Dept. of Homeland Security Says to Stop Using IE (1069 comments)

LWATCDR writes "I have been saying this for a long time but now it is official. From Yahoo News: 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."
This discussion has been archived. No new comments can be posted.

  • Its About time (Score:5, Interesting)

    by arieswind ( 789699 ) * on Friday July 02, 2004 @11:51AM (#9592468) Homepage
    Hooray for the Department of Homeland Security! LWATCDR is not the only person that has been saying "get off of IE" for a long time.

    Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put FireFox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.

    It really says something for how widespread this news is. If I was MicroSoft, I would be scared at this point.
  • Great News (Score:5, Interesting)

    by devphaeton ( 695736 ) on Friday July 02, 2004 @11:53AM (#9592487)
    "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."

    I hope that this also translates into a large spike of donations to the mozilla organization. Firefox and T-bird are teh moh scheezi, and i started using mozilla years ago.

    I've donated about $150 over the years, how bout y'all?
  • by garcia ( 6573 ) * on Friday July 02, 2004 @11:58AM (#9592534)
    Real standards implementation is worthless in a world where people don't follow them.
  • Yeah Right (Score:5, Interesting)

    by BigDork1001 ( 683341 ) on Friday July 02, 2004 @11:58AM (#9592543) Homepage
    Homeland Security says to stop using IE but in the Air Force we're still using it and I haven't heard any plans to switch to something else. It's good to know that the DoD is listening to the security measures of the other departments.
  • Kinda funny... (Score:5, Interesting)

    by devphaeton ( 695736 ) on Friday July 02, 2004 @12:00PM (#9592560)
    Not 4 months ago MSN.com (obviously slanted) was trumpeting around "BROWSER WAR IS OVER!!!" and proclaiming that IE was the clear victor (though they never gave the conditions that made it a victor, they just sensationalized and re-iterated the same shit over and over in different wording in True Fox News Style(tm))

    MS to "win the browser war" just in time to have their browser shot down every time they turn.

    They had better wake up to this, too... These days, "internet" is about 85% of what computing is about. MS with all their attempts to blur the lines between your computer and the internet, and their flagship web application is poo.
  • by 2Flower ( 216318 ) on Friday July 02, 2004 @12:02PM (#9592594) Homepage
    I've been interested in switching browsers for awhile now -- particularly since my windows is borked and despite owning it legitimately (won in a contest) it thinks it's pirated and refuses to get any IE security patches.

    But a few confusion points are holding me back. Likely holding back a lot of folks who might switch, so if you know, dive in and lay down some evidence...

    1. Which of the two browsers is simpler / less bulky, Mozilla, or Firefox? I don't want something slow loading, bloated with features, and overcomplicated. You know, IE.

    2. Can either of them merge with Windows the way IE does? Running URLs from the Run box, for instance. I don't want to accidentally launch IE by the old methods.

    3. Does Mozilla still have that stupid "download manager"? How do I turn it off? Every time I wanted to save a file that thing would pop up when I just wanted the simple windows of an IE download that go away when done.

    Obviously, I am t3h n00b. But that means I'm the audience you need to sell on the idea of ditching Microsoft the most -- and I plan to pass it on to friends, coworkers, etc.
  • by chia_monkey ( 593501 ) on Friday July 02, 2004 @12:03PM (#9592611) Journal
    Yeah...monopolies are great! See...you can um, build a browser that doesn't really follow any w3c standards. But since you're a monopoly, it doesn't matter and it forces everyone to code for your browser instead of by the standards. And then...you don't have to worry about that pesky competition and the innovation that is created by competition. That silly innovation could lead to very secure browsers all around.

    Oh wait...now it's all tumbling down. Who would have guessed being a monopoly and then not even following any standards but marching to the beat of your own drum would end up hurting you?

    Yet...I still wonder how this will affect Microsoft. Do they even care?
  • by LostCluster ( 625375 ) * on Friday July 02, 2004 @12:05PM (#9592634)
    Not really. This is the original source document... [networks.org]

    Notice that it's the Department of Homeland Security seal at the top of the document. For our purposes, CERT is a subset of DoHS... it's just that the media is now picking up on the more known name of the larger organization to bring the story to the masses.
  • Re:Its About time (Score:4, Interesting)

    by plj ( 673710 ) on Friday July 02, 2004 @12:05PM (#9592642)
    If I was MicroSoft, I would be scared at this point.

    Well, they are. According to Wired (emphasis mine):

    Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.

    "Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.


    In other words, Ballmer has probably already contacted Bush to remind him about the terms of his re-election campaign funding by MS...
  • Serious for MS (Score:5, Interesting)

    by Decaff ( 42676 ) on Friday July 02, 2004 @12:06PM (#9592650)
    This kind of thing could be serious for Microsoft. Their strategy is 'thick client' - the browser and other features are integrated into the operating system. If security issues remain while the browser becomes a fundamental part of future Windows use, they are in trouble.
  • Cert Advisory (Score:2, Interesting)

    by Anonymous Coward on Friday July 02, 2004 @12:09PM (#9592685)
    The CERT advisory specifies: "Such a decision (remove IE) may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX."

    OK, translation, less popup, less flashing colors, less annoying mouse cursor with trailing text, and no more auto-install of spyware. hmmm, I don't see a problem here.
  • This is great (Score:3, Interesting)

    by EnglishTim ( 9662 ) on Friday July 02, 2004 @12:13PM (#9592744)
    I've now moved my family over from IE to Firefox - before I wouldn't really have been able to do it as they would have complained when something didn't work the same, but now I have a great reason (stopping our computers getting compromised), and they're all behind it.

    My daughters actually prefer it now - citing the way that they don't get pop-up ads any more.

    It's good - I think by the time Microsoft come out with a patch they'll be so used to Firefox they won't want to go back to IE.
  • by GuyMannDude ( 574364 ) on Friday July 02, 2004 @12:13PM (#9592745) Journal

    Hooray for the Department of Homeland Security!

    This is the same Homeland Security that advised Americans to duct tape their windows to safeguard against a biological or chemical attack, no? I'm not sure they are really all that well-regarded by anyone with half a brain anymore. I would have been a lot happier to see some other organization -- one with more credibility -- come out with this warning.

    Now the pressure is on Microsoft to get their shit together and make IE more secure, or risk losing their commanding lead in the web browser department. Even my dad, who would rather not use a computer than have to start using different programs, has asked me to put FireFox on his system. And my dad's boss, who is quite possibly one of the most computer illiterate people in the world, has expressed interest to him in moving the whole office off of IE onto another browser.

    I'm not doubting what you are telling us, I would just caution against believing that this sudden urge to shore up their security is a long-term thing. First, people are lazy. They may say that they want to switch to a different browser, or lose 10 pounds by the end of summer, but that doesn't mean they are going to put forth any effort to do so. And even if they do make the switch to another browser, there are so many webpages that are "optimized for IE" (i.e., won't render correctly with any other web browser) that I suspect many of those will switch back.

    It really says something for how widespread this news is. If I was MicroSoft, I would be scared at this point.

    I suspect MS is more "irked" right now than scared. I think it's too early to tell whether this story has any "legs". I strongly suspect that it's going to last for a few days and then will fall off the map. Microsoft has survived bigger problems in the past with no lasting effects. I'm really doubtful that this will have any measurable impact on them in the long term.

    Call me a pessimist, but that's how I see this one.

    GMD

  • by devphaeton ( 695736 ) on Friday July 02, 2004 @12:18PM (#9592809)
    Netcraft confirmed in a report today that the beleaguered Pop-Up Advertisement industry is citing Mozilla and Firefox as the driving force that has snuffed out their livelihood and threatens to drive them into extinction....

    (c'mon, someone else can do this better than me) :-D

    In other news.... when parasites and popups are no longer possible, what sorts of nefarious crap will the nefarious-mongers do next?
  • by fermion ( 181285 ) on Friday July 02, 2004 @12:23PM (#9592875) Homepage Journal
    The fact that the most popular browser is broken and MS does not want to fix it is a result of two factors. First, MS was allowed to become and stay a monopoly, and therefore not subject to the normal free market forces. Second, the computer industry was allowed to put forth this fiction of not being responsible for the incompetent design of their products, and therefore not subject to the litigation that has protected the American public from predatory corporate practices.

    I do not for a second believe that there is anything in IE that could not be fixed. However, MS has continued to refuse to implement even the simple stuff, like pop-up blockers. And there is no reason why they should. The view from the bottom line dictates to spend only that money needed to keep market share and profits. Therefore it is very reasonable to give deep discounts to institutional customers, but would be silly to waste money on improving the product merely to meet end user needs, especially when those changes could negatively impact profit in other areas.

    We all need a kick in the ass to become responsible. MS has never received that kick, so all its design decisions, like the deep integration between the kernel and services, between data and presentation, arbitrary changes in protocols and standards, are geared to protect market share rather than customer service.

    The admonishing to stop using IE, or modify the defaults to make it more secure, are not practical. To protect market share MS has encouraged Industry, Government, and Academia to use those very features that endanger the user. To redesign those web sites to work with other browsers, if at all possible, would require massive efforts. Efforts that likely would not find sufficient funding.

    Make no mistake. This is a result of irresponsible behavior of a person or group of persons that prize money over all else. These problems have been known for a long time. There has been plenty of time for MS to design IE properly. There has been plenty of time for Windows to be designed properly. In fact they completely squandered the opportunity to make NT better, and then implement the better OS into the consumer version. MS could have worked on open standards that would let all browsers work instead of pushing IE only sites. Instead they chose the side of evil.

  • by callipygian-showsyst ( 631222 ) on Friday July 02, 2004 @12:28PM (#9592938) Homepage
    I can't imagine why Microsoft [microsoft.com] doesn't immediately release a "patch" that resets the settings in IE to make it more secure.

    I've switched to Firefox [robert.to] (and Thunderbird!), but it seems to me that it's possible to go into IE preferences, disable cross-domain frames, JavaScript, and ActiveX controls, and come up with something that's pretty safe, and roughly comparable to Mozilla.

    I'm a big Microsoft fan, but their reaction to these latest attacks against them has me confused.

  • by Saeed al-Sahaf ( 665390 ) on Friday July 02, 2004 @12:29PM (#9592955) Homepage
    I think it's interesting (and I really don't know what to make of it) that this has created almost no buzz at all in the mainstream media. One would think that a recommendation from CERT might raise some news outlets' eyebrows, but nary a word in most papers, on most news. The related story at CNN leads one to believe that the main issue with the latest Trojan is IIS, with IE just a minor player. Fox had nothing as of this morning, and of course here in Microsoft Land (Seattle), the papers wouldn't dare besmirch the Sacred Cow that is MS.

    Sorry to say, until the big 2 (Fox News / CNN) and the evening news picks this up, it's just more of the same: a bunch of techies preaching to the choir.

  • by bratboy ( 649043 ) on Friday July 02, 2004 @12:29PM (#9592963) Homepage
    my question is, if 1) there's no patch yet for IIS servers to defend against the attack, and 2) the microsoft update servers are all IIS, then how can we know that microsoft update hasn't been hacked? hmm? (oh the humanity!)
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Friday July 02, 2004 @12:31PM (#9592987)
    Comment removed based on user account deletion
  • by Anonymous Coward on Friday July 02, 2004 @12:32PM (#9592988)
    I love the Firefox, have been using it since Phoenix days... It's a great browser, and I've gotten a few of my friends to switch, especially when seeing the browsing features, let alone the security advantages, of which, I confess, I know little about. It's one of those "well, this is more secure, so use it."

    But the thing is, now that more people are flocking to it, Firefox could become a target. The script kiddies will start looking for flaws in Firefox and attempting to exploit them. I mean, why go to the trouble of writing any type of malicious code unless you're going to impact the greatest number of users?

    I'm not saying that Firefox has many, if any, known security issues (too lazy to research that right now), but if they're out there, they're sure to get exploited once it becomes attractive to do so.

    I know that there are many /.ers that can school me on the finer points of Firefox security, so please, explain its security advantages in layman's terms, and how they can remain secure from a determined hacker.

    Thanks in advance.
  • by apoplectic ( 711437 ) on Friday July 02, 2004 @12:32PM (#9592999)
    Can't these people simply disable the ActiveX functionality in IE in the Security settings? Is this REALLY that much harder than downloading and installing a new browser?!
  • Schare said the Windows XP Service Pack 2 with Advanced Security Technologies, expected to be released later this summer, will deliver improved security infrastructure that will help reduce a PC's vulnerability to certain types of attacks.

    You can almost see the little TM symbol next to the Advanced Security Technologies, reassuring us that Microsoft is busily developing corporate-speak acronyms to protect our systems.

    Of course my experience using and supporting products with the "improved security" underlying those acronyms is that I get nagged all the time about apparent bugs that are actually "features." Outlook Express and Outlook, for example, protect users from attachments that could be harmful by ... (drumroll) ... hiding the attachments. What moron decided that was a good idea? I guess the calls to the help desk saying "Everyone else got that attachment except me" help keep me at work, but I'm still not impressed. And my boss can't sync his Palm with Outlook without being warned that an external program is trying to access his address book. Microsoft omitted the "allow this particular program to do this and never pester me about it again" button, so I get complaints about this "feature" every couple months.

    While Microsoft now tries to clean up this mess by asking CERT to "rephrase" their warning (wait a couple days - they will), I'll keep suggesting my users switch away from their products. It's been a good solution so far.

  • Re:This just means.. (Score:3, Interesting)

    by quantaman ( 517394 ) on Friday July 02, 2004 @12:38PM (#9593058)
    ..that the hackers will start targeting Mozilla/FireFox now as it might become the dominant browser out there.

    They will always target the browser having the most user base as the probability of exploit becoming successful increases.

    Except in this case Mozilla/FireFox is inarguably more secure with the default install, key quotes from the article (from a mozilla guy I believe but they're still accurate).

    Mozilla's Hofmann agreed that ActiveX is only part of the story, pointing also to IE's tight integration into the Windows operating system, and differences in IE and Mozilla's default security settings and architecture as other reasons why Mozilla browsers are more secure.

    "Tight integration of the browser with the operating system provides some convenience and power for Windows developers and users, but has also been a continuing source that allows malicious hackers to leverage that same convenience and power for their exploits," said Hofmann.


    If 90% of people used moz instead of IE a heck of a lot less people would be getting hacked.
  • by mi ( 197448 ) <slashdot-2025q2@virtual-estates.net> on Friday July 02, 2004 @12:39PM (#9593073) Homepage Journal
    Instructed the internal webmaster team to ignore all other browsers -- to save valuable time and effort, of course. Which -- since they use Microsoft web tools only -- instantly led to the whole intranet web-site becoming dysfunctional in Mozilla, Konqueror, and Opera.

    I objected and got called "Ayatollah of web-compliance" :-)

  • Re:Of course (Score:4, Interesting)

    by bmongar ( 230600 ) on Friday July 02, 2004 @12:41PM (#9593093)
    Some folks at microsoft recommend [msn.com] firefox. Ok slate isn't directly microsoft but it is an msn publication.
  • by slackerboy ( 73121 ) on Friday July 02, 2004 @12:42PM (#9593107)
    the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers

    I'm sure the spike in downloads has absolutely nothing to do with the recent release of new versions of Firefox & Thunderbird [slashdot.org]...
  • by tsarin ( 217882 ) on Friday July 02, 2004 @12:42PM (#9593111)
    Doesn't the click-wrap license agreement stipulate that you agree to "indemnify and hold harmless" (or however it's phrased) Microsoft, such that you don't have recourse to lawsuit? IANAL, but that's my reading of it.

    Leaving aside whether or not click-wrap licenses are actually enforceable, I suggest that all the folks who aren't using any MS products at all (myself included) -- and as such haven't agreed to any such nonsense -- band together to join a class action suit against them. Whether it's for all the time we're stuck burning, having to fix the Windows PCs our friends, family, &c constantly need fixed, network outages caused by virii that use Windows exploits as a vector (my ISP [cable] was more or less buried under the overload in traffic from MyDoom and Welchia or whatever they were called, to the point that their only recourse was turning off infected users' connections).

    Does "people who don't use a product but are still inconvenienced, put out and may even have suffered financial loss (as did a friend of mine when our ISP choked on virus traffic) because of its foreseeable and preventable problems" constitute a class?

  • by fscmj ( 757942 ) on Friday July 02, 2004 @12:52PM (#9593254)
    I have had this same problem as well but it hasn't been limited to Firefox. Netscape has shown similar issues. Problems haven't been limited to my windows box at work either. At home I run Mac OS X and firefox has problems there as well. Safari seems to do fine. At work I have resorted to (ironically) using IE for all my slashdot viewing and Firefox for everything else because of it.
  • by Anonymous Coward on Friday July 02, 2004 @12:53PM (#9593270)
    There's a thread on the Proxomitron (Yahoo) mailing list about creating a filter set that deals with all known exploits.

    Proxomitron (unsupported, source not available) is a web proxy that has a very extensive "regex" language for changing HTML on the fly. It's mostly used for ad blocking, but you can do just about anything with it. The reason I put "regex" in quotes is that the language was tuned quite extensively for handling real world HTML. As such, it's really only useful to people that are willing to get down and dirty with another complicated special purpose language.

    On the other hand, that sounds like the Slashdot audience!

    John Roth
  • by guido1 ( 108876 ) on Friday July 02, 2004 @12:54PM (#9593285)
    "CERT's subsequent recommendation ... resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."

    I hate to ask, but didn't the CERT recommendation happen right around the same time as release of 0.9.1?

    Without sources I can't refute or support the Wired's article, but it provides no support of its conclusion itself...

  • by str8 ( 28028 ) on Friday July 02, 2004 @12:56PM (#9593301)
    As pointed out, IE & IIS and such are paid for. Another factor is that despite the weak remedy of the DOJ antitrust suit, MS was still found to be a monopoly. This puts them into a different class than most other software.

    Despite the click-wrap license which claims no liability, I think it would be easy to show the contrary and the class action is a good idea. MS is a for-profit company and as such their goal is to make money. They aren't going to write any code unless it affects the balance sheet. Time to make the exploits show up on the 10-Q.

    There's more truth in Dilbert than in Fahrenheit 9/11
  • by pipingguy ( 566974 ) on Friday July 02, 2004 @12:58PM (#9593335)

    Bunch of bumbling fubars

    Doesn't this describe the entire rush to computerization and PHB's reliance on it?

    I've decided to keep my knowledge of how to draw manually and design things, just in case.

    It is amazing how "engineering" has been transformed over the past 20 years. The computer crowd has bastardized the term to mean something which it is not.

    But never fear, we'll eventually get it right. Right?
  • by Anonymous Coward on Friday July 02, 2004 @01:00PM (#9593354)
    for my aunt... i just redirected the Internet Explorer link to Mozilla, changed moz around a lil to make it look as much like IE as possible, & changed its icon to the big blue E.

    she has yet to notice the difference.
  • Large Spike? (Score:2, Interesting)

    by Riturno ( 671917 ) on Friday July 02, 2004 @01:00PM (#9593359)
    How much of this "large spike in downloads" was from downloading the recently released 0.9.1? While certainly downloads have increased, I'd like to know what amount is new users versus old users downloading the new release.
  • Migration. (Score:3, Interesting)

    by DJTodd242 ( 560481 ) on Friday July 02, 2004 @01:00PM (#9593361) Homepage
    I made the switch last night myself. Moved from a hodgepodge of using Mozilla's mail/news client to Thunderbird, and from IE to Firefox. Why? Because I got tired of pop-ups defeating the Google toolbar, and I figured the individual packages would get updated more often.

    The Firefox move was painless, and I'm not missing IE.

    Whoever decided to skip any sort of wizard to migrate Mozilla mail to Thunderbird has made a mistake. That was *not* painless, and the average user is going to balk at editing text files.
  • Re:switch (Score:2, Interesting)

    by Optic7 ( 688717 ) on Friday July 02, 2004 @01:01PM (#9593364)
    I have used it. I love it and prefer it as my main browser, but it is not stable. I have not tried the 0.9x versions yet, but on 0.6, 0.7, and 0.8 on two different loads of Windows (first 2000 and then XP), the thing often just disappears from my screen without so much as a warning, error, or anything. Just poof! Gone!

    I understand from some of the reviews that 0.9 might have fixed this though...
  • by Anonymous Coward on Friday July 02, 2004 @01:07PM (#9593448)
    Yeah I know this should be an "Ask Slashdot" question, but I figured I might hijack this thread and get lucky for some tech help :-)

    I run a Squid proxy server for my company. My boss wants me to configure the proxy to limit which browsers can go thru the Squid to reach out on the Internet. We have several internal Intranet web apps which must use IE6 so the order has come down from management to have both Firefox and IE6 installed on everyone's workstations and for the users to use IE for only internal apps and Firefox for surfing the public Internet. The only problem is that the users will not comply. They know how to configure the proxy settings in the browser and keep using IE to access external sites. Anybody know how I can configure the Squid proxy to detect what browser the user has and allow Firefox yet block IE from accessing the outside web? I've been googling for the past half day trying to find a solution and so far come up dry. Anybody know if this is even possible with Squid?
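
One way to express the policy asked about in the comment above, as an added example that is not part of the original thread: Squid's `browser` ACL type matches a regular expression against the request's User-Agent header. The address range and the intranet domain below are placeholders, and because the header is set by the client, this steers default-configured browsers rather than stopping a user who changes it.

```conf
# squid.conf fragment (added example; addresses and domain are placeholders)

# Workstations that are allowed to use the proxy (assumed internal range).
acl office_lan src 192.168.0.0/16

# Internal web applications that still require IE6 (hypothetical domain).
acl intranet dstdomain .intranet.example

# "browser" ACLs are regex matches on the User-Agent request header.
# IE identifies itself with a string such as
#   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
# while Firefox sends a Gecko/Firefox string that does not contain "MSIE".
acl ie_ua browser -i MSIE

# http_access rules are evaluated top to bottom; the first match wins.

# 1. Any browser on the LAN may reach the internal apps through the proxy.
http_access allow office_lan intranet

# 2. Requests that identify as IE are refused for every other destination.
http_access deny ie_ua

# 3. Remaining LAN requests (Firefox and others) may reach the Internet.
http_access allow office_lan

# 4. Nothing else is permitted.
http_access deny all
```
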
  • Reality Check (Score:4, Interesting)

    by bonaman_24 ( 790196 ) on Friday July 02, 2004 @01:08PM (#9593463)
    Does anybody realize just how hard it is to make people change their browser or OS? I work in IT and almost no one has even heard of Firefox. Only one (besides me) has it installed...and we are IT. This is not the end of anything for the evil empire, this CERT notification won't move M$ market share of browsers by more than 1%. And since the overwhelming majority run IE, we will all still have to have IE just to be able to continuously repair and troubleshoot it. Sorry for the reality check, but end-users are skeptical about any change, unless they feel 100% sure they will gain much, lose little. People say this is the end of the empire, but most people who run Linux and OS X have a Windows PC also.
  • by gwoodrow ( 753388 ) on Friday July 02, 2004 @01:32PM (#9593723)
    Did anyone else notice this tidbit in the article:

    Gary Schare, director of the Windows Client Division at Microsoft, said that CERT's advice had been misrepresented in much of the press coverage.

    "Microsoft certainly respects the work CERT does to help protect the Internet and users. Regarding the consideration that users switch browsers, it is unfortunate that the published articles have misrepresented CERT's suggestions, and we are working with CERT to clarify their advice," Schare said.


    My jaw just dropped open. How are the reports misrepresenting CERT's statements? Get a new web browser can mean only one thing - GET A NEW FRICKIN' WEB BROWSER! How could that possibly be "misrepresented"?

    It's basic English - we use it every day! Are you honestly working with computers while not knowing ordinary conversational language? Perhaps we need to tell Microsoft what the definition of IS is.

    But in my mind I can see a Microsoft lackey going - "No, no, no, what they really meant was get a new blouse. Um, CERT doesn't like turquoise tops.... uh, yeah that's what they meant."

    I don't know what's more pathetic - the fact that Microsoft is trying to accuse others of misrepresenting them, or the fact that many people will believe them and just stick with IE.

    Ugh it just disgusts me how blatant and open they are about their lies and coverups. It makes me feel dirty just to see the little IE icon up on slashdot now.

    But I'll tell you one thing - people who work for Microsoft certainly must be gearing up for very successful careers in politics.
  • by AstroDrabb ( 534369 ) * on Friday July 02, 2004 @01:32PM (#9593727)
    Apache and sendmail can be acquired for zero cost. If one could (legally) get MS Windows XP with IE for zero cost as well, then it would be in the same boat as Apache/sendmail. However, I know that if I spend money on a product, I expect that product to live up to its claimed specifications. Just because MS (and other commercial companies) put crap in their EULA, doesn't mean that those EULA are legal in court and that those commercial companies are not liable due to negligence.

    Imagine if you purchased a car from Ford and Ford knew that the brakes had problems and needed to be replaced. However, Ford did not tell you about the brakes and chose not to do a recall because that information is corporate "IP". I am sure you (and many others) would have a case against Ford for negligence if you were in an accident.

    This is no different than the MS situation. MS has access to their code "IP" and are aware of tons of security problems since MS as a company have not taken security seriously until the last two years or so. However, they are keeping that information from end-users because it is their "IP" and the end-users suffer from it. These problems have cost MS customers billions of dollars in recovery and prevention costs. Those costs you will never see in an MS funded TCO study.

  • Re:Its About time (Score:3, Interesting)

    by shotfeel ( 235240 ) on Friday July 02, 2004 @01:34PM (#9593741)
    I've been thinking this would be a good time for Apple to release that Safari for Windows that's been rumored to be in the works.

  • by Anonymous Coward on Friday July 02, 2004 @01:43PM (#9593867)
    You can just tell them Mozilla IS the fix. People seem to try to sell Mozilla as a replacement to IE, but it should be sold as a FIX for IE.
  • Re:Its About time (Score:2, Interesting)

    by 1gkn1ght ( 742286 ) on Friday July 02, 2004 @01:50PM (#9593942)
    She got the Trojan from IE, and the Trojan installed all that on her computer, every time I would get rid of it, then reboot, it would reinstall it.

    I used Sygate Firewall and when I had IE try and use the internet, I told Sygate to block all traffic from IE, and allow Mozilla.
  • Re:Reality Check (Score:5, Interesting)

    by kryptkpr ( 180196 ) on Friday July 02, 2004 @01:50PM (#9593946) Homepage
    Does anybody realize just how hard it is to make people change their browser or OS?

    Huh? I find it's really easy to make people switch.. the conversation goes something like this:

    Them: "Why is my computer running so slow? And Why do I have all these popups when I'm not doing anything?"
    Me: "Your system is infected with malware.. I will clean it"
    [an hour or so passes as Spybot and Adaware do their thing, and I do my thing with Toolbarcop]
    Them: "How do I keep this from happening again?"
    Me: "Internet Explorer is not secure. If you use it, this WILL happen again, and there is nothing you can do about it. Oh, and Russian Hackers will steal your passwords and credit cards. The only thing you can do is switch browsers to this new one called Firefox."
    Them: "What does it look like? Does it have a googlebar? Will my popup blocker still work?"
    Me: "Looks pretty much the same as IE, except Favorites are called Bookmarks."
    Them: "Bookmarks! I remember those from Netscape"
    Me: "You'll feel right at home then. Google search and pop-up blocker are built into the browser"
    Them: "Sign me up!"
    [I set IE to high security, add windowsupdate to trusted sites, and install Firefox making it default browser. Remove all IE icons, put Firefox icons in their place.]

    I've converted 5 people in the last week.

    I have 1 suggestion for the Firefox people: Bundle (or at least provide an installation page that opens when you first run the browser with links to install) Flash, Shockwave, and Java.. With those 3 things installed, there is no reason to open IE again.
  • The large vendors... (Score:2, Interesting)

    by Julia Cameron ( 616578 ) on Friday July 02, 2004 @02:25PM (#9594299) Journal
    First CERT, now Homeland Security. With the threat level so high, the large companies who build the PCs that the average users buy, companies like Dell, Gateway, and Compaq, should immediately begin to load Mozilla and Firefox onto their systems. It's criminal to sell a system with such shoogly software to people who, even if they have heard about the serious security problems with IE, haven't a clue how to go about making their systems more secure, beyond updating the service packs and running an anti-virus programme.

    It's so easy for us to lose sight of the fact that, for most people, computers are work tools. People who use them shouldn't have to be constantly on the lookout for problems, simply because the bampots at Microsoft can't be arsed to write decent code. At least, let the companies who sell people their systems add a more secure e-mail client and browser.

  • Re:Its About time (Score:3, Interesting)

    by AstroDrabb ( 534369 ) * on Friday July 02, 2004 @02:25PM (#9594300)
    Holy smokes batman! I don't know if anyone else read this article [securityfocus.com], however it says that IE has had 153 holes since 18 April 2001, and 6 this month alone! I knew IE was bad, but that is not even acceptable.
  • Re:Capitolism (Score:4, Interesting)

    by jedidiah ( 1196 ) on Friday July 02, 2004 @03:09PM (#9594681) Homepage
    That still doesn't address previous damages. Fleeing to another product only prevents FUTURE damages. A harm has still been done. Harm will likely continue to be perpetrated until the careless party is made to be accountable.

    Individuals are subjected to the "Crime and Punishment" mentality, corporate persons should be given no special treatment in this regard.
  • by niittyniemi ( 740307 ) on Friday July 02, 2004 @03:10PM (#9594690) Homepage


    > THIS SOFTWARE IS PROVIDED "AS-IS" WITHOUT ANY WARRANTIES....

    In this country (UK) the EULA isn't worth the paper it's written on. All goods have to be "fit for purpose".

    The EULA is a grossly misleading document when it comes to informing you of your rights with regards to the software you have bought. MS should be told by a court to remove it, or the worthless statements that are contained therein (wouldn't leave much of the EULA though).

    I can't see how XP is currently fit for purpose. Stick it on the 'net and you get infected in pretty short order. Most reputable businesses give you stuff that is fit for purpose but MS have made a habit of selling software that isn't. Nice if you've got a monopoly isn't it?

    My guess is that MS haven't fallen foul of consumer law yet because:

    - they've got an army of lawyers (more than coders)

    - they've got deep pockets

    - they play the buck passing game: "The OEM sold you the software".

    - they can argue in court that equivalent commercial software is garbage too.

    The OEMs don't dare complain to MS about it, remember that Judge Jackson found that the cost of MS softs went up for OEMs that caused "trouble" for MS.

    One day though somebody will take them to court and they'll get buried. Good job too, I hate companies that rip off their customers whilst simultaneously advertising how wonderful their software is - certainly not from a security POV.

    I thought Ralph Nader had set himself up as the consumer's champion in the states. He's turned politician now but I would have thought a fight with MS might win him a few votes (put him in the public eye if nothing else).

  • by Phragmen-Lindelof ( 246056 ) on Friday July 02, 2004 @03:11PM (#9594704)
    "My impression is that the stuff being forced onto the Linux desktop is as huge of a bloated and hacked mess as anything coming out of Redmond,"
    Where do you get this impression? With Linux, you have lots of choices. If you like KDE (as I do), you may have larger files; however, I do not find my desktop to be "a bloated and hacked mess." If you want to save hard drive space, use a smaller desktop or use Knoppix [knoppix.net]. Linux is about allowing you to configure your computer the way you want it. I find that I like gentoo [gentoo.org] a great deal.
    I believe you are misinformed about Linux. If you have specific examples of bloated and hacked desktop applications on Linux, I am curious to hear about them.
  • by Shannon Love ( 705240 ) on Friday July 02, 2004 @03:23PM (#9594816) Homepage
    Even though the software is provided "as-is" and one cannot sue if it fails in any way, I think a case could be made for suing on the basis of malpractice. Malpractice means "bad practice" and the concept differs significantly from product warranty. Doctors, lawyers, accountants and other similar professionals are sued based not on outcome but on the methods and procedures they followed to reach that outcome. A doctor is not contractually obligated to cure you nor a lawyer obligated to win your case but they are obligated to follow broadly accepted standards of method and procedure. If they do not and a negative outcome occurs they can then be held liable. No other standard is possible as no doctor can guarantee a cure nor a lawyer a victory in court. Similarly, no software provider can guarantee that their products are free of bugs or other defects. Too much of the actual process of running software lies outside the control of any single provider. Software providers can't predict how their product will fare until it actually meets the real world. But software providers could be legally required to follow standard practices of design and development and be held accountable if they do not. Microsoft made conscious design decisions that opened up severe security holes in their products even though they were warned beforehand the problem would occur. They did so for marketing reasons even though every security expert warned at the time it was a bad practice. In short, MS needs to be held accountable not for the actual broken software they released but for the studied disregard for the basic "good practices" of secure reliable design that created the flawed software in the first place.
  • by Trepalium ( 109107 ) on Friday July 02, 2004 @03:45PM (#9594998)
    Oh, please. A managed runtime is not a magical security bullet. In the case of Internet Explorer here, these are not the buffer overflows, off-by-one or signedness errors that a managed runtime could ever protect against. These are simple security design errors. Microsoft wanted to show how great their IE engine was and implemented security zones so that local HTML-only applications could exist using the engine. They are being burned by this, now, as people find new ways to turn the higher security 'Internet Zone' into the lower security 'My Computer' or 'Trusted Sites' zones.

    Of all programming errors, buffer overflows, off-by-one, and signed mistakes are some of the easiest to spot and to fix. Other errors, like SQL injection, privilege separation, races and the dozens of other errors that can cause crashes, security vulnerabilities, or denial of service attacks, can not be protected against by a managed language because they're outside the scope of the language itself.

  • Re:Here's one (Score:3, Interesting)

    by Le Marteau ( 206396 ) on Friday July 02, 2004 @04:13PM (#9595279) Journal
    Technically yes, they had a choice, reasonably, no, there was little choice, and still not much.

    The real blame lies with those who told the unwashed that the Internet was a fine place for Gramma and the kiddies. The Internet is still like a digital ghetto, where one had either be street-wise or armed.

    It's kind of like getting pissed off because someone gets burned by fire, or drowned by water. It is the NATURE of fire to burn when not handled properly, and the NATURE of water to drown on occasion. That is why one does not handle fire or jump into water unless one is prepared.

    Likewise with the Internet. One cannot just jack in and have fun without running the very real risk of getting burned. One must be prepared, and know what one is dealing with.

    Again, a measure of blame lies with those who positioned the Internet as an amusement park rather than the serious business that it is, but ultimately the blame lies in those who surf the web without being prepared. And if they can't prepare themselves, or are unwilling to pay to become prepared, then stay the hell off the Internet.
  • No. Not at all. (Score:1, Interesting)

    by Anonymous Coward on Friday July 02, 2004 @04:39PM (#9595502)
    "Minimum consumer implied warranties"?

    Ford et al will warrant that your car is safe to drive. If it isn't, big payouts and recalls all round. They will not warrant that your car is unstealable if you park it in a rough neighbourhood. They don't give you a replacement car because yours was stolen or damaged. That's what insurance is for.

    Guess what, the Internet is a rough neighbourhood. Even the best, most secure cars can be stolen by professional car thieves. There are professional computer hackers out there on the internet, and you can only hope that they're busy hacking banks and not you.

    You can't warrant that there are no exploitable bugs, because you simply can't know that, no matter who you are or how good your software security is. You can certainly advertise that you've made a much greater effort in securing your browser.

    I'm all for systems honestly advertising their security against h4x0ring, if only people would pay attention to that. Nobody would buy a car if they knew 90% of them were stolen without an after-market add-on called "a lock". But they'll take MSIE without question. Do they even know there are other browsers, not ready-to-run on their Wintel system thanks to anti-competitive actions by Microsoft?
  • by PeterPumpkin ( 777678 ) on Friday July 02, 2004 @05:06PM (#9595733) Journal
    i have one windows computer and one doing my first ever stage1 install of gentoo... wish me luck

    Good luck! Oh, when you get through the handbook, don't forget to hit up the Gentoo Linux Desktop Configuration Guide [gentoo.org]. It's easy to miss, and I sorta messed up my first install of Gentoo by not finding it/reading through it.

    And I REALLY recommend using Knoppix to install. Once you're past emerging the system, you can reboot into knoppix, open up the root shell, and do the old:
    # cd /
    # mkdir gentoo
    # mount /dev/hda3 /gentoo
    # mount /dev/hda1 /gentoo/boot
    # mount -t proc none /gentoo/proc
    # chroot /gentoo /bin/bash
    # env-update
    # source /etc/profile

    ...And there you have your Gentoo system, pick up where you left off as if nothing happened. You can fire up Mozilla or play one of the included games while it compiles in the background. Very nice 'cause you don't have to get up for another computer to read the online handbook.
  • by Anonymous Coward on Friday July 02, 2004 @05:11PM (#9595767)
    Hell, this is the first recommendation from them that would actually make me feel safer... (that is, the other folks not using IE, I've used Mozilla for ages).
  • by qwasty ( 782400 ) on Friday July 02, 2004 @05:21PM (#9595841)

    This browser warning [zesiger.com] page thoroughly trashes MSIE, but every phrase is linked to a news article that uses the exact same verbiage in order to demonstrate that it isn't just anti MS FUD - It's the honest truth. It's designed and maintained for webmasters to deliver to the IE-using visitors to their webpages. You can read the source code for some more information about that. In case you're curious, here's a paste of the text and links that it has - This should prove quite effective with anyone you're trying to convince to stop using IE:

    Warning!

    Your web browser - a version of Microsoft Internet Explorer - may not function properly on this website [com.com], and could have a large number of problems [microsoft.com] that allow hackers to hijack it [pcworld.com] with viruses [microsoft.com]. These viruses could be used by criminals to secretly take over your computer [cnn.com], download child-pornography [theage.com.au], or to commit acts of terrorism [channelnewsasia.com] and fraud [guardian.co.uk]. You may automatically update it now [microsoft.com] with Microsoft's available patches, however, there is a possibility that a necessary patch will not be available [techweb.com] due to Microsoft's somewhat sluggish development schedule [ecommercetimes.com].

    The US Department of Homeland Security [yahoo.com] strongly suggests [wired.com] that you stop using Internet Explorer immediately.

    There are several standards-compliant [webstandards.org] web browsers that you may use instead of Internet Explorer. Please install one of them as a replacement.

    If you suspect that your computer is already being used for criminal activity, it is critical that you seek help from a computer professional in your local area. You may also try one of the free web-based virus scanners [wilders.org] that are available.

  • by Shannon Love ( 705240 ) on Friday July 02, 2004 @05:40PM (#9595973) Homepage
    Actually, malpractice lawsuits predate the era of government sanction and regulation by several hundred years. It is not the authority of the state that defines malpractice but rather the general practices of a professional group. You do not have to demonstrate that a doctor or lawyer broke any law or regulation to successfully sue for malpractice, you must simply demonstrate they operated outside of accepted practice.

    Professionals certified each other long before the government took any interest. In fact, most state sponsored professional standards are a mere legal gloss on the standards of private associations. It is in the interest of responsible members of a profession that they can be readily identified by the lay consumers of their work as such. I think something similar will evolve for programmers.

    Your example of a college student and the buffer overflow would not constitute malpractice. Mistakes everybody makes aren't malpractice. Malpractice isn't about the actual result of the work performed but rather HOW the work was performed. If a doctor treats a patient using methods known to be dangerous they can be held accountable. Likewise, programmers who use methods and designs known to be dangerous should likewise be held accountable.

    Microsoft used methods known to be dangerous in the design of IE, Outlook and other products. Most of the severe security problems resulted from design decisions universally recognized as dangerous when they were made. Microsoft just did not care. They assumed their market dominance would allow them to escape any serious consequence and so far they have been correct. Law and the general profession of programming has not caught up with them.

  • by Anonymous Coward on Friday July 02, 2004 @06:52PM (#9596428)
    Indemnities don't work that way. Microsoft is marketing IE as a secure platform. They know it's broken.

    If I'm selling guns on eBay, and know it will fire backwards into the shooter rather than out the correct end, whether my customer signs a paper saying I will not be held responsible if they shoot themselves or not, I can still be held responsible if I don't make it blatantly obvious as in a big arrow saying "bullet comes out this end" that the product will malfunction, my customer can sue me.

    I sold the gun as a normal every day gun, I had them sign a general waiver "I will not hold you responsible if I shoot myself". The waiver should say, "This weapon discharges out of the wrong end, I cannot hold you responsible if I shoot myself because of this defect" that way they are being informed that it could happen, and waiving that specific right.

    That's why the "I cannot hold liable for anything." waivers do not exist, and if you sign one, you will not be bound by it. Specific rights must be named.
  • 1/2 (Score:2, Interesting)

    by zogger ( 617870 ) on Friday July 02, 2004 @07:21PM (#9596607) Homepage Journal
    I agree with half, disagree with the other.

    No, people mostly DON'T know there are alternatives, due to industry collusion and fraud at very high levels, levels such that it is mostly ignored by the government, because even there they profit individually from the congame of maintaining this monopoly, although they claim they don't and had a whitewash "judicial hearing" and series of lawsuits over it. It was a coverup joke whitewash effort *at best*. There is no prohibition from governmental employees using their income or knowledge to help make scam profits in the markets, just a joke level, or nothing really stopping them accepting "fees" on the side, just a joke level, or nothing really stopping them from getting blackmailed, that's not a joke but it happens to politicians and bureaucrats and dare I say to judges. It just depends on the situation.

    As to not being able to make a safer better browser able to surf without getting hijacked within 15 minutes? Well, all I can say is, not coming from an insecure buggy windows background, or very complicated unix background, but a mac classic simple functional OS/browser background, I will assert to you that I ran for YEARS on the net with NO antivirus, no firewall, no anything but the default browser (netscape) that came with the OS install. YM obviously varied from that I would guess, so you have that viewpoint "it's almost impossible, it can't be done", etc.

    I *never* had to jump through *any* hoops just to surf simply. I went to any website I wanted to go to, read any email. Nothing. I know a few viruses existed, but I never got one, and I don't think there was a remote exploit for mac classic, or at least to be honest and fair I never heard of one or read about one. The first firewall I ever used on a personal machine was two years ago with linux because you need one, same as windows, but at least they give you one that works with linux. With windows, nope, all the installs I ever saw were woefully overpriced, incomplete to a fault, and failed to function very well. And insecurity isn't an issue, they *are* insecure as shipped, you MUST jump through hoops to even approach a dismal-security range, let alone a pretty good-security range.
  • by kir ( 583 ) on Friday July 02, 2004 @09:23PM (#9597199)
    Yes. Outlook has some of its own problems, but it uses IE to render HTML email (as do many Windows MUAs).

    Filtering out html email would be wonderful (and I'm pitching that next week), but I can't see it happening on my customer's network (a rather high overseas joint headquarters). The first time General Dingleshits gets a blank email from his buddy General Whatshisnuts (because no plain-text version was included in the email), the HTML filter gets whacked. Such is life in the DoD.
  • by shadowbearer ( 554144 ) on Friday July 02, 2004 @09:37PM (#9597260) Homepage Journal

    Can (or do) those other applications embedding the IE engine use the zone controls and otherwise follow any of the security settings for IE itself?

    God, I'd hope so, otherwise that could be a right nasty mess (and would explain some of the weirdness I used to encounter back when I used/troubleshot Windows :)

    SB
  • by MrCreosote ( 34188 ) on Friday July 02, 2004 @10:49PM (#9597507)
    If your bank site is IE only, ask if they will indemnify against any fraud on your accounts as a result of the security failings of IE
  • by shadowbearer ( 554144 ) on Friday July 02, 2004 @11:05PM (#9597574) Homepage Journal
    I don't know, I can imagine quite a bit :) Lord, what a clusterfuck this all sounds like.

    What I do know, after fixing many hundreds of Win 9x systems for people, is that I decided I was going pure Linux and not looking back. I've found it relaxing. I spend almost no time in maintenance after initial setup and pretty much zero time worrying about system security.

    Dumb, dumb. Microsoft is really going to take it on the chin this year, methinks. Which in the long run will be a good thing, perhaps; but in the meantime a lot of people are getting screwed (like my folks; every week I get another phone call...)

    Not to mention the weird stuff I encounter at work, where we now run XP Pro on all our systems. FE, we have one box, identical to the others, where the network card driver pukes on a random daily basis. Easy enough to fix - go to the hardware manager and re-enable the card - but WTF?! So far nobody either at Corporate or MS has been able to fix it - and it's not hardware, either. What a PITA.

    (also three times now in the last two weeks getting a call from corporate telling us to reboot all our boxes because they could no longer VNC into them. Rebooting fixes it. Ah, Oh Lauded Stability of XP. *snort* Other than kernel upgrades my home boxes never get rebooted. Never; and they work a lot harder than the work boxes do. Windows. Bah. ;) )

    Cheers,
    SB
