Slashdot Mirror


German Government Advises Public To Stop Using IE

An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"

34 of 320 comments

  1. A stinging lesson by Senes · · Score: 5, Interesting

    This is just a personal anecdote, but take it as you will. About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, Windows was completely crippled. Mind you, this was a week ago. Fortunately I'm on a dual boot system and I was able to go into Linux to delete the malignant exe files, which gave me a foothold to manually recover from the rest of it. IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

    1. Re:A stinging lesson by Idiomatick · · Score: 5, Funny

      Natalie Portman.

    2. Re:A stinging lesson by sopssa · · Score: 4, Insightful

      Which is why I don't understand parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.

      And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on a website.

    3. Re:A stinging lesson by Penguinisto · · Score: 4, Insightful

      TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?

      By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins being off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.

      I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:A stinging lesson by IdleTime · · Score: 3, Insightful

      And I do take a hike in those cases.

      If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.

      --
      If you mod me down, I *will* introduce you to my sister!
    5. Re:A stinging lesson by Stargoat · · Score: 3, Insightful

      I'm required to use Adobe's horrible products.

      As far as I'm concerned, Adobe is a far greater security threat to my network than IE. I do not understand why people insist on using Adobe products. They are a pain to administer, and not particularly useful. Rather than concentrate on MS, why doesn't the EU take a look at a real threat, Adobe.

      --
      Hoist Number One and Number Six.
    6. Re:A stinging lesson by CyclistOne · · Score: 3, Informative

      This happened to a friend of mine. His system was totally hijacked. Couldn't run any .exe. I finally got into the registry and disabled the malware, and things were seemingly back to normal. But we re-imaged the machine and restored his backed-up data. It was a pain, but it didn't take that long. But it was a similar thing, I think. Firefox crashing - go try IE, and bang.

    7. Re:A stinging lesson by Joce640k · · Score: 5, Insightful

      a) Almost everybody has PDF reader installed (it's preinstalled on most PCs)

      b) Firefox managed to contain it.

      c) We all know IE is way more promiscuous than other browsers.

      --
      No sig today...
    8. Re:A stinging lesson by BitZtream · · Score: 3, Insightful

      Please tell me you aren't a programmer, you clearly don't get it.

      If it's crashing, they've got 95% of what it takes to own you, the next part is just figuring out how to use that to get some code to run.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:A stinging lesson by jim_v2000 · · Score: 4, Insightful

      That's no trouble. If they're that dumb, then I don't need their content.

      --
      Don't take life so seriously. No one makes it out alive.
  2. Friends don't let friends.... by ansak · · Score: 3, Funny

    Use Internet Exploder for web browsing, Use Outlook or Outlook Distress for reading e-mail. nuff said...ank

    --
    Still hoping for Gentle Treatment...
    1. Re:Friends don't let friends.... by Presto+Vivace · · Score: 4, Insightful

      You know your product's reputation is in trouble when a government advises the public to dump it.

  3. To be fair to Microsoft by FlyingBishop · · Score: 5, Interesting

    This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.

    Of course, the fact that it was present across all versions of IE suggests some fundamental architecture flaws that Microsoft has yet to correct.

    1. Re:To be fair to Microsoft by sakdoctor · · Score: 5, Informative

      Why be fair to Microsoft in this case? Bashing where bashing is due;
      IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.

      Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into Windows, for leveraging purposes. Didn't even try to keep on top of updates, letting it stagnate.
      It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

    2. Re:To be fair to Microsoft by peragrin · · Score: 5, Interesting

      Of course the fact that MSFT let the Chinese view the source code for Windows (http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html) has nothing to do with it. Sure it was 6 years ago; the question is how long was China running the operation and how many field tests did they get away with and for how long?

      Something like this has been in at least limited operation for a couple of years.

      --
      i thought once I was found, but it was only a dream.
    3. Re:To be fair to Microsoft by McGiraf · · Score: 4, Informative

      "Wrote the piece of shit in the first place"

      No, they bought/stole the Microsoft way from Spyglass.

      http://en.wikipedia.org/wiki/Spyglass,_Inc.

      (the link ends with a dot slashdot moves it after "[wikipedia.org]". bug! )

  4. IE8 allegedly super-safe by yupie · · Score: 5, Interesting

    Ironically, in Belgium they have just had a (somewhat controversial) campaign, where a new all-Belgian browser "Paladin" (http://www.getpaladin.be/splash.php) was going to be launched, which appeared to be just fake, pointing to and arguing for the already super-safe IE8 browser :-)

    --
    Sig (appended to the end of comments I post, 120 chars)
  5. Right Decision? by Henry+V+.009 · · Score: 3, Insightful

    According to the original article, DEP (enabled by default in IE8) and sandbox mode (Windows 7, Vista) all stop this zero day.

    If that is the case, isn't that in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.

    1. Re:Right Decision? by Anonymous Coward · · Score: 5, Funny

      However, it seems that IE has some pretty good built-in protections that Firefox lacks.

      Sir, your power of deductive reasoning is astonishing!!

      Now if it was Firefox that was hacked, the previous statement would be in your favor.

      Instead...

    2. Re:Right Decision? by benjymouse · · Score: 5, Interesting

      DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.

      But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker to execute string constants.

      The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    3. Re:Right Decision? by theLOUDroom · · Score: 5, Insightful

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days

      What a bunch of crap!
      Where's your proof?

      #1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
      #2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
      #3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.

      --
      Life is too short to proofread.
    4. Re:Right Decision? by jthill · · Score: 3, Insightful

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      The rest of your post, including the sandboxing point, deserves that 5. This one doesn't belong on the same page.

      Everyone paying attention can see that Firefox (and open-source general practice) reports and patches as critical security holes bugs for which there's only theoretic or even just heuristic evidence of a potential security breach, while Microsoft's usual reports are of bugs that have actually been exploited and are often actually leaking data in the wild, and eventually releases patches for those.

      Microsoft, understandably given their nature as a marketing company, is only too happy to persuade the gullible that the two different counts are comparable.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
  6. Yeah sure by SmallFurryCreature · · Score: 5, Informative

    It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

    MS apologists, you got to admire their dedication. The Iraqi minister of information used Windows as well.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Yeah sure by Maxo-Texas · · Score: 3, Informative

      He's probably thinking of articles like this:
      http://www.itwriting.com/blog/541-mshtml-layout-engine-completely-rewritten-for-internet-explorer-8.html

      Interesting article here: http://www.joelonsoftware.com/articles/fog0000000069.html

      "[netscape killed themselves by rewriting]
      Well, yes. They did. They did it by making the single worst strategic mistake that any software company can make:
      They decided to rewrite the code from scratch."

      Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  7. Re:Before anyone starts throwing stones... by Stumbles · · Score: 5, Insightful

    It is not a question of living in a glass house. No application is 100% secure. At issue with Microsoft products; your ass is hanging in the wind for at least 30 days from a security vulnerability... unless they deem it serious enough to issue one outside their update window. At least with Firefox and the other Mozilla based browsers, your ass is hanging out there much less, and that is the real issue when dealing with security issues.

    --
    My karma is not a Chameleon.
  8. It's not the "government" by kill-1 · · Score: 4, Informative

    It's a German federal agency, not the German government. And they warn users about IE every time there is a major unpatched security hole.

  9. Not a bit late? It is like a spy platform already by Ilgaz · · Score: 5, Interesting

    I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting the MS IE department and telling them "Guys, enough is enough, you are threatening our national security."

    Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, they are fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens the whole global economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things go way more serious.

  10. Perhaps they can't by Ilgaz · · Score: 3, Interesting

    Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?

    What would happen?

    In fact, even if a tool has an upgrade released by the vendor, you can't roll IE 8 out to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and clicking all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/Video guys have finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust Apple for updates, let alone blindly updating/patching their Windows, which is way more complex.

  11. Firefox doesn't even ship official MSI by Ilgaz · · Score: 4, Insightful

    Firefox/Mozilla guys live in some imaginary world where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

    IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.

    Firefox resists shipping a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason, let alone doing the stuff above. Nearly all those ".exe" shareware etc. stuff you see are in fact MSI packages packed into .exe file for convenience and to prevent web server issues.

    It got more unexplainable since there is a complete open source MSI packager which is hosted at sourceforge ( http://wix.sourceforge.net/ ) and interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no name software, it is Firefox.

    1. Re:Firefox doesn't even ship official MSI by BitZtream · · Score: 5, Interesting

      You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.

      Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.

      All of it can be done via command line switches. They use NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.

      People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.

      For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.

      Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  12. Use fascist GPOs by mousse-man · · Score: 4, Interesting

    In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:

    - run javascript
    - directly launch an associated application (like a PDF)
    - run Flash
    - run ActiveX
    - change the default home page
    - install toolbars
    - use any other search provider except Google

    amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.

    Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly Windows company.
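
A check for the kind of zone lockdown described in the comment above, added here as an example (it is not the commenter's code or their actual GPO): it parses a `.reg` export and reports which script, ActiveX and launch actions are not enforced as "disallow" for a zone. Treating the "untrusted zone" as zone 3 (Internet), counting only values under a `Policies` key as enforced, and the sample export itself are assumptions; home page, toolbar and search-provider restrictions are not zone actions and are not covered.

```python
import re

# IE security-zone URL action IDs (Microsoft's documented values) matching items in the list.
URL_ACTIONS = {
    "1400": "Active scripting (JavaScript)",
    "1200": "Run ActiveX controls and plug-ins (Flash in IE is one)",
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1806": "Launch applications and unsafe files",
}
DISALLOW = 3
STATE_NAMES = {0: "allow", 1: "prompt", 3: "disallow"}
SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export, not taken from any real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
"1200"=dword:00000003
"1001"=dword:00000003
"1806"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000003
"""


def parse_reg_export(text):
    """Return {lowercased key path: {value name: int}} for dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        dword = DWORD_RE.match(line)
        if dword and current is not None:
            current[dword.group(1)] = int(dword.group(2), 16)
    return keys


def audit_zone(text, zone=3):
    """Return (action id, description, state) for each action not enforced as disallow."""
    suffix = "\\internet settings\\zones\\" + str(zone)
    enforced = {}
    for key, values in parse_reg_export(text).items():
        # Assumption: a per-user preference outside Policies can be changed back by the user.
        if "\\policies\\" in key and key.endswith(suffix):
            enforced.update(values)
    findings = []
    for action, description in URL_ACTIONS.items():
        value = enforced.get(action)
        if value != DISALLOW:
            state = "not enforced" if value is None else STATE_NAMES.get(value, hex(value))
            findings.append((action, description, state))
    return findings


if __name__ == "__main__":
    for action, description, state in audit_zone(SAMPLE_EXPORT):
        print(f"{action}  {state:<12}  {description}")
```

In the sample, action 1004 is set to disallow only as a per-user preference, so it is reported as not enforced alongside 1806, which the policy leaves at "prompt".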

  13. Re:Not a bit late? It is like a spy platform alrea by gbjbaanb · · Score: 5, Insightful

    Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".

  14. Not the German Government by prefec2 · · Score: 3, Informative

    The "Bundesamt für Sicherheit in der Informationstechnik" (BSI), engl. Federal Bureau for Security in Information Technology, is not a governmental, but a state institution. It is not strictly driven by the government. And it is controlled by the parliament. Even though it works in the domain of the ministry of the interior. So no minister was involved in the "do not use IE" speech.

    BTW: IE does not have the biggest market share in Germany.

  15. Re:Before anyone starts throwing stones... by ilguido · · Score: 3, Informative

    Mozilla Firefox 3.5.x: unpatched 0 of 6 Secunia advisories.

    MS Internet Explorer 8.x: unpatched 4 of 8 Secunia advisories.

    MS Internet Explorer 7.x: unpatched 11 of 42 Secunia advisories.

    Opera 10.x: unpatched 0 of 3 Secunia advisories.

    I can't see your point, are you trolling?