Friday, January 28, 2005

Return of the Browser Wars

By Jerry Pournelle
July 26, 2004
Column 288 (Continued from the Previous Month)

“The Big Question: Internet Explorer

The VX2 spyware scare was one problem. Another was Download.Ject, aka Scob, and called by some The Russian Hack. This exploited vulnerabilities in the Microsoft IIS servers (one reason why Apache has a significant web server market share) to broadcast malware that exploited in turn Internet Explorer vulnerabilities. That was significant because it caused some journalists to advise users to abandon Internet Explorer entirely. Others didn't go that far, but did say that one ought not use Microsoft Internet Explorer as one's default Internet browser. Perhaps the most extreme statement was "The U.S. government's Computer Emergency Readiness Team (US-CERT) is warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser."

For those unfamiliar with it, US-CERT "is a partnership between the Department of Homeland Security and the public and private sectors. Established to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation," so a warning from US-CERT is pretty serious, and if they're advising you to "stop using Microsoft's Internet Explorer (IE) browser," it may be time to do just that.

All of which prompted a call to Microsoft's public relations people, who arranged a telephone interview with two senior program managers on Microsoft's Security team.

Microsoft's Side of the Story

My interview was with Gary Schare, Director of Security Project Management for Windows, and some of his team.

First, regarding CERT advice to drop IE, they said "We haven't seen any such CERT headline. We've seen journalists who report it, but we can't find any such thing." Which prompted me to go do my own search, and they're right: While I see a number of signed editorials and columns stating that this is CERT's advice, I found no URL linking that statement to CERT itself, and my search of CERT didn't turn it up either.

CERT does have a warning entitled "Microsoft Internet Explorer does not properly validate source of redirected frame," and if you scroll down past a number of other suggestions, the last one is

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

but that is not quite the same as saying ‘Don't use Internet Explorer,’ and a very long way from ‘CERT says use anything but IE.’ ”


http://www.byte.com/documents/s=9011/byt1090781086558/0726_pournelle.html?temp=1h6pvBLxoD
