MS issues brown alert over unpatched IE 7 flaw
Hackers have upped the ante by launching more attacks against an unpatched IE 7 flaw. Microsoft warned on Saturday that attacks targeting the vulnerability, which affects versions of its flagship browser on all supported versions of Windows, are becoming more widespread. The security bug first came to prominence a week ago, just …
How about "ditch IE, pick another browser, ANY other browser"
... to defend against the flaw, pending a security patch from Microsoft, include disabling active scripting"
The only really efficient workaround is to switch to another browser. The other recommended measures are only half-arsed mitigations (as MS admit on their page about the vuln).
Its great to tell us that MS have yet again not fixed a problem, but how about telling us what the problem is.. how it affects a user, or even link to an article which does tell us.
the colour of the IE development team's pants at the moment.
... aren't you so happy that you integrated your browser to tightly to the OS?
I guess in the run to push up your numbers by bundling, you didn't figure how much money and time it would cost?
Perhaps if your browser had any sort of concept of separation from the OS, you wouldn't be having to worry about every 1 in 500 of your customers (assuming they're all paying - which might be assuming a lot) to Bad Things.
I'm not a Firefox/Safari/Mac/Linux fanboi - but come on, hasn't this gone on long enough? Surely someone who works there can figure out how to untangle the browser from the OS and then isolate the OS?
Back in 1999, when Microsoft did the integration trick, I saw this coming...
I remember the response from friends: But, but, but think of all the features if your OS can be controlled from the Internet!
Security is never considered, it's a shame.
You Brits come up with the funniest titles. If tried to emulate your style in Canada I would be defenestrated from the highest igloo in the land.
Keep up the good work.
What else I need to say... a fix is available for download. Just Google for the word "Ubuntu". Happily surfing for the last three years with it, happy to report that no security incidents since.
Oh, yes, neither Ive had any security issues with Windows at work. Mmmmm... must have something to do with the level of computer literacy, I hear you Windows fanboys saying.
Before dismissing my argument, consider that my Linux box is used by my kids (less than ten years old) While I've not botched beyond repair a WIndows box in my life, my children have been able to do it with every single Windows release since Windows 95 without even trying.
Not with Linux, however. The reasons to explain that are left as an exercise to the reader.
BBC (World Service at least) is recommending that users switch to another browser until it's fixed - dunno where the advice is coming from, however - this article just says "internet experts" (Elders of the Internet, perhaps?):
http://news.bbc.co.uk/1/hi/technology/7784908.stm
.. even firefox gets security patchs you know, just less people bitch about firefox exploits cause it's less fun.
Also linux DOES have exploits , but they are generally less damaging due to user accounts (more on that in a moment), and less widespread when stuff does happen.
Oh and "Not with Linux, however. The reasons to explain that are left as an exercise to the reader" <--- you let your kids use a windwos box with admin privlidges, do your kids play about with root on your linux machine as well.
I'm no fan of MS or Windows (I run xubuntu at home) however all this advice that people should change OS is frankly niaive. If there is such a thing as an anti-fanboy then that's what you saddos are.
People use MS for all sorts of reasons:
It's what came with the PC.
It's what they use at work.
It's the one that most of the commercially available games work on.
etc.
etc.
etc.
Normal people are not going to wipe their PC and install a new OS and you are living in cloud cuckoo land if you really expect it to happen. I will happilly fit a car with better components, Honda V-TEC in a Mini? (a real one) No problem, it's a better engine than an A series. However I wouldn't expect most people to do the same, they don't have the knowledge or the skills.
As for the corporate use of Windows. As long as your IPS is up to date this particular exploit, and indeed most exploits, will have no effect on you. You do have a decebt IPS don't you?
News like this make me even gladder I set up my almost totally computer-ignorand aunt-in-law with a laptop running Linux. She mainly uses it for mail and ebanking, which both took some teaching - exactly as much as if the system had run Windows, since she had no prior experience, so no problems with the system not looking exactly like Windows... I'm pretty sure that if it had run Windows, the laptop would now be crawling with worms and trojans.
"do your kids play about with root on your linux machine as well", anon
Well no, but Windows isn't usable unless you are logged in as admin. In this age of phishing and malware epidemic I would suggest using a bootable CD for any kind of online financial transaction ..
http://distrowatch.com/
"Normal people are not going to wipe their PC and install a new OS .. I wouldn't expect most people to do the same, they don't have the knowledge or the skills"
Installing Linux isn't really that much of a hastle and you don't need to wipe anything, the new installation will most happily make room for itself and dual boot with Windows. Before installing you can run it from the bootable CD just to make sure it works. There's a version given away with the computer mags. You can pick one up at most newsagents/bookshops.
http://distrowatch.com/
Can I have some of what you're smoking? Or are you really that much of a fucktard?
I would suggest to Microsoft to release IE as one program like it already is but in three flavours that idiots can understand an deal with:
RED (no java/no script/no activeX, etc): Use for smut, music, torrents, general browsing and things that are high risk.
ORANGE: Use for sites that you need to use but cant use on red.
GREEN (standard IE): Use for banking and shooping and big name sites, bbc, etc
You can tell the public to download Firefox as much as you like but 50% of them will get a virus trying to do that.
A stupid idea?? I'll get my coat :)
You know this vulnerability is a buffer overflow, right? It has nothing to do with ActiveX or any sort of OS integration. It's simple code injection and execution, which can happen (and has happened) with any browser, even Firefox.
re: Steven Snape
That's what security zones are for. All Microsoft needs is a simpler UI around them, one that doesn't require going into the settings dialog to add a domain to a white/blacklist. Not that they would have prevented this bug (AFAIK it's in the parser, and exploitable without ActiveX or JavaScript), but they would be generally useful.
Shocking sensationlaist reporting from the BBC. Just don’t go anywhere near porn and warez and you will be OK.
What Jon said. We have some 2000 users where I am all running as standard users. Sure, there's the odd stupid app out there but a few registry tweaks and the odd script to set the right security and 99% of them are fine.
Need to do some admin? That's what runas is for, just like sudo/su. Or of course Vista uses the more Ubuntu like UAC.
"Stop whining and wait for the path...
.. even firefox gets security patchs you know, just less people bitch about firefox exploits cause it's less fun."
Oh right, so that's the answer then, "I know I've got a security flaw in my browser, I know it's a very serious one and I know that literally hundreds of people's machines have been comprised by it and I know there are thousands of websites that have been infected with code to exploit the vulnerability, but I'm not going to do anything about it".
Yeah man, like that's the right attitude. The right attitude is to take action to prevent your machine from being compromised. If that means using another web browser then one should take such action. Sitting back and doing nothing when being in full posession of the facts is not an option, unless you are stupid.
Sign up, sign up for The Register's weekly IT security newsletter - click here
