Security and browsers
francis
2nd Jul 2004, 11:12 pm
I wasn't going to mention this as I'm bored of the arguments, but now that I've seen the third Google news item in a week about Google news items on MS/IE security and alternative browsers (http://news.google.com/news?hl=en&edition=us&ie=ascii&q=secure+browser&btnG=Search+News), I thought it was worth a mention (note that link is from a search because Google news changes so regularly). In addition to this, MS have just released (today) another patch for IE, bringing forward their usual (as of the last few months) "second Tuesday of each month" patch release. I must admit to seeing more "don't go to this site if you're running IE" messages.
Installing popup blockers (via Google, A.N.Other toolbar) will help reduce the malware that can be loaded onto your machine without your knowledge, but there's still the issue of the browser being part of the OS and therefore a really easy way into Windows. Even the US government are warning against IE (http://news.google.com/news?q=government+IE+secure+browser&btnG=Search+News&hl=en&edition=us&ie=UTF-8)! More:
http://www.enterpriseitplanet.com/security/features/article.php/3375591
http://www.enterpriseitplanet.com/security/news/article.php/3375431
francis
3rd Jul 2004, 08:01 am
Found another link on "US government slams IE" at Digital Connect News (http://www.dcnews.com.au/Software/1686). It's a subscription only site but thanks to the bugmenot (http://www.bugmenot.com/) service which is getting better populated ("10049 sites liberated" apparently), you don't have to give away your details to anyone to read it. And they've got a really nice logo at the bottom of their index page ;)
The washingtonpost (http://www.washingtonpost.com/ac2/wp-dyn?node=admin/registration/register&destination=register&nextstep=gather&application=reg30-technology&applicationURL=http://www.washingtonpost.com/wp-dyn/articles/A24535-2004Jul2.html) also has an article that you can now read via bugmenot. The email address you need to put in to enter the site is evidence that they don't seem to know what they're doing and can't be benefitting from the registration process. If a site doesn't want to go down the whole "we will be emailing you and you'll need to confirm" route, they should at least check the thing to see if it conforms to an email address standard. Otherwise there's no point in having registration.
Wired article (http://www.wired.com/news/infostructure/0,1377,64065,00.html) ("free")
+++++ later +++++
Strange - I revisited the bugmenot site later and got a different username and password, which makes my above comments seem wrong. To show that I'm less mad than normal, you can log into washingtonpost like this:
email address: deliveries
password: dawgs
francis
9th Jul 2004, 08:36 pm
That'll teach me to shoot my mouth off. On Wednesday someone found a way of creating a DOS (http://www.mccanless.us/mozilla/mozilla_bugs.htm) attack using Moz/FF/Thunderbird on Windows (no other OS). But, as this NewsForge (http://software.newsforge.com/article.pl?sid=04/07/08/2327246&mode=nested&tid=78&tid=82) article points out:
The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project.
Still, it took until 1.7.1 (Moz), 0.9.2 (FF) and 0.7.1 (TB) to get one security hole. Not bad, but still disappointing.
Mozilla.org has the patch (http://www.mozilla.org/security/shell.html) that needs applying. It works as a Moz extension and is easy to install. JB/JG - don't forget to patch your work installs.
James
12th Jul 2004, 03:49 pm
From BBC Technology today:
http://news.bbc.co.uk/1/hi/technology/3886861.stm
IE's market share has dropped by a whole one percent in the last four weeks.
The article fairly points out that IE is targeted by hackers because of its ubiquitous use, not because there are obvious vulnerabilities. And we know Mozilla has been exposed as unsafe recently too.
Competition is a good thing if you believe in the free market, so credit to Mozilla and co.
francis
12th Jul 2004, 06:19 pm
It's interesting about the whole "moz" unsafe thing. Here's a vulnerability timeline (http://www.sacarny.com/blog/index.php?p=104) for the fixing of the hole. I'm seeing more and more people saying that the whole hole thing only occurred because of a fix MS was supposed to put into XPSP1 and didn't. The argument goes that it isn't Moz's place to deal with OS issues and that, although they knew about the issue a while back, shell: is apparently an external protocol that has nothing to do with the browser and is therefore not their problem.
I've got very mixed feelings about this, but as this is the first major security issue in years and as it took less than 24 hours to patch the hole, I'm sort of okay. From what I've read online, MS still haven't got a definitive fix for that last breach.
Opera have recently gone from 7.5.1 to 7.5.2 because of apparent security issues.
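An added example, not part of the original posts and not Mozilla's patch code: the shell: discussion above turns on whether a browser should hand schemes it does not implement to the operating system. The sketch contrasts a pass-through policy with a default-deny allowlist; the function names, scheme lists and sample links are assumptions constructed for illustration.

```javascript
// Schemes the client implements itself (assumed list for this example).
const INTERNAL = new Set(["http:", "https:", "ftp:"]);
// External schemes explicitly approved for hand-off to an OS handler (assumed).
const EXTERNAL_ALLOWED = new Set(["mailto:"]);

// Parse once so both policies judge the same normalized scheme. The WHATWG
// parser trims surrounding whitespace and lowercases the scheme, so
// "  SHELL:x" and "shell:x" cannot be told apart by a later check.
function schemeOf(href) {
  try {
    return new URL(href).protocol;
  } catch (err) {
    return null; // relative or malformed: no scheme to dispatch on
  }
}

// Pass-through policy: anything the client does not implement goes to the
// OS, so the OS decides what shell: means. This is the design the thread
// argues about.
function passThroughPolicy(href) {
  const scheme = schemeOf(href);
  if (scheme === null) return "block";
  return INTERNAL.has(scheme) ? "load" : "external";
}

// Default-deny policy: only allowlisted schemes ever reach the OS handler.
function allowlistPolicy(href) {
  const scheme = schemeOf(href);
  if (scheme === null) return "block";
  if (INTERNAL.has(scheme)) return "load";
  return EXTERNAL_ALLOWED.has(scheme) ? "external" : "block";
}

// Constructed sample links, not taken from any advisory.
const SAMPLES = [
  "https://example.com/page",
  "mailto:someone@example.com",
  "shell:constructed-example",
  "  SHELL:constructed-example",
  "not a url",
];

// Side-by-side verdicts for each sample link.
function comparePolicies(links) {
  return links.map((href) => ({
    href: href.trim(),
    passThrough: passThroughPolicy(href),
    allowlist: allowlistPolicy(href),
  }));
}

console.log(comparePolicies(SAMPLES));
```
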