Dept. of Homeland Security Says to Stop Using IE 1069
LWATCDR writes "I have been saying this for a long time but now it is offical. From Yahoo News:
'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
DUPE!... well, mostly. (Score:3, Informative)
We did this story on Sunday... [slashdot.org]
However, in CowboyNeal's defense, both articles cited here were published after that story on Sunday, and we now have the news of Microsoft's rather weak reaction claiming that CERT didn't mean what we all saw them say and Mozilla's reaction that downloads are up since the first reports. Still, that's a Slashback, not a new story.
Amazing...BTW, if you haven't used.. (Score:5, Informative)
Re:DUPE!... well, mostly. (Score:5, Informative)
Firefox will install with 'power user' access (Score:5, Informative)
You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.
Happy browsing!
Re:If it's broke...well....we'll fix it later (Score:5, Informative)
Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only whole they haven't plugged in months...
Firefox, Mozilla and performance (Score:4, Informative)
A fix for IE?? (Score:5, Informative)
Re:Bad Bureaucrat! Naughty! (Score:5, Informative)
Re:Who cares about security, (Score:3, Informative)
Firefox's Gestures (Score:4, Informative)
Re:Firefox will install with 'power user' access (Score:2, Informative)
Re:Give advice to alternative browser newbies! (Score:2, Informative)
2. I believe it will work when you set Firefox as the default browser
3. Yes but you can set it to close when download is complete
Re:Firefox will install with 'power user' access (Score:4, Informative)
http://johnhaller.com/jh/mozilla/portable_firefox/
Re:If it's broke...well....we'll fix it later (Score:5, Informative)
Ummm... I don't think so.... here is a link to the US-CERT Vulnerability Note VU#713878 [cert.org] which (I think) is where this all starts. Go right to the bottom (OK, this is slashdot, so I'll cut-and-paste)
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).
The way I read that last sentence, CERT say you are not safe unless you get rid of the IE6 functionality.
True.. but you're forgetting one thing. (Score:5, Informative)
NO ACTIVE X. That means no sneaky little programs in your system.
The open source movement is well on top of issues like this... always have been.
Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.
Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.
Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.
Don't forget (Score:2, Informative)
*breathes sigh of relief*
Comment removed (Score:4, Informative)
lies, damn lies and statistics (Score:3, Informative)
Some of us Moz/FF/Op users set up our browsers to masquerade as IE, because -some- sites still seem to insist on it...
To help convince non-techie users... (Score:5, Informative)
http://www.dmiessler.com/reading/ie.html
How to get plugins to work (Score:3, Informative)
This has information on plugins like: Adobe Reader, Java Plugin, Macromedia Flash Player, Macromedia Shockwave Player, QuickTime, RealPlayer 10, Windows Media Player, etc.
Re:Give advice to alternative browser newbies! (Score:3, Informative)
IE is a lot of things but I don't see how you can say that. IE is very fast loading on every system I have used it on because of the fact that it is so integrated wit the OS. IE loaded much faster then the 0.8 build of firefox. The 0.9x build is much faster but I havn't compared it with IE.
What feature bloat are you talking about with IE? The tabbed-browsing? The pop-up blocking? No, it has neither. IE browses and that's it.
And finally, what exactly is over complicated about it? The only thing that I can possibly think of is the "Advanced" tab in the preferences. It is called "Advanced" for a reason. Most users do not need to modify anything in that tab. Most features that users will need are on the first tab in the preferences.
Firefox is a much superior browser and IE has a lot of flaws but didn't hit on any of them.
Re:True.. but you're forgetting one thing. (Score:3, Informative)
Microsoft is always looking for ways to provide innovative solutions to our vic^H^H^Hcustomers:
Perrin: Proof of concept to infect JPG files [about.com].
TROJ_BMPAGENT: Infected BMP files [about.com]:
> Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.
No argument there, except for s/EXPRESS//g.
In the meantime, HomeSec recommends the use of Mozilla as a first line of defence against terrorists infecting your box with Islamic Militant Bukkake Kitten [fark.com].
Re:Its About time (Score:4, Informative)
Re:LOL! Are you kidding me? (Score:1, Informative)
You've missed the point - the notifications are what show that OSS folks are on top of things. As soon as a vulnerability is known, it's published, along with a workaround so people can defend against it until it's patched.
Compare/contrast with closed-source companies that try to hide evidence of exploits until they're fixed, and preferably, until well after the servicepack that fixes it has been released (with ALL NEW FEATURES! to get their customers to upgrade). Customers never know there was a problem, which is NOT the same as saying there wa no problem to begin with.
Good PR != good vulnerability management.
Re:Its About time (Score:1, Informative)
Not if it is an electronic display clock or 24 hour time cycle clock.
Served.
Mozilla is vulnerable too (Score:5, Informative)
Did anyone RTFM from the Yahoo link. It says at the very bottom that Mozilla is vulnerable too. I use Mozilla myself but it appears that the real culpret is ActiveX which you can install on Mozilla [mozdev.org]. I don't think this plug in will work on platforms other than windows so it's really a platform issue.
link to the US-CERT announcement (Score:5, Informative)
Re:Now if only Mozilla (or FireFox) was faster!!! (Score:3, Informative)
I wish this were the case everywhere. In most of the businesses I work with, the upgrade cycle is about 4-6 years depending on the scope of the project and the machine's use. Desktop office PCs tend to be upgraded every 4 years, project-specific machines every 6. Very specific setups, when usually not connected to the LAN, often never get upgraded. It "just works".
Security patches are deployed fairly quickly. OS updates are rare and generally occur at the start of a new project. Right now, XP SP1 is the most common on the office desktop, but Win2K is very close behind. For most existing projects, Win2K is pretty much the standard. Some projects nearing their end are still on NT4 SP6 (thank heavens for our good network security). A couple of the smaller businesses still a lot of Win98 (ack!) but most jumped to NT4 or better long time ago.
Keyboards, mice, and monitors typically aren't hard to request as needed, but a full system upgrade is like pulling teeth. Exception: recptionists. They generally have a new Dell with a 20" LCD. (Or 17" LCD iMac G4). Their machines are updated often. They generally spend their days forwarding email poems and chain letters to their friends.What a lovely world.
Re:Profit (Score:1, Informative)
Re:Firefox will install with 'power user' access (Score:4, Informative)
Re:Yeah Right (Score:5, Informative)
First a committee/team has to be put together to verify the recommendation not to use IE. Then an alternative will have to be selected. This means another committee/team will have to determine what the alternatives are. Once the alternative web browsers are identified, they will have to be tested to make sure that they are secure and compatible they are. This testing can very depending on how indepth they go and how soon they realize that a large number of military web sites are IE only!! Once a replacement browser is selected, a Plan of Action has to be determined to figure out how the new web browser will be installed and how the completed installation is reported back up the chain of command. Once all of this has been completed, it will then be briefed to the head shed at the Pentagon who will then make some modifications before giving an order that all computers have a new web browser installed.
This doesn't take into account any turf battles that may come up during this process, fixing all of the IE only military web sites, complaints and stubborn refusal from users (IE will have to be completely removed otherwise people will still use it), all of the modifications to the Plan of Action as it goes down the chain of command, the several weeks it will take for each DOIM and unit to figure out how they are going to implement the Plan of Action, DoD civilians.....
It should take the military a few months to install a new web browser.....
Re:Firefox will install with 'power user' access (Score:3, Informative)
The correct link is here: Firefox 0.9.1 (zip) [mozilla.org]
Re:Give advice to alternative browser newbies! (Score:4, Informative)
1) Firefox is lighter
2) Whatever browser is set as the default is what the Run box will open. Firefox will never be as integrated as IE, but that integration is part of the problem. It is a good thing. Open Firefox from an icon and use it as just a web browser, not as a file browser, desktop viewer, whatever else IE wants to be.
3a) In Mozilla you can disable the download manager by going to Edit->Preferences. Under the Navigator section select Downloads. On the right side of the screen you can choose Download Manager, Progress Dialog, or nothing for downloads.
3b) Under Firefox (0.9.1) you can trun off the Download Manager, but the alternative is no Progress Dialog of any kind. To do this go to Edit->Preferences. Select Downloads on the left. On the right side set the download folder to whatever you want and then look at the settings for the download manager.
This is all from a Linux box, but the settings for the Windows version of Mozilla and Firefox should have identical settings.
I have never been able to use WindowsUpdate from Mozilla. Of course even if you uninstall IE from XP or 2000 all the parts of it are still there, just the icon is gone.
HTH
the_crowbar
Re:Bad Bureaucrat! Naughty! (Score:5, Informative)
http://georgewbush.com was running Microsoft-IIS on Windows 2000 when last queried at 25-Jun-2004 13:05:27 GMT
CERT gave the warning nearly a month ago (Score:5, Informative)
The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.
CERT gave the warning on June 10 [cert.org]. BBC reported this on June 14 [bbc.co.uk].
Re:Mozilla is vulnerable too (Score:5, Informative)
Uh, it is reported that the trojan only automatically installs itself with IE. For other browsers, you have to download and run a GIF image that is disgused as an EXE with the infamouse double-extension social engineering trick.
Did you read the page you linked to?
Re:Let's turn this around, shall we (Score:4, Informative)
Open Source software can be (and often is) of better quality, especially when it comes to security.
The only "security issues", I've heard about Mozilla were about reading files or crashing - and those were instantly fixed. IE is so flushed with real grave security holes (like "take over computer") that crashing or reading files isn't even worth reporting, never mind fixing.
Microsoft usually does nothing unless there is an exploit - then maybe they do something - or (like with IE lately) they still don't do anything unless the exploit is used by a lot of people.
Re:If it's broke...well....we'll fix it later (Score:2, Informative)
Re:Yeah Right (Score:4, Informative)
Re:If it's broke...well....we'll fix it later (Score:4, Informative)
Yeah, but, wasn't it just a few weeks ago, that a company got out of legal problems involved with privacy (an airline?), because they argued that most of the plantiffs probably did not read the privacy statement they clicked to agree with....and therefore it wasn't binding.
Well, if that works in reverse...just claim you never read those click through EULA's.....and therefore aren't bound by them...and so you can sue.
Seems fair....?
Hate to bust your bubble... (Score:4, Informative)
Sure, but he's been replaced by another DRM-lover. Trust me, there's no clue coming to the MPAA.
* AU sets up a free CA.
Ok, I'll agree with you about this bit of good news... once I see it in IE's default CA list.
* European software patents are being rejected.
Wrong. The Dutch reversed their vote. This does not *yet* invalidate them, although it is a good start... keep the pressure up on your EU representatives!
A patch has been released. (Score:3, Informative)
Re:Mozilla is vulnerable too (Score:1, Informative)
On the mozilla ActiveX plugin* it clearly says:
"which can be a security risk"
How much more handholding do you want Mozilla to do? Do you want the developers to look over your shoulder and tell you whether each individual page is safe or not.
You have to download and manually install a plugin marked dangerous to make Mozilla vulnerable!
* NOT INCLUDED BY DEFAULT, SO YOU SPECIFICALLY HAVE TO DOWNLOAD AND INSTALL IT MANUALLY.
Re:Closed captioned for the PR impared (Score:5, Informative)
I don't think the media misreported that.
Re:If it's broke...well....we'll fix it later (Score:4, Informative)
Re:Stupid Question: Why Scripting, ActiveX, Java? (Score:4, Informative)
Yes there is good reasons to have Java/ActiveX on a web page. E.g. on an internal private network, where you have trusted users and want things like signature pads uploading signatures to a database. Or how about on a public network, there is a wonderful tool to trace a route with a cool picture of the globe (but this is done without violating network security).
With Java you have to actively accept the dismantling of security, if someone clicks yes to trusting an unknown source then they will get an ugly lesson in trusted computing. With ActiveX it comes out of the box with no security and one has to actively enable security. Given the majority of home users are never going to do this, and the majority are using Windows, a massive ripe resource for worms/viruses/spammers exist. Active X suffers from fundamental security flaws, and is going to cost Microsoft a lot to fix the damage to reputation and loss of customers.
Re:True.. but you're forgetting one thing. (Score:3, Informative)
All of these programs suffer from the same vulnerabilities, namely those that affect the Internet Explorer rendering engine. Any program that uses this redering engine is at risk of all sorts of nasty exploits. These programs include MSIE, Outlook, Outlook Express, Windows Explorer (really MSIE with a different skin) and any application that embeds the MSIE rendering engine.
The problem, of course, is that Microsoft broke one of the fundamental rules applying to internet security when it allowed this rendering engine to execute remote code locally with all the privileges of the user running the program. In some cases, it even allows remote exploits to be run under system privileges. The chief vehicle for this ability is ActiveX, but there are other ways. This was done in the name of convenience and presentation with little to no concern for the privacy and security of their customers. To make matters worse, it was done in such a way as to be completely transparent to the user, such that the user often has no idea that a compromise occurred.
When you compare that to the operation of other browsers (none of which take this bone-headed approach), it is small wonder that Microsoft is held in such low esteem by internet engineers and programmers alike.
Re:Yup, they sure did! (Score:3, Informative)
Slashcode spits out incredibly bad HTML. Don't take my word for it - paste the source into a validator sometime to see for yourself. Given that, it's not meaningful to say that any given browser "doesn't display Slashdot right" since there's no clear answer to how it's supposed to appear.
Slashdot's a great site, but noone's ever praised it for the beautiful HTML. It's just kind of one of those things.
Re:Bad Bureaucrat! Naughty! (Score:3, Informative)
the second richest man in the world, Warren Buffett, has thrown his weight behind the [Kerry] campaign.
Would ya look at that... the super-rich backing their home boy. Of course, eight of the 10 richest Senators are also Democrats...
They must be the "party of money."
Re:SQUID proxy configs for Firefox??? (Score:3, Informative)
http://www.clavister.com/support/kb/10026/
googled for 'squid user-agent' - result # 23 or so.
I haven't tested this, please reply to this thread with your results
How to disable IE (Score:3, Informative)
@echo off
C:
cd "\Program Files\Internet Explorer"
if not exist IEXPLORE.EXE goto End
if exist IEXPLORE.EX_ del IEXPLORE.EX_
if not exist IEXPLORE.DIR md IEXPLORE.DIR
if not exist IEXPLORE.DIR goto End
attrib -r -h -s IEXPLORE.EXE
ren IEXPLORE.EXE IEXPLORE.EX_
if exist IEXPLORE.EXE goto End
ren IEXPLORE.DIR IEXPLORE.EXE
echo IE disabled.
echo If prompted, click "Cancel" then "Yes" on File Protection restore.
echo Run enable-ie.bat to allow IE to run again.
It still runs if you put a URL into a window bar though, but if your alternative browser is the default browser then it'll launch for everything else.
To re-enable Bill's little helper:
@echo off
C:
cd "\Program Files\Internet Explorer"
if not exist IEXPLORE.EX_ goto End
if not exist IEXPLORE.EXE goto Activate
attrib -r -h -s IEXPLORE.EXE
rd IEXPLORE.EXE
if exist IEXPLORE.EXE del IEXPLORE.EXE
ren IEXPLORE.EX_ IEXPLORE.EXE
echo IE enabled.
I.E. Active X object, not just any HTML renderer (Score:4, Informative)
More often this is used in applications like AOL (IE is the default browser in AOL), where they use this ActiveX component to display web content. I think AOL uses their own e-mail system, however. You can also see this in the Real Player application, again if they are going to display web content instead of playing music or an audio/video clip. (Try this if you have Real Player.) Other application also use this, in things like About boxes or even a cool splash screen when you start an application. Sometimes they even do full TCP/IP http requests for content, including machine-specific data. A good security hole if I ever heard of one, and a cheap and easy spy app as well.
Mozilla does not use the I.E. rendering engine... they have their very own, so they don't need it. A while back it was a common task for CS instructors to assign students to make their own HTML rendering engine. I wrote one myself just to see if it could be done. Not a beginner task, but still something well within the capabilities of any recent CS college graduate (if they actually taught you anything).
Basically... (Score:3, Informative)
Here's a report from the field to the home office: (Score:1, Informative)
The hospital I work at has a "good" security section with proxy, firewall, SMS server, intrustion detection all the gee-wiz-bang security tools that you would expect an organization lible to the tune of $25k per privacy violation (thanks to HIPPA) to have. Still, I have to deal, on a daily basis, with computers that have spyware installed on them. Not only that, but when the Blaster worm hit (and remember, we had all these security tools prior to its arrival), it still managed to wriggle its way on to our network and in less than 5 minutes infecting every vulnerable computer. My standard response to reimage any desktop that is found with spyware, virus or worm as a matter of policy. For instances of Spyware, I consider this to be punishment for the miscreadent behind the keyboard (very likely a "smart" person with a PhD or MD). The other, non-user initiated instances, we are currently looking at PXE booting our Windoze desktops from solid, known-good image each and every time the user starts up their desktop. We have a gigabit backbone, so we can get away with this. I think the long term decision that needs to be made, however, is to remove windows from the equation entirely.
Now, on to that part-time moonlighting gig. First, I decided to do this to get a better understanding of how users operate at home vice work (with the hope that it would lead to some insight about why things go wrong at work). Second, the pay was good if done right. I discovered that home users are completely insane with regard to security. About 10% to 15% of the user's desktops I encounter have IE so comletely dorked up beyond recognition as a functioning browser that I *MUST* manually download mozilla from the command prompt to get the user through the web based section of the sign-up process. Another +30% of the users have marginally functioning browsers with fairly benign malware (pop-ups, web page redirection, unwanted browser plug-ins, lowered volume modem dialing scamware, etc.). I have a time limit on my installs (user needs to be signed up within at least 20 minutes or else it's not economically worth my while to be out there); so, I usually point them at mozilla.org before I leave. There is a certain large percentage to users (say between 3% to 5%) who's computers are so throughly fscked that I will just walk away from the install after demonstrating, with my laptop, that their internet connection works, but their windoze computer doesn't. To these poor, unfortunate folks, I hand them a live CD distro before I leave.
If you do the math, over half of home Windows users are fscked to some degree. Now I understand why call centers are being farmed out to India. It just simply isn't a matter of cheaper labor; it's actually an economic necessity in light of Windows market share.
I think that Microsoft, in its desperation to "get" the internet, made some really bad design and business decisions that will end up truly demonstraiting that they didn't "get" the internet at all.
The other half of the equation, which has not been tested, is the curse of market share. It will be very interesting to see, over time as the Open Source market share starts to re-take the browser and over take the desktop, how the open source community patches and updates flawed software (fortunately, Microsoft has demonstraited some good ideas that didn't work; maybe, with a little luck, the Open Source community will learn from these mistakes and either correct the fundamental flaw(s) or build something better). Regardless of all the drivle that comes out of Open Source advocates' mouthes, this will be the single feature that defines the difference between Open Source and Microsoft.