France and Germany warn against Internet Exlporer

**scooterscot** · 18 January 2010, 19:59

Get a raincoat...

**NickFitz** · 18 January 2010, 20:55

IE8 is secured against those particular exploits in its default configuration, but it still has the relevant vulnerability and can become insecure if some settings are changed.

IE5.5, 6 and 7 are insecure (as far as those exploits are concerned) in their default configurations; users have to change their settings to protect them. IE6 has been the only version attacked so far, but now the exploit is out in the open it's anybody's guess what will happen next.

The average user probably finds it much easier to download and install a new piece of software than to change IE's settings in line with the relevant Microsoft Security Advisory, which doesn't include any instructions that would be understood or easily followed by most users.

Furthermore, what instructions there are can only be found by scrolling past a very long list of "Affected Software" and are buried three levels deep in nested lists that are, by default, collapsed using JavaScript. This makes it look as if the page is much shorter than it is - the first time I looked at it, I didn't bother scrolling past the long list, as the scrollbar seemed to suggest that I'd only find the usual footer down there.

As an example, here's Microsoft's version of just one of the workarounds that users are recommended to apply:

Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, follow these steps:

On the Internet Explorer Tools menu, click Internet Options.
In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Having contemplated the prospect of explaining that lot, and three more of the same, to your mother over the phone, consider the alternative:

Go to www.mozilla.com.
Click the "Download Firefox - Free" button.
When the file downloads and it asks you what you want to do, click "Open" (or "Run" - can't remember which IE says these days).
Keep clicking "Next" until it installs the program. If the "Next" button is greyed out on the license screen, click "I agree" and then click "Next".
From now on, use the cute fox wrapped round the globe instead of the big blue "e" to go on the Internet.

I know which I'd choose

**AtW** · 18 January 2010, 20:57

Originally posted by NickFitz View Post

IE8 is secured against those particular exploits in its default configuration, but it still has the relevant vulnerability and can become insecure if some settings are changed.

IE5.5, 6 and 7 are insecure (as far as those exploits are concerned) in their default configurations; users have to change their settings to protect them. IE6 has been the only version attacked so far, but now the exploit is out in the open it's anybody's guess what will happen next.

The average user probably finds it much easier to download and install a new piece of software than to change IE's settings in line with the relevant Microsoft Security Advisory, which doesn't include any instructions that would be understood or easily followed by most users.

Furthermore, what instructions there are can only be found by scrolling past a very long list of "Affected Software" and are buried three levels deep in nested lists that are, by default, collapsed using JavaScript. This makes it look as if the page is much shorter than it is - the first time I looked at it, I didn't bother scrolling past the long list, as the scrollbar seemed to suggest that I'd only find the usual footer down there.

As an example, here's Microsoft's version of just one of the workarounds that users are recommended to apply:

Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, follow these steps:

On the Internet Explorer Tools menu, click Internet Options.
In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Having contemplated the prospect of explaining that lot, and three more of the same, to your mother over the phone, consider the alternative:

Go to www.mozilla.com.
Click the "Download Firefox - Free" button.
When the file downloads and it asks you what you want to do, click "Open" (or "Run" - can't remember which IE says these days).
Keep clicking "Next" until it installs the program. If the "Next" button is greyed out on the license screen, click "I agree" and then click "Next".
From now on, use the cute fox wrapped round the globe instead of the big blue "e" to go on the Internet.

I know which I'd choose

Get a life Nick the Geek!

**RichardCranium** · 18 January 2010, 21:38

Originally posted by AtW View Post

Get a life Nick the Geek!

It would have been really funny if that had been written by that Russian bloke that's built a huge search thingie, you know, the bloke who works all weekend and the highlight of his life is to tell us what he had for lunch. Especially since it is targeted at one of the few single people on here, someone who is out pubbing and clubbing it until the sun comes up, having adventures with brawls, drunks, drug-pushers, Police, vandals and all manner of ne'er-do-wells.

**NickFitz** · 18 January 2010, 21:59

Originally posted by RichardCranium View Post

It would have been really funny if that had been written by that Russian bloke that's built a huge search thingie, you know, the bloke who works all weekend and the highlight of his life is to tell us what he had for lunch. Especially since it is targeted at one of the few single people on here, someone who is out pubbing and clubbing it until the sun comes up, having adventures with brawls, drunks, drug-pushers, Police, vandals and all manner of ne'er-do-wells.

... and that's just the downstairs neighbours

Though not since the kidnap/torture trial. The new people are all nice and respectable, which makes things a bit more peaceful

**RichardCranium** · 18 January 2010, 22:11

Originally posted by NickFitz View Post

The new people are more discreet and know how to administer Rohypnol, which makes things a bit more peaceful

FTFY

**d000hg** · 18 January 2010, 23:43

Originally posted by NickFitz View Post

Installing IE8 would be pretty easy too. Even The Register aren't laying into IE, so it can't be that bad...

Originally posted by http://www.theregister.co.uk/2010/01/15/ie_zero_day_exploit_goes_wild/

We've said it before, and given the particulars of this vulnerability, we'll say it again: security measures like DEP and ASLR, or address space layout randomization, matter. As ugly as this vulnerability is - to say nothing of its ability to remain undetected for nine years - the fact that Windows 7 and IE 8 were able to withstand the "highly sophisticated" attacks that felled Google is testament that Microsoft is making significant progress.

**NickFitz** · 19 January 2010, 03:22

Originally posted by d000hg View Post

Originally posted by NickFitz View Post

Installing IE8 would be pretty easy too. Even The Register aren't laying into IE, so it can't be that bad...

Explaining the crucial aspects of a serious problem, with a link to the information people need and instructions on how to find the place that MS have (unwittingly) hidden it, doesn't strike me as "zealotry"; pointing out that most people wouldn't know how to follow MS's directions and suggesting an alternative approach that will protect them immediately is merely my attempt to be helpful, whilst also pointing out how utterly useless MS are at coping with this kind of thing.

A Google search for a whole range of relevant terms, such as might be used by normal people, should immediately direct me to a document hosted at microsoft.com that explains how to protect oneself against these exploits in language even normal people can understand. It doesn't. Furthermore, it doesn't because there is no such document. All MS have put up is a document that hides advice by default and is tricky to follow even for experienced geeks. (It also ranks poorly in search results - they own a search engine and they can't even manage basic SEO.)

Still, you're correct; if people are running up-to-date installations of certain recent Microsoft operating systems then installing IE8 would be the best option for them.

Perhaps you can provide a five-step guide on how to do so, suitable for explaining over the phone to non-tech savvy individuals?

**Tarquin Farquhar** · 19 January 2010, 06:37

Originally posted by NickFitz View Post

A Google search for a whole range of relevant terms, such as might be used by normal people, should immediately direct me to a document hosted at microsoft.com that explains how to protect oneself against these exploits in language even normal people can understand. It doesn't.

Yup. Simple as that.

France and Germany warn against Internet Exlporer