Slashdot Mirror
France Tells Its Citizens To Abandon IE, Others Disagree
Freistoss writes "Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers to attack Google. After sample code was posted on a website, calls began for Microsoft to release an out-of-cycle patch. Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch. Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well." PCWorld seems to be taking the opposite stance arguing that blaming IE for attacks is a dangerous approach that could cause a false sense of security.
The link to the official French recommendation is here: CERTA-2010-ALE-001
Quoting from it (rough translation): "while waiting for the editor [Microsoft] to correct this vulnerability, we recommend people use an alternate browser.
--
are you a startup founder looking for co-founders?
"Don't Kill the Messenger: Blaming IE for Attacks is Dangerous"
Actually, IE is not the messenger, its the source of at least one know security hole that participated in this problem.
The article fails to explain how blaming the software with a known exploit is dangerous.
They assert it will create a "false sense of security" because there exist other methods of attack (other software with security flaws). Even if they did have support for other security holes, this reasoning is an absurd logical fallacy. Amazingly, the author doesn't even have support for the premise of the illogic it's based on an *implication* from a quote by McAfee CTO George Kurtz.
FTA:
The main thing to keep in mind is that these attacks go beyond Internet Explorer and that simply switching browsers is not an adequate defense.
This is completely absurd FUD. IE *was used*, it is insecure, and there is no fix (yet). These conclusions come right from this article and others.
Obvious conclusion: use different software. This conclusion is also supported by the long and consistent history of security issues with IE. I think, after reading this and other articles, it is more dangerous to continue to assert that IE is secure.
duh!
Dear
PCWorld seems to be taking the opposite stance arguing that blaming IE for attacks is a dangerous approach that could cause a false sense of security.
Well, of course they'd say that - they are running a PC/Windows/Microsoft magazine, after all.
AppleWorld, on the other hand, has been blaming hacker attacks on Microsoft Windows for many years now - and the general population seems to agree with them, even though it does lead to a false sense of security in OSX.
We should applaud the recent work by the European Commission in demanding that Microsoft design their European version of Windows to allow users to choose the browser that they want -- thus, allowing them to never install Internet Explorer. The European Commission has been better advocate of free-market competition than the American Federal Trade Commission.
Therein lies a bit of irony. Washington often claims that the USA is a freer free market than the European Union. Yet, the Union is the political body which hit -- hard -- Microsoft's anticompetitive behavior.
"You may also have web-based applications that don't work well, or even at all, unless they are accessed with Internet Explorer. That's not going to be good for productivity. And finally, what if your replacement browser itself turns out to contain a vulnerability? Are you going to switch again?"
That's the sort of shallow, thoughtless attitude that got you stuck with IE6 in the first place.
tomorrow who's gonna fuss
France and Germany agree on something?
The IE threat must be greater than previously imagined. Or...something.
coding is life
I remember Steve Ballmer screaming 'Developers! Developers! Developers! Developers!' and that has been the IE 'menality' ever since. The mentality is "Give the developers (especially big huge companies like Microsoft, Adobe, Symantec, Google) complete control over the users' computers just by clicking 'ok' in Internet Explorer one time." That has got to be seen as a security hole. Every goddamn piece of software now wants to run as a service, check for updates, annoy the user, and prioritize itself. For example, once you install Adobe Flash, it is there.. on every web page.. despite whether the user might want to choose not to load the annoying flash for that particular web page. I am not complaining just about flash - just about the lack of options to make installed software optional. Why can't I have an option to 'right click, show flash' on all my flash animations? and for that matter.. all other software that wants to open by default without giving me an option to save?
Here's how I would make IE more secure in a general sense:
1. Program the 'stop' button as the highest priority. IE is useless if it decides it has to load an entire complicated web page (or malware site) before I can click 'stop' and cancel all of it.
2. Put options in IE to disallow resizing of IE windows by script, removing of toolbar buttons, preventing the user from resizing windows, and using 100% of system resources to process a web page.
3. Remove the ability for a 'Windows popup button' to prevent the user from stopping a script. How asinine is it that a web page can merely repeatedly pop up system messages forcing the user to click ok before allowing the user to click stop? IE screws this up royally with Java helping.
4. Put a 'cookie tracker' right inside Internet Explorer.. Allow the user to control whether a site can modify a cookie. Notify the user (at the bottom status bar - not in his fucking face) that 'a cookie was created or modified' when visiting a web page. User might get suspicious when his favorite porn site tries to modify the 'gmail' cookie.
5. Never allow web pages to stop me from right-clicking. Fuck you. It's my computer.
I'm sure there's a whole lot of other things I could say that Microsoft will continue to ignore..
--- We need more Ron Paul!
...you know, the place that already doesn't have browser monoculture. Therefore, your premise doesn't hold true - they don't want to shatter IE monoculture, create variation in the market. They just don't want people to use IE.
And especially in Europe, that's very much four engines, not three, with one or two places having Opera as number one browser, few other as number one alternative browser, and in many it has quite respectable usage share.
One that hath name thou can not otter
When I said this was all an elaborate ruse to Market Chrome.
Clearly I'm the only one here parano^H^H^H^H^H^HSensible enough to see whats plainly in front of us.
Take Microsoft vs Google. Google's brand name is made up of 50% vowels, 50% consonants, whereas Microsoft is 33-67. This is a clever method designed to make you think that Google is fairer and wishes to have an equal representation of all letters. However, this is just plain deceiptful, because "Chrome" is only 33% vowels wheras "IE" (we'll abbreviate it) is 100% vowels, thus making up for the lack of vowels in "Microsoft". There are also even spreads across such MS products as "Office" and "Live". Apple has felt the need to keep up with the proper representation of vowels by throwing in a single lowercase i in front of every one of their new products. Good on them.
So I know what you're thinking: What do vowels and consonants have to do with ACTA and Net Neutrality? Absolutely nothing! But they DO have a lot to do with the recent attacks made against Google. As you can recall, its been recently discovered that the attacks originated in China. Surprising to some people, English has not been fully adopted yet, and many Chinese citizens still speak Mandarin and that other language no one can remember. All traditional chinese languages use characters, not letters. (To those who program or are DBA's, a letter is what normal people call a char). Now, what is Mandarin missing that English has? You guessed it; VOWELS. It's clear and obvious that Google is behind all of it. What the end goal is, I'm not entirely sure, I'm still trying to connect the dots.
What's important about this article is that its happening in FRANCE. This is a bit of a PR stunt for France. You see, everyone hates Microsoft, and everyone hates France. This hurts the French industries of exporting Cheese, Wine, and arrogant behavior. So France is hoping that by declaring they hate Microsoft as well, everyone will look on them in a better light. WE MUST NOT ALLOW THIS. If people start liking the French more, Baguettes will be everywhere. And I mean everywhere. Breakfast lunch and dinner. Baguettes at home, baguettes at work, baguette soup, baguette sandwhiches. Don't get me wrong I like a baguette every now and then but if we let them get a single foothold on the breadmarket they will take it over completely. There is nothing stronger then the relentless pursuits of a French Bunmaster.
So please, everyone, I beg of you. Keep using IE8, if you already do. Not because its secure, because it isn't. Not because of Google, no matter how evil they secretly are...
But because the standard loaf shape of bread is under attack, and if we don't come to defend it, no one will.
Don't Kill the Messenger: Blaming IE for Attacks is Dangerous
Don't obfuscate the message. Blaming IE for being susceptible to attacks is entirely valid.
So is blaming Mozilla, Chrome, Opera, Konquerer, and Safari when they are vulnerable.
It's all nice and tidy to say "The attackers are to blame." But we don't have control over them. We do have control over which software we use. And if we continually abandon less secure software for more secure alternatives, we will have a continually improving software ecosystem. That will not always mean abandoning IE (well, it may not always mean abandoning IE -- seriously, someday IE might be the most secure option -- stop laughing, it could happen, hypothetically), but it does mean always abandoning whoever fucked up most egregiously most recently. Feedback works.
Stop-Prism.org: Opt Out of Surveillance
the toys we know have been painted with paint with high amounts of lead in it.
After all, if I took those away from them I'd just be giving myself a false sense of security since it's likely there are some other toys with lead in them that I don't know about.
Same reason I smoke, sure I know smoking causes cancer but not doing it would just give me a false sense of security given there are numerous other things that also cause cancer.
Wrong... the problem is in ALL versions of IE from at least 6 upwards on ALL operating systems from at least XP upwards. Microsoft themselves admitted that.
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
Microsoft Advisory
Why are people still perpetuating the myth that this does not affect IE7 or IE8 when Microsoft themselves claim it does?!?!?! Just curious.
StarTrekPhase2 - The Five Year Mission Continues!
While Microsoft won the browser war they failed their objectives.
The point of winning the browser war was so Microsoft could change the direction of web standards, eg pushing Active X except for Java Applets. VB script vs Javascript etc. This failed miserably for Microsoft now they are putting time and effort into IE a Free OS Addon to the product and they are not getting anything really out of it. Except for this big push to make IE seem like this great browser they should just well use Firefox it is just as good if not better, we will keep IE going and as secure as possible for a while but will phase it out in about 10 years.
Staying #1 in the browser market where every version you are pushed to follow everyone elses standards is just a wast of your time and money, espectially when you have a slew of other people making good alternatives. Firefox, Chrome, Safari, etc... That really want to follow the standards. Let IE fall too 20% market share, this is OK.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Bottom line is that IE really has sucked all its life; and not just statistically.
Remember back in the days competing with Netscape, IE was actually good for the time. It wasn't until Microsoft held the browser monopoly that it remained stagnant, while the rest of the browsers moved ahead.
For any software, if you're running stuff that is basically 12 years out of date, you should expect your setup to be exploitable. You don't see a lot of people running MacOS 8, early revisions of Slackware, or Netscape 5.5 anymore, right? Neglecting to update IE is about the stupidest thing anyone with some regard for their personal security could put off. It's easily the most exploited piece of software in the history of...software. That's what having a near 100% dominance in the very sketchy playing field of the late 90's/early 00's Internet does for you. I'm no Microsoft fan, but anyone who thinks that code that was written 12 years ago is perfectly fine to use nowadays...switching to another browser isn't going to fix their problem. Medication and a good shrink will fix their problem. And maybe a Computer Science course or two. If you never updated the virus defs in your virus scanner...and you got a virus...switching virus scanners isn't going to fix the fact that you're too undisciplined to wait a few seconds and let your virus defs download no matter what setup you use. If people won't update from IE6, you can bet they won't update any other browser they install, either.
Sorry, but if you get exploited running IE6, I have absolutely NO pity for you. You're just plain stupid, and your stupidity most likely has caused you to infect other systems probably more than once. You're like a driver who plows down a couple margaritas before you go out driving on a Sunday afternoon.
Every single time EU regulates USA companies, some Americans come and say "They are just being hard on USA companies". But no. They have been very strict to other companies too (Just google about EU and Samsung, Siemens, ABB, Alstom, Saint-Gobain... The list really goes on. Go ahead, check by yourself. They have been handing out massive fines here and there for anti-competitive practices.).
It's just that the media in USA doesn't pay that much attention to EU fining european companies. In addition, european countries in general have stricter regulation on national level so antitrust investigations on smaller european corporations are done at that level.
Of course if a burglar breaks in my apartment thank to a defect of my lock and steal my fornitures I blame the burglar for the theft.
But I change my lock afterward.