Microsoft is doing its best to deflect from the software vendor’s ugly, fat security hole in Internet Explorer 6, by telling customers to not only upgrade their browser for the latest version of IE, but also to ditch Windows XP while they’re at it. The much-loved operating system that refuses to die is vulnerable to attack, said …
@Which is a bit like saying "foot, meet gun."
Well it's better than "heart, meet gun".
@Which is a bit like.....
Actually, I think it is more like, "nuts, meet gun"!!
"there are a number of ways to limit the attack to an IE crash"
Chrome, Firefox, Opera..
If you move to Chrome, Firefox or Opera what do you do when they get their next exploit?? FF will take a good year to fix it, and you can't centrally patch it.
Ultimately you will end up with two security holes not just one, and have to manually fix one of them. Bugger that.
...Ubuntu, Fedora, Mandriva, Knoppix...
My OS and all my applications including the browser are already centrally patched
Linux, welcoming you to the easy way of updating your PC
I feel a little sorry for MS
(but only a very little bit)
Every company I've ever worked for (and there have been many) always says the same thing when a client phones with a problem. "What version are you using?" usually if the answer is not the latest then the answer will be "Well upgrade to the latest version and call back if you have the same problem still.".
Microsoft are getting complaints about a version of software that is two behind the latest running on a version of their OS that is also two behind the latest but nobody is cutting them any slack. Now if I claimed I had problems with an ancient version of Firefox running on Fedora would you tell me to upgrade or advise me to move to another browser and another OS?
That said, Microsoft, if you have ambitions of maintaining your market lead in the browser field then for heavens sake start fixing these bugs as quickly as you can even if that means patching ancient versions.
They can enable DEP via the web browser?!
I couldn't help noticing the article linked has a big fat 'Enable DEP' button that claims to turn DEP on, via the web browser. Surely, its only a matter of time before some miscreant works out a way to *disable* it via the web browser...
the underlying computer architecture, sometimes I wonder if it isn't just a big "Do Nothing" button, a kind of digital placebo so you can feel like you did something.
I'm no fanboi, but...
I really don't think that's quite what that diagram's saying. Certainly not to me. It seems to be a straightforward browser-on-os chart, and is quite correct in saying that IE6 on XP is vulnerable whilst IE8 on XP isn't. If you really, really, really must stick with IE7, then it's potentially duff on XP but OK on Fista.
Umm, how would you have preferred to see 'em lay that out?
Not the same drivel again
Microsoft urges user to upgrade to more secure OS (not!)
Windows 95 ...... Windows 98 SE
Windows 98 SE ......Windows NT
Windows NT ...... Windows 2000
Windows 2000 ...... Windows XP
Windows XP ...... Windows Vista (rejected)
Windows XP ....... Windows 7 (Vista Service Pack 2)
After over 25 years of virus ridden, bloated, and buggy software you would think people would learn not use it. The only safe computer running Microsoft software is one that is never switched on!
Hate to be a peddant...
..., well, I don't *really*. M$ never advised 98SE to NT - at that time, NT was for business users, 9x was home users. It should be 98SE to ME (yuk!) to XP for home users and NT>2000>XP/2003.
And I should say that although Linux can be more stable (with some notable exceptions), when they go wrong (and contrary to the fanboyz, they DO), Windows is easier to fix.
But, I won't argue with someone who is obviously somewhat blinkered into a Tux-lovin' frenzy of M$ bashing - it's far more interesting to watch paint dry, or watch repeats of Dad's Army...
"Worse still, it’s doing this even though the firm cannot offer a watertight guarantee that those later editions of Internet Explorer won’t also be exposed to the same security flaw. In fact, they are at risk from the same attack."
So potentially the last 3 desktop OSes by Microsoft are borked? They released XP with this vulnerability, then Vista with the same hole and finally Windows7.
I use linux, solaris, windows and OSX and I am mightily peed off that all OS and software vendors keep jamming in functions and add-ons and upgrades yet can not create stable, secure and reliable products.
If car manufacturers did this there would be an uproar, imagine parking your car in a car park only to return later and find that your stereo was missing due to a design fault that meant a thief could gain entry easily with minimal effort (and I'm not talking about windows). Or your front door could be opened by a burglar wriggling the handle a funny way?
But software vendors get away with it and we let them time after time after time.
I for one am sick of it.
"I use linux, solaris, windows and OSX"
Have you tried Solaris with the trusted extensions? Certain govt. depts. use/mandate it. Not that that's a recommendation, mind you, they can lose data faster than you can say "Don't plug that USB stick in". At least Sun have tried to make a more secure version of their OS.
"Or your front door could be opened by a burglar wriggling the handle a funny way?"
Your front door CAN be opened by a burglar wriggling the handle a funny way.
Ever heard of a bump key?
You can buy them or make them yourself, then gain access to someone's home in seconds.
The average front door really isn't that secure.
I don't mind
Any dirty tricks Microsoft wants to get more installations of IE6 off the streets are fine by me. As a web developer, I don't care if they want to blow up a busload of kittens as long as they convince people and companies to just get rid of it.
Would somebody please think of the kittens
While I share your same enthusiasm in seeing the back of IE 6, I can not and will not condone the killing of kittens ok?
Not even if...
the kittens wrote IE6 in the first place?
You have to admit, it'd explain a lot of things...
Blow up a busload of kittens
You sir, have cheered me up at the end of a crap day. Mainly because I got an image of Keanu Reeves saying "whoa" a lot in a dead-pan voice while trying to stop said bus from dropping below 50.
Complete with Antonio Banderas/Puss In Boots on board.
Isn't this all because DEP is opt-in by default?
Ugh. The only difference between 6 and 7/8 is that 6 doesn't opt-in to DEP without you changing that
Just reminds me why I hate PR drones.
Pirates because they at least have a higher code of ethics.
Trust us, we know what we did wrong last time
OK, the last 13 things we sold you were crap. All your problems will be solved by giving us some more money.
Standard business practice
Think new improved washing powders. The advertising has told us for the last fifty odd years that the old version of the powder only got your whites white, but the new version gets them whiter than white. And they managed to show this even on old B&W TVs. Of course the sensible response to those adverts is to say "if this is true than you lied to us last time" but nobody ever does.
It doesn't matter if it's computer software, a TV, a car or any other consumer product, this has always been the way. Car companies will happily tell you that the latest model is more reliable, faster, more economical, better handling and cheaper to run than the old model. But they told us that the old model was 100% reliable and, well, you get the picture.
But that doesn't mean I'm likely to buy the new washing powder or the new car or the new version of windows.
In other news
Anti-MS brigade gets usual FUD article published on El reg.
IE6 on XP is vulnerable, MS have been trying to get people to upgrade for years now.
The exploit "could" be updated to work on IE7 and IE8 but there is no evidence that it has.
Can you really blame them for trying to get people to upgrade ?
Isn't Windows 7 less secure (with default settings) than Windows Vista SP2? What is the most secure version of Windows(with default settings)?
I know Microsoft keep talking up Windows 7, but I thought UAC was less secure...
Will have to upgrade to Windows 8 when the next attack occurs
I feel they will ask us to upgrade to Windows 8 when the next attack occurs.
Lets avoid this by using the safe and secure UBUNTU!
Force users to upgrade
The pros/cons of IE alternatives aside, am I the only one who thinks Microsoft should be doing more to force people to upgrade? Maybe "force" is a bit strong, but at least encourage or reduce support. I appreciate the "If it's not broke, don't fix it" mantra but you can hardly call the current patching circus as not being broke. Using this as an example, the fact that there is a large number of corporates still using IE6 (the number's larger than you might think) says more about lazy IT departments, developers and the organisations still using this stuff than Microsoft.
I appreciate that Microsoft feel obligated to keep old software going as they're scared stiff of losing customers, but they're as likely to lose customers anyway with this type of thing. Don't recommend an upgrade - make it a requirement. And there's something inside me that believes if Microsoft wasn't forced to make everything they do so backwards compatible - having to include old code in new software - there wouldn't be as many of these issues turning up.
"[..] (MS) to force people to upgrade"
MS would love to do that! But that's not the problem why people use IE6. It's legacy applications, built on top of IE6 by other companies. Those applications were expensive! And rewriting them, so they will use normal open standards, is more expensive than losing all their company data (IP and all) to crackers. That's why companies don't switch to IE6.
Of course the irony is that the tactic of IE6 was exactly this. A vendor lock-in. To make sure people would always use IE. Boy did that back fire into a PR nightmare now.
From this day on, everybody knows the risks of not using open standards and having a vendor lock-in on the most valuable part of your business. MS will never be able to sell this again. I mean we now have .NET and SharePoint.... oh oops!
Vendor lock in?
I don't believe any web applications are too big/complicated to rewrite.
These are large corporations who have all the money and resources in the world.
It's the people working there who can't be bothered to rewrite it since it's not broken.
Hence the term vendor lock in.
If these companies are willing to risk losing all data by sticking with ancient software then maybe they deserve it.
Losing data means no work right so it must be good for everyone.
Don't see what the fuss is about
Why are people still running IE6 anyway?
I can't see what the problem is with MS telling users to update to the latest version of IE. IE6 is 2 versions behind the latest major release after all.
I think folk are giving 90% of the Internet population too much credit when they suggest switching to firefox or chrome. Most users are too daft to understand how to use the address bar to type a URL never mind comprehend another web browser.
People are running IE6 because their bosses make them use it. The installation of alternatives (including the MS ones, never mind FF, Chrome or Opera) are strictly verboten and non-compliance can result in being fast-tracked to the job centre.
Stupid, I know, but when have corporate stuffed shirts ever made much sense?
Unhappily I can only concur. Most Windows computers I see at customers sites (I'm fruity) have multiple toolbars on the browsers, and if they can't find the address by typing something like it into Google, then it just don't exist as far as they are concerned.
hold on ....
......and I quote.... "Microsoft is doing its best to deflect from the software vendor’s ugly, fat security hole in Internet Explorer 6, by telling customers to not only upgrade their browser for the latest version of IE, but also to ditch Windows XP while they’re at it."
Am I reading this correctly? They're saying upgrade to Win 7, which was named as also subject to the same problem by the German security researchers that uncovered this little nest of vipers in the story run last week. Anyone care to guesstimate how much that would cost those users so affected? Be honest and include the hardware costs in your working folks, because the chances of getting W7 up and running on anything that shipped with IE6 in the preinstall are slim. Opportunistic disingenuous garbage attempting to misdirect attention from the same MS marketing dweebs who stated cheerfully that Vista was "best ever", and who have known about the potential for an exploit with this vuln for quite some time. The researchers only went public with proof of concept code last week.
Further, the unusual hacks of gmail accounts belonging to potential dissidents last were run using this same vulnerability ???? Oh marvellous. Bearing in mind the nature of the activity I think it's fair to say that this means those that get "owned" are getting owned by the Chinese security services or contractors for them at the very least.
Google possibly running this admittedly outdated browser purely in order to give on the cheap, legally mandated wiretap functionality in order to guarantee our security, leading to substantive failures in security for folks not involved in being dissident or crims ? Fscking ironic or what ?
Amazing..... I couldn't decide between WTF or FAIL icons, but on the basis of the amount of fail this news contains, there really could be only one.
That graph . .
. . just shows that the bad guys lag a bit behind in finding the cracks.
If XP + IE6 is so bad...
Odd they didn't mention you can just go download IE8 for free and stick it on your XP machine.
A sentence or two later, they "also" recommended the OS be upgraded.
Reading... we've heard of it
“We recommend users of IE 6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows.”
Come on now, you can do it. Sound the words out. Just the first sentence is fine.
A Windows upgrade is the secondary advice.
Move over to Firefox/windows(short term) then Firefox/Linux(long term).
It's the only way to be sure...
Oh and thanks to Microsoft for this classic security FAIL.
Then Firefox/BSD longer term!
Firefox/FreeBSD, or openBSD if you're paranoid.
Get over it.
Nobody actually cares what browser or OS they use as long as it does what they want it to do, this is normally Facebook, email and the odd typed and spellchecked letter to the agony column of the Sun. If you produce a device which does that then the only other factor that people will care about is price.
Now I'm sorry, Mactards, your kit is too expensive. It's the BMW of computers. Although it may be very lovely, most people buy it because it's more expensive than a Ford and they want to show off. Everyone else knows that a Ford does the same thing for a lot less.
Linux users, you're the Daewoo drivers. Yes it's a BMW for less than the price of a Ford but it's a bugger to get it serviced so unless you are capable of doing it yourself or have a spotty teenage son/grandson who hasn't discovered girls to do it for you, you're not going to bother.
In a company environment they're going to buy Fords because they're cheaper than BMWs (they'll keep the BMWs for the people who don't do much mileage) and easier to maintain than a Daewoo. You also know the resale value because Fords are predictable whereas who knows where Daewoo will be this time next year.
Daewoo are now badged as Chevrolet and are sold and serviced by GM (i.e. Vauxhall) dealers in the UK.
Unix is in fact for lazy people
ANY OS requires the user to maintain it.
The key is to build a system that seeks to subject the user to as little "maintenance" as possible rather than depending on the more common idea of "just shove it out as quick as you can and patch it later". A novice consumer will be no more able to deal with Windows than any other system. This is just a widely perpetuated myth.
However, Windows and its vendor applications are much more insecure by design.
Ditch IE entirely if you can. Ditch any MS apps that you can.
Microsoft users are Trabant drivers, it's a product of a Monopoly, poorly made and restarts after you hit with a hammer (aka a Ctl-Alt-Del, reboot). The poor owners had to third parties to keep it working. Unfortunately, unlike the fall of the Berlin Wall, Microsoft is taking longer to collapse!
Re: The Vociferous Time Waster - Daewoo
Sorry, I can't see the analogy between Linux and a Daewoo. Daewoos are cheap cars for people who just want to get from A to B and don't give a sh1t about cars. That is not the sort of person who tends to use Linux. Linux is used predominantly by people who care passionately about computers and would actually like them to work. They are also generally people who tend to tinker, but I doubt that the self maintainers are a high percentage of Daewoo owners; it is actually more likely that they never even open their bonnet. Let's face it, they ain't going to be showing it off to their mates and remember they don't care about cars.
Daewoo drivers are much more likely to be windows users, they probably don't even know there is an alternative.
"Fords are predictable whereas who knows where Daewoo will be this time next year."
Assuming you meant to say "Ford is" and not "Fords are" else there is no sense in the sentence.
But looking at the state of the US car industry, I still hope you are right, and perhaps Ford Europe will keep Ford alive.
@The Vociferous Time Waster "A Daewoo's a BMW for the price of a Ford"
Hmm. Never seen a Daewoo churning out 500hp while still seating 5 persons comfortably.
Seriously: get a life.
Taking your inaccurate statement "your kit is too expensive", change it to "your much more secure, virus-free kit is too expensive for me". There, fixed it for you!
Can't afford Macintosh? You might be able to if you didn't have to buy Anti-Virus and other security software.
Mind you, Macs are generally bought by people who don't buy the cheapest rubbish just cos it's cheap. More successful and better paid people generally, would you not agree? Good at decision making and choosing the right alternative, right? Obviously better at making decisions than you it would seem.
That's why they bought a Mac, so they don't end up getting raped by Microsoft and/or its mistakes every couple of years.
Are you jealous?
The only thing good about this is that a lot more Sysadmins and Consultants will have a little more money and job security over the next few months....unless they were the short-sighted idiots who suggested going with Microsoft in the first place, that is!
The Edsel Eureka Moment
"However, there are a number of ways to limit the attack to an IE crash and prevent attacker code execution,” said Microsoft."
Err, is that the mighty Microsoft solution to the vulnerability which allows attack code execution .... crash Internet Explorer ..... and is therefore a tacit admission that there is no found and/or sound solution and the vulnerability is a Systemic Catastrophic Flaw in the Microsoft business model and Windows Operating System?
Head, meet howitzer?
Surrreee...it's ALL Microsoft's fault...surrreeee....
Google running IE6!? Wow. HAHA! They're not even using their grrigin browser??!!! There's faith & competency for you! I also read a story a while back that they had "OPEN" (unsecured) WiFi in one or more of their locations.
This is just another case of stupid people & management, doing stupid things, with no accountability anywhere in sight! The ills of the Internet, software, and info-technology as a whole...when designed, created, implemented and USED by humans (especially older or unpatched code) offers a moronic cavalcade of info-tech transgressions.
For you FF fanboys: www.dailytech.com/Security+Study+Lists+Firefox+Most+Vulnerable+Browser+IE8+Among+the+Safest/article16796.htm