Domain: msdn.com
Stories and comments across the archive that link to msdn.com.
Comments · 3,271
-
Trust : FF / IE
When I try to post a comment to this article on the MS site, I get this:
http://blogs.msdn.com/ptorr/Moderation.aspx?ReturnUrl=/ptorr/archive/2004/12/20/327511.aspx
"Moderation
Comments on this blog are currently being moderated. An email has been sent to the owner with the details of your comment.
Click here to return to the original post or article"
Nice !!!!!!!!!!! -
Peter Torr's reply to comments
Here is some of his reply to the comments
-
Re:Oh come *on*.
Actually, this post in reply to the blog indicates that it's an issue with McAfee VirusScan--not Firefox. The only other reference to that I can find on google is from a random VB programming forum, though.
-
Mr Torr
Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!
-
Multiple Firefox Security Flaws Discovered
Too bad I can't trust Firefox due to the fact that Firefox is full of gaping security holes. Firefox has so many security flaws you could drive a truck through them. These horrible security failures include:
-Installing Firefox requires downloading an unsigned binary from a random web server
-Installing unsigned extensions is the default action in the Extensions dialog
-There is no way to check the signature on downloaded program files
-There is no obvious way to turn off plug-ins once they are installed
-There is an easy way to bypass the "This might be a virus" dialog
For more information on these flaws, Click Here for information.
-
Multiple Firefox Security Flaws Discovered
Too bad I can't trust Firefox due to the fact that Firefox is full of gaping security holes. Firefox has so many security flaws you could drive a truck through them. To wit:
-Installing Firefox requires downloading an unsigned binary from a random web server
-Installing unsigned extensions is the default action in the Extensions dialog
-There is no way to check the signature on downloaded program files
-There is no obvious way to turn off plug-ins once they are installed
-There is an easy way to bypass the "This might be a virus" dialog
For more information on these flaws, Click Here for information.
-
Solution for running as admin
Use the "DropMyRights" app from here: http://blogs.msdn.com/michael_howard/archive/2004/11/18/266033.aspx/ to run internet apps as "normal user".
(If possible, compile your own version from the source a user posted in the comments; you'll get a little 1.5k app that supports arguments, instead of the bloated half-broken app the Microserf made available...)
It's not perfect, but I've seen a net drop of spyware and crapware on machines where I've installed it to launch everything that connects to the net.
Make sure to replace the direct access icon to MSIE on the desktop with a DropMyRights-ed ordinary shortcut. Only "Windows Updates" needs MSIE with admin rights. Also remember to modify whatever launches at Windows startup to run with reduced rights.
Final tip: rename it to something short (I use "safe.exe" and place it in the path); it makes modifying shortcuts a whole lot easier.
Show the user how to modify his own shortcuts so that he can reduce the rights of whatever he downloads before launching it for the first time...
-
Nowadays, it IS user error
Let me preface this with the statement that the lax security in pre-SP2 IE is shameful. But MS has realized its faults, and they are quickly securing their products. You can ascribe whatever evil motivation you like to the security push.
While there have been a few viruses in the past that legitimately exploited vulnerabilities (like buffer overflows and such), all of the spyware in the post SP2 world requires (a) user intervention (pressing yes at a prompt) and (b) running as admin.
Make your grandma a limited user, and even if she presses yes at the prompt, the installation will fail and she'll remain spyware free. While you are at it, you can install Mozilla and let her discover the joys of tabbed browsing.
Here are some resources that might help:
http://www.techproblemsolver.com/limited.html
http://www.dotnetdevs.com/articles/RunningAsNonAdmin.aspx
http://blogs.msdn.com/aaron_margosis/
http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;305780 -
Re:No surprise here
Check out Aaron Margosis' blog at http://blogs.msdn.com/aaron_margosis - he's got some very interesting helpful bits for folks who want to start down the path of least-privilege access on Windows. It's not the "official" word, and it's not at all comprehensive, but it's part of a wave of folks inside MS who are putting these practices to good use right now.
-
There are definite pockets of non-Microsoft use...
If you read MSDN blogs you occasionally come across references to people using non-Microsoft software, including Firefox, Apache, and *nix. Hotmail uses UNIX tools running on Interix... which includes the "viral" GCC.
-
Channel 9's got stuff about this
Channel9 has some good movies that demo most of the features. There's actually some cool stuff like using it as a Start->Run box, creating small macros, etc.
-
Re:Yes!
Have you heard of/used Lookout? It is a tool for indexing Outlook files (and is free). I tried out GDS, but reverted back to Lookout b/c Lookout can also index files on the file system that I specify, like I can say, "Index .cs files in this directory," and it will work, whereas GDS doesn't (yet?) support this. Google's UI is a lot nicer, but Lookout lets me get what I need done. Also, MS is supposedly going to be coming out with a Desktop Search of its own, which, since they bought Lookout, will hopefully be an improved version of Lookout. -
Re:Don't get it
I thought Windows Forms was going to be essentially deprecated anyways, when Longhorn is released, in favor of Avalon/XAML?
-
Re:Science Tables and Lookup Values
This guy from Microsoft agrees with you: http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
Pass phrases are at least easier to remember than long passwords (compare "I am the walrus, koo-koo-kachoo!" to your example) and are long enough to be more problematic for password cracking programs.
-
Passphrases vs. passwords
There was an interesting blog article by a Microsoft PSS employee about his recommendation for choosing passphrases as opposed to passwords. Worth a read. The main problem is a number of online sites don't allow spaces in passwords or limit the password to a short number of characters. For example, I tried to create an iTunes account with a phrase from a Pavement song but it wouldn't let me go over 32 characters or have any spaces in my password.
-
SINGLE BEST SOLUTION
Stop running your daily desktop account as Administrator. Most, if not all, of the spyware will fail when it attempts to infect your system. It's just general good practice anyway. No one runs KDE/Gnome as root, or logs into their OSX machine as root. Neither should we.
-
Re:Microsoft has a weblog?
I'm fairly sure he's talking about Channel9 and the IE blog.
-
Re:A quick FYI
Microsoft ... decided it would backport ... their new networking and messaging system ("Indigo") to previous versions of Windows, including XP
Indigo was supposed to be available for Windows XP and Windows 2003 ever since it was announced.
Don Box's introduction to Indigo in the Jan 2004 issue of MSDN (available on the web since early November 2003) says as much: As part of Windows Longhorn, Indigo is available to every Longhorn application. Indigo will also be available as a separate download for Windows XP and Windows Server 2003.
-
CORRECTED LINK
I'm not sure how you got modded up with a broken link, but here's the correct link:
http://blogs.msdn.com/chris_pratley/archive/2004/04/27/120944.aspx
-
Lets talk about Word
Chris Pratley, a Microsoft insider, recently wrote about the competitive environment, product development and MS Word vs WordPerfect ca. 1995. Take a few minutes to read his http://blogs.msdn.com/chris_pratley/archive/2004/04/27/120944.aspx/ blog entry for background. -
Re:Great quote to take out of context
Try MS IE blog as a first port of call, although I doubt they will listen. Still, some amusing posts there.
-
The C Stands for Crap
So, let me get this straight. C-Net goes all the way to Australia to find a "managing director" who hasn't used Firefox and then makes the statement that Microsoft doesn't see Firefox as a threat? Come on people. Read around on the weblogs at MSDN and you'll run across 100s of Microsoft employees excited about Firefox and running it.
But I'm glad to know they went out of their way to interview a managing director of Cisco to find out that Cisco uses IE, but only with "Cisco's Secure Agent" running. I'm surprised they didn't throw in an interview from a managing director of Papa Johns who only uses IE while enjoying some delicious Papa Johns pizza.
-
Also: Mozilla aren't so aggressive
IE is embedded everywhere in Windows, even when you bring up an HTML dialog box. Add/Remove Programs? DHTML. System Restore? DHTML.
Windows Update? Active-fucking-X. So unless you move http://*.microsoft.com/ into trusted zone (ramped up to medium security), you cannot get security updates without enabling ActiveX download and scripting.
Even in WinXPSP2, there is still that trusted zone that gives unlimited rights. Like download unsigned activeX controls without prompting. There is nobody I'd give that right to, not even myself. Yet they have it.
Plus all the MSN content pushes AX at you. At least Expedia are not that daft; you can shop there with Firefox. But check out a pure MS site like the channel9 developer site; ActiveX, windows everywhere. No attempt made to evangelise to the rest of us :) -
Re:Curious
I can't help wondering why it is that with all the monstrous resources Microsoft has at its disposal, IE still has buffer overflows.
IEXPSP2 isn't vulnerable. Apparently they used a compiler feature to protect against buffer overflows. Shame non-XP users are left high and dry though.
Do they have test beds?
Yes, but I fail to see what that has to do with finding buffer overflows.
-
Don't be silly!
Obviously this new security hole is just a figment of your imagination or a filthy lie.
-
Re:A con for blogs, who knew?
I recall just a few years ago Micro$oft finding some business use for instant messaging (and not just as a communications enhancement, but for things like EDI); I'm sure there are some plans already to deploy Business Visual Blog Server or some such product, to what end I can't fathom. I'm sure another company will say they've patented blogs and/or blog technology, and then we'll know that blogs have really arrived.
You are so cool to use "Micro$oft".
-
@microsoft.com
-
For all you MSDN fans...
-
Re:My Website's Stats
I think s/he was saying that instead of bitching on /., people should bitch on MS IE blog? Maybe then the IE developers would get a sense of clue. -
Re:My Website's Stats
Why not let MS IE blog know what you think. After all, I'm sure that MS IE blog would love to hear your opinions. Go on, you know you want to talk on the MS IE blog. Why not give MS IE blog a whirl?
-
Re:no, the cat HASN'T got my tongue.
I read the Microsoft IE Blog. It was better than Cats. I will read it again and again.
-
Re:no, the cat HASN'T got my tongue.
Hey /. - why not let the good folks at Microsoft IE blog know your feelings? I'm sure Microsoft IE blog would love to hear from you. You know you want to share all your deep dark browser fantasies with Microsoft IE blog. Go on, give Microsoft IE blog a try... -
Re:tightvnc vs. real vnc
I wish terminal services did have a console option because VNC is a little pokey even over 100Mb/s compared to the RDP.
If you're running Win2k3 Server, have you tried to use the console switch on the client?
-
Re:which version of IE was it?
The compiler options used in XPSP2 don't prevent crashes, they cause buffer overflows or attempts to execute non-executable memory to result in an immediate and easy to pinpoint crash, rather than let the process continue with a trashed stack or executing code from the stack. Similar changes in Windows Server 2003 caused Sasser not to be a remote code execution security issue, but a denial of service issue on that platform (see http://blogs.msdn.com/michael_howard/archive/2004/06/16/157874.aspx).
So if parsing some HTML caused IE to overrun a stack buffer, IE will immediately terminate with a crash that points to the buggy function and you get the option to report the crash to Microsoft. If the person who wrote the exploit code was doubly clever and smashed the exception handler also, on XP machines with x64 processors, another crash would occur immediately since the stack is non-executable. -
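A toy model of the cookie check the comment above describes (an added illustration, not Microsoft's /GS implementation or code from this thread): a cookie placed just past the local buffer turns a spill into a detected fail-fast instead of a process that carries on with a trashed frame. The struct layout, COOKIE_VALUE and the sample inputs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a compiler-inserted security cookie. */
#define COOKIE_VALUE 0xC0DEFACEu

/* Model of a stack frame: the cookie sits where the saved frame data would
 * be, so any overrun that reaches past buf has to pass through it first. */
struct guarded_frame {
    char     buf[16];   /* the local buffer the bug overruns */
    uint32_t cookie;    /* checked before the function "returns" */
};

/* Returns 0 if the frame is intact after the copy, 1 if the cookie was
 * clobbered (the real mechanism would abort the process at this point).
 * An overrun that stops short of the cookie is NOT detected, which is the
 * known limit of this style of check. */
int copy_checked(const char *src, size_t len)
{
    struct guarded_frame f;
    f.cookie = COOKIE_VALUE;

    /* Model of the unbounded copy: the bug writes up to sizeof(f) bytes into
     * the frame, so input longer than buf spills into the cookie. Writing
     * through the struct's own byte representation keeps this defined C. */
    size_t n = len < sizeof f ? len : sizeof f;
    memcpy((unsigned char *)&f, src, n);

    if (f.cookie != COOKIE_VALUE) {
        fprintf(stderr, "stack cookie corrupted in copy_checked: fail-fast\n");
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *ok  = "hello";                              /* constructed */
    const char *bad = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";     /* 24 bytes */
    printf("short input: %s\n", copy_checked(ok, strlen(ok)) ? "corrupted" : "intact");
    printf("long input:  %s\n", copy_checked(bad, strlen(bad)) ? "corrupted" : "intact");
    return 0;
}
```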
Re:strategic point of view
I may be a little paranoid (heck, I actually am) but I've long suspected the IE support for loose HTML was a strategic decision. Go back to the days when Netscape would render a page with an unclosed table tag as blank. IE rendered the page, and I often encountered sites that didn't work on Netscape.
Microsoft has always leaned towards maintaining backwards compatibility. If a site worked in IE 1.0, then it should work in IE 6.0. They work very hard at ensuring this. Of course, that leads to some inefficient code, continuing mistakes made in the past, and nobody ever fixing their HTML. But, it keeps the new version of IE from looking like it's breaking websites.
With XPSP2, MS has decided to let security trump compatibility. IMHO, this is a Good Thing(tm). And, with IE6's strict doctype declaration, bad HTML can be found and fixed by the developer. Of course, only those developers who care about such things will take the time to do this...so it may be moot.
-
License costs can be for Mono too
> > Half-baked port of .NET to Linux w/ large licence costs.
> That would be Mono then.
I wouldn't be too sure (read the first comment, LOL!!).
If Microsoft enforces a patent on Mono, I'm sure Novell will pay the license fee though. A RAND license from Microsoft might involve a per-copy royalty or a distribution restriction agreement for the source - effectively killing off the Open Source part of Mono. But Novell would still be able to consider Mono a revenue stream (so the paying customers might still not be left out in the cold).
The sad part of this is that all the public code of Mono will also become useless for everyone concerned (except for academic purposes, but there are much better research VMs). This is the concern expressed by the various Gnome devels recently.
Support Parrot ... -
Amazingly horrible name.
They'd do way better calling it something like blogs.sco.com ... it's not like they've got any kind of plausible deniability going for them. At least they could try and sound like they had a clue.
I mean, even Microsoft knows which way the wind's blowing. -
Re:All in it together
An interesting explanation is here.
-
Go Read This
http://blogs.msdn.com/cyrusn/archive/2004/10/11/240673.aspx
Then tell me how much you want to push C# to production. -
templates
Having worked in both Java and C#, superficially there isn't much to distinguish the two beyond syntax and some design philosophies. However, I expect C# to really take the lead once they introduce templates (generics) which are coming out in a few months. Having coded in C++, templates are one thing I really miss. Click here for more info on generics. I don't know what Java has on the horizon like it.
-
update posted
Brian Goldfarb who is a program manager for ASP.NET today posted a link to a http handler that will block requests using malformed URLs for all web apps on the server. Link I think this is a bit overblown here. URLscan which is recommended in any MS security blocks this. The ASP.NET security guide shows how to avoid canonicalization issues. On the other hand how did this get through testing?
.NET has an excellent security track record with very, very few issues. I think that this is the first major one. Good for something as large as .NET. MS has come a long way over the last couple of years with security. Best of luck to them over there. More info can also be found here. -
Re:re standards
> The problem is that only browsers based on Mozilla code (Camino, Firefox, Netscape, etc.) have support for these standards.
A possible temporary solution is this one. On the long term, I suggest sacrificing goats until the MSIE team makes a new, improved release. They've recently resurfaced, so maybe they're alive and coding on it, who knows :-)