Attacks on Unpatched IE Flaw Escalate

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.

In an update to its Security Response Web log, Microsoft security program manager Stephen Toulouse said the attacks Redmond is seeing against the IE flaw "are limited in scope for now and are being carried out by malicious Web sites."

I have to call Microsoft out on both counts, and I think some of what I've uncovered so far about these attacks should make it clear that the situation is serious and getting worse by the hour.

According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which are not the kind you would normally associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country.

On Friday, hackers broke into the Web site of shipping company DLPromotionFreight.com and planted code that attempted to use the flaw to steal user names and passwords stored by IE. Yaniv Zahavi, chief technology officer for Intermakers Inc., the Plantation, Fla., company that manages the site, said it appears that only a handful of customers browsed the site during the few hours the attack code was present.

Security Fix learned the location of one Web site being used as a virtual drop box for user name and password data stolen from people who'd visited the network of hacked sites (the SANS Internet Storm Center has a great post detailing exactly what one of these data-dump reports looks like). One of those victims was Abdel Marriez, a truck driver from Astoria, N.Y. The malicious program stole credit card information and credentials he used to access his e-mail online.

Marriez said he couldn't understand how the code could have landed on his computer, since he said he is fastidious about ensuring his Norton anti-virus program has the latest updates from Symantec. After this experience, he said, he plans to change browsers.

"IE and me are through, that's it," Marriez said.

That same password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN). Chowdhury also uses Norton anti-virus, which did not pick up any signs of infection. He said he won't rely on his anti-virus program to clean things up.

"It's really not worth the risk," Chowdhury said. "I'm going to reinstall [the operating system] just to be sure."

Both of these situations illustrate the dangers of relying only on anti-virus software. That is not to say anti-virus software is useless. It is a necessary element of protection for any Windows PC, and for better or worse will remain so for the foreseeable future. But there is a window of time between the creation of a new virus or worm and the availability of new anti-virus "definitions" that identify the intruder as malicious.

Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview.

Instructions for disabling active scripting are under the "workarounds" section of this Microsoft advisory (which incidentally is three clicks away from the Microsoft.com homepage). Microsoft warns, however, that this may cause problems loading some Web sites.

Indeed, I tested this solution as Microsoft recommends and found I could no longer access my Web mail. Turns out I also needed to add it to my list of "trusted sites," though Microsoft's advisory doesn't really make that clear. See this non-Microsoft site for a decent tutorial on how to set up your trusted-sites list.
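The workaround above can also be audited and applied from a script. The PowerShell below is an added example, not taken from Microsoft's advisory or from this post: it reads and writes the per-user registry values behind IE's security-zone settings, where URL action 1400 is active scripting. The function names are hypothetical and the example.com webmail host is a placeholder.

```powershell
# Added example. Registry layout per Microsoft's documentation of IE security
# zones: each zone is a numbered subkey, URL action "1400" is Active scripting,
# and its data is 0 = enable, 1 = prompt, 3 = disable.

$UserZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                 3 = 'Internet';    4 = 'Restricted sites' }
$StateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ScriptingValue {
    # Returns the readable state of URL action 1400 under one registry root.
    param([string]$Root, [int]$Zone)
    $p = Get-ItemProperty -Path "$Root\$Zone" -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not set' }
    $name = $StateNames[[int]$p.'1400']
    if ($name) { $name } else { "Unknown ($($p.'1400'))" }
}

function Get-ActiveScriptingState {
    # One row per zone: the user's own setting and any machine-wide policy.
    # A value under the Policies key takes precedence over the user setting,
    # so a managed PC can differ from what the user configured.
    foreach ($zone in 0..4) {
        [pscustomobject]@{
            Zone          = $ZoneNames[$zone]
            UserSetting   = Get-ScriptingValue -Root $UserZones   -Zone $zone
            MachinePolicy = Get-ScriptingValue -Root $PolicyZones -Zone $zone
        }
    }
}

function Disable-InternetZoneScripting {
    # Zone 3 is the Internet zone, where unfamiliar sites land by default.
    Set-ItemProperty -Path "$UserZones\3" -Name '1400' -Value 3 -Type DWord
}

function Add-TrustedSite {
    # Maps <Subdomain>.<Domain> into zone 2 (Trusted sites) for one scheme.
    # Layout: ZoneMap\Domains\<domain>\<subdomain>, value name = scheme,
    # data = zone number.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Subdomain,
        [string]$Scheme = 'https'
    )
    $key = Join-Path $DomainMap $Domain
    if ($Subdomain) { $key = Join-Path $key $Subdomain }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Review the current state, apply the workaround, then re-allow scripting
# for the one site that needs it (placeholder host, not a real service).
Get-ActiveScriptingState | Format-Table -AutoSize
Disable-InternetZoneScripting
Add-TrustedSite -Domain 'example.com' -Subdomain 'webmail'
Get-ActiveScriptingState | Format-Table -AutoSize
```

Scripting stays enabled in the Trusted sites zone, so every host added there is exempt from the workaround; keep that list short.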

Rather than download a "beta" (read: potentially unstable) version of IE or wait around for Microsoft to issue a fix, a far better idea would be to ditch IE altogether (or use it only when absolutely necessary). I use Mozilla's Firefox for everyday browsing, but your mileage may vary. There are other options, of course, such as Opera and Netscape, to name a couple.

What amazes me is how many Windows users seem to blindly equate Internet Explorer with access to the Internet -- in much the same way that many America Online users are unsure whether they can use someone else's browser once they've signed on to their account. Even after you tell people that they may have just been whacked with a virus due to a flaw in IE, they still use it.

Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.

By Brian Krebs  |  March 27, 2006; 7:23 AM ET
Categories:  Latest Warnings  

Comments

...and people wonder why I hate IE so much.

Posted by: DOUGman | March 27, 2006 7:36 AM | Report abuse

Micro$haft is the devil

Posted by: Voice in your head | March 27, 2006 8:18 AM | Report abuse

People still use IE when there is Firefox?

Posted by: Chad | March 27, 2006 8:21 AM | Report abuse


I don't know anyone who willingly uses Microsoft's IE to browse the web anymore.

Unmentioned in an otherwise excellent article is where to find Firefox, the free and safer alternative that is chipping away at IE's market share:

http://www.mozilla.com/

Posted by: Lawrence | March 27, 2006 8:22 AM | Report abuse

From Microsoft's advisory.

"Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site"

This is misleading to say the least. If the exploit code can be embedded into blog comments or in a forum of some type (one that you read every day such as this blog) then that site would end up being malicious. The hacker didn't force the user to go to the malicious site. I guess they tried to word this one as clever as possible but it gives a false sense of security for your every day user.

Posted by: David Taylor | March 27, 2006 8:26 AM | Report abuse

Firefox is so much better (IE doesn't even have tabs). But everyone that I know that knows anything about computers uses Linux, which is a good idea because very few viruses are written for Linux (that I know of).

Posted by: C. J. | March 27, 2006 8:32 AM | Report abuse

Lawrence: Weird. I always hyperlink Firefox. I have fixed that now. Thanks for pointing that out.

Posted by: Bk | March 27, 2006 8:33 AM | Report abuse

Brian--I spoke with you last week after experiencing problems trying to access monster.com for a couple of hours, when I kept getting redirected to one of those fake portal sites each time that I carefully typed in Monster's URL. Your solution of not using IE is good as far as it goes, but my military employer permits only IE to be installed on its computers. Users are not allowed to install any programs on their own (not even such innocuous plug-ins as the Adobe Reader). So, I will never be able to install and use Firefox or Netscape at work. I can't even go to the Microsoft Web site and download and install security patches. I suspect many other Federal agencies operate the same way, leaving us all to rely on whatever firewalls and other safeguards our IT people have come up with.

Posted by: Scott | March 27, 2006 8:39 AM | Report abuse

You're mostly all a bunch of technical idiots.

"Use Firefox b/c it's safer"
Just because it's newer and non-MS is the only two real reasons that anyone is using it.

Firefox could NOT correctly display DIV elements until their LATEST release, and the support for the wheeled mouse is cumbersome at best - where are all the posts bashing Firefox because it cannot even handle basic browsing capabilities????


Posted by: David Smith | March 27, 2006 8:52 AM | Report abuse

Nice, David Smith. Your comments are really going to get all of us on board the firefox bandwagon back to using IE. The only reason I use IE anymore is for security updating. Otherwise, cya.

Posted by: Anonymous | March 27, 2006 9:13 AM | Report abuse

The one thing I think many people do not realize is that Mozilla is open source. The problem with open source programs is that everyone and their mother has access to the actual code. Why is this important to know? Simply because if Mozilla ever becomes as dominant as IE, you will see hacker exploits written for Mozilla. These IE exploits are about money, pure and simple. Hackers create these exploits to have the largest effect possible. As of the writing of this comment, IE rules the roost with about 88% of browser usage...if Mozilla hits 88% or even 50% some day, you will see plenty of exploits created for it specifically. Safety on the internet only exists as far as the bad guys want you to be safe.

Posted by: BlogginDaBurgh.com | March 27, 2006 9:20 AM | Report abuse

Some people like bondage and discipline. David must be among them. Meanwhile, I chuckle when I see a person's computer loaded up with Norton, Ad-aware, squash-this, check-for-that, and still they get infected. And yet they blindly return for more.

For the record, I haven't noticed any problems with div elements or other rendering issues with Firefox, and I've used it daily since it was called Phoenix. It's well-known that IE is much less W3C-compliant than Firefox or Opera.

My Logitech wheel mouse works fine with Firefox. What's better than that is 'find as you type'. I watch IE users scroll through pages looking for something or use CTRL-F; meanwhile, I land on a page, type the word I'm looking for, the cursor jumps to the word, if it's a hyperlink, I press the Enter key, I go to that page.

Compared to the competition, IE is clunky at best, and dangerous at worst. Why put yourself through the pain, unless your workplace demands it? In that case, you might point out to your IT department that Homeland Security (via US-CERT) recommends not using IE.

Posted by: Rick | March 27, 2006 9:21 AM | Report abuse

I appreciate the passion that people feel about this topic, but please keep your comments free of profanity or personal attacks, as comments that contain either will be severely edited or deleted.

Thank you.

Posted by: Bk | March 27, 2006 9:23 AM | Report abuse

Hehe, that's funny Rick - you mentioned Norton - another media hype AV software package.

Anyone who is serious about being safe will be using NOD32 from eset (www.eset.com)

Posted by: David Smith | March 27, 2006 9:30 AM | Report abuse

So, when Microsoft decided on including IE as an integral part of Windows, they were being as freaking brilliant as "we" are all now being stupid! (Not quite all, I've used IE for a grand total of about 1 hour over the past decade, and only once or twice on my own PC as I had no choice on those occasions).

USE MOZILLA FIREFOX !!! N-O-W !!

Posted by: Tim A. | March 27, 2006 9:31 AM | Report abuse

Firefox alone will not always save you. Once everyone has switched over to firefox, hackers will then write code that affects it and ie. I heard a few months back that firefox also had a vulnerability that had to be patched.

There is no safe random internet searching done today. Your best bet is to limit your searching and when you have to search, disable IE's active scripting and other scripting abilities. In fact disable all that bs and just drop the ones you need to use into your trusted sites. Block all cookies and also give your trusted sites the ability to write cookies.

I never have trouble with IE... because I limit it to begin with. Same with Windows, disable services and set a secure local security policy. This works for everything since 2K. The only way you can get me at home, is with a trojan, seeing as I have no welcome mat and all the doors are closed and cemented over.

Posted by: guy | March 27, 2006 9:36 AM | Report abuse

IE is by far the dominant browser (90%+ - no one else even comes close), so of course all hacks are written for it. Firefox is not safer; it's just not as attractive a target. The latest Firefox has some features that the (now ancient) IE6 doesn't, but IE7 is on the way.

I have to use IE daily because I create websites and Microsoft's dominance of the browser market combined with all their non-compliant code and rendering means I can't see the sites as most everyone else does using anything but IE. And a lot of websites out there are written only for IE, with crippled or broken content served to other browsers. It shouldn't be this way, but it is.

If you don't have to use IE, then by all means use whatever other browser floats your boat. But don't go thinking that makes you invulnerable to hacks. Just wait till Firefox gets over 10% of the market and you'll see how secure it is.

Posted by: ZAP | March 27, 2006 9:40 AM | Report abuse

First time I've been to this blog. I'm disappointed to see that some readers can't have a discussion without personal attacks on other members. Sad commentary on our society.

Posted by: kamuelab | March 27, 2006 9:45 AM | Report abuse

>> Firefox 1.5 frequently freezes for a few minutes, most often when opening a link from another program. It also spikes in CPU usage during these freezes. Several sites always cause Firefox to just hang. I've had to stop visiting a couple of these sites, it was so frequent. The rendering seems to have gotten a little worse in version 1.5. PDFs have never been that reliable in Firefox, but at least in 1.0.x they worked most of the time. I find they rarely work in the newest version. All of this is on a completely clean profile as well on a clean install, so it cannot be blamed on a faulty upgrade or extensions.
--Shane McAliece

>> I'm having problems with Web pages loading incompletely and improperly. It's a crapshoot as to when I'll experience these problems. Sometimes the pages load fine, other times not. What's troubling is that sometimes it looks like I'm losing my Internet connection when the pages won't load at all (and I get the Firefox equivalent of a 404 message). Then a minute later, everything will be fine.
--Betty Nakamoto

>> I'm getting "Page not found" or "Site not available" messages at least 15 to 20 times more frequently than ever before, which is especially vexing since I'm often simply going from page to page on the exact same site at the time!
--Scott Thompson

>> It doesn't render many pages correctly, particularly on The Motley Fool, where I use it the most. Some links don't show; text isn't formatted properly (runs off the screen). Once IE comes out with tabbed browsing, I may drop it.
--Paul Knudsen

>> Memory usage has shot way up! On my machine, Firefox 1.0.7 used to use about 100 Mbytes. Now Firefox 1.5 shows 250 Mbytes or more [based on Windows Task Manager's Processes tab].
--Richard Frisch

>> I have three major issues with this release. 1) I'm among those who've seen Firefox grow to over 350,000k in memory. 2) I've seen it consume up to 40% of my CPU for extended amounts of time for seemingly no reason, even while idling. My PC is a 2-month-old Dell 600xps/dual processor, so this program is eating up serious CPU cycles. 3) This morning Firefox kept crashing and wouldn't stay up for more than 15 minutes at a time.
--Kevin Mahanay

>> I've encountered the 100% CPU freeze-up problem. And it comes close to making the operating system useless. Some Web pages fail every time I try to load them.
--Rob DuWors

More online at http://www.informationweek.com/news/showArticle.jhtml?articleID=175800132

Posted by: Speak Out | March 27, 2006 9:46 AM | Report abuse

Using Firefox is always sure to be safer than IE.

Posted by: fisherwy | March 27, 2006 9:48 AM | Report abuse

According to Secunia, Internet Explorer 7 Beta 2 preview is also affected. This is not an option to protect oneself from this vulnerability, and should be removed as an option from this posting.

More here: http://secunia.com/advisories/18680/

Posted by: Kevin Gennuso | March 27, 2006 10:01 AM | Report abuse

Kevin,

I looked into that before posting: an early version of the IE7 beta was affected by this. The build Msft now makes available is not, according to Msft, anyway.

Posted by: Bk | March 27, 2006 10:04 AM | Report abuse

Several friends who downloaded the IE Beta have had nothing but problems. It crashes repeatedly for them.

Me? I left it a long time ago. I have it on for sites that I have to get into that require it. I also use it to check webpages views when I work on them or the Blog. Otherwise, I use Firefox.

It is a strong mindset for IE. I was working with someone who was having problems. When I asked what she used for her browser, her response was, "I use Microsoft for my IE." She did not understand IE was NOT a term for browser.

I would like to blame poor Internet and computer education but I wonder sometimes.


Posted by: Phil | March 27, 2006 10:49 AM | Report abuse

Not sure if your comment was sarcastic, David Smith, but Firefox actually implements the CSS and DCOM standards correctly. The reason why some sites break in Firefox and not I.E. is because that specific site was written specifically for I.E. and did not follow proper CSS guidelines. So, in essence, div tags that break in Firefox are really working as they should; Firefox reads tags as written regardless of how you WANT it to be showed.

Try validating one of those sites at http://validator.w3.org/ and see what happens. You'll most likely come across many errors.

Now onto your other point -- I agree with you that using Firefox alone does not make you any safer if you insist on visiting suspicious websites, opening strange attachments, or not properly use anti-virus and firewall software. Just slapping Firefox on there, using Norton, and running spybot / adaware every week is security through obscurity. You're not making your system safer. As long as your habits are destructive, you're likely to get hit with something bad.

Still, most malicious code written exploits the ActiveX component of I.E., something which Firefox lacks. Using Firefox, for now, should complement your security methods, but not be your sole source of it.

Finally, the fine people at Mozilla have a real good turnaround time from when an exploit is found and when it is patched. Microsoft used to take months to patch something, but they have become better now.

Posted by: Kamyar | March 27, 2006 10:53 AM | Report abuse

To all people who claim that Firefox will be as vulnerable as IE had it have a 90% market share.

Yes, I am sure that there are exploits for firefox but as long as the project stays open source, those exploits will be fixed in the fastest and best possible way.

Fixing IE takes ages and we can never be sure that the fix was good simply because there is no way to review the fix, which of course is not true for open source.

Posted by: Georgi | March 27, 2006 10:53 AM | Report abuse

If only the websites I use (including internal Cisco switch management pages) would actually work in Firefox, I could switch too! :(

Posted by: Josh | March 27, 2006 11:09 AM | Report abuse

Microsoft are living in a dreamworld of their own invention. They are likely to remain there until more people wake up and face the facts, not the Microsoft fantasy.

Posted by: Steve | March 27, 2006 11:32 AM | Report abuse

Disabling Active scripting (Javascript) will cause plenty of sites to stop working since it is such a fundamental component of web pages. My advice is to disable ActiveX in IE and password storing in IE and Firefox! Turn on ActiveX only when you must, like trying to retrieve updates from Microsoft, after that turn them off again.

Storing passwords on your hard drive is such a risk even if they are protected by state of the art encryption, which they are not. In theory once you are connected to the Net, anything on your PC - in memory and on disk, your keystrokes and your screen - is accessible to anybody out there with the right piece of software. For the truly paranoid, power off your computer after you access your bank account say, so the memory itself will be wiped clean. But even then you never know what gets stored on the page file. Nothing is foolproof. But every bit of caution helps. Such is life.

Posted by: Tom | March 27, 2006 11:50 AM | Report abuse

Use Firefox! When Firefox gets exploited, use a different browser, when that browser gets exploited, use a different browser, when that browser gets exploited, use a different browser.

Posted by: "you can't always get what you want" | March 27, 2006 12:17 PM | Report abuse

The US-CERT site also has a tutorial on setting up trusted sites in Internet Explorer.

http://www.us-cert.gov/reading_room/securing_browser/#how_to_secure

BTW - I think operating a computer using an unprivileged account is more effective than anti-virus software today.

Posted by: gary | March 27, 2006 12:31 PM | Report abuse


The link to the zdnet website for turning off active scripting ( http://blogs.zdnet.com/Ou/?p=133 ) is mildly useful, but if you want a much more thorough way to lock down IE, I would look here:

http://www.mvps.org/winhelp2002/restricted.htm

Posted by: TE | March 27, 2006 1:37 PM | Report abuse

"IE is by far the dominant browser (90%+ - no one else even comes close), so of course all hacks are written for it. Firefox is not safer; it's just not as attractive a target."

This is a canard.
If the only differences in security of products were due to the size of their userbase then there would be no reason to try to write secure code in the first place. If it's not the only difference then Firefox can be more secure.

Microsoft does not have a good track record as far as secure networked applications go. It is possible that other competing products can have higher quality code.

Posted by: Anonymous | March 27, 2006 1:48 PM | Report abuse

"IE is by far the dominant browser (90%+ - no one else even comes close), so of course all hacks are written for it. Firefox is not safer; it's just not as attractive a target."

This is a canard.
If the only differences in security of products were due to the size of their userbase then there would be no reason to try to write secure code in the first place. If it's not the only difference then Firefox can be more secure.

Microsoft does not have a good track record as far as secure networked applications go. It is possible that other competing products can have higher quality code.

Posted by: azreal | March 27, 2006 1:50 PM | Report abuse

A handy tip: To install Firefox on a machine without administrator rights,

- you need to do a "Custom Install" and specify a directory that's not protected (it won't work with C:\Program Files). I just dumped it into a new directory in my data folder, (C:\a_better_browser\Program_Files).

- Also, you need to uncheck the options to put a Firefox item in the Start menu and in the Quick Launch icons. Desktop shortcut is OK.

- Firefox will work, despite a warning that the install won't work properly without admin rights.

- If one of your usual sites gives you problems after the install, locate the old cookie for it and delete the cookie.

Aside from the usual benefits of surfing with Firefox, I added ad-blocking extensions and the FilterSet.G ad filter. Without admin rights, I can't install similar ad-blocking for Internet Explorer. It's SO NICE to be commercial-free!

To enhance your security, add the "NoScript" extension. To block Flash and embedded video/audio on bloated media-heavy websites, add the "Flashblock" and "Stop Autoplay" extensions.

Posted by: Ken L | March 27, 2006 2:01 PM | Report abuse

> support for the wheeled mouse is cumbersome at best

I agree, the default scroll wheel support is iffy. Install https://addons.mozilla.org/extensions/moreinfo.php?id=12 and you'll see a big improvement.

Posted by: Anonymous | March 27, 2006 2:18 PM | Report abuse

Ok to boot here it is, I am an IT manager and use IE. What's more is that I have never had an issue with an exploit, yet, what gets me is the Firefox deal, come on people! We can either use one or another and there will be just the same amount of issues. The exploits written for Windows are far more just due to exposure. How many articles already published the exploits and how IE was handling the press? Well there ya go with the amount of hacker exposure you got. Listen the end all is don't go visit sites you are not supposed to and webmasters do your job examining your site and you won't have the issue. I will continue to say that the more an OS does without requiring any 3rd party software the better off it is because it is less troubleshooting in the long run. IE vs. a Firefox install, what happens on an uninstall? Does all browsing die? Any number of issues, dll's and registry entries remain and/or get overwritten and voila reinstall the OS now because Firefox was better, it's an opinion and not a fact!!! IE may have this flaw but it took how long for hackers and others to find and exploit it? Come with something stronger than that please!

Posted by: Felipe | March 27, 2006 2:21 PM | Report abuse

There are plenty of websites out there that are written to work best with IE. Dems the facts Jack. A lot of sites have pop up video options and they just don't work with FF. I use FF most of the time, but for some sites I HAVE to open IE because FF won't display the page correctly or the video I want to watch doesn't work in FF. THAT'S why people still use IE, that and because they just don't know any better and they're lazy.

Posted by: J4m3z | March 27, 2006 2:24 PM | Report abuse

Oh Please! I'm so tired of the Blame game "MS is Evil!", IE Sucks" get with it, focus your ire on the exploiters, write tougher hacker laws, honestly do you really think that using Firefox will save you? look back a couple weeks and see the headlines then, at what point do you think the exploiters won't hack Firefox, 25% market share? 30? 35? no one Browser, or OS is without vulnerabilities, Get educated and be aware that's your best protection

Posted by: GeoffM | March 27, 2006 2:24 PM | Report abuse

This post is to scott. Your "facts" are flawed. Most people don't use firefox because it's non-MS, they use it because it offers features that the current final consumer IE builds currently don't such as tabbed browsing, extension use, proper CSS rendering, better XML functionality, etc. IE had NEVER been a great browser. I don't know about you but I was in the industry well before Microsoft had ever made IE. We used to use Lynx on Unix. Firefox hands down is a better browser. It is evident in the fact that Microsoft has copied most of its and Opera's features in IE 7 beta. Please respond.

Posted by: Twzop | March 27, 2006 2:36 PM | Report abuse

I use Firefox and have been for a few months. I just prefer the features and when IE 7 is finally released I will take a look and if I like the features I might switch again.

I believe that every single browser out there has its share of flaws... IS is just getting targeted more often because there is just so many more people that dislike the company etc. and IE is the most often used browser. The 'target' market for hackers are just so much bigger. Pure logic - just think about it. If you had the same pool of people targeting Firefox or Opera or whatever that is currently targeting IE I am 100% sure that they would suffer just as much. Anyway - They all have the benefit to some degree of seeing where IE does things wrong and get a gap to do it differently.

But please... I find it insulting if people use lines like 'One guy I contacted' and list names of obscure people no one has ever heard of 'a truck driver named..' etc.

I can also go and find some realworld hacks exploiting IE, Firefox or whatever, write an article and then try to back it up with vague 'some guy' statements.

Posted by: Camojoe | March 27, 2006 2:49 PM | Report abuse

Quote: "The one thing I think many people do not realize is that Mozilla is open source. The problem with open source programs is that everyone and their mother has access to the actual code. Why is this important to know? Simply because if Mozilla ever becomes as dominant as IE, you will see hacker exploits written for Mozilla. These IE exploits are about money, pure and simple. Hackers create these exploits to have the largest effect possible. As of the writing of this comment, IE rules the roost with about 88% of browser usage...if Mozilla hits 88% or even 50% some day, you will see plenty of exploits created for it specifically. Safety on the internet only exists as far as the bad guys want you to be safe."

It isn't that easy to get code checked in. There is an entire process before code gets checked in, and most of the time you have to be a consistent member. There are checks and balances. Read up before you make dumb statements, please.

Posted by: Anonymous | March 27, 2006 2:55 PM | Report abuse

It's a common misconception that when the source code for a program is disclosed publicly, the program is less secure. Usually, the reverse is true.

Source code open to the public is often much better designed (to spare embarrassment) and more thoroughly debugged because outside observers (hundreds or thousands) will review and send comments and corrections. Thus, there will be few if any holes to be exploited. If the code is run on a secure platform, it won't be vulnerable. Secrecy isn't security, it's often the enemy of security.

Posted by: Duncan | March 27, 2006 3:11 PM | Report abuse

Heterogeneous versus homogeneous software:

I use Firefox mostly, but sometimes use Internet Explorer. I can choose to use either at anytime I want. Should an exploit surface for Firefox, I can stop using it and start using Internet Explorer. Right now, I use FF by default because there are more exploits for IE. It's really a no-brainer. I'm just using the path of least resistance to get my work done. There's no ideology behind it. It does take me a few minutes every few months to update Firefox - download/install. But the peace of mind is worth it alone. If FF, and IE both start having lots of problems, maybe I'll switch to Opera or Safari or use Mosaic or Lynx.

"Its not the strongest or the smartest that survive, but the most adaptable" - Darwin

Posted by: jonniesmokes | March 27, 2006 3:28 PM | Report abuse

This really has nothing to do with IE vs. Firefox.

You need to realize that most computer users don't understand all this security mumbo jumbo. There is the knowledge that there are viruses and people stealing credit card numbers in cyberspace, but most people have no clue how to stop this.

The majority of users want their applications to be as predictable and reliable as MS Notepad.

While anyone with a grain of computer aptitude can laugh at "dumb n00bz," that really doesn't solve anything.

I think it's going to be another 10 years or so before people understand the consequences of having a computer connect to the public Internet. There has been no prototype for opening up a private person's life like this before.

Posted by: Gee | March 27, 2006 3:29 PM | Report abuse

I highly suggest using Opera. It's fast, more secure, more standards compliant than any of the other browsers, and, most important, it's free these days as well.

Posted by: Don | March 27, 2006 3:33 PM | Report abuse

I suggest using a Mac and Safari

Posted by: desypher | March 27, 2006 4:10 PM | Report abuse

Firefox, Opera, IE, Netscape... all render HTML. The fact is there are opinions and cause and effects. Do you know all of them? OK now Firefox has a base security level that can be altered as with any browser to include IE. You can play with the settings to not allow the certain exploit and IE is just as secure. Gee got it right when the average person out there understands little. So on the one hand I have to agree that Firefox or another browser comes with a better default level of security on the browser. IE has the potential to do the same, but now you get into SP2 issues like the firewall being turned on automatically and now you have issues doing the thing you value the most. People it is opinion and not fact, there are some things YOU like better but not all people are YOU. I like using all but from an administrator's point of view, I would be remiss if I decided to use Firefox and now do not pay attention to the exploits for IE and some worker decided they liked using IE. Now do I need to configure all machines not to allow IE, native to the OS to run, or not. Laziness is no excuse, a browser is a browser, not a life altering event. Know the issues at hand for all and you just might find yourself amazed at how petty the differences are, and security of one browser vs. another will have nothing to do with it but network security will have a bigger part of it.

Posted by: Felipe | March 27, 2006 4:14 PM | Report abuse

What I find most interesting about this IE vs. Firefox security debate is the lack of a plan by those who rely on IE. Firefox is immune to this exploit, as is Opera. IE can have a trojan horse installed by merely visiting a hacked website (not a malicious website). Firefox has had some vulnerabilities, but never of this magnitude.

Firefox users are characterized by some IE users as fanatical crusaders who use FF mainly to avoid using Microsoft IE, instead of the fact that they find FF a superior browser in most respects including security.
Judging from comments by some IE users, it's clear that some supporters of IE are much more fanatical about staying with a dangerous application.

To all: What is your solution to this exploit? Using a browser immune to this exploit would seem to be the only logical answer.

Posted by: Mr. Spock | March 27, 2006 4:18 PM | Report abuse

The best solution I've found is a Mac and Firefox. I haven't had any of the problems mentioned by previous writers, ever...

Posted by: neb | March 27, 2006 4:22 PM | Report abuse

On the complaints about firefox not being able to display certain pages, all one has to do is go to Tools and click Always View This Page in IE. No brainer...

Posted by: nevermorestr | March 27, 2006 4:30 PM | Report abuse

After all the media coverage and buzz about security and IE, people still use it? Or don't take measures to protect themselves? I'm glad they get beaned. Sorry to say this but they deserve it. I stopped trying to tell people.

If that were their house that got burglarized, something would have been done by now.

Wake up guys. How loud and clear must a message be?

Posted by: Bob Bonomo | March 27, 2006 4:31 PM | Report abuse

I liken this to the fact that people should educate themselves before they learn to browse the web: you do not see people jumping in brand new vehicles on the highway with no education on its usage and potential for damage, but you get my point.

Posted by: DOUGman | March 27, 2006 4:56 PM | Report abuse

Very interesting points of view and I agree wholeheartedly with the point that if you will not take the time to secure yourself and police yourself then you should be the one hacked for not listening and agreeing with the times. Still the whole animosity about IE and security flaws falls on deaf ears but I bet most of these Firefox proponents have been hacked at one time or another and blame IE or Windoze for it but it could have been avoided if one informed themselves!

Posted by: Felipe | March 27, 2006 5:17 PM | Report abuse

I totally agree that folks should invest time in educating themselves in the basics of computer and internet security.

And there are some Firefox users who have brought misery to their computer's doorstep by being careless and/or ignorant.

But back to Brian Krebs's article about this IE flaw: We are not talking about ignorant or careless users out there. We are talking about this vulnerability affecting folks who have patched their OS/software to the max, and who only visit websites that should be safe to visit.

There are only 3 reasons that this devastating vulnerability can get someone: (1) Malevolent people who write these exploits and should be in jail; (2) An unpatched vulnerability in one particular web browser, IE; (3) Use of that browser. Of the 3, the public can easily do something about #3.

We are talking about the potential for bad guys getting sensitive information that can be used to hack into everyone's bank account, etc... It's a bad idea for my bank or your bank or any person charged with security to use IE on any computer connected to the internet, even if they're "educated and careful".

Please, everyone, stop using IE - at least for a few days - at least until there's a patch.

Please.

Posted by: Mr. Spock | March 27, 2006 6:01 PM | Report abuse

For all web browsing and financial transactions I use a classic Mac running OS 9 and browse with either Mozilla or IE 5. Windows is such a piece of security swiss cheese.

I do however like the suggestion to use a non-privileged account on Windows.

Posted by: under the radar | March 27, 2006 6:18 PM | Report abuse

It's fascinating that a major vulnerability in IE inspires a considerable number of Firefox bashers...what, is it Spring Break in Redmond or something? Just doesn't make sense.

Posted by: Giddins | March 27, 2006 6:25 PM | Report abuse

What is IE, and how do you know if you use any of these things like Firefox? All I know is I use Internet Explorer. All this is interesting if I knew what you all are talking about. It sounds like you know, but I was waiting to see how to fix it, but I don't know, and less now I read all this. You make it difficult to understand. In a way I don't care about any problem, only the way to fix it. I just wish I could understand what you all are talking about. Maybe I would be more confused, like I think you all are. Maybe someday.

Posted by: larry | March 27, 2006 6:45 PM | Report abuse

I have no intention of declaring what browser I use. The fewer of you that use it, the less likely it is that it'll become a target...

Posted by: Otto | March 27, 2006 7:02 PM | Report abuse

Yeah, Firefox is SOOOO much better than IE. Not. http://www.mozilla.org/projects/security/known-vulnerabilities.html

According to Symantec, Firefox has actually had more security vulnerabilities than Internet Explorer.

If you want a safe browser that hasn't been plagued by hundreds of bugs, try Opera.

Posted by: Captain Packrat | March 27, 2006 7:32 PM | Report abuse

Well, the real problem here is that there are a lot of people who have never written a single line of code telling us what to do.

The folks who say that open source Firefox is less secure than IE are clueless. Repeat clueless. USA/Europe = open society (Good), North Korea = closed society (Bad). Sharing information protects your rights as a user. Get it?

When will the internet be safe? Never. Never ever. So long as you can download an executable file of any sort that can be installed with full privileges, the internet will never ever be a safe place. That is why an IT person is an administrator and a typical noob has no rights to install software in so many companies.

The real problem occurs when the noob goes home. That is where the noob is the administrator. Poor fellow will always be doomed.

Posted by: Sharky | March 27, 2006 8:02 PM | Report abuse

Scott - the military man - how about trying Portable Firefox? You don't have to install anything. Just execute the program. If you have permission to do that ;-)

See: http://portableapps.com/apps/internet/browsers/portable_firefox

Posted by: nerd6 | March 27, 2006 9:01 PM | Report abuse

The 'noob-as-administrator' problem is compounded by the fact of many programs requiring administrator rights to run... even though nothing they do is 'admin' material.

Posted by: Firefly | March 27, 2006 9:13 PM | Report abuse

I can't believe all these folks defending Microsoft when it's gotten so large and overstaffed it can't even launch a new product, much less support its existing ones. It's been five years since XP and IE6 came out. That's an eternity in the computer world. Just last week it was announced Vista wouldn't be released until next year. Your beloved Microsoft is about to collapse under its own weight.

Posted by: webjockey | March 27, 2006 9:20 PM | Report abuse

I have been using linux + firefox with no AV etc for 4 years now and haven't had to deal with adware, malware, m$ware ;-), worms, viruses etc even once. If hackers start writing virus worms etc for linux, I will switch to BSD or some other OS. Looking at how people are resistant to move away from M$ware, I will not be worrying about switching OS any time soon :-)

Gani

Posted by: Gani | March 27, 2006 10:12 PM | Report abuse

Geez, this comments section is turning into slashdot.

To all those who are defending IE, here's the deal: regardless of any "possible", "theoretical" vulnerabilities, at this moment the safest browser to use is anything except IE. Use Firefox, use Opera, hell, use Lynx.

When the vulnerabilities that are actively being exploited are patched, you can go back to using whatever you want. But right now, anyone who uses IE is taking an unnecessary risk.

Security is a process. There will always be vulnerabilities. The right answer can change at any moment. But right now, the best answer for most people is Firefox. That doesn't mean it's the best, or that it will be the safest forever. But anyone who doesn't distinguish between theoretical risk and actual danger doesn't deserve to be listened to on security issues.

Save the Firefox/Linux/Mac OS/Windows religious wars for another time and place.

Posted by: MarkGo | March 27, 2006 11:14 PM | Report abuse

Sadly, TODAY will be the day when many people will have their computer security compromised by evil-doers.
Because of the silent nature of trojan horse thievery spying upon keystrokes and pilfering account passwords, this day will not be designated Black Monday by the computer press or even be remembered along with the infamous Melissa and loveletter viruses that were designed to make headlines. Because of the stealth of the exploits, today's victims may not learn of the crime against them for some time. Today's victims, most of them, will not have "asked for it" because they were too lazy or ignorant to patch their software, to update their antivirus, to install a firewall, or by recklessly visiting questionable websites. Today's victims' only failing will have been deciding to trust that the world's dominant web browser would protect them, that the might and power and wisdom behind that Big Blue E means that the forces behind that "E" are vigilant, caring, and responsible. Today's victims may be people you know.

And before someone says something like "all software has bugs - no software is perfect - Firefox has bugs, too, you know - and besides, I don't like the color orange", I ask you, where is Microsoft on this vulnerability?

Yes, we know that they are busy working on a patch for it - I applaud the analysts and programmers working long hours to solve this problem (it probably won't earn them any more vacation - that's an inside joke) and wish them godspeed. And, no, I don't think that even a Microsoft or an IBM can produce absolutely flawless software that never needs a patch.

But check out Microsoft's website. Where is ANY INDICATION that the end user should be concerned? Any sort of caveat, advisory, or recommendation that "right now is not a particularly great time to be using Internet Explorer to surf the web" - I could live with a statement like that, maybe with a picture of Tony Shalhoub shaking his head thinking "No, no, don't go to internet today."

Instead, because of concerns over marketshare of the profitless webbrowser niche, somebody's grandma or niece or cousin or friend is going to get got in a bad way by some evil-doer out there.

Now is the time to tell your friends, everyone you know, to not surf the web with Internet Explorer (at least until it's patched).

Argue all you want later. Tell everyone to stop using IE now!

Posted by: Mr. Spock | March 27, 2006 11:50 PM | Report abuse

I've been repairing and debugging computers and networks for many years now and if anyone thinks that Blackhats won't hit Firefox, Netscape, etc., they're living in a dreamland! Hackers usually focus their attention on the most widely used computer program/operating system in use. Right now, that happens to be Windows and any programs related to it. When Firefox becomes a widely used program, they will undoubtedly attack it as well. So, for right now, it may be the "safest" browser to use, but just wait until it becomes REALLY popular! No one should be giving advice as to which browser you should be using. They are ALL susceptible to attacks. To be honest about it, IE is the most difficult code to corrupt out of all the browsers. It's just a matter of which one they wish to focus their attention on, and IE is the king of the hill to bring down!

Posted by: G Cain | March 28, 2006 12:05 AM | Report abuse

No one is saying that Firefox, Safari, Galeon, or Opera are invulnerable.
IE is the king of the trash-heap right now. Your point is?

FACT: Using Internet Explorer at this time is your WORST POSSIBLE CHOICE for browsing the internet.

Posted by: Pluto | March 28, 2006 12:23 AM | Report abuse

Determina released a free patch for IE that will protect users until MSFT gets its act together and delivers a patch:

http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp

Posted by: djottercreek | March 28, 2006 12:47 AM | Report abuse

Use PsExec from Sysinternals and IE and no problems. You aren't running IE as a privileged user anymore.

http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html

Posted by: Bruce | March 28, 2006 1:44 AM | Report abuse

Hello folks.

Disclaimer: I'm a programmer, therefore I use Linux and Firefox.

I have a couple of points.

On the relative abilities of IE and Firefox to render pages correctly:
Test it out for yourself with the ACID2 test. You can read about it and test your browser here:
http://www.webstandards.org/action/acid2//

You will find that neither IE nor Firefox (nor Mozilla, nor Konqueror, nor Nautilus, nor Epiphany) can render it properly. There is only one browser that can: Opera. If rendering is the be-all and end-all of your browsing, that would be the logical choice. Mind you, don't forget that a _lot_ of web _sites_ are broken! It may not be your browser at fault anyway, whichever browser it is.

Next I'd like to turn to open source software and the awful misinformation posted by BlogginDaBurgh.com. He or she said,

"The one thing I think many people do not realize is that Mozilla is open source. The problem with open source programs is that everyone and their mother has access to the actual code. Why is this important to know? Simply because if Mozilla ever becomes as dominant as IE, you will see hacker exploits written for Mozilla."

S/he misses the point of Open Source software completely: the point is that because the source code is open, anybody can _read_ it, including you, the users. It's not fine prose, admittedly; for example, Java source code tends to look like this:

addInputStream( jarFile.getInputStream( ze ) );

As you can see, it's ugly but _readable_ by humans. All other modern computer languages are equally readable by humans.
Because of this, while it's true that anybody at all can _offer_ a changed piece of source code to the programmers who wrote the original, that new piece of source code won't make it into the product until it has been:

1. Read and analysed by those original programmers; and

2. Compiled with _their_ compiler (over which those original programmers have total control); and

3. Added in to the 'source code control' system--which only those original programmers can do; and

4. Downloaded, re-read, re-analysed, re-compiled and re-run by many other people.

Java source code with malware in it would tend to look like this:

sendToMyPC(botnet.get(login + password));

That's pretty obvious even to a non-programmer, no? :)

And yes, it's true that a wannabe leet script kiddie ('l33T 5k8yP7 k166I3' in their pidgin) might try to disguise it by renaming 'sendToMyPC' as 'worble' and 'botnet.get' as 'foo.bar' and so on; but even so, the _things_that_it's_doing_ will still be visible to an alert reader, and so the wannabe will still fail.

THAT'S the main reason why Open Source Software is more secure. OSS is also more reliable, because there are millions of programmers who are eyeballing _and_running_ every single line of that code 24 hours a day all around this fine planet. When a bug or exploit appears, we fix it. Pronto. Like yesterday. We don't have to wait for a faceless middle manager to tell us we can do it next month after we've filled in our expense reports. OSS is also more secure because some of us are downloading and running that code specifically to look for vulnerabilities.

Why do we bother doing all of this for no money? Because we actually care and because we love to program. Most of all because we love the _immense_ job satisfaction which comes from producing something fine and beautiful and useful. Most of us get approximately zero of that satisfaction in our paid employment, just like everybody else these days; so we program OSS at night, at the weekend, over holidays and in our lunchbreak. Some of us work for MS and Apple.

And there are literally millions of us, not the few thousand working for MS or Apple. And we are of every nationality, skin colour, language, age, gender, religion, political persuasion and profession, so don't you guys go thinking that some weird foreigner from Atlantis writing in Sanskrit is going to fool us.

BlogginDaBurgh.com is therefore completely and utterly wrong that Open Source software must be unreliable: it's the exact opposite of what s/he suggests.

I hope this will lay to rest some of the appalling scaremongering going on out there.

Thanks for your time.

Steve Berry

Posted by: dalroth5 | March 28, 2006 4:39 AM | Report abuse

Being a programmer myself, I was just going to post about OpenSource and how it's more secure, but dalroth5 beat me to it.

So, instead I'll say: What he said!

Posted by: deice | March 28, 2006 5:15 AM | Report abuse

I switched to OSX on an Apple Mac Powerbook and I said goodbye to ALL these issues. As of now I have had my Mac running 13 days, 23 hours and 5 minutes (9-11 hours actual use per day) and not one of about 14 programmes running has quit, or caused any problem for me. I certainly haven't been fearful of losing my credit card details either.

I look on with amazement at the problems Windows causes and wonder what mentality stops people from going out immediately and buying an Apple Mac. It's like being in the best Mercedes ever built and watching the world going past in those smoky, crappo Russian Trabants...

My advice? Switch before you lose your minds completely.

Posted by: Jon T | March 28, 2006 5:29 AM | Report abuse

eEye, the outfit that coined the slammer worm 'sapphire worm' first by a couple hours, came out with a patch today for those who chose not to wait for 'you know who'. Google eEye will get you there. I can report no ill effects thus far. It comes with an uninstaller and will show up on your 'all programs' page.

Posted by: George | March 28, 2006 5:51 AM | Report abuse

"Norton anti-virus, which did not pick up any signs of infection" -- what a shock!

Posted by: Darth Geoff | March 28, 2006 6:14 AM | Report abuse


What is the solution to these Browsers? No matter what it takes or any new browser arrives, we still have to live every day with the fear of virus attack. But we can only be assured that when we stop the power of the human mind, this creation of virus attacks will be stopped. But it's endless...

Posted by: Nisan | March 28, 2006 8:00 AM | Report abuse

That ie-seven site above is a drive-by download site...beware.

Posted by: djottercreek | March 28, 2006 8:01 AM | Report abuse

Quote from Neb above, "The best solution I've found is a Mac and Firefox. I haven't had any of the problems mentioned by previous writers, ever..."

I think that's a lot like stating that you ride a bicycle and have never gotten a speeding ticket, ever.

Apple/Mac is to the computer industry like AOL is to the Internet.

When you simply DO NOT give the user enough power to do harm to themselves.

Then you think that somehow it is better, simply because you don't have enough knowledge to know the difference.

Think of it like a baseball game - you are ALL sitting there in the stands, hollering and carrying on. There are very FEW players who are actually down there on the field, and playing the game.

The problem is, the noise coming from the stands is so loud that people who are passing by don't hear anything else.

Maybe you should all sit down, shut up, and watch the game. If you think that you know so much, then get your butts down there on the field and try to make a difference.

Posted by: Beauford Pitts | March 28, 2006 8:20 AM | Report abuse

I use Firefox with Norton 2006 and Webroot Spy Sweeper. My high-speed is 4717 ks. Webroot is the way to go; it's been 2 years with no problem. Go for it. Nothing comes in my machine.

Posted by: c gauthier | March 28, 2006 8:42 AM | Report abuse

Being open source makes something safer, not riskier. I would rather trust the open code review by a variety of developers who have the community and their own interests at heart than closed code that no non-employee of a corporation can ever see.

That is why Firefox is safer now and will remain safer to use than IE.

Posted by: dmac | March 28, 2006 8:43 AM | Report abuse

More pro-firefox hysteria! Configure IE correctly, and stop being babies. The 'net is full of neurotic paranoid drones- learn how to configure windows correctly you simpletons. That programmer's going to re-install his operating system now?? Hahahaha...

I'll tell you about something that's safer than Firefox... stay off the Internet!!

Posted by: Mike Oxbigg | March 28, 2006 8:52 AM | Report abuse

Oh yeah, I've been using The Proxomitron (with IE) for years now- it has a myriad of ways to tame active scripting etc.

Posted by: Mike Oxbigg | March 28, 2006 8:57 AM | Report abuse

I just love the logic by the IE-diehards: one day, Firefox will be just as targeted as IE, so you might as well stick with IE.

Think about that for a second...security is a process, not something you set in stone. When the bad guys start targeting Firefox, Opera and other browsers with anywhere near the intensity they're throwing at IE, then you burn that bridge when you come to it. But until then, using IE for your everyday browsing is just foolish.

Posted by: Anonymous | March 28, 2006 9:11 AM | Report abuse

In answer to the people saying that there are so many more exploits for IE than other browsers because it has the largest installed base: No, that's NOT the only, or even the primary, reason. There are several other significant differences: Integration, proprietariness, and response time. All of these factor into security.

By integration I am referring to the fact that Microsoft, as part of their strategy to fight antitrust suits, incorporated parts of IE directly into the guts of Windows. While this did allow them to say "no, it's not an application, it's part of the OS!" to the government(s), it also allowed IE to say "trust me!" to the rest of the system. Because of this integration, (which provides no actual benefits, I should point out; it was done for litigation reasons) IE has a level of access to the rest of the system that no external application has. In a sense it's a part of the OS being directly exposed to attack, rather than a mere application program such as Firefox or Opera. This gives it unique vulnerabilities.

Other people have pointed out the benefits of open-source development with regard to security already. To expand on it, though: Nothing is closed to the bad guys. They decompile, they disassemble, they reverse-engineer, they analyze. The "black hats" out there probably know more about IE by now than the programmers who built it. That's how they find flaws to exploit in the first place. The difference is, with proprietary software, ONLY the bad guys are looking at the code. ONLY the bad guys are in a position to identify possible exploits. It's difficult, impractical, or a crime (depending on jurisdiction) to try to get a look at the guts of IE; therefore, only people with something to gain and a lack of ethics will do so. Bad guys. But open-source software is available to anyone who wants to read the code, from hobbyists to the high-powered people on Google's payroll. Instead of only the bad guys analyzing it for exploitable flaws, the good guys are looking, too, and there are a lot of good guys. This means that vulnerabilities can be found and fixed before they are exploited.

The third difference, response time, comes into consideration when a vulnerability does turn up. Microsoft, for better or for worse, is a very large corporation. As anyone who has worked for one knows, part of the "or worse" that comes with that size is a certain level of bureaucracy. If some software engineer spots a problem, he can't just fix it. He has to go through multiple stages of bureaucracy and paperwork, requiring multiple levels of approval of all types, before something can be done about it. This is why MS lets exploits remain open for weeks at a time: their system (like that of any big company) moves so slowly that for them, getting a fix out in the next scheduled patch IS fast response. Plus, for a major effort, Microsoft has to shift people from other work, which impacts other parts of their business. The supply of labor for an open source project, on the other hand, is far more elastic. Therefore, it's possible to fix flaws much more quickly. If one turns up in Firefox, for instance, the patch is often submitted, tested, and pushed within 48 hours. No waiting for Patch Tuesday.

Oh, and as for "...according to Symantec..." you completely left out any mention of Symantec's retraction of that report. You can read it on Yahoo. Originally, they counted only vendor-confirmed flaws, which of course gave Microsoft the edge, since they don't confirm any flaws unless forced to (and not at all if they can patch them before anyone notices) whereas (practically by definition) any flaw in Firefox is "vendor" confirmed. When they counted ALL of the known security flaws in IE, not just the ones that Microsoft confirmed, then IE came in second in a two-browser race.

"...don't go visit sites you are not supposed to..."

You mean like "...a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country"? Which of those are people "not supposed to" visit?

Let me guess: the only website we should be visiting is microsoft.com? Well, at least we wouldn't be getting stressed out by reading about IE vulnerabilities if we did that.

Posted by: Wanderer | March 28, 2006 9:26 AM | Report abuse

Something ate my link to the Yahoo story about Symantec's retraction. Here's the URL:

http://news.yahoo.com/s/cmp/20060308/tc_cmp/181501722

I'll try again to make it clicky, but something here doesn't like me: Yahoo story

Posted by: Wanderer | March 28, 2006 9:31 AM | Report abuse

Lol, okay, it will only let me post a naked URL. I guess it's for goatse prevention. Anyway, the previous post has the correct link.

Posted by: Wanderer | March 28, 2006 9:32 AM | Report abuse

I am just fascinated by the vehemence that the pro IE people here are showing. Good golly, what is THAT about? "I use the most insecure browser on the planet, WHY isn't it GOOD ENOUGH FOR YOU?", and other such crap is just that... crap. Are all of you still driving Pintos, too?

Those who think that secrecy is the cure all for security are fools, plain and simple. Closed source is a clear way to get yourself hacked. Ever hear of REVERSE ENGINEERING? Open source makes that FAR less possible, as is evidenced every day by the continuing fixes that occur on Opera, Firefox, and the rest of the open source world. How often does this happen on IE, just to use an example? Right now MS is saying that they don't want to release a patch for IE until about the 11th of APRIL! That leaves all their users open to attack and identity theft for 2 weeks! Obviously they are very concerned about leaving their customers open to this...

Get over your Bill Gates worship. He is just as likely as anyone else to fail and give you weakly designed software. Think about it: He has NO reason to provide you with "perfect" software. If he did, you would NEVER buy another copy, would you? It's to his advantage, especially with the virtual monopoly he has, to keep turning out ware that needs to be "upgraded" at some point. So why should he even worry about bugs?

Being nasty to those who do things a different way than you do is just foolish, especially when they are NOT opening themselves up to identity theft, fraud, and credit card insecurity and YOU ARE. GET OVER IT!

Posted by: Will Morrison | March 28, 2006 10:19 AM | Report abuse

Jon T says his Mac has been running for almost 14 days without a hiccup. I just returned from a two week trip to Malaysia and India. I booted my PowerBook G4 in Chicago before leaving and never shut it down. Just closed the cover. During the trip, I made numerous Web connections through ethernet, phone, and wireless. Behind firewalls and outside them. I used Safari and Firefox. It went through numerous airport security checks. I dropped it. No viruses. No freezes. No reboots.

Beauford Pitts replies to Jon T by saying that Macs are "to the computer industry like AOL is to the Internet." That's ignorantly wrong. I've programmed for 35 years on an awful lot of computers and operating systems (now work in Java). I maintain a Windows network for my wife (a weekly maintenance task clearing out malicious worms and adware that made it past Norton and an SBC firewall). If you've never used an OS other than Windows, then please do not comment on these issues. And remember, most of the "powerful" features you like in Windows were copied from the Mac.

Most veteran programmers I know use Linux or Mac OS X for their own work. And as dalroth5 says, they do open source. They do so because they know the facts in this debate. Also, I work in the sciences. The scientists I know use OS X or Linux because they can't afford to lose their data. And they use a Mac at home because they can't afford to lose their credit card numbers.

Posted by: Lee W | March 28, 2006 10:48 AM | Report abuse

While Mozilla, Firefox and Opera may be better alternatives to IE, if you are working in a domain / environment where your system is being updated by security administrators on a regular (i.e., weekly) basis, you MUST adhere to the policies of the organization that you work for.

Installing a browser that your admins are not monitoring for updates creates a security vulnerability for your environment. Believe it or not, alternative browsers to IE STILL have exploits, and the average user does not make it a part of their day to monitor for updates to their new Mozilla browser (nor should they - that's the security admins' job).

Organizations create policies that will affect their users and data in the best possible means of productivity. To do otherwise would be counterproductive to the groups' efforts, and the company loses money - which ultimately means the company may have to lay off staff ...

Know what your company's policies are, and if you should choose an alternative, e.g., Firefox, monitor for updates. If you can't do this, save your company a headache and stay with what is being updated through automated services, such as WSUS or SMS. You work hard enough, why let someone else steal your work?

Posted by: Jonny ISSO | March 28, 2006 11:09 AM | Report abuse

Lee W:

"...Norton and an SBC firewall"
That just shows what you don't know my man - NOD32 from eset.com beats Norton hands-down, and if you didn't believe the hype that Norton puts out, then you'd make the switch.

I'm not PRO-MS or Pro anything, but it is perplexing how those people who are obviously "Pro-Anti-Microsoft" are missing the single most important point.

Sure there's a bug, you can point your fingers directly at Microsoft and say "Fix it"...

Where do you point your fingers when there's a problem with open-source software?

Where's the 800# for Firefox?

Who's ultimately accountable?

You've got NOBODY, even though you have thousands.

And why isn't your software sitting on the shelves of all the stores?

Does our free OS and its applications come pre-loaded on 95% of all the PCs available on the market today?

You have nobody leading the way - just an open-source, "free everything" vision.

Don't you have any revenue for marketing?

Oh, that's right, you give away all your stuff. Hmm, seems like a pretty crappy business model for something which is supposed to be vastly superior.

Posted by: Beauford Pitts | March 28, 2006 11:21 AM | Report abuse

Googled for

firefox exploits

Results 1 - 50 of about 3,710,000 English pages for firefox exploits. (0.31 seconds)

Sit down and shut it up

Posted by: Mr. Googler | March 28, 2006 11:26 AM | Report abuse

To this day, I am still amazed on how Microsoft continues to put out one piece of excrement after another and still keeps its market share.

Even though I have an iMac that is running OS X Tiger, I STILL use Mozilla's Firefox 1.5.0.1 as my browser.

Anyone who reads this should do themselves a favor and at least TRY a Mac: you get an incredibly STABLE OS based on the FreeBSD Unix kernel, only a handful of known virus issues versus tens of thousands, and go for weeks without the need to reboot....

Posted by: Terry K | March 28, 2006 11:48 AM | Report abuse

All these comments by the pro-IE run-IE-no-matter-what I-can-run-IE-without-any-security-problems-because-I'm-so-smart-and-careful (never mind this flaw affects fully patched computers visiting sites such as an insurance company and not badware.com), what can I say except to re-iterate the last paragraph from the Wash. Post's security expert:

[Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.]

Posted by: Pluto | March 28, 2006 11:50 AM | Report abuse

Beauford:

I point my finger at Apple and say "fix it." Their 800 number is 1-800-MY-APPLE. I get a real person when I call. Last and only threat I heard about this year (a pseudo-worm, actually), Apple sent out a patch within three days.

As for NOD32, I agree with you. Norton's kind of a pig and awful buggy. But I think we should trust a company with over 90 percent market share. They must be doing something right ;)

Posted by: Lee W | March 28, 2006 12:19 PM | Report abuse

"Googled for

firefox exploits

Results 1 - 50 of about 3,710,000 English pages for firefox exploits. (0.31 seconds)

Sit down and shut it up"

so by your logic, the google search for "IE exploits", which returns 12,900,000 results, says that firefox is 3.5 times safer than IE.

Posted by: I google too | March 28, 2006 12:46 PM | Report abuse

Googled for

firefox exploits

Results 1 - 50 of about 3,710,000 English pages for firefox exploits. (0.31 seconds)

Sit down and shut it up

Congratulations, you found 3 million pages that contain both the words "firefox" and "exploits". If you were to google for "firefox exploits" in order to get just the ones that talk about Firefox exploits, rather than things like "if you're worried about IE exploits, use Firefox", you get 465 hits.

Sit down, shut up, learn2google.

Posted by: Anonymous | March 28, 2006 1:15 PM | Report abuse

Googling for something to prove a point is ridiculous.

Case in point: Google:
Mr. Googler is an idiot

Results 1-10 of about 265,000 for mr. googler is an idiot (0.12 seconds)

Posted by: googlethis | March 28, 2006 1:20 PM | Report abuse

> I'm not PRO-MS or Pro anything, but it is
> perplexing how those people who are
> obviously "Pro-Anti-Microsoft" are
> missing the single most important point.

If you're not part of the MS astroturf, then why are you reciting the Microsoft party line?

> Sure there's a bug, you can point your
> fingers directly at Microsoft and say
> "Fix it"...

... and maybe they will, next Patch Tuesday. Or maybe they won't. If they do, and they still support your OS, and the fix isn't a bigger problem, you're in luck. If they don't, you can't fix it yourself, nobody can fix it for you.

> Where do you point your fingers when
> there's a problem with open-source
> software?

At whoever wrote it, same as any other software. Or, if you bought support for it from a third party, such as Red Hat, at them.

> Where's the 800# for Firefox?

Bugzilla.

> Who's ultimately accountable?

Same as any other software: whoever wrote the code. Whoever checked it in. Whoever distributed the build. All of which is at least as well documented in OSS as it is in proprietary development. It's, y'know, OPEN.

> You've got NOBODY, even though you have
> thousands.

With Microsoft? Sure. With Firefox? Nope.

> And why isn't your software sitting on
> the shelves of all the stores?

Firefox? Because it's distributed online. The same is true of proprietary programs, by the way. Or don't you think they're real either?

Linux? Which distro do you want? You can buy several at my local CompUSA.

> Does our free OS and its applications
> come pre-loaded on 95% of all the PCs
> available on the market today?

It's been documented that Microsoft has threatened to refuse permission to sell Windows to any PC manufacturer that sells machines with Linux. However, this is slowly changing; you CAN walk into at least some major chain computer stores and walk out with a Linux PC in a box. If the legal environment changes so that there can be actual competition in the marketplace, you can expect a lot more of them.

> You have nobody leading the way - just an
> open-source, "free everything" vision.

Why do you even bother to post? Just put in a link to Microsoft's "get the lies" pages and save yourself a lot of typing.

> Don't you have any revenue for marketing?

Like full-page ads in the New York Times? Yep. Firefox been there, done that, sold the shirt.

> Oh, that's right, you give away all your
> stuff. Hmm, seems like a pretty crappy
> business model for something which is
> supposed to be vastly superior.

First of all, a company's business model has little to do with the quality of their products. Take the late lamented Commodore Amiga: great computer, great software ... company that couldn't sell ice cream in July. Or take AOL: even its own users hate it, and nobody sane is going to argue it's the best ISP out there, but saturation marketing worked; there are how many bazillion AOL users?

You can build not just a better mousetrap but an absolute genius mousetrap, but if you can't build a better mousetrap company, too, the mice of the world are still safe.

That said, take a quick look at http://finance.yahoo.com/q?s=RHAT . Hmmm ... do I correctly read the market cap as somewhat over 5 billion dollars? $158+ million dollars in profit last year? Not bad for a company that gives its products away. Might not be such a bad business model after all.

Posted by: Wanderer | March 28, 2006 1:43 PM | Report abuse

You know what? This crap is getting almost as bad as the TV ads. Which leads back to the base question.

Given the state of affairs with the internet... yet the need to use it for say job searching and applications... about 90% of what I do with it... How should one truly set up their machine?

Currently running a late model machine with 2.8HT, 1 gig of ram, 10k SATA150... running XP Pro. Not the fastest in the world but a significant improvement over my 6 year old Athlon 850 it replaced.

So... for my own reasons stemming back 20 years I really do not like $MS... mainly because of his early releases of unfinished programming, inferior programming, and unfair competition practices... however, what it is is what it is... and I have to use them because Corp America does.

For years we used McAfee, but since they would not support installation and fix my problem free (on a new purchase) I took it back and got Nortons ISS... now using Norton's System Works and their firewall. It has everything the ISS had except spam which I can handle with my mail program (I think... haven't tried... but really don't get that much). Run Ad-aware weekly as well as keep the anti v and anti spy up as well as possible.

Now run something called Snoopfree for anti privacy hooks etc. Surprising what it found MS doing.

We used Netscape for years (since v3) and most versions since. I also used them for my mail prog too. I do not trust most any MS program but like I said I have to use their full office suite and OS for work purposes. Outlook is here but I do not use it. Like to disable the instant messenger... don't use it or need it.

I also do not let Active X run unattended in anything if I can. It's disabled everywhere I can find. Although Windows Update needs it... but MS won't say why...????? I asked. I really do not want its code even on the machine.

I run all the protection I can think of and only have a few sites at full trust settings. By default it's the minimum with no java or active, popups, etc. On sites I trust I open it up only as far as I need to view or use properly.

I use IE only if absolutely necessary and I can't get Netscape 8.1 to do it.

So the question stands... what should I be doing... and don't reply with "pro-this or that favorites"... I want sound advice based on experience and knowledge.

I confess I am not totally in that category... but sometimes I know just enough to be dangerous.

Thanks

Posted by: dem | March 28, 2006 2:47 PM | Report abuse

For those who say they are not allowed to install FireFox on their business/military computers - buy a U3 USB thumbdrive (www.u3.com) and all the apps stay on the thumbdrive and no info is ever left on the host computer. So, put the U3 version of FF on the U3 thumbdrive, plug it in any USB port and use FF as a browser. When finished, remove the thumbdrive and there is nothing left on the host computer. Carry all your apps on your thumbdrive and use any computer with a USB port - and leave nothing behind.

Posted by: Retiredbob | March 28, 2006 6:40 PM | Report abuse

It pains me to see that some people are very envious of Microsoft and the services which it provides. Society needs to realize that NOTHING is 100% safe. Please, use any browser at your own Peril and stop blaming the Evil Empire.

Posted by: Guest jay | March 28, 2006 7:57 PM | Report abuse

Any website developer who can't program their website to be compatible with different browsers shouldn't be programming websites.

Any user who's serious about the internet WILL NOT be using Internet Explorer, 100% fact.

If you're reading this article through Internet Explorer, try thinking for yourself for once and make the change to a more secure browser now.

-BFM

Posted by: BurningFeetMan | March 28, 2006 8:23 PM | Report abuse

People are typically blind to the hazards. This is how Microsoft has kept their market share (and Microsoft is fully aware of this.) For the most part, until a consumer is affected directly they will not change to another browser. Sometimes it requires a kick in the pants for someone to even try another browser. The response from Microsoft on this particular flaw was to wait until a later date to release the fix for it.

Many consumers and businesses do not ever do Windows updates to their operating systems. In fact, many do not even have a clue about how to do this.

Until there really is a choice on the desktop of a browser on the new computers sold, browser usage will be slow to change.

This reminds me of Microsoft's stance on that they do not have to be better than the others; they just will be on more computers than any other software or browser in the world. In the end they think it doesn't matter.

But, a storm is brewing on the Internet and Microsoft may be in for a rude awakening.

Posted by: James | March 28, 2006 9:24 PM | Report abuse

People hate IE for one very big reason - Choice. Choice is key and I guess most people failed to learn this when they watched the Matrix? Not that you have to learn it there, but it's an important concept.

Certainly many people can install Firefox on their own computer ... it is not difficult. Some people do not know what a browser is - of course this is changing as the younger generations grow accustomed to such concepts.

A bigger issue is IT shops and Help Desk staff who are unable to install any alternative and/or 'safe' browsers on people's work computer. As one poster indicated he's in the military and any user install is verboten. This is not a bad idea as a whole, but in private and public companies they can fire a user for such a violation (though it would probably have to have a large effect - that is installing something that would hose a system that may prevent a deadline from being met that would cause a huge issue). Some places will lock a system down (or attempt to). Also keep in mind many users love to install free and 'cute' software that will cause endless pop ups and eventually make the system unusable (and this is often the best case scenario).

Of course there are admins who do not like or trust open source - because it is open. When I point out that Microsoft proprietary and closed solution is often much worse, they do not seem to believe me...

So there are all sorts of reasons why choice is limited or nonexistent. IE 6 SP2 has added some desperately needed features, but SP2 is also a stupid PITA as our Corporate version seems to want to insist on auto activation of the Firewall.. where it may partially interfere with some of our custom applications - which is brilliant (NOT!) ...

so why do people hate Microsoft? They are the unchecked source of millions of people tormented and suffering ... certainly not as bad as some areas, but mental anguish from a tool one depends on can be almost as bad! You might as well take the ultimate tool to it - a good hammer seems to fix most issues and I actually feel like something was accomplished!

Is it hammer time? :P

Posted by: drx | March 28, 2006 9:30 PM | Report abuse

> It pains me to see that some people are
> very envious of Microsoft and the services
> which it provides.

ENVIOUS???

I'm envious of a company because I think a competitor has a better alternative to an outdated and flawed product that the company in question sells?

On that basis I must be horribly envious of Radeon (I have an nVidia video card), Intel (I prefer AMD chips), and the second-rate laundromat up the street (which I will only go to if the good one is closed). Um, yeah, right. Because we know the only reason that someone might recommend a specific product is if they envy the manufacturer of a competing product.

And, um, "the services which it provides"? Last I looked, Microsoft was _selling_ me services, and at rather steep prices and undesirable terms. They're not a charity operation. Not that I expect them to be, of course; I'm a dyed-in-the-wool capitalist myself. But I take them for what they are, a cutthroat business operation, and don't mistake them for some sort of philanthropic organization kindly "giving" us the products that we buy, often unwillingly, from them.

Posted by: Wanderer | March 28, 2006 9:42 PM | Report abuse

Fascinating. Every time a story comes up about Microsoft security problems the trolls come out of the closet.

1) Firefox, Opera, Mozilla, and Lynx are all more secure than IE at present.

2) IE is the main target of attacks.

Solution - use something else. It's not as if choices don't exist. It's a bit harder, and some pages won't render properly - but if you complain about the ones that don't render, they will get fixed.

As to another browser being as vulnerable, no other browser is integrated into the operating system, so any vulnerabilities are likely to be far less dangerous.

Posted by: Wayne | March 28, 2006 10:09 PM | Report abuse

RE: IE flaw. Looking for suggestions for a workaround for a machine running Windows 2000 (not XP!). None of the downloads offered by Microsoft work (why am I not surprised). And to avoid being scolded for using IE, it is used only for sites that demand it. Otherwise, we run with the foxes of Mozilla.

Posted by: helene | March 30, 2006 12:00 PM | Report abuse

RE: IE flaw. Looking for suggestions for a workaround for a machine running Windows 2000 (not XP!). None of the downloads offered by Microsoft work (why am I not surprised). And to avoid being scolded for using IE, it is used only for sites that demand it. Otherwise, we run with the foxes of Mozilla.

Posted by: helene | March 30, 2006 12:04 PM | Report abuse

Sorry for the duplicate posting, did so in error

Posted by: helene | March 30, 2006 12:06 PM | Report abuse

@ Helene:

>>Looking for suggestions for a workaround for a machine running Windows 2000 (not XP!).

Have you tried setting the Internet zone to High security:
http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#security
(The most secure setting is, obviously, 'Disable Java'. :)

and adding the "sites that demand it" to the Trusted Sites zone?
http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#trusted

Posted by: Mark Odell | March 30, 2006 4:05 PM | Report abuse

thanks mark. that was quick!

Posted by: helene | March 30, 2006 6:49 PM | Report abuse

That's weird that US government employees (or military or whatever) could not use any browser but IE.

See this alert from the French government's bureau of national defense, requiring to use Firefox or Opera as a workaround for IE's security flaws...

http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-002.pdf

Posted by: Jean | April 2, 2006 1:56 AM | Report abuse

Mark,
re workaround for Win 2000.
Everytime I reset the security to High it defaults to low.
what to do?
HL

Posted by: helene | April 2, 2006 12:08 PM | Report abuse

more on Windows 2000. Any suggestions for a freeware like Snoopfree for it.
Thanks.

Posted by: helene | April 2, 2006 12:36 PM | Report abuse

Helene,
>>Everytime I reset the security to High it defaults to low.

You say you're on Windows 2000; the only thing I can think of that might cause this is that you're logged-in as an ordinary limited user when you try to change it. Try logging-in as Administrator, reset the Internet-zone security settings to High, log out, then restart Windows and see if the new setting "takes".

BTW, the default setting of the Internet zone is Medium, so I don't know where Low is coming from on your machine. (The default setting of the Trusted Sites zone is Low, but for this scheme to work, you shouldn't have to touch it.)

Posted by: Mark Odell | April 2, 2006 12:37 PM | Report abuse

Thanks again mark.

Posted by: helene | April 3, 2006 9:01 AM | Report abuse

This sort of article is not honest nowadays.

It is a shame!

Posted by: David Heckert | April 5, 2006 11:39 AM | Report abuse

Yes, it's a shame. A real shame.
Shame on Microsoft for not acting on this sooner. Shame on Microsoft for letting trojan horses get installed on your mother's computer, your grandma's computer and possibly yours (if you run Internet Explorer).
My guess is that 1/4 million Microsoft customers (folks who gave Microsoft money from their hard work) have been adversely affected - their credit card stolen - or whatever ("whatever" is the lament heard in the halls of Redmond - "whatever" happens to customers happen to them - "a sucker is born every minute").
Yes, indeed, it's a shame.
Fool me once, Microsoft, shame on you.
Fool me twice - well, we all know that...

Posted by: King of Sorrow | April 7, 2006 2:55 AM | Report abuse

Posted by: Anonymous | April 9, 2006 2:28 PM | Report abuse

I love it when people say, "I got infected even though my Norton Antivirus was up to date". And then they stop using Internet Explorer! It's about time someone applied the same critical scrutiny to the uselessness of Norton Antivirus.
Also, remember most of the sites being compromised were actually running Apache on Linux.

Posted by: Darth Geoff | April 16, 2006 9:17 PM | Report abuse

"IE is by far the dominant browser (90%+ - no one else even comes close)"

Although this was once true, this often-stated non-fact has NOT been true for a long time.

I just now checked to see the latest count and the result surprised even me.

FireFox has over 160 Million Downloads!!! and counting....

see the latest count here:
http://www.spreadfirefox.com/node/22360

Posted by: Erik | April 17, 2006 6:41 PM | Report abuse

Very good site, congratulations! suikoden iii

Posted by: suikoden | April 18, 2006 4:11 PM | Report abuse

i am looking for an internet explorer for many days, at last i find a good one called IE Catcher at

http://www.yaodownload.com/internet-tools/browsers/iecatcher/

Posted by: kate | April 23, 2006 11:01 PM | Report abuse

The Real Issue is the Operating system. If you have a secret then some one wants it Bill has made billions that way. Good for him. I never had any real problems with firefox opera or netscape in the open source world. If some one wants to hack a open source then hey that tells you how lazy they are. Or wait how scared they will be seen any way. you can have secrets or be open Peace and love to all.

Posted by: man Of Peace | July 23, 2006 11:27 PM | Report abuse

IE is probably the best web browser for any Microsoft system. There will always be exploits for any web browser used! That will NEVER change. Firefox is no better than IE. And when all the ignorant people in the world listen to this crap and shift over to firefox, the hackers will take advantage of that shift. It's not that firefox (or any other web browser) is more secure. It's that hardly anyone uses it. If you have a Windows system and you really believe this bull then you need to reevaluate your knowledge a little more.

Posted by: Guardian | August 13, 2006 7:31 PM | Report abuse

"FireFox has over 160 Million Downloads!!! and counting...."

And how many of those people do you think actually know one thing about computer or network related technology? People are ignorant; they'll follow anything they hear from their friends, family, or other ignorant people! How many people also use AOL and Norton still! If you actually know what you're talking about, then I've made my point.

Posted by: Anonymous | August 13, 2006 7:31 PM | Report abuse

Well said Darth Geoff. Norton is about as useless as AOL, and could be considered malicious if you think about its effect on most systems. I can't stand when someone comes in the store and says their system is slow, but they don't want to get rid of Norton. Throw AVG, Spybot, and Ad-Aware on a system and you have all you need (if you're an average user). And they're all free. Why pay for software that will only make your PC into a fancy boat anchor. I guess the media plays a huge role amongst ignorance.

Posted by: Guardian | August 13, 2006 7:41 PM | Report abuse

These guys kill me. DOOM DOOM DOOM and then some GLOOM. Funny how whenever someone finds a new exploit or vulnerability all the Microsoft Nay sayers get all worked up and start feeling inspired. They feel their way is the right and only way of thinking. That anything else is wrong and invites DOOM and GLOOM. Let me lay it on the line. I'm not a fan of any particular browser. So here are some unbiased facts. If I were your tech, I'd present it this way and let you as my customer decide on your own. I feel it's a tech's job to provide you with enough facts to allow you to make an informed decision.

FACTS:

He is correct about the vulnerability existing.
Internet Explorer is targeted by hackers more often than all other internet browsers combined.
Almost all of the internet is written to support Microsoft Internet Explorer. The 'other' explorer widely supported is Netscape Navigator.

OPINIONS:

By the time I finish writing this email and you get done reading it, Microsoft will already be posting a patch for this vulnerability.
Internet Explorer is targeted more than other internet browsers because it is used by approx 90% of internet surfers on the planet.
Other browsers are not targeted as much because not many people use them. Why go through all the trouble of writing a hack if it only has a chance of affecting less than 10% of people surfing?
This does not mean the other browsers are any more secure than the internet explorer. It's just not worth exploiting their vulnerabilities. This used to be the old Apple mantra. "Look how secure we are! No viruses! No security vulnerabilities!" Until hackers started taking the mantra as a challenge and then all of a sudden there were Apple viruses and vulnerabilities.
Let's say you did install a non-Microsoft internet browser on your system. Would the manufacturer be as responsive to threats as Microsoft is? Does the manufacturer have thousands of software engineers to fix the vulnerability and to distribute the patch? Because so few of the populace are using the browser, how long would it take to even detect the vulnerability?
OPERA and FireFox give you an alternative look and feel for surfing the internet. However, they have to be installed as they are not part of your operating system. So they will take up space and resources in addition to your Microsoft Internet Explorer. This equates to a small drop in system performance.

My take is that Microsoft Internet Explorer has vulnerabilities. If it's not this one, it'll be something else. But their responsible actions to fix vulnerabilities are why I say don't install the other browsers. I'd go even further and say that you will want to use as many Microsoft products on your system as you can because this will always ensure compatibility. Whenever I get a computer in where the customer complains of it being slow or is crashing, my first step is to identify any software that can be removed. This is the fact that narrow sighted techs often miss. Microsoft products are always going to work together because software engineers have access to the proprietary code, which ensures compatibility. Third party manufacturers don't have that luxury and are often the reason many systems crash or slow down. I like all the business that companies like AOL bring me but my integrity compels me to inform my customers of the errors of their ways.

So you decide. Which is the lesser of two evils?

Posted by: Bill | August 13, 2006 7:44 PM | Report abuse

The comments to this entry are closed.

 
 