Serious Security Flaw in Internet Explorer
W-K 666 (Joined: 18 May 99, Posts: 19057, Credit: 40,757,560, RAC: 67)
BBC reports the problem in article and Is it safe to Explore. For those who insist on using IE, then MS Security Advisor.
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60)
> BBC reports the problem in article and

Gee, IE has another major flaw. This shouldn't be a surprise. With open tech you get things solved by the community and things generally work well. M$ has made its policy around "everyone else doesn't matter, except when our flaws are exposed, and we won't rush to repair it for any of several various reasons." I think it's funny that none of the other common browsers have this problem, but a M$ apologist says not to run off and use them because IE is still great.

In a rich man's house there is no place to spit but his face. Diogenes of Sinope
1mp0£173 (Joined: 3 Apr 99, Posts: 8423, Credit: 356,897, RAC: 0)
> BBC reports the problem in article and

I don't think it's a question of open tech vs. closed, but more a question of philosophy. Look at web frameworks like Joomla that are all open source, and using open source components. Real security comes from design, and secure design is not that hard to achieve. Scripting is a big issue, and the premier "scripting" device in Internet Explorer is ActiveX. ActiveX controls are native Windows programs, not an interpreted pseudocode (Java) that is much easier to sandbox (and much easier to get right). ActiveX on the web is a huge Pandora's box, and it's too late to close it.
gizbar (Joined: 7 Jan 01, Posts: 586, Credit: 21,087,774, RAC: 0)
I, for one, am glad I don't use IE any more. I just wish I'd had better success in convincing my less technical friends and colleagues to try the change to a new browser. I'm still amazed that there are still flaws to be found in IE. It just goes to show that there are lots of talented people out there finding these flaws, and then the pressure is on M$ to fix it before somebody does a lot of damage with it. Me, I use Firefox. I'm not starting an argument about which is best, just as long as it's better than IE. The problem is, with it being installed on so many computers from new, most non-technical or even non-savvy people don't know any better, stick to what they know and never try changing.

Regards, Gizbar. A proud GPU User Server Donor!
Cosmic_Ocean (Joined: 23 Dec 00, Posts: 3027, Credit: 13,516,867, RAC: 13)
I think there are two factors about why IE has so many problems. One is that the Gecko engine likely has a handful of problems itself, but the market share isn't as high (though it is catching up quickly), and the M$ regime is basically a case of "just trust us to provide for you." Just like the Linux people rant and rave about how they don't need AV software because they're using Linux. While I do agree that Linux is much more secure than Windows, it also has vulnerabilities. It is an inherent flaw in all software that communicates with the Internet that there will be vulnerabilities. It is a noble idea to try to make something that is completely "air tight", but the harsh reality is that it just won't happen, no matter how much effort gets put into it.

Linux laptop: record uptime: 1511d 20h 19m (ended due to the power brick giving up)
ML1 (Joined: 25 Nov 01, Posts: 20283, Credit: 7,508,002, RAC: 20)
> ... It is an inherent flaw in all software that communicates with the Internet that there will be vulnerabilities. It is a noble idea to try to make something that is completely "air tight", but the harsh reality is that it just won't happen, no matter how much effort gets put into it.

The question is more about "to what extent"... There are other ways to provide the sort of useful 'goodies' that ActiveX is supposed to be used for, but without the inherent vulnerability and without the difficulty of 'patching over' various vulnerabilities. Some of those other ways have been demonstrated and are in use. (They are not ActiveX, and by design they are a few levels removed from the underlying OS to take inherent advantage of various levels of good security practices.) For example, to keep your hair dry in a rainstorm, do you use a hair dryer or do you instead use a hat or an umbrella?

Keep searchin', Martin
See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
Fred J. Verster (Joined: 21 Apr 04, Posts: 3252, Credit: 31,903,643, RAC: 0)
Cosmic_Ocean (Joined: 23 Dec 00, Posts: 3027, Credit: 13,516,867, RAC: 13)
Yeah, I actually prefer FF2 over FF3, but the latest releases for both are as secure as each other. That's one thing people don't realize: when a new build comes out (2.0.0.18 for v2, and 3.0.4 for v3), the difference between two builds is performance improvements and fixing security flaws. Like I said, all the browsers and OSes have problems; it's just a matter of how severe the problem is, how well-known it is, and the largest part has to do with market share.

Linux laptop: record uptime: 1511d 20h 19m (ended due to the power brick giving up)
1mp0£173 (Joined: 3 Apr 99, Posts: 8423, Credit: 356,897, RAC: 0)
Actually, there is a place for ActiveX. Because it is much more than a "scripting language", one can build some incredibly sophisticated applications and run them in the browser -- true client/server applications with consistent state, and about as far away from the typical web app as possible. The problem is, 99.99% of ActiveX applications could be done in a "lesser" language just as well... and 99.9% of all sites that use scripting do not need it. For the 0.01% of all applications that use ActiveX to run something non-trivial inside a browser, they could just as easily be a stand-alone application, downloaded and run. These are generally "intranet" applications, not for the general public. Scripting is overused. ActiveX controls aren't scripts, they're programs, and there is no reason for my web page to run a program on your computer.
Allie in Vancouver (Joined: 16 Mar 07, Posts: 3949, Credit: 1,604,668, RAC: 0)
> I, for one, am glad I don't use IE any more. I just wish I'd had better success in convincing my less technical friends and colleagues to try the change to a new browser.

I would probably be one of those “less technical people” you referred to, and I use FF almost exclusively and only go to IE when absolutely necessary. It is just my opine, but I find that FF generally runs faster, so point out to your friends that even a Luddite like me prefers it. :)

Pure mathematics is, in its way, the poetry of logical ideas. Albert Einstein
Blurf (Joined: 2 Sep 06, Posts: 8962, Credit: 12,678,685, RAC: 0)
No disagreement here re: Firefox. I use it exclusively at home too....
OzzFan (Joined: 9 Apr 02, Posts: 15691, Credit: 84,761,841, RAC: 28)
> Yeah, I actually prefer FF2 over FF3, but the latest releases for both are as secure as each other. That's one thing people don't realize that when a new build comes out (2.0.0.18 for v2, and 3.0.4 for v3), the difference between two builds are performance improvements and fixing security flaws.

Agreed. (Firefox user)
JLDun (Joined: 21 Apr 06, Posts: 573, Credit: 196,101, RAC: 0)
FF 3.x; started right after 2.0.0.x came out.
Cosmic_Ocean (Joined: 23 Dec 00, Posts: 3027, Credit: 13,516,867, RAC: 13)
I just noticed my wording wasn't quite right on the explanation regarding latest versions. What I meant was that 2.0.0.17 to 2.0.0.18 was to fix security flaws, just as 3.0.3 to 3.0.4 was. The latest versions for both have the same security holes/fixes as each other; just some features are present in one and not the other. I use IE -only- for two things. The web interface for my 24-port gigabit switch absolutely demands IE, even though it's all JavaScript (FF just won't do it.. I've tried), and an ActiveX plugin for Surveillix.

Linux laptop: record uptime: 1511d 20h 19m (ended due to the power brick giving up)
Aristoteles Doukas (Joined: 11 Apr 08, Posts: 1091, Credit: 2,140,913, RAC: 0)
Google Chrome and IE
ML1 (Joined: 25 Nov 01, Posts: 20283, Credit: 7,508,002, RAC: 20)
Agreed, apart from there being any need for ActiveX to even offer anything outside of the browser, let alone provide a route in for open rampage about your machine. For keeping local state, there are cookies, and there's more clever stuff such as AJAX and others. You can have in effect a fast 'thin client' in your browser. Hence the push now for utilising 'cloud computing'.

If you are going to run programs locally with data held locally, then indeed actually run a program that is installed and run locally. If there are interactions with some intranet database or supervisor or whatever, then hand off that common functionality to a common DLL. All easily restricted by system accounts and interfaces to only do that which the programmer intended. Even better, such a system must be properly (and knowingly) installed. Why download programs with user/admin rights from random (unknown) websites... (including viruses/trojans)? (And it is far too easy to get a "user click" to grease the infection into Windows...)

Is most of the virus/malware mess just ActiveX abuse, or general sloppy OS design in the first place? I consider a certain "market share" excuse to be merely a very clever marketing excuse: "We're innocently victim for being the most numerous". For enjoying a greater market share, the greater numbers should allow for greater and more thorough testing by more users, so that problems get found and fixed faster. There should also be more resource to get the job done properly in the first place! Note that the Microsoft series of OSes are unique in continuing to suffer live viruses and trojans for so very long. Various other OSes have had their brief encounters with such problems, fixed long ago in the past.

Keep searchin', Martin (All just my own opinion as ever!)
See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60)
I use IE for M$ updates and if, and only if, a page doesn't look right in FF. What surprises me is how many ads I don't see in FF vs. IE. The only way I see IE becoming a better browser is if M$ drops its insistence on IE being so intertwined in the OS. If they treated IE as a separate program like the courts insisted they do, and built a new IE from the ground up which isn't dependent on the OS to run, perhaps then IE might get a bit of respect.

In a rich man's house there is no place to spit but his face. Diogenes of Sinope
1mp0£173 (Joined: 3 Apr 99, Posts: 8423, Credit: 356,897, RAC: 0)
Martin, I'm speaking of ActiveX in the pure role where only ActiveX will do: you have some kind of complex application that needs to run for an extended time and cannot be broken into "slices" that run under a web server. Something that one would not think of as a browser application. The advantage in this very narrow case is that you, as the owner of the network and the developer, can deploy updates to the application automatically, by having your users access the application through a browser, and then simply updating the ActiveX control on the server. All the clients then update automagically. This is all very wonderful in the context of a single organization that owns the server, the application, and the desktop machines running it.

Outside that narrow set of circumstances, ActiveX is about as foolish an idea as has ever been conceived. Why should your ActiveX control be permanently installed (without an "uninstall") on my computer just because I visited your web page? In my opinion, it's a marketing problem, not a technical one. Microsoft promoted ActiveX as the way, the truth, and the light. They taught classes and seminars, they gave away T-shirts, and it would be a huge corporate embarrassment to admit that the fundamental concept is so flawed that the whole technology has to be scrapped. So, they try to put a bag on the side of it with things like "signed controls", because surely no one evil would be able to sign a control, right? I don't think it's a fundamental flaw in the OS, but in the application.

-- Ned
P.S. ActiveX is just a native Windows DLL.
ML1 (Joined: 25 Nov 01, Posts: 20283, Credit: 7,508,002, RAC: 20)
Fair comment as ever. [...] I just wonder where the balance point will be between embarrassment, marketing triumph, and insecure user backlash... Meanwhile, it looks like Microsoft have been rushed into appearing to do something at least: Microsoft plans quick fix for IE. All "good fun!"

Cheers, Martin
See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
Claggy (Joined: 5 Jul 99, Posts: 4654, Credit: 47,537,079, RAC: 4)
> Fair comment as ever.

Yep, got a new update for IE, time for a re-boot!

Claggy.
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.