Major problems with IE!

[inactionman]

Haven't seem anything on here about this, but I thought I'd better warn people. There's a *major* problem with using IE. Apparently a cracker gang, probably related to organised crime, has broken into a number of legitimate websites (on some using what is thought to be an unpatched vulnerability in IIS) and have placed malicious software on them that uses two *unpatched* vulnerabilities in IE to install itself. This program then bombards you with pop-ups, and installs a keylogger to get username/passwords, and credit card details. It's quite a sneaky program!

Link to story on zdnet:

http://zdnet.com.com/2100-1105_2-5247187.html?tag=zdfd.newsfeed

Microsoft page:

http://www.microsoft.com/security/incident/download_ject.mspx

The Microsoft page doesn't really give you any solution, as they tell you to increase your browser security settings to high (blocks the script that installs it), and to add trusted sites to the trusted zone (how are we supposed to know which sites to trust??!!).

Basically my advice is to quit using an insecure non-standards compliant browser, and to download a decent browser like Firefox! (www.mozilla.org/products/firefox)

Don't you just love the outcomes of Microsoft's recent focus on security!

 

[itcheh]

Like inactionman says "FIREFOX PEOPLE FFS OMG!!!"

 

[Athan]

Someone will be along in a moment to say Opera is better than Firefox, no doubt. And then there'll be some Mac user going on about Safari no doubt.

But joking aside, yes, this is yet another reason to get OUT of the M$ IE "I'm bent over and ready to take you big boy" camp.

-Ath

 

[Summo]

Are you people saying that Firefox, Mozilla, Safari and the rest are all perfect? That they have no security vulnerabilities?

It is, of course, that if you're going to write malicious software for a browser, you aim it at the most-used browser. I don't believe IE has any more vulnerabilities than any other browser. In fact, I'd go so far to say that IE has fewer security holes than any other browser. Its just that who gives a shit if Firefox has an exploit to allow a remote user full control of your machine? No fucker uses it.

 

[tRoG]

That's a bit like the 'Linux = Security by obscurity' argument.

While true to some extent, Linux/Firefox/Whatever is more secure. Not perfect, nothing can be, but better.

[Oh, and Firefox is a joy to use compared to the multi windowed hell of IE ]

 

[dysfunction]

Prevention is sometimes better than a cure...so if you have a different browser that nobody exploits then you dont have to worry now do you.

Netscape 7 for me thanks!

 

[Nightchill]

I'm an Opera fan myself (no firefox vs opera arguments please ).

 

[Jonaldo]

For ultimate security I only ever use ansi terminal programs over my 9600 baud modem (in a kind of thing way as my memory is a little rusty these days)

Hyperterminal 4tehwin!

 

[TdC]

thank goodness I have a direct x.25 line to my fave core router...

 

[Wij]

I have a big cock.

 

[mookie]

I'm an Opera fan myself (no firefox vs opera arguments please ).

you would be

Firefox 0.9 on the pc, Safari on meh ibook. teh winnarz.

 

[Funkybunny]

i prefer opera myself... it isnt bloated like other browsers *cough*firefox/angelsoft or whatever they will change its name to next*cough*

wich other browser h ave a integrated mail-client consisted by 1 - one - dll-file at the size of aprox 200kb? and irc-client, tabbed browsing, popupblocker, notes, +++ in under 4mb?

 

[TdC]

I have a big cock.

no you haven't. I've seen it in the g0atpr0n archives. welcome to average Mr!!

 

[inactionman]

Are you people saying that Firefox, Mozilla, Safari and the rest are all perfect? That they have no security vulnerabilities?

It is, of course, that if you're going to write malicious software for a browser, you aim it at the most-used browser. I don't believe IE has any more vulnerabilities than any other browser. In fact, I'd go so far to say that IE has fewer security holes than any other browser. Its just that who gives a shit if Firefox has an exploit to allow a remote user full control of your machine? No fucker uses it.

Err... but do the rest get a security vuln reported to them, and don't release a patch for months? During which time the black-hats may work it out, or even worse they have known about it for some time?

Also the whole concept for IE is broken, a program that is *part of the operating system* and is used both as the GUI for remote aps, and local aps! :touch:

 

[Athan]

The problem with IE is the false faith in the security zones and the big big big one is ActiveX. It by definition gives things direct access to the machine to do whatever they bloody well like. You don't get that with the other browsers.

But, yes, you're correct that the other browsers DO get bugs. And they don't even necessarily get them fixed all that quickly (unlike other open source software). It is, to a great degree, just a case of IE being so damned popular and an easy target and thus that's all hackers bother to target.

At this time however, the advice is still good, drop IE, use another browser. It WILL be much safer.

-Ath

 

[stormrider]

Looks like the vulnerability has been disarmed:

http://news.com.com/Web+site+virus+attack+blunted--for+now/2100-7349_3-5248279.html

 

[Whipped]

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

Surely it would have been an idead to list them! Oh no, they big businesses that had got infected because of the numpties running their security would then lose business. Who cares if the odd general user gets infected and has their details stolen

 

[Gray]

microsoft.com ? . Hell it could have been CNet. "If you're on Internet Explorer and you're viewing this page... sorry "

 

[Athan]

Looks like the vulnerability has been disarmed:

http://news.com.com/Web+site+virus+attack+blunted--for+now/2100-7349_3-5248279.html

For those too lazy to go read that page all they've done is shut down the specific server the IIS vulnerability, as coded, was pulling code from to get up and running to infect IE.
It could come up again on a different server any time, and/or be coded differently by another bunch of fuckwads.

In short don't take this as it being safe to continue using IE.

-Ath

 

[Ch3tan]

www.mozilla.org

 

[Ch3tan]

i prefer opera myself... it isnt bloated like other browsers *cough*firefox/angelsoft or whatever they will change its name to next*cough*

wich other browser h ave a integrated mail-client consisted by 1 - one - dll-file at the size of aprox 200kb? and irc-client, tabbed browsing, popupblocker, notes, +++ in under 4mb?

And who still has a PC so dated that it needs to run such a lightwieght browser?

 

[Xavier]

In fact, I'd go so far to say that IE has fewer security holes than any other browser. Its just that who gives a shit if Firefox has an exploit to allow a remote user full control of your machine? No fucker uses it.

It's thanks to the way Internet Explorer handles ActiveX, bringing it so close to the rest of the operating system that IE is so buggy - believe me it's got many many more holes than its considered "mainstream competitors" combined.

 

[Sar]

And who still has a PC so dated that it needs to run such a lightwieght browser?

Me

I ran 3dMark 03 yesterday - 954.

Erk! :/

Thank fuck I'll finally be getting a Radeon 9800 Pro (poss 256Mb version) in the next couple of days.





Mind you my P4 1.9 prolly doesn't help either, but methinks the GF3 is probably a bigger culprit.

 

[NetNifty]

Think i've figured out how to prevent the virus from installing itself...

From mucking around with the proof of concept of the exploit (bugtraq id 10473) which it apparently exploits i noticed that it overwrites WMP and then opens it to infect the system. I set wmplayer.exe (in C:\Program Files\Windows Media Player) to read only (if it can't overwrite it with the virus it should stop it working) and it seems to stop the proof-of-concept working at least.

 

[Shovel]

Ahhh, ye old "Are Moz + Opera really secure debate".

I disagree with Summo about the "no bugger uses" it argument. The same was applied to Linux and Apple, but distracts from the fact that both those operating systems and these web browsers are designed more secure from the ground up. Microsoft spent a very long time not giving a shit about security (hence ActiveX applets are able to erase your hard disk drive, the only defense being a "Yes or No" dialogue prompt, to which users are trained to say "Yes" out of experience). That legacy lives on. The security improvements/hacks that come with XP-SP2 will be interesting, since they mimick the methodology already used in Firefox and others. If it actually works then this solves a great deal of the problem and leaves the 'new browser war' as a fight based on features for end users, and web standards for developers.

The standards battle is already won (Mr Developer: "I'd like to use this clever tech that's been specified by the W3C for years to enhance and slicken my website, please." FX, Opera, Safari et al: "OK " Microsoft: "Fuck off").

The user battle is harder. IE is a barebones browser. It loads fast, it renders pretty quick, the buttons make sense. It doesn't do anything more than be a browser. That's what people need.
New features like Tabs are, to be honest, a matter of taste. Some people love em (I do like them, personally), but tabs are little more than a 'second' task bar (especially in Mozilla), plenty of people are happy to say "But what's wrong with this task bar that I've already got?". The alternative browsers do, of course, make that all optional, but it's one of the 'killer features' that actually not a lot of people care about. Same with the FX and Opera "Download Managers", I think they're ace (I hate the separate download windows of IE) but again, it's not reinventing the wheel. Extensions are also very cool, but 'average joe marketshare' doesn't care to put the time into adding bits to his browser. If someone told him about something cool he could do with it, he probably would, but he's not going to go browsing update.mozilla.org for the fun of it.

There's an awful lot of "Chicken and Egg" in this new browser business. People need to switch so that developers can comfortably let IE degrade and stop bothering to recreate element:hover with javascript just for IE, but at the same time, people are less inclined to switch until there's actually a persuasive reason to do so.

Frankly, as a developer, it's bloody annoying. Maybe when Firefox goes 1.0 there'll be a glut of switches, I can but hope.

 

[Wij]

Most people in my experience HATE tabbed browsers.

Microsoft are usually famed for taking new features on before anyone else tbh. THEN they break compatibility with the standards for the sake of 'functionality.' You never heard of 'Embrace and Extend' ?

 

[Shovel]

'Embrace and Extend' is indeed very real. It is, I suppose, an opposite of standards. The objection is that Microsoft apply this to the Internet, which is not thier's to extend. They do not 'extend' in such a way as to enhance, but instead to replace and lock-in. The idea though that you should be required to use the latest version of MS Windows and IE to view the public internet is, in my mind at least, fundamentally wrong. MS can and will produce development tools for writing applications and services, many of which are 'hosted' within IE, heck Mozilla.org do the same (the forthcoming XUL Runtime Environment, for instance), but Microsoft would very much like people to use their Windows only/IE only technology in their public websites and 'encourage' (read: force) people onto their platform.

"All's fair in competition" you might say, but here lies the problem. This happened once before. When Netscape died (albeit as much their own fault as MS's), people jumped aboad good ship Microsoft and didn't think twice about W3C standards. They just did it. But now 6 years later without a proper browser update to speak of, surrounded by security woes and a clear unintention to actually update the universal technology within the browser, it's now very difficult to move away from IE because people have ignored standards and locked themselves and users in. People are turned off to Firefox and Opera because there are websites that block them out and say "You must use MSIE on Windows". Not many, but probably enough. This is exactly what MS wants, because it means they don't have to bother updating the browser. They don't have to bother with new features or updated standards, because people can't use them while the world uses IE.

The 'net is supposed to be an open medium, freeflow on information accessible to all. Microsoft is directly opposed to that and their efforts to oppose that have left the ugly side effects of security and compatibility woes.

Tabs: Are optional. I personally think that Firefox marketing are making a mistake having it first on the list of 'great features', but it's very hard to market something as 'look, overall, it's just better', so I guess they have to start somewhere.

 

[Wij]

Yeh but - for the n00b - what does Firefox give them ? Nothing immediately obvious. 'Embrace and extend lives.'

 

[Gumbo]

Most people in my experience HATE tabbed browsers.

But what's to hate? You don't have to browse tabularly. I find them great on my slow connection. For instance, I pop open the general bookmark I have then mousewheel click on all the little new posts arrows, so they can all load at once while I read my emails or whatever, then I pop back into it and read each tab in turn.

None of this click......load.......read.......back......load......click.......read.......back etc.

I love em

 

[tRoG]

Joe Bloggs doesn't even know about the M0z1LLa Kr3W!. He doesn't know about IE's security issues - and he doesn't think he should switch. IE was sitting there on his desktop when he got his lovely new Dell, and he's been using it ever since. He can get along just fine with it.