France Tells Its Citizens To Abandon IE, Others Disagree

Freistoss writes "Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers to attack Google. After sample code was posted on a website, calls began for Microsoft to release an out-of-cycle patch. Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch. Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well." PCWorld seems to be taking the opposite stance arguing that blaming IE for attacks is a dangerous approach that could cause a false sense of security.

Tear down

[drDugan]

"Don't Kill the Messenger: Blaming IE for Attacks is Dangerous"

Actually, IE is not the messenger, its the source of at least one know security hole that participated in this problem.

The article fails to explain how blaming the software with a known exploit is dangerous.

They assert it will create a "false sense of security" because there exist other methods of attack (other software with security flaws). Even if they did have support for other security holes, this reasoning is an absurd logical fallacy. Amazingly, the author doesn't even have support for the premise of the illogic it's based on an *implication* from a quote by McAfee CTO George Kurtz.

  FTA:

The main thing to keep in mind is that these attacks go beyond Internet Explorer and that simply switching browsers is not an adequate defense.

This is completely absurd FUD. IE *was used*, it is insecure, and there is no fix (yet). These conclusions come right from this article and others.

Obvious conclusion: use different software. This conclusion is also supported by the long and consistent history of security issues with IE. I think, after reading this and other articles, it is more dangerous to continue to assert that IE is secure.

Re:Tear down

[Blakey+Rat]

I think the big issue is "people are not upgrading."

There should be zero copies of IE6 in the wild right now. I don't care how big your corporation is, how shitty the "enterprise" software you purchased back in '99 is, but figure it the fuck out and get your people off IE6 right now. And then? There's no excuse for this bullshit, and I don't want to hear any sob stories.

IE7 has been out now for over 3 years, if you can't figure out how to move to it by now, you should be fired.

Re:Tear down

[Dynedain]

You're right, people aren't upgrading - because that costs money and the mantra "If it ain't broke, don't fix it" trumps all when it comes to finances.

There are plenty of machines and tasks out there that Windows 2000 is still perfectly adequate for. Replacing Win2K with WinXP or later is a non-zero cost (both in labor and licensing) and may trigger many other software and hardware upgrades or replacements. IE6 is the last version available for Win2K and I'm sure many Win2K installations won't be replaced until complete hardware failure occurs.

Granted, at my office we can get away with installing Firefox on all the Win2K boxes - but that's not a solution for everyone as many of those stupid "Enterprise" level web apps only work on IE.

Everybody knows OTHERS are stupid...

[viraltus]

duh!

False sense of security

[sunderland56]

PCWorld seems to be taking the opposite stance arguing that blaming IE for attacks is a dangerous approach that could cause a false sense of security.

Well, of course they'd say that - they are running a PC/Windows/Microsoft magazine, after all.

AppleWorld, on the other hand, has been blaming hacker attacks on Microsoft Windows for many years now - and the general population seems to agree with them, even though it does lead to a false sense of security in OSX.

Importance of Competitive Choices

[reporter]

This incident underscores the importance of fighting monopolies and ensuring the availability of competitive choices. If Microsoft had succeeded in driving all other browsers out of the market in 2000, then today, we would not have any other choice and would be forced to use a browser with a dangerous security risk.

We should applaud the recent work by the European Commission in demanding that Microsoft design their European version of Windows to allow users to choose the browser that they want -- thus, allowing them to never install Internet Explorer. The European Commission has been better advocate of free-market competition than the American Federal Trade Commission.

Therein lies a bit of irony. Washington often claims that the USA is a freer free market than the European Union. Yet, the Union is the political body which hit -- hard -- Microsoft's anticompetitive behavior.

Re:Importance of Competitive Choices

[Blakey+Rat]

Microsoft didn't driver browsers out of the market, Opera was "in the market" the entire time you're referring to.

Microsoft's (serious) competitors gave up, once that happened, Microsoft had no incentive to work on improving IE whatsoever. If Netscape had continued to put out products instead of doing their bullshit rewrite crap, none of this would have happened in the first place.

That's not to say Microsoft has no blame, but on the other hand if Netscape had stopped releasing products *regardless of the reason*, we would have ended up with the same problem.

Re:Importance of Competitive Choices

[jadin]

Therein lies a bit of irony. Washington often claims that the USA is a freer free market than the European Union. Yet, the Union is the political body which hit -- hard -- Microsoft's anticompetitive behavior.

You just disproved your own statement. A free market would allow a monopoly to continue it's anti-competitve behavior even to the detriment of the market. You're arguing for better regulation not a freer market.

[note: unless my definition of free market is off, which is quite possible]

Re:Importance of Competitive Choices

[SydShamino]

Microsoft didn't driver browsers out of the market, Opera was "in the market" the entire time you're referring to.

That's the "If" in "If Microsoft had succeeded".

Netscape gave up because their business model was completely undercut by the fact that Microsoft made IE mandatory on every computer sold. Opera survived as a niche, and Mozilla was born from Netscape's ashes, both of which are signs that Microsoft didn't succeed.

Re:Importance of Competitive Choices

[nmb3000]

If Microsoft had succeeded in driving all other browsers out of the market in 2000, then today, we would not have any other choice and would be forced to use a browser with a dangerous security risk.

This is a completely invalid argument and I can't believe you're at +5 already. The rabid anti-Microsoft/IE crowd is out in force today I suppose.

Even if every single browser other than IE stopped development in 2000, what bearing at all does that have on potential future development? Firefox was released in 2004, some four years after your hypothetical extermination of all other browsers. Are you suggesting that if IE was the single available browser that Firefox wouldn't have been developed? I suggest the exact opposite - if IE stood alone development would have been accelerated. The funny part of your claim is that for all intents and purposes IE did drive all other browsers out of the market circa 2000 if you consider pure market share. This fact alone pretty much nulls your argument.

For you car enthusiasts, it's like saying that if Henry Ford had driven (ha ha) all other car companies out of business back in, say, 1905 with the Model T then the only choice we'd have today for a vehicle today would be a Ford. Obviously this is completely bogus.

We should applaud the recent work by the European Commission in demanding that Microsoft design their European version of Windows to allow users to choose the browser that they want

No, we shouldn't. Users of Windows were already free to choose any browser they wish to use; there was no increase in "freedom" due to the EU's meaningless requirement. You can argue that giving the user the option to remove IE from their system is good, but even that is of marginal value considering the technical aspects (only the UI is removed, the core rendering engine remains to support applications that rely on it).

If Microsoft was preventing users from downloading or installing alternative browsers I would applaud the actions of the EU. Unfortunately this isn't even close to reality and all they've really done is make using the operating system more confusing for new users. Every single modern operating system comes bundled with software and users now expect this. They want a web browser and a multimedia player out-of-the-box, both reasonable expectations. I've yet to see a situation or practical explanation which shows that requiring a "ballot box" for either application has any meaningful bearing on user freedom or choice.

Therein lies a bit of irony. Washington often claims that the USA is a freer free market than the European Union.

You do realize that in a truly free market there wouldn't be any governmental oversight, right? As soon as the government starts throwing its weight around a certain amount of freedom is lost. Sometimes this is a good thing, but don't try to twist that into being more free.

Yet, the Union is the political body which hit -- hard -- Microsoft's anticompetitive behavior.

Has Microsoft engaged in anti-competitive behavior in the past? Yes. Is their current bundling of IE and WMP with Windows anti-competitive? No.

Re:Importance of Competitive Choices

[Korin43]

So in other words, Microsoft "conquered" the market by making the best product, and then once they stopped producing the best product, other companies began reentering the market? It's almost like the free market destroyed a monopoly, but of course that's impossible because everyone knows that the free market props up failing businesses.

Re:Importance of Competitive Choices

[bargainsale]

No, they conquered the market by abusing their dominance of the desktop OS market to crush competition, by twisting the arm of vendors to make them ship all their computers with the MS inferior product preinstalled.

If it had really been a superior product, nobody would have been making a fuss. It wasn't.

Possibly you also believe that Windows' stranglehold on the desktop is due to the intrinsic virtues of the OS too?

Re:Importance of Competitive Choices

[Low+Ranked+Craig]

Because if you don't ship a browser with the OS most people would never find the Internets. I never understood this from an anti-competitive perspective. If I remember correctly, a significant factor in the MS case was that you couldn't uninstall the browser, which I again, don't really understand. A browser is integral to most computers. If you don't ship the OS with a browser, most users wouldn't be able to get on the net to find a browser. I suppose that not allowing an FTP client on the system would be next? The whole "distributing IE with Windows" is anti-competitive is predicated on the fact that if IE exists on the system most users will be too stupid to make their own choices, which in fact may be true, but I'm not a big fan of protecting people from their own stupidity by making life harder for others. I HATE IE. Do I want Windows to ship without it? No. That would make downloading Firefox that much more difficult. Using this logic cars shouldn't ship with stereos installed because that is anti-competitive vis-a-vis aftermarket manufacturers.

Re:Importance of Competitive Choices

[Low+Ranked+Craig]

In a Free market there could not be a monopoly.

In a free market there can absolutely be monopolies, and monopolies are not in and of themselves illegal.

In a free market everyone can decide to purchase services or products from the same vendor. That's not a problem. The problem come into play when the monopoly starts using their position in an uncompetitive manner, like by requiring system builders to install only your browser, and punishing them if they do otherwise. This behavior is perfectly acceptable in a fragmented market, but not in a monopolized one.

Re:Importance of Competitive Choices

[Blakey+Rat]

If it had really been a superior product, nobody would have been making a fuss. It wasn't.

I'm sorry, do you *remember* Netscape 4? IE was a far superior product, on both Windows and Macintosh. (And on Macintosh it won the market fair and square, there being no "stranglehold.")

Re:Importance of Competitive Choices

[supremebob]

That said, if Netscape actually made a browser that was worth a damn during the reign of Internet Explorer 5 and 6, it might still be around today.

Keep in mind that Internet Explorer is STILL bundled on almost every new PC that's been released in the past ten years, yet competitors like Firefox and Chrome have taken significant market share from it. Why? Because Mozilla and Google finally put out a better product that was faster, more secure, and and cooler features.

Re:Importance of Competitive Choices

[dhavleak]

The problem come into play when the monopoly starts using their position in an uncompetitive manner, like by requiring system builders to install only your browser, and punishing them if they do otherwise.

Such an arrangement does limit choice -- but it limits choice irrespective of market shares/monopoly status. Either such deals should be legal (at 5% market share or 95% market share) or they should be illegal (at 5% market share or 95% market share). Same rules for all players, and no need for antitrust-law and all the associated politics. Same case with protocols, file-formats, etc. Either everyone is required to license their formats/specs/IP at some pre-determined cost, or nobody is. It makes no fucking sense to always wait for someone to become 80%-of-the-market big and then introduce all kinds of retarded special-cases under which they need to operate.

Re:Importance of Competitive Choices

[Capsaicin]

I'm really confused...

That's because the real world comes in shades of grey. A free market cannot exist without some intervention of the state. Minimally a state has to defend against Viking raiders and to establish legal property relations.

Moreover the free market obeys the dialectic of things tending towards their own negation. That is to say the goal of participants in the free market is to eliminate the competition creating a monopoly in a market and thus to defeat the freedom of that market. Rather cruelly, this is when the state is once again required to step in move the goal posts. You've got to feel sorry for successful corporations, don't you?

Re:Importance of Competitive Choices

[Andrew_T366]

I remember Netscape 4. In fact, I was using it semi-regularly (albeit on my Windows 3.1 computer) as late as 2003.

Although it wasn't quite as lightweight as Netscape 3 (which was undoubtedly their high-water mark), it was generally stable and ran just fine on a 486.
It had none of the security issues that Internet Explorer 4 invited by going above and beyond the definition of what a web browser should do.
If it crashed, it seldom took the whole system down with it as IE would always do.
It didn't take the entire system hostage. It left the Windows shell well enough alone. It was uninstallable, like a normal application.
Its rendering capability was no worse than IE 4's. (If it seems worse now--and frankly, most people haven't used IE 4 in years so they don't really know--that's only because IE got ahead of it in rendering capability after Netscape had its air supply cut off and was in a mad scramble to do anything other than fade away without a trace.)

It was a more robust browser than IE 4 in practically every way. And if Netscape had been able to develop the software in a more natural manner (a la version 1-3) without a monopolist breathing fire at their heels with blatantly-illegal marketing practices, I'm sure it would have been better still.

(And before you claim that IE won the Macintosh market "fair and square," remember that Microsoft threatened to discontinue Office for the Mac if Apple didn't bundle IE as the default browser on its systems.)

Re:Importance of Competitive Choices

[Artifakt]

In the theoretical free market, everyone has perfect knowledge of the values involved. For example, the person signing a mortgage knows everything relevant to the same extent as the bank issuing it. Obviously, that fits your shades of grey model. When a state, for just one example, makes efforts to require people with inside knowledge to reveal it to the people they are negotiating with, that is actually a move towards a perfect free market. Let me repeat that for the people who think they are capitalists but are really Mercantilists or something - State involvement is a fundamental method of getting and preserving free markets, not an anti-market force.
      The theory behind antitrust law is the government has to step in when a monopoly is being abused, not merely because it exists. This can include both situations where a monopoly is damaging other businesses and, alternatively, where it is damaging the public at large.
      Microsoft's influence over the hardware market might be considered an example of damage to other businesses - either established businesses such as Gateway or AMD, or possible startups we may have never heard from. This story, on the other hand, is about a case of possible damage to the public, and has little or nothing to do with the other possible abuses.
      Many of the EU/Microsoft claims have involved damage to other businesses. They don't really prove anything about what Microsoft has done to the public one way or another - this claim has to stand or fall on its own. France's publicising the vulnerability is a move to provide more perfect knowledge, so it's arguably an effort towards a more perfect free market. In fact, it's up to the people criticising France to show how there's a flaw in the action - it's normally what a State should do, some would argue what a State is required to do, and moves things closer to a free market, unless there is a substantial falsehood in France's claim.

Re:Importance of Competitive Choices

[Artifakt]

The reason monopoly matters, is it's a precondition for success at anticompetitive or abusive conduct.
        Imagine a situation where somebody makes a threat against another person, specifically a threat to beat them up bare handed. If the person making the threat is an 87 lb., wheelchair bound person with a known heart condition, threatening a normally healthy adult who could evade the attack by simply walking away, what does the law say about the normally healthy person claiming they were so threatened they had to draw a pistol and empty it into their 'assailant'? Now, let's flip the situation - the person making the threat is a 245 lb. linebacker, he has already picked up a 2x4 with nails in it, and he is blocking the only exit. What does the law say now?
        Monopoly is somewhat like that - it's a claim that the business had the power to be able to act badly successfully, when without that power, whatever it was doing doesn't need the law to stop it, because it would have failed, or done so much damage to the company that it wouldn't have been worth it. If a company with a 5% market share tells vendors "We won't give you a discount rate unless you don't bundle our competition." the vendor laughs and walks off. At 80% or more, apparently they give in. The law doesn't need to act in the first case - a threat that has no teeth resolves itself.

Re:Importance of Competitive Choices

[mstahl]

The problem wasn't that a browser is really important and everyone needs one; the problem was that Microsoft had integrated their browser into the operating system in such a way that the operating system itself could not work without it, effectively making it impossible to uninstall it even if the user preferred another browser. Part of what makes other browsers more secure than IE de facto is that they don't have their tentacles as deep into the system as IE does. I'm sure someone will shoot back that it's not true, but really if you have a browser that's able to change system settings like IE can without asking for a password first, you're doing it wrong.

Nobody's really proposing that windows ship without a web browser; I think the current idea is to force them to give users a choice of web browser when they install it.

Re:Importance of Competitive Choices

[JAlexoi]

In short: Free market is as much a utopia, as much as communism is a utopia.

Don't switch?

[mounthood]

"You may also have web-based applications that don't work well, or even at all, unless they are accessed with Internet Explorer. That's not going to be good for productivity. And finally, what if your replacement browser itself turns out to contain a vulnerability? Are you going to switch again?"

That's the sort of shallow, thoughtless attitude that got you stuck with IE6 in the first place.

Re:Don't switch?

[Jeff+DeMaagd]

I guess having more than one browser installed is apparently something that would cause the universe collapse. It's not something that really takes much work either, if there's a known bug, use something else until it's fixed.

I blame the IE 'mentality'

[brxndxn]

I remember Steve Ballmer screaming 'Developers! Developers! Developers! Developers!' and that has been the IE 'menality' ever since. The mentality is "Give the developers (especially big huge companies like Microsoft, Adobe, Symantec, Google) complete control over the users' computers just by clicking 'ok' in Internet Explorer one time." That has got to be seen as a security hole. Every goddamn piece of software now wants to run as a service, check for updates, annoy the user, and prioritize itself. For example, once you install Adobe Flash, it is there.. on every web page.. despite whether the user might want to choose not to load the annoying flash for that particular web page. I am not complaining just about flash - just about the lack of options to make installed software optional. Why can't I have an option to 'right click, show flash' on all my flash animations? and for that matter.. all other software that wants to open by default without giving me an option to save?

Here's how I would make IE more secure in a general sense:

1. Program the 'stop' button as the highest priority. IE is useless if it decides it has to load an entire complicated web page (or malware site) before I can click 'stop' and cancel all of it.

2. Put options in IE to disallow resizing of IE windows by script, removing of toolbar buttons, preventing the user from resizing windows, and using 100% of system resources to process a web page.

3. Remove the ability for a 'Windows popup button' to prevent the user from stopping a script. How asinine is it that a web page can merely repeatedly pop up system messages forcing the user to click ok before allowing the user to click stop? IE screws this up royally with Java helping.

4. Put a 'cookie tracker' right inside Internet Explorer.. Allow the user to control whether a site can modify a cookie. Notify the user (at the bottom status bar - not in his fucking face) that 'a cookie was created or modified' when visiting a web page. User might get suspicious when his favorite porn site tries to modify the 'gmail' cookie.

5. Never allow web pages to stop me from right-clicking. Fuck you. It's my computer.

I'm sure there's a whole lot of other things I could say that Microsoft will continue to ignore..

Re:Actually not that bad of a suggestion.

[sakdoctor]

The two faces to this argument are that IE on windows gets hacked left right and centre because it's popular, and that (picking a browser at random) KHTML is ONLY secure because it's very obscure.

OpenSSH has a massive user base, and is practically a monoculture in remote access on the *nix platform. An exploit would be extremely valuable ... Oh right, it turns out security is a physical property of a system, and not just some statistic.
Bottom line is that IE really has sucked all its life; and not just statistically.

Re:PCWorld is ignoring security

[Thundarr+Trollgrim]

PC World make a lot of money providing malware / virus removal for non-tchies, selling anti-virus software and more importantly, selling new computers to people whose old computers have slowed down due to misuse, rather than cleaning them up.

It's not really in their interest for people to use more secure browsers.

This is exactly why I let my kids play with

[nedlohs]

the toys we know have been painted with paint with high amounts of lead in it.

After all, if I took those away from them I'd just be giving myself a false sense of security since it's likely there are some other toys with lead in them that I don't know about.

Same reason I smoke, sure I know smoking causes cancer but not doing it would just give me a false sense of security given there are numerous other things that also cause cancer.

IE8 Not vulnerable? Microsoft seems to think it is

[RobertM1968]

But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.

Someone needs to do a lot better research when writing these articles or posting them to Slashdot or both.

THIS is blatantly wrong:

Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well."

Heck, simply reading Slashdot would have turned up this:
Slashdot Article on this

Or this from Microsoft themselves which states even Microsoft believe no such thing.
Microsoft Admits IE7 and IE8 are vulnerable to this too

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

I posted something similar about this days ago on yet another similar topic, but was laughed at by the MS/IE zealots who claim Microsoft said only IE6 is vulnerable... so, since they cant read obviously, there it is again... with the relevant section BOLDED this time.

C'mon folks, these RCEs are not new stuff, and seem to exist in EVERY version of IE since the beginning of time till now with "patches" that never fully address the issue (hence, as MICROSOFT themselves noted, this issue is... well... still an issue... even for IE7 and IE8).

Their lame (see story link above) answer that people should upgrade to IE8 as if that was the solution to this problem is idiotic. Yeah, people should upgrade to IE8 (if their machines can actually run it - some of my clients have older, slower machines and no budget to replace them)... but Microsoft should also be working on actually fixing all the RCE exploits and buffer issues in the IE line.

Regardless, my point is, with so much coverage over this (on Slashdot alone), you'd think the "Story Approvers" or author would have gotten that glaringly misleading (and incorrect) point correct. Oh well.

The Part I don't Get.

[jellomizer]

While Microsoft won the browser war they failed their objectives.

The point of winning the browser war was so Microsoft could change the direction of web standards, eg pushing Active X except for Java Applets. VB script vs Javascript etc. This failed miserably for Microsoft now they are putting time and effort into IE a Free OS Addon to the product and they are not getting anything really out of it. Except for this big push to make IE seem like this great browser they should just well use Firefox it is just as good if not better, we will keep IE going and as secure as possible for a while but will phase it out in about 10 years.

Staying #1 in the browser market where every version you are pushed to follow everyone elses standards is just a wast of your time and money, espectially when you have a slew of other people making good alternatives. Firefox, Chrome, Safari, etc... That really want to follow the standards. Let IE fall too 20% market share, this is OK.

Re:Are the changes that different from Win2k and X

[RoboRay]

Well, that plan wouldn't sell any new copies of Win7, now would it?

I'm sick and tired of reading that crap

Every single time EU regulates USA companies, some Americans come and say "They are just being hard on USA companies". But no. They have been very strict to other companies too (Just google about EU and Samsung, Siemens, ABB, Alstom, Saint-Gobain... The list really goes on. Go ahead, check by yourself. They have been handing out massive fines here and there for anti-competitive practices.).

It's just that the media in USA doesn't pay that much attention to EU fining european companies. In addition, european countries in general have stricter regulation on national level so antitrust investigations on smaller european corporations are done at that level.

Re:love the recommendation

[Fluffeh]

"Hey, I heard you're running IE6. You know that's there's an alternative that's safer and free? It's called INTERNET EXPLORER NUMBER #(!&#* 8!!!!!"

Don't be so simplistic. Yes, I know it's free. There is a good chance that most people know it's free. However, things just aren't that simple. I work for a large company based in Australia (around 200k employees) and the SOE here is Win XP, IE6, Office 2002 (Yes, 2002). We have access from our licensing to upgrade to the latest office versions for free, but the real cost would be massive. We can certainly go out and upgrade our SOE to use IE8 which is free, but again the cost would be massive.

A free download doesn't mean there isn't a cost associated with it. You need to take into account all the things like training users (many of which aren't tech savvy) to use the new functions, ensure that all of our intranet which is mainly created in Sharepoint Portal Server 2003 work with the new browser (there is a LOT of rather funky and archaic code running that, which certainly doesn't work in Firefox for example). Oh yeah, what about all the people who suddenly "lose" all their favorites and links to pages they use? Then look into the costs of raising all the problems with helpdesk, managing those, the time it takes to explain to people again how to do something they need to do for their job.

Now, with all that in mind, you can see how it is difficult to convince upper management that upgrading to something with more security rather then spending that same money on developing something else is a tops idea. However, you might just get them more inclined to agree if the government of your country is saying that even their experts are suggesting it's a worthwhile investment of company time and money.

Locks and burglars

[Exitar]

Of course if a burglar breaks in my apartment thank to a defect of my lock and steal my fornitures I blame the burglar for the theft.
But I change my lock afterward.