[opendtv] Re: Tide Turning in Browser Wars?
- From: Kon Wilms <kon@xxxxxxxxxxxx>
- To: opendtv@xxxxxxxxxxxxx
- Date: Thu, 01 Jul 2004 09:39:40 -0700
First I have to say this CERT news is *old news*. The mentioned IE bug
came out, was analyzed, and fixed in windows update before they released
this news. There is no need to *stop* using IE. Make sure you have a
virus scanner installed, and keep it and your windows updates current.
Another thing to note is that people leave their windows boxes wide
open. I don't (can't, cause they interfere with the files) run AV
software on the datacast boxes at work that we have in the field.
Solution - lock the box down with IP filter and IPSEC rules. Only SSH
gets into the servers, and everything else (including terminal services)
is tunneled through that. The SSH user account is jailed to a home
directory that is unreadable/writable, and has no filesystem privs. We
have had these boxes in locations where windows boxes are constantly
getting their asses kicked by msblaster and friends (many broadcast
stations I consider to be the wild west). No problems for our locked
down boxes though. And you can do the same for XP.
Having said that, I run gnome desktop and linux at home. But even so I
*still* have an openbsd firewall in place with squirrelmail. The windows
systems are locked down with IPsec and restricted trust rules. We have
never had a single trojan or virus here at home.
Every system is vulnerable to trojans, even linux (unsigned RPMs (and
vendors like SuSe commenting that this is how it is and how they will do
it in future) in apt/yum repositories just prove my point) and osx.
I suggest a starting point being the NSA guidelines for securing windows
systems: http://www.nsa.gov/snac/
Cheers
Kon
Craig Birkmaier wrote:
>Just when we thought the "browser wars" were over...
>
>Looks like some Windows users are going to learn how difficult it is
>to install and use an alternative Web browser to Micrisoft's flagship
>"integrated" Internet Explorer. I started hearing about the latest
>vulnerabilities in IE several days ago, via a tech segment on our
>local Talk radio station. The commentator is a side-kick on a local
>afternoon show, who also runs a company that specializes in "Digital
>Marketing" and PC maintenance/sales. Mr. PC's (no, I'm not kidding)
>advice is to switch to the Mozilla browser.
>
>Now the U.S. Computer Emergency Readiness Team is recommending that
>people stop using IE as well. Could the hackers finally be winning
>the war, exposing Microsoft's seemingly endless vulnerabilities?
>Could this kind of negative publicity wake people up to the options
>that exist for running a PC today, without paying their tithe to the
>boys in Redmond?
>
>Regards
>Craig
>
>
>US-CERT ADVISES SWITCHING BROWSERS
>In light of a recent announcement about an "extremely critical"
>security vulnerability in Internet Explorer (IE), the U.S. Computer
>Emergency Readiness Team (US-CERT) has issued a warning advising
>computer users to stop using Microsoft's browser. US-CERT is a
>nonprofit formed in September 2003 by the Department of Homeland
>Security and the public and private sectors to improve computer
>security preparedness and response. According to the US-CERT notice,
>there are "significant vulnerabilities in technologies relating to the
>IE domain/zone security model, the DHTML object model, MIME-type
>determination, and ActiveX." The IE bug allows hackers to install
>spyware on users' computers without any action on the part of the
>user. The notice goes on to say that, particularly for browsing
>untrusted sites, use of another browser is an effective way to avoid
>the security risks mentioned.
>Internet News, 29 June 2004
>http://www.internetnews.com/security/article.php/3374931
>
>
----------------------------------------------------------------------
You can UNSUBSCRIBE from the OpenDTV list in two ways:
- Using the UNSUBSCRIBE command in your user configuration settings at
FreeLists.org
- By sending a message to: opendtv-request@xxxxxxxxxxxxx with the word
unsubscribe in the subject line.
Other related posts: