<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Thanks for the clarification...<br>
<br>
It's kind of a moot (or mute) point, since most IE users can't even be
bothered to update or install security patches, I doubt many people
will change settings like this on their own.<br>
<br>
For Nate's case, where I'm assuming he can enforce IE settings, that
may be a good one to turn on.<br>
<br>
-dc<br>
<br>
Tim Wilson wrote:
<blockquote
cite="mid:5a9568c20810211113v16f4964bo75a16cbeb8d44820@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Tue, Oct 21, 2008 at 9:46 AM, David
Champion <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dchampion@visionary.com">dchampion@visionary.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">... and the wonderful
side-effect of the tight integration of IE with
the OS - if something causes your instance of IE to crash, it can cause
any instances of Windows Explorer, your desktop, the taskbar, programs
that use the standard file browser dialog etc. to lock up. They may or
may not come back, and you may have to do a cold reboot.</div>
</blockquote>
<div><br>
Not entirely accurate. Using the default settings, I believe that is
true. However, in Windows Explorer, there's a setting for launching
Explorer windows as a separate process. I highly recommend doing
that. My desktop at work has had issues accessing network shares, and
it has crashed Windows Explorer. Since, I had changed that setting, my
taskbar didn't die also. The option is called "Launch folder windows
in a separate process", and it is under Tools...Folder Options, then
click on the View tab.<br>
<br>
Of course if your windows machine is low on memory, an extra process
could cause the computer to be even slower.<br>
<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><br>
<br>
I've seen articles describing how a malicious web site can cause IE to
crash, creating a local DoS attack of sorts, even if they aren't using
IE as an attack vector. For instance if you were able to infect a
company's intranet site with code that cause everyone's PC to be
unusable for a time, or to be rebooted every time they hit the site...
that could cripple a company for a time.<br>
<br>
When IE does lock up, I have been able to alt-tab to firefox or t-bird,
and they work just fine while Windows is doing whatever it does behind
the scenes to (attempt to) recover.<br>
<font color="#888888"><br>
-dc</font>
<div>
<div class="Wj3C7c"><br>
<br>
Josh More wrote:
<blockquote type="cite">
<pre> The biggest risk with IE is it's tight integration with the OS. Most
of the vulnerabilities involve Active X and system libraries (mostly
graphics). Firefox is proof against these simply because it doesn't
integrate with the OS at the OS level, so there is an abstraction layer
that attacks have to get through. That makes it harder both to attack
and to do integrative tasks... one of the reasons that Windows Update
only works with IE.
The plugin architecture to both the new IE and Firefox does present a
security concern, but most plugins should run sandboxed, so as long as
you review them before installation, you should be fine. A bigger
concern with plugin proliferation is the consumption of system
resources.
My recommendation would be to disable IE as much as possible and
replace it with Firefox. In other words, keep IE around only for tasks
that need the OS integration (Windows Update, custom apps) and use
Firefox only for web browsing. Use either system imaging or a PUA
filter (Sophos provides this, but there others too) to lock the Firefox
configuration (plugins, themes, etc) to something reviewed and
acceptable.
The big advantage you get this way is somewhat improved security at the
architecture level (abstraction layer) and significantly improved
security at the application layer (if you pick the right plugins (like
adblock)). The big drawback is that you have to maintain patches for an
additional system and it's associated plugins. There are likely third
party tools to help manage this (PatchLink maybe?), but I can't
recommend any from first hand experience.
Whatever browser you use should be the latest generation to protect
against phishing and known malware sites. These technologies aren't
perfect, but they're a lot better than having nothing... so at a
minimum, you should ditch IE 6.
-Josh More, RHCE, CISSP, NCLP, GIAC
<a moz-do-not-send="true" href="mailto:morej@alliancetechnologies.net"
target="_blank">morej@alliancetechnologies.net</a>
515-245-7701
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre>"Nathan C. Smith" <a moz-do-not-send="true"
href="mailto:nathan.smith@ipmvs.com" target="_blank"><nathan.smith@ipmvs.com></a> 10/20/08 10:53 AM >>>
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre>I've heard people say Firefox is "More Secure" than Internet Explorer,
and while it seems to make sense at first, I do not believe that claim
can be substantiated. Firefox may have "less inherent risk" than I.E.,
and that is where my question comes in.
At work we use I.E. but we are looking at Firefox. I have some
reservations about manageability. Our philosophy right now is that the
single browser, I.E., is probably heavily targeted and has lots of
problems but it easily updated and attacks will become quickly known via
different communities. It is also "protected" through antivirus and
anti-malware software. If we were to allow Firefox and perhaps Chrome,
there would be three very different vectors of risk all with different
types of potential security holes/weaknesses. We would in fact be
"casting a wider risk net" by using all three or two broswers.
I'm not looking to start a flame war, but rather an intelligent (and
perhaps spirited) discussion of the weaknesses of different browsers and
ways we can look at the risks involved to somehow compare the elements
of risk between browsers.
Some of the risk elements might include plug-ins, types of plug-ins,
rendering engines, open-source v. closed source and whether a code
review is possible, and the track record of the company supplying the
product. One unfortunate truth is that other products that contain the
Internet Explorer engine are probably going to be subject to the same
risks I.E. is when that product is running.
-Nate
_______________________________________________
Cialug mailing list
<a moz-do-not-send="true" href="mailto:Cialug@cialug.org"
target="_blank">Cialug@cialug.org</a>
<a moz-do-not-send="true"
href="http://cialug.org/mailman/listinfo/cialug" target="_blank">http://cialug.org/mailman/listinfo/cialug</a>
_______________________________________________
Cialug mailing list
<a moz-do-not-send="true" href="mailto:Cialug@cialug.org"
target="_blank">Cialug@cialug.org</a>
<a moz-do-not-send="true"
href="http://cialug.org/mailman/listinfo/cialug" target="_blank">http://cialug.org/mailman/listinfo/cialug</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Cialug mailing list<br>
<a moz-do-not-send="true" href="mailto:Cialug@cialug.org">Cialug@cialug.org</a><br>
<a moz-do-not-send="true"
href="http://cialug.org/mailman/listinfo/cialug" target="_blank">http://cialug.org/mailman/listinfo/cialug</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Tim <br>
</blockquote>
<br>
</body>
</html>