Yet another IE "feature"


  • Yet another IE "feature"

    Attacks on Unpatched IE Flaw Escalate.

    Cheers!
    Hans

  • #2
    Yet another IE "feature"

    Hans.Boldt wrote:
    > Attacks on Unpatched IE Flaw Escalate
    > <http://blog.washingtonpost.com/secur...n_internet_explorer_f_1.html>.

    Now Hans, haven't you heard? If IE makes it easier on the programmer then that's what's going to be used, regardless of the potential security exposures it represents.

    Bill

    • #3
      Yet another IE "feature"

      While Bill is talking tongue-in-cheek, he's probably living proof of what he says. Using Windows is a huge security risk. Using a Mac isn't. Yet only 2% of all computer users use a Mac. It's a dangerous world, and people like to live dangerously.

      Bill, what OS do you use on your desktop? If it's Windows then you're one of the ones living dangerously. Or, living in a "glass house" throwing stones as it were.

      chuck
      Opinions expressed are not necessarily those of my employer.

      "Bill" wrote in message news:B133B4AF8A515433240604D5CA01F239@in.WebX.Wawy ahGHajS...
      > Hans.Boldt wrote:
      >> Attacks on Unpatched IE Flaw Escalate
      >> <http://blog.washingtonpost.com/secur...n_internet_explorer_f_1.html>.
      >
      > Now Hans, haven't you heard? If IE makes it easier on the programmer then that's what's going to be used, regardless of the potential security exposures it represents.
      >
      > Bill

      • #4
        Yet another IE "feature"

        Chuck Ackerman wrote:
        > While Bill is talking tongue-in-cheek, he's probably living proof of what he says. Using Windows is a huge security risk. Using a Mac isn't. Yet only 2% of all computer users use a Mac. It's a dangerous world, and people like to live dangerously.
        >
        > Bill, what OS do you use on your desktop? If it's Windows then you're one of the ones living dangerously. Or, living in a "glass house" throwing stones as it were.

        I'm using W2k myself and XP Pro in the business. Since I've got security software going on each desktop which OS vulnerabilities am I exposing myself to? Now, turn that around and in the same setup, which vulnerabilities am I exposed to if I'm running IE?

        And to say that users on a Mac are safe is to be uninformed. They are beginning to pop up with regularity now.

        Bill

        • #5
          Yet another IE "feature"

          Bill: How much of your working day is spent keeping each of your company's desktops up to date with the most recent patches and virus signatures? Is this some sort of job security issue?

          More importantly, what's the lag time between when an exploit is discovered and a patch or updated virus signature file is available? In other words, it's not the exploits you know about that are the problem, it's the exploits you don't know about.

          Read the press. The track records of MS in general and IE in particular are not good in this regard. Sure, most platforms are potentially vulnerable. But pretty much any other alternative to Windows and IE is less vulnerable to attack and easier for a system administrator to deal with.

          Have a nice day!
          Hans

          • #6
            Yet another IE "feature"

            Bill said: "And to say that users on a Mac are safe is to be uninformed. They are beginning to pop up with regularity now."

            Well, there have been exactly 3 in the last 5 years. And, to get these worms you must be infected via iChat from somebody within your LAN (can't come from the wild) and you must enter the administrator password to open it and then you must run an executable. Anyone who gets a worm infection on a Mac must be stupid indeed! SARC says less than 50 have been infected. I wouldn't classify that as "regularity."

            chuck
            Opinions expressed are not necessarily those of my employer.

            • #7
              Yet another IE "feature"

              Hans.Boldt wrote:
              > Bill: How much of your working day is spent keeping each of your company's desktops up to date with the most recent patches and virus signatures? Is this some sort of job security issue?

              Zero time is spent on virus signatures. It all happens automatically to every user that is connected to our network. We use Trend Micro's Enterprise software; we have a server set up to deliver the updates automatically as it receives them from TM.

              > More importantly, what's the lag time between when an exploit is discovered and a patch or updated virus signature file is available? In other words, it's not the exploits you know about that are the problem, it's the exploits you don't know about.

              Exactly.

              > Read the press. The track records of MS in general and IE in particular are not good in this regard. Sure, most platforms are potentially vulnerable. But pretty much any other alternative to Windows and IE is less vulnerable to attack and easier for a system administrator to deal with.

              You're preaching to the wrong choir. Joe and Chuck defended the use of IE, not me.

              As an anecdote, I ran across a website yesterday that just wouldn't work correctly with Firefox; every time I tried to check out it would say my cart was empty, yet it definitely wasn't. Went to IE and it worked fine -- but I now reflect on the process and wonder if somehow I could've been re-directed during the purchasing process to a false website. How people can live in IE all day and not worry about things like this I'll never understand.

              Bill

              • #8
                Yet another IE "feature"

                Bill asked: "How people can live in IE all day and not worry about things like this I'll never understand."

                It's simple, be careful where you travel. Your statement is equivalent to saying, "I hear about car hijackings, drive by shootings and gang related problems all the time therefore I'm never going to drive my car again."

                Surf sites that you know are safe. In fact, our Symantec web filter here at the office makes that relatively simple. No sports sites, no gambling sites, no porn sites for anyone at any time. I'm not saying that we'll never get a virus or spyware, but the fact is we don't. In the 29 years that I've personally been using a PC I've never had a virus nor spyware enter my PC.

                If you MUST travel to questionable sites then the solution is to buy MS Virtual PC or VMware and surf within a virtual machine. If that machine gets corrupted then destroy it and start anew.

                If you listen to the most paranoid of security people such as Steve Gibson you'll find that he doesn't even use anti-virus software. He's just very careful where he travels.

                As many fathers know, abstinence is the best way to avoid social diseases.

                chuck
                Opinions expressed are not necessarily those of my employer.

                • #9
                  Yet another IE "feature"

                  Bill wrote:
                  > As an anecdote I ran across a website yesterday that just wouldn't work correctly with Firefox, everytime I tried to check out it would say my cart was empty, yet it definitely wasn't. Went to IE and it worked fine ...

                  I don't run across many websites that require IE. If I did, I would take that as a sign that the company does not want or need my business. The risks associated with IE far outweigh the inconvenience of not being able to buy some product at an IE-only website, IMO.

                  Another way to look at it is this: If a company does not have the technical ability to support multiple browsers (which certainly isn't rocket science), then what confidence can I have that they can either handle my order properly or protect my personal information?

                  But at the risk of changing the subject slightly, I'd like to offer an observation. I know it's been a while since I've been involved with the iSeries, but I still find the community interesting in many ways. For example, one interesting thing is how iSeries fans get so worked up whenever an iSeries shop moves its apps to Windows servers. And yet, many iSeries shops are perfectly happy to give MS a foothold on the desktop. It seems to me that one of the best ways to keep MS at bay is to get rid of all MS products altogether from your shop, including Windows desktops and IE.

                  Cheers!
                  Hans

                  • #10
                    Yet another IE "feature"

                    Hans said: "It seems to me that one of the best ways to keep MS at bay is to get rid of all MS products altogether from your shop, including Windows desktops and IE."

                    To me that's the equivalent of keeping your daughter a virgin by not letting her see boys and putting her in an all girls high school.

                    I see no problem of having MS desktops and even having SQL Server in the same shop as an iSeries. The main thing is to keep the iSeries the hub of all data and you'll be fine. Make sure that the message is clear as to what the expectations are and both the iSeries and your daughter will be fine.

                    The only time that the iSeries is replaced by MS products is when the top I.T. guy doesn't understand the iSeries. It's an ignorance issue. Since I'm the top I.T. guy at my company there's no such ignorance here.

                    chuck
                    Opinions expressed are not necessarily those of my employer.

                    • #11
                      Yet another IE "feature"

                      "Another way to look at it is this: If a company does not have the technical ability to support multiple browsers (which certainly isn't rocket science), then what confidence can I have that they can either handle my order properly or protect my personal information?"

                      Yes, it's relatively easy to write simple web sites that can use either IE or Gecko. However, if you research the Document Object Model, you'll find that many basic business functions simply aren't available in Gecko (such as changing events on the fly). In the end, the various inconsistencies between the two engines make only one choice viable: you have two completely separate JavaScript codebases, one for IE and one for Gecko, and then select one based on the browser information at session startup.

                      Now, this isn't "rocket science", but it's also not without cost. As always, it's a business proposition. Calculate how much it will cost to maintain two separate codebases, then calculate how much additional revenue will be gained from people who insist on using Gecko only. Then make the call. It's not religion, it's business.

                      To imply that someone that doesn't agree with you is inferior as a programmer is irresponsible.

                      Joe

                      • #12
                        Yet another IE "feature"

                        From a casual read of the press concerning Macs, the impression I got was that buffer overflow exploits were now starting to be made successfully on Macs with Intel CPUs. Or perhaps the reading was a little too casual and I've just confusedly mixed together a couple of Mac news blurbs.

                        Given the Intel instruction architecture underpinning of exploits on both Windows and Linux, it should not be surprising if that happens under the Mac OS on Intel, especially with the shared Unix heritage of Linux and BSD.

                        IE is a separate virtual bonanza of exploit opportunities, but the book Hacking: The Art of Exploitation demonstrates all major forms of exploits with Linux, not Windows. It's the Intel instruction architecture and lazy C programming that everyone has exploited. IE just makes it so much easier.

                        rd

                        • #13
                          Yet another IE "feature"

                          Hackers Use BBC News as IE Attack Lure

                          Have a nice day!
                          Hans

                          • #14
                            Yet another IE "feature"

                            Not sure what your beef is, Hans.

                            "In the absence of a Microsoft patch, two well-respected Internet security companies—eEye Digital Security and Determina—have released unofficial hotfixes to provide temporary protection for IE users."

                            Or how about this, basically an equivalent bug, only worse, in Safari: http://isc.sans.org/diary.php?storyid=1138

                            Nor is Firefox immune to security attacks: http://secunia.com/product/4227/

                            And while it seems that Open Source tends to lead to a faster cycle of bug fixes, it doesn't mean you're secure on ANY browser. The standard answer? Avoid sites you don't know. But the only TRUE security is to surf from someone else's machine...

                            Joe

                            • #15
                              Yet another IE "feature"

                              Here's a link to a site that gives rules on using IE safely.

                              http://www.gripe2ed.com/scoop/story/.../31/15830/0283

                              Of course, going to that site violates the rules. Have fun.

                              Tom.
