Free Republic
Browse · Search
Bloggers & Personal
Topics · Post Article

Skip to comments.

RIP, IE
Linux Today ^ | 25 June 2004 | Brian Proffitt

Posted on 06/25/2004 7:05:03 PM PDT by ShadowAce

Before you start reading, fire up the printer, and get the scissors. You may want to clip this one out and give it to your friends and colleagues who are still in Windows land.

There are times in life when you actually hear words coming out of your mouth and even as they're coming out, you realize how stupid they sound. I realize that in my own personal and professional life, this sort of thing happens a bit more than the statistical average, but this morning I uttered words that sounded so completely insane, I had to share them.

After getting up early and scoping out the Net for new and interesting stories to post, I ran across several articles detailing a new form of malware that supposedly hides in Web site graphics, and will download a package to a computer running IE, without the user even knowing it. No one is sure what this package will do; it could be spyware doing keystroke logging, or could be a way to turn an infected computer into an unwitting spam generator. Time, unfortunately, will tell.

Now, after reading this, I was not terribly concerned, since the one Windows machine in the house runs Netscape, and this lovely new piece of malware affacts only those unfortunate running Internet Explorer. But, when my wife came in to say goodbye before she went to work, I said this to her:

"If you surf at work today, you may want to rethink it. There's a new virus hiding out in images out on the Web."

"On which sites?," my intelligent spouse asked.

"They don't know yet, or they're not saying," her not-so-intelligent husband replied.

And as we were having this exchange, I realized that this tiny little conversation had to be the most insane thing I said or will say today. It boiled down to: there's a virus out there that will hit your IE-running computers and you won't know where or when it hits.

Now, to be fair, later today I learned that this immediate threat had been thwarted, because they managed to shut down the Russian server all this malware was sending information to. The malware is still out there, still infecting IE-running PCs, except now it's effectively rendered toothless. Not by a patch or a fix from Microsoft, understand.

And, after all of this, that's when it dawned on me: Internet Explorer must die.

Not be fixed. Not be patched. Be dead, as in no one in their right mind should use it anymore.

This is a piece of software--a closed source, and therefore supposedly (ha!) more secure piece of software, mind you--that is constantly having innumerable flaws exposed and taken advantage of. In the recent past, it was download this, and you're doomed. Open this, and you're in trouble.

Now, it's: open any page on a Web site running a Microsoft Internet Information Server, and you potentially could be infected.

Read this again: By opening a page. With pictures.

I say that this sort of irreponsibility must be stopped and stopped now. The public must be made aware that while Microsoft is certainly not responsible for the behavior of crackers behaving the way they do, they are certainly responsible for creating such a fertile field for them to play in.

So, to that end, I want you to give this article to a friend or colleague and have them read this passage:

"The receiver of this article will be granted the services by the giver of this article to install a non-IE based browser on their computer, free of charge, for the receiver to try. The person providing this service will install the browser on any operating system you have, and promises not to ease you if you are using Windows. The receiver of this service will agree to give the new browser an honest try as their default browser and see what they think."

Now, if you give this article to someone, then you should be prepared to follow up on this clause. Install Mozilla or Firefox for your friend. Install Netscape. Heck, install Opera if they really hate the whole idea of open source. Just get then to try something else, besides IE. Be nice about it, and helpful. Make sure their bookmarks and home pages are set just so. And don't hassle them if they're still using Windows. It all has to be done one step at a time.

If they ask, indicate that while Mozilla and other browsers have flaws too, there are no where near as many critical issues, because Mozilla and the rest, unlike IE, are not intrically tied to the operating system and therefore flaws are not as likely to bring about the complete ownership of their systems by some mook.

I think this will be an excellent way to demonstrate that (1) open source software is not primitive, cobbled-together code and (2) IE is not the be-all end-all of browser technology.

After they try it, and like it, you can use a similar technique for other cross-platform OSS, such as OpenOffice.org. Once they're comfortable with that, then you can waddle out the penguin.

This is my ultimate migration plan. Nothing fancy-schmancy. No usability studies. Just kill off IE first to save us all from zombified computers and massive worm traffic, then work on the other stuff.

Because we can all talk a good argument up for open source, but a lot of folks still need to take it for a spin to really understand. So let's rev up the test drives.


TOPICS:
KEYWORDS: browsers; firefox; free; ie; linux; microshaft; mozilla; windows
Navigation: use the links below to view more comments.
first previous 1-20 ... 41-6061-8081-100101-120 last
To: ShadowAce

Thanks for responding. I suspected that Microsoft made it very difficult and I wanted to remove out of spite for all the grief that Wintel has given me compared to Macintosh, not for any really good reason.


101 posted on 06/26/2004 9:38:17 AM PDT by Biblebelter
[ Post Reply | Private Reply | To 100 | View Replies]

To: Musket
Gee that's a lot of bugs.

Yeah, it is.

I've been using Firefox for a day and a half on XP with zero problems. And I've had Mozilla on my Linux box forever with zero problems.

Congratulations. That means nothing.

Are you trying to scare people?

No. Merely pointing out that every software product has a ton of bugs -- despite the illusion that zealots such as yourself would project.

I think you're too late. There has been a mass exodus from IE in the past 36 hours.

Rrrrrrrright. Maybe it's cracked 1% of the browser market. /SARCASM
102 posted on 06/26/2004 10:05:03 AM PDT by Bush2000
[ Post Reply | Private Reply | To 92 | View Replies]

To: ShadowAce
Maybe this will make you feel better... /SARCASM

169 Critical Firefox bugs

FireFox: Where Do You Want To Crash Today(tm)?
103 posted on 06/26/2004 11:16:16 AM PDT by Bush2000
[ Post Reply | Private Reply | To 97 | View Replies]

To: Bush2000
Only one of your reported MOZILLA bugs mentions a virus, worm, or trojan, and THAT has nothing to do with FIREFOX (which has no built-in email program)
104 posted on 06/26/2004 11:39:29 AM PDT by Future Useless Eater (FreedomLoving_Engineer)
[ Post Reply | Private Reply | To 91 | View Replies]

To: Bush2000
Thank you. Now please link to the list of all unconfirmed, new, and assigned critical bugs in Microsoft's bug tracking system for all versions of IE6, along with all developer comments, examples, and patches. The list should be quite a bit shorter, since IE is a more mature codebase, Microsoft has more paid developers, IE has far less functionality built-in than does Firefox, and IE only exists on one or two platforms, compared to all the platforms that Firefox runs on (Windows, Mac, Linux on multiple architectures, *BSD on multiple architectures, Solaris, VMS, etc). If we were to trim the Firefox bug list to only those bugs confirmed critical on Windows, there'd only be 36. And most of those are for specific cases like certain web pages few people use or obscure cases like "Firefox crashes if you release mouse button while scrolling a bookmark up in the list and don't select another one before closing the Manage Bookmarks window." In any case, I'm waiting to see IE's bug database.
105 posted on 06/26/2004 11:54:40 AM PDT by Caesar Soze
[ Post Reply | Private Reply | To 103 | View Replies]

To: ShadowAce
may require the TabBrowser extension

Yeah, that was the first one I installed. It still doesn't work like the "slave" option, but I'm adjusting. Thanks.

106 posted on 06/26/2004 12:08:40 PM PDT by Flyer (This dog bite me)
[ Post Reply | Private Reply | To 98 | View Replies]

To: Allan

Bump


107 posted on 06/26/2004 12:28:04 PM PDT by Allan
[ Post Reply | Private Reply | To 83 | View Replies]

To: Bush2000
946 Mozilla Critical New Bugs

I think that's a good point. However I don't know how it would compare to IE, there's not a corollary site for MS internal bug fix logs, I don't think. But maybe we could look at security vulnerabilities.

So, you got me thinking though. To really compare, we'd need some metric to weigh the potential risk, which we don't have in order to compare.

Ignoring the relative severity of this particular exploit – unique to Windows/IE, – I thought it might be interesting to look at a comparison of number security vulnerabilites specific to the two browsers.

FWIW, here's what I got from http://www.securityfocus.com/bid/vendor/ since Jan. 1, 2004:

Security Vulnerabilities specific to Mozilla Browser
 2004-06-14: Mozilla Browser URI Obfuscation Weakness
 2004-05-26: Mozilla Browser Zombie Document Cross-Site Scripting Vulnerability
 2004-05-26: Mozilla Browser Cookie Path Restriction Bypass Vulnerability
 2004-04-15: Mozilla Messenger Remote Denial Of Service Vulnerability
 2004-03-10: Mozilla Browser Script.prototype.freeze/thaw Arbitrary Code Execution Vulnerability
 2004-03-10: Mozilla Browser Proxy Server Authentication Credential Disclosure Vulnerability
 2004-01-20: Mozilla Browser Cross Domain Violation Vulnerability

Security Vulnerabilities specific to Internet Explorer
 2004-06-21: Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability
 2004-06-16: Microsoft Internet Explorer HREF Save As Denial of Service Vulnerability
 2004-06-15: Microsoft Internet Explorer Wildcard DNS Cross-Site Scripting Vulnerability
 2004-06-10: Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness
 2004-06-10: Multiple Microsoft Internet Explorer Script Execution Vulnerabilities
 2004-06-07: Microsoft Internet Explorer URL Local Resource Access Weakness
 2004-06-04: Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability
 2004-05-18: Microsoft Internet Explorer CSS Style Sheet Memory Corruption Vulnerability
 2004-05-15: Microsoft Internet Explorer http-equiv Meta Tag Denial of Service Vulnerability
 2004-05-14: Microsoft Internet Explorer Codebase Double Backslash Local Zone File Execution Weakness
 2004-05-14: Microsoft Internet Explorer Double Backslash CHM File Execution Weakness
 2004-05-14: Microsoft Internet Explorer Interface Spoofing Vulnerability
 2004-05-11: Microsoft Internet Explorer Unconfirmed Memory Corruption Vulnerability
 2004-05-10: Microsoft Internet Explorer XML Parsing Denial Of Service Vulnerability
 2004-05-10: Microsoft Internet Explorer Embedded Image URI Obfuscation Weakness
 2004-04-30: Microsoft Internet Explorer Meta Data Foreign Domain Spoofing Vulnerability
 2004-04-21: Microsoft Outlook Express MHTML Forced File Execution Vulnerability
 2004-04-21: Microsoft Outlook Express MHTML Redirection Local File Parsing Vulnerability
 2004-04-17: Microsoft Internet Explorer Object Element Data Denial Of Service Vulnerability
 2004-04-12: Microsoft Internet Explorer Bitmap File Processing Denial of Service Vulnerability
 2004-04-07: Microsoft Internet Explorer Remote IFRAME Denial Of Service Vulnerability
 2004-04-06: Microsoft Internet Explorer Macromedia Flash Player Plug-in Remote Denial of Service Vulnerability
 2004-04-06: Microsoft Internet Explorer MSWebDVD Object Denial of Service Vulnerability
 2004-04-01: Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
 2004-03-29: Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
 2004-03-04: Microsoft Internet Explorer Script URL Cross-Domain Access Violation Vulnerability
 2004-03-04: Microsoft Internet Explorer window.open Search Pane Cross-Zone Scripting Vulnerability
 2004-03-04: Microsoft Internet Explorer window.open Media Bar Cross-Zone Scripting Vulnerability
 2004-02-27: Microsoft Internet Explorer Cross-Domain Event Leakage Vulnerability
 2004-02-16: Microsoft Internet Explorer Bitmap Processing Integer Overflow Vulnerability
 2004-02-11: Microsoft Internet Explorer Unauthorized Clipboard Contents Disclosure Vulnerability
 2004-02-10: Microsoft Internet Explorer Double-Null URI Denial Of Service Vulnerability
 2004-02-09: Microsoft Internet Explorer LoadPicture File Enumeration Weakness
 2004-02-03: Microsoft Internet Explorer NavigateAndFind() Cross-Zone Policy Vulnerability
 2004-02-02: Microsoft Internet Explorer BackToFramedJPU Cross-Domain Policy Vulnerability
 2004-02-02: Microsoft Internet Explorer Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability
 2004-01-27: Microsoft Internet Explorer CLSID File Extension Misrepresentation Vulnerability
 2004-01-02: Microsoft Internet Explorer Malicious Shortcut Self-Executing HTML Vulnerability

108 posted on 06/26/2004 10:53:44 PM PDT by D-fendr
[ Post Reply | Private Reply | To 91 | View Replies]

To: D-fendr

Bush2000 will get back to you when he's done mowing Bill Gate's lawn.


109 posted on 06/27/2004 7:02:18 AM PDT by Musket
[ Post Reply | Private Reply | To 108 | View Replies]

To: ShadowAce
In Firefox, I highlight the desired text and right-click, click on "View Partial Source."

THANKS!!!!!!!!! I'd never seen that before. yet another reason to use Mozilla! Sweet stuff.

110 posted on 06/28/2004 12:52:29 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 42 | View Replies]

To: Ernest_at_the_Beach
Some of the extensions sound interesting.
Any suggestions there?

You didn't ask me, but I figured I'd chime in on this late day anyway...

I upgrade to the latest nightly every couple of weeks for bug hunting, so I have to re-install my plugins regularly. Here's what I run...

There are tons of cool extensions on the Mozilla site. As usual, some are better than others, YMMV. HAND!

111 posted on 06/28/2004 1:04:37 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 56 | View Replies]

To: ShadowAce
Could you add me to the browser ping list as well?
112 posted on 06/28/2004 1:11:04 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 96 | View Replies]

To: zeugma

Thanks will take a look at them.


113 posted on 06/28/2004 9:31:13 AM PDT by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
[ Post Reply | Private Reply | To 111 | View Replies]

To: zeugma

Done. I've only got one ping list. I only use it for tech/MS/Linux-type threads. If you're cool with that, I'll keep you on it.


114 posted on 06/28/2004 2:46:27 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 112 | View Replies]

To: zeugma
flashblock

Hey that's a good idea. Do they have midi file block? There's nothing worse than loading a page when that stupid sounding midi music starts playing, and you can't turn it off. As I'm usually not expecting it, it usually makes me jump out of my chair! One time I was listening to some really weak/low volume Realplayer file, left the volume on my stereo way up and continued surfing, forgetting that the voulume was WAY UP. Then I hit a midi file page and blew one of my JBL's.

Midi files on the web. Good grief, what a stupid idea.

115 posted on 06/28/2004 11:56:08 PM PDT by Musket
[ Post Reply | Private Reply | To 111 | View Replies]

To: Musket
I haven't been able to find a midi blocker yet, but I'll search around a bit. You can find most legitimate Mozilla extensions at The Extension Room.
116 posted on 06/29/2004 6:07:24 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 115 | View Replies]

To: zeugma

Thanks for the links!


117 posted on 06/29/2004 7:54:09 AM PDT by Musket
[ Post Reply | Private Reply | To 116 | View Replies]

To: blanknoone
The fact that it is open source means that hackers can look through the code for weakness. That is a downside for OS, but it only matters once it is common enough to be worth targeting.

Security through obscurity is no security. If that mattered, then Apache would have far more exploits than IIS, yet from 1999 to now I see far more IIS exploits than Apache exploits.

Why do you think that one of the requirements of a good encryption algorithm is that the attacker should be able to know everything (including the source code) but the key and still not break it? Because you can't hide security flaws behind closed source code and expect that to save you -- look at Cisco.

118 posted on 06/29/2004 2:43:13 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 50 | View Replies]

To: BigSkyFreeper
If IE or any other browser can render HTML, execute code, then by dumping IE for an alternative brower is a exercise in futility.

Except that the other browsers don't use system-level DLLs to do render, opening the door for a system takeover. Except that the other email clients don't use those same DLLs to render HTML emails, thus providing another pathway for web-based attacks.

119 posted on 06/29/2004 2:51:13 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 82 | View Replies]

To: antiRepublicrat; BigSkyFreeper
Here's another reason to dump IE.
120 posted on 06/29/2004 2:59:02 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 119 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-20 ... 41-6061-8081-100101-120 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Bloggers & Personal
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson