After Microsoft confirmed that a hole in its Internet Explorer browser was used in the December cyber attacks on Google and at least 33 other outfits, a trio of security-conscious nations - Germany, France, and Australia - went so far as to warn their citizens against the use of IE. And that led to a very good week for the likes …
MSoft Credibility Hacking
-- unfounded conspiracy theory alert --
So some *chinese* hackers attack google..
Google blame IE
Google releases details of win16 vulnerability...
Chrome adverts appearing all over my local town...
Has the Big G taken a leaf out of Bill's 'How to build an empire at all costs' book?
What I was about to say
Final nail in the coffin of IE
I'm setting people up with Firefox + AdBlock pretty much everywhere I can. They are really surprised you can avoid ads so effectively and are made happy when I tell them that they are getting a faster and safer browser.
When it doesn't freeze, maybe. I've half-switched to chrome, but don't want to give the big G everything.
Where you get this mad idea?
Faster? It take much longer to load.
Safer? Where you get that crazy from? Much less safe - just because they say "safe" you fall for it ha ha!
As MS's source code is...
closed source, we'll never be sure why FF might, and I stress might, be slower on Windows than IE. It's certainly a smaller footprint, so you would think that it would be faster.
Makes you wonder how MS slows it down.
Hang on a mo...
It's afterwards that you will experience other browsers doing things faster. It's the whole package, not just certain parts. And, frankly, I'm not _that_ bothered how fast it loads. I expect to load and go, not load...load...load...load... see?
FWIW, you may remember I complained about FF running out of memory and then crashing. I pared down to the essential plugins (Lazarus, NoScript, WebMail notifier, ABP, TACO, and DownloadHelper, FlagFox, extended statusbar, and FDM integration). I no longer have a cute little weather forecast on the status bar and I no longer have some other cruft, but I appear to also no longer have a prone-to-crash browser. That's a worthwhile trade-off, no?
Now the real argument:
Let's look at your "Much less safe" assertion.
Let's have a list of URLs of serious exploits affecting FireFox and Opera [qualification - in order to count it HAS to have been exploited, something a security researcher found does not count if the hole was plugged before any damage was done; I expect my browser to be safe, not perfect].
In return, I can state that it shouldn't be too hard to rip MSIE apart, from the horrible abortion that is ActiveX (probably why some companies are still flogging the long-dead IE6 horse), right up to... well... this debacle.
Oh, and don't quote me that piece of crap study that says how much better MSIE8 is at detecting malware than anything else. You might want to consider http://my.opera.com/haavard/blog/2009/03/26/malware-report-from-nss-labs-manipulates-statistics
[nutshell version: it's a MS sponsored study, it doesn't define the test algorithm, there's plenty of dodgy maths, and to top it all off they claimed to have tested a version of Opera before it was even released; oh and a new FF was not allowed but an IE8 beta was... the results are therefore to be counted as having the words "ADVERTISEMENT" across the top of the page]
I'm not trying to be a FF fanboi. I like FF for its customisation potential and the useful add-ins (some of which help "safety" in a different sense). There will be a serious exploit using Firefox. It is only a matter of time. And if Opera ever gets enough market share, there will be an exploit there too, especially given us FF users are best at keeping the browser up to date, while Opera users are tragically poor at doing so. [http://mashable.com/2009/05/06/browser-innocence/]
One final link that puts the results into context: http://www.itworld.com/endpoint-security/75006/whats-really-safest-web-browser?page=0%2C1
I don't really care if people use FF, Opera, Safari, Konqueror or even Lynx; heck, even IE is OK, just so long as there is a good mix. Why?
1) It reinforces standards and reduces the potential for lock-in, leading to greater competition, increased quality and better value for money.
2) It forces software makers to ensure their product is more manageable. For example, FF is often criticised for not being easy to centrally manage, perhaps increased demand for this will get Mozilla to address it.
3) It encourages OS vendors to provide tools for managing same. Linux shows one way this can be done (one integrated system keeping the OS and all apps up-to-date automatically - something Windows users can only dream of).
4) It massively increases security. In a homogeneous environment a single-point failure can rip the entire system open as the exploit will work across all systems. In a heterogeneous environment it is much harder to get a full system break as you can only ever attack a certain sub-set at a time.
5) Sustainability. With a heterogeneous system it is also much more likely that some kind of service can be maintained, albeit reduced, should an attack or failure bring down one system type. In a homogeneous environment a single virus could bring the entire thing crashing down.
Although there are some costs involved (e.g. trickier initial set-up, training, extra staff) these can be offset by savings in other areas (e.g. reduced license costs, increased up-time, reduced maintenance).
I am not having a dig at MS (yet), *any* homogeneous system be it Apple, *nix or whatever is ill-advised for the reasons above. It is only hard to have a heterogeneous environment due to the deliberate actions of the current monopoly player, it's time customers struck back (there you go).
You forgot one
6) Privacy. Using different browsers for different tasks reduces the risk of information leaks (history hacking, cookie checking, etc). Without the need to worry about erasing all personal info (which is not really possible when simultaneously performing different tasks).
@You forgot one
For this we read: you use Firefox for your pornographics but keep it not default so wife never see history when she click to browse?
You forgot one
Oops - then I forget to even comment on how you do "different tasks" "simultaneously". I think left hand knows what right hands does ha ha!
"you use Firefox for your pornographics but keep it not default so wife never see history when she click to browse?"
Nah, that's what different _accounts_ are for.
I meant I use FF (well, on most of my system it's called Iceweasel, but same/diff...) for general purpose, w3m or Lynx for anything potentially harmful, hv3 or Dillo for FreeNet, and Konqueror for TOR and banking (spot the errors... but you get the idea).
"Given the significant level of attention this issue has generated"
"Given the significant level of downloads of our competitors' browsers this issue has generated"
typically we hear nothing from the UK.gov
Who cares? This isn't something that needs the government commenting on it. The French, German and Australian government clearly have nothing better to do.
No centre ground then?
Just choose 'nanny state' or 'criminally unconcerned government' to go with any news story you care to comment on.
Of course it needs government attention, the government is supposed to look out for its citizens - that's why the UK government has been so silent on the issue.
As for Microsoft, I love how they have a Trustworthy Computing group. Now there's irony.
Probably quite good too...
The last thing we need is the population starting to think uk.gov has a single clue about IT.
Nope irony is making comments about irony without actually understanding the inherent contradictions of your statements.
And here come the browser beaters
For some reason I love stories like this, if only to get a sort of sad pleasure from reading posts from people who believe they are superior humans because they use a different brand of browser.
I am sure the germans have a word for this
<sound of empty stomach rumbling>
I smell a conspiracy
This is just a ruse to get everyone to switch from IE to Firefox so they are distracted and forget that Obama wants to give everybody free healthcare.
Or am I reading too much into this.
I always have a tin hat
As surely it's got its own continual security issues... It seems every week there is a Firefox patch. Opera rarely needs OOB security updates, and it's inherently secure, not continually patched to be secure like IE and Firefox and to a lesser extent Safari/Chrome/Webkit base browsers.
Obviously don't know how FOSS projects work
I should bloody well hope Firefox is patched - and more than once every week. Same with Google Chrome and other open browsers. That's kinda the point.
On the other hand, how often they release the changes is a different matter... I find the time between upgrades (on Windows) is closer to months than every week.
Re: Why Firefox
"Opera rarely needs OOB security updates, and it's inherently secure,"
Any justification for this statement? I use both Opera and Firefox on Linux, and Opera does not feel any more stable. In fact, it crashes a bit more on this particular setup, but the comparison is not entirely fair, since the Firefox is what the conservative CentOS 5 distribution supplies, and is thus an older patched version (3.0.14), whereas Opera is the very newest (10.10). So I would just say that they appear to be about on par wrt quality. The lack of security updates could be because Opera receives less critical scrutiny (It is both closed-source, and less common than FF).
I would love to see someone create a full-featured browser in some safer language than C or C++, like Java. While that would not solve all security problems, it could eliminate some common classes of them, like injection of malicious code via buffer overflows.
I bet it would be rubbish
Java Browser Exists
I haven't used it myself to see if it's "fully featured" but there is an open source Java browser called Lobo if you're interested: http://lobobrowser.org
@Java Browser Exists
As if we not have enough problems with Java in the Firefox!
Sun did release a java browser as a proof of concept. It generated no support in the open source world and went into a coma.
you do not realise the *stupidity* of the market... If people would use the 'most standards compliant', safest, browser, they would be using Opera...
But NO, they use the 'most shouted about' , 'geek supported, open source', 'most companies like netscape, mozilla is the same' (FF is as similar to netscape, as a ford anglia is to a Volvo.. check who owns what!!)
Opera is intrinsically more secure, as it does not accept the malformed code, that enables these exploits to happen!!
Only thought is, either opera has an 'attitude problem' with google and similar non-standard webcode, won't pay them enough for 'source code help' due to its 'principles', while FF gets NO problems with the frequent mods that google, yahoo, hotmail, etc make...
It makes me wonder that they are letting 'bad' code through for cash, and hoping users won't notice.....
Drop it, FFS
"Opera was quite clear on how it sees the matter: "Security issues continue to plague Internet Explorer users, and the latest recommendations from the German and French governments against using the browser are in line with what the security experts have been saying for years." "
Indeed, what to say on top of this ? It's been written all over the place, in El Reg and elsewhere: Drop the *darn thing* !
I wish you luck in browser creation!!!
If it was *that* easy, there would be *hundreds* about !!! It is NOT security that *most* people want, it is either something to do facebook, myspace, etc, etc, and also look very fancy, have plenty of gadgets and widgets on, do their flashy website without worrying how *awfully* it is written, etc, etc...
It is no wonder that there are only a few browsers actually used... many do not even realise that their 'super-yahoo browser' is actually a heavily disguised IE...
"confusion about what customers can do to protect themselves"
Seems to me everybody has a fairly clear idea of what they can do. Maybe they are referring to their own willful confusion.
Google use IE? They weren't using Chrome...?
microsoft losing ground in many areas..
Microsoft are *finally* getting the attention deserved for their lack of - hmm - open partnership.
For years, they've blithely forged a path as the "trend setters", creating competing standards (I know they aren't alone in this, but are the main protagonists), with a "we're too big to co-operate" attitude.
Take any web tech you can think of and Microsoft will have created an alternative - sometimes this succeeds, sometimes not. Think 'Silverlight vs Flash' or Microsoft trying to create an alternative to PDF, or way before that, creating Internet Explorer only markup and scripting. (which so many corporate intranets and extranets still rely on, hence the current security debacle)
Instead of embracing the current platform leader and striving for open standards, they use mighty marketing muscle and many 'bums on seats' to churn out their version of how things should be, attempting to control the internet and other technologies in the same way they've controlled the desktop for decades.
In recent years, they've started failing - or at least, failing to achieve the kinds of success they once had in most areas. Zune was a flop, Silverlight has failed to gain significant inroads, Vista was an unmitigated disaster - the list goes on.
There's nothing specifically wrong with trying to forge your own path, until you start ignoring better ideas, or buying them out, or squashing them - a typical Microsoft tactic.
With Ballmer at the helm, blundering around like an embodiment of the legendary '800lb gorilla', we're seeing the stitching start to unravel.
Witness this oaf of a man in a recent 'Click' interview, at CES in Las Vegas - denial and FUD just trip out of his mouth - you get the impression that he'll use violence to get his own way, to push his point home. "I'm right, always right, if you don't like it, I'll squash you"
But the reality is, the behemoth is struggling to shrug off its legacy - the crumbling facade of XP and Internet Explorer, sitting on a technology base that's way past its sell by date.
Is it any wonder the cracks are starting to widen? - no amount of plaster is going to stop the inevitable collapse, as leaner, meaner, smarter organisations leap ahead.
It's going to be a long, painful, protracted demise, unless Microsoft can shed some of its heft and ditch Ballmer.
...er, or something like that, ramble ramble... too much coffee... what was the article about again?
Paris, because as a classy dame of legendary intellect, she likes a bit of Opera and because I've had another cup of coffee..
It's worse than that...
"In recent years, they've started failing - or at least, failing to achieve the kinds of success they once had in most areas. Zune was a flop, Silverlight has failed to gain significant inroads, Vista was an unmitigated disaster - the list goes on."
They're losing so much ground that their grip on "mindshare" (sorry) is slipping. They were smart enough to see that this was happening over Vista, and swallow a bit of their hubris- getting something sleeker and nicer out in record time. However, cracks were starting to show..
What was happening is that Jo Public- ordinary people, not picky geeks like me and thee, were starting to realise that they had a choice, that "computer" and "windows" didn't mean the same thing. Linux-based machines, a lot of shiny Macs.. and people were amazed to find that they were, in many cases, more useful, less stressful and less egregiously paternalistic.
That was a wakeup call, Redmond had too many years of "all your base are belong to us", and thought they could get away with any old crap, and managed to fail to ram a version of Windows itself down throats, despite the most enormous advertising push yet. Fair dos to them for being clever enough to notice and adapt, though.
However, in a small way, genie's out of the bottle now. MS will, in a small way, have to bear this in mind and compete on something more than just strongarming and think - amazingly - about quality sometimes.
This is before we consider Google, of course, who are a new kind of threat- faster-moving and more tricksy than the stodgy outfits of yore. They twist and turn more like smoke than an oil tanker- unlike a lot of those vanquished by MS in the past, and they are every bit as ruthless. Make no mistake about that. Platforms are diversifying at the same time, too- so it's really hard to call.
I'm not sure that I even have an axe to grind- I'd like to see a heterogeneous technological ecosystem where no-one has the ability to write the entire script for themselves. This may well include Microsoft, if it can keep it together, and Uncle Fester doesn't drive it into the ground with his plodding, charmless, bullying ways. If he does drive it into the ground, there are plenty of candidates for the top spot now.
About bloody time too
Missing the point
"For some reason I love stories like this, if only to get a sort of sad pleasure from reading posts from people who believe they are superior humans because they use a different brand of browser."
Tell you what, mate, try developing web-sites for the wretched piece of crap, and then suppress your smirk when government is telling people to use something else. IE is a nightmare for us web developers - no superiority complex required.
If you develop a site on (say) Opera, you can be 99.99% sure it will work on Firefox, Konqueror etc. You can also be 99.99% sure that any rendering differences are going to be so minor that unless you have two different browsers open side-by-side, you won't notice them.
Then you try it in IE (any version) and this...this...vomit just lands on the page. IE8 might render something which might have the same content somewhere on the page, but you'll be lucky if it's usable. You can forget IE7 and IE6.
For this reason, when doing web work, I will state "XYZ will be coded for a modern, standards compliant browser (e.g. Firefox, Opera etc)." This, of course, gets push-back from the customer (internal or external) and gives me that chance to inform them that IE can be supported, but at additional cost. They then ask why, so I show them a few basic examples. Cue much spluttering, shock, head-shaking and a small shift in their world-view.
Hell, if the page is small enough the browser on your average mobile can load it. Try that with your ActiveX crap and proprietary tags/calls.
"Opera is intrinsically more secure, as it does not accept the malformed code, that enables these exploits to happen!!"
Oooh looks - security exploits and errors in Opera! Fancy that. Your comment is utter cr@p.
Face it, all browsers have errors and security exploits - that is beyond dispute. It's not a problem or concern that they exist (most haven't even been found or publicised yet), but it is a concern when the exploits are not fixed ASAP.
All browser vendors - excluding Microsoft - tend to fix security related issues much sooner than later. Just because Mozilla Foundation roll out security updates every few weeks isn't a reason for criticism, it's something to be applauded - how many security patches are Opera/Google/Apple sitting on that would benefit you today?
Does anyone know if beer is affected by this latest earth shattering ground breaking news?
1. Why do so many so called "intelligent people" fail to recognise that thinking in aristotelian absolutes is so limiting. If (and that's obviously a big IF in so many cases) you have an IQ use it, don't waste it!
2. Is it me or is sombunall of the Register's content written by and for Daily Mail readers? How about some more objective journalism or does 1. refer to you?
3. Sombunall of you will be upset by my comments. Sombunall of me gives a shit.
Kill all Extremists! F**k 'em if they can't take a joke! Fnord.
***2. Is it me or is sombunall of the Register's content written by and for Daily Mail readers? How about some more objective journalism or does 1. refer to you?****
Don't you dare to badmouth my beloved register young man!
Even if it doesn't look like, this is an intellectual temple!
What the fck are you talking about?!
What's this sombunall? Is it at all like a "husjghkwe"?
Way to prove a point.
Sombunall - A term meaning 'Some but not all', as defined by Robert Anton Wilson in his book Quantum Psychology
Sombunall people are capable of finding things out for themselves.
Sombunall people will take this comment with a pinch of salt.
IMHO possibly the single most important word missing from the English language, but hey.
Re: Neil 7
It's not the point if other browsers have security flaws
Heck I'm using Firefox 2.whatever on a Linux box to create this knowing full well it has security holes, flaws, and cracks
But if it gets pwned by a Russian crime gang all I have to do is delete the user directory (/home/BorisTR/) and create a new one
(the chances of me running a browser as 'root' are naff all)
In the case of Windows XP and IE, it's wipe the entire OS because of the stupid design of the OS and browser
Learn to use the OS or upgrade
If you were serious about security you:
* Would be using a limited user account for day to day operations.
* Would have upgraded to Windows 7 to take advantage of UAC to remove most of the hassle of being a limited user.
That would get you pretty close to the security of Linux give or take holes in the OS.
FWIW as others have pointed out: Windows NT was designed with security right the way through. Everything is an object and everything has access rights. Unfortunately the result was a bit too strict and unfriendly so the UI that MS bolted on worked around and glossed over most of it.
Underneath the Windows UI and legacy API support there is a very strict, very competent OS trying to get out :)
excuse me just a minute ladies and gentlemen
I just wish to point out that users don't care about standards compliant, open source, etc. It's more "can I watch my porn/hulu, check my email in a non-annoying way, and does it f*ck up all the time." Now I more or less care to an extent, been using FF since 1.5 and have dabbled with Opera a bit. Also I have taken care to block ads and whatnot at the hosts file.
So the point is if you want to move someone away from something you do it with cheerful gentle prodding in the direction you want not with ZOMG!!!!! internet ending scenarios. That just drives people to be recalcitrant.
ok I'm off, need more coffee, tea, and nicotine
unbundle IE and see how fast it drops off
All consumers that buy any Microsoft product have to also purchase IE.
IE is not free. Unless you are one of the few fools that think that BurgerKing's advertisements mean that the chips are free but you pay for the coke and burger. Or, that the burger is free but you pay for the chips and coke. Or, that they are all free if you just pay $2 for nothing.
Microsoft just lies about the true cost of IE so that fools do not think about what they are forced to buy. And by fools I also mean the EU Commission and the US DOJ which also insist that all consumers be forced to purchase IE. Not a choice. But, forced to purchase IE. There is a huge difference.
Does anyone know if there is a browser out there that can show a tracelog of what it is accessing, and that you can single step?
I would love to have a browser where you can click a button and it would go in single step mode. It should show what file it is now going to load and what domain it is coming from.
Along the lines of:
opening index.html :
In trace mode it would show you each individual sub file that is being accessed when opening a web page. The tracing mode would have an option where you can answer yes or no. That way, if you see some funky file being grabbed: stop it. Just block that one file. (simple box yes, no, add to block list for this domain)
And then of course it should have a filter built in, so that you can say: do not download this file, or do not download this extension.
And last thing: being able to distribute such block-lists and attach them to a specific web domain.
That way if there is a funky site out there: put browser in trace mode, block the nasty, distribute block list. A centralised block-list repository could do wonders.
If the browser then would have an auto-update feature (that can be turned on and turned off) so that, before opening a webpage, it pings the block-list server for the block list going with the site it tries to open ....
Call it community based filtering.
It shouldn't be too hard to put that in a browser. After all the browser already does all of it. All there has to be, is one additional check to pop up a box showing filename, path, origin and a yes, no, add to block list selection.
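
The trace mode and per-site block lists proposed in the comment above, as an added example that is not part of the original thread or of any browser's code. The function names, the list format and the URLs are all assumptions made for illustration; the `ask` callback stands in for the yes / no / add-to-block-list box.

```javascript
// Block lists are keyed by the domain of the page being opened.
function emptyList() {
  return { files: new Set(), extensions: new Set() };
}

// ".exe" for "/dl/setup.exe"; "" when the last path segment has no extension.
function extensionOf(url) {
  const name = url.pathname.split('/').pop();
  const dot = name.lastIndexOf('.');
  return dot > 0 ? name.slice(dot).toLowerCase() : '';
}

// Merge a list fetched from a shared repository into the local one.
function mergeList(local, shared) {
  for (const f of shared.files || []) local.files.add(f);
  for (const e of shared.extensions || []) local.extensions.add(e.toLowerCase());
  return local;
}

// Step through every sub-resource of a page. `ask` is only called for
// requests that no existing rule already blocks, and returns
// 'yes', 'no' or 'block' (block = refuse and remember for this domain).
function traceLoad(pageUrl, resourceUrls, blockLists, ask) {
  const page = new URL(pageUrl);
  if (!blockLists.has(page.hostname)) blockLists.set(page.hostname, emptyList());
  const list = blockLists.get(page.hostname);
  const trace = [];
  for (const raw of resourceUrls) {
    const res = new URL(raw, page);            // resolves relative references
    const key = res.origin + res.pathname;     // query string ignored on purpose
    const entry = {
      file: res.pathname.split('/').pop(),
      path: res.pathname,
      origin: res.origin,
    };
    if (list.files.has(key)) {
      entry.decision = 'blocked (file rule)';
    } else if (list.extensions.has(extensionOf(res))) {
      entry.decision = 'blocked (extension rule)';
    } else {
      const answer = ask(entry);
      if (answer === 'block') {
        list.files.add(key);
        entry.decision = 'blocked (added to list)';
      } else {
        entry.decision = answer === 'yes' ? 'loaded' : 'skipped';
      }
    }
    trace.push(entry);
  }
  return trace;
}

// Serialise one domain's list so it can be published to a shared repository.
function exportList(blockLists, domain) {
  const l = blockLists.get(domain) || emptyList();
  return { domain, files: [...l.files].sort(), extensions: [...l.extensions].sort() };
}

// Constructed sample run: a page pulling a stylesheet, a third-party
// script and an executable download.
function demo() {
  const lists = new Map([['news.example', mergeList(emptyList(), { extensions: ['.exe'] })]]);
  const resources = ['style.css', 'http://ads.example/track.js?id=1', '/dl/setup.exe'];
  const answer = (e) => (e.origin === 'http://ads.example' ? 'block' : 'yes');
  const trace = traceLoad('http://news.example/index.html', resources, lists, answer);
  return { trace, shared: exportList(lists, 'news.example') };
}

for (const e of demo().trace) console.log(`${e.origin}${e.path} -> ${e.decision}`);
```
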