France has echoed calls by the German government for web users to find an alternative to Microsoft’s Internet Explorer to protect security. Certa, a government agency that oversees cyber threats, warned against using all versions of the web browser.
Switzerland also gave out a warning, full text only available in German, French and Italian.
http://www.melani.admin.ch/dienstleistungen/archiv/01095/index.html…
Video of Microsoft’s head of security and privacy weaselling out of the issue. http://news.bbc.co.uk/1/hi/technology/8466366.stm Pathetic, absolutely pathetic. This is just a PR blip to Microsoft, that’s all. They couldn’t give a damn about actual security.
People running a 10 year old operating system with a 10 year old browser and then having this huge dilemma when they get burned by an exploit.
What other company is expected to maintain updates to programs and operating systems released a decade ago? Mozilla sure as hell hasn’t done anything of the sort.
IE8 and IE7 both collectively have more market share than IE6, and are also coincidentally significantly harder to exploit.
This should embarrass Google if anyone, and people need to get with the program.
A company that reaps what it sows? A company that encouraged developers to target IE6 rather than standards – and then found themselves in the position where large numbers of people couldn’t upgrade because their applications didn’t work with anything but IE6?
Every browser has its own quirks, Mozilla’s are just as funky as any of IE’s.
IE8 also has a quirks mode for IE5/6 level compatibility.
Microsoft’s only crime with IE6 was neglecting its development for so long after it was released. At the time it was released, IE6 had superb support for standards.
People partake in this revisionist history to use to prop up their idealist view of how the web should be, it does not make it true though.
MS encouraged developers to code to proprietary IE extensions rather than to the subset of standards supported by browsers of the day… They also encouraged users to totally ignore other browsers and code only for IE.
Many of these non standard applications are now incompatible with any current browser, IE8 quirks mode doesn’t always work with them and sometimes it’s necessary to disable many of the new security features.
They also intentionally neglected to update their browser for many years and severely handicapped progress on the web. Had it not been for firefox, it’s likely they never would have updated anything either.
If you wrote a standards compliant application and tested it with multiple browsers, then it would run on any browser today and people wouldn’t be locked to IE6.
Which browsers would those be? The ones that collectively had ~5% share at the time? Maybe we should go back even farther and blame Netscape for getting complacent which allowed for the IE takeover.
Firefox 1.0 didn’t come until late 2004. IE had already taken over which is why so many companies used it as an interface for quick and dirty internal apps.
Whilst technically correct, that’s also somewhat misleading.
Firefox existed for a couple of years before then as Phoenix then Firebird.
Same browser, same engine (albeit an earlier version of Gecko) – just a different name.
Edited 2010-01-19 01:01 UTC
Hmm yeah, I remember using something like 0.7 in 2003, think it was called Firebird then.
Well, it’s easy to say that now, when you have technologies like AJAX and Flash to play with. But what other options besides ActiveX were there in the mid-to-late 90’s when a lot of this stuff was built? If you needed something like a treeview control with right-click functionality, there just weren’t a whole lot of other options back then. Even Mosaic didn’t exist yet, and Netscape was playing the same game as MS. (Anybody remember the LAYER tag?)
Now it’s pretty much a given that those who coded to IE6 are going to have to update their sites sooner or later, but that’s just the way it goes.
Edited 2010-01-18 21:49 UTC
MS really isn’t to blame here, it’s more cheap companies that don’t want to touch working systems until they die. Companies that have local activex apps can still use an alternative browser when they get on the internet.
I’ve heard excuses for Google about them having to keep IE6 around for testing. That may be true but that doesn’t mean they have to open their mail with it. Geez.
Edited 2010-01-18 20:13 UTC
The particular exploit which this is all about affects almost all versions of IE and Windows.
http://www.itworld.com/security/93045/dump-internet-explorer-now
Edited 2010-01-19 00:33 UTC
Here’s a better link:
http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i…
As you can see it’s only exploitable in IE6.
You linked to an article by SJVN who is a well known ABMr that could care less about providing an honest assessment of the situation.
The exploit code example that was released only affects XP and IE6. The security hole that was exploited exists in IE6, IE7 and IE8, on most versions of Windows.
SJVN might well be an ABMr just as you are an anti-freedomer, but nevertheless when he indicated which versions of IE and Windows were vulnerable, SJVN was only quoting Microsoft themselves.
Edited 2010-01-19 04:01 UTC
He left out this little tidbit from the report:
Just because a vulnerability exists doesn’t mean that it can be used to take over a system. His article is deceptive in that it makes it sound like all IE users are under threat of attack. It’s alarmist with the intent of switching users to non-Microsoft systems.
As for me being an “anti-freedomer” I don’t buy into Stallman’s newspeak definition of freedom so that means nothing to me. I measure software based on utility which puts me at odds with FOSS advocates since I don’t value software in Stallman’s moral terms.
Oh and this was posted from Chrome.
Just to clarify … I don’t read the same thing when I see “vulnerability” as when I see “exploit”. I read a “vulnerability” as a potential way to compromise a system, and an “exploit” as realised code that can actually do it. Your apparent reading of those terms is close enough to mine.
So then, for this latest episode, all the versions of IE and Windows mentioned by SJVN are vulnerable, just as he claimed them to be … Microsoft themselves agree. In the actual attack against this vulnerability, the exploit code that was used was only effective against IE6 on Windows XP.
Can we agree on that?
OK … the vulnerability is still there, on all those versions of Windows. It hasn’t been patched yet. If attackers can use better exploit code, they may well still be able to compromise even the very latest up-to-date version of Windows 7 and IE8.
It means something to me, and to millions upon millions of people. As I said, you are an “anti-freedomer” just as much as you accuse SJVN of being an “ABMr”. If you can use disparaging terms, so too can others against you. If you want respect, you must give it. OTOH, if you withdraw your disparagement and dreadful attitude towards others, those other people just may hold a bit more respect for you in return.
Whatever your views, it doesn’t mean you should attack others who see it differently to you. I, for example, am not willing to give over control of my machine and surrender my privacy and security to an American profit-motivated corporation in exchange for imagined utility that turns out to be a marketing/PR illusion in any event.
What do you want, a medal or something?
Use what you are happy with. Just don’t be vicious towards others who aren’t happy with something shoddy that you apparently are prepared to put up with.
Edited 2010-01-19 10:03 UTC
Need I mention that Microsoft committed themselves to long-term support for the platform, or that businesses being able to target IE6 and then just sit on that code for ten years was part of the sales pitch?
That manager certainly isn’t very convincing–it’s painfully clear he’s a PR flack and not someone who’s at all informed on the issue. (Microsoft’s UK managers seem to have demonstrated an above average ability for putting their foot in their mouths. There was that thing about comparing Win7 to the Mac a few months ago, and I vaguely recall something else earlier last year that I can’t quite place.)
Still I think it’s overreaching to say Microsoft doesn’t give a damn about security. The vulnerability does exist in all major versions, but DEP and Protected Mode do neutralize any attacks at this point, and it’s going to be far harder to construct an effective exploit against browsers in which those are enabled. That’s not spin, but simply the defense in depth strategy doing what it’s supposed to do: provide additional layers of protection when one fails.
http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i…
Clearly this is a serious issue, and IE6 users (as well as IE7 users on XP) need to take immediate action, whether that’s upgrading, switching, or implementing the suggested mitigations (enable DEP, and/or disable Javascript). But a blanket statement from governments that all IE users need to switch just seems like needless fearmongering, akin to when the US government told everyone to go out and buy plastic tarp and duct tape. The BSI, in particular, seems to be prone to kneejerk reactions:
http://mashable.com/2008/09/07/germany-google/
I think a lot can be attributed to overall technological ignorance on behalf of the Governments (not an excuse, just some context behind their irresponsibility).
It’s a bug, software has bugs, but it’s Microsoft and IE, so it is instantly a sensationalist headline and used as a crutch for those who generally scream their heads off about alternative browsers to finally have something resembling an audible whisper.
But it’s a far more serious bug due to the prevalence of windows and ie.
Look at it from a hacker’s point of view, you can guarantee that any large corporation or government you want to target will be running windows/ie/msoffice on all their desktops… This is very useful for a hacker, you need 1 exploit, 1 backdoor and 1 skillset.
By contrast, if you couldn’t be sure whether your victims ran windows, linux, bsd, mac or whatever else and couldn’t be sure if they ran firefox, chrome or opera your attacks become much more difficult. You have to discover what your targets run first, and then look for exploits knowing full well that any exploits you develop will only target a small percentage of your targets.
And from the target’s standpoint, having no choice but to use windows/ie is a very bad state because even if unpatched 0day exploits are everywhere, there is very little you can do about it. If you have the freedom to choose your software then it becomes easy to switch if one vendor is failing to fix issues and you can choose the software which best suits you rather than having no choice…
Do you really think google would have been using IE if they had any choice? They make their own browser which is a lot better, there has to be some proprietary apps locking them to ie.
No, the problem is the prevalence of IE6.
http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-i…
So why can’t they just use IE6 for those apps? I was just helping someone the other day secure an office network and I would have flipped out if I found out they were surfing the internet with IE6.
If you’re that sort of hacker you’re in luck in the UK, all the councils I’ve worked for here in the last 7 years are using the Win XP/IE6 combo for their apps for Housing and Social Services, and no end in sight. Their excuse is they have hardware firewalls in place.
Some only upgraded a few years ago from Win95.
There are a few open-source solutions at the back end but the desktops and email are all MS.
It’s IT heaven
I can’t believe this c… So the maker of a superior browser is deliberately using an inferior one, just because of some proprietary app?? If my memory serves me right, ms has issued repeated calls for ie to be upgraded and this stellar company (which has become quite a player in the industry) is locked down due to some app?? This “liberator”, of sorts, is locked down by some app that uses all the bad and ugly stuff that ms forced on us?? Un(f…)believable (excuse my french)
What? MS has never “forced us” to use anything.
Otherwise, yes, un(f…)believable that Google uses IE6.
Also un(f…)believable that people here are acting like this is all MS’ fault (as always) that someone at Google surfs the web with IE6.
Go surf the modern web with Netscape 7, which was released about the same time as IE6. While at it, rant a little about how Mozilla is not any more supporting this dead old browser and urges everyone to use Firefox 3.5.
In other news…Next week, Germany advises not to use Windows anymore for the same reasons