Experts Say To Switch Browsers In Light of IE Vulnerability
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
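The bug class Microsoft describes in the summary above (an object released while the array that tracks it keeps its old length) can be shown with a simplified model. This is an added example, not Internet Explorer code and not part of the original post; `BindingArray`, `Obj` and the function names are hypothetical, and a `live` flag stands in for freed memory so the program never touches a real dangling pointer.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: a container that tracks bound objects. */
typedef struct { int id; int live; } Obj;          /* live == 0 stands in for "freed" */
typedef struct { Obj *items[8]; size_t len; } BindingArray;

static Obj pool[8];                                  /* static storage: nothing is really freed */

static void bind_all(BindingArray *a, size_t n) {
    a->len = n;
    for (size_t i = 0; i < n; i++) {
        pool[i].id = (int)i;
        pool[i].live = 1;
        a->items[i] = &pool[i];
    }
}

/* Flawed release: the object goes away, but the array still counts it. */
static void release_flawed(BindingArray *a, size_t idx) {
    a->items[idx]->live = 0;                         /* models free(obj) */
    /* a->len and a->items[idx] are left unchanged, so a stale entry remains */
}

/* Corrected release: drop the slot and shrink the length in the same step. */
static void release_fixed(BindingArray *a, size_t idx) {
    if (idx >= a->len) return;
    a->items[idx]->live = 0;
    memmove(&a->items[idx], &a->items[idx + 1],
            (a->len - idx - 1) * sizeof(Obj *));
    a->len--;
    a->items[a->len] = NULL;                         /* no leftover pointer past the end */
}

/* Counts entries inside len that refer to a released object. */
static size_t stale_entries(const BindingArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->items[i] == NULL || !a->items[i]->live) n++;
    return n;
}

/* Binds four objects, releases the second, and reports stale entries. */
size_t demo(int use_fixed) {
    BindingArray a;
    bind_all(&a, 4);
    if (use_fixed) release_fixed(&a, 1); else release_flawed(&a, 1);
    return stale_entries(&a);
}

int main(void) { return (demo(0) == 1 && demo(1) == 0) ? 0 : 1; }
```

With the flawed release, any later loop over `len` entries still reaches the released object; the corrected release keeps the length and the contents consistent, so no such entry exists.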
Wrong summary (Score:5, Informative)
I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.
Now, if you don't mind, I'll go back to my nap.
No, Microsoft did NOT say to use another browser (Score:5, Informative)
RTFA.
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Uhhh, no... (Score:5, Informative)
Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.
FTA:
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.
Re:Wrong summary (Score:3, Informative)
Re:Is any browser safe? (Score:3, Informative)
Re:Those that haven't already changed... (Score:5, Informative)
http://www.frontmotion.com/Firefox/ [frontmotion.com]
Like this?
Re:Is any browser safe? (Score:5, Informative)
Neither is Internet Explorer. There is nothing about IE that has anything to do with the kernel. Your confusion lies in the fact that you confuse "operating system" specifically with "kernel" which is not completely correct. Absolutely no part or component of Internet Explorer resides in privileged memory.
Internet Explorer, however, is a part of the operating system in that a number of the libraries used in Internet Explorer the browser are modular and can be used through other applications, both first party and third party. Various components of the Explorer shell, such as Active Desktop, are accomplished through hosting the HTML renderer of Internet Explorer. Many applications also rely on those libraries for a variety of functions from rendering HTML to performing simple FTP commands. They could use other means to accomplish the same tasks, but the Internet Explorer API makes it exceedingly easy.
So, no component of Internet Explorer is hosted within the kernel at all. However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.
Note that this vulnerability also does not impact Internet Explorer 7.0 on Windows Vista running within Protected Mode. Yes, the vulnerability can still be exploited and the arbitrary code executed but that code will be contained within a fairly tight sandbox which lacks the privileges to write data to any location, including the user's own profile, even if the current user is running as Administrator. Google Chrome on Windows Vista is the only other browser to use this functionality. No browser can completely prevent buffer overruns in loaded native plug-ins, but browsers may mitigate the effects by sandboxing themselves. Other browsers should take note and follow suit.
Re:Vulnerability (Score:4, Informative)
I just tried at my work computer, it opens Firefox on WinXP. I guess that's because Firefox is my default browser.
Re:Those that haven't already changed... (Score:2, Informative)
From that website:
(not part of Mozilla Foundation)
Which is the same as nothing for any big business.
Re:Those that haven't already changed... (Score:3, Informative)
Re:Wrong summary (Score:2, Informative)
But Microsoft counselled against taking such action. "I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Re:Is any browser safe? (Score:5, Informative)
IE never was "welded to the kernel."
IE exports a COM object, which lets developers add HTML rendering to an application with one line of code. So, that's one reason why they don't want you uninstalling it - HTML rendering is something a lot of Windows applications are expecting the OS to export.
The closest it came to "welded to the kernel" was Active Desktop where the Windows shell used it to render a web page on your desktop. I think it was also used if you had an HTML background for folders, too. Not sure what happened to it in XP or Vista.
About the only things that count as kernel-welded in Windows land are device drivers and services, of which IE is neither.
Re:In other news ... (Score:5, Informative)
so it's not actually Microsoft that's suggesting that people switch browsers, Microsoft has only "urged people to be vigilant while it investigated and prepared an emergency patch to resolve it."
Not MS, it's Trend (Score:3, Informative)
"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."
Then
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
So NO, it's not Microsoft who recommends switching browsers, they even say
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
I wanted to clarify it since the story wasn't that clear...
Re:Is any browser safe? (Score:2, Informative)
First, that's really old. Second, if you go by the root of the browsers, Firefox has its root in development that was even less secure than IE. Third, if you have IE in protected mode with memory protection enabled, even if it has all the buffer overflows you can imagine, the worst an attacker can do is look at your temp files. I'd hardly say this isn't made with security in mind...
Unfortunately, not practical (Score:4, Informative)
As much as I'd like to push out firefox for my users, I have many users in a domain environment with mapped applications directory; firefox is simply unmanageable in this environment.
Of all the improvements they are making in firefox, they are ignoring a potentially very large audience by not including some way to manage the browser in a corporate environment.
Re:In other news ... (Score:2, Informative)
When a matter is covered by a liquid such as water, that matter becomes wet.
Yes, the Pope, on the other hand, does have to have the attribute "catholic==YES", otherwise it won't work (whatever "it" it is).
Re:Microsoft should just scrap IE (Score:2, Informative)
Huh... well it might not act like svn, because it's not a version control system. You seem to horribly misunderstand what sharepoint is.
Re:Is any browser safe? (Score:3, Informative)
Re:Those that haven't already changed... (Score:5, Informative)
sounds like a stereotypical trojan/adware/malware infection. at least all you're getting are pop-ups. the last one i had to deal with at work also used DNS-hijacking to redirect any webpage request to their spam (porn) site, preventing any web surfing. to make things worse, it wouldn't even allow the user to run certain programs, like notepad, Hijack This!, Internet Explorer (this malware targeted Firefox).
a fresh install is probably the easiest/quickest way to fix it, but it's not the only solution. with a little sleuthing (Windows Task Manager & Hijack This!) you can usually identify the file & process name(s) of the malware. all the times i've had to deal with that sort of thing, i found the solution in forum discussions on tech support sites (found by googling the file/process name of the trojan). if you're lucky, someone will have made a cleaner program for that particular malware program.
one of the more frequently encountered malware/adware programs is SmitFraud [wikipedia.org]. that's one i've encountered several times. it cannot be removed by AV programs or spyware/malware removers (though it'll try to get you to purchase and install rogue AV/Anti-Spyware programs). if you do have SmitFraud, then your best shot is SmitFraudFix [urz.free.fr].
Re:another OS (Score:2, Informative)
NoScript plugin in firefox (Score:1, Informative)
Re:Microsoft should just scrap IE (Score:3, Informative)
IE has tons of backwards-compatibility cruft. They can't just yank it; there'd be thousands of apps that literally couldn't run because they depended on some obscure IE feature.
That said, Microsoft *does* have an excellent (if slow) rendering engine named Orcas. As opposed to IE's engine, named Trident. It's used for their also-excellent Expression Web product. And, I think, Visual Studio, but I don't have that installed so don't quote me on that.
Re:Red header (Score:3, Informative)
A changelog would imply they're following some kind of "design" or "plan" when they're clearly not. They make changes to people using the "version 1 discussion system" obviously intended for users of the "version 2 discussion system", like the Users page. They randomly break things, then half-repair them. i.e. listing the wrong content (submitted articles), then 'fixing' it by showing the intended content (recently posted comments) wrongly (incorrect scores).
Oh, and they're owned by the company that runs SourceForge, the site that frequently looks like this: http://schend.net/images/screenshots/slashdot/sourceforge_blank_window.png [schend.net] or this: http://schend.net/images/screenshots/slashdot/sourceforge_wish_it_was_a_blank_window.png [schend.net]
Slashdot seems to be a classic DailyWTF-esque "Developmestuction" environment: http://thedailywtf.com/Articles/The_Developmestuction_Environment.aspx [thedailywtf.com]
There isn't anybody at the entire Sourceforge/Slashdot corporate entity I'd call a "web developer".
What a crock of bullshit title (Score:3, Informative)
"Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched."
Then
According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
So, which is it?
It's bullshit editing like this that keeps slashdot and other sites like it from being taken seriously by anyone other than the fervent geeks that perpetuate it. Seriously.
When a title and a summary both contain conflicting statements, the article shouldn't even run.
--Toll_Free
Summary wording flawed (Score:3, Informative)
The article linked in the text "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while" quotes a Trend Micro spokesman advising users to switch and a Microsoft spokesman explicitly saying he can't advise users to switch over one flaw. This contradicts the summary text.
Re:In other news ... (Score:3, Informative)
If you actually read about the Nontrinitarians at your link, you'll see that no original Nontrinitarian churches (e.g. Arians or Cathars) have survived to this day - they have been pretty much wiped out as the enemy of the religion and of the state. The list of the groups in that article really says it all - they are all fringe splinter groups (sometimes splinter groups from fringe groups, even).
So, yes, it is just a collection of oddball sects. Even more so as they don't actually form a single denomination - last I checked, Doukhobors didn't recognize the LDS, the LDS didn't recognize Jehovah's Witnesses, and so on.
Sure it is - mainstream Christianity as a whole is a heavily politicized, Roman-influenced religion, ever since Constantine made it the state religion of the Empire!