News - More holes found in Microsoft's Internet Explorer browser

[Lee H]

Because IEX has the most users/market share.

Exactly

If OS X was the most widely used operating system then you'd be hearing about holes in applications that are with OS X. Why would hackers or the writers of malicious software all attack a program or tool which has 5% market share, when they can go for the 95% and gain access to more information such as card information or passwords?

Don't forget, who actually writes the codes in all these programs? That's right, it's a human being and this is always the weak point in the chain. Look at some of the Malware that is out there. Some of it is designed to mimick virus scanners and suchforth and plays on the fact that some people surfing the internet should not even be allowed to reproduce, nevermind put their card details into a browser. I've dealt with requests for support myself where the user of the PC was the problem and downloading and installing everything that popped onto their screen without even thinking about it. A quick stern word with them along with installing the right programs has meant that the support calls to my mobile have dwindled to hardly any nowadays

Until we get sentient software which is able to program software, detect holes and bugs and repair them itself, we are always going to see reports of security holes in software.

As they say - to err is human, but to really cock up you need a PC

[watercooled]

Not a word untrue there, can't really think of anything to add.

[TheAnimus]

@TheAnimus: The same goes for you, anyone who thinks IE is secure is badly mistaken. It's not necessarily the fault of the browser, it's often because it takes so long for a patch to be released and every second counts really. Steve Gibson is one name that springs to mind who you might know, you know, the guy who first detected spyware and named it. Oh yeah everything seems fine and nice and secure until you actually learn more about it. Just how people think Macs and Linux are virus proof and they don't need to worry about malware while using them so they don't bother to think about what they're doing. In reality it's not much harder to infect a Mac/Linux box than it is Windows. No, other browsers aren't perfect either but I can't think of anything worse than IE.

The fact you name someone like gibson in the context of an expert speaks volumes, he is about as much of an expert as carol vordaman is an expert on string theory.

Saracen keeps his real life a secret for just such an occasion as this, but its fairly well known what my profession here is, and its quite cute in a way when someone tries to tell you ur stupid. I know how little about CS I know, but hey the little I have is comparatively a lot more which is all that matters.

I asked earlier a specific question about Active-X and protected mode, for good reason. IE has an extra layer of sandboxing. The ferrit does not.

If FF had the market share of IE, things would be very different, for a start off, most users are corporate users, for them they have to stick to a patch cycle, waiting a month is a risk reward calculation, with the vast majority wanting even longer than a month between cycles.

Yes there are some shamefully delayed patches on IE, but this doesn't make IE at all unique, let alone the worst given ideas like protected mode.

The simplest, best advice people can be given is to browse the net as a restricted user, and believe it or not, don't use a 5 year old browser, on a 9 year old OS.

When you compare this to the likes of mac who can't be bothered to compile a known privledge escalation exploit up for people who are on a 2 year old version of there os, it leads me to this conclusion, if you have to stick your software requirements, not update versions, you can do a lot worse than using IE and win XP.

[watercooled]

I'm not normally one to defend people but Gibson knows a great deal about computer security, expert is a relative term and relative to most experts Gibson certainly knows his stuff (the fact he's famous accounts for something wouldn't you say?)!! I named Gibson because most people know him, I doubt you would know the others I know, and because he often speaks about IE. He also used to use IE with settings changed to lock it down but why bother when you can use another browser which is far more secure out of the box, has more quickly released patches etc and is a faster/nicer browser to use in general. I didn't mean to imply you were stupid but when you leave a comment on a thread, no harm intended, then get a load of abuse shoved down your throat for doing it you tend to word responses more strongly that usual wouldn't you say? As I said I understand IE's position on updates but that doesn't change the fact it leaves the windows open for attack for a considerable amount of time, it's nice to have the option to patch ASAP rather than having zero-day exploits nearly every month. In terms of real-world experience there's been a good number of times I've been round at a friends house removing malware with varying success (as I'm sure lots of us have) and have suggested they give another browser a try and, believe it or not, the amount of malware they pick up drops considerably. That certainly says something.

[superscaper]

Even without FF having the largest market share didn't FF have the largest share of browser vulnerabilities found in half 1 of 2009?

http://www.internetnews.com/security...le.php/3847461

[TheAnimus]

I'm not normally one to defend people but Gibson knows a great deal about computer security, expert is a relative term and relative to most experts Gibson certainly knows his stuff (the fact he's famous accounts for something wouldn't you say?)!! I named Gibson because most people know him, I doubt you would know the others I know, and because he often speaks about IE.

The man is a rubbishrubbishrubbishrubbish pure and simple, a self publiscising drama queen, the fact people know his name does not mean he is good. Plenty of people know who fred estare is, but that does not make him a competent gynocologist.

when you leave a comment on a thread, no harm intended, then get a load of abuse shoved down your throat for doing it you tend to word responses more strongly that usual wouldn't you say?

Yes because what you said is plain wrong.

In terms of real-world experience there's been a good number of times I've been round at a friends house removing malware with varying success (as I'm sure lots of us have) and have suggested they give another browser a try and, believe it or not, the amount of malware they pick up drops considerably. That certainly says something.

My rock keeps away tigers, I don't see any tigers around it.... Wanna buy it?

You mentioned it was insecure due to technical failngs that made it worse than the others, my comment is it has innovative technologies which the others don't. 99% of malware isn't drive by, its the user initiating it, because they wanted the smilies for MSN or the hardcore porn.

Changing browser does little to guard against that. As we have seen from the latest exploits people actively target IE, those who where on win7 in protected mode (the default) where safe..... That's a good thing.

The fact that FF by default allows for more priveledged execution is a very bad thing.

[watercooled]

Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable.

Is quite a good way of putting it. If you go and look at the actual vulnerabilities most of them aren't very serious at all. Besides IIRC most of them weren't actually FF itself rather add-ons and such a lot of which (such as flash ones) affected all browsers using the plugin. It's also important to remember FF patches vulnerabilities very quickly, and it's rare anyone is able to exploit them before they're patched so people using FF generally aren't effected.

[watercooled]

The man is a rubbishrubbishrubbishrubbish pure and simple, a self publiscising drama queen, the fact people know his name does not mean he is good. Plenty of people know who fred estare is, but that does not make him a competent gynocologist.

Despite what you might think of him he clearly shows a broad knowledge in the security field (and computing in general for that matter) whether you like it or not, all you've done is call him names really isn't it? I don't see how he's self publicising either, the reason a lot of people know him is because he discovered the first spyware (and named it spyware). Pretty much anyone famous is self-publicising but you don't go on about it.

Yes because what you said is plain wrong.My rock keeps away tigers, I don't see any tigers around it.... Wanna buy it?

Sorry, I didn't realise you'd never said anything wrong...
Even if what I said was utterly wrong (but I still stand by what I said mind), it doesn't give anyone the right to jump down my throat about it. A simple 'I don't agree' would have been a better response, no? Yeah if I'd done that to one PC and it worked then what you said stands but when you've done it for tens of people and it works every time it can't be argued with really. Whatever the reason for it - maybe because attacks are aimed at IE - it doesn't matter, the results speak for themselves. Besides, open source is good for things like this IMO - you have lots of people constantly banging on it looking for anything which could be exploited then it's fixed as soon as it's found. In IE it's 9 times out of 10 a hacker that finds it first, exploits it and it's too late to do anything by then.

You mentioned it was insecure due to technical failngs that made it worse than the others, my comment is it has innovative technologies which the others don't. 99% of malware isn't drive by, its the user initiating it, because they wanted the smilies for MSN or the hardcore porn.

Changing browser does little to guard against that. As we have seen from the latest exploits people actively target IE, those who where on win7 in protected mode (the default) where safe..... That's a good thing.

The fact that FF by default allows for more priveledged execution is a very bad thing.

My light bulb has 'innovative technologies' that others don't...
Yeah most malware isn't drive-by so the browser can't do anything to stop it but then that has nothing to do with the browser does it which is what the subject is about here. Besides FF's malware URL filter is far more complete than IE's so it helps in that regard. The drive-by malware that's out there is 99% of the time crafted for IE so again it's more vulnerable in that regard - people wouldn't bother making it if it didn't work. You said it again - people actively target IE - why stand behind a big target when you could go somewhere else eh?

Aaaaanyway, there's little point in arguing over something on a forum since both sides have their opinion and will stick by it and I've wasted enough of my time on this thread so I'll just unsubscribe and leave it at that eh?

[badass]

Well you certainly haven't evidently. And actually I have, plenty of them believe me - people who actually do it for a living not just people who read some random crap on the Internet and assume it to be true. And I'm almost certain I know more about computer security than you TBH so go think about what you're saying before posting... Yeah IE can be configured so it's more secure, even more than Firefox possibly but out of the box which is how most people are going to use it it's just awful. And when you do lock it down it loses so much functionality, so much so it barely still works as a browser. Not to mention that most web malware/zero-day exploits are aimed at IE and wouldn't even run on Firefox, due to IE having a higher market share. ActiveX is frankly just an awful idea, I mean before IE7 it would just run ActiveX controls without even asking you so browsing a site with a dodgy ActiveX element meant game over for your computer really. Yeah things got better in later releases but it's still there, enabled by default and just never used by most users.
@aceuk - not necessarily, in theory yes but not always in practice.
@Lanky123: Yeah I completely agree with you there and it's funny you should say that - I've just checked my youtube subscriptions and guess what I found: http://www.youtube.com/watch?v=UpfdgnaS4ZE&feature=sub
@TheAnimus: The same goes for you, anyone who thinks IE is secure is badly mistaken. It's not necessarily the fault of the browser, it's often because it takes so long for a patch to be released and every second counts really. Steve Gibson is one name that springs to mind who you might know, you know, the guy who first detected spyware and named it. Oh yeah everything seems fine and nice and secure until you actually learn more about it. Just how people think Macs and Linux are virus proof and they don't need to worry about malware while using them so they don't bother to think about what they're doing. In reality it's not much harder to infect a Mac/Linux box than it is Windows. No, other browsers aren't perfect either but I can't think of anything worse than IE.
@dangel: Oh yeah I understand that, but there's no denying holes do get patched far faster in the likes of Firefox. This of course means that holes are actively exploited for days or even weeks before a patch is released.
And last and certainly least, Singh400 and badass: You just decided to take this as an opportunity to listen to others and be asses did you? I don't get the feeling from your posts you even know what an exploit is so go and troll somewhere else...
I could give you an essay as to why I wouldn't use IE for my everyday browsing but frankly I have better things to do with my time. If you want to know there's plenty of resources out there which you could do with reading...

Thanks for proving my point