Perhaps not directly programming related, but definitely product / commercially related. And I can't find a dupe, so I thought I would ask.

I have had a bit of trouble trying to figure out what best to say to people who have called and asked for advice. The Microsoft message is a bit worrying - basically, be worried, lock up everything and hold on tight. Some of the people I have directed towards that route have objected because of what it does to their browsing experience.

The "go get Firefox" message seems to be going down a bit better. What is the real story and what is the best advice to give?

How much actual risk does it pose between now and when MS patches it?

Edit: here are the links that my community seem to be reading... WSJ NP BBC

+4  A: 

Switch to another browser, already.

Chrome and Firefox would be my first two choices. Firefox would probably be best for now, just because it has a longer history.

The only way to prevent this on IE is to follow Microsoft's workaround procedures, which will cause a huge headache for users.

EndangeredMassa
+2  A: 
  • Use Firefox
  • Use NoScript (if you want proper defence in depth). I can simply say 95+% of all client-side exploits require JavaScript and 90% of the time these are loaded from a 3rd party website. Therefore switching to FF and using NoScript is a really good solution.

How much actual risk does it pose between now and when MS patches it?

If you look at 0days in IE there are a bunch of them, and IE has the worst security track record. Also it's one of the most targeted applications for attackers because there is clear profit in it. Therefore using IE is generally not a good idea.

If you have to use IE,

  • Use protected mode
  • Use the latest stable version
  • Keep your Windows updated
  • Run it as a least-privileged user
  • Use a process control and personal firewall application such as Comodo Firewall (process control applications, if you can use them right, can solve many of these problems, but have a massive overhead for the user)

Details of previous IE issues, there are lots of them!

You can inform them to patch by following some workarounds, but as you notice it's not going to save them in the long run.

dr. evil
A: 

Apart from switching browser, pay attention to the emergency patch - get it installed.

Jonathan Leffler