German Government Advises Public To Stop Using IE
An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"
A stinging lesson (Score:5, Interesting)
Re: (Score:2)
I had a similar thing happen to me. Browsers really could use better plugin controls; I should be able to disable any plugin without having to uninstall it. Why does someone need to view a pdf in a browser anyways?
I am on a netbook so I am back on linux. (didn't come with a windows cd)
A worm can move through a pdf file quick.
Re: (Score:2, Informative)
Firefox gives you the option of disabling plugins without uninstalling them (as does IE8, those are the only 2 browsers I have installed).
Adobe Reader also gives you the option of not loading pdfs in the browser (the browser simply prompts you to save the file).
Re:A stinging lesson (Score:5, Insightful)
Which is why I don't understand the parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.
And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on a website.
Re:A stinging lesson (Score:5, Insightful)
a) Almost everybody has PDF reader installed (it's preinstalled on most PCs)
b) Firefox managed to contain it.
c) We all know IE is way more promiscuous than other browsers.
Re: (Score:2)
About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled.
What kind of web page was that, and what was so compelling about it that you decided to use IE to get it to load?
Re:A stinging lesson (Score:5, Funny)
Re: (Score:2)
You would be surprised. There are still a lot of websites out there which will not just tell you to take a hike if you are not using IE, but actually run JavaScript tests to check if someone spoofed the user agent field.
My solution: Run IE... but in a limited user session in a virtual machine that rolls back to a known good snapshot when closed. This works on Macs, and Windows boxes. Since Windows 7 offers XP as a download, might as well take advantage of it. This way, any zero days just mean that the
Re: (Score:2)
Clarification here: This is for versions of IE less than 8. IE 8 is good enough to use as an everyday browser, as long as you have Protected Mode selected for all zones (even trusted), and that DEP is on (it ships that way.)
It is crazy, but there are sites out there that consider anything but IE6 unauthorized, and actually do scripting tests to validate what someone is using.
Re: (Score:3, Insightful)
If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.
Re: (Score:3, Insightful)
The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses ie, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason no one viewed his site using any other browser was because his site didn't work and they didn't feel it important enough to complain.
Re:A stinging lesson (Score:5, Insightful)
Re: (Score:2)
A lot?
I haven't seen any for years.
Examples please?
Re: (Score:3, Interesting)
your online assessment and training solution for Microsoft Office 2007
You got any that aren't Microsoft affiliated?
Re: (Score:3, Interesting)
A quick visit later, it seems to work fine in firefox...
Re: (Score:2)
Re: (Score:2)
You probably already know that, but as you probably do with linux, you should not use stuff like IE with your Admin account.
Re: (Score:2)
what version of windows ?
do you login as an admin by default ?
The CURE (TM) (Score:2)
And if you have to, run it in a VM, set up so you can re-image the C: drive at any time.
If US law worked, vide SCO v IBM, M$ would have been sued into bankruptcy years ago.
Why were you running as an admin? (Score:2)
The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled
I guess my question would be, why were you running Windows as an admin account that would even let you, as a user, have permissions to do any of this stuff. I mean, you can tout Linux as much as you want, but in this case, the real culprit is your shoddy use of Windows security tools. I mean
Re: (Score:2)
What would happen if I did that and went to the same website?
Re: (Score:2)
Links please?
I'd like to those that using a VM. (VirtualBox for teh convenient win!)
Re: (Score:2)
Solution: firewall IE to anything non localhost and switch to Firefox or Opera.
Re: (Score:3, Insightful)
You do realize that the fact that FireFox was crashing shows that it's also affected by the exploit that hit IE ... right?
The ignorance in your post and the fanboys that drool over this sort of thing is mind boggling and is a good example of why people outside of slashdot don't take you or FireFox seriously.
Re:A stinging lesson (Score:4, Insightful)
Please tell me you aren't a programmer, you clearly don't get it.
If it's crashing, they've got 95% of what it takes to own you, the next part is just figuring out how to use that to get some code to run.
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Not a problem at all for those of us who aren't forced to run Microsoft software.
Not a problem at all for those of us who choose to not use Adobe's software.
Re:A stinging lesson (Score:4, Insightful)
I'm required to use adobe's horrible products.
As far as I'm concerned, Adobe is a far greater security threat to my network than IE. I do not understand why people insist on using Adobe products. They are a pain to administer, and not particularly useful. Rather than concentrate on MS, why doesn't the EU take a look at a real threat, Adobe.
Re: (Score:2)
http://en.wikipedia.org/wiki/List_of_PDF_software [wikipedia.org]
Plenty of free PDF readers, converters, writers listed...
Re:A stinging lesson (Score:5, Insightful)
TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?
By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins are off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.
I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.
Friends don't let friends.... (Score:4, Funny)
Re:Friends don't let friends.... (Score:5, Insightful)
Not a bit late? It is like a spy platform already (Score:5, Interesting)
I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting MS IE department and tell them "Guys, enough is enough, you are threatening our national security."
Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, it is fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens the whole global economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things get way more serious.
Re:Not a bit late? It is like a spy platform alrea (Score:5, Insightful)
Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".
Re: (Score:2, Interesting)
Anything more dangerous than IE? Yeah. Adobe Flash. One implementation, almost the same code, across every browser and on several platforms.
Oh, wait, wasn’t there just a 0day in that?
Also, that exploit is the other “Chinese” 0day, which targets Adobe Reader, rather than IE. Firefox would be just as vulnerable if the Adobe Reader plugin was installed, or if you subsequently opened that PDF in Adobe Reader (other PDF readers are, of course, not affected).
They didn’t find this vuln them
Re: (Score:2)
IE is way more bigger deal than you think (Score:2)
Adobe says their tool wasn't abused in this case. What makes you think I don't say the same thing to Adobe? In fact, just 3 days ago, I suggested Adobe fire its entire Mac department. A "browser" is the platform to access the web, plugins can always be abandoned but the browser is more like the "kernel". I don't want to panic anyone but even if they use Firefox, disable access to IE, as long as IE shared DLLs are used for HTML rendering in various tools (e.g. "what's new today"), they are still vulnerable.
While I won't t
Re: (Score:3, Informative)
The problem at least as far as PDF readers go, is that most users don't realise PDF is a standard and that there are multiple implementations... They think Adobe make the only pdf reader available.
I would never install acrobat reader, the default pdf readers in macos and linux work much better, far less bloated, and there are plenty of alternatives available for other platforms too.
Re: (Score:2)
Did it occur to you, that maybe the reason for their “non-reaction” is that either ;)
A) They are the ones who chose for those holes to be in there in the first place?
B) MS and those TLAs got so many revolving doors that they are practically one?
C) Somethingsomething... PROFIT?
Re:Not a bit late? It is like a spy platform alrea (Score:3, Insightful)
The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.
Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS
Re:People are used to it (Score:3, Interesting)
Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously.. I see people working in the middle of an "adware pops up window, user closes it" kind of game and they don't even seem to bother. When is this going to change???
Re: (Score:2, Informative)
Maybe the summary shouldn't have left out the most important word: temporary. Here is a translation of the headlines:
original:
Kritische Sicherheitslücke im Internet Explorer
BSI empfiehlt die vorübergehende Nutzung alternativer Browser
translation:
Critical security hole in Internet Explorer
BSI recommends to temporarily use alternative browsers
How long must this go on? (Score:3, Interesting)
You know your product's reputation is in trouble when a government advises the public to dump it.
Dude, that was the case back ten years ago, too. Facts and technical data don't play a role in situations where Microsoft products get deployed.
You know you have a cult-like following when governments, research universities and a handful of computer magazines advise the public to dump your product and it still retains market share [groklaw.net]. Having EULAs that prohibit benchmarking doesn't hurt either. Nor does it hurt to have insiders [linuxtoday.com] paid for by the victim's own budget.
How long must this go on? Put a dollar
To be fair to Microsoft (Score:5, Interesting)
This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.
Of course, the fact that it was present across all versions of IE suggest some fundamental architecture flaws that Microsoft has yet to correct.
Yeah sure (Score:5, Informative)
It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.
MS apologists, you got to admire their dedication. The Iraqi minister of information used windows as well.
Re: (Score:2)
Claims by who? Do you have a link? If this is true I'm not surprised your post is currently 5:Informative because I have never heard of this and I like to think I pay close attention in this space.
Re:Yeah sure (Score:4, Informative)
He's probably thinking of articles like this:
http://www.itwriting.com/blog/541-mshtml-layout-engine-completely-rewritten-for-internet-explorer-8.html [itwriting.com]
Interesting article here: http://www.joelonsoftware.com/articles/fog0000000069.html [joelonsoftware.com]
"[netscape killed themselves by rewriting]
Well, yes. They did. They did it by making the single worst strategic mistake that any software company can make:
They decided to rewrite the code from scratch."
Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".
Re: (Score:2)
There is some value in that statement, but it's also true that code is like a map of the problem domain, and that once you have mapped a particular area, there's often a better path through it than the one you originally took.
Re: (Score:2)
Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".
That works if the architecture of the existing code is reasonably sound, and only some minor flaws have to be corrected.
In the case of IE I doubt that. The close integration into the operating system alone makes it suspect, because that is the opposite of modular programming. The long history of security flaws also suggests that the coding isn't the best. IE may well be one of those abominations that are best terminated and replaced by something else.
Re: (Score:2)
Er, isn't a complete rewrite what's supposed to happen when the developer increments the main version number (like going from IE 6 to IE 7)? Even if there's no documentation of Microsoft explicitly saying that IE was completely rewritten, I would think that the incremented version number is claim enough.
Re: (Score:2)
Re: (Score:2)
I'm guessing it was to get rid of the last bits of Spyglass Mosaic code, so they would stop having to license it.
Re:To be fair to Microsoft (Score:5, Informative)
Why be fair to Microsoft in this case? Bashing where bashing is due;
IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.
Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into windows, for leveraging purposes. Didn't even try to keep on top of updates letting it stagnate.
It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.
Re:To be fair to Microsoft (Score:5, Informative)
"Wrote the piece of shit in the first place"
No, they bought/stole the Microsoft way from Spyglass.
http://en.wikipedia.org/wiki/Spyglass,_Inc [wikipedia.org].
(the link ends with a dot slashdot moves it after "[wikipedia.org]". bug! )
Re: (Score:2)
Interesting thanks.
I joined the party mid to late browser wars, so that was a bit before my time, but I do remember reinstalling windows, 5 times in a day because IE4 was so volatile.
IE (4-5-6) has always been a complete disappointment, and the day someone told me about the plucky little upstart Firebird 0.6, I never had to use it as my main browser again.
Re: (Score:2)
Use html and it'll work [wikipedia.org]. I'd say it's possibly a feature to avoid extra dots from a sentence ending which are not part of the URL.
Re: (Score:2)
I know, but a workaround is no bug fix.
Link works now anyway (Score:2)
No worries, I made a redirect.
Re: (Score:3, Insightful)
They bundle it with Windows and say to Spyglass: we sell Windows, IE is a free bonus, so no royalties for you.
Then they turn around and say to the DOJ: IE is an integral part of windows and they cannot be separated.
I think Spyglass had grounds for a lawsuit there. Spyglass's "not-so-great" choice was to accept just $8M instead of going to trial. Maybe they did not have the money to finance a long legal fight with Microsoft.
Re:To be fair to Microsoft (Score:5, Interesting)
Something like this has been in at least limited operation for a couple of years.
Re: (Score:2)
It’s not at all about who it could have happened to.
It’s about the fact that no other browser developer would dare to still not have a patch available.
The Mozilla team would probably have released a patch in about 3 hours of a furious team effort. The Opera team maybe even more because their business depends on these things. And even Apple and Google would not dare taking that long.
Then again, knowing what a huge mess of spaghetti code of an upside-down pyramid the Trident engine is, I
IE8 allegedly super-safe (Score:5, Interesting)
Right Decision? (Score:3, Insightful)
If that is the case, doesn't that count in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.
Re:Right Decision? (Score:5, Funny)
However, it seems that IE has some pretty good built-in protections that Firefox lacks.
Sir, your power of deductive reasoning is astonishing!!
Now if it was Firefox that was hacked, the previous statement would be in your favor.
Instead...
Re: (Score:2)
Re:Right Decision? (Score:5, Interesting)
DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.
But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker to execute string constants.
The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak links. At a pwn2own an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be pdf because the pdf reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.
Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.
Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.
Re: (Score:3, Interesting)
Java inherently has the ability to both write and execute code
But not at the same time. One of the things the OpenBSD guys had to do with their port (which is now in mainstream), and which I helped implement for LLVM, is W^X support. DEP is Microsoft's implementation of W^X, i.e. no page may have both write and execute permission at the same time (although they only support it properly on CPUs with the NX bit; OpenBSD does it using horrible hacks involving relocating pages within segments in the absence of NX page protection). That means that you can't execute data that you wr
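Added example, not part of the comments above or of any project they mention: the W^X rule discussed in the two comments (no page writable and executable at the same time), shown as a JIT-style buffer lifecycle plus a check that flags W+X mappings in a `/proc/<pid>/maps` listing. Linux, `/proc/self/maps`, the function names and the sample listing are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample in /proc/<pid>/maps format; the third mapping violates W^X. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example\n"
    "7f10a0000000-7f10a0021000 rwxp 00000000 00:00 0\n"
    "7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one maps line into its address range and 4-character permission field. */
static int parse_line(const char *line, unsigned long *lo, unsigned long *hi,
                      char perms[5]) {
    return sscanf(line, "%lx-%lx %4s", lo, hi, perms) == 3 && strlen(perms) == 4;
}

/* Count mappings in a maps-format text that are writable AND executable. */
int count_wx(const char *maps_text) {
    int hits = 0;
    const char *p = maps_text;
    while (*p) {
        const char *end = strchr(p, '\n');
        size_t full = end ? (size_t)(end - p) : strlen(p);
        size_t n = full < 255 ? full : 255;
        char line[256], perms[5];
        unsigned long lo, hi;
        memcpy(line, p, n);
        line[n] = '\0';
        if (parse_line(line, &lo, &hi, perms) && perms[1] == 'w' && perms[2] == 'x')
            hits++;
        p += full + (end ? 1 : 0);
    }
    return hits;
}

/* Look up the live permissions of the mapping that contains addr. 0 on success. */
int perms_of(const void *addr, char out[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int rc = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
        char perms[5];
        if (parse_line(line, &lo, &hi, perms) && a >= lo && a < hi) {
            memcpy(out, perms, 5);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Phase 1: buffer is writable but not executable while code is generated. */
void *wx_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Phase 2: drop write, add execute. The page is never W and X together. */
int wx_seal(void *p, size_t len) {
    return mprotect(p, len, PROT_READ | PROT_EXEC);
}

/* Walk a buffer through both phases and confirm what the kernel reports. */
int lifecycle_respects_wx(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char perms[5];
    unsigned char *buf = wx_alloc(len);
    int ok;
    if (!buf) return 0;
    ok = perms_of(buf, perms) == 0 && strcmp(perms, "rw-p") == 0;
    memset(buf, 0, len); /* filler standing in for generated code; never executed */
    ok = ok && wx_seal(buf, len) == 0
            && perms_of(buf, perms) == 0 && strcmp(perms, "r-xp") == 0;
    munmap(buf, len);
    return ok;
}

int main(void) {
    printf("W+X mappings in constructed sample: %d\n", count_wx(SAMPLE_MAPS));
    printf("lifecycle keeps W^X: %s\n", lifecycle_respects_wx() ? "yes" : "no");
    return 0;
}
```

The same `count_wx` check can be pointed at the contents of a real `/proc/<pid>/maps` to audit a running process for pages that break the rule.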
Re:Right Decision? (Score:5, Insightful)
What a bunch of crap!
Where's your proof?
#1) It's impossible to conclusively make this statement since we don't have access to Microsoft's internal bug tracker.
#2) The directly comparable indicators we do have (how many major exploits are actually published) do not agree with your statement.
#3) Your statement ignores one other key factor: The time it takes the vendor to fix the bug. Who cares if a browser has only one major security exploit per year if it takes two years for the vendor to fix it? At that point, your ass is always hanging out in the wind.
Re: (Score:3, Insightful)
Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.
The rest of your post, including the sandboxing point, deserves that 5. This one doesn't belong on the same page.
Everyone paying attention can see that Firefox (and open-source general practice) reports and patches as critical security holes [mozilla.org] bugs for which there's only theoretic or even just heuristic [mozilla.org] evidence of a potential security breach, while Microsoft's usual reports are of bugs that have actually been exploited and are often actually leaking data in the wild, and eventually releases patches for
Re: (Score:2)
DEP, which is a Windows feature and not an IE feature, is also active for recent versions of Firefox.
What Firefox lacks though is the sandboxing using a lower-privileged logon (Protected Mode).
Re: (Score:2)
That would be like saying Chernobyl has some pretty good built-in protections that domestic nuclear plants lack, because they have to wrap another new sarcophagus around it every couple of years!
And because all of them will explode sometime.
Yeah, great argument! ;)
Re: (Score:3, Interesting)
Shouldn't they be upgrading before complaining? (Score:2, Insightful)
Isn't it just easier to upgrade to IE 8?
Perhaps they can't (Score:4, Interesting)
Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?
What would happen?
In fact, even if a tool has an upgrade released by the vendor, you can't roll IE 8 to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and clicking all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/Video guys have finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust Apple for updates let alone blindly updating/patching their windows which is way more complex.
Re: (Score:2)
As someone else suggested, you could roll out Firefox (or Opera...) and tell everyone to use that for everything except the intranet. If possible, block IE6 from accessing the Internet, so the new browser is the only one that works for accessing dubious sites.
Yes I realize that some of your users will be pissed. That's why you need management behind that sort of discussion. Talk to your boss first. Maybe he needs to take it even higher, lest the CEO comes down on you for making his porn surfing less conveni
Before anyone starts throwing stones... (Score:2, Insightful)
Check if you're in a glass house first [secunia.com].
Re:Before anyone starts throwing stones... (Score:5, Insightful)
Re: (Score:3, Informative)
MS Internet Explorer 8.x: unpatched 4 of 8 Secunia advisories [secunia.com].
MS Internet Explorer 7.x: unpatched 11 of 42 Secunia advisories [secunia.com].
Opera 10.x: unpatched 0 of 3 Secunia advisories [secunia.com].
I can't see your point, are you trolling?
It's not the "government" (Score:5, Informative)
It's a German federal agency, not the German government. And they warn users about IE every time there is a major unpatched security hole.
Re: (Score:2)
It's a German federal agency, not the German government.
???
Re: (Score:2)
Re: (Score:2)
It is the federal IT security agency, branched out from the secret service. It is part of the ministry of the interior.
How to convince my employer to switch? (Score:2, Insightful)
Firefox doesn't even ship official MSI (Score:4, Insightful)
Firefox/Mozilla guys live in some imaginary world where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.
IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.
Firefox resists shipping a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason let alone doing the stuff above. Nearly all those ".exe" shareware etc. stuff you see are in fact MSI packages packed into .exe file for convenience and to prevent web server issues.
It got more unexplainable since there is a complete open source MSI packager which is hosted at sourceforge ( http://wix.sourceforge.net/ [sourceforge.net] ) and interesting thing is, InstallShield corp like guys would even donate their solutions to them with free automated setups. It is not some no name software, it is Firefox.
Re: (Score:2)
Feel free to package MSI packages for your clients.
Re: (Score:3, Insightful)
Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.
and we are surprised companies are using IE (Score:2)
That is what my large system administrator friends are doing for years and some of them are really sick and tired of doing it over and over. Some administrators won't really care to package "your" application or download from 3rd party (must be insane). Even 5 user home networks using OS X/Remote Desktop are starting to get bugged about no OS X PKG.
One more thing: MSI has advantages like package verification, signing and _repair_. It is what RPM is to a Redhat OS or DEB to Debian. Ignoring it is really chil
Re: (Score:2)
Yeah, sad but true. This is why Debian had to ditch firefox after all.
Maybe people running Windows in large organisations should switch to debian and iceweasel instead of trying to wrestle. In fact that sounds like an excellent idea!
Alternatively, it is quite possible to roll a customised firefox/windows setup as well. A "large organisati
Re: (Score:2, Informative)
JFGI
http://www.frontmotion.com/Firefox/ [frontmotion.com]
Re:Firefox doesn't even ship official MSI (Score:5, Interesting)
You've obviously never dealt with EXEs that are repackaged MSIs and the deadlocks that result during upgrades.
Firefox doesn't need to be an MSI in order to fit into network wide config/update systems.
All of it can be done via command line switches. They use NSIS, as do I, and my corp users have no problem rolling out updates and installs via GPO or login scripts.
People that use the MSI excuse are just ignorant and don't know how to admin the network they are on.
For the record, WIX is a pile of shit, InstallShield is worse, and is notorious for fucking shit up because it likes to inject itself in between the start menu/desktop/quickstart icons and the app so it can 'check the integrity of the files and restore them to their original state if corrupted'. Translation: When you go to uninstall it, you fucking can't if you don't have the original MSI, and for fucks sake don't plan on upgrading if you don't have the original MSI and the new one doesn't have all possible older versions embedded in it.
Anyone suggesting that MSI is a good idea has absolutely no experience or knowledge in the field, or they work for MS or InstallShield. In short, if you push MSI, you are, and I can't say this any nicer, a complete fucking moron.
Re: (Score:3, Informative)
Mozilla is working on an MSI package. There's a bug in bugzilla for that. Vote for it and/or help with coding testing.
You're funny.
Bug 52052 [mozilla.org] was opened in 2000.
Bug 231062 [mozilla.org] was opened in 2004 when 52052 was closed with "WONTFIX"
Sure, there's been recent activity, but it's been TEN years. Until MSI becomes a blocker for 3.6 or 3.7, they'll drop it for the new shiny like they've always done.
Re: (Score:2)
You do realize that IE7/Vista is not (by default) vulnerable to the Aurora attacks, don't you? So this incident isn't really a lesson for them to switch.
Perhaps you can get them to use Chrome. Google's a real company after all.
Use fascist GPOs (Score:5, Interesting)
In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:
- run javascript
- directly launch an associated application (like a PDF)
- run Flash
- run ActiveX
- change the default home page
- install toolbars
- use any other search provider except Google
amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.
Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly windows company.
Re: (Score:2)
It's ActiveX in Internet Explorer that's usually the issue. Turn it off.
I'm sure I have seen this issue before about IE and the zero day issue in a news article.
Yep found it and it has those Chinese hacker type persons in it as well in 2008. ;-)
http://www.h-online.com/security/news/item/Two-new-zero-day-exploits-dent-Microsoft-s-Patch-Tuesday-739273.html [h-online.com]
Here is micro$oft's advice on how to disable Active content.
http://support.microsoft.com/kb/154036 [microsoft.com]
IE6 is the zombie browser. (Score:3, Insightful)
However, here's a little anecdote of why IE6 will never die:
Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.
Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.
It makes me a sad panda
Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.
Re: (Score:2)
"Perhaps it will take some huge widespread event (like Operation Aurora)"
Attacks breed robustness by killing off the "slowest zebras". If we want strong systems, we need malicious players to make running vulnerable systems so dangerous that they are replaced.
People will not run secure systems unless their insecure systems are broken for them.
Not the German Government (Score:4, Informative)
The "Bundesamt für Sicherheit in der Informationstechnik" (BSI), engl. Federal Bureau for Security in Information Technology, is not a governmental, but a state institution. It is not strictly driven by the government. And it is controlled by the parliament. Even though it works in the domain of the ministry of the interior. So no minister was involved in the "do not use IE" speech.
BTW: IE has not the biggest market share in Germany.
Re: (Score:2, Insightful)
It's probably safer anyway to use different browsers for intranet and internet.
Re: (Score:2)
Re: (Score:2)
"to not go to dodgy fracking porn and wares sites"
Dodgy sites amuse me, and I expect the OS I run to survive exposure to the most vile corners of the Internet intact and undamaged.
It does, but I don't go there running Windows. I'm completely jaded yet without malware. Life is good.