[ISN] Microsoft: To secure IE, upgrade to XP

InfoSec News isn at c4i.org
Mon Sep 27 04:24:41 EDT 2004

Forwarded from: matthew patton <pattonme at yahoo.com>

> Microsoft has maintained that the browser is part of the operating
> system, a point of contention in its antitrust battle with the U.S.  
> government.

and what a WONDERFUL piece of integration it is. Perhaps my Citrix
admins are clueless but all I'm supposed to be able to use is IE -
they've removed File/Open|Save, the address bar, the GO button,
Internet Settings and maybe another thing or two but I can STILL get a
command prompt. I can run control panel, task manager, any app I want
to as well as a FULL desktop ala Start Menu and the whole works. I
*love* this browser integration!! It's a massive security hole for me
to do whatever I want on the Citrix box. And to think we have lots of
Citrix accounts out there with unmolested IE settings so the hurdles
aren't very high at all.

> Last year, the company ruled out future releases of IE as a
> standalone product. This week, the company reiterated that stance.

If I were Gartner and Co. I'd be forcibly reiterating my "abandon the
IE ship" message. $99 may not seem like a lot and corporate volume
pricing can probably 1/2 that but it's still ridiculous for companies
to be left deliberately vulnerable by their #1 software provider
because the latest point releases of an OS are not and have not been
compelling. What's that say to you oh Redmondian giant? Maybe scrap
Longhorn altogether and actually work on getting a version that works
and isn't filled with a zillion security holes? Win2K works just *()*)
fine for me and 30,000 other users in the company. Why on earth do I
want to chase M$ product for no tangible benefits and plenty of UI and
driver headaches? A compelling upgrade would be one that broke the OS
into a zillion independent pieces and a kernel functionality breakout
ala RPM and Solaris/Linux with choice of loadable modules. I'm sick
and tired of having this gargantuan behemoth with 90% unnecessary and
unasked for "features" with all the entailing security problems shoved
down my throat.

> And it's those more substantial changes, rather than the bug fixes
> that come with routine upgrades for supported products, that
> security organizations have lauded for addressing IE's graver
> security concerns.

oh geez and Mozilla/Opera etc have had these features for how many

> That 49.2 percent of Windows users are left out in the cold when it
> comes to significant updates to IE and other software.

Come on Microsoft, you know you want to ship a utility to eradicate IE
from every facet of Win2K on down, right? Well at least the cursed
WinME and the older but more stable/better 98/95. These people aren't
going to switch to XP even if you gave it to them. Maybe if you sent
out a MCSE to their house with a free PC to run the latest bloatware
and migrated all their applications and data they'd consider it. Yet
here I am a technologist supposedly interested in pursuing the cutting
edge and all that. I ran Win98 until quite recently on a 500mhz AMD.
The only thing my 1.7Ghz CPU gives me now is a faster rate of cracking
distributed.net key blocks.

I've had years of reading Cringley and other chaps at Byte etc. who
have documented their frustrations with OS after OS after OS. No thank
you. Win98 just plain works. Win2000 just plain works. Get used to it
Redmond, it takes you guys at least 3 versions of a product before you
make one that actually works well enough to justify thinking about
migrating. So that means XP is not it. Longhorn isn't it. Featuritis
is not what matters - FIXING stuff is.

> features they'd have to pay for in IE. But most consumers don't
> download anything if they can avoid it."

sad but true. And we wonder why Windoze boxes get owned and why there
are so many of them.
