
German Government Advises Public To Stop Using IE

Soulskill posted more than 4 years ago | from the enough-is-enough dept.

Internet Explorer 320

An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"


A stinging lesson (5, Interesting)

Senes (928228) | more than 4 years ago | (#30790006)

This is just a personal anecdote, but take it as you will. About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled. Mind you, this was a week ago. Fortunately I'm on a dual boot system and I was able to go into Linux to delete the malignant exe files, which gave me a foothold to manually recover from the rest of it. IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

Re:A stinging lesson (1)

headbulb (534102) | more than 4 years ago | (#30790144)

I had a similar thing happen to me. Browsers really could use better plugin controls; I should be able to disable any plugin without having to uninstall it. Why does someone need to view a PDF in a browser anyway?

I am on a netbook so I am back on linux. (didn't come with a windows cd)

A worm can move through a pdf file quick.

Re:A stinging lesson (2, Informative)

maxume (22995) | more than 4 years ago | (#30790424)

Firefox gives you the option of disabling plugins without uninstalling them (as does IE8, those are the only 2 browsers I have installed).

Adobe Reader also gives you the option of not loading pdfs in the browser (the browser simply prompts you to save the file).

Re:A stinging lesson (4, Insightful)

sopssa (1498795) | more than 4 years ago | (#30790740)

Which is why I don't understand the parent's point. The exploit was against Adobe PDF Reader, not against IE. It would have worked in other browsers.

And because Firefox crashed too, it was definitely getting past what it should have been. No browser should even crash on some code on a website.

Re:A stinging lesson (1)

dangitman (862676) | more than 4 years ago | (#30790212)

About a week ago I noticed that Firefox kept crashing on some specific pages, so out of curiosity I decided to load one of them in IE - bad, bad idea. The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled.

What kind of web page was that, and what was so compelling about it that you decided to use IE to get it to load?

Re:A stinging lesson (5, Funny)

Idiomatick (976696) | more than 4 years ago | (#30790562)

Natalie Portman.

Re:A stinging lesson (1)

mlts (1038732) | more than 4 years ago | (#30790654)

You would be surprised. There are still a lot of websites out there which will not just tell you to take a hike if you are not using IE, but actually run JavaScript tests to check if someone spoofed the user agent field.

My solution: Run IE... but in a limited user session in a virtual machine that rolls back to a known good snapshot when closed. This works on Macs, and Windows boxes. Since Windows 7 offers XP as a download, might as well take advantage of it. This way, any zero days just mean that the VM user in the guest OS gets infected, and that infection gets dumped the second I'm done dealing with the website in question and close the VM.

Re:A stinging lesson (1)

mlts (1038732) | more than 4 years ago | (#30790756)

Clarification here: This is for versions of IE less than 8. IE 8 is good enough to use as an everyday browser, as long as you have Protected Mode selected for all zones (even trusted), and that DEP is on (it ships that way.)

It is crazy, but there are sites out there that consider anything but IE6 unauthorized, and actually do scripting tests to validate what someone is using.

Re:A stinging lesson (3, Insightful)

IdleTime (561841) | more than 4 years ago | (#30790918)

And I do take a hike in those cases.

If I encounter such a webpage, I simply move on as I am running Linux and have no interest in any web sites that think they need to force me to run any Windows crap.

Re:A stinging lesson (0)

Anonymous Coward | more than 4 years ago | (#30790246)

>IE basically just handed these people control over my system, with no input on my part other than loading a news article which happened to have the PDF on it.

When browsing the web myself, I use either Firefox or Arora, running under KDE 4.3.4, in turn running on Arch Linux x86_64. I use Okular to read PDF files. "Those people" would not have a hope of breaking through my system.

>The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled.

Not a problem at all for those of us who aren't forced to run Microsoft software.

Re:A stinging lesson (2, Insightful)

PNutts (199112) | more than 4 years ago | (#30790306)

Not a problem at all for those of us who aren't forced to run Microsoft software.

Not a problem at all for those of us who choose to not use Adobe's software.

Re:A stinging lesson (0)

Anonymous Coward | more than 4 years ago | (#30790320)

Of course you didn't browse the Internet being a member of Administrators group? Did you use Vista or 7 with protected mode enabled and vulnerable plugins from third parties like Adobe disabled?

Re:A stinging lesson (4, Insightful)

Penguinisto (415985) | more than 4 years ago | (#30790898)

TBH, if it takes all of that precaution just to run your web browser, maybe it's time to use a different one?

By default, Windows 7 w/ IE8 is supposed to already have those bits in place - DEP, permissions isolation, all that rot. But damn... now you're talking about checking that all 3rd-party plugins being off before going online, etc? There comes a point where it's just easier (not only safer but EASIER) to run Firefox, or take the next step and get Linux. It's certainly orders of magnitude easier to just get a Mac and use that instead.

I know, I know, marketshare, 'just a matter of time', whatever... but think about this: Most folks don't give a flying frig about the subtleties of defense-in-depth, they don't care about vuln counts (no matter how contrived), nor do they really care about what happens 3-5 years from now, when they'll have likely replaced their computer anyway. What most folks DO care about is how safe it is out there right now, and w/ a near-perfect record (of not becoming some 13-year-old script kiddie's bitch), Linux and Apple products make more and more sense to the individual once they realize that you don't even have to bother with running A/V on the things, or worry as much about malware, or etc. For those who don't want to make that big of a jump, it's a hell of a lot easier for them to just download and use Firefox, Chrome, whatever... and leave IE alone entirely.

Re:A stinging lesson (1)

caubert (1301759) | more than 4 years ago | (#30790370)

You really should give link to that site. I'd be happy to sandbox it and analyze the contents.

Re:A stinging lesson (1)

Simon (S2) (600188) | more than 4 years ago | (#30790396)

You probably already know that, but as you probably do with linux, you should not use stuff like IE with your Admin account.

Use Foxit Reader (1)

allcoolnameswheretak (1102727) | more than 4 years ago | (#30790460)

You might want to switch to Foxit PDF Reader
http://www.foxitsoftware.com/pdf/reader/ [foxitsoftware.com]

Smaller, faster, safer.

Re:Use Foxit Reader (0)

Anonymous Coward | more than 4 years ago | (#30790664)

I use Google Docs. I hope it is safe.

Re:A stinging lesson (1)

obarthelemy (160321) | more than 4 years ago | (#30790796)

what version of windows ?

do you login as an admin by default ?

The CURE (TM) (1)

omb (759389) | more than 4 years ago | (#30790838)

Stop using Windoze or anything created by M$, since it is clear the US government is never going to hold them responsible for anything. It is all a crock of shit.

And if you have to, run it in a VM, set up so you can re-image the C: drive at any time.

If US law worked, vide SCO v IBM, M$ would have been sued into bankruptcy years ago.

Why were you running as an admin? (1)

tjstork (137384) | more than 4 years ago | (#30790876)

The page loaded a PDF and simply by visiting I was infected with one of the worst malware problems I ever had; task manager shut off, antivirus disabled, locked out of registry editor, windows was completely crippled

I guess my question would be, why were you running Windows as an admin account that would even let you, as a user, have permissions to do any of this stuff. I mean, you can tout Linux as much as you want, but in this case, the real culprit is your shoddy use of Windows security tools. I mean, would you run FireFox as root in Linux? Don't think so. So why did you do it to IE?

Friends don't let friends.... (3, Funny)

ansak (80421) | more than 4 years ago | (#30790010)

Use Internet Exploder for web browsing, Use Outlook or Outlook Distress for reading e-mail. nuff said...ank

Re:Friends don't let friends.... (4, Insightful)

Presto Vivace (882157) | more than 4 years ago | (#30790114)

You know your product's reputation is in trouble when a government advises the public to dump it.

Not a bit late? It is like a spy platform already (5, Interesting)

Ilgaz (86384) | more than 4 years ago | (#30790220)

I am surprised it took so long. I was expecting some guys from NSA, CIA and several visiting MS IE department and tell them "Guys, enough is enough, you are threatening our national security."

Think about it, is there anything more dangerous than IE with its flawed model currently? I mean look, you don't need to hire some black hats to code custom code, you just look for zero day flaws. Other browsers sure have zero day flaws but thanks to their model, it is fixed (unless Apple doesn't care). The browser's model is broken clearly. In fact, it threatens whole globe economy and security. Nothing that serious happened yet but it will sure happen one day. Another side effect is, every day, people are more bound to web/internet for their actual work. So as time passes, things go way more serious.

Re:Not a bit late? It is like a spy platform alrea (5, Insightful)

gbjbaanb (229885) | more than 4 years ago | (#30790356)

Perhaps they did - and then MS said "we'd listen to you, but we gave loads of money to a lobbyist organisation who then gave it to the senator on your oversight committee, so bog off".

Re:Not a bit late? It is like a spy platform alrea (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30790372)

Anything more dangerous than IE? Yeah. Adobe Flash. One implementation, almost the same code, across every browser and on several platforms.

Oh, wait, wasn’t there just a 0day in that?

Also, that exploit is the other “Chinese” 0day, which targets Adobe Reader, rather than IE. Firefox would be just as vulnerable if the Adobe Reader plugin was installed, or if you subsequently opened that PDF in Adobe Reader (other PDF readers are, of course, not affected).

They didn’t find this vuln themselves. They bought it off the black market from a blackhat, like anyone else could have. They bought the Gh0st RAT (remote access trojan) tool as well, which isn’t particularly brilliant but clearly got the job done due to some very clever and determined targeting. Probably a budget of less than $30k-worth for this whole operation. Very cheap, considering some of the quality SIGINT they got.

Besides, this particular 0day targets XP. As it stands it is non-functional in Windows Vista or 7, due to the ASLR changes. (It could be modified to extend that, as all versions have the bug, but that work hasn’t been done yet and the particular exploit may not reach 100% reliability.)

MS will probably issue an out-of-cycle patch. It’s Adobe you should be angry at.

Re:Not a bit late? It is like a spy platform alrea (1)

Presto Vivace (882157) | more than 4 years ago | (#30790526)

Security Tracker [securitytracker.com] , best tool I know of to track security vulnerabilities.

IE is a way bigger deal than you think (1)

Ilgaz (86384) | more than 4 years ago | (#30790592)

Adobe says their tool wasn't abused in this case. What makes you think I don't say the same thing to Adobe? In fact, just 3 days ago, I suggested Adobe fire its entire Mac department. A "browser" is the platform to access the web; plugins can always be abandoned, but the browser is more like the "kernel". I don't want to panic anyone, but even if they use Firefox and disable access to IE, as long as IE's shared DLLs are used for HTML rendering in various tools (e.g. "what's new today"), they are still vulnerable.

While I won't touch Safari for my ordinary browsing, whenever Apple releases a Safari security update, I back up my stuff and rush to update for that exact same reason. The system's default/core browser is a very big deal, a way bigger deal than anything else.

Re:Not a bit late? It is like a spy platform alrea (0)

Anonymous Coward | more than 4 years ago | (#30790692)

Attention, people:
IE is forbidden!!
Supposed to be very good! Excellent!!

Re:Not a bit late? It is like a spy platform alrea (1)

Hurricane78 (562437) | more than 4 years ago | (#30790854)

Did it occur to you, that maybe the reason for their “non-reaction” is that either
A) They are the ones who chose for those holes to be in there in the first place?
B) MS and those TLAs got so many revolving doors that they are practically one?
C) Somethingsomething... PROFIT? ;)

Re:People are used to it (2, Interesting)

miknix (1047580) | more than 4 years ago | (#30790256)

Having viruses and other types of malicious software running on the computer is so common that people don't care anymore. Seriously... I see people working in the middle of an "adware pops up a window, user closes it" kind of game and they don't even seem to be bothered. When is this going to change???

Re:Friends don't let friends.... (2, Informative)

Anonymous Coward | more than 4 years ago | (#30790656)

Maybe the summary shouldn't have left out the most important word: temporary. Here is a translation of the headlines:

original:
Kritische Sicherheitslücke im Internet Explorer
BSI empfiehlt die vorübergehende Nutzung alternativer Browser

translation:
Critical security hole in Internet Explorer
BSI recommends to temporarily use alternative browsers

So did the swiss (0)

Anonymous Coward | more than 4 years ago | (#30790020)

As if IE was ever safe to use anyway... now, when there was such a "public exploitation", they advise not to use it. It's ridiculous.

To be fair to Microsoft (5, Interesting)

FlyingBishop (1293238) | more than 4 years ago | (#30790022)

This could have happened to any browser. The Chinese searched high and low for a vulnerability, they would have found it regardless.

Of course, the fact that it was present across all versions of IE suggest some fundamental architecture flaws that Microsoft has yet to correct.

Yeah sure (5, Informative)

SmallFurryCreature (593017) | more than 4 years ago | (#30790064)

It could happen to any browser to have the same security flaw in 3 different versions DESPITE claimed complete rewrites of the code.

MS apologists, you got to admire their dedication. The Iraqi minister of information used windows as well.

Re:Yeah sure (1)

awitod (453754) | more than 4 years ago | (#30790440)

DESPITE claimed complete rewrites of the code

Claims by who? Do you have a link? If this is true I'm not surprised your post is currently 5:Informative because I have never heard of this and I like to think I pay close attention in this space.

Re:Yeah sure (3, Informative)

Maxo-Texas (864189) | more than 4 years ago | (#30790602)

He's probably thinking of articles like this:
http://www.itwriting.com/blog/541-mshtml-layout-engine-completely-rewritten-for-internet-explorer-8.html [itwriting.com]

Interesting article here: http://www.joelonsoftware.com/articles/fog0000000069.html [joelonsoftware.com]

"[netscape killed themselves by rewriting]
Well, yes. They did. They did it by making the single worst strategic mistake that any software company can make:
They decided to rewrite the code from scratch."

Joel's argument is "code doesn't go bad. it is better to sand it and polish it because a given code base has already had a lot of bugs found and removed. writing a new codebase brings you back to bug rich code".

Re:Yeah sure (0)

Anonymous Coward | more than 4 years ago | (#30790868)

There are some pieces of software that are so horribly broken that they should be rewritten from scratch. But each case is different and in this one, all versions of IE definitely fall into this category.

It seems like the larger the company, the more difficult this is to do. MS certainly has some competent programmers. And they certainly have the resources to pull it off but they still release turd after turd after turd across their product lines.

Perhaps the exception is Vista 7. But then again, who knows how many 0-days are lurking in there right now? There's no way to know since the code is closed off.

Re:Yeah sure (1)

icannotthinkofaname (1480543) | more than 4 years ago | (#30790790)

Er, isn't a complete rewrite what's supposed to happen when the developer increments the main version number (like going from IE 6 to IE 7)? Even if there's no documentation of Microsoft explicitly saying that IE was completely rewritten, I would think that the incremented version number is claim enough.

Re:Yeah sure (1)

Joe U (443617) | more than 4 years ago | (#30790902)

I'm guessing it was to get rid of the last bits of Spyglass Mosaic code, so they would stop having to license it.

Re:To be fair to Microsoft (5, Informative)

sakdoctor (1087155) | more than 4 years ago | (#30790072)

Why be fair to Microsoft in this case? Bashing where bashing is due;
IE is a highly dangerous lump of toxic/radioactive waste, with a half life of over 20 years.

Microsoft did everything wrong. Wrote the piece of shit in the first place. Tightly integrated it into windows, for leveraging purposes. Didn't even try to keep on top of updates letting it stagnate.
It will have a damaging effect on the web, web standards, and general computing, long after Microsoft drops support for any given version.

Re:To be fair to Microsoft (4, Informative)

McGiraf (196030) | more than 4 years ago | (#30790170)

"Wrote the piece of shit in the first place"

No, they bought/stole the Microsoft way from Spyglass.

http://en.wikipedia.org/wiki/Spyglass,_Inc [wikipedia.org] .

(The link ends with a dot; Slashdot moves it after "[wikipedia.org]". Bug!)

Re:To be fair to Microsoft (1)

sakdoctor (1087155) | more than 4 years ago | (#30790210)

Interesting thanks.
I joined the party mid to late browser wars, so that was a bit before my time, but I do remember reinstalling windows, 5 times in a day because IE4 was so volatile.

IE (4-5-6) has always been a complete disappointment, and the day someone told me about the plucky little upstart Firebird 0.6, I never had to use it as my main browser again.

Re:To be fair to Microsoft (0)

Grygus (1143095) | more than 4 years ago | (#30790348)

IE (4-5-6) has always been a complete disappointment, and the day someone told me about the plucky little upstart Firebird 0.6, I never had to use it as my main browser again.

IE4 was terrible, and 6 was the one that drove me to Firefox never to return, but I quite liked IE5 at the time.

Re:To be fair to Microsoft (0)

Anonymous Coward | more than 4 years ago | (#30790812)

You're making that up. IE6 preceded Firefox by years. If IE6 had put you off that much, you would have switched to Opera or the Mozilla Suite, not Firefox.

Re:To be fair to Microsoft (1)

Kjella (173770) | more than 4 years ago | (#30790710)

Use html and it'll work [wikipedia.org] . I'd say it's possibly a feature to avoid extra dots from a sentence ending which are not part of the URL.

Re:To be fair to Microsoft (1)

McGiraf (196030) | more than 4 years ago | (#30790732)

I know, but a workaround is no bug fix.

Link works now anyway (1)

SteveFoerster (136027) | more than 4 years ago | (#30790886)

No worries, I made a redirect.

Re:To be fair to Microsoft (0)

Anonymous Coward | more than 4 years ago | (#30790910)

I use firefox on Ubuntu, and to be fair, I take all this stuff with a grain of salt, now that:
1. Google is in the browser business.
2. Bing is coming up strong in the search engine business.

Not saying that Google had a "hidden" agenda, but may work for them as well.

Re:To be fair to Microsoft (5, Interesting)

peragrin (659227) | more than 4 years ago | (#30790086)

Of course the fact that MSFT let the Chinese view the source code for Windows http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html [cnet.com] has nothing to do with it. Sure, it was 6 years ago; the question is how long China was running the operation, and how many field tests did they get away with, and for how long?

Something like this has been in at least limited operation for a couple of years.

Re:To be fair to Microsoft - Curious... (0)

Anonymous Coward | more than 4 years ago | (#30790484)

> Something like this has been in at least limited operation for a couple of years.

Oh, really?

Wouldn't the US spy services know of this? Isn't it working like intended?

The Chinese might be in the business of cheap tin-foil hat production...

For anyone concerned about this, instead of a tin-foil hat, what about a Red Hat?

NOPE (0)

Anonymous Coward | more than 4 years ago | (#30790112)

MS has a LONG HISTORY of being horrible WRT security. They still are. The China gov. will continue to use MS as a tool for stealing from the west because far too many gov.s worked with MS and pushed it in there.

To be fair to logic (0)

Anonymous Coward | more than 4 years ago | (#30790294)

A Police officer, an Airline pilot, and an undersea welder are doing their jobs. One of them gets shot by Glock .45 acp. Take a guess who.

I mean, technically.... This could happen to any person. Does one of these jobs lend itself to having a higher risk of being shot?

IE8 alledgedly super-safe (5, Interesting)

yupie (772822) | more than 4 years ago | (#30790026)

Ironically, in Belgium they have just had a (somewhat controversial) campaign, where a new all-Belgian browser "Paladin" (http://www.getpaladin.be/splash.php) was going to be launched, which appeared to be just fake, pointing to and arguing for the already super-safe IE8 browser :-)

Good (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30790028)

Joe Public needs to upgrade already, and I don't care if governments have to dumb it down to "IE steals yu0r megahurtz, and means you support TERRORISM", so long as the message gets through.

(Screw the corporations that got locked into IE. They can use IE as an intranet client, and use a real web browser for... well, browsing.)

Re:Good (2, Insightful)

maxwell demon (590494) | more than 4 years ago | (#30790108)

It's probably safer anyway to use different browsers for intranet and internet.

Re:Good (1)

bcmm (768152) | more than 4 years ago | (#30790266)

That's a very good idea, and it would be possible to prevent idiots from using IE anyway by having different proxy settings in each browser.

Right Decision? (3, Insightful)

Henry V .009 (518000) | more than 4 years ago | (#30790048)

According to the original article, DEP (enabled by default in IE8) and sandbox mode (Windows 7, Vista) all stop this zero day.

If that is the case, doesn't that count in IE's favor, not against? All browsers have vulnerabilities. All of them have zero-days. However, it seems that IE has some pretty good built-in protections that Firefox lacks.

Re:Right Decision? (5, Funny)

Anonymous Coward | more than 4 years ago | (#30790070)

However, it seems that IE has some pretty good built-in protections that Firefox lacks.

Sir, your power of deductive reasoning is astonishing!!

Now if it was Firefox that was hacked, the previous statement would be in your favor.

Instead...

Re:Right Decision? (0, Flamebait)

mjwalshe (1680392) | more than 4 years ago | (#30790124)

yess well germany does seem to have problems with getting this whole Internet thing - throuble is all the realy good people want to go into old skool engineering and work for audi and not Computers

Re:Right Decision? (0)

Anonymous Coward | more than 4 years ago | (#30790418)

Why do you spell really and school incorrectly? What you said seemed smart and then I just lost the point. I understand it was intentional, that was why I asked why. I never ask why someone has a typo, it's a typo.

Re:Right Decision? (1)

MtHuurne (602934) | more than 4 years ago | (#30790154)

I don't think it still counts as a 0-day at this moment, since the vendor has been informed. I do agree that Firefox would benefit from sandboxing and other extra security measures, but those are no substitution for quick patching.

Re:Right Decision? (5, Interesting)

benjymouse (756774) | more than 4 years ago | (#30790184)

DEP would have prevented the specific attack. Protected mode would have severely restricted the impact of a successful exploit.

But DEP is not the end-all solution. It is a significant barrier to exploiting memory corruption bugs, but with 3rd party software involved there is always the risk that the attacker could use those as stepping stones. Java is always a risk in this regard because of its hotspot compiler nature and a bad habit of placing string constants alongside code. Because of the hotspot technology and because it must execute in-process, Java inherently has the ability to both write and execute code. .NET always executes fully compiled and the code blocks are read-only. However, there was a bug (now patched) whereby an attacker could misrepresent the version of an assembly and cause .NET to "nicely" allow an attacker execute string constants.

The Vista/7 low-integrity process is effectively a sandbox. It works by dropping the rights of the process so low that IE cannot write *anywhere* on the system, except for a secluded cache store. To my knowledge this has *never* been broken. Again, 3rd party/external software may be the weak link. At a pwn2own, an attack successfully circumvented the sandbox by exploiting a bug in a Flash helper process which executed *outside* the sandbox. Another vector seems to be PDF, because the PDF reader is *also* running outside the sandbox with "normal" integrity level. The IE broker process which helps marshal downloads has never been broken.

Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd.

Especially in the light of Microsoft's bulletin which makes it very clear that this particular bug would be prevented by *both* DEP as well as protected mode.

Re:Right Decision? (1)

edxwelch (600979) | more than 4 years ago | (#30790846)

"Considering that certain other browsers (Firefox and Safari) experience many more security bugs these days, combined with the fact that none of these offer sandboxing, the recommendation does seem a bit odd. "
That's because if you actually look at the details you'll see most of those security bugs in Firefox are minor - i.e. don't allow execution of code on users machine.

Re:Right Decision? (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#30790892)

Java inherently has the ability to both write and execute code

But not at the same time. One of the things the OpenBSD guys had to do with their port (which is now in mainstream), and which I helped implement for LLVM, is W^X support. DEP is Microsoft's implementation of W^X, i.e. no page may have both write and execute permission at the same time (although they only support it properly on CPUs with the NX bit; OpenBSD does it using horrible hacks involving relocating pages within segments in the absence of NX page protection). That means that you can't execute data that you write into memory unless you issue a system call to change the page permission. To do this you must already be able to make the program do what you want, so you need some other exploit.
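The W^X rule that the two comments above describe (benjymouse's point that DEP blocks the specific attack, and TheRaven64's explanation that written data cannot be executed without a system call to change the page permission) can be shown directly on a POSIX system. The following is an added example, not code from the thread or from any browser vendor; it assumes Linux or a similar OS with NX-enforced page protections on x86-64 or AArch64, and uses a tiny "return 42" machine-code stub as a stand-in for an attacker's payload. Jumping into a page that was only ever writable is stopped by the hardware (the child process dies with a signal); the legitimate JIT path must first call mprotect(2) to make the page executable, which is exactly the step an exploit cannot take unless it already controls execution.

```c
/* Added example (not from the Slashdot thread): W^X / DEP demonstrated
 * with mmap(2) and mprotect(2). Assumes Linux/POSIX on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

typedef int (*fn_t)(void);

/* Stand-in "payload": machine code that simply returns 42. */
#if defined(__x86_64__)
static const unsigned char code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char code[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                      0xC0, 0x03, 0x5F, 0xD6 }; /* ret        */
#else
#error "example supports x86-64 and AArch64 only"
#endif

/* Map one page read+write (never executable), copy the payload in,
 * and return the mapping. This is the state an attacker reaches by
 * writing data into memory: bytes present, but PROT_EXEC absent. */
static void *map_payload(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, sizeof code);
    /* Needed on AArch64 so the instruction cache sees the new bytes. */
    __builtin___clear_cache((char *)p, (char *)p + sizeof code);
    return p;
}

static int call_page(void *p) {
    fn_t f;
    memcpy(&f, &p, sizeof f);  /* object-to-function pointer, portably */
    return f();
}

/* Attacker's path with DEP on: jump straight into the written data.
 * Run in a child so the expected SIGSEGV does not kill the caller.
 * Returns 1 if the jump was blocked (child killed by a signal),
 * 0 if the payload actually ran (no NX enforcement), -1 on setup error. */
int exec_from_rw_blocked(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = map_payload();
    if (!p) return -1;
    pid_t pid = fork();
    if (pid < 0) { munmap(p, (size_t)pg); return -1; }
    if (pid == 0) {
        int r = call_page(p);          /* dies here under W^X */
        _exit(r == 42 ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    munmap(p, (size_t)pg);
    if (WIFSIGNALED(status)) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Legitimate JIT path: change the permission to RX via a system call
 * *before* jumping, so the page is never writable and executable at once.
 * Returns 42 on success, -1 on failure. */
int jit_call(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = map_payload();
    if (!p) return -1;
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, (size_t)pg);
        return -1;
    }
    int r = call_page(p);
    munmap(p, (size_t)pg);
    return r;
}

int main(void) {
    printf("jump into RW page blocked: %d\n", exec_from_rw_blocked());
    printf("mprotect(RX) then call:    %d\n", jit_call());
    return 0;
}
```

The mprotect call is the whole point: it is the "system call to change the page permission" from the comment above. An exploit that has only corrupted memory has no way to issue it, which is why a browser with DEP on forces the attacker to find a second primitive (typically return-oriented code reuse, or a helper process that runs without the protection) rather than simply jumping into the bytes it wrote.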

Re:Right Decision? (2)

lukas84 (912874) | more than 4 years ago | (#30790196)

DEP, which is a Windows feature and not an IE feature, is also active for recent versions of Firefox.

What Firefox lacks though is the sandboxing using a lower-privileged logon (Protected Mode).

Re:Right Decision? (1, Informative)

amiga3D (567632) | more than 4 years ago | (#30790278)

You may be correct, I can't say since I haven't used Windoze for anything to do with the internet in a long time. I do wonder though, why don't they just patch the damn thing? I mean really. They know a lot of people are getting infected, don't they give a shit? Ah...my bad. This is Micro$oft we're talking about here.

Shouldn't they be upgrading before complaining? (2, Insightful)

cjeze (596987) | more than 4 years ago | (#30790092)

"patch from Microsoft is still nowhere to be seen"


Isn't it just easier to upgrade to IE 8?

Re:Shouldn't they be upgrading before complaining? (1, Informative)

Anonymous Coward | more than 4 years ago | (#30790166)

"Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/ [theregister.co.uk]

Perhaps they can't (3, Interesting)

Ilgaz (86384) | more than 4 years ago | (#30790252)

Can you try imagining your daily work depends on some intranet tool which only works in pre IE 8 and besides numerous claims by MS, IE 8 simply can't make that tool work?

What would happen?

In fact, even if a tool has an upgrade released by the vendor, you can't roll IE 8 out to all the machines without testing it yourself in numerous scenarios. It is not like launching Windows Update and clicking all security updates blindly. Even on OS X, as 10.6 shipped, companies/DTP/video guys had finally moved to 10.5.8. When 10.7 ships, they may move to 10.6. People can't trust Apple for updates, let alone blindly update/patch their Windows, which is way more complex.

Before anyone starts throwing stones... (2, Insightful)

SuperBanana (662181) | more than 4 years ago | (#30790104)

Re:Before anyone starts throwing stones... (5, Insightful)

Stumbles (602007) | more than 4 years ago | (#30790146)

It is not a question of living in a glass house. No application is 100% secure. The issue with Microsoft products is that your ass is hanging in the wind for at least 30 days from a security vulnerability... unless they deem it serious enough to issue a patch outside their update window. At least with Firefox and the other Mozilla-based browsers, your ass is hanging out there much less, and that is the real issue when dealing with security issues.

Re:Before anyone starts throwing stones... (0)

Anonymous Coward | more than 4 years ago | (#30790722)

"up to", not "at least".

what might be more to the point (1)

mjwalshe (1680392) | more than 4 years ago | (#30790106)

is to not go to dodgy fracking porn and warez sites

German Government stops using jews. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30790122)

Uninstall all your jews today, or we will take it away on our removal trains.

Nostalgia (0)

Anonymous Coward | more than 4 years ago | (#30790130)

Ah, the 'Good Old Days'!

Signed,
a Linux user.

It's not the "government" (4, Informative)

kill-1 (36256) | more than 4 years ago | (#30790158)

It's a German federal agency, not the German government. And they warn users about IE every time there is a major unpatched security hole.

Re:It's not the "government" (0)

Anonymous Coward | more than 4 years ago | (#30790204)

Can you explain this? What is the difference?

Re:It's not the "government" (1)

Grygus (1143095) | more than 4 years ago | (#30790382)

I think "government" implies majority support from all agencies. We've repeatedly shown that various federal agencies can have all the necessary pieces of information to stop physical security breaches, but the government as a whole is powerless unless the agencies' interoperability is very good. Just because federal agency A says/knows/wants something doesn't mean the government as a whole says/knows/wants the same thing.

Re:It's not the "government" (1)

Elektroschock (659467) | more than 4 years ago | (#30790408)

It is the federal IT security agency, branched out from the secret service. It is part of the ministry of the interior.

Re:It's not the "government" (1)

dangitman (862676) | more than 4 years ago | (#30790236)

It's a German federal agency, not the German government.

???

Re:It's not the "government" (1)

morgen_m (1688614) | more than 4 years ago | (#30790726)

The German government itself uses trojans (e.g. Bundestrojaner [wikipedia.org] ) (which every ISP in Germany is required to install) for surveillance purposes.

How to convince my employer to switch? (2, Insightful)

Octopuz (622696) | more than 4 years ago | (#30790160)

At work we use MSIE 7 on Vista. Although my employer is open to alternatives it must be strictly planned before making such a switch. Is it possible to switch to, say, Firefox, while still retaining update possibilities? All users are limited in rights, so no admin rights, which Firefox normally needs to be updated. Imho Mozilla needs to work harder to get companies to run their software.

Firefox doesn't even ship official MSI (4, Insightful)

Ilgaz (86384) | more than 4 years ago | (#30790286)

Firefox/Mozilla guys live in some imaginary world where you maintain/install/update thousands of desktops/laptops just like a home user, clicking the "firefox.exe" installer.

IE on the other hand, has amazing administrator capabilities and when coupled with that enterprise "ms update services", it is unbeatable.

Firefox resists shipping a Microsoft Installer (MSI) and Apple Installer (PKG) for some mysterious reason, let alone doing the stuff above. Nearly all those ".exe" shareware etc. packages you see are in fact MSI packages packed into an .exe file for convenience and to prevent web server issues.

It gets more unexplainable since there is a complete open source MSI packager hosted at SourceForge ( http://wix.sourceforge.net/ [sourceforge.net] ), and the interesting thing is, companies like InstallShield would even donate their solutions to them with free automated setups. It is not some no-name software, it is Firefox.

Re:Firefox doesn't even ship official MSI (1)

Elektroschock (659467) | more than 4 years ago | (#30790414)

Feel free to package MSI packages for your clients.

Re:Firefox doesn't even ship official MSI (2, Insightful)

Bacon Bits (926911) | more than 4 years ago | (#30790534)

Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.

and we are surprised companies are using IE (1)

Ilgaz (86384) | more than 4 years ago | (#30790626)

That is what my large-system administrator friends have been doing for years, and some of them are really sick and tired of doing it over and over. Some administrators won't really care to package "your" application or download it from a 3rd party (they must be insane). Even 5-user home networks using OS X/Remote Desktop are starting to get bugged about there being no OS X PKG.

One more thing: MSI has advantages like package verification, signing and _repair_. It is what RPM is to a Red Hat OS or DEB to Debian. Ignoring it is really childish and no, it isn't really an "anti-MS" thing they are doing. An anti-MS thing would be refusing to release their browser for Windows. If they can do it, it is all fine with me.

Re:Firefox doesn't even ship official MSI (1)

Arker (91948) | more than 4 years ago | (#30790570)

Firefox/Mozilla guys live in some imaginary World where you maintain/install/update thousands of desktops/laptops just like a home user, clicking "firefox.exe" installer.

Yeah, sad but true. This is why Debian had to ditch firefox after all.

Maybe people running Windows in large organisations should switch to debian and iceweasel instead of trying to wrestle. In fact that sounds like an excellent idea!

Alternatively, it is quite possible to roll a customised firefox/windows setup as well. A "large organisation" should surely have someone on staff that can accomplish such a simple task.

Re:How to convince my employer to switch? (1)

lseltzer (311306) | more than 4 years ago | (#30790436)

You do realize that IE7/Vista is not (by default) vulnerable to the Aurora attacks, don't you? So this incident isn't really a lesson for them to switch.

Perhaps you can get them to use Chrome. Google's a real company after all.

File suit, not just follow suit (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30790168)

Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?

Surely you mean file suit. IE is so widespread that it should be possible for it to be treated like a public utility and then sue Microsoft despite their "no warranty" EULA clause. Cory Doctorow, we need your input on this.

Waiting for Al Gore's Advice (0, Flamebait)

stewbacca (1033764) | more than 4 years ago | (#30790206)

I'm not taking any advice from the government unless it comes from the Internet inventor himself!

Re:Waiting for Al Gore's Advice (0)

Anonymous Coward | more than 4 years ago | (#30790410)

That might've been funny many years ago, before that was debunked. These days it's not funny, and is based upon an ignorant, deliberate misunderstanding of what the man said many, many years ago.

Future speech from Balmer: (0)

Anonymous Coward | more than 4 years ago | (#30790268)

Security! Security! Security! *drenched in sweat* Security! Security! Security! Security! Security! Security! Security! Security! *even more sweat* Security! Security! Security! Security! *crazy eyes* SECURITY! SECURITY! SECURITY! *panting*

Good for them... (1)

rec9140 (732463) | more than 4 years ago | (#30790272)

Now they just need to take the next step!

Don't use win!

Then lead by example and switch to a KDE 3.5.10 distro on all their systems.

Friends don't let friends use gnome or KDE 4.x!

Use fascist GPOs (4, Interesting)

mousse-man (632412) | more than 4 years ago | (#30790304)

In our company, we have resorted to implementing a fascist GPO to solve the problem. Actually, in the untrusted zone, IE can't:

- run javascript
- directly launch an associated application (like a PDF)
- run Flash
- run ActiveX
- change the default home page
- install toolbars
- use any other search provider except Google

amongst others. It has become a sport to lock down IE as much as possible without removing it completely - this encourages using other browsers.

Annoying people so much that they switch browsers has actually been the best strategy so far to prevent IE security problems in a predominantly windows company.
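An added audit script, not the poster's own GPO, that reads back the Internet-zone settings such a policy would lock down. Registry value names and their meanings come from Microsoft's documented IE zone settings (KB 182569); the key paths, the chosen set of values and the home-page check are my assumptions about a typical implementation.

```powershell
# Added example (assumed GPO layout, not the poster's actual policy): audit the
# IE Internet zone (zone 3). Data values per KB 182569: 0 = enable, 1 = prompt, 3 = disable.
$ZoneId = 3
$Wanted = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins (covers Flash)'
    '1400' = 'Active scripting (JavaScript)'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
# A GPO writes into the Policies hive; IE honours that over the per-user zone key.
$ZoneKeys = @(
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId",
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
)

function Get-EffectiveZoneValue {
    param([string]$Name)
    foreach ($key in $ZoneKeys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Value = $item.$Name; Source = $key } }
    }
    return $null   # absent: IE falls back to its built-in zone template, i.e. not locked down
}

$Findings = foreach ($name in $Wanted.Keys) {
    $hit = Get-EffectiveZoneValue -Name $name
    [pscustomobject]@{
        Setting = $Wanted[$name]
        Value   = if ($hit) { $hit.Value } else { '(template default)' }
        Locked  = [bool]($hit -and $hit.Value -eq 3)
        Source  = if ($hit) { $hit.Source } else { '' }
    }
}
$Findings | Format-Table -AutoSize

# "Disable changing home page settings" policy and machine-only zone settings, so a
# user-level registry change cannot loosen the zone the GPO tightened.
$homeLock = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -Name HomePage -ErrorAction SilentlyContinue
$hklmOnly = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name Security_HKLM_only -ErrorAction SilentlyContinue
"Home page locked   : $([bool]($homeLock.HomePage -eq 1))"
"Zones machine-only : $([bool]($hklmOnly.Security_HKLM_only -eq 1))"
if ($Findings | Where-Object { -not $_.Locked }) {
    Write-Warning 'Some Internet-zone settings are still enabled or at template default.'
}
```

Run it in the user's own session after a gpupdate, since the per-user keys are only visible there.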

Re:Use fascist GPOs (1)

tg123 (1409503) | more than 4 years ago | (#30790520)

It's ActiveX in Internet Explorer that's usually the issue. Turn it off.

I'm sure I have seen this issue before about IE and the zero day issue in a news article.

Yep, found it, and it has those Chinese hacker type persons in it as well, in 2008. ;-)
http://www.h-online.com/security/news/item/Two-new-zero-day-exploits-dent-Microsoft-s-Patch-Tuesday-739273.html [h-online.com]

Here is micro$oft's advice on how to disable active content.
http://support.microsoft.com/kb/154036 [microsoft.com]

IE6 is the zombie browser. (2, Insightful)

Azureflare (645778) | more than 4 years ago | (#30790500)

IE6 will never die. I wish it would, to be honest; I agree that I hate IE6 with a passion as a web developer and wish it would go the way of the dinosaur.

However, here's a little anecdote of why IE6 will never die:

Company that uses a COTS product that runs ONLY on IE6 and fails to work on any other browser, refuses to upgrade from IE6. 2020 will likely roll around, and they will still be using IE6. This COTS product is irreplaceable and they use it for their core business.

Now, you may think the previous anecdote is laughable and never happens. I can tell you personally, that it is true.

It makes me a sad panda :( Especially when I realize there are so many people still using IE6 in that company that have opened themselves up to huge security breaches just by browsing the web.

Perhaps it will take some huge widespread event (like Operation Aurora) to change the minds of companies that rely on web products that only work in IE6, but I am not so sure. The risks have to outweigh the benefits.

Name of the Government Organization (1)

data2 (1382587) | more than 4 years ago | (#30790510)

Germany actually has a dedicated federal office just for information security. They gave this recommendation; in German it is called "Bundesamt für Sicherheit in der Informationstechnik". They also give out recommendations on how to secure private and corporate networks which are quite useful.

Not the German Government (3, Informative)

prefec2 (875483) | more than 4 years ago | (#30790616)

The "Bundesamt für Sicherheit in der Informationstechnik" (BSI), in English the Federal Office for Information Security, is not a governmental but a state institution. It is not strictly driven by the government, and it is controlled by the parliament, even though it works in the domain of the ministry of the interior. So no minister was involved in the "do not use IE" speech.

BTW: IE does not have the biggest market share in Germany.
