Being in the automotive industry I'm having the good fortune (?) of having several weeks off. Hopefully that won't lead to more permanent time off. Unfortunately my wife's job is preventing her from taking any vacation time through the end of the year (sigh). That means this week I'm enjoying spending more time on-line that normal.

This morning I stumbled upon this Internet Explorer security warning.

http://tech.yahoo.com/blogs/null/111811

"The major press outlets are abuzz this morning with news of a major new security flaw that affects all versions of Internet Explorer from IE5 to the latest beta of IE8. The attack has serious and far-reaching ramifications -- and they're not just theoretical attacks. In fact, the flaw is already in wide use as a tool to steal online game passwords, with some 10,000 websites infected with the code needed to take advantage of the hole in IE.

Virtually all security experts (as well as myself) are counseling users to switch to any other web browser -- none of the others are affected, including Firefox, Chrome, and Opera -- at least for the time being"

I'm a pretty typical computer user - certainly not an expert - and am wondering what those who know more about these things thing about it.

I've used Firefox and like it, but found using bookmarks in it kind of a pain.

Today I loaded Google Chrome for the first time (using it now), and I've got to say I'm impressed so far. Simple. Very fast.

A few years back I had my work laptop messed up enough by malware that it needed to be re-imaged. It had Norton's security software on it and still got trashed. Since then I've been VERY careful about which sites I visit.

Your thoughts?

Ken

I use Safari on both my Mac's and PC. Works great and is very user friendly. If you have an iPod or iPhone and have connected it to the 'puter you are using, you probably have it. Oh yeah, NO SECURITY ISSUES.

Grew up on PC's, switched to Mac last christmas. I have one program that cannot be run on Mac that I have to reboot to windows OS on my mac. If I am in windows OS, I AM NOT on any network due to all the security issues. Now when the next job comes, I am sure it will come with a PC. It will be "work only" due to PC security issues and companies really don't like personal business on the time or machines.

Yea, IE has just gottne too unsafe to use anymore. I gave up on IE and windows about 5 yeras ago after I got hit twice with some crap I had to reinstall to remove. I had my system locked down really secure, running as a non admin user, etc.
No software is perfect and no software is completely safe, but to have the browser integrated into the os allows a browser hole to become an OS hole, the worst thing Microsoft ever did was that integration.

+1 on Chrome. I use it too.

BTW, what makes Mac more secure is that they are less juicy targets since there are fewer of them in the market place. They are installed in less critical locations, etc.

Rest assured, as Macs become more and more popular, they will become targets too. If Macs cross over to the "enterprise" in a big way you can bet on them becoming attacked just like their PC brethren. There is nothing inherent about the Mac's OS that makes it more secure. It is just less profitable to attempt to exploit them...

So for now, security through obscurity works....

http://www.networkcomputing.com/showArticle.jhtml?articleID=159900444

http://www.informit.com/articles/article.aspx?p=712742

http://broadcast.oreilly.com/2008/12/is-apple-os-x-more-secure-than.html


GarlyDog
CISSP
http://en.wikipedia.org/wiki/CISSP

But security added to obscurity is even better.

I can't blame IE - by the numbers, its just as safe or safer than Mozilla (who released a fix for a dozen vulns a couple days ago) or Opera (who did the same last night). I use each of these from time to time. IE is a bigger target, so caveat emptor, and with any browser be careful where you go. Microsoft already released the critical update patch to address this, and I applied it, so no worries there.

For the record, I run mostly Windows Vista, and in 20+ years have only been hacked by my daughter's iTunes app (which has an attrocious security record), or my son's predeliction for dodgy Runescape installs. In general I trust Microsoft to code more securely than Apple or some of the others, and I think their recent track record backs that up - and in software, the only relevent measure is today's actual performance. ymmv of course.

I spend ALL DAY on a computer, mostly using web sites, doing a LOT of research and planning. I use the web ALL FREAKING DAY.

Since I make a living with web browsers and a laptop, I need one that WORKS all the time.

Since I do all my banking and financial management online, I also am critically aware of the security issues facing IE users.

I personally use a Mac Book Pro, I browse mostly with Firefox with a raft of plug-ins and filters, LittleSnitch runs on the computer (monitors all network connections), my firewall is ON at all times on the computer.

For the times where I simply MUST use IE, I fire up an instance of Windows XP as a virtual machine with Parallels on the Mac. I keep a "fresh install" copy of the XP virtual machine image,I copy that, run the VM from the copy, leaving the original "safe" copy alone and once I'm done with using IE for whatever reason I was forced to do it (mostly [censored] poor web coding or an insane reliance on Active-X), I delete the potentially contaminated copy of XP.

I'd sooner travel across the arctic in wet jeans and T-shirt than use IE for anything. It's a DANGEROUSLY BAD program.

One more thing...

Google Chrome. A good browser for today and a better browser for tomorrow.

Get it. Live it. Love it.

It's CRISP and SIMPLE.

I've been in the Unix world since the late 70's. It was part time, but I switched over to Linux full time in the mid 90's, when Windows 95 came out. I don't hate MS, nor am I "religious" about operating systems, I just hate GUI's.

I use IE at work (no choice), but have my wife use Firefox, and I do sometimes also. It's pretty good. Most of the time, I use Pine. I still like it better than anything else, and I don't have to look at all the stupid graphics everyone tries to force on me. I'm getting grouchy in my middle age...

Since Mac is now Unix based, that is the way to go, and I've gotten most of my family to switch over. I still prefer Linux because I live on the command line, but if a user is not interested in that sort of thing, go Mac. If not Mac, then Firefox or Chrome (haven't tried that one yet).

Popularity and numbers are only one part of security, there are other things to look at. Look at the description of security bullitons for an os like linux or browser like firefox, they are more often than not minor trivial things, then look at the bullitons for IE, they are large holes into the kernel of windows.

That's just not so Eugene - check out Jeff Jones' study of comparative vulnerabilities reported by Red Hat, Microsoft, Ubuntu and Apple OSX. Red Hat, Ubuntu and Apple all have more severe vulnerabilities than Windows Vista or Windows XP, combined. http://blogs.technet.com/security/archiv...ity-report.aspx

Hmm, I have never like the obscurity argument for any platform. Yes, many more people use various flavors of Windows and it is a much "juicier" target these days. Initially there was little business value to exploiting the weaknesses of the Windows OS since the truly mission critical stuff ran on VAX, UNIX or older Mainframe systems. These systems have been networked for years and been demonstrably less vulnerable to many of the exploits pulled on Windows systems. So basically the security problems with older Windows systems were initially exploited for fun and reputation, not profit (this changed when people figured out you could take over machines via email and send spam from a remote machine). On that basis I would have expected people to come out swinging at some of the non-MS stuff just to show it could be done. Results to date indicate that either people aren't trying too hard or non-MS stuff is harder to exploit (interpreting a small/null sample is always a challenge).

Of course MS made it trivially easy for people to find exploits. Initially there was literally no concept of designed in security and while they are improving, security often runs counter to the MS approach to ease of use (let the system automatically do that to ^h^h for you) and creeping (or maybe exploding) featuritis. This is especially true with the MS office suite, mail and IE being so closely integrated with the OS. A vulnerability anywhere can be escalated across the entire environment. At least with non-MS stuff in the loop (as browser or OS) the level of integration and vulnerability is reduced.

Are Linux and MacOS bulletproof? Of course not! But because of various design decisions they are much less vulnerable to the sorts of tomfoolery that Windows has had to put up with. It is much more difficult to escalate an exploit on most non-MS systems to the same degree that you can on a MS platform.

I don't have certifications like yours, and to be blunt in my field they don't mean much, but I do have over 20 years working with lots of Commercial Off The Shelf computing and networking systems while designing, integrating and testing safety critical systems. A lot of this computing stuff is pretty similar to our preparedness discussions - lots and lots of choices with no single answer that works for everyone.

- Eric

Considering the source of the paper I would be shocked if they reached any other conclusion. Jeff Jones works for MS. Having reviewed the paper (and the comments on the site), I would basically say that you can use metrics (measurements) to reach any conclusion you want- you just have to pick the right ones.

- Eric

Ha, <sarcasm> a real unbiased source there </sarcasm>

Microsoft has put out a lot of papers, some show the cost of ownership lower for their software, showing the uptime greater, etc, all of them are good joke material for the whole IT industry.

Like you, I will take my opinion from practical experience. I too have had several computers trashed because of “drive-by downloads” that Internet Explorer lets in and Norton AntiVirus doesn’t even blink at. After reformatting my own computer a couple times because of this, and reformatting several friends’ computers because of this, I whole-heartedly recommend using an alternative browser.

I am now using Firefox, along with the NoScript add-on. The NoScript add-on is only partially for security in my case; it is also fantastic for disabling all the Flash web-junk that makes my piece-of-trash PC even slower. Internet Explorer 7 and 8 may not be as bad as the older versions that were the bane of my experiences, but I would rather not switch from my current setup that I know works and am comfortable with.

I also whole-heartedly recommend avoiding Symantec security software like the plague, although I have heard their newer versions also work much better than the older ones. Although after seeing Norton AntiVirus sit in the system tray right alongside the darned adware download viruses Internet Explorer let in, I have advocated various other antivirus products instead. Eset NOD32 is my current favorite, but my antivirus trial-and-error testing is material for another thread.

Same happened to me, both times were simple typo's in the address bar. This was on my brand new laptop I bought around 2003, was my first XP system. Never got USB to work right or suspend/resume either no matter how many patches or driver updates, both worked nine out of ten times. This was compared to all the Windows 2000 systems I had owned or supported through jobs. I was messing with Linux off and on for about a year and made the switch and am still running that same laptop now, I've replaced the 1 GHz processor with a 1.3GHz, the drive went from 20G to 60G to 120G to 160G, ram at 640M (I still need to order that other 512 to replace the 128) network from pcmcia to 802.11b minipci to 802.11.a/b/g minipci. I need to replace the backlight bulb now as its starting to get dim. I've carried it everywhere and ran it 24x7. I upgrade to the latest version of my distro each time I swap in a bigger drive and it keeps getting faster unlike Windows systems that get slower with age.

Due to most of the nature of my work (computer security related), I am dependent on Windows most of the time. I stay away from IE like the plague and use Firefox (and Google Chrome) instead. For FF, I also use Adblocker, Noscript, Remove it Permanently (great for removing extraneous fluff from websites) and Edexter.

All the pc's regardless of operating systems on my network are routed through a customized Squid proxy server with restricted lists of domains and iptables running on Linux which is forwarded to two routers / firewalls then out to the internet.

Needless to say not only do I feel safe browsing the internet and stopping unwanted TCP/IP incoming traffic, web pages load exceptionally fast with all the ads, flash video etc stripped out of them.

As for Norton....stay away from this product in any incarnation. Better choices out there include NOD32 and Trend Micro.

On a related note, a couple of days ago, Martin Focazio mentioned the Google Chrome browser and he is correct.

Quote
One more thing...
Google Chrome. A good browser for today and a better browser for tomorrow.
Get it. Live it. Love it.
It's CRISP and SIMPLE.
End quote

I also really believe Google Chrome is the browser for today and tomorrow. Once they get one little bug fixed that really effects my work.....I will switch over to it full-time.

I don´t attach much importance to simple tools like browsers and don´t care what people use but I am quite surprised how many people glorify the Chrome browser. This thing is basically created for one reason - to spy on you in order to target advertisements to you. Or who knows what they are doing with all this data or what they will do in the future.

Maybe something has been already "fixed" now but here are some examples what Chrome was like when it came out (maybe something is still included today):

- If I remember correctly the EULA of the software stated something like this: whatever you upload via Chrome browser belongs to the Google. Basically "All your base are belong to us" attitude. I believe the EULA was changed with later versions. But the first EULA says something about Google´s intention.

- Your Chrome installation is associated with unique ID. In order to anonymize your installation you have to use third party application UnChrome. (This behavior is present in Chrome today.)

- Google update service which installs along with Chrome is always running on your computer even if Chrome is not running and cannot be terminated or uninstalled the normal way. (This was somebody´s complaint - I don´t know if it´s 100% true.)

- This is from this thread - http://forum.securitycadets.com/index.php?showtopic=8161&hl



There were also some serious security bugs in Chrome ( http://forum.securitycadets.com/index.php?showtopic=8161&hl ). I don´t know if everything has been fixed now or not.

There are more issues than these, just search "Google Chrome Privacy".

... No, thanks, I will stick with Opera.

P.S.: There is "Iron" browser that is created from open source code of Chromium. It should be almost identiccal to Chrome but with better privacy and maybe other advancements.

This is not any different then any other web site / service. Read their EULA's and privacy agreements.....some make Google's pale in comparison. As for glorifying GC, perhaps you read too far into Martin's comments....I certainly did not and can recognize a good product when I see and use it.


Have you ever read Microsoft's EULA?...thats if you have the money to spend on a high priced lawyer to interpret it for you.


Unique ID's are also present in Microsoft and any other software products that "phone home."


Patently false...unproven hyperbole. It is easy to disable.


FUD, (Fear,Uncertainly, Doubt) Do you use Google, Yahoo, MSN etc with any web browser? Similar or the same info is collected. As for the auto suggest keystroke. You can download numerous code that allows any website to collect the search term info in a database. My work website has this functionality and the last I heard, we nor Google had used keyword auto-completion for any malicious reasons. If you are so worried about privacy, maybe it is time to give up the computer and internet...and while you are at, all your ID, phone numbers, job, friends, your house, bank accounts etc. These people who have and own this information know far more about you then an internet company..


Please....This was fixed sometime ago, next time try to be up to date with a security concern.


Insert any other words you wish and search, there is always someone with crusade against some product or service and has wrote about it....even Opera's


Thats what freedom of choice is all about.

Eric, Eugene - Jeff Jones is known for his objective reviews of publicly available security vulnerability data - just the facts, wherever it leads. Dismissing him or his reports because of his employer is wrong, and misses the point: his objective analysis is dead-on correct, whereas your dismissal of his findings is not. Dismiss the analysis if you can, but its been over a year, and greater minds than ours haven't been able to do that. Ad hominem attacks don't win very many arguments with me, anyway.

To me this isn't about open versus closed source or Microsoft versus Anybody But Microsoft - in a measure of relatively security, Microsoft's more recent products do measurably better across the board, from Windows to IE to Office to SQL. Microsoft has internalized certain security coding methodologies that result in fewer security vulnerabilities over time. Its a long and hard process, never perfect in its realization. I would like to say that competing applications and operating systems have taken a similar course, apparently though they have not. In general I would say that Microsoft has gotten better at this security thing, while its competitors have not. That can be difficult for some to admit. cx You can dismiss hard facts if you like, its to your detriment though. Don't mislead others along the way if you can help it.

Lono:

I disagree with you and agree with Eugene. There are many, many security experts with no ties or vested interests in any software company that state the same facts. But I guess Jeff Jones is the only real expert that counts in your view.

I just finished a test of 0 day compromise attacks against fully patched and unprotected Win XP and Win Vista systems. Within 23 minutes of putting both these pc's on the internet, they were both compromised with the XP faring the worst.

A comparison test using Linux distro, Centos, Suse and Kubuntu showed that all three of these pc's using a default install still have not been compromised after 4 days around the clock exposure to the internet.

Is this is scientific test? No it is not, yet is close to the real word testing as we need to make reasonable and key decision on.

I noticed that you claim to be located in the PNW...would your work address be somewhere near Microsoft Way, Redmond WA.?