Internet Explorer Zero Day Vulnerability


    #16
    Hopefully that makes me a bit more secure
    Yesterday, if you'd visited any one of the 233,000 infected pages you'd probably now have a key-logger on your system in spite of the other security.

    A major part of the problem is that Microsoft deliberately tied IE very closely to the O/S instead of having it live as a nicely sand-boxed separate application.

    The reason: a political decision by them - they were trying to kill off Netscape and needed an excuse for having IE installed by default. Regulators wanted IE / Netscape / etc to be available as optional user chosen or manufacturer supplied add-ins and MS fought them off by making IE an essential part of Windows. Result - a browser that can read/write your files, tinker with the Registry and run executables.

    PS. I did a Google search of those 233,000 pages to see if any contained acatalog in their URL and thankfully none did.
    Norman - www.drillpine.biz
    Edinburgh, U K / Bitez, Turkey



      #17
      Yes, I'm saying fundamentally, that Windows is at risk.

      I'm running IE7 and 8, on my Ubuntu workstation, with no security at all, other than not running as root.

      I CANNOT be infected.

      There are plenty of steps you can take, but overall, not using IE is a big step to your safety. Disabling all script and ActiveX in IE is definitely advised, and if you use a page that won't render, then switch to Firefox/Chrome/Safari/Opera for that session.

      It's no different than back in the day, when I had to switch to IE for certain pages.

      I can't stress enough how bad Explorer is for your health/sanity. I certainly don't feel safe with it, no matter how many firewalls and other securities I have in place.

      (none, in the case of my Mac, and Linux, other than not running as root)



        #18
        I agree to a certain degree with Gabe. But all developer/designers have to at least view their sites in IE just to ensure the rest of the world sees an unflawed site.

        Sadly, we cannot tell people who use sites we built not to use IE.



          #19
          Gabe is probably quite right, I agree that security in Windows is badly flawed (all versions) - just read a few books on hacking. They make scary reading.
          However, as well as better security, it seems that one of the reasons systems such as Unix, Linux et al are safer is MS attracts hackers like a jam pot attracts wasps.
          Personally I don't think any OS can be made either 100% bug free, or usable online and 100% secure (not 100% secure and usable without expert knowledge by the user anyway).
          One problem is that the average home user doesn't understand security, the need for firewalls, and anti-virus and strong passwords, why they are needed, and how to set them up. (Quite a few people in business that should know don't either, and I know some of them!) I quote: "A firewall, why do I need one of those? What does it do that my free anti virus I got 5 years ago do?" Now that's scary! Passwords stored in IE for access to accounts at risk, etc. Yes, storing account passwords, and very basic insecure ones as well.
          Steve Griggs.

          "People in business often miss opportunities, mainly because they usually arrive dressed in overalls and looking like work."



          www.kitchenwareonline.com
          www.microwave-repair.co.uk



            #20
            Originally posted by Steve G Griggs
            Gabe is probably quite right, I agree that security in Windows is badly flawed (all versions) - just read a few books on hacking. They make scary reading. etc.......
            Yep I agree - Microsoft and their tools are whipping boys because they are so dominant. Whilst they do have security holes, I have no doubt that there are as many (if not more), undiscovered security holes in the likes of Chrome, Mozilla etc. Those holes will be sourced from the operating system of course, but then what are the options to the average user? Buy a DVD with Windows on and install it, or get numerous freeware scripts, hacks, routers, bridges and software tools to try and make themselves safer.

            Personally, I prefer to spend my time doing work, rather than configuring umpteen versions of different bits of software on different operating systems on different machines (unless that was your job of course) just to feel safe (when I have full confidence in my Windows based security system).

            At least MS now admit and fix the issues in a very timely manner which is a lot more than can be said for a lot of software vendors (Adobe, Apple and Symantec are three that immediately spring to mind).

            Unfortunately, with security hacks, it's a case of "picking on the posh kid". If MS ceased to exist tomorrow, it wouldn't take long for these hacker losers to pick on the next thing in their list (probably OS X)...

            Merry Christmas everyone

            Kev
            Last edited by CymraegKev; 19-Dec-2008, 02:45 PM. Reason: Spleling
            KDM Digital Media - Actinic web design and hosting



              #21
              Hi Kev. You have hit the nail right on the head. I think the main reason the free OS's Linux etc are left alone is they are free, not pushed by a big, rich corporation & OS X etc are less dominant so get less "flak".
              Merry XMAS.
              Steve Griggs.

              "People in business often miss opportunities, mainly because they usually arrive dressed in overalls and looking like work."



              www.kitchenwareonline.com
              www.microwave-repair.co.uk



                #22
                when I have full confidence in my Windows based security system
                It's a false confidence.

                As I said earlier your Windows system would now be running a keylogger if you'd simply visited one of hundreds of thousands of sites a few days ago.
                fix the issues in a very timely manner
                See MS explains 7-year patch delay for their explanation as to why it took until this November to fix a 2001 security vulnerability. And even then only a partial fix. Reason - a basic flaw in Windows SMB system that MS wouldn't fix as it would break existing networks. Solution - leave everyone vulnerable for 7 years so it could be business as usual for their larger customers.
                Norman - www.drillpine.biz
                Edinburgh, U K / Bitez, Turkey



                  #23
                  Originally posted by NormanRouxel
                  It's a false confidence.
                  It's a false confidence and very naive if you think by not using IE then you are secure.
                  Last edited by CymraegKev; 20-Dec-2008, 08:09 AM. Reason: font tags in post
                  KDM Digital Media - Actinic web design and hosting



                    #24
                    It's a false confidence and very naive if you think by not using IE then you are secure
                    Never said that, did I? Nothing makes you secure.

                    However, by not using IE (say using Firefox or Google Chrome) you are demonstrably more secure. Watch the Chrome cartoon sequence. By not using Windows you are orders of magnitude more secure. Uncomfortable facts if you're a Windows fan but still so.
                    Norman - www.drillpine.biz
                    Edinburgh, U K / Bitez, Turkey



                      #25
                      See this bang up to date Web browser security summary where everything is presented in nicely coloured graphs or tables. The "Relative danger" summary has IE consistently between 2 to 9 times worse than Firefox. The present value being 9 times more dangerous.
                      Norman - www.drillpine.biz
                      Edinburgh, U K / Bitez, Turkey



                        #26
                        I only use IE if I have to, normally to check a site; apart from that it serves no other purpose.

                        Even my 7 year old has been taught to use Chrome or FF, ask him what browser he's using and he will tell you. Education is the key.



                          #27
                          My point is the reason IE is less secure is because it gets attacked more.

                          I'm sure that security issues exist in the other browsers too - they just haven't been attacked so much. I'm also sure one day a big issue will arise with Firefox (or more probably Chrome in my opinion), that will have just as profound an impact on users of those browsers but not on IE users.
                          KDM Digital Media - Actinic web design and hosting



                            #28
                            The reason IE is less secure than other browsers is because it's demonstrably less secure - see my link above. The Company that wrote it that way are also the one the majority of people get our operating systems from. IE's tight operating system integration means that exploits have a much greater chance of taking control. This encourages attacks as the chance of success and the scope for damage is so great.

                            Anyone can get the source code of Firefox which should make it a lot easier for the black-hats to work out ways to break it. However that doesn't seem to be the case, especially as that same source allows the good guys to peer review every line of code and improve it where necessary. Not a possibility with Microsoft's closed code.

                            The fact that IE (and Windows) is popular means you can guarantee that millions of users will be using older unpatched versions due to complacency / ignorance. A bot-herder's paradise. Why buy resources for your spam campaign when Microsoft has supplied them for free?
                            Norman - www.drillpine.biz
                            Edinburgh, U K / Bitez, Turkey



                              #29
                              I agree with Norman. IE and Windows are fundamentally less secure than other operating systems and browsers. I'm sure this isn't intentional but stems from a combination of historically poor coding, the sheer size and complexity of the Windows OS and no peer review process.

                              Couple the relatively insecure code with a huge userbase of less sophisticated users and it is a hacker's paradise.

                              I'm sure it isn't quite so clear cut, as the hackers' focus on Windows/IE does mean that more vulnerabilities are discovered than on other systems, but that really just reinforces the problem, i.e. less secure system, more known vulnerabilities, many unsophisticated users.

                              The good news is that most business users do keep their systems up to date and add additional protection to the extent that the risk can be kept to an acceptable level. There are much easier targets for the hackers.

                              Mike
                              -----------------------------------------

                              First Tackle - Fly Fishing and Game Angling

                              -----------------------------------------



                                #30
                                interesting stats mr norm, like those pretty graphs, very revealing.

                                http://www.techworld.com/security/ne...fm?newsid=1798
                                how about these stats?

                                Really, browsers are sandboxed environments, and in order for them to become a threat, they must breach that sandbox. I would say, apart from the more hardcore hacks, that the level of these threats relates to the browser *and* the host operating system.

                                This latest incident with IE just shows the never ending cat and mouse game played out by the black and the white hats.

                                If you're playing the numbers for security, then I suggest you use lynx, on your Amiga 500.
