Fog Creek Software
g
Discussion Board

that about wraps it up for internet explorer



http://www.infoworld.com/article/04/01/28/HNiehole_1.html


_why_ are people still allowing their less techie friends and relations to use IE?  its kind of like painting a bullseye on their forehead and sending them out into a warzone.

it just plain baffles me....maybe mozilla, opera etc etc are lacking in one or two points of functionality, but surely when compared to the risk its worthwhile to kick the non-techies into something (anything) other than IE?

FullNameRequired
Wednesday, January 28, 2004

It is for reasons like this:

http://www.baus.net/archives/000047.html

If vendors keep doing stuff like this, they only make matters worse.

christopher baus (www.baus.net)
Wednesday, January 28, 2004

wow, what a wonderful example of manufacturer stupidity..

FullNameRequired
Wednesday, January 28, 2004

How about this article from Microsoft, where their "solution" for a URL-spoofing vulnerability in IE is to tell you NOT to click on hyperlinks:

http://support.microsoft.com/default.aspx?scid=kb;[ln];833786

I repeat: if you're using Internet Explorer, Microsoft says that you should NOT click hyperlinks.  Instead, they recommend that you simply *type the URL into the address bar manually*.

Let that sink in for a minute...

...

...it's mind-boggling. 

John Rose
Wednesday, January 28, 2004

For what it's worth, I just installed a network-attached storage device (basically a file server in a box) and when I used IE 6 to configure it I got a bunch of errors on the config screen.

Chris Tavares
Wednesday, January 28, 2004

Typing the URL in rather than clicking a hyperlink is a legitimate way for users to protect themselves, whether they're using IE, Firebird, or anything else as their browser.  Consider the number of scams that result from email links claiming to be from PayPal and telling you to go to something like www.paypaI.com to update your user information.  In cases like this, it's better to just type in paypal.com manually than to trust the email and your eyes.  That's the point MS is trying to make in that knowledge base article.  They aren't saying you should stop clicking *all* hyperlinks, just ones that originate from unauthenticated sources that end up asking you for personal information such as your credit card number.  That's good advice that I'd hope everyone already follows.

Of course, Firebird is *so* much more secure than IE.  It's fun reading the Firebird bug database and seeing a user report a crash and then getting the response "you are using a 3 months old build, a lot has happend since then."  Yeah, that's a product ready for prime-time.

SomeBody
Wednesday, January 28, 2004

As opposed to a user reporting a crash bug in IE?  MS would say "download the patch".

Show me where on the Mozilla.org website it says that Firebird is ready for prime time.  It's not even 1.0 yet.

What is the correct response to a user reporting a crash bug?  "Download the patch or new version that fixes it" is a completely valid response, IMHO.

Richard P
Wednesday, January 28, 2004

"Typing the URL in rather than clicking a hyperlink is a legitimate way for users to protect themselves, whether they're using IE, Firebird, or anything else as their browser. "

indeed it is, the difference between IE and _any other browser in the market_ is that if you carefully read the current location in the address bar in IE, you are _still_ unable to be sure that you are there.
Its possible in any browser to mistake and I for a l etc, and care must always be taken...only in IE is it possible to mistake http://www.paypal.com.im.going.to.steal.from.you.com for http://www.paypal.com


"Firebird is *so* much more secure than IE"

firebird is _not_ the only other option here, there is a generous selection of browsers out there today, some are commercial and some are not...nearly any one of them is more secure than IE because it is _different) from IE, so any _IE SPECIFIC_ secure attacks are going to fail.
If you dont like firebird, fine (neither do I, I use mozilla on one machine, opera on another and safari on a third) but there is a huge range of other possibilities that you can encourage people to use.

FullNameRequired
Wednesday, January 28, 2004

For fuck's sake, IE is fine.  People just need to learn to use antivirus software and firewalls.

Norrick
Wednesday, January 28, 2004

Microsoft have announced plans for a fix to the URL spoofing vulnerability:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489

Malcolm Miles
Thursday, January 29, 2004

"For fuck's sake, IE is fine.  People just need to learn to use antivirus software and firewalls. "

:)  says it all really.

FullNameRequired
Thursday, January 29, 2004

I don't see how that fix addresses that vulernerability.

The problem is you can use JavaScript to lie about what you're mousing over. So when you mouse over a link, you can change it to say anything you want, including spoofing a URL.

The fix only addresses a problem where you're logged in to a URL that looks like another one using a server login:

http://www.paypal.com%01@hacker.com

Which your mother will think logs you in to paypal, but actually logs her into hacker.com.

This is only part of the problem outlined in the first Microsoft link.

I have AntiVirus and I have a Firewall. I shouldn't have to use either of them becuase I browse the web. I don't believe Mozilla or Opera are inherently more secure than IE, I just think IE is a target.

BTW, nice topic. Yet another HHGG reference is always welcome.

www.MarkTAW.com
Thursday, January 29, 2004

For one, when you mouse down on the link, it seems to override the mouse over JS thing. I like the implication that MS cannot fix these vulnerabilities. I just imagine they have an army of programmers scratching their heads having given up. Good grief - people won't be happy until MS is out of business! Spend more time with your families.

m
Thursday, January 29, 2004

>>
Show me where on the Mozilla.org website it says that Firebird is ready for prime time.  It's not even 1.0 yet.
<<

Umm, apparently you didn't read the first post in this thread that advocated migrating non-techies to Mozilla, Opera, etc..  My response was to that. 

SomeBody
Thursday, January 29, 2004

[Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening]


yes thats it! The code will never be able to be rewritten. It can never be removed because it's actually locked itself in the basement! We are all doomed!

trollbooth
Thursday, January 29, 2004

News flash:  The spoof is fixed.

Downloaded the latest patches today, and the spoof no longer works; it shows the _whole_ URL string in the address bar and you get an "Invalid syntax error" page.

(Don't know if this is just my particular configuration, which had other problems, but I had to uninstall and reinstall IE6 to get it to properly update.)

Kyralessa
Tuesday, February 3, 2004

*  Recent Topics

*  Fog Creek Home