AOL & IE (unknown)

Topic

New Reply

At one time AOL used IE as its browser-does it still do so? If so, does the AOL version share the vulnerabilities that led US-CERT to recommend using a different browser than IE?

I sent around a link to the US-CERT alert, paraphrasing their recommendations, and my brother-who uses AOL-responded that he didn’t know what browser he was using. He did mention that he gets very little junk mail & few popups which isn’t a common experience among IE users that I know, so assuming that AOL is still using IE it would appear that they’ve put their own filters & traps on it-which might mean that the AOL version doesn’t share the vulnerabilities. Does anyone know for sure?

Thanks.

Reply | Quote

Replies

I don’t use AOL but according to their site, requires IE6 or higher.
Also:
“AOL is capable of running third-party applications, like the Netscape

Reply | Quote

Thanks. I know that you can ‘use’ any browser with AOL-just minimize their software once you’re connected & then start your other browser. It’ll use the existing Internet connection that AOL established. But in my opinion most people (including my idiot brother) are unlikely to switch if it’s the least inconvenient. Look at how many use IE because they’d need to download & install Netscape? (Like that’s difficult. But apparently it’s difficult enough to dissuade them from switching.)

Hopefully the Netscape for AOL is integrated with their dialer & email. At least it seems like it’d be worth a try. (Still wish it was Mozilla or Firefox, but that’s probably too much to ask with AOL owning Netscape now.)

Thanks.

Reply | Quote

Thanks. I know that you can ‘use’ any browser with AOL-just minimize their software once you’re connected & then start your other browser. It’ll use the existing Internet connection that AOL established. But in my opinion most people (including my idiot brother) are unlikely to switch if it’s the least inconvenient. Look at how many use IE because they’d need to download & install Netscape? (Like that’s difficult. But apparently it’s difficult enough to dissuade them from switching.)

Hopefully the Netscape for AOL is integrated with their dialer & email. At least it seems like it’d be worth a try. (Still wish it was Mozilla or Firefox, but that’s probably too much to ask with AOL owning Netscape now.)

Thanks.

Reply | Quote

I don’t use AOL but according to their site, requires IE6 or higher.
Also:
“AOL is capable of running third-party applications, like the Netscape

Reply | Quote

I’d never recommend that anyone switch browsers based on what US-CERT or any self serving private organization recommneds? Remember these are organizations that spout astronomical numbers of PC & $$$ damage for various forms of malware while using no known methodology for coming up with these figures. I’ve been using the ‘net longer than I care to remember and have never had a security problem. Running a fully patched OS, browser, up-to-date A/V & firewall are the keys. If you wish to change browsers do it on a feature/function basis. Or do it just because you don’t like MS. Just don’t do it because one of these organizations recommends it.

Joe

--Joe

Reply | Quote

Umm, US-CERT is part of the Department of Homeland Security. US Government agency. And did you bother to read my message? I’m not looking to change browsers-I currently use Netscape/Mozilla & am in the process of moving to Firefox. And I’m happy with that.

I do wish that everybody would run up-to-date AV & firewall software. But they don’t & probably never will. As for a fully-patched OS, that pretty much depends on how many problems the patches themselves cause-so far I’ve seen enough problems that I don’t recommend that anyone apply a patch as soon as it comes out except on a test machine. (I don’t necessarily recommend against it either. But if asked I always say ‘wait a couple of days & see how many problems are reported’.

Patches have gotten a lot better in the last couple of years but they aren’t problem-free. If they continue to improve at the current rate then I’ll probably change my advice in a year or two. But not today, sorry.

Reply | Quote

Umm, US-CERT is part of the Department of Homeland Security. US Government agency. And did you bother to read my message? I’m not looking to change browsers-I currently use Netscape/Mozilla & am in the process of moving to Firefox. And I’m happy with that.

I do wish that everybody would run up-to-date AV & firewall software. But they don’t & probably never will. As for a fully-patched OS, that pretty much depends on how many problems the patches themselves cause-so far I’ve seen enough problems that I don’t recommend that anyone apply a patch as soon as it comes out except on a test machine. (I don’t necessarily recommend against it either. But if asked I always say ‘wait a couple of days & see how many problems are reported’.

Patches have gotten a lot better in the last couple of years but they aren’t problem-free. If they continue to improve at the current rate then I’ll probably change my advice in a year or two. But not today, sorry.

Reply | Quote

Yes, I read your message. I know what US-CERT is and I’ll stand by my statement. They generally put out c..p. You may not be running IE but you are suggesting by proxy that whoever you sent the e-mail to switch browsers. To answer your question about the AOL browser. It is still based on IE. The reason they selected IE originally and stuck with IE is that IE can be componentized easily. So, you further ActiveX testing is not a realiable method for determining whether it is IE based. Only whether AOL has disabled the ActiveX functionality in their front end. Even so someone could enable with the IE controls. I’m not sure what that would mean to the AOL side.

Joe

--Joe

Reply | Quote

And do you have any evidence for your statement that US-CERT generally puts out garbage?

And I didn’t suggest, by proxy or otherwise, that anyone should switch browsers. What I recommended is that the people I sent the message to should follow one or more of US-CERT’s recommendations. (I’ll admit that the details got lost in rewriting my original message, but they aren’t important to the question of whether or not the AOL browser is vulnerable, now are they?)

My last previous message (response to JScher) noted that what I’m interested in is whether or not the AOL browser is vulnerable. I don’t really care whether it’s based on IE or not-although that’s what I originally asked about. (As often as I run into a user who asks the wrong question you’d think I’d pay more attention to my own questions-but sometimes I don’t.)

Reply | Quote

As to US-CERT putting out garbage. Just go back & look at their postings about various outbreaks/infections. Neither they nor anyone else (i.e. A/V vendors) do anything other than close their eyes and throw something at a dart board when coming up with wild guesses about the numbers of PCs infected and the $$$ lost becasue of an outbreak. Almost every time there is a supposed major outbreak, whoever posts the highest number is assumed to be correct and the next outfit picks up on it or chooses yet another higher number. No company or geovernmental organization that I know of publishes or privately tells any firm/organization that they were impacted by malware and to what extent they were impacted. I’d invite you to go to Vmyths.com and read a bit. There are numerous articles about the A/V industry and Internet security. This is my last comment about the subject. No offense intended and none taken.

A couple of comments about your original post. Little spam in AOL e-mail system – AOL has a very stringent spam filter. So stringent that they frequently block legitimate e-mail. But, that is something the AOL user has to know & be willing to live with. Few popups – in one of the recent version of their software AOL severly limited the number of their ownd ads that typically bombarded their users. I’ve not really paid much attention to the details of features in the past several releases, but they may have implemented a popup blocker also.

About AOL software being vulnerable. I’d say that it would share the same weaknesses that IE has as it is IE based. There may be ways that AOL has configured the underlying components to minimize the IE issues. That is something that a user would have to try to find out from AOL. Although, I’m pretty confident that AOL (just like others) will say their software is secure, reliable, etc., etc.

Joe

--Joe

Reply | Quote

I’ll admit that I don’t pay any attention to $$$ estimates-from anyone. I do read US-CERT vulnerability assessments & have found them to be fairly accurate. One item that particularly struck me about this one is that this administration has generally appeared favorable towards Microsoft-for them to recommend switching away from IE impressed me. But I suppose it could have been politics-who knows what goes on behind the scenes.

I do agree with you about AOL’s likely assessment of their own browser-that’s why I look for outside opinions. Better yet, ways of verifying for myself.

Thanks.

Reply | Quote

I’ll admit that I don’t pay any attention to $$$ estimates-from anyone. I do read US-CERT vulnerability assessments & have found them to be fairly accurate. One item that particularly struck me about this one is that this administration has generally appeared favorable towards Microsoft-for them to recommend switching away from IE impressed me. But I suppose it could have been politics-who knows what goes on behind the scenes.

I do agree with you about AOL’s likely assessment of their own browser-that’s why I look for outside opinions. Better yet, ways of verifying for myself.

Thanks.

Reply | Quote

As to US-CERT putting out garbage. Just go back & look at their postings about various outbreaks/infections. Neither they nor anyone else (i.e. A/V vendors) do anything other than close their eyes and throw something at a dart board when coming up with wild guesses about the numbers of PCs infected and the $$$ lost becasue of an outbreak. Almost every time there is a supposed major outbreak, whoever posts the highest number is assumed to be correct and the next outfit picks up on it or chooses yet another higher number. No company or geovernmental organization that I know of publishes or privately tells any firm/organization that they were impacted by malware and to what extent they were impacted. I’d invite you to go to Vmyths.com and read a bit. There are numerous articles about the A/V industry and Internet security. This is my last comment about the subject. No offense intended and none taken.

A couple of comments about your original post. Little spam in AOL e-mail system – AOL has a very stringent spam filter. So stringent that they frequently block legitimate e-mail. But, that is something the AOL user has to know & be willing to live with. Few popups – in one of the recent version of their software AOL severly limited the number of their ownd ads that typically bombarded their users. I’ve not really paid much attention to the details of features in the past several releases, but they may have implemented a popup blocker also.

About AOL software being vulnerable. I’d say that it would share the same weaknesses that IE has as it is IE based. There may be ways that AOL has configured the underlying components to minimize the IE issues. That is something that a user would have to try to find out from AOL. Although, I’m pretty confident that AOL (just like others) will say their software is secure, reliable, etc., etc.

Joe

--Joe

Reply | Quote

And do you have any evidence for your statement that US-CERT generally puts out garbage?

And I didn’t suggest, by proxy or otherwise, that anyone should switch browsers. What I recommended is that the people I sent the message to should follow one or more of US-CERT’s recommendations. (I’ll admit that the details got lost in rewriting my original message, but they aren’t important to the question of whether or not the AOL browser is vulnerable, now are they?)

My last previous message (response to JScher) noted that what I’m interested in is whether or not the AOL browser is vulnerable. I don’t really care whether it’s based on IE or not-although that’s what I originally asked about. (As often as I run into a user who asks the wrong question you’d think I’d pay more attention to my own questions-but sometimes I don’t.)

Reply | Quote

Yes, I read your message. I know what US-CERT is and I’ll stand by my statement. They generally put out c..p. You may not be running IE but you are suggesting by proxy that whoever you sent the e-mail to switch browsers. To answer your question about the AOL browser. It is still based on IE. The reason they selected IE originally and stuck with IE is that IE can be componentized easily. So, you further ActiveX testing is not a realiable method for determining whether it is IE based. Only whether AOL has disabled the ActiveX functionality in their front end. Even so someone could enable with the IE controls. I’m not sure what that would mean to the AOL side.

Joe

--Joe

Reply | Quote

I’d never recommend that anyone switch browsers based on what US-CERT or any self serving private organization recommneds? Remember these are organizations that spout astronomical numbers of PC & $$$ damage for various forms of malware while using no known methodology for coming up with these figures. I’ve been using the ‘net longer than I care to remember and have never had a security problem. Running a fully patched OS, browser, up-to-date A/V & firewall are the keys. If you wish to change browsers do it on a feature/function basis. Or do it just because you don’t like MS. Just don’t do it because one of these organizations recommends it.

Joe

--Joe

Reply | Quote

Since only IE supports ActiveX, and since WindowsUpdate uses only ActiveX, one could ascertain whether the AOL browser was IE under the covers by pointing it at WindowsUpdate and seeing what happens. (As one who does not have AOL, I can’t conduct this experiment myself.)

Reply | Quote

And since it’s mostly the ActiveX that makes IE undesirable that’ll verify whether the AOL browser (branded as IE or not) shares the vulnerabilities.

Brilliant! Thanks!

Reply | Quote

And since it’s mostly the ActiveX that makes IE undesirable that’ll verify whether the AOL browser (branded as IE or not) shares the vulnerabilities.

Brilliant! Thanks!

Reply | Quote

Since only IE supports ActiveX, and since WindowsUpdate uses only ActiveX, one could ascertain whether the AOL browser was IE under the covers by pointing it at WindowsUpdate and seeing what happens. (As one who does not have AOL, I can’t conduct this experiment myself.)

Reply | Quote