Re: Microsoft Browser Under Scrutiny

From: Tom (no-way_at_not-here.com)
Date: 07/03/04 

Date: Sat, 3 Jul 2004 16:53:50 -0400

I already know this, I subscribe to Microsoft Security Updates, and I have
had SP2 RC2 installed for a while now.

I am simply posting this so some will read it, and maybe take care. My
opinion is that MS doesn't spend their enormous profits alerting consumers
to their easily hacked programs, especially Outlook and Internet Explorer.
It would do them good if they would by TV time to do this. They typically
wait too long to release fixes, unless the damage is already done, and it
becomes an emergency. They need to keep testing constantly, or release a
browser and email client that won't get cracked so much!

Where I work (my employer has 38,000 employees, and has over a thousand
servers) they officially created a website where to teach others about Linux
servers because the cost of paying for MS products is cutting into the
bottom line, and they are unreliable. Linux can be written to make software
run with more compatibility. They (for now we are have simply servers to
Linux).

I work in department where we have 26 servers to run 26 printers (these are
very high-end printers, the oldest being 2 years old, totaling a cost of
over 22 million dollars). they got rid of Windows 2000 server, and the one
2003 version for the latest Linux version. It has never crashed in the six
months we have been using them. For now though, the desktops will keep the
WinXP pro, because most are not familiar with other types of Office
software, but they are training for Corel products, as to implement that on
Linux desktops; the cost savings are phenomenal, and the IT dept can write
to the operating system when needed, something Windows does not allow.

"Carey Frisch [MVP]" <mrxp2004@nospamyahoo.com> wrote in message
news:O3s2$tTYEHA.1356@TK2MSFTNGP09.phx.gbl...
> What You Should Know About Download.Ject
> http://www.microsoft.com/security/incident/download_ject.mspx
>
> Important:
>
> Users of Windows XP Service Pack 2 Release Candidate 2
> (Windows XP SP2 RC2) are not at risk.
>
> --
> Carey Frisch
> Microsoft MVP
> Windows XP - Shell/User
>
> Be Smart! Protect your PC!
> http://www.microsoft.com/security/protect/
>
> --------------------------------------------------------------------------------
>
> "Tom" no-way@not-here.com wrote in message:
> news:%23JHJenTYEHA.384@TK2MSFTNGP10.phx.gbl...
>
> http://www.cbsnews.com/stories/2004/07/03/tech/main627407.shtml
>
>
>
> NEW YORK, July 2, 2004
>
> (AP) It's been a bad week for many users of Microsoft Corp.'s nearly
> ubiquitous Internet Explorer browser.
>
> A pair of virus attacks exploiting its vulnerabilities had led security
> experts to recommend that Web surfers
> consider such alternatives as Mozilla and Opera.
>
> Until Microsoft made a software update available Friday, continuing to use
> Internet Explorer was "like playing
> the lottery," said Johannes B. Ullrich, chief technology officer of the
> nonprofit SANS Internet Security
> Center.
>
> The respected research center was among security groups recommending other
> browsers as long as a key
> vulnerability in IE remained unfixed, leaving it capable of running
> malicious code that's been hidden at a
> number of popular Web sites.
>
> It took a week for Microsoft to issue the update, which does not fix the
> flaw entirely but disables a hacker's
> ability to deliver malicious code with it. Ullrich said the update
> appeared to eliminate any immediate need to
> switch browsers, which can cause problems of its own.
>
> The flaw had allowed a computer virus to spread through a new technique
> that converted popular Web sites into
> virus transmitters. That infection was designed to steal valuable
> information as Web users typed it into their
> computers ? passwords and the like.
>
> And this week, researchers discovered another password-stealing program
> hidden behind pop-up ads. A repair for
> the flaw enabling that Trojan infection was issued in April, many users
> had yet to patch their systems.
>
> IE is a frequent target for hacking because of its popularity;
> WebSideStory Inc. says 95 percent of surfers
> use it globally. The browser is closely integrated with Microsoft's
> Windows operating system and Outlook
> e-mail program, creating more room for programming error and making
> solutions more difficult.
>
> Though many of IE's functions are not unique, IE tends to be more
> permissive in running code ? flexibility
> that helps Web developers create fancy features but allows hackers to more
> easily find weaknesses.
>
> A major Windows XP upgrade, known as a service pack, is due out this
> summer and would plugs some holes in IE.
> Last week's outbreak would not have occurred had those software plugs been
> installed, said Gary Schare, a
> Microsoft security director.
>
> Microsoft also is developing a specific fix for the new vulnerability, but
> Schare said testing takes time. He
> called it premature for independent security experts to recommend that
> people explore alternatives.
>
> Even if those recommendations were heeded, it's highly unlikely Microsoft
> could be unseated as top dog in the
> browser business. After all, IE comes with Windows computers. The Justice
> Department, after initially suing to
> force Microsoft to uncouple the browser from its operating systems, later
> backed down.
>
> Many users don't care enough or know how to find other browsers, most of
> which are free or ad-supported. Opera
> Software ASA, which offers the No. 3 browser for Windows, saw no
> significant change in downloads this week.
> Downloads of Mozilla doubled, but the increase is not nearly enough to
> significantly change its market share.
>
> "It's not that consumers are so loyal to Microsoft, but more they are
> apathetic," said Geoff Johnston, an
> analyst with WebSideStory, which tracks browser usage. "With it, there
> really is a cost to switching."
>
> Users who install alternatives will find that some Web sites simply won't
> work. Movielink LLC says its online
> movies need technology specific to IE, and America Online Inc. shuns its
> own Mozilla-based Netscape browsers
> for new conferencing tools.
>
> Browser-integrated toolbars from search leader Google Inc. and others are
> only available for Internet
> Explorer.
>
> Many sites work on alternatives but display items incorrectly, often
> because developers fail to test on them.
>
> "All they know is it looks good to them ... on their own browser, and
> their own browser is most probably
> Internet Explorer," said Jakob Nielsen, a Web design expert with Nielsen
> Norman Group.
>
> Ken Godskind, vice president of marketing at the Internet monitoring firm
> AlertSite, uses the Mozilla browser
> partly because of security concerns, but he accepts having to run IE now
> and then.
>
> "Rarely are you going to go someplace where you're going to avoid
> Microsoft technology," he said.
>
> But sites have gotten better about designing for other browsers, said
> Porter Glendinning, an Internet
> consultant who promotes adherence to Web standards. Until recently, he
> said, banking applications rarely
> worked on anything else.
>
> And leading Web application developers, including Opera, Apple Computer
> Inc. and Macromedia Inc., are
> collaborating on better plug-in technology to rival Microsoft's.
>
> Opera's Christen Krogh said users would get the same functionality no
> matter their browser.
>
> Mark Rasch, chief security counsel for Solutionary Inc., favors
> alternatives "if for no reason other than to
> create heterogeneity," which dulls the impact of any single virus attack.
>
> But alternatives can become targets, too, as more people use them, said
> Chris Kraft, senior security analyst
> at Sophos Inc.
>
> A better solution is to reconsider whether browsers ought to have evolved
> into Swiss Army knives of the
> Internet ? a development that can, and has, backfired on users.
>
> These Web browsers have advanced over time to be extremely rich in terms
> of content, how they deliver
> content," Kraft said. "What's the compromise between a rich experience and
> creating a toolbox for the general
> malicious community?"
>

Relevant Pages

  • Re: Please help with pop-ups!!
    ... Sometimes I'm not on the internet ... A1) No. Microsoft NEVER sends emails with security update attachments. ... pages where you can access Windows Update, download patches, or request ...
    (microsoft.public.security)
  • OT: MICROSLOP IE FULL OF NEW HOLES (all versions)
    ... Microsoft issuing emergency fix for browser flaw ... emergency fix for a security hole in its Internet Explorer software that has ... Internet Explorer is the world's most widely used Web browser. ...
    (alt.support.chronic-pain)
  • Microsoft Releases Security Update
    ... Microsoft Releases Security Update ... interim security update Friday to protect users of its ... attacks to cripple the Internet. ...
    (microsoft.public.security)
  • RE: ConnectComputer - Permission Denied
    ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... >> This issue is probably a security problem that the ConnectComputer ... In IE, go to Tools, Internet Options, Security. ...
    (microsoft.public.windows.server.sbs)
  • Microsoft Plugs IE; Report Warns All Browsers At Risk
    ... Microsoft Plugs IE; Report Warns All Browsers At Risk ... As if to prove the point that security is like the Dutch boy at the ... but rather an change to Windows that disables the ADODB.Stream ... content of a site displayed in the browser. ...
    (sci.med.transcription)