Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Internet Explorer The Internet Security United States

Dept. of Homeland Security Says to Stop Using IE 1069

LWATCDR writes "I have been saying this for a long time but now it is offical. From Yahoo News: 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
This discussion has been archived. No new comments can be posted.

Dept. of Homeland Security Says to Stop Using IE

Comments Filter:
  • by LostCluster ( 625375 ) * on Friday July 02, 2004 @11:52AM (#9592471)
    Been there, done that, got the t-shirt.
    We did this story on Sunday... []

    However, in CowboyNeal's defense, both articles cited here were published after that story on Sunday, and we now have the news of Microsoft's rather weak reaction claiming that CERT didn't mean what we all saw them say and Mozilla's reaction that downloads are up since the first reports. Still, that's a Slashback, not a new story.
  • Firefox, you need to do yourself a favor. Flawless pop-up blocking, the beauty of tabbed browsing...real standards implementation...the list goes on and on. Now, if only Windows would be declared a national security risk...
  • by arieswind ( 789699 ) * on Friday July 02, 2004 @11:55AM (#9592511) Homepage
    That was CERT's announcement, this is actually the Department of Homeland Security making this recoomendation. 2 different orginizations, same recommendation.
  • by tabdelgawad ( 590061 ) on Friday July 02, 2004 @11:58AM (#9592541)
    For those considering installing Firefox on Win2k PCs they don't have 'administrator' accounts on, I can report that it installs and works perfectly well from a 'power user' account. Perfect for those considering an installation on a work PC.

    You should probably find out if IE uses any work-related proxy-server and change that setting manually in Firefox once the install is complete.

    Happy browsing!
  • by jo42 ( 227475 ) on Friday July 02, 2004 @12:00PM (#9592562) Homepage

    Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only whole they haven't plugged in months...

  • by Midnight Thunder ( 17205 ) on Friday July 02, 2004 @12:01PM (#9592570) Homepage Journal
    I use Mozilla for most things, though on my Mac I increasingly use Safari, for the simple reason that I feel that Mozilla's rendering engine needs work. Gecko is slower at rendering pages than the engine powering Safari. Maybe had I a more recent computer I wouldn't notice the difference so much, but for many people this could be a sticking point. Some people I have spoken to still feel Mozilla and Firebird lose out against IE for just this reason. Other than that, I like the browser (Mozilla that is), and I am using the most recent release.
  • A fix for IE?? (Score:5, Informative)

    by Sergeant Beavis ( 558225 ) on Friday July 02, 2004 @12:02PM (#9592588) Homepage
    Microsoft [] released a fix for this issue today. Basically it disables the ADODB.Stream object. However, it requires a regedit to implement. I imagine a hotfix is forthcomming. Still, Firefox and Mozilla don't suck at all, so people should at least use this as an excuse to give them a try IMO.
  • by daringone ( 710585 ) on Friday July 02, 2004 @12:03PM (#9592614) Journal
    A more important question is, do Firefox and Mozilla format the webpages correctly?
    As long as the people writing the pages aren't intentionally hosing your browser... []
  • Firefox's Gestures (Score:4, Informative)

    by Ruonkrak ( 788831 ) on Friday July 02, 2004 @12:04PM (#9592618)
    After making the switch to Mozilla Firefox and using it for two days, I'm hooked. I downloaded the All-in-One Gestures extension, and I can't for the life of me figure out how I ever lived without it. It's a whole new paradigm in browsing. This is another milestone in the MS exodus towards open source and Linux. Disclaimer: I do not work for Mozilla... just a satisfied user.
  • by bheer ( 633842 ) <rbheer@gm a i l .com> on Friday July 02, 2004 @12:08PM (#9592682)
    Here's your Win32 zip [] - IIRC you can run this even on a guest account as long as you have access to some unzip software.
  • by Osgyth ( 790644 ) on Friday July 02, 2004 @12:12PM (#9592723) Homepage
    1. IMHO Firefox is cleaner and lighter

    2. I believe it will work when you set Firefox as the default browser

    3. Yes but you can set it to close when download is complete

  • by Unnngh! ( 731758 ) on Friday July 02, 2004 @12:12PM (#9592726)
    Heck, you can even get an install of firefox that will fit on a 16MB USB key and requires no installation, and leaves little to no trace:

  • by mge ( 120046 ) on Friday July 02, 2004 @12:14PM (#9592754) Homepage Journal
    "In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

    Ummm... I don't think so.... here is a link to the US-CERT Vulnerability Note VU#713878 [] which (I think) is where this all starts. Go right to the bottom (OK, this is slashdot, so I'll cut-and-paste)

    Use a different web browser

    There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

    The way I read that last sentence, CERT say you are not safe unless you get rid of the IE6 functionality.
  • by El Camino SS ( 264212 ) on Friday July 02, 2004 @12:16PM (#9592772)
    You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.

    NO ACTIVE X. That means no sneaky little programs in your system.

    The open source movement is well on top of issues like this... always have been.

    Also, politically speaking, the open sourcers and black hats are cousins on different sides of a moral question. Virus writers and spyware jockeys don't go out and try to attack open source. They know what they are up against. They prey on the weak.

    Remember, Open Source is dragging Microsoft down on a mayonnaise sandwich budget. They know who not to mess with.

    Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.
  • Don't forget (Score:2, Informative)

    by CiXeL ( 56313 ) on Friday July 02, 2004 @12:17PM (#9592786) Homepage
    We still have SCO.

    *breathes sigh of relief*
  • by pandrijeczko ( 588093 ) on Friday July 02, 2004 @12:17PM (#9592790)
    In answer:

    1. Which of the two browsers is simpler / less bulky, Mozilla, or Firebox?

    Firefox is less bulky (about 5MB download) as it is just the browser. Mozilla also has an email/news client, chat client & HTML editor built in.

    2. Can either of them merge with Windows the way IE does?

    Not quite. A URL is really just a filetype determinied by the file extension (.htm, .html, etc.) In Windows, you can point those (and other) filetypes to whatever applications you want - even when you install Mozilla/Firefox, it asks to be the default browser, in which case it will open most URLs, even from the run box.

    Unfortunately, Microsoft specific sites, like "Windows Update" never seem to open anything other than IE and seem to deliberately bork any other browser. Also, because IE essentiall underpins Windows Explorer, you can never really weld in a 3rd party browser as tightly as IE.

    3. Does Mozilla still have that stupid "download manager"? How do I turn it off?

    There is a download manager that opens a smaller window for the files you are downloading. It has been improved in Firefox, it is not obtrusive particularly and I find it more useful to have it there than to not have it there. You can set it to download each file to a directory of choice or just have it download everything to one place you specify.

    Firefox is also themeable, has the Google search bar built in and a lot of pop-up blocking. It REALLY is a better browser, full stop.

  • by BeerMilkshake ( 699747 ) on Friday July 02, 2004 @12:18PM (#9592804)
    Any decrease in IE use as seen by your logs is not a true picture.

    Some of us Moz/FF/Op users set up our browsers to masquerade as IE, because -some- sites still seem to insist on it...
  • by danielrm26 ( 567852 ) * on Friday July 02, 2004 @12:20PM (#9592838) Homepage
    Here's my piece I did on the topic about a week before the CERT announcement:
  • by feepcreature ( 623518 ) on Friday July 02, 2004 @12:21PM (#9592861) Homepage
    If you find some sorts of plugins don't work, there are instructions for fixing that on your windows box on the Mozilla Plugin Support Page []. A longer list of FAQs is at [].

    This has information on plugins like: Adobe Reader, Java Plugin, Macromedia Flash Player, Macromedia Shockwave Player, QuickTime, RealPlayer 10, Windows Media Player, etc.

  • by ViolentGreen ( 704134 ) on Friday July 02, 2004 @12:28PM (#9592942)
    I don't want something slow loading, bloated with features, and overcomplicated. You know, IE.

    IE is a lot of things but I don't see how you can say that. IE is very fast loading on every system I have used it on because of the fact that it is so integrated wit the OS. IE loaded much faster then the 0.8 build of firefox. The 0.9x build is much faster but I havn't compared it with IE.

    What feature bloat are you talking about with IE? The tabbed-browsing? The pop-up blocking? No, it has neither. IE browses and that's it.

    And finally, what exactly is over complicated about it? The only thing that I can possibly think of is the "Advanced" tab in the preferences. It is called "Advanced" for a reason. Most users do not need to modify anything in that tab. Most features that users will need are on the first tab in the preferences.

    Firefox is a much superior browser and IE has a lot of flaws but didn't hit on any of them.
  • by Tackhead ( 54550 ) on Friday July 02, 2004 @12:29PM (#9592969)
    > You're right, but remember that they cannot run anything unless they have a brilliant and ingenious way to transform jpegs and boldface text into an infection.

    Microsoft is always looking for ways to provide innovative solutions to our vic^H^H^Hcustomers:

    Perrin: Proof of concept to infect JPG files [].

    TROJ_BMPAGENT: Infected BMP files []:

    "The exploit involves a specially crafted BMP file that can allow code to run with the privileges of the impacted user. In the case of TROJ_BMPAGENT a.k.a. the Agent trojan, the user receives an email carrying the specially crafted BMP image file. When received on systems with IE 5 or IE 5.5 installed, viewing the BMP drops the file sys.exe to the root of drive C:\ and executes it.

    > Now if we could only get Homeland Security to start talking about OUTLOOK EXPRESS, then I would dance a jig.

    No argument there, except for s/EXPRESS//g.

    In the meantime, HomeSec recommends the use of Mozilla as a first line of defence against terrorists infecting your box with Islamic Militant Bukkake Kitten [].

  • Re:Its About time (Score:4, Informative)

    by RoLi ( 141856 ) on Friday July 02, 2004 @12:34PM (#9593013)
    IE has been discontinued on MacOS, too.
  • by Anonymous Coward on Friday July 02, 2004 @12:35PM (#9593030)
    > If the open source people are on top of things, why does it seem that there is always a new OSS expliot every week?

    You've missed the point - the notifications are what show that OSS folks are on top of things. As soon as a vulnerability is known, it's published, along with a workaround so people can defend against it until it's patched.

    Compare/contrast with closed-source companies that try to hide evidence of exploits until they're fixed, and preferably, until well after the servicepack that fixes it has been released (with ALL NEW FEATURES! to get their customers to upgrade). Customers never know there was a problem, which is NOT the same as saying there wa no problem to begin with.

    Good PR != good vulnerability management.
  • Re:Its About time (Score:1, Informative)

    by Anonymous Coward on Friday July 02, 2004 @12:41PM (#9593092)
    A broken clock is right twice a day.

    Not if it is an electronic display clock or 24 hour time cycle clock.

  • by stecoop ( 759508 ) * on Friday July 02, 2004 @12:41PM (#9593094) Journal
    Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines

    Did anyone RTFM from the Yahoo link. It says at the very bottom that Mozilla is vulnerable too. I use Mozilla myself but it appears that the real culpret is ActiveX which you can install on Mozilla []. I don't think this plug in will work on platforms other than windows so it's really a platform issue.
  • by tcyun ( 80828 ) on Friday July 02, 2004 @12:42PM (#9593102) Journal
    a link [] ( to the US-CERT pub recommendation. It is also interesting to note that the suggestion to "use a different web broswer" is the last offered (see section III. Solution).
  • by green pizza ( 159161 ) on Friday July 02, 2004 @12:42PM (#9593104) Homepage
    Considering normal computer replacement cycle is 3-4 years

    I wish this were the case everywhere. In most of the businesses I work with, the upgrade cycle is about 4-6 years depending on the scope of the project and the machine's use. Desktop office PCs tend to be upgraded every 4 years, project-specific machines every 6. Very specific setups, when usually not connected to the LAN, often never get upgraded. It "just works".

    Security patches are deployed fairly quickly. OS updates are rare and generally occur at the start of a new project. Right now, XP SP1 is the most common on the office desktop, but Win2K is very close behind. For most existing projects, Win2K is pretty much the standard. Some projects nearing their end are still on NT4 SP6 (thank heavens for our good network security). A couple of the smaller businesses still a lot of Win98 (ack!) but most jumped to NT4 or better long time ago.

    Keyboards, mice, and monitors typically aren't hard to request as needed, but a full system upgrade is like pulling teeth. Exception: recptionists. They generally have a new Dell with a 20" LCD. (Or 17" LCD iMac G4). Their machines are updated often. They generally spend their days forwarding email poems and chain letters to their friends.What a lovely world.
  • Re:Profit (Score:1, Informative)

    by Anonymous Coward on Friday July 02, 2004 @12:43PM (#9593124)
    <br> is your friend. use it next time, or post in "plain old text" mode
  • A 'power user' still has admin rights, just not permissions to read other user's home directories. The 'power user' group in NT5 is pretty much worthless. You should be using only the administrator and user groups.
  • Re:Yeah Right (Score:5, Informative)

    by armypuke ( 172430 ) on Friday July 02, 2004 @12:48PM (#9593189) Homepage
    Same here in the Army. But you are expecting a LOT if you think that the military will change the web browser overnight.

    First a committee/team has to be put together to verify the recommendation not to use IE. Then an alternative will have to be selected. This means another committee/team will have to determine what the alternatives are. Once the alternative web browsers are identified, they will have to be tested to make sure that they are secure and compatible they are. This testing can very depending on how indepth they go and how soon they realize that a large number of military web sites are IE only!! Once a replacement browser is selected, a Plan of Action has to be determined to figure out how the new web browser will be installed and how the completed installation is reported back up the chain of command. Once all of this has been completed, it will then be briefed to the head shed at the Pentagon who will then make some modifications before giving an order that all computers have a new web browser installed.

    This doesn't take into account any turf battles that may come up during this process, fixing all of the IE only military web sites, complaints and stubborn refusal from users (IE will have to be completely removed otherwise people will still use it), all of the modifications to the Plan of Action as it goes down the chain of command, the several weeks it will take for each DOIM and unit to figure out how they are going to implement the Plan of Action, DoD civilians.....

    It should take the military a few months to install a new web browser.....
  • Your link is to 0.9 -- however, 0.9.1 came out earlier this week.
    The correct link is here: Firefox 0.9.1 (zip) []
  • by the_crowbar ( 149535 ) on Friday July 02, 2004 @12:52PM (#9593257)
    Ok here is a little more detail:

    1) Firefox is lighter

    2) Whatever browser is set as the default is what the Run box will open. Firefox will never be as integrated as IE, but that integration is part of the problem. It is a good thing. Open Firefox from an icon and use it as just a web browser, not as a file browser, desktop viewer, whatever else IE wants to be.

    3a) In Mozilla you can disable the download manager by going to Edit->Preferences. Under the Navigator section select Downloads. On the right side of the screen you can choose Download Manager, Progress Dialog, or nothing for downloads.

    3b) Under Firefox (0.9.1) you can trun off the Download Manager, but the alternative is no Progress Dialog of any kind. To do this go to Edit->Preferences. Select Downloads on the left. On the right side set the download folder to whatever you want and then look at the settings for the download manager.

    This is all from a Linux box, but the settings for the Windows version of Mozilla and Firefox should have identical settings.

    I have never been able to use WindowsUpdate from Mozilla. Of course even if you uninstall IE from XP or 2000 all the parts of it are still there, just the icon is gone.

  • by MikeXpop ( 614167 ) <mike.redcrowbar@com> on Friday July 02, 2004 @12:53PM (#9593271) Journal was running Apache on Linux when last queried at 26-Jun-2004 10:33:54 GMT was running Microsoft-IIS on Windows 2000 when last queried at 25-Jun-2004 13:05:27 GMT
  • by Anonymous Writer ( 746272 ) on Friday July 02, 2004 @12:55PM (#9593290)

    The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.

    CERT gave the warning on June 10 []. BBC reported this on June 14 [].

  • by Anonymous Coward on Friday July 02, 2004 @01:02PM (#9593377)

    Uh, it is reported that the trojan only automatically installs itself with IE. For other browsers, you have to download and run a GIF image that is disgused as an EXE with the infamouse double-extension social engineering trick.

    Did you read the page you linked to?
    This plugin is included with Netscape 7.1, and is configured to only work with the Windows Media Player control.
  • by RoLi ( 141856 ) on Friday July 02, 2004 @01:02PM (#9593391)
    Apache has sustained much more "pressure" and has a very good security track record - just like Mozilla by the way.

    Open Source software can be (and often is) of better quality, especially when it comes to security.

    The only "security issues", I've heard about Mozilla were about reading files or crashing - and those were instantly fixed. IE is so flushed with real grave security holes (like "take over computer") that crashing or reading files isn't even worth reporting, never mind fixing.

    Microsoft usually does nothing unless there is an exploit - then maybe they do something - or (like with IE lately) they still don't do anything unless the exploit is used by a lot of people.

  • by Satan Dumpling ( 656239 ) on Friday July 02, 2004 @01:03PM (#9593403) Homepage
    If you wanna test, this ebay page has the Scob virus... gory=48685&item=5705210428
  • Re:Yeah Right (Score:4, Informative)

    by sehryan ( 412731 ) on Friday July 02, 2004 @01:10PM (#9593478)
    NOAA has also told its employees to stop using IE. Unfortunately for us, though, Netscape 4.7 is the only other browser that is default installed (goes with the mail client), so now everyone is using that, and wondering why all the pages suddenly look like crap (we stopped designing for 4.7 a year ago). There was a rumor that we are being upgraded to NS7.2, but I have yet to hear any further details.
  • by cayenne8 ( 626475 ) on Friday July 02, 2004 @01:11PM (#9593495) Homepage Journal
    "Doesn't the click-wrap license agreement stipulate that you agree to "indemnify and hold harmless" (or however it's phrased) Microsoft, such that you don't have recourse to lawsuit?"

    Yeah, but, wasn't it just a few weeks ago, that a company got out of legal problems involved with privacy (an airline?), because they argued that most of the plantiffs probably did not read the privacy statement they clicked to agree with....and therefore it wasn't binding.

    Well, if that works in reverse...just claim you never read those click through EULA's.....and therefore aren't bound by them...and so you can sue.

    Seems fair....?

  • by david_reese ( 460043 ) on Friday July 02, 2004 @01:13PM (#9593519)
    * Valenti gets the boot.

    Sure, but he's been replaced by another DRM-lover. Trust me, there's no clue coming to the MPAA.

    * AU sets up a free CA.

    Ok, I'll agree with you about this bit of good news... once I see it in IE's default CA list.

    * European software patents are being rejected.

    Wrong. The Dutch reversed their vote. This does not *yet* invalidate them, although it is a good start... keep the pressure up on your EU representatives!
  • by SpaceCadetTrav ( 641261 ) on Friday July 02, 2004 @01:16PM (#9593548) Homepage
    This patch disables ADODB.Stream, which should eliminate any vulnerability. You can download it here: 669 []
  • by Anonymous Coward on Friday July 02, 2004 @01:17PM (#9593562)
    The real question is "can you read?"

    On the mozilla ActiveX plugin* it clearly says:
    "which can be a security risk"

    How much more handholding do you want Mozilla to do? Do you want the developers to look over your shoulder and tell you whether each individual page is safe or not.

    You have to download and manually install a plugin marked dangerous to make Mozilla vulnerable!

  • by Beryllium Sphere(tm) ( 193358 ) on Friday July 02, 2004 @01:25PM (#9593641) Homepage Journal says in boldface "Use a different web browser".

    I don't think the media misreported that.
  • The problem is that OEMs are not free to change the browser. If you are a Microsoft OEM, you CANNOT replace IE at all. This is the root of the problem. Computers are bought as a package deal from OEMs, and Microsoft has prevented OEMs from including competitive software in the default installs.
  • Yes there is good reasons to have Java/ActiveX on a web page. E.g. on an internal private network, where you have trusted users and want things like signature pads uploading signatures to a database. Or how about on a public network, there is a wonderful tool to trace a route with a cool picture of the globe (but this is done without violating network security).

    With Java you have to actively accept the dismantling of security, if someone clicks yes to trusting an unknown source then they will get an ugly lesson in trusted computing. With ActiveX it comes out of the box with no security and one has to actively enable security. Given the majority of home users are never going to do this, and the majority are using Windows, a massive ripe resource for worms/viruses/spammers exist. Active X suffers from fundamental security flaws, and is going to cost Microsoft a lot to fix the damage to reputation and loss of customers.

  • by bheerssen ( 534014 ) <> on Friday July 02, 2004 @01:53PM (#9593974)
    I'd like to take this opportunity to point out something that is obvious, yet not often commented on.

    All of these programs suffer from the same vulnerabilities, namely those that affect the Internet Explorer rendering engine. Any program that uses this redering engine is at risk of all sorts of nasty exploits. These programs include MSIE, Outlook, Outlook Express, Windows Explorer (really MSIE with a different skin) and any application that embeds the MSIE rendering engine.

    The problem, of course, is that Microsoft broke one of the fundamental rules applying to internet security when it allowed this rendering engine to execute remote code locally with all the privileges of the user running the program. In some cases, it even allows remote exploits to be run under system privileges. The chief vehicle for this ability is ActiveX, but there are other ways. This was done in the name of convenience and presentation with little to no concern for the privacy and security of their customers. To make matters worse, it was done in such a way as to be completely transparent to the user, such that the user often has no idea that a compromise occurred.

    When you compare that to the operation of other browsers (none of which take this bone-headed approach), it is small wonder that Microsoft is held in such low esteem by internet engineers and programmers alike.
  • by Just Some Guy ( 3352 ) <> on Friday July 02, 2004 @02:13PM (#9594168) Homepage Journal
    Ironically, it doesn't display Slashdot right sometimes, either.

    Slashcode spits out incredibly bad HTML. Don't take my word for it - paste the source into a validator sometime to see for yourself. Given that, it's not meaningful to say that any given browser "doesn't display Slashdot right" since there's no clear answer to how it's supposed to appear.

    Slashdot's a great site, but noone's ever praised it for the beautiful HTML. It's just kind of one of those things.

  • by 1010011010 ( 53039 ) on Friday July 02, 2004 @02:21PM (#9594241) Homepage

    the second richest man in the world, Warren Buffett, has thrown his weight behind the [Kerry] campaign.

    Would ya look at that... the super-rich backing their home boy. Of course, eight of the 10 richest Senators are also Democrats...

    They must be the "party of money."
  • by YetAnotherDave ( 159442 ) on Friday July 02, 2004 @04:42PM (#9595532)
    Howto - Browser version control with the Squid HTTP cache

    googled for 'squid user-agent' - result # 23 or so.

    I haven't tested this, please reply to this thread with your results
  • How to disable IE (Score:3, Informative)

    by gilgongo ( 57446 ) on Friday July 02, 2004 @05:18PM (#9595820) Homepage Journal
    I got the following batch files off the net somewhere, and it seems to work for Win2K and probably XP. To disable IE, run:

    @echo off
    cd "\Program Files\Internet Explorer"
    if not exist IEXPLORE.EXE goto End
    if exist IEXPLORE.EX_ del IEXPLORE.EX_
    if not exist IEXPLORE.DIR md IEXPLORE.DIR
    if not exist IEXPLORE.DIR goto End
    attrib -r -h -s IEXPLORE.EXE
    if exist IEXPLORE.EXE goto End
    echo IE disabled.
    echo If prompted, click "Cancel" then "Yes" on File Protection restore.
    echo Run enable-ie.bat to allow IE to run again. :End

    It still runs if you put a URL into a window bar though, but if your alternative browser is the default browser then it'll launch for everything else.

    To re-enable Bill's little helper:

    @echo off
    cd "\Program Files\Internet Explorer"
    if not exist IEXPLORE.EX_ goto End
    if not exist IEXPLORE.EXE goto Activate
    attrib -r -h -s IEXPLORE.EXE
    if exist IEXPLORE.EXE del IEXPLORE.EXE :Activate
    echo IE enabled. :End

  • That is not what they are talking about. Internet Explorer allows you to embed IE inside of another application. You can even put a different name on the taskbar and call it another application, even with your own icon. In theory, some scam artist could write their own "web browser" in about 15 minutes. The problem here is that you really are using Internet Explorer, even if you are claiming to be some other application.

    More often this is used in applications like AOL (IE is the default browser in AOL), where they use this ActiveX component to display web content. I think AOL uses their own e-mail system, however. You can also see this in the Real Player application, again if they are going to display web content instead of playing music or an audio/video clip. (Try this if you have Real Player.) Other application also use this, in things like About boxes or even a cool splash screen when you start an application. Sometimes they even do full TCP/IP http requests for content, including machine-specific data. A good security hole if I ever heard of one, and a cheap and easy spy app as well.

    Mozilla does not use the I.E. rendering engine... they have their very own, so they don't need it. A while back it was a common task for CS instructors to assign students to make their own HTML rendering engine. I wrote one myself just to see if it could be done. Not a beginner task, but still something well within the capabilities of any recent CS college graduate (if they actually taught you anything).
  • Basically... (Score:3, Informative)

    by Svartalf ( 2997 ) on Friday July 02, 2004 @08:58PM (#9597096) Homepage
    They're redirecting all the common worm and trojan exploit attempts for IIS to MS' website. Nice.
  • by Anonymous Coward on Saturday July 03, 2004 @11:50PM (#9603780)
    I work in the IT industry as a system/network administrator at a large hospital during the day and I do part time work at night and on the weekends doing internet installs for the local ASDL, FTTH and Cable internet service providers.

    The hospital I work at has a "good" security section with proxy, firewall, SMS server, intrustion detection all the gee-wiz-bang security tools that you would expect an organization lible to the tune of $25k per privacy violation (thanks to HIPPA) to have. Still, I have to deal, on a daily basis, with computers that have spyware installed on them. Not only that, but when the Blaster worm hit (and remember, we had all these security tools prior to its arrival), it still managed to wriggle its way on to our network and in less than 5 minutes infecting every vulnerable computer. My standard response to reimage any desktop that is found with spyware, virus or worm as a matter of policy. For instances of Spyware, I consider this to be punishment for the miscreadent behind the keyboard (very likely a "smart" person with a PhD or MD). The other, non-user initiated instances, we are currently looking at PXE booting our Windoze desktops from solid, known-good image each and every time the user starts up their desktop. We have a gigabit backbone, so we can get away with this. I think the long term decision that needs to be made, however, is to remove windows from the equation entirely.

    Now, on to that part-time moonlighting gig. First, I decided to do this to get a better understanding of how users operate at home vice work (with the hope that it would lead to some insight about why things go wrong at work). Second, the pay was good if done right. I discovered that home users are completely insane with regard to security. About 10% to 15% of the user's desktops I encounter have IE so comletely dorked up beyond recognition as a functioning browser that I *MUST* manually download mozilla from the command prompt to get the user through the web based section of the sign-up process. Another +30% of the users have marginally functioning browsers with fairly benign malware (pop-ups, web page redirection, unwanted browser plug-ins, lowered volume modem dialing scamware, etc.). I have a time limit on my installs (user needs to be signed up within at least 20 minutes or else it's not economically worth my while to be out there); so, I usually point them at before I leave. There is a certain large percentage to users (say between 3% to 5%) who's computers are so throughly fscked that I will just walk away from the install after demonstrating, with my laptop, that their internet connection works, but their windoze computer doesn't. To these poor, unfortunate folks, I hand them a live CD distro before I leave.

    If you do the math, over half of home Windows users are fscked to some degree. Now I understand why call centers are being farmed out to India. It just simply isn't a matter of cheaper labor; it's actually an economic necessity in light of Windows market share.

    I think that Microsoft, in its desperation to "get" the internet, made some really bad design and business decisions that will end up truly demonstraiting that they didn't "get" the internet at all.

    The other half of the equation, which has not been tested, is the curse of market share. It will be very interesting to see, over time as the Open Source market share starts to re-take the browser and over take the desktop, how the open source community patches and updates flawed software (fortunately, Microsoft has demonstraited some good ideas that didn't work; maybe, with a little luck, the Open Source community will learn from these mistakes and either correct the fundamental flaw(s) or build something better). Regardless of all the drivle that comes out of Open Source advocates' mouthes, this will be the single feature that defines the difference between Open Source and Microsoft.

Did you hear that two rabbits escaped from the zoo and so far they have only recaptured 116 of them?