France Tells Its Citizens To Abandon IE, Others Disagree

Freistoss writes "Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers to attack Google. After sample code was posted on a website, calls began for Microsoft to release an out-of-cycle patch. Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch. Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well." PCWorld seems to be taking the opposite stance arguing that blaming IE for attacks is a dangerous approach that could cause a false sense of security.

love the recommendation

[alain94040]

The link to the official French recommendation is here: CERTA-2010-ALE-001 [ssi.gouv.fr]

Quoting from it (rough translation): "while waiting for the editor [Microsoft] to correct this vulnerability, we recommend people use an alternate browser.

--
are you a startup founder looking for co-founders [fairsoftware.net]?

Re:Tear down

[drDugan]

From the article referenced.

While research indicates that the Internet Explorer zero-day used in the attacks could be used on any version of Internet Explorer, even on Windows 7...

Re:Tear down

[drDugan]

but France and Germany are mandating switching as though it's some sort of panacea.

I'm not missing this argument. I disagree. Removing IE is not a panacea, nor is this what the announcement means.

Equating a logical, correct step for a more secure computer (removing IE) as a false panacea is the position in the PCWorld article only, and one that misses the more basic point. IE6,7 and 8, including on Win 7 all have this flaw, and there is no fix yet.

Re:Tear down

[KarmaMB84]

The flaw exists but the default configurations on Windows Vista and Windows 7 will prevent any damage. My understanding is that Microsoft's policy is to classify them as vulnerable because it's possible to run IE7 and IE8 in configurations where they actually are vulnerable (DEP disabled, Protect Mode OFF) even if the default configuration makes them immune to the current exploit.

Re:It'll never work...

[RobertM1968]

Wrong... the problem is in ALL versions of IE from at least 6 upwards on ALL operating systems from at least XP upwards. Microsoft themselves admitted that.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

Microsoft Advisory [microsoft.com]

Why are people still perpetuating the myth that this does not affect IE7 or IE8 when Microsoft themselves claim it does?!?!?! Just curious.

Re:Actually not that bad of a suggestion.

[rattaroaz]

Bottom line is that IE really has sucked all its life; and not just statistically.

Remember back in the days competing with Netscape, IE was actually good for the time. It wasn't until Microsoft held the browser monopoly that it remained stagnant, while the rest of the browsers moved ahead.

Re:I blame the IE 'mentality'

[pyrbrand]

Actually, any add on can be enabled for only a specific set of pages. For instance, to restrict the use of Flash in IE8, to go Tools->Manage Add-Ons then under the Adobe published by section, double click the "Shockwave Flash Object" (I don't know why Adobe can't just call it Flash), then under the text field titled "You have approved this add-on to run on the following websites:", click the button "Remove all sites". Now you'll get a gold bar on every site that uses flash in which you can allow the site to run flash or not. Not quite as nice as Flashblock, but still pretty good.

Re:And you all laughed

[mister_playboy]

You forgot to mention that a avian-dropped baguette was responsible for knocking the LHC offline... but was that good or bad?

Re:Importance of Competitive Choices

[icebraining]

The EU doesn't want Windows to come without a browser. It wants Windows to come with *multiple* browsers, so that you can choose one in a nice little panel.

And this is not directly to protect the Windows users - this is to protect the competition in the market, which in turn will help *all* consumers. Or do you think non-Windows users weren't hurt by the dominance of the IE, after defeating Netscape?
All the web standards had been broken and a great majority of the sites required IE to be viewed correctly, which was kind of difficult if you used IE. This is changing now because of competition.

Re:Importance of Competitive Choices

[the_womble]

I'm sorry, do you *remember* Netscape 4? IE was a far superior product

Yes, but Opera was better than either at the time, and got nowhere.

And on Macintosh it won the market fair and square, there being no "stranglehold."

Not true: IE4 was bundled with MacOS as the default browser as part of a deal between Apple and MS. The crowds reaction to the announcement [youtube.com] this was clearly not what users wanted.

Notice:

1) The cross licensing deal (cross licensing is bad because it blocks new entrants [moneyterms.co.uk])
2) MS also bought this by promising to keep developing MS Office for Mac (i.e. they were trying to leverage the Office monopoly).
3) MS also bailed Apple put financially as part of the deal: i.e. they actually bought market share for cash.

Re:Importance of Competitive Choices

[Capsaicin]

In the theoretical free market, everyone has perfect knowledge of the values involved.

Just to get our nomenclature correct. As I conceded in a post [slashdot.org] further down, "some people (myself included) are conflating the definitions of 'free market' and 'competitive market'" There's a little water under the bridge since I last sat in an Econ class (though Competition Law classes were more recent), so I can be forgiven for making this mistake. If memory serves me correctly what you are describing here is technically called the 'perfect(ly) competitive market' as opposed the the merely 'competitive market' which Competition Law (aka Anti-Trust Law) seeks to maintain (or at least did until Bork, Posner et. al. got hold of it).

State involvement is a fundamental method of getting and preserving free markets, not an anti-market force.

s/free/competitive/ and yes, that's exactly what I was pointing out. It probably goes without saying, but like most things in life there is a cost-benefit problem. Too little intervention and the "free" market degenerates into an oligopoly ridden generator of unfreedom, too much and the efficiency and information which markets bequeath are defeated. Again not B&W.

The theory behind antitrust law is the government has to step in when a monopoly is being abused, not merely because it exists.

Yes that is true, but it's actually a fairly modern, post-Chicago school view of role of antitrust law. As is clear from reading the speeches which accompanied the passing of the Sherman Act, for example, the very existence of cartels and monopolies was the mischief intended to be cured. The framers of this legislation were apparently motivated by a, perhaps romantic, vision of a capitalism or more of less equal craftsmen-proprietors (a nation of Joe-the-Plumbers) willingly bound in contract to one and other, in contradistinction to the emerging reality of a nation of employees facing big capital, in what can barely be described as a free choice to contract.

There is, despite the modern view that monopoly is not bad per se, a reasonable economic argument, that the ability, in the absence of competition, to charge way above the marginal cost of production (ie. the "monopoly rent"), is of itself a dangerous distortion of market mechanisms.