Slashdot Mirror


UK Gov't Says "No Evidence" IE Is Less Secure

aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"

12 of 342 comments

  1. in case any other Americans are confused by Trepidity · · Score: 5, Informative

    In UK governmental English, "to table" apparently means something like "to propose" or "to bring up for consideration", almost exactly the opposite of the U.S. meaning, which is "to withdraw from further consideration".

    I guess there's some international disagreement over whether this mythical table is where you put things to be considered, or where you put things to die. Perhaps to Britons, putting things on a table is officially proposing them, whereas to Americans, if it's on the table it's inert, and if you want it proposed, you had better have it in your hand waving it in someone's face.

    1. Re:in case any other Americans are confused by gigne · · Score: 4, Informative

      Yes, indeed you are correct.

      UK: To place an item on the agenda for discussion.
      US: To remove the item from consideration.

      In the UK we shelve discussion items when they are removed from consideration.

      --
      Signature v3.0, now with 42% less memory usage.
  2. Re:Probably true, even. by cl!p · · Score: 3, Informative

    There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one.

    This is not an exploit in Firefox. This is a vulnerability in some IRC servers. The Freenode people agree. They are moving to a new IRCd.

  3. IE (on Windows) is safer than Firefox by Manip · · Score: 3, Informative

    A fully patched IE8 running on either Vista or Windows 7 is far safer than Firefox. Why?
      - Low privileged mode. IE8 runs with lower rights than the logged in user, Firefox doesn't...
      - DEP is turned on for IE8 by default. Firefox has to be added (or the "all applications" option).
      - IE8 patches can be deployed from the Domain very easily. Firefox on a corporate network is a pain in the butt...

    Now I entirely grant that this is Microsoft's browser running on Microsoft's OS and thus it gains unfair advantages but that doesn't change the facts or reality of the situation.

    1. Re:IE (on Windows) is safer than Firefox by Anonymous Coward · · Score: 3, Informative

      There are currently 23 unpatched advisories for IE 6.x http://secunia.com/advisories/product/11/
      There are currently 10 unpatched advisories for IE 7.x http://secunia.com/advisories/product/11/
      There are currently 3 unpatched advisories for IE 8.x http://secunia.com/advisories/product/11/

      Advisories often contain multiple vulnerabilities. Doing a little quick math, that comes out to around 59 vulnerabilities (not an exact number, just a ballpark estimate) for those 3 versions of IE.

      This is compared to 0 unpatched advisories for the 3.x line (19 months old, now) and 3 unpatched advisories for the 2.x line. http://secunia.com/advisories/vendor/18/

      Mozilla also generally gets their patches out faster than Microsoft.

  4. Is not talking about home user by DaveGod · · Score: 5, Informative

    The quote bears no reflection of any opinion on the security or quality of IE in general. The "user" being referred to in the quote is UK government staff, using UK government IT, and his response is wholly within that context. As is very often the case on Slashdot (and, to be fair, much of the media), the summary shifts the context slightly and then omits significant information and thus infers something other than what was communicated at the time.

    Immediately after the quoted text, unmissable except by the most... Let's give the benefit of the doubt and say hurried of submitters and editors, is the following: (my emphasis added for the most hurried of Slashdot readers)

    26 Jan 2010 : Column WA317

    Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

    A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.

  5. They're not using the correct research data by bl8n8r · · Score: 3, Informative

    only need to google it for chrissakes:
        IE ~ 1200: http://www.google.com/#hl=en&q="internet+explorer"+site%3Awww.us-cert.gov
        Firefox ~ 800: http://www.google.com/#hl=en&q="firefox"+site%3Awww.us-cert.gov

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  6. Re:Probably true, even. by darthflo · · Score: 4, Informative

    Bullshit. Being able to choose what port a request is directed to is covered by specifications, expected to work and built on in several real-world situations. Most commonly, configuration interfaces: If you're using some kind of shared hosting, chances are they might be running Plesk (defaults to alt-https, i.e. 8443) or ispCP (defaults to https on 81) or a similar project. Use webmin? The httpd that runs the config interface requires permissions you wouldn't want the http that serves your normal pages to have.
    Going on, ever used CoralCDN? That's .nyud.net:8080 (alt-http) or 8070 for you. Maybe you'd like to configure an irc daemon or bouncer? Another non-standard port there. Most application servers don't run on port 80, either. The load balancer will, but you might want to get around it for testing purposes or some such.
    What I'm saying: It's all expected behaviour. Throw in a PING Math.rand() from the server before actually throwing out those RAW001-4 and the spamming problem is instantly solved. Or, to make things even simpler: If you're an ircd, kill whatever starts its requests with HTTP POST. Chances are, it's not an IRC client.
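
The two server-side checks suggested in comment 6 (a random PING challenge before the 001-004 welcome numerics, and dropping connections that open with an HTTP request line), as an added example that is not part of the thread or of any ircd's code. `RegistrationGate`, `replay`, the cookie value and the sample sessions are hypothetical names and constructed data.

```python
import secrets

# Request-line prefixes a browser form submission or fetch would start with.
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


class RegistrationGate:
    """Per-connection check run before the server sends numerics 001-004."""

    def __init__(self, make_cookie=lambda: secrets.token_hex(8)):
        self.cookie = make_cookie().encode()
        self.state = "challenged"  # challenged -> open | closed

    def challenge(self) -> bytes:
        """Line the server sends first; the peer must echo the cookie back."""
        return b"PING :" + self.cookie + b"\r\n"

    def feed(self, line: bytes) -> str:
        """Classify one received line as 'drop', 'hold' or 'accept'."""
        if self.state == "closed":
            return "drop"
        if self.state == "open":
            return "accept"
        text = line.strip()
        if text.upper().startswith(HTTP_PREFIXES):
            self.state = "closed"  # an HTTP request line: not an IRC client
            return "drop"
        parts = text.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == b"PONG" \
                and parts[1].lstrip(b":") == self.cookie:
            self.state = "open"
            return "accept"
        return "hold"  # queue NICK/USER etc. until the cookie comes back


def replay(lines, cookie="c0ffee"):
    """Run a constructed session through a gate with a fixed cookie."""
    gate = RegistrationGate(make_cookie=lambda: cookie)
    return [gate.feed(line) for line in lines]


# Constructed sample sessions (not captured traffic).
FORM_POST = [b"POST / HTTP/1.1\r\n", b"Host: irc.example.net:6667\r\n",
             b"\r\n", b"NICK guest\r\n"]
REAL_CLIENT = [b"NICK alice\r\n", b"USER alice 0 * :Alice\r\n",
               b"PONG :c0ffee\r\n", b"JOIN #test\r\n"]

if __name__ == "__main__":
    print(replay(FORM_POST))
    print(replay(REAL_CLIENT))
```

A sender that cannot read the server's PING never leaves the `hold` state, so the cookie check still applies when the first line is not an HTTP request.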

  7. Re:Probably true, even. by SimonTheSoundMan · · Score: 4, Informative

    The MoD have sent me a letter three times stating they have lost personal data about me. One was a CD, another a pen drive, and a laptop was stolen from the premises.

    Data that went missing was my name, address, passport number, national insurance number, photograph, medical history and criminal record. Obviously nothing important.

    This data was unencrypted.

  8. Re:Probably true, even. by rich_r · · Score: 4, Informative

    Home Office as in 'Office of Home Affairs'. A bit like 'Homeland Security'...

  9. Answers you won't listen to by Anonymous Coward · · Score: 4, Informative

    Answers you won't listen to:

    When 20 other people have gone through a door and come back out again, I will assume that it's safe to walk through the door. Likewise though I may not have read all the code in Firefox, if there were any big problems, someone WOULD have seen it: Microsoft do not have half the world's web browser writers,

    How many people HAVE the latest version of IE? Now how many NEVER use flash or Adobe plugins? Because they require you turn off the security and then IE8 becomes vulnerable again. Did you know that?

    Google would have got dinged. Likewise, please do the same about Firefox. You've narrowed the window so small there's nothing left of the hole.

    And how would YOU answer?

    IE8 today has many or most of the downsides that IE6 has. Unless you lock it down so much you can't use it.

    But FF 3.5 when locked down as much is still usable. Putting it under LIDS makes it much safer. Adding RBAC from NSA makes it yet more secure.

    And still usable.

    You cannot say the same of IE and Windows.

  10. Re:So security through wishful thinking is better? by palegray.net · · Score: 4, Informative

    Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them.

    Speaking of tired old arguments, you lost all credibility right there. Thankfully, it was in the opening statement of your "rebuttal," so I don't feel too compelled to slog through a more lengthy reply.

    Suffice it to say there are a lot of eyes on Firefox, for both the code itself and for evaluating and testing exploits. This process occurs transparently; anyone can (and a crapload of people do) participate. This is absolutely the opposite of Microsoft's model, and no amount of denial or hand-waving on your part is going to change that.