Serious Security Flaw in MSIE 5.01, 5.5
Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2. Read the security bulletin and download the patches. Discovery props to Kriptopolis.
This is exactly how the white hat in question (Juan Carlos Cuartango) operates. MS had plenty of warning.
.01 version bumps with missing release notes. I don't think there's been any major Mozilla holes discovered, but it's not 1.0 yet, so the white hats are probably sitting on their hands for now.
Cuartango, BTW, is probably the number one white hat working on IE and HTML Mail issues, and he's gone public a number of times when MS was unresponsive. Quite a few of his warnings have turned into real exploits.
Microsoft, of course, is just fixing the potholes. They really need to go back and re-evaluate their implementation of Rich Text (HTML) e-mail from the ground up.
And for anyone crowing about Netscape/Mozilla -- Don't forget that Netscape 4 has had numerous mail exploits, just that Netscape doesn't release "Security Bulletins", they release
Just think of the following scheme: (If I understood correctly, it should be possible to create the following worm)
1) Send this worm to everyone in the address book using the randomly taken subject from your previous emails.
2) Install timebomb into computer, which deletes all the files after few days
3) Send all your previously written emails to random recipients taken from the address book.
Worm would spread like a wildfire as the message does not look suspicious (it comes from a known sender and the subject is reasonable as it has been used before by the sender). As no questions are asked from the user - all the outlook users reading the message would be affected.
Worm would be totally destructive, as all the files would be deleted.
Probably most damage would be done by sending the previous communication to random recipient. Just look into your sent messages folder and imagine what would happen if you would send the messages to random recipients taken from your address book.
Do you still have the guts to use Windows/IE/Outlook ?
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Well, I don't like the reality behind that, simply because of what has happened to the comments as a result.
Believe it or not, at one time, that wasn't the case.
But it's funny, in a pitiful sort of way, anyhow.
There was a revenue stream, and netscape did have to adjust to that. I always thought that it was pretty clear that they didn't care about the $30 from end users--they were making their main money off server software, which needed the browsers out there. However, they *did* get paid by OEM's who included netscape.
I don't know what the deal is with my particular system;
Win2k Pro, SP1, Dell PE1300 P III 600MHz 256meg RAM -
But ever since I loaded IE 5.5, it's actually SLOWER to launch than Netscape 4.73. I don't mind the crashes all that much anymore.
(this problem also affects Word; so much for wonderful "shared libraries")
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Sniff...
:(
You don't like me.
I feel really hurt.
Boo Hoo.
Boo hoo.
:(
:)]
You don't like me either.
[Obviously you're someone who can't appreciate sarcasm
I find it odd that people are bashing MS because so many programs are using IE to render HTML.
Think about it. There is a standard way for any program to render HTML in a window. Instead of everyone reinventing the wheel, all a programmer has to do is create a COM object and display it in a window.
Of course, the average Slashdotter is using this as evidence that Microsoft is the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.
Modularity is good. Standard ways of doing things is good. Code reuse is good.
Now, the fact that there is absolutely no way to replace IE with your web browser of choice is evil (despite the fact that email clients, HTML editors, conferencing software and whatever else can be easily replaced) and the fact that Microsoft is terminally unable to write a program that doesn't serve as a speedy means of either crashing the OS or inviting in unwanted network guests is also evil. So they are the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.
On a side note, GNOME is doing the same thing. Any program can use gtkhtml to render HTML in a window. Evolution is using it to display email messages (sound familiar?), Red Carpet uses it for UI, and GNOME Help uses it to render content. IIRC, the plan is to eventually replace gtkhtml with Mozilla (which does a much better job of complying to standards and rendering documents than gtkhtml).
Although it seems kind of contradictory, it's basically the difference between owning a house and renting an apartment. If you own a house, when something breaks, you feel a sense of pride of ownership when you fix it. If you rent an apartment and something breaks, you only can think about how long the stupid manager is taking to fix the problem. That's one of the main reasons that people (me included) like Linux - the pride in ownership.
Engineering and the Ultimate
It's not disabling active stuff, you also have to disable downloads, that's right, downloads. Not executables, not active crap, just downloads.
Engineering and the Ultimate
Well, maybe I am a dumbass, but I didn't know that. I always thought I'd have to find the specific download package, which is not that easy to find from their website.
what are the offending MIME types, so people can block them at the mail server?
Microsoft already has a fix out. I think this bug was reported today. I'm impressed.
So many people here always scream that Open Source is better because you don't have to "wait for the service pack" in order to get fixes. Granted, the bug probably would've been found sooner if the source were open, but the fact that there is a fix out already is admirable.
I think this is going to be another long thread of unwarranted Microsoft bashing. You can bitch about the bugs in IE and its security hazards, but if they get fixed this fast then it really detracts from your argument that Microsoft sucks. There have been security flaws found in Linux with a fix issued and instead of posts saying "Linux sucks, here's yet another security patch I have to add!" they're praising the community for getting a fix out so much faster than Microsoft would have.
--
Because Windows 95/98/ME has no concept of security, all code has full access to the machine. Even with Windows NT/2000, many users run under accounts with Administrator privileges, due to the large amount of broken software that doesn't work properly when run under an account with User privileges.
Mea navis aericumbens anguillis abundat
You could make that case, very easily. Think: if not for Microsoft, it would still today be realistic to charge money for a web browser. Meaning it would be possible for a web browser to exist on its own terms, with SERIOUS resources devoted to their development, rather than the current situation where the major browsers must squeak by with either hand-outs from a massive corporation who are only developing the browser as a political tool, or beg (unsuccessfully) for money and developers from passerby.
I don't know if it necessarily follows from this that MS was acting in an immoral fashion by leveraging its huge pool of resources to drive everyone serious out of the browser market, but you can CERTAINLY make a good case that it is "MS' fault that all the other browsers aren't as good"..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
As far as Wu-ftpd goes.. dude. Seriously. Use Proftpd. It's better anyway.
> If you want to make a constructive criticism, then you should have them rewrite the whole OS.
MS doesn't need to *rewrite* this stuff, not *really*, but initiating a large-scale security-oriented code audit of the entire text of their networking and web browser code is something that they could really stand to do, BEFORE they start thinking about windows xp or whatever. They certainly have the resources. How do you propose to get them the initiative? Cuz it's sure as hell not my problem
Not a bad idea. Here's a better one. Two words: CODE AUDITS.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
YESS, it really kind of *is* an MS thing. Except for one vague memory or so of an incident involving a java hole, you just plain don't *SEE* security holes popping up with Netscape or Opera or Omniweb or really ANY browser except MSIE! *Netscape* got security right, and their software was AWFUL! But that there should be THIS many instances of hardware-access-level vulnerabilities in something meant to display web pages.. just. blah. it blows my mind.
--mcc
it is late and i am spastic and bitter
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;
i can think of at least four times since MSIE 4 that ways for attackers to affect the contents of an MSIE user's hard drive have been discovered, and i haven't even been watching it closely.
Are you really sure that "forgive and forget" is a good idea?? Do you honestly think that this isn't going to happen again? Do you honestly think if people let this issue rest-- and they will-- that microsoft is going to change its ways on its own? It certainly didn't the LAST couple of times this happened.
Keep in mind these are the people that you're supposed to be buying an attempted NETWORK OS (windows xp) from in a year or so, and they can't pull off security in a passive web browser. XP involves the passing around of remote executable code, doesn't it? Don't you think some SERIOUS pressure needs to be brought to bear on microsoft until they take steps to ensure that the security issues in their browsers are dealt with, COMPLETELY?
I am a Mac OS X user, so i am not *too* worried about this, but i do use MSIE from time to time, and so i for one am extremely alarmed with microsoft's nonchalance with security issues. Microsoft seems to have no interest to bring these "technologies" (activex, for example) that seem to be causing the problems to the macintosh platform, and the Macintosh port of IE shares no codebase with the windows version, so i am not directly threatened; however i still feel somewhat insecure with using MSIE.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Mozilla crashes within 15 minutes? Are you running release version 0.8? Switch to 0.8.1 immediately! (Most of the versions between 0.8 and 0.8.1 were pretty bad...I went back to 0.7 for awhile, but 0.8.1 was reasonably good again. 2001032804 hasn't given me any trouble yet (I think the scrambled graphics were a problem at the User Friendly site), but the day is young.
... which ever came first. I haven't clicked on one of their agreements since then, and don't intend to. If someone insists on MS, then they have to make the agreement. That's one thing I won't do for them.
And investigate win98Lite. I stopped choosing to upgrade MS products before the first UCITA law was passed, or perhaps it was before the DMCA was passed
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
Well, he said few rights, not none. Presumably the browser would be able to write to a file in its own (home?) folder. It could save all of its downloaded files into one folder (allowing the user to create sub-folders as appropriate). Then the users could log in as themselves and move the file to the appropriate location.
Thinking this over, the web browser should have a special folder under each user to which it could write. Starting the web browser should be equivalent to logging in as user WebBrowser, with the current directory set to the web browser folder for whoever you happened to be before starting the web browser. The web browser user shouldn't have the right to open any directories belonging to any other user. Quitting the web browser shell should exit you back to who you were before. And every web-capable user should be able to read files and execute folders owned by the web browser user.
This might be a bit inconvenient, but not terribly so. Setting it up would be a pain, but could easily be worth it (OTOH, I'm thinking of installing a distribution with the 2.4 kernel, so I probably won't run out and do this right now).
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
My guess is the reason they don't do that, is that they don't believe IE4 is affected. Admitting that would make them look bad, so they'd rather spread FUD about the safety of their older software, to try to encourage upgrades.
That kind of violates the idea of having software versioning, now doesn't it?
No, it doesn't. It's perfectly normal to continue to release patches for older products, for just about any software company other than Microsoft. In fact, Microsoft itself has done this in the past: they released a service pack for NT 3.51 after NT 4.0 was out. I don't remember the timing on NT4 SP6a - that may have come out after Win2K, too.
What about Huckster?...
That's the name of the holding corporation that MS will use to sell Hackster.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I wonder, given the number of days it will take between now and when they finally get off their tuckuses and add it to the update page, how many people will be affected that otherwise could have been protected.
If it takes more than a week, I could imagine the lawyers would be drooling over the negligence of Microsoft, EULA or no.
Note that few contracts are totally rock solid; it depends on how many lawyers you can afford to hammer on it. Look at what happened to poor Toshiba...
-- "I am disrespectful to dirt. Can you not see that I am serious!"
Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker
I fail to see how that makes sense... What does the fact that IE is part of the OS have to do with email?
If this security flaw existed in, say, mozilla, then any program that used its HTML rendering engine would be just as vulnerable.
ReadThe ReflectionEngine, a cyberpunk style n
Well, i guess they really do withhold updates... Who would have guessed =:-)
---
Play Six Pack Man. I
Yesterday when I was on a tech support call with Microsoft (our Exchange server was glowing red and hovering), they simply told us to start up Internet Explorer and they'd fix the problem from their end. Just like magic, the server floated back into the rack and stopped glowing!
Hats off to M$ for writing such an amazing tech support tool!
-brain
just a quick note. I checked the MS update page after I saw this story. It did NOT list this as a "critical update", at least not for 5.01. Upgrading to SP2 was an option under "Recommended Updates". I don't know if this bug set off their "critical updates" program since I don't use it. It is a tough situation for them, tons of clueless users who will get abused, but it should be their responsibility on some level for damages associated with abuses for their software. Yes, I know their EULA tries to head off that argument, but the whole monopoly thing seems to be a decent counterargument.
--
+&x
Well I guess Microsoft has finally realized that we males are too stupid to be "attackers," since everyone knows that the vast majority of 5r1pt k1dd13s are women. I was going to try to be an 3133t hax0r, but apparently the women have beaten us to that, too. I suppose the only quick and dirty way to rake up some cash now is to audition for Survivor.
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
But when the 2.2.x kernels have a _BIG_ security hole that allows users to exploit it against _ANY_ SUID binary, well that must not be news worthy...
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
That is inaccurate.
What you quoted is not inaccurate. It was established in the FoF that it is virtually impossible to remove IE from Winduhs98, and thus simply removing the vulnerable software is not an option. If KDE had such a flaw, you could rm it entirely, or simply stop running it.
What's perhaps worse, is that a lot of Winduhs users I know would think they could avoid the problem by using a browser like NeoPlanet, not realising it's just an IE wrapper. They'll plunk themselves into the worse situation of thinking they're safe when they aren't.
That is what M$ innovation gave us.
Ever heard of the term "reuse"?
Yes, it's called linking a library and it wasn't invented with OO. And from the way DLLs get sprinkled all over the system I don't think a lot of SW authors accomplish/bother with "reuse" on Winduhs anyway.
"Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine."
Why does integration with the OS automatically give an attacker full access to your machine? Just because IE comes with the system and because it shares DLL's that the system uses doesn't mean that you would be running your email app or your browser as root / administrator or anything like that. What's the ingress here referring to?
I would guess that most slashdot users probably don't run wu-ftpd. Even if they do they probably subscribe to the listserve which lets them know immediately when something is cracked. Unfortunately most lusers who use IE will never even know that this security hole exists and will never upgrade their IE thereby unleashing all kinds of mayhem on the internet which we will have to deal with.
I know of no Linux user who runs server software like bind or proftpd who does not monitor their logs, subscribe to security listserves and is generally paranoid about being hacked. Recently when a vulnerability was announced in proftpd (first one in a long time) I got email both from the proftpd folks and debian. I upgraded via apt within minutes after I got the email (I sshed in from work) and I was safe.
Too bad less than 5% of IE users will ever take that kind of action.
War is necrophilia.
I highly doubt that even the most idiotic luser would accidentally press the "SERVER" button instead of the "WORKSTATION" button. Even so more and more distros are installing safer defaults. In fact I was recently at Best Buy and noticed that SUSE was actually selling two boxes one for workstation and one for server (the server costing a bit more).
War is necrophilia.
Come on now BIND, wu-ftpd, and even sendmail get bashed regularly on slashdot (and rightfully so especially BIND). It's because of all the bashing that BIND9 was re-written from scratch.
Don't you remember the recent thread about BIND? Whenever a major security breach is discovered it gets covered on slashdot why should MS be immune?
War is necrophilia.
Well that's not what they testified to in court. Are you suggesting that the top brass on MS committed perjury?
War is necrophilia.
Foot-And-Mouth Believed To Be First Virus Unable To Spread Through Microsoft Outlook
Atlanta, Ga. (SatireWire.com)
Scientists at the Centers for Disease Control and Symantec's AntiVirus Research Center today confirmed that foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.
"Frankly, we've never heard of a virus that couldn't spread through Microsoft Outlook, so our findings were, to say the least, unexpected," said Clive Sarnow, director of the CDC's infectious disease unit.
The study was immediately hailed by British officials, who said it will save millions of pounds and thousands of man hours. "Up until now we have, quite naturally, assumed that both foot-and-mouth and mad cow were spread by Microsoft Outlook," said Nick Brown, Britain's Agriculture Minister. "By eliminating it, we can focus our resources elsewhere."
However, researchers in the Netherlands, where foot-and-mouth has recently appeared, said they are not yet prepared to disqualify Outlook, which has been the progenitor of viruses such as "I Love You," "Bubbleboy," "Anna Kournikova," and "Naked Wife," to name but a few.
Said Nils Overmars, director of the Molecular Virology Lab at Leiden University: "It's not that we don't trust the research, it's just that as scientists, we are trained to be skeptical of any finding that flies in the face of established truth. And this one flies in the face like a blind drunk sparrow."
Executives at Microsoft, meanwhile, were equally skeptical, insisting that Outlook's patented Virus Transfer Protocol (VTP) has proven virtually pervious to any virus. The company, however, will issue a free VTP patch if it turns out the application is not vulnerable to foot-and-mouth.
Such an admission would be embarrassing for the software giant, but Symantec virologist Ariel Kologne insisted that no one is more humiliated by the study than she is. "Only last week, I had a reporter ask if the foot-and-mouth virus spreads through Microsoft Outlook, and I told him, 'Doesn't everything?'" she recalled. "Who would've thought?"
Copyright © 2001, SatireWire
--
$ find
Now this here is a textbook-quality example of why it is so hard to tell from written messages whether someone is trying to be funny or not. Taken seriously, this person seems to be suggesting that normal people, or at least normal slashdot people, should be willing to evaluate the relative advantages of 0.7, 0.8, 0.8.0.x, and 0.8.1 builds of a web browser over the course of a month or so. Taken as a joke, HiThere is pointing out how some of us have jobs or go to school.
Somebody want to help me out here?
If you say, "now I'll be modded down because of X", I'll happily oblige.
Sad but (more or less) true. Konqueror, on the other hand, is now pretty stable, does 95% of things right, and is very close to being a thoroughly satisfactory browser.
I'm old enough to remember when discussions on Slashdot were well informed.
Dude, that is so fucking funny. Sounds like you're saying. "that is NOT a cube; THAT is a physical object with six squares of the same size for physical boundaries. ha ha ha he ROTFL
It has little to do with "object orientation" also. It has to do with the security system. Whether code is reused or not does not matter...if vulnerable applications are run with powerful privileges, bad things will happen.
It's 10 PM. Do you know if you're un-American?
Short answer:
s/All/Most/
[Too ]Long answer:
Not really. I've seen some code written by disciplined programmers that I would say is perfect. So I think software had bugs because of a lack of programmer discipline. I think most people will agree that it's possible to make a perfect function (i.e. it does exactly what it's supposed to do, handling all possible errors, etc). It's also possible to make every function perfect. Therefore, it is possible to make an entire program perfect. I've done it with smaller programs (nothing I've released yet) and I intend to do it again with a larger one I'm beginning to write (it's an XMMS replacement).
Anyway, I agree with everything else you said. That's just a pet-peeve of mine.
--------
Genius dies of the same blow that destroys liberty.
Buckling in pain. Please refrain from comparing dpkg to Windows Update as if they're almost the same thing. It just hurts.
--------
Genius dies of the same blow that destroys liberty.
It goes the other way, too. I've seen crappy programmers who are so proud of their code they think it's worth millions of dollars, and they don't want to let anyone see it.
--------
Genius dies of the same blow that destroys liberty.
The problem with Linux guys is that they use Linux because of its robustness, and an OS that *ever* *needs* a reboot because of memory leaks simply isn't robust.
I'll probably get flamed for this, but I think a large portion of Linux advocates are just like a large portion of <anything> advocates: they are people who blindly try to follow what the intelligent people are doing, so they can look and feel intelligent too. Of course, they often miss the REASONS why intelligent people act a certain way and do regally stupid things that make the real intelligent people look bad. (I know I've done that, though I tend to notice it later.)
Get used to most people being stupid in one way or another.
--------
Genius dies of the same blow that destroys liberty.
Pine sucks. Use mutt.
--------
Genius dies of the same blow that destroys liberty.
Ok, I did a fresh install of windows on a computer at work. Windows 98 first edition. I popped in the cd, the install ran, and in 30 minutes the computer booted and I went to the Windows Update site. Four downloads and two reboots later, I have a reasonably secure system with no known exploits. Full install, all fixes applied - less than an hour and a half.
This is a pretty useless argument. After spending this amount of time with an install of Windows 98, adding the updates and rebooting a couple of times you have an OS installed. If I spent the same amount of time with a Red Hat 7 install and updates I have everything I need to get my work done. I have Emacs and gcc and PERL and Apache and MySQL and OpenSSH and Abiword and Gnumeric and Netscape and Mutt, etc.
You have Windows, IE, Outlook Express and WordPad. Joy, just what the hell are you going to do with that?
Your comment about Windows being secure is true. On the other hand it's not like it does anything either. As soon as you install an FTP server, a web server, an RDBMS and a remote access program you have the potential to get just as "owned" as any other OS.
What people are trying to say here is that making my email program execute code because I've got something showing in the preview pane is pretty damn dangerous. Yesterday, for the first time in my life, I received an email that makes use of these fancy scripting features. It's a piece of spam (which I signed up for) from the Ministry of sound with a link to their new TV ad and a little flash animation. It's pretty cool but I'll live without it if that's the cost of not getting email that causes some trojan to be executed.
> So basically, this lets someone malicious tell your computer what to do.
Especially since Micro$oft's crypto certificate has been leaked. So you cannot even be sure that the patch is from the real Micro$oft either!
Say no to software patents.
Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.
That works if you only use the web for fun and/or reference, but if you type your credit card number into any website, you should hope that other sites aren't able to read your cookie file or hijack your browser to send everything you type into other sites to the malicious site. I guess you could tell the user to restart their browser after visiting any questionable site and throw out the cookies file between each session, but I doubt it would be worth the effort and loss of functionality.
By the way, preventing the browser from mucking with your files wouldn't solve privacy problems such as bug 57351 (present in both IE and Mozilla).
The shareholder is always right.
This whole "integration" label is kind of wrong-headed to begin with. Technically calculator is integrated into the OS (bundled, whatever you want to call it).
.NET the embraced and extended internet of the future (as they would have it). It's too bad that if people don't want IE it's tough shit for them. Mozilla would be a /much/ better alternative if they were allowed the hooks into the OS that loads it on startup into memory, and makes it persistent, and makes it so it loads the mozilla widget when you type in a url in the explorer application.. Too bad those API's aren't documented. Maybe MS considers them "application specific" and not part of the OS. What nebulous nit picking.
Browser "integration" into the os isn't risky if it's done intelligently. A Browser now-a-days is an external browser interface, a core html rendering widget, and plugins. It's not ludicrous to put the rendering widget into a system library (like microsoft does) because this doesn't preclude security in any way. (although it is ludicrous to make it non-removable *cough*).
Imo, the correct way to look at this is in the legalistic manner. Monopolies can be found guilty of a method called "Tying" which is basically what MS did. They bolted IE onto the side of windows and made it catastrophic to remove IE functionality (not for very good reasons). Should MS make it possible to remove the browser? Of course. I'm sure there would be many sys admins out there drooling at the chance to do just that. Of course MS would never do that. IE is now their forced-onto-everyone interface to
I'll see you in splittsville, MS.
Haven't you guys ever heard of Windows Update? I assume (I don't know, because I run IE6 preview) that everyone has a critical update notification about right now (assuming you run it). Windows update even works for older OS'es where it wasn't built in (like nt4). Again, before I get flamed I'm assuming this patch is on Windows update, but I don't know, because I don't run ie 5.5. I'm sure it will be shortly.
---
DO NOT DISTURB THE SE
That is inaccurate. It's thanks to an object oriented operating system that we have this problem.
Not sure what OO has to do with it; the problem is a program that executes code received from the net without even asking. That's the problem. Let's hope KDE never does anything that silly.
--
--
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
In IE you go to Tools -> Internet Options, and uncheck "Play Animations." Bingo, no more animated gifs.
---
Exactly. The technical knowledge and skill necessary to position the mouse over the IE icon, right click, and select "Delete" is beyond the average user's ability. It needs to be made simpler. I think the desktop should have the IE icon, and the rest of the desktop should be devoted to a 600x600 button saying "Click here to remove IE icon from desktop." Would that please you and the hapless idiot users you seem to be speaking on behalf of? Cheers!
---
I find that quite understandable. People who don't deal with Windows on a regular basis generally don't have very strong feelings about it. This makes it easy (and fun) to maintain an attitude of casual scorn and contempt toward that particular festering pile. When one is forced to use Windows, however, one's attitude unfortunately degenerates into pulsating screaming hatred.
hehe i was gonna take out all but the end but i actually said to myself, in my head... "the end will redeem me"
Karma: excellent (mainly the sum of moderation done to users' comments)
Here's the translation for your average slashdotter
Originally posted: March 29, 2001
We would have told you earlier, but we were sharpening our throwing knives and trying to install "Unix" on our computers...
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Let's see... IF I were running IE, then the Attackers^tm would be fiercely attacking me now and I wouldn't be reading this right now... but the translation is:
Who should read this bulletin: any of the sheeple that we have convinced to use our (superior) product.
Impact of vulnerability: Run code of attacker's choice.
So basically, this lets someone malicious tell your computer what to do.
Recommendation: Customers using IE should install the patch immediately.
So basically, this lets someone malicious tell your computer what to do.
Karma: excellent (mainly the sum of moderation done to users' comments)
The second reason is the complete lack of commercial software. (Even FreeBSD does better in this area!) GNU/Linux may have more reported bugs, but it also runs fucking Oracle 8i. (And, yes, anyone who suggests that I replace my Oracle installations with MySQL gets beaten with the clue stick.)
OpenBSD only has a future as a firewall for the 386 in the corner, and frankly, most admins with a clue would rather run GNU/Linux on that firewall because encrypted swap doesn't mean shit if the machine is just looking at packets all day.
Not to mention the fact that the future of the product rests in the hands of a single Canadian crypto-nut with a well-deserved reputation as a whiny, bitchy, moody control freak. The project has other developers but it is no secret that Theo 0wns OpenBSD. Before you mod this as flamebait, think: maybe there's a reason why everyone who has heard of DeRaadt has heard of DeRaadt's emotional instability. Even if OpenBSD ran Oracle on my company's SMP RS/6000s, I'd be hesitant to use it because of this sticking point.
--
--
I like to watch.
Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.
NT has only taken market share from UNIX. (Which, as most of you are too ignorant to know, was a Big Bad Corporate OS in the 80s. Just like IBM was evil in the 80s. How things change... a few open-source UNIX-ripoffs later, and UNIX is considered "grassroots" by many people here, just like IBM is now seen in a similar light for their "heartfelt" support of Linux.)
They've also completely taken over the desktop market. Of course the roots of this monopoly are 20 years old, but they've only had a truly desirable product for about five.
I like NT. I wouldn't let it in my server room, but it makes a damn good workstation OS. I like its interface best of all I've tried. It has excellent hardware and application support. In addition to being a great development environment, it plays games and DVDs. And my UNIX boxes are never farther away than a telnet session.
MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has, and NT is still four times younger than UNIX. So I'm willing to forgive some bugs.
--
--
I like to watch.
Remember to use our patch, signed by us and Verisign.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I finally got my system up and running today again (shipped with a fried stick of SDRAM, not sure how that one got out the door) decided that it was time to do the windows equivalent of using dpkg, hit windows update. Fresh JVM, DirectX8a, IE 5.5sp1 build, the whole nine yards, just completed ~1.5 hrs ago. No warnings there at Win Update, I have to go to an "alternative focus" web site to get word that I have a huge security leak on my system. I wonder why the apache team even bothers making a win32 port if the system gets wiped out by a newbie admin who checked his mail from the web server.
Read my plan to save the Bengals
To let a file out of the jail, it has to be shown to be harmless. This is the job of a "downgrader", (actually, we're talking about an "upgrader" here, but the terminology comes from DoD security and is traditional) a trusted application which examines files to determine if it is safe to change their security level. A reasonable automatic downgrader for web content would strip all executable content and anything else it didn't understand, leaving only plain HTML and images. A manual downgrader for other stuff may also be available, depending on site policy. Its use might be restricted; in a DoD environment, only the security officer could run it. The point, though, is that this sort of thing is a rare event and requires special attention. The browser does not need enough privileges to do it independent of the user.
Letting the browser run player-type apps is OK, but they have to run in their own jails. This handles things like PDF, MP3, Flash, etc. But it prevents players from snooping around the local system and secretly sending info out to somewhere else.
Within a session, the browser can reply to cookies. Whether it's allowed to save them permanently is a separate issue. It's quite possible to have a browser that has no memory at all from session to session. You'd want this in a kiosk system, but not in other places. The right way to do this is to have a browser state downgrader that runs at browser exit or on user request. It examines new cookies and bookmarks and asks whether it's OK to save them. This is a trusted program, but a small one.
Note that none of the enforcement of these rules is in the browser. It's all in the mandatory security system that restricts what a process can do. The browser has to be modified to work under the restrictions. Again, the code in the browser isn't trusted. Only small, dumb programs with the absolute minimum functionality to do their job are ever trusted.
The trick is doing this without annoying the user too much. From this discussion, it looks like that's possible.
A good exercise would be to take NSA Linux and Mozilla and make them work under such restrictions. This might include managing the cache in a separate process with slightly different privileges. The cache manager needs to read and write the cache, but should never interpret the content. (Think of the cache as being managed by a built-in proxy server, while the main browser does no caching.) Configuration also needs to be done by a separate program and process, one that gets its input from the user, can't get input from the net, and can write the preferences files. This gets all the code that can write permanent files out of the main part of the browser.
Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.
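The automatic downgrader for web content described in the comment above ("strip all executable content and anything else it didn't understand, leaving only plain HTML and images"), sketched as an added example that is not part of the original thread. The tag allowlist, the function and class names, and the sample input are all assumptions made for illustration; the sample is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist of tags and their permitted attributes. Anything not listed is
# treated as "not understood" and dropped (a policy chosen for this example).
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "br": set(), "hr": set(), "b": set(), "i": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "pre": set(), "code": set(),
    "h1": set(), "h2": set(), "h3": set(),
    "table": set(), "tr": set(), "td": set(), "th": set(),
}
VOID = {"br", "hr", "img"}
# Elements removed together with everything nested inside them.
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}
URL_SCHEMES = {"href": {"http", "https", "mailto"}, "src": {"http", "https"}}


def safe_url(value, schemes):
    """Return the URL if it carries an explicitly allowed scheme, else None."""
    value = (value or "").strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None  # embedded control characters can disguise a scheme
    try:
        scheme = urlsplit(value).scheme.lower()
    except ValueError:
        return None
    return value if scheme in schemes else None


class Downgrader(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output fragments
        self.removed = []  # audit trail of what was stripped
        self._skip = []    # stack of open DROP_WITH_CONTENT elements

    def handle_starttag(self, tag, attrs):
        if self._skip or tag in DROP_WITH_CONTENT:
            if tag in DROP_WITH_CONTENT:
                if not self._skip:
                    self.removed.append("tag:" + tag)
                self._skip.append(tag)
            return
        if tag not in ALLOWED:
            self.removed.append("tag:" + tag)
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:  # covers on* handlers and style
                self.removed.append(f"attr:{tag}.{name}")
                continue
            if name in URL_SCHEMES:
                # The parser has already decoded character references, so
                # an entity-encoded scheme is checked in its decoded form.
                value = safe_url(value, URL_SCHEMES[name])
                if value is None:
                    self.removed.append(f"url:{tag}.{name}")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip[-1]:
                self._skip.pop()
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        if not self._skip:
            self.removed.append("comment")  # comments are never passed on


def downgrade(html_text):
    """Return (sanitized_html, list_of_removed_items)."""
    parser = Downgrader()
    parser.feed(html_text)
    parser.close()  # flush buffered text
    return "".join(parser.out), parser.removed


# Constructed sample input, not taken from any real message.
SAMPLE = (
    '<p onmouseover="steal()">Hi <b>there</b></p>'
    '<script>document.location="http://attacker.example/"</script>'
    '<a href="jav&#x61;script:run()">click</a>'
    '<img src="https://img.example/logo.png" onerror="x()" alt="logo">'
    '<object data="payload.exe"><p>fallback</p></object>'
    '<!-- hidden note -->'
    '<blink>5 &lt; 6</blink>'
)

if __name__ == "__main__":
    clean, removed = downgrade(SAMPLE)
    print(clean)
    print(removed)
```

In the design the comment describes, a filter like this would run as the small trusted program at the jail boundary, and the `removed` list is what a manual reviewer would inspect before releasing a file.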
Combine this new exploit with this old one that lets you read any file off someone's harddrive and I think Microsoft might be able to market these as .NET features.
-gerbik
Shouldn't that read... (I.E., never!)?
People shape laws. Not the other way around.
The problem is that we cannot move on. There is no alternative. We have to use whatever Microsoft gives us and smile while they shaft us. IMHO that's what the anti-trust trial is really all about and not whether or not someone's ability to "innovate" is being stifled by government regulations. If their product was just so good that everyone chose it out of their free will, people would move on to competitors when something like this happens.
Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.
--
Never underestimate the relief of true separation of Religion and State.
The URL is http://www.microsoft.com/windows/ie/download/critical/q293818/default.asp and the page starts
Security Update, April 2, 2001
This update resolves the "Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard" security vulnerability,
Pardon me, but nobody is paying large amounts of money for Linux unless they want to. Microsoft demands large hunks of cash, so they should be held to a standard. Linux is free. It makes a difference
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
But to be honest, a system is only as secure as the user or the admin sitting at it. Uneducated users are the most dangerous security hole there is. You can have the best security, the least buggy code, but if you have a tool using the system you may as well go flush your hard worked over security systems down the drain. Okay, that is expanding on the truth, but it's a frustration I feel every day.
I know we will see dozens of anti M$ bites, but really, who are we kidding? Security is not an easy thing and everyone gets it wrong at some point. I had a supposedly secure Sun OS 0wnd by a script kiddie all because the damn admin wanted telnet open. What can you do if people won't take security seriously? I run an IIS webserver due to an app needing it and it has been attacked - it has stood up because I keep up with the latest problems. You just have to do it.
You also have to realise security is a tradeoff. I can guarantee I could build you a Linux server so tight only the true elite would root it.... but how usable will it be? Not very. The problem demonstrated here is that very tradeoff, MS wants usability, so do the unwashed masses. Makes it easy to exploit. Tighten it up and the unwashed wonder why they can't download their porn without some popup telling them that this download or link could be malicious and to proceed after the seven other warnings they would get.
What's the solution in the end? Geeks like us educate the Great Unwashed maybe, I don't know. Certainly a different security paradigm than what Microsoft has.
"Old Rallydrivers never die - they just fail to book in on time"
> OK. My apologies. :)
:-)
:-)
OK. Let's say I remove this comment about the placement of your head.
You know, I just commented on your first sentence, and I must admit not having read the rest of your post. So much of intellectual honesty. You were such an easy target...
> I would go into a long rant here about my personal belief that unwieldiness of Mozilla
That would be interesting. I find mozilla code awful, and believe that the original sin was to make 'dynamic' code with C++. When I look at the code, I pity them, as they took great amount of pain to code in C++ things that would have been natural with Objective-C. Of course, I am biased on this
Cheers,
--fred
> first off, Creating something like BIND is infinitely more difficult than something like MSIE--
Gently put your head out of your ass. You obviously don't know what you are talking about. Bind is a two-banana hack compared to MSIE. MSIE has about the same complexity as Mozilla. Ever looked at mozilla source code ? Ever tried to build it ? Now take a look at BIND source code. Build it. Draw your conclusion in terms of complexity.
A BIND bug is very serious because it can compromise huge segments of the network. But people that run BIND know what they are doing (or should know). And there are alternatives.
A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.
So, IMNSHO, a MSIE bug is more serious than a BIND bug.
Cheers,
--fred
Then again, it wasn't CmdrTaco who posted this, but we're making strides.
I'm impressed with the comments I've seen moderated up so far. Usually stories like this are flooded with comments like "Microsoft sux0rz, this is why Open Source is better!"
Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?
NO CARRIER
Mitigating factors:
The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however.
[snip]
Would IE always execute the attachment?
No. IE would only execute the attachment if File Downloads were enabled in the Security Zone that the e-mail was opened in. However, File Downloads are enabled in all zones by default.
(email addr is at acm, not mca)
We are Number One. All others are Number Two, or lower.
--The Sphinx
Unfortunately, as linux use by the great unwashed masses grows, there will be more instances where the user presses the "server" button on the installation gui, thus exposing bind, ftpd, and everything else with a potential vulnerability.
-bluebomber
The Daily Build
I wonder how long it will take the 5 squillion users running IE5.x to install that patch(let alone the 50 squillion running IE4.x) How quickly will corporate IT departments roll it out? Combined with Verisign accidentally issuing Class 3 certs to some bloke with the common name "Microsoft Corporation" Microsoft must be just waiting for the class action suits to roll in.
I can't wait until .net comes. Think about it, I can just forget my windows passwords I keep in my head because they will be redundant
IT admins, go to brown alert...
if you run Windows you have no such choice. It is installed and it is running
So explain how come I read my email and browse the web from Windows without using OE and IE?
Hint: Lotus Notes and Opera.
--
You are delusional.
Windows has existed in its present forms for about five years.
I presume you are judging the OS by the GUI. Windows NT version 3.1 was released on July 17, 1993. The GUI was different, but the architecture was there, care of David Cutler.
That was the release date. Microsoft recruited David Cutler in 1988, well before Linus started.
Superior UI? Look at the quality of window managers. I'm sorry, but Sawfish, Window Maker and Enlightenment all kick Windows' butt when it comes to utility and control. And themability makes them look good too.
OO Architecture? Um, I think you'll find Gnome and KDE are riddled with OO.
Greater variety of hardware? NT had x86, Alpha, MIPS, even PowerPC, but they're all unsupported now. The free OS's easily wipe microsoft's peachy behind with their portability and the number of actual ports. All of those above plus loads more.
They've had the desktop market since the PC clone became popular. There wasn't a real desktop market before this. They didn't take that from anyone.
Yes, NT is taking share from Unix. But the free OS's, chiefly Linux, along with the rise of the Internet, is challenging this.
MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has
No, they just keep re-releasing the same code with new bells and whistles. The bulk of the code has been made by other companies, later bought up by MS.
Perhaps you can tell I do not like MS. I grew up with MS and I used to love their products. I still like the style of their early manuals (when you got them). But maturity and familiarity have given me perspective. I think you need some too.
Yours Sincerely, Michael.
The browser code isn't "integrated" into the system. It consists of a bunch of libraries that can be used by other applications. See Norton Systemworks, NeoPlanet and the like for apps that use the IE libraries.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Unless you like it, like myself. Windows 2000 only, thanks.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
"Pride of ownership" means absolutely nothing to me. Usually people who try to fix their own faucets end up flooding the house anyhow.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
That should be +1 funny for sarcasm.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
No, the shocker is that a Microsoft bug was posted on Slashdot with the (entirely unbiased comment I might add) phrase "patch now, patch now". For once, Slashdot is caring about those who view their site from the other side of the fence. Then again, it wasn't CmdrTaco who posted this, but we're making strides.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]
That is inaccurate. It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? It's a feature, not a bug, that you can reuse components in various applications without having to rewrite them.
KDE would have exactly this flaw if the Konqueror component had this flaw and an e-mail reader used the component.
In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.
--
Sometimes it's best to just let stupid people be stupid.
Special note of warning, the website has been more messed up than usual over the past few days, especially in trying to download the 5.01 sp2. I'm still trying to find the full package in one compressed file so that some folks can save the bandwidth.
My opinion: reports and pr to the contrary, the bit and piece auto install over the net is not more convenient. Especially when you have people mobbing sites for an update.
But if you are here reading this, you probably know this already.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
I can't tell you how many people I've talked with, technical people mind you, who don't know that there's any browser besides IE.
You've talked to lots of technical people that aren't aware of Netscape?! Are these the "technical people" who clean the fry vats at McDonalds?
Now, I'm not saying that Netscape is a good browser, mind you... (I just can't believe a technical person hasn't heard of it)
I really really dig Opera, and you're right -- way more people need to give it a try. The bug reporting on their site is fine, but they would really be top-notch in my books if they'd let us browse their bug database.
I don't know what the big deal is here. This has happened to many other browsers before, including older versions of IE. With new standards, scripting and virtual machine technologies being implemented in browsers continually, it is expected. It is a simple browser vulnerability, and that is all.
This is not new, if you read Bugtraq, or even Georgi Guninski's page, you will see this and many other exploits are a common occurrence in many browsers. Even browsers that handle only plain html like Lynx have been proven vulnerable at times.
Since IE3, many vulnerabilities like this have popped up in MS's browser. IE3 was far worse, as both the Windows and Macintosh platform could both be exploited in terrible ways. Also, we can't forget the famous Netscape Brown Orifice exploit, which Netscape admittedly couldn't even fix in their 4.x series of browsers. I'm sure there are some fine exploits waiting to be found in the lesser used browsers too, but they are just far less reviewed by the security community.
Now I don't think it's right that such vulnerabilities exist, but bugs will always be present in software. Internet Explorer just happens to use a lot of mixed technologies and therefore there are more ways for it to be exploited. This is nothing more than someone exploiting a vulnerable version of BIND or RPC. The only difference I find here is that Microsoft is involved, and thus makes a good sensationalist Slashdot target.
The clash of honour calls, to stand when others fall.
so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine.
... > set to "Restricted Sites" then click "custom level..." ... disable all scripting and active X shtuff.
Not everyone uses Outlook to read their email. If you do. Tools > Options.... > Security > Zone Settings
Poof, done. Now you should be safe.
Sometimes I wish there was a moderation option -1 : Makes everyone read fixed width text but stupid enough to try HTML tags anyway
no sig.
If I can execute any code that I want, perhaps my windows applications will run? Correct?
On the other hand, running the browser in a jail does nothing to stop MITM attacks against web sites (do you really look at the SSL certificate every time you fill in a form?),
--
A feeling of having made the same mistake before: Deja Foobar
I went to the MS webpage using my IE 5.01, since I need to get the patch... and suddenly a message popped up saying "BillG 0wNz Yu0!" and Windows Update started up. As I post this, it's upgrading my system into I know not what...
-Kasreyn
Kasreyn: Cheerfully playing the part of Devil's Advocate to hairtrigger
Well, I've already taken care of Javascript. But defeating HTML? I'm using an http proxy called The Proxomitron, and it's a very useful tool... an http filtering proxy. I've noticed when Outlook is reading emails, this http proxy registers open connections. Does this mean it's filtering html emails?
Just curious to see if I'm already "safe" from this (ie., as safe as you can be running Windows), or whether I need work. IE 5.0, too - probably vulnerable to this, though MS just couldn't be *bothered* to mention on their page.
-Kasreyn
Kasreyn: Cheerfully playing the part of Devil's Advocate to hairtrigger
All your hard disk are belong to us.
Let's get drunk and delete production data!
Oh youknow teh rest .. seriously though there appears to be no "critical update" on the Small'n'Squishy site. Have they done away with their fix?
--
Jon - TheSpork
Below is the link to the explanation of said hack, that includes 'source' et al.
http://lists.nat.bg/~joro/webctrl2.html
and the URL from ZDNet that linked to it.
http://www.zdnet.co.uk/news/2000/35/ns-17763.html
Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html
Workaround: Disable Active Scripting
Black and grey are both shades of white.
csh: explorer: command not found
oops... I'm not on Windows...
April Fools is coming!@!
Macroshaft Security Bulletin (MS01-069)
Patch Available to Improve Packet Pigeon Performance
Originally Posted: October 22, 1999
Summary
MacroShaft has released a patch to ensure delivery of packets via Packet Pigeon birds. This is long overdue and is a must secure vulnerability on all MacroTrash products.
Frequently asked questions regarding this vulnerability will always be laughed at MacroShaft and AntiOffline
Issue
The Packet Pigeons used in large cities were sometimes affected by those in the geriatric stages of their lives, as these 60+ year olds fed Packet Pigeons en route to their destinations causing a denial of service.
Affected Software Versions
- MacroShaft Windoze NV 4.0 Crashstation
- MacroShaft Windoze NV 4.0 Server
- MacroShaft Windoze NV 4.0 Server, Enterprise Crash Edition
- MacroShaft Windoze NV 4.0 Server, Terminally Ill Edition
Patch Availability
http://download.some.0-day.warez.com/at/some/othe
http://download.some.0-day.exe.files.com/else/whe
(NOTE: MacroShaft really cares about it luzers.)
More Information
Please see the following references for more information related to this issue.
http://www.MacroShaft.org/cgi-bin/display?=%2edev
http://www.antioffline.com/scriptkiddiesoup.html
Microsoft Insecurity Advisor web site, http://www.wiretrip.net
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting MacroShaft Technical Support is available at http://support.macroshaft.and.all.of-its-h0es.com
Acknowledgments
MacroShaft acknowledges deran9ed/sil of AntiOffline for bringing this issue to our attention and we will up his p0rn quota to 2 gigs.
Revisions
THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, OR EVEN EXORTED INTO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS WHORES BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES TO YOUR PORN DIRECTORIES NOR PACKET PIGEONS, AND POKEMON, EVEN IF MACROSHAFT CORPORATION OR ITS H0ES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. PEOPLE OF GERIATRIC AGE SHOULD HAVE THEIR LICENSES REVOKE AND THROWN INTO LABS TO SERVE AS LAB MICE. AND IF YOU ACTUALLY READ ALL OF THIS THEN YOU MUST BE AS BORED AS WE WERE. ANTIOFFLINE RESERVES THE EXCLUSIVE RIGHT TO POKE FUN AT YOU, WITHOUT INDEMNIFICATION, OR GRIEVANCE TO YOUR PATHETIC COMPLAINTS. SOMEONE SHOW ME WHERE THE CAPS LOCK KEY IS!@!
(c) 2001 AntiOffline Corporation. All rights stolen. Terms of Use.
You have received this e-mail bulletin as a result of your moronic use of our Products. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to WE-PAY-NO-ATTENTION-TO-YOUR-MAIL@MACROSHAFT.ORG The subject line and message body are not used in processing the request, and can be anything you like.
For more information on the MacroShaft Security Notification Service please visit http://www.packetstorm.securify.com For security-related information. For MacroShaft products, please visit the MacroShaft web site at http://www.macroshaft.org/ more advisories like this can be found here
360 degrees of Karma
"Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." You are on your own.
When will Microsoft finally realise that integrating their browser into their OSes is not a good idea until it can guarantee security (ie, never)?
The biggest threat to 99.99% of PCs isn't fire, theft or a badly written application but malicious code. And the number one method of delivery of malicious code is now the Internet. Email worms like the ILOVEYOU and Melissa attack via your email and vulnerabilities like this one attack via your browser. Giving applications like Outlook Express and Internet Explorer access to other elements of the operating system is like posting the combination to your safe on your open front door.
Microsoft's browser/OS integration strategy was designed to protect it from accusations that it killed off Netscape unfairly - "gee, IE isn't an application, it's a core part of the OS" - but this has always been a poor defence for the company's actions. I mean, can you name any part of any OS that is available on a rival platform like IE is for the MacOS?
Given that Microsoft has all but lost its legal battles with the US government et al isn't it time it abandoned this browser/OS integration policy that only serves to make Windows more vulnerable to attack? Wouldn't such a move be in the best interests of its customers? Or would such a move be a bitter blow for "innovation"?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.
So Windows runs on ppc, alpha, sparc, m68k, and vax? Cause I have two OpenBSD CDs that cover just that, and I've *never* heard of MS dealing with any of that hardware...
I don't see what the big deal is. Ever notice that when linux has a hole exposed, or netscape has a problem, everyone says "yeah, well it's software, what do you expect?" but when Microsoft has a security hole found everyone is so quick to bash them? Yeah so what, so there's a security hole found... IE6.0 already has this problem fixed, and it's not that big a deal. I don't even use IE/outlook for my email anyways, so I don't care. I never have to worry about any problems, and anything I do use always has any sort of auto-execute options disabled. Simple precaution = no problems. I know that people seem to think that there is a daily quota for MS bashing, but I'm really getting tired of seeing this all the time. Maybe I should start to bash Linux whenever a problem is found there? Don't get me wrong, I use linux as well and have a great deal of respect for it and how far it's come since it began, but can we please stop the immature MS bashing at every opportunity that we get?
If God gave us curiosity
Why must you Microsoft zealots be so defensive about your OS? Don't you see how it only makes the world dislike you more? We are all aware of Microsoft's callous attitudes towards protecting its less informed users and how they essentially take advantage of them. I think it's really sad to see so many of you here in this tech forum who continue to turn a blind eye. It makes me sad to see so many people get hurt by these inept attempts to make a secure product. I beg of you all, let's all band together and raise the bar.
Peace be with you