UK Gov't Says "No Evidence" IE Is Less Secure
aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"
in case any other Americans are confused (Score:5, Informative)
In UK governmental English, "to table" apparently means something like "to propose" or "to bring up for consideration", almost exactly the opposite of the U.S. meaning, which is "to withdraw from further consideration".
I guess there's some international disagreement over whether this mythical table is where you put things to be considered, or where you put things to die. Perhaps to Britons, putting things on a table is officially proposing them, whereas to Americans, if it's on the table it's inert, and if you want it proposed, you had better have it in your hand waving it in someone's face.
Re:Probably true, even. (Score:2, Informative)
There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one [theregister.co.uk].
Re:Bullshit (Score:1, Informative)
It's true for every single browser that runs an Adobe or Java plugin. Failing that, there is no shortage of Firefox exploits in the wild [theregister.co.uk]. It's a myth that Firefox can't get malware through regular browsing.
Re:Probably true, even. (Score:3, Informative)
There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one [theregister.co.uk].
This is not an exploit in Firefox. This is a vulnerability in some IRC servers. The Freenode people agree [freenode.net]. They are moving to a new IRCd.
Re:in case any other Americans are confused (Score:3, Informative)
Perhaps to Britons, putting things on a table is officially proposing them
Well I don't know for sure, but I'd always assumed that it was from "to bring something to the table", which is a fairly common expression here in the UK. (Think meeting room table, and bringing something with you for consideration (or perhaps even a dining table))
IE (on Windows) is safer than Firefox (Score:3, Informative)
A fully patched IE8 running on either Vista or Windows 7 is far safer than Firefox. Why?
- Low privileged mode. IE8 runs with lower rights than the logged-in user, Firefox doesn't...
- DEP is turned on for IE8 by default. Firefox has to be added (or the "all applications" option).
- IE8 patches can be deployed from the Domain very easily. Firefox on a corporate network is a pain in the butt...
Now I entirely grant that this is Microsoft's browser running on Microsoft's OS and thus it gains unfair advantages but that doesn't change the facts or reality of the situation.
Re:in case any other Americans are confused (Score:5, Informative)
Yes, indeed you are correct.
UK: To place an item on the agenda for discussion.
US: To remove the item from consideration.
In the UK we shelve discussion items when they are removed from consideration.
Re:Probably true, even. (Score:2, Informative)
You can't tell me that starting up an IRC session without the user's knowledge is something that should be expected.
That's not what is happening. Firefox is just running a POST request to an IRC server. The IRC server happily ignores all the HTTP protocol headers and interprets the data in the POST request as IRC protocol data. So the only thing Firefox is doing "wrong" is allowing a POST request to a non-standard port.
No, WRONG (Score:3, Informative)
2. Look at the record of UK Government IT projects.
3. It is not IE that makes Windoze insecure, it is the OS and the design philosophy
-- COM is a security disaster
-- executing any vaguely executable rubbish based on its extension is a disaster
4. Backward compatibility, and a zillion features that assume an essentially insecure and trusted world are a disaster. M$ has no way out.
Re:There IS no evidence! (Score:2, Informative)
Please forgive me if I'm wrong, but I was under the impression Microsoft had known about this latest flaw for several months, but had deemed it not important enough to fix, so there IS evidence that they do not immediately fix all known security holes.
Re:IE (on Windows) is safer than Firefox (Score:3, Informative)
There are currently 23 unpatched advisories for IE 6.x http://secunia.com/advisories/product/11/
There are currently 10 unpatched advisories for IE 7.x http://secunia.com/advisories/product/11/
There are currently 3 unpatched advisories for IE 8.x http://secunia.com/advisories/product/11/
Advisories often contain multiple vulnerabilities. Doing a little quick math, that comes out to around 59 vulnerabilities (not an exact number, just a ballpark estimate) for those 3 versions of IE
This is compared to 0 unpatched advisories for the 3.x line (19 months old, now) and 3 unpatched advisories for the 2.x line. http://secunia.com/advisories/vendor/18/
Mozilla also generally gets their patches out faster than Microsoft.
Is not talking about home user (Score:5, Informative)
The quote bears no reflection of any opinion on the security or quality of IE in general. The "user" being referred to in the quote is UK government staff, using UK government IT, and his response is wholly within that context. As is very often the case on Slashdot (and, to be fair, much of the media), the summary shifts the context slightly and then omits significant information and thus infers something other than what was communicated at the time.
Immediately after the quoted text, unmissable except by the most... Let's give the benefit of the doubt and say hurried of submitters and editors, is the following: (my emphasis added for the most hurried of Slashdot readers)
Re:Bullshit (Score:3, Informative)
5 seconds of searching returns what looks like 3 separate examples of unpatched bugs being exploited in the last year just on the first page.
They're not using the correct research data (Score:4, Informative)
only need to google it for chrissakes:
IE ~ 1200: http://www.google.com/#hl=en&q="internet+explorer"+site%3Awww.us-cert.gov [google.com]
Firefox ~ 800: http://www.google.com/#hl=en&q="firefox"+site%3Awww.us-cert.gov [google.com]
Re:Probably true, even. (Score:3, Informative)
But it's part of the HTTP spec that you should be able to POST form data to any port.
Re:Probably true, even. (Score:5, Informative)
Bullshit. Being able to choose what port a request is directed to is covered by specifications, expected to work and built on in several real-world situations. Most commonly, configuration interfaces: If you're using some kind of shared hosting, chances are they might be running Plesk (defaults to alt-https, i.e. 8443) or ispCP (defaults to https on 81) or a similar project. Use webmin? The httpd that runs the config interface requires permissions you wouldn't want the http that serves your normal pages to have. Going on, ever used CoralCDN? That's .nyud.net:8080 (alt-http) or 8070 for you. Maybe you'd like to configure an irc daemon or bouncer? Another non-standard port there. Most application servers don't run on port 80, either. The load balancer will, but you might want to get around it for testing purposes or some such.
What I'm saying: It's all expected behaviour. Throw in a PING Math.rand() from the server before actually throwing out those RAW001-4 and the spamming problem is instantly solved. Or, to make things even simpler: If you're an ircd, kill whatever starts its requests with HTTP POST. Chances are, it's not an IRC client.
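The two server-side mitigations named in this post (and the cross-protocol POST described earlier in the thread), modelled as an added Python example that is not from the poster or from any real ircd: refuse a connection whose first line is an HTTP request line, and send a random PING challenge that must be answered before the 001-004 welcome numerics are issued. The sample inputs are constructed, and the token is passed in explicitly so the run is reproducible.

```python
import re
import secrets

# An HTTP request line is METHOD SP request-target SP HTTP/x.y (RFC 7230 3.1.1).
# No IRC client opens a connection with one; a browser-delivered POST always does.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")

def looks_like_http(first_line: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(first_line.rstrip(b"\r\n")) is not None

def handle_connection(lines, token=None, drop_http=True):
    """Simulate an ircd's pre-registration handling of the lines read from one
    connection. Returns (outcome, sent), where sent is what the server wrote back.
    The server sends a random PING before honouring registration and only emits the
    001-004 welcome numerics once NICK, USER and a matching PONG have all arrived.
    Bytes a browser delivered in a POST body cannot answer the PING, so they never
    register and their JOIN/PRIVMSG lines are refused with ERR_NOTREGISTERED."""
    token = (token or secrets.token_hex(8)).encode()
    sent, nick, user, ponged, welcomed = [], None, None, False, False
    for idx, raw in enumerate(lines):
        line = raw.rstrip(b"\r\n")
        if idx == 0:
            if drop_http and looks_like_http(line):  # cheapest defence: refuse HTTP outright
                return "rejected-http", [b"ERROR :Closing link (HTTP request on IRC port)"]
            sent.append(b"PING :" + token)            # challenge before any registration
        parts = line.split(b" ")
        cmd = parts[0].upper()
        if cmd == b"NICK" and len(parts) > 1:
            nick = parts[1]
        elif cmd == b"USER" and len(parts) > 1:
            user = parts[1]
        elif cmd == b"PONG" and parts[-1].lstrip(b":") == token:
            ponged = True
        elif cmd in (b"JOIN", b"PRIVMSG") and not welcomed:
            sent.append(b"451 * :You have not registered")   # ERR_NOTREGISTERED
        if nick and user and ponged and not welcomed:
            welcomed = True  # welcome numerics 001-004, text abbreviated
            sent += [n + b" " + nick + b" :(welcome numeric)" for n in (b"001", b"002", b"003", b"004")]
    return ("registered" if welcomed else "unregistered"), sent

# Constructed sample inputs (not real captures): what an ircd would read from a
# browser-issued POST to its port, and from a genuine IRC client.
POST_PAYLOAD = [b"POST / HTTP/1.1", b"Host: irc.example.invalid:6667",
                b"Content-Type: text/plain", b"", b"NICK spambot",
                b"USER spambot 0 * :x", b"JOIN #chan", b"PRIVMSG #chan :spam"]
REAL_CLIENT = [b"NICK alice", b"USER alice 0 * :Alice", b"PONG :t0k", b"JOIN #chan"]
```

Running `handle_connection(POST_PAYLOAD, token="t0k", drop_http=False)` shows that even without the HTTP check the PING gate alone leaves the POST body unregistered, so its JOIN and PRIVMSG are refused.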
Re:Probably true, even. (Score:5, Informative)
The MoD have sent me a letter three times stating they have lost personal data about me. One was a CD, another a pen drive, and a laptop was stolen from the premises.
Data that went missing was my name, address, passport number, national insurance number, photograph, medical history and criminal record. Obviously nothing important.
This data was unencrypted.
No evidence, huh? (Score:1, Informative)
This is what happens when you go to monkeys for advice instead of IT security professionals.
The UK government needs to stop consulting with people who claim to know what the hell they are advising on and actually go to professionals for advice.
You want evidence, even though the UK taxpayers have paid you to do the research, which you haven't and probably didn't for an inordinate fee, which you took for your "Opinion," which isn't worth squat, Lord Avebury. You absolute joke.
Here, for free, is evidence, and I think it's high time Lord Avebury looked for a new job.
Microsoft Internet Explorer :
http://secunia.com/advisories/product/21625/?task=statistics
Unpatched 38% (3 of 8 Secunia advisories)
Mozilla Firefox 3.6 :
http://secunia.com/advisories/product/28698/
Unpatched 0% (0 of 0 Secunia advisories)
Google Chrome 4.x :
http://secunia.com/advisories/product/28713/
Unpatched 100% (1 of 1 Secunia advisories)
Opera 10.x :
http://secunia.com/advisories/product/26745/
Unpatched 0% (0 of 3 Secunia advisories)
Once again, we are faced with a situation where someone who is not a professional is asked for their "Opinion" in a serious policy-making decision.
It is like the blind leading the blind and it MUST stop now.
Re:Probably true, even. (Score:3, Informative)
The bit of government I work for (a non-departmental public body) still has Windows 2000 and IE6 on most desktops. Unfortunately, the budget for this organisation has remained static for over a decade -- if the next government is serious about increasing science spending (rather than just talking about it) then maybe the budget will be increased! But I doubt it.
Re:Bullshit (Score:1, Informative)
Firefox 3.5x - 48 vulnerabilities
IE 8 - 30 vulnerabilities
http://secunia.com/advisories/product/21625/?task=advisories [secunia.com]
http://secunia.com/advisories/product/25800/?task=statistics [secunia.com]
Re:in case any other Americans are confused (Score:3, Informative)
'To table' has a colloquial meaning that might change from place to place. However, in both the US and UK, when you are operating under Robert's Rules or a variant of it, an item (e.g. a motion) is 'on the floor' when it's being discussed. Passing a motion 'to table' it is to figuratively take it from the floor (where people on the floor are discussing it) and place it on the table (so we don't forget it). A motion to take it from the table is a motion to bring it back to the floor for discussion. Sometimes the 'table' is literal and bits of paper are used to record the motion that is tabled.
The procedural difference between anything else you might do to defer work is that in a motion to table you can't say "let's table this until 3.30pm", you can only table it. To take it from the table requires a new motion to take it from the table.
UK and US parliamentary procedural rules and Robert's rules of order (used in formal meetings everywhere) are all in the same family of rule sets.
It's quite possible that in UK parliamentary rules you could table a motion so that it's up for future discussion, without it ever having been on the floor, but I don't know the specifics of the UK rules. However, in either case, being 'tabled' means it's not being formally considered, it's just on the table waiting to be picked up for future discussion.
Answers you won't listen to (Score:4, Informative)
Answers you won't listen to:
When 20 other people have gone through a door and come back out again, I will assume that it's safe to walk through the door. Likewise though I may not have read all the code in Firefox, if there were any big problems, someone WOULD have seen it: Microsoft do not have half the world's web browser writers,
How many people HAVE the latest version of IE? Now how many NEVER use Flash or Adobe plugins? Because they require you to turn off the security, and then IE8 becomes vulnerable again. Did you know that?
Google would have got dinged. Likewise, please do the same about Firefox. You've narrowed the window so small there's nothing left of the hole.
And how would YOU answer?
IE8 today has many or most of the downsides that IE6 has. Unless you lock it down so much you can't use it.
But FF 3.5 when locked down as much is still usable. Putting it under LIDS makes it much safer. Adding RBAC from NSA makes it yet more secure.
And still usable.
You cannot say the same of IE and Windows.
Check the links again (Score:1, Informative)
Check the links again. FF3.5 vulns are less severe. FF vulns include all known vulnerabilities whereas IE8 is unavailable for perusal.
Re:So security through wishful thinking is better? (Score:5, Informative)
Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them.
Speaking of tired old arguments, you lost all credibility right there. Thankfully, it was in the opening statement of your "rebuttal," so I don't feel too compelled to slog through a more lengthy reply.
Suffice it to say there are a lot of eyes on Firefox, for both the code itself and for evaluating and testing exploits. This process occurs transparently; anyone can (and a crapload of people do) participate. This is absolutely the opposite of Microsoft's model, and no amount of denial or hand-waving on your part is going to change that.
Re:Answers you won't listen to (Score:3, Informative)
How many have the latest version of Firefox? One of the websites I maintain is showing traffic from 66 versions of Firefox over the past 30 days. The oldest version? 0.9.2. Ouch.
I just wanted to add the following, from the site I mentioned above:
Firefox (top 5 of 66)
3.5.7 : 45.29%
3.5.6 : 15.55%
3.0.17 : 14.19%
3.0.16 : 6.97%
3.5.5 : 2.66%
Internet Explorer (top 5 of 6)
8.0 : 46.29%
7.0 : 36.44%
6.0 : 17.25%
5.5 : 0.01%
5.23 : 0.00%
Re:Probably true, even. (Score:2, Informative)
I might actually believe that a fully patched IE8 is on par with other browsers...
Ahm no, not really. Browser Comparison [wikipedia.org]