German Government Advises Public To Stop Using IE
An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"
According to the original article, DEP (enabled by default in IE8) and sandbox mode (Windows 7, Vista) all stop this zero day.
If that is the case, isn't that in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.
"patch from Microsoft is still nowhere to be seen"
Isn't it just easier to upgrade to IE 8?
Check if you're in a glass house first.
Please help metamoderate.
It's probably safer anyway to use different browsers for intranet and internet.
The Tao of math: The numbers you can count are not the real numbers.
You know your product's reputation is in trouble when a government advises the public to dump it.
At work we use MSIE 7 on Vista. Although my employer is open to alternatives it must be strictly planned before making such a switch. Is it possible to switch to, say, Firefox, while still retaining update possibilities? All users are limited in rights, so no admin rights, which Firefox normally needs to be updated. IMHO Mozilla needs to work harder to get companies to run their software.
Firefox/Mozilla guys live in some imaginary world where you maintain/install/update thousands of desktops/laptops just like a home user, clicking the "firefox.exe" installer.
IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.
Firefox resists shipping a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason, let alone doing the stuff above. Nearly all those ".exe" shareware etc. installers you see are in fact MSI packages packed into an .exe file for convenience and to prevent web server issues.
It gets more unexplainable since there is a complete open source MSI packager which is hosted at SourceForge ( http://wix.sourceforge.net/ ), and the interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no-name software, it is Firefox.
Not a problem at all for those of us who aren't forced to run Microsoft software.
Not a problem at all for those of us who choose to not use Adobe's software.
Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".
IE6 will never die. I wish it would, to be honest; I agree that I hate IE6 with a passion as a web developer and wish it would go the way of the dinosaur.
:( Especially when I realize there are so many people still using IE6 in that company that have opened themselves up to huge security breaches just by browsing the web.
However, here's a little anecdote of why IE6 will never die:
Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.
Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.
It makes me a sad panda
Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.
Which is why I don't understand parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.
And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on a website.
TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?
By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins being off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.
I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.
Quo usque tandem abutere, Nimbus, patientia nostra?
And I do take a hike in those cases.
If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.
If you mod me down, I *will* introduce you to my sister!
I'm required to use Adobe's horrible products.
As far as I'm concerned, Adobe is a far greater security threat to my network than IE. I do not understand why people insist on using Adobe products. They are a pain to administer, and not particularly useful. Rather than concentrate on MS, why doesn't the EU take a look at a real threat, Adobe.
Hoist Number One and Number Six.
The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses IE, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason no one viewed his site using any other browser was because his site didn't work and they didn't feel it important enough to complain.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You do realize that the fact that Firefox was crashing shows that it's also affected by the exploit that hit IE ... right?
The ignorance in your post and the fanboys that drool over this sort of thing is mind boggling and is a good example of why people outside of Slashdot don't take you or Firefox seriously.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Affected by the exploit? In a word, yes. Affected in the same way? Doesn't sound like it one bit.
I'd rather have my browser crash than simply hand over the keys to my entire OS.
Does it make you happy you're so strange?
The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running Windows, IE and MS Office you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.
Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS don't have to care because they know that regardless of how bad their software is, the majority of their customers won't be able to move away. In fact, they are more likely to buy new versions in the hope that they will solve the security problems.
If we had a competitive market, anyone with such a poor reputation would be forced to fix things or face going bankrupt. And anyone looking to attack, would have to investigate multiple platforms and do some research on which of these their intended victim was using.
a) Almost everybody has PDF reader installed (it's preinstalled on most PCs)
b) Firefox managed to contain it.
c) We all know IE is way more promiscuous than other browsers.
No sig today...
Please tell me you aren't a programmer, you clearly don't get it.
If it's crashing, they've got 95% of what it takes to own you; the next part is just figuring out how to use that to get some code to run.
That's no trouble. If they're that dumb, then I don't need their content.
Don't take life so seriously. No one makes it out alive.
Actually, web developers are the fundamental root cause of the web becoming less secure.
Used to be you could run in the high security zone, click a link, go to the next page. Well, except for online shopping, cookies had to be enabled. Now, on several sites those links are JavaScript this and JavaScript that. Click a JavaScript infested link with JavaScript disabled--nothing happens. So now JavaScript has to be enabled--gotta lower that browser security.
Used to be that a web page having graphics was GIF or JPEG or even PNG. Now, it's all video crap so a page can be one big SWF at the homepage with not even a no-flash link. Want to access the page, need to install the plug-in with all its security risks.
Truth is, MSIE 7 will not even allow a PDF to open in the High security zone. Adobe Reader won't even get launched.
Guys, if you want to do all this Web 2.0 crap that is all well and good, but you really also need a low-bandwidth Web 1.0 alternative for those who still value browsing securely.
They bundle it with Windows and say to Spyglass: we sell Windows, IE is a free bonus, so no royalties for you.
Then they turn around and say to the DOJ: IE is an integral part of windows and they cannot be separated.
I think Spyglass had grounds for a lawsuit there. Spyglass's "not-so-great" choice was to accept just $8M instead of going to trial. Maybe they did not have the money to finance a long legal fight with Microsoft.