Dept. of Homeland Security Says to Stop Using IE

Posted by CowboyNeal on Fri Jul 02, 2004 10:51 AM
from the warning-is-years-late-in-coming dept.
LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News: 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Rather than come right out and say that their I.E. browser is not yet up to snuff in terms of security issues, Microsoft issues this absolutely delicious serving of corporate double-speak:

    "In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

    This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. The MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer. You gotta love this. You just cannot make stuff up like this!

    Cheers!

    Erick

    • by jo42 (227475) on Friday July 02 2004, @11:00AM (#9592562) Homepage

      Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only hole they haven't plugged in months...

      • Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only hole they haven't plugged in months...

        That last sentence gives me a better idea... forget the lawsuit. Encourage their spouses to deny them until those bugs get fixed.

        Call it Project Lysistrata.

        Uhh... that assumes they have spouses to deny them. If not, distribute their pictures to every singles bar and sweaty-palm dating site, with a "DO NOT TOUCH THIS PERSON." warning.

        If they're not plugging holes now, they certainly won't be plugging holes until the bugs get fixed!*

        * "or get plugged", depending upon gender and orientation. Deny, deny, deny until the bugs are fixed!
        • by finkployd (12902) on Friday July 02 2004, @11:22AM (#9592866) Homepage
          The difference of course is that Sendmail and Apache fix security vulnerabilities in a reasonable amount of time (usually days, if not hours)

          Furthermore, there are generally also configuration changes you can make in the meantime to these products to nullify the vulnerability. There is nothing you can do with IE except disable ActiveX and set the security level to high which (1) makes IE somewhat unusable and (2) STILL doesn't completely protect you.

          Finkployd
    • by ackthpt (218170) * on Friday July 02 2004, @11:02AM (#9592590) Homepage Journal
      Original: "In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

      This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. The MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer.

      Translation: After all those horses get out of the way, we'll have your barn door fixed in a jiffy.

    • by mge (120046) on Friday July 02 2004, @11:14AM (#9592754) Homepage Journal
      "In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

      Ummm... I don't think so.... here is a link to the US-CERT Vulnerability Note VU#713878 [cert.org] which (I think) is where this all starts. Go right to the bottom (OK, this is slashdot, so I'll cut-and-paste)

      Use a different web browser

      There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).


      The way I read that last sentence, CERT say you are not safe unless you get rid of the IE6 functionality.

    • Well, at least the DoHS didn't recommend covering your Windows with plastic and using duct-tape to seal the cracks this time...
  • It's About Time (Score:5, Interesting)

    by arieswind (789699) * <arieswind@nOSPam.gmail.com> on Friday July 02 2004, @10:51AM (#9592468) Homepage
    Hooray for the Department of Homeland Security! LWATCDR is not the only person that has been saying "get off of IE" for a long time.

    Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put FireFox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.

    It really says something for how widespread this news is. If I was Microsoft, I would be scared at this point.
  • Of course (Score:5, Funny)

    by savagedome (742194) on Friday July 02 2004, @10:52AM (#9592483)
    resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers

    Duh. All our friends at Microsoft need it too.

    *grin*
  • by Anonymous Coward on Friday July 02 2004, @10:53AM (#9592486)
    I didn't listen to them when they asked me to duct tape and plastic wrap my house, I didn't listen to them when they raised the alert level 5 different times, I didn't listen to them when they told me to trust them, but I am glad that other people do... Perhaps this will do double duty! It will fix websites that cater to IE only so that they work with the currently "broken" Firefox so that I don't have to refresh or cross my fingers to get it to work.
  • Great News (Score:5, Interesting)

    by devphaeton (695736) on Friday July 02 2004, @10:53AM (#9592487)
    "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."

    I hope that this also translates into a large spike of donations to the mozilla organization. Firefox and T-bird are teh moh scheezi, and i started using mozilla years ago.

    I've donated about $150 over the years, how bout y'all?
  • by ch-chuck (9622) on Friday July 02 2004, @10:54AM (#9592493) Homepage
    the courts have ruled that Msft's bundling and pushing IE with every OS purchase is good for the consumer. Let business be free to manipulate their customers! It's good for the economy.
  • Now all us computer nerds will lose our counter culture edge. Plus you'll no longer be able to detect a fellow geek merely by his browsing choice. I guess we'll have to go back to tossing off random Kevin Smith quotes and seeing who catches on.
  • Firefox, you need to do yourself a favor. Flawless pop-up blocking, the beauty of tabbed browsing...real standards implementation...the list goes on and on. Now, if only Windows would be declared a national security risk...
      • by finkployd (12902) on Friday July 02 2004, @11:28AM (#9592952) Homepage
        You know, everyone says that but I never have problems. I've been using Mozilla (and then FireFox) for ages and I constantly do online banking (psecu), access my (admittedly too many) credit cards (mbna, discover, amex, etc) via web sites, get all my news online, buy stuff online, etc. The only time I ever had a serious problem using a website that was designed for IE and didn't work in Mozilla was AT&T's Blackberry webmail client. Seriously, that is THE ONLY ONE.

        I think this whole "IE is required for banks, online stores, etc". is a big FUDdy myth. Start pointing out sites that do not work with standards if there are so many and let's all encourage those sites to fix their broken stuff.

        Finkployd
  • Profit (Score:5, Funny)

    by richdun (672214) on Friday July 02 2004, @10:55AM (#9592506)
    1) Create product that a smaller portion of the population uses, thus keeping the effectiveness of attacks on your product less desirable than the other
    2) Give your product away for free, open sourced, and up to date with all the latest standards, oh, and make it more secure (novel idea, really)
    3) ??? (wait about five or six years for a government agency to declare your competitor's product unsafe enough to get the CERT all riled up)
    4) Profit, or How Mozilla Pays M$ Back for The Whole Killing of Netscape Thing
  • switch (Score:5, Insightful)

    by damballah (691477) on Friday July 02 2004, @10:56AM (#9592517) Homepage Journal
    Hopefully people switching to FF will mean that more bugs will be squashed from it. Perfect timing for that 1.0 release.
  • wow!!
  • by Malor (3658) * on Friday July 02 2004, @10:56AM (#9592521) Journal
    From the Yahoo article:

    Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines.
    Phew, thank goodness the open source coders are smart enough to leave those nasty HTML rendering engines out of web browsers!
  • Recently I was cleaning rather obnoxious spyware off of my sister's laptop. To prevent further infection, I was asking her to install Firefox. I said it'll block popups. Still reluctant. Tabbed browsing? Nope. More secure? Nu uh, still stubborn. Stop the spyware? No. (She's getting irritated at this point). CERT Recommended to stop using IE? Still won't let me install it.
    *pause*
    She then asks if our mother uses it. I said yes (thanks to me).
    "Ok, install it."

    Homeland security be damned, it's the MOTHERS we need to convert.
    • by Groucho (1038) on Friday July 02 2004, @11:07AM (#9592669)
      I've got a better way to convince users.

      We need to stand up and tell all the family members and friends we're supporting for free - we are, after all, unpaid Microsoft technical support, without whom the users might as well be using command-line Unix - that they can either stop using IE, stop calling us for support, or expect a $200.00 per hour charge, with a one hour minimum per call.

      Enough is enough. No more unpaid work cleaning up after Bill. It's like walking behind an elephant with a dustpan and a broom.
      • by mandolin (7248) on Friday July 02 2004, @11:19AM (#9592822)
        We need to stand up and tell all the family members and friends we're supporting for free - we are, after all, unpaid Microsoft technical support, without whom the users might as well be using command-line Unix - that they can either stop using IE, stop calling us for support, or expect a $200.00 per hour charge, with a one hour minimum per call.

        Riiiight... see, if you do that, your family might kick you out of the basement. Not that I would know or anything. Nosiree.

        (What, did you think you were good for anything else?)

  • by tabdelgawad (590061) on Friday July 02 2004, @10:58AM (#9592541) Homepage
    For those considering installing Firefox on Win2k PCs they don't have 'administrator' accounts on, I can report that it installs and works perfectly well from a 'power user' account. Perfect for those considering an installation on a work PC.

    You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.

    Happy browsing!
  • Yeah Right (Score:5, Interesting)

    by BigDork1001 (683341) on Friday July 02 2004, @10:58AM (#9592543) Homepage
    Homeland Security says to stop using IE but in the Air Force we're still using it and I haven't heard any plans to switch to something else. It's good to know that the DoD is listening to the security measures of the other departments.
  • Kinda funny... (Score:5, Interesting)

    by devphaeton (695736) on Friday July 02 2004, @11:00AM (#9592560)
    Not 4 months ago MSN.com (obviously slanted) was trumpeting around "BROWSER WAR IS OVER!!!" and proclaiming that IE was the clear victor (though they never gave the conditions that made it a victor, they just sensationalized and re-iterated the same shit over and over in different wording in True Fox News Style(tm))

    MS to "win the browser war" just in time to have their browser shot down every time they turn.

    They had better wake up to this, too... These days, "internet" is about 85% of what computing is about. MS with all their attempts to blur the lines between your computer and the internet, and their flagship web application is poo.
  • by bodrell (665409) on Friday July 02 2004, @11:01AM (#9592575) Journal
    Where I work, the new management is enamored of IE. Although our current IT dept. installed Mozilla on all our computers (and REMOVED IE) I hear we'll be forced to use Outlook for email in the near future. It makes me want to vomit. Whenever family or friends tell me about their computer problems, whether viruses or adware or whatever, my main advice is 1) stop using Internet Explorer and 2) stop using Outlook.

    I've been posting news articles like this one around the workplace, but man, is it hard to get anyone to listen. If HQ won't even listen to this headquarters's own IT department, why should they listen to someone in R&D?

    Bah. Anyone have any advice on this?

    • by BeerMilkshake (699747) on Friday July 02 2004, @11:26AM (#9592920)
      You mu$t phra$e your propo$al$ in term$ that management under$tand$ ... Seriously, though, you need to obtain quantifiable evidence that proves the organization will save money, and how much. Anybody who knows what you are doing will resist you, so watch out...
  • A fix for IE?? (Score:5, Informative)

    by Sergeant Beavis (558225) on Friday July 02 2004, @11:02AM (#9592588) Homepage
    Microsoft [microsoft.com] released a fix for this issue today. Basically it disables the ADODB.Stream object. However, it requires a regedit to implement. I imagine a hotfix is forthcoming. Still, Firefox and Mozilla don't suck at all, so people should at least use this as an excuse to give them a try IMO.
  • by mgoss (790921) on Friday July 02 2004, @11:04AM (#9592617)
    A support article [microsoft.com] by Microsoft suggests a solution to the holes in their product, specifically the one where an address can be spoofed and displays a different url than the one you're actually at. Solution: Don't click on links! :)

    "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself."
  • Serious for MS (Score:5, Interesting)

    by Decaff (42676) on Friday July 02 2004, @11:06AM (#9592650)
    This kind of thing could be serious for Microsoft. Their strategy is 'thick client' - the browser and other features are integrated into the operating system. If security issues remain while the browser becomes a fundamental part of future Windows use, they are in trouble.
  • by LostCluster (625375) * on Friday July 02 2004, @11:07AM (#9592666) Homepage
    "Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.

    Let's see what we have here.
    - First sentence tells us that Microsoft isn't going to try to attack the credibility of CERT because that'd be unlikely to get anywhere.
    - Second sentence is trying to blame "the media" for misreporting the story, but the media's working from a primary source that has a section heading called "Use a different web browser". I don't know how you're "misrepresenting" that when you take that as a suggestion to download any browser that isn't Internet Explorer which means Mozilla, Opera, Netscape or any other competitor out there. They want CERT to take back the recommendation to just stop using IE... that's the only kind of "clarification" that's possible here.

    Microsoft clearly wants a CERT retraction. But do they stand any chance at getting one?
  • by devphaeton (695736) on Friday July 02 2004, @11:10AM (#9592697)
    1) IBM is our friend
    2) Apple is no longer just for coddled sheep
    3) Sun is dying
    4) Sun is embracing linux
    5) Sun is no longer embracing linux
    6) SGI is dying
    7) ???

    8) We might be watching the beginning of the end for Microsoft. Not just in this, but the whole pile of events over the last couple of years. If Microsoft loses relevance, and market share, and withers away...

    Who Is Going To Be The New Evil Empire????

    I want to know who to unconditionally hate next!!
  • by Platinum Dragon (34829) on Friday July 02 2004, @11:12AM (#9592725) Journal
    Anyone want to place bets on whether some clever MS lawyer is preparing to argue that any antitrust action related to the browser bundling should be tossed out, because the feds are now encouraging people to use browsers written by the competition? After all, if the government acknowledges that there is legitimate competition, then clearly, MS must not be abusing its desktop monopoly, since so many people are now downloading those free alternatives... right?

    As an alternative... imagine if DHS came out and said that a flaw in GM vehicles aided terrorists, and people should purchase Ford and Chrysler vehicles until the flaw is repaired. Do you think GM would immediately start demanding financial compensation for lost sales and market share from the federal government?

    Now, extend that to MS, despite the fact that IE is, effectively, free. If the whole thing still seems unbelievable, insert Robert Heinlein's quote about corporations thinking they have an unassailable right to make a profit above all else here. I'll bet good money MS is already preparing the legal briefs for some kind of retaliation.
  • Cool, will that mean that some of the idiot web designers will actually start taking non-compatibility complaints seriously? Like those laden with Javascript that works nowhere else but with IE. Take Expedia.com, where the calendar pop-ups [expedia.com] only work with IE or Priston Tale web site [pristontale.com] where the side menus don't appear if you don't have IE (I already supplied a fix which was ignored) - actually this one should be lumped with the GIS2 web site for excessive use of Flash.

    Maybe pigs will fly first?

    Just one note: Mozilla has one big advantage over Opera and Safari for MS-based corporate networks: it supports NTLM.
  • Ahem, Ahem (Score:5, Insightful)

    by WhiteWolf666 (145211) <moc.liamg ta edalbnroom> on Friday July 02 2004, @11:13AM (#9592743) Homepage Journal
    I'd like to take this opportunity to emphasize the negatives of an unhealthy competitive market.

    When monopolists crush the competition, and you have one company with 95% marketshare, that company gets lazy.

    It produces shitty products, slows development (compare development now with when they were trying to crush netscape), all the while making monopoly profits.

    Thankfully, the GPL seriously reduces the barriers to entry, because it would be DAMN hard to get either Gecko/Mozilla or KHTML/Konqueror/Safari relicensed and 'shut-down', or integrated into the MS lineup.

    Mark my words, if there was no one else but Opera, MS would think long and hard about crushing it.

    Monopoly bad, folks, m-kay?
  • by devphaeton (695736) on Friday July 02 2004, @11:18AM (#9592809)
    Netcraft confirmed in a report today that the beleaguered Pop-Up Advertisement industry is citing Mozilla and Firefox as the driving force that has snuffed out their livelihood and threatens to drive them into extinction....

    (c'mon, someone else can do this better than me) :-D

    In other news.... when parasites and popups are no longer possible, what sorts of nefarious crap will the nefarious-mongers do next?
  • by newt (3978) on Friday July 02 2004, @11:20AM (#9592830) Homepage
    Wow. Think how much worse this'd be for Microsoft if IE was a core part of the operating system!

    - mark
  • by danielrm26 (567852) * on Friday July 02 2004, @11:20AM (#9592838) Homepage
    Here's my piece I did on the topic about a week before the CERT announcement:

    http://www.dmiessler.com/reading/ie.html
  • by ctid (449118) on Friday July 02 2004, @11:25AM (#9592901) Homepage
    It's easy to bash Microsoft, but I think we should give credit where it is due. After all, Microsoft has acted very quickly to fix this problem; users who have patched their version of IE can no longer access the Department of Homeland Security's webpage [dhs.gov].

    • by El Camino SS (264212) on Friday July 02 2004, @11:16AM (#9592772)
      You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.

      NO ACTIVE X. That means no sneaky little programs in your system.

      The open source movement is well on top of issues like this... always have been.

      Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.

      Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.

      Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.