Attention – IE Is Poisonous

The BBC notes that the German government warns against using MS Explorer:

The German government has warned web users to find an alternative browser to Internet Explorer to protect security.

The warning from the Federal Office for Information Security comes after Microsoft admitted IE was the weak link in recent attacks on Google’s systems.

However, Graham Cluley of anti-virus firm Sophos told BBC News that not only did the warning apply to versions 6, 7 and 8 of the browser, but the instructions on how to exploit the flaw had been posted on the internet.

The Microsoft response, after admitting that the problem exists and that they have no fix other than to crank up the security settings to 11.5, was “don’t worry, be happy, we’ll do something eventually.”

Actually this wouldn’t be a major problem, except that the flaw is “in the wild” and the attacks will start.

Update: The authorities in France and Australia have joined the Germans in calling for people to avoid IE.

Update II: Microsoft patches Internet Explorer hole. Patch released at 1800 GMT [Noon CST] 01/21/10.

1 cookie jill { 01.17.10 at 12:41 am }

I love the Fox.

2 Kryten42 { 01.17.10 at 2:14 am }

And that’s just the start! 😀 And vindication for myself and many others in the Security field who have been warning people not to use IE since v4 (with many legitimate and valid reasons).

M$ have never created anything that works properly, and never will. M$ will never make it because they want to own everything and be completely proprietary.

FireFox isn’t perfect either, but it’s way better than IE ever hoped to be. I also like Opera very much, and find Google Chrome to be quite stable and fast.

More on the German warning here:

Germany’s Office for Information Security Warns Against Microsoft’s Internet Explorer After China Attacks

Here’s another story on the latest M$ product/service that failed (I’ve stopped counting. The number is huge):

Lies and Denial of Service Attacks from Microsoft Bing

The EU is steadily nailing the M$ coffin shut… But still the USA gives them one opening after another, but eventually, even the USA must finally come to its senses. 😉

3 Steve Bates { 01.17.10 at 7:32 pm }

I was forced to use IE today, to download and apply 26 updates to Win XP (that’s too few IMHO, but M$ hasn’t written the ones I really need). If you want to update Windows, you have to use IE. I guess that says something about Windows…

4 Steve Bates { 01.17.10 at 7:34 pm }

(Why 26 updates? They were on my seldom-used laptop. Things tend to get old over there. I understand. I’m seldom-used, and I’m getting kinda old…)

5 Bryan { 01.17.10 at 9:45 pm }

While I personally use Firefox for everything, all of my software updates come in automatically via IE, with no way for me to alter it. As Steve notes, M$ does it, so the true ‘Net wide attack is going to come disguised as a Windows update. Think about it…

It is supposedly trusted and many people have turned on automatic update, so the defenses are dropped to permit it.

The reason it was only 26 is that you didn’t need the corrupted updates that generated their own update to fix the new problem. They do generate periodic combined updates that group many of the individual updates. If you hit it right you can make do with a single update that covers months of patches.

One can only hope, Kryten, that the EU forces M$ to start competing again, which means actually hiring people to fix products on a long-term basis, instead of just outsourcing the work whenever someone brings a problem to their attention.

6 LadyMin { 01.18.10 at 12:40 am }

I refuse to use IE. Not even to update windoze. I don’t even have their windows update software installed. I use Autopatcher or I’ll download the security patch I need. I probably sound a bit hostile about it, but if you’ve ever downloaded a patch that needed a patch to fix something the first patch broke, then you understand! I find that Firefox plus a few good extensions like No Script give me 99% protection.

I believe you’re correct that someday a netwide attack will come disguised as a windows update. Amazingly I know a few people that are forced to use only IE at their jobs because that is the only browser allowed on their computers.

7 Kryten42 { 01.18.10 at 1:13 am }

You don’t need IE to get updates. There are several much better ways. I have used AutoPatcher for years with success. It’s now known as APUP (AutoPatcher Updater):


Current version is 1.2, there is a user guide (PDF) and a good FAQ & Forum (all accessible from the Downloads page). One advantage to APUP (and it’s a huge one!) is that the Updater resolves the usual M$ update conflicts, and installs the updates in the correct order. All updates are d/l from M$ Update site directly and saved in the designated location. If you put it on a USB key or external HDD, you can use the same updates on several PCs (even with different versions of XP). So you only need to waste your bandwidth and time once if you have more than 1 PC. 🙂 Also, APUP allows you to turn off the most common Windoze annoyingly useless memory eating *features*. 🙂 Though, the BEST tool for that IMHO, is xp-AntiSpy, which works on all Windoze from 2000 to Win7.

Another I’ve used is: Windows Update Downloader, from a member of the MSFN - Micro$oft Software Forum Network. There are a bunch of useful Windoze projects there.

Someone recently told me about this one, but I haven’t used it. It says *free* to download… but I get the impression you have to pay to use it. I could be wrong… *shrug*

Portlock Windows Update Manager

I have a couple others if anyone wants to know, but the above should get you started.

8 Bryan { 01.18.10 at 9:05 pm }

I don’t need it for Windows updates, but there are other updates I need that only work with IE, which is a complaint I have made to the companies involved, without any luck. The problem is all of the people who use their Win boxes without modification and have become a potential botnet for the ne’er-do-wells and script-kiddies. They don’t realize what they are inviting, and a few of them, as you note, Lady Min, are corporate IT people. They want everything uniform, even if it is uniformly bad and dangerous.

My virus software tells me when M$ has issued a security update, so I can go and get it. Actually, it nags me if I don’t get security updates with flag messages and changes its little system tray icon from green to orange.

I just updated to indicate the French and Aussies have joined the Germans in telling people to stop using IE, so the pressure is building.

9 Badtux { 01.20.10 at 6:29 pm }

And today we learn about a vulnerability in all extant Microsoft operating systems that has been there since… 1993. Yeppers, SEVENTEEN YEARS. Siiiiiigh!

10 Bryan { 01.20.10 at 9:43 pm }

They can’t fix it now, Badtux – it’s a historical artifact 😉

11 Kryten42 { 01.21.10 at 12:00 am }

You cannot believe a thing M$ says. Almost every word uttered from Redmond is at best a half-truth.

Consider for example, that *officially* M$ have been wanting to kill off XP for two years now. Yet, they *secretly* released a whole new version with an updated kernel and core system and integrated SP3 Oct/Nov 2009. I say secretly because it was not publicly announced and is only available to MSDN members (which I still am, even though I told them to go *you-know-what* themselves over three years ago). What a bunch of morons. Mind you, I still get Apple updates and bulletins etc, and I told them to drop dead in 2007. *shrug* I’ve been using the new XP a couple months now, and it’s definitely an improvement. However, if anyone were to buy XP from a shop, they would probably get the 2005 update at best.

12 Bryan { 01.21.10 at 9:15 am }

As soon as they put the bean counters in charge, there is no one left who knows what the truth is that will be allowed to talk for the company officially. That is the pattern I saw repeatedly during my years in Southern California dealing with software firms that were successful. Earlier in their evolution there was a free flow of information and things got fixed because “power users” spoke directly to people with the ability and position to deal with problems. Then “customer relations” was separated and the system broke down.

The development cycle degenerated as programmers found batches of bug reports dumped on their desk when they were about to start the newest version, and there was no attempt to sort them, and rarely enough information to determine what the real problem was.

In the corporate world you have the sales force telling customers that systems will do things that no one can do, and then the tech guys have to roll back expectations.

At some point everything becomes marketing and the product gets ignored.