CERT Recommends NonIE Browsing
Brett_Tabke




msg:605159
 7:21 pm on Jun 30, 2004 (gmt 0)

CERT (Computer Emergency Response Team), the Internet's foremost authority on matters of security, has recommended that users and companies move to nonIE browsing.

Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternate browsers. The U.S. Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser among six possible responses.

[news.com.com...]

 

tedster




msg:605160
 7:27 pm on Jun 30, 2004 (gmt 0)

This alert has already prompted one business I've worked with in the past (1800 employees) to call me for recommendations.

It's a tough moment for MS - Looks like Bill Gates' call for making security their #1 agenda item last year was a bit prescient, but it still came a bit late to actually meet this challenge.

ogletree




msg:605161
 7:32 pm on Jun 30, 2004 (gmt 0)

A large company should be able to set up Windows and IE and their network so that security is not any more of an issue than any other browser. Doing so would cost a company a lot of money. They would have to roll out new software and the helpdesk would be hammered with requests because sites no longer work the way they used to. MS has that going for them.

coopster




msg:605162
 7:38 pm on Jun 30, 2004 (gmt 0)

I agree that companies should be able to set up their environment so that security is not any more of an issue than any other browser. And we all know that it doesn't stop there.

I differ, however, in that I believe the helpdesk would be hammered with accolades now that sites work the way they were supposed to all along once a conforming browser is introduced :)

webdevsf




msg:605163
 7:53 pm on Jun 30, 2004 (gmt 0)

I think IE needs its own threat terror color. ;)

Borrowing a term from agriculture and the fight against pests, software developers and security experts have warned about the hazards of "monoculture." The term refers to the widespread farming of a single variety, making the entire crop vulnerable to a single pest. Historians pin such disasters as the Irish potato famine on monoculture.

Mozilla acknowledged that much of the value of using its software, or that of Opera, stemmed from the hazards of monoculture rather than any inherent security superiority.

[news.com.com...]

So, I guess using alternate browsers makes them less safe. So the only way to keep Mozilla, et al, safe from attacks, is, umm, not to use Mozilla.

Maybe I'll use lynx. Or just do this:

telnet www.webmasterworld.com 80
GET /

That's safe, right? It's a dangerous world out there, maybe I'll just turn off my javascript and stay home.

grelmar




msg:605164
 8:56 pm on Jun 30, 2004 (gmt 0)

If you read the rest of that article, you would have noted that Moz has some genuine security benefits aside from being less targeted.

Namely, that it doesn't support ActiveX, which is the source of this (and many other) security issues. Also, not being as tightly tied to the OS creates an inherent barrier against certain types of attack.

My bias is against IE, and for OpenSource. Partly for real reasons, partly for typical OpenSource "Religious Holy War" reasons.

Then again, both sides of the debate tend towards "Religious Holy War" arguments (ones based on gut feeling and emotions, rather than pure facts). That aspect of browser and OS wars is unlikely to go away in the near future. Legitimate reasons for picking one over the other just add fuel to the "Fundamentalist" arguments of either side.

Edit, add postscript: Yah, I'm in a mellow, rational mood today. Don't worry, it'll pass.

vkaryl




msg:605165
 11:49 pm on Jun 30, 2004 (gmt 0)

I've already had this chat with our IT guy (who's good but not GREAT.... if you get the dif....) It honestly wouldn't be any big deal for 100 or so machines to download Moz or FireFox (I like FF, but Moz is good too....)

He's resistant. Which is weird. Because linux is what he cut his teeth on. So off-breeds (off-MS, that is) ought to give him warm-and-fuzzies.

I think it's because he doesn't want to have to explain to 100 people why they can't use IE any more....

And I'm not going to be there to do it for him.

Leosghost




msg:605166
 12:08 am on Jul 1, 2004 (gmt 0)

Mainly through the instigation of Vkaryl ( hi V )
I moved over to firefox ..even though I have "exploited" the opportunities of IE in the past ...( and need to clean up /adjust one site which needs you to have javascript so I can run your activex : )) and now it won't work :(

But I just know that I'll keep IE 5.5 somewhere ..since my wife asked me to give up skydiving ..what other "legal" way is there to live as dangerously and get that adrenalin rush as "surfing with Bill "....;)

whoisgregg




msg:605167
 12:08 am on Jul 1, 2004 (gmt 0)

I think it's because he doesn't want to have to explain to 100 people why they can't use IE any more....

Which is interesting because the oft cited reason for why people use Internet Explorer is that "people just use whatever is installed." (I'm not claiming that you've said that vkaryl, only that it's often said.)

If that's the case, then institutional changes from IE to another browser should be mostly headache free.

tedster




msg:605168
 12:40 am on Jul 1, 2004 (gmt 0)

I think changing browser for an institution might have some issues with email client integration. It's not just a quick download, install and off you go.

Andy_Abbott




msg:605169
 12:49 am on Jul 1, 2004 (gmt 0)

If people really care about security that much we'd all be UNIX users.

IE is practically integrated into the Windows operating system as far as the users are concerned. It is a serious security flaw in Windows, not just the IE.

On balance, I think people are too used to the convenience to care about security.

Leosghost




msg:605170
 1:35 am on Jul 1, 2004 (gmt 0)

I think changing browser for an institution might have some issues with email client integration. It's not just a quick download, install and off you go.

You can say that again ..when I finally realised that firefox as default doesn't get opened as "the browser" from inside outlook ( which stubbornly launches IE ) ..I thought use t'bird ..
But it has no import accounts/settings facility from Outlook ...manually to do this from outlook "no way joseph"..
So you have no alternative but to take the moz package with its email reader which does import as an option from outlook all the accounts/settings ...
From there you can then ( if you really want t'bird ) import again all of the stuff you just put into moz into t'bird ( because it can import from moz but only moz ) ..and then uninstall moz ...

problem is the uninstall of moz is not nearly as clean as you think ..all the user folders of mail etc are left and you have to search the disk and get rid of them one by one ...that is some serious geek work ..not for the fainthearted who in a moment of inattention might "delete" the wrong file and break the machine ...and that's just in pre XP ...in XP itself you got to sneak round the goddamned gui that doesn't want to let you delete anything without a signed note from Bill ....

How much would you charge to do this clean and correct on 10 machines ...now scale up for whatever the number is and we are into serious money here ..and down time per machine ...first person to write a macro to do this ( if one could ) is rich ( and I want only 10% for my share for having explained the basics ...I'll be selling the ebook with the step by step , file by file manual delete list ) ...

Or T'bird is needed with auto click and play import from outlook etc ...

c'mon get coding guys ...

and someone here said that t'bird is still buggy as hell?

when all is said and done M$ sloppiness could revitalise the internet and provide work for millions more and Bill can tell us this was all a planned "feature" ...

s'cuse spelling (comme d'ab)

vkaryl




msg:605171
 1:50 am on Jul 1, 2004 (gmt 0)

Yah, y'all - the email thing is a right ***. And honestly, though Eric didn't mention it, that's probably the bottom line - anyone with a need to coordinate scheds uses Outlook, the rest of us ('cept me... I get to do stuff no one else does....) use OE. So that's a mega-problem all right....

Sheesh. Considering the number of calls I get every day ("help what's this in my inbox!?") because it's 6:30 am and Eric doesn't get in until 8 or so, doing something constructive about a mail client seems like a no-brainer too.... They don't pay me to be an IT tech, but I'm the SINGLE PERSON (besides Eric the IT guy) out of 100 who has ANY clue....

[Not to worry, whoisgregg - I wasn't the first one who said it, though I'll bet I have since! *laughing*]

[Edits: MEGA-typos! *sigh* Long day, what can I say?]

[edited by: eelixduppy at 9:56 pm (utc) on Feb. 18, 2009]

ogletree




msg:605172
 3:34 am on Jul 1, 2004 (gmt 0)

Also in Windows if you turn off IE you can still browse the internet in the same window that you browse your computer files. I had IE break one time; it no longer worked at all. I had to use My Computer to get to the Internet. It worked fine.

jpalmer




msg:605173
 5:02 am on Jul 1, 2004 (gmt 0)

Gidday Leosghost and folk,

You can say that again ..when I finally realised that firefox as default doesn't get opened as "the browser" from inside outlook ( which stubbornly launches IE ) ..I thought use t'bird ..
But it has no import accounts/settings facility from Outlook ...manually to do this from outlook "no way joseph"..
So you have no alternative but to take the moz package with its email reader which does import as an option from outlook all the accounts/settings ...
From there you can then ( if you really want t'bird ) import again all of the stuff you just put into moz into t'bird ( because it can import from moz but only moz ) ..and then uninstall moz ...

If you're using NS7.x, Moz (don't know about FF, but presume as it's also a Moz engine, same rules will probably work), then my bet is you'll have to do a hack in about:config or all/pref.js file to call a non M$ app to load.

<trim>

[edited by: Brett_Tabke at 11:56 am (utc) on July 2, 2004]
[edit reason] no blog urls please. [/edit]

grelmar




msg:605174
 7:22 am on Jul 2, 2004 (gmt 0)

Not to give this thread a dead cat bounce, or anything, but...

The recommendation is making its way into the mainstream media. An article in The Globe And Mail [globetechnology.com], one of the two largest national newspapers in Canada, has picked up the story.

Now, we could all sit around and pick apart the mass of inaccuracies in the story (reporters really don't get Tech), or we could just take it for what it really represents...

The visibility of the security flaws in IE has gotten to the point where it's really hitting the papers, and that might make the change that M$ fears... If enough people read about it, think about it, and discuss it, eventually people other than Tech Heads are gonna start making the switch to other browsers.

Brett_Tabke




msg:605175
 11:54 am on Jul 2, 2004 (gmt 0)

[wired.com...]

"Mozilla and Firefox downloads have increased steadily since last fall, with the Firefox user base doubling every few months, as more people seem to have reached their threshold level of frustration dealing with problems with IE and Windows, and have found the Mozilla software a good solution to solving those problems," said Hofmann. "CERT's recommendation is just a reflection of the trend we have seen for quite some time." Security experts said Mozilla's lack of ActiveX support makes the browser more secure than IE. ActiveX was intended to allow websites to add multimedia and interactive features, but has lately been used to slide spyware onto PCs without the user's knowledge or explicit consent.

usa today yahoo [news.yahoo.com],

Security experts say the two new attacks likely have been in operation for weeks, infecting tens of thousands of PCs. Given the history of cyberthreats, they are bracing for copycat assaults.

grelmar




msg:605176
 7:58 pm on Jul 3, 2004 (gmt 0)

I wonder if the sloppy coder from Redmond has been reading the news lately? Or if he's just sticking his head in the sand like an Ostrich.

Still no sign of a patch for the latest threats. Did everyone in Redmond take summer holidays at the same time?

tedster




msg:605177
 9:02 pm on Jul 3, 2004 (gmt 0)

Browser patch:
[webmasterworld.com...]

well, it's something ;)

henry0




msg:605178
 10:24 pm on Jul 3, 2004 (gmt 0)

In response to
<<<
If people really care about security that much we'd all be UNIX users.
>>>
I would like to say that so far no real threat exists for Linux due to the percentage of users.
We all know that if tomorrow Linux was serving 90% of users the whole game will be different.
The problem does not only lie in using IE or not (although IE really *****).
The real problem is mass office employees’ education.
A few among us (here on the board) are dealing at large corp. level and not really interfering with the end users.
As a one-man show very-little-biz-owner I am in contact with the end users on a daily basis and I made part of my value added to offer (free) that kind of on the job training.
You won’t believe the high level of incompetence I daily “fight” with.

Henry

ogletree




msg:605179
 10:27 pm on Jul 3, 2004 (gmt 0)

CNN [cnn.com] had it yesterday

tedster




msg:605180
 12:35 am on Jul 4, 2004 (gmt 0)

Thanks, Ogletree. Could they have buried the information about Opera and Mozilla any deeper? And no URLs for them either. CNN could have helped a lot of people if they had gone one extra step there.

blaze




msg:605181
 6:29 pm on Jul 4, 2004 (gmt 0)

MS has a workaround:

[v4.windowsupdate.microsoft.com...]

henry0




msg:605182
 7:32 pm on Jul 4, 2004 (gmt 0)

when if you've got a hard drive bigger than 4 gigs then only your grandchildren are likely to see the "disc fragmentation is finished" notice

I am the co-founder of a tech site (I figured today that we got a PR7).
For about 18 months we have supported a great fix to boost defrag in 98:
just rename your defrag "old" in case of problems
and load instead win2K defrag.
If you do a few searches you will find it.
I cannot go further, for MS lawyers very politely
asked us to stop supporting that trick.

Wertigon




msg:605183
 11:49 am on Jul 6, 2004 (gmt 0)

Not trying to be a troll or anything, but...

Even Slate [slate.msn.com] (Microsoft's online magazine) says that maybe, just maaaaaybe FireFox is better. :D

Perhaps the IE "monopoly" is finally crumbling? :)

BlobFisk




msg:605184
 12:00 pm on Jul 6, 2004 (gmt 0)

Funny that they didn't mention Opera....!

http://www.webmasterworld.com/forum21/7952.htm [webmasterworld.com]

Leosghost




msg:605185
 12:06 pm on Jul 6, 2004 (gmt 0)

Wertigon ...Luv ya!

Printed it and will be making the picture frames to display it on the office wall later today ...

Maybe now they could start talking objectively about their OS...?

CritterNYC




msg:605186
 4:39 pm on Jul 7, 2004 (gmt 0)

Browser patch:
[webmasterworld.com...]

well, it's something ;)

And, just as quickly... browser unpatch:
[webmasterworld.com...]

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved