(no subject)

[theweaselking]

Gee, do you think that maybe running your web browser as part of the kernel might be a bad idea?

If you're still using IE for some unfathomable reason, switch.

Comments

[publius1.livejournal.com]

Work won't let me. Grr.

[lafinjack.livejournal.com]

Maybe they will now.

[jsbowden.livejournal.com]

No they won't. There are a ton of back end business applications that only work with IE. It's the same reason I still use it, but only for internal sites that require it.

[publius1.livejournal.com]

Actually.......


I just learned today that my friend (who happens to be a manager) has managed to convince IT to allow us to use Fahrfox again. So yay.

[publius1.livejournal.com]

On the other hand, we're not running it on an administrator account either way, so.

[kierthos.livejournal.com]

Firefox for the win.

[missysedai.livejournal.com]

Heh. I have to for work.

Microsoft's interface for us will only work in Exploder.

[theweaselking.livejournal.com]

Same thing with MS's volume license site - but that means I use IE for that *and that alone*.

[missysedai.livejournal.com]

Yeah, that's all I use it for is work. In a protected profile. But because of what I do, it's not going to help.

[theweaselking.livejournal.com]

No chance you can run it as a non-Administrator account, or inside a Virtual Machine?

[missysedai.livejournal.com]

A VM is right out, it slows the damned tool down, and we have speed quotas.

I'm going to see if it plays well in an NA account today. ISTR a colleague complaining that an NA account caused some kind of problem, but I don't remember what the problem was. That may have been fixed by now.

[kjn]

Run it in a VM!

Thought that is probably more hassle than it's worth.

[theweaselking.livejournal.com]

VMs are really easy and convenient... if you have a license for the OS. I suspect MS would be less happy if she were running IE on Ubuntu, somehow.

(Hey, maybe MS will hook you up with a discount for XP Pro or Vista Business? You're an employee!)

[fearmeforiampink]

I do a similar thing with Spreadshirt and Firefox, as it doesn't (or possibly didn't, they may have fixed it now) work with Opera.

[zdallin.livejournal.com]

"Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable."

*snickers* I like that. "Only".

Firefox for the win. Despite anything my boss might say to the contrary.

[theweaselking.livejournal.com]

The "only" makes sense - they say that older and newer IEs are vulnerable, but they've only found code IN THE WILD that hits 7.

[fridgepunk.livejournal.com]

What made me laugh though was that the "protected mode" link explains this bizarre feature that presumably only exists on versions of IE that I have never interacted with (yet). This is what it opens with:

"Internet browsers have become a common avenue for hackers to deliver malware or to try to damage other people's computers."

Because you see it's perfectly normal for browsers to have a dedicated "malware on" and "malware off" button, as internet browswers in general are so prone to being "hacked" into. No this isn't a thing you only find in IE.

There is not enough "UR DOIN IT RONG!" in the world really.

[theweaselking.livejournal.com]

"Protected mode" is something that shows up in the Server OSen and in Vista. It basically hides the browser from ANYTHING that can run, kind of like NoScript for Firefox but without any of the options.

[netdef.livejournal.com]

Firefox plus NoScript FTW . . . (without NoScript FF is every bit as insecure as IE - sorry FF fans.)

BTW: Microsoft is releasing an out of cycle patch for the problem tomorrow.
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

This link is still a template placeholder (partially filled in) but tomorrow it should have links to download the fix. I expect it will also be available via auto-updates for those that use such.

[theweaselking.livejournal.com]

Every bit? Not hardly. It doesn't, for example, RUN AS OPERATING SYSTEM.

Vulnerable, yes, and getting more so as the market share goes up, but the fact that IE was stupidly included as part of the OS in 98+ makes up for a LOT.

[netdef.livejournal.com]

No arguments here about the kernel inclusion . . . even MS's attempt to make IE safer by imposing "Protected Mode" (a serious marketing spin there) on newer operating systems is still insufficient to make the beast behave.

I've personally seen cases where a user was logged in as user (versus admin) and running IE in protected mode where they still got infected by a malicious site. Not even counting dumb downloads . . .

But . . . I've also cleaned up machines on which FF allowed remote code to run locally from a drop site, and that code was able to use other Windows vulnerabilities to escalate it's permissions from user to admin and own that machine. NoScript (when used properly) mitigates that problem very nicely.

Been playing with Chrome lately, it has potential, although I have found a few references that it's not quite as secure as Google would have its market believe. The good news so far is all the examples I've seen are just that, nothing in the wild yet - as far as I am aware.

[andrewducker]

Hang on - since when is IE part of the kernel?

[theweaselking.livejournal.com]

It's inextricable from the OS and often runs commands in ring 0. It's got hidden "undocumented" hooks in the OS especially for it.

It has a VERY bad tendency to make calls that run as SYSTEM rather than as the user who's browsing.

[andrewducker]

Interesting - you got any links for that? I've never seen anything about internet explorer having kernel hooks that nothing else has, or executing in ring 0, and I can't find anything useful about that at the mo.