Run Windows Update. NOW.

[matgb]

Seriously, there's a major security hole in Internet Explorer that also opens up vulnerabilities in other browsers. Even if you rarely if ever use IE, you need to secure your system if you're running Windows. If you don't know how to, Yahoo! Tech has a handy guide. It's fairly major, several popular websites have been hijacked, one well known webcomic artist got infected while looking at his own comic. MS normally only patch at scheduled times, for them to rush something out this quickly is almost unheard of:

Acting with record speed, Microsoft has issued a patch for the just-announced security flaw that impacts all recent versions of Internet Explorer, from version 5 to the latest betas of IE 8. The next security update had not been due from the company until January 13, making this a very rare occurrence.

Most scary? Up until now, I had thought Opera was a pretty good browser, it's certainly nice to use. It appears though that Opera was subject to the same vulnerabilities as it uses the same XML renderer memory buffer as IE. No, I don't really understand that bit either. So Opera gets downgraded.

If you're still using Internet Explorer for your browsing, really, it's NOT SAFE. No browser is completely secure, but IE is part of the core operating system of Windows, and when there are unpatched exploits, the attack can get directly into Windows itself. By far the safest way to browse^[1] is with Firefox, and it's probably tied after that between Apple's Safari and Google's Chrome. Opera remains a groundbreaking bit of software, but if the default behaviour is still to pretend to be IE and also open up vulnerabilities regardless, it isn't as good as it should be.

For the full security shield, Firefox has plugins such as Flashblock, Adblock and NoScript that really do push it to the top. At the very least, Flashblock stops system hogging flash from hijacking your browsing unless you want it to, it's the first thing I install after Fx on a new machine. Always.

Another part of this vulnerability involved Adobe's Acrobat Reader. PDFs are, unfortunately, now a part of life, and there are still many many idiots that put their PDFs online and think they've got a decent web presence. Given this, the PDF download plugin for Firefox is essential, and switching to a much faster and less system intensive reader (I use Foxit) for your default PDF setup is probably a good plan as well.

---

[1] I'm ignoring text only and other lite browsers such as Lynx here, just talking about normal, standard plays YouTube vids and looks normal browsers.

Comments

[matgb]

NB, if you work in an office and don't have admin abilities, definitely check with the IT department ASAP to confirm they're up to date.

Those of you fighting the "can we switch to a better bit of software please" fight may find this useful extra ammo. Those of you just putting up with using IE at work, seriously, start putting pressure on bosses and IT.

Using IE could really mess up your company's bottom line.

[js84.livejournal.com]

(From BBC website article)

Said [third-party security advisor] Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

What about all the other flaws?



and what's the vulnerability that affects PDF files?

[matgb]

The Zero Day exploit works by remote running files, thus it tells IE to boot Adobe Reader to get access to the XML thingy.

Or something.

MS has to say don't switch. Believing them is up to the guy paying the bills.

[fearmeforiampink]

I don't know the details, but in terms of identifying as stuff, generally Opera is set up to default identify as Opera, but can be set to identify as IE.

[matgb]

I'm told it defaults to send the user agent as IE—it definitely did when I installed it ages back, haven't done a fresh install for ages. It may be they've switched that stupidity off (seriously, telling your software to pretend it doesn't exist thus you don't show up in stats is an interesting idea, but reverse marketing isn't my idea of good practice).

The actual problem is in the IE XML buffer, which Opera apparently uses. If that means stuff to you, great.

[fridgemagnet.livejournal.com]

I'm not sure what you mean about Opera; iirc Opera does have a "use IE to view this page" option, but there are Firefox modules that do the same and neither are at all common except with web developers.

[matgb]

This will probably make more sense to you that me: Specifically, he got infected from running Opera on Windows, wherein Opera exports their XML data binding functions to the published operating system engine, which is dun-dun-da-daaaaa the one that IE uses (Remember the bit about how IE was inextricably part of Windows? Yeah. Great design decision.) which is Microsoft's. The exploit basically uses a set of XML code that builds data objects in memory that sit in IE's memory space within the OS, carefully crafted data objects that bear binary code. The exploit then specifically exploits the fact that the XML rendering engine, when told to get rid of the data objects, doesn't perform proper memory management and garbage collection, and doesn't run in a sandbox /per se/ with lowered data execution privileges and operating system resources but in fact runs as whatever level the user runs IE at. Which is almost always with permissions to install software. This is a classic memory buffer overflow exploit, and is entirely Microsoft's fault for not fixing it so long, long ago.

Firefox can have plugins (I have them, I use them in a secure manner, if anyone ever gets an exploit to automatically trigger them I'll remove them, it's unlikely as they're not common usage). Opera defaults on install (I'm told) to send the user agent as IE, and apparently uses the IE XML memory buffer, which is where the problem was.

I used to recommend Opera to anyone that wasn't using extensions, what's the point of Fx if you don't use the extensions after all, out of the box Opera is better.

But if what I've read is correct, Opera is less secure, thus I'll now recommend Chrome, which at least has brand recognition for people that care about such things or trust names they know.

[fridgemagnet.livejournal.com]

That makes sense. I'm quite surprised that Opera does that actually, but in this instance it was unwise.

The thing is of course that while in this instance Opera trusted Windows not to be vulnerable to buffer overflow attacks when it was, there's nothing to say that Firefox or Chrome or whatever other browser isn't also trusting some other Windows service which is vulnerable.

Unfortunately you sort of _have_ to trust some of the services of the OS you're running on, and while some companies trust very few of them (Opera for instance does a whole load of stuff on its own, which is why it looks slightly odd and I was surprised to see this) they're all going to trust a few. In this instance Opera is vulnerable and other browsers which don't use that service aren't, but that's not indicative of some sort of long-term issue with Opera IMO.

[tiredstars.livejournal.com]

Someday my office may upgrade from IE6. :/

[tiredstars.livejournal.com]

Strangely, most of the headings in the side-frame on the windows update page appear to be in Korean at the moment.

[paulgregory.livejournal.com]

if the default behaviour is to pretend to be IE and open up vulnerabilities
That's slightly misleading. The pretend-to-be is user-adjustable but it's mainly useragent stuff and possibly some box-model interpretation. From what I understand, the vulnerabilities from XML rendering are not due to "default behaviour" in the same sense; I doubt there is another XML rendering option. (I may be wrong, I don't touch desktop Opera).

[matgb]

Ah, I'm conflating stuff again. More digging reveals you're right, it's the XML buffer. Meh, not my area of expertise, I just pass on important stuff when I see it.

[requiem2adream.livejournal.com]

... I don't think I have ever been so happy that I made the Switch to Mac and Firefox *snuggles my baby*

[matgb]

*cough*

Oh man, you are so desperately in need of a subscription to US-CERT. Apple had two dozen critical vulnerabilities to OSX *in the last week*.

"Macs don't get viruses" is a slightly bigger myth than "abstinence only education is a good idea".

Just, y'know, FYI. The more people start using Macs, the more likely the crackers are to try and get you, and from what I understand, when they start trying, they'll have a nice easy job...

[requiem2adream.livejournal.com]

...

Laurens happy protective bubble of Mac security: *is burst*


The more people start using Macs, the more likely the crackers are to try and get you.

I appreciated that when I brought my baby. Obviously now more people are getting them the chances of security breaches will be higher.

[mapp.livejournal.com]

"Mozilla hastily shoves Firefox updates out door," reported The Register on Wednesday.

"Mozilla Security Advisories for 3.0," with notes for 3.0.5 that suggest it's addressing the same problems that MS and Opera were having (pesky remote code execution!).

[matgb]

Aye. My beef with MS is that they release patches, normally, on a schedule—it took something this big to force them to patch out of sequence.

Mozilla patch holes as soon as they're found, meaning they have vulnerabilities, but those holes are found and fixed ASAP.

(I don't know Opera's system for security releases)

[mapp.livejournal.com]

My point is that it's not something that only has effected Opera and IE, but the much loved Firefox as well.

[0ct0pus.livejournal.com]

Basically update the browser you are using - and any other browsers you have on your machine. Which is quite a job for some of us. The fuss with MSIE has been because they have taken so long getting an update up, and because most IE users don't do browser updates. Oddly IE6 users are occassionally pushed to update to IE7 via a redirect on start up... wonder if they could have used a similar mechanism for this.

Opera is still a brilliant browser btw (fanboy!!)

[matgb]

Oh, I know Opera is good (and I agree, regular updates are good), but if it uses IE infrastructure as default on install, it's not as secure as I thought it was.

Hopefully they'll fix that now.

[djm4]

Are you sure Firefox *doesn't* use IE infrastructure? They've introduced a very similar patch today, and I see no reason why they'd wouldn't do exactly the same thing Opera does w.r.t. XML.

Ditto Google Chrome, which also released a patch today. It certainly *could* be coincidence, but until I see something telling me that Firefox hasn't done exactly what Opera did, I'm suspecting that as the most likely explanation.

Relying on the OS for one's core functions isn't exactly unusual.

[mapp.livejournal.com]

Mozilla Security Advisories for 3.0.5 suggest that the 3.0.5 update fixes the problem (in other words, it's not Opera/IE only)

[el-staplador.livejournal.com]

Done! (I use Firefox almost all the time, but IE is Still There, so I'm patching to be on the safe side.)

I don't really care what happens at work. Considering how long it took me to show my manager how to make a text box in Excel yesterday, and considering that I won't be there after Christmas, it doesn't seem worth it.

[innerbrat]

Firefox named most vulnerable windows application.

Discuss.

[matgb]

Bollocks methodology. That flaws exist in all browsers is known. What matters is that when one is found, it's fixed quickly. Fx defaults to checking and fixing itself. It can't be remote fixed easily, which is a problem for large companies that like centralised updating, but it is automatically happening anyway.

Every hole they identify was fixed very quickly and the patch auto updated on default installs.

Apparently that makes it a problem, whereas IEs system of requiring the IT guy to do something makes it more secure.

[purple-pen.livejournal.com]

Ah, thanks for the Foxit link! I have long despised PDFs, but having just downloaded Foxit and given it a go, I think I may learn to get over that now.

[matgb]

I found out about Foxit from an old post of theweaselking's, who works as a consultant sysadmin. Combine it with PDF download and no annoyances at all.

It is slightly weird at times with certain PDF tricks that Adobe allows that aren't technically in the ISO standard, but it's cheap and fast, so we let it off—you can normally see when something looks wrong.

[davegodfrey.livejournal.com]

PDFs have been a part of life as a scientist for a very, very long time. Everybody uses them, and its the standard way to distribute your paper online or by email.

[matgb]

I have no problem with the PDF file format. As a method for distributing large document files (like academic papers) it's fine, and there isn't really a better standard.

But when companies only release their info on PDFs, and have internal (or even external) links that turn out to be PDFs, it's a problem.

When I took over the local party website, the only way to read the manifesto in the local elections was to download a PDF. That isn't going to get any votes at all.

[davegodfrey.livejournal.com]

Ok, thats a bloody silly way of doing things. Most of my experience with PDFs is in science publications where you get a webpage with the abstract on it, and then links to download the full document. I'd assumed that was how most people used PDFs. Y'know. Sensibly. *sigh*

JSTOR while having masses of lovely references generally presents each page as a JPEG. Which is deeply irritating, as I have to print or load each page individually. What's the bloody point of that?

[matgb]

Many many websites run by businesses seem to think that preparing a report then simply uploading the PDF to their site as a download is a good idea.

This includes supposed "web 2.0 consultancies" and similar. PDFs aren't meant for online reading, they're meant for transmitting documents in a printable format.

Nielsen still puts it as the second biggest mistake in design—that means it's not just a stupid idea, it's a very common stupid idea:
http://www.useit.com/alertbox/9605.html

As for putting text up as JPEGs? I have no clue—it hides the content from search engines and makes copyright infringement harder, but people'll get around that anyway. Why make things hard for legit users?

[davegodfrey.livejournal.com]

PDF reports without an abstract? Makes no sense to me, but then I've got a science background. Abstracts are second nature to me.

Much of JSTOR is behind an academic paywall anyway, so you have access from your institution. Checking a journal at random ("Avian Diseases" as it happens) there's a link to download a PDF too. Which makes the JPEG bit even odder. I suppose it makes online reading easier, but still...

[misscoollinda.livejournal.com]

Thanks for the tip. I forwarded the yahoo link to our IT chief, but he tends to be a putz and will likely ignore it.

[staceyuk.livejournal.com]

Thanks. I don't use IE but have it anyway cos I'm running Vista! I miss XP! UAC drives me a little bonkers! You can switch it off but get a security warning every time you boot up. Bleh.