Linked by David Adams on Wed 22nd Dec 2004 17:15 UTC, submitted by Gsurface
Bugs & Viruses There's been a lot of hoopla about Firefox lately, and its security/privacy benefits over IE. However, here this guide can lead you to tools and practices that will make IE safer to use, for those who don't want to stop using IE.
Order by: Score:
While i respect the idea behind this article...
by Omar on Wed 22nd Dec 2004 17:28 UTC

it seems that in the long run the best solution to protect the user from browser-based security problems is to have a diverse software ecosystem based on open-standards.

By downloading and using alternative browsers (firefox, mozilla, opera, konqueror, etc) we help create a diverse "ecosystem".

In short, if you are using Internet Explorer and follow the instructions in the article you will be safe; however, you will not be promoting a holistic evironment that reduces the overall threat.

Calling BS
by Anonymous on Wed 22nd Dec 2004 17:28 UTC

I'm calling bs on this one, this is not about securing IE as much as it is about installing spyware tools to clean up behind IE.
I don't even see how a firewall helps securing IE exploits, it might prevent installed crap from phoning home, but it doesn't help ie in preventing it from being installed

v piece of crap it is
by l3v1 on Wed 22nd Dec 2004 17:30 UTC
Did I miss something?
by Dustin on Wed 22nd Dec 2004 17:33 UTC

This only has 2 bits about how to secure IE. The rest of the stuff is about basic security practices and what to do after IE has been infected. This is hardly qualifies as a "guide" More like a couple of tips.

As an aside, I always find it funny when you get someone who says "use common sense". Unfortunately, it seems like the vast majority of the population is completely unable to exercise common sense. Common sense dictates that 4WD on an icy road will help you get going, but won't make you stop any faster...But some people don't realize it...
Oh well.

v IE sucks anyway.
by Nicholas James on Wed 22nd Dec 2004 17:33 UTC
RE: Calling BS
by Omar on Wed 22nd Dec 2004 17:33 UTC

I agree, most browser based attack hit port 80, and anyone with a firewall (IP, TCP, UDP filter) will not be able to block this port without locking themselves out of the WWW.

Active X is inherently insecure, proprietary, and just not good for the interperablity of the web as a whole.

This whole article proves a point..
by Bas v.d. Wiel on Wed 22nd Dec 2004 17:38 UTC

Every day at work I'm amazed at the amount of misery my co-wokers are prepared to put up with when using their computers at home. Not a day goes by without these people discussing the anti-spyware-tool-of-the-day or the virus scanner for that matter or how they reinstall Windows every two to three months (thank God for disk imaging software).
Personally I had been a user of Microsoft products since halfway through the 80's but stopped when Windows XP hit the shelves and required activation. Not only is Microsoft treating its paying customers more and more like potential criminals, it's also putting out sub-par products that are riddled with holes as this article proves once again.
Last year I finally got rid the last Windows installation I needed. All my Adobe apps now run on a Mac G5 and I haven't looked back since.
My x86 PC's have been running FreeBSD and Linux for some time now. No spyware, no viruses, no trouble! The only time these machines malfunction is when their hardware actually fails.
My girlfriend is now using Linux (Suse) to great satisfaction and she maintains her box all by herself after learning the basic skills from me. I have tried to convince my colleages to at least use Firefox (anything but IE essentially) and Thunderbird (anything but Outlook). Heck I even wrote a newspaper article on the subject.
Just the fact that you need half a dozen third party application just to make sure your computer won't be compromised/sabotaged when you go online should be enough for anyone to finally make a stand. Haven't you people had enough of Microsoft yet? How much more punishment will you take from this company that doesn't even try to take its paying customers seriously? Imagine what'd happen if Microsoft made airplanes instead of software..

Haha!
by MuD on Wed 22nd Dec 2004 17:44 UTC

"Imagine what'd happen if Microsoft made airplanes instead of software..."

I don't want to know! ;-)

RE: This whole article proves a point..
by Frustrated Consumer on Wed 22nd Dec 2004 18:06 UTC

"Haven't you people had enough of Microsoft yet?"

Actually, no.

I love my TabletPC and would never switch back to Linux. I still use Debian for some things (well, and Slax too) but my Tablet has made computing more fun for me since I last was running BeOS. Being able to take notes and record audio and have the two sync together makes me smile every time I do it! There's so much cool development going on in the Tablet world...

And I've never had a problem with IE, but then again I don't visit suspect sites and pay attention to the security settings. You do start have to make the users accountable at some point.

But I'm also glad that Firefox and Opera are around to push Microsoft to be better...

reliable research
by tobaccofarm on Wed 22nd Dec 2004 18:11 UTC

The article doesn't stress the fact one shouldn't surf the net as admin in the first place.Most spyware tools don't block the adware at first hand before they even install.A virus scanner most of the times doesn't do anything against spy or adware.Why doesn't MS do some reliable research,to get some clue about how most adware gets installed and what methods are being used?

With SP2 i had hoped MS would give the XP-Home user the same acl system per default from the prof version.On top of that it would have been nice when they had integrated some techniques to block most ad/spyware or a reliable ad/spyware-hunter.There will be a moment when other OS-ses have the equivalent apps and *not* the additional costs/skills that are needed to relatively compute without t harrassment.Sometimes it seems everything is designed with the possibillity of milking the cow on a increasingly rate.I have shifted to FreeBSD and Linux and i don't regret it.

He misses a simple one
by drsmithy on Wed 22nd Dec 2004 19:07 UTC

Create a dedicated (Limited) user account and use "Run As" to run IE as that account for browsing. Then any damage wrought by IE is limited to that account and the things it can access (hopefully very little).

Of course it's easier to just avoid IE and use Firefox (at least until malware authors start targeting it).

javascript
by tobaccofarm on Wed 22nd Dec 2004 19:22 UTC

And turning of javascript!

This article is as good as holding a pillow in front of you before being hit by a semi truck.

v Are you kidding??
by prnc of ikea on Wed 22nd Dec 2004 19:49 UTC
Bas v.d. Wiel
by Darius on Wed 22nd Dec 2004 20:13 UTC

Just the fact that you need half a dozen third party application just to make sure your computer won't be compromised/sabotaged when you go online should be enough for anyone to finally make a stand. Haven't you people had enough of Microsoft yet?

Actually, your assumption if flawed. Fact is, you need exactly 2 apps (virus scanner and firewall), which is only 1 more than what most Linux users use, plus just a little bit of common sense. And actually, if you use a hardware firewall and are extremely careful to scan every file that is introduced to your PC, you can run without any security apps at all, assuming you still have the common sense part thrown in ;)

Using my guide to securing Windows, you don't even need to have an spyware remover installed, much less running resident. I will be submitting an article soon with details on how to go about this, because I am sick and tired of all the bullshit being spewed by the anti-MS jockeys on this site.

Why should you have common sense?
by Sabon on Wed 22nd Dec 2004 20:16 UTC

Why should you have common sense? If the company that makes the OS you use doesn't care enough about you to write secure software. Why should you care about them?

And we are sick of the anti-Apple jockeys on this site. I'm also sick of the anti-LinSpire jockeys on this site too. Especially when 99.9% of them don't have a clue what they are talking about.

Here's an easy test. If you haven't used an OS for at least 20 hours this month. Consider yourself uninformed.

Re: Why should you have common sense?
by Darius on Wed 22nd Dec 2004 21:02 UTC

If you really have to ask that question, then you obviously don't have any. Common sense is what prevents somebody from running as root on Linux, and then wonder why their desktop background is red. Get it?

RE: By Darius
by tymiles on Wed 22nd Dec 2004 23:00 UTC

Hummmm it would seem to me that if Windows and IE were so secure then MS would not be investing in Spyware removers and Anti-Virus software.

MS knows they have flawed software that at least in Windows XP and below will never be fixed. So instead of fixing it they spend money and buy some unknown spyware remover to patch Windows up as always.

Windows will always have weak macros, VB scripting, GDI scripting etc. Till they fix or remove those and other scripting tools (Most of which can run without the user being an admin) Windows will always have these problems!

Re: Bas v.d. Wiel
by Hedged on Thu 23rd Dec 2004 00:38 UTC

"Actually, your assumption if flawed. Fact is, you need exactly 2 apps (virus scanner and firewall), which is only 1 more than what most Linux users use"

And don't forget those hefty 75 mb security patches just for fun.

Don't run as Administrator
by Bryce on Thu 23rd Dec 2004 02:33 UTC

The #1 way to not get a machine full of spyware is: DON'T RUN AS ADMIN. This is a big reason why we don't see as much crap on Linux. See the excellent blog at http://blogs.msdn.com/aaron_margosis/ on how to easily run as a limited user.

Re: Omar
by Mike on Thu 23rd Dec 2004 03:01 UTC

agree, most browser based attack hit port 80, and anyone with a firewall (IP, TCP, UDP filter) will not be able to block this port without locking themselves out of the WWW.

Blocking port 80 is no problem for browsing. Browsers don't use port 80, they use a port range somewhere high up. You're confusing webservers, they mostly use port 80.

Another way to run IE at reduced rights
by Anonymous on Thu 23rd Dec 2004 04:12 UTC

Not as good as running as a limited user, but useful:

http://msdn.microsoft.com/security/securecode/columns/default.aspx?...

Re: tymiles (IP: ---.nrockv01.md.comcast.net)
by drsmithy on Thu 23rd Dec 2004 04:38 UTC

And don't forget those hefty 75 mb security patches just for fun.

Indeed. And now let's see how big the updates are for a well known Linux distro:

[root@leela root]# cat /etc/redhat-release
Red Hat Enterprise Linux ES release 3 (Taroon Update 4)
[root@leela root]# du -sh /var/spool/up2date/
1003M /var/spool/up2date
[root@localhost root]#

The only way?
by Anonymous on Thu 23rd Dec 2004 05:50 UTC

The only way to use IE without getting any virus or spyware is to study English. Why? Because most of them just don't read the warnings and click YES button ever when something popup. Only one point I agree with this article is the Common Sense; don't you read the warning saying that this may be unsafe to open? I mean, c'mon ppl, I am not insulting but please read! They keep complaining this and that, but hey! it's just because you didn't read and listen. They never remember your warnings like "don't do this, don't use that to open that...when you see this, please don't do this...", next day they will tell you they've done all those you told them not to. After they get into trouble, they start to worry but once you can fix that? they forget it totally.

So if you wanna use IE, go ahead but just don't be a dumb user, that's the point. Virus/spyware never go to your computer until you plant it yourself.

re:(IP: ---.speed.planet.nl)
by tobaccofarm on Thu 23rd Dec 2004 06:20 UTC

Blocking port 80 is no problem for browsing. Browsers don't use port 80, they use a port range somewhere high up. You're confusing webservers, they mostly use port 80.

Although let's say on Linux it's not allowed to bind to sockets below 1024 as non-root and a range of high ports are being used when you surf the web,you can't block port 80.The firewall controls the destination port as well.The best way to configure any firewall is block every traffic both incoming and outcoming as default by policy and than open only the ports you need.For web browsing although you bind locally to sockets (protocol+port) in a high range you have to open port 80 in the firewall policy.

tymiles
by Darius on Thu 23rd Dec 2004 07:00 UTC

Hummmm it would seem to me that if Windows and IE were so secure then MS would not be investing in Spyware removers and Anti-Virus software.

I didn't say Windows was secure, I said it can be made secure, and quite easily. I make no such claims for IE. But the beauty of IE is that you don't have to use it except maybe on corporate intranets and Windows Update ;)

@drsmithy
by Bas on Thu 23rd Dec 2004 08:45 UTC


>Indeed. And now let's see how big the updates are for a well known
> Linux distro:

>[root@leela root]# cat /etc/redhat-release
>Red Hat Enterprise Linux ES release 3 (Taroon Update 4)
>[root@leela root]# du -sh /var/spool/up2date/
>1003M /var/spool/up2date
>[root@localhost root]#

You cannot class all updates as security updates as where tymiles was speaking about, drsmithy.
Besides that the upgrades for RHS are also including programs that
do not belong to the OS. Your comparison is completly wrong.



@Darius
by Bas v.d. Wiel on Thu 23rd Dec 2004 13:07 UTC

Alright, so Windows can be made secure.. I shouldn't have to bother with that really. And no, I'm not an anti-MS-jockey of any kind. I'm just utterly fed up with their current products. If they learn from their mistakes and actually start making customer-friendly products again, I'll consider them again. Just right now, looking at the state Windows, Office and IE are in.. thank you, but I'll pass. And yes I know how to fix Windows, my point is just that I shouldn't have to. It's Microsoft's job to release secure products. Just as it isn't my job to add brakes to my newly bought car, I expect the manufacturer to do that. The long time excuse of software being too complex to be bug-free is a load of ***** as well. Cars nowadays contain just as much software as a normal PC, if not more, and you never hear of cars spinning out of control because some embedded controller went BSOD.
At work I'm forced to use Windows (I work as a web editor for a newspaper). This job requires me to hunt the web for interesting news, which also sometimes means visiting dubious weblogs. My colleagues have *CONSTANT* trouble with viruses and spyware, even behind the corporate firewall. I installed Firefox: gone was my spyware! We still need IE though for some crappy Microsoft Java plugin that renders a page tree in our content management application. I hardly know anything about Java, but it shouldn't be mandatory to use Microsoft's JVM..

@ Bas v.d. Wiel
by mattb on Thu 23rd Dec 2004 14:46 UTC

the ms jvm is one of the biggest reasons that applets never took off. its a terrible implementation of an archaic version of java, but it came pre-installed on every windows box, so everyone wrote for it, and users learned to associate "applet" with "crap" (and with good reason). about a year or so ago sun won a case against them, and now its illegal for them to even distribute it anymore.

the reason its manditory to use it is that there are deliberate incompatibilities with java. plan a) was alwas to steal java, plan b) is dotnet.

Re: Bas v.d. Wiel
by Darius on Thu 23rd Dec 2004 18:06 UTC

Alright, so Windows can be made secure.. I shouldn't have to bother with that really.

Actually, I kind of like it that Windows is so insecure by default, because it forces me to remain security conscious. If I used something like OSX, I probably wouldn't care much about security, and thus would get blackballed the first time a nasty outbreak occured (and it will, it's only a matter of time).
As for us security conscious Windows users, when we look on the news and see some nasty outbreak that is infecting thousands of computers, to us, it's just another Thursday ;)

As for IE, I don't use it. I don't recommend anyone else does either unless you absolutely have to.

As for Java applets, I'm glad they never took off. They're like Flash, but only worse. The technology isn't bad, but 98% of time time, it's used in place where it never should be - usually for eye candy *blech*

So, thank God for MS and their crappy JVM ;)

Re: Darius
by Anonymous on Fri 24th Dec 2004 00:34 UTC

Interesting comments, but insufficient. Users are just that, users. They should be guided to maintain a high level of security and those who know more of computers will still be free to do otherwise. This doesn't work for MS. They think usability and security have to be compromised and so do you with your statements like "I kind of like it that Windows is so insecure by default".

I just installed XP SP2 to play some games and half of them don't work because of SP2. Care to comment? It's sickening to see this happen at MS, being a Debian user for years. In Linux I have more freedom, more usability and more security. Like most users I just want to run software to be productive and don't think too much about the operating system. Windows claims more attention then it should be.

This article is about securing IE but darius says just avoid it. I agree with him, but you people are making a fight out of nothing. Darius knows just as well as you do that IE is riddled with so many holes that it is not worth the risk of using. That is why his solution is so simple don't use IE on the Internet and all you need to defend Windows on the Internet is Antivirus and a Firewall.

Unfortunatley not everyone knows that IE is riddled with holes. For those people they need to be told to change browser or they have to use all that anti-spyware stuff.

BTW SpywareBlaster is probably the best of these tools and basically cripples spyware from working just by adding their sites into IE's restricted zone.

Re: mattb (IP: 216.191.126.---)
by drsmithy on Fri 24th Dec 2004 07:04 UTC

the ms jvm is one of the biggest reasons that applets never took off. its a terrible implementation of an archaic version of java, but it came pre-installed on every windows box, so everyone wrote for it, and users learned to associate "applet" with "crap" (and with good reason). about a year or so ago sun won a case against them, and now its illegal for them to even distribute it anymore.

What definition of "terrible" are you using here ? The Microsoft JVM (in its day) was fastest and most compatible JVM available.

Certainly it's "archaic" now, but that's because Sun's lawsuit wouldn't let them update it.

Re: Anonymous (IP: ---.fttd-s.tudelft.nl)
by drsmithy on Fri 24th Dec 2004 07:06 UTC

I just installed XP SP2 to play some games and half of them don't work because of SP2.

Which games, when were they released and what OS(es) are they supported on ?