Article: Windows web Threat.

[Mychael]

In today's main newspaper ( Australian Herald/Sun) it reads:

Microsoft has issued a "critical" security alert that affects it's 900 million people using its Internet Explorer Web Browser.
The computer giant warned of a newly discovered flaw in Windows that could be exploited by hackers to steal personal details or take over computers.
The glitch is so severe it potentially affects every user of Internet Explorer.
Firfox, Google Chrome and Safari are unaffected because, unlike Internet Explorer they don't support MHTML files, where the problem lies.
The loophole only seems to affect the way Internet Explorer handles some web pages.
Internet Explorer users are urged to download a patch to stop any potential attach.
The company has been unable to remove the bug itself and has issued a "fix it" security patch to block any attempts to use it.
All Windows users are urged to download the patch while the companys secuirt team works on a permanent fix.

 

[lonewolfmage]

Source needede

Mychael~

Can you provide a source link to this so it can be checked ???


That would help immensely .. i'm sure ..

Just a suggestion...

~LoneWolf

 

[Nibiru2012]

Again, just when we thought IE was getting it's act together, another monkey wrench gets thrown into the machinery.

Another reason to stick with either Firefox or Opera, in my humble opinion.

 

[Mychael]

Try heraldsun.com.au That's the web page for the newspaper but I don't know how much of the daily news is accessible.
However we are talking about the major daily newspaper here, not that they cant be mis-informed but I think they'd be pretty careful checking out a story like that.

 

[davehc]

Here is the newspaper article for the Brits:
http://www.dailymail.co.uk/sciencet...ects-900m-people-using-Internet-Explorer.html

Plenty of others if you search!

This is the patch:
http://support.microsoft.com/kb/2501696

 

[catilley1092]

I knew that IE9 was simply too good to be true. Well into it's beta stage, the browser one day quit responding at least five times. I simply removed it and stuck with Firefox, now at 3.6.13, and their beta is 4.0 Beta 10.

However, unlike the other betas of Firefox, I've shied away from it. The screen doesn't even appear to look as clear, and it still has a way to go before going mainstream. But 3.6.13 rocks! It's hard to beat it's options, performance & security.

Opera is looking better and better with every release, if IE was removed from Windows altogether (we no longer need it for updating), Opera outperforms IE hands down. But with the steep competition that Firefox & Chrome gives, it's going to be tough for Opera to climb very far.

As far as IE goes, it's always going to be a security threat, no matter what, as they don't have enough add ons to offer to secure the browser. That's just the way it is, and the way it'll always be. Where it not for the fact it's force fed by being built into Windows, it's usage figures (very doctored) would drop as fast as the stock market did on Black Monday in the late 80's.

Cat

 

[davehc]

It is actually IE8 which is mentioned, Cat.But maybe IE9 (Beta) is affected for those who are testing it.
In defense, sort of, anything produced by Microsoft is , to hackers, like dangling a fish in front of a cat. Microsoft, imo, is not weaker in its security, just more tempting to Hakers.

 

[Mychael]

M/S is certainly a bigger target. Linux probably has friends 'cos it's free.
Apple is getting very big and have a lot of product placement yet so far they have by and large been immune to serious hacks whilst M/S has pretty much been under attack in one form or another since Windows 95 and the internet.
Be interesting to see the future and if Apple O/S becomes more of a target.

I think it may partly be because M/S is more the faceless corporation and has 'users' as opposed to true fans or followers like Apple and Linux. Being the biggest and being liked are not the same thing and I could be wrong but I would doubt if M/S has any 'friends' in the way Apple or Linux does.

 

[Core]

Good to know; thanks for the info.

I've only used IE once on this install, and that was to download Firefox. I don't foresee IE9 changing this either, based on what I've read about it.

 

[Digerati]

just when we thought IE was getting it's act together
I knew that IE9 was simply too good to be true.

This is a bug in Windows - not IE.

 

[catilley1092]

This is a bug in Windows - not IE.

It very well be be that, but the issue only arises when using IE.

Firefox has enough extensions to keep me safe, if you use the NoScript to your advantage, it'll keep you safe, as long as you're using safe computing practices.

If IE had such a tool, as powerful as NoScript, perhaps IE wouldn't be hit so hard. But it's not going to happen, MS would be better off spending it's cash on it's better products, like Windows & Office, and just let us choose our own browser.

Then, we would see how "popular" IE really is.

Cat

 

[davehc]

You could look at the better side of the issue, and thank Microsoft for being alert to this?
But, a couple of facts. From Microsofts own security pages of January 28:

"At this time, Microsoft has not seen any indications of active exploitation of the vulnerability."
(MS quote it as affecting several of their releases but, of course, would not mention Linux or Apple vulnerability.)

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems**
Windows Server 2008 R2 for Itanium-based Systems"

Before criticising MS too much, most browsers support MHTML, with add-ons, but not in their default state.

Digerati is correct, that it is the OS, but it is the browser that allows the attack in the first instance. There has been no mention that this is a problem for Linux or Apple. But in the case of the former - why not? it is open source.


But: Ms Quote:
"An attacker who successfully exploited this vulnerability could inject a client-side script in the user's Internet Explorer instance"
IMO. At this time, it is much ado about very little. It looks like the vulnberability is understood and is being taken care of.

.

 

[Digerati]

If IE had such a tool, as powerful as NoScript, perhaps IE wouldn't be hit so hard. But it's not going to happen, MS would be better off spending it's cash on it's better products, like Windows & Office, and just let us choose our own browser.

Sorry, but that's a ridiculous statement on many fronts. You are obviously not an ignorant person so I question your motives for making statements like that. It seems clear it is simply to bash MS and tout Firefox. Statements like that (1) fuel ignorance, (2) leads to irrational and unfounded blame and Microsoft/Windows/IE bashing, and (3) mislead the even less informed!

I have nothing against bashing Microsoft when due and I am often right their dishing it out in those cases. And certainly, they have brought a lot of bad attention on themselves by their actions (or inactions) over the years. But let's get the facts straight before passing ill informed judgement:

1. Users have been able to disable Active Scripting in IE since IE3! - yes 3 - from within IE, or with add-ons. (MSKB Article 154036)
2. Microsoft is constantly improving Windows and Office - especially Windows with Win7 being, by far, but the best and most secure Windows yet.
3. You can choose your own browser.
4. NoScript is an extension. It was NOT created by Mozilla and it is NOT included in Firefox. It was created by the folks who saw a deficiency in Mozilla based browsers.
5. Firefox continues its trend of having the most reported vulnerabilities while IE 8 and 9 (through concerted efforts, funding and R&D by Microsoft) continue their trend of being the most secure browsers.

NSS Labs - Socially-Engineered Malware Protection,
Firefox Tops Vulnerability List 2009,
Internet Explorer is THE MOST Secure Web Browser.​

Before criticising MS too much, most browsers support MHTML, with add-ons, but not in their default state.

Right. And note that Microsoft is not denying it. In fact, Microsoft issued the alert almost immediately. It is the IT media and MS bashers that once again, are sensationalizing this into the threat of the century. This again is simple Microsoft bashing by unprofessional so-called journalists. Look at what is being said,

Microsoft just said that the bug is inside Windows, presumably because they don't want users to migrate to other browsers.

They said it is inside Windows because it is inside Windows. But also note the first FAQ of that alert where it clearly says, "This vulnerability manifests itself in Internet Explorer.". That's hardly hiding it. davehc is correct, ALL browsers support MHTML in one form or another, either directly or via extensions/add-ons.

The threat is rated as serious, not critical. I am not trying downplay "serious" but it seems some are trying to blow it out of proportion. It is important to understand and to put into perspective that a vulnerability does not mean exposure. Look at it as an open lock box in your closet. A bad guy first must know it is there. He must then get past your perimeter defenses (firewall and router), past your burglar alarms and guard dogs (anti-malware), and then be able to escape with the goods after he gets his hands on them.

Firefox has enough extensions to keep me safe, if you use the NoScript to your advantage, it'll keep you safe, as long as you're using safe computing practices.

Again, I question the motive for such a statement. The truth is, virtually ALL browsers can be made safe, and practicing safe computing is a prerequisite to keep safe regardless the browser or OS of choice. That statement implies that only Firefox can be made safe and that using some other browser will make you unsafe. Simply NOT true!

 

[Digerati]

I should also point out that Microsoft has provided a simple "lock down" fix for this. It does not force a reboot either.

http://support.microsoft.com/kb/2501696

 

[Nibiru2012]

Here's a handy article I found at TechRepulic.com. It offers FIVE separate testing websites for web browsers, each working in subtle different testing methods.

I tried #1 and #5, both worked well. Firefox beat out IE8 in #1 and #5. Interesting to say the least!

Five tips for testing Web browser security


Here's the test from BrowserScope for the Firefox v3.6.13

Here's the test from BrowserScope for IE8:

Y'all can try the other and see what you think.

 

[Digerati]

And there are similar tests that show Safari is best and others that show Chrome is best. Name a browser and you will find a test that puts it at number one. And again, a vulnerability does not mean exposure, or that you will be compromised.

Internet Explorer is the Safest Browser
Safari is the Best Internet Browser
Opera Best Browser
Chrome beats Firefox and Internet Explorer
Firefox Is Best
Flock: Best Browser

This is not about which browser is better.

If you keep your systems updated and patched, scanned with a current scanner, blocked by a working firewall (and preferably a router with NAT), AND you, the user, the weakest link, avoid risky practices like visiting "illegal" porn and gambling sites, P2P and Torrent illegal file sharing, opening attachments and downloads without first scanning, or clicking on unsolicited links - in other words, if you practice safe computing, you will remain safe regardless the browser of choice.

 

[Nibiru2012]

If you keep your systems updated and patched, scanned with a current scanner, blocked by a working firewall (and preferably a router with NAT), AND you, the user, the weakest link, avoid risky practices like visiting "illegal" porn and gambling sites, P2P and Torrent illegal file sharing, opening attachments and downloads without first scanning, or clicking on unsolicited links - in other words, if you practice safe computing, you will remain safe regardless the browser of choice.

Regarding computer security and browsers, truer words were never spoken!

I was just showing the discrepancies about various tests in my previous post.

Digerati has most definitely pointed out the obvious. I knew he would respond as such because he does know his stuff!

Of course, as most users here know, I'm usually stirring the pot anyway.

 

[Core]

Please don't irritate the angry duck any further. His rants give me a headache.

MSIE is the best, safest browser. Arbeit macht frei.

 

[Digerati]

Rants? Headaches? Well, okay. Nothing says you have to read them. Relentless and opportunistic MS bashing especially when coupled with Firefox fanaticism, give me headaches. And they turn into throbbing migraines and yes, frustration, if not ire when the bashing is rationalized, over and over again, with false information.

You don't see IE users bash FF and Mozilla every time there is another (and there have been plenty) critical flaw found in FF. The "Firefox is safe, IE is not" ship sailed and sunk a long time ago.

This is a flaw in Windows, the operating system. It affects all browsers to one degree or another. Microsoft has acknowledged it, accepted responsibility for it, and has produced a fix for it that you can apply if you feel the need urgently affects you. Or you can wait for Windows Update to come out with the update that Microsoft is working on and expects to release soon.

 

[davehc]

This is no longer productive. Close the thread?