Germany, MS Explorer

Started by Suwako, January 18, 2010, 09:38:19 AM


Suwako

Source: http://news.bbc.co.uk/2/hi/technology/8463516.stm

( Saturday, 16 January 2010 )

The German government has warned web users to find an alternative browser to Internet Explorer to protect security.

The warning from the Federal Office for Information Security comes after Microsoft admitted IE was the weak link in recent attacks on Google's systems. Microsoft rejected the warning, saying that the risk to users was low and that the browser's increased security setting would prevent any serious risk. However, German authorities say that even this would not make IE fully safe.


Thomas Baumgaertner, a spokesman for Microsoft in Germany, said that while they were aware of the warning, they did not agree with it, saying that the attacks on Google were by "highly motivated people with a very specific agenda".

"These were not attacks against general users or consumers," said Mr Baumgaertner.

"There is no threat to the general user, consequently we do not support this warning," he added.

Microsoft says the security hole can be shut by setting the browser's security zone to "high", although this limits functionality and blocks many websites. However, Graham Cluley of anti-virus firm Sophos told BBC News that not only did the warning apply to versions 6, 7 and 8 of the browser, but the instructions on how to exploit the flaw had been posted on the internet.

"This is a vulnerability that was announced in the last couple of days. Microsoft have no patch yet and the implication is that this is the same one that was exploited in the attacks on Google earlier this week," he said.



( This is not the complete article. )


Oh dear, hope my college likes me using IE.

superluser

Yeah, I heard about this.  Finally.  IE is just one walking security breach.

The sooner people switch from IE to Firefox, Opera, Safari, Chrome, Lynx, Links, W3, Mosaic, Seamonkey, Konqueror, Mozilla, Netscape Navigator, Communicator, Dillo--anything else--the better.


Would you like a googolplex (gzipped 57 times)?

Suwako

Quote from: superluser on January 18, 2010, 04:52:23 PM
Yeah, I heard about this.  Finally.  IE is just one walking security breach.

The sooner people switch from IE to Firefox, Opera, Safari, Chrome, Lynx, Links, W3, Mosaic, Seamonkey, Konqueror, Mozilla, Netscape Navigator, Communicator, Dillo--anything else--the better.

It's amazing that it hasn't been in the newspapers over here. At least, not that I know of.

superluser

Quote from: Tytaj on January 18, 2010, 05:37:20 PM
It's amazing that it hasn't been in the newspapers over here. At least, not that I know of.

Oh, it's been everywhere in the States.  China hacked into Gmail accounts using a flaw in Microsoft's^H^H^H^H^H^H^H^H^H^H^Ha web browser.  They're certainly not going to say which web browser if it belongs to a Fortune 500 company, especially one that owns a major news source.

On the other hand, every single tech news outlet has been running daily stories about how everyone is telling people to stop using IE.  Latest news:

France tells its citizens to stop using IE.  I've seen stories running on Ars Technica, and even on Engadget.



Reese Tora

yeah, it's a pity that security flaws are forcing people to switch browsers...

yeah, I said that, a pity.  I happen to like IE6 (I just don't use it, because I happen to like not getting my computer infected more) because it doesn't have a bunch of stupid features that can't be turned off(like FF3's frecency sorted [complete opposite of]'awesome' bar).

Funny story, I can't administer my company's firewall hardware because FF won't accept its certificate and I can't force it to load the page anyway; I have to use IE for that one task.

That said, whatever the security flaw is specifically, and the way to pull off the hack is available on the net, so it won't be too hard to find out, will be patched soon enough, and IE will go back to being just as secure as any other browser (no, FF is not any more secure unless you use a bunch of add-ons that enhance security, like no script and flash block... the only truly secure browser is the browser that never accesses the internet)
<-Reese yaps by Silverfox and Animation by Tiger_T->
correlation =/= causation

superluser

Quote from: Reese Tora on January 18, 2010, 11:38:17 PM
That said, whatever the security flaw is specifically, and the way to pull off the hack is available on the net, so it won't be too hard to find out, will be patched soon enough, and IE will go back to being just as secure as any other browser (no, FF is not any more secure unless you use a bunch of add-ons that enhance security, like no script and flash block... the only truly secure browser is the browser that never accesses the internet)

Well, agreed.  I thought that Flashblock was basic browsing hygiene, though. (I'll admit that I don't use noscript, because it's far too much of a hassle)



Reese Tora

Honestly, I don't use noscript either, only adblock and flash block, but it's always getting mentioned in browser security threads.  In any case, default FF doesn't come with either, and the average user switching from IE may not even realize they have the option.

Fibre

I use Firefox with NoScript, RequestPolicy (cross-site image, CSS, etc. request whitelisting), cookie whitelisting, don't send Referer, and probably disable other stuff that I can't recall at the moment. For specific trusted but especially poorly-designed sites I'll occasionally create single-use profiles as well if I really need to use them, but it's rare.

Honestly, it's hard for me to imagine browsing without these features despite the slight extra management required---occasionally I have to use someone else's browser or watch someone else browsing and am really rather shocked at the things people put up with on the Web. :B

Suwako

Quote from: Fibre on January 19, 2010, 07:25:33 AM
<Snip> -occasionally I have to use someone else's browser or watch someone else browsing and am really rather shocked at the things people put up with on the Web. :B

The porn is everywhere! D:

and you secretly like it.  >:3

Fibre

Quote from: Tytaj on January 19, 2010, 07:59:01 AM
The porn is everywhere! D:

and you secretly like it.  >:3

Heh, not sure if that was a joke or not, though no, I am not personally interested in adult content. But I'm not sure what it has to do with the part you quoted or my whole comment at all...

Mao

Sure it does.  Everyone knows the internet is for porn.

Fibre

But... but I thought that the Internet is for scholarly research. :<

Mao


Suwako

Quote from: Fibre on January 19, 2010, 08:16:22 AM
Quote from: Tytaj on January 19, 2010, 07:59:01 AM
The porn is everywhere! D:

and you secretly like it.  >:3

Heh, not sure if that was a joke or not, though no, I am not personally interested in adult content. But I'm not sure what it has to do with the part you quoted or my whole comment at all...

Quote from: Fibre on January 19, 2010, 07:25:33 AM
<Snip> -occasionally I have to use someone else's browser or watch someone else browsing and am really rather shocked at the things people put up with on the Web ( The internet is for porn ) :B

It was sort of implied and I am perverted.

superluser

Quote from: Reese Tora on January 19, 2010, 02:38:38 AM
Honestly, I don't use noscript either, only adblock and flash block, but it's always getting mentioned in browser security threads.  In any case, default FF doesn't come with either, and the average user switching from IE may not even realize they have the option.

I think Firefox now suggests that you should install Flashblock when you install Firefox (maybe I'm mistaken).

Quote from: Fibre on January 19, 2010, 07:25:33 AM
don't send Referer

If you're going that far, you might as well use Lynx.  If you don't send a referrer, every other image is going to be either



or goatse.



Fibre

Quote from: Tytaj on January 19, 2010, 11:58:01 AM
It was sort of implied and I am perverted.

I still don't get it, sorry... the parts you highlighted from my post were referring to user abuse on the part of many websites, such as obnoxious ads and tracking. The parenthesized portion that you quoted as being from me was not in my post. :confused

Quote from: superluser on January 19, 2010, 12:02:40 PM
If you're going that far, you might as well use Lynx.  If you don't send a referrer, every other image is going to be either

(bandwidth thief)

or goatse.

I wondered if that would be an issue, but it hasn't been at all. I have encountered exactly two sites (both comic sites) that have issues with not sending Referer, and they simply refuse the request rather than serving up alternate imagery. If someone wants to serve up goatse, fine, though I might not visit their site anymore. I have actually only run across it once about 10 years ago following a link from a Usenet post. It was a pretty stupid image, but I don't see why it's anything to be concerned about. If lack of Referer actually turned into a problem it'd be pretty trivial just to send along a fake Referer from the same domain anyway.

I do use Lynx as well and have tried other browsers (Midori and Arora look promising but are rather unstable at the moment) but for general-purpose use I haven't found anything as nice for me as a locked-down Firefox, despite its issues...

Reese Tora

Quote from: superluser on January 19, 2010, 12:02:40 PM
Quote from: Reese Tora on January 19, 2010, 02:38:38 AM
Honestly, I don't use noscript either, only adblock and flash block, but it's always getting mentioned in browser security threads.  In any case, default FF doesn't come with either, and the average user switching from IE may not even realize they have the option.

I think Firefox now suggests that you should install Flashblock when you install Firefox (maybe I'm mistaken).

Could be, I generally don't allow my browsers to display the 'welcome' page because I like to go in and set everything myself.

RobbieThe1st

Referrer-wise, I use RefControl, with settings "forge, for third party requests only". This allows me to view hotlinked content that otherwise would be blocked, and I generally don't care that a site knows what pages of that site I've been on - but if you care about that, RefControl can be set to block/forge any referrer you want.

Pasteris.ttf <- Pasteris is the font used for text in DMFA.
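
The Referer behaviour discussed in the posts above (sites that refuse image requests without a Referer, and clients that omit or rewrite the header), sketched as a server-side hotlink check. This is an added example and not code from any poster or site in the thread; the host name, policy names and sample requests are constructed for illustration.

```javascript
// Added example. SITE_HOST, MissingPolicy and the samples are hypothetical.
const SITE_HOST = "comics.example";
const MissingPolicy = { ALLOW: "allow", REFUSE: "refuse" };

// Returns the Referer's hostname, null if the header is absent or empty,
// or undefined if it is present but not a parseable absolute URL.
function refererHost(value) {
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return undefined;
  }
}

// Exact host or a true subdomain. A substring test would also accept
// "comics.example.other.test" and "notcomics.example".
function isOwnHost(host) {
  return host === SITE_HOST || host.endsWith("." + SITE_HOST);
}

// headers: an object with lower-cased header names, as Node's http module provides.
function decideImageRequest(headers, missingPolicy = MissingPolicy.ALLOW) {
  const host = refererHost(headers["referer"]);
  if (host === null) {
    // Client configured not to send Referer: the site has to pick a policy.
    return missingPolicy === MissingPolicy.ALLOW ? "serve" : "refuse";
  }
  if (host === undefined) return "refuse";
  return isOwnHost(host) ? "serve" : "refuse";
}

// Constructed sample requests.
const samples = [
  ["image on the site's own page", { referer: "https://comics.example/page/12" }],
  ["hotlinked from another site", { referer: "https://forum.example/thread/7" }],
  ["no Referer sent", {}],
  ["lookalike host", { referer: "https://comics.example.other.test/" }],
  // The client controls this header, so the value proves nothing about the origin.
  ["Referer rewritten by the client", { referer: "https://comics.example/" }],
];

for (const [label, headers] of samples) {
  console.log(label.padEnd(34),
              decideImageRequest(headers), "/",
              decideImageRequest(headers, MissingPolicy.REFUSE));
}
```

The last sample is served under either policy because the header is supplied by the client: a Referer check cuts down casual hotlinking but is not an access control.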

Jack McSlay

Quote from: Reese Tora on January 18, 2010, 11:38:17 PM
yeah, it's a pity that security flaws are forcing people to switch browsers...

yeah, I said that, a pity.  I happen to like IE6 (I just don't use it, because I happen to like not getting my computer infected more) because it doesn't have a bunch of stupid features that can't be turned off(like FF3's frecency sorted [complete opposite of]'awesome' bar).

Funny story, I can't administer my company's firewall hardware because FF won't accept its certificate and I can't force it to load the page anyway; I have to use IE for that one task.

That said, whatever the security flaw is specifically, and the way to pull off the hack is available on the net, so it won't be too hard to find out, will be patched soon enough, and IE will go back to being just as secure as any other browser (no, FF is not any more secure unless you use a bunch of add-ons that enhance security, like no script and flash block... the only truly secure browser is the browser that never accesses the internet)

http://secunia.com/advisories/product/21625/ (38% known security flaws unpatched)
http://secunia.com/advisories/product/25800/ (No known security flaws unpatched)
I don't see how that makes IE "just as secure".

As for the software not running on FF, yeah, it's a sad thing so many developers thought the only thing in the world was IE and never heard of W3C.
Keyboard not detected. Press F1 to resume.

Reese Tora

Quote from: Jack McSlay on January 28, 2010, 08:07:20 AM
As for the software not running on FF, yeah, it's a sad thing so many developers thought the only thing in the world was IE and never heard of W3C

Oh, no, neither browser likes the security certificate, it's just FF doesn't have an obvious way for me to override the security settings and load the page anyway; IE has a popup that tells me the certificate is bad but gives the option to load the page.

FF guys might be awesome at programming secure software, but they have yet to show me a browser that I would rather use than IE6.  This is a personal opinion, not a debatable fact.

--edit--

Had a chance to take a look at those links you posted... One of us isn't reading that site correctly, because those two pages do not appear to back up what I think you were saying.  For one thing, FF 3.5 has more known vulnerabilities than IE8 according to those two pages.  They also do not make clear what the difference is between one of their alerts and a vulnerability.

superluser

Quote from: Reese Tora on January 28, 2010, 11:42:02 AM
Had a chance to take a look at those links you posted... One of us isn't reading that site correctly, because those two pages do not appear to back up what I think you were saying.  For one thing, FF 3.5 has more known vulnerabilities than IE8 according to those two pages.  They also do not make clear what the difference is between one of their alerts and a vulnerability.

Click on List of Secunia Advisories (All time):

Secunia has issued a total of 6 Secunia advisories in 2003-2010 for Mozilla Firefox 3.5.x. Currently, 0% (0 out of 6) are marked as unpatched.

Secunia has issued a total of 8 Secunia advisories in 2003-2010 for Microsoft Internet Explorer 8.x. Currently, 38% (3 out of 8) are marked as unpatched with the most severe being rated Less critical

Mozilla gets a comparable number of advisories, but they get fixed.



Reese Tora

Quote from: superluser on January 29, 2010, 03:34:31 AM
Click on List of Secunia Advisories (All time):

Secunia has issued a total of 6 Secunia advisories in 2003-2010 for Mozilla Firefox 3.5.x. Currently, 0% (0 out of 6) are marked as unpatched.

Secunia has issued a total of 8 Secunia advisories in 2003-2010 for Microsoft Internet Explorer 8.x. Currently, 38% (3 out of 8) are marked as unpatched with the most severe being rated Less critical

Mozilla gets a comparable number of advisories, but they get fixed.

Right, but looking at the number of vulnerabilities, FF 3.5.x has half again as many vulnerabilities as IE8, and I looked around that site and didn't see anything that defines the difference between the various things they say.  Numbers are worthless without proper definition.

This site does not clearly define the difference between these things anywhere that I looked, and I think that vulnerabilities sound a bit more important than whatever so called 'alerts' they happen to have.

superluser

Quote from: Reese Tora on January 29, 2010, 12:45:20 PM
Right, but looking at the number of vulnerabilities, FF 3.5.x has half again as many vulnerabilities as IE8, and I looked around that site and didn't see anything that defines the difference between the various things they say.  Numbers are worthless without proper definition.

This site does not clearly define the difference between these things anywhere that I looked, and I think that vulnerabilities sound a bit more important than whatever so called 'alerts' they happen to have.

Yeah, I've never really heard of Pecunia, so I think I'll go with CERT.  Both Microsoft and Firefox have 49 vulnerabilities, but MS has 12 open ones, two of which apply to both MSIE and FF (most from 2007-2010, but one from 1997).  With the exception of 515749, all of IE's vulnerabilities come from ActiveX (which naturally only applies to IE).

Firefox has three.  Two of which apply to both MSIE and FF.  The other one is from 2007, and depends on an obsolete version of Quicktime.

IE:
http://www.kb.cert.org/vuls/id/340420
http://www.kb.cert.org/vuls/id/179105
http://www.kb.cert.org/vuls/id/735441
http://www.kb.cert.org/vuls/id/963889
http://www.kb.cert.org/vuls/id/848873
http://www.kb.cert.org/vuls/id/908801
http://www.kb.cert.org/vuls/id/485961
http://www.kb.cert.org/vuls/id/515749
http://www.kb.cert.org/vuls/id/773545
http://www.kb.cert.org/vuls/id/204889

Firefox:
http://www.kb.cert.org/vuls/id/751808

Both:
http://www.kb.cert.org/vuls/id/120541
http://www.kb.cert.org/vuls/id/261869



Reese Tora

Quote from: superluser on January 29, 2010, 04:01:16 PM
Quote from: Reese Tora on January 29, 2010, 12:45:20 PM
Right, but looking at the number of vulnerabilities, FF 3.5.x has half again as many vulnerabilities as IE8, and I looked around that site and didn't see anything that defines the difference between the various things they say.  Numbers are worthless without proper definition.

This site does not clearly define the difference between these things anywhere that I looked, and I think that vulnerabilities sound a bit more important than whatever so called 'alerts' they happen to have.

Yeah, I've never really heard of Pecunia, so I think I'll go with CERT.  Both Microsoft and Firefox have 49 vulnerabilities, but MS has 12 open ones, two of which apply to both MSIE and FF (most from 2007-2010, but one from 1997).  With the exception of 515749, all of IE's vulnerabilities come from ActiveX (which naturally only applies to IE).

Firefox has three.  Two of which apply to both MSIE and FF.  The other one is from 2007, and depends on an obsolete version of Quicktime.


So... basically, if I understand what you said correctly, if you block ActiveX controls, IE and FF are on roughly the same footing?

superluser

Quote from: Reese Tora on January 29, 2010, 10:44:43 PM
So... basically, if I understand what you said correctly, if you block ActiveX controls, IE and FF are on roughly the same footing?

Basically, IE vs FF with nothing disabled is 12(*) vs 3(*) unpatched vulnerabilities.

With ActiveX disabled and the most recent version of Quicktime installed, that goes to IE 3(*), FF 2(*).  The remaining IE vulnerability is a flaw in the way IE interprets CSS.

(*) To be fair, 120541 (a vulnerability in SSL >=3.0 and TLS >=1.0) and 261869 (a flaw in Clientless SSL VPN) may not be vulnerabilities in IE, FF, or either.  Both reports suggest calling the companies.



Reese Tora

Ah, that clears things up pretty well, at least until someone discovers a new vulnerability in one or the other of them. :)

Tapewolf

You are aware that Google is dropping support for IE6, right?  Google Docs and Sites will no longer function correctly as of March, and in all likelihood youtube will go the same way at some stage too.

http://www.itworld.com/internet/94809/google-end-support-ie6


J.P. Morris, Chief Engineer DMFA Radio Project * IT-HE * D-T-E


llearch n'n'daCorna

Quote from: superluser on January 30, 2010, 12:24:36 AM
Quote from: Reese Tora on January 29, 2010, 10:44:43 PM
So... basically, if I understand what you said correctly, if you block ActiveX controls, IE and FF are on roughly the same footing?

Basically, IE vs FF with nothing disabled is 12(*) vs 3(*) unpatched vulnerabilities.

With ActiveX disabled and the most recent version of Quicktime installed, that goes to IE 3(*), FF 2(*).  The remaining IE vulnerability is a flaw in the way IE interprets CSS.

(*) To be fair, 120541 (a vulnerability in SSL >=3.0 and TLS >=1.0) and 261869 (a flaw in Clientless SSL VPN) may not be vulnerabilities in IE, FF, or either.  Both reports suggest calling the companies.

... of course, the main reason to use IE is to use ActiveX controls written by moronic companies who haven't heard that the idea of the World Wide Web is communication, and the ability to view the content from anywhere.

But I digress.
Thanks for all the images | Unofficial DMFA IRC server
"We found Scientology!" -- The Bad Idea Bears

superluser

Quote from: Tapewolf on January 30, 2010, 10:19:35 AM
You are aware that Google is dropping support for IE6, right?  Google Docs and Sites will no longer function correctly as of March, and in all likelihood youtube will go the same way at some stage too.

http://www.itworld.com/internet/94809/google-end-support-ie6

Came here to say that.  IE6, by the way, opens up a whole new load of unpatched vulnerabilities:

http://secunia.com/advisories/product/11/?task=advisories



Reese Tora

Quote from: superluser on January 30, 2010, 10:39:08 AM
Quote from: Tapewolf on January 30, 2010, 10:19:35 AM
You are aware that Google is dropping support for IE6, right?  Google Docs and Sites will no longer function correctly as of March, and in all likelihood youtube will go the same way at some stage too.

http://www.itworld.com/internet/94809/google-end-support-ie6

Came here to say that.  IE6, by the way, opens up a whole new load of unpatched vulnerabilities:

http://secunia.com/advisories/product/11/?task=advisories

gee, I hope that isn't directed at me, because I actually use FF3.5.x on all my computers.  Much as I might like the old browser, and much as I might hate the awfulesome bar, I'm not stupid enough to think that I can use it anymore.