German Government Advises Public To Stop Using IE
Posted by Soulskill from the enough-is-enough dept.
An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"
Right Decision? (Score:3, Insightful)
If that is the case, isn't that in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.
Shouldn't they be upgrading before complaining? (Score:2, Insightful)
Isn't it just easier to upgrade to IE 8?
Before anyone starts throwing stones... (Score:2, Insightful)
Check if you're in a glass house first [secunia.com].
Re:Good (Score:2, Insightful)
It's probably safer anyway to use different browsers for intranet and internet.
Re:Friends don't let friends.... (Score:5, Insightful)
Re:Before anyone starts throwing stones... (Score:5, Insightful)
How to convince my employer to switch? (Score:2, Insightful)
Firefox doesn't even ship official MSI (Score:4, Insightful)
Firefox/Mozilla guys live in some imaginary world where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.
IE, on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.
Firefox resists shipping a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason, let alone doing the stuff above. Nearly all those ".exe" shareware etc. stuff you see are in fact MSI packages packed into an .exe file for convenience and to prevent web server issues.
It got more unexplainable since there is a complete open source MSI packager which is hosted at sourceforge (http://wix.sourceforge.net/ [sourceforge.net]) and the interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no name software, it is Firefox.
Re:A stinging lesson (Score:2, Insightful)
Not a problem at all for those of us who aren't forced to run Microsoft software.
Not a problem at all for those of us who choose to not use Adobe's software.
Re:Not a bit late? It is like a spy platform alrea (Score:5, Insightful)
Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".
IE6 is the zombie browser. (Score:3, Insightful)
However, here's a little anecdote of why IE6 will never die:
Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.
Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.
It makes me a sad panda
Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.
Re:Firefox doesn't even ship official MSI (Score:3, Insightful)
Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.
Re:A stinging lesson (Score:5, Insightful)
Which is why I don't understand parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.
And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on a website.
Re:A stinging lesson (Score:5, Insightful)
TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?
By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins being off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.
I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.
Re:A stinging lesson (Score:3, Insightful)
If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.
Re:A stinging lesson (Score:4, Insightful)
I'm required to use Adobe's horrible products.
As far as I'm concerned, Adobe is a far greater security threat to my network than IE. I do not understand why people insist on using Adobe products. They are a pain to administer, and not particularly useful. Rather than concentrate on MS, why doesn't the EU take a look at a real threat, Adobe?
Re:A stinging lesson (Score:3, Insightful)
The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses IE, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason no one viewed his site using any other browser was because his site didn't work and they didn't feel it important enough to complain.
Re:Right Decision? (Score:5, Insightful)
What a bunch of crap!
Where's your proof?
#1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
#2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
#3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.
Re:A stinging lesson (Score:3, Insightful)
You do realize that the fact that Firefox was crashing shows that it's also affected by the exploit that hit IE ... right?
The ignorance in your post and the fanboys that drool over this sort of thing is mind boggling and is a good example of why people outside of slashdot don't take you or Firefox seriously.
Re:A stinging lesson (Score:2, Insightful)
Affected by the exploit? In a word, yes. Affected in the same way? Doesn't sound like it one bit.
I'd rather have my browser crash than simply hand over the keys to my entire OS.
Re:Not a bit late? It is like a spy platform alrea (Score:3, Insightful)
The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.
Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS don't have to care because they know that regardless of how bad their software is, the majority of their customers won't be able to move away. In fact, they are more likely to buy new versions in the hope that they will solve the security problems.
If we had a competitive market, anyone with such a poor reputation would be forced to fix things or face going bankrupt. And anyone looking to attack, would have to investigate multiple platforms and do some research on which of these their intended victim was using.
Re:Firefox doesn't even ship official MSI (Score:2, Insightful)
Firefox resists shipping a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason
You're not _supposed_ to use installer packages for simple self-contained apps (which Firefox is) on OS X. Drag-n-drop from a compressed DMG is the preferred way except for exceptional cases that need to install frameworks or kernel extensions outside of the .app bundle.
A self-contained app can be distributed by a network admin quite simply with rsync or ARD or an Automator script or umpteen other ways that are fully automatable. People need to stop expecting Microsoft-looking "solutions" for non-Microsoft platforms.
Re:A stinging lesson (Score:5, Insightful)
a) Almost everybody has PDF reader installed (it's preinstalled on most PCs)
b) Firefox managed to contain it.
c) We all know IE is way more promiscuous than other browsers.
Re:A stinging lesson (Score:4, Insightful)
Please tell me you aren't a programmer, you clearly don't get it.
If it's crashing, they've got 95% of what it takes to own you, the next part is just figuring out how to use that to get some code to run.
Re:A stinging lesson (Score:5, Insightful)
Re:Right Decision? (Score:3, Insightful)
Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.
The rest of your post, including the sandboxing point, deserves that 5. This one doesn't belong on the same page.
Everyone paying attention can see that Firefox (and open-source general practice) reports and patches as critical security holes [mozilla.org] bugs for which there's only theoretic or even just heuristic [mozilla.org] evidence of a potential security breach, while Microsoft's usual reports are of bugs that have actually been exploited and are often actually leaking data in the wild, and eventually releases patches for those.
Microsoft, understandably given their nature as a marketing company, is only too happy to persuade the gullible that the two different counts are comparable.
Re:Not a bit late? It is like a spy platform alrea (Score:1, Insightful)
Actually, web developers are the fundamental root cause of the web becoming less secure.
Used to be you could run in the high security zone, click a link, go to the next page. Well, except for online shopping, cookies had to be enabled. Now, on several sites those links are JavaScript this and JavaScript that. Click a JavaScript infested link with JavaScript disabled--nothing happens. So now JavaScript has to be enabled--gotta lower that browser security.
Used to be that a web page having graphics was GIF or JPEG or even PNG. Now, it's all video crap so a page can be one big SWF at the homepage with not even a no-flash link. Want to access the page, need to install the plug-in with all its security risks.
Truth is, MSIE 7 will not even allow a PDF to open in the High security zone. Adobe Reader won't even get launched.
Guys, if you want to do all this Web 2.0 crap that is all well and good, but you really also need a low-bandwidth Web 1.0 alternative for those who still value browsing securely.
Re:To be fair to Microsoft (Score:3, Insightful)
They bundle it with Windows and say to Spyglass: we sell Windows, IE is a free bonus, so no royalties for you.
Then they turn around and say to the DOJ: IE is an integral part of Windows and they cannot be separated.
I think Spyglass had grounds for a lawsuit there. Spyglass's "not-so-great" choice was to accept just $8M instead of going to trial. Maybe they did not have the money to finance a long legal fight with Microsoft.