Slashdot Mirror
Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit can not work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.
So saying it is a 'problem' on Vista or Win7 is stretching the truth.
Yeah use our cool browser that reports almost all of you browsing back to us. We won't be evil, we promise!
My addiction: Arguing with idiots. AKA Slashdot!
That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.
After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes the browser of choice for public Internet use?
* note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker). Also, there's the fact that Microsoft has a lot of old baggage around that it can ill afford to simply stop supporting.
Quo usque tandem abutere, Nimbus, patientia nostra?
it's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. the biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.
How is this a troll? What he said is true.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
The road to tyranny has always been paved with claims of necessity.
Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Fords one SUV model.
As usual, another analogy on /. fails...
Your comment is outrageous. The submission consists of a factual statement and some literal quotes from Microsoft.
If this is FUD about explorer it is Microsoft FUD about explorer and not the submitters.
Fair point on the former, but the latter could be managed to an extent via GPO - you just have to roll your own policies to do it.
Quo usque tandem abutere, Nimbus, patientia nostra?
The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?
I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they appologize?
(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)
WTF? First of all how do .NET programmers have anything to do with IE6 installs? Second - why pick on .NET and not on Java which came first or even Python and Ruby which claim to be even easier? Oh yeah... the first from Microsoft and the others are open source... And btw these programmers you are talking about would still be employed and would be doing much more damage if it was not for .NET and Java to keep them from producing billions of buffer overflows and memory leaks.
It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?
Isn't it past time that things changed?
Pain is merely failure leaving the body
(due to hordes of crap .NET programmers*)
You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.
I am TheRaven on Soylent News
We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.
The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.
I'm a virgo and on Slashdot. Coincidence? Yes.
Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
That is a misrepresentation, at best.
The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Actually, IE5 is the only version not effected. You should be downgrading not upgrading.
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
"But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT depatments.
http://p8ste.com - Web based Clipboard
If you had any idea what OP was talking about, you're realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.
Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
That's simple B.S. Every person I deal with in supporting their machine I get rid of every shortcut to IE and tell them that they have a new browser. They all love Firefox and Opera. I use Firefox (with noscript) to fix computers with alot of kids. This is good because some kids click everything they can find online! For slow systems I install Opera. It uses the least system resources and starts the fastest. This makes the user very happy cuz all they want is for their machine to function as advertised. So they don't really love the browser, they couldn't give two shits, they just know if it works on facebook, or takes forever loading up a 'heavy' page.
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration.
Ya, well then you're going out of your way to make yourself vunerable again. At which point, I'd have to ask... why did you bother to upgrade?
Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collective hands. We decide how and when Firefox is fixed and we decide how thorough that fix is.
And to the average user, there is no differnce. They'll have to way for FF to update itself to get the patch as well, as they're waiting on the mozilla people to do so.
So while you're probably not a programmer
Actually I am.
, like most computer users, you have options with Firefox that you don't have with IE. You could learn to program and help fix Firefox's code. You stand virtually no chance of doing this with IE's code no matter how expert you become. It is of no help to look at this as though Firefox hackers are your workers so you can sit back and wait for them to deliver a fix ("I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out?").
Ya, in the real world, thats not going to happen. By the time the average user learned to progam, they'd be a new version of both IE and FF out already. As I explained, to the average user, there is no difference between FF and IE; either browser you're still at the mercy of a 3rd party for a patch.
Software freedom changes the game by giving you permission to control your computer; the more free software you run, the more control you have. Like with any other freedom how much of that permission you're willing to leverage is up to you
No, it doesn't. It puts users are the mercy of the OS community (which has an attitude "if you didn't pay for it you don't have a right to complain") instead of a company. But at the end of the day, its the same for them. Don't be delusional; people just want to USE their computers, not spend time learning to program to fix other people's software.
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with computer startup script that checks if Firefox is installed, if it's not the latest version it installs the latest version. The downside of this approach is that I have to manually update the script everytime there is an update, and this does nothing to update add-ons. IE at least gets updated via wsus and I don't even have to think about it.
Nonsense. We manage something like 2,800 apps centrally for 60,000+ desktops using a 3rd party tool. We have another 400 or so apps that we manage for our 11,000 servers. Total staff to package and update this environment? About a dozen.
Firefox is just another app to us.
https://developer.mozilla.org/En/A_Brief_Guide_to_Mozilla_Preferences
If the administrators can write to the application directory and prevent the user from doing so, then they can enforce profile settings in Firefox (and almost any Mozilla app).