
German Government: Stop Using Internet Explorer - AndrewWarner
http://mashable.com/2010/01/15/german-government-stop-using-internet-explorer/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Mashable+%28Mashable%29&utm_content=Google+Reader
======
dunstad
Misleading title; the recommended stop is only until a security fix.

------
elblanco
These problems are well known, yet enterprise IT management seems to persist
in sticking with IE, even spreading disinformation to their employees with
claims that FF, Safari, Opera and Chrome are more vulnerable.

One incident still boggles my mind. A friend of mine attended a security
conference last year with a corporate IT manager who had been insisting that
IE is the better choice from a security model standpoint. One after another
speaker stood up and presented a paper or a speech or a lecture or a round-
table all saying essentially the same thing:

The security of networked systems is only as good as its weakest link, and IE
has consistently been the weakest link for years. Even with hundreds of
security patches since XP was released, it's still such a threat to the
network that it's irresponsible to continue using it. Not one presenter used
it anymore. They continued that enterprise IT should not only be recommending
other browsers, they should be enforcing other browsers as part of their
security policy and disabling IE as much as possible on all systems under
their control. It was damning.

After we got back to the office, he sent out a corporate wide email reminding
everyone that browsers other than IE are vulnerabilities to the network and
won't be tolerated.

------
cgs1019
Is IE entirely to blame, really? What about an operating system that allows a
web browser sufficient prominence within the system even to allow a
susceptibility that enables hackers to “perform reconnaissance and gain
complete control over the compromised system.”

I understand that a government would be hard-pressed to suggest that a nation
forgo using an OS that is so deeply embedded in many organizations' and
people's day-to-day operation, but even a brief acknowledgement of what is the
underlying problem (worldwide deployment of an out-of-date operating system
inextricably and systemically intertwined with the function of an abhorrently
insecure electronic portal to the entire world of internet-enabled machines
[I'm referring here to Internet Explorer]) would really help the much-needed
movement to spread awareness of the more secure, cheaper alternatives (I'm
referring here to Linux-based systems).

In any case, it's always great to see organizations with clout holding
Microsoft publicly accountable for its indiscretions.

~~~
tptacek
I have to ask what this even means. The last time the world started holding
Microsoft publicly accountable for its security indiscretions was the "Summer
of Worms" in '03. From that point on, starting with WinXP SP 2, Microsoft has
put an absolutely huge amount of effort into security, including:

* Training virtually all of their developers on secure coding

* Modifying their core libraries to avoid dangerous idioms

* Spending tens of thousands of dollars per product _per release_ on external security testing

* Slowing down dev cycles with "SDL" measures like threat modeling and code review

* Holding off releases to audit for new bug classes

I'm not saying that Microsoft ships perfect software, because what I'm saying
is that it's impossible to ship perfect software.

~~~
jrockway
_I'm not saying that Microsoft ships perfect software, because what I'm saying
is that it's impossible to ship perfect software._

When you write it in C/C++, anyway.

(I think Microsoft has almost solved this problem, though, with their heavy
investment in the CLR and languages like F# on top of the CLR. Even C# is
fine, compared to C or C++. You can still write insecure software in managed
languages, but it will be because of a careless design, not forgetting to tack
a "\0" on the end of a block of memory.)

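As an added illustration of the point above (example code written for this edit, not from the commenter or the page): a constructed C snippet showing the unterminated-copy bug beside its fixed form, plus a bounded check that detects a missing terminator without reading past the allocation. The sample input and the function names are made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input for the example (not from the thread). */
static const char SAMPLE[] = "GET /index.html";

/*
 * Buggy version: allocates exactly n bytes and copies n bytes, so there is
 * never room for, and never a write of, the trailing '\0'. Any caller that
 * later treats the result as a C string (strlen, printf "%s", strcpy) reads
 * past the end of the allocation; what it finds there is whatever heap
 * data happens to follow, which is exactly the class of bug a managed
 * runtime rules out by construction.
 */
char *copy_unterminated(const char *src, size_t n) {
    char *dst = malloc(n);            /* no room for the terminator */
    if (dst == NULL) return NULL;
    memcpy(dst, src, n);              /* bytes copied, terminator forgotten */
    return dst;
}

/* Fixed version: one extra byte, and the terminator written explicitly. */
char *copy_terminated(const char *src, size_t n) {
    char *dst = malloc(n + 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst;
}

/*
 * Bounded check: does a buffer of capacity cap contain a '\0' inside its
 * bounds? memchr never reads past cap bytes, so this is safe to call on
 * either result, unlike strlen.
 */
int is_terminated(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

/* Bounded length: like strlen, but stops at cap instead of running off the end. */
size_t bounded_len(const char *buf, size_t cap) {
    const char *nul = memchr(buf, '\0', cap);
    return nul == NULL ? cap : (size_t)(nul - buf);
}

int main(void) {
    size_t n = 4;                     /* copy "GET " from the sample */

    char *bad = copy_unterminated(SAMPLE, n);
    char *good = copy_terminated(SAMPLE, n);
    if (bad == NULL || good == NULL) return 1;

    /* The buggy copy has no terminator within its 4 bytes; strlen(bad) would be undefined. */
    printf("unterminated copy has terminator: %d, bounded length %zu\n",
           is_terminated(bad, n), bounded_len(bad, n));
    /* The fixed copy is a proper C string and safe to print with %s. */
    printf("terminated copy has terminator:   %d, string \"%s\"\n",
           is_terminated(good, n + 1), good);

    free(bad);
    free(good);
    return 0;
}
```

The bounded helpers are the practical takeaway: when a buffer's provenance is uncertain, check for the terminator with a length-limited call (memchr, or strnlen where available) before handing it to any routine that assumes one.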
~~~
tptacek
Python, Ruby, and Java web applications are riddled with domain-specific
vulnerabilities. I'm sorry, there simply aren't any easy answers here.

~~~
jrockway
I think the problem is "web applications" and not Python, Ruby, or Java.
Mostly.

(If you were writing your web applications in C, you'd have to worry about
memory corruption problems AND cross-site request forgeries.)

------
Groxx
Seems a bit pre-emptive, as the suggestion is based on _"a critical yet
unknown vulnerability"_ that was _"probably exploited"_ in the recent attack
on Google & others.

That said, the very fact that a browser is not super-sandboxed in the first
place is frightening, and IE has a huge amount of integration compared to
other browsers. Mayhaps that's why it's been such a problem?

~~~
tptacek
It was probably preemptive when it was written, but it's been borne out by the
facts.

The only browser that is "super sandboxed" is Chrome, and nobody knows how
effective the process security model in Chrome is going to end up being. The
actual vulnerability appears to be a basic object lifespan problem in DOM
handling code; in other words, this could happen to any browser.

After Chrome, the browser with the next most involved security model is IE
with DEP, and, in fact, when DEP is enabled, the exploit doesn't work (that's
no guarantee that it could never work, though).

------
ugh
Cool, didn’t know we had something like that:
[http://en.wikipedia.org/wiki/Federal_Office_for_Information_...](http://en.wikipedia.org/wiki/Federal_Office_for_Information_Security)

(Uh, and it’s one of those government offices still in Bonn. Just around the
corner, for massive 5km amounts of just around the corner.)

~~~
sovok
The "Bundesamt für Sicherheit in der Informationstechnik" advised users to
avoid IE at least since 2004:
[http://translate.google.com/translate?js=y&prev=_t&h...](http://translate.google.com/translate?js=y&prev=_t&hl=de&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FBundesamt-empfiehlt-Browser-Wechsel-104674.html&sl=de&tl=en)

~~~
tptacek
Did they advise users to avoid Firefox, too? Their users would have avoided a
lot of security pain.

~~~
sovok
No, they just recommend using alternative browsers and to switch often.
Although the BSI warned against lots of things in the interest of privacy,
mostly Google products (Chrome Beta, Google Wave, ...).

On the other hand they have the power to intercept and analyze the complete
data- and phone communication without anonymization. They of course use it not
only to find malware and security risks, as was intended in the bill, but to
provide 'suspicious' data to the police and intelligence services
(<http://www.golem.de/0901/64639.html>).

We also have data retention for all communication data for six months and have
planned a nice censorship infrastructure to block domains (against child
pornography for now), not unlike Australia or China.

But at least IE has only 40% market share... (<http://www.browser-statistik.de/>)

------
jpcx01
Seriously, any company still forcing IE6 on their employees should be reported
to the government and taxed. These stupid corporate IT decisions are impacting
everyone, and there needs to be regulation. It's no different than if the
company was pumping toxins into the air.

------
tptacek
This vulnerability is no longer unknown, though it is (to my knowledge) still
unpatched. It is known not to be exploitable on IE7 with DEP enabled, so most
IE instances should in fact be easy to lock down.

~~~
rms
China and the USA both have access to the Windows and IE source code, correct?
So presumably they have as many pre-0day vulnerabilities as are ever needed.

~~~
tptacek
You're crazy if you think access to IE source code is anything more than a
speed bump for vulnerability researchers. Microsoft code is among the easiest
to reverse out in a disassembler, and they publish symbols.

In any case, this vulnerability looks remarkably straightforward. You could
conceive of the fuzzer that might have found it. It would be an extremely
clever fuzzer, but not an unprecedented one.

~~~
rms
(I know very little about security research, which is readily apparent...
should have phrased the second part of previous question as a comment as well)

~~~
tptacek
Maybe, but you shouldn't get downvoted for it. ;)

------
NathanKP
Someone ought to edit

    &utm_content=Google+Reader

out of the link so that the visits from HN aren't reported as referrals from
Google Reader. By the way, this also tells me that the poster found the
article in their reader and copied the link directly from the reader.

