Oct 12: Three new critical IE security holes found

Fuzzy Logic

(e-mail address removed) (Calm n Collected) wrote in
You are right to use something you like. But some things to consider:

1. There are many software products that don't have continual problems

I have had very little in the way of problems with IE. I used to hate IE
but it has improved over the years.

2. IE is always a "sloppy third" when it comes to useful features

That's why I use Avant (an IE shell). Tabbed browsing, pop-up stopper,
ad-blocker, highly customizable.

3. Why use a product that installs hidden directories, files, and
keeps files present when you have removed the program
MS has some control issues :)

Microsoft is not the only company guilty of installing hidden
files/directories. I know where/what they are and have tools to properly
remove/clean them. Regardless of which browser you use I think it's
important to know all its settings and how they work as well as where
its data is kept.

Switching as part of learning what works best is pretty good wisdom. I
have been using Fprot for years but decided to try another product. I
found a trojan with it.

I do computer support and evaluate a lot of different software products as
part of my job. I only switch when I find something I think is worth the
switch. I used to use IE, got fed up with it, switched to Netscape and have
been using IE/Avant for the last few years.
 
Klaatu

I am not bashing Firefox. Obviously it has its fans. Also any
competition in the browser market is likely good for all browsers. I
am simply stating that switching browsers doesn't suddenly mean you
don't have to deal with vulnerabilities or patches or that you are
necessarily more secure. What's more secure today may be less secure
tomorrow when a new vulnerability is discovered. I like this quote:

Yet simply switching is not an effective security solution. Only if
you use the proper security tools and remain vigilant about staying up
to date and cautious about what you do online should you start to feel
some sense of comfort.

For the great unwashed masses who don't even know they're using a program
at all to surf the web (when I asked someone "What browser do you use?"
and they reply "What? I don't use a browser. I just get on the
internet.", this is very common. I do IT support for a living), using
another browser is a very good idea. Most people have no idea how to turn
off ActiveX (or even what ActiveX is), or for that matter how to stay up-
to-date on patches.

Sure, for those of us who know what we're doing, using IE may be just
fine. But not for most people. Switching to Firefox or other non-IE-based
browser would greatly improve the security for most computer-naive people
in their day-to-day internet use.
 
Fuzzy Logic

For the great unwashed masses who don't even know they're using a program
at all to surf the web (when I asked someone "What browser do you use?"
and they reply "What? I don't use a browser. I just get on the
internet.", this is very common. I do IT support for a living), using
another browser is a very good idea. Most people have no idea how to turn
off ActiveX (or even what ActiveX is), or for that matter how to stay up-
to-date on patches.

Sure, for those of us who know what we're doing, using IE may be just
fine. But not for most people. Switching to Firefox or other non-IE-based
browser would greatly improve the security for most computer-naive people
in their day-to-day internet use.

I know what you are saying as I also do user support as well as security and
maintenance of web and mail servers. The great unwashed are the least likely
to change because many of them can't even figure out how to use Windows
Update or how to download and install a program from the net. If they manage
to get that far they now need to worry about patching Firefox (new
vulnerabilities will be found) and if they can't figure out Windows Update
they are even less likely to patch/update Firefox. So are they really more
secure?

Thankfully we preconfigure most of the software for our users to prevent
them from getting into too much trouble.
 
Bruce the Shark

Phred said:
Perhaps because fewer people are looking?

No, it's because they don't exist due to good coding and no need
to support ActiveX and other non-HTML standards.
 
Phred

No, it's because they don't exist due to good coding and no need
to support ActiveX and other non-HTML standards.

Perhaps for some uses and users, a crippled browser would be a pretty
serious flaw in itself?


Cheers, Phred.
 
Bruce the Shark

Phred said:
Perhaps for some uses and users, a crippled browser would be a pretty
serious flaw in itself?

Yep, IE is pretty much crippled when it comes to HTML-conformity.
 
Doc

Yep, IE is pretty much crippled when it comes to HTML-conformity.

Bullshit. IE renders HTML-conformed code perfectly. It even does a pretty
good job of rendering non-conforming code that a lot of lazy web-developers
write. (The type of code that your 'alternate' browsers CAN'T render)

How does that make IE crippled ??????? The logic escapes me.
 
Bruce the Shark

Fuzzy said:
Turn off ActiveX/Active Scripting except for trusted sites.

This is a flawed security measure in Internet Explorer. As the main
coder of Firefox said: "We have no 'mode' that allows untrusted content
to be executed automatically, for example--no 'safe zone.'" In other
words, what you turn off in Internet Explorer can just as easily be
turned back on by a virus -- and exploited. Not possible in Firefox.
 
Aaron

Fuzzy Logic said:
MS has a track-record because it's been around a lot longer than Firefox.
I like Firefox because I believe it's actually helping to improve MS's
response times.


The number of vulnerabilities is a bit of a red herring. I am more
concerned about the severity and likelihood.


And often we have only had to wait a few days. Obviously some are easier
to fix than others.

Yes, and that's a very big drawback. One reason which makes IE
inferior for a security choice.

A simple fix. Turn off ActiveX/Active Scripting except for trusted sites.

Actually, several exploits in the past worked by bypassing all the
security zones (or to the "local computer zone") which made them run
as trusted.

I have seen numbers all over the place. Again I am more concerned about
the severity and likelihood than the actual number.

Several were rated "critical".

Rumour has it that this is the reason why MS is slow with patching.

I am not bashing Firefox. Obviously it has its fans. Also any competition
in the browser market is likely good for all browsers. I am simply stating
that switching browsers doesn't suddenly mean you don't have to deal with
vulnerabilities or patches or that you are necessarily more secure.

Of course, as the saying goes security is a process. But currently it
looks like switching from IE will give you a substantial increase in
security. Not 100% immunity, but I (and you) knew that already.
 
Fuzzy Logic

This is a flawed security measure in Internet Explorer. As the main
coder of Firefox said: "We have no 'mode' that allows untrusted content
to be executed automatically, for example--no 'safe zone.'" In other
words, what you turn off in Internet Explorer can just as easily be
turned back on by a virus -- and exploited. Not possible in Firefox.

Well that may be true it means I need to get a virus with those
capabilities. So it's not a flaw in IE per se.

Again I will supply this quote:

Yet simply switching is not an effective security solution. Only if you use
the proper security tools and remain vigilant about staying up to date and
cautious about what you do online should you start to feel some sense of
comfort.
 
Fuzzy Logic

(e-mail address removed) (Aaron) wrote in

[stuff deleted for brevity]
Of course, as the saying goes security is a process. But currently it
looks like switching from IE will give you a substantial increase in
security. Not 100% immunity, but I (and you) knew that already.

I'm sorry but I don't agree that Firefox offers a 'substantial' increase in
security.

We preconfigure IE in our work environment and lock it down quite well and
in many years we have not had a single security incident related to the
browser. In addition it's a much simpler task in our environment to automate
updates for IE than it is for Firefox. An unpatched browser is a BIG
security risk. Under other circumstances Firefox MAY be a better choice.
 
JanC

Fuzzy Logic wrote:
MS has a track-record because it's been around a lot longer than
Firefox.

"""153 IE vulnerabilities since April 2001"""

I have used Mozilla since early 2000 as my primary browser, so it *has* been
around all that time...
 
JanC

Doc wrote:
IE renders HTML-conformed code perfectly.

LOL

That was a joke, right?

It even does a pretty good job of rendering non-conforming code that a
lot of lazy web-developers write. (The type of code that your
'alternate' browsers CAN'T render)

IE, Mozilla & Firefox render malformed HTML equally well, only not always
the same (there is no "correct" way to render bad code).
 
Bruce the Shark

Fuzzy said:
Well that may be true it means I need to get a virus with those
capabilities.

It's probably just a matter of time. ;)

So it's not a flaw in IE per se.

Well, it is, and isn't, I guess... I prefer to use a browser that
simply doesn't carry that risk. Turning off ActiveX in IE is like
locking a swimming pool gate... the lock can be picked. Firefox
simply has no pool. ;)
 
