It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
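The bug class described in Microsoft's statement (an object released while the array's recorded length stays unchanged) can be modelled in a few lines of C. This is an added example, not code from the story, from Microsoft or from Internet Explorer; the record type, the fixed-size pool, and every function name are assumptions made for illustration, and a pool is used instead of malloc/free so that the stale slot can be inspected safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4
#define MAX_ITEMS 4

/* Constructed stand-in for a bound data object; not IE's real type. */
typedef struct {
    int  live;        /* 1 while allocated, 0 once released */
    char value[16];
} record_t;

/* Fixed pool (assumption): released storage is handed out again, as a heap would. */
static record_t pool[POOL_SIZE];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

static record_t *record_alloc(const char *value) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            strncpy(pool[i].value, value, sizeof pool[i].value - 1);
            pool[i].value[sizeof pool[i].value - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void record_free(record_t *r) {
    r->live = 0;
    memset(r->value, 0, sizeof r->value);
}

typedef struct {
    record_t *items[MAX_ITEMS];
    size_t    length;  /* slots in [0, length) are treated as valid */
} binding_array_t;

int binding_add(binding_array_t *a, const char *value) {
    if (a->length >= MAX_ITEMS) return -1;
    record_t *r = record_alloc(value);
    if (r == NULL) return -1;
    a->items[a->length++] = r;
    return 0;
}

/* Flawed release: the object goes away, but the slot and the length are
   left untouched, so items[idx] still looks valid to every caller. */
void binding_release_flawed(binding_array_t *a, size_t idx) {
    if (idx >= a->length) return;
    record_free(a->items[idx]);
}

/* Corrected release: free, close the gap, shrink length, clear the tail. */
void binding_release_fixed(binding_array_t *a, size_t idx) {
    if (idx >= a->length) return;
    record_free(a->items[idx]);
    memmove(&a->items[idx], &a->items[idx + 1],
            (a->length - idx - 1) * sizeof a->items[0]);
    a->length--;
    a->items[a->length] = NULL;
}

/* Invariant check: number of in-range slots that reference a released
   record. A consistent array always reports 0. */
size_t binding_count_stale(const binding_array_t *a) {
    size_t stale = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->live) stale++;
    return stale;
}

/* Three rows, release the middle one, report the stale-slot count. */
size_t demo_stale_after(int use_fixed) {
    binding_array_t a = {0};
    pool_reset();
    binding_add(&a, "row-0");
    binding_add(&a, "row-1");
    binding_add(&a, "row-2");
    if (use_fixed) binding_release_fixed(&a, 1);
    else           binding_release_flawed(&a, 1);
    return binding_count_stale(&a);
}

/* Returns 1 if, after the flawed release, the stale slot exposes data
   written by an unrelated later allocation that reused the storage. */
int demo_stale_slot_sees_reuse(void) {
    binding_array_t a = {0};
    pool_reset();
    binding_add(&a, "row-0");
    binding_add(&a, "row-1");
    binding_release_flawed(&a, 1);
    record_t *other = record_alloc("unrelated");
    return other == a.items[1] && strcmp(a.items[1]->value, "unrelated") == 0;
}

int main(void) {
    printf("stale slots, flawed release: %zu\n", demo_stale_after(0));
    printf("stale slots, fixed release:  %zu\n", demo_stale_after(1));
    printf("stale slot sees reused data: %d\n", demo_stale_slot_sees_reuse());
    return 0;
}
```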
by Anonymous Coward
on Tuesday December 16 2008, @09:19AM (#26132081)
last time I checked, *my* pope was orthodox. or to be more precise, Pope and Patriarch of All Africa on the Holy Orthodox and Apostolic Throne of Saint Mark the Evangelist and Holy Apostle.
that's all news that is true, this article is not actually true:
Said [Trend Micro's] Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
He added: "We're trying to get this resolved as soon as possible."
so it's not actually Microsoft that's suggesting that people switch browsers, Microsoft has only "urged people to be vigilant while it investigated and prepared an emergency patch to resolve it."
by Anonymous Coward
on Tuesday December 16 2008, @09:19AM (#26132089)
Yea but the ones that they support and frequently think it's a good idea to click on the 'Hit the target to get a free iPod' ad is a good idea.
My wife has just come over to me (she listens to Radio 1) and told me that I need to install another browser on all our machines.. I guess she has never noticed that we are a Ubuntu household!!
At least the message is getting across to normal non techie users at the moment that IE is bad..
Speaking as an institutional IT underling, a Mozilla created MSI for Firefox would be really, really handy. As would a mechanism for installing extensions and updates in a more manageable way. Here, at any rate, there is no real opposition to FF per se; but deployment has, thus far, mostly foundered. "Well, IE updates can be deployed within the system with WSUS, FF updates will happen per machine and be blocked by the firewall, and there is no way in hell we'll be able to keep all the machines updated manually." Which is largely true.
Now, this mostly comes down to the fact that Windows doesn't have anything nearly as nice as real package management(WSUS for MS apps and drivers only is the closest they really come), so apps end up rolling their own with varying degrees of success, which sucks. If we were running *nix this wouldn't be an issue. Unfortunately, that isn't really my option. If FF had a decently manageable MSI option, I'd probably install it on all user machines tomorrow; but until then I'll have to stick with using it on a more limited scale(You think I would use IE for anything beyond the broken intranet stuff?)
Yes, but it's often many days out of sync with the official releases. In more bureaucratic organizations you're not going to get some random 3rd party build of an application that handles as much sensitive data as a web browser approved.
Mozilla needs to realize that wider corporate adoption requires easy manageability. MSI + Group Policy Template FROM MOZILLA would be huge.
The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae.
Can't you open any folder and then enter the URL in the address bar?
Running web content in a sand boxed environment is exactly one of the features Google emphasized with Chrome. Web content is inherently untrustworthy so this is a smart move. It's sort of like wearing a web-condom: used to be that going bare-browser was mostly safe as long as you were careful who you interacted with, but nowadays even the pretty ones can burn you, so your best bet is to just wrap your tool... with a sandbox. (I'm still working on the analogy)
by Anonymous Coward
on Tuesday December 16 2008, @10:00AM (#26132635)
Neither is Internet Explorer. There is nothing about IE that has anything to do with the kernel. Your confusion lies in the fact that you confuse "operating system" specifically with "kernel" which is not completely correct. Absolutely no part or component of Internet Explorer resides in privileged memory.
Internet Explorer, however, is a part of the operating system in that a number of the libraries used in Internet Explorer the browser are modular and can be used through other applications, both first party and third party. Various components of the Explorer shell, such as Active Desktop, are accomplished through hosting the HTML renderer of Internet Explorer. Many applications also rely on those libraries for a variety of functions from rendering HTML to performing simple FTP commands. They could use other means to accomplish the same tasks, but the Internet Explorer API makes it exceedingly easy.
So, no component of Internet Explorer is hosted within the kernel at all. However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.
Note that this vulnerability also does not impact Internet Explorer 7.0 on Windows Vista running within Protected Mode. Yes, the vulnerability can still be exploited and the arbitrary code executed but that code will be contained within a fairly tight sandbox which lacks the privileges to write data to any location, including the user's own profile, even if the current user is running as Administrator. Google Chrome on Windows Vista is the only other browser to use this functionality. No browser can completely prevent buffer overruns in loaded native plug-ins, but browsers may mitigate the effects by sandboxing themselves. Other browsers should take note and follow suit.
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
FTA:
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.
As much as I'd like to push out firefox for my users, I have many users in a domain environment with mapped applications directory; firefox is simply unmanageable in this environment.
Of all the improvements they are making in firefox, they are ignoring a potentially very large audience by not including some way to manage the browser in a corporate environment.
For all Slashdot's leanings toward open source and hatred of all things Microsoft or proprietary, does anyone else find that Slashdot itself acts like a closed source company?
You mean like how they host the code that runs their site on a publicly available CVS server and FTP site? Open source means that you can modify the code however you want, not that other people will modify the code however you want.
Sure, but I think the more valid point (the one the parent was trying to make) is that /. would do well to have some sort of Changelog page that also includes changes to come. This way, folks aren't "adjusting their television sets" when the feature du jour makes an appearance. They'll have a place to RTFM.
I have nothing against "AJAX", I just have this thing against "ugly."
Slashdot had a huge competition to design a new look only a couple of years ago, and it actually looked pretty good for a long time. Then, relatively recently, they've decided they wanted to add dynamic features, and the look has gone into the crapper. The only recourse is to keep Slashdot set to "Classic" appearance, which is less vomit-inducing, but the "version 2" appearance keeps leaking in.
and probably a dozen others I've noticed but not bothered to submit. (BTW, if anybody at Slashdot tells you to submit your issue as a bug report to get it looked at, they're lying. They never look at bug reports.)
In other news ... (Score:5, Funny)
Water still wet.
Pope still Catholic.
Re:In other news ... (Score:5, Funny)
and chairs still fly
Parent
Re:In other news ... (Score:5, Funny)
and chairs still fly
Not this week, I heard the chair budget got cut on account of increased costs from the United Union of Broken Windows.(Look hard for the double meaning there)
Parent
Re:In other news ... (Score:5, Insightful)
Parent
Re:In other news ... (Score:4, Funny)
happy flamebait!
Parent
Re:In other news ... (Score:5, Funny)
Otherwise known as "Leroy".
Parent
another OS (Score:4, Interesting)
Next week's news: "Microsoft experts" advise users to temporarily switch to a different OS, as they prepare to roll out Windows 7... ... jokes aside I haven't been THAT peeved with Vista. The interface is awkward, file transfers are dramatically slower than Ubuntu, and downloading a file over the internet invokes a 20 second freeze in Firefox. Other than that, it seems more stable than XP, and is responsive enough on my recently upgraded desktop.
It has been relegated to a game console status though, at least for me.
Parent
Re:another OS (Score:4, Insightful)
"PEBKAC - problem existing between keyboard and chair".
Ahhh okay. I don't see how Firefox freezing for twenty seconds is a problem caused by the user. Why do you blame the user and not the programmers?
Parent
Re:In other news ... (Score:5, Informative)
Parent
Re:In other news ... (Score:5, Insightful)
Which is what Microsoft always says: You're gonna get screwed if you use our crappy browser, but at least we warned you.
No software is perfect, and everything has security flaws, but it seems to me, even 8 years after Microsoft (claimed they) took a serious position on security, they still seem to have an order of magnitude more problems than everyone else. Yeah, I know, they're the biggest target, but for crying out loud, Google wrote chrome from scratch* in less time than IE7 was in beta (or if not, it wasn't too far off) and came up with a browser that blows away IE in every single way except the number of desktops that have it installed.
Microsoft is at the point where they can do little but admit that there's nothing constructive they can do any more. It's been obvious for years to people in the know, but they've reached a point of diminishing returns: It obviously takes more effort to keep their bloated corpse of an operating system (and its 10-years-out-of-date browser) just working and free of 0-day exploits (leave alone catching up with the competition) than it would be to start over like Apple did with OSX.
How much longer will it take for MS to wake up? When the amount of effort needed for them to keep Windows limping along exceeds the man-power of the entire planet? It probably won't begin until the chair-tosser-in-chief is gone, and then it will take years for them to recover. It used to be that Microsoft put as much effort into maintaining their monopoly as they did in their software. Now it seems maintaining their monopoly receives all but the smallest fraction of attention. The rest goes to plugging holes in the about-to-collapse dyke.
* For certain values of "from scratch"
Parent
Re:In other news ... (Score:5, Funny)
A: A physics-nazi that feels compelled to scrutinize the minutiae of jokes.
Parent
Those that haven't already changed... (Score:5, Insightful)
Re:Those that haven't already changed... (Score:5, Interesting)
Parent
Re:Those that haven't already changed... (Score:5, Insightful)
Parent
Re:Those that haven't already changed... (Score:5, Funny)
I won one of these a few days ago. Just to let you know, they don't actually give you an iPod directly. Instead, they ask for your bank account information and deposit $250 (they say it's for tax purposes). I should be getting my money any day now!
Parent
Re:Those that haven't already changed... (Score:5, Informative)
sounds like a stereotypical trojan/adware/malware infection. at least all you're getting are pop-ups. the last one i had to deal with at work also used DNS-hijacking to redirect any webpage request to their spam (porn) site, preventing any web surfing. to make things worse, it wouldn't even allow the user to run certain programs, like notepad, Hijack This!, Internet Explorer (this malware targeted Firefox).
a fresh install is probably the easiest/quickest way to fix it, but it's not the only solution. with a little sleuthing (Windows Task Manager & Hijack This!) you can usually identify the file & process name(s) of the malware. all the times i've had to deal with that sort of thing, i found the solution in forum discussions on tech support sites (found by googling the file/process name of the trojan). if you're lucky, someone will have made a cleaner program for that particular malware program.
one of the more frequently encountered malware/adware programs is SmitFraud [wikipedia.org]. that's one i've encountered several times. it cannot be removed by AV programs or spyware/malware removers (though it'll try to get you to purchase and install rogue AV/Anti-Spyware programs). if you do have SmitFraud, then your best shot is SmitFraudFix [urz.free.fr].
Parent
Re:Those that haven't already changed... (Score:5, Insightful)
I was listening to BBC Radio 1, and they had a news item about it this morning. But I think GP is right - I can't imagine it will make many users switch. However, as more and more people within the technical community become jaded with the consistent poor quality in Microsoft's offerings, MS will inevitably lose mind-share, and hence their stranglehold on the industry will loosen.
It's this sort of thing that made me switch over to Linux a year ago. I haven't looked back.
Parent
Re:Those that haven't already changed... (Score:5, Funny)
Parent
Non technical users are getting the message. (Score:5, Interesting)
In BBC Radio 5 Live an MS representative was giving the suggested steps to protect Windows machines, the full 4 of them.
The newsreader and presenter, Anita Anand [bbc.co.uk] asked if it would not be easier just to switch to another browser.
The MS guy replied with the platitudes to be expected, the important point is that mainstream non technical media are getting the idea.
Parent
Re:Those that haven't already changed... (Score:5, Insightful)
Corps won't change either, cause their most computer-illiterate users happen to be their CIO and his/her underlings.
If something huge happens, FF may actually get into corps even without a Mozilla-created, Corp-approved MSI package.
Parent
Re:Those that haven't already changed... (Score:5, Interesting)
Parent
Re:Those that haven't already changed... (Score:5, Informative)
http://www.frontmotion.com/Firefox/ [frontmotion.com]
Like this?
Parent
Re:Those that haven't already changed... (Score:5, Insightful)
Parent
Vulnerability (Score:5, Insightful)
The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae. I seldom format & install windows now, unlike before I took that measure.
Re:Vulnerability (Score:5, Funny)
This is to prevent unfit users from not using one of the other browsae.
for everyone's sake, I hope that's a fucking typo.
Parent
Re:Vulnerability (Score:5, Funny)
This is to prevent unfit users from not using one of the other browsae.
for everyone's sake, I hope that's a fucking typo.
No it's not a typo, there are many wordae like that.
Parent
Re:Vulnerability (Score:4, Informative)
I just tried at my work computer, it opens Firefox on WinXP. I guess that's because Firefox is my default browser.
Parent
Microsoft should just scrap IE (Score:4, Insightful)
Just start over. The thing's a chunk of crap that doesn't render stuff properly and must be a nightmare to maintain.
Pick another rendering engine - WebKit or Gecko - and build a browser around it. Maybe provide IE classic for those poor schmucks who are at jobs with crappily coded intranet apps full of client side VBScript, but don't make it the default.
Re:Microsoft should just scrap IE (Score:5, Insightful)
They won't, because there are only two things shoring up their critical desktop OS monopoly in the enterprise at this point: Office and IE.
User and developer dependencies on IE's peculiarities make not having access to Windows inconvenient. Microsoft's own web software is designed to provide users of alternative browsers with an inferior experience.
Keeping those "poor schmucks" dependent on IE is worth a great deal of money to MS.
Parent
Re:Microsoft should just scrap IE (Score:5, Insightful)
Yeah, believe me, I've done a lot of corporate consulting, and there's plenty of places with stuff that they'd have to recode to move off IE. Stuff that uses client side VBScript and extensive ActiveX controls. Sometimes it's 3rd party apps from a timesheet system vendor or whatever.
It already works. So why recode just to make the computer geeks happy?
Parent
Re:Microsoft should just scrap IE (Score:4, Interesting)
So why recode just to make the computer geeks happy?
Who cares about the computer geeks?
Recode to make the Chief Security Officer happy.
Parent
Is any browser safe? (Score:5, Interesting)
Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.
Just a thought.
Re:Is any browser safe? (Score:5, Insightful)
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.
Parent
Re:Is any browser safe? (Score:5, Funny)
...use separate sandboxed browsers for finance vs email vs ... vs porn browsing.
Fixed that for you.
Parent
Re:Is any browser safe? (Score:5, Insightful)
Few browsers enable privilege escalation like IE does on a regular basis.
Parent
Re:Is any browser safe? (Score:4, Insightful)
Parent
Re:Is any browser safe? (Score:5, Insightful)
Firefox to me is more secure in a way because it usually has security patches released within 48 hours or so after a 0-day exploit, sometimes even within 24 hours. Microsoft on the other hand has been known to leave 0-day exploits unpatched for months.
Also, Microsoft patches have to wait for their nightly automatic install or when a user shuts down their PC. I believe Firefox checks every time it is launched for updates and installs them. The odds are, you are going to get patched quicker using Firefox than IE.
Parent
Re:Is any browser safe? (Score:5, Informative)
Re:Is any browser safe? (Score:5, Informative)
IE never was "welded to the kernel."
IE exports a COM object, which lets developers add HTML rendering to an application with one line of code. So, that's one reason why they don't want you uninstalling it - HTML rendering is something a lot of Windows applications are expecting the OS to export.
The closest it came to "welded to the kernel" was Active Desktop where the Windows shell used it to render a web page on your desktop. I think it was also used if you had an HTML background for folders, too. Not sure what happened to it in XP or Vista.
About the only things that count as kernel-welded in Windows land are device drivers and services, of which IE is neither.
Wrong summary (Score:5, Informative)
I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.
Now, if you don't mind, I'll go back to my nap.
I'm no fan of MS... (Score:4, Insightful)
.. in fact I'm a diehard linux fanman (too old to be a fanboi!)
But even I'm getting sick of the hysterical anti MS reaction every single time some exploit appears for some or other program. Some people, particularly media commentators, need to get a sense of perspective and understand that no complex piece of software can really ever be bug free and these sorts of errors will creep in occasionally. Who here who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine? Probably all of us. So look around you to spot the glass before you start chucking any stones!
Re:I'm no fan of MS... (Score:4, Insightful)
Do you have anything more recent than 10 years ago?
It's not unreasonable, after all the security improvements that have been put into Vista, that the prevailing attitude may have changed somewhat in a decade.
No, Microsoft did NOT say to use another browser (Score:5, Informative)
RTFA.
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Uhhh, no... (Score:5, Informative)
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
FTA:
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.
Unfortunately, not practical (Score:4, Informative)
As much as I'd like to push out firefox for my users, I have many users in a domain environment with mapped applications directory; firefox is simply unmanageable in this environment.
Of all the improvements they are making in firefox, they are ignoring a potentially very large audience by not including some way to manage the browser in a corporate environment.
Re:Red header (Score:5, Insightful)
I guess some good came out of it after all.
Re:Red header (Score:5, Insightful)
For all Slashdot's leanings toward open source and hatred of all things Microsoft or proprietary, does anyone else find that Slashdot itself acts like a closed source company?
You mean like how they host the code that runs their site on a publicly available CVS server and FTP site? Open source means that you can modify the code however you want, not that other people will modify the code however you want.
Re:Red header (Score:5, Insightful)
Sure, but I think the more valid point (the one the parent was trying to make) is that ./ would do well to have some sort of Changelog page that also includes changes to come. This way, folks aren't "adjusting their television sets" when the feature du jour makes an appearance. They'll have a place to RTFM.
Re:Red header (Score:5, Funny)
Obama performs stupid /. changelog tricks with Ubuntu!
Frontpage material
Re:Red header (Score:5, Interesting)
I have nothing against "AJAX", I just have this thing against "ugly."
Slashdot had a huge competition to design a new look only a couple of years ago, and it actually looked pretty good for a long time. Then, relatively recently, they've decided they wanted to add dynamic features, and the look has gone into the crapper. The only recourse is to keep Slashdot set to "Classic" appearance, which is less vomit-inducing, but the "version 2" appearance keeps leaking in.
See, for example, these bugs:
https://sourceforge.net/tracker2/?func=detail&aid=2144813&group_id=4421&atid=104421 [sourceforge.net]
https://sourceforge.net/tracker2/?func=detail&aid=2159787&group_id=4421&atid=104421 [sourceforge.net]
https://sourceforge.net/tracker2/?func=detail&aid=2348173&group_id=4421&atid=104421 [sourceforge.net]
https://sourceforge.net/tracker2/?func=detail&aid=1939546&group_id=4421&atid=104421 [sourceforge.net]
https://sourceforge.net/tracker2/?func=detail&aid=1939531&group_id=4421&atid=104421 [sourceforge.net]
and probably a dozen others I've noticed but not bothered to submit. (BTW, if anybody at Slashdot tells you to submit your issue as a bug report to get it looked at, they're lying. They never look at bug reports.)