Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
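The advisory's bug class (a pointer used after the object it points to has been freed) and one standard way browsers close it: give every holder an owned reference so the object cannot be freed while anything can still reach it. This is an added, constructed C example, not Microsoft's code or anything from the advisory; the Node/Handler names are invented.

```c
#include <stdlib.h>
#include <string.h>

/* A DOM-like node that two parties hold: the document tree and an event
   handler. Each holder owns one reference. (Constructed example.) */
typedef struct Node {
    int refs;
    char name[16];
} Node;

static Node *node_new(const char *name) {
    Node *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->refs = 1;                          /* the creator (tree) holds one ref */
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

static Node *node_retain(Node *n) { n->refs++; return n; }

static void node_release(Node *n) {
    if (n && --n->refs == 0) free(n);     /* freed only when nobody can reach it */
}

/* Handler that keeps a node alive for as long as it can still touch it.
   A raw, non-owning pointer here would dangle once the tree freed the node,
   which is the "freed object is accessed" condition in the advisory. */
typedef struct { Node *target; } Handler;

static void handler_bind(Handler *h, Node *n) { h->target = node_retain(n); }

static void handler_unbind(Handler *h) {
    node_release(h->target);
    h->target = NULL;                     /* never leave a dangling pointer behind */
}

/* Simulates the tree removing a node while a handler still points at it.
   Returns 1 if the handler could still safely read the node afterwards. */
int uaf_guard_demo(void) {
    Node *n = node_new("button");
    Handler h = { NULL };
    if (!n) return 0;
    handler_bind(&h, n);                  /* refs: 1 -> 2 */
    node_release(n);                      /* tree drops the node: refs 2 -> 1, not freed */
    int ok = h.target != NULL && h.target->refs == 1
          && strcmp(h.target->name, "button") == 0;
    handler_unbind(&h);                   /* last holder: refs 1 -> 0, memory freed here */
    return ok;
}
```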
.. now *that* would be real fun.
And that's Microsoft's fault how?
Microsoft provides the ability to be up to date and secure as well as backwards compatibility; it's the user's risk for which he chooses, not Microsoft's.
Maybe in the default configuration, but every place I've worked, IT changes the configuration of IE due to the needs of the company. Home users might be okay with using the default configuration, but some companies will not be.
Well, there's spam egg sausage and spam, that's not got much spam in it.
IE is used by corporations, and corporations do not want patches for patches for hotfixes and all that jazz, they expect the patch to be tested and corporations are the ones who wanted a monthly release for patches so the IT staff are not patching and testing patches all month long.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Having radio button somewhere that makes your OS vulnerable to _KNOWN_ exploit is really stupid idea.
OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
Sandboxing & virtualization of a sick browser is not a panacea. If the sandboxed application is compromised, it could still be controlled in its own domain and compromise cookies, passwords and anything else that is obtainable in its virtual space. It could still be used for malicious purposes, purposes that could result in a knock on the door from the law.
Sandboxing and virtualization are sane for ANY application which is processing content from untrusted sources, regardless of whether you think them secure or not.
A hale and open sourced browser is the only safe way to go. Screw IE, any version.
Right, because FF hasn't had any major security holes. Open source does not mean secure. It means you can see the code.
Was it not the browser that would install keyloggers and dialers through the press of the [Enter] key, as it would default on installation of any "signed" ActiveX, no matter how fucked up it was? Yes! Did these people have any idea of what was happening on the Internet? Yes! Fuck it, they said, system-browser integration is not debatable; Microsoft had their fun killing Netscape, now we have our fun watching them trying to fix the mess. (They won't).
Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy. I think the problem is that you're upset that, even with problems in MS software, people would STILL rather use it than your favorite OS.
Also, I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out? oh ya, it took way too long, they should have rushed it out without any kind of testing, like open source does.
It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly, the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?
Isn't it past time that things changed?
Pain is merely failure leaving the body
>The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.
I'd disagree. Open up "My Computer" and type in "http://www.google.com/" into the address bar.
Enjoy your IE.
Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fix it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for years.
Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.
Proud member of the Weirdo-American community.
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."
Even though you're being sarcastic, to an extent you're correct. It is the fault of corporate IT, not Microsoft, that IE6 and IE7 are in such wide use and being exploited, when everyone should already be running on IE8. It would be the same situation as if you had tons of people running Firefox 1.5 and refusing to upgrade because it would break something they're used to, despite being vulnerable to a series of known problems. In that situation it's not Mozilla's fault that their user base hasn't upgraded any more than it's Microsoft's fault now.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.
By default, IE8 on 7 is pretty secure.
So it's ok if a buggy webpage can wipe out My Documents, so long as it doesn't break my system?
I'm not sure many users would agree with you there.
It's clear that you need one. Maybe you could start by changing your worldview that all open source software is secure by virtue of being open source, and all proprietary software is crap. Maybe a look at Opera would prove otherwise. If you're not aware of the several security features which Microsoft has added to Windows 7 and IE8 (not to mention much-needed support for several missing standards), then maybe you can make yourself familiar with those before claiming that everything which you can't read the code for is insecure.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy.
Yes of course, the largest computer software company in the world should be given a hearty slap on the back for "coming a long way". I mean, they're only the standards that everyone else is following it's not like they matter.
If you had any idea what OP was talking about, you'd realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there", the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.
Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration.
Ya, well then you're going out of your way to make yourself vulnerable again. At which point, I'd have to ask... why did you bother to upgrade?
Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collective hands. We decide how and when Firefox is fixed and we decide how thorough that fix is.
And to the average user, there is no difference. They'll have to wait for FF to update itself to get the patch as well, as they're waiting on the Mozilla people to do so.
So while you're probably not a programmer
Actually I am.
, like most computer users, you have options with Firefox that you don't have with IE. You could learn to program and help fix Firefox's code. You stand virtually no chance of doing this with IE's code no matter how expert you become. It is of no help to look at this as though Firefox hackers are your workers so you can sit back and wait for them to deliver a fix ("I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out?").
Ya, in the real world, that's not going to happen. By the time the average user learned to program, there'd be a new version of both IE and FF out already. As I explained, to the average user, there is no difference between FF and IE; with either browser you're still at the mercy of a 3rd party for a patch.
Software freedom changes the game by giving you permission to control your computer; the more free software you run, the more control you have. Like with any other freedom, how much of that permission you're willing to leverage is up to you.
No, it doesn't. It puts users at the mercy of the OS community (which has an attitude of "if you didn't pay for it you don't have a right to complain") instead of a company. But at the end of the day, it's the same for them. Don't be delusional; people just want to USE their computers, not spend time learning to program to fix other people's software.
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.
If we measured the effectiveness of corporate IT by individual uptime (instead of by number of tickets closed), there would be a newfound appreciation for browsers that run in user space and resist infection. But with the economy the way it is, we need to "manage" as many things as we can get our hands on, lest management find out what we really do and how easily they could downsize the help desk by making better architecture choices.
In more than a few companies, IE "puts the beer on the table" for level 1 help desk technicians.
The place I work is still running IE 6. About 6 months ago they did a big effort to upgrade to IE 7, tested all their apps, and then decided that they weren't ready. There is currently no time table to upgrade to IE7 let alone 8.
A company I interned at had IE 4.0 for the longest time, even after 5 came out, and the latest versions of netscape....
I think what our friends at Microsoft don't realize is that big companies (especially big regulated companies) are really slow to move on things. "Upgrade to IE 8" is not really a valid answer. A large regulated company will spend months testing, and in many cases it will take years to upgrade. Now if IE didn't encourage people to violate web standards, then it wouldn't be that bad. But unfortunately it does and people do. So fixing things to work with IE7 or even IE8 after IE 6 is a pretty big deal.
So good luck with that. I know my company is going to be running IE 6 for at least another year, maybe more. They have to go slow because it is a financial company and they are subject to all sorts of SOX controls and regulations. Also upgrading browsers does not immediately generate revenue so it is not a high priority. They don't even use the right resources for testing so it drags out much longer than it should....
I worked at a Microsoft Fanboy company, but even then it took a good 6 months to test all the apps with IE 7, and there the rollout wasn't company wide, just that division. There was also a project in parallel to fix the issues and move all development projects to Visual Studio 2005. They properly staffed based on what they had, and it still took 6 months. And they were Microsoft Fanboys. I mean SQL Server 2005 comes out, they need to upgrade within a year. SQL Server 2008 comes out, they put on a project to upgrade within a year. Windows Vista comes out, they need to upgrade.... And even there 6 months is a lot of time to be exposed to a vulnerability. And they are the exception, not the rule.
For many companies a security issue or browser upgrade does not generate revenue and is super low priority....