UK Gov't Says "No Evidence" IE Is Less Secure

aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"

Probably true, even.

[toQDuj]

That's very likely true, as the stupidity of the user remains the weakest factor in security.

Re:Probably true, even.

[MichaelSmith]

That's very likely true, as the stupidity of the user remains the weakest factor in security.

And this is a constant in the UK Government?

Re:

[toQDuj]

I have no evidence for believing otherwise. OTOH, I do know there are (very) stupid people working in the government of the Netherlands, or so my friend working there indicates. IT savvy people perhaps don't try to get work at the UK government.

Re:

[jonbryce]

I don't know if they try to get work or not, but judging by the governments' computer systems, they certainly don't succeed.

Re:

[xaxa]

The bit of government I work for (a non-departmental public body) still has Windows 2000 and IE6 on most desktops. Unfortunately, the budget for this organisation has remained static for over a decade -- if the next government is serious about increasing science spending (rather than just talking about it) then maybe the budget will be increased! But I doubt it.

Re:

[Maxo-Texas]

You know... one reason for this has to be the acquisition procedures.

My company pays about $2,000 for desktops and laptops that I can buy at fry's for $490 to $700.

As a result, it can take 90 to 120 days to get a laptop which we could buy directly the same day. I have two projects waiting on hardware as a result.

Re:Probably true, even.

[Runaway1956]

This is the same UK government which thought that Windows for Subs was a good idea, right?

http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/ [theregister.co.uk]

Royal Navy warships lose email in virus infection

        * Alert
        * Print

Windows for Warships(TM) combat kit unaffected, says MoD

By Lewis Page Get more from this author

Posted in Malware, 15th January 2009 16:53 GMT

Free whitepaper - What Exchange can't do - and Dell can

The Ministry of Defence confirmed today that it has suffered virus infections which have shut down "a small number" of MoD systems, most notably including admin networks aboard Royal Navy warships.

The Navy computers infected are the NavyStar (N*) system, based on a server cabinet and cable-networked PCs on each warship and used for purposes such as storekeeping, email and similar support functions. N* ship nets connect to wider networks by shore connection when vessels are in harbour and using satcomms when at sea.

Re:Probably true, even.

[roscocoltran]

I loled at this fake, then I type "windows for warships" in google... We are living in a strange world.

Re:

[ibsteve2u]

I lollled when I thought of Microsoft's having started offshoring back in 2004 [seattlepi.com]; the thought of Indian programmers writing code for their old colonial master's warships is...amusing.

Of course, I also find the thought of having blind faith in the golden handcuffs of capitalism to be amusing.

Re:Probably true, even.

[Culture20]

I lollled when I thought of Microsoft's having started offshoring back in 2004; the thought of Indian programmers writing code for their old colonial master's warships is...amusing.

Funnier than American programmers writing code for their old colonial master's warships?

Re:

[mjwx]

I loled at this fake, then I type "windows for warships" in google... We are living in a strange world.

Meanwhile, on a Royal Navy warship.

[Captain] Leftenant, time to impact.
[Officer] 15 seconds sir,
[Officer] 13 seconds to impact sir,
[Officer] 23 seconds sir,
[Officer] 2 minutes?

Re:

[PopeRatzo]

And this is a constant in the UK Government?

And really, is this the kind of thing that the "Home Office" does in the UK?

Y'all be weird over there.

Re:Probably true, even.

[rich_r]

Home Office as in 'Office of Home Affairs'. A bit like 'Homeland Security'...

Re:Probably true, even.

[SimonTheSoundMan]

The MoD have sent me a letter three times stating they have lost personal data about me. One was a CD, another a pen drive, and a laptop was stolen from the premises.

Data that went missing was my name, address, passport number, national insurance number, photograph, medical history and criminal record. Obviously nothing important.

This data was unencrypted.

Re:Probably true, even.

[BikeHelmet]

But the trend of users getting infected seems to indicate IE is worse. User stupidity hurts, but so do unpatched remote code execution flaws.

Microsoft likes to tout how insecure other browsers and OS's are because they receive more security updates, but I'm not convinced. It's a poor measurement of security.

There's no way to know how many landmine exploits are in IE. I consider Firefox more secure, because as its market share goes up, the number of ITW exploits doesn't seem to be exploding.

Re:

[abigsmurf]

The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.

There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one [theregister.co.uk].

Re:

[Shisha]

I'm very happy that majority of users use IE. This makes it still the most attractive target for hackers. In turn that means that they have less time to work on exploits for the browser I'm using. "Security through obscurity" works in this case (though of course the phrase comes originally from open source vs. closed source).

Re:Probably true, even.

[palegray.net]

The fundamental issue here actually is "security through obscurity," although not in the context that you use it (instead, referring to the traditional context). With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done. Microsoft has a terrible track record in this department; more times than I can count I've become aware of a security issue they were alerted to weeks or months late.

With Firefox, there is generally a very high degree of transparency when it comes to security problems. Additionally, fixes are pushed out quickly. Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.

So security through wishful thinking is better?

[Anonymous Brave Guy]

With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done.

This argument endlessly amuses me. Do you really think the exact same thing is not true of OSS-based browsers such as Firefox and Chrome?

Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them. The theoretical possibility that you can examine the source code is just security theatre unless you actually spend the time and resources to do it.

Hint #2: Which OSS browser do you think has a public bug database listing all known vulnerabilities, whether or not they have yet been patched, and keeps that database updated immediately every time a new vulnerability is reported?

With Firefox, there is generally a very high degree of transparency when it comes to security problems.

Unless you are one of the select few with access to the full security issue process, you don't know that.

Additionally, fixes are pushed out quickly.

Or that.

Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.

Or any of that.

If you really don't see the blind spot you're exhibiting here, try answering these simple questions (and be honest with yourself):

• When you bashed IE above, how many exploited vulnerabilities in the latest version of IE did you actually know about?
• How many confirmed cases could you name where damage had been caused as a result of one of the exploits you just listed (if there were any)?
• Did you know whether those vulnerabilities (if you could actually name any) had been patched, and if so, how quickly?
• How would you answer the same questions for the latest versions of the major OSS-based browsers?

If you can't immediately answer those questions, and provide yourself with objective, factual data to support your claims above, then please consider that you may just be projecting your own prejudices based on IE6 from many years ago onto the IE8 of today, while letting your own faith in OSS onto other browsers convince you that they are more secure even though you don't have access to all the facts.

Answers you won't listen to

[Anonymous Coward]

Answers you won't listen to:

When 20 other people have gone through a door and come back out again, I will assume that it's safe to walk through the door. Likewise though I may not have read all the code in Firefox, if there were any big problems, someone WOULD have seen it: Microsoft do not have half the world's web browser writers,

How many people HAVE the latest version of IE? Now how many NEVER use flash or Adobe plugins? Because they require you turn off the security and then IE8 becomes vulnerable again. Did you know that?

Google would have got dinged. Likewise, please do the same about Firefox. You've narrowed the window so small there's nothing left of the hole.

And how would YOU answer?

IE8 today has many or most of the downsides that IE6 has. Unless you lock it down so much you can't use it.

But FF 3.5 when locked down as much is still usable. Putting it under LIDS makes it much safer. Adding RBAC from NSA makes it yet more secure.

And still usable.

You cannot say the same of IE and Windows.

Re:

[Cl1mh4224rd]

How many have the latest version of Firefox? One of the websites I maintain is showing traffic from 66 versions of Firefox over the past 30 days. The oldest version? 0.9.2. Ouch.

I just wanted to add the following, from the site I mentioned above:

Firefox (top 5 of 66)
3.5.7 : 45.29%
3.5.6 : 15.55%
3.0.17 : 14.19%
3.0.16 : 6.97%
3.5.5 : 2.66%

Internet Explorer (top 5 of 6)
8.0 : 46.29%
7.0 : 36.44%
6.0 : 17.25%
5.5 : 0.01%
5.23 : 0.00%

Re:

[turbidostato]

" The theoretical possibility that you can examine the source code is just security theatre unless you actually spend the time and resources to do it."

Except that both thory and History disproved that. Read about Bentham's panopticon.

Re:So security through wishful thinking is better?

[palegray.net]

Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them.

Speaking of tired old arguments, you lost all credibility right there. Thankfully, it was in the opening statement of your "rebuttal," so I don't feel too compelled to slog through a more lengthy reply.

Suffice it to say there are a lot of eyes on Firefox, for both the code itself and for evaluating and testing exploits. This process occurs transparently; anyone can (and a crapload of people do) participate. This is absolutely the opposite of Microsoft's model, and no amount of denial or hand-waving on your part is going to change that.

Re:

[palegray.net]

By doing what, expressing a sentiment that is not popular around here?

No. You're expressing a sentiment that is patently wrong; it isn't a matter of opinion. I don't need to personally babysit the codebase for Firefox, as there is a ton of transparent, active development on it. Security issues are reported by both the community and third party vendors, and they're handled rapidly. On the other hand, I have absolutely no assurance that Microsoft will either (1) be aware of security issues, or (2) responsibly handle them. How many times do we have to get stung by holes that wer

Re:

[Aldenissin]

"Security through obscurity" works in this case (though of course the phrase comes originally from open source vs. closed source).

I believe that you are referring to "Security through lack of interest for malicious intent due to popularity or rarity", while the meaning of the phrase "Security through obscurity" would be clearer with the word obfuscation instead. But hey, then it wouldn't rhyme or be as memorable either.

Re:

[cl!p]

There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one [theregister.co.uk].

This is not a exploit in firefox. This is a vurnabillity in some IRC servers. The Freenode people agree [freenode.net]. They are moving to a new IRCd.

Re:

[abigsmurf]

It is ALSO an IRC server vuln. You can't tell me that starting up an IRC session without the user's knowledge is something that should be expected.

Re:

[cl!p]

You can't tell me that starting up an IRC session without the user's knowledge is something that should be expected.

Thats not what is happening. Firefox is just running a post request to a IRC server. The Irc server happely ignores all the http protocol headers and iterprets the data in the post request as a irc protocol data. So the only thing firefox is doing "wrong" is allowing a post request to a non-standard port.

Re:

[Trepidity]

But it's part of the HTTP spec that you should be able to POST form data to any port.

Re:Probably true, even.

[darthflo]

Bullshit. Being able to choose what port a request is directed to is covered by specifications, expected to work and built on in several real-world situations. Most commonly, configuration interfaces: If you're using some kind of shared hosting, chances are they might be running Plesk (defaults to alt-https, i.e. 8443) or ispCP (defaults to https on 81) or a similar project. Use webmin? The httpd that runs the config interface requires permissions you wouldn't want the http that serves your normal pages to have.
Going on, ever used CoralCDN? That's .nyud.net:8080 (alt-http) or 8070 for you. Maybe you'd like to configure an irc daemon or bouncer? Another non-standard port there. Most application servers don't run on port 80, either. The load balancer will, but you might want to get around it for testing purposes or some such.
What I'm saying: It's all expected behaviour. Throw in a PING Math.rand() from the server before actually throwing out those RAW001-4 and the spamming problem is instanty solved. Or, to make things even simpler: If you're an ircd, kill whatever starts it's requests with HTTP POST. Chances are, it's not an IRC client.

Re:Probably true, even.

[Anonymous Coward]

The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.

That most attacks come through plugins is exactly why Firefox is better than IE [mozilla.com]

Re:

[zach_the_lizard]

The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.

Speaking of the PDF weaknesses, are those inherent to the spec, or are they vulnerabilities that only show up in Adobe's implementation?

Re:Probably true, even.

[Daengbo]

I might actually believe that a fully patched IE8 is on par with other browsers, but the UK gov't will undoubtedly take the Home Office's decision to mean that IE6 is OK, too. That's scary.

Re:

[toQDuj]

Still, the user would have to browse to a malicious site. Perhaps the users who "choose" IE (or not choose at all and end up with the default browser), are the type of users more likely to browse to particular types of sites. Changing them to choose another browser, therefore, would not prevent them from browsing to sites with malicious code. This malicious code can then still be executed if it's a vulnerability in a plug-in instead of the browser.

Now I think the browser should keep the plug-ins in check..

Re:

[toQDuj]

>How do you educate people on computer security when they don't want to learn?

It's a good question. What I have done with my parents is to give them a Mac. There the "updates" show up every now and then and I've trained them to click on the "download and install" button, promising them that it doesn't break anything. All (apple) applications update through a single interface, simplifying matters greatly.

The alternative may be to require an "internet drivers license" (which they had in the Netherlands for

Re:Probably true, even.

[hedwards]

Well, there's a couple things going on there. Other vendors actually patch flaws rather than just adding them to the errata because they didn't feel like fixing them. Sure they don't fix all of them, but things which aren't fixed are far less likely to come back and bite the user or require changes to the code base which aren't reasonable on the current revision. But they do get fixed or some how addressed in future versions.

The other thing is that other vendors actually acknowledge when there's a vulnerability which they can't patch post haste which makes it seem like they've got more bugs since they don't have a secret list of unpatched vulnerabilities. Nor do many of them have the option of dong so. Sunshine is the best disinfectant after all.

Re:

[Locutus]

there is ample evidence that flaws existed in MS IE for months, and sometimes years, and Microsoft knew about them and did not fix. That in itself throws out the idea that anyone outside of Microsoft has any clue as to how many flaws there have been or are. Hiding flaws does not mean they do not exist.

On another note, there should be plenty of evidence of flaws and exploits which were in IE but not in Firefox, Opera, or even Safari. Things where IE has intimate knowledge with stuff like ActiveX, COM, their

Firefox leaks

[tepples]

I can think of two reasons that Firefox would have to use a lot of memory: DOM caching and plug-in leaks. DOM caching stores information about pages you have recently visited so that the back button, undo close tab (Cmd-Shift-T), and undo close window (Cmd-Shift-W) work quickly. As for plug-in leaks, use Flashblock and they will be less noticeable, which should hold you over until Firefox implements Chrome-style multiprocessing [mozilla.org].

Re:

[Maxo-Texas]

As the others have said, it's probably one or more of your plugins.

I had a severe performance problem after adding one plugin that cleared up as soon as I disabled it.
After running firefox for days, with 10 open tabs at this moment, the memory footprint is now: 166,500 K. (win7)

My plugins are:
Adblock
Noscript
WOT
BetterPrivacy
Cooliris
DownloadHelper
Skipscreen
TheCamelizer

Re:

[abigsmurf]

Except there is no evidence that a fully patched version of IE could be exploited. The bug was there but it was impossible to exploit with the default security settings.

I notice Slashdot is quietly ignoring the IRC exploit currently in the wild for Firefox.

Re:

[toQDuj]

I have never seen anyone use a browser for IRC, so perhaps the impact of the bug is not very heavy.. But then again, I don't know what the current youth is into.

Re:

[MrMr]

Let me give you the official microsoft reply:

It is a feature

If you ask for data to be transported via ftp, smb, irc, or whatever protocol you need, that's what firefox does. The fact that some IRC servers don't want large amounts of automatically generated data but still fail to block it is not a firefox bug.

Re:

[hedwards]

Somebody else already posted about that, and it's not a Firefox exploit, it's an IRC server exploit. The only thing that Firefox is doing that's possibly wrong is allowing one to post to a weird port. The server failing to properly interpret the packets coming to it is really not something that the Firefox devs can reasonably be expected to fix.

Bullshit

[YA_Python_dev]

Thanks to the China exploit most IE versions out there execute arbitrary code just by visiting a web site. I don't think this is true for any other browser: e.g. when new vulnerabilities are discovered in Firefox they are patched quickly (Microsoft sits on bugs for months or years) and most user actually upgrade to the latest Fx version because they don't have to fear that a security upgrade will cripple their computer.

Re:Bullshit

[Runaway1956]

You get your IT news from the register? Coool!

More seriously - you link to that page, with words that seem to indicate there are a LOT of Firefox exploits in the wild. Care to name some? The IRC exploit only counts as one.

One more time, I'll point up Firefox's main advantage over IE: Vulnerabilities are made public, and people actually address the vulnerabilities as quickly as possible. Firefox exploits aren't hidden under a mountain of shit by some corporate boss, so that he hopes they can go away.

IMHO, Firefox is just about as safe as a browser can be, today, based on current knowledge. It ranks right up there with Chrome and Opera, and Safari, and Konqueror.

IMHO, Internet Explorer MIGHT be almost as secure - if and when people finally upgrade from IE6 to at least 7, and preferably 8. MIGHT BE. You'll notice that MS didn't publicize this newest vulnerability, until Google and others had already done so.

Re:

[abigsmurf]

http://www.google.co.uk/search?q=firefox+exploit [google.co.uk]

5 seconds of searching returns what looks like 3 seperate examples of unpatched bugs being exploited in the last year just on the first page.

Re:

[Xest]

To be fair I think his point was partially valid.

You're right that Firefox core has the advantage of public vulnerabilities, but the issue is that Firefox allows for non-sandboxed extensions, which are often proprietary (i.e. Flash) and so effectively leaves Firefox with the same issue.

Firefox certainly isn't as safe as any browser can be, simply because of the fact extensions are vulnerable in this manner.

I think what the UK gov is getting at is quite valid- not that IE has the same or less security flaws

Re:Bullshit

[icebraining]

That's NOT a Firefox exploit. That's Firefox send a normal HTTP request to a non-standard port (6667), and the IRC server *wrongly* interprets it as IRC protocol.

The only thing they say Firefox does "wrong" is actually connecting to a non-standard port, which I dispute: there are plenty of reasons to run webservers in non-standard ports, and I want to be able to connect to them.

Re:

[NoPane]

It really doesn't matter what browser they use, they will still copy unencrypted data onto CDs and then put them in the post, send unencrypted emails to each other, leave laptops and memory sticks on the train or if that fails, stand in front of photographers with confidential information showing. The 'Chinese' (or whoever) really don't need to bother with browser attacks.

No, WRONG

[omb]

1. This is the POLITICAL part of government and is as easily bought as ISO, maybe easier.

2. Look at the record of UK Government IT projects.

3. It is not IE that makes Windoze insecure, it is the OS and the design philosophy

-- COM is a security disaster

-- executing any vaguely executable rubbish based on its extension is a disaster

4. Backward compatibility, and a zillion features that assume an essentially insecure and trusted
world are a disaster. M$ has no way out.

Re:

[AftanGustur]

That's very likely true, as the stupidity of the user remains the weakest factor in security.

While that may be true, that is the right answer to a different question.

The original Question was:
To ask Her Majesty’s Government what discussions they have had with the governments of France and Germany about security risks of using Internet Explorer; and whether they will encourage public sector users to use another web browser. [HL1420]

The problem Google and others had was that they were not using "the latest and fully patched version of IE", but instead outdated but fully supported version

Re:Probably true, even.

[Geirzinho]

Users are the weakest link in the security chain. And the least trained users are normally those on the de facto standard of Windows with IE, which implies a higher infection rate on thos systems.

If we substitute eg. Firefox for IE as the default browser in Windows, unskilled users will still remain unskilled users. They will still follow any shady link they come over, some of which will undoubtedly manage to poke a hole in FF's security.

The challenge and solution to security in the current environment is to educate the "average person."

Re:

[JackieBrown]

Then maybe the default settings should be more secure and allow for the "more trained" users to weaken the security.

Honestly, if we know that the user is the weakest link, why isn't MS setting the defaults to compensate for that?

Re:Probably true, even.

[Geirzinho]

Let's assume for a second we've educated each and every single user and made them security conscious on the Internet. An educated user browses a site which contains an image that is constructed to exploit a security flaw in the browser without the user ever doing anything but viewing the image. Unknowingly the user's browser is compromised and in the hands of the attackers despite the fact that the user is well educated and security conscious, which means education alone is not the solution. Better software is the solution.

Absolutely. But what we stated was that, as of right now, users are the weakest link in the security chain. By educating users, you strengthen that link and make another link the weakest. Even so, you have by training improved the security of the system.

To get exploited in your scenario, assuming the user now sticks to "honest" sites and doesn't follow all email links) would require something like a web server exploit such a XSS. This is more difficult than simply tricking the user into executing a trojan.

Normally to safely cross the street you only need to look left and right to check for traffic, you don't have to look up for falling objects, you don't have to check the road for mines, tripwires or other booby traps, you don't have to check for sniper fire

We should not ignore software security just because the user is the weakest link. But to borrow your analogy: the problem today is that pedestrians don't look left and right before crossing the street. Training them to do this would save more lives than any piano transportation safety regulation.

Re:

[Runaway1956]

"So why it that using a browser should be any different?"

Because, morally speaking, if your computer is made into part of a botnet that eventually steals billions of dollars, incidentally wiping out the savings of Ma and Pa Kettle - you are responsible.

Secure your system. The law may not come after you to get Ma and Pa Kettle's money back, but you're still a snake for helping to rip them off.

Re:

[toQDuj]

But the study was on whether the implementation of other browsers beside IE would increase security. If the user is the weakest link, the choice of browser would not affect the level of security much. The user should be just as big a part of the security assessment as anything else, since testing the browser without the user will not give you a real-world risk level.

Re:

[toQDuj]

I'm just saying that your average government employee might not be the most savvy cookie in control of a browser.

"latest fully patched"

[Doviende]

Sorry, how many users are actually using the latest fully patched version of IE? Google is still trying desperately to phase out IE 6, of which there are still many users. Perhaps as a "neutral" gesture to throw MS a bone, they could make an announcement saying "Upgrade to the latest IE8, or to another browser such as Firefox, Chrome, etc. Your current version of IE is probably ass^H^H^Hinsecure".

Re:

[thetoadwarrior]

Microsoft is fine to go ahead and do things behind the users back but they won't force IE updates on people. If they would do this (and quit worrying about if they've pirated Windows before allowing them to get IE updates) then we would have fewer problems. For once can't they abuse their monopoly in a way that helps society?

*No* evidence?

[henrypijames]

It's one thing to say there is insufficient evidence, but *no* evidence?!

Re:

[MrMr]

If you've personally handled the evidence I can see a way in which you could truthfully claim that.
But I'm a cynic.

in case any other Americans are confused

[Trepidity]

In UK governmental English, "to table" apparently means something like "to propose" or "to bring up for consideration", almost exactly the opposite of the U.S. meaning, which is "to withdraw from further consideration".

I guess there's some international disagreement over whether this mythical table is where you put things to be considered, or where you put things to die. Perhaps to Britons, putting things on a table is officially proposing them, whereas to Americans, if it's on the table it's inert, and if you want it proposed, you had better have it in your hand waving it in someone's face.

Re:

[twisting_department]

Think about King Arthur and the Knights of The Round Table. Obviously questions were brought to the table, asked, answered and debated. Nothing "inert" about it. I guess any part of the history of our ancestors prior to the discovery of America is not taught over there very much.

Re:

[Tim C]

Perhaps to Britons, putting things on a table is officially proposing them

Well I don't know for sure, but I'd always assumed that it was from "to bring something to the table", which is a fairly common expression here in the UK. (Think meeting room table, and bringing something with you for consideration (or perhaps even a dining table))

Re:

[Trepidity]

Yeah, oddly, "to bring something to the table" is the same in US English. But "to table" something is the opposite--- to take it off the table, so to speak.

Re:

[Aldenissin]

Think of "to table" something as setting it down in US English, as opposed to putting it up on the table in the UK. Context clues help to make it clear, and I have heard it used the "UK" way in the US. E.G. "Alright, lets table that, what else have you got?" - Lets set it down and move on; "Good idea Frank! However keep in mind if we (put this on the) table this now, we wont have time for your other presentation." - What are we about to look at or talk about?

Re:

[TechyImmigrant]

'To table' has colloquial meaning that might change from place to place. However in both the US and UK, when you are operating under Roberts Rules or a variant of it, an item (e.g. motion) is 'on the floor' when its being discussed. Passing a motion 'To table' it is to figuratively take it from the floor (where people on the floor are discussing it) and place it on the table (so we don't forget it). A motion to take it from the table is a motion to bring it back to the floor for discussion. Sometimes the 't

Re:in case any other Americans are confused

[gigne]

Yes, indeed you are correct.

UK: To place an item on the agenda for discussion.
US: To remove the item from consideration.

In the UK we shelve discussion items when they are removed from consideration.

Re:

[Stuart Gibson]

Because we're tidier?

Re:in case any other Americans are confused

[TheRaven64]

Until we run out of shelves, then we table them until the table is cluttered, and then we floor them.

Re:

[Anonymous Coward]

Other countries don't play poker, apparently -- but even in that game winning is accomplished by putting card on the table and demonstrating which card one has.

I think American English use is misguided.

But then, I'm biased, I think the entire English language is braindamaged.

IE (on Windows) is safer than Firefox

[Manip]

A fully patched IE8 running on either Vista or Windows 7 is far safer than Firefox. Why?
  - Low privileged mode. IE8 runs with lower rights than the logged in user, Firefox doesn't...
  - DEP is turned on for IE8 by default. Firefox has to be added (or the "all applications" option).
  - IE8 patches can be deployed from the Domain very easily. Firefox on a corporate network is a pain in the butt...

Now I entirely grant that this is Microsoft's browser running on Microsoft's OS and thus it gains unfair advantages but that doesn't change the facts or reality of the situation.

Re:

[Anonymous Coward]

There are currently 23 unpatched advisories for IE 6.x http://secunia.com/advisories/product/11/
There are currently 10 unpatched advisories for IE 7.x http://secunia.com/advisories/product/11/
There are currently 3 unpatched advisories for IE 8.x http://secunia.com/advisories/product/11/

Advisories often contain multiple vulnerabilities. Doing a little quick math, that comes out to around 59 vulnerabilities (not an exact number, just a ballpark estimate) for those 3 versions of IE

This is compared to 0 unpatc

Re:

[trifish]

IE has something better. Learn something about Trusted Sites and the myriads of settings you can apply to them (like enabling scripting).

You can argue about easy of use, but that's not what you talked about. You talked about security. And blocking scripts on per-site basis (using lists) IS possible already in IE6.

Re:

[Anne Thwacks]

If you consider ~20% of people to be "almost nobody" then we might agree.

Maybe in your country. I very much doubt 20% of the UK population has even seen Vista or Win7.
In all probability IE6 usage in the UK exceeds Vista usage, and in Government institutions, IE6 usage probably exceeds all other browsers. Win2k is still widely used, and XP still being installed.

Lack of evidence shouldn't be a problem

[noidentity]

They just need grow suspicious of IE harboring WMDs. Then the lack of evidence wouldn't be a problem at all.

Internet Explorer is safe for them...

[AHuxley]

What would the cubicle spooks at the UK Government Communications Headquarters do without MS?
They would have to learn to hack real operating systems and would have messy logs to correct everytime.
No more UFO hunters with perl scripts.
Forward intelligence teams and community policing with their 'sneak and peek' anti gang, eco and domestic terrorist operations.
All the ex spooks selling back MS cracks, ip loggers, websites, tools with polished gui's at dreamy consulting fees.
Then you have the bureaucrat

There IS no evidence!

[guyminuslife]

The latest patched version of Internet Explorer fixed the bugs that Microsoft found. The latest patched version of other browsers fixed the bugs that other browser-manufacturers found. Ergo, there is no evidence that the latest patched version of Internet Explorer are less secure, since the officially "known" security features have been fixed.

In fact, there's no evidence that there are any bugs at all in the latest patched versions of any software ever written, unless the manufacturers have explicitly stated that there are. In which case, in order for policymakers to accept such a report, they would need to prove that this is the case, by lobbying the government to the effect that their software is inferior.

Re:

[Anonymous Coward]

Please forgive me if I'm wrong but I was under the impression Microsoft had know about this latest flaw for several months, but had deemed it not important enough to fix, so there IS evidence that they do not immediately fix all know security holes.

Re:

[guyminuslife]

I have no idea, I was going for "Funny" but somehow got "Insightful."

"Not please" Slashdot readers?

[Jane Q. Public]

I don't know why it would "not please" Slashdot readers. I am very pleased. That is the funniest thing I've read all week.

Nothing like a good laugh to start your morning.

Are these the same people....

[Joce640k]

Are these the same people who said IRAQ was full of WMDs and terrorists?

This is why...

[lattyware]

I fucking hate our government. Seriously. They just all appear compeltely incompetent.

Re:This is why...

[malkavian]

Probably because they are.
By "insufficient evidence" they usually mean "we've not heard enough to convince us". Which means "Someone was telling us stuff, but we don't really understand the field that they were trying to explain about. Instead of trying to understand the stuff we don't understand, we prefer to play nice with the money, because that tells us it's all good.".
The prime qualifications in Labour are history, classics, and a few Lawyers, advertising and marketing. Not really anyone with any solid scientific skills.
So, rather than work out the hard stuff, and make scientific dispassionate decisions which will make the country stronger and genuinely safer, they prefer to use rhetoric and assume that things work by fiat (we say the world works that way, ergo it does, because we say, which is why it lost pretty much the core of its drugs advisory group because the scientific advice of some highly qualified and internationally renowned people was completely ignored, and the opposite decision was made as policy, AND the politician hounded the scientist for not backing him up and twisting scientific results to fit into what he wanted things to be like).
I don't trust 'em as far as I can spit 'em. They need to understand scientific method, not empty rhetoric.

Possibly related to this...

[gilgongo]

... maybe:

http://www.computerweekly.com/Articles/2009/05/11/235953/Is-the-Microsoft-public-sector-deal-good-value-for-Britain.htm [computerweekly.com]

Missing the point

[sparky81]

"The reason for this statement by the UK government is very simple - it has intranet and business systems in virtually every government department which work only with IE. They frequently ridiculously old versions at that - IE6 take a bow - giving the lie to the "latest, fully patched" comment anyway. There is no way that the UK government is going to incur the conversion costs for these systems at this moment given the state of its books at the moment. Stating that IE was insecure would create an inexorable pressure to do exactly that. This statement has nothing to with security, and everything to do with internal government politics.

Re:Missing the point

[M-RES]

I was going to mention this very issue and you beat me to it. I know people who work in local government, both as 'users' of the in-house systems and 'sysadmins' on those same systems, and they all tell me how outdated their setups are. They're by and large using IE6 across the board, because the browser-based apps they use work in IE6 and if there's the slightest glitch in updating the browser they won't touch it - they just don't have the budget to deal with the issue and test it rolled out across such huge networks.

If it doesn't work someone would have to take the blame and we all know how civil servants do everything they can to avoid having any responsibility whatsoever for any decisions, hence the 'committee'. The committee provides plausible deniability wherein any single member can say "I didn't agree with the decision, but the committee decided...".

Welcome to the cosy sheltered world of civil service. People who work there genuinely couldn't survive in the 'real world' of private business/industry!

Is not talking about home user

[DaveGod]

The quote bears no reflection of any opinion on the security or quality of IE in general. The "user" being referred to in the quote is UK government staff, using UK government IT, and his response is wholly within that context. As is very often the case on Slashdot (and, to be fair, much of the media), the summary shifts the context slightly and then omits significant information and thus infers something other than what was communicated at the time.

Immediately after the quoted text, unmissable except by the most... Let's give the benefit of the doubt and say hurried of submitters and editors, is the following: (my emphasis added for the most hurried of Slashdot readers)

26 Jan 2010 : Column WA317

Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.

They're not using the correct research data

[bl8n8r]

only need to google it for chrissakes:
    IE ~ 1200: http://www.google.com/#hl=en&q= [google.com]"internet+explorer"+site%3Awww.us-cert.gov
    Firefox ~ 800: http://www.google.com/#hl=en&q= [google.com]"firefox"+site%3Awww.us-cert.gov

No wonder IE has no issues.

[cvtan]

Evidence was gathered on a Tuesday.

I could believe that

[RobertLTux]

"there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure."

So if you have Windows 7 with all patches and MSIE 8 with all patches
INCLUDING NONPUBLIC MICROSOFT INTERNAL PATCHES (to fix bugs not patched for yet)
then yes you could be just as safe as if you had another browser.

But what are the chances that somebody will be able to get all the patches without getting tagged?

Of course it will make people more secure

[DrXym]

In a monoculture the attack surface is large since everyone is using the same code and therefore vulnerable to the same bugs. Just moving users onto a mix of other browsers lowers the attack surface even if each individual browser has its own fair share of bugs.

IE or "the latest fully patched versions" of IE?

[jc42]

What I notice is that the headline and most of the discussion here talk about the security of "IE", while the Home Office said "the latest fully patched versions of Internet Explorer". There seems to be little understanding that these aren't synonyms.

But does anyone here work for an organization of any sort (government, industry, academia, whatever) that requires that everyone use "the latest fully patched versions of Internet Explorer"?

In all the cases that I know of, when there's such standardization, it's for releases that existed shortly before the standard was established. It's now years later, and the standard is still in place (though often violated by workers who want better security or more features).

A number of people have written about organizations that are still standardized on IE6 and don't permit upgrades to IE8. Is there any data available on how widespread this might be? In my experience, such data is hard to come by, since both governments and private corporations tend to be secretive about their inner workings.

So could the Home Office be pushing for upgrades to W7+IE8? Nah; I thought not.

Well excuse me. but i trust germans over brits in

[unity100]

matters like these. with their paranoid attention to detail, psychopathic inclination to procedure, and ungodly patience with working on intricate technical details, any word from germans in that area would trample any word from britain at any point for me.

the fact that u.k. government has been shitting and screwing up in every other field for the last 10 years does not help either.

Define "prove"

[CAIMLAS]

The level/degree of proof the UK government seems to be requiring for this is the 'scientific' type. For most things in life, statistical analysis tends to be enough.

What this guy said is akin to saying that North Korea has the strongest army in the world, because there's no proof to the contrary.

Pick any of these:

1) Lackluster/no security features.
2) Lack of improvement over the years. One of the cardinal rules for security is continual improvement.
3) Repeated exploit of said piece of crap.
4) Microsoft itself more-or-less admitting it's insecure and unrepairable - they effectively abandoned it years ago.
5) Anecdotal evidence from tens of thousands of computer repair types; I guarantee you IE is the vector for 9 out of 10 malware infections, and most of those are probably IE.

I'd wager they've been paid off. Anyone with even the slightest amount of intellect can look at the information available and determine that IE6 is rubbish. It's a hell of a lot less proof than most governmental bodies act - often, said bodies act in direct contradiction to the facts for the purpose of special interests money.

Re:

[atomic777]

I saw an idea somewhere that politicians these days should require NASCAR/Formula-1 style sponsor patches to be worn on their suits at all times, to indicate which corporations are funding their campaigns.

Then when someone says there is no evidence of IE being less secure, we can Look for the logo [microsoft.com]

Re:

[Eunuchswear]

Uh, why?

He asked a reasonable question.

It was the Home Office that gave the reply some people don't like, even if it is probably true.

Re:Lord Avebury.....

[jimicus]

It was the Home Office that gave the reply some people don't like, even if it is probably true.

Only on a technicality.

Technically, at this moment in time there are precisely no publicly known exploits for a fully patched up to date copy of IE, a fully patched up to date copy of Firefox or a fully patched up to date copy of Opera.

The fact that history has shown us that exploits for IE tend to show up more frequently, are often nastier than exploits for Firefox or Opera and are almost never dealt with in an out-of-cycle patch (and so will be exploitable for that much longer) is neither here nor there. This is absolutely typical of any UK government department (and probably the same in many Western countries) - when you're asked a question which you don't necessarily like, interpret it in a fashion which allows you to give an answer which you do like.

Admitting that IE may be more dangerous isn't in and of itself a huge problem but it may well invite a lot more questions like "How many internal government systems only work with IE?" - and I bet you anything you like the answer is not "Zero".

Re:

[Svartalf]

Admitting that IE may be more dangerous isn't in and of itself a huge problem but it may well invite a lot more questions like "How many internal government systems only work with IE?" - and I bet you anything you like the answer is not "Zero".

I do believe that the aforementioned quote is likely to be the source of the response from the Home Office there. The answer is probably going to be closer to "Most of them". That's not an answer people would like to hear at all- probably less than we want to hear t

Who else is going to do it?

[SmallFurryCreature]

We can't trust companies because they have obvious profit motives. Leaves only one thing.

We use governments to test the water, the food, the air, the cars, everything pretty much which is essential to our lives but we do not have individually the resources to test.

The government doesn't test my cooking (that is what kids are for) because I have means to test that myself (if the milk still comes out of the carton, it is fresh enough for guests) but I do not have the means to test a can of Coke I buy on the