IE exploits now seen worldwide!

[polonus]

Hi forum friends,

@bob3160
What you say is very true, 80% of the users use IE on Windows, probably because it is the only way they know how and experienced, and because it came with their computer and "it is the way you go onto the Internet", isn't it? So it is even worse the IE browser cannot be trusted for some lapse of time, because all the users that do not know about an alternative (or not interested even/ or not bother) are put at risk, and so this needs to be addressed as soon as possible by the developers of IE.
Read here: https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/180#M180
This has nothing to do with bashing browsers or being an IE fan-boy or an alternate browser fan-boy. Why is it so difficult for users of IE to admit there can be some lapse of time (until it is fully patched off-course) that they better not use their beloved browser, but use an alternate one (as long as it is not vulnerable to that specific vulnerability - DHTML Data Binding handling - heap spray?)
If MS itself comes up with the advice to only run IE in protected mode in Vista, I would know what I do, stay away from IE until they have found a cure for this. Funny why with some people there are always emotions drawn into a discussion when browsers are concerned!?!
Well this time it has come to the browser that has almost the absolute monopoly built into the platform that has almost the absolute monopoly globally. So what? The more reason I think to do something about it. I am almost sure there are already third party patches out there....or they are being developed.

@Jtaylor83 ..NoScript has not been passed by any vulnerability as far as known, so that would be a novum.
On the other hand if NoScript is such a successful security extension why those that decide on browser security won't have it by default inside Flock or Firefox, and why Giorgio Maone was never asked to come up with a similar extension for Blue E? Just let this line of mine sink in, ponder over it some time, and then you are certainly having some questions on your mind, haven't you?

polonus

[doomer]

http://forum.avast.com/index.php?topic=40869.msg343103#msg343103

Looks like the browser wars will rage on for...

The Next Hundred Yeeears...


Still, I am glad there are people like bob3160 to introduce balance and shed some light on the true situation at this very moment.

And not the fanboyish one.

[Alan Baxter]

No browser war necessary.  The standard prudent advice is to use another browser until MS fixes IE.

http://blogs.zdnet.com/security/?p=2301

Until Microsoft can issue a patch — out-of-cycle or otherwise — you should consider using an alternative browser like Mozilla Firefox or Opera.

http://voices.washingtonpost.com/securityfix/2008/12/exploit_for_unpatched_internet.html

I would strongly advise readers to avoid surfing the Web with IE at least until Microsoft has patched this flaw. If Microsoft sticks to its regular schedule of issuing updates to fix security flaws on the second Tuesday of each month, that means that unless Redmond deviates from that schedule, the earliest we can expect a patch for this flaw is Jan. 13, 2009.

http://www.theregister.co.uk/2008/12/11/sql_server_vuln/

The best way to protect yourself against the IE attack is to stop using the browser until it's been patched.

[Alan Baxter]

On the other hand if NoScript is such a successful security extension why those that decide on browser security won't have it by default inside Flock or Firefox,

It's under consideration.  From Ryan Naraine’s Talking Firefox security with Mozilla’s Window Snyder:

There are discussions happening internally at Mozilla around adding NoScript functionality into the core browser.  “It’s a conversation we’re having.  I’d love to see it in there."

and why Giorgio Maone was never asked to come up with a similar extension for Blue E?

MS didn't bother asking.  From NoScript’s Anti-XSS Filters Partially Ported to IE8:

[bob3160]

Polonus,
Right now I'm not using IE or FF but:



Let the wars continue....

Get it here:
http://mysharedfiles.no-ip.org/Browsers/srware_iron.exe

[polonus]

Howdy bob3160,

I use that too, my friend, and I also posted in the national anthem query. You still have that Prussian old anthem there? And you still love Sauerkraut and Wurst? I do.Well, but to mention it - actually a decent browser war has a purpose, it makes us all more secure. Always look on the bright side of life, as I tell you,

Damian

[bob3160]

Damien,
I've looked at the bright side of life and a lot of other subjects for many many years.
Here are just 2 examples:
http://forum.avast.com/index.php?topic=19766.msg166105#msg166105
http://forum.avast.com/index.php?topic=13246.0

Have a great day. 

[FreewheelinFrank]

Unfortunately FWF has been bashing IE and Microsoft for so long that he has lost sight of the fact:
It is the most widely used browser and operating system in the world.

Bashing the browser and the operating system or any one who uses one or both doesn't cure anything.

Just for the record, Bob, I think this is complete bullshit.

I challenge you to find one post where I've gone beyond reporting the facts or making a reasonable criticism.

[FreewheelinFrank]

http://forum.avast.com/index.php?topic=40869.msg343103#msg343103

Looks like the browser wars will rage on for...

The Next Hundred Yeeears...


Still, I am glad there are people like bob3160 to introduce balance and shed some light on the true situation at this very moment.

And not the fanboyish one.

Bob is not the source of objectivity he pretends to be: he has always played down security problems with IE in the past.

He's consistently stated that it doesn't matter what browser you use- all have security issues- and if you stick to safe sites, you'll be fine with any browser.

This advice flies in the face of major problems with IE like this one, where, as pointed out in previous threads comments, we have security web sites suggesting that people simply avoid IE, and reports of in the wild exploits appearing on hacked legitimate web sites.

Am I a Firefox Fanboy and Bob a source of illumination? I'll leave that to others to judge, but I'd rather we avoid the childish labels.

EDIT: correction.

[alanrf]

As I said in another thread:

In the same spirit ... let's skip characterizing other forum members as "anti-Microsoft".  It is useless, it is counter-productive and it does nothing to forward a thread or build forum community.

However important anyone may consider themselves to these forums please remember that apart from the avast team contributors the only folks really indispensable in these forums are Tech and DavidR.  For the rest of us we need to remember that personal attacks are forbidden.  There are a some of us (yes even me) that need to mend our ways but I am far from alone ... and if I have to I will ask the moderators for their guidance on further personal attacks. 

Friends (if not that then let's work harder to make it so) we are here to help the users of avast not to battle in front of them - or else, quite rightly, this sub forum will disappear too.   

[Marc57]

Agreed, We ALL need to work together, NOT fight over Which OS or browser is the best, Let Microsoft, Mozilla and Apple do that, That's what they get paid to do.

Come on people, We're ALL better than this.

Frank, you alanrf and bob have done a LOT to help people on these forum, And I've learned A lot from ALL of you.

To Frank, If I've said anything to disturb you, Please except my apology.

NOW, Can we get back to helping each other??

[FreewheelinFrank]

Agreed, We ALL need to work together, NOT fight over Which OS or browser is the best, Let Microsoft, Mozilla and Apple do that, That's what they get paid to do.

Come on people, We're ALL better than this.

Frank, you alanrf and bob have done a LOT to help people on these forum, And I've learned A lot from ALL of you.

To Frank, If I've said anything to disturb you, Please except my apology.

NOW, Can we get back to helping each other??

Nothing to apologise for, Marc. 

[Marc57]

Glad to hear that friend. 

[polonus]

Howdy folks,

Let us start with helping each other then. In the case you run IE7 on XP SP3 the the recommended workaround to run IE if you have to use it, is described here:
http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx
I past here some advice that I got posted:

They (that is the workarounds) should be sufficient.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Disable XML Island Functionality

That done, I've decided to still follow the prudent advice I posted and stay off IE until this exploit is patched. Too many trusted sites require Active Scripting or ActiveX Controls to work properly. In the meantime I've disabled the Always-view-in-IE feature of IE View too.

I would like to add if you need to run IE for some reason, at least run it without full admin rights,

polonus

P.S. Info about a recent new infected Chinese website: http://securitylabs.websense.com/content/Alerts/3261.aspx

[bob3160]

Bob is not the source of objectivity he pretends to be: he has always played down security problems with IE in the past.

I have

All browsers are flawed. None of them are 100% perfect. 
It's up to the user to be prudent how they secure their own choice of a browser.

Right now I'm using SRWare Iron.  ( My Own personal Choice ) You'll have to choose your own.