UK Gov't Says "No Evidence" IE Is Less Secure
aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"
Re:Probably true, even. (Score:3, Interesting)
I notice Slashdot is quietly ignoring the IRC exploit currently in the wild for Firefox.
Re:Probably true, even. (Score:3, Interesting)
I'm very happy that the majority of users use IE. This makes it still the most attractive target for hackers. In turn that means that they have less time to work on exploits for the browser I'm using. "Security through obscurity" works in this case (though of course the phrase comes originally from open source vs. closed source).
Re:Probably true, even. (Score:4, Interesting)
That most attacks come through plugins is exactly why Firefox is better than IE [mozilla.com]
Re:Probably true, even. (Score:3, Interesting)
Re:Probably true, even. (Score:4, Interesting)
This is the same UK government which thought that Windows for Subs was a good idea, right?
http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/ [theregister.co.uk]
Royal Navy warships lose email in virus infection
Windows for Warships(TM) combat kit unaffected, says MoD
By Lewis Page
Posted in Malware, 15th January 2009 16:53 GMT
The Ministry of Defence confirmed today that it has suffered virus infections which have shut down "a small number" of MoD systems, most notably including admin networks aboard Royal Navy warships.
The Navy computers infected are the NavyStar (N*) system, based on a server cabinet and cable-networked PCs on each warship and used for purposes such as storekeeping, email and similar support functions. N* ship nets connect to wider networks by shore connection when vessels are in harbour and using satcomms when at sea.
Re:Probably true, even. (Score:2, Interesting)
That's very likely true, as the stupidity of the user remains the weakest factor in security.
While that may be true, that is the right answer to a different question.
The original Question was:
To ask Her Majesty’s Government what discussions they have had with the governments of France and Germany about security risks of using Internet Explorer; and whether they will encourage public sector users to use another web browser. [HL1420]
The problem Google and others had was that they were not using "the latest and fully patched version of IE", but instead an outdated but fully supported version from Microsoft, full of security holes. Even the UK government probably isn't using the "latest and fully patched version of IE" [guardian.co.uk]
Also, Microsoft has a 6-month check cycle for patches, which simply doesn't correspond to today's security landscape where both criminal organisations and state governments have people on payroll searching for vulnerabilities to turn into money or something more valuable, as soon as they are found.
Re:Probably true, even. (Score:3, Interesting)
"So why it that using a browser should be any different?"
Because, morally speaking, if your computer is made into part of a botnet that eventually steals billions of dollars, incidentally wiping out the savings of Ma and Pa Kettle - you are responsible.
Secure your system. The law may not come after you to get Ma and Pa Kettle's money back, but you're still a snake for helping to rip them off.
Re:in case any other Americans are confused (Score:2, Interesting)
Other countries don't play poker, apparently -- but even in that game winning is accomplished by putting cards on the table and demonstrating which cards one has.
I think American English use is misguided.
But then, I'm biased, I think the entire English language is braindamaged.
Re:This is evidence for something else... (Score:2, Interesting)
That would be an actual good use for augmented reality.
Extremists could even overlay content that made their opposites actually look like monsters.
Good times a' comin'.
Re:Probably true, even. (Score:1, Interesting)
The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.
True. On the other hand, if the plugin exploit is not itself powerful enough to do real harm, but is powerful enough to then employ local browser security issues, IE is once again inferior. It is, after all, "An Integral Part of the Windows Operating System", per Microsoft's assertions at the anti-trust trials.
Firefox leaks (Score:3, Interesting)
Re:Probably true, even. (Score:2, Interesting)
Yeah well. If you're logged in as an admin user to your computer, while surfing the web, then it's your (!!!) own fault if your computer gets infected.
Do not blame the creator of the OS.
Inconvenience?? What inconvenience?? The only time you need to be admin, is when you install software and/or make changes to your OS. At all other times, admin privileges are not required.
Yes - I know. Some software out there still requires admin privileges to run. These should be banned and burned.
I could believe that (Score:3, Interesting)
"there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure."
So if you have Windows 7 with all patches and MSIE 8 with all patches
INCLUDING NONPUBLIC MICROSOFT INTERNAL PATCHES (to fix bugs not patched for yet)
then yes you could be just as safe as if you had another browser.
But what are the chances that somebody will be able to get all the patches without getting tagged?
Re:Probably true, even. (Score:3, Interesting)
>How do you educate people on computer security when they don't want to learn?
It's a good question. What I have done with my parents is to give them a Mac. There the "updates" show up every now and then and I've trained them to click on the "download and install" button, promising them that it doesn't break anything. All (Apple) applications update through a single interface, simplifying matters greatly.
The alternative may be to require an "internet drivers license" (which they had in the Netherlands for a while, voluntarily), but that would restrict access and speech and thus be too obtrusive.
Option three is to accept things _as is_ for home users, but provide mandatory instruction courses at work. For everyone. One of my pet peeves is employee carelessness with data, they never back up until it is too late. IMO this is to be considered as data loss due to carelessness and this could be considered as a reason for firing employees.
I'm also thinking the iPad may actually provide a solution: a closed platform on which only _allowed_ applications can be run. As a user this sucks, but from an IT perspective I can understand it.
Re:Probably true, even. (Score:3, Interesting)
The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.
Speaking of the PDF weaknesses, are those inherent to the spec, or are they vulnerabilities that only show up in Adobe's implementation?
Re:*No* evidence? (Score:2, Interesting)
Re:Probably true, even. (Score:3, Interesting)
On another note, there should be plenty of evidence of flaws and exploits which were in IE but not in Firefox, Opera, or even Safari. Things where IE has intimate knowledge with stuff like ActiveX, COM, their JavaScript engine, and all the other tentacles going from IE into the Windows OS.
Therefore the comment that there is "no evidence" sounds too much like it came from Microsoft because it is really a question asking for technical proof and you are not going to get that in a parliamentary discussion. And notice he didn't say he's asking for proof, he stated there is "no evidence" so he seems to think he's some kind of expert in this area.
Proof of even one flaw due directly to unique ties between IE and the Windows OS is proof that it is less secure because the others do not have those ties. Counting security updates is invalidated by the facts that Microsoft withholds flaws and public information on flaws. So either Microsoft must open source IE to prove the flaw count issue or it must be declared less secure. IMO
LoB
Re:Probably true, even. (Score:3, Interesting)
You know... one reason for this has to be the acquisition procedures.
My company pays about $2,000 for desktops and laptops that I can buy at Fry's for $490 to $700.
As a result, it can take 90 to 120 days to get a laptop which we could buy directly the same day. I have two projects waiting on hardware as a result.
Re:Probably true, even. (Score:3, Interesting)
As the others have said, it's probably one or more of your plugins.
I had a severe performance problem after adding one plugin that cleared up as soon as I disabled it.
After running Firefox for days, with 10 open tabs at this moment, the memory footprint is now: 166,500 K. (Win7)
My plugins are:
Adblock
Noscript
WOT
BetterPrivacy
Cooliris
DownloadHelper
Skipscreen
TheCamelizer
Re:So security through wishful thinking is better? (Score:3, Interesting)
" The theoretical possibility that you can examine the source code is just security theatre unless you actually spend the time and resources to do it."
Except that both theory and history disproved that. Read about Bentham's panopticon.
Easy answer.. (Score:1, Interesting)
The answer is on the Microsoft pages themselves. I'm just singling out one simple example [microsoft.com] (check where he worked before he joined MS) but it would be unfair on the guy to claim he's the only one: MS employs people from the sectors they want to sell into.
If you have influence in a sector and are planning to leave, MS will pay for your network. It's not unusual - happens everywhere - but I must admit it has worked spectacularly well with New Labour.
It's a sort of reverse McKinsey where leavers get an exit bonus so they'll ring their pals if they need any consulting done.