US and UK Governments Advise Avoiding Internet Explorer Until Bug Fixed

martiniturbide (1203660) writes "Reuters is reporting that 'The U.S. and UK governments on Monday advised computer users to consider using alternatives to Microsoft Corp's Internet Explorer browser until the company fixes a security flaw that hackers used to launch attacks.' The article states that 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system.'"

Oh Noes!

[Ol+Olsoc]

How are people going to download Firefox?

Re:Oh Noes!

I telnet to getfirefox.org, you insensitive clod!

Re:Oh Noes!

[jonyen]

I telnet to getfirefox.org, you insensitive clod!

Why telnet if you can use butterflies to communicate with the server.

Using butterflies would cause too many latency issues, whether you're using the butterflies for direct transmission or generating cosmic rays via the butterfly effect.

Re:Oh Noes!

[tepples]

With the numerous gaping holes in security discovered in IE over the years, it's incredible that people are still using it. I guess they don't know there are alternatives?

Someone who knows of alternatives may happen not to have ready access to another PC that already has Firefox. It's not like you can get public releases of Firefox through FTP anymore:

220- releases.mozilla.org now points to our CDN distribution network and no longer works for FTP traffic
[...]
230- Notice: This server is the only place to obtain nightly builds and needs to
230- remain available to developers and testers. High bandwidth servers that
230- contain the public release files are available at ftp://releases.mozilla.org/
230- If you need to link to a public release, please link to the release server,
230- not here. Thanks!
230-
230- Attempts to download high traffic release files from this server will get a
230- "550 Permission denied." response.

Re:Oh Noes!

[viperidaenz]

Real men use telnet to port 443.

Re:Oh Noes!

[sharknado]

Butterfly communication has become unreliable due to destruction of milkweed corridors. http://thinkprogress.org/clima...

Re:Oh Noes!

[SeaFox]

Not directly through Mozilla. But there are third-party FTP servers run by trustworthy organizations that host it I'm sure.

Re:Oh Noes!

[VortexCortex]

How are people going to download Firefox?

Open the command terminal* : [Towel Key + R]
  "cmd" [Enter]

In the resultant terminal:

ftp
open ftp.mozilla.org

The username and password are both "anonymous" (sans quotes).

cd pub/mozilla.org/firefox/releases/latest/win32/en-US
ls
binary
get "Firefox Setup [version].exe"
bye

Firefox Setup [version].exe

Replace [version] above with the version number you wish to download. You may also "lcd [directory]" to change the local directory the download will appear in. Selecting a 64 bit version of Firefox or downloading and installing Internet Explorer on GNU/Linux is a trolling exercise left to the reader.

* Known as the "Super Key" more recently by some -- A possible mutation by association considering that towels are super.
Translator's note: The labels have been removed from the largest and most important key of all boards to prevent human rediscovery of its true purpose;
However, traces of the vestigial memory remains after the wipe hilariously causing them to naturally associate the unlabeled key with our "Space Bar".
For so long as the humans remain contently oblivious the situation has been deemed "mostly harmless".

On it!

[American+AC+in+Paris]

Downloading Mosaic as we speak!

Convenient timing.

[nurb432]

Just in time for XP to go out of support for most people, now you get this 'well publicized' bug that wont get patched, in effect. I expect only the latest version of IE to be patched, which will NOT run on XP even if you wanted to.

Re:Convenient timing.

[koreanbabykilla]

Care to cite any sources you have refuting this?

I was firmly under the impression XP updates are no more unless you are a huge company/government.

Source: http://windows.microsoft.com/e...

The solutions listed are:
"Upgrade" to win8.
Buy a new computer.

What the fuck makes you think they are 100% going to patch versions that work on XP?
I would even settle for why you believe it to be "likely not true"

Re:Convenient timing.

[triffid_98]

I'm fairly sure that the corporate customers running 2003 might take exception to that, and by "take exception" of course we mean sue.

That OS doesn't officially EOL until next year.

Re: Government

Numerous NYS web pages whos use is MANDATED for local government REQUIRES IE 8. For the Win7 machines (dictated by HIPPA as securable) we have to disable ActiveX security, add it to trusted sites, AND fire up the developer tools to get it into IE 7 compatability. The page I am specifically thinking of is the Department of Health... you know where all your medical records are.

Security is poorly spun illusion at this point. If the feds wanted the Internet to be secure then they should have reigned in the spooks in the beginning.

Some people don't care

AC because my boss reads /.

My boss, in all his good business instincts and mostly great technical attributes, insists on installing java and downgrading all computers to ie9 instead of going with 11. Now I know 11 had issues with compatibility from time to time, but I am hard pressed to believe that running ie9 with Java is a great way to stay virus free.

Then again we are in the small business and home user repair market maybe he is just trying to go for reoccurring client repairs

Re:Some people don't care

[edman007]

Don't worry, I work in a government agency, IE8 is the only authorized browser (with java of course), and if you gained access to that computer you would have plenty of access to sensitive (but not classified) stuff.

Re:Kinda funny...

[tepples]

If your position does not require use of a browser, use no browser until it is repaired. If your position requires use of a browser, print out the advisory at home and show it to your supervisor.

Re:Don't buy garbage, or set UA header

[tepples]

Don't buy garbage, stuff that works only in a specific version of a specific browser.

Three software products dominate a particular vertical market. When your employer chose to adopt one of these products, all three were garbage by your definition. Are you recommending that people in the affected industry resign en masse and retrain for a different industry?

90%+ plus, you can just set the user agent header in Seamonkey, Firefox, or Chrome to SAY it's IE and things work just fine.

Which works fine until an ActiveX control fails to load, or an IE-specific event listener fails to attach.

Could they....

[Moppusan]

Couldn't they have just said "Don't use Internet Explorer, anytime, anywhere, ever?" That's so much easier.

Re:Could they....

[Anomalyst]

Couldn't they have just said "Don't use Microsoft Products, anytime, anywhere, ever?" That's so much easier.

FTFY

Re:Recommended browser for old XP machines?

[SeaFox]

I'd say Firefox with Adblock Plus, so they wont get fooled by malicious ads on sites.

so you followed my suggestion. Example?

[raymorris]

> When your employer chose to adopt one

If your employer did that before you arrived, or over your strong objections, then you followed my advice - you didn't buy garbage. Unfortunately someone else did.

However, I've dealt with a few different businesses and can't think of such a situation where all three leading solutions are ActiveX / IE only. I can think of one where for the GUI, you had to choose between ActiveX, Java, or a local client. A network CLI was also available. I'm curious what case you have in mind?

If I ddid run into a theoretical situation where a critical piece of software would rely on ActiveX, and therefore put the enterprise at the mercy of changing IE versions, I'd look at the broader picture and evaluate the business processes that are setting up that risk.

sorry you screwed yourself

[raymorris]

I'm sorry you got fucked. To avoid putting yourself in that situation again, you might want to do two things. First, recognise that vendor lock-in is a risk to the enterprise, and that risk has an accountable cost. When you choose to be locked into TWO vendors, the software vendor AND a supported version of IE, your risk is the multiple of two components.

Secondly, when you find yourself in a situation where such a risk seems unavoidable, broaden your perspective to look at the business processes that create that context. Perhaps there is no acceptable software that meets the defined requirements. In that case, you can take another look at the requirements from a broader enterprise perspective.

As you may know, I've been running businesses for 25 years, and we've NEVER put ourselves in the position of sole-vendor risk like that. It takes forethought, but it absolutely is possible to avoid that situation.

Re:Actual recommendation from US gov

[whoever57]

"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds."

But don't confuse that with recommending not to use the browser.

Don't confuse a partial reading of the page with the full text, which goes on to say:

Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser.

Re:Government

[JosKarith]

All of them. Numerous embedded systems are built around IE for UK government - I know this for a fact as I'm working for them at the moment.