[Cialug] Security and the browser

David Champion dchampion at visionary.com
Tue Oct 21 13:33:31 CDT 2008


Thanks for the clarification...

It's kind of a moot (or mute) point: since most IE users can't even be 
bothered to update or install security patches, I doubt many people will 
change settings like this on their own.

For Nate's case, where I'm assuming he can enforce IE settings, that may 
be a good one to turn on.

-dc

Tim Wilson wrote:
>
>
> On Tue, Oct 21, 2008 at 9:46 AM, David Champion 
> <dchampion at visionary.com> wrote:
>
>     ... and the wonderful side-effect of the tight integration of IE
>     with the OS - if something causes your instance of IE to crash, it
>     can cause any instances of Windows Explorer, your desktop, the
>     taskbar, programs that use the standard file browser dialog etc.
>     to lock up. They may or may not come back, and you may have to do
>     a cold reboot.
>
>
> Not entirely accurate.  Using the default settings, I believe that is 
> true.  However, in Windows Explorer, there's a setting for launching 
> Explorer windows as a separate process.  I highly recommend doing 
> that.  My desktop at work has had issues accessing network shares, and 
> it has crashed Windows Explorer.  Since I had changed that setting, 
> my taskbar didn't die also.  The option is called "Launch folder 
> windows in a separate process", and it is under Tools...Folder 
> Options, then click on the View tab.
>
> Of course if your windows machine is low on memory, an extra process 
> could cause the computer to be even slower.
>
>     I've seen articles describing how a malicious web site can cause
>     IE to crash, creating a local DoS attack of sorts, even if they
>     aren't using IE as an attack vector. For instance, if you were able
>     to infect a company's intranet site with code that causes
>     everyone's PC to be unusable for a time, or to be rebooted every
>     time they hit the site... that could cripple a company for a time.
>
>     When IE does lock up, I have been able to alt-tab to firefox or
>     t-bird, and they work just fine while Windows is doing whatever it
>     does behind the scenes to (attempt to) recover.
>
>     -dc
>
>
>     Josh More wrote:
>>     The biggest risk with IE is its tight integration with the OS.  Most
>>     of the vulnerabilities involve ActiveX and system libraries (mostly
>>     graphics).  Firefox is proof against these simply because it doesn't
>>     integrate with the OS at the OS level, so there is an abstraction layer
>>     that attacks have to get through.  That makes it harder both to attack
>>     and to do integrative tasks... one of the reasons that Windows Update
>>     only works with IE.
>>
>>     The plugin architecture to both the new IE and Firefox does present a
>>     security concern, but most plugins should run sandboxed, so as long as
>>     you review them before installation, you should be fine.  A bigger
>>     concern with plugin proliferation is the consumption of system
>>     resources.
>>
>>     My recommendation would be to disable IE as much as possible and
>>     replace it with Firefox.  In other words, keep IE around only for tasks
>>     that need the OS integration (Windows Update, custom apps) and use
>>     Firefox only for web browsing.  Use either system imaging or a PUA
>>     filter (Sophos provides this, but there are others too) to lock the Firefox
>>     configuration (plugins, themes, etc.) to something reviewed and
>>     acceptable.
>>
>>     The big advantage you get this way is somewhat improved security at the
>>     architecture level (abstraction layer) and significantly improved
>>     security at the application layer (if you pick the right plugins (like
>>     adblock)).  The big drawback is that you have to maintain patches for an
>>     additional system and its associated plugins.  There are likely third
>>     party tools to help manage this (PatchLink maybe?), but I can't
>>     recommend any from first hand experience.
>>
>>     Whatever browser you use should be the latest generation to protect
>>     against phishing and known malware sites.  These technologies aren't
>>     perfect, but they're a lot better than having nothing... so at a
>>     minimum, you should ditch IE 6.
>>
>>
>>     -Josh More, RHCE, CISSP, NCLP, GIAC 
>>     morej at alliancetechnologies.net 
>>     515-245-7701
>>
>>
>>>>>     "Nathan C. Smith" <nathan.smith at ipmvs.com> 10/20/08 10:53 AM >>> 
>>
>>     I've heard people say Firefox is "More Secure" than Internet Explorer,
>>     and while it seems to make sense at first, I do not believe that claim
>>     can be substantiated.  Firefox may have "less inherent risk" than I.E.,
>>     and that is where my question comes in.
>>
>>     At work we use I.E. but we are looking at Firefox.  I have some
>>     reservations about manageability.  Our philosophy right now is that the
>>     single browser, I.E., is probably heavily targeted and has lots of
>>     problems, but it is easily updated and attacks will become quickly known via
>>     different communities.  It is also "protected" through antivirus and
>>     anti-malware software.  If we were to allow Firefox and perhaps Chrome,
>>     there would be three very different vectors of risk all with different
>>     types of potential security holes/weaknesses.  We would in fact be
>>     "casting a wider risk net" by using all three or two browsers.
>>
>>     I'm not looking to start a flame war, but rather an intelligent (and
>>     perhaps spirited) discussion of the weaknesses of different browsers and
>>     ways we can look at the risks involved to somehow compare the elements
>>     of risk between browsers.
>>
>>     Some of the risk elements might include plug-ins, types of plug-ins,
>>     rendering engines, open-source v. closed source and whether a code
>>     review is possible, and the track record of the company supplying the
>>     product.  One unfortunate truth is that other products that contain the
>>     Internet Explorer engine are probably going to be subject to the same
>>     risks I.E. is when that product is running.
>>
>>
>>     -Nate
>>     _______________________________________________
>>     Cialug mailing list
>>     Cialug at cialug.org
>>     http://cialug.org/mailman/listinfo/cialug
>>
>
>
> -- 
> Tim

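The "Launch folder windows in a separate process" option Tim describes above can be checked and enforced from PowerShell rather than through the Folder Options dialog. This is an added example, not code from anyone in the thread; it assumes the option is backed by the DWORD value SeparateProcess (1 = on) under the Explorer\Advanced key in the user's hive.

```powershell
# Added example, not from the thread. Assumption: the Explorer option
# "Launch folder windows in a separate process" is stored as the DWORD
# value SeparateProcess under the per-user Explorer\Advanced key (1 = on).
$Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Name = 'SeparateProcess'

function Get-SeparateProcessSetting {
    # Returns $true when folder windows are configured to run in their own
    # process; a missing value means the default (off).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name -eq 1)
}

function Enable-SeparateProcessSetting {
    # Creates the key if it is absent, writes the value, and re-reads it so
    # the caller can confirm the change actually landed.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
    return (Get-SeparateProcessSetting)
}

if (Get-SeparateProcessSetting) {
    Write-Output "Folder windows already launch in a separate process."
} elseif (Enable-SeparateProcessSetting) {
    Write-Output "Enabled; restart explorer.exe or sign out for it to apply to existing windows."
} else {
    Write-Output "Failed to enable the setting; check permissions on $Key."
}
```

For the fleet-wide enforcement David has in mind, the same value can be pushed to every user's hive with a Group Policy Preferences registry item instead of running the script per machine.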