Oct 12: Three new critical IE security holes found

Bruce the Shark

From http://tinyurl.com/4p3ao (ie.
http://news.com.com/Microsoft+warns...y+flaws/2100-1002_3-5406550.html?tag=nefd.top):

"Microsoft published 10 software security advisories on Tuesday, warning
Windows users and corporate administrators of 22 new flaws that affect the
company's products. The advisories, and patches published with the
bulletins, range from an 'important' flaw affecting only Microsoft Windows
NT Server to a collection of eight security holes, including three rated
'critical,' that leave Internet Explorer open to attack."

Three more critical IE security holes? Try Firefox instead:

http://www.mozilla.org/products/firefox/
 
Fuzzy Logic

From http://tinyurl.com/4p3ao (ie.
http://news.com.com/Microsoft+warns+of+a+score+of+security+flaws/2100-1002_3-5406550.html?tag=nefd.top):

"Microsoft published 10 software security advisories on Tuesday, warning
Windows users and corporate administrators of 22 new flaws that affect
the company's products. The advisories, and patches published with the
bulletins, range from an 'important' flaw affecting only Microsoft
Windows NT Server to a collection of eight security holes, including
three rated 'critical,' that leave Internet Explorer open to attack."

Three more critical IE security holes? Try Firefox instead:

http://www.mozilla.org/products/firefox/

So I should change to Firefox because 3 holes in IE have been plugged? I
guess the next time a critical flaw in Firefox is found and fixed I should
suggest you switch to IE!

There will continue to be new flaws discovered in IE as well as Firefox.
It's important to use a well supported browser that YOU like and lock it
down and keep it patched. Switching will not suddenly make you invincible on
the net. Security is a process, not a particular piece of software. I
particularly like this quote:

"Yet simply switching is not an effective security solution. Only if you use
the proper security tools and remain vigilant about staying up to date and
cautious about what you do online should you start to feel some sense of
comfort."

source <http://www.pcmag.com/print_article/0,1761,a=130479,00.asp>
 
KHaled

== deleted ==

When a "hole" is discovered in IE, does that also affect clones
such as maxthon, avante, etc. ?

TIA,
KH.
 
WormWood

No.

| == deleted ==
|
| When a "hole" is discovered in IE, does that also affect clones
| such as maxthon, avante, etc. ?
|
| TIA,
| KH.
 
Aaron

Fuzzy said:
So I should change to Firefox because 3 holes in IE have been plugged? I
guess the next time a critical flaw in Firefox is found and fixed I should
suggest you switch to IE!

I guess the meaning of the word "track-record" is lost on you. :) CERT
says it best

"The problems are six-fold:

1. Large Number of vulnerabilities over the last few years in
comparison to other browsers - 153 IE vulnerabilities since April 2001,
according to the Security Focus Archive.
2. Longer Time to patch known IE vulnerabilities - Users have had to
wait in excess of six months from the time the vulnerability is
disclosed before Microsoft issues a patch.
3. Active X and Active Scripting controls themselves have not been
found to be open to particular exploitation, but can be used to bypass
the security constructs of the browser and potentially impact upon the
host system.
4. Large number of unpatched vulnerabilities - 34, according to
http://umbrella.name/originalvuln/msie/
5. Spyware/Adware vulnerabilities - This affects all browsers and
systems that facilitate access and use of web resources.
6. Integration of IE browser into the Operating System, which makes
the OS more vulnerable to exploitation.
"

Though CERT does go on to say that "All web browsing applications have
had their share of vulnerabilities and bugs that have created security
exposures.", that is to be expected from an organisation that promotes
security, since there is no 100% defense, not even with an alternative
browser.


What Firefox bashers are missing when they jump on the occasional
Firefox or Opera patch fix is that use of alternative browsers doesn't
give you 100% immunity, nothing does. But it does lead to a substantial
increase in security.
 
Klaatu

|
| When a "hole" is discovered in IE, does that also affect clones
| such as maxthon, avante, etc. ?

No.

Huh?!? I believe the answer is that, in many if not most cases, yes.

But a better answer could be: it depends.
 
Fuzzy Logic

I guess the meaning of the word "track-record" is lost on you. :) CERT
says it best

MS has a track-record because it's been around a lot longer than Firefox.
I like Firefox because I believe it's actually helping to improve MS's
response times.

"The problems are six-fold:

1. Large Number of vulnerabilities over the last few years in
comparison to other browsers - 153 IE vulnerabilities since April 2001,
according to the Security Focus Archive.

The number of vulnerabilities is a bit of a red herring. I am more
concerned about the severity and likelihood.

2. Longer Time to patch known IE vulnerabilities - Users have had to
wait in excess of six months from the time the vulnerability is
disclosed before Microsoft issues a patch.

And often we have only had to wait a few days. Obviously some are easier
to fix than others.

3. Active X and Active Scripting controls themselves have not been
found to be open to particular exploitation, but can be used to bypass
the security constructs of the browser and potentially impact upon the
host system.

A simple fix. Turn off ActiveX/Active Scripting except for trusted sites.

4. Large number of unpatched vulnerabilities - 34, according to
http://umbrella.name/originalvuln/msie/

I have seen numbers all over the place. Again I am more concerned about
the severity and likelihood than the actual number.

5. Spyware/Adware vulnerabilities - This affects all browsers and
systems that facilitate access and use of web resources.
6. Integration of IE browser into the Operating System, which makes
the OS more vulnerable to exploitation.
"

Though CERT does go on to say that "All web browsing applications have
had their share of vulnerabilities and bugs that have created security
exposures.", that is to be expected from an organisation that promotes
security, since there is no 100% defense, not even with an alternative
browser.

What Firefox bashers are missing when they jump on the occasional
Firefox or Opera patch fix is that use of alternative browsers doesn't
give you 100% immunity, nothing does. But it does lead to a substantial
increase in security.

I am not bashing Firefox. Obviously it has its fans. Also any competition
in the browser market is likely good for all browsers. I am simply stating
that switching browsers doesn't suddenly mean you don't have to deal with
vulnerabilities or patches or that you are necessarily more secure. What's
more secure today may be less secure tomorrow when a new vulnerability is
discovered. I like this quote:

Yet simply switching is not an effective security solution. Only if you
use the proper security tools and remain vigilant about staying up to date
and cautious about what you do online should you start to feel some sense
of comfort.

source <http://www.pcmag.com/print_article/0,1761,a=130479,00.asp>
 
Bruce the Shark

KHaled said:
When a "hole" is discovered in IE, does that also affect clones
such as maxthon, avante, etc. ?

Of course! They're based on IE's code, so if something in IE needs
fixing, then so do they. They're called "piggyback" apps.
 
Bruce the Shark

Fuzzy said:
So I should change to Firefox because 3 holes in IE have been plugged?

I'd recommend it. Too many critical flaws keep getting found in IE.
The flaws in Firefox are not usually critical, according to Secunia.com.
The point of my post was: IE keeps getting critical updates, whereas
Firefox doesn't... now decide which is better.

I guess the next time a critical flaw in Firefox is found and fixed
I should suggest you switch to IE!

See above. Critical flaws in Firefox are extremely rare.
 
Tim Weaver

Bruce said:
Of course! They're based on IE's code, so if something in IE needs
fixing, then so do they. They're called "piggyback" apps.

That's misleading. When IE gets patched, any IE front-end will be patched,
as well. They're not *based* on IE's HTML engine, they *use* it.
 
Alastair Smeaton

That's misleading. When IE gets patched, any IE front-end will be patched,
as well. They're not *based* on IE's HTML engine, they *use* it.

surely this relies on the person patching IE ? In other words, using a
shell does not mean you don't need to patch ?

Some shells disable for example active x, but other exploits would
need patching surely
 
Tim Weaver

Alastair said:
surely this relies on the person patching IE ? In other words, using a
shell does not mean you don't need to patch ?

If you're using an IE front-end (Maxthon, SlimBrowser, etc.) you should run
IE (not the front-end) and do the Windows Update thing. This will patch IE
and as a result, any front-end you use will be patched, as well, because it
uses the same code.

Some shells disable for example active x, but other exploits would
need patching surely

Yes. Patch IE as MS puts them out. I keep IE updated, run AntiVir and
Kerio and use IESpyAd. With that combination, I've never had one spyware or
virus infection.
 
Alastair Smeaton

Yes. Patch IE as MS puts them out. I keep IE updated, run AntiVir and
Kerio and use IESpyAd. With that combination, I've never had one spyware or
virus infection.

exactly as I thought - which is why the answer to the OP is that
"clones" are just as susceptible to problems - unless you patch
them (or the underlying engine - IE).

cheers
 
WormWood

| On Wed, 13 Oct 2004 07:10:33 GMT, WormWood posted to alt.comp.freeware:
|
| > | > |
| > | When a "hole" is discovered in IE, does that also affect clones
| > | such as maxthon, avante, etc. ?
| >
| > No.
|
| Huh?!? I believe the answer is that, in many if not most cases, yes.
|

I haven't used clones such as maxthon, avante nor others, if exist.
IIRC, the PC was once, maybe still is, referred to as an IBM clone. So,
yeah, if they use a MS OS, the upgrade would apply to them as well. When
I posted my reply I may have been thinking of Linux, MAC, and the likes
of that.


| But a better answer could be: it depends.

Depends? That's a nursing home loo, innit?
 
Nicolaas Hawkins

| On Wed, 13 Oct 2004 07:10:33 GMT, WormWood posted to alt.comp.freeware:
|
|> |> |
|> | When a "hole" is discovered in IE, does that also affect clones
|> | such as maxthon, avante, etc. ?
|>
|> No.
|
| Huh?!? I believe the answer is that, in many if not most cases, yes.
|

I haven't used clones such as maxthon, avante nor others, if exist.
IIRC, the PC was once, maybe still is, referred to as an IBM clone. So,
yeah, if they use a MS OS, the upgrade would apply to them as well. When
I posted my reply I may have been thinking of Linux, MAC, and the likes
of that.

| But a better answer could be: it depends.

Depends? That's a nursing home loo, innit?

"innit" as in "Innit, not attit", I suppose

--
Regards,
Nicolaas.


- Adults are obsolete children.
 
REM

Alastair Smeaton wrote:
exactly as I thought - which is why the answer to the OP is that
"clones" are just as susceptible to problems - unless you patch
them (or the underlying engine - IE).

There have been previous exploits that were successful even if IE or
shells were not used. That is, you might use Moz exclusively, but the
exploit works because the IE code is there.

It's best to patch asap.
 
Calm n Collected

Fuzzy Logic said:
So I should change to Firefox because 3 holes in IE have been plugged? I
guess the next time a critical flaw in Firefox is found and fixed I should
suggest you switch to IE!

There will continue to be new flaws discovered in IE as well as Firefox.
It's important to use a well supported browser that YOU like and lock it
down and keep it patched. Switching will not suddenly make you invincible on
the net. Security is a process, not a particular piece of software. I
particularly like this quote:

You are right to use something you like. But some things to consider:

1. There are many software products that don't have continual problems

2. IE is always a "sloppy third" when it comes to useful features

3. Why use a product that installs hidden directories, files, and
keeps files present when you have removed the program
MS has some control issues :)

"Yet simply switching is not an effective security solution. Only if you use
the proper security tools and remain vigilant about staying up to date and
cautious about what you do online should you start to feel some sense of
comfort."

Switching as part of learning what works best is pretty good wisdom. I
have been using Fprot for years but decided to try another product. I
found a trojan with it.
 
Phred

I'd recommend it. Too many critical flaws keep getting found in IE.
The flaws in Firefox are not usually critical, according to Secunia.com.
The point of my post was: IE keeps getting critical updates, whereas
Firefox doesn't... now decide which is better.

Hmm... Taken on face value, I'd prefer something that was getting
fixed rather than something that isn't. ;-)

See above. Critical flaws in Firefox are extremely rare.

Perhaps because fewer people are looking?


Cheers, Phred.
 
