bbc.co.uk Navigation

Rory Cellan-Jones

Is it safe to Explore?

  • Rory Cellan-Jones
  • 16 Dec 08, 13:38 GMT

If the average computer user read the Microsoft security advisory about the Internet Explorer vulnerability - and you'd struggle to find it if you weren't looking - you might be none the wiser about how serious this was, or what action you should take.

Microsoft Internet Explorer logoA long way down comes this line: "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user." As far as I understand it, that means there is a real danger that Internet Explorer 7 users (and possibly users of other versions of IE) could be opening the door to cyber criminals to allow them to ransack the contents of your hard drive. In other words, it is a pretty serious situation.

So when I spoke to John Curran, head of Windows at Microsoft UK, I had three questions.

1. How serious is this?

Mr Curran told me that only a tiny proportion of websites were infected, but given the sheer scale of today's web, that could affect a large number of people.
So, he said, "it is certainly something people should take seriously."

2. So what should IE users do?

Microsoft is working on a patch but in the meantime Mr Curran said there were four steps to take.
- make sure anti-virus software is up to date.
- run Internet Explorer 7 or 8 in "protected mode".
- set Internet Explorer zone security setting to "High"
- Windows users should enable Automatic Updates so that they get any patch that is issued.

But of course doing all of that is not only time-consuming, it will make your web browsing experience slower and less rewarding. Which brings us to the final question.

3. Shouldn't you switch to another browser until the patch come out?

This has been the advice of a number of security firms - who of course are also touting their latest anti-virus products - but you won't be surprised to hear that Mr Curran disagrees. He told me he had recently seen a report which listed another browser as having the highest number of vulnerabilities. "it would not be advisable," he said,"to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities."

But given the choice between messing around with Internet Explorer and so enduring a second-rate browsing experience until the hole is fixed, or running Firefox, Safari or Opera, aren't quite a few people likely to switch? This could be the moment when the minnows in the browser wars finally score a significant victory.

Comments

Page 1 of 2

  • Comment number 1.

    I can't believe anybody would use IE anymore!

    I'm of the opinion that Safari or Google Chrome give the best website browsing experience these days, followed by Firefox.

    Once people try those alternative browsers I can't believe anybody would actually prefer using IE. I guess it's just that IE 'works' for most of the people that use it, and therefore they have no reason (or knowledge of how) to change browsers.

  • Comment number 2.

    1 - don't go on dubious websites
    2 - keep your virus software up to date
    3 - make sure you have your other vulnerabilities patched.

    Where was all the coverage when actual viruses were targetting actual vulnerabilities (MS08-067 in October)?

    this is a non story - thank you to this part of the site for alerting the world to the real issues.

  • Comment number 3.

    "Life without Walls" - indeed......
    Living with Gaping Holes is more like it!
    When will the long suffering Microsoft user base wake up and embrace the alternatives?
    Oh?, they are already?
    Splendid news......

  • Comment number 4.

    Is this in MSIE 6? Or is it just an IE 7 flaw? My employer actively prevents me installing IE 7, but it's on my kids and wife's machines.

    I always encourage them to use Firefox 3, but stuff like MSN messenger (aka Live Messenger) has a nasty habit of waking up MS IE when you least expect it.

  • Comment number 5.

    I agree with #1 - I can't believe that any reasonably computer-savvy person would ever choose IE over another browser. I use Firefox - it's much more flexible and less prone to security flaws.

    The only reason that IE keeps a large share of the market is that many people just use whatever their computer was bundled with (i.e. Microsoft software)- they don't know and/or care about trying another browser.

  • Comment number 6.

    Since IE's the default browser on Windows machines, I suspect that many of its users won't be familiar with its security flaws, or indeed, how to perform the steps in part 2 of your post.

    The simplest thing is to simply download another browser such as Firefox or Opera, and try that instead.

  • Comment number 7.

    I very occasionally use IE because some websites, including that of a major UKsupermarket, don't work properly with Firefox.

  • Comment number 8.

    Your article neglected to mention that 'Protected Mode' is not available on anything but Vista based IE7. XP IE7 does not have this feature for example.

  • Comment number 9.

    Have not used IE or Outlook for years.
    Only ever use IE if a site will just not operate on other browsers, and there are a surprising number that will not.
    Too often someone finds a disasterous backdoor in either IE or Outlook. With perhaps90% of the world, not to mention ISPs using them it pays hands down for hackers and the likes to concentrate on both to exploit the weaknesses to advantage.
    Why spend time finding problems in other browsers when the harvest is not likely to be so great.
    So dear reader, if you have not changed, do so, Firefox, Opera and counless others now available to try.
    And more bells on them to ring, as well as the ability to customise and select themes and colours.

  • Comment number 10.

    Clearly if anyone is using IE, they don't care much about security in the first place. I love it when I visit a dodgy site in Firefox on my Mac and the site prompts me to "upgrade Flash" (or whatever). Sometimes I click Yes just for fun, knowing it can't do anything.

    In response to Mr. Curran, I would much rather use a browser with lots of minor vulnerabilities than one with one MAJOR vulnerability (which is what this is). The number of vulnerabilities isn't important, it's their severity.

    If this flaw serves to drive people from the bane of the web that is IE, I see that as a good thing.

  • Comment number 11.

    Companies like Microsoft, Adobe, Symantec and many others, 'phone home' for operations such as product activation or software updates. These 'tunnels' are the backbone of those criminals seeking to exploit vulnerabilities.

    It may not be too long before the banks bring a class action against these software giants. If these vulnerabilities did not exist, then customers would not get raided and the banks would not lose the cash. Yet it is only ever the bank or the customer that takes the hit.

    A new EU law in 2009 may change all that. Watch out, Microsoft!

    See you in the pub.

  • Comment number 12.

    There is a reason experts have dubbed it 'Internet Exploder'.

    Get Firefox, Safari, Chrome, Camino, just use anything except IE (any version).

  • Comment number 13.

    Another reason why "I'm a Mac" 8-)

  • Comment number 14.

    As a de facto monopolist, Microsoft has been guilty for years of delivering poor quality, badly written software at a premium price, issuing corrections as so-called upgrades or new releases and having the arrogance to charge for them!

  • Comment number 15.

    You make it sound as though this is the first such flaw in IE... in truth, it's full of such problems, with the steady stream of patches to fix them pretty much matched by a steady stream of newly-discovered issues.

    Other browsers have issues, yes, but not in the same numbers or severity. Microsoft got lazy with IE in the years between Netscape becoming irrelevant and Firefox finally making some inroads in IE's dominance, and the product's paying for that inattention now...

  • Comment number 16.

    Is any Microsoft software safe?

    As Bruce Schneier said, Microsoft just see security as a marketing problem rather than a technical problem.

    Microsoft have for years now just focused on flashy features over robustness and security. This has lead to some monumentally stupid situations such as the version of Outlook that would automatically run a VB script in an e-mail.

    People should realise that there are so many free alternatives to Microsoft products that are actually better.

  • Comment number 17.

    IE explorer comes with Windows and internal snopping databases and like anything with a window it is easily broken and provides a entry for criminals.
    Haven't used it for years i use Firefox a far better and more secure browser.

  • Comment number 18.

    Don't be too hasty to jump to Firefox, Safari or Chrome, they ALL have their own set of serious security issues.

    Only last week were loads of bank details harvested by Firefox owners who got duped into loading a nasty plugin masquerading as GreaseMonkey.

    The ONLY safe browsing experience is Opera, it's the ONLY browser that is 100% patched, has no outstanding security vunrabilities, it's also one of the fastest and most functional out the box. It does not do extensions like Firefox, but that's a good thing. Extensions bring bloat and security headaches, and that is something Opera does not need.

  • Comment number 19.

    A bias article interviewing a bias person...

    Pray tell, what was this 'other' browser that has more flaws then? I can't believe any other browser is more flawed than IE...

    FireFox all the way.

  • Comment number 20.

    Up dated my computer to Vista.

    Started to use IE7 and quite liked it.
    McAfee started popping up saying that it had blocked this and blocked that; trojan here trojan there trojan everywhere.

    I then used IE7 to get to Google home page and downloaded Firefox.

    Back to normal.

    What a difference.

  • Comment number 21.

    the problem is that most people don;t know there are other browsers. For them, IE IS the internet. and I'm talking about relatively internet friendly people who use Facebook and hotmail etc, the bread-and-butter internet users. they're also the people least likely to read about this security problem, or indeed understand it applies to them.

    Like a lot of people in IT I have taken every opportunity to convert people to Firefox as it's the most friendly alternative in my opinion. When I first suggest it few have heard of it, but no-one has yet complained. I stress its security, add-ons potential, and, most importantly, the fact that it has a much cooler name.

  • Comment number 22.

    Moving to another browser would work simply because 95% of the world uses IE, so it isn't worth virus writers writing viruses for other browsers.

    To be really safe, run Linux rather than Windows, as Linux by default is a safer OS.

    Viruses will always happen because so many users are lazy and use the software which came on their machine...also they don't bother to learn how to use it to any depth.

  • Comment number 23.

    IE isn't known as Internet Exploiter for nothing, you know.

  • Comment number 24.

    Curious comment, firstly let me state more vulnerabilities does not equal less safe, let me explain... it is better to walk down the road in a sleepy village with £500 sticking out of your pocket than through London, same vulnerability but less of a chance of someone exploiting it... the minority browsers, Firefox included, dont attract the same number of interested hackers. It is a fact that IE represents a risk to users especially if it is unpatched or whilst it is un-patchable. I always suggest Firefox, and Chrome as alternatives as they can and more often than not do, give a better user experience if configured properly. I urge viewers to explore safe browsing options - look at setting your DNS to OpenDNS and try Firefox or Chrome even Safari or Opera. its an open world, or could be if we just try!

  • Comment number 25.

    I'm a firefox person but this is a non-story.

    Whats the point of worrying about your browser security if you don't shred your phone bills? I'm far more worried about using my bank card at the average petrol station than someone hijacking my PC. Given how many cash cards have been cloned in petrol stations its a riskier activity. Browser security is much less of a risk than human error- far more people will respond to phishing e-mails than will have their PC's hacked via IE.

    The only way to be TOTALLY secure is just not to bank on-line and only use a credit card (not a debit card) if you shop online.

  • Comment number 26.

    #18 correctly pointed out that bank details can be harvested from users.

    When on-line banking was introduced, a number of years ago, I remember someone from a large Bank explaining that he would not be using on-line banking as it was not secure.

    At the time I was researching RSA/PGP encryption methods and as such I readily agreed with him.

    IE was offering 128bit encryption which even for those days was laughable. (American/Canadian IE versions were offering 256 bit encryption.)

    I do not have any bank details on my computer, no way no how.

  • Comment number 27.

    To get Firefox go to

    http://www.mozilla.com/

    and click on the download Firefox.

    It is even safe to do this in Internet Explorer.

  • Comment number 28.

    Anti virus software will not stop hackers taking over your pc. You need a good firewall. And don't use IE at all. Firefox might not be perfect but it leaves a different footprint to IE. I use it at home and in the office and have never had a problem. At the end of the day be aware of sites you are visiting and only install so called add ons if you are totally happy that they are genuine. Remember the Facebook problem.

  • Comment number 29.

    For the simple reason that Internet Explorer is unapologetically entwined into the operating system I avoid using it whenever possible. That has its advantages for technicians doing operating system configuration but almost nothing of value to web surfers.

    Getting a Firefox flaw to get Windows to trust it into giving access to the hand disk is an additional hurdle that significantly impairs development of malicious code. Safari, Opera, and Chrome have the same key advantage.


  • Comment number 30.

    In truth no browser or OS is safe and Microsoft is probably doing a better job than most at securing their products.

    Microsoft is the biggest company in the sector with the largest market share so they are always going to attract the majority of the attacks and the majority of the criticism.

    Everyone loves the little guy but 2009 will be the year when Apple and Google will be open to similar attacks and criticism simply because the usage of Chrome and Safari will go up.

    As for all of you out there smugly using Ubuntu did you hear about the OpenSSL vulnerability?!

  • Comment number 31.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 32.

    For your average computer user, there are two main issues: price and ease of use. For the former, as Windows PCs come with Internet Explorer already installed, it doesn't really make much of a difference to them whether there is a free version out there. And a PC is still generally much cheaper than an equivalent Mac.

    Secondly, it is generally easier to stick with the pre-installed software than to install something else to do the same job. On a previous computer I tried but failed to install Firefox.

    Such users are frequently unaware of security issues until such time as they have already been patched, or until such time as it hits them directly, and most of the time IE works fine.

    As for 16's comments that "people should know that there are so many free alternatives to Microsoft products", that is true, but unless they get marketed more in the day-to-day media and not just in computing media, that is unlikely to happen.

  • Comment number 33.

    The problem with Internet Explorer is that as soon as Microsoft have patched this problem there'll be another hole to plug shortly after... and so on. Microsoft Vice President Brian Valentine was famously quoted in 2002 saying "I'm not proud ... We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security". So not much has changed, even though Microsoft poached a senior security guru from IBM.

    It was about the same time that I had a meeting with a senior security analyst at a major bank who said something to the effect of "never use Internet Explorer for web banking".

    Okay, Firefox (my preference) isn't perfect, and I know they patch holes in that every now and again. But I still feel safer than with Internet Explorer.

  • Comment number 34.

    I don't know why anyone would use IE. There are scads of free browsers for PCs and Macs. If I'm on a site that works only with IE (because it's badly written/coded) I leave it.

  • Comment number 35.

    A good way for protection is to use the no-script add-on for firefox. It is very useful and ever since I have been using it, there has been no problem at all with viruses.

  • Comment number 36.

    There is only one totally secure browser in existence. It won't render pretty pages, but it will let you see a websites content (providing the website is marked-up accessibly), and that's Lynx.

  • Comment number 37.

    I just read the following comment and then suddenly found myself agreeing with America that I should be allowed to buy a gun!

    shookster21 wrote:
    Clearly if anyone is using IE, they don't care much about security in the first place. I love it when I visit a dodgy site in Firefox on my Mac and the site prompts me to "upgrade Flash" (or whatever). Sometimes I click Yes just for fun, knowing it can't do anything.

    "I SOMETIMES CLICK YES FOR FUN"

  • Comment number 38.

    I just read the following comment and then suddenly found myself agreeing with America that we all should be allowed to buy guns!

    shookster21 wrote:
    Clearly if anyone is using IE, they don't care much about security in the first place. I love it when I visit a dodgy site in Firefox on my Mac and the site prompts me to "upgrade Flash" (or whatever). Sometimes I click Yes just for fun, knowing it can't do anything.

    "I SOMETIMES CLICK YES FOR FUN" hahaha man shoookster you need serious help with ideas of how to have fun. If this is how people who use Firefox think then I am definitely sticking with good old IE!

  • Comment number 39.

    It's nice to see that you can't teach an old dog new tricks, even if that does mean Microsoft representatives still using the Fear, Uncertainty and Doubt technique.
    If Mr Curran had any, even small, evidence of another browser having similar (let alone worse) vulnerabilities than IE he would certainly name the product and cite his sources for the claims of such vulnerabilities.
    He doesn't, so you simply cannot trust that statement any more that an email from a Nigerian prince.

  • Comment number 40.

    scotbot,
    Internet Exploder too!

  • Comment number 41.

    After all the nonesense about macs and viruses on the beeb. Which was poo stiring. (how much did microsoft pay you) This happens. Classic. Anyone else for the debate about microsoft and apple security??? Didn't think so...

  • Comment number 42.

    Hearing this makes me glad I ditched Windows many years ago and started using Linux.

    I suppose this is one of the 'cons' of making the PC so widely accessible (unlike the good old days where you needed skill and knowledge to use them).

    You've got to agree with me that "Microsoft counselled against taking such action" (in reference to using an alternative browser) isn't really surprising!

    Could you imagine their shareprice should they have said "hmm, well, the flaw's been around for years, we've just never fixed it as nobody noticed. in the mean time (until we can get around to fixing the MAJOR SECURITY hole in our product) we recommend switching browsers"?

    Neeeeeeeeeeeeeeeeeeeew-CRASH!

    I also wonder how many people WILL change browsers and how many of those will go back to IE once they have tried an alternative?

  • Comment number 43.

    Firefox is used by 20% of internet users and is climbing.
    I've been using Firefox since 2000 because of its security, it's spreading also because of its customizability, now I'm on the Mac.
    IE is flawed by design, this means that, no matter how many patches MS will issue, there always will be a vulnerability until MS won't overhaul Windows' internet access, wich is tied to IE.

  • Comment number 44.

    Scotbott. It is not 100% secure. Nothing is. If i was clever enough and rich enough I'd prove it to you. However you are correct in that you are almost 99.9% safe in the current climate. Besides firefox and safari are based on linux and unix systems that are very stable anyway. I remember when their was a court case in the states about microsoft putting a line of code in explorer to stop it reading linux or unix code, this was to stifle competition and effectively innovation. The court case never resolved in the public eye. But thank god microsoft keep getting what they brought upon themselves. Dinosaurs will die.

  • Comment number 45.

    The ONLY safe browsing experience is Opera, it's the ONLY browser that is 100% patched, has no outstanding security vunrabilities, it's also one of the fastest and most functional out the box. It does not do extensions like Firefox, but that's a good thing. Extensions bring bloat and security headaches, and that is something Opera does not need.

    ------------------------

    I couldn't have said it better myself. Although it doesn't have the marketing power of Firefox it truly is the greatest browser out there.

    It's the innovator, the safest and the fastest.

  • Comment number 46.

    @41,

    Couldn't agree more. I bet it really really hurt the BBC 'Technology' Department to have to put this story on their front page, just like they did when they thought Apple were advising people to start using anti-virus, which was completely incorrect.

    Honestly, the more I read this site, the more I think it is sponsored by Microsoft.

  • Comment number 47.

    If you are connected to the internet you are not 100% safe. I'm sick of all these 100% safe people. I am no geek but surely you know this.

  • Comment number 48.

    As a web developer I would advise people to use Opera or Firefox (safari is horrible in my opinion). Opera is by far the best in terms of pure browsing but firefox has some nice add ons. Opera is the safest.

    Also please please please make my job easier and move from IE! It does not use web standards so pages have to be modified to work in IE.......

    Hopefully MS will do a better job with IE8.

  • Comment number 49.

    I still maintain that all browsers are just as bad as each other really, in terms of security. It's like naïve Mac owners thinking they're immune from any Internet threat, just because a Windows v!rus won't run on their machine...

    As a web designer I use all browsers, because I have to for testing purposes.

    Day-to-day I use IE as my main browser on my office PC, and Firefox when I'm not working, but purely because I have Ubuntu on my laptop, which I use mostly for leisure.

    I've noticed Firefox getting a lot better over the years, and becoming more of a competitor to IE... however, because I don't believe all the sensationalist rubbish and because I don't hate Microsoft for the sake of hating the "big company", I still use IE as my No. 1 browser and probably always will.

    I have no reason not to!

  • Comment number 50.

    The thing is, people think they're protected when they are not. One musn't rely on just one piece of anti-virus and anti-spyware software. I have many different pieces of protection software so that if one misses the detection of something naughty that is embedded in one's PC almost certainly one of the others will pick it up.

    My PC isn't running any slower because of these extra pieces of software - well nothing that seriously hampers my use or enjoyment of the computer.

    The fact is, people need to have some technical savvy to operate a computer these days and if they are not, then they should think twice about possessing or operating one!

  • Comment number 51.

    One point that a lot of people missed...

    It's all very well telling people they're idiots for using IE and not installing Firefox. But there are a lot of users out there who haven't the choice.

    A lot of IT departments in large companies deliberately stop their users from installing software themselves, so they're stuck with whatever their IT department has given them.

    And don't worry... Once Firefox gets above about 30-40% of the global internet traffic then it'll be worth the virus writers' effort to work on its security flaws.

    At the moment, the only real safety in Firefox (or any other 'alternative' browser) is not the fact that they are more secure, it's just that they're a smaller target than IE.

  • Comment number 52.

    "hahaha man shoookster you need serious help with ideas of how to have fun. If this is how people who use Firefox think then I am definitely sticking with good old IE!"

    In that case I look forward to you opening your bank statement and finding your money transferred to a bank in Nigeria. I, meanwhile, will enjoy my non-ActiveX browser running on my Unix-based OS that can't open .exe files.

    Good old IE? This whole article was about how it is NOT good at all! And 36 comments above yours agree with that.

  • Comment number 53.

    It's all well and good all of us saying on here 'use another browser' but only people who are interested in technology will look on this blog. The majority of us won't use IE anyway. The only reason I'm using IE to write this is because it's from work and with 400,000 computers to switch I'm sure my IT department won't bother.
    What we need is for sites such as the BBC to fully embrace browsers such as Chrome and Firefox in areas that they don't already. The iPlayer now works but little things like the quizzes and suchlike are still problematic.
    I switched to Chrome ages ago and never think of going back. I also noticed that Live Messenger automatically opens links in IE (as did Dougie #4) so had to uninstall it. Windows really didn't like that, it asked me about 10 times if I was sure I wanted to remove it!
    Maybe it's time I saved up for a mac, not sure if I'll ever be able to afford one in the current climate, hey ho!

  • Comment number 54.

    "But given the choice between messing around with Internet Explorer and so enduring a second-rate browsing experience..."

    IMO using IE *is* a second-rate experience! If a site won't work with a decent browser, then I'll look for the information I want elsewhere, but there is absolutely no way I'll go back to using that essentially broken browser again.

  • Comment number 55.

    I only use IE to check my web pages work with it and once in a blue moon (I usually just leave such sites) visit a site that won't work with anything else.

    I not only prefer as a user but also feel more confident regarding security with my Linux/Firefox system.

  • Comment number 56.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 57.

    @ evergrowingbrain (the number 2 comment above) - please remember that steering clear of "dubious websites" will NOT protect you from vulnerabilities like this.

    There are a growing number of perfectly legitimate websites unknowingly hosting some of these exploits (having themselves been exploited through other means) - you could be attacked tomorrrow through a site you've trusted for years.

    I myself run a small website which is in no way "dubious" - a couple of years ago my perfectly reputable host got their servers hacked in a "zero-day" exploit, and not only my site but hundreds of other perfectly legit sites were spewing out another IE exploit. Like hundreds of other webmasters using that host, I was literally helpless and unable to stop my own trusting visitors from going to the site and potentially getting infected. The point is, this could happen tomorrow to *any* site, including the most innocent and trustworthy in your own bookmarks.

  • Comment number 58.

    You can discuss which browser is better than the other until the cows come home ...

    The clear benefit of Firefox and other open source software is that the security fix can be peer reviewed by a much larger community than that of a commercial company. Therefore as yet there is no fix from Microsoft for this vulnerability - with serious Firefox issues a fix ususally appears very quickly.

    Allowing the code for a web browser to be open and accessible freely provides a much more sensible model for developing software facing the internet.

  • Comment number 59.

    Been using the FIREFOX browser for last 5 years & it is by far the fastest most secure open sourced browser on the market

  • Comment number 60.

    The thing is that people who use IE because they don't know better won't be reading IT-blogs like this.

    After numerous attacks on my mum's computer I forced her to learn how to use Firefox. She didn't like it and said "You know I'm very conservative when it comes to technology". She's flippin' 68 and spends her entire pension on eBay, so I didn't give up. I even removed everything to do with IE on her machine. Took a couple of months and now she would never switch back to IE and her PC has been clean from viruses.

    Next step is to make her use Linux.

    Think it's everybody's duty to remove IE from their clueless acquaintances computers and replace it with Firefox. Bet you, if you make sure you associate all shortcuts with Firefox they wont notice a thing apart from the pages load quicker.

  • Comment number 61.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 62.

    IE is a bloated monolith. FF3 is way better, add some key add-ons - "adblock plus" and "no-script" and you have a much greater level of security.

    When I first installed and used noscript in FF3 the level of scripts,cross scripting and other sites that were accessing my PC was rather frightening.

    Now paranoid and wearing foil hats!!!!!

    Do yourself a favour and ditch IE

  • Comment number 63.

    I have been a Firefox user for years. I only employ IE for certain work-related sites and forms that are designed only to work in it. It is both spurious and an abdication of responsibility for Microsoft to advocate continuing to use their flawed product in favor of one that - whatever vulnerabilities it may have - at least doesn't leak your personal information like a sieve.

  • Comment number 64.

    august82 "Next step is to make her use Linux.".

    My parents are in their 70s and are (OpenSuse 10.3/KDE) Linux users. Their PC is dual boot with XP Home but they never use the Win part.

  • Comment number 65.

    Having read through all the comments, I just tried to log on to opera.com via IE

    Guess what ... it won't load the site.

  • Comment number 66.

    he [Mr. Curran, MSUK] had recently seen a report which listed another browser as having the highest number of vulnerabilities. "it would not be advisable," he said,"to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities."

    Oh how typical.
    Never mind the gasping stupidity of IE/Windows exploits - let's just wave meaningless numbers around for "another browser" to frighten people into staying with IE.

    But do people REALLY still use IE?
    How quaint. I guess they'll catch what they deserve.

  • Comment number 67.

    Since ALL browsers are full of security holes (and that includes people's beloved Firefox), I would suggest this bit of added security:

    NEVER use a computer with administrator privileges!

    Always set your computer up with users who have restricted privileges, and leave the "administrator" for installing software or making major changes.

    If you are using older MS software like windows 2000, make sure you set it so that you HAVE to press ctrl+alt+del to log in.

    This way, if someone does hack in as you, then they are limited to what they can do.

  • Comment number 68.

    Whisky - you seem to be rather confused.

    Firefox usage currently sits around 20% - certainly not insignificant and easily a big enough target for any miscreants. Yet still it doesn't suffer from flaws as serious or widespread as Internet Explorer.

    Historically IE has been the 'open door' into many user PCs, and this is just another example.

    If a flaw is found in firefox you can rest assured that it will be discovered by the open source community and patched much quicker than IE ever is.

    No-one who reads this blog should run Internet Explorer - it isn't safe and you are just asking for trouble.

  • Comment number 69.

    @Shookster (51) ... 'security by obscurity' is a line normally peddled by people who know they're using a substandard product (in this case, IE) but haven't the motivation to do anything about it. It's also pretty lazy reasoning because it simply assumes, without evidence, that the alternatives are as bad as IE because, well, they must be, mustn't they ... ?

    In fact, Firefox has a major advantage over IE. Its codebase is open source and therefore open to inspection by anyone who can understand it. That means vulnerabilities are more easily found in the first place, while the browser is in beta-testing, and any that go undiscovered until after full release can more easily be fixed thanks to the huge number of people who freely contribute their time and resources to the project.

    Right now, you're at the mercy of a company that has been coy about the very existence of the vulnerability and even now is only letting a selection of its own employees work on a fix. Meantime, I have a browser - Firefox - that was lovingly crafted and tested by tens of thousands of people all over the world, and continues to enjoy that support.

    I know which side of the internet I'd rather be on, and it aint yours!

  • Comment number 70.

    I forget that there's ANYONE out there still willing to use IE (any version) for anything. I think it was P.T. Barnum that said, "There's a sucker born every minute."

    Firefox is my poison, but I hear that Opera and Google Chrome are just ducky too. (And if you don't mind a more visually spartan browser I hear that Chrome is really speedy. Even more so than Firefox.)

    Also, for anyone who is like me and dreads even starting IE even once...for anything: Google "IE tabs Firefox". You'll never have to start IE again for any reason :)

  • Comment number 71.

    I would think twice about using firefox. see this link
    http://blogs.zdnet.com/security/?p=2304

  • Comment number 72.

    Today 96% of computers are sold with microsoft's software and you cannot get a rebate for buying a computer with nothing inside.
    There is no wonder why most people simply use the software inside and pay more money for protecting an unsafe system.
    After two major crashes with the windows thing, I have switched to something nearly free (just buy a computer magazine with a Cd or Dvd inside), anti-virus free, allowing to download free software, I mean Linux.
    It is such a pleasure that now I have 10 hard disks with 10 different systems.
    All of them are fitted with Firefox, plus other browsers like Epiphany or Konqueror.
    Linux systems can read non linux systems! Ask windows to do the same!
    So, stop worrying with the software inside your computer,first, save your docs and photographs on a cd or dvd, buy a magazine or download a Linux system, burn Linux on a cd, restart your computer and install something not completely different visually but technically yes. Oh! I forgot relinquish you anti-virus.
    When signing in on the BBC site, I have noticed that in the confirmation mail, the Beeb is using .... Linux, yes!

  • Comment number 73.

    I like internet explorer, especially 8.
    I am also dissapointed by this security flaw. I trust microsoft but if this kind of thing carries on, I might have to move to firefox (I am writing this in firefox at the moment to save my details!)

  • Comment number 74.

    IE is the least secure and slowest of the mainstream browsers. Some sites are incompatible with Safari, Lynx and Google Chrome (it's the fault of the coders on those sites, not the fault of the browsers). Firefox seems to have the best balance of functionality, speed and compatibility.

    What really annoys me though is that occasionally I need to use IE because Microsoft sites tend to be coded to DELIBERATELY ensure that only IE can access them.

  • Comment number 75.

    I work as a sysadmin and i really can see if anyone starts using ie, then most probably that soon he gets a bundle of all possible trojans, viruses and rootkits. So I think it's Internet Explorer that helps to dispatch malware all over the world. Firefox or Opera browsers are what you need to prevent your PC from being used by hackers via web sites.

  • Comment number 76.

    I work as an IT Security Consultant. I'm CLAS listed (http://www.cesg.gov.uk/products_services/iacs/clas/index.shtml%29.
    I always love the suggestion that you can solve security problems by changing software or operating system - makes me laugh out loud. Also, very encouraging, because there I know that with this level of ignorance, there will always be work for people like myself!

    Let me put this in simple, easy to understand terms:
    your browser send an HTML request to the server. It receives an HTML response, which it formats on the screen. That's it. That's all that a browser does.

    All this nonsense about browser wars is out of date and just plain daft now.

    To keep your system secure, make sure you install updates, use the correct configuration, and keep your anti-virus up to date. Oh, and don't log on as an administrator.

    So, the high security setting will stop you installing ActiveX controls from an unknown source. So you really want to install this stuff on your PC? If you do, then you really don't care about security, do you?

  • Comment number 77.

    I am a computer novice, i do use internet explorer it seems i should nt.

    But when I read the patronising comments on this type of thread about this making me an idiot and living in the dark ages I remember why i have never changed.

    Sad really there is clearly a strong arguement to use an alternative and good options available, it seems the idea of breaking microsofts virtual monopoly appeals to a lot of people but instead of helping people like me the so called experts on here have decided to instead just slag off anyone with slightly less knowledge than themselves.

    Post 70 is a prime example.

  • Comment number 78.

    I have not used IE since Windows 98 simply because it was riddled with security holes constantly being patched up by hundreds of KB's ever since. If IE was available only as a bolt-on and not integrated with Windows OS's, I would put money on no takers as there are far superior products out there such as Opera or Firefox and far more user friendly also. But the main issue is that the security holes of all IE versions has created the hacker culture which, in turn, has forced many to purchase AV software and strong firewalls. Money that need not have been otherwise spent.

  • Comment number 79.

    @dom
    What's the point of simply counting "vulnerabilities" without considering each one first?

    This is the sort of silly game that MS play to try and score points and it's no surprise to see ZDNet playing the MS sock puppet.

    Much more revealing is (for example) to consider the mean time between discovery and patching of flaws.

    Difficult with MS because they don't announce most of them - unlike "another browser", the creators of which fully understand the importance of honesty, openness and acting quickly & comprehensively.

  • Comment number 80.

    I've tried all the alternatives to IE and given up on all of them, mostly because of the number of web sites which only behave properly in IE.

    I gave up on Opera because on my main "entertainment" computer the BBC I-player will not work in Opera, and no-one can tell me why.

  • Comment number 81.

    The problem is, there is now a multi bi££ion pound industry setup and dedicated entirely to saving Micro$oft users from themselves.

    Security software writers, installers and maintainers, anti virus software companies, PC "doctors", network engineers, PC "gurus", support lines... the list is endless. If MS products actually worked properly there would be no need for this industry to be so big.

    So, do MS do their job and keep a few long-suffering end users happy, or maintain the status quo, continue to turn out half baked bloatware and keep a major industry alive and happy?

    Since MS now sell directly into the PC security industry (many of the products available to keep your MS servers safe and secure can be bought from, yes you guessed it, MS), I suspect the have taken an unwritten and unpublicised decision to do, well, nothing.

    Which is exactly what they've done all along when it comes to making their broken products work properly.

  • Comment number 82.

    NoScript is a free plugin for Firefox that filters scripts, and to my kn owledge is the only such solution. I would never surf the web and allow unrestricted website scripts to run through my browser.

    Most web sites rely on Java, Flash, and Javascript to present their content. unfortunately, even "trusted" websites usually present cross-scripts (in the form of "ads") from other sites which they neither monitor nor control.

    It is these cross-scripts which is the major vulnerability for all browsers, and through which malicious code is introduced to computers.

    NoScript filters all scripts by default and then presents a list of scripts to the user. The user chooses which ones to permit. Even keyboard redirecting scripts are caught (no browser in the world has this level of security).

    I would never surf without NoScript (in Firefox).

  • Comment number 83.

    The flaw under discussion here is one of hundreds which have been revealed up to now, and hundreds more surely to come. I'm no fan of Microsoft, and there are plenty of reasons to switch to another browser and operating system, but this "incident" should be barely a blip on the radar.

    All these stories about "a dangerous security flaw out there" remind me of those broadcasts you used to see (or was it only in movies?) where "a dangerous criminal has escaped from the local prison". If he was the only dangerous criminal in the country then OK, but given that there are dozens of bank robberies and murders every year in large cities, one extra criminal - whose fingerprints and photo are on file and who is being actively sought by the police and embarrassed prison authorities - really isn't going to make all that much difference.

    The only malware(s) really worth getting worried about are the occasional worms which spread very quickly, and in those cases, your anti-virus software is going to be even less help than usual. (The response of every anti-virus company to the "MS-Blast" and "Sasser" worms was "get a patch from Microsoft, there's nothing we can do to keep this off your PC".)

    Certainly there's no point in updating your anti-virus software right now; either it provides good generic protection from the kind of exploit which will appear for this problem (unlikely), or your anti-virus vendor will be playing catch-up as usual, as soon as the exploit hits the wild. We catch a lot of viruses on our network before more than 3 or 4 of the 30+ commercial products out there know about them; it typically takes a couple of weeks for even 2/3 of them to be up to date (as shown by virustotal.com.)

  • Comment number 84.

    @oldbearchris wrote:
    "your browser send an HTML request to the server. It receives an HTML response, which it formats on the screen. That's it. That's all that a browser does."

    No, that's all it's SUPPOSED to do - but then MS added ActiveX and God knows what else which rather makes a mockery of it all, don't you think - as well providing many WINDOWS-SPECIFIC vectors for malicious code injection.

    So in this case, changing to a browser and/or OS which isn't quite as brain-damaged WILL solve a very large majority of the Windows-specific security problems.

    "keep your anti-virus up to date.", you say.
    Huh. Why doesn't the manufacturer of a certain OS harden their code so it isn't such an open door to viruses? I mean it's a REALLY open door and way beyond a joke. Has been for years; any version despite the usual pre-release claims.

    Can't MS fix it?
    Well history teaches us that no, it can't.

  • Comment number 85.

    @ sharon1402 whjo wrote:

    "But when I read the patronising comments on this type of thread about this making me an idiot and living in the dark ages I remember why i have never changed."

    So You are given the advice, over and over again right here (don't use MS IE), and you ignore it out of, what, stubbornness?

    It's this attitude that keeps MS so prosperous and happy. In my experience. most people who suffer serious security issues know exactly what they should have done to prevent them. They just couldn't be bothered.

    Like most people can't be bothered to simply change browser.

  • Comment number 86.

    Those of you moaning about Windows being unsecured obviously missed the patch Apple had to release yesterday that, you guessed it, allowed remote code to be executed!


    Firefox, Linux et al have their fair share of vulnerabilities - they just don't make the headlines because they're not so widely used.

    I recommend people turn on DEP. (see http://en.wikipedia.org/wiki/Data_Execution_Prevention )

    This will stop most attacks that work like this one.
    If you have XP or 32 bit Vista then DEP is off by default. The downside is some applications won't work, (such as Half Life) but even then it's just a case of adding an exception for that particular application.

  • Comment number 87.

    Like some other people mentioned above, there are other great features that Mozilla Firefox has to offer. For example, add ons can make it easier to do the things you want online.

    You can also easily control security features, and customize where the buttons are located (in case you are not comfortable).

    Don't forget, your router can also be a way for people to break into your computer. Although I found that there are new security products (i.e. BreakingPoint ) that look like they will almost eliminate those security threats.

    In reply to Dom (Post 71) I think that the title is misleading. see the first comment after the article.

    Part of the reason that Firefox has an advantage is that thousands of experts are part of a community of developers that works on this software, so it can be fixed very soon after a problem is found (as with any browser, just make sure to install the latest updates and have automatic updates turned on!)

  • Comment number 88.

    Microsoft have been very lazy with IE - once Netscape died, they basically had almost full market share and stopped bothering to develop the browser.

    Unfortunately, they are also extremely sloppy when it comes to implementing web standards - as a web designer, my work is roughly doubled by the need to work around IE issues.

    Firefox, Safari, Chrome and Opera are much better alternatives - and all are free and easy to install.

    And for proper security - try Linux instead of Windows.

  • Comment number 89.

    Not to offend, but this concern is about 5 or more years too late. Microsoft is notorious for not only having a whole load of exploits constantly showing up in their internet software, but many are intentional features, YES features that are intentional, there to facilitate business uses and advertising in what they see as an all in one browser. This makes it obviously not secure enough for the average user if they care at all about security. And no matter how up to date your software is, and especially anti-viruses,someone hacking into your system though what is essentially a backdoor is NOT a virus, and goes unnoticed to any user that does not have the very advanced security software designed to watch for such intrusion, which companies don't even have, because they don't exist. Show me one person who says they have a perfectly secure system due to their expertise, and I'll show you a liar.

    Even using another browser is only a bit safer, as you cut out any potential IE exploits, but with the fact IE is currently part of the operating system itself, which is also full of the same types of holes, both intentional and unintentional, you are never perfectly secure.

    The best advice one could give is to keep any important data on a removable medium and keep it backed up (cd-r, dvd-r, flash, whatever) and use your computer under the assumption it probably will be, or could already be, hacked.

    Being an IT professional myself, it annoys me how novice so many of the current IT professionals are, but unwilling to acknowledge it, getting a lot of average users who couldn't possibly know better into a lot of trouble, then putting the responsibility on the users because the IT profs "obviously" couldn't be at fault for being irresponsible in their interface design, programming, and security implementations.

    Windows, and most other operating systems, for the normal human, are confusing as a system can get with all that is promised and presented to them, and how easy they make it for the user to break it. Or how often we find the systems came already broken, or constantly break themselves.

    People Use IE the same reason they use windows, because ti is already there, and MS has already convinced everyone that if they don't write their software for windows, they won't make a lot of money. That's the way it has been, that is the way that it is, and I don't see things changing in the near future because most new IT professionals are almost as ignorant as the users now.

    But what do I know? It's not like I've actually taken a true interest in the field and have actually kept up on what companies do or anything, I mean, who does?

    I personally love using my computer, and very much enjoy helping people with their computer problems, but I can't stand how much their (PC's) potential has increased, and yet trying to do the same things I used to do in DOS actually takes the same amount of time, or longer. Doesn't anyone else care about why this is the case other than me? And useless bells and whistles are just that, USELESS. But they dazzle executives and idiots who don't know any better, so that is why it is the mainstream. Usefulness has become a taboo subject these days and it isn't any more evident than the state of what the IT industry offers the public; CRAP for CASH.

    P.S. I have an IT degree, have worked PC support on every version of Windows and many Mac OS versions over the last decade or more (used Linux, most Linux users don't need support), have set up several networks, learned to program in 4 languages, do graphics and web design, worked at several helpdesks (utter hell, and not because of the users), and am a regular reader of The Register, and on the odd occasion they don't have the articles on their site, will read tech news on the "major" news sites. So suffice it to say, I've built up a healthy disgust of the ultra-nerd-elitist mentality of most of the people who are in the IT industry, and am never surprised, or offended, when a user may not trust me right away when I'm just trying to help. Being smart doesn't mean you know something someone else couldn't care less about, or just hasn't had the chance to learn yet. But that mentality dominates in every IT based management level, and employee level, I have ever encountered. Don't even get me started on that mentality in science and medicine...

  • Comment number 90.

    "your browser send an HTML request to the server. It receives an HTML response, which it formats on the screen."

    Well it sends an HTTP request. The content returned need not be HTML (even if a .html page is requested) , may or may not be handled by the browser and HTML can contain JavaScript, embed ActiveX, etc.

  • Comment number 91.

    I've already been using Firefox and Chrome in place of IE for some time, it really irritates me that such an inferior product is given such a hold on the market.

  • Comment number 92.

    This is a response to Microsoft's veiled stab at Firefox, who they were almost certainly referring to when they listed "a browser" with even more security flaws that IE, but conveniently made sure their source wasn't available to the BBC .

    -and also-

    To "Dom" who posted: "I would think twice about using firefox. see this link
    http://blogs.zdnet.com/security/?p=2304"

    Response to 'dom': Bit9's estimate that IE7 is safer than Firefox is arbitrary. (I'm being in kind using that word and also assuming this is their position since IE never appears on their little 'list'.)

    Why?: First, a person needs to see [Unsuitable/Broken URL removed by Moderator]to see the criteria they use to come up with their results. In particular look at item 5. Do IE's "automatic" updates exclude IE7 from the list? Also, the 'CVE* Numbers' column. Google those CVE's (In Example, Google "CVE-2008-5052")
    3 of the items on Bit9's 10 item list do not even apply to Firefox3 (consider comparing IE6 to Firefox 3....) and there's another that is listed as, and I quote, "CVE 2008-4016
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."... So we don't even know what that one will be yet.

    You're killing me here people. You have the most powerful tool ever created my manknd at your disposal.. the internet. If you have time, start using it to educate yourselves a bit on things that affect your daily lives. (I am not above this... I need to start using the internet to better effect to enrich my own life as well... hey, at least I'm trying;)

  • Comment number 93.

    The main problem with all Windoze flavours up to and including XP is that you are logged in as a "root" user by default, which gives you access to the whole system, but also gives anything you download acces to the whole system. I'm not sure if this is true still with Vista, I don't use it.
    As a Linux user though (unless you're daft enough to log in as root and browse - which should never EVER be done) you only have "write" access to to a limited area of the file system (your home directory + anywhere else you've been given explicit permission), which limits the movement of malignant code under most circumstances. Most if not all programs are in an area to which only root has write permission.It's this simple safeguard which makes Linux that bit safer, although admittedly I believe it is possible to get past this with rootkits and the like.

  • Comment number 94.

    Just a quick note on the 'I can't believe anyone would use IE anymore' - coming from someone who has been using the internet for 16 years now and has tried every browser that was serious enough to compete, I would definetly say: you should use IE - and this is coming from a guy who is a system architect.

    Today IE is the browser that provides the richest browser experience ever and makes the best use of resources for the features offered.

    Anyone who complains about IE just does it to look cool to their friends since they had enough knowhow to setup another browser - but have no knowhow about how the thing works.

  • Comment number 95.

    Than god Mr Curran is bot my security advisor. If he thinks running anti-virus and anti-spyware makes it ok to run internet explorer then he should consider another job. Even microsoft are advising against the use of internet explorer.

    The truth is if you want to be SAFER on the internet then don't use windows.

  • Comment number 96.

    "Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable."
    Oh! Is that all?

    A happy Ubuntu/Firefox user
    ;-)

  • Comment number 97.

    I agree with others who mentioned NoScript and Firefox. It is a very secure combination, and running it on Linux makes for a very secure machine. I've never had any issues with this setup.

  • Comment number 98.

    <RICHPOST><p><a href="http://www.bbc.co.uk/blogs/technology/2008/12/is_it_safe_to_explore.html#comment67">The_Old_Boar's comment</a> is well worth a read. This particular volnerability is extremely severe. Any hacker with the knowledge of how to exploit it may potentially gain the same level of access to your programs and files as you. Even so, restricted users still have precious files and folders which I'm sure most people would rather keep private. Therefore, Microsoft are being irresponsible not to urge use of alternative browsers at present.</p><BR /><p>We can debate the merits of each browser for infinity. No matter what developments occur in the future though, no browser will ever be 100 percent secure. Firefox, Safari, Chrome, Opera, Internet Explorer and indeed any other browser, all contain some security holes. However, many of these remain undiscovered and not all of them will allow a hacker to steal everything you have on your computer. This is why this particular Internet Explorer flaw is serious enough to warrant discussion on this Blog. Until Microsoft fix it and you download and apply their fix to Internet Explorer, you are leaving your data open to interference including access, modification or deletion, any time you run Internet Explorer.</p><BR /><p>I hope this helps clear up any confusion you may have.</p><BR />[Unsuitable/Broken URL removed by Moderator]Darren Paskell , Undergraduate in <a href="http://www.cs.rhul.ac.uk/">Computer Science</a>, <a href="http://www.rhul.ac.uk/">Royal Holloway, University of London</a><p> </RICHPOST>

  • Comment number 99.

    I love all the patronising comments from the smug Mac owners. Need I point out that Microsoft products are targetted so much because they are in such widespread use?

    Apple has are such a tiny proportion of the market that it's hardly worth writing viruses for their products. It's like the Vatican declaring itself one of the few countries free of the Credit Crunch.

  • Comment number 100.

    In addition, sharon1402 is perfectly justified in her comments, most of the informed in IT are ignorant to the average user's experience and background, making anything useful they might contribute too easy to ignore. Not everyone was born with a zx81 in their hands, and having that experience cannot prepare you for the insanity of what is out there now posing as personal computers.

    But hey, what do I know? My hat still fits my head.

 

Page 1 of 2

The BBC is not responsible for the content of external internet sites

BBC.co.uk