Has China helped Google in the browser wars?
Google's move to confront the Chinese government over the censorship of its search results is looking shrewder by the day. It has succeeded in mending some of the damage to its reputation caused by its original entry into China, it's given a huge boost to the morale of thousands of Google staff who were never happy defending that decision, and it's moved the spotlight onto its rivals' China policies.
But it could also prove a decisive moment for the fortunes of its Chrome browser. Microsoft has admitted that there is a vulnerability in its Internet Explorer browser, which was apparently used by the Chinese hackers who launched an assault on Google and other companies. by advising their citizens to avoid Internet Explorer.
This terrible piece of PR for Microsoft comes just as the IE browser which had almost total control of the market starts to come under pressure - not just from the open-source Mozilla Firefox, but from Google's Chrome.
Finding accurate statistics for market share in the browser market is quite a challenge - appears to show that Internet Explorer, in its various guises, has now been overtaken by Firefox, and that Chrome has come from nowhere to grab 10% of the market.
Whereas shows that while Microsoft's browsers are being hotly pursued by Firefox they still have an overall lead. I'm also told by another reasonably reliable source that in the UK, Internet Explorer has around 75% of the market, with the latest version IE8 now on over 40% of computers.
But what could be a bigger incentive for all those millions of Internet Explorer users to move than hearing that they are using a piece of software that puts them at risk of invasion by Chinese hackers? Little wonder then that Microsoft was on the phone this morning, asking to come and give their side of the story to BBC viewers.
Cliff Evans, head of security at Microsoft UK, arrived at our offices with quite a simple message. Yes, there was a vulnerability in Internet Explorer but it had only actually been exploited in IE6 - so users should upgrade to IE8, which was much safer. And he went further - Internet Explorer 8 was the safest browser on the market and would give you the kind of security against malware and phishing attacks that Firefox and Chrome simply couldn't offer.
I called Google in an attempt to start a bit of a fight over that claim, but my contact was, perhaps sensibly, unwilling to wade in: "We think people should simply upgrade to the latest version of whichever browser they use," he said, though he did add: "Having 14% of the market using IE6 is not good for security."
And Microsoft would probably agree with that. But the millions of people who browse from their desks in big corporations probably don't have a choice - either of their browser or of which version they use. Just as they used to say "nobody got fired for buying IBM" it's my impression that in corporate IT departments nobody got fired for installing Internet Explorer - and then telling users impatient to upgrade to the latest version that "it's not been approved yet".
After enjoying unchallenged supremacy in the browser market for years, Microsoft was finally forced to start innovating when Firefox showed there was a better way to browse. So far it's been usability that's won users to the likes of Firefox and Chrome - now security will become a priority. So maybe those Chinese hackers have done Google a favour...
Comment number 1.
At 18th Jan 2010, stevereal wrote:This comment was removed because the moderators found it broke the house rules.
Comment number 2.
At 18th Jan 2010, linuxrich wrote:Hopefully, this episode will result in IE6 being aggressively phased out. Also, maybe people will look at the vulnerability of the rest of their system, not just the browser.
The other issue is China... I had an unauthorised access attempt today, a .edu.cn address attempting to ssh onto my test box. A bit of planning on the security front put a stop to that, but clearly a lot of ignorance in matters of security still exists. Otherwise these attempts wouldn't take place.
Comment number 3.
At 18th Jan 2010, stevereal wrote:Microsoft is not stealing Western Corporate intellectual property
no matter what the simpletons in Germany and France may believe.
Get your mind right France and Germany and stop licking
the Communist bootheel.
Comment number 4.
At 18th Jan 2010, linuxrich wrote:@ stevereal
Really? Would you like to put 'microsoft gpl violation' into your source engine of choice?
We would all benefit from a shift from MS dominance, whatever spurs it on. There would be far less pwned machines on the internet if people didn't provide malware writers with a nice homogeneous environment.
Comment number 5.
At 18th Jan 2010, stevereal wrote:@linuxrich
It's a dishonest diversion by certain European governments to blame Microsoft IE for the theft of European intellectual property (and also breaking into journalist's email) by the Chinese Government.
For the Euros to divert the attention of the public,
away from this massive theft of Western intellectual property
by the Chinese government is outrageous!
All to pursue the corporate interests of a few?
It's totally outrageous
and unforgivable by these internal political forces.
All for what may I ask you?
For them to pursue the corporate interests
of other Internet browser developers
mainly Google or Foxfire out of silicon valley?
that's small potatoes thinking
by small minded peoples
if you ask me
Comment number 6.
At 18th Jan 2010, _Ewan_ wrote:Yes, there was a vulnerability in Internet Explorer but it had only actually been exploited in IE6
So far, that he knows of. The vulnerability seems to still be there though, so it's only a matter of (not very much) time before it's being exploited there as well. Microsoft's security approach of "if it ain't been broken in an undeniably high profile and embarrassing manner, don't fix it" simply isn't suited to maintaining something with as much exposure to hostile code as a web browser gets. Coupled with their bizarre practice of withholding fixes for up to a month in the hope that no-one notices the bugs in the meantime, IE is left hugely vulnerable for a much larger fraction of the time than any other browser. Using IE on anything but completely trusted internal web sites is completely irresponsible.
Comment number 7.
At 18th Jan 2010, Carior wrote:Interesting article. I would imagine one of the problems with all these statistics on browsers is summed up by your comment "Internet Explorer has around 75% of the market, with the latest version IE8 now on over 40% of computers". Being on a computer and being USED on a computer are very different things. I for one have Firefox, Safari and Chrome on my Mac; at the moment I am using Chrome (on an extended trial period) but previously would use Firefox. On occasion I have however found that my primary browser of choice has disliked various content, thus enforcing a change. I imagine this could be true for many other systems; whilst I have Safari installed I don't use it, and nearly all people I know use Firefox or Chrome over IE or Safari, so the stats that IE8 is on over 40% of computers potentially means nothing. There was a time after all when IE was on nearly 100% of computers and IE itself will be on all computers running Windows as very few people will bother circumventing Microsoft's efforts to prevent you from removing it.
Comment number 8.
At 18th Jan 2010, Briantist wrote:Who's Miocrosoft?
Comment number 9.
At 18th Jan 2010, Briantist wrote:The BBC still uses IE6 on its internal systems, doesn't it?
Comment number 10.
At 18th Jan 2010, UncleB wrote:The real story/question here is why the likes of Google and Adobe are using such an old browser?
It's understandable that there are exploits in software as old as IE6 - just as there would be in Firefox or Opera of the same age. Equally, it is understandable that some corporates have applications tied to IE6 and are slow to move.
However, Google and Adobe are different. They would have us believe that they understand security - they want us to trust them with our data. Yet they use IE6 on an internal network with access to GMail accounts. Note: this isn't some compatibility lab, it's on an internal network that allows access to their customer's data. Heck, from a security point-of-view, this is far worse than an IE6 issue. This indicates that compromised PCs inside Google could access that data, bypassing customer passwords etc.
At this point, I would assume that anything I have stored in Google Docs is vulnerable.
Comment number 11.
At 18th Jan 2010, Turkey-Trots wrote:Correct me if I'm wrong, but isn't IE6 the latest version available for Windows 2000? Win2000 is still much used by corporates (and by me on one old laptop). It is much more stable, if slow to start, than XP (which I use on another laptop of comparable power which has IE8).
It also seems to me that IE8 gets almost as many monthly security updates as IE6. So much for Microsoft's line on this.
Incidentally I use Firefox and Thunderbird on both PCs. Excellent software.
Comment number 12.
At 18th Jan 2010, Chris Mills wrote:I work in a company that encourages employee health and safety to the Nth degree, yet their corporate build for computers still uses XP SP2 and IE6 (effectively a setup from 6 years ago). One has to wonder why they don't take their information safety as highly..
Comment number 13.
At 18th Jan 2010, Chris Mills wrote:@UncleB Adobe are getting quite hammered as far as security goes at the moment. Flash is the latest target for the bad guys. Adobe don't help themselves with a quarterly patch cycle. At least MS patch monthly.
Comment number 14.
At 18th Jan 2010, Briantist wrote:@UncleB
There were 34 companies affected, not just Google and Adobe.
It's quite possible that being "in the cloud" Google employees might use Internet Cafes which often use IE6.
Comment number 15.
At 18th Jan 2010, Dr Stangelove wrote:I really wish people would stop using that god awful browser, it is well behind in its time. And to be totally honest, open source is always better. That's generally why I use GIMP (don't be immature, it stands for GNU image manipulation program) and Firefox.
Truly Mozilla make great programs and I still don't understand why people use those terrible Microsoft programs, and don't think being a Mac user gets you off any better, but I don't feel like ranting at the moment in time.
To put this in short the only thing Internet Explorer is good for is downloading a better browser.
with love a SRS internet troll
Comment number 16.
At 18th Jan 2010, Guims wrote:Hold on a minute. Let me get this straight. Google, who have the Chrome Browser, were using Internet Explorer which is why they got hacked. Surely if Chrome is better than IE, then Google themselves would be using it? If not, then Chrome clearly isn't good enough even for Google to use and they must prefer using IE.
If everyone switches to Firefox or whatever, then the hackers will just start finding holes in that instead. Then we will be being told not to use that particular browser anymore and to find another.
Sounds like a publicity stunt to me. Also, another case of anti MS reporting from Mr Jones there.
Comment number 17.
At 18th Jan 2010, PabloPabloPablo wrote:Unfortunately many large companies are tied to Internet Explorer 6 and 7 with in-house, or external, applications only supported by these two products. As these products are proprietary and support powerful yet insecure operations they're often favoured by poor developers or poor project managers that push them to deliver enhanced functionality.
Therefore, if a supplier doesn't make their product compatible with a modern, standards-compliant browser we have to wait. Many of the users with IE6 and IE7 installed are in this boat. Even one of the flagship NHS products released only a few months ago is only certified to be compatible with IE6.
It should also be noted that Microsoft's dominance, proprietary nature and subsequent stagnation created this situation. Therefore anybody upgrading to IE8 has to wonder if that's the right long term decision or whether they'd be better choosing a browser that was more open and supported the standards such as Firefox, Chrome or Opera.
Comment number 18.
At 18th Jan 2010, cjb1101 wrote:To anyone asking why Google would be using IE, as opposed to Chrome:
It is possible (though unlikely) they have a problem with upgrading to something more useful and secure, due to some badly designed system that requires it.
Additionally, it may be that they are using it because their market (most of the internet users in the world) also use IE, and as such need to be able to check that their systems actually work with it, considering the lack of standards support in Internet Explorer.
Comment number 19.
At 18th Jan 2010, _Ewan_ wrote:Google, who have the Chrome Browser, were using Internet Explorer which is why they got hacked.
My reading of this was that the individuals whose accounts were compromised are believed to have had their passwords stolen by them accessing Google services while using Internet Explorer, not that Google were using IE internally. Short of blocking accesses using IE (though, arguably that wouldn't be a bad idea) there's not much Google could really do about that.
Comment number 20.
At 18th Jan 2010, The_Hess wrote:Whatever browser you use, other security precautions should also be used. A decent firewall, anti virus, anti spyware and anti malware software should all be on your computer to protect against most threats. Using a secure browser is just an extra item in your arsenal against malicious attacks on your computer. Personally I use Chrome for its simplicity, although I also use Firefox as well depending on website compatibility. IE6 is an outdated system. Using it and expecting up to date security capabilities is the same as expecting Windows 98 to have all the same features as Windows 7. I am surprised that Microsoft even offers it as a download from their website. Especially considering that IE8 is free to download as well. Perhaps it would be better for them to simply drop all support and instead just say, "Get IE8 now, it's better."
Comment number 21.
At 18th Jan 2010, Oneness wrote:If this finally kills off IE6, web development costs will drop by 25%. Since it is such an effort to make a web site render correctly on such an outdated, standards incompatible browser.
Good riddance IE6.
Comment number 22.
At 18th Jan 2010, a wrote:Unfortunately Google (as with all web-developers) need to check that IE6 renders their pages properly. This is as IE is so shockingly poor/actively-unhelpful at following web-standards: this is why if you look at the page source of most webpages (including this one) there is special coding to "help" IE render the page properly.
To check your browser's web-standards and rendering speed etc. look up "acid 3 test" with your favourite search-engine.
Companies need to "man-up" and show the leadership needed to get rid of software which requires IE (6 or otherwise). It's the 21st century for goodness sake! The problem is that most IT firms know that their client knows nothing (especially ones still using IE 6) and so can claim pretty much anything is impossible/as expensive as they want...
A friend's company were recently told that it would be sixty pounds to upload each further pdf file to their website. Upon calling them up he was told: "it wasn't in the contract, we don't have to even offer it"! Crazy.
Comment number 23.
At 18th Jan 2010, UncleB wrote:@Briantist, @Chris Mills,
It is besides the point whether it is just Google and Adobe or 34 others. Google and Adobe are the big names on the list and we all use their software everyday.
That Flash is far more vulnerable now than any current browser just underlines the point.
According to the web reports, employees' PCs were compromised. This isn't the web-cafe PC.
Google and Adobe (and the BBC) love to attack Microsoft, and, historically, one can see why. However, today in 2010, everyone in the software tech industry should know something about security. Those that promise to look after our data should know everything there is to know.
For Google to allow employees to run IE6 or have a network where employees' PCs can gain access to customers' data is unforgivable. To have both is amateurish.
I know it is not PC to dare suggest that Google are not perfect - but in this case....
Comment number 24.
At 19th Jan 2010, Mike wrote:@UncleB
The accounts were accessed, not hacked, by third parties. They were accessed by using Trojans on infected machines to gain passwords to Gmail accounts. Google were not using IE6, as far as I am aware they use Free and Open Source Software as much as possible, including the GNU/Linux Operating System. Obviously, if a Linux distribution is being used, that would mean Internet Explorer couldn't be installed on it without running it through an emulator. It's also unlikely that a Trojan would be installed, as it wouldn't run in the same way.
@The_Hess
Basic security precautions should be taken into consideration, but the weakest link will always be the user. If the user is not technically savvy, then the likelihood is that they will install the malicious software themselves without realising what they are doing.
Comment number 25.
At 19th Jan 2010, Mal Price wrote:Try paying a banco santander credit card account with anything other than IE. Oh bother!
Comment number 26.
At 19th Jan 2010, Chris Seton wrote:The problem is not so much with Internet Explorer, it is the Windows operating system itself that is the root cause of these problems - if Windows was designed as a fully secure O.S. from the ground up, as UNIX is, we would not have all these recurring issues of security loopholes being exploited by malware writers.
Comment number 27.
At 19th Jan 2010, cg wrote:RE: #s 1, 3, 5
I was so disgusted after reading the first comment that I thought of complaining on the basis that it breaks House Rules by being likely to offend (the phrase "Chinese heathens" repulses even me - and I'm American!). However by the time I was through reading post #5, I realized that a better claim to violation of House Rules was that these posts hadn't been written in English, which is required for BBC blog responses. At that point I decided the best thing is for the posts to remain viewable as instructive guides to American values and thought. The writer is engaged in cultural diplomacy for the United States; who am I to suppose diplomacy should always help its land of origin?
Hopefully more on point to the actual blog entry: Is Microsoft's claim that IE 8 is safer than Firefox, Chrome (or Safari or any other browser) actually credible? Have they been able to provide any evidence to support this crazy-sounding claim of theirs? I mean I believe well over a decade ago their browser and all other MS software were already legendarily rubbish at security, and despite the fact that they have remained one of the richest companies in the world this whole time, they are constantly and consistently revealed to be indifferent stewards of their customers' security in software package after software package, to the point of appearing willfully defiant in their latent narrative that they get to do whatever they want to make money regardless of the real-world impact it has on their customers. That's the latent narrative of capitalism in general, but in the case of a company whose products - software packages - are tools for use in accomplishing tasks and goals throughout their customer's lives and enterprises, the fundamental nature of a software package as a tool means that if it doesn't actually do what they say and imply it does - sometimes, that's 'you can use this to make financial transactions and conduct business and you won't have your life and business ruined by having everything intercepted and stolen by criminals' - then they are selling dangerous, faulty tools while insisting they are safe. This is different and even worse than buying a widget that is low quality but only to the extent that the user can discern its failure of quality. If I buy a coffee machine and it turns out to be made of rubbish plastic and makes bad coffee, I've been ripped off - but I can tell I have and stop using the product before it ruins my life or at least my next breakfast. 
With software, they can say it's great and safe and if we don't know they're lying until we have our lives ruined, this is a different balance of ripoff in practical terms, with more danger for the customer and much less for the company selling the incoherently defined product. If I want a decent coffee machine, I go to the store and pick up the machines and move the little switches to get a sense of what the build quality is. With a software program which has the potential to expose me to financial ruin or even worse dangers, there's nothing I can do myself to see which string of numbers is less poorly edited than the others. If nobody can say whether or not Microsoft is, for the first time ever, not lying when they say their latest version is the best not the worst, then no one can really tell, fully, despite anyone's personal loyalties etc.; and this is a problem because they can't be held responsible for their claims. I mean I personally would never, ever use IE, but that's not enough: the company shouldn't be allowed to say something that isn't true and if they really are lying then this begs for regulatory action, and sanctions and penalties against the company, not snide knowing comments from techies on online posts.
Comment number 28.
At 19th Jan 2010, Skashion wrote:stevesurreal (pun intended)
China is quite possibly the most capitalistic nation on the planet now, especially if you include Hong Kong. Trying to turn it into some kind of ideological contest by labelling them as 'Communists' is ridiculous. You sound like a 'Cold' War relic.
Comment number 29.
At 19th Jan 2010, andrew wrote:Until you know the truth of why Google went public I don't see how you can take sides. Of course you will never know the truth unless somehow you manage to see everything Google knows which is unlikely.
As soon as Microsoft was added to the story I immediately thought that is why Google went public, because what it actually wanted to expose was the flaw in its competitor's product. This makes far more sense since Google agreed to do business in China, then claims a change of heart.
Since what you have written is published by the BBC it should be impartial. Please add an update saying that one commenter has said Google's move may have been a commercial one.
Thank you
Comment number 30.
At 19th Jan 2010, Steve Brayley wrote:The biggest issue I find as an IT professional is that IE allows you to install ActiveX components which yes can be beneficial for some things but also I'd have to say that 80% of malware/spyware/virus cases I've dealt with have come from users installing these ActiveX components from sites with a simple clicking of yes, whereas other browsers such as Google Chrome and Firefox do not use ActiveX and it's harder for users to run the programs that cause the issue.
Comment number 31.
At 19th Jan 2010, linuxrich wrote:@ post #20, The_Hess.
You seem to be confusing 'your computer' with 'your Windows computer'. Any other computer does not need anti-virus, anti-malware etc. All you need is an open source browser because "given enough eyeballs, all bugs are shallow", a securely designed operating system and a 'firewall' if you don't have a NAT router.
By the way, chalk up one convert from IE to FF as an indirect result of this episode. I managed to switch my father-in-law over from the blue e side while fixing a network problem for him.
Comment number 32.
At 19th Jan 2010, UncleB wrote:The ironic part of all of this is that the safest browser by far currently is IE. But not just any IE... explicitly, if you run the 64 bit version of IE8 under Windows 7 as a regular user (not administrator), you are in the safest environment going. Heap and overflow attacks will not work. None of the dodgy plug-ins will work. Even if a flaw is found in the browser, its location in memory is randomised so the best a hacker could achieve is a crash; even if there is a way past that, IE8-x64 is sandboxed with no permissions to access user files.
Of course, there is no Flash support for 64-bit yet - but that makes the browser even more secure.
Comment number 33.
At 19th Jan 2010, MarkG wrote:I find it bizarre that people are ditching IE and moving to Firefox because of IE security concerns, as Firefox is actually less secure than IE, with far more security holes discovered last year (44% of all browser flaws were in Firefox, Safari/Chrome/Webkit 35%, Internet Explorer 15%, Opera 6%)...
Either way, anyone with any sense would be using Opera anyway, not only because it's the most secure, it's also the most widespread platform-wise, it's among the fastest, it's web standards compliant and does not need all those silly Firefox add-ons, it has all the useful ones built in, meaning unlike Firefox, they don't open up security holes and bloat the browser.
Comment number 34.
At 19th Jan 2010, linuxrich wrote:@ MarkG
From the article you link to:
"Other factors need to be taken into account for a proper comparison; this includes the type of vulnerabilities and thus the underlying type of coding errors, the impact of the vulnerabilities, the time it takes the vendor to fix the reported vulnerabilities, how easy it is to update the software thus how quickly the users (learn about and is able to) apply the patches."
As I mentioned in a previous post Open Source is there for everyone to see and report bugs, be they minor or critical. Proprietary code flaws only get reported when the vendor sees fit and/or when the bad guys start exploiting them. So really, you're comparing apples and oranges.
Comment number 35.
At 19th Jan 2010, Javi wrote:Ok, just to put people right.
Google don't use IE.
It was users in China that have Gmail accounts that were using IE.
Once they logged into Gmail or Google docs they gave the hackers their user names and passwords which then allowed the hackers a way in!
I don't understand what upgrading to IE8 would have done as the hole exists there also.
As for suggesting that users move to FF or Chrome. I totally agree! Whether or not they are more secure is not a question that I can answer but because of its market share (gained inappropriately according to the EU) IE will always be the largest attack vector. Just like Windows is exploited more than OS X or Linux.
What I would say is just as important is making sure that other software like Flash / Silver light / Acrobat are fully up-to-date!
Comment number 36.
At 19th Jan 2010, smallpotatoes wrote:The impression that users' choices for software in organizations with IT departments are totally controlled by those IT departments conflicts with my experience. In my world I install Windows, and quite old versions, in the workstation environment not only because of business reasons such as cost but because of user familiarity. I can rant about using something other than Windows until hell freezes over and users will not budge an inch. There are a lot of users that just do not want to learn something else. So I install the standard Windows environment for them but also Firefox, Thunderbird and a bunch of other things that are ignored. I have found that some will use Firefox and TBird, not all users but a good number. The beauty of open source is its availability. Mozilla so far has managed to avoid its curses such as eccentricity and abandonment.
Comment number 37.
At 19th Jan 2010, Virgil Ierubino wrote:The link to the browser statistics that show Firefox in front of Internet Explorer is from w3schools.com, a web language reference website.
Their statistics come from the people who visit their site only. Only the highly computer literate would be visiting that site, a tiny slice of all computer users, and hence the statistics are unrepresentative.
Highly computer literate users are of course more likely to be running Firefox or Chrome - it's no surprise. But Microsoft still dominates most other users.
Comment number 38.
At 19th Jan 2010, Steve Brayley wrote:I use Linux every day for development as I find it a lot more stable; every day that I start up I get numerous updates, both security and features. Same as with Firefox: I've noticed that when a vulnerability is found an update is released within a few days. Whereas Microsoft are fully aware of this vulnerability and have yet to release a patch, and only the next patch date in Feb has been mentioned, which in my opinion is rather lax of Microsoft as details of how to use this vulnerability are available on the internet and no doubt have people working on exploiting it.
Comment number 39.
At 19th Jan 2010, _Ewan_ wrote:It's interesting, if a little odd, that MarkG at #33 cites an article that completely demolishes the survey he's referring to. It's worth following his link to see just how bad the data he's basing his comment on really is.
Aside from the detailed problems with that particular survey, the fundamental issue is that it didn't count vulnerabilities, it counted published fixes. Microsoft's practice of ignoring security flaws, leaving them unacknowledged and unfixed for long periods, then quietly fixing several in a single monolithic update, obviously tilts these figures in their favour, despite the true effect being to leave users more vulnerable for more of the time.
You only need to look at this particular fiasco to see the problem:
Total fixes released by Microsoft: Zero
Total damage done by their bug: Massive
Comment number 40.
At 19th Jan 2010, UncleB wrote: This was not an attack on computers external to Google. According to the Google blog, this was "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property". That isn't using a 3rd party computer to steal a few passwords. This is getting into Google itself. If, as is reported, this is down to the fault in IE6, then:
a. Google *is* running IE6
b. Those PCs were not on an isolated browser-test network - they had access to important data.
This points to extremely weak security on the part of Google.
Now, how about some real investigative Journalism from RCJ and have him ask questions of Google along the lines of "How safe is our Google hosted data?" or "Does Google understand security?" and not just present more of the (rather tired) "bash Microsoft" propaganda.
Comment number 41.
At 19th Jan 2010, Paul Robins wrote: As an example of which browsers are actually used on PCs rather than simply installed, my company sites are viewed in Internet Explorer by 76% of visitors - bang on 40% overall total using IE 8 and 16% on IE 6. Firefox 3.5.7 is 11%, Chrome is 5.5%, older Firefox, Safari, Opera, Mozilla make up the rest.
Comment number 42.
At 19th Jan 2010, James Rigby wrote: Most people don't care what browser they use. People can't be bothered to consider statistics about security or startup time - they want something that works (which IE does). For the average user, the thought of downloading software from the internet and then installing it fills them with trepidation. And people think that because they have something that works there's no point changing it. I've installed Firefox (and recently Chrome) for many of my friends - and they all prefer the change. But they all say they'd have never done it or even thought about doing it without someone to help them. Until Chrome, Opera or Firefox comes installed on the type of system you buy from PC World, IE will continue to have a larger market share than its security and performance deserves.
Comment number 43.
At 19th Jan 2010, Steve Brayley wrote: In regards to James's last post this could all change in the EU at least with Microsoft finally backing down against the EU in the anti-trust case found here:
This will give users the choice of browser when you first turn on a new PC. But for those who already have a PC, trying to get them to install something new will definitely be a hurdle, and a big one at that.
Comment number 44.
At 19th Jan 2010, SilverWave wrote: Quote from Microsoft.
"The vulnerability is present in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. All versions may crash after opening the attack code. However, there are a number of ways to limit the attack to an IE crash and prevent attacker code execution,"
Yes that's right - MS are advising you to use IE7 or IE8 and they are both vulnerable to the same exploit.
The only people who are using IE, unless forced to by their employer, are the ignorant or the negligent.
Comment number 45.
At 19th Jan 2010, UncleB wrote: In the rush to blame IE, we are all forgetting that a computer can only be compromised if the operator is visiting a site that has already been compromised.
This doesn't happen by just starting up the browser. Some web server somewhere is serving up the malware and the browser has to be directed there. You could argue that the link could be delivered by email, but no half-decent email package has automatically opened links for years (not even Outlook).
It would, perhaps, be more interesting to know something of the nature of the compromised sites...
Comment number 46.
At 19th Jan 2010, stevereal wrote: This comment was removed because the moderators found it broke the house rules.
Comment number 47.
At 19th Jan 2010, stevereal wrote: This comment was removed because the moderators found it broke the house rules.
Comment number 48.
At 19th Jan 2010, stevereal wrote: The Chinese Government Steals Western Intellectual Property
Larry Wortzel, a longtime China espionage expert summed up the situation: "When you see human espionage directed against specific technologies like quiet submarine drive systems [or] naval propulsion systems...a reasonable analyst will conclude that it is probably government-directed."
-NPR
"Google engineers at Silicon Valley began to suspect
that Chinese intruders were breaking into
private Gmail/Hotmail accounts, the company
began a secret counteroffensive."
-NYT
It appears "Adobe Systems, Northrop Grumman
and Juniper Networks, Microsoft, Rolls-Royce
and Royal Dutch Shell, Dow Chemical,
Yahoo, Symantec, Rackspace Hosting Inc,
Cybersitter",
-NYT
and God knows who, in a deliberate attack
on Western intellectual property by the Chinese.
The practice of stealing is built into
the business model at
"the Chinese Internet company carved out
a strong presence by offering something that Google,
at first, would not: easy links to download pirated songs,
TV shows and movies."
-91热爆
The Chinese Government need a class action lawsuit handed to them
for gaining access to everyone, who has ever owned a gmail/hotmail account.
Is there a lawyer in the UK worth their salt anymore?
Comment number 49.
At 19th Jan 2010, SilverWave wrote: Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 -- even when Microsoft's recommended defensive measure is turned on. (from Computerworld).
Comment number 50.
At 20th Jan 2010, Tom Mann wrote: I'm not quite sure where people are getting the idea that ANY version of IE could ever be the most secure browser. Let's put this into perspective.
The hack works by injecting executable code via JavaScript into a browser. Any other browser than IE would offer to download it. IE has ActiveX objects, a rival to the Netscape plugin which the rest of the browser world uses, meaning it can run this content, and deliver a small control application to your PC. Tell me how that is more secure!
Secondly if you are using IE8 - it is worth the switch just to see web sites as they are intended: IE8 still ignores W3C recommendations on web technologies (such as SVG graphics) and JScript is still incompatible with JavaScript outside of the standard implementation.
If you want a good browser, make sure it passes the Acid3 test, and hasn't been advised against being used in multiple European countries!
Finally, I've seen the Metasploit video, and yes, IE8 *is* affected.
Comment number 51.
At 20th Jan 2010, UncleB wrote: @Tom Mann
The Metasploit site does point out that the hack only works on IE8 if the user has switched off safety measures such as DEP (and only on 32-bit IE).
As to Acid3 - well, it's irrelevant in the real world.
If you have a web-site and want to deliver a product or information, you usually want to target the largest audience you can. That means you must code to IE standards. Every other browser will try and display an IE compatible view, so you get everyone.
If you tell your potential customers that they must change browser, you will lose customers. An analogy would be akin to a fuel company saying they'll no longer serve petrol to Ford drivers.
A good browser is one that lets you get to the sites you want simply and easily.
Sadly, again, this rush to blame Microsoft ignores the hacked sites, the poor training of users, the Google infrastructure etc.
Comment number 52.
At 20th Jan 2010, James wrote: Hopefully this will encourage Microsoft to retract the statement they made a few months ago saying they'd continue to support IE6 until 2014!
@UncleB
"If you have a web-site and want to deliver a product or information, you usually want to target the largest audience you can. That means you must code to IE standards. Every other browser will try and display an IE compatible view, so you get everyone."
Nope. I code to a W3C standards compliant browser (or rather as close as you can get - namely Firefox in my case) and then apply tweaks and hacks to get it to work in IE. It's far more efficient than coding to IE and tweaking back for FF and other browsers.
"If you tell your potential customers that they must change browser, you will lose customers. An analogy would be akin to a fuel company saying they'll no longer serve petrol to Ford drivers."
Undoubtedly. But recommending they change browser and giving genuine reasons backed up with evidence can help engender better trust from your users.