The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available through an advisory on Microsoft's website: blogs.technet.com/b/msrc/
On Windows XP and Windows Server 2003 operating systems, the Microsoft .NET Framework 2.0 must be installed for EMET to work. There are no other special requirements for any other supported version of Windows.
And in order to have it one needs to install .NET, which comes with a bunch of its requirements.
Simply switching to another browser isn't a panacea; Chrome, Firefox, and Opera all have the benefit (currently) of not commanding the same market share as IE except for recently. If IE stays behind Chrome for a while (and if other browsers' share keeps increasing), these other browsers will be targeted more, as it would be more economically worthwhile. While they are an improvement over IE in the security department, it will nevertheless be interesting to see if malware authors can have success against Chrome, Firefox, and company.
Actually, there are now more Chrome users than IE users (depending on which country you are dealing with). German users have been huge Firefox users since 2005. And the Webkit supergroup (add all the Safari, iOS, and Android browsers to Chrome) means even more of the market than you might think are using essentially “the same” browser engine.
(Quotes because, as PPK always reminds us, there is no monolithic WebKit in actuality.)
Edit in reply: Hmm, “currently… except for recently.” Then let my comment be in reply to “currently” and not “recently,” I suppose. Not sure if my parent was edited after my reply, or if I was really that bad a reader.
Also, with things like WebGL, security is only going to become a bigger problem.
Yes, they fix and push fixes out faster, but that doesn't inherently mean your browser is more secure, only that there are fewer people out there with browsers that are publicly known to be exploitable, but it is safe to assume that all browsers are exploitable, and that there are people that know the holes but don't make them public because their value (either to governments or criminals) is way too great to even compete in the same league as the rewards offered by browser makers.
It seems the web people have deluded themselves into thinking they really understand the implications of letting webpages interact with video drivers, and some of the graphics industry were just too happy to help along.
This doesn't change the fact that WebGL exposes graphics drivers in ways that they were never meant to, and that there is no real way for third parties to verify how safe it is to turn on WebGL for a given driver.
The whitelists and blacklists of drivers currently used do little more than to fragment the web and frustrate users.
I'm a big fan of how Google introduced much needed decent sandboxing to web browsers, but what they are doing with WebGL is both scary from a security point of view and depressing from the point of view of fragmenting the web, now to access certain websites not only you need the right browser, you also need the right video card and video drivers, is worse than the "best viewed with" nightmare of the 90's.
> It seems the web people have deluded themselves into thinking they really understand the implications of letting webpages interact with video drivers
By "the web people" you mean Google, Microsoft (yes, Microsoft, because it is ok with letting webpages interact with video drivers through Silverlight), Apple, Mozilla, Opera, and Adobe (yes, Adobe, because it is ok with letting webpages interact with video drivers through Stage3D in Flash)?
> not only you need the right browser, you also need the right video card and video drivers, is worse than the "best viewed with" nightmare of the 90's.
First, Chrome will fall back to a software emulation that actually works very well. So even if your video driver is blacklisted, you can still see the content.
Second, I'm not sure Carmack has made an effort to really look at the differences between WebGL and OpenGL. Features are limited and the browsers are required to parse and verify input, so that only correct code is sent to the graphics drivers.
(edit:) Let me add some more information here: Array bounds are checked; array indexes must be constant expressions; and, most importantly, while-loops are forbidden. If you've taken a course in theoretical CS, you may recall the difference between for and while loops and why applications using only the former can be verified (if there is no recursion - OpenGL shaders also don't support that anyway).
Third, access to WebGL could be easily limited in the future: For example allow access by default for browser extensions and require user confirmation for the rest of the web. Should be fine for games.
> First, Chrome will fall back to a software emulation that actually works very well. So even if your video driver is blacklisted, you can still see the content.
1. Only on Windows, not anywhere else
2. It will be very slow. For this reason, I think this might be almost pointless, and worse than showing nothing in some cases.
> it will nevertheless be interesting to see if malware authors can have success against Chrome, Firefox, and company.
We already know the answer to that - when attackers try to target any browser, they in many cases succeed. All major browsers get hacked at the relevant competitions, and those are just the public hacks we hear about, the private ones are likely far worse.
Mitigation measures do matter though. Adding security makes it harder, and pushing out patches quickly reduces the window of vulnerability. Microsoft has improved in the former but not in the latter.
I find it amusing that geeks worry so much about browsers and the security of them at a software level, when every computer I've repaired in recent memory was owned by user stupidity (I would call it social engineering, but smiley packs and .jpg.exe's are hardly advanced trickery). All browsers, IE included, are pretty damn secure these days. People's brains? Not so much.
The fact the article disappeared interests me more than its content. How does Reuters go about deciding which articles to delete, as opposed to merely retracting or modifying? Is this an exercise in journalistic integrity, corporate bullying, ...?
Yeah well this has been all over the primetime news shows on German television. They all aired with the warning to not use IE / switch to a different browser.
While this might not mean much to the average user of HN (read: tech literate) - I think it IS quite a big deal for "ordinary" computer users.
I think such warnings, from an official government body no less, will be heeded by many who don't know much and "just want to be safe".
Meanwhile MS chooses to tell people that it "is not that bad" and that "not many users will be affected" and no word on when a patch is coming.
This despite the fact that all current MS OSes (XP, Vista, 7) are exposed - is a PR disaster for MS.
Obviously MS is downplaying it but on the other side the BSI creates a huge stir to create the image that it is useful in some way and to avoid becoming an obscure agency that is mentioned only in passing in a couple of tech news articles. That's not to say that what they are doing is bad, it's just that there are two sides and the ordinary computer user probably has still no idea what's going on.
My job routinely requires me to utilize Internet Explorer, and I don't think it's all that bad to be honest. I also utilize Chrome and Firefox throughout my day. Is it a little slower? Sure. Is it kind of the big, ugly older sister of Firefox and Chrome? Absolutely. Beyond all that, though, it still works.
I thought it only did not allow other browsers to do JIT compiling, whereas Apple is the one who does not allow competing browsers at all on ARM (iOS).
> it only did not allow other browsers to do JIT compiling
Effectively preventing competitors from building acceptable JavaScript-enabled browsers. It's not that you can't make a winrt browser. It's that it'll suck.
Apple doesn't allow anything other than their provided Webkit rendering engine for interpreting websites, in extension to not allowing any third party interpreters in general. They do now allow others to repackage Webkit into their browser apps, which Google has done with Chrome - albeit like with Win8@ARM they can't do JIT then. So it's not all that different actually, the outcome for the user is about the same.
Well, I'm not aware of it existing on 'Windows RT' (no one has it for starters), but Firefox works on both Linux ARM and Windows x86, so I'm sure that could be ported without too much trouble.
Microsoft was deemed to have a monopoly in "Intel-compatible PC operating systems". An ARM tablet is not in this market; Microsoft has no monopoly in this market; Microsoft cannot be fined for abusing monopoly power in this market as it does not have monopoly power. They are as free as Apple or Android to allow or disallow software on that platform.
Having a strong brand is not an abuse of monopoly power. That's ridiculous.
An abuse of their monopoly power would be something like denying Windows licenses to PC makers unless they agree to exclusively produce Windows 8 ARM tablets. There needs to be a leverage of the monopoly power in doing something anticompetitive for there to be an illegal act.
I'm pretty sure you can't say that so categorically. If you can distort the market (specifically: have a monopoly), then in principle any means you use to do so might be illegal. Using a brand might qualify - at least I'm not aware of any specific exceptions that would exclude them.
> Having a strong brand is not an abuse of monopoly power. That's ridiculous.
I was not speaking of brand, but OEM agreements. IIRC, if the OEM posts "X recommends Windows Y" on every product page, they get a better license price.
> ...would be something like denying Windows licenses to PC makers unless they agree to exclusively produce Windows 8 ARM tablets
Or differentiating their Android patent licenses according to the licensee's willingness to manufacture Windows Phone devices too. Or only licensing Windows 8 to ARM tablets that can never run anything else.
Well, I was in Germany in 2010, working in a Govt office. Searching to get a different browser authorized, I found that the govt recommended to avoid use of IE.
the "Enhanced Mitigation Experience" = priceless