ActiveMac - The Most Activated mac Resource

ActiveMac

User Controls

New User

Edit/View My Profile

ActiveMac

Articles

Forums

Links

News

News Search

Reviews

News Centers

Windows/Microsoft

DVD

ActiveHardware

Xbox

MaINTosh

News Search

ANet Chats

The Lobby

Special Events Room

Developer's Lounge

XBox Chat

FAQ's

Windows 98/98 SE

Windows 2000

Windows Me

Windows "Whistler" XP

Windows CE

Internet Explorer 6

Internet Explorer 5

Xbox

DirectX

DVD's

TopTechTips

Registry Tips

Windows 95/98

Windows 2000

Internet Explorer 4

Internet Explorer 5

Windows NT Tips

Program Tips

Easter Eggs

Hardware

DVD

Latest Reviews

Applications

Microsoft Windows XP Professional

Norton SystemWorks 2002

Hardware

Intel Personal Audio Player 3000

Microsoft Wireless IntelliMouse Explorer

Site News/Info

About This Site

Affiliates

ANet Forums

Default Home Page

Link To Us

Links

Member Pages

Site Search

Awards

Credits
�1997/2004, Active Network. All Rights Reserved.
Layout & Design by Designer Dream. Content written by the Active Network team. Please click here for full terms of use and restrictions or read our Privacy Statement.

Non-Microsoft browsers are most secure choice

Time: 00:00 EST/05:00 GMT | News Source: Computer Weekly | Posted By: Todd Richardson

A number of security bodies and industry experts, including the US government-backed CERT, and non-profit Sans Institute, have urged companies to consider Microsoft alternatives. These include Netscape, Opera, Mozilla and Apple's Safari.

Richard Brain, technical director at security consultant ProCheckup, said: "It is a good idea to use other, safer browsers like Firefox by default, and the more complex, buggy Internet Explorer to access those sites which will only work with IE. "IE is an overly complex bit of software that should really get back to its simpler roots as a web browser, so that Microsoft developers can simplify it and remove its security holes," he said

Write Comment
Return to News

Displaying 1 through 25 of 316
Last | Next

The time now is 5:15:50 AM ET.
Any comment problems? E-mail us

#1 By 20 (67.9.179.51) at 7/7/2004 1:36:28 AM

There's a good discussion of switching platforms to avoid security problems and how it doesn't really solve anything over at www.ntbugtraq.com (search the archives, it was at the end of June, early July).

Firefox has it's share of bugs and if everyone switches to it, then all the bug finders will follow and crackers will attack it.

Move to FireFox for any number of reasons, just not for security. This holds true for any platform switch (OS, app server, etc).

#2 By 13030 (198.22.121.120) at 7/7/2004 10:41:47 AM

#1 Not nearly as important as IE's previous system access exposing flaws.

As the article implies, the browser should have never been a bloated, tightly integrated part of the OS. This is a basic tenet of software development that MS flaunted and now we have all been paying for it in the form of security issues and multitudes of IE (that is OS) patches.

Use Firefox, you'll drop IE faster than you can say public license.

#3 By 135 (209.180.28.6) at 7/7/2004 11:16:36 AM

A lot of people, such as ch, are going around claiming things about IE that do not appear to be true.

In what way is making a common HTML rendering engine a bad thing for an OS? Should an OS also not implement tty handling? Graphical User Interface?

I'm sorry, but I think you are grasping at straws.

#4 By 17996 (69.21.203.150) at 7/7/2004 11:45:52 AM

What I hate seeing is all these people who are so concerned about security that they switch browsers, but they still run everything from an administrator account. If they're that serious about security they'd do just about everything from a limited account. And don't start saying "Oh, but it's simply not practical to run as a limited user" or "It's such a hassle to switch accounts or to use RunAs every time I want to install something." It IS practical to run IE as a limited user -- and when you do, you are protected from this latest string of IE holes. Plus you don't have to worry about ActiveX installation popups -- they don't show up for limited users, so you won't accidentally get spyware on your system.

#5 By 135 (209.180.28.6) at 7/7/2004 5:11:20 PM

#7, #9 - Hmm. How is it a tremendously huge impact? Other than a support issue of blowing up your OS install, what other problems does it cause?

#10 - Firefox implements it's own common rendering engine, and it's being promoted to be utilized within applications exactly like Microsoft's.

#6 By 23275 (68.17.42.38) at 7/8/2004 3:07:02 AM

Good threads...when this topic was introduced <one of many times>, I opined that one should always run as a simple "user"; use RunAs and even set parameters for programs to RunAs whatever user rights were needed to allow them to execute - and of course, never use the system on the web as an admin.

By design, XP/W2K are just fine and deafult users are in fact, simple users. On a domain, users have to be manually added to the LMZ admins group - by a user with either domain or enterprise admin rights. In this context, Windows is structured very well.

That said, a typical OEM system arrives backwards...but that is an OEM decision and part of their builds - not as a result of Windows' design. The only direct to consumer Linuces I am aware of is Lindows, and they too, ship direct to consumers with the OS set to root [or should I say, become "Rooted"]. So, we did some tests. We took a virgin system, ran it as an admin [XP Pro SP2 RC2] and also Pest Patrol Professional [Build 4.4.3.24]. We ran ten test web sites - two of which were free porn sites and opposite IE, Opera, Mozilla and Firefox 9.x...
Before each test run, we cleared a lot of files - and noted all the asche and trash as we went along. Now, I know a lot of folks will say this was not very scientific; however, it was not meant to be. It was meant to replicate what real people, running real systems against real sites, would likely encounter. In all tests, IE on SP2 RC2 performed the best and allowed no hostile code to be executed without a clear warning that defaulted to - "Stop, Don't, or else..."
The remaining browsers resulted in a very noisy Pest Patrol - which BTW, did a super job of nailing incoming threats. In IE; however, Pest Patrol remained quiet and did not have to step in. While running Mozilla, two VBS files were not caught by Pest Patrol and Panda Anti-virus caught and stopped them [ Script blocking enabled and alerted against Downloader.xx ].
We will do these tests regularly and against some pretty nasty sites - gambling, free porn, and many others. While entirely subjective, it does appear that opposite XP SP2 RC2, IE is and the OS are pretty well suited for continued use. In one <costly> regard, we have had to re-code in usually small ways, all the apps and sites we have built in the last two years - to accomodate alternative browsers - which is bad for smaller shops. I do wonder just how many customers who are able to pay reasonable fees, actually use Mozilla or Firefox in any great numbers, or how many will make these their primary - after all, even smaller companies have good policies opposite user accounts and approved site lists. I do hope most home users or under serviced companies will at least upgrade to XP SP2 RTM when it ships - it'll cut down on the racket hitting our NIDS. Thanks

#7 By 23275 (68.17.42.38) at 7/8/2004 4:14:46 AM

Good points, for sure, but it is "still" on the OEM's and entirely. Not many know it, but the deployment kits for the OS are pretty clear about how the systems should be shipped and do include some very easy to configure tools for shipping a system that walks a user through the exact processes described by #17. The registered/certified OEM Systems Builder Site is populated with all of that kind of documentation and clearly spells out why it should be done.

One has to remember the product road-maps as well - meaning, that when XP was designed and shipped, Internet threats were not what they are today - again, meaning that professional groups were not actively engaged in the practice of hiring highly skilled programmers to harvest under-protected systems to be used primarily as distribution points. Neither was the presence of low cost, always-on broadband.

I do, and I think fairly assess, that Microsoft, since the emergence of the above factors, has done exactly what they should have...e.g., respond appropriately and well ahead of what one might expect. That is, Bill Gates began an initiative and drove it through the company. The company, at every level began working and investing to permanently fix these problems - even at the risk of hazarding the bet-it-all-on-Longhorn development. I mean, in my opinion, they did the right thing despite some serious consequences and made up for a lot of shortcomings induced by the OEM's who were largely interested in reducing support calls opposite user rights management - as a builder and seller of specialty servers, systems and networks, and yes .NET apps, too, I know this to be true, because we use the same tools.
I can't really blame the OEM's, either. It is really tough on them and while there are standards for operating a car...possibly damaging a few dozen at most...there are no standards at all for operating a PC, which can harm millions. The ISP's, also stressed for cash, were perhaps the worst - doing nothing to police their networks - sans blocking all traffic on port 139 [even out-bound] killing the best Hosted Exchange solution made - RPC over forced encryption on TCP [ISA Apps Filter] - Thank God for RPC over HTTPS and Exchange 2003!.

So, it is a combination of things - the least guilty of which is Microsoft. It is high time OEM's, ISP's and regular Joe's took some measure of responsibility. Even tough medicine. I mean, we were burned, too - some 20K a week burnt cleaning up systems people had jacked via Kazaa and or free Internet Porn...opposite our end to end service and support [4 years] it just sucked...

#8 By 23275 (68.17.42.38) at 7/8/2004 11:55:51 PM

Patch Proliferation in Linux as it regards system file updates, does require rebooting. We proliferate patches to Linuces based system, regularly and much more often than is required in Server 2003. We are required to reboot them and track exactly which updates require this and which also require booting in single user mode and doing a mandatory file system integrity check. As with Windows systems, these are tested first, on staging systems and then proliferated. The results of both tests and production updates are recorded and reported. Very specific alerting protocols determine when and who is contacted and what is reported. Extremely critical updates, as was the case with the last OpenSSH/OpenSSL update, are executed out of band with more limited testing and clients are advised concurrent to the update. I still mainain that the Windows systems are more secure, see fewer required updates and are easier to manage. The costs of this entire process is also calculated. We have literally man centuries in the Unices - most of us cutting our teeth on them when the C language was called B and before Unix was a brand - using Xenix, and MP109, etc...

RDP Sessions in Server 2003 also auto-reconnect - even when updating an interface device driver. The session is also held in state. I maintain that Microsoft has responded meaningfully and appropriately. Their most senior product managers are so candid about security and all they are doing to make things truly secure and also easy to use. I just wish that for once, solid scientific facts and real-world procedures would be the basis for these discussions. I understand and admire the passion behind a lot of these threads, but do wish that guys that actually support this stuff opposite contractual obligations that have specific terms would share what they see and if they are able to support the Linuces better than we are - then please share what you are doing. We are applying the same types of policies and procedures - very carfeful ones, and we see much higher costs opposite the Linuces and much lower performance. Finally, operations management is central to any solution - no matter how small. This is perhaps where the Linuces is weakest; the Unices most costly and Microsoft the better choice - at least for my company and our clients. If it were different, and we would be better doing it differently, I would do it the way that was better. When PDP's 5's, 10's, 11's, 77's were better, we ran then and developed for them in C and Fortran 77, when Microsoft brought lower cost, better performing systems out that ran on less costly hardware, then we supported and developed for that. It was and is always about doing it right and what is best for the client. Thanks.

#9 By 23275 (68.17.42.38) at 7/9/2004 10:35:23 AM

These are awesome questions and I am glad to share what we observe and record.

First, a couple of things to remember. 1. this is a production environment opposite specific procedures [as I assess all sites and services designed to support Internet applications would be]. 2. Often, but not always, specific client policies will dictate that a reboot be performed and a Linuces system booted to single user mode and a FS Integrity Check run and the results recorded [most often when dealing with very large databases and large RAID 5 or 10 Arrays].

The first rule is to run only those services that are needed to support the intended purpose of the server. The second is to record these and track each process; which user it is run as, and log all processes - each day...and no and I mean no, Internet browsing from any sever - not even to run updates - these are proliferated manually.

The second rule is to never assume a firewall, or any combination of firewalls can keep a system safe - network, and host Intrustion Detection Systems are a must and they must be monitored against pre-established event procedures. These are used alongside BHO Proces tripwires and audits of all processes and issued commands.

The Third rule is to use an audit trail and analyze all logs and admin reports together.

These three rules form the basis for being able to safely support production - specific set up is important and I can share how that is done - e.g., SPLIT DNS, One to One Routing, BHO Process Guards, Back to Back Firewalls, etc...

As regards the number of Apache -vs IIS Servers running - the actual numbers are higher for windows - there are just more Hosts [Ref Zones] for more sites reported for Apache. This suggests that there are more IIS based dedicated environments running, or as we do, all sites on IIS terminate to a single Host - single IP Topology - so the hundreds of servers running look like one and only count as one.

As regards proliferaton of patches on Linuces vice Windows. Windows is far faster and results in far less scheduled down-time. I'll explain...the boot sequence and service/process start-up in Windows can be easily made to be automatic. The driver model is different, so even large arrays come on line more quickly - or so it is recorded and measured. The Linuces systems require the manual startup [in all but a few cases] of most all processes - logging in as that user and in a specific order - for example, patch system files=>reboot=>reboot to singhle user mode=>run FS Integrity=>reboot=>log as user 1, start DB, Start TNS Listener, Switch User [SU] and start db instances [connect to, startup] SU, next instance, etc...
Move to Apps server, and stop apps server instances and then re-start them, manually [ ./name etc...]. Test. Go back and log back in as user, start UAGENT, check UAGENT status, and TripWire BHO Process protection. Test. Record all actions, export all logs and executed commands. Monitor and report.

#10 By 23275 (68.17.42.38) at 7/9/2004 10:35:48 AM

Both the manual processing and the much longer boot times contribute to a much longer sequence in Linuces. We time these processes and know, for certain that we can patch and bring online, 4 Windows Servers of greater complextity than it takes to patch one Linuces system. Now most of use run the CLI for both Linuces/Unices and Windows - we've been doing it for decades and can type like mad fools. We do use a two-man rule - so no typos contribute to errors and also as a matter of policy. I can share that some Windows systems have not been booted in over two years - they are connected to systems that are connected to other layers that do serve up sites and services, but they do so in a way that insulates them entirely and they require no patches of any kind. Finally, many Linuces may be up, but their sites and services stopped. In the eyes of a client, this is no different than if the plug were pulled - thouh starting a process may be quicker.

Instances of being rooted/exploited or harmed...not yet...knock on wood and a pile of event logs...not on any system we did not set up for that purpose - e.g., to allow it to be rooted to see how exploits are carried out, or how to train to recover. We do this often, but find that most crackers use many of the same methods. In the past we saw guys like us who would be more of a curious hacker. These days we see very well organized criminal hacking teams. They are brilliant and cunning and well paid. They look at some organizations and quickly move on - not that they might not be successful, but they are more likely to get caught and caught in a way where evidence would be useable. Now, as it regards ease and instance, I do know that one can take a fully exposed Windows system, run it in LMZ mode and watch every cracker fail - usually SMB exploits - opposite very strong passwords, one usually just watches the even log file up with failed log in attempts. An exposed Linuces usually gets fully rooted in between 3 minutes to three hours. There are many points of entry and professional teams know them well. A Unices, say IRIX, or AIX takes as long as a Windows system if the team is really good. In each case, the Windows systems have been easier to repair. Normally the team hits the wbem dir or the drivers/etc dir - killing the PID and removing the crack is pretty easy in most cases. On a Linuces, if the Kernel gets recompiled - for example, replicating a user who would likely have compilers needed to install apps...one can forget it...rebuild it, becuase their is no way to clean it up. In the cases of a curious hacker, whom we can appreciate...we congartulate them and move on. In the case of cracker teams, we get others involved and work to support responsible and appropriate actions. We record more than 60,000 such events each day - mostly from FR, CN and RU. The world is full of folks who were left in the cold <economically> who have great skill - so it is tough to really dislike them, or at least not recognize they have families to feed, too. While I fully agree that more Windows systems are available for attacks and are attacked more frequently, I do not agree that as a percentage, more Windows systems are cracked successfully. It does appear to be harder and we do model this - e.g., we crack our own test systems.

#11 By 4240821 (213.139.195.162) at 10/26/2023 11:58:08 AM