Experts Say To Switch Browsers In Light of IE Vulnerability 455
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
Those that haven't already changed... (Score:5, Insightful)
Vulnerability (Score:5, Insightful)
The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae. I seldom format & install windows now, unlike before I took that measure.
Microsoft should just scrap IE (Score:4, Insightful)
Just start over. The thing's a chunk of crap that doesn't render stuff properly and must be a nightmare to maintain.
Pick another rendering engine - WebKit or Gecko - and build a browser around it. Maybe provide IE classic for those poor schmucks who are at jobs with crappily coded intranet apps full of client side VBScript, but don't make it the default.
Re:Red header (Score:5, Insightful)
I guess some good came out of it after all.
Re:Those that haven't already changed... (Score:5, Insightful)
Re:Those that haven't already changed... (Score:5, Insightful)
Corps won't change either, cause their most computer-illiterate users happens to be their CIO and his/her underlings.
If something huge happens, FF may actually get into corps even without a Mozilla-created, Corp-approved MSI package.
I'm no fan of MS... (Score:4, Insightful)
.. in fact I'm a diehard linux fanman (too old to be a fanboi!)
But even I'm getting sick of the hysterical anti MS reaction every single time some exploit appears for some or other program. Some people particularly media commentators need to get a sense of perspective and understand that no complex piece of software can really ever be bug free and these sorts of errors will creep in occasionally. Who hear who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine? Probably all of us. So look around you to spot the glass before you start chucking any stones!
Re:Those that haven't already changed... (Score:5, Insightful)
I was listening to BBC Radio 1, and they had a news item about it this morning. But I think GP is right - I can't imagine it will make many users switch. However, as more and more people within the technical community become jaded with the consistent poor quality in Microsoft's offerings, MS will inevitably loose mind-share, and hence their strangle hold on the industry will loosen.
It's this sort of thing that made me switch over to Linux a year ago. I haven't looked back.
Re:Is any browser safe? (Score:2, Insightful)
Re:Is any browser safe? (Score:5, Insightful)
So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.
Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.
Re:I'm no fan of MS... (Score:2, Insightful)
So look around you to spot the glass before you start chucking any stones!
The problem is that this isn't some little application. There are 750 MILLION users of IE. Each user will have paid somewhere between $20 and $200 for the privalege of using their bundled browser - and Microsoft is rich! beyond the dreams of avarice.
Is it wrong for us to expect a little quality in IE? Especially considering the number of users, it's importance as an app, and the amount of cash MS has?
Re:I'm no fan of MS... (Score:3, Insightful)
Heh... You'd just have other exploitable issues, either within the Java JVM or in poorly written code- just not the same class of them. I don't place blind faith in a language to clean up after myself.
Re:Is any browser safe? (Score:5, Insightful)
Few browsers enable privilege escalation like IE does on a regular basis.
Re:Is any browser safe? (Score:4, Insightful)
Re:Microsoft should just scrap IE (Score:5, Insightful)
They won't, because there are only two things shoring up their critical desktop OS monopoly in the enterprise at this point: Office and IE.
User and developer dependencies on IE's peculiarities makes not having access to Windows inconvenient. Microsoft's own web software are designed to provide users of alternative browsers with inferior experience.
Keeping those "poor schmucks" dependent on IE is worth a great deal of money to MS.
Re:Is any browser safe? (Score:5, Insightful)
Firefox to me is more secure in a way because it usually has security patches released within 48 hours or so after a 0-day exploit, sometimes even within 24 hours. Microsoft on the other hand has been known to leave 0-day exploits unpatched for months.
Also, Microsoft patches have to wait for their nightly automatic install or when a user shuts down their PC. I believe Firefox checks every time it is launched for updates and installs them. The odds are, you are going to get patched quicker using Firefox then IE.
Re:I'm no fan of MS... (Score:3, Insightful)
Re:Microsoft should just scrap IE (Score:5, Insightful)
Yeah, believe me, I've done a lot of corporate consulting, and there's plenty of places with stuff that they'd have to recode to move off IE. Stuff that uses client side VBScript and extensive ActiveX controls. Sometimes it's 3rd party apps from a timesheet system vendor or whatever.
It already works. So why recode just to make the computer geeks happy?
Re:another OS (Score:4, Insightful)
"PEBKAC - problem existing between keyboard and chair".
Ahhh okay. I don't see how Firefox freezing for twenty seconds is a problem caused by the user. Why do you blame the user and not the programmers?
Re:Those that haven't already changed... (Score:5, Insightful)
Re:Microsoft should just scrap IE (Score:2, Insightful)
They won't, because there are only two things shoring up their critical desktop OS monopoly in the enterprise at this point: Office and IE.
Thank your lucky stars your enterprise doesn't use sharepoint then.
Re:I'm no fan of MS... (Score:4, Insightful)
Do you have anything more recent than 10 years ago?
It's not unreasonable, after all the security improvements that have been put into Vista, that the prevailing attitude may have changed somewhat in a decade.
Re:Red header (Score:5, Insightful)
For all Slashdot's leanings toward open source and hatred of all things microsfot or proprietary, does anyone else find that Slashdot itself acts like a closed source company?
You mean like how they host the code that runs their site on a publicly available CVS server and FTP site? Open source means that you can modify the code however you want, not that other people will modify the code however you want.
Re:Those that haven't already changed... (Score:2, Insightful)
Re:In other news ... (Score:5, Insightful)
Re:Red header (Score:3, Insightful)
OK, is this whole red thing some kind of mass troll, or is a new format change about to be hoist on us all? Screenshots, or it never happened.
Re:Red header (Score:5, Insightful)
Sure, but I think the more valid point (the one the parent was trying to make) is that ./ would do well to have some sort of Changelog page that also includes changes to come. This way, folks aren't "adjusting their television sets" when the feature de jour makes an appearance. They'll have a place to RTFM.
Re:Even that isn't necessarily enough (Score:3, Insightful)
Well phishing doesn't depend on client side vulnerability anyway--it's a social hack.
I like this quote (Score:2, Insightful)
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group. If we finish the sentence, it's:
"I cannot recommend people switch due to this one flaw, because I'd loose my job." said John Curran, head of Microsoft UK's Windows group.
Re:Those that haven't already changed... (Score:1, Insightful)
Too bad karma only goes to +5 for the parent of this thread. An MSI from Mozilla is critical to the future of Firefox.
Despite being at a Top 10 University, no, that Frontmotion MSI doesn't do it. It's not Mozilla Firefox. The logo is different. People can't figure it out. They furrow their brows in a failed attempt to understand.
Re:Those that haven't already changed... (Score:3, Insightful)
Corps won't change either, cause their most computer-illiterate users happens to be their CIO and his/her underlings.
Many "corps" will not switch because they have internal applications that require IE for some reason (ActiveX...)
Re:another OS (Score:2, Insightful)
People should go there and read it. (Score:4, Insightful)
And then read the fallout where the readers debunk what the article says, including posts to problems with IE that for some reason were completely ignored when doing the compilation.
I will just point out that Firefox is #1 because they *patched* the most vulnerabilities.
Only in Bizarro Planet this would define the most unsafe application.
Re:I'm no fan of MS... (Score:4, Insightful)
Usability is inversely proportional to security
This is a common myth.
I'll grant that there is often tension between security and usability, but to say that they're inversely proportional is flat wrong. It's very easy to build software that is neither usable nor secure and it's possible to build software that is both very usable and very secure.
Further, the usability/security tension that exists in some situations is irrelevant in the present context. This security flaw -- like many, many others -- has no relationship whatsoever to usability. IE would be equally usable (or not) if the flaw didn't exist, and the usability of IE will not decrease once the hole is repaired.
In short, your statement is both a red herring, and wrong.
Re:In other news ... (Score:5, Insightful)
Which is what Microsoft always says: You're gonna get screwed if you use our crappy browser, but at least we warned you.
No software is perfect, and everything has security flaws, but it seems to me, even 8 years after Microsoft (claimed they) took a serious position on security, they still seem to have an order of magnitude more problems than everyone else. Yeah, I know, they're the biggest target, but for crying out loud, Google wrote chrome from scratch* in less time than IE7 was in beta (or if not, it wasn't too far off) and came up with a browser that blows away IE in every single way except the number of desktops that have it installed.
Microsoft is at the point where they can do little but admit that there's nothing constructive they can do any more. It's been obvious for years to people in the know, but they've reached a point of diminishing returns: It obviously takes more effort to keep their bloated corpse of an operating system (and its 10-years-out-of-date browser) just working and free of 0-day exploits (leave alone catching up with the competition) than it would be to start over like Apple did with OSX.
How much longer will it take for MS to wake up? When the amount of effort needed for them to keep Windows limping along exceeds to man-power of the entire planet? It probably won't begin until the chair-tosser-in-chief is gone, and then it take years for them to recover. It used to be that Microsoft put as much effort into maintaining their monopoly as they did in their software. Now it seems maintaining their monopoly receives all but the smallest fraction of attention. The rest goes to plugging holes in the about-to-collapse dyke.
* For certain values of "from scratch"
Re:In other news ... (Score:4, Insightful)
The Church of England does not consider itself the only true Christian church in the world - they recognize the Old Catholics, for example.
And yes, Anglicans consider themselves to belong to the Catholic Church of all faithful Christians, just as any other Christian denomination that subscribes to the Nicene Creed (this includes all Protestants, too). It stems from the following line in the Creed:
"We believe ... In one, holy, catholic, and apostolic Church"
(note that this was written before the Great East-West Schism)
Here [wikipedia.org] are some, hopefully, more coherent explanations of this. I'm not a theologian, so I can only push the limits of sanity so far :)
Cycle of Abuse (Score:3, Insightful)
so it's not actually Microsoft that's suggesting that people switch browsers
Au contraire. "I cannot recommend people switch due to this one flaw". Translation: We've given you countless reasons to switch already. Here's one more.
IE users (and Windows users in general) remind me of the plight of the abused spouse, caught in the endless cyle of abuse [heart-2-heart.ca]. This is phase 2. A fix has been promised for tomorrow. That's phase 3. How many times is the average victim victimized before they leave? Way too many.
db