OT: If you're still using Internet Explorer....



Anthem
06-27-2004, 03:36 PM
You need to get off it. Check this article in the Washington Times (http://www.washingtonpost.com/wp-dyn/articles/A6746-2004Jun25.html):


A new Internet virus has surfaced that allows hackers to steal passwords, credit card numbers and other personal information when someone merely visits an infected Web site, government computer security experts warned this week.

Hundreds of Web sites have been targeted by the virus, which exploits flaws in Microsoft Corp.'s Windows Internet software, according to an alert issued Thursday by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.

...

Among the several Web sites hit by the virus, dubbed "js.scob.trojan" by one antivirus vendor, were the Web sites of the Kelley Blue Book automobile pricing guide and MinervaHealth Inc., a Jackson, Wyo., company that provides online financial services for hospitals and health care businesses.

Incidentally, there's a new version of FireFox (http://www.mozilla.org/products/firefox/) out... version 0.9. It rocketh. Auto-import of your IE bookmarks & passwords, safe browsing, tabbed browsing, fast browsing...

Snickers
06-27-2004, 03:48 PM
Hmm.... is FireFox as modernised [plugin, XML, Java, Macro compatible] as IE? I may give it a try. And what about Mozilla?

Hicks
06-27-2004, 03:53 PM
Hmm.... is FireFox as modernised [plugin, XML, Java, Macro compatible] as IE? I may give it a try. And what about Mozilla?

As best as I can tell, Firefox IS Mozilla. I'm not really sure what the difference is. I'm switching to Firefox for now, see if I can get totally used to it. I've had IE 6 and FF0.8 both for a while, and mainly used IE and then FF when I want to tab browse a lot of forums (an awesome feature).

But with this news of the virus stuff, and the fact that there's this new version, (0.9) what the hell; I'll give it a try as my default for a while.

Hicks
06-27-2004, 03:59 PM
Might I add, Firefly is GRRREAT for forum browsing. I have a mouse with a clickable scrollwheel, and when I use that to click on a thread, it starts loading on a new tab while I still see the list of threads on the forum on the original tab, so what you do is just go down and tab any and all threads you want to read, and they all load separately without taking you off the page, then by the time you're done with that, or at worst done reading the first thread you opened in a tab, the rest will be done loading in the other tabs. It's great for that.

Snickers
06-27-2004, 04:10 PM
I'm using FireFox right now. I think Mozilla is the parent corporation for FireFox, so they are the same thing, basically.

So far, I really like the tabbing feature. Keeps things a lot cleaner.

kerosene
06-27-2004, 04:32 PM
Firefox is a cut down version of Mozilla. Cut down as in quicker, not as much bloat.

MSA2CF
06-27-2004, 05:21 PM
Thanks for the update, Anthem. By the way, could you copy/paste the entire article? I have to register with the Post to read it. I'd appreciate it.

(Or was that the whole article?)

Pig Nash
06-27-2004, 05:25 PM
I use the SBC Yahoo browser. What is that, exactly?

TheSauceMaster
06-27-2004, 05:30 PM
I've been using Firefox for months, haven't used IE in god I forget how long. If you're gonna try Firefox I would recommend the 0.8... the newest one has some issues.

I love Firefox because of the built-in popup blocker and image blocking; if I don't like your avatar or signature I can block it from loading ;) and Kerosene is right, Firefox is a less bloated version of Mozilla. I believe Mozilla also has a mail client, which Firefox doesn't have built in, but there are programs you can get for mail.

TheSauceMaster
06-27-2004, 05:30 PM
I use the SBC Yahoo browser. What is that, exactly?

IE, I would bet :laugh:

MSA2CF
06-27-2004, 05:45 PM
Nevermind, I registered. :P

Pig Nash
06-27-2004, 06:11 PM
Might I add, Firefly is GRRREAT for forum browsing. I have a mouse with a clickable scrollwheel, and when I use that to click on a thread, it starts loading on a new tab while I still see the list of threads on the forum on the original tab, so what you do is just go down and tab any and all threads you want to read, and they all load separately without taking you off the page, then by the time you're done with that, or at worst done reading the first thread you opened in a tab, the rest will be done loading in the other tabs. It's great for that.

:lol:

Hicks
06-27-2004, 07:36 PM
Well, I can recommend Firefly, as well, another quality product, albeit a far different one :laugh:

Pacer4fun
06-27-2004, 08:25 PM
Hey, this firefox is really nice, thanks for the heads up.
:applaud:

skyfire
06-27-2004, 11:50 PM
I can also recommend Opera (www.opera.com) if you're looking to ditch IE. Shares a lot of the additional functionality that Firefox has and imho has a better, more customizable interface. But regardless everyone should ditch that insecure pos IE.

Anthem
06-28-2004, 12:19 AM
How odd. Following the link from slashdot gets the article, while typing it in gives me problems. Here it is, for those who don't slashdot.

Virus Designed to Steal Windows Users' Data
Hundreds of Web Sites Targeted

By Brian Krebs
Special to The Washington Post
Saturday, June 26, 2004; Page A01

A new Internet virus has surfaced that allows hackers to steal passwords, credit card numbers and other personal information when someone merely visits an infected Web site, government computer security experts warned this week.

Hundreds of Web sites have been targeted by the virus, which exploits flaws in Microsoft Corp.'s Windows Internet software, according to an alert issued Thursday by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.

Infected sites were programmed to connect people using the Microsoft Internet Explorer browser to a Web site that contains code allowing hackers to record what users type, such as passwords and credit card and Social Security numbers. The code then e-mails that information to the anonymous attackers.

Government officials would not identify the infected sites; computer security vendors said many have taken steps to fix the problem. In addition, most large Internet service providers have stopped forwarding Web traffic to the Russian Web site that apparently hosts the software that records what is typed, minimizing the theft of data, officials said.

Among the several Web sites hit by the virus, dubbed "js.scob.trojan" by one antivirus vendor, were the Web sites of the Kelley Blue Book automobile pricing guide and MinervaHealth Inc., a Jackson, Wyo., company that provides online financial services for hospitals and health care businesses.

Robyn Eckard, a spokeswoman for the Irvine, Calif.-based Kelley Blue Book, said the company learned about the problem late Wednesday after Web site visitors said their antivirus software tipped them off to the code. Eckard said Kelley Blue Book removed the malicious code from its site by late Thursday afternoon.

Jennifer Scharff, vice president of marketing for MinervaHealth, said some of the company's clients reported the problem on Thursday. The company has since fixed its site, she said. Scharff said no more than 50 visitors browsed the Web site during the time it was serving up the hostile code.

Stephen Toulouse, a security program manager at Microsoft, said the company does not believe the attack is widespread. "Nonetheless, we view this as a very real threat, with serious significance in terms of the potential impact on our customers," he said.

Toulouse said the company is gathering information on the attack and will hand it over to the FBI.

FBI spokesman Joe Parris declined to say whether the FBI is investigating the attack. "These types of Trojan horse attacks are not that uncommon, and we work closely with Microsoft in investigating matters of this type and always follow up on any information provided by industry," he said.

Security experts said the attack represents the latest variation on "phishing" scams, a form of fraud designed to trick people into giving personal data to criminals who have designed Web sites to look like those of respectable companies.

Ken Dunham, malicious code manager for iDefense Inc., a Reston-based computer security company, said he expects this kind of attack to become more widespread in coming weeks and months.

"These guys have the tools, techniques and motivation to launch highly sophisticated attacks that are very difficult for consumers to protect themselves against," he said. "Whoever is responsible has just seen how well this attack works, and other [hacker groups] are almost surely going to take notice."

Computer experts urged Internet users to install firewalls and antivirus software and to download the latest updates. A CERT alert said Explorer users also can protect themselves by turning off the JavaScript function in their browsers. That change, however, can impair Internet browsing since JavaScript is a programming language used to add interactive functions to many Web sites.

The attack takes advantage of several recently discovered security flaws in Microsoft's Internet browser and Internet Information Services Web software. Microsoft released a patch in April to fix one security hole in its Internet browser; the company is still working on a patch for the other flaw, which security researchers publicly detailed less than two weeks ago.

CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions.

Krebs is a staff writer for washingtonpost.com. Staff writer Michael Musgrove contributed to this report.

Anthem
06-28-2004, 12:28 AM
Also, a bit of clarification. Mozilla is the full-blown successor of the Netscape Navigator, which includes a browser, mail program, IRQ program, and newsgroup manager. Firefox is just a browser.

The FireFox browser, though, isn't quite the same as the one you'll find in Mozilla. Both are based on the same HTML rendering engine (Gecko), and the feature set is similar, but FireFox is a ground-up rewrite designed to be fast and flexible. The theme (http://update.mozilla.org/themes/?application=firefox), extension (http://update.mozilla.org/extensions/?application=firefox), and download managers are pretty cool, as well.

Besides tabbed browsing and an integrated popup blocker, the biggest thing I miss when I use IE6.0 is the text size tool. In FireFox, hitting <CTRL>+<+> at any time will increase the font size. I use it all the time when default fonts on my favorite pages look too small.

Natston
06-28-2004, 01:58 AM
I have been using firefox for several months and I will NEVER go back to IE... :devil:

Doug
06-28-2004, 08:49 AM
FireFox is great. I highly recommend it.

Zesty
06-28-2004, 09:01 AM
I tried Mozilla about a year ago and didn't like it at all, but I'll go ahead and give FireFox a try. Anything that works well and keeps me from having to use a M$ product is okay in my book.

EDIT: Just installed it and got the toolbars and stuff configured the way I want them, and while it seems to be a lot slower in rendering the pages, it kept that stupid sidebar from showing up when I came to PD, so that's definitely a good thing.
:applaud:

Natston
06-28-2004, 09:08 PM
Hey Zesty, it should run faster before too long.

Kegboy
06-28-2004, 10:48 PM
For those of you who haven't run off to a new browser yet, if you've been a good little Microsoft user and been running Windows Update (either manually or Auto), you have nothing to worry about. Microsoft put out a patch for this April 13th, over two months before the virus hit.
---
:duel:

Anthem
06-28-2004, 10:59 PM
For those of you who haven't run off to a new browser yet, if you've been a good little Microsoft user and been running Windows Update (either manually or Auto), you have nothing to worry about. Microsoft put out a patch for this April 13th, over two months before the virus hit.

Not really. Read the article again... "The attack takes advantage of several recently discovered security flaws in Microsoft's Internet browser and Internet Information Services Web software. Microsoft released a patch in April to fix one security hole in its Internet browser; the company is still working on a patch for the other flaw, which security researchers publicly detailed less than two weeks ago."

When CERT says you shouldn't use IE, then it's time to switch.

Kegboy
06-29-2004, 12:26 AM
When CERT says you shouldn't use IE, then it's time to switch.

Frankly, if you're worried about security, you shouldn't be touching a Microsoft OS with a ten-foot pole.


---
:duel:

Kid Minneapolis
06-29-2004, 12:42 AM
Yep. It's called "big dawg status." When yer the big dawg browser that 80% of people use, and you have millions of Microsoft haters that just hate because they aren't making the big cash and hate big corporations 'cause they're big, what you have is a browser that has a big, ten-mile wide target on it. Of course people find flaws in IE --- it's the browser most people "pick on." It's human nature, man -- take the strongest of a group and pick it apart...

With all its supposed security flaws, and as much browsing as I do per day using IE, I've *never* had a problem with anything that these articles scare up about. Microsoft gets it updated fairly quick.

I downloaded FireFox 3 weeks ago, thought to myself "COOL! I might switch!" And within a week found a handful of quirks with it that kinda annoyed me and I'm right back to IE. It's just more comfortable.

Tabbed browsing is nice, but it's going to be in the next version of practically every brand of browser, so no biggie. Pop-up blockers are in the new version of MSN messenger, which integrates right into IE. It's not that big a deal.

I copy and paste this post every 6 months when someone shouts "Look! A new browser! It's better than IE!" Seriously, it's not like you're "on to something" here.

I love when folks say "this browser is more secure" --- how the hell do you know that?!? Those folks have no idea the secureness of a browser, simply because they 1) haven't seen the source code and 2) wouldn't understand it anyway. If any other browser became as popular as IE, it would become the instant whipping post of browsers and all of a sudden "there's all kinds of security issues with it..."

blah blah blah

Anthem
06-29-2004, 02:33 AM
When CERT says you shouldn't use IE, then it's time to switch.

Frankly, if you're worried about security, you shouldn't be touching a Microsoft OS with a ten-foot pole.

Well, that's certainly true. That's the #1 reason my internet PC only runs linux. :devil:

Anthem
06-29-2004, 02:47 AM
Yep. It's called "big dawg status." When yer the big dawg browser that 80% of people use, and you have millions of Microsoft haters that just hate because they aren't making the big cash and hate big corporations 'cause they're big, what you have is a browser that has a big, ten-mile wide target on it. Of course people find flaws in IE --- it's the browser most people "pick on." It's human nature, man -- take the strongest of a group and pick it apart...

Myth. Microsoft's browser isn't the biggest because it's the best. It's the biggest because it bundled its browser with its operating system and used that to break internet standards.


I love when folks say "this browser is more secure" --- how the hell do you know that?!? Those folks have no idea the secureness of a browser, simply because they 1) haven't seen the source code and 2) wouldn't understand it anyway.

1. News flash. (http://www.mozilla.org/start/1.0/opensource.html)
2. They (http://www.us-cert.gov/) wouldn't understand?

TheSauceMaster
06-29-2004, 03:34 AM
I wouldn't recommend Firefox 0.9, it has a few quirks... 0.8 is the best til they get the new version fixed ;) There are many things Firefox can do but I am not gonna waste my time listing them. Some people will use IE even if they knew it was unsecure, and people don't like change a lot of times either.

I have a feeling if IE wasn't bundled with the MS OS it wouldn't be so popular, and at one time Netscape was the big king of the browsers.

able
06-29-2004, 07:04 AM
Well if you really think the "most use it so everyone finds holes" holds up, then re-think, it's the worst sales pitch ever, that must be the reason GM cars break down more often than Mercedes.

Read this if you think you are safe using IE:

Redmond's Butterfly Effect

Criminals are benefiting from an Internet Explorer that's so complex even Microsoft can't predict its behavior.

By Tim Mullen Jun 28 2004 12:00PM PT

Most of you have heard of a reportedly widespread compromise of an unknown number of clients through an unpatched vulnerability in Internet Explorer. The clients were owned by visiting commercial web sites that had previously been compromised by a yet undetermined method; the attackers dropping code onto those servers that customers would then launch when the site was visited.

While some speculate that an IIS zero day was used to own the servers, my guess is that the hosting boxes were not patched against a recent vulnerability (something like MS04-11). I would normally say "Hey, you should have been patched" and gone about my business. But this event is a bit different.

Here we had multiple vulnerabilities in IE, at least one spanning back months, which have remained un-patched by Microsoft. The culmination of the vulnerabilities allows for silent code execution on the client box: zones crossed, files downloaded, code executed, boxes owned. Microsoft's own little butterfly effect.

To be quite frank, this really, really sucks.

This event perfectly illustrates points that we in the security community have been making for quite some time -- attacks are getting more and more complex, and attackers are using multiple vulnerabilities to carry them out. It also represents what I consider a flaw in the way the IE security team looks at and rates vulnerabilities. The "mitigating factors" in these vulnerabilities have always been determined by looking at the problems in singularity. Things like "an attacker would have to be able to write files locally" or "this would only work if code was run in the Local Intranet Zone."
When Microsoft then uses these factors to schedule hot fix development and deployment, we find ourselves in the position we're in today: insufficient ranking is given to these vulnerabilities, attackers piggyback exploits together -- leveraging one against the other to fully compromise a machine -- and here we are sitting around with no patch available.

We shouldn't be meeting today with our admins discussing "work-arounds," we should be following up on how the patch rollout went.

Microsoft's Tunnelvision
The combination of compromised servers in this scenario also breaks the old "one would have to be coaxed into visiting a malicious website" factor. There is no "coaxing" here. To fall prey to this attack, you would simply have to use IE the way we've been told to use IE -- to look in on your Abba collection on eBay or check your Yahoo mail account. And users sitting behind a corporate firewall with AV running client-side would have fared no better.

The fact that XP's SP2 would have fixed this problem is nice to know, but it really doesn't help us much today. To be honest, I'm a little miffed at the fact that Microsoft was familiar enough with these issues to address them in a service pack beta, yet no patch was made available for our production systems.

Internet Explorer is an extremely complex work. I'm not really all that sure what to call it: Application? Browser? Development platform? Mini-OS? Given the innate complexity of zone settings, ActiveX object controls and the various scripting configurations, there is really no excuse for the way multiple vulnerabilities within a single product were handled with such tunnel vision, particularly when their combined exploitation has been exemplified on forums like Security Focus for months now.

I've been watching IE grow for years now, and while I'm aware of the tremendous effort put forth to make it a platform from which elaborate corporate development projects can be built, one has to question the need for such complexity in what most of us use as a Web browser.

Maybe it is time for an "Enterprise Edition" of IE to be developed in the same way that Microsoft has developed expanded capabilities into other products like Visual Studio and Visio. That way, those who need a complex development platform can have it, and the rest of us can have a nice, tight little browser to do with as we will. When it comes to my browser, it would be nice to be able to concentrate on Adriana Lima without having to worry about the likes of Adrian Lamo.

Regardless of what the future of IE brings, it is evident to me that given the events of today the IE security team either doesn't fully understand the security ramifications of its product, or the thing is so complex that it really does take over 10 months to patch a bug. Either way, it doesn't look so good.

--------------------------------------------
SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Pig Nash
06-29-2004, 10:49 AM
I just downloaded Firefox and I like it. The only thing I miss from my Yahoo browser are the Fantasy sports and Email buttons at the top, but that's ok. I just have to go to my homepage and then those places now.

PHC Fan
06-29-2004, 11:50 AM
Tabbed browsing is nice, but it's going to be in the next version of practically every brand of browser, so no biggie.

Mozilla has had tabbed browsing for at least a year and a half. If MS were going to add it, they probably would've done that by now. (or maybe it's taking them a while to "develop" it.... bwahahaha!!!! sorry, I couldn't type it without busting out laughing!)

Merz
07-01-2004, 01:05 AM
I recommend Opera for anyone who wants to change from IE

Anthem
07-01-2004, 02:35 AM
Well, I wasn't going to bump the thread, but since Merz already did, here ya go. Another NEW IE exploit. Interestingly, this is a "zero-day" exploit, meaning that the flaw was discovered in the wild before it was found by security researchers.

http://zdnet.com.com/2100-1105_2-5253112.html

A virus that essentially sits between the PC and the wall and reads/records your banking information before it goes out on the internet. Microsoft fixed this problem six years ago, but a recent patch reopened the vulnerability.

Also, FWIW, Mozilla has released firefox .91 to clean up some bugs in the extension manager in .9. I'm still using .8 (which is rock-solid) and probably won't switch until 1.0.

PacerMan
07-01-2004, 03:53 AM
yeh, got it. So how do I 'tab' ?????????

able
07-01-2004, 03:55 AM
yeh, got it. So how do I 'tab' ?????????

Try ctrl-T

PacerMan
07-01-2004, 10:53 AM
yeh, got it. So how do I 'tab' ?????????

Try ctrl-T



danke'

PacerMan
07-01-2004, 04:56 PM
Ok, I'm using it and I like it. Not much to change and anything not MS is ok with me.
But how are the tabs across the top different or better than the tabs across the bottom in IE? (and foxfire. Why the redundancy?)