
German Government Advises Public To Stop Using IE

Posted by Soulskill
from the enough-is-enough dept.
An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"

  • A stinging lesson (Score:5, Interesting)

    by Senes (928228) on Saturday January 16, 2010 @09:04AM (#30790006)
    This is just a personal anecdote, but take it as you will. About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled. Mind you, this was a week ago. Fortunately I'm on a dual boot system and I was able to go into Linux to delete the malignant exe files, which gave me a foothold to manually recover from the rest of it. IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.
    • by headbulb (534102)

      I had a similar thing happen to me. Browsers really could use better plugin controls I should be able to disable any plugin without having to uninstall it.. Why does someone need to view a pdf in a browser anyways?

      I am on a netbook so I am back on linux. (didn't come with a windows cd)

      A worm can move through a pdf file quick.

      • Re: (Score:2, Informative)

        by maxume (22995)

        Firefox gives you the option of disabling plugins without uninstalling them (as does IE8, those are the only 2 browsers I have installed).

        Adobe Reader also gives you the option of not loading pdfs in the browser (the browser simply prompts you to save the file).

      • by sopssa (1498795) * <sopssa@email.com> on Saturday January 16, 2010 @11:04AM (#30790740) Journal

        Which is why I don't understand parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.

        And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on website.

    • by dangitman (862676)

      About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled.

      What kind of web page was that, and what was so compelling about it that you decided to use IE to get it to load?

      • by Idiomatick (976696) on Saturday January 16, 2010 @10:37AM (#30790562)
        Natalie Portman.
      • by mlts (1038732) *

        You would be surprised. There are still a lot of websites out there which will not just tell you to take a hike if you are not using IE, but actually run JavaScript tests to check if someone spoofed the user agent field.

        My solution: Run IE... but in a limited user session in a virtual machine that rolls back to a known good snapshot when closed. This works on Macs, and Windows boxes. Since Windows 7 offers XP as a download, might as well take advantage of it. This way, any zero days just mean that the

        • by mlts (1038732) *

          Clarification here: This is for versions of IE less than 8. IE 8 is good enough to use as an everyday browser, as long as you have Protected Mode selected for all zones (even trusted), and that DEP is on (it ships that way.)

          It is crazy, but there are sites out there that consider anything but IE6 unauthorized, and actually do scripting tests to validate what someone is using.

        • Re: (Score:3, Insightful)

          by IdleTime (561841)
          And I do take a hike in those cases.

          If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.
          • Re: (Score:3, Insightful)

            by Bert64 (520050)

            The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses ie, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason no one viewed his site using any other browser was because his site didn't work and they didn't feel it important enough to complain.

        • There are still a lot of websites out there which will not just tell you to take a hike if you are not using IE, but actually run JavaScript tests to check if someone spoofed the user agent field.

          A lot?

          I haven't seen any for years.

          Examples please?

        • by Nathrael (1251426)
          My solution: *do* take a hike and don't deal with the morons trying to shove IE down your throat.
    • You probably already know that, but as you probably do with linux, you should not use stuff like IE with your Admin account.

    • what version of windows ?

      do you login as an admin by default ?

    • Stop using Windoze or anything created by M$, since it is clear the US government is ever going to hold them responsible for anything. It is all a crock of shit.

      And if you have to, run it in a VM, set up so you can re-image the C: drive at any time.

      If US law worked, vide SCO v IBM, M$ would have been sued into bankruptcy years ago.
    • The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled

      I guess my question would be, why were you running Windows as an admin account that would even let you, as a user, have permissions to do any of this stuff. I mean, you can tout Linux as much as you want, but in this case, the real culprit is your shoddy use of Windows security tools. I mean

      • I mean, would you run FireFox as root in Linux?

        What would happen if I did that and went to the same website?

    • by couchslug (175151)

      Links please?

      I'd like to those that using a VM. (VirtualBox for teh convenient win!)

    • Solution: firewall IE to anything non localhost and switch to Firefox or Opera.

    • Re: (Score:3, Insightful)

      by BitZtream (692029)

      You do realize that the fact that FireFox was crashing shows that it's also affected by the exploit that hit IE ... right?

      The ignorance in your post and the fanboys that drool over this sort of thing is mind boggling and is a good example of why people outside of slashdot don't take you or FireFox seriously.

    • Re: (Score:3, Informative)

      by CyclistOne (896544)
      This happened to a friend of mine. His system was totally hijacked. Couldn't run any .exe. I finally got into the registry and disabled the malware, and things were seemingly back to normal. But we re-imaged the machine and restored his backed-up data. It was a pain, but it didn't take that long. But it was a similar thing, I think. Firefox crashing - go try IE, and bang.
  • by ansak (80421) on Saturday January 16, 2010 @09:05AM (#30790010) Homepage Journal
    Use Internet Exploder for web browsing, Use Outlook or Outlook Distress for reading e-mail. nuff said...ank
    • by Presto Vivace (882157) <marshall@prestovivace.biz> on Saturday January 16, 2010 @09:22AM (#30790114) Homepage Journal
      You know your product's reputation is in trouble when a government advises the public to dump it.
      • by Ilgaz (86384) on Saturday January 16, 2010 @09:42AM (#30790220) Homepage

        I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting MS IE department and tell them "Guys, enough is enough, you are threatening our national security."

        Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, it is fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens whole globe economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things go way more serious.

        • by gbjbaanb (229885) on Saturday January 16, 2010 @10:07AM (#30790356)

          Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Anything more dangerous than IE? Yeah. Adobe Flash. One implementation, almost the same code, across every browser and on several platforms.

          Oh, wait, wasn’t there just a 0day in that?

          Also, that exploit is the other “Chinese” 0day, which targets Adobe Reader, rather than IE. Firefox would be just as vulnerable if the Adobe Reader plugin was installed, or if you subsequently opened that PDF in Adobe Reader (other PDF readers are, of course, not affected).

          They didn’t find this vuln them

          • Security Tracker [securitytracker.com], best tool I know of to track security vulnerabilities.
          • Adobe says their tool wasn't abused on this case. What makes you think I don't say same thing to Adobe? In fact, just 3 days ago, I suggested Adobe to fire entire Mac department. A "browser" is the platform to access to web, plugins can always be abandoned but browser is more like the "kernel". I don't want to panic anyone but even if they use Firefox, disable access to IE, as long as IE shared dlls used for HTML rendering in various tools (e.g. "what's new today"), they are still vulnerable.

            While I won't t

          • Re: (Score:3, Informative)

            by Bert64 (520050)

            The problem at least as far as PDF readers go, is that most users don't realise PDF is a standard and that there are multiple implementations... They think Adobe make the only pdf reader available.
            I would never install acrobat reader, the default pdf readers in macos and linux work much better, far less bloated, and there are plenty of alternatives available for other platforms too.

        • Did it occur to you, that maybe the reason for their “non-reaction” is that either
          A) They are the ones who chose for those holes to be in there in the first place?
          B) MS and those TLAs got so many revolving doors that they are practically one?
          C) Somethingsomething... PROFIT? ;)

        • The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.

          Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS

      • by miknix (1047580)

        Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously.. I see people working in the middle of a "adware popups up window, user closes it" kind of game and they don't even seem to bother. When is this going to change???

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Maybe the summary shouldn't have let out the most important word: temporary. Here a translation of the headlines:

        original:
        Kritische Sicherheitslücke im Internet Explorer
        BSI empfiehlt die vorübergehende Nutzung alternativer Browser

        translation:
        Critical security hole in Internet Explorer
        BSI recommends to temporarily use alternative browsers

      • You know your product's reputation is in trouble when a government advises the public to dump it.

        Dude, that was the case back ten years ago, too. Facts and technical data don't play a role in situations where Microsoft products get deployed.

        You know you have a cult-like following when governments, research universities and a handful of computer magazines advise the public to dump your product and it still retains market share [groklaw.net]. Having EULAs that prohibit benchmarking doesn't hurt either. Nor does it hurt to have insiders [linuxtoday.com] paid for by the victim's own budget.

        How long must this go on? Put a dollar

  • by FlyingBishop (1293238) on Saturday January 16, 2010 @09:06AM (#30790022)

    This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.

    Of course, the fact that it was present across all versions of IE suggests some fundamental architecture flaws that Microsoft has yet to correct.

    • Yeah sure (Score:5, Informative)

      by SmallFurryCreature (593017) on Saturday January 16, 2010 @09:15AM (#30790064) Journal

      It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

      MS apologists, you got to admire their dedication. The Iraqi minister of information used windows as well.

      • by awitod (453754)

        DESPITE claimed complete rewrites of the code

        Claims by who? Do you have a link? If this is true I'm not surprised your post is currently 5:Informative because I have never heard of this and I like to think I pay close attention in this space.

        • Re:Yeah sure (Score:4, Informative)

          by Maxo-Texas (864189) on Saturday January 16, 2010 @10:41AM (#30790602)

          He's probably thinking of articles like this:
          http://www.itwriting.com/blog/541-mshtml-layout-engine-completely-rewritten-for-internet-explorer-8.html [itwriting.com]

          Interesting article here: http://www.joelonsoftware.com/articles/fog0000000069.html [joelonsoftware.com]

          "[netscape killed themselves by rewriting]
          Well, yes. They did. They did it by making the single worst strategic mistake that any software company can make:
          They decided to rewrite the code from scratch."

          Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

          • There is some value in that statement, but it's also true that code is like a map of the problem domain, and that once you have mapped a particular area, there's often a better path through it than the one you originally took.

          • Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

            That works if the architecture of the existing code is reasonably sound, and only some minor flaws have to be corrected.

            In the case of IE I doubt that. The close integration into the operating system alone makes it suspect, because that is the opposite of modular programming. The long history of security flaws also suggests that the coding isn't the best. IE may well be one of those abominations that are best terminated and replaced by something else.

        • Er, isn't a complete rewrite what's supposed to happen when the developer increments the main version number (like going from IE 6 to IE 7)? Even if there's no documentation of Microsoft explicitly saying that IE was completely rewritten, I would think that the incremented version number is claim enough.

        • by Joe U (443617)

          I'm guessing it was to get rid of the last bits of Spyglass Mosaic code, so they would stop having to license it.

    • by sakdoctor (1087155) on Saturday January 16, 2010 @09:17AM (#30790072) Homepage

      Why be fair to Microsoft in this case? Bashing where bashing is due;
      IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.

      Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into windows, for leveraging purposes. Didn't even try to keep on top of updates letting it stagnate.
      It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

      • by McGiraf (196030) on Saturday January 16, 2010 @09:32AM (#30790170) Homepage

        "Wrote the piece of shit in the first place"

        No, they bought/stole the Microsoft way from Spyglass.

        http://en.wikipedia.org/wiki/Spyglass,_Inc [wikipedia.org].

        (the link ends with a dot slashdot moves it after "[wikipedia.org]". bug! )

        • Interesting thanks.
          I joined the party mid to late browser wars, so that was a bit before my time, but I do remember reinstalling windows, 5 times in a day because IE4 was so volatile.

          IE (4-5-6) has always been a complete disappointment, and the day someone told me about the plucky little upstart Firebird 0.6, I never had to use it as my main browser again.

        • by Kjella (173770)

          Use html and it'll work [wikipedia.org]. I'd say it's possibly a feature to avoid extra dots from a sentence ending which are not part of the URL.

        • No worries, I made a redirect.

    • by peragrin (659227) on Saturday January 16, 2010 @09:19AM (#30790086)
      Of course the fact that MSFT let the chinese view the source code for http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html [cnet.com] windows. Has nothing to do with it. Sure it was 6 years ago, the question is how long was china running the operation and how many field tests did they get away with and for how long?

      Something like this has been in at least limited operation for a couple of years.
    • It’s not at all about who it could have happened to.
      It’s about the fact that with no other browser developer would dare to still not have a patch available.
      The Mozilla team would probably have released a patch in about 3 hours of a furious team effort. The Opera team maybe even more because their business depends on these things. And even Apple and Google would not dare taking that long.

      Then again, knowing what a huge mess of spaghetti code of an upside-down pyramid the Trident engine is, I

  • by yupie (772822) on Saturday January 16, 2010 @09:07AM (#30790026)
    Ironically, in Belgium they have just had a (somewhat controversial) campaign, where a new all-Belgian browser "Paladin" (http://www.getpaladin.be/splash.php) was going to be launched, which appeared to be just fake, pointing to and arguing for the already super-safe IE8 browser :-)
  • Right Decision? (Score:3, Insightful)

    by Henry V .009 (518000) on Saturday January 16, 2010 @09:10AM (#30790048) Journal
    According to the original article, DEP (enabled by default in IE8) and sandbox mode (Windows 7, Vista) all stop this zero day.

    If that is the case, doesn't that count in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.
    • by Anonymous Coward on Saturday January 16, 2010 @09:16AM (#30790070)

      However, it seems that IE has some pretty good built-in protections that Firefox lacks.

      Sir, your power of deductive reasoning is astonishing!!

      Now if it was Firefox that was hacked, the previous statement would be in your favor.

      Instead...

    • by MtHuurne (602934)
      I don't think it still counts as a 0-day at this moment, since the vendor has been informed. I do agree that Firefox would benefit from sandboxing and other extra security measures, but those are no substitution for quick patching.
    • Re:Right Decision? (Score:5, Interesting)

      by benjymouse (756774) on Saturday January 16, 2010 @09:35AM (#30790184)

      DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.

      But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker execute string constants.

      The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.

      Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

      Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.

      • Re: (Score:3, Interesting)

        by TheRaven64 (641858)

        Java inherently has the ability to both write and execute code

        But not at the same time. One of the OpenBSD guys had to do with their port (which is now in mainstream), and which I helped implement for LLVM, is W^X support. DEP is Microsoft's implementation of W^X, i.e. no page may have both write and execute permission at the same time (although they only support it properly on CPUs with the NX bit; OpenBSD does it using horrible hacks involving relocating pages within segments in the absence of NX page protection). That means that you can't execute data that you wr
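The W^X rule described in the comment above (no page writable and executable at the same time), as an added example that is not part of the original thread: a small auditor that scans a Linux `/proc/<pid>/maps` listing for regions that break the rule. The Linux maps format, the function names and the sample listing are assumptions made for this illustration; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from a real process).
 * The third region is both writable and executable, i.e. it breaks W^X. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example\n"
    "00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/example\n"
    "7f2c10000000-7f2c10021000 rwxp 00000000 00:00 0 \n"
    "7f2c1c000000-7f2c1c400000 r-xp 00000000 00:00 0 \n"
    "7ffd5e3f1000-7ffd5e412000 rw-p 00000000 00:00 0 [stack]\n";

/* Return 1 if one maps line describes a region that is writable AND
 * executable at the same time, 0 otherwise (including unparsable lines). */
int line_violates_wx(const char *line)
{
    unsigned long long start, end;
    char perms[5];

    if (sscanf(line, "%llx-%llx %4s", &start, &end, perms) != 3)
        return 0;
    if (strlen(perms) < 3)
        return 0;
    /* perms is "rwxp"-style: index 1 is write, index 2 is execute. */
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X regions in a whole maps-format text buffer. */
int count_wx_violations(const char *text)
{
    int count = 0;
    const char *p = text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full;
        char line[512];

        if (len >= sizeof line)          /* truncate overlong path names */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        count += line_violates_wx(line);

        p += full + (nl ? 1 : 0);        /* step past the newline, if any */
    }
    return count;
}

/* Stand-alone use: audit this process, or the sample if /proc is absent. */
int main(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;

    if (!f) {
        printf("sample: %d W+X region(s)\n", count_wx_violations(SAMPLE_MAPS));
        return 0;
    }
    while (fgets(line, sizeof line, f)) {
        if (line_violates_wx(line)) {
            printf("W+X region: %s", line);
            found++;
        }
    }
    fclose(f);
    printf("self: %d W+X region(s)\n", found);
    return 0;
}
```

A JIT that follows the rule shows up here as separate `rw-` and `r-x` regions; an `rwx` region is the case the auditor reports.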

      • Re:Right Decision? (Score:5, Insightful)

        by theLOUDroom (556455) on Saturday January 16, 2010 @12:26PM (#30791400)
        Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days

        What a bunch of crap!
        Where's your proof?

        #1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
        #2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
        #3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares is a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.
      • Re: (Score:3, Insightful)

        by jthill (303417)

        Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

        The rest of your post, including the sandboxing point, deserves that 5. This one doesn't belong on the same page.

        Everyone paying attention can see that Firefox (and open-source general practice) reports and patches as critical security holes [mozilla.org] bugs for which there's only theoretic or even just heuristic [mozilla.org] evidence of a potential security breach, while Microsoft's usual reports are of bugs that have actually been exploited and are often actually leaking data in the wild, and eventually releases patches for

    • by lukas84 (912874)

      DEP, which is a Windows feature and not an IE feature, is also active for recent versions of Firefox.

      What Firefox lacks though is the sandboxing using a lower-privileged logon (Protected Mode).

    • That would be like saying Chernobyl has some pretty good built-in protections that domestic nuclear plants lack, because they have to wrap another new sarcophagus around it every couple of years!

      And because all of them will explode sometime.

      Yeah, great argument! ;)

  • "patch from Microsoft is still nowhere to be seen"


    Isn't it just easier to upgrade to IE 8?
    • Perhaps they can't (Score:4, Interesting)

      by Ilgaz (86384) on Saturday January 16, 2010 @09:48AM (#30790252) Homepage

      Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?

      What would happen?

      In fact, even if a tool has upgrade and released by vendor, you can't roll IE 8 to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and click all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/Video guys have finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust to Apple for updates let alone blindly updating/patching their windows which is way more complex.

      • As someone else suggested, you could roll out Firefox (or Opera...) and tell everyone to use that for everything except the intranet. If possible, block IE6 from accessing the Internet, so the new browser is the only one that works for accessing dubious sites.

        Yes I realize that some of your users will be pissed. That's why you need management behind that sort of discussion. Talk to your boss first. Maybe he needs to take it even higher, lest the CEO comes down on you for making his porn surfing less conveni

  • by kill-1 (36256) on Saturday January 16, 2010 @09:29AM (#30790158)

    It's a German federal agency, not the German government. And they warn users about IE every time there is a major unpatched security hole.

    • by dangitman (862676)

      It's a German federal agency, not the German government.

      ???

  • At work we use MSIE 7 on Vista. Although my employer is open to alternatives it must be strictly planned before making such a switch. Is it possible to switch to, say, Firefox, while still retaining update possibilities? All users are limited in rights, so no admin rights, which Firefox normally needs to be updated. Imho Mozilla needs to work harder to get companies to run their software.
    • by Ilgaz (86384) on Saturday January 16, 2010 @09:55AM (#30790286) Homepage

      Firefox/Mozilla guys live in some imaginary World where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

      IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.

      Firefox resists to ship a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason let alone doing the stuff above. Near all those ".exe" shareware etc. stuff you see are in fact MSI packages packed into .exe file for convenience and prevent web server issues.

      It got more unexplainable since there is a complete open source MSI packager which is hosted at sourceforge ( http://wix.sourceforge.net/ [sourceforge.net] ) and interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no name software, it is Firefox.

      • Feel free to package MSI packages for your clients.

        • Re: (Score:3, Insightful)

          by Bacon Bits (926911)

          Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.

        • That is what my large system administrator friends are doing for years and some of them are really sick and tired of doing it over and over. Some administrators won't really care to package "your" application or download from 3rd party (must be insane). Even 5 user home networks using OS X/Remote Desktop are starting to get bugged about no OS X PKG.

          One more thing: MSI has advantages like package verification, signing and _repair_. It is what RPM is to a Redhat OS or DEB to Debian. Ignoring it is really chil

      • by Arker (91948)

        Firefox/Mozilla guys live in some imaginary World where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

        Yeah, sad but true. This is why Debian had to ditch firefox after all.

        Maybe people running Windows in large organisations should switch to debian and iceweasel instead of trying to wrestle. In fact that sounds like an excellent idea!

        Alternatively, it is quite possible to roll a customised firefox/windows setup as well. A "large organisati

      • Re: (Score:2, Informative)

        by Ysangkok (913107)
      • by BitZtream (692029) on Saturday January 16, 2010 @12:57PM (#30791668)

        You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.

        Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.

        All of it can be done via command line switches. They uses NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.

        People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.

        For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.

        Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.

    • by lseltzer (311306)

      You do realize that IE7/Vista is not (by default) vulnerable to the Aurora attacks, don't you? So this incident isn't really a lesson for them to switch.

      Perhaps you can get them to use Chrome. Google's a real company after all.

  • Use fascist GPOs (Score:5, Interesting)

    by mousse-man (632412) on Saturday January 16, 2010 @10:00AM (#30790304) Homepage

    In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:

    - run javascript
    - directly launch an associated application (like a PDF)
    - run Flash
    - run ActiveX
    - change of the default home page
    - install toolbars
    - use any other search provider except Google

    amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.

    Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly windows company.

  • by Azureflare (645778) on Saturday January 16, 2010 @10:29AM (#30790500)
    IE6 will never die. I wish it would, to be honest; I agree that I hate IE6 with a passion as a web developer and wish it would go the way of the dinosaur.

    However, here's a little anecdote of why IE6 will never die:

    Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.

    Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.

    It makes me a sad panda :( Especially when I realize there are so many people still using IE6 in that company that have opened themselves up to huge security breaches just by browsing the web.

    Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.
    • by couchslug (175151)

      "Perhaps it will take some huge widespread event (like Operation Aurora)"

      Attacks breed robustness by killing off the "slowest zebras". If we want strong systems, we need malicious players to make running vulnerable systems so dangerous that they are replaced.

      People will not run secure systems unless their insecure systems are broken for them.

  • by prefec2 (875483) on Saturday January 16, 2010 @10:43AM (#30790616)

    The "Bundesamt für Sicherheit in der Informationstechnik" (BSI), engl. Federal Bureau for Security in Information Technology, is not a governmental, but a state institution. It is not strictly driven by the government. And it is controlled by the parliament. Even though it works in the domain of the ministry of the interior. So no minister was involved in the "do not use IE" speech.

    BTW: IE has not the biggest market share in Germany.
