Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Security

CERT Recommends Mozilla, Firefox 529

EvilStein writes "According to this article, "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera." Quite a statement from CERT - this is related to a fairly recent IIS or IE exploit that has already affected some high traffic web sites, such as the Kelley Blue Book website."
This discussion has been archived. No new comments can be posted.

CERT Recommends Mozilla, Firefox

Comments Filter:
  • by LostCluster ( 625375 ) * on Sunday June 27, 2004 @11:17AM (#9543373)
    CERT's recommendation usually is to download the patch. However, since this hole has an exploit in the wild, and there isn't a patch to be found... use something else is the only recommendation left to issue.
    • by Anonymous Coward on Sunday June 27, 2004 @11:26AM (#9543480)
      You'd think that, but most mainstream news reports that I've seen (such as CNN's) make no mention at all of alternative browsers, recommending that the best solution is to update antivirus software and up the security settings on IE.
      • by Anonymous Coward on Sunday June 27, 2004 @11:37AM (#9543590)
        BBC mentions other browsers.
      • by papercut2a ( 759330 ) on Sunday June 27, 2004 @12:01PM (#9543819) Journal
        A local newscast in Atlanta last night mentioned switching to Mozilla or Opera to avoid the problem (although it was clear from her expression and slightly stumbling speech that the bleachblondenewsbimbo doing the reporting had no clue what either of them was--she probably thought Mozilla was a type of cheese).
      • by f.money ( 134147 ) on Sunday June 27, 2004 @12:36PM (#9544112)
        You'd think that, but most mainstream news reports that I've seen (such as CNN's) make no mention at all of alternative browsers, recommending that the best solution is to update antivirus software and up the security settings on IE.

        Too bad that won't work. The cross zone attacks work regardless of your security settings in IE. And AV products don't pick up the attacks (as far as I'm aware). This is a fundamental flaw in IE that _needs_ to be fixed, but isn't (it's over 10 months old).

        jon
        • by Anonymous Coward on Sunday June 27, 2004 @08:55PM (#9547312)
          It have only been majorly exploted for 10 months. The fault goes back to 1995. We are lucky that our current population of Hackers did not use it well before now. We are verry lucky that we don't have a good population of Hackers most are script kiddys that don't know how to find these back doors and pick on them.

          The big question is how many times it has been used to get information out of companys.

          Basicly it effects win 95+ I still have to test ie6sp1 to see of a javascript can still buffer overflow and crash the machine like to use to. But that one worked also from 1995 and was reported in 1995 1996 1998 by me same sample code and no fix even in 6 just have not tested 6sp1 for it. Basicly I have been wasting my breath telling them they do nothing.

          There is a short form of the responce you are not ment to code a webpage like that.

          My code did not follow coding rules correct yes but a cracker does not have to flow rules it just has to work. The funny part is that the code works flawlessly with Netscape and Mozilla and Netscape created Javascript(ie the standard).

          Now I get into trouble because I hate Microsoft and people cannot understand why ie you must be a zelot or something. No I am not a Zelot I just hate people not fixing problems I report.

          Also I wish people would stop reporting directly to microsoft but start reporting in the press. It seams to be the only way to get them off there tail.

          Please note a lot of problems inside IE extend back to them not flowing standard or breaking them for a pratical reason.(them controling the market).

          The most effect way to explot this back door is to send a email containing a automatic direct link to the web site and install the spyware. Nice little ie flaw merged with a nice little outlook express flaw creating Access to a machine to extract data.

          The Cracker uses of this have been heavyly over looked for far to long. If you are using outlook or IE change now.
      • CBS News, ABC News, and MSNBC all recommend (last paragraph, though, but don't mention the Microsoft fix) Mozilla or Opera. Yes, MSNBC recommends Moz and Opera, and doesn't mention a way to keep using IE, even though the MS in MSNBC stands for Microsoft.
      • by Prof. Pi ( 199260 ) on Sunday June 27, 2004 @04:34PM (#9545812)

        Write to their feedback page, letters to the editor, or ombudsman. Tell them: 1) their failure to mention that this only affects Windows users running IE needlessly worries people using other OSes and browsers, and 2) their failure to mention alternative browsers means they missed an opportunity to assist the general public on an important matter.

        I did. I also did this a couple of years ago when some Windows virus came out (can't remember which one -- there are so many) and CNN failed to mention it was a Windows-only problem. The next time a major virus came out (I think it was a few weeks), I noticed that CNN actually mentioned that non-Windows users were not at risk.

        Obviously, we need to keep reminding them.

        Oh, and if you do, be polite!!!

        (And if you already did, then good for you! And my apologies for implying you didn't.)

      • by Spacejock ( 727523 ) on Sunday June 27, 2004 @08:21PM (#9547110)
        Gates fussy over security in Sydney [theage.com.au]

        Couple of choice quotes:

        "The Microsoft co-founder and one of the world's richest men is in Sydney today for a press appearance so tightly scripted and controlled it could have been orchestrated by US President George W. Bush's media office."

        "At least the assembled do not have to submit their retinas or fingerprints for scanning - possibly because Microsoft can't come to grips with good security."

        "Those running the market-leading open source Apache web server, who use desktop operating systems such as Mac OS X or GNU/Linux, or Windows web browsers other than Explorer (such as Opera or Mozilla) were inoculated from the virus."

        There's quite a bit more, all fun reading.
    • How many people do you think actually look to CERT before choosing what web browser to use? And among that group of people, how many are already using an alternative browser?
  • by suso ( 153703 ) on Sunday June 27, 2004 @11:18AM (#9543383) Journal

    Mac, Linux and other non-Windows operating systems are immune from this attack.

    At least he said "this attack" instead of "attacks".

    • by __aajqwr7439 ( 239321 ) on Sunday June 27, 2004 @11:29AM (#9543521)
      At least he said "this attack" instead of "attacks".

      Hoorah! Lord knows Code Red, Nimda, Blaster, Sasser and the like were nightmares for us Mac and Linux people.

      Really, tho: to what recent widespread non-Windows "attacks" are you referring?

      xox,
      Dead Nancy
      • by nwbvt ( 768631 ) on Sunday June 27, 2004 @11:36AM (#9543583)
        I think what the gp was saying was that Linux and Macs are not immune to being attacked in similar ways. They may be generally safer and immune to most attempts so far, but that is different from being immune.
      • by secondsun ( 195377 ) <secondsun@gmail.com> on Sunday June 27, 2004 @12:11PM (#9543900) Journal
        The Lion worm gave my University's Linux server's hell a couple of years back. They were al running unpached RedHat 7.3 and it wasn't pretty.
    • by twitter ( 104583 ) on Sunday June 27, 2004 @12:11PM (#9543898) Homepage Journal
      At least he said "this attack" instead of "attacks".

      Credit is being given where credit belongs. The softies can try to spin this, but they will fail as there is little hope for them to fix their platform's underlying design flaws. Microsoft remains a security dissaster.

      While no one will tell you that free software is immune to attack, they can tell you that free software users are not monthly victims attacks that take advantage of moronic software design. Can anyone point to a single free software worm that auto propagated?

      The variety of free software and it's quality makes such stuff very difficult to design. Imagine that you did find an exploit for a popular linux desktop that could propagate itself. Right away, you are limited to less than half of the linux population. I use KDE, others use Gnome, Window Maker, OLVWM and so on to console emacs. Typically, news of the exploit is trumpted with bug fixes and patches. Problem solved, usually without loss of data.

      The widespread, spam sending, net threatening DoS attacks that we have seen on the Microsoft monoculture won't happen with free software.

  • A list of sites (Score:5, Interesting)

    by OYAHHH ( 322809 ) on Sunday June 27, 2004 @11:19AM (#9543386)
    Anybody have a list of which sites were affected by this IE/IIS problem. Seems as though it's been kept under wraps pretty well so far.

    San Jose Mercury news indicates Yahoo!, Earthlink, and EBay. True, not true?

    Now KBB?

    Thanks.
    • Re:A list of sites (Score:5, Informative)

      by LostCluster ( 625375 ) * on Sunday June 27, 2004 @11:26AM (#9543487)
      Netcraft reports that Yahoo runs FreeBSD and Earthlink runs Solaris so both of them can't possiby be spreading the worm. eBay runs IIS, but I doubt they've been hit or it'd be more widely reported.
      • Re:A list of sites (Score:5, Informative)

        by One Louder ( 595430 ) on Sunday June 27, 2004 @11:30AM (#9543534)
        According to some people, the exploit can be passed through complex banner ads hosted by servers using IIS - if that's true, then any site including such ads in their pages, including those not using IIS themselves, could still be vectors.
        • Re:A list of sites (Score:5, Interesting)

          by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday June 27, 2004 @11:36AM (#9543582)
          Go to a computer that has had a lot of browsing activity last week, and dig through their cache:
          grep -i -R javascript *.jpg
          grep -i -R javascript *.gif

          When the server is infected it puts javascript content in any document retrieved, even images. I have done this on our work and home computers and have found no matches, but if someone can do this on a high-volume public browsing computer then I'm sure we can dig up the infected sites.
          • by R-66Y ( 150658 ) on Sunday June 27, 2004 @12:13PM (#9543916) Homepage
            We have a problem: grep doesn't exist on any computer that has a lot of browsing activity.

            (Please go easy on me, it's a joke.)

            Later,
            Patrick
            • Re:A list of sites (Score:4, Informative)

              by Devi0s ( 759123 ) on Sunday June 27, 2004 @06:27PM (#9546475) Journal
              findstr is the windows version of grep.

              Searches for strings in files.

              FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/P] [/F:file]
              [/C:string] [/G:file] [/D:dir list] [/A:color attributes] [/OFF[LINE]]
              strings [[drive:][path]filename[ ...]] /B Matches pattern if at the beginning of a line. /E Matches pattern if at the end of a line. /L Uses search strings literally. /R Uses search strings as regular expressions. /S Searches for matching files in the current directory and all
              subdirectories. /I Specifies that the search is not to be case-sensitive. /X Prints lines that match exactly. /V Prints only lines that do not contain a match. /N Prints the line number before each line that matches. /M Prints only the filename if a file contains a match. /O Prints character offset before each matching line. /P Skip files with non-printable characters. /OFF[LINE] Do not skip files with offline attribute set. /A:attr Specifies color attribute with two hex digits. See "color /?" /F:file Reads file list from the specified file(/ stands for console). /C:string Uses specified string as a literal search string. /G:file Gets search strings from the specified file(/ stands for console). /D:dir Search a semicolon delimited list of directories
              strings Text to be searched for.
              [drive:][path]filename
              Specifies a file or files to search.

              Use spaces to separate multiple search strings unless the argument is prefixed
              with /C. For example, 'FINDSTR "hello there" x.y' searches for "hello" or
              "there" in file x.y. 'FINDSTR /C:"hello there" x.y' searches for
              "hello there" in file x.y.

              Regular expression quick reference:
              . Wildcard: any character
              * Repeat: zero or more occurances of previous character or class
              ^ Line position: beginning of line
              $ Line position: end of line
              [class] Character class: any one character in set
              [^class] Inverse class: any one character not in set
              [x-y] Range: any characters within the specified range
              \x Escape: literal use of metacharacter x
              \ Word position: end of word

              For full information on FINDSTR regular expressions refer to the online Command
              Reference.
    • Re:A list of sites (Score:5, Informative)

      by lylonius ( 20917 ) on Sunday June 27, 2004 @11:36AM (#9543584)
      That is hard to say. Some Ad networks that were hit by this IIS problem had cascading problems throughout their distribution networks.

      One site that I host (FreeBSD/Apache) has many banner ads and popups. The logic of the site layout though, loads the ads first, then the site, so we appeared to be down.

      Also, the javascript used to spawn the popups were hosted externally also. Our XP users also went into an infinite loop of popups...
    • Re:A list of sites (Score:5, Informative)

      by httptech ( 5553 ) on Sunday June 27, 2004 @11:37AM (#9543595) Homepage
      Yahoo, Earthlink and Ebay are not spreading the trojan; they are just the targets for the phishing the trojan performs. Sites like Kelly Blue Book and BuyMicro were actually spreading the trojan through compromised IIS servers.

      My writeup of the trojan and the incident is here:

      http://www.lurhq.com/berbew.html [lurhq.com]

  • i agree with CERT (Score:5, Insightful)

    by theguywhosaid ( 751709 ) on Sunday June 27, 2004 @11:19AM (#9543388) Homepage
    but joe user wont read this or know about it. too bad eh?
    the only way is to hijack people's computer, install a real broswer, and put the IE icon on it.

    • Re:i agree with CERT (Score:5, Informative)

      by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Sunday June 27, 2004 @11:21AM (#9543411) Homepage
      This from the Washington Post - which some joe users (at least those based in washington presumably) will be reading.
    • by ev1lcanuck ( 718766 ) on Sunday June 27, 2004 @12:00PM (#9543817)
      Is there an IE theme available for Mozilla or better yet Firefox? This would make it a lot easier for people like my grandmother who had to re-learn what all the buttons did when i sent her to Firefox. Also, the default 0.8 buttons are too small for her to see clearly. The new 0.9 buttons are great but 0.9 has a lot of problems right now.

      Anyways, my point still stands - someone should make an IE theme for Firefox if one doesn't currently exist.

      • by XryanX ( 775412 )
        There is one here. [mozdev.org]
      • by acariquara ( 753971 ) on Sunday June 27, 2004 @12:32PM (#9544075) Journal
        1. Get Firesomething extension for Firefox 0.9
        2. In the dialog box, remove "Mozilla" vendor and add "Microsoft". Remove all prefixes also and add "Internet". Remove all names and add "_Explorer" (substitute the underline for a leading space). Enable the "single name mode". Apply.
        3. While you are at it, get the Luna Blue 0.4 theme from http://www.intraplanar.net/projects/lunablue/
        4. Adjust the icons so they look really like explorer. The order should be back, forward, STOP, RELOAD, home, separator, favourites, history, separator, mail, print
        5. Rename the shortcut to "Internet Explorer" and change the icon to the blue "e" (do this on the Desktop and Quick Launch bar as well)
        6. Never again worry about worms.
  • For your benefit (Score:5, Interesting)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday June 27, 2004 @11:20AM (#9543400)
    Here's the beta version of my freeware program popURL [pc-tools.net] (for Windows, sorry!). You can copy a URL to the clipboard (Copy Link Location) then click the tray icon, and popURL will pop up an info box on the URL telling you the software running on the remote server (IIS, Apache, whatever); the MIME type of the document, and its size if available. Potentially useful for safe, IIS-free browsing :) On UNIX you can get the same info using wget -S though somewhat less convenient.
  • Yeah, (Score:3, Insightful)

    by lord_paladine ( 568885 ) <wdnm91q02@sneakemail.com> on Sunday June 27, 2004 @11:20AM (#9543404)

    But this is Slashdot, aren't they really just preaching to the choir on this one?
  • by Homology ( 639438 ) on Sunday June 27, 2004 @11:21AM (#9543417)
    that some security flaws are Windows only. In a local newpapers there was a small article about the latest security exploit that could install a trojan on your machine, and thus possibly empty your bank account. For once, it was said this only was an issue for users using Microsoft Windows in combination with Internet Explorer. Usually, when a Microsoft Windows virus/trojan/worm is reported, no reference is made to Windows as such.
    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Sunday June 27, 2004 @11:45AM (#9543675)
      Comment removed based on user account deletion
    • Yep, they sure do. (Score:4, Interesting)

      by twitter ( 104583 ) on Sunday June 27, 2004 @12:26PM (#9544035) Homepage Journal
      It may take two years for the word to get out, but it does [slashdot.org], sooner or later. Billions of dollars in propaganda spending, non-competitive agreements and other nonsense can only slow the market down. It won't stop people from realizing a better value. CERT, for it's part, is recommending the only solution available in the face of continued Microsoft security failures.

      The quote is so rich, I think I'll include it.

      CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions.

      Good bye, anti-competitive little nasty. IE was M$'s attempt to push it's desktop monopoly into the web. I'm going to be so happy when I quit running into pages that ignorantly tell me they are best viewed in IE. With it will go a whole host of proprietary crap.

  • Operating system (Score:5, Insightful)

    by Alsee ( 515537 ) on Sunday June 27, 2004 @11:21AM (#9543418) Homepage
    Well, considering that Internet Explorer is an "integral part of the operating system" they are only a hair shy of telling people to switch to an operating system that isn't vulnerable to so many damn critical remote vulnerabilities.

    -
    • Re:Operating system (Score:3, Interesting)

      by vsprintf ( 579676 )

      Well, considering that Internet Explorer is an "integral part of the operating system" they are only a hair shy of telling people to switch to an operating system that isn't vulnerable to so many damn critical remote vulnerabilities.

      The advisory did mention that just changing browsers doesn't mean you're safe. It pointed out that IE may still be opened under certain circumstances or by other applications. So, yeah, it does seem like they're edging closer to saying it in plain English.

  • I'm vindicated... (Score:5, Interesting)

    by danielrm26 ( 567852 ) * on Sunday June 27, 2004 @11:22AM (#9543426) Homepage
    My piece, written for the non-techie masses, on why they should consider other browsers:
    http://channels.lockergnome.com/news/ar chives/2004 0615_why_you_should_dump_internet_explorer.phtml

    I am glad to see CERT step up and make a decision like this despite the fact that they are guaranteed to be flogged for it.
  • by Sikmaz ( 686372 ) on Sunday June 27, 2004 @11:22AM (#9543427)
    I love Firefox but I have to use IE for a few sites, maybe this will force these last few sites to step up and get their sites working with other browsers.

    Nothing annoy's me more than to get a message that my browser is not supported when I visit a page!
    • by jesser ( 77961 ) on Sunday June 27, 2004 @12:50PM (#9544245) Homepage Journal
      An exploit has been discovered that can cause you to open a web site in Internet Explorer, which can then lead to a system compromise. Disabling JavaScript in Firefox does not make you immune. The full text of the exploit follows.
      <b>Sorry, this site requires Microsoft Internet Explorer.</b>
      The workaround is to e-mail the site admin, telling them that they are promoting the insecure practice of using Internet Explorer for sites that claim to require it. Unfortunately, some sites require Internet Explorer even to contact the site admin, leading to a catch-22.
  • by LostCluster ( 625375 ) * on Sunday June 27, 2004 @11:23AM (#9543434)
    What seems to be novel about this attack is that it uses holes in both IIS and IE. When an IIS server is attacked, the payload is to compromise the site such that malicious code is inserted into every page with no outward sign that anything's wrong. That code in turn exploits a hole in IE to get onto a user's PC, which in turn goes looking for more IIS sites to compromise.

    This worm depends on there being flaws in both programs. It wouldn't be nearly as powerful if those two flaws couldn't be used in concert.
  • by gmuslera ( 3436 ) on Sunday June 27, 2004 @11:23AM (#9543435) Homepage Journal
    ... they should add to the list of Microsoft software users to consider safer alternatives the users of Outlook, IIS, MSSQL, Windows 9x/Me and Windows NT/2000/XP. All of them are good examples of ticking timebombs.
  • Just Like.... (Score:5, Insightful)

    by SomeOtherGuy ( 179082 ) on Sunday June 27, 2004 @11:23AM (#9543446) Journal
    I think this is just like the straw that broke IIS's back on the server side. Big holes, no solutions...The big boys say your only solution is to use a safe product - all of a sudden Apache is golden. And this is not like your neighbor geek saying "hey, check out this browser" -- next we just need gartner to say -- do not use IE....and then that will be all she wrote. RIP IE. With all of your popups, tabless browsing and thousand of security holes, good riddence. Rot in hell.
    • Re:Just Like.... (Score:5, Insightful)

      by Zocalo ( 252965 ) on Sunday June 27, 2004 @11:39AM (#9543608) Homepage
      I think this is just like the straw that broke IIS's back on the server side. Big holes, no solutions...

      In the interests of accuracy, there *is* a patch for the IIS exploit which has been around for a while; it's IE that has the unpatched vulnerability. What is particularly shameful about this is that the patch to secure IIS, MS04-011, has been around for a while are should have been installed to prevent infection by Sasser and its brethren. "Named and shamed" doesn't even begin to describe what I'd like to see happen to the companies whose IIS servers are responsible for the spread of this one...

    • RIP IE. With all of your popups, tabless browsing and thousand of security holes, good riddence. Rot in hell.

      Yes. Yes. Coz IE's really dying. really dying [google.com], it is.
  • by andhravodu ( 698763 ) on Sunday June 27, 2004 @11:24AM (#9543466)
    Good recommendation from CNET. I am a windows user (mostly) and get a chance to use unix boxes only at work. if using a web-browser, IE was the default choice since it's bundled with windows. I installed opera, netscape but they had issues loading a couple of webpages. I then tried mozilla but it was too slow. I then tried avant browser and it worked wonders albeit for a short period of time. The popup's were still coming, and there isn't a shortcut for opening a new tab. Finally, I moved on to Firefox 0.8 and 95% of the time, I am a die-hard user of firefox.

    I now use IE only to open my native language webpages since they aren't encoded properly in firefox. I would be grateful to anyone if they can show me how to open www.eenadu.net in Firefox. The native language is Telugu, if anyone needs it

    V
    • I then tried avant browser and it worked...

      From Avant Browser FAQ [avantbrowser.com]:

      Is Avant Browser a secure browser?
      Yes, Avant Browser is secure. Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer.

      :)

      You are using same rendering engine. I suspect that Scob would get you in Avant Browser too. Same goes to other IE clones.

    • The page source says the charset should be both "windows-1252", "iso-8859-1" (and even "x-user-defined"). These are Western, ie. Latin character sets - I'm imagine Telugu doesn't relate to these in any way?

      You should contact the authors and make them fix the page.

      z
    • by mnewton32 ( 613590 ) on Sunday June 27, 2004 @12:06PM (#9543854) Homepage
      Off-topic I know, but the site is using some Javascript code to check for Netscape 4 or Internet Explorer. It is then sending a browser-specific downloadable font to either of those browsers.
      The problem is that they are using a European character set, and just replacing the Latin characters with Telugu ones. This used to be acceptable practice, but now that all modern browsers support unicode and multiple character sets, it's really not necessary.
      You should contact the site owners and have them update the site. Who uses Netscape 4 any more?
  • by kristofme ( 791986 ) on Sunday June 27, 2004 @11:27AM (#9543493)
    I switched a month ago from Outlook to Thunderbird, which went so well that I switched last week from IE to Firefox. Especially the ease of importing of previous Outlook/IE settings was astonishing!
    On the other hand, I found out that it is not that simple to get rid of IE though, a quick search reveals that it is not always simple [google.com][google].
  • by tmk ( 712144 ) on Sunday June 27, 2004 @11:28AM (#9543501)
    There are first malicious programmers that try to infiltrate mozilla users. An example ist http://xxxtoolbar.com/ (sexually explicit!) that tries to install an "toolbar" per XPI. Fortunately this needs an Win32 system and a users who clicks without thinking.

    Have you ever seen an signed mozilla extension?

  • by rastakid ( 648791 ) on Sunday June 27, 2004 @11:29AM (#9543513) Homepage Journal
    "CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera."

    Ofcourse they are advising something else: IE has a past of insecurity. This has two causes:

    1) IE is crappy coded (it's closed-source, so there's no 'second opinion' on the code). 2) IE is wildly used, so very attractive to find a security bug in it (for malicious activities).

    Therefor I recommend a non-IE browser (prefferably Opera or Firefox) to everyone.
    • IE is crappy coded (it's closed-source, so there's no 'second opinion' on the code).

      The number of "second opinions" on code has more to do with code review process than it does with whether the program is open-source. mozilla.org requires most new code to be reviewed by 2 people. I think that does more for the quality of the code than the wide availability of source code.

      Of the 50 or so security holes I've found in Mozilla (see my resume for a link to the list), I only found 2 of them by looking at the
  • by mst76 ( 629405 ) on Sunday June 27, 2004 @11:30AM (#9543526)
    Seriously, I suspect that anyone who know what CERT is already runs Mozilla (or at least know he should). More significant is that this is on the Washington Post. With all respect for CERT, the mainstream press is what we need here.
  • by ites ( 600337 ) on Sunday June 27, 2004 @11:30AM (#9543531) Journal
    That is how long I give Microsoft before they find themselves confronted by a revolution from their users due the their inability to deliver secure products.

    Instead of spending their effort trying to destroy their competitors (which, today, means open source software), Microsoft should be closing the gap.

    Yes, all software has potential insecurities. Yes, Microsoft is targetted because they are the dominant monoculture.

    But no, this changes nothing. A burglar will always go for the easiest target, and Microsoft users will always be the target so long as Windows et al. is even just slightly less secure than the alternatives.

    Microsoft should release a service pack to Windows that sets the security settings on MSIE to their highest levels, even at the risk of breaking many web sites. They should sponsor anti-spyware software developers with large prizes for the best anti-spyware software. They should be talking to major ISPs for ways to detect and disable zombies.

    Redmond, listen: Make Windows Secure.

    Otherwise you will be tarred and feathered by your long-suffering users who will prefer any viable alternative to one more "surf at your own risk" experience.
    • by jfengel ( 409917 ) on Sunday June 27, 2004 @11:42AM (#9543641) Homepage Journal
      I wish I could believe your 24-month hypothesis, but I'm afraid it's unlikely. The lock-in is extremely strong. Offices are reluctant to switch because of the retraining costs and incompatabilities with existing systems (making a phased switch-over even more expensive.) Home users are comfortable with Windows, which are cheap and readily available. People are reluctant to use one system at work and another at home, making a feedback loop.

      I wish security were a strong enough consideration, but given how many people are spyware-riddled and don't even know it, I suspect security is just not on people's minds when they choose a computer. Perhaps when enough people lose enough money or data to an exploit this will change, but today price and familiarity are more important to them.

      That doesn't mean that there aren't opportunities. The lengthy delays in Longhorn are a huge opportunity for Apple and Linux. As people buy new computers, they expect new ones to be better than old ones. If they go to the store and say, "XP again? I had it and it's really buggy," they'll start looking for alternatives. They expect bugs, but they also expect each new release to be better than the old one. Deprive them of that and they may start looking around.
    • "Microsoft should release a service pack to Windows that sets the security settings on MSIE to their highest levels, even at the risk of breaking many web sites."

      "Redmond, listen: Make Windows Secure."

      No.

      Let's face it. Even if MS cancelled all other development for a year on all other products and just focused on making IE, IIS and Windows "secure", they would not become 100% secure, because there is no such thing. There is always a risk of bugs and bad undiscovered design faults and so on.

      We do not l

  • by Arathrael ( 742381 ) on Sunday June 27, 2004 @11:34AM (#9543563)

    CERT have suggested using a different browser before (e.g. here [cert.org]).

    I wouldn't read too much into it myself though. If one browser has a vulnerability, and another doesn't, surely it's an obvious thing to suggest? And in the past, they've pointed out the potential problems with not using IE (i.e. incompatibilities with IE-dependent sites). More a suggestion than a recommendation I'd say.

  • Only 50 visitors? (Score:5, Interesting)

    by Vlad_the_Inhaler ( 32958 ) on Sunday June 27, 2004 @11:38AM (#9543598)
    Jennifer Scharff, vice president of marketing for MinervaHealth, said some of the company's clients reported the problem on Thursday. The company has since fixed its site, she said. Scharff said no more than 50 visitors browsed the Web site during the time it was serving up the hostile code.

    I had never heard of the company, but is it realistic that only 50 visitors browsed the site after it had been cracked? That seems very low, especially for a problem which was previously unknown to the Virus scanners.
  • by vijaya_chandra ( 618284 ) on Sunday June 27, 2004 @11:40AM (#9543622)
    Recommending explorer users to use mozilla/firefox is fine.

    From the article
    The attack takes advantage of several recently discovered security flaws in Microsoft's Internet browser and Internet Information Services Web software. Microsoft released a patch in April to fix one security hole in its Internet browser; the company is still working on a patch for the other flaw, which security researchers publicly detailed less than two weeks ago.

    But a recommendation for the people running web servers that are vulnerable to this attack would *really* have been more useful. Excuse me if there's already some recommendation (Having a link to that in the news item'd have been better in that case)
  • by shrubya ( 570356 ) on Sunday June 27, 2004 @11:46AM (#9543690) Homepage Journal
    I think the journalist may have mixed up his notes. None of the recent CERT advisories [cert.org] mention Mozilla, Opera, or non-Windows OSes. However, friday's SANS report [sans.org] says:
    we recommend that you (*) install and maintain anti virus software (*) if possible turn off javascript, or use a browser other then MSIE until the current vulnerabilities in MSIE are patched.
  • by TheLink ( 130905 ) on Sunday June 27, 2004 @11:53AM (#9543757) Journal
    And while you are at it you may wish to change the security settings for your "My Computer" zone.

    Read this:
    Description of Internet Explorer security zones registry entries [microsoft.com]

    Then edit the relevant key (if you don't know how, then you should just switch to using a different O/S or browser):

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rr entVersion\Internet Settings\Zones\0

    Change Flags from 0x21 to 0x01 to make it visible.

    Once you do that you can more easily change the security settings for the My Computer zone.

    You could also add your own custom zone, but if you have to ask me how to do it, you shouldn't.

    Note that while disabling javascript and stuff in the My Computer zone protects you from numerous IE exploits[1], the web style windows explorer and other stuff require active scripting and other stuff to be enabled. So you would have to switch to the classic style. I don't see what benefits the web style has - other than make monitor/LCD vendors happy - it takes up more screen space.

    [1] many attacks involve cross zone exploits with the aim of running the exploit in the My Computer zone which has lower security levels by default - raising the security levels e.g. requiring prompts before active-X stuff is run, disabling active scripting (I see very little need for scripts to be enabled on locally stored HTML pages, heck I see very little need for most websites to use javascript).
  • IIS? (Score:3, Interesting)

    by reuben04 ( 740293 ) on Sunday June 27, 2004 @11:56AM (#9543775)
    The issue is two fold... One, they are able to force IIS (only IIS) to serve out a footer to every html, jpeg, etc. that the web server sends out. This then contains code that then executes on the browser. This isn't just Internet Explorers fault, it is the company's fault that uses IIS to serve out it's web pages. We have long since known that IIS is not secure, and yet still we have major sites that use this for their front end. I am not sure, but couldn't a reverse proxy stop this from happening at all? Aren't the major web sites responsible for serving out viral web pages. My problem is this: You cannot browse all of the web with only mozilla. You must use IE to browse some sites, or they don't look right. The content is sometimes unreadable without IE. I agree that Mozilla is comparable. I use both. I recently designed a site for a company, and the hardest part was getting it to look right in IE, Mozilla, and Opera. But when it was done, I knew that it was done right. This is the problem. Web designers don't want to take the time to worry about standards compliancy. The statistics still say that around 80% of all browsers are IE. Why would they need to worry that much, all of the people reviewing the sites are using IE (executives and marketing). We are not going to get all users, or even the majority of users to switch to Mozilla, they have been using IE for years and as some of you have said, some users still think that "E" stands for the internet. It is going to take time. What I think we really need is to stop relying on Microsoft to be the internet facing web applications. They can be the business worlds desktop, and even the enterprise servers, but they cannot continue to be the web facing application servers.
  • by Knights who say 'INT ( 708612 ) on Sunday June 27, 2004 @12:00PM (#9543810) Journal
    I'm actually surprised no one mentioned this yet. Yes, I read all coments so far.

    This CERT (whatever it is) is _not_ endorsing the Mozilla family of products, it is recommending against Internet Explorer and other browser-apps (Avant/Neoplanet anyone?) who use IE's rendering engine.

    Next thing, headlines will read "CERT endorses Linux apps for web browsing", merely because Mozilla and Firefox happen to run on Linux.

  • by TeddyR ( 4176 ) on Sunday June 27, 2004 @12:16PM (#9543946) Homepage Journal
    we would instatly switch to using firefox if they added support for proxy autoconfiguration via wpad. (either DNS or dhcp based wpad would be fine). We have laptops that need to be able to pick up their proxy configs automatically since they roam between offices....
  • I started (Score:3, Interesting)

    by BCW2 ( 168187 ) on Sunday June 27, 2004 @12:19PM (#9543967) Journal
    with Netscape over ten years ago and stuck with it. I didn't switch to IE at first because I didn't want to. Then it became an issue of; Gates didn't pay for my computer, or the electricity to run it, so where does he get the idea he has any say in the software on it. Then I found Linux, Konquerer was cool, then Mozilla. My current box is dual boot, XP and RH9. In windows I use Mozilla. The only time IE can be found is for update. No icons, no place on the start menu. I consider it a virus trap and treat it that way.
  • by quantaman ( 517394 ) on Sunday June 27, 2004 @12:23PM (#9544001)
    Robyn Eckard, a spokeswoman for the Irvine, Calif.-based Kelley Blue Book, said the company learned about the problem late Wednesday after Web site visitors said their antivirus software tipped them off to the code. Eckard said Kelly Blue Book removed the malicious code from its site by late Thursday afternoon.

    There wasn't any mention of their site being down so that means a period of what could be almost a full day where they knew their website was infecting customers with this virus but continued to let it run. Are they really allowed to do that? Perhaps they figgured the bad PR or loss of buisness from their site being down would be greater than the bad PR and loss of buisness by their customers being infected by this thing then possibly robbed when their bank info was lifted. Perhaps the article was just mistaken, google returns multiple sites [google.com] and at netcraft I can't make heads or tails of the first one but the second site appears to have remained up [netcraft.com] could they be charged for this it seems kinda like one of those people with AIDS who doesn't tell partners thier infected and goes around having unprotected sex.
  • by fudgefactor7 ( 581449 ) on Sunday June 27, 2004 @12:37PM (#9544120)
    This particular vulnerability has been patched for two months (MS04-011). Had the administrators applied that patch when it becase available this would have been half fixed. Then all you'd need to do is get an IE fix. And then that would be the end of this particular issue. Since the patch existed before any known use of the exploit, the blame is squarely on the shoulders of two groups: (1) the malware author(s) themselves; and, (2) the lazy sysetm administrator too slow or stupid to deploy the patch in a timely manner.

    Really, this is an issue settled by termination of the employee responsible for not keeping a good record of patches and updates. Of course, that still leaves the IE problem, but with the IE team recently recreated, probably for Longhorn, but perhaps they're therer just to release an update to IE to fix this type of crap, we may see the end of these types of things. If only people would quite exploiting innocent code... Sadly, people left to their own devices will revert to base and vile activities, then add in the anonymity of the internet, you get the jerks who think it's fun to spoil the party for everyone.
  • by BabyDriver ( 749379 ) on Sunday June 27, 2004 @12:38PM (#9544135)
    If there isn't a patch for the IE hole yet, there can't possibly be an exploit in the wild [slashdot.org]
  • Interesting (Score:5, Interesting)

    by arvindn ( 542080 ) on Sunday June 27, 2004 @12:46PM (#9544215) Homepage Journal
    A lot of things are happening at the same time:

    *Google shows a slight upswing in Gecko marketshare in the last couple of months

    *Firefox 0.9 is an awesome release, and 1.0 promises to be a killer

    *Mozilla foundation hires former Netscape marketing guy and also starts major grassroots marketing effort

    *MSIE is hit with more security vuln's than ever before

    *More and more mainstream tech news outlets start recommending firefox

    *Microsoft is sufficiently scared to reconstitute MSIE dev team

    Could this be the beginning of another round of browser wars??!!

  • by SirDaShadow ( 603846 ) on Sunday June 27, 2004 @01:23PM (#9544519)
    Folks:

    I have been using a nice IE add-on called Slimbrowser. It has a lot of features and I really come to like it. But I also have been using Firefox and noticed rendering is 2-3 times faster than IE/SB! Would love to move from SB to FF but I noticed I want certain features that SB that I
    haven't been able to find on Mozilla's website. Can anyone point me to the right direction and tell me where to download the right Windows extensions that can make Firefox have the:

    1) Ability of running any Windows shortcut or folder within the browser or explorer.
    2) Autologin of websites (form filling-username, pass)
    3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)
    4) "Groups" of websites that open in tabs at the same time
    5) In-line Flash/Advertsing blocks (I noticed one of Achilles' Heels of FF is that it eats
    cpu like crazy when flash is used on the page)

    I would appreciate any help you can give me!
    • by beware1000 ( 678753 ) on Sunday June 27, 2004 @01:48PM (#9544692)
      1) not that I know of
      2) use the firefox password manager (it is built in)
      3) try adding a bookmark to yahoo, removing the search criteria from the url and replacing it with %s. then assign it a keyword.

      that way you can just type.. 'yahoo searchciteriahere'

      4) groups of tabs. add the group of tabs to a bookmark folder, right click the folder and open all tabs

      5) try the adblock firefox extention. it is on the extention website.

      there has never been a better time to try it IMO
      • Actually there is an extension that will open external applications and folders.

        http://texturizer.net/firefox/extensions/#extern al app

        For a while, I had a Firefox shortcut in my Startup folder. Since I always log in and open Firefox, I figured why not. With this extension, I could open other apps right from the Firefox toolbar.

        To open a folder, you have to open Windows Explorer with a location as an argument.

        It's easier than it sounds. Really.
    • by Anonymous Coward on Sunday June 27, 2004 @01:55PM (#9544739)

      1 Ability of running any Windows shortcut or folder within the browser or explorer.

      Firefox is a web browser. Are your computer running a web server, and if not, why would you expect your web browser to be able to 'explore' your folders in the browser view?. Try "Open file". There, you can "explore" and "open" at your leisure.

      2) Autologin of websites (form filling-username, pass)

      Security hazard. I don't care how much you think this is a great idea; it isn't. Sometimes us developers must protect you against yourselves.

      3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)

      I just put all the search engines I like in a HTML-page that is my default page. What you want is trivial to do in Opera BTW, and probably in FF too (after all, there's always the source, worst case).

      4) "Groups" of websites that open in tabs at the same time

      This is standard. Are you trolling? Open bookmark folder, click "Open in tabs". What a waste of time.

      5) In-line Flash/Advertsing blocks

      Plugin: Adblock

    • by Too Much Noise ( 755847 ) on Sunday June 27, 2004 @03:23PM (#9545365) Journal
      to complete the answers you have so far

      3. see here [mozdev.org] for documentation on how to make your own Mozilla search plugins.

      5. Besides the already-mentioned Adblock plugin, use Flash Click To View to replace flash with a button you can 'click to view'.
      • Clarification (Score:3, Informative)

        by MachDelta ( 704883 )
        Just as a note, Flash Click To View is now known as FlashBlock [mozdev.org].
        Now there's good news and bad news about it. The bad news is, it hasn't been updated for v0.9. The good news is, it still works with 0.9 flawlessly (i'm running it right now). The only problem is it won't show up in your extensions menu, so disabling or removing it could be a pain.
        Now I say could be, because if you grab a little gadget known as Show Old Extensions [pikey.me.uk], FlashBlock and any other pre-0.9 extensions you have installed will appear in
    • by 0x0d0a ( 568518 ) on Sunday June 27, 2004 @08:50PM (#9547275) Journal
      1) Ability of running any Windows shortcut or folder within the browser or explorer.

      You absolutely do not want this. The mingling of file browser and web browser are what cause a huge number of IE security holes.

      You could probably just set up a helper or something, but you don't want to. Really. Mozilla is not a file manager.

      2) Autologin of websites (form filling-username, pass)

      Exists, and I've seen it, but I don't know what plugin to use. IIRC Mozilla has this built-in.

      3) Make your own search engines (like if I want to add yahoo maps and all i type is the destination)

      Firefox rocks at this. Do a search, bookmark it, and replace the query text in the address field in the bookmark's properties with "%s", and then give it an alias (say, "gg"). If I did this with a Google search, I can just type "gg foobar" to Google for "foobar". I have imdb, google, and tons of other databases usable through Firefox directly. Absolutely wonderful.

      4) "Groups" of websites that open in tabs at the same time

      Create a folder in your bookmarks, and choose the menu item "open in tabs" for that folder under the Boomarks menu in Firefox.

      5) In-line Flash/Advertsing blocks (I noticed one of Achilles' Heels of FF is that it eats
      cpu like crazy when flash is used on the page)


      You want Click to View [mozdev.org].
  • by unoengborg ( 209251 ) on Sunday June 27, 2004 @03:08PM (#9545257) Homepage
    Switching browsers browsers is not enough. Who knows, Mozilla could be the target of some malware tomorrow. Switching to Mozilla just buys you some time.

    To be more secure we need an OS that prevents the browser from executing unauthorized code and prevents the browser from accesing sensitive information or applications on our systems. The browser should not be allowed to be the only layer of security.

    One way would be to swich to some Linux, using a distro that make use of the SELinux stuff enables mandatory access control and set up a good security policy.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...