AndyMan 7 #1 July 2, 2004

Finally, some advice from Homeland Security that actually makes sense. You can download Mozilla here.

From Yahoo News

Quote:
U.S. Steers Consumers Away From IE
Thu Jul 1, 7:00 PM ET
Loring Wirbel, EE Times

The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft Corp.'s Internet Explorer.

The Microsoft browser, the government warned, cannot protect against vulnerabilities in its Internet Information Services (IIS) 5 server programs, which a team of hackers allegedly based in Russia has exploited with a Java script that is appended to Web sites.

The particular virus initiated this week inserts Java script into certain Web sites. When users visit those sites, it initiates pop-up ads on home and office computers, and allows keystroke analysis of user information. The target is believed to be credit card numbers. CERT estimated that as many as tens of thousands of Web sites may be affected.

CERT said vulnerabilities in IIS and IE could include MIME-type determination, the DHTML object model, the IE domain/zone security model and ActiveX scripts. Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines. The only defense may be completely disabling scripting and ActiveX controls.

Microsoft said earlier in the week it is working with law enforcement officials to identify the source of the latest Internet virus.

_Am__
You put the fun in "funnel" - craichead.

Luv2Fall 0 #2 July 2, 2004

What browser do you use? Thanks for the post... been having problems with JAVA script and thinking about scrapping IE... pretty convinced now.

kelel01 1 #3 July 2, 2004

We use Navigator. Is that ok?

Kelly

ManBird 0 #4 July 2, 2004

The vulnerability is in ActiveX, not IE. Active is used in ALL browsers on Windows. As a web developer, I have Netscape, Mozilla, Firebird, Firefox, Opera, and IE installed on my machine. And IIS is not a factor. It's a server-side technology, and has no connection to the way you browse. This leads me to believe that the person or people behind this advisory are biased against Microsoft.

If you want to avoid auto-running of ActiveX components, check or adjust your browser's settings, disable ActiveX, or don't use Windows.

BTW, I primarily use Windows (XP Pro), and I also am running Suse and Panther on two other machines. I've used Windows version 3.1, have been online since 1990 (BBS and then the web in 94), and have never used active anti-virus (occasional manual scans) or firewall software. I have never had a virus in fourteen years of connectivity. Best practices, not software gates, is what keeps you virus-free.

"¯"`-._.-¯) ManBird (¯-._.-´"¯" Click

AndyMan 7 #5 July 2, 2004

Navigator is good, but it's always smart to keep yourself on the most recent version available.

To answer Luv2Fall, I use Mozilla 1.7. Mozilla is often rebranded as Netscape.

_Am__
You put the fun in "funnel" - craichead.

ManBird 0 #6 July 2, 2004

What I recommend:

Windows: IE. Firefox behind that.
Linux: Firefox, hands down.
Mac: Safari. Believe it or not, I prefer Camino behind that (Firefox and Camino are nearly identical, but Camino has some innovative security features).

I think the Navigator-style Mozilla, on any platform, is slow as hell. Firefox is, IMO, the best Mozilla-based browser. I do stand behind IE on Windows as being the best browser around. It does EVERYTHING. It's a web developer's best friend.

And again, this warning is poo -- this attack affects ALL Windows browsers.

"¯"`-._.-¯) ManBird (¯-._.-´"¯" Click

AndyMan 7 #7 July 2, 2004

Quote: And again, this warning is poo -- this attack affects ALL Windows browsers.

???? Mozilla is not vulnerable to any of the CERT advisories mentioned.

A bigger concern is an exploit known as Download.Ject Exploit, which has been in the wild for over a month now, and Microsoft still hasn't released a patch. They've just announced one, but we don't know when it will actually circulate. Again, this exploit does not affect Mozilla on Windows.

More than take my word for it, please drop by www.us-cert.gov and read the advisories yourself.

_Am__
You put the fun in "funnel" - craichead.

Shotgun 1 #8 July 2, 2004

This article doesn't make much sense. First, they say this:

Quote: The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft Corp.'s Internet Explorer.

Then they say this:

Quote: CERT said vulnerabilities in IIS and IE could include MIME-type determination, the DHTML object model, the IE domain/zone security model and ActiveX scripts. Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines. The only defense may be completely disabling scripting and ActiveX controls.

So why would they be telling people to stop using IE when the problem exists in any browser using ActiveX controls or html rendering engines? And they don't say anything at all about which browsers they do recommend using... (they specifically say that Mozilla might not be any better).

AndyMan 7 #10 July 2, 2004

One more note: the CERT quotes above seem to be lifted directly from this advisory: http://networks.org/?src=cert:713878

Quote:
Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

Mozilla, which I recommend people use as an alternative to IE, does not contain any of the technologies listed above, like VBScript or ActiveX.

_Am__
You put the fun in "funnel" - craichead.

AndyMan 7 #11 July 2, 2004

Quote: So why would they be telling people to stop using IE when the problem exists in any browser using ActiveX controls or html rendering engines? And they don't say anything at all about which browsers they do recommend using... (they specifically say that Mozilla might not be any better).

I can see the article there is confusing. Typical government speak.

In another post, I linked to the original CERT advisory. If you're interested, that is certainly less confusing.

_Am__
You put the fun in "funnel" - craichead.

PhillyKev 0 #12 July 2, 2004

Quote: So why would they be telling people to stop using IE when the problem exists in any browser using ActiveX controls or html rendering engines?

Quote: Mozilla does not support ActiveX controls natively. A plug-in for ActiveX controls (which also works with Netscape 4.x) is in development, with limitations: it will not download or install controls itself, and it will only host controls that are already installed and marked safe for scripting, so it is not as insecure as ActiveX normally is. The current plug-in does not yet allow controls to be scripted.

Shotgun 1 #13 July 2, 2004

Quote: In another post, I linked to the original CERT advisory. If you're interested, that is certainly less confusing.

I went to that site (http://www.us-cert.gov/), but I am not finding anything telling people to stop using IE. Maybe I'm just missing it??? (I'm kinda slow sometimes.) I see a warning about IIS, and some vulnerabilities in IE (along with steps you can take to make it more secure)... but nothing specifically saying not to use IE, or which browser they would recommend using???

I'm really curious about this... I also use Mozilla, Netscape and Opera, but I honestly like IE the best at this time. But if one of the others is truly a lot more secure, then I might consider switching... I just haven't found anyone that can convince me either way yet.

Shotgun 1 #14 July 2, 2004

Thanks... Is that from Mozilla's website?

AndyMan 7 #15 July 2, 2004

Quote: I went to that site (http://www.us-cert.gov/), but I am not finding anything telling people to stop using IE.

click here: http://networks.org/?src=cert:713878

They list stopping using IE as one way of avoiding a particular attack.

_Am__
You put the fun in "funnel" - craichead.

newsstand 0 #16 July 3, 2004

Quote: The vulnerability is in ActiveX, not IE. Active is used in ALL browsers on Windows.

Says who? The only ActiveX NS 7.1 officially supports is the Windows Media Player and you have to set up your page slightly differently for it to work. For a short time I had a control my company built running under NS 7.1 but then it stopped working too. Mozilla, Firebird and the rest don't support ActiveX at all.

"Truth is tough. It will not break, like a bubble, at a touch; nay, you may kick it about all day like a football, and it will be round and full at evening." -- Oliver Wendell Holmes

nathaniel 0 #17 July 3, 2004

Quote: Mozilla does not support ActiveX controls natively. A plug-in for ActiveX controls (which also works with Netscape 4.x) is in development, with limitations: it will not download or install controls itself, and it will only host controls that are already installed and marked safe for scripting, so it is not as insecure as ActiveX normally is. The current plug-in does not yet allow controls to be scripted.

Ahh yes, the Evil Bit. And here I was thinking that was an April fool's joke.

nathaniel
My advice is to do what your parents did; get a job, sir. The bums will always lose. Do you hear me, Lebowski?

sburkart 0 #18 July 4, 2004

Quote: BTW, I primarily use Windows (XP Pro), and I also am running Suse and Panther on two other machines. I've used Windows version 3.1, have been online since 1990 (BBS and then the web in 94), and have never used active anti-virus (occasional manual scans) or firewall software. I have never had a virus in fourteen years of connectivity. Best practices, not software gates, is what keeps you virus-free.

I don't know if you're busting on my response from an older thread or not, but the above statement is pretty much along the lines of what I wrote, and I was pretty much wrong. Though I use a shell account for mail (PINE), I was still vulnerable to webpage-based attacks, i.e. that SOBIG dealie (IIRC) that was going around last year.

It took a bunch of freakin SKYDIVERS to show me the error of my ways. Outside of calling me socially irresponsible (that stung) their criticism of my madness, er, methods, was dead-on, and I now run a firewall and Avast! anti-virus software.