Time: 10:43 EST/15:43 GMT | News Source: Seattle Times | Posted By: Robert Stein
Microsoft's Internet security team has had a tough summer, dealing with Russian hackers, criticism from researchers and a seemingly unending stream of reported flaws in its Internet Explorer Web browser.
To top it off, more experts are suggesting that Windows users start using other Web browsers instead of Internet Explorer, which has more than a 90 percent market share.
|
|
#1 By 2960 (156.80.64.137) at 7/19/2004 2:03:27 PM
|
IE deserves all the Swiss-cheese comments.
I'm on my FOURTH major Spyware infection of the day. This stuff is not amusing at all...
TL
|
#2 By 135 (209.180.28.6) at 7/19/2004 4:36:30 PM
|
Why do some people like TechLarry get spyware and I do not?
|
#3 By 37 (67.37.29.142) at 7/19/2004 4:38:13 PM
|
I agree with Muddle on this. Tabbed browsing takes up too much real estate, and is just duplicating having IE open in the task bar (or even grouped in the taskbar). Alt+Tab is even nicer to use since it uses much less real estate.
|
#4 By 2332 (65.221.182.2) at 7/19/2004 6:27:33 PM
|
#13 - Are you completely insane?
|
#5 By 21203 (4.5.32.137) at 7/20/2004 3:03:39 AM
|
Actually the real solutions for browser vulnerabilities are basically simple but beyond technical neophytes...
The browser is an engine. Understand what that engine does and how it does it, and you prevent a large amount of vulnerabilities or exploits.
Firefox will facilitate viruses, it will download hacks, trojans and infect people's machines. Why? Because some people will blindly (key word) think that the browser makes you immune to problems. (Best quote recently was markitoz who still believes that he doesn't need antivirus because he's running Firefox. Seriously. Sorry man, but you still need it.)
One problem is education. Some people need it more than others. A browser is merely an engine like your car. If you don't know what "that button" does in your car, you run risks of hurting someone. Unfortunately most don't get training on what a computer does. They barely know what buttons to press.
Well, people get popups that look benign. They click on "Click here to close this window! Honest I'll close if you click here!" and voila, they installed something. Do you think Firefox will fix that? No. You're naive if you think so. I guarantee you it will. Most of the people in this thread who claim that they're getting spyware have -- I guarantee you -- done something to facilitate its installation. These things don't just install themselves through an exploit. You're allowing it through action or inaction on your part.
And that is the root of social engineering. You can't build it out of the browser because fundamentally the browser is an exercise in standards adoption that is uniformly conformant. Yes, Mozilla and Microsoft agree... when you go to a site, and it asks to render something, it renders. If that site has tricked you into thinking it's benign to perform an action, you'll do it. It sounds unspeakable reading it here on this text, but how do you really know that your browser has rendered something or it is the OS? Have you ever seen ads on the side of this screen that say "You have a virus, click here to get rid of it!". Pfft.
Social engineering is not overcome through cute programming hacks, because at its root it's not browser centric and that's why vulnerabilities continue. Lack of education and social engineering. At the latest security convention I attended it was very apparent the biggest problem is not the technology, it is the people using it. The paradox of ease-of-use conflicts with the principle of least privilege, and laziness prevails over all. People expect it to "just work", when in reality, if you truly wanted a best-of-breed browser that was 100% secure, it would do nothing at all; because it's difficult to know where the next vulnerability is going to come from.
Firefox has a disadvantage in this battle because they have not dealt with OS-Spoofing issues. This is where the browser (realistically -- a site's content, not the browser) masquerades as the operating system and instructs you to do something in a very convincing way.
So if you want to go on about which browser is better, consider this. One vendor is making an effort to make sure the user is educated about security. The other is focusing on being HTML compliant and getting rid of basic bugs on the way to a 1.0 release.
Gecko renders pages well, but it offers me nothing that the IE engine can't do with MyIE2/Maxthon (for free). Features like tabbed browsing, popup blockers, do not "define" a rendering engine, so let's not quibble about petty things like that. Those features are great! But it doesn't add or detract any value from the reasons why one would use Gecko as a renderer.
|
#6 By 21203 (4.5.32.137) at 7/20/2004 11:11:02 AM
|
#20 IE has already done something about this. It is called XP-SP2.
You also don't need to run Linux to be secure, that's a fallacy. You just need to run Windows as a non-administrator. And yes, it's possible, every one of my systems is run that way.
|
#7 By 135 (209.180.28.6) at 7/20/2004 1:55:13 PM
|
Halcyon suggests Linux is safer because the environment is so user unfriendly that you can't get anything done.
It's as if saying... If Linux was an automobile, it would contain no driver's seat, no steering wheel, no transmission. The engine would run but it wouldn't be attached to the wheels. To make the car move you'd get out and push it to where you want to go.
This of course would make everyone safer, because of the work involved in going somewhere, people would generally just stay at home.
It's an interesting argument, and certainly does get to the heart of the philosophical disagreement between the Linux world and the Real world.
|
#8 By 21203 (208.252.96.195) at 7/20/2004 7:28:01 PM
|
It's not out yet. It's not like this will stop viruses from existing either...
Your point being? I don't presume a browser to stop viruses from being created.
Firefox isn't out yet either. You can get both as a beta.... well one as a release candidate.
I'm saying that when you download a file from the internet, it is automatically executable in Windows, even if the file should not be trusted since it came from an Internet Zone. You can "Open" right off the internet and execute it.
The rights of the file are set at the time of download.
It's like blaming the operating system for someone giving you a well-labeled CD full of viruses, saying "this is a virus full of CD's", and then copying them to the file system. It's not the OS's fault that you can execute them. It's your fault for accepting them in the first place.
I'll translate. When downloading a file, you have a choice of what to do with it. Intelligence is required. Do you think Linux scores points for requiring you to save, set the execute bit, then execute, every file? No. It might be considered more secure, but that will lose big time on usability.
The same level of security is performed, only you must read the prompts.
We can argue this all day. Do you want 12 hoops to jump through just because it will make it more secure? Or would you prefer that people have one hoop ("do you want to save or run this executable you're downloading?") and act intelligently? I'm fairly certain that most users will assume they are intelligent. I'm certainly not going to assume you're stupid.
Not to mention that like what Parkker said, even if you did accidentally "run" a downloaded executable, running as non administrator protects you.
Having said that, there are other steps to prevent accidents. AV protection is the catch-all to this. So what that Linux has more steps. I'm also fairly certain that's why everyone says that Linux is also somewhat painful to deal with.
|
#9 By 21203 (4.5.32.137) at 7/20/2004 11:32:39 PM
|
I'll expand a bit.
In XP-SP2 the default behavior of the operating system (this includes IE) is to prompt you about running any executable content that doesn't have a digital signature.
What does this mean? It protects you. Sure, 99% of code won't have that signature (believe it or not that actually helps things), but that answers the following quote: "...Except in Windows files are automatically executable just because of the extension."
That is no longer true. If the content is executable, downloaded and already on your system (just sitting on your desktop for example), and there is no digital signature authenticating the distributor (and package envelope, much like PGP for email), then you get prompted "The publisher could not be verified. Are you sure you want to run this software?" and the default is CANCEL. It even informs you with a RED WARNING: "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust. (and a link to:) How can I decide what software to run?"
Even more, when actively downloading executable content (not already on your system), the following is displayed "Do you want to run or save this file?" with the default being CANCEL and a YELLOW WARNING stating "This type of file can harm your computer. If the file information above looks suspicious, or you do not fully trust the source, do not run or save this software. (and a link to:) How can I decide what software to run?"
Additionally there is a security bit inside the properties of the object (above and beyond any security tab). This shows up when the digital signature is not present. In many ways it creates the speed bump that you're talking about, Halcyon. All default, all already present and well tested in XP-SP2.
THAT is a paradigm that is easy for a user to understand. It's well explained. If you don't know how to read past the first few grades in school, you shouldn't have any reason to blame the operating system.
The security bit can be removed through an installer package, so that a program once installed wouldn't need a digital signature for every executable in their suite. But guess what, you would need one for the installer program wouldn't you? :) I'm just trying to answer an issue like for example Office being installed (Word, Excel, Powerpoint, etc). The installer package requires the signature. It's the only bit you actually "run". If you allow it, the system assumes you allow any derivatives of it. And the warning is quite clear in that respect.
So....... in a nutshell, I don't know how they could improve upon the "speed bumps" other than to put up a popup every few minutes saying "If you only know how to click yes, click yes." with, of course, a yes/no/cancel choice.
Will there be loopholes? Sure. But I just described a piece of the SP2 security puzzle. Put it all together, and it's a solid offering. (not to get way out of the path here but basically autoupdate and AV fill the other pieces, and answer any other potential issues)
This post was edited by mram on Wednesday, July 21, 2004 at 00:31.
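
Added example, not part of the original thread and not Microsoft's code: a small parser for the per-file download mark that drives the SP2 prompts described in comment #9. It assumes the "security bit" the comment mentions is the `Zone.Identifier` alternate data stream that XP SP2 writes next to downloaded files on NTFS; the file names and stream contents below are constructed samples.

```python
import configparser

# Windows URL security zone IDs.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_zone(path):
    """Read the mark from a file on an NTFS volume (Windows only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such stream, or the volume is not NTFS
        return None

def marked_untrusted(streams):
    """Given {file name: stream text}, list files marked Internet or Restricted."""
    return sorted(name for name, text in streams.items()
                  if (parse_zone_identifier(text) or 0) >= 3)

# Constructed sample data, not taken from the page.
SAMPLE_STREAMS = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "intranet-tool.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "broken.exe": "[ZoneTransfer]\r\nZoneId=three\r\n",
    "unmarked.exe": "",
}

if __name__ == "__main__":
    for name, text in SAMPLE_STREAMS.items():
        zone = parse_zone_identifier(text)
        print(name, ZONES.get(zone, "no valid mark"))
```

A file with a missing or malformed stream parses to `None`, so an audit built on this should report such files separately rather than treat them as trusted.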
|
#10 By 21203 (4.5.32.137) at 7/21/2004 12:58:22 AM
|
I would think that it would be; one does not necessarily have to run as Administrator on a workstation (a point driven home constantly). No rights, no install...
|
#11 By 21203 (208.252.96.195) at 7/21/2004 6:06:35 PM
|
How would it tell that [...]
Because it is a company that has designed a product to do exactly that.
|