Slashdot Mirror


German Government Advises Public To Stop Using IE

An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"


  1. A stinging lesson by Senes · · Score: 5, Interesting

    This is just a personal anecdote, but take it as you will. About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, Windows was completely crippled. Mind you, this was a week ago. Fortunately I'm on a dual boot system and I was able to go into Linux to delete the malignant exe files, which gave me a foothold to manually recover from the rest of it. IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

    1. Re:A stinging lesson by Idiomatick · · Score: 5, Funny

      Natalie Portman.

    2. Re:A stinging lesson by Joce640k · · Score: 5, Insightful

      a) Almost everybody has a PDF reader installed (it's preinstalled on most PCs)

      b) Firefox managed to contain it.

      c) We all know IE is way more promiscuous than other browsers.

      --
      No sig today...
  2. To be fair to Microsoft by FlyingBishop · · Score: 5, Interesting

    This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.

    Of course, the fact that it was present across all versions of IE suggests some fundamental architecture flaws that Microsoft has yet to correct.

    1. Re:To be fair to Microsoft by sakdoctor · · Score: 5, Informative

      Why be fair to Microsoft in this case? Bashing where bashing is due;
      IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.

      Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into Windows, for leveraging purposes. Didn't even try to keep on top of updates, letting it stagnate.
      It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

    2. Re:To be fair to Microsoft by peragrin · · Score: 5, Interesting

      Of course the fact that MSFT let the Chinese view the source code for Windows (http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html) has nothing to do with it. Sure it was 6 years ago, the question is how long was China running the operation and how many field tests did they get away with and for how long?

      Something like this has been in at least limited operation for a couple of years.

      --
      i thought once I was found, but it was only a dream.
  3. IE8 allegedly super-safe by yupie · · Score: 5, Interesting

    Ironically, in Belgium they have just had a (somewhat controversial) campaign, where a new all-Belgian browser "Paladin" (http://www.getpaladin.be/splash.php) was going to be launched, which appeared to be just fake, pointing to and arguing for the already super-safe IE8 browser :-)

    --
    Sig (appended to the end of comments I post, 120 chars)
  4. Yeah sure by SmallFurryCreature · · Score: 5, Informative

    It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

    MS apologists, you got to admire their dedication. The Iraqi minister of information used Windows as well.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  5. Re:Right Decision? by Anonymous Coward · · Score: 5, Funny

    However, it seems that IE has some pretty good built-in protections that Firefox lacks.

    Sir, your power of deductive reasoning is astonishing!!

    Now if it was Firefox that was hacked, the previous statement would be in your favor.

    Instead...

  6. Re:Before anyone starts throwing stones... by Stumbles · · Score: 5, Insightful

    It is not a question of living in a glass house. No application is 100% secure. At issue with Microsoft products; your ass is hanging in the wind for at least 30 days from a security vulnerability... unless they deem it serious enough to issue one outside their update window. At least with Firefox and the other Mozilla based browsers, your ass is hanging out there much less, and that is the real issue when dealing with security issues.

    --
    My karma is not a Chameleon.
  7. Re:Right Decision? by benjymouse · · Score: 5, Interesting

    DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.

    But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker to execute string constants.

    The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.

    Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

    Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  8. Not a bit late? It is like a spy platform already by Ilgaz · · Score: 5, Interesting

    I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting MS IE department and tell them "Guys, enough is enough, you are threatening our national security."

    Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, it is fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens whole globe economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things go way more serious.

  9. Re:Not a bit late? It is like a spy platform alrea by gbjbaanb · · Score: 5, Insightful

    Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".

  10. Re:Right Decision? by theLOUDroom · · Score: 5, Insightful

    Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days

    What a bunch of crap!
    Where's your proof?

    #1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
    #2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
    #3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.

    --
    Life is too short to proofread.
  11. Re:Firefox doesn't even ship official MSI by BitZtream · · Score: 5, Interesting

    You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.

    Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.

    All of it can be done via command line switches. They use NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.

    People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.

    For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.

    Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager