Re: Giving IE the boot?
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 11/28/03
- Maybe in reply to: Jeffrey Thomas: "Giving IE the boot?"
Date: Fri, 28 Nov 2003 03:45:03 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Several people responded to this troll, hopefully Jeffrey got more responses personally. I'm not starting an IE versus anything debate on NTBugtraq. Remember, the list is about using what you have, not finding replacements. If that weren't true, we'd still be mixed in with Unix zealots telling us to switch OS' and forget about the browser issue.
That said, here's a couple of my comments about the issue. FWIW, I'm in the Risk Assessment and Risk Management business (I think we call it Security Assurance these days, it changes so often.) I have something like 4 million PCs under my purview, or at the very least subject to my advice, in my role at TruSecure Corporation.
1. I know of no customer who has switched browsers at a corporate level.
2. I know of no risk(s) which would cause a customer to switch.
3. I see no unmanageable risk to having IE as your default corporate browser.
4. I certainly would never recommend a corporate default be a beta of anything.
5. Managing vulnerabilities is doomed to failure, regardless of what product you're talking about. Managing risk, on the other hand, is viable for all products.
6. You cannot completely prevent components developed, and fixed by, the IE team at MS from being invoked on your system and still use it as a desktop OS.
IMNSHO, you can run a corporate network, with IE as the default browser with Active Scripting enabled in the Internet Zone, with a Firewall, Gateway Email Anti-Virus, Desktop Anti-Virus, and reasonable policies that are not draconian, fairly easy to implement, and full of common sense. Rocket science, voodoo mojo, IDS, and expensive security software/hardware not required.
We (TruSecure Corporation) have been doing it for years now for, currently, more than 700 companies, most in the Fortune 1000 and 5 of the Fortune 10.
The first choice required to reduce your risk is to actually reduce your risk and stop trying to reduce your vulnerabilities. You can count the number of IE vulnerabilities actually used in different "in the wild" attacks over the past 4 years on one hand, with MS01-020 still being the most commonly used IE attack.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor