administrators group? Did you use Vista or 7 with protected mode enabled and vulnerable plugins from third parties like Adobe disabled?

    6. Re:A stinging lesson by caubert · · Score: 1

      You really should give link to that site. I'd be happy to sandbox it and analyze the contents.

    7. Re:A stinging lesson by Simon+(S2) · · Score: 1

      You probably already know that, but as you probably do with linux, you should not use stuff like IE with your Admin account.

      --
      I just don't trust anything that bleeds for five days and doesn't die.
    8. Re:A stinging lesson by maxume · · Score: 2, Informative

      Firefox gives you the option of disabling plugins without uninstalling them (as does IE8, those are the only 2 browsers I have installed).

      Adobe Reader also gives you the option of not loading pdfs in the browser (the browser simply prompts you to save the file).

      --
      Nerd rage is the funniest rage.
    9. Re:A stinging lesson by Idiomatick · · Score: 5, Funny

      Natalie Portman.

    10. Re:A stinging lesson by mlts · · Score: 1

      You would be surprised. There are still a lot of websites out there which will not just tell you to take a hike if you are not using IE, but actually run JavaScript tests to check if someone spoofed the user agent field.

      My solution: Run IE... but in a limited user session in a virtual machine that rolls back to a known good snapshot when closed. This works on Macs, and Windows boxes. Since Windows 7 offers XP as a download, might as well take advantage of it. This way, any zero days just mean that the VM user in the guest OS gets infected, and that infection gets dumped the second I'm done dealing with the website in question and close the VM.

    11. Re:A stinging lesson by sopssa · · Score: 4, Insightful

      Which is why I don't understand parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.

      And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on a website.

    12. Re:A stinging lesson by mlts · · Score: 1

      Clarification here: This is for versions of IE less than 8. IE 8 is good enough to use as an everyday browser, as long as you have Protected Mode selected for all zones (even trusted), and that DEP is on (it ships that way.)

      It is crazy, but there are sites out there that consider anything but IE6 unauthorized, and actually do scripting tests to validate what someone is using.

    13. Re:A stinging lesson by obarthelemy · · Score: 1

      what version of windows ?

      do you login as an admin by default ?

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    14. Re:A stinging lesson by Penguinisto · · Score: 4, Insightful

      TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?

      By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins being off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.

      I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    15. Re:A stinging lesson by IdleTime · · Score: 3, Insightful

      And I do take a hike in those cases.

      If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.

      --
      If you mod me down, I *will* introduce you to my sister!
    16. Re:A stinging lesson by ozmanjusri · · Score: 1

      There are still a lot of websites out there which will not just tell you to take a hike if you are not using IE, but actually run JavaScript tests to check if someone spoofed the user agent field.

      A lot?

      I haven't seen any for years.

      Examples please?

      --
      "I've got more toys than Teruhisa Kitahara."
    17. Re:A stinging lesson by blai · · Score: 1
      --
      In soviet Russia, God creates you!
    18. Re:A stinging lesson by couchslug · · Score: 1

      Links please?

      I'd like to those that using a VM. (VirtualBox for teh convenient win!)

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    19. Re:A stinging lesson by Antiocheian · · Score: 1

      Solution: firewall IE to anything non localhost and switch to Firefox or Opera.

    20. Re:A stinging lesson by Anonymous Coward · · Score: 0

      This still isn't completely safe as hypervisor exploits can contaminate the host machine. For the near future this likely will remain a sophisticated attack beyond the typical malware, but as the virtual appliance concept goes mainstream we can expect to see more work in that area.

    21. Re:A stinging lesson by Nathrael · · Score: 1

      My solution: *do* take a hike and don't deal with the morons trying to shove IE down your throat.

      --
      A good education is a bit like a STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
    22. Re:A stinging lesson by mr+exploiter · · Score: 1

      That is not the worst malware problem you can have... the worst kind are those stealthy enough that you don't realize you have them. Although a possible strategy for one of those malware could be to create some obvious process and exes and hide the real payload so that it's still present after the user thinks they got rid of the problem. MMMmmm.

    23. Re:A stinging lesson by Stargoat · · Score: 3, Insightful

      I'm required to use adobe's horrible products.

      As far as I'm concerned, Adobe is a far greater security threat to my network than IE. I do not understand why people insist on using Adobe products. They are a pain to administer, and not particularly useful. Rather than concentrate on MS, why doesn't the EU take a look at a real threat, Adobe.

      --
      Hoist Number One and Number Six.
    24. Re:A stinging lesson by Bert64 · · Score: 2, Insightful

      The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses IE, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason no one viewed his site using any other browser was because his site didn't work and they didn't feel it important enough to complain.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    25. Re:A stinging lesson by Anonymous Coward · · Score: 0

      So on your system you don't use Flash Player at all?

    26. Re:A stinging lesson by Deathlizard · · Score: 1

      I've seen sites with these vulnerabilities, and they can cruise right through Firefox if written correctly. Why Firefox was crashing instead of loading Acrobat is either you may have a plugin that blocks malicious strings, (Like Adblock Plus - Which I highly recommend) Firefox already patched a hole that the malware was trying to exploit or they were exploiting an IE hole to start Acrobat and Firefox didn't like the way it was called. Also Consider that Firefox crashed, which can also lead to a possible code injection attack if it can be exploited in a specific manner.

      Ultimately, The real Culprit here is the PDF File. Adobe in general is the attack of choice anymore. Most likely it was a malicious Flash Ad delivered from a Third party service, which then called for a malicious PDF, which the browser will happily open up using Acrobat's plugin.

      If you really want to fix this, block the ads (either with the Firefox plugin AdBlock Plus or with IE8's InPrivate Filtering) and either get the latest Acrobat (which finally has some security in it) or replace it with Foxit Reader.

      Finally. Always Update IE Even if you exclusively use Firefox and never ever use IE. There are a lot of improvements that were made in security in IE8, and I have seen Flash apps that in Firefox will start IE to attempt to exploit unpatched IE holes. If you can't (Because Ye Be A Pirate Matey!! ARRR!! or because your company won't let you.) Then turn IE6 security to high for all security zones and use Firefox exclusively.

    27. Re:A stinging lesson by BitZtream · · Score: 2, Insightful

      You do realize that the fact that Firefox was crashing shows that it's also affected by the exploit that hit IE ... right?

      The ignorance in your post and the fanboys that drool over this sort of thing is mind boggling and is a good example of why people outside of slashdot don't take you or FireFox seriously.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    28. Re:A stinging lesson by Kenshin · · Score: 1, Insightful

      Affected by the exploit? In a word, yes. Affected in the same way? Doesn't sound like it one bit.

      I'd rather have my browser crash than simply hand over the keys to my entire OS.

      --

      Does it make you happy you're so strange?

    29. Re:A stinging lesson by jasen666 · · Score: 1

      I just ran into one this week. myitlab.com

    30. Re:A stinging lesson by jasen666 · · Score: 1

      Yep, that is a bit scary. I've run across sites that cause FF to crash from time to time, even with NoScript running. It is not my first inclination to go and open that site in IE.

    31. Re:A stinging lesson by CyclistOne · · Score: 3, Informative

      This happened to a friend of mine. His system was totally hijacked. Couldn't run any .exe. I finally got into the registry and disabled the malware, and things were seemingly back to normal. But we re-imaged the machine and restored his backed-up data. It was a pain, but it didn't take that long. But it was a similar thing, I think. Firefox crashing - go try IE, and bang.

    32. Re:A stinging lesson by ozmanjusri · · Score: 2, Interesting

      your online assessment and training solution for Microsoft Office 2007

      You got any that aren't Microsoft affiliated?

      --
      "I've got more toys than Teruhisa Kitahara."
    33. Re:A stinging lesson by Anonymous Coward · · Score: 0

      I have not seen a single one in years.

      Can you name some examples?

    34. Re:A stinging lesson by Dupple · · Score: 1

      yeah, give us the link, I'm feeling brave. I'll do it in Tiger and Safari, or another combination.

      Sorry, I meant to say 'citation needed'

      --
      Watch those corners
    35. Re:A stinging lesson by Blakey+Rat · · Score: 1

      And obviously it's IE's fault and not the GIANT SECURITY HOLE MASQUERADING AS UTILITY Adobe Reader?

      What version of IE are you running, anyway? If you're in Vista or newer, or using IE7 or newer, even Adobe Reader shouldn't be able to do jack to you-- it runs in a sandbox. (And you wouldn't be logging in as admin.)

      Also, it never occurred to you that Firefox's crashing was probably due to this site trying to execute code?

      I mean, I'm not pretending that IE is the most secure browser ever. (Although I do believe that security in IE 8 + Windows 7 is on-par with all other browsers). But if I had the choice between IE and Adobe Reader, I'd pick IE in a heartbeat.

    36. Re:A stinging lesson by Anonymous Coward · · Score: 1, Interesting

      The exploit is in the IE plugin, not Adobe Reader. The criminals probably figured out some exploit of Firefox that caused it to crash on the site knowing that Firefox users instinctively open IE when Firefox fails to load a site properly.

    37. Re:A stinging lesson by Joce640k · · Score: 5, Insightful

      a) Almost everybody has PDF reader installed (it's preinstalled on most PCs)

      b) Firefox managed to contain it.

      c) We all know IE is way more promiscuous than other browsers.

      --
      No sig today...
    38. Re:A stinging lesson by juancnuno · · Score: 1

      As insecure as IE is, it really is only part of the problem. Were you running with administrator privileges at the time? If you were running as a limited user, as you and the rest of the world should, I doubt the damage would have been as extensive.

    39. Re:A stinging lesson by Anonymous Coward · · Score: 0

      Because Adobe's rivals aren't bribing EU officials.

    40. Re:A stinging lesson by Rokewaju · · Score: 1

      Which is one reason why I don't run Windows. If I have a misbehaving web page in Firefox, it gets loaded in Chrome or Epiphany. Good thing I don't have Adobe Reader installed (Evince does the job just fine).

      --
      No, I don't have anything planned for you, I promise...
    41. Re:A stinging lesson by Anonymous Coward · · Score: 0

      You should never run IE outside of a virtual machine. It just is not safe.

    42. Re:A stinging lesson by Velex · · Score: 1

      I'd rather have my browser crash than simply hand over the keys to my entire OS.

      Yes, but some pointer somewhere got screwed up, maybe stack smashed, and that's why the OS killed the process. It's just a JMP to the left while someone figures out the correct alignment and you've got an exploit for Firefox now too.

      --
      Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
    43. Re:A stinging lesson by BitZtream · · Score: 3, Insightful

      Please tell me you aren't a programmer, you clearly don't get it.

      If it's crashing, they've got 95% of what it takes to own you, the next part is just figuring out how to use that to get some code to run.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    44. Re:A stinging lesson by Anonymous Coward · · Score: 0

      I always got irritated with Evince because I can't grab the page. I usually run Windows and I use Sumatra, which doesn't have plugin capability.

    45. Re:A stinging lesson by jim_v2000 · · Score: 1

      This is why I use le Chrome.

      --
      Don't take life so seriously. No one makes it out alive.
    46. Re:A stinging lesson by jim_v2000 · · Score: 4, Insightful

      That's no trouble. If they're that dumb, then I don't need their content.

      --
      Don't take life so seriously. No one makes it out alive.
    47. Re:A stinging lesson by ls671 · · Score: 2, Interesting

      A quick visit later, it seems to work fine in firefox...

      --
      Everything I write is lies, read between the lines.
    48. Re:A stinging lesson by Anonymous Coward · · Score: 0

      "The exploit was against Adobe PDF Reader" that's just a dumb library, a minor accessory, a casualty. Saying that is like saying any virus ever written in C++ is an exploit against C++ language. Sure it may not have done the raping but it sure lubed up your computer for the thrashing.

      And by "crash" he probably means the page borked out and puked pixels all over his screen when loaded with firefox. Most likely a counter measure for if the exploit fails so someone will load it up differently with another browser.

    49. Re:A stinging lesson by try_anything · · Score: 0

      The exploit is in the IE plugin, not Adobe Reader. The criminals probably figured out some exploit of Firefox that caused it to crash on the site knowing that Firefox users instinctively open IE when Firefox fails to load a site properly.

      More likely, Firefox and IE are both vulnerable to this attack, but the attackers had to pick one target, and they chose IE because of familiarity or target demographics. Executing the IE-targeted attack against Firefox has the random effect of crashing the browser.

    50. Re:A stinging lesson by Threni · · Score: 2, Interesting

      > Why does someone need to view a pdf in a browser anyways?

      Why does a program to interpret and display the data in a PDF have to expose you to danger anyway? Text and graphics, right?

      Wouldn't it be better if there were a wysiwyg mode as part of HTML? So you could genuinely display it the same on each browser, assuming you had the screen resolution required, or didn't mind scrolling? (There's a PDF reader on my phone, and that has a 'reflow' option to wrap text so I don't have to tediously scroll around the image anyway)

    51. Re:A stinging lesson by Threni · · Score: 1

      So you're saying the exploit would succeed on Firefox under Linux?

    52. Re:A stinging lesson by binner1 · · Score: 1

      Adobe Reader...making sendmail look good since 2004! :)

      -Ben

    53. Re:A stinging lesson by jasen666 · · Score: 1

      That's the funny part. It won't let you even login if you're not using IE, but if you use the User Agent Switcher add-on and set it to IE, the entire site seems to work just fine in FF.
      (which is what I do)

    54. Re:A stinging lesson by jasen666 · · Score: 1

      It's a Pearson Education owned site. Pearson publishes a ton of college books. Just because they offer Office related training, you're going to discount them as an example of a website that doesn't allow FF?
      Even most of MS's sites now work just fine in Firefox.

    55. Re:A stinging lesson by Anonymous Coward · · Score: 0

      I dealt with a site requiring IE6 off of my state's job bank yesterday. Similar with one from usajobs. However, a job is a job in this economy, even if they require IE for access.

    56. Re:A stinging lesson by mstahl · · Score: 1

      c) We all know IE is way more promiscuous than other browsers.

      Oh yeah. IE is a total whore.

    57. Re:A stinging lesson by selven · · Score: 1

      100% > 95%. Once Firefox starts crashing, people notice and then you just wait until Tuesday when the bug will probably get fixed in a patch on both Firefox and IE, and the exploit is mostly unused.

    58. Re:A stinging lesson by sopssa · · Score: 1

      Not the same one of course. But if you're using Adobe PDF Reader on Linux, and it has the same vulnerability, then yes, same kind of attack would succeed under Linux too (SELinux does protect some against this kind of thing, but it's a pain in the ass otherwise too).

      But of course the Linux desktop market share is only really minor, it consists mostly of advanced users, and isn't generally using Adobe's PDF reader, so there's no point targeting it.

    59. Re:A stinging lesson by indi0144 · · Score: 1

      I've been saying it for years, we should scrape HTML and evolve PDF to something like "XPDF" (XPDF=HTML+SVG+JS+VIDEO -- PDF actually supports those), an OPEN markup language that renders PDF-like with the help of an OPEN plug-in, just one language, just one renderer.

      I don't know its feasibility but it would SAVE many many millions of work hours for web developers and would make it easy for anybody to make a website, that's the meaning of open information, anyone can do it, right?

    60. Re:A stinging lesson by dave87656 · · Score: 1

      And because Firefox crashed too, it was definitely getting past what it should have been.

      But Firefox didn't allow the plugin to take control of his machine.

    61. Re:A stinging lesson by dave87656 · · Score: 1

      knowing that Firefox users instinctively open IE when Firefox fails to load a site properly.

      If FF has a problem I instinctively know I'd better get off the Windows laptop and view it on my Linux box. Fortunately I do most of my stuff from the Linux box anyway.

    62. Re:A stinging lesson by dave87656 · · Score: 1

      More likely, Firefox and IE are both vulnerable to this attack

      Ah, the ole, poor MS is targeted because they are so popular myth. Interesting that every software security organization has singled out IE. Sheesh, it's all a big conspiracy.

    63. Re:A stinging lesson by dave87656 · · Score: 1

      My solution: Run IE... but in a limited user session in a virtual machine that rolls back to a known good snapshot when closed. This works on Macs, and Windows boxes.

      So, your suggestion is to use something you know will allow your system to be attacked but to create this elaborate environment to be able to restore your machine to some previous snapshot, losing anything that was done in the mean time, when you get hammered?

      Any site which now-a-days doesn't work with Firefox is suspect to begin with. Though, I can't remember the last time I ran into a site which didn't work on FF, come to think of it.

    64. Re:A stinging lesson by dave87656 · · Score: 1

      That's no trouble. If they're that dumb, then I don't need their content.

      My thoughts exactly.

    65. Re:A stinging lesson by Anonymous Coward · · Score: 0

      Please tell me you are a MS employee, you clearly are attempting to misinform.
      A denial of service and a system hijack are worlds apart -even disregarding the fact that you can recover from the crash immediately.
      "just figuring out how to use that to get some code to run" is 99 percent of what it takes to own you.

    66. Re:A stinging lesson by bemymonkey · · Score: 1

      Weird, I use Chrome as my site-doesn't-work-on-Firefox-alternative too... on Win7 ;)

      It's not like there's a lack of browsers on either system.

    67. Re:A stinging lesson by ssimpson · · Score: 1

      https://secure1.globalexpense.com/ExpensesNet/login.aspx - painful as I have to use it every month for work related expenses

      --
      "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    68. Re:A stinging lesson by Anonymous Coward · · Score: 0

      In this economy you get what you can take, and there are a lot of state and Federal sites that are IE only. It is better to be working at a place that has an IE only policy than being foreclosed upon.

    69. Re:A stinging lesson by bingoUV · · Score: 1

      For me it is working in firefox on linux with default user agent. It keeps working even after enabling javascript for the site. Worked in chrome on linux too.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    70. Re:A stinging lesson by Anonymous Coward · · Score: 0

      That hasn't happened to me... yet. At least not with PDF reader, I suspect flash was involved. Same thing - locked out of registry and everything. Plugins are becoming as much a security risk as browsers. That's why I uninstalled acrobat reader and replaced it with a 3rd party PDF reader. I've also got a plugin called flashblock installed on Firefox. And a sandbox setup as well.

    71. Re:A stinging lesson by try_anything · · Score: 1

      You think I'm a Microsoft apologist? In case you didn't notice, I insulted IE users ("target demographics") and IE itself (by pointing out that malware writers are much more familiar with IE than with Firefox.) Funny you read that as a defense of IE.

      In any case, the attack demonstrates an exploitable bug in Firefox. How exploitable is it? If you have some way of knowing, please tell me. My guess is the attackers put a higher priority on launching an effective attack as soon as possible than on trying to subvert Firefox as well.

    72. Re:A stinging lesson by shutdown+-p+now · · Score: 1

      Firefox managed to contain it.

      There's no evidence that it did so. If anything, the symptoms described by GGP are consistent with the successful use of an exploit in PDF plugin to execute arbitrary code, but said code then assuming that it runs in IE (remember, those code exploits usually only allow a relatively small payload, so you have to use hacks to bootstrap the rest). Which, in light of IE's 70% market share, makes perfect sense from malware writer's point of view.

    73. Re:A stinging lesson by yuhong · · Score: 1

      Because the plug-in vulnerability would likely be still there, it would just be hidden by the fact that the exploit does not target other browsers, like what probably happened in this case.

    74. Re:A stinging lesson by yuhong · · Score: 1

      In fact, my first inclination is to attach Firefox to the WinDbg debugger and do debugging on Firefox. I have both MS and Mozilla symbol servers in the symbol path to help in debugging.

    75. Re:A stinging lesson by Acaeris · · Score: 1

      Um, the only thing he'd lose is the infection and the browser history as it's all contained in a VM. Everything else he wants to do he can do outside the VM safe from anything contained in VM. Microsoft even provide a VM setup that just does IE so that web developers can test their websites in IE6 (XP), IE7 (XP & Vista) and IE8 (XP & Vista) which you could use for this purpose.

    76. Re:A stinging lesson by ubersoldat2k7 · · Score: 1

      HTML is fine, the problem is more political since each provider wants to render it the way they want it according to their objectives of world domination. IMO the only browser which gets truly in the way is MSIE since a well made web page will work with any browser which is not it. Build for FF and Chrome, Opera and Safari will work also without much hassle. Another thing: XPDF already exists, just not what you're thinking of: http://linux.die.net/man/1/xpdf

    77. Re:A stinging lesson by ubersoldat2k7 · · Score: 1

      Then you're not using Yahoo! Mail, right? It always shows this stupid message about "your Operating System haven't been tested"

  2. Friends don't let friends.... by ansak · · Score: 3, Funny

    Use Internet Exploder for web browsing,
    Use Outlook or Outlook Distress for reading e-mail.

    nuff said...ank

    --
    Still hoping for Gentle Treatment...
    1. Re:Friends don't let friends.... by Presto+Vivace · · Score: 4, Insightful

      You know your product's reputation is in trouble when a government advises the public to dump it.

    2. Re:Friends don't let friends.... by Anonymous Coward · · Score: 2, Informative

      Maybe the summary shouldn't have left out the most important word: temporary. Here is a translation of the headlines:

      original:
      Kritische Sicherheitslücke im Internet Explorer
      BSI empfiehlt die vorübergehende Nutzung alternativer Browser

      translation:
      Critical security hole in Internet Explorer
      BSI recommends to temporarily use alternative browsers

    3. Re:Friends don't let friends.... by Bert64 · · Score: 1

      They have a point, these attacks work primarily because for any given corporation or government you can be almost 100% certain that they are running Windows desktops with MS Office installed and MSIE as the default browser. I have done a lot of contracts at different companies of varying sizes, and the only times I've seen anything else being used for workstations was either a small department in a huge organization, or an individual member of the tech staff on his own machine...
      A little more diversity would be hugely beneficial.

      The current measures being employed to mitigate these risks are largely useless, I have encountered many companies where mass spreading malware has penetrated because their chosen antivirus product doesn't recognise it, let alone a concentrated attack where the attackers would be using new malware which is not detected by anything.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Friends don't let friends.... by Nyder · · Score: 1

      Use Internet Exploder for web browsing,
      Use Outlook or Outlook Distress for reading e-mail.

      nuff said...ank

      And friends don't let friends use Adobe Reader

      --
      Be seeing you...
  3. So did the swiss by Anonymous Coward · · Score: 0

    As if IE was ever safe to use anyway... now when there was such a "public exploitation" they advise not to use it. It's ridiculous.

  4. To be fair to Microsoft by FlyingBishop · · Score: 5, Interesting

    This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.

    Of course, the fact that it was present across all versions of IE suggests some fundamental architecture flaws that Microsoft has yet to correct.

    1. Re:To be fair to Microsoft by sakdoctor · · Score: 5, Informative

      Why be fair to Microsoft in this case? Bashing where bashing is due;
      IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.

      Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into windows, for leveraging purposes. Didn't even try to keep on top of updates letting it stagnate.
      It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

    2. Re:To be fair to Microsoft by peragrin · · Score: 5, Interesting

      Of course the fact that MSFT let the Chinese view the source code for Windows (http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html) has nothing to do with it. Sure it was 6 years ago, the question is how long was China running the operation and how many field tests did they get away with and for how long?

      Something like this has been in at least limited operation for a couple of years.

      --
      i thought once I was found, but it was only a dream.
    3. Re:To be fair to Microsoft by McGiraf · · Score: 4, Informative

      "Wrote the piece of shit in the first place"

      No, they bought/stole the Microsoft way from Spyglass.

      http://en.wikipedia.org/wiki/Spyglass,_Inc.

      (the link ends with a dot slashdot moves it after "[wikipedia.org]". bug! )

    4. Re:To be fair to Microsoft by sakdoctor · · Score: 1

      Interesting thanks.
      I joined the party mid to late browser wars, so that was a bit before my time, but I do remember reinstalling windows, 5 times in a day because IE4 was so volatile.

      IE (4-5-6) has always been a complete disappointment, and the day someone told me about the plucky little upstart Firebird 0.6, I never had to use it as my main browser again.

    5. Re:To be fair to Microsoft by Grygus · · Score: 0

      IE (4-5-6) has always been a complete disappointment, and the day someone told me about the plucky little upstart Firebird 0.6, I never had to use it as my main browser again.

      IE4 was terrible, and 6 was the one that drove me to Firefox never to return, but I quite liked IE5 at the time.

    6. Re:To be fair to Microsoft by Kjella · · Score: 1

      Use html and it'll work. I'd say it's possibly a feature to avoid extra dots from a sentence ending which are not part of the URL.

      --
      Live today, because you never know what tomorrow brings
    7. Re:To be fair to Microsoft by McGiraf · · Score: 1

      I know, but a workaround is no bug fix.

    8. Re:To be fair to Microsoft by Anonymous Coward · · Score: 0

      You're making that up. IE6 preceded Firefox by years. If IE6 had put you off that much, you would have switched to Opera or the Mozilla Suite, not Firefox.

    9. Re:To be fair to Microsoft by Anonymous Coward · · Score: 0

      I use firefox on Ubuntu, and to be fair, I take all this stuff with a grain of salt, now that:
      1. Google is in the browser business.
      2. Bing is coming up strong in the search engine business.

      Not saying that Google had a "hidden" agenda, but may work for them as well.

    10. Re:To be fair to Microsoft by Hurricane78 · · Score: 1

      It’s not at all about who it could have happened to.
      It’s about the fact that no other browser developer would dare to still not have a patch available.
      The Mozilla team would probably have released a patch in about 3 hours of a furious team effort. The Opera team maybe even more because their business depends on these things. And even Apple and Google would not dare taking that long.

      Then again, knowing what a huge mess of spaghetti code of an upside-down pyramid the Trident engine is, I’d not be surprised if it simply takes that long to find a bug in there. It would be like finding a straw in a haystack. ;)

      Yes, the fundamental architectural flaws definitely make it easier to find a hole. Like finding one in a sieve. Just look. ;)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    11. Re:To be fair to Microsoft by Anonymous Coward · · Score: 0

      This could have happened to any browser.

      But it didn't. No other browser attempts to be "An Integral Part of Microsoft Windows". To quote Steve Ballmer.

    12. Re:To be fair to Microsoft by Bert64 · · Score: 1

      It could have happened to any browser, but if you write an exploit for say firefox on linux - how many large corporations are you going to be able to target with that?
      The specific target was windows systems running ie, because they knew that's what all of their targets would be using.

      If you had a competitive market, with a mix of different platforms and different browsers then these attacks would have been a lot harder.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    13. Re:To be fair to Microsoft by paimin · · Score: 1

      Spyglass...lol. Man, what foresight.

      --
      Facebook is the new AOL
    14. Re:To be fair to Microsoft by Anonymous Coward · · Score: 0

      Did you ever consider the possibility that he continued to use 5 until long after 6 had come out? He did say he liked 5 after all. Then maybe when he got around to trying 6 out, he hated it and Firefox or one of its predecessors was available and he just moved to that.

    15. Re:To be fair to Microsoft by Anonymous Coward · · Score: 0

      They licensed the code from Spyglass. MS was legitimately not selling IE, there was no stealing there. The Wikipedia article says that Spyglass continued to receive their licensing fees the whole time. There was nothing wrong, evil or in any way morally reprehensible about that. The agreement called for a flat license plus royalties on sales, but there were no sales, the agreement did not state that MS could not give the browser away. So Spyglass made a not-so-great choice and regretted it later and tried to sue, and MS found it easier to just give them $8M to STFU. It would have cost them that much to go to court, so why bother. Smart moves on MS's part the whole way around. A +4 informative on something so blatantly flamebait can only happen when you mention MS on /.

    16. Re:To be fair to Microsoft by BitZtream · · Score: 0, Troll

      Wrote the piece of shit in the first place.

      No, they didn't, they bought it.

      Tightly integrated it into windows, for leveraging purposes.

      You mean like WebKit in OSX and KDE, or whatever the renderer GNome uses? Don't both of them use that same renderer for the HELP system as well? So basically you're bitching that MS did it, but now everyone does it as well.

      Didn't even try to keep on top of updates letting it stagnate. It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

      So it was OKAY that Netscape/Mozilla fell off the face of the Earth and didn't release a new version for years while they jerked themselves off with rewrite?

      Your entire post is either wrong or happened to the other browsers as well.

      It's cool how you blame MS and ignore the fact that everyone else does the exact same shit :)

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    17. Re:To be fair to Microsoft by jim_v2000 · · Score: 1, Flamebait

      "Writing the piece of shit" and bundling it with Windows was partly responsible for the rapid growth of the internet in the mid 90s to the early 00s.

      --
      Don't take life so seriously. No one makes it out alive.
    18. Re:To be fair to Microsoft by sakdoctor · · Score: 1

      Fine, I concede to you.

      It wasn't wholly Microsoft's fault; Some of the blame also rests with the "This site only works in IE6-7" lazy bastard developers, back when alternative browsers were such a minority, they could be ignored along with any semblance of web standards.

      We can't blame Microsoft for getting a browser monopoly, but I certainly do blame them for abusing it.

    19. Re:To be fair to Microsoft by McGiraf · · Score: 2, Insightful

      They bundle it with Windows and say to Spyglass: we sell Windows IE is a free bonus so no royalties for you.

      Then they turn around and say to the DOJ: IE is an integral part of windows and they cannot be separated.

      I think Spyglass had grounds for a lawsuit there. Spyglass's "not-so-great" choice was to accept just $8M instead of going to trial. Maybe they did not have the money to finance a long legal fight with Microsoft.

    20. Re:To be fair to Microsoft by shutdown+-p+now · · Score: 1

      Practically any government can get access to Windows source code if it asks (and pays). Universities can (and do) that, too.

  5. IE8 allegedly super-safe by yupie · · Score: 5, Interesting

    Ironically, in Belgium they have just had a (somewhat controversial) campaign, where a new all-Belgian browser "Paladin" (http://www.getpaladin.be/splash.php) was going to be launched, which appeared to be just fake, pointing to and arguing for the already super-safe IE8 browser :-)

    --
    Sig (appended to the end of comments I post, 120 chars)
    1. Re:IE8 allegedly super-safe by PK+Tech+Guy · · Score: 1

      Sounds like Mojave Brussels-style. I guess they'll be making commercials with Jerry Seinfeld's Belgian equivalent next.

    2. Re:IE8 allegedly super-safe by Le+Tmraire · · Score: 1

      Microsoft is the absolute king of the Belgian software market. Especially for government and administration.

      In my few years in the Belgian software business I have heard the most mind-numbing arguments from managers to promote yet another stupid Microsoft product over a better or equal equivalent.
      "Everybody uses it, so it is better!"
      "It is a corporate standard!"
      "Outlook has got all sorts of features that others don't!" (this was a remark on my use of Gmail and Google calendar)

  6. Good by Anonymous Coward · · Score: 1, Interesting

    Joe public needs to upgrade already, and I don't care if governments have to dumb it down to "IE steals yu0r megahurtz, and means you support TERRORISM", so long as the message gets through.

    (Screw the corporations that got locked into IE. They can use IE as an intranet client, and use a real web browser for ... wel browsing.)

    1. Re:Good by maxwell+demon · · Score: 2, Insightful

      It's probably safer anyway to use different browsers for intranet and internet.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Good by bcmm · · Score: 1

      That's a very good idea, and it would be possible to prevent idiots from using IE anyway by having different proxy settings in each browser.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    3. Re:Good by ArsenneLupin · · Score: 1

      Screw the corporations that got locked into IE

      Indeed. These corporations deserve to die, and the world will be a better place for it! Darwin knew this already more than a hundred years ago!

    4. Re:Good by John+Hasler · · Score: 1

      > Indeed. These corporations deserve to die, and the world will be a better
      > place for it!

      Same goes for the locked-in governments.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Good by Risen888 · · Score: 1

      (Screw the corporations that got locked into IE. They can use IE as an intranet client, and use a real web browser for ... wel browsing.)

      It's terrifying, really. I work for a very large American bank (not the one with America in the name, the other one), and we use IE6 for everything. I swear to God. I am scared to log in to my bank account from work. And I work at the bank.

      --
      Hey, I finally got my first freak! Took you long enough!
  7. Right Decision? by Henry+V+.009 · · Score: 3, Insightful

    According to the original article, DEP (enabled by default in IE8) and sandbox mode (Windows 7, Vista) all stop this zero day.

    If that is the case, doesn't that count in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.

    1. Re:Right Decision? by Anonymous Coward · · Score: 5, Funny

      However, it seems that IE has some pretty good built-in protections that Firefox lacks.

      Sir, your power of deductive reasoning is astonishing!!

      Now if it was Firefox that was hacked, the previous statement would be in your favor.

      Instead...

    2. Re:Right Decision? by mjwalshe · · Score: 0, Flamebait

      yess well germany does seem to have problems with getting this whole Internet thing - throuble is all the realy good people want to go into old skool engineering and work for audi and not Computers

    3. Re:Right Decision? by MtHuurne · · Score: 1

      I don't think it still counts as a 0-day at this moment, since the vendor has been informed. I do agree that Firefox would benefit from sandboxing and other extra security measures, but those are no substitution for quick patching.

    4. Re:Right Decision? by benjymouse · · Score: 5, Interesting

      DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.

      But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker to execute string constants.

      The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    5. Re:Right Decision? by lukas84 · · Score: 2

      DEP, which is a Windows feature and not an IE feature, is also active for recent versions of Firefox.

      What Firefox lacks though is the sandboxing using a lower-privileged logon (Protected Mode).

    6. Re:Right Decision? by amiga3D · · Score: 1, Informative

      You may be correct, I can't say since I haven't used Windoze for anything to do with the internet in a long time. I do wonder though, why don't they just patch the damn thing? I mean really. They know a lot of people are getting infected, don't they give a shit? Ah...my bad. This is Micro$oft we're talking about here.

    7. Re:Right Decision? by Anonymous Coward · · Score: 0

      Why do you spell really and school incorrectly? What you said seemed smart and then I just lost the point. I understand it was intentional, that was why I asked why. I never ask why someone has a typo, it's a typo.

    8. Re:Right Decision? by edxwelch · · Score: 1

      "Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd. "
      That's because if you actually look at the details you'll see most of those security bugs in Firefox are minor - i.e. don't allow execution of code on the user's machine.

    9. Re:Right Decision? by TheRaven64 · · Score: 2, Interesting

      Java inherently has the ability to both write and execute code

      But not at the same time. One of the things the OpenBSD guys had to do with their port (which is now in mainstream), and which I helped implement for LLVM, is W^X support. DEP is Microsoft's implementation of W^X, i.e. no page may have both write and execute permission at the same time (although they only support it properly on CPUs with the NX bit; OpenBSD does it using horrible hacks involving relocating pages within segments in the absence of NX page protection). That means that you can't execute data that you write into memory unless you issue a system call to change the page permission. To do this you must already be able to make the program do what you want, so you need some other exploit.

      --
      I am TheRaven on Soylent News
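
Added example, not part of the thread or any commenter's code: a small C program for Linux that illustrates the W^X rule described in the comment above. It audits `/proc/<pid>/maps`-format text for mappings that are writable and executable at once, and walks one page through the write-then-flip sequence; the function names and the sample maps text are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample in /proc/<pid>/maps format; the third line violates W^X. */
static const char SAMPLE_MAPS[] =
    "55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 131 /usr/bin/example\n"
    "55d0c8c21000-55d0c8c22000 rw-p 00021000 08:01 131 /usr/bin/example\n"
    "7f2a10000000-7f2a10010000 rwxp 00000000 00:00 0 \n"
    "7ffc1a2e0000-7ffc1a301000 rw-p 00000000 00:00 0 [stack]\n";

/* Count mappings whose permission field has both 'w' and 'x' set. */
int count_wx_mappings(const char *maps_text)
{
    int n = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* The permission field ("rwxp") follows the first space. */
        const char *sp = memchr(line, ' ', len);
        if (sp && (size_t)(sp - line) + 5 <= len) {
            const char *perms = sp + 1;
            if (perms[1] == 'w' && perms[2] == 'x')
                n++;
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return n;
}

/* Look up the live permissions of the mapping that contains addr. */
static int perms_of(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int rc = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 &&
            (uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(perms, p, sizeof p);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/*
 * Write-then-flip, the sequence a JIT follows under W^X: fill the page while
 * it is read/write, then trade write permission for execute with mprotect().
 * Returns 0 if the page was never writable and executable at the same time,
 * 1 if it was, -1 if the check could not be performed on this system.
 */
int wx_lifecycle(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    char before[5] = "", after[5] = "";
    int rc = -1;
    if (pagesz <= 0)
        return -1;
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memset(page, 0, (size_t)pagesz); /* stand-in for generated code; never executed */
    if (perms_of(page, before) == 0 &&
        mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) == 0 &&
        perms_of(page, after) == 0) {
        int was_wx = before[1] == 'w' && before[2] == 'x';
        int is_wx = after[1] == 'w' && after[2] == 'x';
        rc = (was_wx || is_wx) ? 1 : 0;
    }
    munmap(page, (size_t)pagesz);
    return rc;
}

int main(void)
{
    printf("W+X mappings in sample: %d\n", count_wx_mappings(SAMPLE_MAPS));
    printf("lifecycle result: %d\n", wx_lifecycle());
    return 0;
}
```

The same `count_wx_mappings` check can be pointed at the contents of `/proc/<pid>/maps` for a running process to spot mappings that a W^X policy would refuse.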
    10. Re:Right Decision? by amiga3D · · Score: 2, Interesting

      Troll? Isn't "WHY don't they patch it already" a valid question? Micro$oft has a history of not patching well known security holes, it's not like this is the first time. They deserve the scorn I heaped on them. It's one thing to sell buggy software. It's another thing entirely to ignore full blown exploits like this. Call me troll if you like but I'm right and I think that's what pisses off the M$ shills the most.

    11. Re:Right Decision? by Hurricane78 · · Score: 1

      That would be like saying Chernobyl has some pretty good built-in protections that domestic nuclear plants lack, because they have to wrap another new sarcophagus around it every couple of years!

      And because all of them will explode sometime.

      Yeah, great argument! ;)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    12. Re:Right Decision? by Anonymous Coward · · Score: 0

      Looking at the dozens of hacked top companies all I can say is: theory is a fickle bitch ;)

    13. Re:Right Decision? by mr+exploiter · · Score: 1

      I know what I'm talking about and IE8 64 bits in windows 7 is MUCH more secure than firefox. Too bad it doesn't have plugins like firefox and so I can't use it, but that's also part of why it's more secure.

    14. Re:Right Decision? by Anonymous Coward · · Score: 0

      No, you're a fucking loser troll. Look at the faggotty dipshit hax0r way your spell Microsoft.

    15. Re:Right Decision? by mr+exploiter · · Score: 1

      Troll? Isn't "WHY don't they patch it already" a valid question? Micro$oft has a history of not patching well known security holes, it's not like this is the first time. They deserve the scorn I heaped on them. It's one thing to sell buggy software. It's another thing entirely to ignore full blown exploits like this. Call me troll if you like but I'm right and I think that's what pisses off the M$ shills the most.

      You lose credibility when you use terms like "Windowze" and "Micro$oft" so you shouldn't be so surprised to be modded as troll. And fixing software, doing regression tests, and making sure the bug is really fixed takes time, I'm sure they're working on it.

    16. Re:Right Decision? by theLOUDroom · · Score: 5, Insightful

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days

      What a bunch of crap!
      Where's your proof?

      #1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
      #2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
      #3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.

      --
      Life is too short to proofread.
    17. Re:Right Decision? by amiga3D · · Score: 1

      heh...what's wrong with spelling it Micro$oft? I've been doing it that way for so long, since 1992 on Bulletin Board Systems and Fidonet, that I don't really even think about it anymore. You must be one of the shills I was talking about. Stay anonymous...coward.

    18. Re:Right Decision? by colinrichardday · · Score: 1

      sudo -u nobody firefox? At least in Linux/*BSD.

    19. Re:Right Decision? by amiga3D · · Score: 1

      Leaving terminology behind, I'm surprised a huge corporation that drips money like Micro.....soft can't keep up with bug fixes on their browser. Firefox manages to keep its product patched and their funding is much more limited. As a user of OSS I tend to be tolerant of bugs since I pay very little other than the occasional donation to the people that produce it. If, on the other hand, I had shelled out a bunch of cash to a certain software company in Redmond and I got hit by something like this I'd be LIVID. I mean ranting mad. It is inexcusable. Why do people put up with such sorry, buggy software that they PAID for? They actually make excuses for these guys. Unbelievable. Nah...I'm not trolling. I'm absolutely serious. It sucks to pay good money for something that performs so poorly.

    20. Re:Right Decision? by RightSaidFred99 · · Score: 1

      Yeah, because Windows doesn't have 'runas', amirite? Oh wait. It does.

    21. Re:Right Decision? by lukas84 · · Score: 1

      Yep. It's possible.

      But do people actually do that? I know I don't.

    22. Re:Right Decision? by Anonymous Coward · · Score: 0

      That's not even necessary. Set up an apparmor profile for firefox to limit writing to only a few select places (like ~/.mozilla/firefox, and maybe a download folder) and you should be fine

    23. Re:Right Decision? by lukas84 · · Score: 1

      So, which distributions ship with such an AppArmor profile as a default configuration?

    24. Re:Right Decision? by Anonymous Coward · · Score: 1, Interesting

      >> Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      What's odd is how you're also minimizing the fact that other browsers also get updated more frequently and diligently with this deceptive statement.

    25. Re:Right Decision? by MemoryDragon · · Score: 1

      You overestimate the problem in Java. Java is not C in this regard; true, there are String constants in the code, but the code itself runs in a VM, which makes it hard to break out and reach the system, and secondly string overflows are impossible, this is a C phenomenon. So even if you alter the strings on the bytecode level, what do you achieve with it in the end? You just altered a constant, but you cannot push any code on this level causing any overflow.
      But if you reach the bytecode level nothing prevents you from placing your own code anyway, so the discussion ends there because then you can alter your program on the fly.

    26. Re:Right Decision? by jthill · · Score: 3, Insightful

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      The rest of your post, including the sandboxing point, deserves that 5. This one doesn't belong on the same page.

      Everyone paying attention can see that Firefox (and open-source general practice) reports and patches as critical security holes bugs for which there's only theoretic or even just heuristic evidence of a potential security breach, while Microsoft's usual reports are of bugs that have actually been exploited and are often actually leaking data in the wild, and eventually releases patches for those.

      Microsoft, understandably given their nature as a marketing company, is only too happy to persuade the gullible that the two different counts are comparable.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    27. Re:Right Decision? by colinrichardday · · Score: 1

      Oops, I don't use Windows much.

    28. Re:Right Decision? by colinrichardday · · Score: 1

      Does Windows have the equivalent of the user "nobody"?

    29. Re:Right Decision? by benjymouse · · Score: 1

      Actually, this is a design problem in Java and possibly JavaScript and .NET as well. The problem is that an attacker can design a "perfectly legal" Java applet. Only it may contain mostly string constants. Constants whose binary representation is actually machine code.

      By "spraying" instances of such an applet all over the memory (by asking the browser to instantiate it) it will fill up the memory with strings constants. They are perfectly legal *from a Java perspective*. But if some kind of memory corruption (doesn't have to be in Java) bug sends the program counter astray, the attacker *may* just hit one of those strings - and now the CPU starts executing them as if they were code. That's what is meant when Java is referred to as a stepping stone. Formally this is not a Java problem. Java didn't cause the memory corruption. Java never started executing strings. It was merely a well intentioned assistant.

      Similar problems have been reported with Javascript in certain browsers. And at some point .NET assemblies were dangerous this way as well. Only the Java problem is slightly more unique in that it uses a hotspot compiler. *First* it executes bytecode - which from the CPU perspective is just data. When a certain region of code is hit a little too often it will compile that region into executable code on the fly. It follows that Java *can write code* which it will then execute. This is a downright dangerous design. There are ways around it, see the response from TheRaven further up.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    30. Re:Right Decision? by benjymouse · · Score: 1

      What a bunch of crap!

      Ignored.

      Where's your proof?

      Here: http://secunia.com/advisories/product/19089/

      and here: http://secunia.com/advisories/product/21625/

      FF3 and IE8 are about the same age. In the same time frame FF3 has raked up 144 vulnerabilities. IE8 has experienced 23.

      And no, those FF bugs are not just trivialities. They are practically all of them rated "highly critical". And most of them are - tada - memory corruption bugs like the one exploited in this attack.

      #1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.

      #2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.

      #3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.

      #1) We have access to Microsoft's Security Bulletins - which are among the most detailed in the industry. Admins depend on those bulletins to be accurate. They need to make the right decisions on whether to block or allow patches. What do you think would happen if MS tried to sneak a patch by and it turned out to cause damage to systems? Simply put, there's nothing to support a suggestion that MS is sneaking anything by.

      #2) Number of exploits is a function of profitability, it has no correlation to number of security bugs or software quality. One bug may give rise to many exploitation attempts. 144 vulnerabilities may never be exploited. Consider two lotteries, tickets the same price and the winning chances were same. Only in one lottery the prizes were 10x bigger. Given you could buy 10 tickets - how would you spend them?

      #3 Time to fix is relevant. However, in this case it doesn't matter, because these were targeted attacks. Somebody had put in a lot of effort in finding a bug and preparing a cocktail attack (social engineering, pdf and IE). This was not a publicly disclosed bug. No vendor can patch a bug before they know of it. Simply put, the most important precaution is to up the QA standards and prevent the bugs in the first place. Then - when a bug is eventually discovered - it is important to fix it fast.

      Mozilla certainly seems to patch fast. But they have 8 times more bugs to fix. That says something about their quality control as compared to Microsoft's. Which shouldn't come as a surprise given how crash-happy Firefox has become.

      Disclosure: I use Chrome. Safer and far less crash-happy than FF.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    31. Re:Right Decision? by theLOUDroom · · Score: 1

      Here: http://secunia.com/advisories/product/19089/ and here: http://secunia.com/advisories/product/21625/ FF3 and IE8 are about the same age. In the same time frame FF3 has raked up 144 vulnerabilities. IE8 has experienced 23.

      Apparently you did not even read your own source! QUOTE FROM YOUR OWN SOURCE:

      PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

      Please go and read your source, they make this point for me.

      We have access to Microsoft's Security Bulletins - which are among the most detailed in the industry. Admins depend on those bulletins to be accurate. They need to make the right decisions on whether to block or allow patches. What do you think would happen if MS tried to sneak a patch by and it turned out to cause damage to systems? Simply put, there's nothing to support a suggestion that MS is sneaking anything by.

      Wow, talk about calling your own objectivity into question. "The most detailed in the industry" Sheesh. Are they also the most well written, prepared by the best smelling employees?

      You just don't get it. You can't tell if they're telling you everything because you don't have access to their bug tracker and you don't have access to the code. They can say they're changing a font size and fix 3 major vulnerabilities without telling you.
      And as for what would happen if "it turned out to cause damage to systems", let me know when their EULA doesn't explicitly disclaim liability for that.

      #2) Number of exploits is a function of profitability, it has no correlation to number of security bugs or software quality

      Try reading your own statement out loud to yourself. It obviously does not make sense. Of course number of exploits is correlated to the number of bugs. It doesn't take a genius to realize that as the number of bugs reaches zero, the number of exploits will be forced to zero as well. This section is an example where you're using terms with very specific meanings like "correlation" without any data to back it up.

      #3 Time to fix is relevant. However, in this case it doesn't matter, because these were targeted attacks.

      This is another case where you're assuming things you can't possibly have data for, such as when MS first became aware of this vulnerability.

      This really doesn't take a rocket scientist:
      Pretend you're a software vendor and you want to look good to your customers, first and foremost.
      You will group software updates into batches so as to give the best impression of stability and security as possible.
      You will have a pressure to do this even when particular flaws might be quite severe.
      In an extreme case, you might even go so far as to only release your updates on a particular day.... maybe Tuesday?

      --
      Life is too short to proofread.
    32. Re:Right Decision? by shutdown+-p+now · · Score: 1

      You could use Guest.

    33. Re:Right Decision? by MemoryDragon · · Score: 1

      Javascript has bigger problems, and the hotspot problems are exaggerated; basically every JIT has that problem. As I said, this is a problem which is overestimated: first, you have to trigger a memory overflow in the VM; secondly, you have a string length check at every string you pass; third, if you can reach the bytecode level you can inject code directly, but normally you cannot reach it due to sandboxing happening. This is a way better security model than any C program has, but I never said it was entirely secure.
      But even then the VM runs in user space normally, so you have to break through that as well. But there are easier things to target than to target an Applet and try to break out of the sandbox by corrupting the VM and then trying to root the underlying machine. Simply hack the IE in any incarnation: less effort, same result and a bigger audience.

      Javascript however has bigger issues due to its dynamic nature: eval, you can replace entire functions on the fly in running code by just changing the prototype level, etc... but again all this comes down to the point of how you break out of the VM. Java in this regard is probably more secure than most other VMs due to its 13 years of existence and open source nature by now. In Javascript it depends on the implementation and I assume again the IE implementation is the one easiest to hack.

  8. Yeah sure by SmallFurryCreature · · Score: 5, Informative

    It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

    MS apologists, you got to admire their dedication. The Iraqi minister of information used windows as well.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Yeah sure by awitod · · Score: 1

      DESPITE claimed complete rewrites of the code

      Claims by who? Do you have a link? If this is true I'm not surprised your post is currently 5:Informative because I have never heard of this and I like to think I pay close attention in this space.

    2. Re:Yeah sure by Maxo-Texas · · Score: 3, Informative

      He's probably thinking of articles like this:
      http://www.itwriting.com/blog/541-mshtml-layout-engine-completely-rewritten-for-internet-explorer-8.html

      Interesting article here: http://www.joelonsoftware.com/articles/fog0000000069.html

      "[netscape killed themselves by rewriting]
      Well, yes. They did. They did it by making the single worst strategic mistake that any software company can make:
      They decided to rewrite the code from scratch."

      Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    3. Re:Yeah sure by icannotthinkofaname · · Score: 1

      Er, isn't a complete rewrite what's supposed to happen when the developer increments the main version number (like going from IE 6 to IE 7)? Even if there's no documentation of Microsoft explicitly saying that IE was completely rewritten, I would think that the incremented version number is claim enough.

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    4. Re:Yeah sure by Anonymous Coward · · Score: 0

      There are some pieces of software that are so horribly broken that they should be rewritten from scratch. But each case is different and in this one, all versions of IE definitely fall into this category.

      It seems like the larger the company, the more difficult this is to do. MS certainly has some competent programmers. And they certainly have the resources to pull it off but they still release turd after turd after turd across their product lines.

      Perhaps the exception is Vista 7. But then again, who knows how many 0-days are lurking in there right now? There's no way to know since the code is closed off.

    5. Re:Yeah sure by Joe+U · · Score: 1

      I'm guessing it was to get rid of the last bits of Spyglass Mosaic code, so they would stop having to license it.

    6. Re:Yeah sure by KarmaMB84 · · Score: 1

      No, that almost never happens.

    7. Re:Yeah sure by Dr_Barnowl · · Score: 1

      There is some value in that statement, but it's also true that code is like a map of the problem domain, and that once you have mapped a particular area, there's often a better path through it than the one you originally took.

    8. Re:Yeah sure by Lonewolf666 · · Score: 1

      Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

      That works if the architecture of the existing code is reasonably sound, and only some minor flaws have to be corrected.

      In the case of IE I doubt that. The close integration into the operating system alone makes it suspect, because that is the opposite of modular programming. The long history of security flaws also suggests that the coding isn't the best. IE may well be one of those abominations that are best terminated and replaced by something else.

      --
      C - the footgun of programming languages
    9. Re:Yeah sure by MarkKB · · Score: 1

      Er, isn't a complete rewrite what's supposed to happen when the developer increments the main version number (like going from IE 6 to IE 7)?

      Er, no? Because that would be stupid?

      A major version is merely where the developer feels that they've done enough to warrant a new major version. Sometimes, code does get rewritten, but it's usually never a complete rewrite. Rewrites take time and (if you're selling stuff) money, with no guarantee that the code you're writing is better than the code you're replacing. If developers who didn't rewrite their code release multiple versions in the time it takes for you to release one, you more likely than not end up losing users.

      Netscape 6's complete rewrite, taking around three years, was one of the major contributors to the browser's downfall against Internet Explorer, which was able to get three major versions out in the time it took for Netscape to get version 6 out the door.

    10. Re:Yeah sure by MarkKB · · Score: 1

      It could happen to any browser to have the same security flaw in 3 different versions

      Er, yes. Believe it or not, Microsoft doesn't have this super-scanner thing that can predict all possible outcomes of all possible combinations of code. Nor does anyone else, for that matter. And, of course, security flaws don't just magically point themselves out when a new version is released.

      Additionally, while the vulnerability is in all three versions, the exploit used in the attacks will only run in IE6.

      DESPITE claimed complete rewrites of the code.

      This is the first time I've heard of this. If you're referring to the layout engine, I'd like to talk to you about the difference between layout engines, scripting engines, and the browser itself. A flaw in the latter would be unaffected by a rewrite of the former.

    11. Re:Yeah sure by RightSaidFred99 · · Score: 0, Troll

      Neckbeards, you have to admire their brand of nerd sophistry.

      You see, the reason IE has multiple versions is because Microsoft has to maintain backwards compatibility. And no, they are not complete rewrites and nobody has claimed they are. Firefox has the luxury of just telling people "Oh, just update". IE has no such luxury as Microsoft actually sells a product and must support it in a broad range of environments.

      You dweebs really do crack me up. Seriously, do you think Firefox doesn't have security flaws? Some guy above was all proud that Firefox "just crashed" on a page while IE did something seemingly nefarious. Of course, some people understand that if your browser crashes on a page there's probably a flaw that can be exploited.

      You guys are a hoot, really you are. Keep it up!

    12. Re:Yeah sure by Bert64 · · Score: 1

      If you read the history on that, they licensed it based on a percentage of sales... Since IE was never sold as a standalone product, they don't pay spyglass anything.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    13. Re:Yeah sure by Bert64 · · Score: 1

      Exploits are often extremely sensitive to differences in memory layout, loaded libraries, environment setup etc...

      This makes commercial software somewhat easier to target, as there are fewer potential versions to write exploit code for. Contrast to most open source code, which could be compiled not only for different versions of Linux, but several fundamentally different systems running on different host processors. And this code could have been compiled using a multitude of different compile time options and compiled against various versions of libraries and their header files.
      By contrast, Windows has only a handful of versions, and only really runs on one type of processor, although some variation comes in because they seem to use different compiles for different languages rather than loading localisation files at runtime.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Yeah sure by jthill · · Score: 1

      Joel's argument is wrong in cases where it isn't the code that's bad, but the design. If internal boundaries are set wrong you're going to be essentially rewriting every part of the system with things on the wrong side anyway, and you know what doesn't work and what does in the code you're looking at while rewriting. I'm speaking from experience, rewriting drop-ins for two medium-sized subsystems and completely redesigning one substantial one.

      Now, his point is subtly different from a what's-best-for-the-code argument: he's saying it's strategically bad at the corporate level, and discussing corporate-level rewrites of an entire product. I think that's interesting, because what I did was at the separately-installed-subsystem level, on code running in its own address space. Smaller companies have made a business out of selling things at that scale, and I can see that the exact same work on separately-sold products in a smaller company would be a strategically bad risk ... for the company.

      But not necessarily for the product itself. He's talking about Netscape in 2000. It's ten years farther along now, and I think Firefox in 2010 pretty much QED's that.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    15. Re:Yeah sure by Joe+U · · Score: 1

      There was also the license renewal a few years ago, I'm guessing spyglass got a nice amount of money.

    16. Re:Yeah sure by Blakey+Rat · · Score: 1

      It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

      Claimed by my crazy uncle Ted who hears Jupiterians in his head?

      Microsoft's certainly never claimed it. But good job spreading that bullshit around! You're a valuable soldier in the fight against facts.

    17. Re:Yeah sure by Blakey+Rat · · Score: 1

      So wait. You honestly believe that, for example, NT6 (Windows Vista) is a *complete rewrite* of NT5 (Windows XP)? Seriously?

      Where do you people get stuff like this? That's never been true.

    18. Re:Yeah sure by BitZtream · · Score: 1

      Citation needed.

      I've never heard any claim that any version of IE was a 'rewrite'.

      Stop talking out your ass.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    19. Re:Yeah sure by Maxo-Texas · · Score: 1

      I suspect the main problem with IE and many other packages is accounting rules that make coding 50% more expensive if you are "maintaining" instead of "developing completely new code".

      I've run into this at multiple companies-- they have good code, if they would let us refactor and polish it, it would just get better and better. But if they write new code, it's a capital expense.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    20. Re:Yeah sure by clong83 · · Score: 1

      Yes indeed. I hate hearing the argument that it is better to keep polishing a turd than to rewrite. I once wrote a small program to do something for me. It worked, but it took me days to write, was buggy, and ended up being about 15 printed pages long. It was a crappy program, but it eventually "worked" without bugs, and saved me time in the long run.

      A while later, I had a need for the program to do something just a little bit different and more complex. Rather than edit the snakepit of code, I basically threw up my arms and started again from scratch. Knowing my past mistakes and inefficiencies I banged it out in about 3 hours, and it was about 3 printed pages long. It was less buggy, and it did something more complex. It was a tight and nifty little routine, well worth the effort.

      I understand that a browser's codebase is a completely different animal than a small subroutine, but I think the point remains. Sometimes you should just scrap crappy/outdated/inefficient code. Not always, but sometimes it is called for.

  9. Shouldn't they be upgrading before complaining? by cjeze · · Score: 2, Insightful

    "patch from Microsoft is still nowhere to be seen"


    Isn't it just easier to upgrade to IE 8?

    1. Re:Shouldn't they be upgrading before complaining? by Anonymous Coward · · Score: 1, Informative

      "Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

      But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

      http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/

    2. Re:Shouldn't they be upgrading before complaining? by cyber-vandal · · Score: 1

      No it's very expensive. Now if MS had cared less about breaking the law and more about the quality of their code then perhaps things would be different.

  10. Before anyone starts throwing stones... by SuperBanana · · Score: 2, Insightful
    1. Re:Before anyone starts throwing stones... by Stumbles · · Score: 5, Insightful

      It is not a question of living in a glass house. No application is 100% secure. At issue with Microsoft products; your ass is hanging in the wind for at least 30 days from a security vulnerability... unless they deem it serious enough to issue one outside their update window. At least with Firefox and the other Mozilla based browsers, your ass is hanging out there much less, and that is the real issue when dealing with security issues.

      --
      My karma is not a Chameleon.
    2. Re:Before anyone starts throwing stones... by Anonymous Coward · · Score: 0

      "up to", not "at least".

    3. Re:Before anyone starts throwing stones... by Hurricane78 · · Score: 1

      I don’t know if you were living in a rock the last time this was discussed, or if you are just trolling.

      The list of known problems does not equal the list of actual problems.
      Especially not for closed-source browsers of a company that threatens and sues every site that tries to track long-standing security holes.

      And if you ever actually would have tried to write any web application for the IE, you would know that Trident is a horrible horrible piece of spaghetti shit in an upside-down pyramid of architecture that can’t really be described with words. Then it would be clearly obvious why IE is so much worse. Microsoft knows this too. They know that unless they do a complete rewrite, that will only become worse. But their management thinks that a complete rewrite will take forever. And the chance for it to result in a profit is extremely small. So they will keep what they can, and either slowly let IE die if they don’t think it’s gonna bring them some profit, or wait until there’s really really nothing to save anymore, and then do a complete re-start with the least possible effort and quality.

      Also on top of that: Using IE brings you the hate of EVERY web developer out there. No exceptions. I worked in that business for five years.
      Believe me, if those web developers get any chance from their management or clients, to punish you for using IE, they will!
      Web application developers might even cry tears of joy and relief about it.

      It’s just as much an unwise choice to use IE to surf websites as it is to insult your cook at a restaurant. ;)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:Before anyone starts throwing stones... by Bert64 · · Score: 1

      You have no guarantee that they will release a patch in the next patch cycle, you might have to wait 60, or 90 days, or they might not release a patch at all.
      Blackhats launch new attacks just before (no time to rush a patch) or just after patch tuesday so they are guaranteed at least a month (worst case) before a patch is issued.
      And due to the closed source nature of Microsoft products, it is extremely difficult or impossible for anyone else to create a patch.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Before anyone starts throwing stones... by UnknowingFool · · Score: 1

      So let me understand this: You're counting Firefox bugs as a way to excuse Microsoft's shoddy security record with IE? And you're not acknowledging all the bugs that were counted have been fixed unlike the vast number of open flaws that MS has. You're also not acknowledging that in the open source model, flaws are shown to the world and not obscured. This is different than the closed model where MS only discloses flaws at its whim. There have been cases where MS sat on bugs for years before disclosing them and quickly patching. This makes their "security" numbers look better because they have a short perceived turn around. Also you're not rating the severity of the bugs. A Firefox flaw that exposes user data might be less dangerous than say an IE bug that allows a remote takeover of a computer. Even if Firefox has a bad security record when comparing apples and oranges, it still doesn't mean IE has a good track record.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    6. Re:Before anyone starts throwing stones... by ilguido · · Score: 3, Informative

      Mozilla Firefox 3.5.x: unpatched 0 of 6 Secunia advisories.

      MS Internet Explorer 8.x: unpatched 4 of 8 Secunia advisories.

      MS Internet Explorer 7.x: unpatched 11 of 42 Secunia advisories.

      Opera 10.x: unpatched 0 of 3 Secunia advisories.

      I can't see your point, are you trolling?

  11. what might be more to the point by mjwalshe · · Score: 1

    to not go to dodgy fracking porn and wares sites

    1. Re:what might be more to the point by couchslug · · Score: 1

      "to not go to dodgy fracking porn and wares sites"

      Dodgy sites amuse me, and I expect the OS I run to survive exposure to the most vile corners of the Internet intact and undamaged.

      It does, but I don't go there running Windows. I'm completely jaded yet without malware. Life is good.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  12. NOPE by Anonymous Coward · · Score: 0

    MS has a LONG HISTORY of being horrible WRT security. They still are. The China gov. will continue to use MS as a tool for stealing from the west because far too many gov.s worked with MS and pushed it in there.

  13. Nostalgia by Anonymous Coward · · Score: 0

    Ah, the 'Good Old Days'!

    Signed,
    a Linux user.

    1. Re:Nostalgia by Skarecrow77 · · Score: 1

      Do not taunt happy fun ball... er I mean do not taunt the exploiters. Remember when apple did that? The last thing I need is them turning their head in my direction (ubuntu 9.04 & firefox 3.5), thank you.

  14. It's not the "government" by kill-1 · · Score: 4, Informative

    It's a German federal agency, not the German government. And they warn users about IE every time there is a major unpatched security hole.

    1. Re:It's not the "government" by Anonymous Coward · · Score: 0

      Can you explain this? What is the difference?

    2. Re:It's not the "government" by dangitman · · Score: 1

      It's a German federal agency, not the German government.

      ???

      --
      ... and then they built the supercollider.
    3. Re:It's not the "government" by Grygus · · Score: 1

      I think "government" implies majority support from all agencies. We've repeatedly shown that various federal agencies can have all the necessary pieces of information to stop physical security breaches, but the government as a whole is powerless unless the agencies' interoperability is very good. Just because federal agency A says/knows/wants something doesn't mean the government as a whole says/knows/wants the same thing.

    4. Re:It's not the "government" by Elektroschock · · Score: 1

      It is the federal IT security agency, branched out from the secret service. It is part of the ministry of the interior.

    5. Re:It's not the "government" by morgen_m · · Score: 1

      The German government itself uses trojans (e.g. Bundestrojaner) (which every ISP in Germany is required to install) for surveillance purposes.

    6. Re:It's not the "government" by Anonymous Coward · · Score: 0

      I think many Germans make a distinction between "the retards that are politicians" and "the various agencies that occasionally happen to have half a brain". I know I do.

      Not all agencies are as full of shit as our blathering politicians. At the BSI there are at least some people who know what they are talking about. It would be an insult to call them part of the same system :)

  15. How to convince my employer to switch? by Octopuz · · Score: 2, Insightful

    At work we use MSIE 7 on Vista. Although my employer is open to alternatives it must be strictly planned before making such a switch. Is it possible to switch to, say, Firefox, while still retaining update possibilities? All users are limited in rights, so no admin rights, which Firefox normally needs to be updated. Imho Mozilla needs to work harder to get companies to run their software.

    1. Re:How to convince my employer to switch? by lseltzer · · Score: 1

      You do realize that IE7/Vista is not (by default) vulnerable to the Aurora attacks, don't you? So this incident isn't really a lesson for them to switch.

      Perhaps you can get them to use Chrome. Google's a real company after all.

    2. Re:How to convince my employer to switch? by ajlisows · · Score: 1

      I don't know what your environment is like precisely, but the biggest barrier to switching is if you are using Sharepoint, Outlook Web Access, or any Customer Built Web applications tested only to render properly with Internet Explorer's "Interpretation" of W3C standards. Web Access works in "Lite" mode, meaning not all features are available. Sharepoint is absolutely terrible, and any of those custom built applications could cease to work entirely.

      Judging by the fact that you are still using IE 7 and have not been upgraded to IE 8, I'm guessing there are some major internal web apps written that are tailored to work with IE 7 (as working in IE 7 doesn't mean it will work in IE 8 or even IE 8 with compatibility mode).

      I've been in a situation where I tried to have users only use Internet Explorer for Sharepoint and Firefox for browsing the web, but that just seems to confuse them and they end up completely ignoring Firefox. After all, Internet Explorer works for both Sharepoint and all External Web Sites. Firefox doesn't work for Sharepoint. Therefore, IE is better in their eyes.

  16. File suit, not just follow suit by Anonymous Coward · · Score: 1, Interesting

    Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?

    Surely you mean file suit. IE is so widespread that it should be possible for it to be treated like a public utility and then sue Microsoft despite their "no warranty" EULA clause. Cory Doctorow, we need your input on this.

  17. Waiting for Al Gore's Advice by stewbacca · · Score: 0, Flamebait

    I'm not taking any advice from the government unless it comes from the Internet inventor himself!

    1. Re:Waiting for Al Gore's Advice by Anonymous Coward · · Score: 0

      That might've been funny many years ago, before that was debunked. These days it's not funny, and is based upon an ignorant deliberate misunderstanding of what the man said many, many years ago.

    2. Re:Waiting for Al Gore's Advice by BitZtream · · Score: 1

      Yes, everyone knows that, and that's part of what makes it funny.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Waiting for Al Gore's Advice by stewbacca · · Score: 1

      Not to mention that, even if the sentiment is completely true (and it is), it is still one of the most presumptuous, condescending, hubris-laden comments ever made by a politician.

      I was key in getting governmental agencies to adapt the Internet is what he meant. What he said was "I invented the Internet". This is such an old argument because people who don't want to admit Al Gore is full of himself don't want to believe his claim is one of the most over-the-top claims of all time.

      The only comment I've heard that is worse than the infamous Al-Gore-invented-the-Internet claim is when Janeane Garofalo claimed to be an expert on the Middle East because, "I have satellite news".

  18. Not a bit late? It is like a spy platform already by Ilgaz · · Score: 5, Interesting

    I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting MS IE department and tell them "Guys, enough is enough, you are threatening our national security."

    Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, it is fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens whole globe economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things go way more serious.

  19. Perhaps they can't by Ilgaz · · Score: 3, Interesting

    Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?

    What would happen?

    In fact, even if a tool has upgrade and released by vendor, you can't roll IE 8 to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and click all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/Video guys have finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust to Apple for updates let alone blindly updating/patching their windows which is way more complex.

    1. Re:Perhaps they can't by Lonewolf666 · · Score: 1

      As someone else suggested, you could roll out Firefox (or Opera...) and tell everyone to use that for everything except the intranet. If possible, block IE6 from accessing the Internet, so the new browser is the only one that works for accessing dubious sites.

      Yes I realize that some of your users will be pissed. That's why you need management behind that sort of discussion. Talk to your boss first. Maybe he needs to take it even higher, lest the CEO comes down on you for making his porn surfing less convenient ;-)

      --
      C - the footgun of programming languages
    2. Re:Perhaps they can't by Anonymous Coward · · Score: 0

      It is not MS's problem if your intranet app will not work on IE8. If you elected to use the whiz-bang features of IE6 that were not standards compliant, that was your fault, not theirs. The fix is to upgrade to IE8. If you can not do this due to other business decisions, then you made bad business decisions. MS *should not* correct this issue for IE6 or IE7. Perhaps leaving them unpatched would quicken the uptake of IE8, which is a reasonably compliant and reasonably stable browser, at least as much so as Firefox was 1 yr ago, and everyone talked about how great it was then. If Firefox was good a year ago, and IE8 is there now, then it is good now, otherwise you are all just blowing smoke up your asses.

    3. Re:Perhaps they can't by Anonymous Coward · · Score: 0

      "Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?"

      Imagine? What's to imagine? It's the sad truth. I suspect that many people could cite examples. I regularly use a piece of commercial database/web-front-end software that A) is specified to work only with IE 6 (no Firefox, no Opera, no Chrome, no nothing else, and, no, fooling with the user-agent string doesn't work), B) if you ignore the advice of the site and use IE 7 anyway, you can cajole it into reluctantly working most of the time, but with scads of annoying popups, errors, and confirmation dialogs that you can't eliminate even after practically giving the relevant website "god mode" permissions within IE 7, and C) IE 8 doesn't work at all.

      The amazing thing is, this highly expensive and specialized software is built by a global company that has many decades of experience with this kind of database application, yet their software looks like it was written (poorly) in the 1990s and hasn't been updated properly since. I'll save the embarrassment of naming them, but the situation is far from unique. Bad programmers that fail to write to web standards are all over the place, and given the atrocity that is IE 6 "standards compliance", the problem of browser-specific code is a legacy that we won't soon be without, even with serious security flaws. But, hey, if this spurs people to fix the defects in old web applications still dependent on IE 6, I'm all for it.

    4. Re:Perhaps they can't by Zaiff+Urgulbunger · · Score: 1

      Or maybe use Chrome Frame so it's invisible to the users?

  20. Re:People are used to it by miknix · · Score: 2, Interesting

    Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously.. I see people working in the middle of an "adware pops up window, user closes it" kind of game and they don't even seem to bother. When is this going to change???

  21. Future speech from Ballmer: by Anonymous Coward · · Score: 0

    Security! Security! Security! *drenched in sweat* Security! Security! Security! Security! Security! Security! Security! Security! *even more sweat* Security! Security! Security! Security! *crazy eyes* SECURITY! SECURITY! SECURITY! *panting*

  22. Good for them... by rec9140 · · Score: 1

    Now they just need to take the next step!

    Don't use win!

    Then lead by example and switch to a KDE 3.5.10 distro on all their systems.

    Friends don't let friends use gnome or KDE 4.x!

    --
    1311393600 - Back to Black
  23. Firefox doesn't even ship official MSI by Ilgaz · · Score: 4, Insightful

    Firefox/Mozilla guys live in some imaginary World where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

    IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.

    Firefox resists to ship a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason let alone doing the stuff above. Near all those ".exe" shareware etc. stuff you see are in fact MSI packages packed into .exe file for convenience and prevent web server issues.

    It got more unexplainable since there is a complete open source MSI packager which is hosted at sourceforge ( http://wix.sourceforge.net/ ) and interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no name software, it is Firefox.

    1. Re:Firefox doesn't even ship official MSI by Elektroschock · · Score: 1

      Feel free to package MSI packages for your clients.

    2. Re:Firefox doesn't even ship official MSI by Bacon+Bits · · Score: 2, Insightful

      Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.

      --
      The road to tyranny has always been paved with claims of necessity.
    3. Re:Firefox doesn't even ship official MSI by Arker · · Score: 1

      Firefox/Mozilla guys live in some imaginary World where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

      Yeah, sad but true. This is why Debian had to ditch firefox after all.

      Maybe people running Windows in large organisations should switch to debian and iceweasel instead of trying to wrestle. In fact that sounds like an excellent idea!

      Alternatively, it is quite possible to roll a customised firefox/windows setup as well. A "large organisation" should surely have someone on staff that can accomplish such a simple task.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    4. Re:Firefox doesn't even ship official MSI by Ysangkok · · Score: 2, Informative
    5. Re:Firefox doesn't even ship official MSI by mindbooger · · Score: 2, Insightful

      Firefox resists to ship a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason

      You're not _supposed_ to use installer packages for simple self-contained apps (which Firefox is) on OS X. Drag-n-drop from a compressed DMG is the preferred way except for exceptional cases that need to install frameworks or kernel extensions outside of the .app bundle.

      A self-contained app can be distributed by a network admin quite simply with rsync or ARD or an Automator script or umpteen other ways that are fully automatable. People need to stop expecting Microsoft-looking "solutions" for non-Microsoft platforms.

    6. Re:Firefox doesn't even ship official MSI by BitZtream · · Score: 5, Interesting

      You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.

      Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.

      All of it can be done via command line switches. They use NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.

      People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.

      For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.

      Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    7. Re:Firefox doesn't even ship official MSI by BitZtream · · Score: 0, Troll

      The only people who 'must have a MSI' are the idiots who don't actually know how to manage a network. GPO roll outs work fine with other installers as well.

      I agree, the attitude here is bad and definitely reinforces that statement.

      But in reality, the only people whining about an MSI are people that manage relatively small networks or will be soon since there is no requirement to use an MSI if you've got a third of a clue. And yes, I'm talking about doing it with all the standard MS tools.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    8. Re:Firefox doesn't even ship official MSI by MemoryDragon · · Score: 1

      Mod that parent up, this is one of the reasons why Firefox is not rolled out on many corporations, that and the missing easy hooks into Windows AD which makes single sign-on solutions IE only...

    9. Re:Firefox doesn't even ship official MSI by Bert64 · · Score: 1

      Although there are firefox packages for the various linux distributions, and they do get updated centrally by the distributor... It is quite easy to maintain a linux network with up to date versions of firefox and various other things...

      When it comes to windows networks, it is reasonably common to see system updates installed (ie windowsupdate) but you very rarely see other things updated where they are installed, msoffice, acrobat reader, backup software, antivirus etc, very rarely gets updated.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:Firefox doesn't even ship official MSI by jim_v2000 · · Score: 1

      Your advice is to learn how to use yet another installer that is used by a handful of apps, instead of just using one that he's already familiar with. Then you baselessly attack MSI. A masterful trolling post if I ever saw one.

      --
      Don't take life so seriously. No one makes it out alive.
    11. Re:Firefox doesn't even ship official MSI by Culture20 · · Score: 1

      When it comes to windows networks, it is reasonably common to see system updates installed (ie windowsupdate) but you very rarely see other things updated where they are installed, msoffice, acrobat reader, backup software, antivirus etc, very rarely gets updated.

      I've never seen this except in places where there's not enough IT staff. Keeping most of these things updated only requires mediocre vigilance and/or tools, and it helps mitigate lots of problems. Once you get past ten windows machines, a sysadmin needs to look into doing things via pstools, 50-100: Active Directory should help, 101+: WSUS and/or HFnetchk[pro], 1000's: mirror servers for the above systems.
      That said, the existence of 3rd party installation tools doesn't clear Mozilla from being stupid about their installation and updating programs.

    12. Re:Firefox doesn't even ship official MSI by ArsenneLupin · · Score: 1

      Can I have some of what you are smoking?

    13. Re:Firefox doesn't even ship official MSI by arndawg · · Score: 1

      Since you're probably getting tired of acting like a smug asshole all of the time. How about you enlighten us and tell us how to roll out random installers with GPO? A link or two would be sufficient.

    14. Re:Firefox doesn't even ship official MSI by Jeremy+Visser · · Score: 1

      FYI. (Admittedly, it only works for the "user configuration", not "computer configuration" part of GPO, but works well for all cases I've ever needed it for.)

    15. Re:Firefox doesn't even ship official MSI by Anonymous Coward · · Score: 0

      And you can't find or code a way around that?

      Windows sysadmins suck even harder than I imagined.

    16. Re:Firefox doesn't even ship official MSI by BitZtream · · Score: 1

      Yes, because it took me longer to read and respond to your post than it took me to make Firefox part of our GPO install policies on our network. The only time you're going to really care about 'learning a new installer' is if you work somewhere that has dedicated people constantly adding installation options to GPO otherwise you aren't going to remember the MSI 'standard' options either. The additional 3 minutes you spend 'learning' the new installer isn't going to be noticeable to anyone at his level.

      He doesn't have to know shit about the installer other than 'it has these command line options available to use'. As far as the GPO editor GUI is concerned (which I'm going to assume he's using since he clearly doesn't know much about GPO installation options) it works the exact same.

      I deal with MSI on both sides, from a network management perspective and dealing with all of its problems as well as a developer perspective. The only good side to it is that there are a bunch of Wizards from MS and MacroVision (installshield) to make installers. Other than that, it has no real advantage over anything and a LOT of problems.

      Had you read my post you'd see the first line made a factual statement about an MSI issue. Do you know what baseless means or did you just not read the first line?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    17. Re:Firefox doesn't even ship official MSI by Elektroschock · · Score: 1

      The lack of msi packaging shows that there is no commercial demand. If you don't do it for free you can pay someone to do it for you.

      MSI packaging is no big deal.

    18. Re:Firefox doesn't even ship official MSI by Elektroschock · · Score: 1

      You don't get it for free. As Firefox is a premium product you can pay a service who gets you MSI packages. I doubt there is demand.

      But you can start a business if you like and package Firefox for MSI or do it as a non-for-profit hobby horse project. If a critical mass of users wanted MSI packages someone would provide them or pay a service.

      If companies can afford to use an insecure browser, fine for me. But then don't complain about Chinese business espionage.

  24. To be fair to logic by Anonymous Coward · · Score: 0

    A Police officer, an Airline pilot, and an undersea welder are doing their jobs. One of them gets shot by Glock .45 acp. Take a guess who.

    I mean, technically.... This could happen to any person. Does one of these jobs lend itself to having a higher risk of being shot?

  25. Use fascist GPOs by mousse-man · · Score: 4, Interesting

    In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:

    - run javascript
    - directly launch an associated application (like a PDF)
    - run Flash
    - run ActiveX
    - change the default home page
    - install toolbars
    - use any other search provider except Google

    amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.

    Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly windows company.
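
The zone lockdown listed in the comment above can be audited from a registry export. This is an added example, not part of the original thread: it assumes the commenter's "untrusted zone" maps to IE's Internet zone (zone 3), uses Microsoft's documented URL action codes, and runs on a constructed sample export. Home page, toolbar and search provider restrictions are separate policies and are not covered.

```python
import re

# URL action codes and setting values documented by Microsoft for Internet
# Explorer security zones (DWORD values under "Internet Settings/Zones/<n>").
URL_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
    "1803": "File download",
}
SETTINGS = {0: "enabled", 1: "prompt", 3: "disabled"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed sample in .reg export format (not taken from the thread).
# Zone 3 is the Internet zone, zone 4 is Restricted sites.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000000
"1400"=dword:00000003
"CurrentLevel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
"""


def parse_zone_values(reg_text, zone):
    """Return {value name: int} for one zone key in already-decoded .reg text.

    Real regedit exports are UTF-16; decode the file before calling this.
    """
    suffix = "\\internet settings\\zones\\%d" % zone
    values, in_zone = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            # Works for both the per-user key and the Policies key.
            in_zone = section.group("key").lower().endswith(suffix)
            continue
        if in_zone:
            value = DWORD_RE.match(line)
            if value:
                values[value.group("name")] = int(value.group("hex"), 16)
    return values


def audit_zone(reg_text, zone=3):
    """List (code, description, state) for every action that is not disabled.

    A value that is absent from the export is reported as "not set", because
    the zone then falls back to whatever its security level template allows.
    """
    values = parse_zone_values(reg_text, zone)
    findings = []
    for code, description in sorted(URL_ACTIONS.items()):
        if code not in values:
            state = "not set"
        else:
            state = SETTINGS.get(values[code], "unknown (%d)" % values[code])
        if state != "disabled":
            findings.append((code, description, state))
    return findings


if __name__ == "__main__":
    for code, description, state in audit_zone(SAMPLE_REG, zone=3):
        print("zone 3: %s %s is %s" % (code, description, state))
```
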

    1. Re:Use fascist GPOs by tg123 · · Score: 1

      It's ActiveX in Internet Explorer that's usually the issue. Turn it off.

      I'm sure I have seen this issue before about IE and the zero day issue in a news article.

      Yep found it and it has those Chinese hacker type persons in it as well in 2008. ;-)
      http://www.h-online.com/security/news/item/Two-new-zero-day-exploits-dent-Microsoft-s-Patch-Tuesday-739273.html

      Here is micro$oft's advice on how to disable Active content.
      http://support.microsoft.com/kb/154036

    2. Re:Use fascist GPOs by blai · · Score: 1

      huh? In our untrusted zone, IE can't:

      - run

      --
      In soviet Russia, God creates you!
    3. Re:Use fascist GPOs by Hurricane78 · · Score: 1

      Question: With all the time it took to come up with this, and set it all up... and all the money it cost because of this... you sure got a huge inertia of laziness to finally switch to something else...

      It’s crazy how far people will go to just “keep what they have”. Even when it does not make any sense at all.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:Use fascist GPOs by mr+exploiter · · Score: 1

      This will only force your employees to switch to firefox that also has its own security problems.

    5. Re:Use fascist GPOs by BitZtream · · Score: 1

      Don't bother, expecting slashdot fanboys to use logic or common sense and realizing that all software is exploitable is like thinking you can jump to the moon because you have a special pair of Nikes.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    6. Re:Use fascist GPOs by Anonymous Coward · · Score: 0

      The same applies to Microsoft fanboys.

    7. Re:Use fascist GPOs by Anonymous Coward · · Score: 0

      Don't bother, expecting slashdot fanboys to use logic or common sense and realizing that all software is exploitable

      Yep, fanatics, usually astroturfing lowlifes, that can't cope with the rather simple idea that there are different degrees of exploitable are a significant problem.

  26. Re:Not a bit late? It is like a spy platform alrea by gbjbaanb · · Score: 5, Insightful

    Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".

  27. Re:Not a bit late? It is like a spy platform alrea by Anonymous Coward · · Score: 2, Interesting

    Anything more dangerous than IE? Yeah. Adobe Flash. One implementation, almost the same code, across every browser and on several platforms.

    Oh, wait, wasn’t there just a 0day in that?

    Also, that exploit is the other “Chinese” 0day, which targets Adobe Reader, rather than IE. Firefox would be just as vulnerable if the Adobe Reader plugin was installed, or if you subsequently opened that PDF in Adobe Reader (other PDF readers are, of course, not affected).

    They didn’t find this vuln themselves. They bought it off the black market from a blackhat, like anyone else could have. They bought the Gh0st RAT (remote access trojan) tool as well, which isn’t particularly brilliant but clearly got the job done due to some very clever and determined targeting. Probably a budget of less than $30k-worth for this whole operation. Very cheap, considering some of the quality SIGINT they got.

    Besides, this particular 0day targets XP. As it stands it is non-functional in Windows Vista or 7, due to the ASLR changes. (It could be modified to extend that, as all versions have the bug, but that work hasn’t been done yet and the particular exploit may not reach 100% reliability.)

    MS will probably issue an out-of-cycle patch. It’s Adobe you should be angry at.

  28. Use Foxit Reader by allcoolnameswheretak · · Score: 1

    You might want to switch to Foxit PDF Reader
    http://www.foxitsoftware.com/pdf/reader/

    Smaller, faster, safer.

    1. Re:Use Foxit Reader by Maxo-Texas · · Score: 1

      http://en.wikipedia.org/wiki/List_of_PDF_software

      Plenty of free PDF readers, converters, writers listed...

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    2. Re:Use Foxit Reader by Anonymous Coward · · Score: 0

      I use Google Docs. I hope it is safe.

    3. Re:Use Foxit Reader by illogicalpremise · · Score: 1

      I use Foxit. Never had any trouble with it and never been bugged to pay for it either. Highly recommended. Adobe just make bloatware these days.

  29. Re:To be fair to Microsoft - Curious... by Anonymous Coward · · Score: 0

    > Something like this has been in at least limited operation for a couple of years.

    Oh, really?

    Wouldn't the US spy services know of this? Isn't it working like intended?

    The Chinese might be in the business of cheap tin-foil hat production...

    For anyone concerned about this, instead of a tin-foil hat, what about a Red Hat?

  30. IE6 is the zombie browser. by Azureflare · · Score: 2, Insightful

    IE6 will never die. I wish it would, to be honest; I agree that I hate IE6 with a passion as a web developer and wish it would go the way of the dinosaur.

    However, here's a little anecdote of why IE6 will never die:

    Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.

    Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.

    It makes me a sad panda :( Especially when I realize there are so many people still using IE6 in that company that have opened themselves up to huge security breaches just by browsing the web.

    Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.

    1. Re:IE6 is the zombie browser. by Anonymous Coward · · Score: 0

      Such events (like Operation Aurora) will never deter them from dropping IE6; the only achievement gained will be causing their IT departments to strongly recommend IE6 not ever being allowed to access the outside internet. Interestingly this solves the problem while keeping everybody (mostly) happy.

    2. Re:IE6 is the zombie browser. by couchslug · · Score: 1

      "Perhaps it will take some huge widespread event (like Operation Aurora)"

      Attacks breed robustness by killing off the "slowest zebras". If we want strong systems, we need malicious players to make running vulnerable systems so dangerous that they are replaced.

      People will not run secure systems unless their insecure systems are broken for them.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    3. Re:IE6 is the zombie browser. by Hurricane78 · · Score: 1

      Hey, think about it this way:

      Why do website designers still support it? Because too many users still use it. Right?
      And why do users still use it? Because website designers still support it, and so: Because they can.
      Now why does this obvious feedback loop not break and crash? Because there are way too many people parroting the mindset of “it will never die” into other people’s heads.

      All you three groups: STOP IT!
      Every single one of you. You’re pathetic to just always blame the others.
      Be a man, take a first step. If you act in a way that shows you’re sure about yourself, others will automatically follow. Lead.

      Yes, you can kill IE6 today. Just dare to stand out of the mass.

      I certainly did. I just write proper XHTML, modern JS and CSS. I do not even care to show a “your browser is outdated” message. Because after years of having worked in that business, I learned that if I just stop caring about those who still use it, nothing bad will happen at all. If they care enough, they will make it work with my site. If not, I don’t need them anyway.
      Because people who are that backwards, cost more effort, than they are worth. :)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:IE6 is the zombie browser. by Skarecrow77 · · Score: 1

      I've heard of this many times, but I'm quite curious. What are these companies planning on doing in the very near future where they can no longer get IE6?

      So far as I was aware, there are only a handful of manufacturers still shipping windows XP and you've got to call them up and specifically ask for it, and even then it's only on a handful of models.

      Are these companies planning on ordering new windows 7 machines and having the IT team pop in old XP install discs (don't even want to touch legal problems with THAT with a 10 foot pole) so the systems can dual boot up XP so they can use IE6?

      Is there some way to install IE6 on newer OSes? I've never tried, but in general microsoft doesn't seem too keen on letting you install older versions of programs. I know that windows pitched a bitch at my team when we tried to install MSTSC 5.2 on a vista system (MSTSC 6.0 native) for testing purposes.

    5. Re:IE6 is the zombie browser. by Anonymous Coward · · Score: 0

      As long as IE6 is locked down to intranet-only browsing and there is an alternative (safe) browser installed for web-usage I don't see this issue with that.

    6. Re:IE6 is the zombie browser. by Bert64 · · Score: 1

      More likely, they will panic, and rush out to buy whatever expensive product claims it will solve their security problems while still allowing them to run an ancient browser...

      If you do have apps like that, put a single win2k3 box running remote desktop inside of an isolated network and give people access to that... They login, run ie6 and access the app, they can't browse to anything outside of the isolated network.

      Also, don't give users internet access directly from their workstations, make them connect to another box, preferably a unix of some kind running nx.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:IE6 is the zombie browser. by Bert64 · · Score: 1

      Attacks breed robustness in a competitive environment, that's how nature works...
      MS have ensured that they exist in a non competitive environment, in such an environment a dominant creature (ms) can prosper because it has no predators, despite being a relatively weak creature. Look at the rabbit problems they had in Australia a few years back.

      Having horrendously insecure products and widespread highly publicised breaches would kill most vendors, ms can get away with it because most of their customers have nowhere else to go....

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:IE6 is the zombie browser. by ArsenneLupin · · Score: 1

      The risks have to outweigh the benefits.

      Make the risk bigger. If you run a web site, any web site, just put Aurora on it. This madness has to stop, and the earlier the better!

    9. Re:IE6 is the zombie browser. by John+Hasler · · Score: 1

      > This COTS product is irreplaceable...

      The company, however, is quite replaceable.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    10. Re:IE6 is the zombie browser. by Anonymous Coward · · Score: 0

      I'm a manager for a team of developers that maintain a business critical application which was developed over the past two years. Sadly this application is built around IE6. This was/is a sound business decision at the time since that's the browser that's installed by default in the corporate environment. IE7 was out but not really popular, and it did work about the same as IE6 did.
      However it's now beginning to hurt us since our external users can't be trusted to have IE6 anymore, and since IE8 has started to follow web standards and doesn't work like IE6 did.
      And what we're supposed to do when the corp upgrades to next version of windows (and IE8) I don't know since rewriting the application will take a lot of time. Telling the users that no new features will be added for 6 months because we have to rewrite large and critical parts of the application won't really go down well I'm afraid.

      Bad times ahead.

      Posted anonymously since I don't want to get anyone in trouble over disclosing "wrong" information. Especially not me.

    11. Re:IE6 is the zombie browser. by Anonymous Coward · · Score: 0

      They might find themselves running IE6 in a VM for their ridiculous legacy app, and a modern browser for the actual internet.

      Or they could upgrade their COTS product. It has to happen sooner or later,

    12. Re:IE6 is the zombie browser. by Anonymous Coward · · Score: 0

      I only hope that someone else made that "sound business decision", because if you did, sir, you deserve to be fired, preferably out of a cannon against a very hard wall of some kind. Two years, *two* years, it is now 2010, there has been reason to run from the mess that is IE6 for a lot longer than two years! IE7 was in beta long enough and it was well and widely known that it was going to break the broken behaviour of IE6. Maybe now that it is beginning to hurt, maybe your company will now see the folly in targeting a single proprietary platform and your next product will support standards first, vendor specific behaviour second.

    13. Re:IE6 is the zombie browser. by yuhong · · Score: 1

      Well, did you try compatibility mode, which basically emulates IE7?

  31. Name of the Government Organization by data2 · · Score: 1

    Germany actually has a dedicated federal office just for information security. They gave this recommendation; in German it is called "Bundesamt für Sicherheit in der Informationstechnik". They also give out recommendations on how to secure private and corporate networks which are quite useful.

  32. Re:Not a bit late? It is like a spy platform alrea by Presto+Vivace · · Score: 1

    Security Tracker, best tool I know of to track security vulnerabilities.

  33. IE is way more bigger deal than you think by Ilgaz · · Score: 1

    Adobe says their tool wasn't abused on this case. What makes you think I don't say same thing to Adobe? In fact, just 3 days ago, I suggested Adobe to fire entire Mac department. A "browser" is the platform to access to web, plugins can always be abandoned but browser is more like the "kernel". I don't want to panic anyone but even if they use Firefox, disable access to IE, as long as IE shared dlls used for HTML rendering in various tools (e.g. "what's new today"), they are still vulnerable.

    While I won't touch Safari for my ordinary browsing, whenever Apple releases a Safari security update, I backup my stuff and rush to update for that exact same reason. System's default/core browser is a very big deal, way more big deal than anything else.

  34. Not the German Government by prefec2 · · Score: 3, Informative

    The "Bundesamt für Sicherheit in der Informationstechnik" (BSI), engl. Federal Bureau for Security in Information Technology, is not a governmental, but a state institution. It is not strictly driven by the government. And it is controlled by the parliament. Even though it works in the domain of the ministry of the interior. So no minister was involved in the "do not use IE" speech.

    BTW: IE has not the biggest market share in Germany.

    1. Re:Not the German Government by John+Hasler · · Score: 1

      > It is not strictly driven by the government. And it is controlled by the
      > parliament.

      So the German parliament is some sort of a private club and not part of the government?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  35. and we are surprised companies are using IE by Ilgaz · · Score: 1

    That is what my large system administrator friends are doing for years and some of them are really sick and tired of doing it over and over. Some administrators won't really care to package "your" application or download from 3rd party (must be insane). Even 5 user home networks using OS X/Remote Desktop are starting to get bugged about no OS X PKG.

    One more thing: MSI has advantages like package verification, signing and _repair_. It is what RPM is to a Redhat OS or DEB to Debian. Ignoring it is really childish and no, it isn't really "anti MS" thing they are doing. Anti MS thing would be rejecting to release their browser to Windows. If they can do it, it is all fine with me.

  36. Re:Not a bit late? It is like a spy platform alrea by Anonymous Coward · · Score: 0

    Attention, people:
    IE is forbidden!!
    Supposed to be very good! Excellent!!

  37. The CURE (TM) by omb · · Score: 1

    Stop using Windoze or anything created by M$, since it is clear the US government is ever going to hold them responsible for anything. It is all a crock of shit.

    And if you have to, run it in a VM, set up so you can re-image the C: drive at any time.

    If US law worked, vide SCO v IBM, M$ would have been sued into bankruptcy years ago.

    1. Re:The CURE (TM) by calzakk · · Score: 1

      How would I play my Windows games then?! (Please don't even bother saying Wine, or Cedega, or whatever. The correct answer is "you wouldn't be able to".)

    2. Re:The CURE (TM) by Anonymous Coward · · Score: 0

      Do like I did when I switched to Linux and purchase a device that actually is, you know, designed to run games. I hope I haven't been unclear.

    3. Re:The CURE (TM) by welsh+git · · Score: 1

      If you ask a question, you can't tell me what I can't answer.

      I answer "wine" - works for me, though from what I gather for some reason wine seems more stable on freebsd than linux, as I've often heard linux people moaning about things not working properly when they do for me (spotify is one reoccurring example)

      --
      Sig out of date
    4. Re:The CURE (TM) by CrossChris · · Score: 1

      You want to play Windoze games? Buy an Xbox. It's just as much crap as Windoze. If you are stupid enough to keep using Windoze, then enjoy your viruses, instabilities and all the other people using your computer

    5. Re:The CURE (TM) by selven · · Score: 1

      Wine, Cedega or whatever. There, I said it. A significant portion of Windows games work on Wine and Cedega - just look at all the games that run on Wine with minor or no issues. You got WoW, Eve Online, Call of Duty, BioShock, Fallout, The Sims. All the major titles.

    6. Re:The CURE (TM) by calzakk · · Score: 1

      I tried Wine, and Cedega, and hated them both. Performance was crap, they're just not good enough (I couldn't even get Half Life 2 above 20fps when on Windows I get >60fps). I'm not a Linux expert... maybe that's the problem? ;)

    7. Re:The CURE (TM) by calzakk · · Score: 1

      stupid enough to keep using Windoze, then enjoy your viruses, instabilities and all the other people using your computer

      Be careful with what you say, you're calling a lot of people stupid. I use Windows and Linux. I've never had a virus. Not even once, and I've been using Windows since 3.1. I don't run as an admin, and I only use software that doesn't require me to be. Am I still stupid?

      When did my XP or 7 boxes last blue screen? I really can't remember, a long time ago. When did my Ubuntu last freeze up? A few weeks ago, in fact it probably happens monthly.

      Don't get me wrong, I like Linux. But Windows has its place too. Maybe you're just too stupid to use it properly?

    8. Re:The CURE (TM) by selven · · Score: 1

      Maybe you're just not lucky with your hardware/software/particular choice of game. There are cases where Wine doesn't work at all, there are cases where Wine is slightly faster than Windows.

  38. Re:Not a bit late? It is like a spy platform alrea by Hurricane78 · · Score: 1

    Did it occur to you, that maybe the reason for their “non-reaction” is that either
    A) They are the ones who chose for those holes to be in there in the first place?
    B) MS and those TLAs got so many revolving doors that they are practically one?
    C) Somethingsomething... PROFIT? ;)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  39. Why were you running as an admin? by tjstork · · Score: 1

    The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled

    I guess my question would be, why were you running Windows as an admin account that would even let you, as a user, have permissions to do any of this stuff? I mean, you can tout Linux as much as you want, but in this case, the real culprit is your shoddy use of Windows security tools. I mean, would you run FireFox as root in Linux? Don't think so. So why did you do it to IE?

    --
    This is my sig.
    1. Re:Why were you running as an admin? by ozmanjusri · · Score: 1
      I mean, would you run FireFox as root in Linux?

      What would happen if I did that and went to the same website?

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:Why were you running as an admin? by MarkKB · · Score: 1

      So, what would happen if I tried to run Mac or Linux* malware on Windows? ;)

      * Linux malware is ATM theoretical, of course. ^^

    3. Re:Why were you running as an admin? by binner1 · · Score: 1

      ...actually, we've been stung by some crap coming via either acrobat reader or flash since those last two exploits were noted. Our users are all unprivileged. Windows was fully patched, SAV up-to-date, etc. This stuff is ready and willing to run with limited rights. It doesn't hose the machine, as you can simply kill the local registry hive to clean it (worst case), but it was nasty nonetheless.

      Not saying GP wasn't running as admin, but it's not necessarily a requirement for these nasties any more.

      -Ben

    4. Re:Why were you running as an admin? by yuhong · · Score: 1

      Yeah, I said before that non-admin isolates but does not eliminate viruses.

  40. Link works now anyway by SteveFoerster · · Score: 1

    No worries, I made a redirect.

    --
    Space game using normal deck of cards: http://BattleCards.org
  41. Re:Not a bit late? It is like a spy platform alrea by IdleTime · · Score: 1

    My company just moved to a new support system built upon Flash and used by thousands internally. It's a huge mess!

    I've been livid but to no avail of course. Who the fuck designs a support system in flash?

    --
    If you mod me down, I *will* introduce you to my sister!
  42. Re:Not a bit late? It is like a spy platform alrea by IdleTime · · Score: 1

    Yes, sir!

    And what's new?

    --
    If you mod me down, I *will* introduce you to my sister!
  43. How long must this go on? by SgtChaireBourne · · Score: 2, Interesting

    You know your product's reputation is in trouble when a government advises the public to dump it.

    Dude, that was the case back ten years ago, too. Facts and technical data don't play a role in situations where Microsoft products get deployed.

    You know you have a cult-like following when governments, research universities and a handful of computer magazines advise the public to dump your product and it still retains market share. Having EULAs that prohibit benchmarking doesn't hurt either. Nor does it hurt to have insiders paid for by the victim's own budget.

    How long must this go on? Put a dollar value on the damage and then put out warrants for Microsoft executives and interns, past and present.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  44. are you an actor or riaa person by Anonymous Coward · · Score: 0

    if so i have no pity for you

  45. Why don't you post a more useful link? by Anonymous Coward · · Score: 0

    Such as this one: http://secunia.com/advisories/product/25800/

    "There are no unpatched Secunia advisories affecting this product [Firefox]"

    Unpatched 0% (0 of 6 Secunia advisories)

    Or this one: http://secunia.com/advisories/product/21625/

    "The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 8.x, with all vendor patches applied, is rated Extremely critical"

    "Unpatched 50% (4 of 8 Secunia advisories)"

  46. Mozilla is working on an MSI package by Anonymous Coward · · Score: 0

    Mozilla is working on an MSI package. There's a bug in bugzilla for that. Vote for it and/or help with coding testing.

    1. Re:Mozilla is working on an MSI package by Anonymous Coward · · Score: 0

      Nice to know. BRB, voting...

    2. Re:Mozilla is working on an MSI package by Culture20 · · Score: 2, Informative

      Mozilla is working on an MSI package. There's a bug in bugzilla for that. Vote for it and/or help with coding testing.

      You're funny.
      Bug 52052 was opened in 2000.
      Bug 231062 was opened in 2004 when 52052 was closed with "WONTFIX"
      Sure, there's been recent activity, but it's been TEN years. Until MSI becomes a blocker for 3.6 or 3.7, they'll drop it for the new shiny like they've always done.

  47. Why is there no FireFox LDAP Schema. by Zombie+Ryushu · · Score: 1

    I'm not talking about AD. I know why they don't include support for AD GPOs. It would make FireFox a Windows specific app. But I must ask, considering every OS has its own variant of an LDAP server, why is there no support for managing FireFox from an LDAP schema?

    1. Re:Why is there no FireFox LDAP Schema. by BitZtream · · Score: 1

      You do realize FireFox already reads and writes registry keys right ... which is all you need to do to honor GPO ...

      So by your definition, they've already made it a 'windows specific app'.

      Of course, they've also made it an OS X specific app and probably some others, by your definition.

      Integrating with the OS is something every app should do, to provide a consistent experience for the users and administrators. Not doing it because it 'makes it OS specific' is a fucking retarded reason not to do it since you're going to have OS specific code for anything more than a basic command line app like Hello World.

      If you're going to go to all your FireFox installs and set them up to talk to LDAP, you can probably just use some other configuration management system on your Unix machines. NFS for config files is pretty common, no need to do something else new so you can pretend to be Windows while at the same time not supporting Windows features.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  48. And the alternative is ... ? by BitZtream · · Score: 0

    Show me the browser that isn't exploitable, or show me the browser that's been as popular for as long that is more secure.

    Go ahead, I'll wait ...

    I'm not saying IE is great, but this sort of response is retarded and led by fanboys who are too stupid to realize that all code has problems and exploits, it's retarded to imply something else is better with no valid reason to assume so.

    Good job Germany, you jumped on the FUD bandwagon.

    Yes, I realize I'm going to be fanboy modded into oblivion, go ahead, you need something in your life to make you feel useful.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:And the alternative is ... ? by theurge14 · · Score: 1

      Calling IE insecure means you're a fanboy?

      Interesting.

  49. Re:Not a bit late? It is like a spy platform alrea by Bert64 · · Score: 2, Insightful

    The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.

    Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS don't have to care because they know that regardless of how bad their software is, the majority of their customers won't be able to move away. In fact, they are more likely to buy new versions in the hope that they will solve the security problems.

    If we had a competitive market, anyone with such a poor reputation would be forced to fix things or face going bankrupt. And anyone looking to attack, would have to investigate multiple platforms and do some research on which of these their intended victim was using.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  50. Re:Not a bit late? It is like a spy platform alrea by Bert64 · · Score: 2, Informative

    The problem at least as far as PDF readers go, is that most users don't realise PDF is a standard and that there are multiple implementations... They think Adobe make the only pdf reader available.
    I would never install acrobat reader, the default pdf readers in macos and linux work much better, far less bloated, and there are plenty of alternatives available for other platforms too.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  51. Complete translation by Anonymous Coward · · Score: 0

    There is a previously unknown security issue in Internet Explorer. The vulnerability allows attackers to inject and execute malicious code "into" Windows computers. The attack on Google and other US-based companies that was publicized last week probably used this vulnerability.

    The affected versions of Internet Explorer are 6, 7, and 8, on Windows XP, Vista, and Windows 7. Microsoft released a security advisory that describes possibilities for risk mitigation and is already working on a patch that would fix the vulnerability. The BSI expects that this vulnerability will soon be used on the internet for attacks.

    Executing Internet Explorer in "safe mode" and turning off "Acitve Scripting" [sic] makes attacks more difficult, but can't prevent them completely. Therefore, the BSI recommends that you use a different browser until Microsoft produces a patch.

    The BSI will announce the fix of the vulnerability via its warning and information service "Burger-CERT." The BSI informs and warns citizens and small and middle-class companies about viruses, worms, and security vulnerabilities in applications using the Burger-CERT. The experts at the BSI analyze the current state of affairs regarding security on the internet 24/7 and send warnings and security advice via email.

  52. I hate IE by Anonymous Coward · · Score: 0

    My friend lives in an apartment complex where the main office set up for its residents to use has IE 6 on it. It's locked down and no one can update it. I talked to the manager about it and she said it's corporate's job. Wonderful. For at least a "computer lab" for regular people, I think it would be necessary to update IE to the latest version. Or at least offer an alternative browser.

    I almost died the other day when I saw my public library computers all using IE 6, and people were surfing the Internet with it.

    I want to say "I hate IE 6", but I think I don't like IE 7 either. In the public school system here, all the systems use IE 7 and it's slow as hell. I was trying to give a presentation the other day and every time I had to click a link on a website to show people something on a website, it would take forever to load. Of course, I blame some of this also on the terribly configured computers, but I'm pretty sure Firefox/Chrome would have loaded everything instantly.

    In other words, I hate IE 6 the most. IE 7 still sucks. IE 8 is the only version of IE I would allow myself to use if I absolutely had to use it.

  53. PDF is how they get IE to do it. by Anonymous Coward · · Score: 0

    PDF is how they get IE to do it. It's still IE doing it.

    Just like it's using your ethernet connection to infect your computer, but it isn't your Ethernet stack doing it.

    1. Re:PDF is how they get IE to do it. by Pieroxy · · Score: 0, Troll

      One solution: The IE Awareness Initiative !!

  54. Re:To be fair to Microsoft - Curious... by Anonymous Coward · · Score: 0

    For anyone concerned about this, instead of a tin-foil hat, what about a Red Hat?

    so clever!

  55. Firefox can't even update via CLI by Culture20 · · Score: 1

    At least provide a good command line program to update Firefox. What's that? You say updater[.exe] works via command line on Linux, Mac, and Windows by use of .mar files? No, it does not work on all of them, and further, there is no quiet/silent switch for updater, so it opens an "updating % complete" window. This isn't a problem for Windows, where the System user can write stuff to the login screen, but if you use ssh or ARD to run Firefox's updater on a bunch of Macs, unless someone happens to be logged in (anyone, as long as the screen isn't at the login), you'll get a permission denied error. I've never bothered to test it on Linux because apt or yum always has the latest version anyway.

    They could remove the GUI from updater[.exe] and make it download the latest .mar file for the sysadmin (configurable to a local source), and it would be suddenly scriptable for all platforms. But noooooo, they have to be speeeecial. Almost makes me want to start packaging a Windows version of Ice Weasel.

    1. Re:Firefox can't even update via CLI by Firehawke · · Score: 1

      Did you put in a bug report on this, or at least check to see if one existed? If it's really a problem (and it sure looks like one) then there are mechanisms in place to tell the devs "Hey! I need this fixed!"

      Note I never assured you that they'll LISTEN. That's a completely different angle, but you really can't complain unless there's at least a bug report on file.

  56. More importantly... by gillbates · · Score: 1

    Because you have access to the Firefox source, you can "patch out" a vulnerability as soon as it is discovered. Maybe Mozilla doesn't have a patch, or won't for several weeks. In such a case, you can #ifdef 0 the vulnerable code, recompile, and use the crippled version until Mozilla issues a fix.

    With proprietary code, your only option is to not use the application entirely. In Microsoft's case, that could mean (because IE is integrated into the OS) you have to leave your computer off until they have a fix. Much less convenient than merely compiling out the problematic code.

    In short, the security options belong to the entity possessing the source code.

    --
    The society for a thought-free internet welcomes you.
    1. Re:More importantly... by arndawg · · Score: 1

      Maybe Mozilla doesn't have a patch, or won't for several weeks. In such a case, you can #ifdef 0 the vulnerable code, recompile, and use the crippled version until Mozilla issues a fix.
      Much less convenient than merely compiling out the problematic code.

      Sounds easy. I'll tell my mom to do this from now on.

      Sure, there are advantages to using open-source. But this is NOT one of them. End-users don't give a crap about the code.

    2. Re:More importantly... by gillbates · · Score: 1

      The end user doesn't have to care so much about the code when it is open source:

      1. Your Mom would likely get the workaround binary from her employer, who would likely have someone on staff who knows how to compile from source.
      2. Even if my employer doesn't care to update, they at least have the option of doing so. If you're using closed source, your security is subject to the whims of the vendor, whose security goals may be different than yours.
      3. Having the source available, even if you never use it, is certainly not a drawback. Even at its best, closed source programs can only approach - never exceed - the security options provided by open source. So why would you use a product which at best is only comparable, and potentially much worse than its closed source equivalent? (Not for security reasons.)
      --
      The society for a thought-free internet welcomes you.
  57. Re:Not a bit late? It is like a spy platform alrea by Anonymous Coward · · Score: 1, Insightful

    Actually, web developers are the fundamental root cause of the web becoming less secure.

    Used to be you could run in the high security zone, click a link, go to the next page. Well, except for online shopping, cookies had to be enabled. Now, on several sites those links are JavaScript this and JavaScript that. Click a JavaScript infested link with JavaScript disabled--nothing happens. So now JavaScript has to be enabled--gotta lower that browser security.

    Used to be that a web page having graphics was GIF or JPEG or even PNG. Now, it's all video crap so a page can be one big SWF at the homepage with not even a no-flash link. Want to access the page, need to install the plug-in with all its security risks.

    Truth is, MSIE 7 will not even allow a PDF to open in the High security zone. Adobe Reader won't even get launched.

    Guys, if you want to do all this Web 2.0 crap that is all well and good, but you really also need a low-bandwidth Web 1.0 alternative for those who still value browsing securely.

  58. Clueless idiot by Anonymous Coward · · Score: 0

    I love it when idiots rant about issues they have no real clue about. They think they are so clever that they end up looking stupid.

    Firefox does not have an MSI ..... big deal. Neither does most of the software built for the Windows platform.

    Is that a problem??? Only for incompetent idiots.

    How many enterprise COTS tools that automate the installation software without human intervention are in the market?? HINT: You don't have enough fingers to count.

  59. Tell that to Secunia ... by Anonymous Coward · · Score: 0

    ... and watch them laugh until they pee on themselves.

  60. Metasploit module by Anonymous Coward · · Score: 0

    http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb

    Came out yesterday. Oh and it works for IE 7 and 8 (just not 100% reliably, but that can be modified). This is definitely in the wild now.

  61. Re:People are used to it by JohnBailey · · Score: 1

    Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously.. I see people working in the middle of a "adware popups up window, user closes it" kind of game and they don't even seem to bother. When is this going to change???

    When people stop seeing "Joe Average" as the target demographic for everything, and mock any product that requires a little common sense and thought to use. When even people here stop complaining about things not being intuitive, or that they need to learn something to use it and other bullshit. Basically.. When ignorance stops being an acceptable state. So in other words.. Probably never.

    --
    It is difficult to get a man to understand something when his job depends on not understanding it.
  62. German Government warned about Chrome in 2008 by Max_W · · Score: 1

    http://blogoscoped.com/archive/2008-09-07-n33.html (September 2008)

    It doesn't get any more "official" than this here. Yesterday, Saturday at around 20:07, Germany's oldest and perhaps biggest prime time news "Tagesschau" announced the following under the headline "Warning against internet browser":

    "The Federal Office for Information Security warned internet users of the new browser Chrome. The application by the company Google should not be used for surfing the internet, as a spokesperson for the office told the "Berliner Zeitung"...

  63. Actually... by RichiH · · Score: 1

    The BSI (a government agency and a subdivision of the Ministry of the Interior) issued a warning that people should use different browsers until the hole has been fixed.

    Not quite the same, but still nice.

  64. Re:Not a bit late? It is like a spy platform alrea by yuhong · · Score: 1

    Well, MS's patch model for IE is basically a cumulative update every 2 months as part of a Patch Tuesday.

  65. You're NOT one to talk, Mr. "Skimmer"... apk by Anonymous Coward · · Score: 0

    To whom it may concern (the person this skimming, bigmouth, & unjustifiable arrogant little 'noob' (in Bitztream), is "talking down to" here mainly I'd strongly wager)?

    Take a read of the URL I post below next (because it puts BitZtream in his place, & so much so? HE RAN LIKE A TOTAL "BEYOTCH" right afterwards):

    "Please tell me you aren't a programmer, you clearly don't get it." - by BitZtream (692029) on Saturday January 16, @02:05PM (#30792206)

    http://tech.slashdot.org/comments.pl?sid=1512306&cid=30785704

    I think that "little ditty" ought to "set YOU straight" about "shooting your mouth off" before you have read everything a person stated around here, don't you think?

    Funny how you out & out RAN after I put that information out also, eh??

    APK

    P.S.=> You know, I wouldn't have done this to you, but I saw your ARROGANT REPLY here (and your erroneous skimming-a-thread reply to me on the same lines & tone from you too), so... you had it coming!

    Now, the person who you are giving a hard time now here can just point you to that URL I just posted above, where you RAN, lol, after SHOOTING YOUR MOUTH OFF THE SAME WAY TO ME, only to have found you skimmed & overlooked I covered everything you noted & more (with simple, easy-to-understand math examples too no less, if you'd read it all that is)...

    Nope - YOU had this coming! Especially after shooting your mouth off & trying to tell ME how MULTITHREADED PROGRAMMING WORKS (how/what/when/where/why to use it, or not) & I've been doing it quite possibly longer than you've ever been coding in total time yourself, is my guess here on this account.

    So, please - FIRST: Learn patience with others, & realize, that MAYBE others haven't seen ALL you have, & one day? Those you attempt to "cut down" may very well become your superior in coding, OR, on the job period as a peer (if they're given time, & allowed to learn more etc. et al)...

    SECONDLY: Tone down on the arrogance, because until you've a few "proofs of excellence" under your belt that anyone can see/verify easily enough? You do NOT have "what it takes" to attempt to "condescend", or to attempt to belittle others (because you NEVER KNOW WHO'S WATCHING, per the URL above I posted no less)... apk

  66. Re:To be fair to Microsoft - Curious... by Anonymous Coward · · Score: 0

    the USA spy agency also knew about the recent attempted christmas day bombing too.

  67. Pay for what? by Ilgaz · · Score: 1

    If there is no MSI packaging, no central administration capability, commercial demand won't exist since they will simply use MS IE with Administration Kit&Policy.

    Even Skype, a really consumer oriented voice solution, has an MSI package for business users. Guess the reason for that?

    I guess this is one of my most replied posts, it seems people really have a hard time understanding why some "large, stupid" companies stay with IE solution. It is chicken and egg, basic as that.

    1. Re:Pay for what? by Elektroschock · · Score: 1

      You just repeat your statement. I doubt there is demand for MSI packages. Packaging it would be cheap. Feel free to do it.