Dept. of Homeland Security Says to Stop Using IE

LWATCDR writes "I have been saying this for a long time but now it is offical. From Yahoo News: 'The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft's Internet Explorer.'" In related news, rocketjam writes "According to Wired, the widespread Internet Explorer security exploit last week and CERT's subsequent recommendation that IE users should consider switching to another browser has resulted in a large spike in downloads of the Mozilla Organization's Mozilla and Firefox web browsers."

If it's broke...well....we'll fix it later

Rather than come right out and say that their I.E. browser is not yet up to snuff in terms of security issues, Microsoft issues this absolutely delicious serving of corporate double-speak:

"In the meantime, we have provided customers with prescriptive guidance to help mitigate these issues."

This translates to a set of instructions for making changes in I.E. settings since the default settings are not terribly good for security. THe MS spokesperson said that a "comprehensive" security pack for I.E. will be out later this summer. You gotta love this. You just cannot make stuff up like this!

Cheers!

Erick

Re:If it's broke...well....we'll fix it later

Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only whole they haven't plugged in months...

Re:If it's broke...well....we'll fix it later

The difference of course is that Sendmail and Apache fix security vulnerabilities in a reasonable amount of time (usually days, if not hours)

Furthermore, there are generally also configuration changes you can make in the mean time to these products to nullify the vulnerabiltiy. There is nothing you can do with IE except disable ActiveX and set the security level to high which (1) makes IE somewhat unusable and (2) STILL doesn't completly protect you.

Finkployd

Re:If it's broke...well....we'll fix it later

I would venture to guess that the majority of users who (1) know to do this and (2) know how to do this are probably not using IE anyway.

Finkployd

Re:If it's broke...well....we'll fix it later

How about the majority of folks who are not using Windowx XP? Can they install "IE SP2"?

Re:If it's broke...well....we'll fix it later

I believe the poster was referring to a company knowing about a severe defect in a product and simply failing to address the issue for a ridiculously extended period of time. It's especially dreadful when the same general problem keeps recurring. For major OS products, when a problem is revealed it is quickly fixed, and the problem *stays* fixed. You simply can NOT say this about Microsoft's products.

So yeah, we have a pattern of extreme negligence on the part of Microsoft. But I guess it can't be helped because they have no incentive to fix it (thank you USDOJ).

Re:If it's broke...well....we'll fix it later

Sorry, this analogy doesn't work. If a window is unlocked, it's easy to see that is so and how to lock it.

Going a little deeper, it's all about risk/benefit. People know the risks of having a window, and feel it's worth it to have the benefits of a window.

You simply cannot say that about the Windoze/IE flaws. Most people have little understanding (even now) of the risks of using insecure software and little or no understanding of how to mitigate the risks. The benefits are obvious, but the risks are still an unknown to most users.

IANAL, but I'm willing to believe that a class action suit against MS could be mounted and might even prevail, based on the negligence of the company.

Re:If it's broke...well....we'll fix it later

My windows aren't easy. I can't just stand in my house and determine whether my windows are locked or not. Ihave to walk ove to them. I have to look at the lock. Then I have to actually try to lift the damn window, since the locks are internal and I can't ever remember if "lever to the left" means locked or unlocked. Do I have grounds for a lawsuit if I can't tell if my house is secure?

You seriously better hope a class action lawsuit *never* comes up for this. That would seriously turn the entire software industry on it's head. Where would it stop?

If I'm playing a competitive game of UT2k4 and the mouse driver cuts out, can I sue Logitech for loss of potential profits?

If I'm writing my thesis and the power cuts out, can I sue the Utilities Company for my lost tuition?

If I'm using a statistical package and, due to some bug, I determine that shooting myself in the face with a loaded shotgun has a -0.314159 probability of death, can my mourning relatives sue the company?

At what point does the software manufacturer get to say "Hey, we did our part. The rest is up to you."

It's a very slippery slope.

Re:If it's broke...well....we'll fix it later

The problem with that analogy is that the very nature of a window is inherently insecure in various ways. If you can make it 100% (or 99%) secure, it's probably not a window anymore. But there's no such attribute of an operating system and its applications - it is not a given that software is reasonably expected to be insecure, especially a many $$$ operating system. And when there are security flaws that can be fixed and they are left unfixed, that is a heckuva lot more worthy of a lawsuit than windows not made out of "1/4-inch steel".

Re:If it's broke...well....we'll fix it later

More than anything the difference in terms of lawsuits is push and pull. Microsoft pushes their browser out, consumers have no choice in the matter.

Sendmail and Apache however are pull, they are available freely but you must go out and get them yourself.

For most software it's a question of cost. In terms of free software Microsoft is the only company in a position to "push", they push using their monopoly onto oem installs. Since nobody else has that monopoly, there is nobody else who produces and distributes free (as in beer) software who should be held liable for glitches in said software.

Re:If it's broke...well....we'll fix it later

You misunderstand. I am referring to the difference between making a mistake, but then making an effort to fix it, and making a mistake, and then blaming everyone but youself. All the while not fixing it.

I'm wondering at what point it becomes criminal negligance.

Finkployd

Re:If it's broke...well....we'll fix it later

As pointed out, IE & IIS and such are paid for. Another factor is that despite the weak remedy of the DOJ antitrust suit, MS was still found to be a monopoly. This puts them into a different class than most other software.

Despite the click-wrap license which claims no liability, I think it would be easy to show the contrary and the class action is a good idea. MS is a for-profit company and as such their goal is to make money. They aren't going to write any code unless it affects the balance sheet. Time to make the exploits show up on the 10-Q.

There's more truth in Dilbert than in Farenheit 9/11

Re:If it's broke...well....we'll fix it later

Also, if you see the bug in sendmail you can (in theory) find the bug and recompile, or download a patch from someone else who has done the same.

With IE you have no option but to depend on Microsoft for patches and updates.

Re:If it's broke...well....we'll fix it later

The problem is that OEMs are not free to change the browser. If you are a Microsoft OEM, you CANNOT replace IE at all. This is the root of the problem. Computers are bought as a package deal from OEMs, and Microsoft has prevented OEMs from including competitive software in the default installs.

IE is not free

You should be entitled to the full price of Internet Explorer. Oh wait.. they offer it for free.

They don't. By their own testimony, IE is an integral part of their operating system. And indeed, several important operations in Windows are impossible to perform without IE installed. The operating system is not free, and neither are its integral parts.

Here's one

"money" , and the reality that most people use IE because of illegal monopolistic actions that resulted in MSOS being the defacto install on their computers, so they use what came with the package, which includes IE, and they are encouraged to go onto the internet without adequate instructions, or without adequate protections, both of which are well known to MS and the various vendors who sold them their computers.

When you have the vast bulk of PCs the last decade and a half being shipped with MSOS, they had a responsibility to make sure they weren't violating anti trust laws, which they failed to do, and got convicted of it.

The consumer was long ago denied any reasonable* expectation of free market choice, when the vendors themselves conspired with MS to ONLY include MSOS to such an extent. It's intent, and to my way of seeing it, is an example of RICO action and should have resulted in MS and several large vendors getting charged with criminal violations, not just civil violations, and several billionaires going to jail over it.

Even though IE is a free download, it is easily observed that most people did not have some other OS OR of their free will go "download IE", it came as a bundled app with their monopoly enforced distribution of MSOS, and the product is seriously flawed. Seriously. The EULA should be challeged, and we need to get a determination of when and how any product may be profited from, but still avoid an implied warranty for suitability for purpose. If they get granted a patent and a copyright, they have certain responsbilites when they trade it in some fashion for money. When you receive something for free, it's a different story. That's the major difference there. And if that again causes a shift in free/open source, how it's distributed, it would be worth it to force closed source/propietary and for-profit sodftware to get classed as a product that is sold, and have normal consumer protections. The tradeoffs are worth it, IMO.

* please note, I said reasonable as opposed to technical. Technically yes, they had a choice, reasonably, no, there was little choice, and still not much. Walk into any big computer store, what is the default install on the boxes there? Are any of them safe to go on the net "as is", how they are sold? No, they are not. The EULA basically is an example of a vast huge case of consumer fraud, IMO. People assume their brand new computers will work, and part of their entire computer package they purchase with real money is the software that comes with it. They would sell little if any new computers bundlked with MSOS if they were merely labled truthfully, as in "you will probably get infected with virus, malware, trojans, backdoors, etc within one hour of being on the internet with the default install and configuration if you click accept on the EULA provided for the bundled microsoft software". If that sticker was on the outside of the boxes, the stores wouldn't seel hardly any of them. How many computers and copies of MSOS would they sell then, if they were merely required to tell the truth, even keeping the current EULAs in place, exactly how they are written now?

I personally *do not care* if the entire software industry top to bottom, left to right, inside to outside has to change licensing,thinking, what they do or how they do it, enough's ENOUGH on claiming a 60 year old industry that has raked in untold hundreds of billions of dollars or more isn't mature and sophisticated enough to offer products that can be covered by minimum consumer implied warranties. Time to take the training wheels off, and get rid of the EULA get out of any responsibility "license". If it slows down releases and causes huge shifts in PHB and investors thinkings and stock holders profits, I could care less, and I bet millions more consumers feel the same exact way. Software will still be written and sold or given away, just of much better quality. Releases will be slower, but they will be much better quality. Pressure will shift from get i

Re:If it's broke...well....we'll fix it later

Repeat after me: Global Class Action Lawsuit against Microsoft. Bunch of bumbling fubars. And that ain't the only whole they haven't plugged in months...

That last sentence gives me a better idea... forget the lawsuit. Encourage their spouses to deny them until those bugs get fixed.

Call it Project Lysistrata.

Uhh... that assumes they have spouses to deny them. If not, distribute their pictures to every singles bar and sweaty-palm dating site, with a "DO NOT TOUCH THIS PERSON." warning.

If they're not plugging holes now, they certainly won't be plugging holes until the bugs get fixed!*

* "or get plugged", depending upon gender and orientation. Deny, deny, deny until the bugs are fixed!

Re:If it's broke...well....we'll fix it later

Uhh... that assumes they have spouses to deny them. If not, distribute their pictures to every singles bar and sweaty-palm dating site

These are Microsoft developers. You'd better be distributing those pictures to all the hookers and massage parlors in and around Seattle.

Re:If it's broke...well....we'll fix it later

What is a 'Global Class action Lawsuit'? is this when the entire planet sues a company?

Perhaps Microsoft didn't adhere to Global Law and will face a Global Court. In front of this World Court where juristiction is not in any way ambiguous, microsoft shall be cleansed of all the evil wealth it created and be forced to continue to work for free on open source projects.

Re:Why's Parent "Funny?"

Quicken, Photoshop, and 3D CAD (SolidWorks). I rely on those programs. Make Linux run them and I'll switch immediately. Until then, I suffer with MS crap, along with the rest of the world.

Your reaction makes perfect sense - use what OS you need to to run the apps you want - but your post also contains the incorrect implication that there's something that Linux could do to make those apps run on it. There isn't. It's entirely in the hands of the application writers, and market forces. That's not something linux itself can change. It's a social problem, not a technical one. The apps don't exist on linux because the companies that make them don't think the effort to port would bring them enough new customers. This has nothing do to with any deficiencies in the OS itself. None.

Re:If it's broke...well....we'll fix it later

How about partials? Have they plugged any partials lately?

Only partially. (sorry about that;)

Re:If it's broke...well....we'll fix it later

It would be equally interesting if the US decided to class action the GOP for allowing MS to continue bundling IE in the OS when it
a) knew of the problems at hand
b) had already proven this was a monopolistic practice because of lack of choice
c) Balked at the chance to remedy the situation after b) was proven true in court, thus forcing numerous citizens to be exposed to risk without their choice or consent

"Willful neglect"?

(FTR: I do not generally approve of a sue-happy society)

Re:If it's broke...well....we'll fix it later

Doesn't the click-wrap license agreement stipulate that you agree to "indemnify and hold harmless" (or however it's phrased) Microsoft, such that you don't have recourse to lawsuit? IANAL, but that's my reading of it.

Leaving aside whether or not click-wrap licenses are actually enforceable, I suggest that all the folks who aren't using any MS products at all (myself included) -- and as such haven't agreed to any such nonsense -- band together to join a class action suit against them. Whether it's for all the time we're stuck burning, having to fix the Windows PCs our friends, family, &c constantly need fixed, network outages caused by virii that use Windows exploits as a vector (my ISP [cable] was more or less buried under the overload in traffic from MyDoom and Welchia or whatever they were called, to the point that their only recourse was turning off infected users' connections).

Does "people who don't use a product but are still inconvenienced, put out and may even have suffered financial loss (as did a friend of mine when our ISP choked on virus traffic) because of its foreseeable and preventable problems" consitute a class?

Re:If it's broke...well....we'll fix it later

Yes and Yes.

THIS SOFTWARE IS PROVIDED "AS-IS" WITHOUT ANY WARRANTIES....

Class action lawsuits are bullshit anyway. Only the attorneys and the class-leader(s) get any significant money. Everybody else gets twenty bucks after they fill out a mountain of paperwork. I'm glad I live in a state with no class action status.

Re:If it's broke...well....we'll fix it later

"Doesn't the click-wrap license agreement stipulate that you agree to "indemnify and hold harmless" (or however it's phrased) Microsoft, such that you don't have recourse to lawsuit?"

Yeah, but, wasn't it just a few weeks ago, that a company got out of legal problems involved with privacy (an airline?), because they argued that most of the plantiffs probably did not read the privacy statement they clicked to agree with....and therefore it wasn't binding.

Well, if that works in reverse...just claim you never read those click through EULA's.....and therefore aren't bound by them...and so you can sue.

Seems fair....?

Re:If it's broke...well....we'll fix it later

This is the wrong way to to. MS should lose market share for being insecure, that's certainly true, but the #1 reason that we suffer so much from MS' operating systems is the homogeneity of the OS market, and while they've fought as hard to stay on top as any other corporation would have, I'm not willing to say that it's their fault that everyone has been saying "screw security, I need Word" for 10 years.

We knew better, but we got burned. Now is the time to take responsibility for our actions and switch to non-MS products.

Re:If it's broke...well....we'll fix it later

Maybe this is a good time for all those to start badgering "IE Only" web sites (especially financial institutions) to wise up and support other browsers due to the security issues. I'm lucky my bank has already "seen the light" and started supporting any standards compliant browser.

For a while, I have had to have my browser lie to web sites about what it is on too many sites. For the most part, this is no longer needed.

Re:If it's broke...well....we'll fix it later

The #1 reason for security holes in MS products is NOT the homogeneity of the OS market. It is clearly a failure of Microsoft to take security seriously from the start. They programmed an OS that did everything for the stupid user so the stupid user wouldn't have to think. They ignored all the standards and specs to throw in their own proprietary garbage.

It amazes me that no one has pointed out the obvious:

With their TREMENDOUS market share, Microsoft has a moral (and probably legal) obligation to secure their software and they have failed to do this for years. Entire industries depend on MS software. There is no excuse. Failure to do this is simply immoral and unethical, but we have come to expect this behavior from MS.

Frankly a class-action lawsuit is long-overdue.

Re:If it's broke...well....we'll fix it later

...Entire industries depend on MS software. There is no excuse. Failure to do this is simply immoral and unethical, but we have come to expect this behavior from MS.

Remember, M$ is a corporation. Corporations have but one gole: profit. Morals come into play only when they affect profit. As M$ has a virtual desktop monopoly (for the moment), they have no need of morals.

Now if high level executives start doing hard time for the crimes the corporation(s) they run commit, morals will have a much greater influence.

Can we can this rubish once and for all please?

I don't know where you USian guys get this rubish about companies have only one goal, the damned profit.

You have been brainwashed and repeat your little mantra like the good Chinese workers used to parrot Mao's Red Book.

Companies can be the expresion of an ideal, the realization of a dream or the intent to attack social problems. You have companies that have been set up to ensure fair trade of tea and coffee, other companies that operate in a cooperative basis in which the workers are owners and benefit.

In Brazil a well known style of management (like some forward thinking USian companies like Google) support their employees to start their own businesses on their free time using company's resources that otherwise would not be utilized.

Many companies have programs to vinculate them with their local communities (mine is one of them) helping with reading skills, IT skills on deprived schools, and promoting on their employees a culture of solidarity and social responsibility. Many of you don't know, but many corporations have strict guidelines about what is legal or moreal and what is not, and employess are lectured constantly (to the point of boredom) about legal and moral obligations.

There are companies out there that compete trying to put innovative products on the market and not by the shameful "embracing and extending" touted by the greatest megalomaniac of the IT industry.

The companies are what you want them to be, if they only pursue profit without regards for the consequences it is because greedy unscrupulous individuals have been made heroes by their peers, the media and unsuspected Red Book reciters.

Re:If it's broke...well....we'll fix it later

Let's see.. 10 years ago I was thinking how cool it was that I could have a windowing system of any kind on a cheap generic computer. What were the alternatives to Win3.1 on DOS for my 486? By the time OS/2 came out, it was too late. Windows owned the market. Why bother with OS/2 then?

I mean, really. In 1994, I was not thinking, "Oh geez, these worms and trojans and virii sure are a pain unique to Windows--maybe I could switch to some UNIX-like OS on my Intel computer." I was thinking, "How can I get the web working with my 14.4 modem?" and "Wow, CD-ROM drives sure are cool."

Re:If it's broke...well....we'll fix it later

Oh, please. A managed runtime is not a magical security bullet. In the case of Internet Explorer here, these are not the buffer overflows, off-by-one or signedness errors that a managed runtime could ever protect against. These are simple security design errors. Microsoft wanted to show how great their IE engine was and implemented security zones so that local HTML-only applications could exist using the engine. They are being burned by this, now, as people find new ways to turn the higher security 'Internet Zone' into the lower security 'My Computer' or 'Trusted Sites' zones.

Of all programming errors, buffer overflows, off-by-one, and signed mistakes are some of the easiest spot and to fix. Other errors, like SQL injection, privledge separation, races and the dozens of other errors that can cause crashes, security vulnerabilities, or denial of service attacks, can not be protected against by a managed language because they're outside the scope of the language itself.

Re:If it's broke...well....we'll fix it later

Though Apache is demonstratably better than IIS, and there is plenty of proof that anything database, filesystem or network related is far better in Linux than in Windows, I am uncertain about desktop software.

My impression is that the stuff being forced onto the Linux desktop is as huge of a bloated and hacked mess as anything coming out of Redmond, and that only the variety and minor market share of any of them is preventing exploits as bad or worse than anything in IE. Though I doubt anything on Linux is as bad as Outlook, but neither is anything else from Redmond that bad.

Capitolism

"Global Class Action Lawsuit against Microsoft"

This is what people don't understand about capitalism. If you don't like the product, you don't have to sue, just stop using the damn product.

I really hate this attitude, "the man keeps us down, so lets sue." It makes absolutely no sense at all. Corporation uses child labour to make affordable products, sue them. Heaven forbid you should accept responsibility for it and stop buying their low-quality products. MSFT sells software for too much money, sue them, don't simply use something else. It's no wonder we have so much unnecessary litigation in this country.

Re:Capitolism

"Capitolism": The tendency to put golden domes on buildings.

Seriously, avoiding certain purchases only goes so far. If action isn't taken to proactively stop clothing manufacturers from using sweatshop child labor, then they'll keep doind so, forcing everyone else to do the same thing or get priced out of the market. When it's all made that way, what do you do then, build a loom and start farming sheep and cotton?

Re:Capitolism

You don't quite seem to understand capitalism, I'm afraid. It's not a system that responds to public opinion and the needs of the collective social good - it responds to supply, demand, efficiency, convenience, & price. When a person makes a purchase decision, there is a very complex multi-variable equation being solved, a reflex calculation of interfering and intersecting desires as opposed to the prices of the objects for sale.

People will without fail attempt to make the choice they feel is most advantageous to themselves. Valuation is in the eye of the purchaser, and it is this that the purchaser's ethics and ideals of social good must affect in order to affect the outcome of any purchase.
People who complain about Wal-Mart's behavior yet continue to purchase Wal-Mart's goods, for example, do not weigh the cost of the social ill they believe Wal-Mart creates heavily enough against the value of the goods to stop them from making the decision to buy Wal-Mart's product.

This is exactly the same reason why consumers won't pay a price premium for the privilege of not fucking over struggling third-world coffee farmers. Bad shit that happens to other people isn't seen to be as important as bad shit that happens to one's self, even when the bad shit that happens to you is relatively trivial, such as having to spend that extra $3 for the guilt-free version.

This is precisely why courts of civil and criminal law at the state and federal levels have authority over business activities - there are many sorts of behavior that will give a company a large competitive advantage that are collectively perceived as undesirable, but which will clearly be rewarded financially by a pure system of capitalism. Undesirable and socially harmful behavior can be proscribed and reprimanded by the courts, which is a socialist aspect of our American marketplace, like it or not. I think that overall it's more beneficial than harmful, but that's just my opinion.

As regards the question of whether or not Microsoft's activities have been sufficiently harmful to consumers to merit the prosecution of a class-action lawsuit, I would suggest that it is certainly the right of American citizens to raise that question in a court of law if they feel that there is sufficient reason to do so, and that the social order we have wherein, where we would accept the decision of the court in this question, is working reasonably well in such an instance.

Re:Capitolism

Oh those Ford Pinto's that exlpode in flames when rear-ended? Don't sue, just don't buy the things...

No, lawsuits are a reasonable way to redress injury caused by faulty product design.

The economic pressure by fewer sales is one too, but especially in monopoly markets, legal instruments may be the only effective way to curtail abuses in a reasonable amount of time.

If you produce crap defective product, expect lower sales AND lawsuits. Both reduce the profit of the company and can be used a lever to induce better behavior. Both are legitimate tools.

Cheers,
Greg

Re:Capitolism

That still doesn't address previous damages. Fleeing to another product only prevents FUTURE damages. A harm has still been done. Harm will likely continue to be perpetrated until the careless party is made to be accountable.

Individuals are subjected to the "Crime and Punishment" mentality, corporate persons should be given no special treatment in this regard.

Microsoft will not be sued...

...because they are a monopoly (in regard to the IE bugs and the DHS advisory).

They will be sued because they were willfully negligent in the maintenance a monopoly product, the sabotage of which inflicts material damage upon third parties in the range of hundreds of millions of dollars.

Don't let your dislike of antitrust law cloud the real harm that this software has done. If Standard Oil had sold petroleum products that destroyed the engines of their customers during their monopoly breakup, would they still be liable for damages? Of course.

p.s. IANAL.