Linked by Thom Holwerda on Mon 18th Jan 2010 17:03 UTC
Internet Explorer
France has echoed calls by the German government for web users to find an alternative to Microsoft's Internet Explorer to protect security. Certa, a government agency that oversees cyber threats, warned against using all versions of the web browser.
Switzerland
by stardogchamp on Mon 18th Jan 2010 18:06 UTC
stardogchamp Member since:
2009-10-18

Switzerland also gave out a warning, full text only available in German, French and Italian.

http://www.melani.admin.ch/dienstleistungen/archiv/01095/index.html...

Reply Score: 2

Comment by Kroc
by Kroc on Mon 18th Jan 2010 18:25 UTC
Kroc Member since:
2005-11-10

Video of Microsoft’s head of security and privacy weaselling out of the issue. http://news.bbc.co.uk/1/hi/technology/8466366.stm Pathetic, absolutely pathetic. This is just a PR blip to Microsoft, that’s all. They couldn’t give a damn about actual security.

Reply Score: 4

RE: Comment by Kroc
by Nelson on Mon 18th Jan 2010 19:43 UTC in reply to "Comment by Kroc"
Nelson Member since:
2005-11-29

People running a 10 year old operating system with a 10 year old browser and then having this huge dilemma when they get burned by an exploit.

What other company is expected to maintain updates to programs and operating systems released a decade ago? Mozilla sure as hell hasn't done anything of the sort.

IE8 and IE7 both collectively have more market share than IE6, and are also coincidentally significantly harder to exploit.

This should embarrass Google if anyone, and people need to get with the program.

Reply Score: 3

RE[2]: Comment by Kroc
by Delgarde on Mon 18th Jan 2010 19:50 UTC in reply to "RE: Comment by Kroc"
Delgarde Member since:
2008-08-19

"What other company is expected to maintain updates to programs and operating systems released a decade ago? Mozilla sure as hell hasn't done anything of the sort."


A company that reaps what it sows? A company that encouraged developers to target IE6 rather than standards - and then found themselves in the position where large numbers of people couldn't upgrade because their applications didn't work with anything but IE6?

Reply Score: 6

RE[3]: Comment by Kroc
by Nelson on Mon 18th Jan 2010 20:08 UTC in reply to "RE[2]: Comment by Kroc"
Nelson Member since:
2005-11-29

Every browser has its own quirks, Mozilla's are just as funky as any of IE's.
IE8 also has a quirks mode for IE5/6 level compatibility.

Microsoft's only crime with IE6 was neglecting its development for so long after it was released. At the time it was released, IE6 had superb support for standards.

People partake in this revisionist history to use to prop up their idealist view of how the web should be, it does not make it true though.

Reply Score: 2

RE[4]: Comment by Kroc
by bert64 on Mon 18th Jan 2010 20:41 UTC in reply to "RE[3]: Comment by Kroc"
bert64 Member since:
2007-04-23

MS encouraged developers to code to proprietary IE extensions rather than to the subset of standards supported by browsers of the day... They also encouraged users to totally ignore other browsers and code only for IE.
Many of these non-standard applications are now incompatible with any current browser, IE8 quirks mode doesn't always work with them and sometimes it's necessary to disable many of the new security features.

They also intentionally neglected to update their browser for many years and severely handicapped progress on the web. Had it not been for firefox, it's likely they never would have updated anything either.

If you wrote a standards compliant application and tested it with multiple browsers, then it would run on any browser today and people wouldn't be locked to IE6.

Reply Score: 5

RE[5]: Comment by Kroc
by nt_jerkface on Mon 18th Jan 2010 21:32 UTC in reply to "RE[4]: Comment by Kroc"
nt_jerkface Member since:
2009-08-26

"MS encouraged developers to code to proprietary IE extensions rather than to the subset of standards supported by browsers of the day... They also encouraged users to totally ignore other browsers and code only for IE."


Which browsers would those be? The ones that collectively had ~5% share at the time? Maybe we should go back even farther and blame Netscape for getting complacent which allowed for the IE takeover.

Firefox 1.0 didn't come until late 2004. IE had already taken over which is why so many companies used it as an interface for quick and dirty internal apps.

Reply Score: 2

RE[6]: Comment by Kroc
by Laurence on Tue 19th Jan 2010 01:00 UTC in reply to "RE[5]: Comment by Kroc"
Laurence Member since:
2007-03-26


"Firefox 1.0 didn't come until late 2004."


Whilst technically correct, that's also somewhat misleading.

Firefox existed for a couple of years before then as Phoenix then Firebird.
Same browser, same engine (albeit an earlier version of Gecko) - just a different name.

Edited 2010-01-19 01:01 UTC

Reply Score: 3

RE[7]: Comment by Kroc
by Barnabyh on Tue 19th Jan 2010 14:33 UTC in reply to "RE[6]: Comment by Kroc"
Barnabyh Member since:
2006-02-06

Hmm yeah, I remember using something like 0.7 in 2003, think it was called Firebird then.

Reply Score: 2

RE[5]: Comment by Kroc
by WorknMan on Mon 18th Jan 2010 21:47 UTC in reply to "RE[4]: Comment by Kroc"
WorknMan Member since:
2005-11-13

"If you wrote a standards compliant application and tested it with multiple browsers, then it would run on any browser today and people wouldn't be locked to IE6."


Well, it's easy to say that now, when you have technologies like AJAX and Flash to play with. But what other options besides ActiveX were there in the mid-to-late 90's when a lot of this stuff was built? If you needed something like a treeview control with right-click functionality, there just weren't a whole lot of other options back then. Even Mosaic didn't exist yet, and Netscape was playing the same game as MS. (Anybody remember the LAYER tag?)

Now it's pretty much a given that those who coded to IE6 are going to have to update their sites sooner or later, but that's just the way it goes.

Edited 2010-01-18 21:49 UTC

Reply Score: 1

RE[3]: Comment by Kroc
by nt_jerkface on Mon 18th Jan 2010 20:10 UTC in reply to "RE[2]: Comment by Kroc"
nt_jerkface Member since:
2009-08-26

"A company that reaps what it sows? A company that encouraged developers to target IE6 rather than standards - and then found themselves in the position where large numbers of people couldn't upgrade because their applications didn't work with anything but IE6?"


MS really isn't to blame here, it's more cheap companies that don't want to touch working systems until they die. Companies that have local activex apps can still use an alternative browser when they get on the internet.

I've heard excuses for Google about them having to keep IE6 around for testing. That may be true but that doesn't mean they have to open their mail with it. Geez.

Edited 2010-01-18 20:13 UTC

Reply Score: 5

RE[4]: Comment by Kroc
by lemur2 on Tue 19th Jan 2010 00:27 UTC in reply to "RE[3]: Comment by Kroc"
lemur2 Member since:
2007-02-17

"MS really isn't to blame here, it's more cheap companies that don't want to touch working systems until they die. Companies that have local activex apps can still use an alternative browser when they get on the internet. I've heard excuses for Google about them having to keep IE6 around for testing. That may be true but that doesn't mean they have to open their mail with it. Geez."


The particular exploit which this is all about affects almost all versions of IE and Windows.

http://www.itworld.com/security/93045/dump-internet-explorer-now

"I've always known that Internet Explorer was an insecure mess, but this latest attacks on Google and dozens of other companies has really opened my eyes to just how bad it really is. The latest zero-day flaw exists not just in bad old IE 6, but in every modern version of IE.

To be exact, according to Microsoft, the same security hole is in IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 are vulnerable to attack. In other words, if you're running any remotely current version of IE or Windows, you can be hacked. Great. Just great. How anyone on the planet can actually believe Microsoft when, with every new release of either their browser or operating system they claim that they're more secure, is beyond me."


Edited 2010-01-19 00:33 UTC

Reply Score: 4

RE[5]: Comment by Kroc
by nt_jerkface on Tue 19th Jan 2010 02:22 UTC in reply to "RE[4]: Comment by Kroc"
nt_jerkface Member since:
2009-08-26

"The particular exploit which this is all about affects almost all versions of IE and Windows."

Here's a better link:
http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i...

As you can see it's only exploitable in IE6.

You linked to an article by SJVN who is a well known ABMr that could care less about providing an honest assessment of the situation.

Reply Score: 2

RE[6]: Comment by Kroc
by lemur2 on Tue 19th Jan 2010 03:58 UTC in reply to "RE[5]: Comment by Kroc"
lemur2 Member since:
2007-02-17

"The particular exploit which this is all about affects almost all versions of IE and Windows.
Here's a better link: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i... As you can see it's only exploitable in IE6. You linked to an article by SJVN who is a well known ABMr that could care less about providing an honest assessment of the situation."

The exploit code example that was released only affects XP and IE6. The security hole that was exploited exists in IE6, IE7 and IE8, on most versions of Windows.

SJVN might well be an ABMr just as you are an anti-freedomer, but nevertheless when he indicated which versions of IE and Windows were vulnerable, SJVN was only quoting Microsoft themselves.

"To be exact, according to Microsoft, the same security hole is in IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 are vulnerable to attack."


Edited 2010-01-19 04:01 UTC

Reply Score: 3

RE[7]: Comment by Kroc
by nt_jerkface on Tue 19th Jan 2010 08:23 UTC in reply to "RE[6]: Comment by Kroc"
nt_jerkface Member since:
2009-08-26


"SJVN might well be an ABMr just as you are an anti-freedomer, but nevertheless when he indicated which versions of IE and Windows were vulnerable, SJVN was only quoting Microsoft themselves."


He left out this little tidbit from the report:

"At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer."


Just because a vulnerability exists doesn't mean that it can be used to take over a system. His article is deceptive in that it makes it sound like all IE users are under threat of attack. It's alarmist with the intent of switching users to non-Microsoft systems.

As for me being an "anti-freedomer" I don't buy into Stallman's newspeak definition of freedom so that means nothing to me. I measure software based on utility which puts me at odds with FOSS advocates since I don't value software in Stallman's moral terms.

Oh and this was posted from Chrome.

Reply Score: 2

RE[2]: Comment by Kroc
by boldingd on Tue 19th Jan 2010 19:43 UTC in reply to "RE: Comment by Kroc"
boldingd Member since:
2009-02-19

Need I mention that Microsoft committed themselves to long-term support for the platform, or that businesses being able to target IE6 and then just sit on that code for ten years was part of the sales pitch?

Reply Score: 3

RE: Comment by Kroc
by Bryan on Mon 18th Jan 2010 20:00 UTC in reply to "Comment by Kroc"
Bryan Member since:
2005-07-11

That manager certainly isn't very convincing--it's painfully clear he's a PR flack and not someone who's at all informed on the issue. (Microsoft's UK managers seem to have demonstrated an above average ability for putting their foot in their mouths. There was that thing about comparing Win7 to the Mac a few months ago, and I vaguely recall something else earlier last year that I can't quite place.)

Still I think it's overreaching to say Microsoft doesn't give a damn about security. The vulnerability does exist in all major versions, but DEP and Protected Mode do neutralize any attacks at this point, and it's going to be far harder to construct an effective exploit against browsers in which those are enabled. That's not spin, but simply the defense in depth strategy doing what it's supposed to do: provide additional layers of protection when one fails.

http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i...

Clearly this is a serious issue, and IE6 users (as well as IE7 users on XP) need to take immediate action, whether that's upgrading, switching, or implementing the suggested mitigations (enable DEP, and/or disable JavaScript). But a blanket statement from governments that all IE users need to switch just seems like needless fearmongering, akin to when the US government told everyone to go out and buy plastic tarp and duct tape. The BSI, in particular, seems to be prone to kneejerk reactions:

http://mashable.com/2008/09/07/germany-google/

Reply Score: 4

RE[2]: Comment by Kroc
by Nelson on Mon 18th Jan 2010 20:11 UTC in reply to "RE: Comment by Kroc"
Nelson Member since:
2005-11-29

I think a lot can be attributed to overall technological ignorance on behalf of the Governments (not an excuse, just some context behind their irresponsibility).

It's a bug, software has bugs, but it's Microsoft and IE, so it is instantly a sensationalist headline and used as a crutch for those who generally scream their heads off about alternative browsers to finally have something resembling an audible whisper.

Reply Score: 3

RE[3]: Comment by Kroc
by bert64 on Mon 18th Jan 2010 20:52 UTC in reply to "RE[2]: Comment by Kroc"
bert64 Member since:
2007-04-23

But it's a far more serious bug due to the prevalence of windows and ie.

Look at it from a hacker's point of view, you can guarantee that any large corporation or government you want to target will be running windows/ie/msoffice on all their desktops... This is very useful for a hacker, you need 1 exploit, 1 backdoor and 1 skillset.

By contrast, if you couldn't be sure whether your victims ran windows, linux, bsd, mac or whatever else and couldn't be sure if they ran firefox, chrome or opera your attacks become much more difficult. You have to discover what your targets run first, and then look for exploits knowing full well that any exploits you develop will only target a small percentage of your targets.

And from the target's standpoint, having no choice but to use windows/ie is a very bad state because even if unpatched 0day exploits are everywhere, there is very little you can do about it. If you have the freedom to choose your software then it becomes easy to switch if one vendor is failing to fix issues and you can choose the software which best suits you rather than having no choice...
Do you really think google would have been using IE if they had any choice? They make their own browser which is a lot better, there has to be some proprietary apps locking them to ie.

Reply Score: 3

RE[4]: Comment by Kroc
by nt_jerkface on Mon 18th Jan 2010 21:50 UTC in reply to "RE[3]: Comment by Kroc"
nt_jerkface Member since:
2009-08-26

"But it's a far more serious bug due to the prevalence of windows and ie."


No, the problem is the prevalence of IE6.

http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i...



"Do you really think google would have been using IE if they had any choice? They make their own browser which is a lot better, there has to be some proprietary apps locking them to ie."


So why can't they just use IE6 for those apps? I was just helping someone the other day secure an office network and I would have flipped out if I found out they were surfing the internet with IE6.

Reply Score: 2

RE[5]: Comment by Kroc
by Barnabyh on Tue 19th Jan 2010 14:31 UTC in reply to "RE[4]: Comment by Kroc"
Barnabyh Member since:
2006-02-06

If you're that sort of hacker you're in luck in the UK, all the councils I've worked for here in the last 7 years are using the Win XP/IE6 combo for their apps for Housing and Social Services, and no end in sight. Their excuse is they have hardware firewalls in place.
Some only upgraded a few years ago from Win95.
There are a few open-source solutions at the back end but the desktops and email are all MS.

It's IT heaven ;)

Reply Score: 2

RE[4]: Comment by Kroc
by Shkaba on Tue 19th Jan 2010 00:37 UTC in reply to "RE[3]: Comment by Kroc"
Shkaba Member since:
2006-06-22

"Do you really think google would have been using IE if they had any choice? They make their own browser which is a lot better, there has to be some proprietary apps locking them to ie."


I can't believe this c... So the maker of a superior browser is deliberately using an inferior one, just because of some proprietary app?? If my memory serves me right, ms has issued repeated calls for ie to be upgraded and this stellar company (which has become quite a player in the industry) is locked down due to some app?? This "liberator", of sorts, is locked down by some app that uses all the bad and ugly stuff that ms forced on us?? Un(f...)believable (excuse my french)

Reply Score: 1

RE[5]: Comment by Kroc
by strcpy on Tue 19th Jan 2010 14:49 UTC in reply to "RE[4]: Comment by Kroc"
strcpy Member since:
2009-05-20

"This "liberator", of sorts, is locked down by some app that uses all the bad and ugly stuff that ms forced on us?? Un(f...)believable (excuse my french)"


What? MS has never "forced us" to use anything.

Otherwise, yes, un(f...)believable that Google uses IE6.

Also un(f...)believable that people here are acting like this is all MS' fault (as always) that someone at Google surfs the web with IE6.

Go surf the modern web with Netscape 7, which was released about the same time as IE6. While at it, rant a little about how Mozilla is not any more supporting this dead old browser and urges everyone to use Firefox 3.5.

Reply Score: 2

Next: the OS
by OSNevvs on Mon 18th Jan 2010 19:35 UTC
OSNevvs Member since:
2009-08-20

In other news...Next week, Germany advises not to use Windows anymore for the same reasons ;)

Reply Score: 4