Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit can not work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...
"...I think the Microsoft hatred is a disease." - Linus Torvalds
...or Death
Security theater to keep people on their, similarly defective, latest product is the best thing MS could do for now, it seems. I'm waiting for comment from Bruce Schneier...
One that hath name thou can not otter
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
This whole article should be marked redundant. Whoever could upgrade to 8 did it.
Some people just can not afford to do it; if it is a question IE6 or access to internet it will be IE6.
"Blah blah blah." - [citation needed]
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.
So saying it is a 'problem' on Vista or Win7 is stretching the truth.
Looking back at the whole story it seems that Google planned this in advance. They got hacked for real... but then someone had an idea: this is an IE exploit so let's benefit from this. Let's show everyone how bad IE really is. So they posted on their blog saying that they will get out of China because of this attack (very dramatic so everybody heard about it) but I suspect that they have no intention to do that. I think they used their blog just to let people know: "we are Google, we know stuff about security but we've been hacked, we will lose this big market and it's all because of this flawed IE". Now everybody is running away from IE (finally).
Not sure if this is evil but I'm sure IE will lose because of this.
You know what struck me as strange when I read this post? I thought about the issue that Firestone went through a few years back with their faulty tires causing a few deadly accidents. By comparison:
If Firestone were to beg people to buy their faulty product, even though it was dangerous, people would think that Firestone was being rather twisted and greedy.
When Microsoft basically does the same thing with their faulty product, it's somehow "OK"?
I guess the "go fix your shit and don't come back until it's done" mentality is rather dead these days...
That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.
After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes the browser of choice for public Internet use?
* note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker). Also, there's the fact that Microsoft has a lot of old baggage around that it can ill afford to simply stop supporting.
Quo usque tandem abutere, Nimbus, patientia nostra?
Upgrade to Firefox!!!
Get rid of that Microsoft Virus masquerading as an operating system!
it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.
That's a bad analogy, because the TFA only suggests customers to upgrade to IE8 from a previous version. It doesn't appear to be a money grab, i.e. (no pun intended) there's no recommendation to switch from say Firefox to IE8.
How is this a troll? What he said is true.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
The road to tyranny has always been paved with claims of necessity.
Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Ford's one SUV model.
As usual, another analogy on /. fails...
Your comment is outrageous. The submission consists of a factual statement and some literal quotes from Microsoft.
If this is FUD about explorer it is Microsoft FUD about explorer and not the submitters.
Fair point on the former, but the latter could be managed to an extent via GPO - you just have to roll your own policies to do it.
Quo usque tandem abutere, Nimbus, patientia nostra?
Agreed - he made a fair point.
Quo usque tandem abutere, Nimbus, patientia nostra?
The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?
I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they apologize?
(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)
The currently known attacks do not affect IE.
However, it is possible and likely that existing attacks could be modified to work on IE8.
That's what they're saying. Yeah, it's Marketing speak, but i've seen worse.
Incorrect... The fault was Ford stuck the tires on as OEM parts, and actually UNDER-INFLATED the tires. The issue that occurred with the Firestone tire would have happened with ANY P or UV tire that was also under-inflated on that vehicle at highway speeds. An under inflated tire causes major heat build up, and leads to tire failure.
As another poster said, a crap analogy.
I haven't used IE in any form for 5 years. Any web page that I can't see in Firefox doesn't want my business. The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.
Professional Politicians are not the solution, they ARE the problem.
WTF? First of all how do .NET programmers have anything to do with IE6 installs? Second - why pick on .NET and not on Java which came first or even Python and Ruby which claim to be even easier? Oh yeah... the first from Microsoft and the others are open source... And btw these programmers you are talking about would still be employed and would be doing much more damage if it was not for .NET and Java to keep them from producing billions of buffer overflows and memory leaks.
It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?
Isn't it past time that things changed?
Pain is merely failure leaving the body
IE8 has the same bug, but it has further protective measures that limit the bug from being harmful. Defense in depth.
(due to hordes of crap .NET programmers*)
You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.
I am TheRaven on Soylent News
Really? Impossible! I fully expected them to say it would be better to use Firefox or Opera.
Seriously. What did you expect? Be honest.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Firestone still took the contract, they weren't going to turn down a sale of millions of tires.. They knew what Ford was putting them on.
Except that using a faulty browser isn't more likely to kill than people riding with faulty tires on something that moves really fast.
I assume you aren't a political activist in China.
In many ways if you are going to stick to using Internet Explorer, then it might as well be the latest one. If there is a flaw that affects IE8 less than the other two, then it is still the lesser risk. Even if it doesn't and is still major, then Microsoft will most probably concentrate on providing a security fix for IE8, and not the others. Heck, beyond hyper-conservative company policy (aka "let's stick with 10 year old software, no matter what"), there is very little reason not to upgrade and plenty of reasons to upgrade. To name three: it's free, it's more standards compliant and it is probably more secure than the previous two versions.
If you are still using IE5, then I have nothing good to say.
Jumpstart the tartan drive.
It wasn't even that "exotic" of a problem. Ford recommended a low tire pressure for a softer ride - trying to make a truck not ride like a truck. Low tire pressure generates excess heat, which ultimately causes the tire failure. And because the other tires on the vehicle are also under-inflated, the changes in the vehicle's handling are magnified and everything goes to hell.
People who ran the tires at (for example) 35PSI instead of 30PSI didn't have problems.
Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fixing it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for years.
Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.
Proud member of the Weirdo-American community.
Well I DID say it was an attempt at a bad analogy.
The point I was trying to make was similar to that of some other folks. Yes IE8 does not fix this specific flaw, however it does address many other vulnerabilities and outright flaws in IE6.
I believe the expression is "throwing the baby out with the bathwater".
We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.
The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.
I'm a virgo and on Slashdot. Coincidence? Yes.
Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
That is a misrepresentation, at best.
The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Seriously, while there's no security change by getting users to upgrade from IE6 to IE8 (with respect to this flaw), there's a massive net gain in getting another IE6 off the streets. Thank you Microsoft, for using every means possible to move users away from IE6.
Actually, IE5 is the only version not affected. You should be downgrading not upgrading.
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
"But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration. Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collective hands. We decide how and when Firefox is fixed and we decide how thorough that fix is.
So while you're probably not a programmer, like most computer users, you have options with Firefox that you don't have with IE. You could learn to program and help fix Firefox's code. You stand virtually no chance of doing this with IE's code no matter how expert you become. It is of no help to look at this as though Firefox hackers are your workers so you can sit back and wait for them to deliver a fix ("I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out?").
Software freedom changes the game by giving you permission to control your computer; the more free software you run, the more control you have. Like with any other freedom how much of that permission you're willing to leverage is up to you.
Digital Citizen
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.
http://p8ste.com - Web based Clipboard
It has been since it debuted in an XP service pack.
So if you "disable" DEP to make some apps work, it still isn't disabled for IE8, because IE8 opts-in for it.
http://lkml.org/lkml/2005/8/20/95
My memory of that is far different. The tires were faulty but in a small percentage of tires. There was a manufacturing defect that would cause tread separation. The number of faulty tires was relatively small.
The real problem was that Ford Explorers were rolling over in accidents. Ford wanted to blame it all on the tires when in reality that particular defect was a factor in only a small number of accidents. The real cause of the issue was the instability of the Ford Explorer. It is a simple matter of physics. SUVs like the Ford Explorer have a high center of gravity. Sudden motions (like those that occur in an emergency) would cause the vehicle to roll over.
An overview of the data showed that:
Logically one would conclude that the problem wasn't so much the Firestone tire but the vehicle based on the percentages. But Ford had more money to spend on lobbyists and PR. And most people want to believe that the real issue is a $100 tire that can be replaced instead of the $30,000 vehicle that cannot be easily replaced.
There was a Frontline report which uncovered that Ford knew their SUVs had roll over issues since the Bronco II which came out ten years earlier.
Well, there's spam egg sausage and spam, that's not got much spam in it.
If you had any idea what OP was talking about, you'd realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.
Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
It sounds like marketing speak to me. That sentence reads a lot differently if you add one word:
Customers using Internet Explorer 8 are not affected by some|most currently known attacks and exploits due to the improved security protections in IE8
I doubt they're trying to claim that IE8 is immune to all known attacks.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Is this an ActiveX thing?
No, it doesn't appear so at this time. But it could be.
I mean how the hell do you get the pointer in the first place? And how do you keep the browser from page faulting?
I'm so confused!
The attacker actually doesn't "get the pointer". He discovered some bug where IE would deallocate an object but still hold a pointer to it. A "dangling" pointer.
The attacker then typically allocates *a lot* of other objects, hoping that they will take up the address pointed to by the "dangling" pointer. He will try to arrange the allocations such that the allocated "data" is actually attack code if ever executed as instructions. The attacker could hide attack code in string constants/buffers etc.
Then he proceeds to prompt IE to actually *follow* the dangling pointer. If he's lucky (and skillful) IE will now hit something which was actually "data" - but when executed as CPU instruction it is actually malicious attack code.
This is why DEP will kill this attack. As soon as the CPU is jumping into a NX memory block, it faults. And the heap/stack are marked as NX (DEP) in all recent MS OSes for IE8.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
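The dangling-pointer reuse described in the comment above, as an added C example that is not part of the original thread. It uses a constructed toy slot allocator (`pool_alloc`, `pool_resolve` and the `element_t` type are hypothetical names, not IE internals) to show a stale pointer reading a later allocation's bytes, next to a generation-checked handle that rejects the stale reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS  4
#define SLOT_BYTES  32
#define ELEMENT_TAG 0x454C454Du          /* constructed marker for a live element_t */

/* Stand-in for a browser object; constructed for this example. */
typedef struct { uint32_t type_tag; char name[16]; } element_t;

/* One allocator slot. The generation counter is bumped on every free. */
typedef struct {
    unsigned char bytes[SLOT_BYTES];
    uint32_t generation;
    int in_use;
} slot_t;

/* A handle names a slot AND the generation it was allocated in. */
typedef struct { uint32_t index; uint32_t generation; } handle_t;

static slot_t pool[POOL_SLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* First-fit allocation: a freed slot is handed out again immediately. */
static handle_t pool_alloc(void) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            memset(pool[i].bytes, 0, SLOT_BYTES);
            return (handle_t){ i, pool[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };
}

static void pool_free(handle_t h) {
    if (h.index < POOL_SLOTS && pool[h.index].in_use &&
        pool[h.index].generation == h.generation) {
        pool[h.index].in_use = 0;
        pool[h.index].generation++;      /* invalidates every outstanding handle */
    }
}

/* Unchecked access: what a cached raw pointer amounts to. */
static void *pool_raw(handle_t h) { return pool[h.index].bytes; }

/* Checked access: NULL unless the slot is live and from the same generation. */
static void *pool_resolve(handle_t h) {
    if (h.index >= POOL_SLOTS) return NULL;
    slot_t *s = &pool[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return s->bytes;
}

/* Free an element while keeping a reference, then let an unrelated
 * allocation take over the same slot and fill it with its own bytes. */
static void free_then_reuse(handle_t *stale, handle_t *other) {
    pool_reset();
    *stale = pool_alloc();
    element_t e = { ELEMENT_TAG, "button" };
    memcpy(pool_raw(*stale), &e, sizeof e);
    pool_free(*stale);                           /* object deleted ...            */
    *other = pool_alloc();                       /* ... slot handed out again     */
    memset(pool_raw(*other), 0x41, SLOT_BYTES);  /* new owner's unrelated data    */
}

/* Returns 1: the dangling pointer no longer sees an element_t at all. */
int stale_raw_pointer_sees_foreign_data(void) {
    handle_t stale, other;
    free_then_reuse(&stale, &other);
    element_t seen;
    memcpy(&seen, pool_raw(stale), sizeof seen); /* follow the dangling pointer */
    return seen.type_tag != ELEMENT_TAG;
}

/* Returns 1: same slot, but the stale handle is refused and the new one works. */
int stale_handle_is_rejected(void) {
    handle_t stale, other;
    free_then_reuse(&stale, &other);
    return other.index == stale.index &&
           pool_resolve(stale) == NULL &&
           pool_resolve(other) != NULL;
}

int main(void) {
    printf("raw pointer reads foreign data: %d\n", stale_raw_pointer_sees_foreign_data());
    printf("stale handle rejected:          %d\n", stale_handle_is_rejected());
    return 0;
}
```

The generation check addresses the lifetime bug itself, whereas DEP, as the comment says, only stops the final step of executing data.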
> The real cause of the issue was the instability of the Ford Explorer.
The real cause of the problem (that's *problem*, not "issue") was idiot drivers who bought trucks and drove them like pancake cars. Trucks necessarily have high centers of gravity. It is obvious to anyone with any brains that you can't drift a truck around a corner. Most modern cars are so low and flat (in the interest of fuel economy) that they are almost impossible to roll. People get used to that and then try to drive trucks the same way.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I had the pressure recommendation wrong. Ford had recommended 26 PSI. That's well below "normal" pressure for most road vehicles, especially heavier ones like SUVs.
http://en.wikipedia.org/wiki/Firestone_and_Ford_tire_controversy
So Ford specified possibly weak tires, and then went on to change their recommendations in such a way that it made them weaker without changing the tire specs.
May is such a definitive word. If I had a million dollars on a project, may is not going to cut it. And how much faith would you put into DEP? I don't: http://uninformed.org/?v=2&a=4&t=sumry
Also do you think M$ will come out and say that, "IE8 is exploitable, please use something else."?
Half of writing history is hiding the truth.
That's simple B.S. Every person I deal with in supporting their machine I get rid of every shortcut to IE and tell them that they have a new browser. They all love Firefox and Opera. I use Firefox (with noscript) to fix computers with a lot of kids. This is good because some kids click everything they can find online! For slow systems I install Opera. It uses the least system resources and starts the fastest. This makes the user very happy cuz all they want is for their machine to function as advertised. So they don't really love the browser, they couldn't give two shits, they just know if it works on facebook, or takes forever loading up a 'heavy' page.
Essentially you are blaming the driver. Yes, you can't drive a SUV like you can a passenger, what Frontline uncovered was that even in low speeds, the SUV was unstable:
Furthermore, Ford knew this at least a decade before and did not address the situation directly:
Well, there's spam egg sausage and spam, that's not got much spam in it.
I did some reading up on this. I don't use Firestone tires, nor do I drive a Ford, so I didn't follow it too carefully. Last I heard, there was talk of a defect in the Ford assembly line that compromised the tires at the factory. That talk seems to have gone away though.
What I did find is, after rollover problems were found in their pre-sales testing, they reduced the recommended tire pressure from 30psi to 26psi. I guess it was a problem where the tires were too hard, so they softened them up a little to keep the truck from rolling over, possibly because of the high CG. This minor reduction in pressure wouldn't lower the CG much (like 0.0090") The rated max tire pressure was 35psi, which would cause problems if driven at highway speeds for a long duration. Depending on the tire, 30psi cold could easily become 35psi on a long trip. 26psi wouldn't be enough to make the tire overheat.
Car & Driver magazine did a test in the Explorers, inducing a blowout. With professional drivers on a closed course, the blowouts did not cause a rollover. It was likely a combination of a mechanical failure (blown tire) and poor emergency driving skills.
Serious? Seriousness is well above my pay grade.
I work for one of those such big FTSE companies. I tried using Firefox but repeatedly came across too many sites which either didn't work or rendered badly.
Off the top of my head, these don't work with Firefox:
The only thing which does work is the Safecom print queue system! Note that I'm not blaming the Firefox devs here, all the applications have been written to work in IE and IE only.
In the end, I still use Firefox but also have IE View running with a large list of domains to run in Internet Explorer. I tried IE Tab but it doesn't like ActiveX which seems to be the main issue on a lot of these sites.
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory
Almost true, but not entirely. I happen to prefer it over Firefox because if you use the Google Pack installer, it installs to Program files and installs google updater which keeps Chrome up to date, and refuses to let the updater be tampered with (even with runas) if the current user is not admin. Plus, I can (if i really need adobe reader instead of foxit) have Google Updater keep adobe up to date
TBQH I'm not terribly concerned with what google may be doing with anonymous data from the users as much as I am with the users having a browser that doesn't beg them to update by hand. At least with googlepack/chrome I can know they're always running the current version.
Sorry for double post, but forgot to mention that nothing prevents you from rolling your own GooglePack-Chrome MSI package and deploying that via GPO.
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.
If we measured the effectiveness of corporate IT by individual uptime (instead of by number of tickets closed), there would be a newfound appreciation for browsers that run in user space and resist infection. But with the economy the way it is, we need to "manage" as many things as we can get our hands on, lest management find out what we really do and how easily they could downsize the help desk by making better architecture choices.
In more than a few companies, IE "puts the beer on the table" for level 1 help desk technicians.
The place I work is still running IE 6. About 6 months ago they did a big effort to upgrade to IE 7, tested all their apps, and then decided that they weren't ready. There is currently no time table to upgrade to IE7 let alone 8.
A company I interned at had IE 4.0 for the longest time, even after 5 came out, and the latest versions of netscape....
I think what our friends at Microsoft don't realize is that big companies (especially big regulated companies) are really slow to move on things. Upgrade to IE 8 is not really a valid answer. A large regulated company will spend months testing, and in many cases it will take years to go upgrade. Now if IE didn't encourage people to violate web standards, then it wouldn't be that bad. But unfortunately it does and people do. So fixing things to work with IE7 or even IE8 after IE 6 is a pretty big deal.
So good luck with that. I know my company is going to be running IE 6 for at least another year, maybe more. They have to go slow because it is a financial company and they are subject to all sorts of SOX controls and regulations. Also upgrading browsers does not immediately generate revenue so it is not a high priority. They don't even use the right resources for testing so it drags out much longer than it should....
I worked at a Microsoft Fanboy company but even then it took a good 6 months to test all the apps with IE 7 and there the roll out wasn't company wide, just that division. There was also a project in Parallel to fix the issues and move all development projects to Visual Studio 2005. They properly staffed based on what they had, and it still took 6 months. And they were Microsoft Fanboys. I mean SQL Server 2005 comes out, they need to upgrade within a year. SQL Server 2008 comes out, they put on a project to upgrade within a year. Windows Vista comes out, they need to upgrade.... And even there 6 months time is a lot of time to be exposed to a vulnerability. And they are the exception not the rule.
For many companies a security issue or browser upgrade does not generate revenue and is super low priority....
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Given that any ClickOnce application does the exact same thing - and it is by design! - why single out Chrome in particular?
It's not like users can't use "portable" applications (like Firefox), either. And if you block USB and CD drives, they can still mail one to themselves, or download it from the web.
He may have a point, since most ASP programmers of old have "migrated" to ASP.NET + VB.NET ("migrated" here more often than not means "learned the minimum basic skills required to use the new stuff in the old way", and the code produced is usually horrible).
It's not a fault of .NET as such, rather than the fact that it was a designated migration path for those people.
Microsoft should have said to use Firefox or other browser in the meantime. That is real (at least temporary) solution and workaround for the problem.
Using IE6 problems to advertise IE8 is not.
Not sure what you mean. What the heck does support mean? Obviously, people have and do use other browsers as their default in windows. Which means that they are no longer vulnerable to ie's problems when surfing the web. What does support firefox mean? Training your staff to know where to click to disable bad extensions? Isn't that pretty trivial?
How difficult would it be to create a custom installation of firefox in the style of IEAK? It is open source...
I don't mean to say there aren't barriers to making the switch, but it seems in the light of all of IE's problems that it's much better in the long term to get away from it. As time goes on the list of excuses just seems to get lamer and lamer.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Comcast will not accept a non-IE browser. So, I suppose it does make sense to stay with msie, at least it's accepted by more websites.
Could you elaborate on this? This is not one that I have heard about. Yeah I may have been in a cave for a while or just not reading the right stuff.
I have a few clients that are chained to IE because they use ADP and they do not support ANY other browser because of an individual user cert that has to be loaded.
Hey KID! Yeah you, get the fuck off my lawn!
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with a computer startup script that checks if Firefox is installed; if it's not the latest version it installs the latest version. The downside of this approach is that I have to manually update the script every time there is an update, and this does nothing to update add-ons. IE at least gets updated via wsus and I don't even have to think about it.
Nonsense. We manage something like 2,800 apps centrally for 60,000+ desktops using a 3rd party tool. We have another 400 or so apps that we manage for our 11,000 servers. Total staff to package and update this environment? About a dozen.
Firefox is just another app to us.
Excuse me, HOW MUCH is Microsoft worth nowadays? And for all that money, they can't STILL YET seem to fix a bloody software problem? They can't still seem to get just ONE PROGRAM RIGHT? Not one? Even a teeny-weeny little program? And they're worth HOW MUCH MONEY? Just a simple program? What? Nothing?
YankDownUnder Veni, Vidi, volo in domum redire
Group policy is built into the OS? It'd be great if Firefox et al. added ADMX files to manage Firefox via the registry or somesuch.
As a web developer I am elated that this might help drop IE 6/7's market share. If in the near future I only needed to make fixes for IE 8 my life would be a lot easier.
Having a radio button somewhere that makes your OS vulnerable to a _KNOWN_ exploit is a really stupid idea.
You can only idiot-proof the OS so much. The end users need to have some responsibility for their actions.
It's like putting a lock on your door and leaving it unlocked. Should the lock manufacturer prevent you from leaving the door unlocked? They can, but then when you have a situation where you need the door always unlocked you're out of luck.
There are situations where you need to run IE and Windows in lower security modes, mostly due to poorly written legacy software. Microsoft can only help you so much, they have been pushing security since NT 3.1, most companies ignored the guidelines (AOL, Apple, Macromedia/Adobe, EA, Sony and Google to name a few HUGE ones). MS finally got tough with them with Vista and 7. The problem is, now lots of users run out and disable UAC or DEP because some app doesn't play nice with it, or they have to run Everquest as an administrator, because games need admin access for some reason, or older versions of AIM needed to violate DEP, or Google Toolbar wouldn't run in IE7 with high security on. Whose fault is this? MS for not breaking legacy apps, software companies for writing sloppy code, or end users for putting up with this crap?
note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker).
Sure and the legions that flocked to Java from trade schools and intro to CompSci 101 fared much better....
-- Posted from my parent's basement
Care to share how you enforce settings in Firefox and others?
I am a viral sig. Please copy me and help me spread. Thank you.
What about Chrome Frame Plugin? You could get security (and speed, standards and some other etcs) in internet sites and old IE6 renderer for the intranet, all in the same browser.
https://developer.mozilla.org/En/A_Brief_Guide_to_Mozilla_Preferences
If the administrators can write to the application directory and prevent the user from doing so, then they can enforce profile settings in Firefox (and almost any Mozilla app).
Now I am an expert in this area but is this: (http://www.frontmotion.com/), not a centrally managed Firefox?
Troll is not a replacement for I disagree.
I have been around long enough to remember when a browser was JUST a browser (no, I am not talking about Lynx) but early versions of Netscape.
The problem is fundamentally one of overreaching.
It is all part of the "Hey look what I can make this thing do!!" syndrome.
And yes this is a syndrome and all of us, myself included, are suffering from it. We want to impress our peers, we want to make the computer sit and beg, rollover and play dead whatever ...
NONE of this yummy was ever thought all the way through and I mean since HTML version 0.01, CSS 0.01 and beyond. We still have the checkbox control that is never returned by the browser unless it's checked! And how long have we all had to write stupid workarounds for that stupidity.
We want the browser to be everything: text rendering program, application container, remote control device, you name it. We gave it the ability to get to the OS (upload files through your browser much?), we started giving it hooks into everything without thinking about the consequences of our actions, "Hey let's make the browser a Word Processor, let's make it a spreadsheet!! Hey wow look at what I can do!", let's give it a scripting language, let's give it the ability to do XYZ and all of that has to hook into the OS at various levels.
In typical Microsoft style they had to one-up everyone and do it badly, but we led them down this garden path, so really we have no one to blame but ourselves for the current mess of security problems that affect all browsers but more so Microsoft because they chose to allow the browser to go even deeper into the OS than anyone.
Hey KID! Yeah you, get the fuck off my lawn!
I believe most browsers run in user space.
I change the icon for Firefox to the IE icon, and most users don't even notice it is not IE. Works great!
Our administrative staff actually love Firefox once we set up Forecastbar for them. Something about having the weather constantly displayed brings them inner joy and peace. Plus then they don't ask for Weatherbug which we have had problems with in the past.
Unfortunately noscript was too difficult for the majority of them to grasp. Once they realized how to allow everything that is what they did. Go to a page, it doesn't work, & click allow. So we compromised and use Adblock & Flashblock. Doesn't protect from nearly as much as noscript, but less confusing.
Don't anthropomorphize computers. They *hate* that.
That's a bad analogy, because the TFA only suggests customers to upgrade to IE8 from a previous version. It doesn't appear to be a money grab, i.e. (no pun intended) there's no recommendation to switch from say Firefox to IE8.
#1. They are still recommending that you upgrade from one faulty product to another.
#2. You're absolutely right. They are NOT recommending a different browser, and therefore, it is absolutely about a money grab. Remember that there are literally millions of potential waiting in the wings with aging hardware looking to upgrade to a new computer and new OS at any given moment. I'd say Microsoft is doing everything in their power (with right or wrong recommendations) to keep said group from upgrading to a Mac.
Claim, no of course not. A claim is something you can be held to.
Microsoft merely wish to imply this.
Calling someone a "hater" only means you can not rationally rebut their argument.
The problem is you need to invest a lot of time, money and expertise into setting something like that up. For a big shop like yours, that's no problem - the cost of initial setup is easily justified by the fact you have to manage 60k+ desktops and over 2,000 apps, and doing that manually would cost a fortune.
Most of us aren't that large though. We've got maybe 150 desktops/laptops, which is enough to make managing them manually impractical, but not enough to justify purchasing and learning systems management and package management software and the ins and outs of crafting your own package for each application and so on.
You say that "Firefox is just another app to us", but I'm sure you (or someone) spent a long time figuring out how to pull apart the installer and repackage it for your environment and to have everything working for the users but without giving them too much control over bits you want/need to manage centrally, and so on. Again, if you're already set up and have the knowledge of doing that for thousands of other apps, it's not too big a deal. But for us, nobody has that knowledge, and even if they did, nobody has the time to sit around working out how to repackage the application of the month; especially when it's only going to be required by a handful of people.
So either you need to buy some fantastic systems management software ($$$) and hope the vendor supplies packages/scripts/instructions for packaging the apps you use; or you buy packaging tools and learn to do it yourself ($$ + time), or you just use the stuff that more-or-less works out of the box ($). It's no surprise then that most smaller shops use Microsoft's software across the board, and then manually manage installs of additional software in the few cases where they're really needed.
I was listening on the radio this morning and a supposed Microsoft statement was read out on ABC (Australia) AM. As well as upgrading Internet Exploder they also recommended 'users of Windows XP' upgrade to later versions of Windoze.
Microsoft even exploits bad publicity for their upgrade cycle.
Linux has bugs. Windows has holes. I am +10/11GMT.
I guess the "go fix your shit and don't come back until it's done" mentality is rather dead these days...
Internet Explorer has been vulnerable since the first version, but that's still what most people use. Microsoft says to "upgrade" anyway. And most people will -- whether Microsoft fixes their shit or not.
The productivity wasted as 80 percent of the country's computer users install patches every week or two has to be staggering. And you'll still be vulnerable. Not to worry, though. Another security patch will be on the way.
No registry hacks are necessary to set configuration information in Firefox. It's all text files, the way God intended config files to be. :)
Why? Each application on a machine is that many more potential vulnerabilities which need to be managed for risks. If users are allowed to install applications that aren't managed by IT, they cannot guarantee the security of the network or the integrity of the systems. Google Chrome may have privacy issues which make it unacceptable for use, for example. Plus, it automatically updates, which may or may not cause problems of its own (if it breaks, consumes too much network bandwidth, etc.).
This was kind of the reason the user/admin dichotomy was created. It's pretty basic stuff. Chrome makes it easy for users to ignore IT policy by ignoring the conventions for Windows programs.
The road to tyranny has always been paved with claims of necessity.
Yeah and it'd be awesome if there was a standard way to configure it to trust certain sites, certificates, etc, from group policy. And for said group policy to work cross-version or at least present all versions simultaneously. The group policy extensions for IE show 5-6, 7 and 8 simultaneously, for example.
You're clearly assuming a Windows centric view of system administration that spends more time re-inventing the wheel badly than it does in getting the job done. There are lots of other ways to accomplish the same task that are cross platform. Cross platform apps tend to prefer such methodologies. :)
For example, since we are talking about text config files: Simply parse and insert the correct verbiage in a template file once. Package it with your favorite distribution tool and you're done.
Need to update a text file company wide? Just push it.
Need to automatically create a diff and only insert changes? That's a solved problem and has been since Unix was first deployed more than 30 years ago. All of it triggerable in a multitude of ways.
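The approach several comments above describe (administrator-owned text files in the Firefox application directory that lock settings, pushed and diffed like any other config), as an added example that is not part of the original thread. It uses Firefox's AutoConfig mechanism (a loader file under `defaults/pref/` pointing at a `mozilla.cfg` of `lockPref()` lines); the policy values, hostnames and the sample deployed file are constructed, and the function names are hypothetical.

```python
import difflib
import json
import re

# Loader placed in <install dir>/defaults/pref/; it points Firefox at the lock file.
AUTOCONFIG_JS = (
    'pref("general.config.filename", "mozilla.cfg");\n'
    'pref("general.config.obscure_value", 0);\n'
)

# Constructed sample policy; the values are illustrative choices.
POLICY = {
    "browser.startup.homepage": "https://intranet.example/",
    "network.proxy.type": 0,
    "signon.rememberSignons": False,
}

# Constructed sample of a lock file found on a desktop: one value changed, one missing.
DEPLOYED = (
    "// managed by IT, do not edit\n"
    'lockPref("browser.startup.homepage", "http://changed.example/");\n'
    'lockPref("network.proxy.type", 0);\n'
)

LOCK_RE = re.compile(r'^lockPref\("([^"]+)",\s*(.+)\);\s*$')

def render_lock_file(policy):
    """Render mozilla.cfg. Firefox skips the first line, so it must be a comment."""
    lines = ["// managed by IT, do not edit"]
    for name in sorted(policy):
        lines.append('lockPref("%s", %s);' % (name, json.dumps(policy[name])))
    return "\n".join(lines) + "\n"

def parse_lock_file(text):
    """Read lockPref() entries back into a dict, ignoring the first line."""
    prefs = {}
    for line in text.splitlines()[1:]:
        m = LOCK_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs

def drift(policy, deployed_text):
    """Unified-diff lines between the deployed file and the expected one."""
    expected = render_lock_file(policy).splitlines()
    return list(difflib.unified_diff(deployed_text.splitlines(), expected,
                                     "deployed", "expected", lineterm=""))

def changes_to_push(policy, deployed_text):
    """Prefs that are missing or differ; compared as JSON so 0 and false stay distinct."""
    have = parse_lock_file(deployed_text)
    return {k: v for k, v in policy.items()
            if k not in have or json.dumps(have[k]) != json.dumps(v)}
```

The locks only hold if users cannot write to the install directory, which is the condition the comment above states.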