The language here is typical Register UK [Microsoft is from hell, etc.]. I was unable to find a link or anything from CERT which said "use anything but IE." They discuss various IE flaws which have not been corrected, but what to do was not detailed. If you know otherwise, let me know, plz. The attacks are somewhat complex, at least to me, and I'm not quite sure what is needed to be safe. Lets peruse this a bit. In general, and for protection from Juno 4 or 5 email [which by necessity uses IE], one could set the Internet Zone to High [which would be used to render HTML email], then when surfing if a given page did not run properly, one could put that page to run on Trusted or Restricted Zones [which, for this purpose could be set to two other values, such as Low for such as Windows Update, and a custom version of Medium ----- suggestions for the custom settings are available at sites such as http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/20468/Windows Security_20468.html http://www.winnetmag.com/Article/ArticleID/20622/20622.html http://www.winnetmag.com/Article/ArticleID/20700/20700.html http://www.winnetmag.com/Article/ArticleID/21026/21026.html http://www.winnetmag.com/Article/ArticleID/21199/21199.html http://www.winnetmag.com/Article/ArticleID/21282/21282.html [six part series from 2001 for Win 2000 which should be fine for XP and for XWin 9X except for the XP specific stuff like Group Policy Objects] or peruse Forums » Up and Running » Security » IE Security Settings http://www.dslreports.com/forum/remark,1333507~root=security,1~mode=flat or http://www.dslreports.com/forum/remark,1333507~mode=flat~days=9999~start= 20 or http://www.dslreports.com/forum/remark,1333507~mode=flat~days=9999~start= 40 [suggestions and discussion from forum--note that different users have different needs, so choose different settings] or http://www.tames.net/security/iesettings.htm or http://www.infinisource.com/techfiles/surf-safe.html ------- With this arrangement, suggest using ----- Internet Explorer 5 Power Tweaks Web Accessory, but it works fine on Internet Explorer 6. http://download.microsoft.com/download/ie5/Utility/1/W9XNT4MeXP/EN-US/pwr twks.exe [info at] http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx Allows you to switch the page you are viewing from Internet to either Trusted or Restricted zone with a right click choice, if it fails to render properly [and thereby risk an attack from the unpatched flaw in JavaScript rendering in IE]. ----- Here is Microsoft's recommendation with IE: http://www.microsoft.com/security/incident/settings.mspx Increase Your Browsing and E-Mail Safety--4 Steps to Help Ward Off Hackers and Attackers 1. Set Internet Explorer security level to High 2. Add Web sites you consider safe to Trusted Sites 3. Use plain text to read the e-mail messages you receive 4. Block pop-up windows in your browser It seems the noted flaws [in particular the one using JavaScript] do not apply to Firefox browser, though it has a flaw or two itself. When you run Firefox, you typically do not run ActiveX or Flash/Shockwave [require plugins and the ActiveX plugin is strongly not recommended], but can run JavaScript, or Java at your option. Information on browser flaws from Secundia, a reputable security outfit, for the two most commonly used browsers in Win: http://secunia.com/product/11/ Secunia currently has 54 Secunia advisories affecting Microsoft Internet Explorer 6. 42% of these are "extremely" or "highly" critical, whereas I don't see any that critical in the few flaws listed for Firefox 0.x and Mozilla 1.4-1.6 browsers. http://secunia.com/product/3256/ Secunia currently has 3 Secunia advisories affecting Mozilla Firefox 0.x. For any product, see from Secundia at http://secunia.com/product/#os_F a complete list of software and operating systems in the Secunia database. Our database currently includes 3564 pieces of software and operating systems. Click a product to view all current Secunia Advisories affecting it. Finally, see http://www.eetimes.com/sys/news/showArticle.jhtml?articleID=22103358 [running out of two sides of the mouth IMHO] July 01, 2004 (4:00 PM EDT) COLORADO SPRINGS, Colo. The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft Corp.'s Internet Explorer. [...] Alternative browsers such as Mozilla or Netscape may not protect users, the agency [CERT] warned, if those browsers invoke ActiveX control or HTML rendering engines. OK, I have convinced myself, that, for good safety, IE is much worse than the most popular alternative browser Mozilla/Firefox :-). On the other hand, you might more likely get food poisoning this summer than a successful attack via IE, particularly if you keep up your antiviral and spyware signatures. So enjoy the potato salad and the Internet surfing, be it with IE or Firefox. thepccat On Wed, 30 Jun 2004 11:58:46 EDT bob.in.jersey@xxxxxxxx writes: > > http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/ > > [quote] > CERT recommends anything but IE > By John Oates > Published Monday 28th June 2004 11:50 GMT [...] To unsubscribe, send a message to ecartis@xxxxxxxxxxxxx with "unsubscribe juno_accmail" in the body or subject. OR visit //freelists.org ~*~