Microsoft Says Upgrade To IE8, Even Though It's Vulnerable
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
IE8 has the flaw but is immune... (Score:5, Informative)
Re: (Score:3, Interesting)
But even at Google they apparently have some stuff that requires them to disable it. You can bet a lot of the shops that can't ditch IE will have to disable DEP for backwards compatibility with the crappy apps that are the only reason they don't switch to something better anyway.
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
This whole problem is based on the fact that MS is not willing/able to fix this issue for quite a long time (days?). Other browsers are different in a way that they are fixing security issues ASAP.
Re: (Score:3, Insightful)
Re:IE8 has the flaw but is immune... (Score:5, Insightful)
Re: (Score:2)
OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
One could argue that, in the corporate IT world, Microsoft's known patch schedule is more desirable than random updates from Mozilla appearing whenever they're finished.
Re:IE8 has the flaw but is immune... (Score:5, Informative)
They are aiming for both backwards compatibility and security, but above all, they are aiming to put out a fix that isn't broke. I'm honestly not trying to be the Microsoft apologist here, but the complexity of putting out a patch for IE is a lot more complex than you might first think, even compared to other browsers. Here's why:
Using Firefox as an example, when Mozilla finds a security flaw in Firefox, they simply release a new point release of all supported versions of Firefox (currently 3.0 and 3.5) that contains the fix, as well as all previous fixes, and usually several other security/stability fixes bundled into that particular point release. So, this means a release across two product versions, which can be expanded to releasing on the architectures supported for those particular versions as well as supported platforms. The source code change probably isn't architecture or platform specific (wrong?) so can thus be inserted into the correct maintenance trees in the source repository and the binaries/sources made available.
Using Microsoft as an example, when Microsoft finds a security flaw in Internet Explorer, they need to patch every supported version of IE on every supported version of Windows down to the specific IE patch level, possibly also impacted by Windows patch level. For a security flaw like this that affects IE6 through IE8, that means patches for every version of Windows from 2000 to 7, for every architecture (x86, x86_64, ia64), for numerous patch levels. For example, in many versions of Windows two separate patch levels of IE might be simultaneously supported (e.g. IE6 SP1 on Windows 2000 and IE6 SP2(SP3?) on XP). Keep in mind that the binaries for the same exact patch level of IE on two different versions of Windows on the same architecture are highly unlikely to be the same (e.g. IE7 on XP will not be the same as IE7 on Vista, nor will the patch binaries be the same, and OS SP level may also make a difference). Versions of Internet Explorer on Windows CE/Mobile might also be impacted, resulting in further patch complexity. Oh, and x64 versions of Windows (and ia64?) have both the 32-bit and 64-bit versions installed side-by-side, due to issues with plug-in compatibility (you can't load 32-bit code into a 64-bit application). So, you'll need to patch both versions on 64-bit platforms, and once again, the 32-bit binaries for 64-bit systems are unlikely to be identical to the 32-bit binaries for 32-bit systems. In summary, we are talking a huge number of binary patches that all need to be thoroughly tested, passed through regression suites, and so forth, because if even one of these patches breaks something, odds are, you'll have a lot of pissed off users.
That being said, this is largely Microsoft's fault. By integrating the browser so closely to the OS, they've managed to create this complexity. A clean(er) separation of web browser from OS internals would, while not making things simple, surely reduce the current clusterfuck. Doing so would bring you much closer to the model that most (every?) other web browser uses, and should drastically reduce the amount of testing that would need to be done. For now, this isn't the case, and the present reality is that patching every version of IE since 2001 is a very messy business.
Re:IE8 has the flaw but is immune... (Score:4, Interesting)
A security fix which breaks other required functionality isn't much better though, is it? A patch rushed out the door without much testing isn't a patch I necessarily want to install.
Re: (Score:2)
Joe Sixpack might be upset, but yes, it is _much_ better than leaving your computer vulnerable.
Re: (Score:2)
Re: (Score:3, Insightful)
Microsoft provides the ability to be up to date and secure as well as backwards compatible; it's the user's risk for what he chooses, not Microsoft's.
Re:IE8 has the flaw but is immune... (Score:5, Insightful)
Re: (Score:2)
At the very least I'd expect a hotfix that disables the button for the time being, with info to their customers that those who need the functionality should not apply it but have to be aware they're vulnerable.
Sounds like a good solution to me.
Re:IE8 has the flaw but is immune... (Score:5, Informative)
Re: (Score:2)
If the user is on Vista or Win7 they'll have to disable protected mode as well in order for the exploit to be able to do anything meaningful.
So if a user running IE6 on XP, who doesn't enable DEP gets exploited, who is really to blame? This is an ancient configuration and Microsoft has, for a long time, provided products and technologies to address the problems in it.
DEP is controlled per-task on Windows (Score:2)
It has been since it debuted in an XP service pack.
So if you "disable" DEP to make some apps work, it still isn't disabled for IE8, because IE8 opts-in for it.
Re: (Score:3, Insightful)
Re: (Score:2)
"Other measures recommended by Microsoft include running the browser in Protected Mode and ensuring users aren't running with administrator privileges."
Translate to: "Don't blame us, it's the fucking lusers who operate their browsers in default mode."
So they're not Evil, or Incompetent, it's us!
Re:IE8 has the flaw but is immune... (Score:4, Insightful)
Even though you're being sarcastic, to an extent you're correct. It is the fault of corporate IT, not Microsoft, that IE6 and IE7 are in such wide use and being exploited, when everyone should already be running on IE8. It would be the same situation as if you had tons of people running Firefox 1.5 and refusing to upgrade because it would break something they're used to, despite being vulnerable to a series of known problems. In that situation it's not Mozilla's fault that their user base hasn't upgraded any more than it's Microsoft's fault now.
Re:IE8 has the flaw but is immune... (Score:4, Interesting)
Re: (Score:2)
They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.
Actually, Microsoft has a policy of not taking protected mode, low integrity processes, DEP/NX, ASLR and other memory corruption protection mechanisms into consideration when assigning severity levels or reporting bugs.
This means that MS reports the bug as being in IE8, but the several layers of extra protection in both IE8 and Vista/7 may very well neuter it completely.
Re:IE8 has the flaw but is immune... (Score:5, Informative)
True, DEP is enabled by default on the Win 7 / IE8 combo. OTOH, neither will run (very well, anyway) a horde of old enterprise services and suites that still linger about the industry, compatibility modes be damned.
There are fixes and workarounds, but they can get rather expensive (and usually involve an XP Mode server of sorts, or Terminal Services seat licenses, etc).
Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.
Re: (Score:2)
Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.
That's not either/or, that's and. There will be a lot of code rewritten, AND a lot of businesses hanging on to IE6 until then, AND a lot of them getting exploited in the meantime. I wonder if it's cheaper to upgrade your internal applications so that they'll work with every browser for the next 10 years, or clean up a company-wide infection (and then rewrite the code anyway).
Re: (Score:2)
Shhhh. Quiet... We want to live in a world where every Microsoft bug will remain unfixed and slowly become so problematic that we can live fat, dumb and happy with the alternatives.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Yea, after reading the article (some of us do) I found that this summary is a piss poor one, more aimed at bashing MS than giving the real facts. We don't need to make up imaginary reasons to hate MS, they already provide plenty of real reasons.
Re: (Score:3, Insightful)
Sandboxing & virtualization of a sick browser is not a panacea. If the sandboxed application is compromised, it could still be controlled in its own domain and compromise cookies, passwords and anything else that is obtainable in its virtual space. It could still be used for malicious purposes, purposes that could result in a knock on the door from the law.
Sandboxing and virtualization are sane for ANY application which is processing content from untrusted sources, regardless of whether you think th
Free software puts fix schedule in your hands. (Score:2)
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration. Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collec
Re: (Score:3, Insightful)
One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration.
Ya, well then you're going out of your way to make yourself vulnerable again. At which point, I'd have to ask... why did you bother to upgrade?
Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser
Re: (Score:3, Insightful)
Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy.
Yes of course, the largest computer software company in the world should be given a hearty slap on the back for "coming a long way". I mean, they're only the standards that everyone else is following; it's not like they matter.
Re:IE8 has the flaw but is immune... (Score:4, Interesting)
The real solution is not open source browsers specifically...
The real solution is diversity.
All software will have bugs, but they are a lot more difficult to exploit if there are a handful of different browsers running on a handful of different platforms and hardware architectures that your targets could be running. Also, having an even split in the market would force all the different software makers to compete on quality... If one vendor drags their feet they will face losing lots of market share... MS can drag their feet without risk of losing anything right now because people are locked in to them.
The attacks that recently succeeded proved the dangers of monoculture; if you're a hacker looking to target any large corporation or government you can be sure that your target will be running windows/ie/msoffice, so one exploit, trojan and skillset will suffice against any number of targets.
Nature has proven the importance of diversity...
Re: (Score:3, Insightful)
It's clear that you need one. Maybe you could start by changing your worldview that all open source software is secure by virtue of being open source, and all proprietary software is crap. Maybe a look at Opera would prove otherwise. If you're not aware of the several security features which Microsoft has added to Windows 7 and IE8 (not to mention much-needed support for several missing standards), then maybe you can make yourself familiar with those before claiming that everything which you can't read t
Re: (Score:2)
I'm not totally blaming the user, but most of the exploited folks are running unpatched, pirated windows versions with every option turned off just to make it "easier" to use (say UAC)
Re: (Score:2)
I'm not totally blaming the user, but most of the exploited folks are
using Internet Explorer. Period.
Re: (Score:2)
I'm not totally blaming the user, but most of the exploited folks are running unpatched, pirated windows versions
Can you show the numbers from your survey where you asked everyone who got exploited if they're running a pirated version? I'm interested to see just how much more than 50% of them are pirated.
"Everyone is the same. Quick to point the blame. All I know is that life is a struggle"
Hmm, indeed..
Re: (Score:2)
Sandboxing & virtualization of a sick browser is not a panacea.
No, but it's better than not sandboxed.
I notice you don't mention that IE8 is not actually vulnerable unless you reconfigure it that way because DEP is on.
A hale and open sourced browser is the only safe way to go. Screw IE, any version.
Because those have no bugs?
MOD PARENT DOWN (INFORMATIVE?) (Score:5, Insightful)
If you had any idea what OP was talking about, you'd realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there" the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.
Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?
Always Look on the Bright Side of Life (Score:2)
...or Death
Security theater to keep people on their, similarly defective, latest product is the best thing MS could do for now, it seems. I'm waiting for comment from Bruce Schneier...
Marketing must be pleased (Score:5, Funny)
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
Re:Marketing must be pleased (Score:5, Insightful)
Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."
Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"
Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."
Vista, Win7 - really? (Score:5, Interesting)
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.
So saying it is a 'problem' on Vista or Win7 is stretching the truth.
Re:Vista, Win7 - really? (Score:5, Interesting)
Also if you leave UAC on, it will be running as a normal user, not as an administrator. So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.
By default, IE8 on 7 is pretty secure.
Re: (Score:3, Insightful)
So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.
By default, IE8 on 7 is pretty secure.
So it's ok if a buggy webpage can wipe out My Documents, so long as it doesn't break my system?
I'm not sure many users would agree with you there.
Re:Vista, Win7 - really? (Score:4, Informative)
Re:Vista, Win7 - really? (Score:4, Informative)
Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.
Microsoft has come a long way in securing their OS, but they still have a long way to go before claiming that their product is as secure as, say, FreeBSD or OSX.
Re: (Score:2)
Re: (Score:3, Informative)
...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.
The folks who write IE (as well as other MS developers) are very well aware of the nature of privilege escalation vulnerabilities. This [amazon.com] is effectively the required read around here, and, while rather high-level, it does give a good overview of these kinds of attacks.
Regardless, more security layers are always better, especially when you can't guarantee the code to be absolutely, definitely 100% secure. Things like sandbox, DEP, ASLR etc are absolutely not a replacement for writing proper code, security review
well done Google (Score:2, Interesting)
Re:well done Google (Score:4, Funny)
Re: (Score:2)
Google has never said they will leave China. They have said they will (that's *will*, not have) refuse to continue to censor, which will probably result in them being forced to leave, but it is clear that in the unlikely event the Chinese government agrees to let them stop censoring they will stay.
The right time to upgrade (Score:5, Informative)
The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?
I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they apologize?
(Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)
Re:The right time to upgrade (Score:4, Interesting)
So I was doing an install of ATT DSL a few months ago. You don't just plug it in, you have to authenticate.
Only IE works with their server, and the install disc includes IE6 in case you don't have it.
Re: (Score:2)
You can install it without their crap CD, but it's a PITA because there's zero documentation and you have to discover everything for yourself, if you run Linux for example. But all you need is any browser.
The same applies to the majority of home networking gear out there.
Re: (Score:2)
> ...the web app developers should have their Geek status revoked...
Most Web developers don't qualify for geek status.
Who cares? (Score:2)
Re: (Score:2, Insightful)
I'd disagree. Open up "My Computer" and type in "http://www.google.com/" into the address bar.
Enjoy your IE.
Re: (Score:3, Informative)
Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.
Re: (Score:2)
Yeah, because Firefox's exploit stats aren't worse than any other modern browser right? Maybe you need to do a little research.
When will we change programming practices? (Score:5, Insightful)
It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
the old "we've always done things this way and it would be too expensive to change" is real crap.
What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?
Isn't it past time that things changed?
Re: (Score:2)
I was wondering that too. Microsoft says C# and .net will alleviate these types of problems with "managed code" in your wares, but apparently they don't feel the need to use it for their own products.
Re: (Score:2)
Developers who know what they're doing had it drummed into their heads that they need to watch memory allocation, array boundaries, null pointers, unsafe library functions and the like.
The problem is if you hire hordes of less qualified programmers and let them loose on a project that requires low level programming.
Unfortunately, anything using C or C++ amounts to low level programming.
Re: (Score:2)
Right - so we're coming down to relying on (expensive) greybeards but most of the work is being done by whippersnappers who can spin out code but aren't obeying best practices with powerful but unsafe tools.
Perhaps a secure coding certification is mandatory?
I know this will be an unpopular idea and that some terrific code has been crafted by amateurs but something has to be done.
How about free code analysis for FOSS apps?
Re: (Score:2)
1. I'm not a programmer - do some of your own legwork, read the Wikipedia page on Buffer overrun exploits or just fucking Google it.
2. I'm not so sure about "older stuff works and needs few patches" - exploits have been found in "older, working stuff". I recall a problem with BSD FTP that affected pretty much every Unix version going back 10+ years.
And, I think at least one exploit with image-handling was found when the source for Win2K was released into the wild.
DUH! (Score:2)
Really? Impossible! I fully expected them to say it would be better to use Firefox or Opera.
Seriously. What did you expect? Be honest.
Let's just fix one (Score:2)
In many ways if you are going to stick to using Internet Explorer, then it might as well be the latest one. If there is a flaw that affects IE8 less than the other two, then it is still the lesser risk. Even if it doesn't and is still major, then Microsoft will most probably concentrate on providing a security fix for IE8, and not the others. Heck, beyond hyper-conservative company policy (aka "let's stick with 10 year old software, no matter what"), there is very little reason not to upgrade and plenty of
Pentagon thinking (Score:3, Insightful)
Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fixing it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for years.
Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.
Microsoft's advisory admits that both IE7 and IE8 (Score:4, Informative)
Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
That is a misrepresentation, at best.
The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx [technet.com]
It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.
IE5 rules supreme (Score:4, Informative)
Actually, IE5 is the only version not affected. You should be downgrading, not upgrading.
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/ [theregister.co.uk]
"But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."
Good Luck With that.... (Score:3, Insightful)
A company I interned at had IE 4.0 for the longest time, even after 5 came out, and the latest versions of netscape....
I think what our friends at Microsoft don't realize is that big companies (especially big regulated companies) are really slow to move on things. Upgrading to IE 8 is not really a valid answer. A large regulated company will spend months testing, and in many cases it will take years to upgrade. Now if IE didn't encourage people to violate web standards, then it wouldn't be that bad. But unfortunately it does and people do. So fixing things to work with IE7 or even IE8 after IE 6 is a pretty big deal.
So good luck with that. I know my company is going to be running IE 6 for at least another year, maybe more. They have to go slow because it is a financial company and they are subject to all sorts of SOX controls and regulations. Also upgrading browsers does not immediately generate revenue so it is not a high priority. They don't even use the right resources for testing so it drags out much longer than it should....
I worked at a Microsoft Fanboy company but even then it took a good 6 months to test all the apps with IE 7, and there the rollout wasn't company-wide, just that division. There was also a project in parallel to fix the issues and move all development projects to Visual Studio 2005. They properly staffed based on what they had, and it still took 6 months. And they were Microsoft Fanboys. I mean SQL Server 2005 comes out, they need to upgrade within a year. SQL Server 2008 comes out, they put on a project to upgrade within a year. Windows Vista comes out, they need to upgrade.... And even there 6 months is a lot of time to be exposed to a vulnerability. And they are the exception, not the rule.
For many companies a security issue or browser upgrade does not generate revenue and is super low priority....
Re: (Score:3, Insightful)
That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.
After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes th
Re:Not fixing it in IE6... (Score:5, Insightful)
It's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. The biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.
Re:Not fixing it in IE6... (Score:5, Insightful)
How is this a troll? What he said is true.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK [microsoft.com]. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
Re: (Score:2)
Agreed - he made a fair point.
Re:Not fixing it in IE6... (Score:5, Insightful)
Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.
Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.
Re:Not fixing it in IE6... (Score:4, Informative)
Nonsense. We manage something like 2,800 apps centrally for 60,000+ desktops using a 3rd party tool. We have another 400 or so apps that we manage for our 11,000 servers. Total staff to package and update this environment? About a dozen.
Firefox is just another app to us.
Re: (Score:3, Insightful)
The problem is you need to invest a lot of time, money and expertise into setting up something like that. For a big shop like yours, that's no problem - the cost of initial setup is easily justified by the fact you have to manage 60k+ desktops and over 2,000 apps, and doing that manually would cost a fortune.
Most of us aren't that large though. We've got maybe 150 desktops/laptops, which is enough to make managing them manually impractical, but not enough to justify purchasing and learning systems management a
Re: (Score:3, Informative)
https://developer.mozilla.org/En/A_Brief_Guide_to_Mozilla_Preferences [mozilla.org]
If the administrators can write to the application directory and prevent the user from doing so, then they can enforce profile settings in Firefox (and almost any Mozilla app).
Re: (Score:3, Informative)
No registry hacks are necessary to set configuration information in Firefox. It's all text files, the way God intended config files to be. :)
Re:Not fixing it in IE6... (Score:4, Interesting)
My compromise to the problem of users installing Firefox is simply to accept it and push updates to them.
I have a GPO with a computer startup script that checks if Firefox is installed; if it's not the latest version it installs the latest version. The downside of this approach is that I have to manually update the script every time there is an update, and this does nothing to update add-ons. IE at least gets updated via WSUS and I don't even have to think about it.
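The startup-script approach described in the post above, as an added PowerShell example that is not the poster's own script: it compares the installed Firefox build against a pinned target version and runs the silent installer only when Firefox is missing or older. The UNC path, log file and the target version 3.5.7 are assumptions; as in the post, the admin edits the pinned version by hand on each release.

```powershell
# Added example (not the poster's script). Run as a GPO computer startup script,
# so it executes as SYSTEM before any user logs on.
# Assumptions: the approved installer is staged on a file share (placeholder path
# below) and $TargetVersion is edited by hand each time a new release is approved.

$TargetVersion = [version]'3.5.7'                            # assumed pinned version
$Installer     = '\\fileserver\software\Firefox Setup.exe'   # placeholder UNC path
$LogFile       = "$env:SystemRoot\Temp\firefox-update.log"

function Get-InstalledFirefoxVersion {
    # Look for firefox.exe in the 32-bit and 64-bit Program Files locations and
    # read the product version from the executable's version resource.
    $candidates = @(
        "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
        "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $raw = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            # Keep only digits and dots so that a suffixed string still parses
            $clean = ($raw -replace '[^\d.]', '').TrimEnd('.')
            return [version]$clean
        }
    }
    return $null   # Firefox is not installed
}

function Test-NeedsInstall {
    param([version]$Installed, [version]$Target)
    # Install when Firefox is absent or older than the pinned target; never downgrade.
    return ($null -eq $Installed) -or ($Installed -lt $Target)
}

$installed = Get-InstalledFirefoxVersion
$stamp     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

if (Test-NeedsInstall -Installed $installed -Target $TargetVersion) {
    if (-not (Test-Path -LiteralPath $Installer)) {
        Add-Content -Path $LogFile -Value "$stamp installer not found at $Installer"
        exit 1
    }
    # -ms is the Firefox installer's silent-install switch; there is no interactive
    # session at startup, so a silent run is the only option anyway.
    $proc = Start-Process -FilePath $Installer -ArgumentList '-ms' -Wait -PassThru
    Add-Content -Path $LogFile -Value "$stamp updated from '$installed' to $TargetVersion (exit code $($proc.ExitCode))"
} else {
    Add-Content -Path $LogFile -Value "$stamp Firefox $installed is at or above $TargetVersion, nothing to do"
}
```

The log line written on every run gives a cheap way to audit which machines are still behind the pinned version after the next boot.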
Re:Not fixing it in IE6... (Score:4, Informative)
Fair point on the former, but the latter could be managed to an extent via GPO - you just have to roll your own policies [3sharp.com] to do it.
Re:Not fixing it in IE6... (Score:5, Informative)
We were in a similar situation when we wanted to migrate away from IE6. We have several client sites that we must use that are IE6 only and were not compatible with IE8's backwards compatibility.
The solution we came up with was to deploy Firefox throughout the company with IETab already installed with a list of rules to load incompatible pages into an Internet Explorer tab within Firefox. This is completely transparent to our users and the majority of web browsing is done with Firefox.
Re:Not fixing it in IE6... (Score:4, Interesting)
Re: (Score:3, Insightful)
Re:Not fixing it in IE6... (Score:5, Insightful)
(due to hordes of crap .NET programmers*)
You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.
Re:Faulty Products. A comparison. (Score:5, Informative)
Your memory fails you. Firestone said the problem was that their tire wasn't rated to the standards which were required for a particular Ford model. Ford installed them as OEM tires anyway. When it came out, Ford said Firestone made a faulty tire, but Firestone responded that the tire wasn't designed to be used in the environment created by Ford's one SUV model.
As usual, another analogy on /. fails...
Re: (Score:3, Informative)
Firestone still took the contract; they weren't going to turn down a sale of millions of tires. They knew what Ford was putting them on.
Re: (Score:2)
It wasn't even that "exotic" of a problem. Ford recommended a low tire pressure for a softer ride - trying to make a truck not ride like a truck. Low tire pressure generates excess heat, which ultimately causes the tire failure. And because the other tires on the vehicle are also under-inflated, the changes in the vehicle's handling are magnified and everything goes to hell.
People who ran the tires at (for example) 35PSI instead of 30PSI didn't have problems.
Re: (Score:2)
I had the pressure recommendation wrong. Ford had recommended 26 PSI. That's well below "normal" pressure for most road vehicles, especially heavier ones like SUVs.
http://en.wikipedia.org/wiki/Firestone_and_Ford_tire_controversy [wikipedia.org]
So Ford specified possibly weak tires, and then went on to change their recommendations in such a way that it made them weaker without chang
Re: (Score:2)
My memory of that is far different. The tires were faulty, but in a small percentage of tires. There was a manufacturing defect that would cause tread separation. The number of faulty tires was relatively small.
The real problem was that Ford Explorers were rolling over in accidents. Ford wanted to blame it all on the tires when in reality that particular defect was a factor in only a small number of accidents. The real cause of the issue was the instability of the Ford Explorer. It is a simple matter o
Re: (Score:2)
> The real cause of the issue was the instability of the Ford Explorer.
The real cause of the problem (that's *problem*, not "issue") was idiot drivers who bought trucks and drove them like pancake cars. Trucks necessarily have high centers of gravity. It is obvious to anyone with any brains that you can't drift a truck around a corner. Most modern cars are so low and flat (in the interest of fuel economy) that they are almost impossible to roll. People get used to that and then try to drive trucks th
Re: (Score:2)
Except that using a faulty browser isn't more likely to kill than people riding with faulty tires on something that moves really fast.
I assume you aren't a political activist in China.
Re:Channeling BadAnalogyGuy (Score:5, Informative)
If this is FUD about Explorer, it is Microsoft FUD about Explorer and not the submitter's.
Re: (Score:2)
Well I DID say it was an attempt at a bad analogy.
The point I was trying to make was similar to that of some other folks. Yes IE8 does not fix this specific flaw, however it does address many other vulnerabilities and outright flaws in IE6.
I believe the expression is "throwing the baby out with the bathwater".
Re: (Score:2)
IE8 has the same bug, but it has further protective measures that limit the bug from being harmful. Defense in depth.
Re: (Score:2)
It sounds like marketing speak to me. That sentence reads a lot differently if you add one word:
Customers using Internet Explorer 8 are not affected by some|most currently known attacks and exploits due to the improved security protections in IE8
I doubt they're trying to claim that IE8 is immune to all known attacks.
Re: (Score:2)
They can't afford to do what? Rewrite their software? The alternative is to get exploited, then clean up the mess, then end up rewriting anyway to make sure you don't get exploited again.
So, if we're talking about money, is it cheaper to:
A) Rewrite the software
B) Get exploited, clean up the mess, and rewrite the software
It doesn't matter how long you wait, you're going to need to rewrite eventually. The question is how long you want to remain vulnerable before upgrading.
Re: (Score:3, Interesting)
Is this an ActiveX thing?
No, it doesn't appear so at this time. But it could be.
I mean how the hell do you get the pointer in the first place? And how do you keep the browser from page faulting?
I'm so confused!
The attacker actually doesn't "get the pointer". He discovered some bug where IE would deallocate an object but still hold a pointer to it. A "dangling" pointer.
The attacker then typically allocates *a lot* of other objects, hoping that they will take up the address pointed to by the "dangling" pointer. He will try to arrange the allocations such that the allocated "data" is actually attack code if ever executed as instructions. The attacker could hide
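The dangling-pointer situation the comment above describes, shown together with one mitigation, as an added example (not code from the page, from IE, or from any browser): a constructed DOM-like node whose lifetime is reference-counted, so that a holder's pointer is cleared when that holder lets go and the object is freed only after the last reference is gone. The node type, the retain/release names and the freed-object counter are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed example: a DOM-like node held by both its parent and an event
 * handler. A "dangling" pointer arises when one holder frees the node while
 * the other still points at it; reference counting frees it only when the
 * last holder lets go, so no live pointer ever refers to freed memory. */
static int freed_objects = 0;   /* instrumentation so the demo is checkable */

struct node {
    char tag[16];
    int refcount;
};

struct node *node_new(const char *tag) {
    struct node *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    strncpy(n->tag, tag, sizeof n->tag - 1);
    n->refcount = 1;            /* creator holds the first reference */
    return n;
}

/* Every holder that stores the pointer must take its own reference. */
struct node *node_retain(struct node *n) {
    if (n) n->refcount++;
    return n;
}

/* Drops the holder's reference and nulls the holder's pointer so it cannot
 * be used afterwards. Returns 1 if this was the last reference (freed). */
int node_release(struct node **holder) {
    struct node *n = holder ? *holder : NULL;
    if (!n) return 0;
    *holder = NULL;             /* the caller's pointer no longer dangles */
    if (--n->refcount > 0) return 0;
    freed_objects++;
    free(n);
    return 1;
}

/* Parent and handler both reference one node. Returns how many objects were
 * freed after the parent let go: 0, because the handler still holds it. */
int demo_parent_releases_first(void) {
    freed_objects = 0;
    struct node *parent_ref = node_new("div");
    struct node *handler_ref = node_retain(parent_ref);
    node_release(&parent_ref);  /* node survives, parent_ref is now NULL */
    int freed_early = freed_objects;
    node_release(&handler_ref); /* last reference: now the node is freed */
    return freed_early;
}
```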
Re: (Score:2)
Firefox replaces operating systems now?