Slashdot Mirror


German Government Advises Public To Stop Using IE

An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"


  1. A stinging lesson by Senes · · Score: 5, Interesting

    This is just a personal anecdote, but take it as you will. About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled. Mind you, this was a week ago. Fortunately I'm on a dual boot system and I was able to go into Linux to delete the malignant exe files, which gave me a foothold to manually recover from the rest of it. IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

    1. Re:A stinging lesson by PNutts · · Score: 2, Insightful

      Not a problem at all for those of us who aren't forced to run Microsoft software.

      Not a problem at all for those of us who choose to not use Adobe's software.

    2. Re:A stinging lesson by maxume · · Score: 2, Informative

      Firefox gives you the option of disabling plugins without uninstalling them (as does IE8, those are the only 2 browsers I have installed).

      Adobe Reader also gives you the option of not loading pdfs in the browser (the browser simply prompts you to save the file).

      --
      Nerd rage is the funniest rage.
    3. Re:A stinging lesson by Idiomatick · · Score: 5, Funny

      Natalie Portman.

    4. Re:A stinging lesson by sopssa · · Score: 4, Insightful

      Which is why I don't understand parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.

      And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on website.

    5. Re:A stinging lesson by Penguinisto · · Score: 4, Insightful

      TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?

      By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins being off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.

      I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    6. Re:A stinging lesson by IdleTime · · Score: 3, Insightful

      And I do take a hike in those cases.

      If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.

      --
      If you mod me down, I *will* introduce you to my sister!
    7. Re:A stinging lesson by Stargoat · · Score: 3, Insightful

      I'm required to use adobe's horrible products.

      As far as I'm concerned, Adobe is a far greater security threat to my network than IE. I do not understand why people insist on using Adobe products. They are a pain to administer, and not particularly useful. Rather than concentrate on MS, why doesn't the EU take a look at a real threat, Adobe.

      --
      Hoist Number One and Number Six.
    8. Re:A stinging lesson by Bert64 · · Score: 2, Insightful

      The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses ie, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason no one viewed his site using any other browser was because his site didn't work and they didn't feel it important enough to complain.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:A stinging lesson by BitZtream · · Score: 2, Insightful

      You do realize that the fact that FireFox was crashing shows that it's also affected by the exploit that hit IE ... right?

      The ignorance in your post and the fanboys that drool over this sort of thing is mind boggling and is a good example of why people outside of slashdot don't take you or FireFox seriously.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    10. Re:A stinging lesson by CyclistOne · · Score: 3, Informative

      This happened to a friend of mine. His system was totally hijacked. Couldn't run any .exe. I finally got into the registry and disabled the malware, and things were seemingly back to normal. But we re-imaged the machine and restored his backed-up data. It was a pain, but it didn't take that long. But it was a similar thing, I think. Firefox crashing - go try IE, and bang.

    11. Re:A stinging lesson by ozmanjusri · · Score: 2, Interesting

      your online assessment and training solution for Microsoft Office 2007

      You got any that aren't Microsoft affiliated?

      --
      "I've got more toys than Teruhisa Kitahara."
    12. Re:A stinging lesson by Joce640k · · Score: 5, Insightful

      a) Almost everybody has PDF reader installed (it's preinstalled on most PCs)

      b) Firefox managed to contain it.

      c) We all know IE is way more promiscuous than other browsers.

      --
      No sig today...
    13. Re:A stinging lesson by BitZtream · · Score: 3, Insightful

      Please tell me you aren't a programmer, you clearly don't get it.

      If it's crashing, they've got 95% of what it takes to own you, the next part is just figuring out how to use that to get some code to run.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    14. Re:A stinging lesson by jim_v2000 · · Score: 4, Insightful

      That's no trouble. If they're that dumb, then I don't need their content.

      --
      Don't take life so seriously. No one makes it out alive.
    15. Re:A stinging lesson by ls671 · · Score: 2, Interesting

      A quick visit later, it seems to work fine in firefox...

      --
      Everything I write is lies, read between the lines.
    16. Re:A stinging lesson by Threni · · Score: 2, Interesting

      > Why does someone need to view a pdf in a browser anyways?

      Why does a program to interpret and display the data in a PDF have to expose you to danger anyway? Text and graphics, right?

      Wouldn't it be better if there were a wysiwyg mode as part of HTML? So you could genuinely display it the same on each browser, assuming you had the screen resolution required, or didn't mind scrolling? (There's a PDF reader on my phone, and that has a 'reflow' option to wrap text so I don't have to tediously scroll around the image anyway)

  2. Friends don't let friends.... by ansak · · Score: 3, Funny

    Use Internet Exploder for web browsing, Use Outlook or Outlook Distress for reading e-mail. nuff said...ank

    --
    Still hoping for Gentle Treatment...
    1. Re:Friends don't let friends.... by Presto+Vivace · · Score: 4, Insightful

      You know your product's reputation is in trouble when a government advises the public to dump it.

    2. Re:Friends don't let friends.... by Anonymous Coward · · Score: 2, Informative

      Maybe the summary shouldn't have left out the most important word: temporary. Here is a translation of the headlines:

      original:
      Kritische Sicherheitslücke im Internet Explorer
      BSI empfiehlt die vorübergehende Nutzung alternativer Browser

      translation:
      Critical security hole in Internet Explorer
      BSI recommends to temporarily use alternative browsers

  3. To be fair to Microsoft by FlyingBishop · · Score: 5, Interesting

    This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.

    Of course, the fact that it was present across all versions of IE suggests some fundamental architecture flaws that Microsoft has yet to correct.

    1. Re:To be fair to Microsoft by sakdoctor · · Score: 5, Informative

      Why be fair to Microsoft in this case? Bashing where bashing is due;
      IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.

      Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into windows, for leveraging purposes. Didn't even try to keep on top of updates letting it stagnate.
      It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

    2. Re:To be fair to Microsoft by peragrin · · Score: 5, Interesting

      Of course the fact that MSFT let the chinese view the source code for http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html windows. Has nothing to do with it. Sure it was 6 years ago, the question is how long was china running the operation and how many field tests did they get away with and for how long?

      Something like this has been in at least limited operation for a couple of years.

      --
      i thought once I was found, but it was only a dream.
    3. Re:To be fair to Microsoft by McGiraf · · Score: 4, Informative

      "Wrote the piece of shit in the first place"

      No, they bought/stole the Microsoft way from Spyglass.

      http://en.wikipedia.org/wiki/Spyglass,_Inc.

      (the link ends with a dot slashdot moves it after "[wikipedia.org]". bug! )

    4. Re:To be fair to Microsoft by McGiraf · · Score: 2, Insightful

      They bundle it with Windows and say to Spyglass: we sell Windows IE is a free bonus so no royalties for you.

      Then they turn around and say to the DOJ: IE is an integral part of windows and they cannot be separated.

      I think Spyglass had ground for a lawsuit there. Spyglass "not-so-great" choice was to accept just $8M instead of going to trial. Maybe they did not have the money to finance a long legal fight with Microsoft.

  4. IE8 allegedly super-safe by yupie · · Score: 5, Interesting

    Ironically, in Belgium they have just had a (somewhat controversial) campaign, where a new all-Belgian browser "Paladin" (http://www.getpaladin.be/splash.php) was going to be launched, which appeared to be just fake, pointing to and arguing for the already super-safe IE8 browser :-)

    --
    Sig (appended to the end of comments I post, 120 chars)
  5. Right Decision? by Henry+V+.009 · · Score: 3, Insightful

    According to the original article, DEP (enabled by default in IE8) and sandbox mode (Windows 7, Vista) all stop this zero day.

    If that is the case, isn't that in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.

    1. Re:Right Decision? by Anonymous Coward · · Score: 5, Funny

      However, it seems that IE has some pretty good built-in protections that Firefox lacks.

      Sir, your power of deductive reasoning is astonishing!!

      Now if it was Firefox that was hacked, the previous statement would be in your favor.

      Instead...

    2. Re:Right Decision? by benjymouse · · Score: 5, Interesting

      DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.

      But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker to execute string constants.

      The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    3. Re:Right Decision? by lukas84 · · Score: 2

      DEP, which is a Windows feature and not an IE feature, is also active for recent versions of Firefox.

      What Firefox lacks though is the sandboxing using a lower-privileged logon (Protected Mode).

    4. Re:Right Decision? by TheRaven64 · · Score: 2, Interesting

      Java inherently has the ability to both write and execute code

      But not at the same time. One of the things the OpenBSD guys had to do with their port (which is now in mainstream), and which I helped implement for LLVM, is W^X support. DEP is Microsoft's implementation of W^X, i.e. no page may have both write and execute permission at the same time (although they only support it properly on CPUs with the NX bit; OpenBSD does it using horrible hacks involving relocating pages within segments in the absence of NX page protection). That means that you can't execute data that you write into memory unless you issue a system call to change the page permission. To do this you must already be able to make the program do what you want, so you need some other exploit.

      --
      I am TheRaven on Soylent News
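
Added example, not part of the thread and not any poster's code: a small C audit for the W^X rule described in the comment above ("no page may have both write and execute permission at the same time"). It assumes the Linux `/proc/<pid>/maps` text format rather than Windows DEP or OpenBSD; the sample mappings are constructed, and the names `wx_report`, `audit_maps_text` and `audit_maps_file` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format (not from the page).
 * Columns: start-end perms offset dev inode [path]. */
static const char SAMPLE_MAPS[] =
    "00400000-0048a000 r-xp 00000000 08:01 131 /usr/bin/browser\n"
    "0068a000-0068c000 rw-p 0008a000 08:01 131 /usr/bin/browser\n"
    "01c3d000-01c5e000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a20000000-7f3a20010000 rwxp 00000000 00:00 0\n"
    "7f3a30000000-7f3a30200000 r-xp 00000000 08:01 977 /usr/lib/plugin.so\n"
    "7ffc5a000000-7ffc5a021000 rwxp 00000000 00:00 0 [stack]\n";

struct wx_report {
    int total;                          /* mappings parsed */
    int violations;                     /* mappings writable AND executable */
    unsigned long long first_bad_start; /* start address of first violation */
};

/* Returns 1 if the mapping is W+X, 0 if it obeys W^X, -1 if unparseable. */
static int line_is_wx(const char *line, unsigned long long *start)
{
    unsigned long long end;
    char perms[5];

    if (sscanf(line, "%llx-%llx %4s", start, &end, perms) != 3)
        return -1;
    if (strlen(perms) != 4)             /* expect exactly r/w/x/p-or-s flags */
        return -1;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Fold one maps line into the running report. */
static void account(const char *line, struct wx_report *r)
{
    unsigned long long start;
    int wx = line_is_wx(line, &start);

    if (wx < 0)
        return;                         /* skip junk rather than miscount */
    r->total++;
    if (wx) {
        if (r->violations == 0)
            r->first_bad_start = start;
        r->violations++;
    }
}

/* Audit maps-format text held in memory; returns the number of violations. */
int audit_maps_text(const char *text, struct wx_report *r)
{
    char line[512];

    memset(r, 0, sizeof *r);
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;

        memcpy(line, text, c);
        line[c] = '\0';
        account(line, r);
        text += n;
        if (*text == '\n')
            text++;
    }
    return r->violations;
}

/* Audit a live maps file, e.g. /proc/self/maps; returns -1 if unreadable. */
int audit_maps_file(const char *path, struct wx_report *r)
{
    char line[512];
    FILE *f;

    memset(r, 0, sizeof *r);
    f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        account(line, r);
    fclose(f);
    return r->violations;
}

int main(void)
{
    struct wx_report r;

    audit_maps_text(SAMPLE_MAPS, &r);
    printf("sample: %d mappings, %d W+X (first at 0x%llx)\n",
           r.total, r.violations, r.first_bad_start);
    if (audit_maps_file("/proc/self/maps", &r) >= 0)
        printf("self:   %d mappings, %d W+X\n", r.total, r.violations);
    return 0;
}
```

A process that hosts a JIT or an old plugin is where a non-zero count usually shows up; a mapping that is `rw-` at one moment and `r-x` later passes, which is the "not at the same time" behaviour the comment describes.
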
    5. Re:Right Decision? by amiga3D · · Score: 2, Interesting

      Troll? Isn't "WHY don't they patch it already" a valid question? Micro$oft has a history of not patching well known security holes, it's not like this is the first time. They deserve the scorn I heaped on them. It's one thing to sell buggy software. It's another thing entirely to ignore full blown exploits like this. Call me troll if you like but I'm right and I think that's what pisses off the M$ shills the most.

    6. Re:Right Decision? by theLOUDroom · · Score: 5, Insightful

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days

      What a bunch of crap!
      Where's your proof?

      #1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
      #2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
      #3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.

      --
      Life is too short to proofread.
    7. Re:Right Decision? by jthill · · Score: 3, Insightful

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      The rest of your post, including the sandboxing point, deserves that 5. This one doesn't belong on the same page.

      Everyone paying attention can see that Firefox (and open-source general practice) reports and patches as critical security holes bugs for which there's only theoretic or even just heuristic evidence of a potential security breach, while Microsoft's usual reports are of bugs that have actually been exploited and are often actually leaking data in the wild, and eventually releases patches for those.

      Microsoft, understandably given their nature as a marketing company, is only too happy to persuade the gullible that the two different counts are comparable.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
  6. Yeah sure by SmallFurryCreature · · Score: 5, Informative

    It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

    MS apologists, you got to admire their dedication. The Iraqi minister of information used windows as well.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Yeah sure by Maxo-Texas · · Score: 3, Informative

      He's probably thinking of articles like this:
      http://www.itwriting.com/blog/541-mshtml-layout-engine-completely-rewritten-for-internet-explorer-8.html

      Interesting article here: http://www.joelonsoftware.com/articles/fog0000000069.html

      "[netscape killed themselves by rewriting]
      Well, yes. They did. They did it by making the single worst strategic mistake that any software company can make:
      They decided to rewrite the code from scratch."

      Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  7. Shouldn't they be upgrading before complaining? by cjeze · · Score: 2, Insightful

    "patch from Microsoft is still nowhere to be seen"


    Isn't it just easier to upgrade to IE 8?

  8. Before anyone starts throwing stones... by SuperBanana · · Score: 2, Insightful
    1. Re:Before anyone starts throwing stones... by Stumbles · · Score: 5, Insightful

      It is not a question of living in a glass house. No application is 100% secure. At issue with Microsoft products; your ass is hanging in the wind for at least 30 days from a security vulnerability... unless they deem it serious enough to issue one outside their update window. At least with Firefox and the other Mozilla based browsers, your ass is hanging out there much less, and that is the real issue when dealing with security issues.

      --
      My karma is not a Chameleon.
    2. Re:Before anyone starts throwing stones... by ilguido · · Score: 3, Informative

      Mozilla Firefox 3.5.x: unpatched 0 of 6 Secunia advisories.

      MS Internet Explorer 8.x: unpatched 4 of 8 Secunia advisories.

      MS Internet Explorer 7.x: unpatched 11 of 42 Secunia advisories.

      Opera 10.x: unpatched 0 of 3 Secunia advisories.

      I can't see your point, are you trolling?

  9. Re:Good by maxwell+demon · · Score: 2, Insightful

    It's probably safer anyway to use different browsers for intranet and internet.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  10. It's not the "government" by kill-1 · · Score: 4, Informative

    It's a German federal agency, not the German government. And they warn users about IE every time there is a major unpatched security hole.

  11. How to convince my employer to switch? by Octopuz · · Score: 2, Insightful

    At work we use MSIE 7 on Vista. Although my employer is open to alternatives it must be strictly planned before making such a switch. Is it possible to switch to, say, Firefox, while still retaining update possibilities? All users are limited in rights, so no admin rights, which Firefox normally needs to be updated. Imho Mozilla needs to work harder to get companies to run their software.

  12. Not a bit late? It is like a spy platform already by Ilgaz · · Score: 5, Interesting

    I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting MS IE department and tell them "Guys, enough is enough, you are threatening our national security."

    Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, it is fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens whole globe economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things go way more serious.

  13. Perhaps they can't by Ilgaz · · Score: 3, Interesting

    Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?

    What would happen?

    In fact, even if a tool has upgrade and released by vendor, you can't roll IE 8 to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and click all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/Video guys have finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust to Apple for updates let alone blindly updating/patching their windows which is way more complex.

  14. Re:People are used to it by miknix · · Score: 2, Interesting

    Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously.. I see people working in the middle of an "adware popups up window, user closes it" kind of game and they don't even seem to bother. When is this going to change???

  15. Firefox doesn't even ship official MSI by Ilgaz · · Score: 4, Insightful

    Firefox/Mozilla guys live in some imaginary World where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

    IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.

    Firefox resists to ship a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason let alone doing the stuff above. Near all those ".exe" shareware etc. stuff you see are in fact MSI packages packed into .exe file for convenience and prevent web server issues.

    It got more unexplainable since there is a complete open source MSI packager which is hosted at sourceforge ( http://wix.sourceforge.net/ ) and interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no name software, it is Firefox.

    1. Re:Firefox doesn't even ship official MSI by Bacon+Bits · · Score: 2, Insightful

      Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:Firefox doesn't even ship official MSI by Ysangkok · · Score: 2, Informative
    3. Re:Firefox doesn't even ship official MSI by mindbooger · · Score: 2, Insightful

      Firefox resists to ship a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason

      You're not _supposed_ to use installer packages for simple self-contained apps (which Firefox is) on OS X. Drag-n-drop from a compressed DMG is the preferred way except for exceptional cases that need to install frameworks or kernel extensions outside of the .app bundle.

      A self-contained app can be distributed by a network admin quite simply with rsync or ARD or an Automator script or umpteen other ways that are fully automatable. People need to stop expecting Microsoft-looking "solutions" for non-Microsoft platforms.

    4. Re:Firefox doesn't even ship official MSI by BitZtream · · Score: 5, Interesting

      You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.

      Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.

      All of it can be done via command line switches. They use NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.

      People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.

      For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.

      Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  16. Use fascist GPOs by mousse-man · · Score: 4, Interesting

    In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:

    - run javascript
    - directly launch an associated application (like a PDF)
    - run Flash
    - run ActiveX
    - change the default home page
    - install toolbars
    - use any other search provider except Google

    amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.

    Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly windows company.

  17. Re:Not a bit late? It is like a spy platform alrea by gbjbaanb · · Score: 5, Insightful

    Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".

  18. Re:Not a bit late? It is like a spy platform alrea by Anonymous Coward · · Score: 2, Interesting

    Anything more dangerous than IE? Yeah. Adobe Flash. One implementation, almost the same code, across every browser and on several platforms.

    Oh, wait, wasn’t there just a 0day in that?

    Also, that exploit is the other “Chinese” 0day, which targets Adobe Reader, rather than IE. Firefox would be just as vulnerable if the Adobe Reader plugin was installed, or if you subsequently opened that PDF in Adobe Reader (other PDF readers are, of course, not affected).

    They didn’t find this vuln themselves. They bought it off the black market from a blackhat, like anyone else could have. They bought the Gh0st RAT (remote access trojan) tool as well, which isn’t particularly brilliant but clearly got the job done due to some very clever and determined targeting. Probably a budget of less than $30k-worth for this whole operation. Very cheap, considering some of the quality SIGINT they got.

    Besides, this particular 0day targets XP. As it stands it is non-functional in Windows Vista or 7, due to the ASLR changes. (It could be modified to extend that, as all versions have the bug, but that work hasn’t been done yet and the particular exploit may not reach 100% reliability.)

    MS will probably issue an out-of-cycle patch. It’s Adobe you should be angry at.

  19. IE6 is the zombie browser. by Azureflare · · Score: 2, Insightful

    IE6 will never die. I wish it would, to be honest; I agree that I hate IE6 with a passion as a web developer and wish it would go the way of the dinosaur.

    However, here's a little anecdote of why IE6 will never die:

    Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.

    Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.

    It makes me a sad panda :( Especially when I realize there are so many people still using IE6 in that company that have opened themselves up to huge security breaches just by browsing the web.

    Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.

  20. Not the German Government by prefec2 · · Score: 3, Informative

    The "Bundesamt für Sicherheit in der Informationstechnik" (BSI), engl. Federal Bureau for Security in Information Technology, is not a governmental, but a state institution. It is not strictly driven by the government. And it is controlled by the parliament. Even though it works in the domain of the ministry of the interior. So no minister was involved in the "do not use IE" speech.

    BTW: IE has not the biggest market share in Germany.

  21. How long must this go on? by SgtChaireBourne · · Score: 2, Interesting

    You know your product's reputation is in trouble when a government advises the public to dump it.

    Dude, that was the case back ten years ago, too. Facts and technical data don't play a role in situations where Microsoft products get deployed.

    You know you have a cult-like following when governments, research universities and a handful of computer magazines advise the public to dump your product and it still retains market share. Having EULAs that prohibit benchmarking doesn't hurt either. Nor does it hurt to have insiders paid for by the victim's own budget.

    How long must this go on? Put a dollar value on the damage and then put out warrants for Microsoft executives and interns, past and present.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  22. Re:Not a bit late? It is like a spy platform alrea by Bert64 · · Score: 2, Insightful

    The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.

    Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS don't have to care because they know that regardless of how bad their software is, the majority of their customers won't be able to move away. In fact, they are more likely to buy new versions in the hope that they will solve the security problems.

    If we had a competitive market, anyone with such a poor reputation would be forced to fix things or face going bankrupt. And anyone looking to attack, would have to investigate multiple platforms and do some research on which of these their intended victim was using.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  23. Re:Not a bit late? It is like a spy platform alrea by Bert64 · · Score: 2, Informative

    The problem at least as far as PDF readers go, is that most users don't realise PDF is a standard and that there are multiple implementations... They think Adobe make the only pdf reader available.
    I would never install acrobat reader, the default pdf readers in macos and linux work much better, far less bloated, and there are plenty of alternatives available for other platforms too.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  24. Re:Mozilla is working on an MSI package by Culture20 · · Score: 2, Informative

    Mozilla is working on an MSI package. There's a bug in bugzilla for that. Vote for it and/or help with coding testing.

    You're funny.
    Bug 52052 was opened in 2000.
    Bug 231062 was opened in 2004 when 52052 was closed with "WONTFIX"
    Sure, there's been recent activity, but it's been TEN years. Until MSI becomes a blocker for 3.6 or 3.7, they'll drop it for the new shiny like they've always done.