Slashdot Mirror


Serious Security Flaw in MSIE 5.01, 5.5

Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2. Read the security bulletin and download the patches. Discovery props to Kriptopolis.

444 comments

  1. Re:Web browsers belong in a jail by Anonymous Coward · · Score: 1

    This is a good idea, but sadly probably won't catch on because of the hassles involved and the blow-your-leg-off philosophy of Unix.

    If you read the MS security advisory, you'd see that MS already has a limited version of this implemented in IE for the content you download. If you've set your MS mail reader to "restricted" (recommended), it won't let the messages call local executables or write to the filesystem. Not bulletproof by any means, but something.

  2. Re:How about a poll? by Anonymous Coward · · Score: 1

    * If there's a simple way to do the equivalent of su, it's not widely known.


    The NT4 version is on the resource kit CD. It is widely known because it's practically impossible to manage a NT network without the tools on this CD.

    The NT5 version is built right into the shell and plastered all over the documentation. I suppose Bill Gates could come to your house and move your mouse for you.

  3. Re:Hmm.. by Anonymous Coward · · Score: 1

    You are living on Planet Microsoft where "rich text" is a thing (a specific format read by a specific COM control) and not an idea. HTML mail exists to provide "rich" (meaning "formatted") text to users. Let me pat that sexy MSCE ass for you for knowing the lingo, but MS doesn't own the term "rich text". Let me also smack upside the head for even mentioning Exchange (which this exploit has nothing to do with).

    And that's the problem with the implementation, because nobody asked for Plugins, ActiveX controls, Java applets, frames, external image and sound loading, *arbitrary MIME type loading* and so on in their e-mail. They just wanted a fucking portable way to make things bold or red colored or whatever.

    The solution is to sandbox the whole fucking thing to a greater degree, or better yet, define an XML format for mail messages, including standard classes that can be used for user-controlled CSS. All they need to do is knock heads with Netscape for a bit (just like they did with HTML/MIME), and we'd be rid of HTML mail for good.

    Microsoft has had about 100 exploits due to lack of sandboxing in their HTML mail clients over the years, and I'm just curious when they'll get sick of "Critical Updates" and fix the damn problem.

  4. Re:Web browsers belong in a jail by Anonymous Coward · · Score: 1

    Almost. Web browsers, or anything else for that matter, should not do things behind your back. MS DESIGNED in Behind your Back capabilities, and even sprinkled in a few remote command shell holes, and other silent, don't display stuff. I am still surprised why it does not report at login - you last logged in at time and date followed by tripwire like reports if anything changed. The reason browsers are not jailed is that plain text email/W3C compliant webpages would become prolific once again - that any old os would do - hurting sales. Read the certificate thing again. Hardcoding them into code means that the loss of .net performance is significant. why?, and is it called more than once. I would like the user to be able to extend this list too. a deny all rule would expose, I guess other matters...

  5. I went back to PINE from Microsoft OUTLOOK... by Anonymous Coward · · Score: 1
    ...because in OUTLOOK there was no way of automatically preventing HTML in email from being rendered.

    By putting codes in, say, an IMG tag like this

    IMG SRC=foo.gif?123458343213

    a spammer can know if his email has been received.

    Given this newest security problem, I'm glad I'm a PINE nut!
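An added example, not part of the thread: the check a mail reader can run before rendering HTML mail, listing every image reference that would trigger a fetch and flagging the ones that carry an identifier like the `foo.gif?123458343213` case in the comment above. The sample message, the `example.invalid` hosts, the function names and the "8 or more digits/hex characters" token rule are assumptions made for this example.

```python
"""Audit the image references in HTML mail before anything is rendered."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption for this example: 8 or more digits/hex characters in the query
# string are treated as a per-recipient identifier.
TOKEN_RE = re.compile(r"[0-9A-Fa-f]{8,}")
# References resolved from inside the message itself, with no network fetch.
EMBEDDED_SCHEMES = {"cid", "data"}

# Constructed sample message (addresses and hosts are placeholders).
SAMPLE = """\
From: sender@example.invalid
To: reader@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain text alternative.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body background="http://img.example.invalid/bg.gif">
<IMG SRC=foo.gif?123458343213>
<img src="cid:logo@example.invalid" alt="attached logo">
<img src="http://img.example.invalid/open.gif?u=00a1b2c3d4e5">
</body></html>
--b1--
"""


class ImageAudit(HTMLParser):
    """Collect every image reference a renderer would have to resolve."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.refs.append(attrs["src"].strip())
        if attrs.get("background"):  # <body background=...>, <table background=...>
            self.refs.append(attrs["background"].strip())


def classify(ref):
    """Decide whether a reference needs a fetch and whether it carries a token."""
    try:
        parts = urlsplit(ref)
    except ValueError:
        # Unparseable reference: treat it as something that would be fetched.
        return {"ref": ref, "fetch": True, "token": False}
    if parts.scheme.lower() in EMBEDDED_SCHEMES:
        return {"ref": ref, "fetch": False, "token": False}
    # Anything else (absolute, scheme-relative or relative) leaves the message.
    return {"ref": ref, "fetch": True, "token": bool(TOKEN_RE.search(parts.query))}


def audit_message(raw):
    """Return one finding per image reference in every text/html part."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImageAudit()
        parser.feed(part.get_content())
        parser.close()
        findings.extend(classify(ref) for ref in parser.refs)
    return findings


def may_render_images(findings):
    """Images are safe to show only if none of them requires a fetch."""
    return not any(f["fetch"] for f in findings)


if __name__ == "__main__":
    results = audit_message(SAMPLE)
    for finding in results:
        print(finding)
    print("render images:", may_render_images(results))
```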

  6. Re:Hmm.. by Anonymous Coward · · Score: 2

    This is exactly how the white hat in question (Juan Carlos Cuartango) operates. MS had plenty of warning.

    Cuartango, BTW, is probably the number one white hat working on IE and HTML Mail issues, and he's gone public a number of times when MS was unresponsive. Quite a few of his warnings have turned into real exploits.

    Microsoft, of course, is just fixing the potholes. They really need to go back and re-evaluate their implementation of Rich Text (HTML) e-mail from the ground up.

    And for anyone crowing about Netscape/Mozilla -- Don't forget that Netscape 4 has had numerous mail exploits, just that Netscape doesn't release "Security Bulletins", they release .01 version bumps with missing release notes. I don't think there's been any major Mozilla holes discovered, but it's not 1.0 yet, so the white hats are probably sitting on their hands for now.

  7. Recipe of disaster by Anonymous Coward · · Score: 4

    Just think of the following scheme: (If I understood correctly, it should be possible to create the following worm)

    1) Send this worm to everyone in the address book using the randomly taken subject from the your previous emails.
    2) Install timebomb into computer, which deletes all the files after few days
    3) Send all your previously written emails to random recipients taken from the address book.

    Worm would spread like a wildfire as the message does not look suspicious (it comes from a known sender and the subject is reasonable as it has been used before by the sender). As no questions are asked from the user - all the outlook users reading the message would be affected.

    Worm would be totally destructive, as all the files would be deleted.

    Probably most damage would be done by sending the previous communication to random recipient. Just look into your sent messages folder and imagine what would happen if you would send the messages to random recipients taken from your address book.

    Do you still have the guts to use Windows/IE/Outlook ?

    1. Re:Recipe of disaster by keesh · · Score: 2

      IIRC, you can use VBScript to attach stuff onto genuine sent messages after the exe has run for the first time. Then it will be absolutely genuine email. Imagine a mailing list with this...

    2. Re:Recipe of disaster by LuckyLuke58 · · Score: 1

      I think your recipe is slightly flawed. If it sends to "everyone in the address book", it is very likely to get noticed very very quickly. Thus people would have ample time to react, given the "few days" indicated in (2). I would design it to only e-mail a small number of people in the address book.

      For similar reasons to above, I would eliminate 3, as it would raise alarm bells straight away. It would literally be international news before the "few days" had even passed. Rather keep the worm as quiet and subtle as possible, so that most victims aren't even aware when it comes time for the payload to be activated.

  8. So um... by Wakko+Warner · · Score: 3
    When is there gonna be a software Lemon Law? A car can explode and kill or injure its occupants, but when a piece of software running mission-critical software breaks (or is broken), it can cost money, time, or, in the most severe case, lives. When will software companies be held responsible for the most egregious of errors, and would something like this be considered just that?

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:So um... by Your+Anus · · Score: 1

      Nope! And you can thank UCITA for that!

      --

      In the USA, we like stuff watered down, like beer, television, and freedom.
  9. Why would I want to download that? by Brian+Knotts · · Score: 2
    I like the way the editors no longer ever pretend that the vast majority of readers on this site aren't running Windows.

    Well, I don't like the reality behind that, simply because of what has happened to the comments as a result.

    Believe it or not, at one time, that wasn't the case.

    But it's funny, in a pitiful sort of way, anyhow.

    1. Re:Why would I want to download that? by jamiemccarthy · · Score: 2
      "I like the way the editors no longer ever pretend that the vast majority of readers on this site aren't running Windows. ... Believe it or not, at one time, that wasn't the case."

      The majority of readers have been running Windows ever since I've been reading Slashdot. At least, the readers I've met. The best games have always run on Windows and no self-respecting Slashdotter would be caught dead being unable to dual-boot into deathmatch heaven.

      But then, the majority of readers have always been saying "Slashdot was much better back in the day," so, you're upholding a proud tradition. Carry on!

      Jamie McCarthy

      --

      Jamie McCarthy
      jamie.mccarthy.vg

    2. Re:Why would I want to download that? by Dwonis · · Score: 2

      FPS games are much more fun on a LAN with 8 or more of your friends. Single-player FPS games are boring, as are network games with a small number of players you can't yell across the room at.
      --------
      Genius dies of the same blow that destroys liberty.

    3. Re:Why would I want to download that? by Darby · · Score: 1

      The best games have always run on Windows...
      Not counting some console games, sure, but the worst games run on windows as well. At least 90% of all games suck ass.

      ...no self-respecting Slashdotter would be caught dead being unable to dual-boot into deathmatch heaven.

      Actually I have a lot of self respect and I can't stand first person shooters at all. Nothing against anyone who does. I just think they're totally lame.
      For my real time strategy needs I dual boot into MacOS thanks very much for playing.

      ---CONFLICT!!---

  10. Netscape *did* get revenue by hawk · · Score: 2

    There was a revenue stream, and netscape did have to adjust to that. I always thought that it was pretty clear that they didn't care about the $30 from end users--they were making their main money off server software, which needed the browsers out there. However, they *did* get paid by OEM's who included netscape.

    1. Re:Netscape *did* get revenue by hawk · · Score: 2
      >So I'm not sure I get the point... what does selling/giving away their
      >browser have to do with selling their server software


      Mosaic, lynx, and www at the time didn't support things netscape
      wanted to serve. They needed that kind of browser out there in people's
      hands, or there was no point in anyone buying their servers.


      hawk

    2. Re:Netscape *did* get revenue by clontzman · · Score: 1
      So I'm not sure I get the point... what does selling/giving away their browser have to do with selling their server software? If they really don't care whose client was accessing the server, what difference does it make? And they still sell server software, so if they don't care about the money from the clients, what are we talking about?

      As for the OEM issue, that's an adjustment I guess they had to make, but we're not talking about the difference between their business surviving and not surviving there.

      Fact is, Netscape created the situation (giving away the browser) that ultimately they blamed on MS. If they had a good, slim, up-to-date browser (a la Opera), they could still sell it. They don't, so they can't.

  11. Re:Inaccurate by jafac · · Score: 2

    I don't know what the deal is with my particular system;

    Win2k Pro, SP1, Dell PE1300 P III 600MHz 256meg RAM -
    But ever since I loaded IE 5.5, it's actually SLOWER to launch than Netscape 4.73. I don't mind the crashes all that much anymore.
    (this problem also affects Word; so much for wonderful "shared libraries")

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  12. M$ finally owns up - sort of by pedro · · Score: 1

    I have to admit one thing about the M$ link provided:
    It would seem that someone with a semblance of Clue(tm) wrote it.
    The Q&A format is one that I've never seen before. An actual admittance of responsibility for, and meager explanation of, their role in the propagation of these sort of virii.
    In Court, this could prove dangerous, liability wise, and doubtlessly was vetted endlessly by their lawyers.
    The very fact that it appears at *all* is truly amazing to me.

    --
    Brak: What's THAT?
    Thundercleese: A light switch.. of TOTAL DEVASTATION!
  13. Re:Hmm.. by Mark+Hood · · Score: 1
    All well and good the fix is out. I run Win98, IE 5.5 SP1. I just downloaded & installed the patch.

    Why wasn't it on Windows Update? Why didn't the 'ever so clever' Critical Update Notification tell me about this?

    Surely if I download an application from MS that claims to tell me about any new patches required for system security, it should do just that? And even if it was missed, why doesn't Windows Update tell me?

    At first I thought I might already have it, but Help->About didn't list it as loaded & since it installed I assume it wasn't already present.

    Kudos to MS for fixing it so quick. Raspberries that I had to find out from /. (of all places).

    And don't get me started on why I had to reboot my PC to 'make the changes take effect'.
    --
    Keeper of the Wedding Shenanigans Home Page

    --
    Liked this comment? Why not buy me something nice
  14. Re:Not Suprising by sheldon · · Score: 2

    Sniff...

    You don't like me. :(

    I feel really hurt.

    Boo Hoo.

  15. Re:Not Suprising by sheldon · · Score: 2

    Boo hoo.

    You don't like me either. :(

    [Obviously you're someone who can't appreciate sarcasm :)]

  16. Re:SP2 by Mihg · · Score: 1
    Special note of warning, the website has been more messed up than usual over the past few days

    Yeah, I just installed the latest IE security updates on my parents computer. One of them (the so-called "VeriSign fix") was dated April 2. Which is a bit odd, considering today is March 29.

    New math?

  17. Re:IE's OS integration by Mihg · · Score: 1

    Mozilla implements (most, all the relevant bits anyway) of the IWebBrowser2 interface, making it a drop in replacement for IE.

    However, in order to use Mozilla instead of IE, you have to do a binary patch to every single program that uses the IE control in order to make it use Mozilla instead. (All you need to do is change 16 bytes.)

    If Microsoft had created a standard method of defining which CLSID (class ID) to use to create an object that supports the IWebBrowser2 IID (interface ID) (for instance, by storing browser name and CLSID key pairs in the registry and providing a control panel to change which one is the default), it would be trivially easy for the user to choose which web browser they wanted to use and for a program to use that web browser to display content.

  18. Re:IE's OS integration by Mihg · · Score: 1
    Also, I think the plan is to replace gtkhtml with gtkhtml2. Mozilla is too damn huge!

    Mozilla the comprehensive internet client is huge (24 MB on Linux, last time I checked. Which is tiny compared to IE.). However, if you get rid of the mail/news client, HTML editor and themes, it shrinks in size.

    Besides, I would prefer a rendering engine capable of doing all of the relevant standards (HTML4, CSS, CSS2, DOM2, XML, MathML, XSL, etc.) mostly correctly and pretty quickly at that. However, I have no idea how well gtkhtml2 supports the standards or displays content.

  19. Re:IE's OS integration by Mihg · · Score: 1

    The Mozilla ActiveX Project has been around for quite awhile. As to when exactly, I don't know.

    Unfortunately, you can't just replace the IE DLLs with a compatible Mozilla implementation. Mozilla is just a web browser/email client/etc. while IE is the whole OS shell, and its DLLs do more than provide web browsing services.

  20. IE's OS integration by Mihg · · Score: 3

    I find it odd that people are bashing MS because so many programs are using IE to render HTML.

    Think about it. There is a standard way for any program to render HTML in a window. Instead of everyone reinventing the wheel, all a programmer has to do is create a COM object and display it in a window.

    Of course, the average Slashdotter is using this as evidence that Microsoft is the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

    Modularity is good. Standard ways of doing things is good. Code reuse is good.

    Now, the fact that there is absolutely no way to replace IE with your web browser of choice is evil (despite the fact that email clients, HTML editors, conferencing software and whatever else can be easily replaced) and the fact that Microsoft is terminally unable to write a program that doesn't serve as a speedy means of either crashing the OS or inviting in unwanted network guests is also evil. So they are the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

    On a side note, GNOME is doing the same thing. Any program can use gtkhtml to render HTML in a window. Evolution is using it to display email messages (sound familiar?), Red Carpet uses it for UI, and GNOME Help uses it to render content. IIRC, the plan is to eventually replace gtkhtml with Mozilla (which does a much better job of complying to standards and rendering documents than gtkhtml).

    1. Re:IE's OS integration by Detritus · · Score: 1
      So they are the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

      It's a start.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:IE's OS integration by RossyB · · Score: 1

      On a side note, GNOME is doing the same thing. Any program can use gtkhtml to render HTML in a window. Evolution is using it to display email messages (sound familiar?), Red Carpet uses it for UI, and GNOME Help uses it to render content. IIRC, the plan is to eventually replace gtkhtml with Mozilla (which does a much better job of complying to standards and rendering documents than gtkhtml).

      There is one difference between re-using IE and re-using gtkhtml. When you re-use IE you get JavaScript and all of the security holes which come with it, and VBScript and the magical FileSystem objects. Thanks. With gtkhtml you get a HTML viewer. No scripts, no FileSystem objects. Hey, Evolution even refuses to go online to get images as they are normally only used by spammers to track email addresses ("correct" html mail also attaches the images).

      Also, I think the plan is to replace gtkhtml with gtkhtml2. Mozilla is too damn huge!

    3. Re:IE's OS integration by weave · · Score: 3
      I disagree with almost all of you. Having HTML-rendering code available as an API for all programs to invoke if needed is not a bad thing. The problem here is the crap that comes along with that, and the numero uno biggy is Active X.

      When Active X was first announced, all security-minded folks heaved, sighed, and worried. "Download native code with full privs and it runs on my box?" Microsoft assured everyone that it wasn't a problem cause all code would be signed and you could limit what gets run on your box.

      As history has shown, this promise has failed. We've had hacks exploiting weak Microsoft-supplied active X controls, Active X controls that come with Windows (and hence already installed) with problems that get exploited (hence no prompting), and bogus verisign certs that appear to come from Microsoft and problems revoking it. And finally, just plain stupid users who will press OK on any dialog box that comes their way...

      So it's not the bundling of an HTML rendering engine that bothers me, it's the crap that comes with it.

      BTW, on my windows boxen, I just set the option for active x code and scripting to "prompt" instead of enable or disable. It can be a pain at times, but unless I'm doing something like visiting the Windows update site, I usually deny any active x invocations on almost all web sites I visit.

    4. Re:IE's OS integration by BradleyUffner · · Score: 1

      I'm sure netscape is making their browser to "help others" too, they don't care about money at all.

    5. Re:IE's OS integration by cyber-vandal · · Score: 2

      I find it odd that people are bashing MS because so many programs are using IE to render HTML.

      Because there's no easy way of using another program and because Microsoft did it to put Netscape out of business, not to help users.

    6. Re:IE's OS integration by cyber-vandal · · Score: 2

      So where is this mythical COM object that replaces the IE rendering engine and whatever other stuff that's part of the OS. I doubt it's that simple or Netscape would have done it.

    7. Re:IE's OS integration by clare-ents · · Score: 2

      "
      Any program can use gtkhtml to render HTML in a window.
      "

      gtkhtml doesn't run as an OS service and by default isn't allowed to overwrite your kernel, disk partitions etc. etc. etc.

      If an execute arbitrary code bug was found in gtkhtml it would compromise user security - not system security. Whilst this is bad it's not a remote root exploit like the IE bug is.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    8. Re:IE's OS integration by clare-ents · · Score: 2

      However, several applications fail to work unless run as local administrator under Win NT. Under NT you can't type su and then become an administrator to install a new piece of software - no - it's log off - log on - log off - log on time.

      Anyway, there is a ridiculous number of user-privilege escalation bugs under NT anyway, this converts any 'Administrator Access' bug into a 'Remote Administrator Access' bug.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    9. Re:IE's OS integration by Ergo2000 · · Score: 1

      Microsoft did it to put Netscape out of business, not to help users

      Don't fault Microsoft for making an actual modern component based system out of IE, and trying to pretend that it wasn't to benefit the user and developers is just sad.

    10. Re:IE's OS integration by MidnightLog · · Score: 1

      So it's not the bundling of an HTML rendering engine that bothers me, it's the crap that comes with it.
      I agree. I have only looked into using the IE COM Objects a couple of times, so I could be wrong, but they seem to do too much. Let's say I wanted to create a browser for Win32 platforms using Delphi. The point of this new browser would be to be more secure than IE itself (mostly by limiting features). At a minimum I would like to use different security settings than IE normally does and filter what types of objects are retrieved from the network. It doesn't look like you can do either of these things with the IE objects. Or maybe I just didn't look hard enough.

      BTW, on my windows boxen, I just set the option for active x code and scripting to "prompt" instead of enable or disable. It can be a pain at times, but unless I'm doing something like visiting the Windows update site, I usually deny any active x invocations on almost all web sites I visit.
      For me, I set most of the ActiveX options to disable. Unfortunately, when I visit a site that uses ActiveX, I see a dialog warning me that the page may not display properly because I have disabled ActiveX controls. This can also be a pain. I guess it's time to look into Opera again.
      --

      To understand what's right and wrong, the lawyers work in shifts ...

    11. Re:IE's OS integration by Ayende+Rahien · · Score: 1

      > Now, the fact that there is absolutely no way to replace IE with your web browser of choice is evil

      Are you talking about using another web browser as a user, or from a program?
      The first is no problem, the second depend on several things, one of them is the availability of the other program on the client's computer, the other is 100% similar interface for the program.
      That way, you could just change the COM calls, and use the rest.
      There is nothing that prevents writing/using such a system.
      And, of course, you can always use another HTML rendering COM object if you want, in your own programs, but using IE as the HTML rendering in so many applications was done because of other reasons.

      It's common, it's good, and it's easy.
      You want to complain, don't complain to MS, complain to the ISV.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    12. Re:IE's OS integration by Ayende+Rahien · · Score: 1

      There are plenty of ways to use another program, the easiest would be to write a COM object and use it.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    13. Re:IE's OS integration by Ayende+Rahien · · Score: 1

      Write a COM object that does everything IE does (hint, Netscape doesn't come near to it), and do it.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    14. Re:IE's OS integration by Ayende+Rahien · · Score: 1

      That is good to know.

      When did Mozilla do it?

      Can't you replace the DLLs themselves?

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
  21. Re:Inaccurate by Grue · · Score: 1

    Let's not joke around. Microsoft saw Netscape as a threat. The ability to run applications in a web browser decreased the value of the MS Operating Systems. Below are key points:

    Microsoft bundled a web browser with its OS. No, MS didn't just bundle some components. It included a complete software application w/ its OS.

    > KDE would have exactly this flaw if the
    > Konquerer component had this flaw and an e-mail
    > reader used the component.

    What is the point of that statement? A would have this flaw if A had this flaw? Well.. yeah. But the point is it doesn't. And even if it did. You have the source. Even more important, you have choice. GNOME? KDE? WIN32?

    This isn't idiotic MS bashing. MS is building us a world where we have no choice but to have security flaws.

    Ugh.. I'll stop MS bashing when MS stops taking advantage of me and other consumers.

    Josh

  22. how times change by bcboy · · Score: 1

    Used to be slashdot was where you'd hang out for discussions with people into free software.

    These days it's one long Microsoft love-fest.

    I wonder if these folk really think they're going to get /. admins to like m$ by incessantly pointing out how great m$ products are. There are thousands of m$-centric sites on the web. Now /. has to be one, too?

    I gave win2K a whirl, when we were given new laptops recently. It's the same old same old. The window manager sucks, and is totally unconfigurable. Re-mapping the keyboard requires building a dll, or paying per-cpu licenses for a program to do it. IE barfs pretty regularly.

    I don't want to become a warez dood just so I can use the freaking keyboard.

    1. Re:how times change by bcboy · · Score: 1

      hehehe. That's pretty funny. Microsoft knows better than I do how I want my UI to work? I don't have to tweak everything in my computer?

      Well, turns out I know better than Microsoft how I want my UI to work. I find Microsoft's window managing to be completely unusable. Window arrangements that I use all the time on X aren't even possible with Microsoft.

      And standard keyboard layouts give me RSI problems. But who am I to avoid nerve damage by using a keyboard layout that's not approved by Microsoft UI gurus? Just some stupid user that thinks he knows what he wants.

      Right.

      Meanwhile, people who have no choice but to use Microsoft are doing crazy things like writing kernel mode code to do key remapping. This is just brain-damaged design.

  23. Re:Not Suprising by johnnyb · · Score: 2
    Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?

    Although it seems kind of contradictory, it's basically the difference between owning a house and renting an apartment. If you own a house, when something breaks, you feel a sense of pride of ownership when you fix it. If you rent an apartment and something breaks, you only can think about how long the stupid manager is taking to fix the problem. That's one of the main reasons that people (me included) like Linux - the pride in ownership.

  24. Re:Ahem. by johnnyb · · Score: 2

    It's not disabling active stuff, you also have to disable downloads, that's right, downloads. Not executables, not active crap, just downloads.

  25. Re:The MS bulliten really annoyed me by Glytch · · Score: 1

    I believe I speak for many casual english speakers when I say this: Fuck proper grammer.

  26. Re:Windows sucks now, eh? by Mongoose · · Score: 1

    What are you trolling for?

    1. Redhat isn't linux.
    2. You never install OS at work you image.
    3. When you rely on signed packages and autoupdates, then false positives will screw you. ( Remember MS has yet to patch the bad verisign certs for users. )
    4. You shouldn't manage the computer you have a qualified IT staff for that. I can setup debian with wine and sawmill to run all the apps our win2k install runs with the same GUI.
    5. Distributions of linux are as tight as default OpenBSD - and you can run scripts to secure most common distros that aren't.
    6. WINE has no effect on linux security as it's a userland process.
    7. There are linux apps that install with clicks and leave a pretty kde and gnome icon for you. I beta test them. =)
    8. Windows ME shouldn't be compared to linux. ME isn't in the same class of OS. Me is just for people that need to run IE and do nothing else.
    9. Using X won't hurt your security on unices.
    10. VBAs are the devil.

  27. Re:Windows sucks now, eh? by Mongoose · · Score: 1

    One thing is network transparent applications, and another is run twice as much software since I can run your apps as well. Also, my SMP isn't locked to a set number of cpus via a marketing team. ^_^

  28. Another bad default by Maserati · · Score: 1
    IE 5.01 SP2 installs Visual Basic Scripting Support by default.

    Somehow I just can't bring myself to leave that box checked.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  29. Re:Select "Custom" button, then the "Advanced", 2 by ansible · · Score: 2

    Well, maybe I am a dumbass, but I didn't know that. I always thought I'd have to find the specific download package, which is not that easy to find from their website.

  30. Easy fix? by cornice · · Score: 1

    Cool. I can attach the patch to an e-mail, modify the mime headers and send to everyone in my company. That should do it...

  31. anyone got details? by orabidoo · · Score: 2

    what are the offending MIME types, so people can block them at the mail server?

    1. Re:anyone got details? by Control6 · · Score: 1

      I don't know the exact details but the example exploits produced by the finder of this hole used
      audio/x-wav

      Although I am sure there are probably many more you could use
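
Added example, not part of the thread or any poster's code: since the reply above notes that `audio/x-wav` is only one of many types that could be used, a mail-server filter can compare each part's declared type against its filename extension instead of blocking one type. The extension list, the function names and the sample messages are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, non-exhaustive list of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
# Top-level media types a mail client may play or render inline.
PASSIVE_MAINTYPES = {"audio", "video", "image", "text"}


def suspicious_parts(raw):
    """Return (declared_type, filename) for every leaf MIME part whose
    passive declared type disagrees with an executable file extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename and falls
        # back to the name parameter of Content-Type.
        filename = part.get_filename() or ""
        # Windows ignores trailing dots and spaces when resolving a name.
        ext = os.path.splitext(filename.rstrip(". ").lower())[1]
        if part.get_content_maintype() in PASSIVE_MAINTYPES and ext in EXECUTABLE_EXTS:
            findings.append((part.get_content_type(), filename))
    return findings


def build_sample(maintype, subtype, filename):
    """Build a constructed test message with one attachment (no real payload)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    msg.add_attachment(b"placeholder bytes", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("audio", "x-wav", "sound.exe"),   # declared audio, executable name
        ("audio", "x-wav", "sound.wav"),   # consistent, not flagged
        ("image", "gif", "pic.gif.scr"),   # double extension
    ]
    for maintype, subtype, name in samples:
        hits = suspicious_parts(build_sample(maintype, subtype, name))
        print(f"{maintype}/{subtype} {name!r}: {'QUARANTINE' if hits else 'pass'}")
```

Parts that honestly declare an executable type are not flagged here; those fall under the server's ordinary attachment policy.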

  32. Re:The MS bulliten really annoyed me by toriver · · Score: 1
    "They", "them", and "their" are grammatically plural

    Bzzt! Check your dictionary again: The pronouns are also legal in singular, though that use diminished over the centuries. It has largely been replaced by "he", "him" and "his", probably because women didn't count when the change occurred: There was no need for a common pronoun for "male or female" because only the male was of any importance. :-P

    Whether you (another pronoun which is the same in singular and plural form) are using singular or plural should be apparent from the sentence's context.

  33. Re:Inaccurate by CoolVibe · · Score: 1
    Blockquoteth the poster:
    When the very functionality of the system is endangered and the user (or in this case the user's data) is laid naked before the world that's a time for a RECALL OF THE PRODUCT MS does this. According to them, they recommend all users install Critical Update Notification for Windows. This is akin to a product recall - when a serious bug comes up they update the Critical Notification records, and everyone running it receives a patch.
    Right, and you *trust* the automatic patch installing? What if I'm at the same subnet that you are on, and I use some hackery with ARP or DNS cache poisoning to convince your host that *MY* machine is the windowsupdate.microsoft.com machine? Well, if I have bad intentions, you're screwed. It relies on host names (a.k.a. DNS and IP numbers). It's insecure.

    I'd rather download patches and check their md5 checksums. Call me paranoid, but it *DOES* matter.

    How do you know that the Microsoft network isn't compromised (they had the odd breakin now and then)? Do you trust them? Why? Because they say so?

    Just remember the microsoft/verisign hassle from last week. No way microsoft will touch my machines. I just don't trust them.
    --
    Slashdot didn't accept your submission? hackerheaven.org will!

  34. Hmm.. by nebby · · Score: 3

    Microsoft already has a fix out. I think this bug was reported today. I'm impressed.

    So many people here always scream that Open Source is better because you don't have to "wait for the service pack" in order to get fixes. Granted, the bug probably would've been found sooner if the source were open, but the fact that there is a fix out already is admirable.

    I think this is going to be another long thread of unwarranted Microsoft bashing. You can bitch about the bugs in IE and its security hazards, but if they get fixed this fast then it really detracts from your argument that Microsoft sucks. There have been security flaws found in Linux with a fix issued and instead of posts saying "Linux sucks, here's yet another security patch I have to add!" they're praising the community for getting a fix out so much faster than Microsoft would have.

    1. Re:Hmm.. by Surak · · Score: 2

      MS had plenty of warning. Obviously. Because it's fixed in IE5.01 SP2. Duh. :)

    2. Re:Hmm.. by mystik · · Score: 1

      Microsoft is so fast, they already have a patch for IE, dated April 2, 2001 http://www.microsoft.com/windows/ie/download/

      --
      Why aren't you encrypting your e-mail?
    3. Re:Hmm.. by Malcontent · · Score: 2

      That seems to be the standard MS response. "See this great feature we advertised heavily, now please turn it off if you want your software to function properly".

      --

      War is necrophilia.

    4. Re:Hmm.. by addaon · · Score: 1

      Yes, a fix is already out. You say this is good. I say you're not nearly paranoid enough for slashdot! All this means is that Microsoft already knew, and they've been using the bug for their own nefarious purposes! But now they've been caught, and they managed to find a way to turn even that to their advantage.

      --

      I've had this sig for three days.
    5. Re:Hmm.. by Darby · · Score: 1

      I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

      I didn't have this happen, but I did read the page before blindly downloading a patch (from MS of all places), so I can say that you do need a patch, but you did download the wrong one.


      ---CONFLICT!!---

    6. Re:Hmm.. by donutello · · Score: 5

      The way these things work is that whoever discovers the bug, if they are a white hat, sends a message to the software manufacturer. Usually it is of the form "Here's the bug, here's what it can do. You have XX days to issue a fix. After XX days I will post this to a security discussion alias with/without also posting the exploit".

      The fact that the bug was reported today does not mean that that is when Microsoft found out about it.

      I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

      --
      Mmmm.. Donuts
    7. Re:Hmm.. by Deluge · · Score: 2
      Dunno about anyone else, but the single fastest way to have a functional machine go belly up, regardless of OS, is to change something willy-nilly, without knowing what it does. Allowing the vendor to have control over what gets patched and when is suicidal and not in the best interest of users.

      Fortunately, aside from the NT4 Service Pack messes, MS has been rather good about providing useful patches for security issues. And when you're dealing with users who should, but don't, and never will have any interest in what security flaws exist on their machines and what can be done to remedy those flaws, putting MS in charge *IS* in the best interest of those users, because at least *SOMEONE* is doing something to protect these people.

      autoinstalling anything, without reading the release notes and taking the time to figure out if you really need the changes, is totally begging for problems. Users like my mom don't stand a chance

      Again, I'd rather have my mom's machine crash because of a bad patch that got automatically DL'd in an attempt to secure the box, than have her personal and business documents/data exposed to some l33t h4x0r who thought her machine might be a fun target.


    8. Re:Hmm.. by puetzk · · Score: 2

      afaik, this bug has been actively exploited for at least a week or more - there was a link being broadly crossposted in the diablo2 forums that led to a page which tried it (or something very like it, but I suspect the same hole) and passively installed a trojan.

      So if it's the same bug, I saw attempts to exploit it a week or more ago, and I think the posts were older than that. Still nice that they admitted it and fixed it though.

      --
      The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
    9. Re:Hmm.. by BradleyUffner · · Score: 1
      There is absolutely no way my mom would EVER know about this problem. No way at all. There are MILLIONS of people out there and will continue to be for some time the same MILLIONS that are have and use versions of IE that have this problem.

      So you don't plan on telling her? Bad son! BAD! There are ways for every windows 98/2000 user to know about this, it's called windows update. It's so easy even my mom found out what it was without even asking me, and I still have to explain to her what a path is when she wants to save files someplace other than the default.
      =\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\ =\=\=\=\=\
    10. Re:Hmm.. by n-baxley · · Score: 1


      Caveats:
      If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.


      So let me get this straight. They have bugs in their patches?! I'm sorry, I need to sit down, this is just too funny.

      Nate

    11. Re:Hmm.. by n-baxley · · Score: 1

      The fact that they got the fix out so quickly means one of two things. A.) the fix was extremely simple and that says to me that they should have caught it before it went out. B.) They've known about the error for some time and already had the fix prepared which is even worse since they should have told us about it before now.

      Nate

    12. Re:Hmm.. by Perx · · Score: 3

      Read the 'Caveats' section on this page.

    13. Re:Hmm.. by oliphaunt · · Score: 1

      Yeah, the patch is out. But how many Joe AOLusers are going to hear about this, download the patch, and install it?

      Good thing Windows will automatically search the net for updates, and tell you when you need to upgrade! Isn't MS trying to develop XP so that you don't even need to give it permission to install patches? That's just what the world needs- software that fixes itself without you knowing about it!

      OK, build web page with fake "U N33D Windoze Update. Download now?" popup dialog, check. AOL users everywhere download my latest malware, check. Installed malware redirects automatic WinXP update query to my 3l337 h4X0R 53Rv3R, which TAKES OVER WINDOWS and then, uhh, does, uhh, whatever it is you, uhh, do with someone's windows box j00 just 0wn3d. Like install BeOS.

      --
      Humpty Dumpty was pushed.
    14. Re:Hmm.. by Chagrin · · Score: 2
      • Microsoft already has a fix out. I think this bug was reported today. I'm impressed.
      You think wrongly. See http://www.microsoft.com/technet/security/bulletin/MS01-020.asp:

      • Acknowledgments

        Microsoft thanks Juan Carlos Cuartango (http://www.kriptopolis.com) for reporting this issue to us and working with us to protect customers.

      And furthermore from: http://www.microsoft.com/technet/security/bulletin/policy.asp:
      • When you see a security professional acknowledged in a Microsoft Security Bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the patch, and helped us disseminate information about it once the threat was eliminated.
      Other comments on this article have noted that the patch was included in IE SP2 which was released on March 6th. This is quite wonderful; now your common cracker knows to dissect Microsoft patches very carefully to find out what exploits they can learn before the exploit is ever announced. I am quite unimpressed with this policy.
      --

      I/O Error G-17: Aborting Installation

    15. Re:Hmm.. by jedwards · · Score: 2

      The fix for this security hole is in IE 5.01 service pack 2.
      SP2 was released on March 6th. MS have known for a while.

    16. Re:Hmm.. by f5426 · · Score: 1

      * This user has donated to the EFF and written his congressman.

      You would have had much bigger influence if you only wrote to the EFF and donated to your congressman.


    17. Re:Hmm.. by f5426 · · Score: 3

      > Does anyone really think that the internet would be growing this fast if it weren't for MS.

      You mean, if Microsoft did not consider Internet un-important and tried to promote their own non-internet MSN service instead in Windows 95 A ?

      You need to stop believing the bullshit redmond throws at you. Microsoft have been surprised by internet, under-estimated the phenomenon, and tried (and failed) to control it. Now they want to make you believe that credit is due, while they did their best to slow it down.

      The only credit Microsoft have is the very impressive turnaround they did in 1996-98. I would never have believed that such a big company could react that fast.

      Cheers,

      --fred


    18. Re:Hmm.. by greggle · · Score: 1

      I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

      Hmmm... me too. The scary part is I just reinstalled Windows ME after reducing my windows partition to give my linux more breathing room. I was online for a while ... perhaps it did an automatic update?

      gregg

      --
      Work Hard, Rock Hard, Eat Hard, Sleep Hard, Grow Big, Wear Glasses if You Need 'Em.
    19. Re:Hmm.. by cyber-vandal · · Score: 2

      Ummm, how would a BIND exploit affect a desktop user? You can't talk about BIND and sendmail exploits in the same way as IE exploits because the former affects servers and the latter affects desktop users. Anyone who gets caught out by BIND or sendmail problems only has themself to blame as there are superior alternatives out there, however you can't get rid of IE.

    20. Re:Hmm.. by innocent_white_lamb · · Score: 2

      I find it interesting that Microsoft seems to be unable to determine what version of IE is on a particular system. "This patch is not needed" when it's the incorrect version of the patch that's being executed? Talk about misleading (and false sense of security).

      --
      If you're a zombie and you know it, bite your friend!
    21. Re:Hmm.. by brad3378 · · Score: 1


      Your comment is misleading. According to This Microsoft bulletin There is only a patch for the problem on the 5.1 browser. We can only assume that 5.5 will be fixed later.

      Would you care to share your source that claims that there is a fix? You might earn some honest Karma if you can.

      Also, would anyone like to comment on if/how this affects Solaris and Mac versions?

    22. Re:Hmm.. by Ho-Lee-Cow! · · Score: 1
      This is exactly why Microsoft has "Critical Update Notification" for Win98, ME, 2k. Every time a security update comes out you are notified, and asked if you want to install it.

      Dunno about anyone else, but the single fastest way to have a functional machine go belly up, regardless of OS, is to change something willy-nilly, without knowing what it does. Allowing the vendor to have control over what gets patched and when is suicidal and not in the best interest of users. Placing blind faith that M$ has your best interests at heart and that their patches even work right, is a disaster waiting to happen. M$ thinks their customers are stupid, worthless sources of revenue--they don't give a crap about anyone but their shareholders.

      But even more important, in an age where we need people to RTFM, autoinstalling anything, without reading the release notes and taking the time to figure out if you really need the changes, is totally begging for problems. Users like my mom don't stand a chance--the smart ones call tech support, or their geeky kids before they make changes.

      --
      In space, no one can hear you moo.
    23. Re:Hmm.. by CowbertPrime · · Score: 1

      you need to upgrade to either IE 5.01 SP1 or IE 5.5 SP1 (make sure that they are SP1). If you are running IE 5.01 SP2, you are safe.

    24. Re:Hmm.. by tswinzig · · Score: 2

      I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

      Are you sure you weren't at micr0s0ft.com?

      --

      "And like that ... he's gone."
    25. Re:Hmm.. by Auckerman · · Score: 2
      "You can bitch about the bugs in IE and its security hazards, but if they get fixed this fast then it really detracts from your argument that Microsoft sucks"

      There is absolutely no way my mom would EVER know about this problem. No way at all. There are MILLIONS of people out there and will continue to be for some time the same MILLIONS that are have and use versions of IE that have this problem.

      With .NET around the corner, one can only come to the conclusion that it will be even worse since obviously Verisign has been socially engineered, MS has made this kind of mistake, and people are not educated enough to use and update technology. With MS controlling how people see the internet, we are about to enter the world of mystical sci-fi where code can be run remotely on anyone's machine, viruses are spread merely by downloading an email, and people can just enter someone else's machine when they are connected to the internet.

      Oh wait, we are already there.

      So, with all due respect, MS does suck. They are the ONLY company that ships an OS that has the "undocumented feature" that allows web pages to run code on people's machines. My Macs have NEVER had this problem. My BeOS box has never had this problem. I can think of no other OS that has had this problem, except the "innovative" Microsoft.

      --

      Burn Hollywood Burn
    26. Re:Hmm.. by Sinistar2k · · Score: 1
      The fix is in IE 5.01 SP2, which was released over a week ago, so this wasn't a "reported and fixed in one day" kind of thing.

      In other words, they knew about it, fixed it, tested the new SP, released it, and are just NOW telling people about it.

      So, Microsoft still sucks. :)

      -- Sinistar

    27. Re:Hmm.. by stretch_jc · · Score: 1

      Sure BIND and sendmail are 'server' tools but many linux distros install them by default even when a desktop install is selected. We were talking about Auckerman's mom and how she would never find out about these exploits, let's see her find out about those bugs on her redhat box? I'm pretty sure she couldn't fix them. The issue isn't server or desktop, it's 'power user' vs. 'average joe'

    28. Re:Hmm.. by stretch_jc · · Score: 2

      There is absolutely no way my mom would EVER know about this problem. This is exactly why Microsoft has "Critical Update Notification" for Win98, ME, 2k. Every time a security update comes out you are notified, and asked if you want to install it. My copy of Redhat 7.0 has never popped up with a warning that new exploits to BIND have been found, so unless I manually check for updates they are never installed.

    29. Re:Hmm.. by df1m · · Score: 1

      Do you even understand why the net "used by a bunch of universities and the military"? (Hint: non-commercial). And MS was still sleeping when the net started to explode in usage.
      Where was Linux? When the hell did you get net access?
      As for ease of installation, the "average user" won't be able to install Windows on a new machine either. No, an easier install won't help, Linux is very easy to install already - sometimes much easier to install than Windows, sometimes not.
      Most times I've installed to a machine in the past couple of years, Linux has been easier. The last install I did at home, though, both sucked big time:
      Linux: doesn't support my SCSI card out of the box, so put an IDE drive in, install, patch kernel, move to real drives.
      Windows: doesn't support my SCSI card properly, for some reason only sees one controller, bitch and moan for hours while going to Linux to download driver X and put it on a hard drive (no CDROM according to Windows), finally manage to get the CDROM and such recognized, give up on the fast drives - hell, Windows can't use them properly anyhow.

    30. Re:Hmm.. by df1m · · Score: 1

      Sorry if you got the impression that I was saying Linux was behind the internet back then. I certainly didn't mean it. Heck, I was using OS9 and XENIX to access back then. What made the difference was allowing commercial use (Yeah! No more begging for a UUCP feed when I move! Awesome! now *companies* can actually *sell* me access!)
      As for the reason you give in the first paragraph for Linux's popularity, I agree completely. That's the reason I got it, and upgraded to more recent hardware, I finally could get a UNIX work-alike for far under $1000.

      - dave f.

    31. Re:Hmm.. by jotaeleemeese · · Score: 1

      Only a 10 year old person would utter such nonsense.

      Go and read something about computing history, since you obviously did not have the privilege of seeing things happening.

      Perhaps MS popularized the concept of ease of use (they did not invent it) and perhaps MS now wants to own the internet (they did not see it coming, the "visionary" Billy Boy wrote his infamous book "The road ahead" and Internet was not in his sight).

      --
      IANAL but write like a drunk one.
    32. Re:Hmm.. by jotaeleemeese · · Score: 1

      So let's see here... MS is bad and linux is good.

      I did not say that. What I said is that your knowledge of computing history is not good enough.

      Ok I may be young but where was the internet before MS? It was used by a bunch of universities and the military.

      Wrong. By 1994 there were plenty of companies using the Internet (email, ftp, gopher services) and Mosaic was giving access to many people all around the world to the Web. All this in spite of MS strategy to launch a proprietary, AOL-like, service known as MSN that same year.

      When the tide was unstoppable MS changed direction, and they did so remarkably well, but the popularity of the Web was not due to MS but to Mosaic and e-mail. MS happened to produce Windows, but windows (3.x) had to be configured with extra software to make it TCP/IP aware. W95 (95!) was the first MS product with some degree of TCP/IP support and thus Internet capable. By then the Internet was perfectly established and growing at tremendous rates all around the World.

      So sorry but you are wrong: MS did not popularize the Internet, the Internet was so popular that MS machines were adapted to use it.

      But if it were not for MS I guarantee that the net would not be as popular as it is now.

      You are deluding yourself. The Internet was so popular that MS was forced by reality to pay attention to it. There was no need for MS browser, there were plenty of non MS script languages, non MS techniques for providing Web services (CGI,php, etc), non MS ways to extend content (plug-ins).

      So can you tell us what did MS do that helped spread the Internet? I am terribly curious about it, honest, because I am sure that would be new knowledge to all the Internet community, MS included.

      --
      IANAL but write like a drunk one.
    33. Re:Hmm.. by rgarcia · · Score: 1

      I got the same message running NT4.0 Workstation, IE5.5.

      --

      I couldn't fail to disagree with you less.

    34. Re:Hmm.. by DarenN · · Score: 1

      Yes, hmmmm.... Amazing, isn't it that a patch can be written, tested and released soooo quickly.

      Just a little sussed to me. Is it possible that this problem was discovered before release, but was left on the grounds that fixing it would delay the release date? So the release goes ahead, but the patch is written to be added later, in a service pack. People have been accusing M$ of building in bugs so that people feel they _have_ to upgrade for _years_.

      Just because you're paranoid doesn't mean they're not out to get you :o)

      --
      Rational thought is the only true freedom
    35. Re:Hmm.. by alex_siufy · · Score: 1

      Where was Linux? Quite simply, powering and serving Internet pages for all the moronic MS trolls like you.

      You're just simply wrong in believing Microsoft brought ease of use to the net. Macs had browsers and easier connecting options way before Windows (Winsock anyone?).

      If anything, Microsoft hindered the development of the Internet, with its own proprietary extensions and late-coming browser, which is now known for opening a huge hole in people's computer (which is, btw, the topic of this thread).

    36. Re:Hmm.. by slaida1 · · Score: 1
      I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited.

      Maybe this is the workings of that dude with stolen MS Certificates.. Which means your box is bound to run his code whether you install this "update" or not.
      :p

      --
      Preserve old classics: copy your collection onto all hard drives.
  35. Re:I don't get it... by Detritus · · Score: 2
    Why does integration with the OS automatically give an attacker full access to your machine?

    Because Windows 95/98/ME has no concept of security, all code has full access to the machine. Even with Windows NT/2000, many users run under accounts with Administrator privileges, due to the large amount of broken software that doesn't work properly when run under an account with User privileges.

    --
    Mea navis aericumbens anguillis abundat
  36. .NET is already dead by Aphelion · · Score: 1

    All these "remote root" exploits are all starting to be a blur when it comes to Internet Explorer or Microsoft in general. Who ever gave them the idea to make Internet software? Couldn't they just stick to insecure operating systems?

    I just don't see how you can knowingly dig your own grave by providing ubiquitous, essential e-mail and web browsing software and then widely propagating its lack of security. Why does an e-mail program have the ability to do anything to my system except write a data file with my e-mails?

    I can only imagine .NET.

    1. Re:.NET is already dead by Darth+Turbogeek · · Score: 1

      Quote - I can only imagine .NET

      Oh god. Not another reason to avoid .NET like a dose of the clap. Shhhh, don't be saying that. Some of the PHB that have been trained to think M$ only might actually start thinking for themselves and see just why .NET is such a bad idea. The thought of the systems first owned by MS then by some script kiddie ain't conducive to good sleep by any self respecting sys admin

      --
      "Old Rallydrivers never die - they just fail to book in on time"
    2. Re:.NET is already dead by Quazion · · Score: 1

      Don't underestimate the brainwashing powers of Microsoft! they will create they will distribute, and they will use it. And everyone will take for granted that every scriptkiddie can delete all your files who cares, you just reboot..

  37. Re:I've Got a Security Patch For This by An+Ominous+Coward · · Score: 1

    Linux is a toy operating system, so it isn't expected to be secure. I'm pretty sure that was his point.

  38. Re:Inaccurate by mcc · · Score: 1
    Well, i would like to note that complexity and difficulty are not the same thing, but:


    OK. My apologies. :)


    I was somewhat confused as to the exact functionings of BIND at the time of the making of my post, and those initial comments were more than likely plain wrong. -_- However i think if you just delete everything before the words "despite this", or at least the stuff before "the important thing though" from my post, the rest is, umm, fairly important. Or something.


    I would go into a long rant here about my personal belief that unwieldiness of Mozilla (yes, i've poked the code) and MSIE and such are due to the fact that they are less than excellently thought out and designed attempts to create unreasonably monolithic applications, NOT because the nature of a web browser DEMANDS it be bloated .. but that would be offtopic, and i am not of such skill i could tell you how to do such a program CORRECTLY -_-

  39. Re:Inaccurate by mcc · · Score: 1
    Heh. The last one sounds really funny. Hadn't heard about that one. So that leaves the score at what? Netscape: One arbitrary code execution bug, one hard drive access bug. MSIE: At LEAST two arbitrary code execution bugs (that i can remember), and at least two hard drive access bugs (that i can remember). Umm.. hmm. Maybe we should start putting together some kind of official scorecard or timeline or something of this stuff ^_^ would be interesting to look at..

    No, i did not mean to imply that Netscape has a perfect track record. Upon re-reading i realize that that was what i SAID, but i did not mean to; i must blame the hour of the morning and the fact that i am a massive tool for this occurrence. The general gist of the garbled thought behind my posting was that Netscape bugs i remembered hearing about from time to time ; ie bugs i remembered hearing about *on a regular basis.* I thank you for bringing some objectivity to all this :)

    Moderators: as of this writing, Ayende Rahien's informative post here is at score: 1, and my toss-off post he is replying to is at score: 3. WHAT ARE YOU SMOKING.

  40. Re:Inaccurate by mcc · · Score: 1
    Or rather, three interlocking application platforms, each akin to little OSes: the clumsy javascript/vbscript/html access, the java engine hooked in at the side, and the port going out the back to ActiveX where most of the TROUBLE! (OHH YESSS WE GOT TROUBLLE!!) seems to be coming from. This thing is a MESS, and while it's easy to understand how someone having to cover THIS much material could make a sloppy job of it, that doesn't make it *OK*. PUT SOME THOUGHT INTO YOUR GODDAMN SOFTWARE.

    W3c, thy art dead.

  41. Re:Inaccurate by mcc · · Score: 1
    There was at one point a case of a public web site which for a time (until their DNS provider threatened to take away service) contained some activex or javascript code thing which caused-- if you visited the web page on a Windows NT machine-- FOR THE OPERATING SYSTEM KERNEL TO BE OVERWRITTEN WITH AN EMPTY FILE, requiring a reinstall of the entire system. There were multiple cases of sysadmins who just happened to be web browsing on production machines (stupid idea anyway) and subsequently had to go down for hours to reinstall NT and all the service packs.

    I seem to remember that this would happen even if the user was not an administrator, however this detail seems EXTREMELY unlikely and i probably imagined it. It was called monkeybagel.com or something. I can't find it anymore. I did find this:

    http://www.zdnet.co.uk/news/1999/35/ns-9701.html

  42. Re:Joys of non-competition by mcc · · Score: 2
    > and you somehow reached the conclusion that it is MS' fault that all the other browsers aren't as good, right?

    You could make that case, very easily. Think: if not for Microsoft, it would still today be realistic to charge money for a web browser. Meaning it would be possible for a web browser to exist on its own terms, with SERIOUS resources devoted to their development, rather than the current situation where the major browsers must squeak by with either hand-outs from a massive corporation who are only developing the browser as a political tool, or beg (unsucessfully) for money and developers from passerby.

    I don't know if it necessarily follows from this that MS was acting in an immoral fashion by leveraging its huge pool of resources to drive everyone serious out of the browser market, but you can CERTAINLY make a good case that it is "MS' fault that all the other browsers aren't as good"..

  43. Re:Inaccurate by mcc · · Score: 3
    I would say two things: first off, Creating something like BIND is infinitely more difficult than something like MSIE-- MSIE has a huge number of disparate things it's expected to do, while BIND is in a certain manner less "complex", but all the things MSIE does are *simple* and it doesn't have to do them *efficiently*. Despite this BIND, at least from where i'm standing, seems to be doing *better* than MSIE. I mean, it may just be i'm not paying attention, but big BIND problems seem to come along every five months and big MSIE problems seem to come along every two or three.. and the MSIE problems seem a bit worse. The IMPORTANT thing, though, and this has been noted elsewhere in this same discussion, is that BIND is aimed at *professionals*-- people who are skilled, and people for whom constantly watching the security news and speedily applying new patches to the machines they are charged with watching can be considered to be part of their *job*. MSIE/OE, meanwhile, is VERY heavily used by people who don't understand computers at all, people who just want to print things in wordperfect every so often and get e-mail every so often. MICROSOFT HAS AN OBLIGATION TO PROTECT THESE PEOPLE, microsoft has an obligation to not leave the defenseless with security vulnerabilities, microsoft has certain obligations to simple SAFETY that the people who write BIND do not. And MS is failing at it. Do you really think that the kind of person who is scared by computers to the point where they never ask "I wonder how i can delete these shortcut icons off my desktop?" Is going to *EVER* update their IE, or check microsoft.com for updates, or even be able to figure out what a service pack is?


    As far as Wu-ftpd goes.. dude. Seriously. Use Proftpd. It's better anyway. :) With something like Wu, it gets to the point where if you don't like the security track record of a product you should consider just not *using* it.. hell, you even have alternatives to BIND. Microsoft should realize that people don't have too much alternative to using MSIE, realize that people aren't going to switch based on security, and make it their job to fix security as a result. Although i'd bet that they let security get so bad *because* they knew nobody would stop using MSIE because of it.


    > If you want to make a constructive criticism, then you should have them rewrite the whole OS.


    Not a bad idea. Here's a better one. Two words: CODE AUDITS.

    (at the sound of the magical words "code audit", angelic voices are heard singing from the heavens.)
    MS doesn't need to *rewrite* this stuff, not *really*, but initiating a large-scale security-oriented code audit of the entire text of their networking and web browser code is something that they could really stand to do, BEFORE they start thinking about windows xp or whatever. They certainly have the resources. How do you propose to get them the initiative? Cuz it's sure as hell not my problem :)
  44. Re:Inaccurate by mcc · · Score: 4
    My apologies for being unclear. That comment was meant to refer to microsoft's *web browser* division, and microsoft's web browser division *only*. Yes, of course server OSes and server apps will have security issues from time to time. I don't expect them not to. The thing that leaves me a bit taken aback, though, is microsoft's tendencies to have security issues in a low-end *consumer-oriented* app like a web browser. WEB BROWSERS ARE NOT THE KIND OF THING WE SHOULD HAVE A SECURITY TRACK RECORD TO KEEP TRACK OF, and that was my only point.


    YESS, it really kind of *is* an MS thing. Except for one vague memory or so of an incident involving a java hole, you just plain don't *SEE* security holes popping up with Netscape or Opera or Omniweb or really ANY browser except MSIE! *Netscape* got security right, and their software was AWFUL! But that there should be THIS many instances of hardware-access-level vulnerabilities in something meant to display web pages.. just. blah. it blows my mind.


    --mcc
    it is late and i am spastic and bitter

  45. Re:Inaccurate by mcc · · Score: 5
    > In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.


    The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;
    i can think of at least four times since MSIE 4 that ways for attackers to affect the contents of an MSIE user's hard drive have been discovered, and i haven't even been watching it closely.
    Are you really sure that "forgive and forget" is a good idea?? Do you honestly think that this isn't going to happen again? Do you honestly think if people let this issue rest-- and they will-- that microsoft is going to change its ways on its own? It certainly didn't the LAST couple of times this happened.

    Keep in mind these are the people that you're supposed to be buying an attempted NETWORK OS (windows xp) from in a year or so, and they can't pull off security in a passive web browser. XP involves the passing around of remote executable code, doesn't it? Don't you think some SERIOUS pressure needs to be brought to bear on microsoft until they take steps to ensure that the security issues in their browsers are dealt with, COMPLETELY?


    I am a Mac OS X user, so i am not *too* worried about this, but i do use MSIE from time to time, and so i for one am extremely alarmed with microsoft's nonchalance with security issues. Microsoft seems to have no interest to bring these "technologies" (activex, for example) that seem to be causing the problems to the macintosh platform, and the Macintosh port of IE shares no codebase with the windows version, so i am not directly threatened; however i still feel somewhat insecure with using MSIE.

  46. Re:Joys of non-competition by HiThere · · Score: 2

    Mozilla crashes within 15 minutes? Are you running release version 0.8? Switch to 0.8.1 immediately! (Most of the versions between 0.8 and 0.8.1 were pretty bad...I went back to 0.7 for awhile, but 0.8.1 was reasonably good again. 2001032804 hasn't given me any trouble yet (I think the scrambled graphics were a problem at the User Friendly site), but the day is young.

    And investigate win98Lite. I stopped choosing to upgrade MS products before the first UCITA law was passed, or perhaps it was before the DMCA was passed ... which ever came first. I haven't clicked on one of their agreements since then, and don't intend to. If someone insists on MS, then they have to make the agreement. That's one thing I won't do for them.


    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  47. Re:that breaks important browser features by HiThere · · Score: 2

    Well, he said few rights, not none. Presumably the browser would be able to write to a file in its own (home?) folder. It could save all of its downloaded files into one folder (allowing the user to create sub-folders as appropriate). Then the users could log in as themselves and move the file to the appropriate location.

    Thinking this over, the web browser should have a special folder under each user to which it could write. Starting the web browser should be equivalent to logging in as user WebBrowser, with the current directory set to the web browser folder for whoever you happened to be before starting the web browser. The web browser user shouldn't have the right to open any directories belonging to any other user. Quitting the web browser shell should exit you back to who you were before. And every web-capable user should be able to read files and execute folders owned by the web browser user.

    This might be a bit inconvenient, but not terribly so. Setting it up would be a pain, but could easily be worth it (OTOH, I'm thinking of installing a distribution with the 2.4 kernel, so I probably won't run out and do this right now).

    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
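Added example, not part of the comment above or of any project's code: a Python check of the permission layout that comment 47 describes (browser account locked out of users' directories, users still able to read what the browser saved). It assumes the per-user browser folders live in a separate tree and that the browser account shares no group with the users; all paths and account names are constructed.

```python
import os
import stat
import tempfile


def other_bits(path):
    """Permission bits granted to accounts that are neither owner nor group."""
    return stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO


def audit_layout(browser_root, user_homes):
    """Return findings for the two rules in the comment.

    Assumption: the browser account and the human accounts share no group,
    so each side reaches the other's files only through the 'other' bits.
    """
    findings = []

    # Rule 1: the browser account must not be able to open any directory
    # that belongs to a real user.
    for home in user_homes:
        bits = other_bits(home)
        if bits:
            findings.append(f"{home}: open to the browser account (other={bits:o})")

    # Rule 2: users must be able to enter the browser's folders and read what
    # it downloaded, so they can move files out under their own login.
    need_dir = stat.S_IROTH | stat.S_IXOTH
    for root, _dirs, files in os.walk(browser_root):
        if (other_bits(root) & need_dir) != need_dir:
            findings.append(f"{root}: users cannot list or enter this folder")
        for name in sorted(files):
            path = os.path.join(root, name)
            if not (other_bits(path) & stat.S_IROTH):
                findings.append(f"{path}: users cannot read this download")
    return findings


def build_demo():
    """Constructed sample layout in a temp dir; every name here is made up."""
    base = tempfile.mkdtemp(prefix="browser-jail-")
    homes = [os.path.join(base, "home", n) for n in ("alice", "bob")]
    browser_root = os.path.join(base, "webbrowser")
    spool = os.path.join(browser_root, "alice")  # browser's folder for alice
    for d in homes + [spool]:
        os.makedirs(d)
    for name, mode in (("page.html", 0o644), ("cache.tmp", 0o600)):
        path = os.path.join(spool, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(homes[0], 0o700)  # alice: closed to the browser account
    os.chmod(homes[1], 0o755)  # bob: misconfigured, anyone can open it
    os.chmod(browser_root, 0o755)
    os.chmod(spool, 0o755)
    return browser_root, homes


if __name__ == "__main__":
    root, homes = build_demo()
    for line in audit_layout(root, homes):
        print(line)
```

The check reads mode bits only; it does not try to open anything, so it gives the same answer when run as root.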
  48. IE 4 probably isn't affected by alienmole · · Score: 2
    I don't think it would kill Microsoft to test this with IE4, and at least inform their customers whether they were affected, even if they don't supply a patch.

    My guess is the reason they don't do that, is that they don't believe IE4 is affected. Admitting that would make them look bad, so they'd rather spread FUD about the safety of their older software, to try to encourage upgrades.

    That kind of violates the idea of having software versioning, now doesn't it?

    No, it doesn't. It's perfectly normal to continue to release patches for older products, for just about any software company other than Microsoft. In fact, Microsoft itself has done this in the past: they released a service pack for NT 3.51 after NT 4.0 was out. I don't remember the timing on NT4 SP6a - that may have come out after Win2K, too.

  49. Re:New read and execute features in IE 5.5 by sharkey · · Score: 2

    What about Huckster?...

    That's the name of the holding corporation that MS will use to sell Hackster.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  50. How about a poll? by haapi · · Score: 1

    Subject for a Slashdot poll: How many people have "administrator" privileges on their NT accounts? The subject of the follow-on poll is left to the reader....

    I also want to patent the method and apparatus of infecting the MS-OS side of a multi-booting computer so that the other OS(s) are affected upon subsequent boots, as well as the process of scanning for such damage. Hear that, McAfee? All your profits am belong to me. Hear that, Virus writers? Don't bother doing that -- it's been thought of, and so is no longer 133t.

    --
    Well, apparently, you only have to fool the majority of people for a little while.
    1. Re:How about a poll? by MadPhatTim · · Score: 1
    2. Re:How about a poll? by Waffle+Iron · · Score: 1
      I would bet most of them, because
      • It's really annoying to run NT with lesser privileges and do any real work.
      • If there's a simple way to do the equivalent of su, it's not widely known. The alternative is to log off and come back as an administrator. Once you're back you're king. Why leave?
  51. More details.. by augustz · · Score: 1

    Love to get some more details on this puppy.

  52. Re:Windows Update? by leperjuice · · Score: 2
    I'm sorry, but Microsoft does not consider a patch that closes a remote sploit for allowing malicious users to "take any action on the computer that the user can take" as a critical update. Thank you, please call again!

    I wonder, given the number of days it will take between now and when they finally get off their tuckuses and add it to the update page, how many people will be affected that otherwise could have been protected.

    If it takes more than a week, I could imagine the lawyers would be drooling over the negligence of Microsoft, EULA or no.

    Note that few contracts are totally rock solid; it depends on how many lawyers you can afford to hammer on it. Look at what happened to poor Toshiba...

    --

    -- "I am disrespectful to dirt. Can you not see that I am serious!"

  53. Bah! by Black+Parrot · · Score: 1

    Attackers are entitled to ease of use too, ya' know.

    --
    Sheesh, evil *and* a jerk. -- Jade
  54. Re:New read and execute features in IE 5.5 by Black+Parrot · · Score: 1

    > Combine this new exploit with this old one that lets you read any file off someone's harddrive and I think Microsoft might be able to market these as .NET features.

    It's the latest in peer-to-peer file sharing. They're marketing it under the name Hackster.
    --
    Sheesh, evil *and* a jerk. -- Jade
  55. Tomorrow's patches today by Carl+Jacobsen · · Score: 1
    The page www.microsoft.com/windows/ie/download/ lists (at the top) current security patches for IE. Right now, the top one listed is "Security Update 1, February 27, 2001". Oddly, the patch "Security Update, March 29, 2001", discussed in the current article, isn't listed now. Well, when I looked last night, it was...

    The interesting part is, last night the page also listed, "Security Update, April 2, 2001" (note the date!), with the description:

    This update resolves the "Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard" security vulnerability, and is discussed in Microsoft Security Bulletin MS01-017. Download now to prevent an unauthorized user from running code on your computer by digitally signing programs as "Microsoft Corporation."

    Too bad the temporal rift only went a few days into the future and not further -- would've been nice to have downloaded, say SP3 for IE6...

  56. There's still plenty of room for MS bashing by Mdog · · Score: 1

    I agree that getting the fix out so fast is indeed cool. The point is that the *next* bug in IE (and outlook!) will grant root^H^H^H^Hadministrator access to l337 hackers. Both open and closed source programs have bugs; what's worth bitching about is the MS *philosophy* of running a web browser in kernel space. And this *does* affect *nix users, just as surely as a hole in the sun affects nocturnal animals.

    1. Re:There's still plenty of room for MS bashing by robhancock · · Score: 1

      I don't think that IE runs in kernel space. That would imply that the app would be a VXD, I think, which it's not..

  57. Re:Inaccurate by mat.h · · Score: 1

    Hello? Email has something to do with text entry, therefore my email client doesn't integrate a web browser with an insecure scripting system but is integrated in Emacs. That's reuse, too. If I get an HTML email (it does happen sometimes), it's automatically piped through lynx -dump and displayed. That's reuse, too. And a great feature is that I could use W3m if I would find out that lynx could be instructed to wipe out my disk^Whome directory with the right HTML input. That is real modularity. You don't need object orientation for that. And having these features is no excuse for security holes.

  58. um, okay... by delmoi · · Score: 2

    Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker

    I fail to see how that makes sense... What does the fact that IE is part of the OS have to do with email?

    If this security flaw existed in, say, mozilla, then any program that used its HTML rendering engine would be just as vulnerable.

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  59. I knew it! by LocalH · · Score: 1

    I knew there was a good reason that I didn't put IE5.5 on my box. Now it comes to fruition.
    _______
    Scott Jones
    Newscast Director / ABC19 WKPT

    --
    FC Closer
  60. So they really _do_ withhold updates[Next monday?] by drenehtsral · · Score: 2

    Well, i guess they really do withhold updates... Who would have guessed =:-)

    --

    ---
    Play Six Pack Man. I
  61. Not a flaw, a support tool! by bdowne01 · · Score: 2

    Yesterday when I was on a tech support call with Microsoft (our Exchange server was glowing red and hovering), they simply told us to start up Internet Explorer and they'd fix the problem from their end. Just like magic, the server floated back into the rack and stopped glowing!

    Hats off to M$ for writing such an amazing tech support tool!

    --
    -brain
  62. Re:Inaccurate by Wah · · Score: 2

    just a quick note. I checked the MS update page after I saw this story. It did NOT list this as a "critical update", at least not for 5.01. Upgrading to SP2 was an option under "Recommended Updates". I don't know if this bug set off their "critical updates" program since I don't use it. It is a tough situation for them, tons of clueless users who will get abused, but it should be their responsibility on some level for damages associated with abuses for their software. Yes, I know their EULA tries to head off that argument, but the whole monopoly thing seems to be a decent counterargument.
    --
    +&x
  63. Easy fix for this one. by CSIP · · Score: 1

    Well. now that MS has released a patch for this bug... should be easy enough to use the bug to fix itself.... create a webpage, that uses this flaw to cause the pc to download and install a copy of the fix ;)

    --
    "Nyquil - The stuffy, sneezy, why-the-hell-is-the-room-spinning medicine."
  64. Re:Not Suprising by spudnic · · Score: 1

    It helped me. I appreciate /. for carrying the story.

    I use a w2k box at my desk. I use w2k because I have to view the Internet world through the eyes of IE like our clients. I keep about 20 SecureCRT sessions open to our Linux servers and IE up all day.

    Thanks for the info!

    --
    load "linux",8,1
  65. Re:Microsoft & Diversity by zmooc · · Score: 1

    Or maybe it was an Internet poll which tend to be rather biased because only certain people vote. In that case, the 95% might even be correct since (I assume) there are a lot more IQ>100-ppl than there are IQ100 on the Internet.

    --
    0x or or snor perron?!
  66. WARNING: goatse.cx troll! by SMN · · Score: 1
    Ah, they finally got me =( Anyone who's dumb enough to click the http://uninstall.microsoft.com link in the parent post just for the hell of it is in for a very unpleasant surprise.

    Maybe it's supposed to be part of the joke - I can't tell if the poster has a history of trolling from his past posts alone. Either way, there's a goatse.cx link - that's not cool.

    If anybody's grateful for the warning, I wouldn't mind you expressing your generosity with a few mods up =)

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    1. Re:WARNING: goatse.cx troll! by SMN · · Score: 1
      What about those of us who moved the mouse over the link [...] Can we mod you down?
      Sure, if you're so haughty and self-absorbed that you have no qualms with sending others over to goatse.cx - I see that one moderator already did. Nice to see the thanks I get for trying to be helpful -- at least I've got a little karma to spare.
      --
      -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
  67. Microsoft & Diversity by SMN · · Score: 2
    Interesting excerpt, from the "Technical Details" portion of the support page:
    An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system.
    (Emphasis mine)

    Well I guess Microsoft has finally realized that we males are too stupid to be "attackers," since everyone knows that the vast majority of 5r1pt k1dd13s are women. I was going to try to be an 3133t hax0r, but apparently the women have beaten us to that, too. I suppose the only quick and dirty way to rake up some cash now is to audition for Survivor.

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    1. Re:Microsoft & Diversity by SMN · · Score: 2
      I sure wasn't trying to be a troll -- I hope it didn't come off that way =( Just wanted to take the opportunity to get in a cheap shot at Microsoft.

      Technically, the "correct" way is to write out "he or she," but that sounds very cumbersome, especially when you start adding in "his or her" and "him or her" into the mix, all in the same sentence.

      I'm a big fan of using "they," as you typically hear on the street these days, or "he," if you're in the company of people mature enough to understand you're not trying to make sexist assumptions. I really hate this politically correct crap that keeps going too far. . .

      --
      -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    2. Re:Microsoft & Diversity by QuantumG · · Score: 2

      actually that's sort of a political correctness phenomenon.. there was a time when if I wrote the like: "all a mailman has to do is take his bag of letters and put them in the mailboxes" and you would quickly receive a deluge of feminists screaming for blood. "Women can be mailpersons too!", "why do you naturally assume that your mail must be delivered by a man." So rather than go to the linguistic complexity of making sure your sentences are without gender bias, a lot of P.C. writers chose to make every sentence female gender biased. Would one not expect a deluge of men screaming how they can be leet hackers too? Apparently not. Now why do you think that is?

      --
      How we know is more important than what we know.
    3. Re:Microsoft & Diversity by QuantumG · · Score: 2

      Translate this argument into french where there is not indeterminate gender and there is specifically a "male dominates over female" rule for talking about groups.

      --
      How we know is more important than what we know.
    4. Re:Microsoft & Diversity by Dwonis · · Score: 2

      ...which is interesting, because many European languages (including English) use the male gender as a male AND indeterminate gender. Now it's just confusing as hell.

      "Why mailman?"

      "Why _NOT_ mailman?"
      --------
      Genius dies of the same blow that destroys liberty.

    5. Re:Microsoft & Diversity by Dwonis · · Score: 2

      I was talking about French. Its roots may be "male dominates over female", but it still serves the same function.
      --------
      Genius dies of the same blow that destroys liberty.

    6. Re:Microsoft & Diversity by Tackhead · · Score: 2
      > So some people use "he", some people use "s/he", some people use "they", some people use "she", and others alternate between "she" and "he."

      We're talking about skr1pt k1dd13z here.

      "it".

      End of discussion.

    7. Re:Microsoft & Diversity by Johnzo · · Score: 1
      Dunno if you're shooting to be funny or just being a troll, but here goes.

      The trouble here is that English just doesn't have a good gender-ambiguous pronoun family. While there have been attempts to invent a new one (ISTR that someone proposed "hir" for gender-ambiguous possessive), the more common approach is to kludge wider definitions onto existing words.

      So some people use "he", some people use "s/he", some people use "they", some people use "she", and others alternate between "she" and "he."

      Honestly, I don't see what the big deal is. Western society's far more inclusive gender-wise than it was fifty years ago. Why shouldn't the language reflect that?

      zo.

    8. Re:Microsoft & Diversity by fulgan · · Score: 1

      95% of people polled believe their IQ is above average.

      Well, that means that there is at least one INCREDIBLY stupid person out there :)

    9. Re:Microsoft & Diversity by ChrisCampbell47 · · Score: 1
      Would one not expect a deluge of men screaming how they can be leet hackers too? Apparently not. Now why do you think that is?

      Perhaps it's because women have had the heel of man on their neck for 10,000 years of human culture and are a bit more sensitive to gender issues than men are. Not the other way around.

      Plus, the Taliban are actively pulling women back into the stone age. You have to admit that women have a slightly different perspective on these issues.

    10. Re:Microsoft & Diversity by Safety+Cap · · Score: 1
      So some people use "he", some people use "s/he", some people use "they", some people use "she", and others alternate between "she" and "he."

      The whole thing could be resolved by avoiding the use of both "he" and "she."

      Just use "the attacker," or "the malicious coder," or even "the Slashdotter."

      No, wait...

      --
      Yeah, right.
    11. Re:Microsoft & Diversity by jotaeleemeese · · Score: 1

      But you are male most probably.
      if you were female maybe you would have a different opinion....

      --
      IANAL but write like a drunk one.
    12. Re:Microsoft & Diversity by Rogerborg · · Score: 1

      Have you seen the WinME install? Splash after splash of grinning little kids, grinning old folks, grinning gentlemen of colour, and grinning ladies of all sorts. IIRC, there's only one image of an actual computer purchaser (i.e. a pasty faced 20-30ish bloke), but, hey, at least he's doing the M$ grin.

      --
      If you were blocking sigs, you wouldn't have to read this.
  68. Day In The Life Of Net Scam Artists by SMN · · Score: 3
    Day In The Life Of Net Scam Artists

    CRIMINAL NO. 0
    12:32 AM Some lamer just offered me $250 to write a one-day journal of my hacking. I brag that I can make $4,000 a day by stealing credit cards, but I'm still willing to spend several hours writing a journal for a meager $250. With that kind of incentive, you can be sure that none of this is made up. None of it. Trust me, I'll appeal to the media's maniacal demand for sensationalist hacker stories.
    12:38 PM Found a cool new way to hack people. 31337.
    12:39 AM Sent out a mass HTML email to hundreds of AOL Lusers with code to steal their passwords. The technical flaw only exploits Outlook Express users, but those Lamers are stupid enough that somehow it'll still work in their AOL mail programs.
    12:40 AM Going to my girlfriend's house.
    12:41 AM Back from girlfriend's.
    1:14 AM Got 217,468.25 AOL logins already. Haha, those lamers are so stupid! I can steal all your passwords, America, and there's nothing you can do about it because I'm a scary hacker! ph34r me.
    1:27 AM Ran a secret hacker script to extract credit card numbers. Bought $1,000,000,000 worth of cocaine from a secret hacker website at http://www.dea.gov/. The Feds will never be able to figure out my address, because I sent it to my mom, who's sleeping in her room down the hall. And my ISP will never give my name away - AOL doesn't do that kind of thing.
    1:30 AM Realized its past my bedtime. Mommy's yelling at me to go to sleep. Remember, America, hackers can do anything! But send me your credit card number and I guarantee that you'll be safe from hackers.
    (Score:-1, Corny)
    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    1. Re:Day In The Life Of Net Scam Artists by SMN · · Score: 3
      . . . and he's still getting more than I am.

      (This always is the point where the moderators finally get some pity and moderate me up, only for someone in my school to see it and show everyone else =)

      --
      -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    2. Re:Day In The Life Of Net Scam Artists by fanatic · · Score: 1

      12:40 AM Going to my girlfriend's house.
      12:41 AM Back from girlfriend's.


      Gotta love it.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  69. thank Jebus for IE6 by mondainx · · Score: 1

    oh wait its probably just IE5.5 re-branded.. :(

    --

    The early bird gets the worm, but the second mouse gets the cheese!
    1. Re:thank Jebus for IE6 by Tiroth · · Score: 1

      Oh, but I don't even believe in Jebus!

  70. /. at its best by tiny69 · · Score: 2
    Slashdot just can't let the opportunity to smear MS go by. Is this really news? MS has a big security hole in one of their products. Does this surprise anyone?

    But when the 2.2.x kernels have a _BIG_ security hole that allows users to exploit it against _ANY_ SUID binary, well that must not be newsworthy...

    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  71. Re:Inaccurate by Kwantus · · Score: 2
    Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]

    That is inaccurate.

    What you quoted is not inaccurate. It was established in the FoF that it is virtually impossible to remove IE from Winduhs98, and thus simply removing the vulnerable software is not an option. If KDE had such a flaw, you could rm it entirely, or simply stop running it.

    What's perhaps worse, is that a lot of Winduhs users I know would think they could avoid the problem by using a browser like NeoPlanet, not realising it's just an IE wrapper. They'll plunk themselves into the worse situation of thinking they're safe when they aren't.

    That is what M$ innovation gave us.

    Ever heard of the term "reuse"?

    Yes, it's called linking a library and it wasn't invented with OO. And from the way DLLs get sprinkled all over the system I don't think a lot of SW authors accomplish/bother with "reuse" on Winduhs anyway.

  72. I don't get it... by macpeep · · Score: 2

    "Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine."

    Why does integration with the OS automatically give an attacker full access to your machine? Just because IE comes with the system and because it shares DLL's that the system uses doesn't mean that you would be running your email app or your browser as root / administrator or anything like that. What's the ingress here referring to?

    1. Re:I don't get it... by macpeep · · Score: 2

      You still didn't answer my question. Yes, Windows has poor / no concept of security but what does OS *INTEGRATION* have to do with any of this?

    2. Re:I don't get it... by nagora · · Score: 1
      What I said was: It is very rare to find code which can be reused safely if it's more than 100-200 lines long. The reason it's not safe is that code longer than that is unlikely to exactly fit what you want to do

      It is rare but not unheard of. I put it to you that there is not a single case of code re-use in the 10000+ line league (which I think includes IE's lousy HTML code which can't handle <H1> tags in tables) where the use of that unmodified code has not resulted in problems of the sort OOP is supposed to prevent, ie unexpected side-effects.

      Come back in a few years when you know what you're talking about.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    3. Re:I don't get it... by nagora · · Score: 2
      Because it propagates a security hole in one program (e.g. IE) into everything else (e.g. Outlook) because IE is treated as an OS service.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    4. Re:I don't get it... by nagora · · Score: 2
      You said: Nobody is using IE as a service.

      But then you said: A lot of programs use it to render HTML

      Do you want to try again?

      You've one of the best HTML rendering engines available, will you use it, or write your own?

      But, even if I could use Opera to render HTML in another program, why would I want to? The only time I want to render HTML is when I'm on the web and then I'll be using my browser.

      Of course, if I had brain damage I might want to use HTML in email and let the "HTML" engine execute any old code it feels like (because executing code is something you want your HTML-email reader to do-right?). On the other hand I could just delete all my files myself.

      IE is an application,

      Not according to MS it isn't: it's part of the OS.

      Basically you're saying that if buggy code is accessed by lots of programs and so spreads the bugs through every application you use that it's okay because at least no one had to re-write the buggy code. You're not George Bush by any chance?

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    5. Re:I don't get it... by nagora · · Score: 2
      I assume that you meant service in NT's meaning, a background process.

      I don't see why putting something in the background makes it a service. A service to me is when one program asks another to do something for it and return the result (or display it etc.).

      Why use HTML other then in browsers? Help files,

      I browse help files with my browser. As you said why re-invent the wheel? Using a separate program to read help files is one way in which KDE/Gnome/Windows all stink.

      There is a bug in the code, chill out! it's not the end of the world. It's fixed, too.

      Well, it's fixed if you speak English. The rest of the world will have to wait. It's not the fact of the bug, it's the fact of the long list of bugs. I'm dumping BIND after the most recent fiasco and I dumped Windows some years ago. There are only so many strikes a company/project can have before I walk away and I don't understand this infinite "give them another chance" attitude that is being repeated all through this discussion.

      I'm saying that it's good that you can reuse code.

      As a programmer I'm not convinced of the arguments on this one. It is very rare to find code which can be reused safely if it's more than 100-200 lines long. The reason it's not safe is that code longer than that is unlikely to exactly fit what you want to do (e.g. using HTML engine to read email) and it may do strange things when placed into a new environment.

      I'm for cautious code reuse but I'm totally against blind code reuse which is very common in Windows programming, due partly to the examples one finds in books on the topic which in turn is due to the philosophy handed down from official MS courses.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    6. Re:I don't get it... by nagora · · Score: 2
      Service is what you would call a daemon.

      It may be what you would call a daemon; I'd apply a broader definition (ie, anything that provides another program with functionality).

      I disagree about code reuse. It's the 100 - 200 lines of code where it's not worth reusing code, it's easier to write more specialized code for this.

      No. The bigger the task the less likely it is that a non-specialised piece of code is the correct solution. I can write generalised list and string functions in tiny little chunks and use them over and over again. I can't write a CAD system and hope to use it in anything other than subsequent versions of the same CAD system.

      Look through Art of Computer Programming: it's not full of example wordprocessors and missile control systems, it's full of small reusable examples which can apply to almost any computing task.

      You seem to think that it's wrong to use specialized applications instead of one, all-encompassing, application.

      That is the opposite of what I believe. What I'm attacking is blindly reusing large binaries (such as MS DLLs). Care is needed when reusing code to make sure that the code will behave in its new environment and not have unexpected side effects. The bigger the chunk of code the harder this is. Fact of life.

      Things are better if you have the source code and can check it, but in the context of MS that's irrelevant.

      why would you use stdio.h, or iostream.h, what about std::string

      This bit had me laughing. Why would I use any of those? I write in Perl, PHP, Forth, and Assembler. Haven't used C/C++ in years and don't miss them. In fact, in 23 years of programming I've only used them about 10 times each; I've used Occam more often. I do remember having to write my own string code, though, since the std lib stuff is junk.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    7. Re:I don't get it... by Ayende Rahien · · Score: 1

      Nobody is using IE as a service.
      A lot of programs use it to render HTML, because there is *no point* in reinventing the wheel.
      You've one of the best HTML rendering engines available, will you use it, or write your own?

      IE is an application, and like most Windows applications, it can be used as a COM object, which is what a lot of programs are doing.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    8. Re:I don't get it... by Ayende Rahien · · Score: 1

      What type of service are we talking about?
      I assume that you meant service in NT's meaning, a background process.

      Why use HTML other than in browsers?
      Help files, both windows & gnome use it.
      There are plenty of uses.

      There is a bug in the code, chill out! It's not the end of the world.
      It's fixed, too.

      I'm saying that it's good that you can reuse code.
      Every software has bugs, when they are found, they are fixed, end of story.

      About Opera, I don't know if you can reuse their rendering engine, and how.
      But if they allow you to do so (both legally and programmatically) I don't see a reason why not do it.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    9. Re:I don't get it... by Ayende Rahien · · Score: 1

      Service is what you would call a daemon.
      I'd several systems that use non-English Windows systems.
      Usually, the English patches work.

      I disagree about code reuse. It's the 100 - 200 lines of code where it's not worth reusing code, it's easier to write more specialized code for this.
      You seem to think that it's wrong to use specialized applications instead of one, all-encompassing, application.

      This goes against everything *nix believes in (small, specialized tools, for single task) but beyond this, a general application may not always be a good thing. It wouldn't be able to give the extra touch that a specialized application can.

      Take MSDN, frex. The online version versus the installed version, I know what I prefer.
      (msdn.microsoft.com, if you don't have msdn installed, check windows help, same theme)

      What they did in IE, is to make one part that does all the rendering, and another that does the IE UI.
      So, frex, if I want to build a browser, that would use Mozilla's XUL and IE's rendering, I can do it quite easily.

      BTW, if we're talking about code reuse, do you program all your functions on your own?
      I mean, if it's *wrong* to reuse long code, so why would you use stdio.h, or iostream.h, what about std::string ?

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    10. Re:I don't get it... by Ayende Rahien · · Score: 1

      In other words, you recommend that each program will have its own networking code, right?
      And, since you use Perl, you must avoid using ReadLine (or is it ReadFile, don't program in Perl much), which is several thousand lines long.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
  73. Viruses? by fungus · · Score: 1

    Technical description:

    Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail. An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system.

    This is scary... I bet we will see more and more viriis that spread using Outlook.

    hmm.. let's do some virii coding =)
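
A defensive check for the flaw in the technical description quoted above, added here as an example and not part of the original comment or of Microsoft's bulletin: it flags MIME parts whose declared type does not match an executable payload. The type `audio/x-example`, the file names and the extension list are constructed assumptions; the page does not name the affected MIME types.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows treats as directly runnable (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

# Declared types that present a binary as an opaque download rather than
# as media for the renderer to open. A separate attachment policy handles these.
HONEST_BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def is_pe(payload):
    """True if the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(payload[0x3C:0x40], "little")
    return payload[pe_offset:pe_offset + 4] == b"PE\0\0"


def audit_message(raw):
    """Return one finding per MIME part whose declared type hides an executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        if declared in HONEST_BINARY_TYPES:
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if is_pe(payload):
            reasons.append("pe-header")
        if os.path.splitext(filename.lower())[1] in EXECUTABLE_EXTENSIONS:
            reasons.append("exec-extension")
        if reasons:
            findings.append({
                "declared_type": declared,
                "filename": filename,
                "reasons": reasons,
            })
    return findings


def build_sample(data, maintype, subtype, filename):
    """Constructed test mail: an HTML body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    msg.add_attachment(data, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


# Constructed minimal PE stub: MZ, e_lfanew = 0x40, then the PE signature.
PE_STUB = b"MZ" + bytes(58) + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(16)
PNG_STUB = b"\x89PNG\r\n\x1a\n" + bytes(16)

MISLABELLED = build_sample(PE_STUB, "audio", "x-example", "song.exe")
DISGUISED_NAME = build_sample(PE_STUB, "audio", "x-example", "song.wav")
BENIGN = build_sample(PNG_STUB, "image", "png", "logo.png")
HONEST = build_sample(PE_STUB, "application", "octet-stream", "setup.exe")

if __name__ == "__main__":
    samples = [("mislabelled", MISLABELLED), ("disguised", DISGUISED_NAME),
               ("benign", BENIGN), ("honest", HONEST)]
    for label, raw in samples:
        print(label, audit_message(raw))
```

A mail gateway would quarantine any message with a finding; honestly labelled executables are left to whatever attachment-blocking policy is already in place.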

    1. Re:Viruses? by vkt-tje · · Score: 1

      The titel is "Viruses"
      Anybody understands that as the plural of "virus"
      Why would you use "viriis" and "virii"?
      The first is some kinf of double plusral with a typo, and a second one a (correct) plural but still with a typo.
      In Latin any word ending in -us has the plural in -i.
      So "one virus" and "two viri". Just one 'i' at the end (except for words that have an i before the 'us' ending of course, the rule still applies resulting in 'ii').
      You used two 'i's while there is no 'i' just before the 'us' in "virus". Thats the typo.
      Then the double plural: I accept/understand viri as plural. secondly I forget the double 'i' typo.
      That still leaves "viris"; so that is a Latin plural (i) + an English plural (s): a double plural.

      Since Latin is a so called "dead" language, whose spelling was fixed centuries ago (literally) this is bad, really bad. OK, Now forget all of the above, I don't give a f* about spelling in any language :-)

      --

      120 chars is not enough!
    2. Re:Viruses? by vkt-tje · · Score: 1

      Did you read the last line? (Just above the sig)

      --

      120 chars is not enough!
    3. Re:Viruses? by Graspee_Leemoor · · Score: 1

      Allowing for your sig. being cut off, (and let's forget for the moment that you are actually wrong about "virii" being the correct plural of "virus"), I counted ten mistakes of either grammar or spelling in your post.

      The only thing worse than a grammar nazi is grammar Hitler. I am your worst nightmare.

      Graspee

  74. Re:Inaccurate by unapersson · · Score: 1

    > Netscape, Mozilla, Opera

    Don't you mean:

    Netscape & IE, Mozilla & IE, or Opera & IE

    IE is integrated into the operating system, you can't just uninstall it (without causing problems).

  75. at first this didn't seem all that funny... by Symbiosis · · Score: 1

    but you redeemed yourself at the end, good show! :-)

    -------------------------------------------
    I like nonsense, it wakes up the brain cells.

    --

    -------------------------------------------
    I like nonsense, it wakes up the brain cells.
    -- Dr. Seuss
    1. Re:at first this didn't seem all that funny... by gvonk · · Score: 2

      hehe i was gonna take out all but the end but i actually said to myself, in my head... "the end will redeem me"

      --


      Karma: excellent (mainly the sum of moderation done to users' comments)
  76. Re:Inaccurate by Malcontent · · Score: 2

    I would guess that most slashdot users probably don't run wu-ftpd. Even if they do they probably subscribe to the listserve which lets them know immediately when something is cracked. Unfortunately most lusers who use IE will never even know that this security hole exists and will never upgrade their IE thereby unleashing all kinds of mayhem on the internet which we will have to deal with.

    I know of no Linux user who runs server software like bind or proftpd who does not monitor their logs, subscribe to security listserves and is generally paranoid about being hacked. Recently when a vulnerability was announced in proftpd (first one in a long time) I got email both from the proftpd folks and debian. I upgraded via apt within minutes after I got the email (I sshed in from work) and I was safe.
    Too bad less than 5% of IE users will ever take that kind of action.

    --

    War is necrophilia.

  77. Re:Inaccurate by Malcontent · · Score: 2

    I highly doubt that even the most idiotic luser would accidentally press the "SERVER" button instead of the "WORKSTATION" button. Even so more and more distros are installing safer defaults. In fact I was recently at Best Buy and noticed that SUSE was actually selling two boxes one for workstation and one for server (the server costing a bit more).

    --

    War is necrophilia.

  78. Re:Inaccurate by Malcontent · · Score: 3

    Come on now BIND, wu-ftpd, and even sendmail get bashed regularly on slashdot (and rightfully so especially BIND). It's because of all the bashing that BIND9 was re-written from scratch.

    Don't you remember the recent thread about BIND? Whenever a major security breach is discovered it gets covered on slashdot why should MS be immune?

    --

    War is necrophilia.

  79. Re:Inaccurate by Malcontent · · Score: 4

    Well that's not what they testified to in court. Are you suggesting that the top brass on MS committed perjury?

    --

    War is necrophilia.

  80. Meanwhile, in related news.. by Tuck · · Score: 3
    For immediate release:

    Foot-And-Mouth Believed To Be First Virus Unable To Spread Through Microsoft Outlook

    Atlanta, Ga. (SatireWire.com)

    Scientists at the Centers for Disease Control and Symantec's AntiVirus Research Center today confirmed that foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.

    "Frankly, we've never heard of a virus that couldn't spread through Microsoft Outlook, so our findings were, to say the least, unexpected," said Clive Sarnow, director of the CDC's infectious disease unit.

    The study was immediately hailed by British officials, who said it will save millions of pounds and thousands of man hours. "Up until now we have, quite naturally, assumed that both foot-and-mouth and mad cow were spread by Microsoft Outlook," said Nick Brown, Britain's Agriculture Minister. "By eliminating it, we can focus our resources elsewhere."

    However, researchers in the Netherlands, where foot-and-mouth has recently appeared, said they are not yet prepared to disqualify Outlook, which has been the progenitor of viruses such as "I Love You," "Bubbleboy," "Anna Kournikova," and "Naked Wife," to name but a few.

    Said Nils Overmars, director of the Molecular Virology Lab at Leiden University: "It's not that we don't trust the research, it's just that as scientists, we are trained to be skeptical of any finding that flies in the face of established truth. And this one flies in the face like a blind drunk sparrow."

    Executives at Microsoft, meanwhile, were equally skeptical, insisting that Outlook's patented Virus Transfer Protocol (VTP) has proven virtually pervious to any virus. The company, however, will issue a free VTP patch if it turns out the application is not vulnerable to foot-and-mouth.

    Such an admission would be embarrassing for the software giant, but Symantec virologist Ariel Kologne insisted that no one is more humiliated by the study than she is. "Only last week, I had a reporter ask if the foot-and-mouth virus spreads through Microsoft Outlook, and I told him, 'Doesn't everything?'" she recalled. "Who would've thought?"

    Copyright © 2001, SatireWire

    --

    --
    $ find /pub -beer "James Squire Amber Ale" -drink
    1. Re:Meanwhile, in related news.. by mickonline · · Score: 1

      Surely you live in Annandale.

  81. Re:Joys of non-competition by befletch · · Score: 2
    Mozilla crashes within 15 minutes? Are you running release version 0.8? Switch to 0.8.1 immediately! (Most of the versions between 0.8 and 0.8.1 were pretty bad...I went back to 0.7 for awhile, but 0.8.1 was reasonably good again. 2001032804 hasn't given me any trouble yet (I think the scrambled graphics were a problem at the User Friendly site), but the day is young.

    Now this here is a textbook-quality example of why it is so hard to tell from written messages whether someone is trying to be funny or not. Taken seriously, this person seems to be suggesting that normal people, or at least normal slashdot people, should be willing to evaluate the relative advantages of 0.7, 0.8, 0.8.0.x, and 0.8.1 builds of a web browser over the course of a month or so. Taken as a joke, HiThere is pointing out how some of us have jobs or go to school.

    Somebody want to help me out here?

    --
    If you say, "now I'll be modded down because of X", I'll happily oblige.
  82. Re:You have to use the Windows Update feature... by M-G · · Score: 1

    Which is a royal pain in the ass when you're supporting other users. All I want is an executable patch that I can either point users to or put in their login script.....

  83. Re:Joys of non-competition by Simon Brooke · · Score: 2
    Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.

    Sad but (more or less) true. Konqueror, on the other hand, is now pretty stable, does 95% of things right, and is very close to being a thoroughly satisfactory browser.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  84. Re:Inaccurate by rajafarian · · Score: 2

    Dude, that is so fucking funny. Sounds like you're saying, "that is NOT a cube; THAT is a physical object with six squares of the same size for physical boundaries." ha ha ha he ROTFL

  85. Re:Inaccurate by Hard_Code · · Score: 2

    It has little to do with "object orientation" also. It has to do with the security system. Whether code is reused or not does not matter...if vulnerable applications are run with powerful privileges, bad things will happen.

    --

    It's 10 PM. Do you know if you're un-American?
  86. Inaccurate (you too) by Dwonis · · Score: 2
    All software has bugs.

    Short answer:

    s/All/Most/

    [Too ]Long answer:

    Not really. I've seen some code written by disciplined programmers that I would say is perfect. So I think software has bugs because of a lack of programmer discipline. I think most people will agree that it's possible to make a perfect function (i.e. it does exactly what it's supposed to do, handling all possible errors, etc). It's also possible to make every function perfect. Therefore, it is possible to make an entire program perfect. I've done it with smaller programs (nothing I've released yet) and I intend to do it again with a larger one I'm beginning to write (it's an XMMS replacement).

    Anyway, I agree with everything else you said. That's just a pet-peeve of mine.
    --------
    Genius dies of the same blow that destroys liberty.

  87. Re:Microsoft doing disservice to users by Dwonis · · Score: 2
    it was time to do the windows equivalent of using dkpg, hit windows update

    Buckling in pain. Please refrain from comparing dpkg to Windows Update as if they're almost the same thing. It just hurts.
    --------
    Genius dies of the same blow that destroys liberty.

  88. Re:Not Suprising by Dwonis · · Score: 2

    It goes the other way, too. I've seen crappy programmers who are so proud of their code they think it's worth millions of dollars, and they don't want to let anyone see it.
    --------
    Genius dies of the same blow that destroys liberty.

  89. Re:Some day even you will grow up by Dwonis · · Score: 2

    The problem with Linux guys is that they use Linux because of its robustness, and an OS that *ever* *needs* a reboot because of memory leaks simply isn't robust.

    I'll probably get flamed for this, but I think a large portion of Linux advocates are just like a large portion of <anything> advocates: they are people who blindly try to follow what the intelligent people are doing, so they can look and feel intelligent too. Of course, they often miss the REASONS why intelligent people act a certain way and do regally stupid things that make the real intelligent people look bad. (I know I've done that, though I tend to notice it later.)

    Get used to most people being stupid in one way or another.
    --------
    Genius dies of the same blow that destroys liberty.

  90. Re:/me sighs.... by Dwonis · · Score: 2

    Pine sucks. Use mutt.
    --------
    Genius dies of the same blow that destroys liberty.

  91. fp by kahuna720 · · Score: 1

    fp

    --
    props to all dead homiez
  92. Incorrect MIME type by JodoKaast · · Score: 1

    what mime types does IE handle incorrectly that would cause a file to be executed? and is it only with exe's that are incorrectly identified, or would it, say, open up a movie file if the mime type was changed to the same incorrect thing?

  93. M$ Pissed? by bubbha · · Score: 1

    CNN's report includes a response from the "innovators" in Redbud that they were pissed that the security flaw was reported..."irresponsible" was the word. Clearly, using M$ software is irresponsible... it's the price they pay for making product "lock-in" job #1.

    --
    I want to be alone with the sandwich
    1. Re:M$ Pissed? by bubbha · · Score: 1

      ...and they wanted to be my latex salesman...

      --
      I want to be alone with the sandwich
  94. Re:uptime by operagost · · Score: 1

    You REALLY don't want me to post the uptime of my OpenVMS and OS/2 boxen, do you?

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  95. Inaccurate? Maybe it is .... by KhaosSpawn · · Score: 1
    Not sure as to the success other people have had, but I installed the patch under the administrator account, logged back in after the necessary (STILL!!) restart and BAM!!. Your profile has become corrupted!! WTF??? Next time I'll let the "H4XOR" fix up my PC, god knows they couldn't do a worse job than MS on this.

    This is the first time it has happened though, so I have to wonder how thoroughly Microsoft "tested" it. Since their websites and network are real secure and we can all trust their digital certificate I kinda feel I brought this upon myself.

  96. Microsoft is just now posting this?? by llzackll · · Score: 1
    This type of security hole has been known for at least 6 months by many people. If it's what I'm thinking, it is not just limited to email, but you can also be infected just by going to a web page. How do I know this? Because it has happened to me. I did some research and sort of figured out how it worked.

    Basically, when you open the html page, behind the scenes, it saves two text files to your computer, one is a debug script, and the other is the actual virus/trojan. How can a text file contain a virus? Well the first one is basically a hex dump of some executable. The offending web page then runs debug.exe, which is found on every Windows computer, and reconstructs it into a .com executable. What it is is a UUdecoder. The actual virus/trojan is UUencoded. So the web page then runs uudecode.com or whatever, and reconstructs the trojan.. It is then run.

    So why not have debug.exe do the whole thing? well, debug only works with the .com format from the old DOS days, which is limited to 64kb in size. There are a few more things going on, but this is basically how it works.

    Could this have been prevented in the first place? YES. Is it all Microsoft's fault? YES. Did Microsoft have security in mind when creating Windows? NO!.

  97. Re:Windows sucks now, eh? by 0xA · · Score: 3


    Ok, I did a fresh install of windows on a computer at work. Windows 98 first edition. I popped in the cd, the install ran, and in 30 minutes the computer booted and I went to the Windows Update site. Four downloads and two reboots later, I have a reasonably secure system with no known exploits. Full install, all fixes applied - less than an hour and a half.


    This is a pretty useless argument. After spending this amount of time with an install of Windows 98, adding the updates and rebooting a couple of times you have an OS installed. If I spent the same amount of time with a Red Hat 7 install and updates I have everything I need to get my work done. I have Emacs and gcc and PERL and Apache and MySQL and OpenSSH and Abiword and Gnumeric and Netscape and Mutt, etc.

    You have Windows, IE, Outlook Express and WordPad. Joy, just what the hell are you going to do with that?

    Your comment about Windows being secure is true. On the other hand it's not like it does anything either. As soon as you install an FTP server, a web server, an RDBMS and a remote access program you have the potential to get just as "owned" as any other OS.

    What people are trying to say here is that making my email program execute code because I've got something showing in the preview pane is pretty damn dangerous. Yesterday, for the first time in my life, I received an email that makes use of these fancy scripting features. It's a piece of spam (which I signed up for) from the Ministry of Sound with a link to their new TV ad and a little flash animation. It's pretty cool but I'll live without it if that's the cost of not getting email that causes some trojan to be executed.

  98. And as always: International patches later perhaps by egghat · · Score: 1

    To all guys complaining about MS security: Try installing their products in Spanish, French, German or whatever you like. Then you will learn what untimely and sometimes even forgotten bug and security fixes are :-((( If you ever want to make a computer really insecure, install Windows NT Server German. And then IIS on top. Forget about security forever. Or you'll never sleep calm again. Bye egghat.

    --
    -- "As a human being I claim the right to be widely inconsistent", John Peel
  99. Re:Translation for Slashbots by BlueUnderwear · · Score: 2
    >Recommendation: Customers using IE should install the patch immediately.
    > So basically, this lets someone malicious tell your computer what to do.

    Especially since Micro$oft's crypto certificate has been leaked. So you cannot even be sure that the patch is from the real Micro$oft either!

    --
    Say no to software patents.
  100. Re:Inaccurate by jesser · · Score: 1

    Netscape: One arbitrary code execution bug, one hard drive access bug. MSIE: At LEAST two arbitrary code execution bugs (that i can remember), and at least two hard drive access bugs (that i can remember).

    If two arbitrary-code holes are present in the same version of some software, how much worse is that than having a single hole?

    --
    The shareholder is always right.
  101. Re:Web browsers belong in a jail by jesser · · Score: 2

    Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.

    That works if you only use the web for fun and/or reference, but if you type your credit card number into any website, you should hope that other sites aren't able to read your cookie file or hijack your browser to send everything you type into other sites to the malicious site. I guess you could tell the user to restart their browser after visiting any questionable site and throw out the cookies file between each session, but I doubt it would be worth the effort and loss of functionality.

    By the way, preventing the browser from mucking with your files wouldn't solve privacy problems such as bug 57351 (present in both IE and Mozilla).

    --
    The shareholder is always right.
  102. Windows sucks now, eh? by jonnythan · · Score: 1

    http://www.redhat.com/support/errata/rh7-errata-security.html

    http://www.redhat.com/support/errata/rh7-errata-bugfixes.html

    http://www.redhat.com/support/errata/rh7-errata-updates.html


    Ok, I did a fresh install of windows on a computer at work. Windows 98 first edition. I popped in the cd, the install ran, and in 30 minutes the computer booted and I went to the Windows Update site. Four downloads and two reboots later, I have a reasonably secure system with no known exploits. Full install, all fixes applied - less than an hour and a half.

    Compare this with Redhat 7. Of course, everyone will complain that either these are for other apps (not the beloved linux kernel) or that RH 7 is just chock full o bugs. These are not excuses - and it's not an excuse that a knowledgeable person can plug up all the security holes in their GNU/Linux distro. Windows is a rather secure OS. OpenBSD it is not, but I guarantee that if you replaced every Windows user's desktop with KDE running on RH or SuSe, in absolutely no time at all 1337 4ax0rs will be having field days.

    And on top of it, my copy of Windows ME that I use on my main desktop is the most stable full GUI system I've ever run. After turning off stupid things like system restore and PCHealth, it's quick, unobtrusive, and NEVER CRASHES. I haven't had a crash on this machine not caused by RealPlayer or Mozilla since I installed it. My current uptime is around 29 days, and that was only to change the ethernet card. Same goes with my Thinkpad.

    I run an OpenBSD server, and I'm impressed with its default install security, and the fact that everything is turned off. I like OpenBSD, and I like Linux. However, putting X on Linux and running windows-equivalent apps, in my experience, makes it just as buggy and not much, if at all, more secure.

    No one cares how fucking wonderful, stable, bug-free, and brilliant the Linux kernel is when common Linux apps aren't. I don't give a shit if Linux has better memory management when I can just click "open from location" and have apps install right there and give me a nice icon. Users won't care about the source code to the gnu c++ compiler when I can click TWICE and have ALL of the latest bug fixes and security updates install THEMSELVES WITH NO EXTRA INTERVENTION.

    I don't care if Linux is more powerful when Windows is just so much easier to manage. I do WORK with my time, not bug downloads and system management.

    Sorry about that, I just had a bone to pick.

    1. Re:Windows sucks now, eh? by startled · · Score: 1

      I don't care if Linux is more powerful when Windows is just so much easier to manage. I do WORK with my time, not bug downloads and system management.

      Let's hear it for anecdotal evidence. Oddly enough, your post is completely 180 degrees from my experiences. Let me tell you about last Monday at work.

      Get to work. NT is acting funny. Reboot-- ooh, look! Unable to find NTLDR. Shit. Find new hard drive. Install NT. 3 reboots later, I have basic NT on my box. Not bad, right? Except that it's missing all the software I need, like Outlook, the latest IE, Visual J++, the latest Detonator drivers, vim, etc.. NINE reboots later, my system is almost back to how I had it. NINE. Read that a third time: NINE FUCKING REBOOTS. That's IN ADDITION to the 3 reboots for the initial install. Oh, and the system's still not like I had it, even though I've recovered the old hard drive's data. Why? Because all of my configurations are kept in some voodoo registry file that I can't get 'em out of. I could easily copy the config files on a Linux box.

      Brief summary of last Monday: 9:30 am, NT box goes down. 6:00pm, NT box back up, MOSTLY the way I want it-- it's STILL not how I want it, on Friday.

      Linux sucks? Linux is hard to install? I had NEVER installed Linux before; hell, I'd hardly ever used it, just a bunch of Unix. I had no clue what I was doing, but I went out and picked up a copy of slack. After just a few hours, I've got all my devices going, XWindows up, KDE and Gnome, and a frickin FTP server so I can grab my files at work.

      To get this MILDLY on topic, let's do another comparison. You don't think the latest security fixes are a big deal? You don't think it's important that Windows has more frickin holes than swiss cheese? How about the immense amount of time lost to my company when the ILOVEYOU virus hit? I think that's pretty important. Oh, but it was easy to install the patch-- oh, wait, they denied there was even a problem until days after it hit. Let's hear it for closed source!

      I don't know what fucking fairy land you live in that everything's just peachy on Windows ME, but if you ever work at a real Windows-dependent shop, you'll see all the crap they have to put up with. Don't even get me started about that piece of shit called SourceSafe-- suffice it to say all our SS servers are now called things like "notsafe".

    2. Re:Windows sucks now, eh? by mvdwege · · Score: 1

      Might I just point out for completeness' sake, that those RH updates are mostly server-side and admin tools? Why in the name of God would you want to install these on a desktop machine? Almost all software mentioned is unnecessary for a normal user's desktop, which does seem to be your target system, seeing as you just installed Win98 on it.

      Unless of course you just installed Win98 on your administrator's workstation, in which case you deserve what's coming to you, as you are completely clueless in that case.

      For God's sake man, if you have to use Windows, use NT. It's still crap, but at least it's usable in a corporate setting with clueful admins (as we just established you are not).

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    3. Re:Windows sucks now, eh? by vkt-tje · · Score: 1

      Wanna see ME (including latest updates) crash? Just come to see my father's PC. I'll crash it in under five minutes, without opening any obscure program: Scanning an image is enough. (Didn't Billy have the same problem on some demo?) Currently he scans on a stand alone win95, copies to a zip, and continues his work on his PC...

      --

      120 chars is not enough!
    4. Re:Windows sucks now, eh? by Graspee_Leemoor · · Score: 1

      "You're comment about Windows being secure is true"

      Um- If you dial up to the internet on a default install of Win98 it's not secure at all. If you put a packet filter into the equation and set it up properly, I'll let you off.

      Graspee

    5. Re:Windows sucks now, eh? by the+ugly+sheep · · Score: 1
      when I can click TWICE and have ALL of the latest bug fixes and security updates install THEMSELVES WITH NO EXTRA INTERVENTION

      i'd just like to mention that linux has quite a few of these snazzy programs as well (up2date, apt-get and such). additionally, with software like red carpet, you can have the latest version of any software delivered to your doorstep

      i'd also like to mention that linux was not intended for the faint of heart. if you know what you're doing and can read documentation, you've got the power to make any of your programs do system specific things. because of microsoft's closed source system, this isn't possible. the power of linux is the ability to make changes. EVERYTHING is configurable. (if you want pretty icons, you can have pretty icons) and if you make a great change, you can share it for others to use.

      don't get angry because you don't want to take the time to learn new things. if you want to use windows, that's fine, but don't knock the linux users that are attempting to learn new things and to stretch the limits.

  103. Re:Browser/OS integration will always be risky by barneyfoo · · Score: 2

    This whole "integration" label is kind of wrong-headed to begin with. Technically calculator is integrated into the OS (bundled, whatever you want to call it).

    Browser "integration" into the os isn't risky if it's done intelligently. A Browser now-a-days is an external browser interface, a core html rendering widget, and plugins. It's not ludicrous to put the rendering widget into a system library (like microsoft does) because this doesn't preclude security in any way. (although it is ludicrous to make it non-removable *cough*).

    Imo, the correct way to look at this is in the legalistic manner. Monopolies can be found guilty of a method called "Tying" which is basically what MS did. They bolted IE onto the side of windows and made it catastrophic to remove IE functionality (not for very good reasons). Should MS make it possible to remove the browser? Of course. I'm sure there would be many sys admins out there drooling at the chance to do just that. Of course MS would never do that. IE is now their forced-onto-everyone interface to .NET the embraced and extended internet of the future (as they would have it). It's too bad that if people don't want IE it's tough shit for them. Mozilla would be a /much/ better alternative if they were allowed the hooks into the OS that loads it on startup into memory, and makes it persistent, and makes it so it loads the mozilla widget when you type in a url in the explorer application.. Too bad those APIs aren't documented. Maybe MS considers them "application specific" and not part of the OS. What nebulous nit picking.

    I'll see you in splittsville, MS.

  104. flash is evil by neowintermute · · Score: 1

    SEE, this is why we need nice cross platform non proprietary standards like SVG and SMIL. I only use windows because there's no good flash program for linux. I wish there was, it's not like flash for windows is bug-free.

    Maybe they'll make an osX version soon. :)

    http://www.hyperpoem.net

    1. Re:flash is evil by vkt-tje · · Score: 1

      Do you actually use flash??????
      I hate it.
      It is used in two ways:
      The first is the so-called "intro animation", that takes only valuable surfing time and bandwidth away. A site with a flash intro but without a "skip intro" button will be closed immediately, never to be visited again.
      The second use is to define some nifty looking interface. All GUIs currently follow the thought set out by Xerox (desktop analogy and so forth). In any current GUI (Mac, X, Win*, Solaris, whatever) we have gotten used to some standard interface elements: buttons for one example. Now every website designer (no longer a "technician" but an "artist") is creating sites where you have to move the mouse all over and look at the pointer to see where you have to click.
      Take for example the website about that bird-frying mirror yesterday on /. First of all it wastes 75% of the screen size on a blank border (is 1024*768 really that high a resolution?). Then there is some text on the left. Only when you move the mouse over it you can see that they are in fact buttons: there is no border or other specific, recognisable rendering. Clicking on these "planes" (since they are no buttons) opens some lines of text (20 at most) in the right half of the "interface", together with some stamp sized pictures. Since those pictures have very light contrast and have some explanatory text over them I thought they were "buttons" to get more info with a bigger picture... No such luck!
      The info on that website surely fits in a single html-only webpage. With links to full screen images that would be so much easier to navigate and find interesting info. HTML was designed to navigate ALL websites in the same way. And that "way" would be only determined by the browser/terminal you use (Surfing is quite a different experience when you're blind).
      So I say: thank all those website builders that also provide html only versions of their 'flashed' sites. But they still are 99% more stupid than a 'simple' html website coder!

      --

      120 chars is not enough!
    2. Re:flash is evil by Graspee_Leemoor · · Score: 1

      "(is 1024*768 really that high a resolution?). "

      On a laptop, yes.

      Graspee

  105. Re: come on now... by Pfhreakaz0id · · Score: 2

    Haven't you guys ever heard of Windows Update? I assume (I don't know, because I run IE6 preview) that everyone has a critical update notification about right now (assuming you run it). Windows update even works for older OS'es where it wasn't built in (like nt4). Again, before I get flamed I'm assuming this patch is on Windows update, but I don't know, because I don't run ie 5.5. I'm sure it will be shortly.
    ---

  106. Will they take my suggestion now? by dave-fu · · Score: 1

    Look. I don't want to render my e-mail. I don't want clickable links. I just want plain fucking text. Is that so much to ask for?

    --
    Easy does it!
  107. Brown Orifice? by dave-fu · · Score: 1

    What's that?
    I forgot how rock-solid Netscape's LiveScript was.
    Also, ha ha.

    --
    Easy does it!
  108. You want to know why? by dave-fu · · Score: 1

    Because the exploit's half a year old.
    Also, because this is a different exploit. Checking a page out should necessarily entail reading its contents. Is a cross-frame scripting vulnerability that easy to mistake for a MIME fuckup?

    --
    Easy does it!
  109. Re:Fill in the Blanks by fanatic · · Score: 1

    Please mod this moron down to -10, his link is to GOATSE.CX

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  110. Re:The double standard by fanatic · · Score: 1
    The vast majority of the "Linux" holes you refer to are:
    • in the apps, not part of the OS (as IE is) and
    • more importantly, are local exploits.

    It is cool that the fix is available quickly. I hate MS business practices, but at least they were prompt on this.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  111. Re:workmates must wonder by fanatic · · Score: 1

    Just for clarification, I (Fanatic) didn't have to follow the link this time - thank god - once was more than enough. No one with a weak stomach should follow that link.

    Quick tip - if you mouse-over the link, its href shows up in the status line.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  112. Re:The double standard by fanatic · · Score: 1

    It doesn't matter that it is really part of the OS, you don't have to use it.

    Not quite true. As the bulletin makes clear, the same code gets used to render HTML in the MS email clients. Additionally, MSIE components get used in other places, such as the MS "help" system. And maybe you don't have to use it explicitly, but have you tried installing or upgrading ANY MS software lately? Every time I've done it lately, I was forced to install IE. It's very difficult to get away from.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  113. Does anyone know if AOL 6.0 has this? by fanatic · · Score: 1

    Everyone in my family except me uses AOL. (They're OK otherwise, and actually rather intelligent, believe it or not.) Anyhow, I'm trying to figure out if AOL's browser at v6.0 is MSIE or what. Any help much appreciated. (Using 'help->about' just says it's AOL v6.0, unfortunately, I'm told.)

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    1. Re:Does anyone know if AOL 6.0 has this? by fanatic · · Score: 1

      I'm not sure that AOL6.0 would have Mozilla - didn't AOL7.0 come out recently? Mozilla is still fairly green, especially the parts used by Netscape.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    2. Re:Does anyone know if AOL 6.0 has this? by fanatic · · Score: 1

      From http://www.msnbc.com/news/481970.asp#BODY:

      AOL 6.0 still uses Internet Explorer as its Web browser.

      No sign of which version, tho.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    3. Re:Does anyone know if AOL 6.0 has this? by xnuandax · · Score: 1

      I don't use AOL, have never seen AOL, but I believe AOL 6.0 is built on Mozilla given that AOL bought Netscape (from which Mozilla was spawned...)

  114. Re:Inaccurate by fanatic · · Score: 4

    That is inaccurate. It's thanks to an object oriented operating system that we have this problem.

    Not sure what OO has to do with it; the problem is a program that executes code received from the net without even asking. That's the problem. Let's hope KDE never does anything that silly.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  115. Re:previous versions by Col.+Panic · · Score: 1

    Yeah, but 5.01 is nice and stable and doesn't hog RAM so why not upgrade? It don't cost nuthin'.

  116. This is... by TomatoMan · · Score: 1

    ...the funniest thing I've EVER read on slashdot. My sides hurt.

    TomatoMan

    --
    -- http://frobnosticate.com
  117. Re:Inaccurate by Deluge · · Score: 1
    I'd rather download patches and check them md5 checksums. Call me paranoia, but it *DOES* matter.

    When the patches are downloaded there does seem to be some sort of authenticity and integrity checks made against the dl'd files, so I wouldn't think that the Windows Update system would just willingly install any ol' fake patch that you might try to send it. Still...

    ---

  118. Re:Joys of non-competition by Deluge · · Score: 2
    i like opera, it can even disable animated gifs

    In IE you go to Tools -> Internet Options, and uncheck "Play Animations." Bingo, no more animated gifs.

    ---

  119. Re:Inaccurate by Deluge · · Score: 2
    Hell, you can't even get the damn icon off your desktop without going to rather a lot of trouble.

    Exactly. The technical knowledge and skill necessary to position the mouse over the IE icon, right click, and select "Delete" is beyond the average user's ability. It needs to be made simpler. I think the desktop should have the IE icon, and the rest of the desktop should be devoted to a 600x600 button saying "Click here to remove IE icon from desktop." Would that please you and the hapless idiot users you seem to be speaking on behalf of? Cheers!

    ---

  120. one guess... by renard · · Score: 1

    yeah, and i'll give you one guess whether they "are" or "are not" so affected, too... --renard

  121. OO BS by Tablizer · · Score: 1

    >> It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? <<

    Procedural can also "re-use" code, it is just not usually via class hierarchies. (Smalltalk-type message handling is sort of limbo-land between both approaches.)

    -The official anti-OO troll-

  122. Only for girls? by rhino777 · · Score: 1

    An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system.

    Guess it only affects girls....we're safe guys!

    --

    Because it feels like something I've done before, yeah I could fake it but I'd still want more...
  123. Re:Not Suprising by crucini · · Score: 5
    I find it amusing that the worst purveyor of unprompted MS-bashing, Malda, is also the only editor who regularly admits to using Windows.

    I find that quite understandable. People who don't deal with Windows on a regular basis generally don't have very strong feelings about it. This makes it easy (and fun) to maintain an attitude of casual scorn and contempt toward that particular festering pile. When one is forced to use Windows, however, one's attitude unfortunately degenerates into pulsating screaming hatred.
  124. Re:Inaccurate by hburch · · Score: 1

    That's what 'Microsoft Corporation' Verisign certificates are for: authenticating the source of the updates. :)

  125. Re:Browser/OS integration will always be risky by BradleyUffner · · Score: 1
    and makes it so it loads the mozilla widget when you type in a url in the explorer application.. Too bad those API's aren't documented. Maybe MS considers them "application specific" and not part of the OS. What nebulous nit picking.
    Netscape can do this. When I had to install Verizon DSL software on a computer it also installed Netscape (without asking me, grrrrrr). When typing a URL into the run comment it opened Netscape.
    =\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\ =\
  126. /me sighs.... by chemguru · · Score: 1

    If only everyone read their mail with pine, and browsed with lynx....

    Oh well.. I can dream, can't I??

    --
    --Chemguru
  127. Translation for Slashbots by gvonk · · Score: 3


    Here's the translation for your average slashdotter

    Originally posted: March 29, 2001

    We would have told you earlier, but we were sharpening our throwing knives and trying to install "Unix" on our computers...

    Summary
    Who should read this bulletin: Customers using Microsoft® Internet Explorer.

    Let's see... IF I were running IE, then the Attackers^tm would be fiercely attacking me now and I wouldn't be reading this right now... but the translation is:

    Who should read this bulletin: any of the sheeple that we have convinced to use our (superior) product.


    Impact of vulnerability: Run code of attacker's choice.

    So basically, this lets someone malicious tell your computer what to do.

    Recommendation: Customers using IE should install the patch immediately.

    So basically, this lets someone malicious tell your computer what to do.

    --


    Karma: excellent (mostly the sum of moderation done to users' comments)
    1. Re:Translation for Slashbots by Ergo2000 · · Score: 1

      MS' certificate didn't leak but rather somebody got Verisign to issue one for the corporate name of "Microsoft Corporation". Seems similar but there is a difference. MS has released a patch that basically disallows that one certificate from being trusted.

    2. Re:Translation for Slashbots by IdentityCrisis · · Score: 1

      Heh, this awfully reminds me of one exploit to IIS 5, which allowed a user to read ANY file on the webserver no matter what permission he has, just by adding +.htr to the end of the url.
      In Here Microsoft says, quote: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Service. The vulnerability could allow enable an attacker, under very unusual conditions, to read fragments of files from a web server. The translation can be found in the security bulletin Here: this one could enable an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result of doing this is that fragments of server-side files like .ASP files could potentially be sent to the attacker. Or in other words, ANY USER WHATSOEVER can receive any FILE on the webserver, so much for "under very unusual conditions"

    3. Re:Translation for Slashbots by einhverfr · · Score: 1

      Actually, supposedly Microsoft has posted a "patch" for that certificate problem as well... We had to install it on our machines this morning.

      --

      LedgerSMB: Open source Accounting/ERP
  128. I've Got a Security Patch For This by portege00 · · Score: 1

    ...you can get it here.

    Microsoft: Who Do j00 want to 0wn today?

    --
    Trolls make great pets. Adopt one today!
    1. Re:I've Got a Security Patch For This by portege00 · · Score: 1
      Assumption is the mother of all fuck ups. You assumed that I meant default. What does that make you? A... (hint, hint, put two and two together).

      First off, it was a joke. For a complete definition, see Webster's Dictionary.

      Secondly, I've seen default RedHat installs survive a lot longer than 24 hours on a University connection, although I've also heard of RedHat installs getting owned in four hours through dialup of all things.

      Lastly, if you take an hour to update and shut down stuff you don't need, you're a lot safer than the dumbass who went to Windows Update and rebooted four times.

      Don't take yourself so seriously. No one else does.

      --
      Trolls make great pets. Adopt one today!
    2. Re:I've Got a Security Patch For This by JAVAC+THE+GREAT · · Score: 1

      Yeah, default install of Red Hat. Real fucking secure there, genius. I bet you put up that on a university IP block it'll be owned 6 ways in 24 hours.
      ---

    3. Re:I've Got a Security Patch For This by madskills · · Score: 1

      You somehow managed to prove here that it is *okay* for a Red Hat product to have default security holes, but not okay for Microsoft products.

      Interesting.

  129. Re:Red Hat Linux not without its flaws by portege00 · · Score: 1

    That's very true. OpenBSD is incredibly hard. But you really can't use it as a desktop OS like you can Linux or Windows.

    To be secure, use Linux. If you're really, really paranoid, use OpenBSD. If you're all about easy to use interfaces, use MacOS. If you just don't care, use Windows. Take your pick. Given the fact that OpenBSD is too hard for the average Joe, MacOS crashes too much (sans OS X), and Windows is, well, Windows, I choose Linux. If you take the time to learn RedHat Linux, you can effectively secure your system while using it as a very effective desktop OS. But, damn, OpenBSD is so tight. It's nice to see that someone shuts stuff off by default, rather than keep everything on by default *coughs IRIX, IRIX*.

    --
    Trolls make great pets. Adopt one today!
  130. Re:The MS bulliten really annoyed me by creidieki · · Score: 1

    "They", "them", and "their" are grammatically plural, and are therefore technically incorrect. I've been told this is the fault of 18th century grammarians; apparently in olden times, English speakers recognized the need for singular androgynous pronouns. Microsoft taking the tried-and-true track rather than risking their reputation by forwarding progress is rather a common theme to the criticisms here.

  131. Re:Not Suprising by blue+trane · · Score: 1
    I use a w2k box at my desk. I use w2k because I have to view the Internet world through the eyes of IE like our clients.

    I hear you. I have w2k and linux boxes at my desk, because there's just something about using vi on a physical *nix machine :) I use ie to surf; but for programming I love having multiple consoles organized by desktop on my linux box.

  132. Re:The MS bulliten really annoyed me by blue+trane · · Score: 1
    How about "one"? as in, "one could edit the MIME headers..."

    Not quite as idiomatic as the French "on".

  133. Re:The MS bulliten really annoyed me by blue+trane · · Score: 1

    or in chinese, you might just leave out a subject altogether

  134. Re:Not Suprising by The_Messenger · · Score: 1
    Not entirely unbiased. The entire story is flamebait; notice that Slashdot only ever posts "news" relating to Microsoft's problems. Jamie didn't post this thinking, "Gee, this will be helpful to all those readers using IE." He was probably thinking, "Gee, this is yet another excuse to bash Microsoft." I'll admit that his tone was remarkably cool, but this is Slashdot... I won't believe that Slashdot can post a neutral Microsoft story until they ditch the Gates/Borg icon.

    I find it amusing that the worst purveyor of unprompted MS-bashing, Malda, is also the only editor who regularly admits to using Windows. (Unless I just missed Loki's ports of The Sims and Diablo II.)

    --
    I like to watch.

  135. Re:Red Hat Linux not without its flaws by The_Messenger · · Score: 2
    Better to use an operating system that has not had a remote hole in three years: OpenBSD.
    No one finds holes in OpenBSD because it has a total of five users, including Theo and Theo's mom. Holes in Windows and Red Hat are found most often because the former is the most-used OS and the latter is GNU/Linux for newbies. Theo can afford to be smug. If OpenBSD had 1% of users that GNU/Linux does, its reputation would be considerably less pristine.
    (That is, if you can tolerate it's slow-ass filesystem implementation.)
    ...and the lack of SMP. Sure, it runs on six or seven architectures (courtesy of NetBSD), but lack of SMP is the reason I won't run OpenBSD anywhere. (For instance, OpenBSD supports SPARC, but I haven't even personally seen a Sun box with less than eight CPUs in years.) This is the first reason OpenBSD has no future in business.

    The second reason is the complete lack of commercial software. (Even FreeBSD does better in this area!) GNU/Linux may have more reported bugs, but it also runs fucking Oracle 8i. (And, yes, anyone who suggests that I replace my Oracle installations with MySQL gets beaten with the clue stick.)

    OpenBSD only has a future as a firewall for the 386 in the corner, and frankly, most admins with a clue would rather run GNU/Linux on that firewall because encrypted swap doesn't mean shit if the machine is just looking at packets all day.

    Not to mention the fact that the future of the product rests in the hands of a single Canadian crypto-nut with a well-deserved reputation as a whiny, bitchy, moody control freak. The project has other developers but it is no secret that Theo 0wns OpenBSD. Before you mod this as flamebait, think: maybe there's a reason why everyone who has heard of DeRaadt has heard of DeRaadt's emotional instability. Even if OpenBSD ran Oracle on my company's SMP RS/6000s, I'd be hesitant to use it because of this sticking point.

    --
    I like to watch.

  136. Re:Pet Peeve by The_Messenger · · Score: 3
    Yet, they keep cranking out new writes of the same old horse with new bugs every couple of years to make $$$$$$$$$$$..
    Windows has existed in its present forms for about five years. UNIX has been around for 25-30. BSD for 20. GNU for 15. Linux for 10.

    Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.

    NT has only taken market share from UNIX. (Which, as most of you are too ignorant to know, was a Big Bad Corporate OS in the 80s. Just like IBM was evil in the 80s. How things change... a few open-source UNIX-ripoffs later, and UNIX is considered "grassroots" by many people here, just like IBM is now seen in a similar light for their "heartfelt" support of Linux.)

    They've also completely taken over the desktop market. Of course the roots of this monopoly are 20 years old, but they've only had a truly desirable product for about five.

    I like NT. I wouldn't let it in my server room, but it makes a damn good workstation OS. I like its interface best of all I've tried. It has excellent hardware and application support. In addition to being a great development environment, it plays games and DVDs. And my UNIX boxes are never farther away than a telnet session.

    MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has, and NT is still four times younger than UNIX. So I'm willing to forgive some bugs.

    --
    I like to watch.

  137. No problems here... by The_Messenger · · Score: 5
    I'm posting this from IE 5.5 on NT5 and ØÄȦ®$ûüè h4w h4w! I 0wn 4ll j00r b0X0rz!! ØÄȦ®$ûüève experienced absolutely no problems. Furthermore,ØÄȦ®$ûüè w0w d00d 1 4m 50 3l337 ØÄȦ®$ûüèsecurity issues on the web today. What about Netscape 6? For instance, NetØÄȦ®$ûüè m$ c4n suX0rz my c0ckz!!! llolololol ØÄȦ®$ûüèPerhaps Slashdot is blowing this out of proportion.

    --
    I like to watch.

    1. Re:No problems here... by GreatUnknown · · Score: 1
      h4w h4w! I 0wn 4ll j00r b0X0rz!!


      I own all your boxers?
      How low can these script kiddies go? :)

    2. Re:No problems here... by leviramsey · · Score: 2

      About three feet lower in my case...

    3. Re:No problems here... by lanrokobal · · Score: 1

      Absolutely wonderful!

  138. Info, please. by jmd! · · Score: 1

    Where in the HELL is the real info on this bug? Microsoft's release is just a bunch of fluff, spelling everything out so that even an MCSE could understand it. What MIME types? How am I supposed to filter this out for my users without any information.

    Anyone have a link? I have a feeling if I don't have this procmailed tonight, there are going to be lots of support calls tomorrow.

    1. Re:Info, please. by davizinho · · Score: 1
      They have more info here, in english as well as spanish:

      http://www.kriptopolis.com/cua/eml.html

      yeah, I know karma whoring, somebody had to do it :-)

  139. Re:SP2 by -brazil- · · Score: 1

    You have no idea how computer programs work, do you? buffer overflows are by far not the only way in which particular input can crash a program.

    --

    The illegal we do immediately. The unconstitutional takes a little longer.
    --Henry Kissinger

  140. That explains it!! by Robber+Baron · · Score: 1

    So THIS is why my system starts going apeshit every time I visit slashdot...

    --

    You're using her as bait, Master!

  141. Signed patch by aridhol · · Score: 2

    Remember to use our patch, signed by us and Verisign.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  142. Re:Joys of non-competition by Rakarra · · Score: 1
    Now this here is a textbook-quality example of why it is so hard to tell from written messages whether someone is trying to be funny or not. Taken seriously, this person seems to be suggesting that normal people, or at least normal slashdot people, should be willing to evaluate the relative advantages of 0.7, 0.8, 0.8.0.x, and 0.8.1 builds of a web browser over the course of a month or so. Taken as a joke, HiThere is pointing out how some of us have jobs or go to school.

    It's not an unreasonable demand if you take it in the context that he's beta-testing various versions. You upgrade, if it happens to be worse, report the bugs and downgrade. If you're running Mozilla, you're a beta-tester. There's a reason there is no Mozilla 1.0 (and don't get me started on AOL's decision to release a beta as a full version...)

  143. Microsoft doing disservice to users by biohazard99 · · Score: 2

    I finally got my system up and running today again (shipped with a fried stick of SDRAM, not sure how that one got out the door), decided that it was time to do the windows equivalent of using dpkg, hit windows update. Fresh JVM, DirectX8a, IE 5.5sp1 build, the whole nine yards, just completed ~1.5 hrs ago. No warnings there at Win Update, I have to go to an "alternative focus" web site to get word that I have a huge security leak on my system. I wonder why the apache team even bothers making a win32 port if the system gets wiped out by a newbie admin who checked his mail from the web server.

  144. MS hints about evil female h4x0rs... by jvmatthe · · Score: 1
    From the MS page describing the bug:
    In order for the attacker to successfully attack the user via this vulnerability, she would need to be able to persuade the user to either browse to a web site she controlled or open an HTML e-mail that she had sent.
    Wow. Check that out. Cool.
    1. Re:MS hints about evil female h4x0rs... by AndyChrist · · Score: 1

      The author had probably earlier that day whacked off watching "Hackers".

  145. Great Oogly-Moogly by Yekrats · · Score: 1
    I read it.

    All I can say is, "Great Oogly Moogly". Thanks a lot Microsoft.

    What kind of bone-headed thought processes allow a web-browser to have full control over an operating system. Is it just me, or is that REALLY STUPID? I'm no programming Einstein, but doesn't someone at Microsoft have a clue that this is cross-the-streams bad? This isn't the first time that IE has had this sort of problem: What about the infamous "IE 5.5 Cross Frame security vulnerability" from a few months ago which essentially lets someone read any files on your computer. There's been at least a half-dozen more, I'm sure.

    Mark my words, the virus writers are acting right now to take advantage of this vulnerability. In two months, when they release their virus, it will spread like wildfire. If you thought LoveLetter and Melissa were bad, this one will be much worse!

    What gets me is MS's nonchalance towards the issue. After all, it's just same-old, same-old to them. Another month, another *serious* vulnerability.

    Thanks for letting me get this off my chest. :-)

    --
    Ceci n'est pas une pipe.
  146. True Marketeering by Molt · · Score: 1

    So now a cracker can exploit a hole in a Microsoft IIS site (Running on Microsoft Windows 2000) and replace the front page with an identical copy, with the malicious code added, then let the people idly browse up to it with their security-compromised Microsoft Internet Explorer browsers.

    *Sigh*

    It is true, Microsoft do provide complete solutions.


    --
    404 Not Found: No such file or resource as '.sig'
  147. Re:Inaccurate by DrSkwid · · Score: 1

    thing is IE isn't a browser

    it's an application platform almost akin to a little OS.

    And I'll gladly bet ya $5 there are thousands of Linux machines running vulnerable Bind in small web shops and on hosted machines in ISPs.
    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  148. Re:that breaks important browser features by Animats · · Score: 2
    Yes, it breaks some browser features. Here's how that could be dealt with.

    To let a file out of the jail, it has to be shown to be harmless. This is the job of a "downgrader" (actually, we're talking about an "upgrader" here, but the terminology comes from DoD security and is traditional), a trusted application which examines files to determine if it is safe to change their security level. A reasonable automatic downgrader for web content would strip all executable content and anything else it didn't understand, leaving only plain HTML and images. A manual downgrader for other stuff may also be available, depending on site policy. Its use might be restricted; in a DoD environment, only the security officer could run it. The point, though, is that this sort of thing is a rare event and requires special attention. The browser does not need enough privileges to do it independent of the user.

    Letting the browser run player-type apps is OK, but they have to run in their own jails. This handles things like PDF, MP3, Flash, etc. But it prevents players from snooping around the local system and secretly sending info out to somewhere else.

    Within a session, the browser can reply to cookies. Whether it's allowed to save them permanently is a separate issue. It's quite possible to have a browser that has no memory at all from session to session. You'd want this in a kiosk system, but not in other places. The right way to do this is to have a browser state downgrader that runs at browser exit or on user request. It examines new cookies and bookmarks and asks whether it's OK to save them. This is a trusted program, but a small one.

    Note that none of the enforcement of these rules is in the browser. It's all in the mandatory security system that restricts what a process can do. The browser has to be modified to work under the restrictions. Again, the code in the browser isn't trusted. Only small, dumb programs with the absolute minimum functionality to do their job are ever trusted.

    The trick is doing this without annoying the user too much. From this discussion, it looks like that's possible.
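
The automatic downgrader described in the comment above, sketched as an added example (not code from the thread or from any project): an allowlist filter that keeps plain HTML and images and drops scripts, embedded objects, event-handler attributes and anything it does not recognize. The tag lists, function names and the sample page are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist (an assumption of this sketch): whatever is not listed here is
# "not understood" and is removed rather than passed through.
ALLOWED_TAGS = {
    "html", "head", "title", "body", "p", "br", "hr", "div", "span", "pre",
    "h1", "h2", "h3", "ul", "ol", "li", "b", "i", "em", "strong", "a", "img",
    "blockquote", "table", "tr", "td", "th",
}
VOID_TAGS = {"br", "hr", "img"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
# Containers of executable or embedded content: dropped with all they enclose.
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}


def url_is_safe(value):
    """Accept relative URLs and http(s); reject every other scheme."""
    # Remove whitespace and control characters first, so "java\tscript:"
    # is judged the way a browser would read it.
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True  # no scheme: relative reference
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES


class Downgrader(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities before we see them, so
        # "java&#115;cript:" reaches url_is_safe() as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # audit trail of everything removed
        self.skip_depth = 0    # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")  # unknown tag: drop the markup
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"{tag}@{name}")  # onload, style, ...
            elif name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append(f"{tag}@{name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped; it can never turn back into markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, doctypes and processing instructions are not overridden,
    # so the parser discards them.


def downgrade(html_text):
    """Return (clean_html, dropped_items) for one untrusted document."""
    parser = Downgrader()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample page, not taken from any real site or advisory.
SAMPLE = (
    '<html><body onload="boot()">'
    '<h1>Weekly report</h1>'
    '<script>document.location="http://example.invalid/"</script>'
    '<p>See <a href="java&#115;cript:run()" title="t">this</a> and '
    '<a href="http://example.org/doc.html">that</a>.</p>'
    '<img src="http://example.org/chart.png" alt="chart" onerror="x()">'
    '<iframe src="http://example.invalid/frame"></iframe>'
    '<object data="a.exe"><p>fallback</p></object>'
    '<blink>tail & more</blink>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, dropped = downgrade(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```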

  149. Web browsers belong in a jail by Animats · · Score: 4
    Web browsers should be running in a partition with very few privileges. They should be able to talk to the net, read their own code and resource files, write their own windows, see mouse and keyboard events in their own windows, and that's all.

    A good exercise would be to take NSA Linux and Mozilla and make them work under such restrictions. This might include managing the cache in a separate process with slightly different privileges. The cache manager needs to read and write the cache, but should never interpret the content. (Think of the cache as being managed by a built-in proxy server, while the main browser does no caching.) Configuration also needs to be done by a separate program and process, one that gets its input from the user, can't get input from the net, and can write the preferences files. This gets all the code that can write permanent files out of the main part of the browser.

    Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.

  150. New read and execute features in IE 5.5 by mr_gerbik · · Score: 5

    Combine this new exploit with this old one that lets you read any file off someone's hard drive and I think Microsoft might be able to market these as .NET features.

    -gerbik

    1. Re:New read and execute features in IE 5.5 by Joe+Snipe · · Score: 2

      Better yet, combine this bug with the "I love you" virus and patch everyone's system for them, one at a time...

      --
      Sometimes, life itself is sarcasm...
    2. Re:New read and execute features in IE 5.5 by leviramsey · · Score: 1

      What about Huckster?...

  151. Wohoo! by c.r.o.c.o · · Score: 1

    I guess this is why I'm using Netscape, Mozilla, lynx and a few other non-M$ browsers. Umm... No, wait... It's because M$IE won't run on Linux.

    Seriously though, I really don't remember any such exploits for Netscape, or the other browsers. I mean sure, there were (and are) web pages that would crash Netscape hard, but the worst case scenario was "killall -9 netscape" (or Ctrl+Alt+Del in Winblows) and that was it. It was only when the M$ crap took over the market that such things started happening...

    I'm not even going to go into that subject, since the rant that would follow would take maybe... 2-3 years? I mean between MSIE, Outlook and all the other M$ Internet software, we've had pretty much an attack a day...

    So this is hardly any news.

    1. Re:Wohoo! by Ayende+Rahien · · Score: 1

      http://www.linuxsecurity.com/advisories/mandrake_advisory-590.html - Netscape executes arbitrary code in JPEG files.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  152. Red Hat Linux not without its flaws by yerricde · · Score: 1

    Better to use an operating system that has not had a remote hole in three years: OpenBSD. (That is, if you can tolerate its slow-ass filesystem implementation.)

    --
    Will I retire or break 10K?
  153. Re:Browser/OS integration will always be risky by vex24 · · Score: 2
    When will Microsoft finally realise that integrating their browser into their OSes is not a good idea until it can guarantee security (ie, never)?

    Shouldn't that read... (I.E., never!)?

    --

    People shape laws. Not the other way around.

  154. Joys of non-competition by olman · · Score: 3
    The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;

    The problem is that we cannot move on. There is no alternative. We have to use whatever Microsoft gives us and smile while they shaft us. IMHO that's what the anti-trust trial is really all about and not whether or not someone's ability to "innovate" is being stifled by goverment regulations. If their product was just so good that everyone chose it out of their free will, people would move on to competitors when something like this happens.

    Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.

    1. Re:Joys of non-competition by kel-tor · · Score: 1
      I like Opera, it can even disable animated GIFs, and multiple homepages is cool for my daily comics.

    2. Re:Joys of non-competition by Ayende+Rahien · · Score: 1

      So, in other words, MS has the best browser in the market, and you somehow reached the conclusion that it is MS' fault that all the other browsers aren't as good, right?

      You *might* have a point in NS case, although I never heard of good evidence about it. Mozilla's faults are its own, however.
      Besides, there are dozens of other browsers for Windows that you can try.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    3. Re:Joys of non-competition by Ayende+Rahien · · Score: 1

      There were free browsers long before Netscape.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    4. Re:Joys of non-competition by clontzman · · Score: 1
      Think: if not for Microsoft, it would still today be realistic to charge money for a web browser.

      It's easy to forget that people had stopped paying for Netscape LONG before IE became a freebie. Of the millions of Netscape downloads before IE 3 (the first viable version of that browser), I'd be willing to bet that the percentage of those copies of Navigator actually purchased and paid for was in the single digits. The browser was never a viable revenue stream for Netscape (though, ironically, it seems to be for Opera).

      Besides, if the open source model really works, Netscape should be able to make a superior, more bug-free version faster, give it away for free, and charge for the support and/or distribution media.

      Right?

  155. Windows Update doesn't have this? by _Bean_ · · Score: 1

    I kinda figured this would at least warrant a critical update instead of some patches hidden away where my parents will never find them.

  156. Re:Inaccurate by Kristopher+Johnson · · Score: 1

    I'd really like to moderate this up, as it's the nicest rant-counterrant exchange I've ever seen on /. Kudos to both of you. It's too bad that more posters don't act like this.

  157. What's the big deal? by Otis_INF · · Score: 2
    There is a bug, MS released a patch, thanks to the generous Juan Carlos Cuartango and everyone can go on with their lives.

    /., you will have a busy time, reporting all KB articles about security of all MS products, as you also report all security related documents about all Linux related software of course. I think bugtraq can file for chapter 11.
    --
    Never underestimate the relief of true separation of Religion and State.
  158. Re:Inaccurate by fungai · · Score: 1

    Microsoft is developing a literal track record when it comes to security vulnerabilities
    So does every one else. Go to securityfocus.com and you'll see that every Linux distro, SUN, HPUX, *BSD etc has a bad track record when it comes to security. This is not just a MS thing.

  159. browsing or e-mail? by kisrael · · Score: 1

    The security brief seems a little unclear... it seems like the vulnerability is e-mail related, but you can get it browsing websites? Is it IE using outlook, or outlook using ie that's the source of the problem?
    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
  160. Next monday? by jedwards · · Score: 2
    Next monday you have this security update to look forward to.

    The URL is http://www.microsoft.com/windows/ie/download/critical/q293818/default.asp and the page starts

    Security Update, April 2, 2001
    This update resolves the "Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard" security vulnerability,

  161. Re:Linux doesnt get bugs? by starseeker · · Score: 2

    Pardon me, but nobody is paying large amounts of money for Linux unless they want to. Microsoft demands large hunks of cash, so they should be held to a standard. Linux is free. It makes a difference.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  162. Re:SP2 by Darth+Turbogeek · · Score: 1

    Enlightened and Netscape are not two words I would associate with each other. Spectacular crash and Netscape.... well there we are on more agreeable ground.

    It's a worry, ain't it? On one hand you have fairly common security holes, on the other you have usability issues. Browsers suck, no doubts about that.

    --
    "Old Rallydrivers never die - they just fail to book in on time"
  163. Well okay, fair complait re : security of system by Darth+Turbogeek · · Score: 3

    But to be honest, a system is only as secure as the user or the admin sitting at it. Uneducated users are the most dangerous security hole there is. You can have the best security, the least buggy code, but if you have a tool using the system you may as well go flush your hard worked over security systems down the drain. Okay, that is expanding on the truth, but it's a frustration I feel every day.

    I know we will see dozens of anti M$ bites, but really, who are we kidding? Security is not an easy thing and everyone gets it wrong at some point. I had a supposedly secure Sun OS 0wnd by a script kiddie all because the damn admin wanted telnet open. What can you do if people won't take security seriously? I run an IIS webserver due to an app needing it and it has been attacked - it has stood up because I keep up with the latest problems. You just have to do it.

    You also have to realise security is a tradeoff. I can guarantee I could build you a Linux server so tight only the true elite would root it.... but how usable will it be? Not very. The problem demonstrated here is that very tradeoff, MS wants usability, so do the unwashed masses. Makes it easy to exploit. Tighten it up and the unwashed wonder why they can't download their porn without some popup telling them that this download or link could be malicious and to proceed after the seven other warnings they would get.

    What's the solution in the end? Geeks like us educate the Great Unwashed maybe, I don't know. Certainly a different security paradigm than what Microsoft has.

    --
    "Old Rallydrivers never die - they just fail to book in on time"
  164. Oh my god! How many more bugs do you think people will find in M$ software? I'm actually getting very tired of hearing about it!

  165. Re:Inaccurate by f5426 · · Score: 3

    > OK. My apologies. :)

    OK. Let's say I remove this comment about the placement of your head. :-)

    You know, I just commented on your first sentence, and I must admit not having read the rest of your post. So much for intellectual honesty. You were such an easy target...

    > I would go into a long rant here about my personal belief that unweildiness of Mozilla

    That would be interesting. I find mozilla code awful, and believe that the original sin was to make 'dynamic' code with C++. When I look at the code, I pity them, as they took great amount of pain to code in C++ things that would have been natural with Objective-C. Of course, I am biased on this :-)

    Cheers,

    --fred

  166. Re:Inaccurate by f5426 · · Score: 5

    > first off, Creating something like BIND is infinitely more difficult than something like MSIE--

    Gently put your head out of your ass. You obviously don't know what you are talking about. Bind is a two-banana hack compared to MSIE. MSIE has about the same complexity as Mozilla. Ever looked at mozilla source code? Ever tried to build it? Now take a look at BIND source code. Build it. Draw your conclusion in terms of complexity.

    A BIND bug is very serious because it can compromise huge segments of the network. But people that run BIND know what they are doing (or should know). And there are alternatives.

    A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.

    So, IMNSHO, a MSIE bug is more serious than a BIND bug.

    Cheers,

    --fred

  167. Re:Not Suprising by Chester+K · · Score: 3

    Then again, it wasn't CmdrTaco who posted this, but we're making strides.

    I'm impressed with the comments I've seen moderated up so far. Usually stories like this are flooded with comments like "Microsoft sux0rz, this is why Open Source is better!"

    Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?

    --

    NO CARRIER
  168. Don't worry, you're safe... Uh, no, you're not... by EschewObfuscation · · Score: 2
    from the ms website describing the flaw:

    Mitigating factors:
    The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however.

    [snip]
    Would IE always execute the attachment?
    No. IE would only execute the attachment if File Downloads were enabled in the Security Zone that the e-mail was opened in. However, File Downloads are enabled in all zones by default.



    --

    (email addr is at acm, not mca)
    We are Number One. All others are Number Two, or lower.
    --The Sphinx
  169. Re:SP2 by cyber-vandal · · Score: 1

    Or Kmeleon or Galeon.

  170. Reality Check by DeICQLady · · Score: 1

    Yes, yes, blame Microsoft, they are the reason that my friends from other countries are profiled on campus, they are the reason it rained today...

    If anyone ever stopped to actually look into their "Internet options" (under Security, wow!) they would realize that they can be as paranoid as they want and get every security message known to mankind if they wish, to only run signed scripts etc.

    I am actually getting quite tired of the Slashdot mentality of blame the [big] company first, then look into the facts after. (How come no one bashes Sun? They don't take the time to invest in young developers... How come no one bashes IBM, well they are cool and all but don't you think that if Linux moves no where between now and the XP release that they'll not push it as hard?). This is what I do not understand, sorry I don't buy into group mentality.

    Microsoft, like every other software company, Red Hat, blah, blah cannot find every bug in a release, heck, no software works exactly the way you want it to.

    Come on people, they found the bug and made a fix, let's start being a little more mature about this stuff.

  171. You have to use the Windows Update feature... by ram.loss · · Score: 1
    in my system it was not enough to download the patch. I had to use Windows Update and select the IE upgrade from the website.

    It seems that the "patch" is just an install program, because it downloads a bunch of additional files from MS site (~8 MB depending on what you choose).

  172. I dare not install Mozilla at work... by vandan · · Score: 1

    I work for a cost analysis company. We receive some of our data to be analysed by email. And we also need to keep copies of past email for legal purposes (disputes). We can't have Mozilla eating our mail because someone installed a theme it didn't like. Or destroying the whole .mozilla directory when I upgrade to a less buggy version. I just can't put my butt on the line and have Mozilla barf. I can handle having IE installed and blaming Microsoft for the problems. I assume this situation will swing when Mozilla stabilises...

  173. This explains it by slashdoter · · Score: 1
    A classmate asked why the NSA was not using Windows for its high security version. Heh, gotta love it.


    ________

    --
    Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
  174. Whats *arbitrary* code? by Smuffe · · Score: 1

    ...a user code execute arbitrary code...
    This I'm not worried about. It's when they start executing specific code that I become scared.

  175. you obviously don't TRY to run Mozilla by Xiphoid+Process · · Score: 1

    Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.
    Drop the FUD, I've been using Mozilla exclusively for months, if you grab a good nightly build off of mozillazine.org Mozilla almost never crashes. Actually, I can remember only twice in two weeks, and I run Mozilla on my Linux box, my '98 box, my roommate's '98 box, my girlfriend's 2000 box, and my NT4 box at work.

    --
    got drum'n'bass?

    http://mp3.com/vitriolix
  176. Re:Inaccurate by bluebomber · · Score: 2
    I know of no Linux user who runs server software like bind or proftpd who does not monitor their logs, subscribe to security listserves and is generally paranoid about being hacked.

    Unfortunately, as linux use by the great unwashed masses grows, there will be more instances where the user presses the "server" button on the installation gui, thus exposing bind, ftpd, and everything else with a potential vulnerability.
    -bluebomber

  177. Linux by kowpie · · Score: 1

    I can work on it without having it crash on me over every damn thing. WINDOWS BLOWS, any person who knows what they're talking about knows that, and Linux works well while Sun OS's and Unix blow everything away, so stfu about Windows being great, you people don't know jack, go change the screen saver, I got work to do in my SECURE and STABLE OS

    1. Re:Linux by Cigamit · · Score: 1

      I run both Linux and Win2K and found both of them to be fairly stable and secure.

      In RH7, I have had X crash on me many many times and for no apparent reason that I could see. But after finally solving that problem, I had to take a trip to the Red Hat site and install the 50 or so security patches / updates. RHN made it a little easier, but not as easy as it is for me to just jump onto the Windows Update site and click a few times.

      I currently have a Win2K box at work that has an uptime of 124 days. And that is only because the power went out. It does everything I use the Red Hat box for: http server, ftp, mail server, mysql, php, cgi, irc bot, and I use it to back up my workstations nightly over the network. It boots faster and it's easier to manage.

      Now don't get me wrong, I luv Linux (I use both daily) but it just irritates me when someone gets so fanatical about something to where they can't see the good points on both sides of the line. I say embrace them both, each one to its purpose.

      Jimmy

  178. Not Suprising by ASyndicate · · Score: 1

    Big Shocker!

    --
    This page left intentionally blank.
    1. Re:Not Suprising by Fervent · · Score: 2

      Unless you like it, like myself. Windows 2000 only, thanks.

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    2. Re:Not Suprising by Fervent · · Score: 2
      I just like Linux because I can develop easily on it (I learned g++ first and it's still just about the only compiler I like to use).

      "Pride of ownership" means absolutely nothing to me. Usually people who try to fix their own faucets end up flooding the house anyhow.

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    3. Re:Not Suprising by Fervent · · Score: 2

      That should be +1 funny for sarcasm.

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    4. Re:Not Suprising by Fervent · · Score: 4

      No, the shocker is that a Microsoft bug was posted on Slashdot with the (entirely unbiased comment I might add) phrase "patch now, patch now". For once, Slashdot is caring about those who view their site from the other side of the fence. Then again, it wasn't CmdrTaco who posted this, but we're making strides.

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

    5. Re:Not Suprising by telekon · · Score: 1

      I don't find Taco's MS-bashing-even-though-he-uses-windows amusing, because it's not ironic. Of course the /. man who uses Windows bitches more; he has more to bitch about. I still have to use Windows more than my friend who has managed to run 100% Linux and BeOS for about a year... I bash Microsoft approximately 637% more than he does, because he only has to deal with the news and propaganda; I still have to use their crappy product.

      --

      To understand recursion, you must first understand recursion.

    6. Re:Not Suprising by WPL510 · · Score: 1

      The real shocker is that we're slashdotting a Microsoft site. You know, something about that just feels... wrong.

    7. Re:Not Suprising by grammar+fascist · · Score: 1

      Your sig is absolutely frightening. :)

      --
      I got my Linux laptop at System76.
    8. Re:Not Suprising by terrymah · · Score: 1

      It's my opinion that the majority of people here (95%) don't hate Microsoft, aren't very evangelistical, and probably use Windows with some frequency. Most of them are just afraid to speak up, or lie because they're karma whores.

      The other 5% just happens to be much louder.

    9. Re:Not Suprising by Henry+the+Orange · · Score: 1

      Windows Update, of course, automatically distributes patches, so it isn't really necessary for Windows Update users to know about security holes, but there's no harm in knowing either. On the other hand, these things are generally found/patched before anyone with criminal intentions finds them. There was a similar remote exploit in every UNIX version of Netscape for literally years (all versions prior to 4.76 were vulnerable), and I haven't heard of one case of it being exploited before it was found and fixed. Of course, now that it's known, anyone running pre-4.76 versions of Netscape is asking to be attacked, since, as far as I know, the only fix is to upgrade (i.e. no patch for old versions).

    10. Re:Not Suprising by Rabi+Schmooley+Schek · · Score: 2

      Why must you Microsoft zealots be so defensive about your OS? Don't you see how it only makes the world dislike you more? We are all aware of Microsoft's callous attitudes towards protecting its less informed users and how they essentially take advantage of them. I think it's really sad to see so many of you here in this tech forum who continue to turn a blind eye. It makes me sad to see so many people get hurt by these inept attempts to make a secure product. I beg of you all, let's all band together and raise the bar.

      --


      Peace be with you
  179. Re:that breaks important browser features by 3247 · · Score: 1
    It's good to be able to browse pages and decide to save them to a file, and that means the browser has to be able to write to the file system. It's also good to be able to upload files, and to get to a certificate store (for SSL).

    You could use a sandbox that allows the browser to access all web-browsing related data (e.g. SSL certificates etc.). You could also use some interfaces that allow the browser to escape the sandbox for certain operations like saving etc.

    For example, the browser could only read its SSL certificates in its sandbox, but another programme that is not running in the sandbox and does not trust the browser could accept SSL certificates or other data for saving only after the user chose to do so.

    --
    Claus
  180. Headline by /dev/urandom · · Score: 1

    "Serious Security Flaw in MSIE 5.01, 5.5"
    Flaw? Singular?

  181. Re:How many IE users will download this patch then by mroshea · · Score: 1
    "Tested Versions: Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." In other words the vulnerability probably exists in IE 4 too but they don't care - not supported. Also, I'd expect most Mandrake (or does that affect all Linux kits - I guess so) users to be reasonably aware of the bug you mention. However, I wouldn't expect ordinary corporate/home IE users to habitually check Microsoft's security update centre, even if they knew such a thing existed. I'm thinking of the countless squillions of non-techie desktop users who just don't know about these issues. The dominant market share held by IE with this demographic only exacerbates the problem.

    I, for one, am glad I'm aware of issues like this and can avoid it (Mozilla :) - it's frustrating to think of millions of others without so much as a clue the vulnerability exists...

  182. How many IE users will download this patch then? by mroshea · · Score: 2
    This has to be the worst bug turned up in IE to date - visiting a website gives them full permission to run executables on your machine. Aaarrrgghh. Why don't the Windows OS's ship with anonymous telnet and ftp daemons running by default? Save you the "edge of your seat" ride while you tippy-toe around the net in fear.

    I wonder how long it will take the 5 squillion users running IE5.x to install that patch (let alone the 50 squillion running IE4.x). How quickly will corporate IT departments roll it out? Combined with Verisign accidentally issuing Class 3 certs to some bloke with the common name "Microsoft Corporation", Microsoft must be just waiting for the class action suits to roll in.

    I can't wait until .net comes. Think about it, I can just forget my Windows passwords I keep in my head because they will be redundant.

    IT admins, go to brown alert...

  183. Re:Inaccurate by Gibbys+Box+of+Trix · · Score: 2

    if you run Windows you have no such choice. It is installed and it is running

    So explain how come I read my email and browse the web from Windows without using OE and IE?

    Hint: Lotus Notes and Opera.

  184. Re:Pet Peeve by sydb · · Score: 1

    Yeah but you are just making everything up. You are grasping at straws. Got any actual references?

    --
    Yours Sincerely, Michael.
  185. Re:Pet Peeve by sydb · · Score: 1

    In light of this feeble response to "Computer!", I'd like to take this opportunity to advise other readers not to post at 3AM after a night of substance (ab)use.

    Understand I stand by what I originally wrote, but right now I can't motivate myself to defend my position.

    --
    Yours Sincerely, Michael.
  186. Re:Pet Peeve by sydb · · Score: 3

    You are delusional.

    Windows has existed in its present forms for about five years.

    I presume you are judging the OS by the GUI. Windows NT version 3.1 was released on July 17, 1993. The GUI was different, but the architecture was there, care of David Cutler.

    That was the release date. Microsoft recruited David Cutler in 1988, well before Linus started.

    Superior UI? Look at the quality of window managers. I'm sorry, but Sawfish, Window Maker and Enlightenment all kick Windows' butt when it comes to utility and control. And themability makes them look good too.

    OO Architecture? Um, I think you'll find Gnome and KDE are riddled with OO.

    Greater variety of hardware? NT had x86, Alpha, MIPS, even PowerPC, but they're all unsupported now. The free OS's easily wipe microsoft's peachy behind with their portability and the number of actual ports. All of those above plus loads more.

    They've had the desktop market since the PC clone became popular. There wasn't a real desktop market before this. They didn't take that from anyone.

    Yes, NT is taking share from Unix. But the free OS's, chiefly Linux, along with the rise of the Internet, is challenging this.

    MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has
    No, they just keep re-releasing the same code with new bells and whistles. The bulk of the code has been made by other companies, later bought up by MS.

    Perhaps you can tell I do not like MS. I grew up with MS and I used to love their products. I still like the style of their early manuals (when you got them). But maturity and familiarity have given me perspective. I think you need some too.

    --
    Yours Sincerely, Michael.
  187. Re:Inaccurate by Fervent · · Score: 2

    The browser code isn't "integrated" into the system. It consists of a bunch of libraries that can be used by other applications. See Norton Systemworks, NeoPlanet and the like for apps that use the IE libraries.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  188. Re:I hope this is enough of a definition for you. by ebola_elvis · · Score: 1

    I checked out
    http://lists.nat.bg/~joro/webctrl2.html
    and the date on the page was september 4th, 2000. why is this only getting publicity now?

  192. Inaccurate by Reality+Master+101 · · Score: 4

    Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]

    That is inaccurate. It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? It's a feature, not a bug, that you can reuse components in various applications without having to rewrite them.

    KDE would have exactly this flaw if the Konquerer component had this flaw and an e-mail reader used the component.

    In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.


    --
    Sometimes it's best to just let stupid people be stupid.
    1. Re:Inaccurate by eV_x · · Score: 1

      Then your friend is full of complete and TOTAL crap. Having worked at MSFT for quite some time with about 20 different groups, your friend is just telling you BS. The poster wasn't referring to OO in the sense you're referring to, but the component model that MSFT uses (.dll). Almost all MSFT apps share components between each other so your statement is completely not true.

      What's sad is that people reading your post will take it as the truth and go post the same elsewhere to distribute more FUD crap.

    2. Re:Inaccurate by ThomK · · Score: 1

      HTF is this funny? Please moderate responsibly.

      --

      TK

    3. Re:Inaccurate by Torak- · · Score: 1

      You're a moron

    4. Re:Inaccurate by CowbertPrime · · Score: 1

      So why don't we all bash BIND or BIND distributed for linux? Or maybe we can bash sendmail (pun not intended) or wu-ftpd. They all have terrible track records. Every unix admin knows that.

      In effect, if you really wanted to bash Microsoft, you would need to go all the way back to DOS as a single-user system and no application-kernel protection. As the system isn't even designed with multi-user security and posix safety interlocks, how do you expect it? In IE, the application is the only barrier between the web and the kernel. In UNIX, you might be able to defeat the software (like qmail) but can't root the box because you'd have to defeat 5 or so safety interlocks presented as multiple user accounts (in the case of qmail).

      If you want to make a constructive criticism, then you should have them rewrite the whole OS. This has partially been done; this vulnerability isn't as "bad" in Win2k as long as the victim isn't logged in as administrator (root).

    5. Re:Inaccurate by FreeForm+Response · · Score: 1

      And btw, I'm a versed FreeBSD/OpenBSD/Linux/Win NT 4.0/Win2k administrator and have rouhly 600 servers under my belt and in working order even as we speak.

      And yet he cannot spell... =)

    6. Re:Inaccurate by Coyote67 · · Score: 1

      This is such utter bullshit. You blame microsoft because the people who use windows don't know what they are doing? For BoB sakes, the link to the update site is on their start menu. How much easier does it get? Also, remember that notification thing that's on by default on almost all retail systems? I know tons of brain dead users who see that thing pop up and they go and update. Saying that so few people will use the updates and that they are morons just goes to show what a prick of a guy you are. People are less brain dead than you think.

    7. Re:Inaccurate by NecroPuppy · · Score: 2

      Why would you want to uninstall IE?

      Because I don't want that bloat on my machine?

      Because I never use IE?

      Because I prefer using a browser that doesn't cause unrelated, third-party apps to crash?

      --
      I like you, Stuart. You're not like everyone else, here, at Slashdot.
    8. Re:Inaccurate by MeowMeow+Jones · · Score: 2
      Maybe your "friend" should run regedit and look at HKLM/Software/classes or at least read a book on COM

      --

      Trolls throughout history:
      Jonathan Swift

    9. Re:Inaccurate by einhverfr · · Score: 1
      Nothing prevents you from using another browser/email/news program in windows.

      Of course not. But you cannot uninstall IE without breaking Windows.

      Sure you can install KDE and GNOME on the same Linux box, and all their APIs remain exposed, allowing KDE apps to run in a GNOME environment, etc. The same holds true to a lesser extent with IE, though many of its core functions are called by other core Windows programs like explorer.exe.

      And any VB app with a browser control calls IE, etc. Heck, without IE, Windows won't run!

      --

      LedgerSMB: Open source Accounting/ERP
    10. Re:Inaccurate by einhverfr · · Score: 2
      So why don't we all bash BIND or BIND distributed for linux? Or maybe we can bash sendmail (pun not intended) or wu-ftpd. They all have terrible track records. Every unix admin knows that.

      I agree to a point. However, if you run Linux, you have the choice of running Bind or Sendmail while if you run Windows you have no such choice. It is installed and it is running. This is exactly why I run Linux: because I can strip down portions of the OS that are of questionable security and/or heavily restrict them. Again with Windows I cannot do this, though I can:
      * refuse to run MS Access on any computers that I browse the internet on. (Major security problem here... I am sure dedicated people will find more info).
      * try to install what security fixes don't break the system.

      With Linux or UNIX, the modularity is a real advantage when a box is properly administrated -- a bind fix is unlikely to crash X, and a fix for sendmail is unlikely to crash Apache. With Windows, the integrated environment makes this separation next to impossible. A fix for IE might break IIS, for example because IIS depends on IE. It could even crash Windows!

      That is a very real difference. Yes, most Linux distros out of the box are quite insecure, though Mandrake offers high-security settings which are rather effective at making a single user's experience miserable by locking out any administrative features (great for servers, though).

      Don't get me wrong. I don't think that Microsoft deserves all the blame here. Why is it that consumers seem to favor expediency (unsandboxed VBA, etc) over security? Microsoft has a track record particularly in the consumer products regarding security which is far worse than any of the products you mention. But it is because there is no profit in it for them to have security at this point, but rather be able to market massive features to the public.

      We should not blame a company or consider their actions to be irresponsible. Rather we should try to make consumers aware and hence change the market.

      --

      LedgerSMB: Open source Accounting/ERP
    11. Re:Inaccurate by einhverfr · · Score: 2
      So explain how come I read my email and browse the web from Windows without using OE and IE?

      Just because you are running Opera does not mean that IE is not running (hint: since Win 98, explorer.exe and iexplore.exe are not so different and they can call each other).

      Yes, as demonstrated in the antitrust trial it is possible to suppress IE on even these systems (and despite the added overhead of such a program, Windows 98 ran faster, see the "Findings of Fact"). However it is impossible to completely eliminate it because the core functions of IE are buried deep in the OS. (ibid)

      --

      LedgerSMB: Open source Accounting/ERP
    12. Re:Inaccurate by TGK · · Score: 1

      A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.

      Ok, I'm gonna be Captain Obvious here, but isn't this the crux of the problem? Fundamentally, if you want to have a system that's compatible with Joe Sixpack's you've got to buy a MS product.
      Because of this system, every PC out there built within the last 6 years has a copy of IE on it. Hell, you can't even get the damn icon off your desktop without going to rather a lot of trouble.
      Many have touted the superiority of the IE browser over Netscape due to running speed. This is (of course) due to the fact that MS can look at the f&%*ing kernel! This does make optimization rather easy eh? As far as running speed and superiority of the product because of, I think this boils down to apples and oranges.
      But back to the main point. So we've got all these PCs run by Joe Sixpack. MS puts a notice up on some obscure portion of their website and calls it a warning. (We won't get into the fact that this bug forces you to download a newer version of IE or switch to Netscape if you are running an unsupported browser.) What kind of responsibility is that?
      MS has a responsibility to protect its users from security holes. Put a hole like this in, say, a home security system, and they have to recall the damn thing. When the very functionality of the system is endangered and the user (or in this case the user's data) is laid naked before the world that's a time for a RECALL OF THE PRODUCT. MS needs to take out ads on major television networks, this kind of data needs to be made available to the public in a widespread manner. Why is software any different than any other product? When it's hazardous it is the responsibility of the company to let the user know.
      This has been another useless post from....

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
    13. Re:Inaccurate by BVis · · Score: 1

      MS isn't responsible for User Head Gap. If the user is dumb enough not to read the box when it pops up, this gives their tech support one more opportunity to tell them "If you READ the SCREEN you will find the answer to your question is there." I dream of a world where tech support reps can say this to the idiots that call. Without being fired, that is. $deity forbid someone should be TOLD when they're being dense. They might actually (gasp) LEARN from the experience.

      --
      Never underestimate the power of stupid people in large groups.
    14. Re:Inaccurate by dachshund · · Score: 1
      Well, don't forget how many million more users run IE/Windows than wu-ftp. BIND holes are a big problem, but they get good coverage (despite the fact that the actual BIND-running community is small, and they all have their own listservs.)

      Really, if Coke announced that there was Benzine in their 2-litre bottles, and Moxie did the same, which do you think should make the biggest splash?

    15. Re:Inaccurate by _n2d33p_ · · Score: 1

      Okay, I use linux as much as possible, but one problem with linux trolls like the one that wrote this article is that they LOVE to bash every other OS when applicable, but get all defensive and start spouting off BS when someone mentions an issue with their OS of choice. Case in point, "OMG THEY CAN RUN CODE ON MY WINDOWS BOX" woo, ph34r n4sty popups. okay, now, take linux, RedHat, hrm, i can think of 5 different ways to root a RedHat 6.2 server and hammer out 80M/sec of bandwidth or just destroy a company's web presence in no time at all. Now, the next thing that will be said "anyone that relies on out of the box security is stupid." MS Does, and releases patches when necessary. just like linux, only difference is, I'd much rather have some code run on a windows box, rather than have my company's web presence deleted. Every OS has a time and place. A truly good admin understands this, accepts this and implements this. You my friend are your avg. MS Bashing cause it's cool linux zealot and should be shot. And btw, I'm a versed FreeBSD/OpenBSD/Linux/Win NT 4.0/Win2k administrator and have rouhly 600 servers under my belt and in working order even as we speak.

    16. Re:Inaccurate by Ayende+Rahien · · Score: 1

      What about IE on NT?
      Security is not worth talking about in 9x.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    17. Re:Inaccurate by Ayende+Rahien · · Score: 1

      Nothing prevents you from using another browser/email/news program in windows.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    18. Re:Inaccurate by Ayende+Rahien · · Score: 1

      Your friend saw a small amount of code, and somehow reached the conclusion that MS doesn't re-use code, right?

      Here is a thought, maybe, in the small amount of code your friend saw, there wasn't a point in reusing code?

      Beside, it doesn't take long to see code reuse in windows.

      Outlook & OE, frex, use IE as an HTML renderer.
      A lot of other applications do the same, FWIW.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    19. Re:Inaccurate by Ayende+Rahien · · Score: 1

      > What is the point of that statement? A would have this flaw if A had this flaw? Well.. yeah. But the point is it doesn't. And even if it did. You have the source. Even more important, you have choice. GNOME? KDE? WIN32?

      Netscape, Mozilla, Opera

      --
      Two witches watched two watches.
      Which witch watched which watch?
    20. Re:Inaccurate by Ayende+Rahien · · Score: 1

      Are you insane? You think that IE is the only one with bad track record, here is a short list:

      http://browserwatch.internet.com/news/story/netscape31.html - Bad encryption in netscape

      http://www.linuxsecurity.com/advisories/caldera_advisory-649.html & http://slashdot.org/articles/00/08/06/0222241.shtml - Netscape expose all your files to the web.

      http://slashdot.org/articles/99/02/05/101227.shtml - Netscape expose personal data

      Here is what I was looking for:

      http://www.linuxsecurity.com/advisories/mandrake_advisory-590.html - Netscape execute arbitrary code in JPEG files.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    21. Re:Inaccurate by Ayende+Rahien · · Score: 1

      Why would you want to uninstall IE?

      As you noted, it's used extensively by a lot of applications. If you would remove it, you would lose a lot of functionality.
      Think about it like a installing KDE API on GNOME desktop, you need the API for the applications to run.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    22. Re:Inaccurate by Ayende+Rahien · · Score: 1

      You use IE all the time.
      There are two parts of IE, the bigger one is the rendering engine, the other is the UI.
      Since Windows use IE rendering for a lot of things, (help, explorer's side bar, active desktop, customized folders, programs, etc).

      What prevents you from using another browser? And when & how does IE cause unrelated 3rd party apps to crash.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    23. Re:Inaccurate by Ayende+Rahien · · Score: 1

      You can use another browser, and not use IE at all.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    24. Re:Inaccurate by Ayende+Rahien · · Score: 1

      That is... extremely strange.
      I wonder how it's done.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    25. Re:Inaccurate by Ayende+Rahien · · Score: 1

      Actually, Netscape's track record is much worse, but I just choose several random ones.

      I don't know where netscape keeps its bugs database, but I'm sure you would find a lot of security problems with Netscape.
      They are less heard of because Netscape lost so much mind & market share.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    26. Re:Inaccurate by beelzebubu · · Score: 2

      In your dreams.

      A friend of mine has been able to see some of the source code of M$' products (sometimes, M$ provides small bits of source code to students). According to him, the amount of reused OO-code is nada (z-e-r-o).

      Probably only the GUI-toolkit (buttons, boxes, etc), but is that what we really care about for a good OS?

      And for anyone yawning about us bashing IE/M$ when new bugs are discovered - far more bugs have been discovered for IE than for, for example, mozilla. Also, outlook is far more buggy than evolution. Although evolution and mozilla are not even final (non-beta) yet! coincidence? I don't think so...

  193. SP2 by Alien54 · · Score: 3
    For those of us not so enlightened as to use netscape or mozilla, this means another trip to the microsoft website.

    Special note of warning, the website has been more messed up than usual over the past few days, especially in trying to download the 5.01 sp2. I'm still trying to find the full package in one compressed file so that some folks can save the bandwidth.

    My opinion: reports and pr to the contrary, the bit and piece auto install over the net is not more convenient. Especially when you have people mobbing sites for an update.

    But if you are here reading this, you probably know this already.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:SP2 by Halcyon-X · · Score: 1
      But if you are here reading this, you probably know this already.

      Does this mean you're asking people to mod this to "Redundant"?

      --

      .sig: Open Source, Open Mind

    2. Re:SP2 by leviramsey · · Score: 1

      There's always Opera...

  194. This is NOT news by The+Llama+King · · Score: 1
    This problem has been known for some time, and is patched in the IE 5.5 SP1 that was released a couple months back. In fact, I believe there was a separate patch for it prior to the release of the SP.

    Nothing to see here, folks, move along ....


    --
    C'mon, baby, kiss The King.
  195. French fries and Opera by dstone · · Score: 2

    I can't tell you how many people I've talked with, technical people mind you, who don't know that there's any browser besides IE.

    You've talked to lots of technical people that aren't aware of Netscape?! Are these the "technical people" who clean the fry vats at McDonalds?

    Now, I'm not saying that Netscape is a good browser, mind you... (I just can't believe a technical person hasn't heard of it)

    I really really dig Opera, and you're right -- way more people need to give it a try. The bug reporting on their site is fine, but they would really be top-notch in my books if they'd let us browse their bug database.

  196. This has happened on many browsers before. by Bungie · · Score: 3

    I don't know what the big deal is here. This has happened to many other browsers before, including older versions of IE. With new standards, scripting and virtual machine technologies being implemented in browsers continually, it is expected. It is a simple browser vulnerability, and that is all.

    This is not new, if you read Bugtraq, or even Georgi Guninski's page, you will see this and many other exploits are a common occurrence in many browsers. Even browsers that handle only plain html like Lynx have been proven vulnerable at times.

    Since IE3, many vulnerabilities like this have popped up in MS's browser. IE3 was far worse, as both the Windows and Macintosh platform could both be exploited in terrible ways. Also, we can't forget the famous Netscape Brown Orifice exploit, which Netscape admittedly couldn't even fix in their 4.x series of browsers. I'm sure there are some fine exploits waiting to be found in the lesser used browsers too, but they are just far less reviewed by the security community.

    Now I don't think its right that such vulnerabilities exist, but bugs will always be present in software. Internet Explorer just happens to use a lot of mixed technologies and therefore there are more ways for it to be exploited. This is nothing more than someone exploiting a vulnerable version of BIND or RPC. The only difference I find here is that Microsoft is involved, and thus makes a good sensationalist Slashdot target.

    --
    The clash of honour calls, to stand when others fall.
    1. Re:This has happened on many browsers before. by Quazion · · Score: 1

      quote: Internet Explorer just happens to use a lot of mixed technologies and therefore there are more ways for it to be exploited

      why mix technologies! To get a better security ? If i want to see html files i use a html-viewer, etc why mix all these things ? user-friendly...maybe but in the end ? exploits.

      I think we would have less exploits if we separate all software for what you want it to do and not want we can put for extra features in it, so we can show off with it...

  197. Ahem. by ZanshinWedge · · Score: 2

    so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine.

    Not everyone uses Outlook to read their email. If you do. Tools > Options.... > Security > Zone Settings ... > set to "Restricted Sites" then click "custom level..." ... disable all scripting and active X shtuff.

    Poof, done. Now you should be safe.

    1. Re:Ahem. by ZanshinWedge · · Score: 2

      Uhhhh no, as another person has pointed out, this sets your default security zone for Outlook (or OE as well) to "Restricted" and sets up that zone to not run any scripts whatsoever. If you have IE's default zone set to "Restricted" and you have it set to run scripts then you fucked up. All of the other security zones are unaffected, and your default security zone for your browser can still be whatever you choose it to be.
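
Added example, not part of the thread: the hardening described in comment 197 ends up as per-zone URL-action values in the registry, so it can be checked from a `regedit` export of the `Internet Settings\Zones` key. The export text below is constructed sample input; the action IDs and the 0/1/3 policy values are the documented Internet Explorer zone settings, and the function names are this example's own.

```python
import re

# URL-action value names under ...\Internet Settings\Zones\<n>.
# These are the scripting and ActiveX actions the comment says to disable.
SCRIPT_AND_ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1405": "Script ActiveX controls marked as safe for scripting",
}
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}
RESTRICTED_ZONE = "4"  # 0=My Computer, 1=Intranet, 2=Trusted, 3=Internet, 4=Restricted

ZONE_KEY = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.IGNORECASE)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample: a Restricted zone where scripting was left enabled
# and one ActiveX action is absent from the export.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000003
"""


def parse_zone_export(text):
    """Return {zone_number: {action_id: dword_value}} from .reg export text."""
    zones = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = ZONE_KEY.match(line)
            # Keys that are not a zone subkey reset the context so their
            # values are never attributed to the previous zone.
            current = zones.setdefault(match.group(1), {}) if match else None
            continue
        match = DWORD.match(line)
        if match and current is not None:
            current[match.group(1).upper()] = int(match.group(2), 16)
    return zones


def audit_restricted_zone(zones):
    """List (action_id, label, state) for every scripting/ActiveX action
    in the Restricted zone that is not explicitly disabled.

    A missing value is reported too: the export alone does not show what
    the effective setting would be. This checks the zone's settings only,
    not which zone the mail client has been assigned to.
    """
    settings = zones.get(RESTRICTED_ZONE, {})
    findings = []
    for action, label in SCRIPT_AND_ACTIVEX_ACTIONS.items():
        value = settings.get(action)
        if value != 3:
            state = "missing" if value is None else POLICY.get(value, hex(value))
            findings.append((action, label, state))
    return findings


if __name__ == "__main__":
    for action, label, state in audit_restricted_zone(parse_zone_export(SAMPLE_EXPORT)):
        print(f"Restricted zone: {action} ({label}) is {state}, expected disabled")
```
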

  198. Does this affect IE6? by WPL510 · · Score: 1

    Microsoft made the Public Preview of IE6 available a few days ago. Does anyone know if it's affected by this bug? How is security shaping up for it so far? And speaking of new browser releases, Mozilla 0.8.1 has been out since Monday. New history, gopher support, theme uninstall (if only there were more themes to uninstall...)- works for me.

  199. Re:I found an even bigger one! by perlyking · · Score: 2

    Sometimes I wish there was a moderation option -1 : Makes everyone read fixed width text but stupid enough to try HTML tags anyway

    --
    no sig.
  200. That is *so true* by LuckyLuke58 · · Score: 1

    Very very very true. When I used to work 8+ hours a day DirectX stuff on Win98, it was very uncommon for me to have to press the ol' reset button less than 2 or 3 times a day. It did not influence my demeanour in a very positive manner. But when bitching about how crap it is to some other people I'd often get replies along the lines of "jeez you must be doing something wrong because my PC doesn't crash nearly so much". Upon thinking about it, I realised that these people used their PC's only a few hours a day, and also did not run very intensive applications (e.g. a bit of word processing here and there, maybe some web browsing + email, some game playing etc). I've thankfully now shifted my development over to (almost) primarily Win2K. And what a pleasure it is. Win9X is dogshit, no doubt about it. "Pulsating screaming hatred" pretty much hits the nail on the head.

  201. Win2k by Starbreeze · · Score: 1

    Well it seems if you are running Win2k with ie 5.55 you don't need this patch, at least that's what it tells me when i try to install it :)

  202. AWESOME! This means that I can by spineless+monkey · · Score: 2

    If I can execute any code that I want, perhaps my windows applications will run? Correct?

  203. Uh oh, the patch is signed with a Verisign cert! by phr1 · · Score: 1
    So how do we know it's not really from last week's hax0r???

    Why can't Microsoft have signed this with a cert from its own CA, like it did with the patch for the root store that fixed the compromised Verisign cert?

    Really careful users should make sure to install the Verisign patch before installing the IE patch.

    It's also funny that they tell you to run the IE patch by clicking it and choosing "run from current location", which can run code without checking signatures at all (though for this particular download, it lets you check the sig). That's probably how a lot of viruses and malicious code get spread in the first place.

  204. The patch may have screwed up my browser! by phr1 · · Score: 1

    I'm running IE 5.5 under w2000. I installed the patch and I can no longer download PDF files from my SSL-secured server. I can still download them through the non-SSL port. Can someone else try this?

  205. that breaks important browser features by phr1 · · Score: 2
    and doesn't stop some obnoxious attacks. It's good to be able to browse pages and decide to save them to a file, and that means the browser has to be able to write to the file system. It's also good to be able to upload files, and to get to a certificate store (for SSL). Trusted mobile code (signed applets and plugins) are also a worthwhile thing, if people weren't so sloppy about deciding when to trust them. For example, it's good to be able to look at pdf files by having the browser run Acrobat. Even browser cookies are a good thing, though browsers should by default not accept profiling cookies.

    On the other hand, running the browser in a jail does nothing to stop MITM attacks against web sites (do you really look at the SSL certificate every time you fill in a form?),

  206. The one time... by djocyko · · Score: 1
    I woulda checked out a linked page that fully demonstrates this problem, and there's no link? I mean, how am I supposed to believe this "hacker is gonna get you" jibber-jabber when all I get is a paragraph from an editor?

    I'll believe it when I see it... I am joking...

  207. Windows Update? by pjdepasq · · Score: 1

    What I find pathetic is that it's not listed (as of this reply) in the Windows Update "feature".... shouldn't it be in there? That's supposed to be the one stop location for my bug fixes and patches.... Grrrr.

  208. define unusual by wadetemp · · Score: 1

    text/html? 345% more seriously, does anyone have any idea what these "unusual" mime-types are? I have to see this for myself to believe it.

  209. Re:I hope this is enough of a definition for you. by wadetemp · · Score: 1

    Thanks, but that's not the vulnerability the slashdot article was talking about. I meant the mime types one... what are the "unusual" mime types that cause IE so much grief?

  210. Another good reason to use non-MS products... by OCatenac · · Score: 1

    I know I'm probably preaching to the converted considering that I'm posting these remarks on /. but so be it.

    These security holes are just more proof that we, as informed users, need to not only use non-MS solutions (use Eudora for email; use Opera for browsing; etc. etc.) but we also need to let others know that there are alternatives to the security-hole-ridden stuff that Microsoft puts out. I can't tell you how many people I've talked with, technical people mind you, who don't know that there's any browser besides IE.

    --
    Onorio Catenacci


    --
    "And that's the world in a nutshell -- an appropriate receptacle."
    -- Stan Dunn

  211. Re:This explains it - the source by ackthpt · · Score: 1
    NSA not using M$ because Herr Gates refuses to turn over the source to Win*. Though, it would seem otherwise, with all these holes popping up all the time. With such a preponderance of evidence, they must be guilty of something, eh?

    --

    A feeling of having made the same mistake before: Deja Foobar
  212. Pet Peeve by ackthpt · · Score: 1
    Years ago I worked in a PDP-11 shop and we had a nice agreement with DEC where they alerted us to security holes and sent out patch tapes, usually within the week.

    The current paradigm is, you must go out and see if there are security holes and procure the patches yourself. This is progress. Can't just blame M$, even IBM does this (I learned of the rlogin -froot bug by catching the culprit in the act, not by a bulletin from IBM, whee.)

    Want to see which of the Linux are most popular?

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Pet Peeve by ackthpt · · Score: 1
      Right, but imagine everyone with a M$ product signing up and getting only the security bulletins which pertain to them. Consider the number of users who never even installed Win*, but bought a system pre-installed. If M$ ran a public service ad every time there was a major security hole they'd be done. Yet, they keep cranking out new writes of the same old horse with new bugs every couple of years to make $$$$$$$$$$$..

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Pet Peeve by jotaeleemeese · · Score: 1

      I like NT. I wouldn't let it in my server room, but it makes a damn good workstation OS
      Agree and disagree ;-) , but as they say mileage can vary.

      I have to shut down my NT workstation (forced to use it because it is the company's standard....) once every week because it becomes unusable or it freezes. Our NT guys are the best you can find, they keep machines up to date, latest patches, bla,bla,bla. Still I think I will program the machine to reboot automatically once a week like the old UNICES 15 years ago.

      And my UNIX boxes are never farther away than a telnet session.

      Are you using NT native telnet! Brave soul.

      --
      IANAL but write like a drunk one.
    3. Re:Pet Peeve by Ayende+Rahien · · Score: 1

      My Whistler 2296 uptime:
      3 Weeks, 5 Days, 20 Hours, 23 Minutes, 53 Seconds.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    4. Re:Pet Peeve by osorronophris · · Score: 2

      Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.

      So Windows runs on ppc, alpha, sparc, m68k, and vax? Cause I have two OpenBSD CDs that cover just that, and I've *never* heard of MS dealing with any of that hardware...

    5. Re:Pet Peeve by DarenN · · Score: 1

      Oh, such rubbish. M$'s first OS was bought for $10,000 from a small company down the street from their first offices, and resold to IBM for $250,000 when Mr William Gates realised that his company couldn't make the ship date for a desktop OS that he had promised IBM. (I'm not TOO sure about the numbers. Consider them approximate.) Hence M$DOS.

      He then created a GUI (Windows) for the IBM architecture which "borrowed" heavily from Apple's GUI. Then, in a logical next step, they incorporated their DOS with their GUI. This same windows has been re-released again, and again. WinME is Win 95 5th ed (or is it 6th. I get confused), and not just in looks!

      Windows was going to be a winner from the start, because it arrived to a "virgin market" and had already been proven successful by Apple.

      M$ in the main have taken ideas from others and refined them using their greater available monies. Great business sense, but it hardly makes Gates a geek!

      --
      Rational thought is the only true freedom
    6. Re:Pet Peeve by Computer! · · Score: 1

      Windows has existed in its present forms for about five years.

      I presume you are judging the OS by the GUI. Windows NT version 3.1 was released on July 17, 1993. The GUI was different, but the architecture was there, care of David Cutler.

      Maybe he was judging by NT 3.5, or maybe he was just wrong by 4 years. Either way, 8 or 9 years isn't long for an OS to be on the market before it gains such widespread use.

      OO Architecture? Um, I think you'll find Gnome and KDE are riddled with OO

      Obviously, you've never written with COM. Even die-hard Linux fans have to admit: Windows has better object support than any other platform, thanks to COM. And that's all the way to the core system, not just the GUI. Windows gets programmed, Linux just gets scripted or configured. Check out msdn.microsoft.com for details, if you can stand to stop lashing out for 0.5 sec.

      Greater variety of hardware? NT had x86, Alpha, MIPS, even PowerPC, but they're all unsupported now. The free OS's easily wipe microsoft's peachy behind with their portability and the number of actual ports. All of those above plus loads more.

      Maybe, all together, but there aren't many free OS distros that run on POS terminals, handhelds, cell phones, desktops, servers, and minicomputers. Just the kernel doesn't count.

      There wasn't a real desktop market before this. They didn't take that from anyone.

      So, you're saying that either Apple and IBM never released a microcomputer OS, which means that Microsoft _invented_ the desktop and everyone else (Linus T. included) is merely emulating MS, or that there weren't enough users to make the desktop market "real". If it's the latter, doesn't that mean Linux isn't a "real" OS yet either? You might want to rethink that.

      No, they just keep re-releasing the same code with new bells and whistles. The bulk of the code has been made by other companies, later bought up by MS.

      Who told you that bedtime story? Microsoft's programmers don't work 14-hour days for nothing. Those guys are the best coders I've ever met, hands down. Some of them have PhDs in CS! Can you say that? In fact, none of them are even posting to this thread. Probably because they're too busy producing production code that people actually buy.

      There are some products Microsoft bought:
      • SQL Server (from Sybase)
      • FoxPro (from Fox Software, I think)
      • Visio
      Not enough to say they never wrote ANYTHING.

      My point: whenever you put your head down and charge at anything, you're blinding yourself a little. Less zeal, more research.

      --
      If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
    7. Re:Pet Peeve by Computer! · · Score: 1
      References? I could post MS email addresses, but I don't think those guys would be too happy w/me for /.ing their work accounts. I know at least 10 MCS (Microsoft Consulting Services) developers in the NYC/NJ metro area. I've met (briefly) members of the COM+ and ADO product teams. I've worked side-by-side with Microsoft developers for over a year at a stretch. My boss at my last job was a former MS developer. They're great guys, every one of 'em. That's the biggest argument against bashing MS code. Their developers are genuinely nice people who work hard to solve problems. Ex:
      • Visual Basic
      • IIS
      • The Windows JVM
      • Visual C++
      • MSXML


      And the list goes on...


      --
      If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
  213. Target Microsoft by ackthpt · · Score: 2
    Granted M$ is the largest distributor and integrator of their own software and thus O/S (I'll call it an environment, which it really is) I'm perplexed at all this innovation which enables so many destructive viruses and this sort of security breach. Such liabilities, has anyone thought of a class action suit against M$ for perpetrating^H^H^H^H^H^H^H^H^Hinnovating such disasters? EULA considered, shouldn't they be held responsible for this kind of crap? It seems everyone else gets sued over lesser crimes of negligence. The cost of doing business with M$ when this sort of thing happens must be in the millions -- lost productivity, financial loss, etc.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Target Microsoft by Ryokos_boytoy · · Score: 1

      Damn, let me in on that class action. But you can't sue General Motors for making their cars easy to steal. The defects are being brought out by 3rd party software.

      --


      If you don't say anything, you won't be called on to repeat it. -- Calvin Coolidge
  214. Re:Great Googly-Moogly by n7lyg · · Score: 1

    The correct quote is "Great googly moogly". Watch out where the huskies go And don't you eat that yellow snow!

  215. Re:previous versions by Johnny+Starrock · · Score: 1

    yeah, well i am 31337!!! i'm using IE 6!!!

    no, wait...

    --

    end communication
  216. please issue an award! by eclectro · · Score: 1

    This one belongs in the hall of fame!!

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  217. Re:The MS bulliten really annoyed me by TheBaboonCometh · · Score: 1

    yeah baby, l33t uk h4x0r5 always say 0n3

    --
    comeontheni'lltakeyouallon
  218. Re:The MS bulliten really annoyed me by TheBaboonCometh · · Score: 1

    cos ther're all cunts innit

    --
    comeontheni'lltakeyouallon
  219. A funny thing happened... by Kasreyn · · Score: 2

    I went to the MS webpage using my IE 5.01, since I need to get the patch... and suddenly a message popped up saying "BillG 0wNz Yu0!" and Windows Update started up. As I post this, it's upgrading my system into I know not what...

    -Kasreyn

    --
    Kasreyn: Cheerfully playing the part of Devil's Advocate to hairtrigger /. flamers since 1999.
  220. How to kill HTML and Javascript? by Kasreyn · · Score: 2

    Well, I've already taken care of Javascript. But defeating HTML? I'm using an http proxy called The Proxomitron, and it's a very useful tool... an http filtering proxy. I've noticed when Outlook is reading emails, this http proxy registers open connections. Does this mean it's filtering html emails?

    Just curious to see if I'm already "safe" from this (ie., as safe as you can be running Windows), or whether I need work. IE 5.0, too - probably vulnerable to this, though MS just couldn't be *bothered* to mention on their page.

    -Kasreyn

    --
    Kasreyn: Cheerfully playing the part of Devil's Advocate to hairtrigger /. flamers since 1999.
  221. Re:previous versions by NineNine · · Score: 1

    That's why they provide the upgrade to Service Pack 2 for FREE. Unfortunately, they can't go back to change earlier releases to implement this fix. That kind of violates the idea of having software versioning, now doesn't it? I guess the other alternative is for them to AUTOMAGICALLY update everyone's copy of IE. Would you prefer that? I think that them telling everybody that there IS a problem, and offering a fix for it is about the best that they can do under this circumstance.

  222. MSIE Wing 5.5 by necrognome · · Score: 2

    All your hard disk are belong to us.

    --


    Let's get drunk and delete production data!
  223. Corporate MS networks are 'TIED' to IE by BroadbandBradley · · Score: 1

    Server side authentication is used on many corporate networks which requires that users use MS IE or they won't be allowed to view content on the company's intranet. (IIS Server anyone?)
    It's MORONIC of people to provide a web based information resource, tied into being viewed by one brand of browser only. BUT, because of the special MSF Microsoft Framework that's sold to many corporations, FEATURES exclude the use of Netscape, because it doesn't support the same type of security verification needed by the MS server used to turn Word Docs into Web Sites.
    A few months back I saw an ad in a computer magazine touting the way to make your business run smooth using Microsoft's Digital Nervous System.....
    well it must be working because it makes me nervous.
    what are these 'unusual MIME types' anyhow?
    All I need to do is edit the MIME type of a malicious file and I have an exploit?


  224. No Patch todaaaaay my Patch has .. by SirFlakey · · Score: 2

    Oh you know the rest .. seriously though there appears to be no "critical update" on the Small'n'Squishy site. Have they done away with their fix?
    --
    Jon - TheSpork
  225. Re:Well okay, fair complait re : security of syste by einhverfr · · Score: 1
    Still, even as insecure as NT/2000 is, it is still easier to call up an average user and say, "Hi, this is Joe Smith, from IT. We are tracking down a security breach and need to make sure your account is not infected. I just have a couple questions. Have you noticed anything unusual? And what was your username? OK. One more thing. We need to check your password. OK. Thanks. That is all."

    Most /.ers are too smart for such a thing and their computer is the weak link but not so for the corporate user. I work in a high-tech company and you would be amazed at how many of our management would probably fall for something like that.

    I do agree that user education should come first, including a brief introduction to social engineering threats. Otherwise a network will never be secure. Without education, OS is irrelevant because it is not at all the weak link...

    That being said, Linux firewalls are some that I have always been very happy with.

    --

    LedgerSMB: Open source Accounting/ERP
  226. That is the wrong sploit, fool.. but this isnt by snowshovelboy · · Score: 1

    http://www.kriptopolis.com/cua/eml.html You would think you people could surf in foreign languages.. but I guess not.

  227. So. by schnitzi · · Score: 1

    Fifty quatloos to the first person to set up a web site that people can go to that will use this "feature" to automatically run the patch install on their machines.

    --



    I object to that article, and to the next reply.
  228. Re:Male or Female? by GooRoo · · Score: 1
    Taken from the Dartmouth Introductory Writing Class Web Page:
    Watch your gendered pronouns. When you write, you'll want to make sure that you don't do anything to make your readers feel excluded. If you use "he" and "him" all the time, you are excluding half of your potential readership. We'll acknowledge that the he/she solution is a bit cumbersome in writing. However, you might solve the problem as we have done in this document: by alternating "he" and "she" throughout. Other writers advocate always using "she" instead of "he" as a way of acknowledging a long-standing exclusion of women from texts. Whatever decision you make in the end, be sensitive to its effect on your readers.
    Lots of writers use this now. It's not really new anymore.
  229. Exploit Demos by Control6 · · Score: 1

    Here's a link to some demos of the exploit. (Just check out the source to see how they work)

    http://www.kriptopolis.com/cua/eml.html

    I couldn't actually get any of them to run on my machine, but they are by the guy who was given credit for finding the hole.

    This exploit seems quite similar to the IE5.0 one a few years back. When viewing multipart HTML docs (.mhtml) IE would use the windows temp directory (not the temp internet files dir) to store any parts of the doc that were uuencoded. It was then trivial to access the files in this dir. So you could uuencode your nastyprog.exe and attach it to the end of a HTML doc, then use some activeX scripting or sunnit to run it.

    That stuff was all patched a while back, but this new stuff seems to be able to run the code/script without it having to be stored on the disk.
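
Comments 223 and 229 above both turn on a message part whose declared MIME type does not match what it really carries. The following mail-gateway check is an added example, not code from the thread, from Kriptopolis or from Microsoft's bulletin; the type and extension lists, the function names and the sample message are constructed assumptions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption: main types a mail client renders or plays without prompting.
PASSIVE_MAIN_TYPES = {"text", "image", "audio", "video"}
# Assumption: extensions Windows treats as directly runnable.
RUNNABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                       ".vbs", ".js", ".hta"}
# Leading bytes that identify runnable content whatever the headers claim.
RUNNABLE_MAGIC = {b"MZ": "DOS/PE executable"}


def sniff_runnable(payload: bytes):
    """Return a label if the decoded payload starts with runnable magic."""
    for magic, label in RUNNABLE_MAGIC.items():
        if payload.startswith(magic):
            return label
    return None


def effective_extension(filename: str) -> str:
    """Extension as Windows resolves it: trailing dots and spaces are ignored,
    and only the last suffix of a double extension counts."""
    cleaned = filename.rstrip(". ").lower()
    return os.path.splitext(cleaned)[1]


def audit_message(raw: bytes) -> list:
    """Flag leaf parts that claim a passive type but carry runnable content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        if declared.split("/")[0] not in PASSIVE_MAIN_TYPES:
            continue  # labelled as non-passive; ordinary attachment policy applies
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        ext = effective_extension(filename)
        if ext in RUNNABLE_EXTENSIONS:
            reasons.append(f"runnable extension {ext}")
        label = sniff_runnable(payload)
        if label:
            reasons.append(f"payload is a {label}")
        if reasons:
            findings.append({"declared": declared,
                             "filename": filename,
                             "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test message: one mislabelled part, one honest part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    # Declared as audio, but the bytes start with an executable header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="greeting.exe")
    # Declared as audio and really is a (truncated) RIFF/WAVE header.
    msg.add_attachment(b"RIFF\x24\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="chime.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_message(build_sample()):
        print(finding["declared"], finding["filename"], finding["reasons"])
```

A gateway would quarantine or strip any part this returns, since a client that trusts the header over the content is the failure mode the comments describe.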

  230. I fucked up... here is my retraction... by loucura! · · Score: 1

    The previous post was in error... I was reading this, and posted it as an answer to a different question. Sorry about that...

    --
    Black and grey are both shades of white.
  231. I hope this is enough of a definition for you. by loucura! · · Score: 3

    Below is the link to the explanation of said hack, that includes 'source' et al.

    http://lists.nat.bg/~joro/webctrl2.html

    and the URL from ZDNet that linked to it.

    http://www.zdnet.co.uk/news/2000/35/ns-17763.html

    Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html

    Workaround: Disable Active Scripting

    --
    Black and grey are both shades of white.
    1. Re:I hope this is enough of a definition for you. by AnonymousCohort · · Score: 2
      Are they sure that patch works?

      Screen shot of hack demo after patching

      WTF ?

  232. Good Times by dbowden · · Score: 1

    So - is it just me, or did Microsoft, in its infinite wisdom, just make it possible for the "Good Times" virus to work as advertised -- in all of its myriad variations!

    --
    Help find a cure for Gidget.
  233. but this is a microsoft bashing forum by blonde+rser · · Score: 1

    I opened up this story not because it affects me but because I wanted to read some good microsoft bashing by those who do it best. But recently I'm finding more and more articles that are defending microsoft that I have to filter out. Of course there is more than one point of view on microsoft but 1 or 2 pro microsoft comments per article is enough... not 5 or 6.

  234. I'm PISSED! by erroneus · · Score: 1

    I went to the Windows Update page and though I am running MSIE5.01 SP1, it doesn't present me with the option to DL the SP2. I don't want MSIE5.5.

  235. Moderator!!Re:JIJ BENT EEN VIEZE KINDERVERKRACHTER by TaboE · · Score: 1

    this is racist, sexist etc. language: dutch Does not compute with subject

  236. Went to Windows Update... by Scoria · · Score: 1

    I guess they aren't supporting the 6.0 beta. I see no patches for it. It'd be nice if they told us if it was affected or not...

    Thanks for leaving your beta-ers out in the cold, MS.

    --
    Do you like German cars?
    1. Re:Went to Windows Update... by Scoria · · Score: 1

      Actually, I own my copy of Windows 2000 Pro. Purchased it retail and downloaded the IE6 beta, with authorization, from MS's site.

      Have a great day. :)

      --
      Do you like German cars?
  237. Almost waiting for... by Scoria · · Score: 1

    ... a real Good Times Outlook Express-based virus. And it would spread fairly fast now that everyone thinks it's a hoax... :/

    --
    Do you like German cars?
  238. MS should be indicted under RICO by Voltaire99 · · Score: 1

    There's a sufficient pattern of corrupt practices - and the purveying of endless patches and lucrative OS "upgrades" should be construed as an ongoing protection racket.

    Let's close down the Redmond mob.

  239. How Microsoft can fix these problems. by Bistronaut · · Score: 1

    Whenever IE or Outlook or other Microsoft programs have this type of full security breach, they should exploit the problem to apply a patch :-).

  240. Damn you Microsoft! by deran9ed · · Score: 3
    csh-2.04# explorer
    csh: explorer: command not found

    oops... I'm not on Windows...

    April Fools is coming!@!

    Macroshaft Security Bulletin (MS01-069)

    Patch Available to Improve Packet Pigeon Performance

    Originally Posted: October 22, 1999

    Summary
    MacroShaft has released a patch to ensure delivery of packets via Packet Pigeon birds. This is long overdue and is a must secure vulnerability on all MacroTrash products.

    Frequently asked questions regarding this vulnerability will always be laughed at MacroShaft and AntiOffline

    Issue

    The Packet Pigeons used in large cities were sometimes affected by those in the geriatric stages of their lives, as these 60+ year olds fed Packet Pigeons en route to their destinations causing a denial of service.

    Affected Software Versions
    • MacroShaft Windoze NV 4.0 Crashstation
    • MacroShaft Windoze NV 4.0 Server
    • MacroShaft Windoze NV 4.0 Server, Enterprise Crash Edition
    • MacroShaft Windoze NV 4.0 Server, Terminally Ill Edition

    Patch Availability
    • x86:
      http://download.some.0-day.warez.com/at/some/other/site
    • Alpha:
      http://download.some.0-day.exe.files.com/else/where


    (NOTE: MacroShaft really cares about it luzers.)

    More Information
    Please see the following references for more information related to this issue.

    • MacroShaft Security Bulletin: Frequently Asked Questions,

    http://www.MacroShaft.org/cgi-bin/display?=%2edev%2enull

    • MacroShaft article MS.Kills, How Microshit products may be actually killing its users, (Note: Read our new book "Hax0ring sluts for fun and profit.")
    • HURT Advisory NY-69.4u, Topic: Campbells soup set to release new product,
      http://www.antioffline.com/scriptkiddiesoup.html

    Microsoft Insecurity Advisor web site, http://www.wiretrip.net

    Obtaining Support on this Issue
    This is a fully supported patch. Information on contacting MacroShaft Technical Support is available at http://support.macroshaft.and.all.of-its-h0es.com

    Acknowledgments
    MacroShaft acknowledges deran9ed/sil of AntiOffline for bringing this issue to our attention and we will up his p0rn quota to 2 gigs.

    Revisions
    • October 22, 1999: Bulletin Created.


    THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, OR EVEN EXORTED INTO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS WHORES BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES TO YOUR PORN DIRECTORIES NOR PACKET PIGEONS, AND POKEMON, EVEN IF MACROSHAFT CORPORATION OR ITS H0ES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. PEOPLE OF GERIATRIC AGE SHOULD HAVE THEIR LICENSES REVOKE AND THROWN INTO LABS TO SERVE AS LAB MICE. AND IF YOU ACTUALLY READ ALL OF THIS THEN YOU MUST BE AS BORED AS WE WERE. ANTIOFFLINE RESERVES THE EXCLUSIVE RIGHT TO POKE FUN AT YOU, WITHOUT INDEMNIFICATION, OR GRIEVANCE TO YOUR PATHETIC COMPLAINTS. SOMEONE SHOW ME WHERE THE CAPS LOCK KEY IS!@!

    (c) 2001 AntiOffline Corporation. All rights stolen. Terms of Use.

    You have received this e-mail bulletin as a result of your moronic use of our Products. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to WE-PAY-NO-ATTENTION-TO-YOUR-MAIL@MACROSHAFT.ORG The subject line and message body are not used in processing the request, and can be anything you like.

    For more information on the MacroShaft Security Notification Service please visit http://www.packetstorm.securify.com For security-related information. For MacroShaft products, please visit the MacroShaft web site at http://www.macroshaft.org/ more advisories like this can be found here

  241. previous versions by Anonymous+Admin · · Score: 5

    "Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." You are on your own.

  242. Re:The MS bulliten really annoyed me by Scorchmon · · Score: 1

    How about "it"? That would be grammatically correct, and some would argue gives the hacker the proper respect "it" deserves.

  243. Deja vu... by asciimonster · · Score: 1

    I'm having a deja-vu. Wasn't there a security flaw last week and the week before?

    Microsoft is just one big security flaw. Or one big flaw for that matter...

  244. damn eh by seann · · Score: 1

    well that means I have 20 computers to upgrade tomorrow, thank aplath thats only 20..

    --
    I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
  245. Browser/OS integration will always be risky by WIAKywbfatw · · Score: 2

    When will Microsoft finally realise that integrating their browser into their OSes is not a good idea until it can guarantee security (ie, never)?

    The biggest threat to 99.99% of PCs isn't fire, theft or a badly written application but malicious code. And the number one method of delivery of malicious code is now the Internet. Email worms like ILOVEYOU and Melissa attack via your email and vulnerabilities like this one attack via your browser. Giving applications like Outlook Express and Internet Explorer access to other elements of the operating system is like posting the combination to your safe on your open front door.

    Microsoft's browser/OS integration strategy was designed to protect it from accusations that it killed off Netscape unfairly - "gee, IE isn't an application, it's a core part of the OS" - but this has always been a poor defence for the company's actions. I mean, can you name any part of any OS that is available on a rival platform like IE is for the MacOS?

    Given that Microsoft has all but lost its legal battles with the US government et al isn't it time it abandoned this browser/OS integration policy that only serves to make Windows more vulnerable to attack? Wouldn't such a move be in the best interests of its customers? Or would such a move be a bitter blow for "innovation"?

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  246. Re:This explains it - the source by Ayende+Rahien · · Score: 1

    I don't think so.
    MS always gave the code to OEM, and recently to anyone who buys 1500 2K licenses.
    I don't think that giving the code for the NSA to review would be such a big problem.
    Unless you suggest that the NSA wanted to use 9x, in which case, I can understand their big electrical bill, they have to keep three computers for each person, because two of them are always rebooting.

    --
    Two witches watched two watches.
    Which witch watched which watch?
  247. Re:How many IE users will download this patch then by Ayende+Rahien · · Score: 1

    Netscape will execute arbitrary code if you are viewing a picture!

    http://www.linuxsecurity.com/advisories/mandrake_advisory-590.html

    And more people are running IE5 than IE4.

    --
    Two witches watched two watches.
    Which witch watched which watch?
  248. Re:Why do people insist on doing this? by Ayende+Rahien · · Score: 1

    What? You want to tell me that you don't know?
    Didn't you know that MS make such fine products that whenever there is a (rarely) discovered bug, we must all raid Redmond and find out who did this?
    After all, who will keep MS' high quality but us?
    Imagine, for a second, a world where buggy OS are the norm, they are found on any desktop, and computer crashes are not something to stop you dead.
    Do you think you could bear living in such a world?

    --
    Two witches watched two watches.
    Which witch watched which watch?
  249. Re:uptime by Ayende+Rahien · · Score: 1

    Not really.
    For an early beta, however, this is a good uptime.

    --
    Two witches watched two watches.
    Which witch watched which watch?
  250. Re:How many IE users will download this patch then by Ayende+Rahien · · Score: 1

    It's somehow MS obligation to inform every user?
    Okay, how do you suggest they would do this?
    Oh, I know, how about posting a warning in their website.

    You don't propose that MS should phone or email every windows user, right?
    If so, the first thing you should do is to give MS your phone or email address.

    They did what they should do, what more do you expect from them?

    BTW, ordinary corporate user shouldn't, the IT staff would.

    --
    Two witches watched two watches.
    Which witch watched which watch?
  251. What is 'Active Scripting' in Russian? by lilmouse · · Score: 1

    But I think my MSIE4.0 in Russian doesn't run javascript anyway - the implementation is so bad, I shouldn't have to worry about this, right?

  252. Read the liscence by lilmouse · · Score: 1
    Microsoft's implementation of Java is such (wrote suck - sorry for the slip) that they felt the need to put the following (paraphrased) warning in one of the Microsoft products I own (all of which are probably too old to support this bug, uh..feature, uh...bug)

    We are required to put this disclaimer here by Sun Microsystems: This product should not be used for any mission critical systems, including but not limited to [let's see what I remember] military equipment, hospital systems, ...airline? systems, ...

    Anyway, you get the idea. There SHOULD be a law, but until there is, no one should be using Microsoft for anything other than playing Counter-Strike, which thank God(tm) runs under NT.

    I would think businesses would save more money by using Unix or Linux and simply training people to use WordStar...

    Cheers!
    Little White Mouse

    -- Ctrl-e in Netscape for Windows does not move the cursor to the end of the line
    -- Fun facts for Windows

  253. HTML problem by lilmouse · · Score: 1

    The problem is in the way Microsoft renders HTML code, so if you have HTML-enabled e-mail (i.e., outlook express) you are exposed to the problem.

    1. Re:HTML problem by lilmouse · · Score: 1

      If they'd only do it right the first time around...
      it might even improve performance!

  254. re: kriptopolis.com by xnuandax · · Score: 1

    I loove the word "Hacktivismo" on their menu panel. Not exactly sure what it means, but it sure is fun to say ;-)

  255. Re:The MS bulliten really annoyed me by SamuraiX · · Score: 1

    Maybe the bulletin was written by a woman. The advice my English teacher always used to give us whenever we needed to refer to some person in the singular was to use our own gender.

    --
    I'm doing my incompetent best.
  256. How often are these holes exploited? by Faust7 · · Score: 1

    Out of curiosity... It seems to me that most of the news I hear has to do with the discovery and nature of these holes, not present-time exploitation of them. If so, is it because of the quick release of patches, or are these flaws (however serious) largely ignored by the unscrupulous, or is coverage of actual attacks slim, or is it something else? And actually, this seems to apply for most computer security issues I hear about, viruses excepted (again, just an impression). (Yeah, this was sent with IE 5.5; tell it to the University of Iowa physics department IT staff.)

  257. Re:The MS bulliten really annoyed me by DrSeudo · · Score: 1

    Yeah, but "they," "them" and "their" when referring to a single hax0r is grammatically |nc0rr3c7.

    --
    A second decade of excellence
  258. Duh by pjt48108 · · Score: 1

    It's a wonder *anyone* continues to use MSIE X.Anything. As a by-my-bootstraps network administrator, I have been very fortunate in avoiding MSIE (and Outlook, for that matter). Not the most enlightening post, but I gotta wonder.

    --
    Mmmmmm... Bold, yet refreshing!
  259. Isn't it obvious? by ez76 · · Score: 1

    The real problem with MSIE isn't a lack of open source, the browser/OS integration, or a weak security model ... ... it's that malicious executable code doesn't have its own MIME type! application/x-trojan baby!

  260. If they told you what the MIME types were... by mystery_boy_x · · Score: 1

    ... it would make it that much easier for almost ANYONE to exploit this flaw on unsecured computers.

    As it is, all you have to do is experiment with different types until you find one that works, and voila!

    mod to -1;Tragic

    --
    I am not a lawyer but my sister is, so don't mess with me
  261. Nobody gets out of here alive.... by the_weasel · · Score: 1
    http://www.sans.org/y2k/lion.htm

    Seems there was a lion stalking the net just last week :->

    --
    - sarcasm is just one more service we offer -
  262. Re:Some day even you will grow up by Henry+the+Orange · · Score: 1
    Not at all. NT has been available since 1993, and Windows 3.x/9x deliberately sacrifice robustness for compatibility and flexibility (since that's what the vast majority of home users want). That's why NT/2000 has long been the recommended desktop for business users (where stability is presumably more important than the ability to use old games, etc.), while 9x was designed primarily for home users (where users would rather have the system crash from time to time than lose their old software, certain features of their hardware, etc.).

    It actually surprises me that Linux advocates are often so narrow-minded that they can't even conceive of the possibility that some people (most home users, in fact) have very different priorities when it comes to choosing an OS. It's like the driver of a lorry deriding all those 'stupid car drivers' because their cars can't each carry a year's supply of tomatoes.

  263. Why do people insist on doing this? by Telek · · Score: 2

    I don't see what the big deal is. Ever notice that when linux has a hole exposed, or netscape has a problem, everyone says "yeah, well it's software, what do you expect?" but when Microsoft has a security hole found everyone is so quick to bash them? Yeah so what, so there's a security hole found... IE6.0 already has this problem fixed, and it's not that big a deal. I don't even use IE/outlook for my email anyways, so I don't care. I never have to worry about any problems, and anything I do use always has any sort of auto-execute options disabled. Simple precaution = no problems. I know that people seem to think that there is a daily quota for MS bashing, but I'm really getting tired of seeing this all the time. Maybe I should start to bash Linux whenever a problem is found there? Don't get me wrong, I use linux as well and have a great deal of respect for it and how far it's come since it began, but can we please stop the immature MS bashing at every opportunity that we get?

    --

    If God gave us curiosity
  264. workmates must wonder by slaida1 · · Score: 1
    "why is Fanatic looking that hobble picture everyday?"
    "yeah, you know I asked him about it last monday and he mumbled something about goat sex. I can't see any goats in that pic.."
    "goats?! why can't he just use sheep like everybody else? some kinda pervert?"
    "well anyway there wasn't any goats in that pic, that's for sure. let's tell admin to block any sites with the word 'goat'."

    I dare you to use that pic as desktop wallpaper on your computer.

    --
    Preserve old classics: copy your collection onto all hard drives.
  265. DISCLAIMER by thorman · · Score: 1

    lawyers and non-warranty.

  266. Re:The double standard by madskills · · Score: 1

    I sort of see your point, but I don't really agree. It doesn't matter that it is really part of the OS, you don't have to use it. Nothing is stopping you from using Netscape to browse the web. All Linux systems I've set up have sendmail installed, and sendmail is known for security issues. It doesn't matter that it's not part of the OS, it's still part of the distribution, which is very much like the same thing. You could with enough tweaking replace sendmail with qmail on your average Red Hat install and that would very much be the analog to using Netscape in place of IE.

  267. Re:The double standard by madskills · · Score: 1

    But you also don't have to use MS email clients.

    If you install Netscape, you can use Netscape mail. Eudora might be inflicted with the problem though since I believe that it hosts IE.

    As far as the MS help system goes, it doesn't really matter if IE is used there. The help system isn't public and therefore it couldn't be used to expose a security flaw on the system.