Source: http://news.bbc.co.uk/2/hi/technology/8463516.stm
( Saturday, 16 January 2010 )
The German government has warned web users to find an alternative browser to Internet Explorer to protect security
The warning from the Federal Office for Information Security comes after Microsoft admitted IE was the weak link in recent attacks on Google's systems. Microsoft rejected the warning, saying that the risk to users was low and that the browsers' increased security setting would prevent any serious risk. However, German authorities say that even this would not make IE fully safe.
Thomas Baumgaertner, a spokesman for Microsoft in Germany, said that while they were aware of the warning, they did not agree with it, saying that the attacks on Google were by "highly motivated people with a very specific agenda".
"These were not attacks against general users or consumers," said Mr Baumgaertner.
"There is no threat to the general user, consequently we do not support this warning," he added.
Microsoft says the security hole can be shut by setting the browser's security zone to "high", although this limits functionality and blocks many websites. However, Graham Cluley of anti-virus firm Sophos told BBC News that not only did the warning apply to versions 6, 7 and 8 of the browser, but the instructions on how to exploit the flaw had been posted on the internet.
"This is a vulnerability that was announced in the last couple of days. Microsoft have no patch yet and the implication is that this is the same one that exploited on the attacks on Google earlier this week," he said.
( This is not the complete article. )
Oh dear, Hope my college likes me using IE.
Yeah, I heard about this. Finally. IE is just one walking security breach.
The sooner people switch from IE to Firefox, Opera, Safari, Chrome, Lynx, Links, W3, Mosaic, Seamonkey, Konqueror, Mozilla, Netscape Navigator, Communicator, Dillo--anything else--the better.
Quote from: superluser on January 18, 2010, 04:52:23 PM
Yeah, I heard about this. Finally. IE is just one walking security breach.
The sooner people switch from IE to Firefox, Opera, Safari, Chrome, Lynx, Links, W3, Mosaic, Seamonkey, Konqueror, Mozilla, Netscape Navigator, Communicator, Dillo--anything else--the better.
It's amazing that it hasn't been in the newspapers over here. At least, not that I know of.
Quote from: Tytaj on January 18, 2010, 05:37:20 PM
It's amazing that it hasn't been in the newspapers over here. At least, not that I know of.
Oh, it's been everywhere in the States. China hacked into Gmail accounts using a flaw in Microsoft's^H^H^H^H^H^H^H^H^H^H^Ha web browser. They're certainly not going to say which web browser if it belongs to a Fortune 500 company, especially one that owns a major news source.
On the other hand, every single tech news outlet has been running daily stories about how everyone is telling people to stop using IE. Latest news:
France tells its citizens to stop using IE (http://yro.slashdot.org/story/10/01/18/2030224/France-Tells-Its-Citizens-To-Abandon-IE-Others-Disagree). I've seen stories running on Ars Technica, and even on Engadget.
yeah, it's a pity that security flaws are forcing people to switch browsers...
yeah, I said that, a pity. I happen to like IE6 (I just don't use it, because I happen to like not getting my computer infected more) because it doesn't have a bunch of stupid features that can't be turned off (like FF3's frecency sorted [complete opposite of] 'awesome' bar).
Funny story, I can't administer my company's firewall hardware because FF won't accept its certificate and I can't force it to load the page anyway; I have to use IE for that one task.
That said, whatever the security flaw is specifically, and the way to pull off the hack is available on the net, so it won't be too hard to find out, will be patched soon enough, and IE will go back to being just as secure as any other browser (no, FF is not any more secure unless you use a bunch of add-ons that enhance security, like no script and flash block... the only truly secure browser is the browser that never accesses the internet)
Quote from: Reese Tora on January 18, 2010, 11:38:17 PM
That said, whatever the security flaw is specifically, and the way to pull off the hack is available on the net, so it won't be too hard to find out, will be patched soon enough, and IE will go back to being just as secure as any other browser (no, FF is not any more secure unless you use a bunch of add-ons that enhance security, like no script and flash block... the only truly secure browser is the browser that never accesses the internet)
Well, agreed. I thought that Flashblock was basic browsing hygiene, though. (I'll admit that I don't use noscript, because it's far too much of a hassle)
Honestly, I don't use noscript either, only adblock and flash block, but it's always getting mentioned in browser security threads. In any case, default FF doesn't come with either, and the average user switching from IE may not even realize they have the option.
I use Firefox with NoScript, RequestPolicy (cross-site image, CSS, etc. request whitelisting). cookie whitelisting, don't send Referer, and probably disable other stuff that I can't recall at the moment. For specific trusted but especially poorly-designed sites I'll occasionally create single-use profiles as well if I really need to use them, but it's rare.
Honestly, it's hard for me to imagine browsing without these features despite the slight extra management required---occasionally I have to use someone else's browser or watch someone else browsing and am really rather shocked at the things people put up with on the Web. :B
Quote from: Fibre on January 19, 2010, 07:25:33 AM
<Snip> -occasionally I have to use someone else's browser or watch someone else browsing and am really rather shocked at the things people put up with on the Web. :B
The porn is everywhere! D:
and you secretly like it. >:3
Quote from: Tytaj on January 19, 2010, 07:59:01 AM
The porn is everywhere! D:
and you secretly like it. >:3
Heh, not sure if that was a joke or not, though no, I am not personally interested in adult content. But I'm not sure what it has to do with the part you quoted or my whole comment at all...
Sure it does. Everyone knows the internet is for porn.
But... but I thought that the Internet is for scholarly research. :<
You've clearly been lied to.
Quote from: Fibre on January 19, 2010, 08:16:22 AM
Quote from: Tytaj on January 19, 2010, 07:59:01 AM
The porn is everywhere! D:
and you secretly like it. >:3
Heh, not sure if that was a joke or not, though no, I am not personally interested in adult content. But I'm not sure what it has to do with the part you quoted or my whole comment at all...
Quote from: Fibre on January 19, 2010, 07:25:33 AM
<Snip> -occasionally I have to use someone else's browser or watch someone else browsing and am really rather shocked at the things people put up with on the Web ( The internet is for porn ) :B
It was sort of implied and I am perverted.
Quote from: Reese Tora on January 19, 2010, 02:38:38 AM
Honestly, I don't use noscript either, only adblock and flash block, but it's always getting mentioned in browser security threads. In any case, default FF doesn't come with either, and the average user switching from IE may not even realize they have the option.
I think Firefox now suggests that you should install Flashblock when you install Firefox (maybe I'm mistaken).
Quote from: Fibre on January 19, 2010, 07:25:33 AM
don't send Referer
If you're going that far, you might as well use Lynx. If you don't send a referrer, every other image is going to be either
(http://i158.photobucket.com/albums/t102/superluser/goinggoing.gif)
or goatse.
Quote from: Tytaj on January 19, 2010, 11:58:01 AM
It was sort of implied and I am perverted.
I still don't get it, sorry... the parts you highlighted from my post were referring to user abuse on the part of many websites, such as obnoxious ads and tracking. The parenthesized portion that you quoted as being from me was not in my post. :confused
Quote from: superluser on January 19, 2010, 12:02:40 PM
If you're going that far, you might as well use Lynx. If you don't send a referrer, every other image is going to be either
(bandwidth thief)
or goatse.
I wondered if that would be an issue, but it hasn't been at all. I have encountered exactly two sites (both comic sites) that have issues with not sending Referer, and they simply refuse the request rather than serving up alternate imagery. If someone wants to serve up goatse, fine, though I might not visit their site anymore. I have actually only run across it once about 10 years ago following a link from a Usenet post. It was a pretty stupid image, but I don't see why it's anything to be concerned about. If lack of Referer actually turned into a problem it'd be pretty trivial just to send along a fake Referer from the same domain anyway.
I do use Lynx as well and have tried other browsers (Midori and Arora look promising but are rather unstable at the moment) but for general-purpose use I haven't found anything as nice for me as a locked-down Firefox, despite its issues...
Quote from: superluser on January 19, 2010, 12:02:40 PM
Quote from: Reese Tora on January 19, 2010, 02:38:38 AM
Honestly, I don't use noscript either, only adblock and flash block, but it's always getting mentioned in browser security threads. In any case, default FF doesn't come with either, and the average user switching from IE may not even realize they have the option.
I think Firefox now suggests that you should install Flashblock when you install Firefox (maybe I'm mistaken).
Could be, I generally don't allow my browsers to display the 'welcome' page because I like to go in and set everything myself.
Referrer wise, I use RefControl, with settings "forge, for third party requests only". This allows me to view hotlinked content that otherwise would be blocked, and I generally don't care that a site knows what pages of that site I've been on - But if you care about that, RefControl can be set to block/forge any referrer you want.
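The two posts above describe the same mechanism from both ends: a site that checks the Referer header to decide whether an image request is "hotlinked", and a client that strips or forges that header. The following Python is an added example, not code from the original thread or from RefControl; it models a typical server-side hotlink check (missing Referer treated as a direct visit, as the comic sites Fibre mentions do, or refused, as a stricter policy would) and a "forge for third-party requests only" client policy modelled on what RefControl's forge mode is assumed to do (send the root of the requested site). The host name `comics.example`, the sample requests and the helper names are constructed for the example. Running it shows why a Referer check is at best a bandwidth-saving heuristic and never an access control: the client decides what the header says.

```python
from urllib.parse import urlsplit, urlunsplit


def referer_host(referer):
    """Return the lower-cased host named in a Referer header, or None when the
    header is absent, empty or cannot be parsed as a URL."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host or None


def hotlink_decision(referer, site_host, allow_missing=True):
    """Server-side hotlink check for an image request.

    allow_missing=True  -> no/unparseable Referer is treated like a direct visit
                           (the behaviour of most sites in the thread).
    allow_missing=False -> the request is refused instead (the two comic sites).
    Any Referer naming a different host is refused as a third-party embed.
    """
    host = referer_host(referer)
    if host is None:
        return "allow" if allow_missing else "deny"
    return "allow" if host == site_host.lower() else "deny"


def forge_referer(page_url, request_url):
    """Client-side policy 'forge, for third-party requests only' (assumed model of
    RefControl's forge mode): a same-site request carries the real page URL, a
    cross-site request carries the root of the site being requested instead."""
    page, target = urlsplit(page_url), urlsplit(request_url)
    if page.hostname == target.hostname:
        return page_url
    return urlunsplit((target.scheme, target.netloc, "/", "", ""))


# Constructed sample image requests for comics.example: (Referer header, situation)
SAMPLE_REQUESTS = [
    (None, "privacy add-on stripped the header"),
    ("http://comics.example/archive/1", "visitor came from a page on the same site"),
    ("https://COMICS.example:443/x", "same host, different scheme/port/case"),
    ("http://other.example/forum", "image embedded on a third-party forum"),
    ("garbage", "unparseable header"),
]


def evaluate_samples(site_host="comics.example"):
    """Apply the lenient policy to every sample and return the decisions in order."""
    return [hotlink_decision(ref, site_host) for ref, _ in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ref, why), decision in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{decision:5}  Referer={ref!r:40}  ({why})")
    # The forging client turns the one 'deny' into an 'allow' without touching the server.
    forged = forge_referer("http://other.example/forum", "http://comics.example/img/strip.png")
    print("forged header:", forged, "->", hotlink_decision(forged, "comics.example"))
```

The practical reading for a site operator is the one Fibre and Reese Tora arrive at: a Referer-based check deters casual bandwidth theft and nothing more, and refusing requests that carry no Referer mostly punishes privacy-conscious visitors rather than hotlinkers.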
Quote from: Reese Tora on January 18, 2010, 11:38:17 PM
yeah, it's a pity that security flaws are forcing people to switch browsers...
yeah, I said that, a pity. I happen to like IE6 (I just don't use it, because I happen to like not getting my computer infected more) because it doesn't have a bunch of stupid features that can't be turned off (like FF3's frecency sorted [complete opposite of] 'awesome' bar).
Funny story, I can't administer my company's firewall hardware because FF won't accept its certificate and I can't force it to load the page anyway; I have to use IE for that one task.
That said, whatever the security flaw is specifically, and the way to pull off the hack is available on the net, so it won't be too hard to find out, will be patched soon enough, and IE will go back to being just as secure as any other browser (no, FF is not any more secure unless you use a bunch of add-ons that enhance security, like no script and flash block... the only truly secure browser is the browser that never accesses the internet)
http://secunia.com/advisories/product/21625/ (38% known security flaws unpatched)
http://secunia.com/advisories/product/25800/ (No known security flaws unpatched)
I don't see how that makes IE "just as secure"
As for the software not running on FF, yeah, it's a sad thing so many developers thought the only thing in the world was IE and never heard of W3C
Quote from: Jack McSlay on January 28, 2010, 08:07:20 AM
As for the software not running on FF, yeah, it's a sad thing so many developers thought the only thing in the world was IE and never heard of W3C
Oh, no, neither browser likes the security certificate, it's just FF doesn't have an obvious way for me to override the security settings and load the page anyway; IE has a popup that tells me the certificate is bad but gives the option to load the page.
FF guys might be awesome at programming secure software, but they have yet to show me a browser that I would rather use than IE6. This is a personal opinion, not a debatable fact.
--edit--
Had a chance to take a look at those links you posted... One of us isn't reading that site correctly, because those two pages do not appear to back up what I think you were saying. For one thing, FF 3.5 has more known vulnerabilities than IE8 according to those two pages. They also do not make clear what the difference is between one of their alerts and a vulnerability.
Quote from: Reese Tora on January 28, 2010, 11:42:02 AM
Had a chance to take a look at those links you posted... One of us isn't reading that site correctly, because those two pages do not appear to back up what I think you were saying. For one thing, FF 3.5 has more known vulnerabilities than IE8 according to those two pages. They also do not make clear what the difference is between one of their alerts and a vulnerability.
Click on List of Secunia Advisories (All time):
Secunia has issued a total of 6 Secunia advisories in 2003-2010 for Mozilla Firefox 3.5.x. Currently, 0% (0 out of 6) are marked as unpatched.
Secunia has issued a total of 8 Secunia advisories in 2003-2010 for Microsoft Internet Explorer 8.x. Currently, 38% (3 out of 8) are marked as unpatched with the most severe being rated Less critical
Mozilla gets a comparable number of advisories, but they get fixed.
Quote from: superluser on January 29, 2010, 03:34:31 AM
Click on List of Secunia Advisories (All time):
Secunia has issued a total of 6 Secunia advisories in 2003-2010 for Mozilla Firefox 3.5.x. Currently, 0% (0 out of 6) are marked as unpatched.
Secunia has issued a total of 8 Secunia advisories in 2003-2010 for Microsoft Internet Explorer 8.x. Currently, 38% (3 out of 8) are marked as unpatched with the most severe being rated Less critical
Mozilla gets a comparable number of advisories, but they get fixed.
Right, but looking at the number of vulnerabilities, FF 3.5.x has half again as many vulnerabilities as IE8, and I looked around that site and didn't see anything that defines the difference between the various things they say. Numbers are worthless without proper definition.
This site does not clearly define the difference between these things anywhere that I looked, and I think that vulnerabilities sound a bit more important than whatever so called 'alerts' they happen to have.
Quote from: Reese Tora on January 29, 2010, 12:45:20 PM
Right, but looking at the number of vulnerabilities, FF 3.5.x has half again as many vulnerabilities as IE8, and I looked around that site and didn't see anything that defines the difference between the various things they say. Numbers are worthless without proper definition.
This site does not clearly define the difference between these things anywhere that I looked, and I think that vulnerabilities sound a bit more important than whatever so called 'alerts' they happen to have.
Yeah, I've never really heard of Pecunia, so I think I'll go with CERT. Both Microsoft and Firefox have 49 vulnerabilities, but MS has 12 open ones, two of which apply to both MSIE and FF (most from 2007-2010, but one from 1997). With the exception of 515749, all of IE's vulnerabilities come from ActiveX (which naturally only applies to IE).
Firefox has three. Two of which apply to both MSIE and FF. The other one is from 2007, and depends on an obsolete version of Quicktime.
IE:
http://www.kb.cert.org/vuls/id/340420
http://www.kb.cert.org/vuls/id/179105
http://www.kb.cert.org/vuls/id/735441
http://www.kb.cert.org/vuls/id/963889
http://www.kb.cert.org/vuls/id/848873
http://www.kb.cert.org/vuls/id/908801
http://www.kb.cert.org/vuls/id/485961
http://www.kb.cert.org/vuls/id/515749
http://www.kb.cert.org/vuls/id/773545
http://www.kb.cert.org/vuls/id/204889
Firefox:
http://www.kb.cert.org/vuls/id/751808
Both:
http://www.kb.cert.org/vuls/id/120541
http://www.kb.cert.org/vuls/id/261869
Quote from: superluser on January 29, 2010, 04:01:16 PM
Quote from: Reese Tora on January 29, 2010, 12:45:20 PM
Right, but looking at the number of vulnerabilities, FF 3.5.x has half again as many vulnerabilities as IE8, and I looked around that site and didn't see anything that defines the difference between the various things they say. Numbers are worthless without proper definition.
This site does not clearly define the difference between these things anywhere that I looked, and I think that vulnerabilities sound a bit more important than whatever so called 'alerts' they happen to have.
Yeah, I've never really heard of Pecunia, so I think I'll go with CERT. Both Microsoft and Firefox have 49 vulnerabilities, but MS has 12 open ones, two of which apply to both MSIE and FF (most from 2007-2010, but one from 1997). With the exception of 515749, all of IE's vulnerabilities come from ActiveX (which naturally only applies to IE).
Firefox has three. Two of which apply to both MSIE and FF. The other one is from 2007, and depends on an obsolete version of Quicktime.
So... basically, if I understand what you said correctly, if you block ActiveX controls, IE and FF are on roughly the same footing?
Quote from: Reese Tora on January 29, 2010, 10:44:43 PM
So... basically, if I understand what you said correctly, if you block ActiveX controls, IE and FF are on roughly the same footing?
Basically, IE vs FF with nothing disabled is 12(*) vs 3(*) unpatched vulnerabilities.
With ActiveX disabled and the most recent version of Quicktime installed, that goes to IE 3(*), FF 2(*). The remaining IE vulnerability is a flaw in the way IE interprets CSS.
(*) To be fair, 120541 (a vulnerability in SSL >=3.0 and TLS >=1.0) and 261869 (a flaw in Clientless SSL VPN) may not be vulnerabilities in IE, FF, or either. Both reports suggest calling the companies.
Ah, that clears things up pretty well, at least until someone discovers a new vulnerability in one or the other of them. :)
You are aware that Google is dropping support for IE6, right? Google Docs and Sites will no longer function correctly as of March, and in all likelihood youtube will go the same way at some stage too.
http://www.itworld.com/internet/94809/google-end-support-ie6
Quote from: superluser on January 30, 2010, 12:24:36 AM
Quote from: Reese Tora on January 29, 2010, 10:44:43 PM
So... basically, if I understand what you said correctly, if you block ActiveX controls, IE and FF are on roughly the same footing?
Basically, IE vs FF with nothing disabled is 12(*) vs 3(*) unpatched vulnerabilities.
With ActiveX disabled and the most recent version of Quicktime installed, that goes to IE 3(*), FF 2(*). The remaining IE vulnerability is a flaw in the way IE interprets CSS.
(*) To be fair, 120541 (a vulnerability in SSL >=3.0 and TLS >=1.0) and 261869 (a flaw in Clientless SSL VPN) may not be vulnerabilities in IE, FF, or either. Both reports suggest calling the companies.
... of course, the main reason to use IE is to use ActiveX controls written by moronic companies who haven't heard that the idea of the World Wide Web is communication, and the ability to view the content from anywhere.
But I digress.
Quote from: Tapewolf on January 30, 2010, 10:19:35 AM
You are aware that Google is dropping support for IE6, right? Google Docs and Sites will no longer function correctly as of March, and in all likelihood youtube will go the same way at some stage too.
http://www.itworld.com/internet/94809/google-end-support-ie6
Came here to say that. IE6, by the way, opens up a whole new load of unpatched vulnerabilities:
http://secunia.com/advisories/product/11/?task=advisories
Quote from: superluser on January 30, 2010, 10:39:08 AM
Quote from: Tapewolf on January 30, 2010, 10:19:35 AM
You are aware that Google is dropping support for IE6, right? Google Docs and Sites will no longer function correctly as of March, and in all likelihood youtube will go the same way at some stage too.
http://www.itworld.com/internet/94809/google-end-support-ie6
Came here to say that. IE6, by the way, opens up a whole new load of unpatched vulnerabilities:
http://secunia.com/advisories/product/11/?task=advisories
gee, I hope that isn't directed at me, because I actually use FF3.5.x on all my computers. Much as I might like the old browser, and much as I might hate the awfulesome bar, I'm not stupid enough to think that I can use it anymore.
Quote from: Reese Tora on January 30, 2010, 02:34:29 PM
gee, I hope that isn't directed at me, because I actually use FF3.5.x on all my computers. Much as I might like the old browser, and much as I might hate the awfulesome bar, I'm not stupid enough to think that I can use it anymore.
My apologies for attempting to be helpful. I will try to avoid this in future.
Quote from: Reese Tora on January 30, 2010, 02:34:29 PM
gee, I hope that isn't directed at me, because I actually use FF3.5.x on all my computers. Much as I might like the old browser, and much as I might hate the awfulesome bar, I'm not stupid enough to think that I can use it anymore.
Sorry. I remembered you liking IE6 but forgot that you didn't use it.
no worries, just pointing out that I don't use it.
And, sorry, Tape, I didn't mean to sound hostile about it, and I don't mean to stop you from offering helpful advice in the future.
I think I did mention earlier that I don't use IE at all any more, but it was probably buried inside a larger chunk of text.
Quote from: Reese Tora on January 30, 2010, 04:05:35 PM
no worries, just pointing out that I don't use it.
And, sorry, Tape, I didn't mean to sound hostile about it, and I don't mean to stop you from offering helpful advice in the future.
Okay, in that case I take it back :3
Quote
I think I did mention earlier that I don't use IE at all any more, but it was probably buried inside a larger chunk of text.
Ah, right. Specifically, it was the line:
"FF guys might be awesome at programming secure software, but they have yet to show me a browser that I would rather use than IE6. This is a personal opinion, not a debatable fact."
... which strongly implied that you had resolved to keep using it come what may. Evidently I missed the other part, but as long as you're not going to be affected by Google's decision, that's the most important thing.
What is frustrating is when I go out of my way to try and help someone and they snap, which has happened a fair bit lately, so maybe I was taking it out on you a bit. Sorry about that.
hehe, yeah, I can see how you might take it that way. :)
I am an old curmudgeon, and I hate everything (in the current generation of browsers) Out of everything, FF is definitely the best one. Mostly I get upset when everyone keeps introducing new features and then forcing you to use the new features.
I'm curious. What is this highly ingrained FF feature that can't be disabled you speak of? Because I have a profile just for my bank account
http://i333.photobucket.com/albums/m376/jack_mcslay/foruns/simpff.png
and I don't see what's left that should be disable-able
actually, it's a fairly minor feature...
basically, the address bar has an auto complete feature, which I use for various purposes. Pretty much my entire pre FF3 browsing experience has me going to two sources for navigation: favorites, and address bar auto complete. In most browsers, what it does is it fills in with any URL that you have visited listed in alphabetical order (etc, you know this already)
FF3 includes a set of features that affect the way these results are generated and sorted, and these features cannot be turned off without turning off the entire auto complete feature (they can be modified, but it is impossible to restore the classic function as seen in other browsers like, say, IE6). The fact that all this is stored in a database structure and it can take several seconds for FF to generate auto complete results is a bonus annoyance.
Whoop! Just under two weeks!
Quote from: superluser on January 19, 2010, 12:02:40 PM
I think Firefox now suggests that you should install Flashblock when you install Firefox (maybe I'm mistaken).
After the recent security bulletin (http://www.us-cert.gov/current/index.html#adobe_releases_security_bulletins_fo), I decided to upgrade my Flash (you should, too). Turns out I was mistaken. It's *Gentoo* that suggests installing Flashblock:
Quote
Flash player is closed-source, with a long history of security issues. Please consider only running flash applets you know to be safe. The 'flashblock' extension may help for mozilla users: https://addons.mozilla.org/en-US/firefox/addon/433
Also, in Microsoft-related security news, the recent patch for the old MS DOS vulnerability seems to cause r00ted computers to crash (http://www.engadget.com/2010/02/13/windows-xp-patch-fiasco-gets-even-crazier-microsoft-now-scrambl/).
Quote from: superluser on February 13, 2010, 02:20:15 AM
Also, in Microsoft-related security news, the recent patch for the old MS DOS vulnerability seems to cause r00ted computers to crash (http://www.engadget.com/2010/02/13/windows-xp-patch-fiasco-gets-even-crazier-microsoft-now-scrambl/).
Huh...so that's why my computer has been getting so many auto-updates that make it automatically reboot lately... (the auto-reboot thing has been getting very irritating)
Quote from: Reese Tora on January 31, 2010, 01:51:32 PM
actually, it's a fairly minor feature...
According to this web page (http://www.trap17.com/index.php/Disable-Firefox39s-Awesome-Bar_t59174.html), in about:config you change browser.urlbar.matchOnlyTyped to "true".
There's also an add-on called Old Location Bar (https://addons.mozilla.org/en-US/firefox/addon/7637) which allows you to configure the address bar to your liking.
I've messed with that, Sofox, but it's the order and number of results that is at issue.
The order is not alphabetical (nor does it ignore a server name of www - all those get put at the end; missmab.com and www.missmab.com should be next to each other, not half the list away)
And, while you can expand the max search results from the default, the database system that FF uses for storing your history in order to generate frecency stats means that the browser REALLY chugs when you set it to have enough search results that nothing is left out.
Also, match only typed doesn't allow me to use the address bar to find sites that I visited by following a link, since it means that FF will only return results that were typed into the address bar. This is not the desired behavior.
Believe me, I have previously spent over a day wrestling with this system trying to get it to work like I want.
And I do have oldbar installed. :)
The extension I linked to is not oldbar, it's a different plugin that has more features than oldbar (as well as doing everything oldbar does). Maybe one of those new features is what you need.
Quote from: Sofox on February 13, 2010, 03:03:39 PM
The extension I linked to is not oldbar, it's a different plugin that has more features than oldbar (as well as doing everything oldbar does). Maybe one of those new features is what you need.
hmmm... the only detectable difference is that the page title is no longer displaying to the right...
I think my problems are inherent to how FF stores history and uses frecency sorting, so it's not going to get fixed by just an add in.
Oh okay, well sorry about that.
Hope you can get it working in some way that suits you.