Security Operating Systems Software Windows

Enterprise-wide Browser Upgrades, IE, and Patching?

newkid asks: "Our company needs to upgrade its standard browser, a difficult decision when we factor security, compatibility and the logistics of actually doing it. For compatibility, Internet Explorer is required by internal applications like IBM Tivoli Storage Manager, so we have to keep it. On the security front, expert bulletins keep ranting every week about the latest gaping holes in IE but nobody really seems concerned: for example, many on-line banking services only work in IE, and they don't check for patches. Meanwhile, users do not care, as a large portion of the traffic still comes from IE 5.5, a version discontinued by Microsoft. As for logistics, the software distribution technology and the cost of patching both make the project much larger than we can undertake this year. Our two options are: roll-out IE without patching, or roll-out IE and Netscape, but lock IE so it can only surf on intranet sites, and update NS with rsync or Ant. What is your company doing? What is your strategy? How serious are the security threats? What are the documented security breaches caused by IE? We need a reality check."
  • by dpete4552 ( 310481 ) <slashdot@tuxcont[ ].com ['act' in gap]> on Wednesday May 07, 2003 @06:58PM (#5906057) Homepage
    http://www.pivx.com/larholm/unpatched/
  • Mozilla (Score:5, Insightful)

    by Cokelee ( 585232 ) on Wednesday May 07, 2003 @07:07PM (#5906138)

    Why can't you install Mozilla on a couple of shares and update them? It doesn't have to be on a local machine, and most internal networks remain fairly idle. (The other 60+mbps not being used by an external source.)

    On a very different note: these machines are running Windows, right? Why the security concern over IE?

  • by dnight ( 153296 ) <dnightNO@SPAMlakkadoo.com> on Wednesday May 07, 2003 @07:12PM (#5906170)
    Send an anonymous email with the Microsoft IE download link to the entire corporation, the day before you take a vacation. If your helpdesk is up to snuff, it should be all set when you get back.

    Oh, and look for snakes in your office when you get back.
    • Ok, this can be done and (mostly) automated if you have your network set up properly. It requires a bit of knowledge with batch scripts (that I don't have), or just write a little program to do it for you. Requirements: windows file sharing enabled (and that you know the computer names or IP addresses. Can run a sniffer for these), desktops running an NT based operating system, preferably all the same, and hopefully 2k+.

      Look for something called 'pstools', it is half of what you need. the others are a
  • We have both. (Score:5, Interesting)

    by zulux ( 112259 ) on Wednesday May 07, 2003 @07:14PM (#5906190) Homepage Journal


    We've put Phoenix on the desktop, and quick launch bars.

    We hid explorer in the Programs->Accessories->System Tools.

    And of course, you get Konqueror and Phoenix when you log into our VNC server.

    But as far as risk is concerned:

    The largest risk is Outlook and Outlook Express - they use the core of IE to do their mail previews. Most of our users don't visit odd websites - but they sure could be sent a virus now and then.

  • Easy (Score:4, Insightful)

    by 4of12 ( 97621 ) on Wednesday May 07, 2003 @07:24PM (#5906273) Homepage Journal

    MyCorp finally decided that IE 6 was an improvement over NS 4.7 for our Windows machines. Despite disliking the borglike tactics of MS, the decision made sense locally. It's almost easier to just let Windows have its way and use IE by default. But I would insure the security patches are up to date. Use SMS to update them.

    Our migration to IE was decided before Mozilla was as good as it is now. Also, Opera ain't bad, nor Konqueror/Safari. Check `em all out and keep your internal sites W3C standards compliant so you have options in the future instead of handcuffs.

    • Re:Easy (Score:5, Interesting)

      by J_DarkElf ( 602111 ) on Wednesday May 07, 2003 @07:28PM (#5906304) Journal
      Well, IE6 *is* an improvement over NS 4.x

      But then again, so is every other browser which does not lie about its CSS support, and can render standards-compliant pages.

      The main problem with IE is that it accepts garbage, so people keep using garbage, saying 'it works in IE'...
      • Applications are supposed to be permissive in what they take as input. Granted, you shouldn't hide that it's wrong (IE needs to have popups for malformed pages), and it shouldn't make its own decisions for you (for example, its overzealous mime typing), but making the best logical render of something that's broken is just good software design.

        Writing programs that spew un-RFC compliant crap, like IIS or Outlook -- that's poor software design. Always be exacting in what you output, as much as you are per
      • actually IE 6 does NOT always render standards compliant code correctly.

        Course you don't think I'll make a statement like this without giving a couple examples off the top of my head do you?

        IE will not get rid of the borders on frames without an attribute in the frameset tag, it ignores frameborder="0" in frame tags. The standard defines them in the frame tags and no border related attribute in the frameset tag.

        (I should note, while not the same attribute in the frameset, netscape also suffers from this
        • try

          div > table {
          background:red;
          }

          with

          <html>
          <body>
          <div >
          <table><tr><td>hello</td></tr></table>
          </div>
          </body>
          </html>

          try

          <div style="margin-left:20px;margin-right:30px;overflow:auto;height:100px">
          <div style="position:fixed;width:100%">
          this test should be fixed
          </div>
          <pre>
          this
          is
          some
          text
          that
          should
          make
          the
          div
          scrollable
          </pre>
          </div>
      • I've just been converting all some web sites over to using CSS.

        When you start using CSS (or anything vaguely complicated) you start to see just how much IE sucks. sure Mozilla and Opera aren't perfect IE just isn't.

  • by aoteoroa ( 596031 ) on Wednesday May 07, 2003 @07:26PM (#5906291)
    You mentioned that Tivoli's storage manager requires IE but a quick look at their product info page [ibm.com] indicates that they support HP/UX, Linux, Solaris and other clients and if that is the case then their web software must work with other web clients.

    I do all my banking, and the company's with Mozilla with no problems. A friend of mine also uses Moz for his banking. That's three separate banks that have no problem with Mozilla.

    There are probably more good choices in web browsers right now than there ever was. It is a good time for change.
    • by mbogosian ( 537034 ) <matt@@@arenaunlimited...com> on Wednesday May 07, 2003 @07:57PM (#5906484) Homepage
      You mentioned that Tivoli's storage manager requires IE but a quick look at their product info page [ibm.com] indicates that they support HP/UX, Linux, Solaris and other clients and if that is the case then their web software must work with other web clients.

      Be wary of any application which requires a certain browser for an interface (IE, Mozilla or otherwise).

      Browser-specific sites are bad, but apps are worse.
      • by shaitand ( 626655 ) on Wednesday May 07, 2003 @11:55PM (#5907816) Journal
        This is true, especially since the entire point of using an html based interface on a local app is portability...
        • This is true, especially since the entire point of using an html based interface on a local app is portability...

          It may be for someone, but not me. I am on a team which is developing an application which will be tested against IE6 *only* because this is the supported browser of the company who will use our product. We are not using a browser based interface for portability, we are using it so we can easily rollout changes without having to touch a single machine on of the 40,000 users will access our app

          • No it's called bad programming. First you write standard html. Second it takes 5 minutes to load it in a couple other browsers to make sure there are no quirks across them. The company you're writing the app for will undoubtedly want to upgrade their browsers eventually and then your app will be broken. This is what a lot of bad software companies do, some intentionally so the purchaser must spend more money down the road, some out of stupidity.
            • On another note, if you never deploy that app for anyone else, you still may want to use code/libraries from it (at least if your programming choices aren't this poor in every other area of the app as well) the reusability of your sweat is directly proportional to the portability of the code you wrote the first time around.
            • No, it's nothing to do with that. Our HTML is written to standards, and checked for that. A product test must be done using the target platform -- this is extremely costly for a system which has a massive number of "pages" a user can see. Having to test this in multiple browsers on multiple platforms would cost hundreds of thousands and take lots of time.

              We have to certify against IE6, and nothing else since it is the target platform. If the client wants to use another browser, at very least they will have

              • In that light it makes more sense. As long as you're writing code to w3c standards then you've definitely done your part I agree. That's what I've always loved about standards... if you code to them you can say the platform is broken not your code with a straight face.
    • I agree, I've run the TSM admin gui under Konqueror on KDE 3.1 without issues. I'd have thought that any browser with the appropriate level of Java support should work ....?

      Tim
    • FWIW, I regularly use four sites to move money around (mainly to pay what I owe:). Mozilla works flawlessly on all of them. The site "searscard.com" used to require IE for part of the process, but no longer (I presume something was updated in Mozilla).
  • My $0.02 (Score:3, Interesting)

    by benjamindees ( 441808 ) on Wednesday May 07, 2003 @07:34PM (#5906356) Homepage
    1) Performance will be an issue if you upgrade from 4.x to a current version of Netscape. Phoenix might be a better solution. There's Opera, too. What kind of processors/OS are you running?

    2) Banking sites can usually be tricked with a simple change in the Useragent string in Mozilla/Netscape. Are you sure you need IE?
  • Although this is a somewhat lame answer, consider switching to Windows Server 2003. It has an "enhanced" lock-down mode that eliminates most of the holes in its default configuration.

    Now, it makes some pages break, but that's the price.
    • This isn't flamebait, this is a very viable option. According to MS, Server 2003 is capable of rolling out patches to workstations in a manner similar to Symantec Corporate Edition rolling out virus updates over a network. This could indeed solve the problem. It's not the best option, may not even be viable, but it is a way of solving the problem.

      In other words, switching to Server 2003 is an option. Dogs and cats living together! Mass hysteria!

  • I mean for places like the transporter room, you really do need the latest and greatest, to be sure you're not shooting people into a Cardassian ship or something, but for officers lounges where Explorer is just being used for browsing the web, etc, it doesn't seem like that big of a deal...

    By the way, this joke was a bit of a stretch for me as I don't really like Star Trek.
  • Just FYI, but IE 5.5sp2 is still being updated and maintained by MS. You can no longer download it, as of March 31, 2003, but until December 31, 2003, MS will continue to patch it as needed. After December 31, 2003, MS will no longer release security updates for IE 5.5.

    We keep NS 7.0.2 and IE 5.5sp2 on our users' desktops, as IE6 had issues with Office 2000 on a Win2ksp3 workstation [go figure - all 3 packages are made by MS!].

    Only problem is that the MS Update w3 site always wants the users to upgrade to
  • by bluephone ( 200451 ) <grey&burntelectrons,org> on Wednesday May 07, 2003 @09:29PM (#5907021) Homepage Journal
    Netscape is going to be launching the latest version of the Netscape 7.x browser line (probably 7.5) in the next few months. Now that Mozilla/mozilla.org is closing in on 1.4 final, the Netscape folks will go into high gear for the commercial release to be based on 1.4 final, instead of the 1.0.x branch like NS 7.02 is. This will be the best commercial browser on the market, possibly ever. I'd suggest you wait until the release (final probably late this summer) before you roll out. You'll be far more secure, have a cross platform standard, and with IBM's work on their products, possibly be looking at accessing many apps that are currently IE only from other browsers.
  • by mbstone ( 457308 ) on Wednesday May 07, 2003 @09:31PM (#5907038)
    You have to apply the latest Microsoft patches right away, or hackers will come along and break your system. But the patches themselves will break your system once you apply them. You might as well give up now, and krazy-glue the ctrl-alt-and del keys to the bottom of your keyboard.

    ________________________________________________
    If it doesn't fit, file it. But it gets dirty and you can't clean it. So you have to THORW IT AWAY!!
  • Tivoli? (Score:3, Interesting)

    by Dausha ( 546002 ) on Wednesday May 07, 2003 @10:23PM (#5907300) Homepage
    That's odd, we're an all Unix shop and so our Tivoli storage manager is viewed on Netscape (4.79). So, I'm a bit surprised to see that you need to maintain connectivity with the Tivoli system. Also surprised since IBM has a Linux port (previous Slashdot article).
  • by swmccracken ( 106576 ) on Wednesday May 07, 2003 @11:53PM (#5907815) Homepage

    Install a copy of Software Update Services [microsoft.com] and then use group policies to configure your workstations to use and automatically install the patches.

    It's a partial solution, while it doesn't upgrade Internet Explorer itself, it *does* apply all relevant patches to IE and the OS.

    You do use Group Policies, right? This is one management area where Windows 2000 out-of-the-box beats any Linux management system hands down.

    Generally.. the patches aren't that important, but notable exceptions exist. (Such as Outlook Express opening certain mime types automatically! - virus writers were quick to take advantage of *that* one..) The problem is that you never quite know which ones are going to be important.

    • Use IEAK to build a custom version of IE.

      Use Intellimirror if you're on an all Win2k+ network, to roll out, well, any software you want, really.

      Use SMS if you're not on an all Win2K network, to, well, roll out any software you want, really.

      Block the windowsupdate sites at your proxy.

      Do NOT let users have admin access to their own machines.

    • Properly? According to..? There are (at least) 101 things Mozilla does that IE does not, listed here: http://www.xulplanet.com/ndeakin/arts/reasons.html
      And that's with Mozilla 1.2, back in January!
      I started using Mozilla 1.0 when SP1 for IE6 rendered IE unable to render all the graphics of many web pages. Refreshing would sometimes show more of them, sometimes less. I tried Mozilla out of necessity, my first use of open source software. Then I uninstalled SP1 & was thrown back to IE 5.5 (isn't that sp
  • My company blocks IE at the proxy (and doesn't allow direct connections not using the proxy of course).
    As for upgrading Netscape 7, Mozilla or Opera: you really don't have a software distribution system installed? How do you update other software? How many clients?
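An added example, not part of any comment in this thread: a Python sketch of the proxy-side policy discussed above (IE allowed to intranet hosts only) that also inventories clients still reporting an IE version below a chosen minimum. The log format, intranet ranges and `.corp.example` suffix are constructed assumptions. The User-Agent header is supplied by the client and, as other comments note, can be changed, so this serves as an audit aid alongside desktop lockdown rather than as a control by itself.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed intranet ranges and DNS suffix (placeholders, not from the thread).
INTRANET_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
INTRANET_SUFFIX = ".corp.example"

MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")
# Constructed log format: client_ip dest_host "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

# Constructed sample log lines.
SAMPLE_LOG = """\
10.1.4.20 tsm.corp.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.1.4.20 www.example.com "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.1.4.31 www.example.com "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
10.1.4.44 10.2.0.8 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
10.1.4.52 bank.example.net "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.10 [en]"
""".splitlines()


def ie_version(user_agent):
    """Return (major, minor) if the UA claims to be IE, else None."""
    if "Opera" in user_agent:
        # Opera set to identify as IE still carries its own token.
        return None
    m = MSIE_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_intranet(host):
    """True for addresses in INTRANET_NETS, the intranet suffix, or dotless names."""
    try:
        addr = ip_address(host)
    except ValueError:
        host = host.lower()
        return host.endswith(INTRANET_SUFFIX) or "." not in host
    return any(addr in net for net in INTRANET_NETS)


def decide(host, user_agent):
    """Policy from the thread: IE may reach intranet hosts only."""
    if ie_version(user_agent) is not None and not is_intranet(host):
        return "deny"
    return "allow"


def audit(lines, min_ie=(6, 0)):
    """Return (denied requests, per-client count of requests from IE < min_ie)."""
    denied, outdated = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of guessing
        client, host, ua = m.groups()
        ver = ie_version(ua)
        if ver is not None and ver < min_ie:
            outdated[client] += 1
        if decide(host, ua) == "deny":
            denied.append((client, host))
    return denied, outdated


if __name__ == "__main__":
    denied, outdated = audit(SAMPLE_LOG)
    print("denied:", denied)
    print("outdated IE clients:", dict(outdated))
```
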
  • What about the Internet Explorer Administration Kit? It lets you set the options for a customized distribution of IE for w/in your company. You can set it up so it installs in the background and reboots the computer when done. You would still need some way of pushing it to the desktops but it would be one download from MS for what ever version of the browser and then it just gets distributed w/in your company.
  • IEAK (Score:5, Informative)

    by omega9 ( 138280 ) on Thursday May 08, 2003 @04:11AM (#5908598)
    There's a neat little tool called IEAK [microsoft.com], which stands for Internet Explorer Administration Kit. It lets you download IE and create your own custom set of installation files with only the options you want. You can even make the installation non-interactive to make sure it only does what it's told. Anyone who's done a major IE rollout has at least heard of IEAK. Since you didn't even mention it I'll guess you've either never done an IE rollout or you've got SARS and it made you forget about it.

    You also didn't mention your network setup. However, you're considering IE so I'm going to guess most of your clients are running Windows. Also, if you're really entering into a rollout your network must be on the larger side (else it would just be you installing something on a few machines). So if you've got a a)large b)Windows network there's a good chance you've got some kind of domain model there. Or at least something that provides login scripts. Go fix yourself up a custom IE install with IEAK and launch the setup from the login script. Heck, if you're running AD on a Win2K server whip up an MSI and push it out to the clients. But if you can't do enough research on your own to discover IEAK, then you probably won't even be able to spell MSI.

    If you've never heard of IEAK, got a large Windows network, and aren't using some sort of login script functionality, then the SARS has truly taken over and a browser rollout is the least of your troubles.

    DISCLAIMER: no SARS were injured during the creation of this reply
    • Darn (Score:1, Insightful)

      by Anonymous Coward
      I was hoping you'd say something like:

      "...the then SARS have already won."
    • Mod parent up!

      How on earth did he get into a stupid situation where "Roll out IE without patches" was ever any kind of option?

      It's
      a) dangerous not to patch and
      b) easy to patch.

      You just have to know what you are doing, which that dork obviously doesn't.

  • well if you have a big enough organisation where desktop software management is a real issue (which prob means you've got more than 10 machines;-) then you need to look at software like Intel Landesk (or whatever it's called this week).

    It gives you the technology to have a 'golden host' on which you base every desktop. You then download the changes automatically once a day (or when you hit the button for emergency updates!).

    Turbo Linux has a similar product which has been recently bought by a Californ
  • A reasonable idea (Score:3, Informative)

    by mnmn ( 145599 ) on Thursday May 08, 2003 @10:08AM (#5909791) Homepage

    In some browsers like opera, you can change the Client string so it looks like IE6. I did that with the opera browsers on some public Pentium2 computers and the clients have been happy to my knowledge. Opera is also more robust, low on resources and fast.

    I'm tempted to think something like cygwin rsync would work on windows machines to update opera. Of course, if you don't have apps that require win32, you can move to linux completely, possibly using xpde for naive clients.
    • There's a difference between functionality problems and sites that do browser checking.

      Having to deal with many, MANY web apps, I can tell you that this doesn't always work. Some apps are so heavily built with IE-only components that there's no other browser that works with it. PERIOD.

      Mozilla and Opera are wonderful web browsers, and could easily kill IE if developers would stop writing web apps that only work in IE.
  • You're apparently using Windows, hence IE being installed. I imagine your users are in a domain, but if not, disregard the following.

    Group Policy in Windows 2000 allows you to create MSI packages that can be rolled out to multiple clients and that will be installed when the user starts up the computer. If you check the Windows 2000 Server CD, you'll find the light version of WinInstall, called WinInstall LE (winstally around here). This will let you scan a computer, then you can run any updates (for exam
  • Just walk up to a computer terminal and say: "Computer, conduct a complete ship-wide level 1 browser upgrade, security override 'Picard Omega Three'."
  • 1/2 of our virus infections are a'la IE and browsing email sites, like yahoo and hotmail. We had to block them for that reason.
  • It's been my experience that browser advocates come in one of two flavors. Those who worship Bill and constantly mutter under their breath "I hate netscape", and those (us) fringers that use an alternative browser (mozilla, phoenix, opera, icab, etc).

    People that used to love Netscape have pretty much turned to IE due to the NS4 line's stagnation and the netscape branch of mozilla being inadequate (I'm highly looking forward to a branch of the 1.4 trunk). They don't complain or they'll get laughed at.

    The l
    • Re:Browser Fear (Score:2, Informative)

      by zzyp ( 659456 )
      Of course you can delete IE *completely* using this free utility, it doesn't work for SP2 and above on Windows 2000.

      http://www.litepc.com/ier_lic.html
