Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
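The bug class the advisory describes (an object is deleted while code higher on the call stack still holds a pointer to it, typically during event dispatch) and the usual mitigation in reference-counted object models, as an added C example that is not from the story, the advisory, or Microsoft's code; the node type, the handler signature, the dispatch routine and the live-node counter are all constructed for illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a minimal reference-counted DOM-like node.
 * A handler invoked during event dispatch may drop the owner's
 * reference to the very object being dispatched on. If the dispatcher
 * keeps using its raw pointer afterwards, that is a use-after-free.
 * Holding an extra reference across the call keeps the object alive
 * until the dispatcher is finished with it. */

typedef struct node {
    int refcount;
    char name[32];
} node_t;

static int g_live_nodes = 0; /* instrumentation only: nodes currently allocated */

node_t *node_create(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refcount = 1;
    snprintf(n->name, sizeof n->name, "%s", name);
    g_live_nodes++;
    return n;
}

void node_addref(node_t *n) { n->refcount++; }

void node_release(node_t *n) {
    if (--n->refcount == 0) {
        memset(n, 0xDD, sizeof *n); /* poison so a stale read is obvious under a debugger */
        free(n);
        g_live_nodes--;
    }
}

/* Handler signature: receives the target and the slot that owns it. */
typedef void (*handler_fn)(node_t *target, node_t **owner_slot);

/* A handler that removes the target from its owner, the "object is
 * deleted during event dispatch" case from the advisory. */
void handler_that_removes_target(node_t *target, node_t **owner_slot) {
    (void)target;
    if (*owner_slot) {
        node_release(*owner_slot);
        *owner_slot = NULL;
    }
}

/* Safe dispatch: take a reference before calling out, so the object's
 * lifetime cannot end in the middle of this function. Returns the
 * length of the target's name read *after* the handler ran. Without the
 * addref/release pair around the call, that read would touch freed
 * memory whenever the handler drops the last reference. */
size_t dispatch_event(node_t **owner_slot, handler_fn h) {
    node_t *target = *owner_slot;
    if (!target) return 0;
    node_addref(target);               /* keep-alive reference for this call */
    h(target, owner_slot);             /* may release the owner's reference */
    size_t len = strlen(target->name); /* still valid: we hold a reference */
    node_release(target);              /* freed here if ours was the last one */
    return len;
}

int live_nodes(void) { return g_live_nodes; }

int main(void) {
    node_t *slot = node_create("button");
    size_t len = dispatch_event(&slot, handler_that_removes_target);
    printf("name length read after handler: %zu, live nodes: %d\n", len, live_nodes());
    return 0;
}
```

The interesting line is the `node_addref` before the handler call: the handler really does drop the owner's reference and clear the slot, yet the dispatcher's later read is on live memory and the node is freed only when the dispatcher releases its own reference.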
  • by Anonymous Coward on Monday January 18, 2010 @10:35AM (#30807680)

    .. now *that* would be real fun.

  • by dunezone ( 899268 ) on Monday January 18, 2010 @10:46AM (#30807814) Journal
    And that's Microsoft's fault how?

    Microsoft provides the ability to be up to date and secure as well as backwards compatibility; it's the user's risk for which he chooses, not Microsoft's.
  • by UnknowingFool ( 672806 ) on Monday January 18, 2010 @10:54AM (#30807900)
    Maybe in the default configuration, but every place I've worked, IT changes the configuration of IE due to the needs of the company. Home users might be okay with using the default configuration, but some companies will not be.
  • by Penguinisto ( 415985 ) on Monday January 18, 2010 @10:58AM (#30807968) Journal

    That does bring up a good question - given the huge numbers of IE 6 installs that persist (due to hordes of crap .NET programmers*), Microsoft not supporting IE6 is likely what would help drive Firefox (or Chrome, Safari, Opera, etc) adoption.

    After all, if one cannot have IE6 and IE8 existing on the same machine at the same time, but IE6 on the Internet is the next best thing to suicide, then why not modify IT policy and the prebuilds so that IE6 is internal-only, while Firefox (or whatever else) becomes the browser of choice for public Internet use?

    * note that this isn't a knock against the language itself, but against the fact that while it was widely adopted, it was widely implemented by a lot of programmers who had no business being programmers (at least w/ lower-level languages, bad code tends to die off or get re-written much quicker). Also, there's the fact that Microsoft has a lot of old baggage around that it can ill afford to simply stop supporting.

  • by vistapwns ( 1103935 ) on Monday January 18, 2010 @11:02AM (#30807998)
    IE is used by corporations, and corporations do not want patches for patches for hotfixes and all that jazz, they expect the patch to be tested and corporations are the ones who wanted a monthly release for patches so the IT staff are not patching and testing patches all month long.
  • by should_be_linear ( 779431 ) on Monday January 18, 2010 @11:05AM (#30808028)
    Having a radio button somewhere that makes your OS vulnerable to a _KNOWN_ exploit is a really stupid idea.
  • by quantumplacet ( 1195335 ) on Monday January 18, 2010 @11:06AM (#30808052)

    It's a nice thought, but a) most end users won't accept using two different browsers and b) it's not just intranet pages that keep IE around. The biggest thing holding back other browsers in the corporate world is the inability to manage them centrally through group policy or something similar.

  • by should_be_linear ( 779431 ) on Monday January 18, 2010 @11:09AM (#30808080)
    OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
  • by plague3106 ( 71849 ) on Monday January 18, 2010 @11:13AM (#30808126)

    > Sandboxing & virtualization of a sick browser is not a panacea. If the sandboxed application is compromised, it could still be controlled in its own domain and compromise cookies, passwords and anything else that is obtainable in its virtual space. It could still be used for malicious purposes, purposes that could result in a knock on the door from the law.

    Sandboxing and virtualization are sane for ANY application which is processing content from untrusted sources, regardless of whether you think them secure or not.

    > A hale and open sourced browser is the only safe way to go. Screw IE, any version.

    Right, because FF hasn't had any major security holes. Open source does not mean secure. It means you can see the code.

    > Was it not the browser that would install keyloggers and dialers through the press of the [Enter] key as it would default on installation of any "signed" ActiveX, no matter how fucked up it was? Yes! Did these people have any idea of what was happening on the Internet? Yes! Fuck it, they said, system-browser integration is not debatable; Microsoft had their fun killing Netscape, now we have our fun watching them trying to fix the mess. (They won't).

    Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy. I think the problem is that you're upset that, even with problems in MS software, people would STILL rather use it than your favorite OS.

    Also, I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out? Oh ya, it took way too long, they should have rushed it out without any kind of testing, like open source does.

  • by Bacon Bits ( 926911 ) on Monday January 18, 2010 @11:16AM (#30808162)

    How is this a troll? What he said is true.

    Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK [microsoft.com]. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.

  • by Eirenarch ( 1099517 ) on Monday January 18, 2010 @11:32AM (#30808320)
    WTF? First of all how do .NET programmers have anything to do with IE6 installs? Second - why pick on .NET and not on Java which came first or even Python and Ruby which claim to be even easier? Oh yeah... the first from Microsoft and the others are open source... And btw these programmers you are talking about would still be employed and would be doing much more damage if it was not for .NET and Java to keep them from producing billions of buffer overflows and memory leaks.
  • by haruchai ( 17472 ) on Monday January 18, 2010 @11:33AM (#30808336)

    It seems that all the exploits I've read about over the last decade boil down to the same flaws: buffer overflows, invalid pointers, format strings, etc. Yet developers persist in using the same old programming languages & libraries that are rife with weaknesses. Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly, the old "we've always done things this way and it would be too expensive to change" is real crap. What about the cost of NOT changing? Is that irrelevant because the cost (and consequences) are the burden of the end-user, not the vendor?

    Isn't it past time that things changed?

  • by TheRaven64 ( 641858 ) on Monday January 18, 2010 @11:39AM (#30808402) Journal

    > (due to hordes of crap .NET programmers*)

    You mean hordes of crap ASP programmers. It's ASP and ActiveX in intranets that keep people on IE6, not .NET.

  • Re:Who cares? (Score:2, Insightful)

    by ScytheBlade1 ( 772156 ) <scytheblade1@NOsPam.averageurl.com> on Monday January 18, 2010 @11:46AM (#30808480) Homepage Journal
    >The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.

    I'd disagree. Open up "My Computer" and type in "http://www.google.com/" into the address bar.

    Enjoy your IE.
  • Pentagon thinking (Score:3, Insightful)

    by Angst Badger ( 8636 ) on Monday January 18, 2010 @11:50AM (#30808526)

    Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fix it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for years.

    Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.

  • by Anonymous Coward on Monday January 18, 2010 @11:51AM (#30808534)

    Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

    Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

    Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."

  • by amicusNYCL ( 1538833 ) on Monday January 18, 2010 @12:24PM (#30808886)

    Even though you're being sarcastic, to an extent you're correct. It is the fault of corporate IT, not Microsoft, that IE6 and IE7 are in such wide use and being exploited, when everyone should already be running on IE8. It would be the same situation as if you had tons of people running Firefox 1.5 and refusing to upgrade because it would break something they're used to, despite being vulnerable to a series of known problems. In that situation it's not Mozilla's fault that their user base hasn't upgraded any more than it's Microsoft's fault now.

  • by riegel ( 980896 ) on Monday January 18, 2010 @12:26PM (#30808916) Homepage

    > Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.

    Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.

  • by duguk ( 589689 ) <dug@frag.co.CURIEuk minus physicist> on Monday January 18, 2010 @12:30PM (#30808958) Homepage Journal

    > So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.

    > By default, IE8 on 7 is pretty secure.

    So it's ok if a buggy webpage can wipe out My Documents, so long as it doesn't break my system?

    I'm not sure many users would agree with you there.

  • by amicusNYCL ( 1538833 ) on Monday January 18, 2010 @12:31PM (#30808976)

    It's clear that you need one. Maybe you could start by changing your worldview that all open source software is secure by virtue of being open source, and all proprietary software is crap. Maybe a look at Opera would prove otherwise. If you're not aware of the several security features which Microsoft has added to Windows 7 and IE8 (not to mention much-needed support for several missing standards), then maybe you can make yourself familiar with those before claiming that everything which you can't read the code for is insecure.

  • by TiberiusMonkey ( 1603977 ) on Monday January 18, 2010 @12:33PM (#30809004)

    > Ignoring the fact that they've come a long way in both securing the browser and supporting standards shows nothing they do would make you happy.

    Yes of course, the largest computer software company in the world should be given a hearty slap on the back for "coming a long way". I mean, they're only the standards that everyone else is following; it's not like they matter.

  • by BasharTeg ( 71923 ) on Monday January 18, 2010 @12:40PM (#30809108) Homepage

    If you had any idea what OP was talking about, you'd realize that this isn't "sandboxing and virtualization". Thus, the attacker won't be taking control of the browser in a non-priv account or in a virtual space. This is DEP, data execution prevention. You may also know it as the NX bit. It's disallowing the execution of code from non-code areas such as the stack/heap. Thus it LITERALLY disallows the code from being run. So while the vulnerability is academically "there", the reality is, it does not run code, at all. Not in some restricted domain, not as some no-priv user. It simply doesn't run. Thus it cannot be used for malicious purposes.

    Your entire post is anti-IE hate, and you have no idea what you're talking about. Then you go on to drag in some ActiveX bashing. Of course you've been modded up as "informative" even though your entire post is factually incorrect. I mean this is Slashdot right?

  • by plague3106 ( 71849 ) on Monday January 18, 2010 @01:19PM (#30809658)

    > One of the problems Microsoft (and this /. thread) gets at is how out of control Microsoft's users are. Microsoft wants you to upgrade to a version of a proprietary browser that can still be compromised with some reconfiguration.

    Ya, well then you're going out of your way to make yourself vulnerable again. At which point, I'd have to ask... why did you bother to upgrade?

    > Because IE is proprietary, all IE users must wait until Microsoft genuinely fixes the bugs that allow remote code to compromise the browser even after said reconfiguration. Firefox, while vulnerable even in a default install, is free software. Firefox's destiny is in our collective hands. We decide how and when Firefox is fixed and we decide how thorough that fix is.

    And to the average user, there is no difference. They'll have to wait for FF to update itself to get the patch as well, as they're waiting on the Mozilla people to do so.

    > So while you're probably not a programmer

    Actually I am.

    > , like most computer users, you have options with Firefox that you don't have with IE. You could learn to program and help fix Firefox's code. You stand virtually no chance of doing this with IE's code no matter how expert you become. It is of no help to look at this as though Firefox hackers are your workers so you can sit back and wait for them to deliver a fix ("I haven't seen any indication that they aren't working on a fix. What will you say if the patch comes out?").

    Ya, in the real world, that's not going to happen. By the time the average user learned to program, there'd be a new version of both IE and FF out already. As I explained, to the average user, there is no difference between FF and IE; with either browser you're still at the mercy of a 3rd party for a patch.

    > Software freedom changes the game by giving you permission to control your computer; the more free software you run, the more control you have. Like with any other freedom how much of that permission you're willing to leverage is up to you

    No, it doesn't. It puts users at the mercy of the OS community (which has an attitude of "if you didn't pay for it you don't have a right to complain") instead of a company. But at the end of the day, it's the same for them. Don't be delusional; people just want to USE their computers, not spend time learning to program to fix other people's software.

  • by Anonymous Coward on Monday January 18, 2010 @01:32PM (#30809834)

    > Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory.

    > Think of that, a web browser that runs in user space. Seems like it should be loved by competent IT departments.

    If we measured the effectiveness of corporate IT by individual uptime (instead of by number of tickets closed), there would be a newfound appreciation for browsers that run in user space and resist infection. But with the economy the way it is, we need to "manage" as many things as we can get our hands on, lest management find out what we really do and how easily they could downsize the help desk by making better architecture choices.

    In more than a few companies, IE "puts the beer on the table" for level 1 help desk technicians.

  • by cervo ( 626632 ) on Monday January 18, 2010 @01:54PM (#30810134) Journal
    The place I work is still running IE 6. About 6 months ago they did a big effort to upgrade to IE 7, tested all their apps, and then decided that they weren't ready. There is currently no time table to upgrade to IE7 let alone 8.

    A company I interned at had IE 4.0 for the longest time, even after 5 came out, and the latest versions of Netscape....

    I think what our friends at Microsoft don't realize is that big companies (especially big regulated companies) are really slow to move on things. "Upgrade to IE 8" is not really a valid answer. A large regulated company will spend months testing, and in many cases it will take years to upgrade. Now if IE didn't encourage people to violate web standards, then it wouldn't be that bad. But unfortunately it does and people do. So fixing things to work with IE7 or even IE8 after IE 6 is a pretty big deal.

    So good luck with that. I know my company is going to be running IE 6 for at least another year, maybe more. They have to go slow because it is a financial company and they are subject to all sorts of SOX controls and regulations. Also upgrading browsers does not immediately generate revenue so it is not a high priority. They don't even use the right resources for testing so it drags out much longer than it should....

    I worked at a Microsoft Fanboy company, but even then it took a good 6 months to test all the apps with IE 7, and there the roll out wasn't company wide, just that division. There was also a project in parallel to fix the issues and move all development projects to Visual Studio 2005. They properly staffed based on what they had, and it still took 6 months. And they were Microsoft Fanboys. I mean SQL Server 2005 comes out, they need to upgrade within a year. SQL Server 2008 comes out, they put on a project to upgrade within a year. Windows Vista comes out, they need to upgrade.... And even there 6 months is a lot of time to be exposed to a vulnerability. And they are the exception, not the rule.

    For many companies a security issue or browser upgrade does not generate revenue and is super low priority....
  • by totally bogus dude ( 1040246 ) on Monday January 18, 2010 @11:36PM (#30815824)

    The problem is you need to invest a lot of time, money and expertise into setting up something like that. For a big shop like yours, that's no problem: the cost of initial setup is easily justified by the fact you have to manage 60k+ desktops and over 2,000 apps, and doing that manually would cost a fortune.

    Most of us aren't that large though. We've got maybe 150 desktops/laptops, which is enough to make managing them manually impractical, but not enough to justify purchasing and learning systems management and package management software and the ins and outs of crafting your own package for each application and so on.

    You say that "Firefox is just another app to us", but I'm sure you (or someone) spent a long time figuring out how to pull apart the installer and repackage it for your environment and to have everything working for the users but without giving them too much control over bits you want/need to manage centrally, and so on. Again, if you're already set up and have the knowledge of doing that for thousands of other apps, it's not too big a deal. But for us, nobody has that knowledge, and even if they did, nobody has the time to sit around working out how to repackage the application of the month; especially when it's only going to be required by a handful of people.

    So either you need to buy some fantastic systems management software ($$$) and hope the vendor supplies packages/scripts/instructions for packaging the apps you use; or you buy packaging tools and learn to do it yourself ($$ + time); or you just use the stuff that more-or-less works out of the box ($). It's no surprise then that most smaller shops use Microsoft's software across the board, and then manually manage installs of additional software in the few cases where they're really needed.
