
Experts Say To Switch Browsers In Light of IE Vulnerability

timothy posted more than 5 years ago | from the here's-my-number-if-the-place-burns-down dept.

Security 455

It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
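The flaw Microsoft describes (an object released while the array length still counts it) can be modelled in a few lines of C. This is an added illustration, not Microsoft's code or anything from Internet Explorer; `BindingArray`, `BoundObject` and every function name are hypothetical, and a static pool stands in for the heap so the stale slot can be inspected without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8
#define MAX_ITEMS 8

/* Hypothetical bound object. Storage comes from a static pool so a released
 * object can still be examined here; with malloc/free the same access would
 * be undefined behaviour. */
typedef struct { int live; char name[16]; } BoundObject;

/* Hypothetical container: length is the number of valid slots in items[]. */
typedef struct { BoundObject *items[MAX_ITEMS]; size_t length; } BindingArray;

static BoundObject pool[POOL_SIZE];

/* First-fit allocator: a released slot is handed out again immediately. */
static BoundObject *object_alloc(const char *name) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            strncpy(pool[i].name, name, sizeof pool[i].name - 1);
            pool[i].name[sizeof pool[i].name - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void object_release(BoundObject *obj) {
    obj->live = 0;
    memset(obj->name, 0, sizeof obj->name);
}

static int array_push(BindingArray *a, BoundObject *obj) {
    if (obj == NULL || a->length >= MAX_ITEMS) return -1;
    a->items[a->length++] = obj;
    return 0;
}

/* Flawed pattern: the object is released, but the slot and the length are
 * left as they were, so the array still "contains" the dead object. */
static int release_stale(BindingArray *a, size_t idx) {
    if (idx >= a->length) return -1;
    object_release(a->items[idx]);
    return 0;
}

/* Corrected pattern: release, close the gap, shrink the length, clear the
 * vacated tail slot. */
static int release_consistent(BindingArray *a, size_t idx) {
    if (idx >= a->length) return -1;
    object_release(a->items[idx]);
    memmove(&a->items[idx], &a->items[idx + 1],
            (a->length - idx - 1) * sizeof a->items[0]);
    a->length--;
    a->items[a->length] = NULL;
    return 0;
}

/* Slots inside [0, length) that no longer refer to a live object. */
static size_t count_dangling(const BindingArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->live) n++;
    return n;
}

/* Build three constructed rows and release the middle one. */
static void build_and_release(BindingArray *a, int use_fix) {
    memset(pool, 0, sizeof pool);
    memset(a, 0, sizeof *a);
    array_push(a, object_alloc("row0"));
    array_push(a, object_alloc("row1"));
    array_push(a, object_alloc("row2"));
    if (use_fix) release_consistent(a, 1); else release_stale(a, 1);
}

static size_t dangling_after_release(int use_fix) {
    BindingArray a;
    build_and_release(&a, use_fix);
    return count_dangling(&a);
}

/* After the release, an unrelated allocation reuses the freed storage.
 * Returns 1 if a slot of the array now refers to that unrelated object. */
static int stale_slot_aliases_new_object(int use_fix) {
    BindingArray a;
    build_and_release(&a, use_fix);
    BoundObject *other = object_alloc("unrelated");
    for (size_t i = 0; i < a.length; i++)
        if (a.items[i] == other) return 1;
    return 0;
}

int main(void) {
    printf("stale release:      dangling=%zu aliased=%d\n",
           dangling_after_release(0), stale_slot_aliases_new_object(0));
    printf("consistent release: dangling=%zu aliased=%d\n",
           dangling_after_release(1), stale_slot_aliases_new_object(1));
    return 0;
}
```

Once the freed storage is reused, the stale slot looks live again, which is why this class of bug is caught by keeping the length and slots consistent at release time rather than by checking afterwards.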


455 comments


Red header (1, Funny)

LingNoi (1066278) | more than 5 years ago | (#26131821)

Whoa what happened to Slashdot's main page...

This story's title header was red.. Is that like "woop woop warning warning" red? Or something else?

Re:Red header (1)

LingNoi (1066278) | more than 5 years ago | (#26131837)

Ok, never mind it's gone now.. I guess it's because the story was new.

Re:Red header (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26131905)

It's obviously another change brought in by the owners.

For all Slashdot's leanings toward open source and hatred of all things Microsoft or proprietary, does anyone else find that Slashdot itself acts like a closed source company? When was the last time there was any proper discussion or announcement about changes being made? The site itself is merging into some web 2.0 bollocks, the site has lost its intuitiveness, the firehose doesn't even work properly in Opera and a million other crappy changes that have made this site degenerate.

I used to spend all day on Slashdot and now I only check it occasionally.

Re:Red header (5, Insightful)

jadrian (1150317) | more than 5 years ago | (#26131949)

I used to spend all day on Slashdot and now I only check it occasionally.

I guess some good came out of it after all.

Re:Red header (1)

Justin Hopewell (1260242) | more than 5 years ago | (#26132143)

Zinger!

Re:Red header (2, Funny)

Midnight Thunder (17205) | more than 5 years ago | (#26132443)

Normally this is reserved for subscribers, so maybe it was a subliminal attempt to get you to subscribe ;)

In other news ... (5, Funny)

elronxenu (117773) | more than 5 years ago | (#26131825)

Water still wet.

Pope still Catholic.

Re:In other news ... (5, Funny)

Anonymous Coward | more than 5 years ago | (#26131993)

and chairs still fly

Re:In other news ... (4, Funny)

Anonymous Coward | more than 5 years ago | (#26132081)

last time I checked, *my* pope was orthodox. or to be more precise, Pope and Patriarch of All Africa on the Holy Orthodox and Apostolic Throne of Saint Mark the Evangelist and Holy Apostle.

happy flamebait!

another OS (3, Interesting)

TheMeuge (645043) | more than 5 years ago | (#26132131)

Next week's news: "Microsoft experts" advise users to temporarily switch to a different OS, as they prepare to roll out Windows 7... ... jokes aside I haven't been THAT peeved with Vista. The interface is awkward, file transfers are dramatically slower than Ubuntu, and downloading a file over the internet invokes a 20 second freeze in Firefox. Other than that, it seems more stable than XP, and is responsive enough on my recently upgraded desktop.

It has been relegated to a game console status though, at least for me.

Re:another OS (1)

WhatAmIDoingHere (742870) | more than 5 years ago | (#26132289)

"...and downloading a file over the internet invokes a 20 second freeze in Firefox."

You know what that is? PEBKAC.

I don't hate Vista as much as most people, I use it as my main OS on my gaming rig, but I did notice that a lot of the changes made just added more actions between a blank desktop and changing any settings.

Re:another OS (3, Insightful)

theaveng (1243528) | more than 5 years ago | (#26132681)

"PEBKAC - problem existing between keyboard and chair".

Ahhh okay. I don't see how Firefox freezing for twenty seconds is a problem caused by the user. Why do you blame the user and not the programmers?


Those that haven't already changed... (5, Insightful)

celardore (844933) | more than 5 years ago | (#26131873)

...probably won't. Most uneducated users that read the article will probably be of the mindset "oh, it won't happen to me".

Re:Those that haven't already changed... (4, Interesting)

Andr T. (1006215) | more than 5 years ago | (#26131901)

I think that most people that read news about IT don't use IE already.

Re:Those that haven't already changed... (4, Insightful)

SkankinMonkey (528381) | more than 5 years ago | (#26131967)

Yea but the ones that they support and frequently think it's a good idea to click on the 'Hit the target to get a free iPod' ad is a good idea.

Re:Those that haven't already changed... (5, Funny)

Anonymous Coward | more than 5 years ago | (#26132089)

Yea but the ones that they support and frequently think it's a good idea to click on the 'Hit the target to get a free iPod' ad is a good idea.

I won one of these a few days ago. Just to let you know, they don't actually give you an iPod directly. Instead, they ask for your bank account information and deposit $250 (they say it's for tax purposes). I should be getting my money any day now!

Re:Those that haven't already changed... (0)

Anonymous Coward | more than 5 years ago | (#26132155)

And those are the ones we harvest for botnets.

YUM. Gotta love those idiots.

Re:Those that haven't already changed... (5, Insightful)

joelholdsworth (1095165) | more than 5 years ago | (#26132063)

I was listening to BBC Radio 1, and they had a news item about it this morning. But I think GP is right - I can't imagine it will make many users switch. However, as more and more people within the technical community become jaded with the consistent poor quality in Microsoft's offerings, MS will inevitably lose mind-share, and hence their stranglehold on the industry will loosen.

It's this sort of thing that made me switch over to Linux a year ago. I haven't looked back.

Re:Those that haven't already changed... (5, Funny)

notaspunkymonkey (984275) | more than 5 years ago | (#26132331)

My wife has just come over to me (she listens to Radio 1) and told me that I need to install another browser on all our machines.. I guess she has never noticed that we are a Ubuntu household!! At least the message is getting across to normal non techie users at the moment that IE is bad..

Re:Those that haven't already changed... (1)

kolicha (1236594) | more than 5 years ago | (#26132625)

I agree. I think most people that read the article probably aren't using IE anyway. However, the BBC is advertising it quite a bit and as the BBC appeals to both technical and non-technical computer users it may make the non-technical users aware that other browsers exist, which may cause a few to investigate and switch.

Re:Those that haven't already changed... (2)

LingNoi (1066278) | more than 5 years ago | (#26131955)

Same thing with backups, they're never taken seriously until the company loses all its data and goes out of business.

Re:Those that haven't already changed... (4, Insightful)

denis-The-menace (471988) | more than 5 years ago | (#26132009)

Corps won't change either, cause their most computer-illiterate users happen to be their CIO and his/her underlings.

If something huge happens, FF may actually get into corps even without a Mozilla-created, Corp-approved MSI package.

Re:Those that haven't already changed... (5, Interesting)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26132317)

Speaking as an institutional IT underling, a Mozilla created MSI for Firefox would be really, really handy. As would a mechanism for installing extensions and updates in a more manageable way. Here, at any rate, there is no real opposition to FF per se; but deployment has, thus far, mostly foundered. "Well, IE updates can be deployed within the system with WSUS, FF updates will happen per machine and be blocked by the firewall, and there is no way in hell we'll be able to keep all the machines updated manually." Which is largely true.

Now, this mostly comes down to the fact that Windows doesn't have anything nearly as nice as real package management(WSUS for MS apps and drivers only is the closest they really come), so apps end up rolling their own with varying degrees of success, which sucks. If we were running *nix this wouldn't be an issue. Unfortunately, that isn't really my option. If FF had a decently manageable MSI option, I'd probably install it on all user machines tomorrow; but until then I'll have to stick with using it on a more limited scale(You think I would use IE for anything beyond the broken intranet stuff?)

Re:Those that haven't already changed... (3, Interesting)

archen (447353) | more than 5 years ago | (#26132505)

Really it's not that simple. I was a supporter of firefox in my organization, and to my surprise I pretty much won. We use Firefox for nearly everything. Nearly. I have content adviser turned on for each of the machines which for the most part cripples IE and makes it nearly impossible to actually browse the web. IE is still very necessary for many sites which are required for our operation. Not internal "we developed in house badly designed pages", but actual corporate sites to manage various accounts on the Internet. That's surprising in 2008 that companies could have their head stuck in the sand that badly, but they seem to be all over the place... and unfortunately in places required for essential function.

I'm fortunate that the medium sized company goes along with this, because in any other organization we'd just use IE and that would be the end of it. Just managing the work arounds has actually been a lot of work, although in my mind it comes out to a wash in being a bit more proactive in preventing the vulnerabilities that flood IE.

Re:Those that haven't already changed... (1)

AlterRNow (1215236) | more than 5 years ago | (#26132583)

Are you launching IE as another application or using something like IEtab [mozdev.org] ?

Vulnerability (5, Insightful)

conureman (748753) | more than 5 years ago | (#26131885)

The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae. I seldom format & install windows now, unlike before I took that measure.

Re:Vulnerability (1)

n3tcat (664243) | more than 5 years ago | (#26132207)

You can still run it through windows, but you gotta unhide the files in the IE folder.

Re:Vulnerability (1)

Akral (975984) | more than 5 years ago | (#26132535)

The only way to open iexplore.exe in my home computers is through the "run" tab. This is to prevent unfit users from not using one of the other browsae.

Can't you open any folder and then enter the URL in the address bar?

Microsoft should just scrap IE (3, Insightful)

Reality Master 201 (578873) | more than 5 years ago | (#26131887)

Just start over. The thing's a chunk of crap that doesn't render stuff properly and must be a nightmare to maintain.

Pick another rendering engine - WebKit or Gecko - and build a browser around it. Maybe provide IE classic for those poor schmucks who are at jobs with crappily coded intranet apps full of client side VBScript, but don't make it the default.

Re:Microsoft should just scrap IE (0, Troll)

LingNoi (1066278) | more than 5 years ago | (#26131979)

If it wasn't invented by Microsoft they're not going to use it.

You can forget about them using anything standards based. If they did replace the rendering engine they would build a new one which would introduce even more non-compliant rendering.

Re:Microsoft should just scrap IE (1)

Reality Master 201 (578873) | more than 5 years ago | (#26132019)

Supposedly, making IE standards compliant is a big drive in IE8. But they still can't let go of the backwards compatibility that would allow people to keep from using their shitty intranet apps.

Seems like a waste of effort. Build new IE with something quick and easy to use, and maintain classic IE for corporate distribution.

And, yeah, it wasn't a suggestion I'd expect to be taken seriously in Redmond. Even if the programmers wanted to do it that way, it'd never fly with the executives.

Re:Microsoft should just scrap IE (1)

poetmatt (793785) | more than 5 years ago | (#26132141)

Most people can get their intranet apps working on firefox. Plenty of places are just afraid to do it as it represents a releasing of control in the corporate workplace.

Re:Microsoft should just scrap IE (5, Insightful)

Reality Master 201 (578873) | more than 5 years ago | (#26132347)

Yeah, believe me, I've done a lot of corporate consulting, and there's plenty of places with stuff that they'd have to recode to move off IE. Stuff that uses client side VBScript and extensive ActiveX controls. Sometimes it's 3rd party apps from a timesheet system vendor or whatever.

It already works. So why recode just to make the computer geeks happy?

Re:Microsoft should just scrap IE (1)

Touvan (868256) | more than 5 years ago | (#26132575)

They didn't invent IE, they bought it from some other company (so long ago, that I guess you could say they invented its current state).

Licensing Gecko or WebKit would be exactly the same thing, except it's an open source code base (LGPL - not copy left). They seem to have an unreasonable allergy to anything with the words "open source" in it - even though I can't see why it would make any sense at all to enhance their own rendering and Javascript engines at this point.

Talk about unnecessary expense. Maybe that's why it costs so much for a non-crippled version of Vista.

Re:Microsoft should just scrap IE (4, Insightful)

hey! (33014) | more than 5 years ago | (#26132213)

They won't, because there are only two things shoring up their critical desktop OS monopoly in the enterprise at this point: Office and IE.

User and developer dependencies on IE's peculiarities makes not having access to Windows inconvenient. Microsoft's own web software are designed to provide users of alternative browsers with inferior experience.

Keeping those "poor schmucks" dependent on IE is worth a great deal of money to MS.

google chrome (0)

Anonymous Coward | more than 5 years ago | (#26131919)

Does this affect IE8 compatibility mode?

Re:google chrome (1)

LingNoi (1066278) | more than 5 years ago | (#26131987)

According to an earlier story I read on Slashdot Microsoft said it affects all versions of IE.

bear. woods. pope. hat. (1)

apodyopsis (1048476) | more than 5 years ago | (#26131923)

really what choice did they have? I can see a class action from *lots* of angry people whose computers have been hosed and bank accounts hoovered would cost far more than not acting. Not to mention the loss of faith.

Now all we need is a certain percentage of people who try the fox being either too taken with it or too lazy to change it back.

Poor MS, what with Vista they have been having a bad time of it recently.

Re:bear. woods. pope. hat. (2, Interesting)

tekrat (242117) | more than 5 years ago | (#26132195)

Poor MS, what with Vista they have been having a bad time of it recently.

Poor Microsoft? You've gotta be kidding me. If your main products are crap, you get what you deserve. Anyone who thinks that Windows or IE are great obviously hasn't even tried anything else seriously.

At the Trenton Computer Fair earlier this year I was handed an Ubuntu disc. I've subsequently loaned this disc to others, made copies, etc., etc, and everyone that actually put it in their computer and tried it came back to me to tell me how amazing it was.

If given a viable alternative, PEOPLE WILL SWITCH, and move away from MS/IE/Windows, and its associated legacy crud.

And yes, I own a PC running Windows (2000). But I also own an iMac, an EEE-pc, and various SGI and SUN boxen. And a machine running Ubuntu.

Re:bear. woods. pope. hat. (1)

apodyopsis (1048476) | more than 5 years ago | (#26132361)

Hmmm, sarcasm is hard to get online. I apologize! As a Linux only user for >8 years at home, I assure you I am not a fan of MS.

In this case they reap what they sow - and this is nice illustration of the problems of security by obfuscation.

Re:bear. woods. pope. hat. (1)

TheP4st (1164315) | more than 5 years ago | (#26132595)

really what choice did they have? I can see a class action from *lots* of angry people whose computers have been hosed and bank accounts hoovered would cost far more than not acting. Not to mention the loss of faith.

Not bloody likely, read #17 in the XP EULA. Any other MS EULA are bound to say something similar. I would have quoted it but the filter objected to the caps usage hence the link below.

http://www.microsoft.com/windowsxp/eula/home.mspx [microsoft.com]

Re:bear. woods. pope. hat. (0)

Anonymous Coward | more than 5 years ago | (#26132643)

well, no.

nobody would want to take a class action against the EULA for the first time, specially one which starts with "I am the Lord your God, who brought you out of the land of Unix, out of the house of IBM" and contains capitalized that no liability could be taken in courts. More so if the guy you're suing has billion$ of arguments

Makes sense to me (1)

bigpistol (1311191) | more than 5 years ago | (#26131941)

Waaaay back when I used I.E all anti-spyware apps used to find a ton of spyware. Since switching to Firefox (0.6 I think it was at the time) I hardly ever have to run any anti-spyware, when I do the list is very short and is always just minor issues. Just switching to a decent browser that is separate from the OS instead of being buried so deep in the OS makes a huge difference - and makes a lot of sense to me :) Remember that SSL security issue in I.E and the fix was in the Windows kernel, niiiiice, real nice, me no touchy IE anymore. Let's face it - there's no shortage of "other" browsers to choose from these days.

Re:Makes sense to me (1)

Endo13 (1000782) | more than 5 years ago | (#26132281)

Waaaay back when I used I.E all anti-spyware apps used to find a ton of spyware.

And since then, they've also learned how to make anti-spyware apps that distinguish between real spyware and cookies that just track what websites you go to for advertising purposes.

Re:Makes sense to me (2, Funny)

bigpistol (1311191) | more than 5 years ago | (#26132467)

And since then, they've also learned how to make anti-spyware apps that distinguish between real spyware and cookies that just track what websites you go to for advertising purposes.

Aaaah I didn't realise I was jumping forward in time before running anti-spyware after browsing with FF :)

Is any browser safe? (5, Interesting)

Toreo asesino (951231) | more than 5 years ago | (#26131963)

Personally I don't use IE for most things, but I don't use FireFox for reasons of security at all; just because the extensions rock.
To my mind, all browsers have more or less the same number of security problems; name me a single mainstream browser that's not had a vulnerability this year for example.

So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

And that, ladies and gentlemen, is why if I had to choose my browser on purely default security scope, I'd go for IE7/Vista or some customised FireFox setup that nailed it to the floor.

Just a thought.

Re:Is any browser safe? (3, Insightful)

bigpistol (1311191) | more than 5 years ago | (#26132083)

But not all browsers are welded to the kernel.

Re:Is any browser safe? (0, Troll)

El Lobo (994537) | more than 5 years ago | (#26132411)

Still living in 1997? Reality check...

Re:Is any browser safe? (1)

bigpistol (1311191) | more than 5 years ago | (#26132487)

Admittedly I don't use Windows very much these days - is it possible to uninstall I.E completely now?

Re:Is any browser safe? (5, Informative)

Anonymous Coward | more than 5 years ago | (#26132635)

Neither is Internet Explorer. There is nothing about IE that has anything to do with the kernel. Your confusion lies in the fact that you confuse "operating system" specifically with "kernel" which is not completely correct. Absolutely no part or component of Internet Explorer resides in privileged memory.

Internet Explorer, however, is a part of the operating system in that a number of the libraries used in Internet Explorer the browser are modular and can be used through other applications, both first party and third party. Various components of the Explorer shell, such as Active Desktop, are accomplished through hosting the HTML renderer of Internet Explorer. Many applications also rely on those libraries for a variety of functions from rendering HTML to performing simple FTP commands. They could use other means to accomplish the same tasks, but the Internet Explorer API makes it exceedingly easy.

So, no component of Internet Explorer is hosted within the kernel at all. However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.

Note that this vulnerability also does not impact Internet Explorer 7.0 on Windows Vista running within Protected Mode. Yes, the vulnerability can still be exploited and the arbitrary code executed but that code will be contained within a fairly tight sandbox which lacks the privileges to write data to any location, including the user's own profile, even if the current user is running as Administrator. Google Chrome on Windows Vista is the only other browser to use this functionality. No browser can completely prevent buffer overruns in loaded native plug-ins, but browsers may mitigate the effects by sandboxing themselves. Other browsers should take note and follow suit.

Re:Is any browser safe? (5, Insightful)

Raenex (947668) | more than 5 years ago | (#26132129)

So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

Except the browser is an excellent application to hack, even if sandboxed, because it has network access and is used for nearly everything these days, including online banking. If you want to be safer you'll have to use separate sandboxed browsers for finance vs email vs ... vs random browsing.

Re:Is any browser safe? (1)

Chrisq (894406) | more than 5 years ago | (#26132245)

That is a very good point. Isolation from the underlying operating system is obviously good but it is not sufficient to protect against hackers.

Re:Is any browser safe? (2, Interesting)

nschubach (922175) | more than 5 years ago | (#26132561)

Unless the sandbox is created with a fresh copy of the executable every time it starts... Start Browser, OS copies a clean executable/settings into a sandbox and runs said executable. Upon exiting, sandbox is deleted along with any garbage that was injected by malicious sites.

Re:Is any browser safe? (4, Insightful)

Svartalf (2997) | more than 5 years ago | (#26132183)

Few browsers enable privilege escalation like IE does on a regular basis.

Re:Is any browser safe? (4, Insightful)

LtGordon (1421725) | more than 5 years ago | (#26132205)

Running web content in a sand boxed environment is exactly one of the features Google emphasized with Chrome. Web content is inherently untrustworthy so this is a smart move. It's sort of like wearing a web-condom: used to be that going bare-browser was mostly safe as long as you were careful who you interacted with, but nowadays even the pretty ones can burn you, so your best bet is to just wrap your tool ... with a sandbox. (I'm still working on the analogy)

Re:Is any browser safe? (2, Funny)

Bearpaw (13080) | more than 5 years ago | (#26132323)

It's sort of like wearing a web-condom: used to be that going bare-browser was mostly safe as long as you were careful who you interacted with, but nowadays even the pretty ones can burn you, so your best bet is to just wrap your tool ... with a sandbox. (I'm still working on the analogy)

Try adding a reference to "extensions". That'll help.

Re:Is any browser safe? (2, Funny)

IceCreamGuy (904648) | more than 5 years ago | (#26132215)

The Links browser? Stallman knows what's up! What do you guys think, Lynx or Links? I prefer Links, just seems easier to use to me. Lynx actually did have a vulnerability disclosed in October, http://web.nvd.nist.gov/view/vuln/detail;jsessionid=031729623a47404f1389622ff35a?execution=e1s1 [nist.gov] . That damn Lynx has just gotten too mainstream to be safe these days!

Re:Is any browser safe? (1)

mc900ftjesus (671151) | more than 5 years ago | (#26132261)

Choosing a browser with security as the only concern? Opera.

Too small of a target to bother with. ...well, actually that would be Safari for Windows, but come on, I'm no masochist.

Re:Is any browser safe? (2, Funny)

British (51765) | more than 5 years ago | (#26132657)

Choosing a browser with security as the only concern? Opera.

"Eeeeverybody's getting secure browsers!"
"You get a secure browser!"
"YOU get a secure browser!"
"You get a secure browser!"

Re:Is any browser safe? (5, Insightful)

chrisgeleven (514645) | more than 5 years ago | (#26132279)

Firefox to me is more secure in a way because it usually has security patches released within 48 hours or so after a 0-day exploit, sometimes even within 24 hours. Microsoft on the other hand has been known to leave 0-day exploits unpatched for months.

Also, Microsoft patches have to wait for their nightly automatic install or when a user shuts down their PC. I believe Firefox checks every time it is launched for updates and installs them. The odds are, you are going to get patched quicker using Firefox than IE.

Re:Is any browser safe? (2, Interesting)

the_B0fh (208483) | more than 5 years ago | (#26132305)

First of all - Firefox was designed with security in mind.

IE was not. That alone is enough to drive me off IE. Go to the Risks digest and read what Bob Atkinson wrote about Authenticode - he basically says that a broken screen saver has higher priority than security issues - and authenticode is the security technology behind ActiveX. And Atkinson is the fucking author of authenticode.

http://catless.ncl.ac.uk/php/risks/search.php?query=authenticode [ncl.ac.uk]

And what you want - that technology already exists. A company called GreenBorder made it. Guess what - google bought it. Hopefully, the big G will release it soon.

Re:Is any browser safe? (0)

Anonymous Coward | more than 5 years ago | (#26132325)

So in other words, we should find ways to seal off browsers from the normal desktop; lock it down in some low-rights, sandboxed safe environment planning that when it is hacked, it at least will be very limited in scope.

This can be done in 5 easy steps...

Step 1 - Set up a partition with a separate, bare bones operating system.

Step 2 - Give this system guest access, a minimal desktop environment with auto-login, and only install a web browser and necessary web extensions.

Step 3 - Virtualize this in your main OS of choice.

Step 4 - ...

Step 5 - Profit!

For even better security protection - use wget (or a similar tool) to download the page you want to visit. Disconnect your wireless and/or ethernet connection(s) and view your page in a text only browser. To get to another page you only have to reestablish your wireless and/or ethernet connection(s) and repeat the process.

Such an easy thing to enforce; internet security. I wonder why so many people just can't seem to do it right???

Re:Is any browser safe? (2, Informative)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26132365)

VMware is a downloadable image, essentially FF plus minimal linux, designed for their VMware Player, that essentially does that. It isn't what I'd call an elegant solution; but the improvement in security is substantial.

Re:Is any browser safe? (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26132381)

Ach, that should say "VMware has", not "VMware is".

Re:Is any browser safe? (0)

Anonymous Coward | more than 5 years ago | (#26132465)

name me a single mainstream browser that's not had a vulnerability this year for example.

mosaic

Wrong summary (5, Informative)

OhHellWithIt (756826) | more than 5 years ago | (#26132029)

Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.

I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.

Now, if you don't mind, I'll go back to my nap.

Re:Wrong summary (2, Informative)

Sebilrazen (870600) | more than 5 years ago | (#26132237)

Mod parent up, I RTFA and the mentions to switch are provided by Ferguson who's a TrendMicro guy, Curran, a UK Microsoft guy said, "Whoa... that's not what we meant..." roughly.

experts say switch browsers .. (1)

rs232 (849320) | more than 5 years ago | (#26132655)

"Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed"

I'm no fan of MS... (3, Insightful)

Viol8 (599362) | more than 5 years ago | (#26132033)

.. in fact I'm a diehard linux fanman (too old to be a fanboi!)

But even I'm getting sick of the hysterical anti MS reaction every single time some exploit appears for some or other program. Some people particularly media commentators need to get a sense of perspective and understand that no complex piece of software can really ever be bug free and these sorts of errors will creep in occasionally. Who hear who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine? Probably all of us. So look around you to spot the glass before you start chucking any stones!

Re:I'm no fan of MS... (0)

MosesJones (55544) | more than 5 years ago | (#26132111)

Who hear who codes in C or C++ hasn't had a similar bug in their own code from time to time

What are these bugs of which you speak? Sometimes I add problems for the testers to find, but that is done on purpose, it's not my fault if they aren't smart enough.

Oh and I've debugged your english for you

Who here

Unless that was irony.

Now the serious bit. I used to work in safety critical software, we designed, tested, added redundancy and used languages (e.g. Ada) which don't have overflow problems. This isn't a performance thing (we had to be high performance as well), it's about choosing quality and security from the first day.

Re:I'm no fan of MS... (1)

Andr T. (1006215) | more than 5 years ago | (#26132113)

Who hear who codes in C or C++ hasn't had a similar bug in their own code from time to time even though you were sure you'd debugged everything and the code passed through testing fine?

That's why you should use Java. This would never happen!

Re:I'm no fan of MS... (2, Insightful)

Svartalf (2997) | more than 5 years ago | (#26132165)

Heh... You'd just have other exploitable issues, either within the Java JVM or in poorly written code- just not the same class of them. I don't place blind faith in a language to clean up after myself.

Re:I'm no fan of MS... (1)

Andr T. (1006215) | more than 5 years ago | (#26132197)

Sir, you've been diagnosed [slashdot.org] . Please go to the nearest hospital.

Re:I'm no fan of MS... (0)

Anonymous Coward | more than 5 years ago | (#26132605)

http://secunia.com/advisories/product/12878/?task=statistics

Re:I'm no fan of MS... (2, Insightful)

joelholdsworth (1095165) | more than 5 years ago | (#26132151)

So look around you to spot the glass before you start chucking any stones!

The problem is that this isn't some little application. There are 750 MILLION users of IE. Each user will have paid somewhere between $20 and $200 for the privilege of using their bundled browser - and Microsoft is rich! beyond the dreams of avarice.

Is it wrong for us to expect a little quality in IE? Especially considering the number of users, its importance as an app, and the amount of cash MS has?

Re:I'm no fan of MS... (2, Insightful)

IceCreamGuy (904648) | more than 5 years ago | (#26132307)

Unlike the South Park episode in which pure cash was the cure for AIDS, there is no cure for imperfect code. I dare you to write a Hello World which you can guarantee to be completely secure until the end of time. Not like this isn't serious, and not like Microsoft has had a great track record with security, however throwing "cash" at an app doesn't guarantee unequivocal perfection. Usability is inversely proportional to security; if you want an app that will be usable by the majority of the world, then it will have security flaws no matter what. If you want an app that's completely secure forever, then your app will have to never be used by anyone ever.

Re:I'm no fan of MS... (1)

nschubach (922175) | more than 5 years ago | (#26132607)

Not to mention, somewhere along the way you would have to make a note to make a test so it never happens again. Possibly compartmentalizing the code and bringing it forward when a new version is released instead of writing new code.

The shrieking is a bit tedious (2, Funny)

symbolset (646467) | more than 5 years ago | (#26132431)

Especially since it happens nearly every day. Oh noes!!!! Everybody panic!!! Another exploit in Windows/Office/Explorer. WOE is us!!!

Perhaps if we phrased it like a sponsored ad: "Today's exploit brought to you by yet another buffer overflow error!" "This morning's gaping security hole sponsored by Stormworm. Stormworm: The worm of choice for the discerning mailbot."

Re:I'm no fan of MS... (-1, Troll)

the_B0fh (208483) | more than 5 years ago | (#26132445)

And I have a serious dislike for people who can't tell the difference between software engineering and slapping code together and compiling until it works - and worse dislike for people who forgive that behavior.

http://catless.ncl.ac.uk/php/risks/search.php?query=authenticode [ncl.ac.uk] basically has the fucking author of Authenticode saying that security is so unimportant that even a broken screen saver has a higher priority at Microsoft.

So, forgive me if the security geek in me feels a little fucking pissed off. Nobody is saying all the software has to be perfect. But what I'm fucking pissed off about is that they INTENTIONALLY DESIGNED A FUCKING PIECE OF SHIT AND CALLED IT SECURITY AND CRAMMED IT DOWN OUR COLLECTIVE THROATS and the damned IT media just rolls over while crying BOHICA.

Invalid pointer? (0)

Anonymous Coward | more than 5 years ago | (#26132071)

I guess Microsoft should have programmed Internet Explorer in Java. Serves them right.

No, Microsoft did NOT say to use another browser (5, Informative)

Anonymous Coward | more than 5 years ago | (#26132121)

RTFA.

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

Uhhh, no... (4, Informative)

IceCreamGuy (904648) | more than 5 years ago | (#26132137)

FTS:

Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.

FTA:

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.

Re:Uhhh, no... (1)

Chapter80 (926879) | more than 5 years ago | (#26132233)

THANK YOU!

Internet Explorer has a serious vulnerability != news

Microsoft advises users to switch to an alternate browser = HUGE news (also false!)

Re:Uhhh, no... (1)

LingNoi (1066278) | more than 5 years ago | (#26132265)

So how many flaws does it take? 2,3... 4 before Johnny boy can recommend competitors?

I'm guessing it's probably the same value you get when you divide by zero.

Re:Uhhh, no... (1)

IceCreamGuy (904648) | more than 5 years ago | (#26132327)

It might actually be an imaginary number, but the math is so complex that you would need a beowulf cluster to crunch it.

Re:Uhhh, no... (0)

Anonymous Coward | more than 5 years ago | (#26132341)

Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.

FTS:

According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

So no, the summary IS correct. You just need to read the whole thing before jumping to conclusions.

Re:Uhhh, no... (1)

IceCreamGuy (904648) | more than 5 years ago | (#26132457)

Seriously? I must be missing something, because not only does that statement, to me, not imply that Microsoft is asking people to switch browsers, but it also doesn't come anywhere close to Microsoft "flooding media outlets" with advice to that effect.

Data binding? (1)

Geoffrey.landis (926948) | more than 5 years ago | (#26132285)

From the summary:

When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space.

I don't use IE, but from the summary, doesn't it sound like simply dis-enabling data binding would keep the hole from being exploited?
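The bug class that the quoted Microsoft text describes (an object is released while the array tracking it keeps its old length) can be shown with a small model, given here as an added example that is not part of the thread and is not Internet Explorer's code. The names `binding_array`, `release_buggy` and `release_fixed` are hypothetical, and "release" is simulated with a `live` flag on pool-backed objects so that the stale entry can be inspected safely.

```c
#include <stddef.h>
#include <stdio.h>
#define POOL_SIZE 4

/* Constructed model: "releasing" only clears `live`, so no real free() occurs. */
struct obj { int live; };
struct binding_array {
    struct obj *items[POOL_SIZE];
    size_t length;               /* entries the array treats as valid */
};
static struct obj pool[POOL_SIZE];
static void array_init(struct binding_array *a)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        pool[i].live = 1;
        a->items[i] = &pool[i];
    }
    a->length = POOL_SIZE;
}

/* Flawed pattern: object released, but length and the slot stay unchanged. */
static void release_buggy(struct binding_array *a, size_t idx)
{
    if (idx >= a->length) return;
    a->items[idx]->live = 0;     /* stands in for free() */
}

/* Corrected pattern: release, remove the entry, shrink the length. */
static void release_fixed(struct binding_array *a, size_t idx)
{
    if (idx >= a->length) return;
    a->items[idx]->live = 0;
    for (size_t i = idx + 1; i < a->length; i++)
        a->items[i - 1] = a->items[i];
    a->items[--a->length] = NULL;
}

/* Entries inside `length` that still refer to released objects. */
static size_t stale_entries(const struct binding_array *a)
{
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] && !a->items[i]->live) n++;
    return n;
}

/* Release entry 1 with one routine; return the length or stale count. */
static size_t demo(int use_fix, int want_length)
{
    struct binding_array a;
    array_init(&a);
    if (use_fix) release_fixed(&a, 1); else release_buggy(&a, 1);
    return want_length ? a.length : stale_entries(&a);
}
int main(void)
{
    printf("buggy: length=%zu stale=%zu\n", demo(0, 1), demo(0, 0));
    printf("fixed: length=%zu stale=%zu\n", demo(1, 1), demo(1, 0));
    return 0;
}
```

With the flawed routine the array still reports four entries, one of which points at a released object; with the corrected routine the length drops to three and no stale entry remains.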

Will this flaw affect "old" IE browsers? (2, Funny)

theaveng (1243528) | more than 5 years ago | (#26132427)

My laptop has an older IE; version 5 I believe..... will this flaw affect that too, or is it just a flaw in the current version of IE?

Strange news (2, Interesting)

femtoguy (751223) | more than 5 years ago | (#26132473)

This is especially strange news in light of an article from zdnet, http://blogs.zdnet.com/security/?p=2304 [zdnet.com] , saying that firefox is the top bad example from a list of 12 programs with the worst security record. More interestingly, they don't even mention Internet Explorer as having bad security problems, despite news like this. Does Microsoft just pay journalists to write things like this on the day before they know they have bad news to release in hopes that people won't notice their security problems?

here comes the masterplan (0)

Anonymous Coward | more than 5 years ago | (#26132545)

step 1:
we need an exploit for it, which will install firefox and replace the internet explorer on the victims pc.

step 2:

put this exploit on every website we have access to.

step 3:

hooray!

Mick (0)

Anonymous Coward | more than 5 years ago | (#26132563)

Good news for firefox

don't just switch browsers .. (1)

rs232 (849320) | more than 5 years ago | (#26132585)

Don't just switch browsers, switch Desktop Distros [distrowatch.com] . In fact, for any kind of online financial activity use a bootable CD. Before you say it, you won't have to pay rent on these Live CDs [livecdlist.com]

This flamebait doesn't even match TFA! (1)

urbanriot (924981) | more than 5 years ago | (#26132633)

This post reads, "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched."

TFA reads, "Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it." Also, "Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed."

Microsoft gets enough bashing in here that front page posts don't need to lie to give them more negative press. This is growing more into Digg every day... can has some moderation on posts pls?

Alternatives (1)

Midnight Thunder (17205) | more than 5 years ago | (#26132641)

I don't use IE, unless when I have to. At home it's Safari or Firefox (less since I have been getting the _JS_FloorLog2 issue, which nobody wants to fix), on my Mac and then at the office, with Windows XP, it is generally Firefox and SR Iron [srware.net] . Since I do work in web development I do have to check stuff with IE7 (we have just been given the green light to drop IE6 :) ), since like it or not the market share is still too large.
