[LUG-Ischia] (no subject)
Linux User Group Ischia
info@lug-ischia.org
Fri 18 Jun 2004 10:14:03 CEST
Time to Dump Internet Explorer
Date: Fri, 18 Jun 2004 10:14:03 +0200
Mime-Version: 1.0
Content-Type: text/plain; format=xdraft; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Time to Dump Internet Explorer
By Scott Granneman Jun 17 2004 07:54AM PT
One of my many weaknesses is a fondness for stupid jokes. Here's one that I
like:
Why do ducks have webbed feet?
To put out forest fires.
Why do elephants have flat feet?
To put out burning ducks.
Not very sophisticated, I know, but it makes me smile every time I read it.
Here's another classic, one that relates directly to many Internet users:
A man goes in to see a doctor. "Doc, whenever I lift my left arm, I get a
shooting pain in my shoulder. What should I do?" The doctor replied, "Stop
lifting your left arm."
I think many of us are in the position of that man, and today I'd like to
act as your physician. Except that I'm not going to talk about left arms and
pains in the shoulder; I'm going to talk about a piece of software that
causes us pain in a different part of the body - Internet Explorer.
The latest version of IE is 6, and it has certainly accumulated an
impressive record of holes: 153 since 18 April 2001, according to the
SecurityFocus Vulnerabilities Archive. There have been some real doozies in
there. For instance, last August, Microsoft issued a patch that fixed a hole
that the company described this way: "It could be possible for an attacker
who exploited this vulnerability to run arbitrary code on a user's system.
If a user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action." Oh,
is that all? Well, that's super - simply visit a Web page, and you're
0\/\/N3d, d00d!
A little over a week ago, the SecurityFocus Vulnerability Database reported
the "Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability,"
which "may permit cross-zone access, allowing an attacker to execute
malicious script code in the context of the Local Zone." That was just one
of the six reported so far this month - and we're only halfway through!
In fact, it's gotten so bad that now spyware creators (AKA, scumbags) are
using flaws in IE to surreptitiously install the I-Lookup search bar (or one
of several others) into the browser. Again, the user doesn't need to do
anything - just visit a Web site or click on a URL in an email. The results?
Your home page is changed, a bunch of new bookmarks show up in your
Favorites, and popup windows for porn sites open constantly.
I could go on and on. Look, let's be honest with each other. We all know
this is true: IE is a buggy, insecure, dangerous piece of software, and the
source of many of the headaches that security pros have to endure (I'm not
even going to go into its poor support for Web standards; let that be a rant
for another day). Yes, I know Microsoft patches holes as they are found.
Great. But far too many are found. And yes, I know that Microsoft has
promised that it has changed its ways, and that it will now focus on
"Trustworthy Computing." But I've heard too many of Microsoft's promises and
seen the results too many times. You know, fool me once, shame on you; fool
me twice, shame on me. Who's shamed when it's "fool me the 432nd time"?
Who's the fool?
We're security pros, and we know the score. It's time. It's time to tell our
users, our clients, our associates, our families, and our friends to abandon
Internet Explorer.
A better browser: Firefox
On Monday, the Mozilla Foundation released its latest preview release of
Mozilla Firefox, available for download and ready to run. As most of you
probably already know, the Mozilla browser is great, but it's also a huge
software project, encompassing a Web browser, an email program, an address
book, a Web page editor, and much, much more. Mozilla Firefox is an effort
to pull out the browsing component, resulting in a faster, more focused, and
more innovative Web browser. And you know what? It's working.
I've been using Firefox for more than a year, and it's performed admirably.
I've experienced a little bit of bugginess here and there - after all, it's
just now getting to 0.9, with the full 1.0 release expected at the end of
the summer - but on the whole it's been just fine, certainly good enough for
full-time use. Its feature set is enviable: pop-up blocking, tabs,
integrated search, an awesome level of customizability, and excellent
support for Web standards. But it has really shone (as has the Mozilla
Project as a whole, actually) in the area of privacy and security.
All software has bugs, and none is totally "secure". As has been said so
many times, security is a process, not a product. So I'm quite aware that
Firefox has had security issues, and will have more in the future as sure as
the sun rises. But the record so far with Firefox has been positive.
Security issues are not common, but when they are found, they are openly
discussed and fixed quickly. This is very good, and security pros should
appreciate such responsiveness.
In addition to a good track record in the past, Firefox and the Mozilla
Foundation are taking a proactive approach to securing the Web browser in
the future. The privacy and security settings available in Preferences are
intelligent and effective, and the browser itself does not accept ActiveX
controls, a key vulnerability in IE. Firefox uses XPI files to install
themes, extensions, and other add-ons. Recently, new changes to the
browser's handling of XPIs were introduced, including a three second
countdown when installing XPIs, in order to give the user time to read the
dialog box, and an optional XPI whitelist, which will allow XPI
installations only from approved sites. Both are good ideas; in particular,
the latter should be enabled by security pros on the machines they oversee,
as it will greatly reduce the likelihood of miscreant installs (the link
above implies Firefox is not implementing the XPI whitelist; Mozilla bug
240552 contravenes this).
As people who care about security - and who so often work with people who
care nothing about security - it's our responsibility to spread the word
about a better Web browser that does not constantly compromise the basic
security of our computers and networks. Why is IE the most widely-used Web
browser on the Net? It's not because of quality, and certainly not because
it's better than the alternatives. In fact, IE hasn't really been improved
in years, and other browsers now offer far more innovative features and
capabilities. It's because Microsoft leveraged its monopoly to force IE down
the throats of users. And in a case of kicking users while they're down,
Microsoft has pledged to tie IE even closer to the Windows operating system,
guaranteeing plenty of security problems in the future.
It's all about the marketing. Microsoft owns the desktop, so they can bundle
IE with every copy of Windows. To combat that, security pros are going to
have to engage in counter-marketing. Sit down with the computer users you
oversee, and explain to them the security issues associated with IE, and the
benefits of moving to Firefox. If you need help, a short piece entitled "Why
You Should Switch to Firefox" may help. If you're feeling nervous about the
not-yet-finished status of Firefox, just wait a bit longer, and then start
evangelizing it, but be aware that lots of folks have been using it for
quite some time, happily and successfully.
I already know one of the objections I'm going to get in emails from my
readers: "My bank, fill-in-name-here, requires Internet Explorer to work!"
Let me deal with that point now, in an effort to reduce the email I'll get.
First of all, this problem is decreasing all the time. Several years ago,
many more Web sites were written to work with IE only, but now, thanks to
the efforts of the Mozilla Foundation, Opera, and Apple (who will actually
contact the owners of sites and help them to get their sites to work with
other browsers), coupled with the increasing awareness of Web standards
among developers, the vast majority of Web sites work in all modern
browsers.
Second, if your bank (or e-commerce site, or whatever site that matters to
you) doesn't work with Firefox, email, call, and write them (all three can
be an effective combination) and, in a polite tone, inform them that their
site isn't working and ask them to fix it. If a site does work in Firefox,
email, call, and write the owners and thank them. Positive feedback can do
wonders.
Finally, if you have to use IE, you have to use IE. But use it only with the
site(s) that require it. The people reading this are smart enough to use
Firefox 98% of the time, and then switch to IE when necessary. But is your
mom? Here's a suggestion for you to help Mom: install Firefox and tell her
to use that when she wants to "use the Internet." Rename the Internet
Explorer icon to "First National Bank" or whatever it is that Mom uses, and
change the home page to http://www.firstnationalbank.com. Then tell Mom that
Firefox is for the Internet, but there's a new program that's just for her
bank, and the icon is right on her desktop. When she gets done banking,
close her "bank program" and go back to Firefox. (Feel free to substitute
"Sue in marketing" for "Mom" above if necessary.)
I'm tired of vulnerabilities in Microsoft's Web browser that take over
computers, install spyware and God knows what else, and ultimately cause us
to spend hours cleaning up messes on the computers of clients, friends, and
family. How much money, time, and energy have we all spent fixing the
problems caused by IE? It's time for security pros - the folks that should
know better - to start dumping IE and start promoting Firefox, a better Web
browser. Enough is enough. How many times are we going to put out the fires
that IE starts, only to get stomped on, again and again?
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St.
Louis. He specializes in Internet Services and developing Web applications
for corporate, educational, and institutional clients.
Copyright © 1999-2004 SecurityFocus
########################################
......--.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
....|@_ @| Linux User Group Ischia ~
....|:_/ | LUG-Ischia ~
...// \ \ @:. info@lug-ischia.org ~
..(| | ) www:.www.lug-ischia.org ~
./'\_ _/~\ http://ischia.linux.it ~
.\___)=(___/~~~~~~~~~~~~~~~~~~~~~~~~~~~~