Surprise.
April 17, 2002 6:47 PM

Surprise. Another gaping hole in Internet Explorer. This one's pretty alarming. Mozilla, anyone?
posted by dr_emory (48 comments total)
 
Surprise no. Mozilla yes. Obligatory pro Opera post. Obligatory anti Opera adware flame.
posted by nedrichards at 6:51 PM on April 17, 2002


There's a related link at Slashdot.org, but I'm too lazy to post it.
posted by dr_emory at 6:51 PM on April 17, 2002


I have no problem with adware when it's right there in front of me (none of that Kazaa BS) and it provides a free service...I'm not paying for Opera, so I ain't complaining.
posted by jmd82 at 7:03 PM on April 17, 2002


Well considering their definition of vulnerability, it's a wonder this shit gets fixed at all. This is one of the more headache-inducing spin jobs I've read in a while.
posted by KevinSkomsvold at 7:09 PM on April 17, 2002


Pay for Opera? Yep, I did. Not just to get rid of the ads but as a "thanks" for the work they're doing.
posted by NsJen at 7:18 PM on April 17, 2002


Aside from their recent support of flashy CSS tricks and whatnot, another great thing about Opera is the way that the UI lets you have a lot of windows open without cluttering your desktop. It also makes it easier to get popups out of the way.
posted by paddy at 7:21 PM on April 17, 2002


ICAB

I just stopped using mozilla. Wait for v.1
posted by Settle at 7:21 PM on April 17, 2002


The exploit does not work on Macs with current versions of Explorer, or in Mozilla or Opera browsers.

obligatory "think different" comment
yeah, Settle, iCab!
posted by Dean King at 7:23 PM on April 17, 2002


I actually like the Middle East posts but I really don't like the gleeful anti-Microsoft bug reports. But since it is here I will throw in my two cents.

The anti-Microsoft crowd and alternate browser advocates are really arguing for security through obscurity when they trumpet an IE bug and recommend a browser switch. While there may be fewer bugs reported in the mainstream press for Mozilla and Opera is there anyone who thinks these programs are perfect?

I will assume (perhaps incorrectly) that nobody believes this. So if all browsers have bugs (some more than others - it is a complicated empirical question) which browser do you use? The one that receives the most testing, scrutiny, and published bug reports or the ones that are used by so few people that media sources barely know they exist, never mind care about publishing stories on possible exploits?

I haven't seen any posts about security failures in Mozilla. Is that because there are none? Or is it because nobody feels like throwing a rock at David, only at Goliath?

The open source projects are quite impressive. I have run an Apache server and dabbled in Linux but I have always thought the open source advocates were either kidding themselves (and us) or outright lying when they trumpeted bugs in their competition while not mentioning their own. There are no security bugs listed in Bugzilla (for security reasons of course) but a quick check shows there are 14,117 active bug reports just for the browser.

Ironically, Mozilla has a reference to the "It's not a bug, it's a feature" line.

WONTFIX
The problem described is a bug which will never be fixed, or a problem report which is a "feature", not a bug

posted by srboisvert at 7:36 PM on April 17, 2002


Here's the test at /.

While there may be fewer bugs reported in the mainstream press for Mozilla and Opera is there anyone who thinks these programs are perfect?

no, of course not. iCab, for instance, is beta and breaks on some css (and some flash). it's worth it to me, though, for all the cookie/javascript/image filtering.
posted by Dean King at 7:42 PM on April 17, 2002


sorry, from the article: "a Slashdot reader"
use at your own risk?
posted by Dean King at 7:43 PM on April 17, 2002


Actually, srboisvert, this exact same bug was found in Mozilla, last June. It's bug number 88167. It was found and fixed within a week. Microsoft has known about this problem since November, and it's still not fixed. The reason you don't see posts about security holes in Mozilla is because they get fixed very, very quickly.
posted by mr_roboto at 7:53 PM on April 17, 2002


It also makes it easier to get popups out of the way.

F12, Refuse Popup Windows. Gets rid of popups completely. :-)
posted by five fresh fish at 7:55 PM on April 17, 2002


Or is it because nobody feels like throwing a rock at David, only at Goliath?

I understand your sentiment but I have and probably always will use IE. No offense to Opera or Mozilla users but I just haven't been compelled one way or another to switch. My beefs with Microsoft have to do more with my daily dealings with them regarding OS fixes in general and their attitude which seems, maybe rightfully so, more surly and abrupt.
posted by KevinSkomsvold at 7:57 PM on April 17, 2002


I didn't mean to sound "gleeful" in my post about the hole in Internet Explorer. However, I do find it kind of remarkable that Microsoft seems kind of smug about security, when in reality their software (for whatever reason) seems to be less secure than some of the alternatives. I realize that this may be simply due to the fact that MS is Goliath so they are subject to greater scrutiny by bug-hunters; the fact remains that people should know about this so they can take appropriate precautions.

And you're right--Mozilla might suck worse than IE. But that's not what I mean by "Mozilla, anyone?" What I mean to do is remind people that you aren't bound by law to use MS products. From a layman's perspective, Microsoft engages in anti-competitive and probably illegal tactics to get people to use their products. That means I don't really have to feel sorry for them when something goes wrong for them.

Anyway. The only reason I posted this is that this is a HUGE hole and it is probably interesting to your average computer user as well as your tech-geek. I'm not trying to turn this into Bugtraq for IE. Blech.
posted by dr_emory at 7:59 PM on April 17, 2002


So arrogance has a price.
posted by onegoodmove at 8:18 PM on April 17, 2002


The problem with IE is that it's the Windows shell. If they weren't using it as a shell I don't think these flaws would be so serious. At least that's why I understand the Mac isn't affected. Too bad Mozilla can't run multiple instances because then you'd be able to use it as a (partial?) substitute for IE. I found out first hand just how tightly IE is integrated with the OS when I updated, emptied my temp folders, THEN rebooted. Try it. You won't like it. I had no idea until I had this experience. Personally I prefer UNIX and Mac (now virtually the same thing) but I don't think it's fair to say that a set of shells and utilities are inherently more secure or worry free than any other approach. Each has their inherent limitations and appeal. I just wish MS would either make it open source, or make it a distinct product from the DEFAULT shell that is generally imposed on everyone. BTW has anyone used that bash on Windows thing (can't remember the name at the moment)? Or can anyone expand/correct my comment on shells with respect to browsers/browser OS integration?
posted by greyscale at 8:19 PM on April 17, 2002


The problem with IE is that it's a pain in the ass. Opera's mouse gestures and click-combinations are vital, and its bookmark handling is leagues better. Not to mention its cookie handling and handy-dandy F12 popup that lets you turn off Javascript, GIF anim, etc., at the blink of an eye.

For a shell, I use geOShell. Works like a charm. Loverly clean desktop, one-click access to all my most-used applications.
posted by five fresh fish at 9:20 PM on April 17, 2002


greyscale: Maybe you mean cygwin. I use it occasionally. As far as my minor experience tells me, it has to always run inside a DOS box, so it lacks the convenient resizing and so forth that you get with 'real' unix GUI shells. It's a shame, cuz all the tools are there and work just like you'd expect them to, but I hate not being able to resize my window while in vi, for instance.

And one problem with removing IE from being the shell is that it probably wouldn't load quite so fast, which is basically the only thing keeping me from going to Mozilla and Opera.
posted by paddy at 9:22 PM on April 17, 2002


Hrm, the antivirus software my University forced me to get seems to stop this from doing anything. Interesting.
posted by delmoi at 9:25 PM on April 17, 2002


The problem with IE is that it's a pain in the ass.
Huh? Support? MS irritates me plenty. Possibly more than most, as I have a mutant ability to crash software in the most spectacular ways possible. Remember Microsoft saying that XP doesn't have a BSOD? It's a lie. And it only took me half an hour to make it happen.
Anyways, where does this come from? Your following statements are tangential.

Opera's mouse gestures and click-combinations are vital
To Opera. If you want gestures for IE, and/or your entire system for that matter, there are plenty of separate utilities that will provide this for you. Browsers must browse, and that is all. This is like saying MacOS' windowshade feature is vital. Windows users have never had it, and just say Eh. If they want it, they get Windowblinds or somesuch.

Its bookmark handling is leagues better.
Purely subjective. I hate tabbed browser interfaces, and that makes Opera a pain in my ass.

Not to mention its cookie handling
I don't consider "cookie-handling" a browser feature. If you want this, again there are utilities that probably do it better than anything built into a browser. Cookies are supposed to be transparent to the user. The only reason this has become an issue is abuse from site developers. It shouldn't have to be the browser programmer's responsibility.

I'll concede that the F12 pop-up is handy, but eh. Popups are annoying, and while it would be nice to turn them off that easily, I accept them, like TV commercials, as the price for using the medium.
posted by Su at 12:51 AM on April 18, 2002


ICAB
iCab would be so much nicer if the developers gave up on trying to build their own rendering engine and just used Gecko. I'd pay for the rendering ability of Mozilla and the interface of iCab.
posted by darukaru at 3:55 AM on April 18, 2002


Heh. I read Su's last sentence as "People are annoying, and while it would be nice to turn them off that easily, I accept them[...]" I agree either way. ;)
posted by MiguelCardoso at 4:01 AM on April 18, 2002


Op-er-A! Op-er-A!

I've been hooked on Opera for about three months now, and I can't see myself going back. It's SO FRICKIN FAST. If you don't want to spend the money, and the ads bother you that much (which they won't after a while. you tune them out pretty quick), you can surf in "full screen" mode, using mouse gestures and right-clicks to navigate.

You can also turn off pop-ups with 2 mouse clicks. w00t!

The preceding has been a message from the jpoulos-for-opera campaign. jpoulos is in no way affiliated with opera, but thinks you should get it today. operators are standing by.
posted by jpoulos at 5:55 AM on April 18, 2002


What jpoulos and others have said - if you haven't already done so, give Opera a try. I love it and have paid them for it.

As for the 'microsoft is more visible and that's why their bugs get reported more frequently' sentiment....feh. Microsoft is actively engaged in trying to obscure the reporting of security issues in their software. The open source folks have a much better record of reporting and fixing bugs as they occur, not months later. I don't buy the 'they're more visible' sentiment. They deserve to get lambasted for their bugs - if they don't, history shows us that they simply won't fix them.
posted by Tempus67 at 6:19 AM on April 18, 2002


I used Opera years ago. Hated it. The interface constantly grated on me, especially the inability to alt-tab between sites/pages, as my standard browsing mode is to spawn off as many as a dozen or more pages and then go read them.

It pleases me enormously that MS has caught on to the utility of this approach with Word, etc., as well.
posted by NortonDC at 6:46 AM on April 18, 2002


There was actually a good suggestion on the 2nd page of the article, if anybody read that far: install Windows on a drive other than C:. Yes, it's the simplest form of security through obscurity, but since most malicious hacks work only because they know to look in standard locations for particular files, a simple little thing like a D: drive could save you a lot of hassle.
posted by ook at 7:25 AM on April 18, 2002


I agree with NortonDC. I open browser windows with a right click--right now I've got 12 browser windows open--and shut them when I've finished with each one, so I hardly ever use the "back" feature. As a result, I couldn't get used to Opera. Plus I'm too old to learn new key codes. But MS certainly does suck.
posted by phartizan at 9:36 AM on April 18, 2002


Su: I hate tabbed browser interfaces, and that makes Opera a pain in my ass.

Then Opera 6.0B2 won't hurt you're hindquarters because it gives you the option to run within a single window or to run in separate windows. You can middle click on links to open a new window and alt-tab between them. So, NortonDC and phartizan, what don't you like about Opera now?
posted by jaden at 9:58 AM on April 18, 2002


Doh - I meant "your" not "you're".
posted by jaden at 9:59 AM on April 18, 2002


jaden - Other than that it costs an infinite percentage more than other browsers, I don't know, because I haven't touched it in three years.
posted by NortonDC at 11:02 AM on April 18, 2002


Er, right, then, you're speaking from a position of near-complete ignorance then, eh? Vunderbar.

The hurdle with Opera is learning a new UI. Once learned, it turns out to be an order of magnitude better than the one MSIE has. This makes browsing far more efficient for me, allowing me to accomplish more in less time.

Makes it a winner in my books.
posted by five fresh fish at 12:08 PM on April 18, 2002


five fresh fish - Er, right, then, you're speaking from a position of near-complete ignorance then, eh?

No, I'm willing to bet that I know a hell of a lot more about my experiences with Opera than you know about my experiences with Opera. Luckily, my experiences with Opera are all I spoke to. Note the past tense, and let English be your friend.
posted by NortonDC at 12:38 PM on April 18, 2002


ook, the only problem with running Windows from a D: drive or whatever is that if you add another hard drive you are screwed. That second drive will bump back your Windows drive and you won't be able to boot up with it in. Damn you Fdisk! Damn you to partition hell!
posted by Apoch at 2:40 PM on April 18, 2002


NortonDC: Other than that it costs an infinite percentage more than other browsers, I don't know, because I haven't touched it in three years.

An infinite percentage? I'm not sure if I understand what you mean there. Monetarily, it's free. In the context of system usage, it doesn't use more (if anything, less) resources than other similar browsers. It's a relatively small download (5MB). What other costs are you referring to?

I recommend you try it again as it's improved a great deal since your first experience with it. Who knows, you might just like it.
posted by jaden at 2:59 PM on April 18, 2002


"So, NortonDC and phartizan, what don't you like about Opera now?"

Look, people, couldn't we have just left it to what nedrichards said? For the most part, IE users have been hearing about security holes for so long it's like white noise (I'm not saying that’s good, but it's a fact). I have been using it as my primary surfing browser for years, and have never had a problem with it. I like it because it often lets me do fun stuff with code years before the other browsers. html+time, vml, even when they aren't adopted there is rarely anything lost in learning them because now we have smil, and svg, which are very similar.

Hence, what browser you like using is very personal. Yes people get so steamed up about it, it's like they are talking about sporting teams. You can only tell people which browser is good for you, not what they would like. Yes, you can tell them to try another, but if they are happy with what they are using they are unlikely to do so.

The Opera evangelism is bordering on creepy, seriously ;)

If you are really happy with the security of Mozilla, or Opera, you should be yelling at us "These browsers suck, stay away" Because if they ever get as many users, then to some extent, they will have more security problems.

"What I mean to do is remind people that you aren't bound by law to use MS products."


You're joking, right?

Bottom line (let's keep things simple here) is that the MS people are too complacent about security, and need to greatly simplify the instructions on their download page for bug fixes.
posted by lucien at 4:01 PM on April 18, 2002


jaden - An infinite percentage? I'm not sure if I understand what you mean there.

Opera costs $39.00. IE costs $0.00. Netscape costs $0.00. Mozilla costs $0.00. K-Meleon costs $0.00.

I recommend you try it again

I may.
posted by NortonDC at 4:46 PM on April 18, 2002


IE is only free if your time isn't worth anything.
posted by Settle at 7:42 PM on April 18, 2002


NortonDC: That's only if you want to get the version without the ads. I paid zip for mine and I barely notice the ads. I may pay the $39 to support Opera, but there's no need to.
posted by jaden at 9:45 PM on April 18, 2002


If you are really happy with the security of Mozilla, or Opera, you should be yelling at us "These browsers suck, stay away" because if they ever get as many users, then to some extent, they will have more security problems.

Just because more people use a piece of software doesn't mean there are going to be more security holes. It's a matter of the programmers paying attention to security while they are writing the software. Sure, there will be security issues like any piece of software, but I don't buy the idea that just because there aren't as many people using a software package it will be full of security holes when it gets popular. The fact that Microsoft is saying that now they're going to focus on security shows that this is a new idea for them, which is why there are so many security holes in their products.

In addition, I don't know what's so bad about finding something that I consider superior after having used what others are currently using and recommending they give the new one a try. Shame on me for trying to help people out.
posted by jaden at 9:59 PM on April 18, 2002


Lucien,

Yes, I was joking about being "bound by law". I shouldn't have put it in those words here on the internet, where inflection and nuance tend to disappear into the ether. Oh well. You also have a good point.

And about your point that Mozilla / Opera fans should discourage people from using them....I see what you mean, but I kind of disagree. I think that Mozilla (don't know much about Opera) has a security model that is totally different than Microsoft's. They basically encourage the public posting and airing of their bugs, and allow people a chance to fix their own problems. Given, the average user of Mozilla is not as helpless as the average IE user, so they will probably be more likely to fix their own problem, but still. I (and a lot of others) are curious to see what would happen if Mozilla caught on like IE has--would the difference in security model and open source code really make a difference?

If it doesn't, there will always be something new, so no big deal. :)
posted by dr_emory at 10:21 PM on April 18, 2002


Jaden, I was joking, hence the wink emoticon, and I don't know what I wrote in that regard that made you think I was referring specifically to you because I can assure you, I wasn't.

Anyway, it was simply a joke. Gentle teasing if you will. People, including myself, perhaps particularly myself, sometimes sound a bit like an advertisement when we are espousing about something we really like.

"In addition, I don't know what's so bad about finding something that I consider superior (...)"

There isn't. As I said, it was a joke. Hence the joke emoticon.

"Lucien,

Yes, I was joking about being "bound by law". I shouldn't have put it in those words here on the internet"


Yes, I know. I was joking also. Of course I don't think I'm "bound by law" to use IE. I fully realised you were joking, and thought that given that fact, you wouldn't mind if I did also, omitting the usual "joke" emoticon.

As for user base vs number of bugs. I didn't claim that was the whole story, and never did. Which is why I wrote (all jokes aside) -

"Bottom line (let's keep things simple here) is that the MS people are too complacent about security, and need to greatly simplify the instructions on their download page for bug fixes."

posted by lucien at 3:56 AM on April 19, 2002


Settle - IE is only free if your time isn't worth anything.

IE costs me less time than any other browser, so I don't see your point.
posted by NortonDC at 4:07 AM on April 19, 2002


If you are really happy with the security of Mozilla, or Opera, you should be yelling at us "These browsers suck, stay away" Because if they ever get as many users, then to some extent, they will have more security problems.

In addition to what jaden and dr_emory said, you've got to consider the big picture. I don't like Microsoft's business tactics, but I don't have a vendetta against them. I'd be thrilled if they'd clean up their act and start producing secure products, and I'd probably use them. But they won't do that unless they perceive a threat to their business from other products. So I do encourage people to use other products--even if they end up not liking them, and returning to MS. We need to shift the paradigm, people. As long as Microsoft products are the "default" for the average user, there's little incentive for the company to improve them.
posted by jpoulos at 6:36 AM on April 19, 2002


"you've got to consider the big picture."

It's important to look at the big picture; however, if you are looking at an issue from one perspective (i.e. pointing out the ramifications for Mozilla, Netscape, and Opera users of a sudden increase in their user base) you can't convey the big picture.

It's pretty clear that both jaden and dr_emory are fans of other browsers, Opera and (probably) Mozilla respectively. These browsers have a minority of users. I'm making the point that to some extent, more problems occur when more users get on board. I think it’s fairly self-evident that to some extent that would be good for me, the MS user (although as I said, I haven't had any problems with it). But still, MS would pay more attention to security if their market share started to decrease.

But that would take a big swing in the user base and I don’t know if or when such a large swing might occur, at least in the near to medium term future. Also, as I have already pointed out, I don’t think that’s the whole story. There are other variables, such as the simple fact that MS is often disliked (which might well lead to more attempts being made on the security of the browser) and the glaringly obvious fact that they don’t seem to take security seriously enough from the get-go.

"So I do encourage people to use other products--even if they end up not liking them, and returning to MS."

I actually do use other products simply because I have to check out code in other browsers but thus far, I haven't personally found a compelling enough reason to swap from using IE as my main browser for surfing the net. That might change, and don't get me wrong, I'm not averse to political statements in general, and if you want to use a browser you might like less for a while to make a political statement to MS, with the intent of trying to improve their woeful attitudes toward security issues, then I admire that stance.
posted by lucien at 11:27 AM on April 20, 2002


lucien: Jaden, I was joking, hence the wink emoticon, and I don't know what I wrote in that regard that made you think I was referring specifically to you because I can assure you, I wasn't.

It would be helpful to not use the word "seriously" when you are joking since your tone of voice is lost in the text.
posted by jaden at 1:30 AM on April 21, 2002


You know, this is a really big deal, seriously ;)
posted by lucien at 3:19 AM on April 24, 2002


And another.
posted by NortonDC at 6:34 AM on April 24, 2002

