UK Gov't Says "No Evidence" IE Is Less Secure
aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"
That's very likely true, as the stupidity of the user remains the weakest factor in security.
Every experiment which ends in a big bang is a good experiment.
Sorry, how many users are actually using the latest fully patched version of IE? Google is still trying desperately to phase out IE 6, of which there are still many users. Perhaps as a "neutral" gesture to throw MS a bone, they could make an announcement saying "Upgrade to the latest IE8, or to another browser such as Firefox, Chrome, etc. Your current version of IE is probably ass^H^H^Hinsecure".
"The value of a man resides in what he gives,
and not in what he is capable of receiving."
--Albert Einstein
It's one thing to say there is insufficient evidence, but *no* evidence?!
In UK governmental English, "to table" apparently means something like "to propose" or "to bring up for consideration", almost exactly the opposite of the U.S. meaning, which is "to withdraw from further consideration".
I guess there's some international disagreement over whether this mythical table is where you put things to be considered, or where you put things to die. Perhaps to Britons, putting things on a table is officially proposing them, whereas to Americans, if it's on the table it's inert, and if you want it proposed, you had better have it in your hand waving it in someone's face.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
A fully patched IE8 running on either Vista or Windows 7 is far safer than Firefox. Why?
- Low privileged mode. IE8 runs with lower rights than the logged in user, Firefox doesn't...
- DEP is turned on for IE8 by default. Firefox has to be added (or the "all applications" option).
- IE8 patches can be deployed from the Domain very easily. Firefox on a corporate network is a pain in the butt...
Now I entirely grant that this is Microsoft's browser running on Microsoft's OS and thus it gains unfair advantages but that doesn't change the facts or reality of the situation.
I saw an idea somewhere that politicians these days should require NASCAR/Formula-1 style sponsor patches to be worn on their suits at all times, to indicate which corporations are funding their campaigns.
Then when someone says there is no evidence of IE being less secure, we can look for the logo.
They just need to grow suspicious of IE harboring WMDs. Then the lack of evidence wouldn't be a problem at all.
The latest patched version of Internet Explorer fixed the bugs that Microsoft found. The latest patched version of other browsers fixed the bugs that other browser manufacturers found. Ergo, there is no evidence that the latest patched version of Internet Explorer is less secure, since the officially "known" security features have been fixed.
In fact, there's no evidence that there are any bugs at all in the latest patched versions of any software ever written, unless the manufacturers have explicitly stated that there are. In which case, in order for policymakers to accept such a report, they would need to prove that this is the case, by lobbying the government to the effect that their software is inferior.
I don't believe in time. It's a grand conspiracy designed to sell watches.
1. This is the POLITICAL part of government and is as easily bought as ISO, maybe easier.
2. Look at the record of UK Government IT projects.
3. It is not IE that makes Windoze insecure, it is the OS and the design philosophy
-- COM is a security disaster
-- executing any vaguely executable rubbish based on its extension is a disaster
4. Backward compatibility, and a zillion features that assume an essentially insecure and trusted world are a disaster. M$ has no way out.
I don't know why it would "not please" Slashdot readers. I am very pleased. That is the funniest thing I've read all week.
Nothing like a good laugh to start your morning.
Are these the same people who said IRAQ was full of WMDs and terrorists?
No sig today...
I fucking hate our government. Seriously. They just all appear completely incompetent.
-- Lattyware (www.lattyware.co.uk)
You get your IT news from the register? Coool!
More seriously - you link to that page, with words that seem to indicate there are a LOT of Firefox exploits in the wild. Care to name some? The IRC exploit only counts as one.
One more time, I'll point up Firefox's main advantage over IE: Vulnerabilities are made public, and people actually address the vulnerabilities as quickly as possible. Firefox exploits aren't hidden under a mountain of shit by some corporate boss, so that he hopes they can go away.
IMHO, Firefox is just about as safe as a browser can be, today, based on current knowledge. It ranks right up there with Chrome and Opera, and Safari, and Konqueror.
IMHO, Internet Explorer MIGHT be almost as secure - if and when people finally upgrade from IE6 to at least 7, and preferably 8. MIGHT BE. You'll notice that MS didn't publicize this newest vulnerability, until Google and others had already done so.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The reason for this statement by the UK government is very simple - it has intranet and business systems in virtually every government department which work only with IE. They are frequently ridiculously old versions at that - IE6 take a bow - giving the lie to the "latest, fully patched" comment anyway. There is no way that the UK government is going to incur the conversion costs for these systems at this moment given the state of its books at the moment. Stating that IE was insecure would create an inexorable pressure to do exactly that. This statement has nothing to do with security, and everything to do with internal government politics.
That's NOT a Firefox exploit. That's Firefox sending a normal HTTP request to a non-standard port (6667), and the IRC server *wrongly* interpreting it as IRC protocol.
The only thing they say Firefox does "wrong" is actually connecting to a non-standard port, which I dispute: there are plenty of reasons to run webservers on non-standard ports, and I want to be able to connect to them.
Dilbert RSS feed
The quote bears no reflection of any opinion on the security or quality of IE in general. The "user" being referred to in the quote is UK government staff, using UK government IT, and his response is wholly within that context. As is very often the case on Slashdot (and, to be fair, much of the media), the summary shifts the context slightly and then omits significant information and thus infers something other than what was communicated at the time.
Immediately after the quoted text, unmissable except by the most... Let's give the benefit of the doubt and say hurried of submitters and editors, is the following: (my emphasis added for the most hurried of Slashdot readers)
That would be an actual good use for augmented reality.
Extremists could even overlay content that made their opposites actually look like monsters.
Good times a' comin'.
Nerd rage is the funniest rage.
http://www.google.co.uk/search?q=firefox+exploit
5 seconds of searching returns what looks like 3 separate examples of unpatched bugs being exploited in the last year just on the first page.
Only need to google it for chrissakes:
IE ~ 1200: http://www.google.com/#hl=en&q="internet+explorer"+site%3Awww.us-cert.gov
Firefox ~ 800: http://www.google.com/#hl=en&q="firefox"+site%3Awww.us-cert.gov
boycott slashdot February 10th - 17th check out: altSlashdot.org
I can think of two reasons that Firefox would have to use a lot of memory: DOM caching and plug-in leaks. DOM caching stores information about pages you have recently visited so that the back button, undo close tab (Cmd-Shift-T), and undo close window (Cmd-Shift-W) work quickly. As for plug-in leaks, use Flashblock and they will be less noticeable, which should hold you over until Firefox implements Chrome-style multiprocessing.
Evidence was gathered on a Tuesday.
Sorry, but gray text on gray background is making my eyes bleed.
Maybe in your country. I very much doubt 20% of the UK population has even seen Vista or Win7.
In all probability IE6 usage in the UK exceeds Vista usage, and in Government institutions, IE6 usage probably exceeds all other browsers. Win2k is still widely used, and XP still being installed.
Sent from my ASR33 using ASCII
It was the Home Office that gave the reply some people don't like, even if it is probably true.
Only on a technicality.
Technically, at this moment in time there are precisely no publicly known exploits for a fully patched up to date copy of IE, a fully patched up to date copy of Firefox or a fully patched up to date copy of Opera.
The fact that history has shown us that exploits for IE tend to show up more frequently, are often nastier than exploits for Firefox or Opera and are almost never dealt with in an out-of-cycle patch (and so will be exploitable for that much longer) is neither here nor there. This is absolutely typical of any UK government department (and probably the same in many Western countries) - when you're asked a question which you don't necessarily like, interpret it in a fashion which allows you to give an answer which you do like.
Admitting that IE may be more dangerous isn't in and of itself a huge problem but it may well invite a lot more questions like "How many internal government systems only work with IE?" - and I bet you anything you like the answer is not "Zero".
"there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure."
So if you have Windows 7 with all patches and MSIE 8 with all patches
INCLUDING NONPUBLIC MICROSOFT INTERNAL PATCHES (to fix bugs not patched for yet)
then yes you could be just as safe as if you had another browser.
But what are the chances that somebody will be able to get all the patches without getting tagged?
Any person using FTFY or editing my postings agrees to a US$50.00 charge
To be fair I think his point was partially valid.
You're right that Firefox core has the advantage of public vulnerabilities, but the issue is that Firefox allows for non-sandboxed extensions, which are often proprietary (i.e. Flash) and so effectively leaves Firefox with the same issue.
Firefox certainly isn't as safe as any browser can be, simply because of the fact extensions are vulnerable in this manner.
I think what the UK gov is getting at is quite valid - not that IE has the same or fewer security flaws per se, I think they probably accept that it does, but that no other browser really is built with a truly secure architecture either, such that even if you switch away from IE, whilst Firefox itself may be secure, many users will end up with extensions that aren't and so will remain vulnerable to something or other regardless.
I do believe that the aforementioned quote is likely to be the source of the response from the Home Office there. The answer is probably going to be closer to "Most of them". That's not an answer people would like to hear at all - probably less than we want to hear the weasel wording from the Home Office there.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
In a monoculture the attack surface is large since everyone is using the same code and therefore vulnerable to the same bugs. Just moving users onto a mix of other browsers lowers the attack surface even if each individual browser has its own fair share of bugs.
What I notice is that the headline and most of the discussion here talk about the security of "IE", while the Home Office said "the latest fully patched versions of Internet Explorer". There seems to be little understanding that these aren't synonyms.
But does anyone here work for an organization of any sort (government, industry, academia, whatever) that requires that everyone use "the latest fully patched versions of Internet Explorer"?
In all the cases that I know of, when there's such standardization, it's for releases that existed shortly before the standard was established. It's now years later, and the standard is still in place (though often violated by workers who want better security or more features).
A number of people have written about organizations that are still standardized on IE6 and don't permit upgrades to IE8. Is there any data available on how widespread this might be? In my experience, such data is hard to come by, since both governments and private corporations tend to be secretive about their inner workings.
So could the Home Office be pushing for upgrades to W7+IE8? Nah; I thought not.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
matters like these. with their paranoid attention to detail, psychopathic inclination to procedure, and ungodly patience with working on intricate technical details, any word from germans in that area would trample any word from britain at any point for me.
the fact that u.k. government has been shitting and screwing up in every other field for the last 10 years does not help either.
Read radical news here
We can't trust companies because they have obvious profit motives. Leaves only one thing.
We use governments to test the water, the food, the air, the cars, everything pretty much which is essential to our lives but we do not have individually the resources to test.
The government doesn't test my cooking (that is what kids are for) because I have means to test that myself (if the milk still comes out of the carton, it is fresh enough for guests) but I do not have the means to test a can of Coke I buy on the street, so I expect/need someone else to check that these things are not made by just putting any old sugar and water and rust together, but only properly tested sugar, water and rust.
I would reason that computers have become such a common part of our lives and that we can get into so much trouble if we get it wrong, that government warning us about unsafe products, is the right thing to do.
Or wouldn't you want forced warnings and recalls if the brakes on your car turn out to be faulty? Guess who does that? Your car maker? Think again, government regulators, my those guys just seem to be everywhere don't they.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
The level/degree of proof the UK government seems to be requiring for this is the 'scientific' type. For most things in life, statistical analysis tends to be enough.
What this guy said is akin to saying that North Korea has the strongest army in the world, because there's no proof to the contrary.
Pick any of these:
1) Lackluster/no security features.
2) Lack of improvement over the years. One of the cardinal rules for security is continual improvement.
3) Repeated exploit of said piece of crap.
4) Microsoft itself more-or-less admitting it's insecure and unrepairable - they effectively abandoned it years ago.
5) Anecdotal evidence from tens of thousands of computer repair types; I guarantee you IE is the vector for 9 out of 10 malware infections, and most of those are probably IE.
I'd wager they've been paid off. Anyone with even the slightest amount of intellect can look at the information available and determine that IE6 is rubbish. It's a hell of a lot less proof than most governmental bodies act - often, said bodies act in direct contradiction to the facts for the purpose of special interests money.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I think this is a question we should all ask of our governments - loudly - until we get an answer.
Help stamp out iliturcy.
As someone who has worked in the U.S., the U.K. and continental Europe, I have to say that both public and private sectors in the UK have an unparalleled blind allegiance to Microsoft. It's like nothing I've ever seen.
I recall seeing a timeline of the Internet's development at a display in London, and the first two dots were the 1973 launch of DARPAnet and then, incredibly, the founding of Microsoft in 1979. There was no dot for anything from Britain's own Tim Berners-Lee, for the development of DNS by Mockapetris, or other real milestones.
Honestly, it's sad to see what has happened to the land of Francis Bacon, Newton, Babbage and Turing. The UK today seems run by men without an original thought in their entire being, who slavishly follow fads from American business schools and figure one is always right if you tie your fortunes to those of Microsoft. This doesn't bode well for the future of that island nation, is all I can say. You can't rely forever on frothy financial instruments to fund purchases of food, energy and all technology from someone else.
With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done.
This argument endlessly amuses me. Do you really think the exact same thing is not true of OSS-based browsers such as Firefox and Chrome?
Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them. The theoretical possibility that you can examine the source code is just security theatre unless you actually spend the time and resources to do it.
Hint #2: Which OSS browser do you think has a public bug database listing all known vulnerabilities, whether or not they have yet been patched, and keeps that database updated immediately every time a new vulnerability is reported?
With Firefox, there is generally a very high degree of transparency when it comes to security problems.
Unless you are one of the select few with access to the full security issue process, you don't know that.
Additionally, fixes are pushed out quickly.
Or that.
Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.
Or any of that.
If you really don't see the blind spot you're exhibiting here, try answering these simple questions (and be honest with yourself):
If you can't immediately answer those questions, and provide yourself with objective, factual data to support your claims above, then please consider that you may just be projecting your own prejudices based on IE6 from many years ago onto the IE8 of today, while letting your own faith in OSS onto other browsers convince you that they are more secure even though you don't have access to all the facts.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Answers you won't listen to:
When 20 other people have gone through a door and come back out again, I will assume that it's safe to walk through the door. Likewise though I may not have read all the code in Firefox, if there were any big problems, someone WOULD have seen it: Microsoft do not have half the world's web browser writers,
How many people HAVE the latest version of IE? Now how many NEVER use Flash or Adobe plugins? Because they require you to turn off the security, and then IE8 becomes vulnerable again. Did you know that?
Google would have got dinged. Likewise, please do the same about Firefox. You've narrowed the window so small there's nothing left of the hole.
And how would YOU answer?
IE8 today has many or most of the downsides that IE6 has. Unless you lock it down so much you can't use it.
But FF 3.5 when locked down as much is still usable. Putting it under LIDS makes it much safer. Adding RBAC from NSA makes it yet more secure.
And still usable.
You cannot say the same of IE and Windows.