US govt warns users to avoid Internet Explorer until security flaw fixed

[Fred Zed]

Published Monday, April 28, 2014 8:40AM EDT
Last Updated Monday, April 28, 2014 1:58PM EDT
Microsoft’s Internet Explorer may not be best for exploring the Internet for the time being, as the company works to fix a security flaw that has left it vulnerable to hackers.
The U.S. Department of Homeland Security is recommending that Internet users “consider employing an alternative web browser” until the flaw is fixed.
In a statement posted Monday, the Department’s Computer Emergency Readiness Team (CERT) says that the flaw affects versions six through 11 of IE “and could lead to the complete compromise of an affected system.”


Read more: http://www.ctvnews.ca/sci-tech/u-s-...l-security-flaw-fixed-1.1795379#ixzz30DJYNYpi


http://www.ctvnews.ca/sci-tech/u-s-...-explorer-until-security-flaw-fixed-1.1795379

 

[danmand]

The us gopvernment does not want anyone to have access to your emails.

 

[IM469]

The us gopvernment does not want anyone else to have access to your emails.

Corrected your post.

 

[sauna1701]

Sounds like Microsoft may not even offer a fix for WIndows XP operating system. Anyone still on XP, and are you planning to stay or upgrade ??

 

[D-Fens]

People are still using XP? That's mindblowing

 

[Ms.FemmeFatale]

For people who are not aware -

1. Internet explorer {IE} is separate from your windows operating system. Meaning you can use Chrome, Firefox, etc. Just google them and download them and enjoy a much better surfing experience. IE should be the last browser you use.

2. Microsoft will no longer be offering support for Windows XP period. http://windows.microsoft.com/en-CA/windows/end-support-help

 

[Moderator]

For people who are not aware -

1. Internet explorer {IE} is separate from your windows operating system. Meaning you can use Chrome, Firefox, etc. Just google them and download them and enjoy a much better surfing experience. IE should be the last browser you use.

2. Microsoft will no longer be offering support for Windows XP period. http://windows.microsoft.com/en-CA/windows/end-support-help

Windows xp not protected even after fix stop using XP
http://www.cbc.ca/m/news/#!/content/1.2624032

 

[BlueLaser]

For people who are not aware -

1. Internet explorer {IE} is separate from your windows operating system. Meaning you can use Chrome, Firefox, etc. Just google them and download them and enjoy a much better surfing experience. IE should be the last browser you use.

2. Microsoft will no longer be offering support for Windows XP period. http://windows.microsoft.com/en-CA/windows/end-support-help

Firefox is the least secure browser on the market. It's a pile of steaming dung. Firefox is the last browser you should use.

Safari has had zero-day exploits that have been around, reported and upatched, more than 5 years and Apple denies any problems exist. It should be the second last browser you use.

Chrome works fine, but I suggest you actually read the Terms of Service before you do. They're pretty strict. The day google starts to enforce them is not a day I'm looking forward to (I use Chrome... but I know what it says and take great lengths to remain anonymous).

IE is just fine. The flaw was actually reported by Microsoft who have never been afraid to admit when there's a security problem. They actually patch their stuff. They are also the only major company that will pay a hacker to report a security flaw whereas most others refuse to and therefore the hackers find other ways to get paid (like actually taking advantage of the exploit). This latest flaw is actually very minor. I'd still use IE over Firefox with the current zero-day exploit. At the last hacker convention, Firefox was brought down in minutes using an exploit that's been around and we've known about for half a decade.

Windows XP is 12 years old. New technologies both security related and otherwise are missing from the core technologies behind it and can't realistically be patched in. Would you want to use a 12 year old computer? Same deal here. Upgrade and stop complaining. Apple routinely stops supporting an OS once the platform is 3-5 years old. The fact that Microsoft supports beyond a decade is already ridiculously generous.

My degree is in computing, I'm still active in the computing world (I develop Linux drivers and packages and am part of the security and cryptography teams for one of the major Linux distributions) and I use Microsoft when I'm not on my Linux box because it's the only company I can trust to actually fix their stuff. Treat Windows like any other operating system (use a user account not one with full administrative privileges and don't disable User Account Control) and even this latest flaw won't hurt you (it only allows user-level control, so with a user account and UAC on, it can't really do anything).

If you're really worried, there are various browsers made by actual security companies out there. Try Komodo's Dragon (based on Chrome) or IceDragon (based on Firefox), White Hat Security's Aviator, SRWare's Iron, or a non-name branded browser called Dooble. But be prepared for pages to render slowly and often incorrectly. In an effort to be flashy and appealing, the Internet 2.0 is filled with hacks and cut corners that mean very few things follow the standard.

 

[Sniper Jr.]

IE is just fine. The flaw was actually reported by Microsoft who have never been afraid to admit when there's a security problem. They actually patch their stuff. They are also the only major company that will pay a hacker to report a security flaw whereas most others refuse to and therefore the hackers find other ways to get paid (like actually taking advantage of the exploit).

Sounds like a convenient way for Microsoft to scare Windows XP users into getting a new operating system.

 

[BlueLaser]

Sounds like a convenient way for Microsoft to scare Windows XP users into getting a new operating system.

Put your tinfoil hat away, the flaw wasn't discovered by Microsoft, it was reported by Microsoft. It's a zero-day exploit. Zero-day means it's unknown to the manufacturer at the time it's referred to them. FireEye found it, submitted the information to Microsoft and Microsoft subsequently alerted the public and advised there's a patch on the way.

I get everyone thinks Microsoft is evil, but they're actually the most ethical of all the major tech firms out there and given that XP's lifecycle actually ended 2 years ago but Microsoft granted a 2-year extension for free, you can't blame anyone but yourself if you get exploited. Windows XP is older than the concept of an iTunes store for crying out loud. When XP was released, PCI Express didn't exist yet, Clippy the Office Paperclip mascot was just being phased out, bittorrent was just announced as a concept, SATA 1.0 was introduced and Pentium 4's (yes, not Pentium 5's) running 2GHz were the fastest on the market. And I can assure you that software technology, security technology in particular, advances faster than hardware.

Look at it another way....

If you run Mac OSX 10.1, will Apple provide you with any support today? No, they won't. What's even worse is that there are security holes in the current version of OSX that were reported back in the early-mid 2000's when OSX 10.1 was still being supported and just weren't patched, that have stayed in the code all the way through to the current version. So tell me, do you really not trust Microsoft in this environment? XP is a cesspool and it's only going to get worse. It lacks DEP and ASLR as well as any form of RBAC, all of which are core security technologies that would be non-trivial to patch in. Upgrade or deal with being an open door. Microsoft doesn't have to "scare" anyone, it's the reality of digital life.

 

[needinit]

People are still using XP? That's mindblowing

Lots of businesses stayed with XP - very stable compared to later versions and costs involved to upgrade has stopped them switching.

 

[DB123]

Meh...if a hacker wants to know who I asked "Hi, are you available this afternoon?" they're welcome to that information

 

[SkyRider]

Sounds like Microsoft may not even offer a fix for WIndows XP operating system. Anyone still on XP, and are you planning to stay or upgrade ??

Time to switch to Linux.
https://ca.news.yahoo.com/u-governm...internet-explorer-133750375--sector.html?vp=1

 

[Ms.FemmeFatale]

....

We are all entitled to opinions. I am going to simply agree to disagree.

 

[rhuarc29]

People are still using XP? That's mindblowing

Where have you been? There's still something like 30% of desktop computers using XP.

My workplace stayed mostly with XP. I put Windows 7 on my own work computer about a year ago when I realized they weren't going to do a company-wide upgrade. Our resident tech "experts" apparently said there was no need. Seems like a dumb decision to me.

 

[BlueLaser]

We are all entitled to opinions. I am going to simply agree to disagree.

Yes, you gave the opinion of an internet user... I gave you the opinions of security experts. If you don't want to give the opinion one of those two groups more weight, that's your business. If you want to use Firefox instead of IE, go ahead. But you may want to look into the results of various conferences and conventions like CanSecWest, AthCon, DEFCON and Hacktivity. The opinion of a neophyte to browser security should play second fiddle to the experts.

Here's an exert from one of the most exhaustive lists compiled at the end of a huge testing period. Yes, it's from 2010, but what's eyeopening is that you can run the exploits yourself and see that a lot of them still exist.

http://www.securityweek.com/dirty-dozen-list-top-desktop-applications-security-vulnerabilities

1. Google Chrome (76 reported vulnerabilities)
2. Apple Safari (60)
5. Mozilla Firefox (51)
8. Microsoft Internet Explorer (32)

You can also just listen to the experts themselves:

"No single test determines what browser is least secure," Randy Abrams, research director for NSS Labs, said. "However, the trend throughout the Pwn2Own contests combined with the current result does demonstrate that Firefox is significantly more exploitable than other browsers."

Randy is a well-known security expert that gives a myriad of talks as the aforementioned hacker conventions. I've listened to him talk more than once, the guys pretty switched on.

Large security research firms also agree. Sourcefire did a long-term study last year and found the top 3 most vulnerable software products that have a non-negligible market share were all Mozilla products, with Apple products coming in 2nd across the board, Microsoft 3rd and RIM 4th. And they weren't even close. For example, in the mobile phone OS market, Apple had 210 vulnerabilities, Android had 24, Windows 14 and Blackberry 11. The same nearly logarithmic charting of vulnerabilities exists in the browser market, with Firefox having 174, more than double the number found in IE over the same period. Their full report is available here:

https://info.sourcefire.com/25Yearsof_Security_Vulnerabilities.html

If you're so ingrained in your believe that firefox is better, maintain your opinion to the contrary of what all the experts say. It's no skin off my back. But don't think I'm not going to come here and provide the evidence that shows your opinion is severely flawed and obviously biased. Other people may take your opinion as fact and I would prefer to educate people and let them make an informed decision. If they still chose to stick with Firefox, I don't care. I have no stock in any of the major tech companies so it doesn't affect me in any way shape or form who gets the most marketshare.

 

[BlueLaser]

Lots of businesses stayed with XP - very stable compared to later versions and costs involved to upgrade has stopped them switching.

Windows 7 and 8 are very stable... I don't know where you get that XP is very stabled "compared" to them... Virtually every study comparing the two shows about the same number of faults and failures in XP and 7. They are at least as stable as each other with Windows 8.1 being more stable than both. The difference is that Windows 7 and 8 are better at reporting what caused the fault, making fixing it much easier for an educated user (like say an IT department).

 

[Ms.FemmeFatale]

Yes, you gave the opinion of an internet user... I gave you the opinions of security experts. If you don't want to give the opinion one of those two groups more weight, that's your business. If you want to use Firefox instead of IE, go ahead.

Thanks!

Enjoy the next Microsoft lunch-in, hope they compensate you well. LMAO

Sorry it seems to have pissed you off that I did not run out and change all my computing ways based on your "expertise"

For the record, I never once said that FIREFOX was the best. I do believe that for browsers from a users point of view IE is crap. From a designers point of view - let's not even go there, because my opinion is even worse. ALL browsers have security issues. It is up to the user to be informed and do what is best for them. If you noticed, I never even said which browser I use. Nor what my system is. I bet you think I am Apple fan don't you? LOL BTW - where is the government warning about the other browsers????? And all their security risks? Nevermind. I don't really care. Google is my friend. I know

NOW - as already said, I will agree to disagree. Clearly that is not something you are capable of, so please continue. I will not be bothered to read your next post in this thread but I am sure you will feel better having your say and that is all that matters my friend, right?

Have a great day.

 

[BlueLaser]

Thanks!

Enjoy the next Microsoft lunch-in, hope they compensate you well. LMAO

Sorry it seems to have pissed you off that I did not run out and change all my computing ways based on your "expertise"

For the record, I never once said that FIREFOX was the best. I do believe that for browsers from a users point of view IE is crap. From a designers point of view - let's not even go there, because my opinion is even worse. ALL browsers have security issues. It is up to the user to be informed and do what is best for them. If you noticed, I never even said which browser I use. Nor what my system is. I bet you think I am Apple fan don't you? LOL BTW - where is the government warning about the other browsers????? And all their security risks? Nevermind. I don't really care. Google is my friend. I know

NOW - as already said, I will agree to disagree. Clearly that is not something you are capable of, so please continue. I will not be bothered to read your next post in this thread but I am sure you will feel better having your say and that is all that matters my friend, right?

Have a great day.

So you ask me a bunch of questions, then say you won't read my post? Seems pretty rude. It'd also be rude not to answer. So I guess I'm in a pickle. In any case, it wasn't my expertise... I gave you Security Week, Randy Abrams and Sourcefire, but I guess you didn't bother to read. You were too busy assuming I'm on Microsoft's payroll to catch the fact that in the I didn't give my opinion at all, I was always citing someone else... citations you can verify, of people whose credentials you can review. I think that's a better source than "Ms.FemmeFatale said so".

Government warning about other browsers do occur. 2 years ago governments advised to stop using Firefox (except the US who it has now been revealed has been using Firefox loopholes to spy on user's activity even when users where using things like TOR to give them privacy). Those warnings were never repealed. Both the Indian and Israeli security apparatuses have been warning against Chrome for months now. If Google is your friend, why don't you use it? In fact, I took Google out of it - I gave you links to well-respected security firms and their detailed studies and analysis.

Where did I say you claimed Firefox was the best? You claimed IE was the worst, I simply pointed out that Firefox is worse than IE. I never said you mentioned anything about Firefox. Reading comprehension ftw.

I don't know why the browser you use matters. If you're savvy about technology, you know better than to go to weird links and get phished, so most security holes should be a moot point. Why do you think I'm still using IE on my phone? Because I think the security flaw is a myth? I don't. I'm sure it's real, I'm just not worried about it. I never mentioned which browser I use either (except just now when I admitted to using IE on my phone). Truth is, outside my phone, I don't use IE. I generally use Comodo Dragon on my desktop when I'm in Windows. On Linux I spend most of my time in the console and Lynx (a text-only browser) does the job just fine for me. When I am in a graphical environment, I usually just use Firefox on Linux because it's pre-configured on the distribution I work in. Security holes and all. But like I said, I know what I'm doing. I wouldn't recommend it to people that are worried about security. I went out of my way to recommend 4 browsers, none of which are made by Microsoft and all of which have a very solid reputation with experts for security... So why exactly do you think I'd be invited to a Microsoft lunch?

You can "disagree" all you want... But if you are of the opinion that IE is the last browser anyone should use, you're opinion is just plain wrong. You might as well be of the opinion that sky is fluorescent green or that the Sun revolves around a flat earth. It's an opinion that every security expert in the industry would tell you is wrong, over and over. Even if they use it themselves.

I mentioned it before, but you obviously lack reading comprehension so I'll say it again - I'm not trying to change your mind but others might read this thread and assume you know what you're talking about and follow your advice blindly. So don't take my pointing out how you're wrong as a sign that I'm trying to change your opinion... I'm trying to educate anyone who reads it. If you want to remain in a cubicle of ignorance with your fingers in your ears, that's fine. But like I said, I'm still going to correct you... And unlike most people around here, I'll correct you with links and the references I'm citing instead of just asking everyone to trust what I say as an anonymous user. I realize that's your view - that everyone should trust your opinion because they say so - but I hope Randy Abrams and Sourcefire are more compelling experts than you. And if they aren't, then frankly people deserve to be hacked.

 

[islandman4567]

Yes, you gave the opinion of an internet user... I gave you the opinions of security experts. If you don't want to give the opinion one of those two groups more weight, that's your business. If you want to use Firefox instead of IE, go ahead. But you may want to look into the results of various conferences and conventions like CanSecWest, AthCon, DEFCON and Hacktivity. The opinion of a neophyte to browser security should play second fiddle to the experts.

Here's an exert from one of the most exhaustive lists compiled at the end of a huge testing period. Yes, it's from 2010, but what's eyeopening is that you can run the exploits yourself and see that a lot of them still exist.

http://www.securityweek.com/dirty-dozen-list-top-desktop-applications-security-vulnerabilities

1. Google Chrome (76 reported vulnerabilities)
2. Apple Safari (60)
5. Mozilla Firefox (51)
8. Microsoft Internet Explorer (32)

You can also just listen to the experts themselves:

"No single test determines what browser is least secure," Randy Abrams, research director for NSS Labs, said. "However, the trend throughout the Pwn2Own contests combined with the current result does demonstrate that Firefox is significantly more exploitable than other browsers."

Randy is a well-known security expert that gives a myriad of talks as the aforementioned hacker conventions. I've listened to him talk more than once, the guys pretty switched on.

Large security research firms also agree. Sourcefire did a long-term study last year and found the top 3 most vulnerable software products that have a non-negligible market share were all Mozilla products, with Apple products coming in 2nd across the board, Microsoft 3rd and RIM 4th. And they weren't even close. For example, in the mobile phone OS market, Apple had 210 vulnerabilities, Android had 24, Windows 14 and Blackberry 11. The same nearly logarithmic charting of vulnerabilities exists in the browser market, with Firefox having 174, more than double the number found in IE over the same period. Their full report is available here:

https://info.sourcefire.com/25Yearsof_Security_Vulnerabilities.html

If you're so ingrained in your believe that firefox is better, maintain your opinion to the contrary of what all the experts say. It's no skin off my back. But don't think I'm not going to come here and provide the evidence that shows your opinion is severely flawed and obviously biased. Other people may take your opinion as fact and I would prefer to educate people and let them make an informed decision. If they still chose to stick with Firefox, I don't care. I have no stock in any of the major tech companies so it doesn't affect me in any way shape or form who gets the most marketshare.

thanks for the links, I've been under the impression that Firefox was more secure than IE for a long time due to reading a lot of posts saying IE was crap. I may have to do some more reading and re-assess things.