Slashdot Mirror


MSIE Security Worsens: Patch Bungled

mansoft was one of several to send us a followup to last week's story about the massive MSIE/Outlook security hole. He points us to this Wired news article: "Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft." Ack! If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch. I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout. If Melissa or ILOVEYOU had been able to install backdoors as they spread, that would have really, really sucked. Update: 04/03 04:24 PM GMT by J : According to this Wired story, Microsoft was given six weeks of silence to prepare and issue the patch.

288 comments

  1. Re:Why should I care about security anyway? by Anonymous Coward · · Score: 1

    Steal your identity and thus steal money from your bank accounts, create alter egos assuming your name. Use your e-mail address for devious deeds. There are all kinds of ways that a wide open computer can be used to devious ends. I suggest that you start paying attention, before becoming a victim. Not to mention it sucks when a virus hits a dumbass's computer with Outlook and clogs bandwidth by replicating itself by sending itself to e-mail addresses across the network.

  2. Mozilla by Anonymous Coward · · Score: 1
    If you like browsers with sluggish menus and dialog windows, then yes. It is usable. Barely.

    I use IE at work and Linux Netscape 4.6 at home on a similar hardware (same P-III + 128 MB memory). Netscape 4 is OK, but every time I've tried the latest Mozilla, it feels like my computer has suddenly lost half of its MHz. You get used to it if you use Mozilla for a longer time, but if you constantly switch from IE to Mozilla, it really bothers you.

    1. Re:Mozilla by QuantumG · · Score: 2

      Slow menus. I don't see it pal. If you want stuff to bitch about mozilla, there's plenty of things. Like the search box opening at the top left of the screen instead of in the middle, the status bar that always displays "resolving host" even though there's all this code in mozilla to cache host resolution, the back button that refuses to go back to dynamically generated pages that use post data (when I press back I want the exact page that I was on, I don't want you to connect back to the server and download another one!), the default of open new window at homepage (I always turn that to last visited), the fact that the key bindings are not the same as netscape 4.x (yer, that's a triviality but why did we move to microsoft's key bindings?) The list goes on. Speed is definitely not something that I feel, but all these trivial things add up, and can start a guy considering fixing stuff.

      --
      How we know is more important than what we know.
  3. Re:Biased by Anonymous Coward · · Score: 1

    You missed a whole series of 4.5x releases and the entire 4.6x series.

    But point well made -- Netscape has a shit load of bugs and patches. Well, if they released patches, but they don't -- you need to download the whole multi-megabyte thing each time.

  4. Re:$1 by Anonymous Coward · · Score: 2

    you forget that no one that uses windows even cares. The typical person using windows knows nothing of updates or even installing anything. If their computer does fuck up or completely crash, they just see it as a normal occurrence and take it to the computer shop as if it were a car getting an oil change.

  5. Re:Seriously... by Anonymous Coward · · Score: 2

    I'm not sure it's a fair point to say "anyone who can't keep a windows box up for more than a day is a moron". I thought MS products were supposed to be easy to use? And instability is not attributable to the users. The fact is the users shouldn't be able to crash a system at all. That's considered a bug in real operating systems and generally fixed promptly.

    As for how annoying it is to have to reboot the OS for a relatively simple application patch to be installed, you've never run anything else have you? You can replace the bloody C library and device drivers in Linux without rebooting, let alone a simple browser patch.

    As for it not mattering, you've also never had to support 500 desktops have you? So is it really any wonder MS don't get such good press. Would you be so defensive if your weekend was spent patching 500 corporate desktops due to someone else's fsck up? I didn't think so.

    Go back to playing games and thinking you know what you are talking about.

  6. Nobody will care till it's exploited by Anonymous Coward · · Score: 2

    A potential threat doesn't count.

    A. We've had self propagating trojans

    B. We've had breakins at major web sites with web page defacements.

    Now we have the link for A+B, a way of automatically downloading a trojan onto most people's computer from a cracked web site page.

    Can you imagine the damage it would do to Microsoft's image and the image of Windows if someone exploited this? Maybe 90% of users won't install the patch and those users are sitting targets.

    So please Script Kiddies, DON'T DO THIS, it is bad and I am older than you and I know best.
    Bad kiddies, BAD BAD BAD.

  7. Biased by Anonymous Coward · · Score: 4

    You guys sound like nobody ever finds any holes in Linux.

    BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?

    Slashdot
    News for Linux. Stuff that's biased.

    1. Re:Biased by Trepidity · · Score: 2

      Almost everything (of which Linux is just a few percent) has better security than Microsoft products

      Except Netscape of course, which for some reason UNIX users continue to insist on using. How many security releases is the 4.x series up to now? 4.77 just came out this week, so I think we're up to at least 20-30 security patches, many of them for serious holes.

    2. Re:Biased by DataPath · · Score: 1

      Whoa, cowboy! Cool down them boots!
      I don't think this article was so much as a rant of another bug as it was a warning about the non-fix, and a rant about Microsoft's botched fix.

      --
      Inconceivable!
    3. Re:Biased by Sloppy · · Score: 2

      Hey dude, you're the one who brought up Linux; the story didn't. Nobody said Linux and all the assorted Unix tools out there are a special case that are better than average in terms of security.

      Microsoft is the special case here. Almost everything (of which Linux is just a few percent) has better security than Microsoft products, because even most below-average-intelligence programmers know that data != code. At least when Linux or BSD or MacOS or Amiga or QNX or OS/2 or BeOS fucks up, it's usually just due to a bug, not due to the really stupid premise that external data should be executable (and with full privileges!).

      Microsoft is damned lucky that most of the exploits up to now have been so benign. It's pretty clear that whoever has been writing them, has been pretty Microsoft-friendly by just doing proof-of-concepts and having fun, rather than actually causing serious damage that would make users demand a serious response. (And before someone goes off on how many thousands of dollars their company lost due to ILOVEYOU or Melissa, count your blessings that you got off so easy.)


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    4. Re:Biased by Black+Parrot · · Score: 2

      > You guys sound like nobody ever finds any holes in Linux.

      > BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?

      Woo-hoo! How many Windows holes have been discovered since the BIND hole was?

      --
      Sheesh, evil *and* a jerk. -- Jade
    5. Re:Biased by macpeep · · Score: 5

      Yeah. I know.. I was just thinking that too.. Weird how people have such selective memories. Netscape.. let's see:

      4.0
      4.01
      4.02
      4.03
      4.04
      4.04a
      4.05
      4.06
      4.07
      4.08
      4.5
      4.51
      4.7
      4.71
      4.72
      4.73
      4.74
      4.75
      4.76

      and a few days ago, 4.77 appeared on Netscape's FTP sites even though Netscape 6 (don't even get me started!) was released.. Oh.. And Netscape 6 is actually at 6.01 now.. Yes, you guessed it.. a security patch release. I'm sure I left out some 4.x versions, but notice that only a couple of those are feature releases (4.5, 4.7 and 4.06 if memory serves). For many of those releases, way more than one bug has been patched. So to claim that this is a Microsoft-only problem is just plain wrong.

    6. Re:Biased by radja · · Score: 1

      >A self spreading trojan so simple an 8 year old could use it?

      Better a self-spreading well-written trojan so simple an 8yr old can use it, than

      a user-spreading trojan (pic of tennis-star) so simple an 8yr old could've written it.

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
    7. Re:Biased by clare-ents · · Score: 2

      "BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?"

      BIND is an application used by serious network administrators and should only be used by technically competent people.

      IE is part of the underlying operating system and is present on all windows machines - even on those where it's not wanted.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    8. Re:Biased by SgtAaron · · Score: 1
      You guys sound like nobody ever finds any holes in Linux.

      BIND?

      Man, BIND is not Linux. IE and Outlook Express are shipped with and tied into the operating system known as Windows. We give a set up CD with Netscape to our customers, but IE and Upchuck Express stay there; why risk a gotcha by uninstalling the OS's choice browser. Who knows what that will mess up?

      People installing multi-user operating systems with multiple services such as Linux are supposed to know what they need to do to secure the thing. I think many will agree that, in order to more tailor Linux for the masses (and I don't think that should be a prime focus, anyway, IMO), work needs done by vendors to provide locked down installations by default, and not install potentially dangerous software without active selection. The proliferation of inexperienced system administrators putting insecure linux boxen--machines open to trivial security breaches, that is--on the 'net is certainly a dilemma. Perhaps the demand for such talent is outstripping the available experience, especially in certain overseas (from me) locales, it would seem (my IDS shows most intrusion attempts and port scans coming from Asia these days). Anyway, I'm just speaking from anecdotal evidence here, and not using any hard data. So, back on topic:

      Microsoft, however, touts their OS as the choice for the masses, yet most day-to-day operations and the act of actively checking for security holes and getting patches is beyond the ability or willingness of most users.

      Bugs like this have serious implications for administrators and ISPs. Hey, when Joe User has problems upgrading to the latest version of IE to fix the security hole of the week, who do you think they call? Answer: their poor Internet Service Provider since MS support costs extra, and users have come to expect almost total support from their ISP for such things.

      Ask me how many double-bounces I wade through every day thanks to W95.Hybris.gen -- it ain't pretty ;-)

    9. Re:Biased by GiorgioG · · Score: 1

      The fact is that NO system is 100% secure. If someone wants to screw with your system, they will find a way to do it. "If your system's properly configured, you can make sure it's secure." - To the best of YOUR knowledge it's secure. Unless you pored over every single line of code, considered every possible way to hack/attack the system, it is impossible to ensure absolute security.

      Ok, so Microsoft's system isn't the most secure, deal with it if you're a Windows user or switch to a "more secure" operating system. If you're a *nix user, stop fighting the "big bad power" - it isn't your issue. People have the instinct of always fighting the "King of the hill" (i.e. Microsoft, Intel) and cheering on the underdog (i.e. Linux, Netscape, AMD). And yes, Linux is an underdog in the desktop/business-end user market. When Linux becomes "idiot-proof" for the most part ala Windows, then you'll actually get end-users & businesses to use it. Then again do you hardcore Linux guys really want hundreds of thousands of end-users asking stupid "newbie" questions? Sure you can tell them to RTFM, unfortunately that won't get you a Microsoft-like user-base. Alright..enough ranting - now mod me down.

      I'm a Windows user by choice, I've tried Linux and I really did not like the GUI. It wasn't (at the time) as polished as Windows - who knows now. I actually prefer QNX's interface (http://get.qnx.com) over Windows', but there aren't quite enough applications for QNX just yet....

  8. Re:IE used by other programs by Tony+Shepps · · Score: 1
    Well, that's all fine, until installing IE5.02 shafts the software I use to earn money.

    Yes, being a Windows code whore always sounds like a good idea at first.

    (Aw come on, you left yourself wide open for that one)

  9. Re:If Netscape would just get off their ass by Trepidity · · Score: 2

    Konqueror runs on Windows now?

  10. Re:...blow your byte limit, wipe your drive... by Trepidity · · Score: 2

    You keep unencrypted credit card details and account passwords on your computer? That's not a very good idea.

  11. Re:If Netscape would just get off their ass by Reid · · Score: 1

    I started using Opera a couple days ago, too. Unfortunately, it also tends to crash pretty regularly. Its speed makes up for it, at least until mozilla gets a little more cleaned up from recent major changes.

  12. Cheap red herring/spin doctoring by Tim+Doran · · Score: 5
    "Scott Culp, Microsoft's security program manager, said on Friday that the flaw exists only with a few out of several hundred MIMEs that are used to encode files as e-mail attachments."

    In other words: "Chrysler spokesman Corporate G. Bastard said that although every Chrysler vehicle produced in the last year could be unlocked, its alarm disabled and driven away using Bic brand ballpoint pens, the vulnerability exists only for a few of several hundred colours available."

    This is the worst (ie. least skillful) spin doctoring I've ever seen. Just because all MIME attachments don't open your machine's front door, well, we shouldn't worry about this "typical software error."

  13. Re:Slightly O/T by stephend · · Score: 2

    It's the same problem with all commercial software: they have to pretend that their software is perfect.

    If they have to distribute patches for *anything* they are saying that they made a mistake. That's like admitting liability, and what would an insurance company say about that?

    Microsoft has tried to cover it up by including enhancements (service packs) and making it automatic (Windows update) but we all know these don't work properly either.

    I recommend you read Neal Stephenson's "In the beginning..." as he talks about all of this in much more detail.

  14. Re:In fairness to Microsoft by sheldon · · Score: 1

    This is slashdot!

    When slashdot's connection to the internet fails and I can no longer read posts about goat sex, it is Microsoft's fault!

  15. Re:Who do you want to sue today? by RelliK · · Score: 1

    The EULA says something to the effect "to the maximum extent permitted by the applicable law Microsoft hereby disclaims all damages yada yada yada...". The key word (or phrase rather) is "to the maximum extent permitted". It would seem to me that all you need to do is sue them in a state where such disclaimer is not permitted.
    ___

    --
    ___
    If you think big enough, you'll never have to do it.
  16. Com'on by Repvblic · · Score: 3

    No one honestly expects any microsoft product to be secure. It's the virus attacks that wipe out your system that keep it running so well, since we all know that after 6 months all versions of windows need to be re-installed or they stop running correctly.

    1. Re:Com'on by Kid+Zero · · Score: 1

      Yeah, Like I just passed 3 years. Installed it right after it came out. No reinstalls. And I've installed a ton of non-MS software that was crappy. I do have Office 97, mainly because I use Word, and the wife uses Powerpoint for work.

      I hated Outlook Express from the beginning. Only within the past 18 months I switched over to IE full time.
      -----------------------------
      1,2,3,4 Moderation has to Go!

    2. Re:Com'on by Timinithis · · Score: 1

      No, no one honestly expects them to be secure, but for those that haven't had the opportunity to look at M$ next Office innovation M$ Office XP (XP for experienced) Outlook XP will NOT accept any executable or scriptable attachments. If you can't prevent the problem, just delete everything that MAY cause a problem. And it does just that...deletes any attachment it doesn't like, and no, there isn't a check box to stop it from doing that. How do you want your mail today? No, I think you want it this way.

      All your attachment belong to us

      --
      Sig? What's a Sig?
    3. Re:Com'on by thechink · · Score: 1

      since we all know that after 6 months all versions of windows need to be re-installed or they stop running correctly.

      Oops, I'd better re-install Windows right now! According to you, I'm about two years overdue!

  17. Re:Overstating Things by datazone · · Score: 1

    yep, wired is stupid. If someone is stupid enough to not read ALL the information in a security message, then they deserve whatever they get. I am not a MS supporter, but they clearly stated that IE 5.01 SP1 and IE 5.5 SP1 are the ONLY two versions the patch can be installed on. They even show you how to find out what version of IE you are using, and how to see if the patch was applied successfully. It can't be any easier than that.

    --
    It's spelt "L-I-N-U-X", but pronounced as "Free Beer"
  18. Re:Overstating Things by GypC · · Score: 2

    What did they spell out clearly? That the patch may not work and you may still be vulnerable to exploits? Really? Sounds unusually honest.

  19. Re:Opera by GypC · · Score: 2

    Are you talking about http://mi-net.dynup.net/ ? I just ran it through http://validator.w3.org/ and got loads of errors.

    Opera isn't very forgiving of bad HTML, sorry.

    Being a new web author you should really spend more time at http://www.w3.org .

  20. Re:If Netscape would just get off their ass by juuri · · Score: 1

    I tried to use opera once.

    Can someone explain to me whose retarded idea it was that doesn't page down? How do you enable this "feature" under opera?

    --
    --- I do not moderate.
  21. Re:Opera by Jaffa · · Score: 1
    ...It ships on multiple platforms (BeOS, Win32, Linux... even Epoc ?)

    EPOC is the nice operating system from Symbian which runs on Psion PDAs, the Ericsson R380, the Diamond Mako, the Nokia 9210 and a whole load of other stuff...

    It's quite nice having a browser as good as IE 5 on your palmtop :-). If you've got an EPOC PDA, install the Opera 5 beta now! :-)

  22. ...blow your byte limit, wipe your drive... by leonbrooks · · Score: 4
    If people get access to my PC, why should I worry?

    ...borrow your credit card details, passwords to any/all accounts you access through the machine, use your machine to break others (thus dropping you in the pooh en passant), post emails and the like in your name, yadda yadda yadda.

    Trust me, it's not a good idea.

    --
    Got time? Spend some of it coding or testing
    1. Re:...blow your byte limit, wipe your drive... by Tackhead · · Score: 2
      > But emails can be forged by anyone with access to port 25 on an SMTP server

      Cripes, you had to make me wonder why nobody (ILOVEYOU, etc.) has launched one of these Windoze viruses through an anonymizing open relay out of China.

      1) 0wn some poor fux0r's insecure Linux box.
      2) Install ssh and tunnel your way to a shell on it.
      3) From the 0wned box, telnet to port 25 of an open relay that masks the IP of the spammer and send a few thousand ILOVEYOUs or Melissas.
      4) Wipe the logs, the rootkit, and then cp /dev/random /dev/hd0
      5) Sit back, relax, and watch the networks melt down.

      The use of an anonymizing open relay makes the only publicly-available trail go back to China. The admin may not even know his box is being used as an open relay, let alone keep logs of it.

      The use of an 0wned box means that if the Chinese admin keeps logs, the logs will point back to the innocent victim.

      The innocent victim's hard drive will be largely wiped when FBI comes knocking on his door. Can you say "Guilty unless proven innocent"?

      With the drive and logs mostly wiped, good luck finding the evidence that the box was 0wned and the logs showing an incoming ssh connection from the real perp.

      Hell, good luck finding that out even if /dev/hd0 hadn't been wiped.

      We're vulnerable. We have been for years. And the only thing we can be thankful for is that skr1pt k1dd13z are morons. The real adversaries are just biding their time.

    2. Re:...blow your byte limit, wipe your drive... by 91degrees · · Score: 1

      But emails can be forged by anyone with access to port 25 on an SMTP server, I don't keep my CC detail on my machine, and if people want to use my machine to hack into someone else's machine, why should it be MY responsibility to stop them? Surely that is up to the person whose machine is being hacked.

    3. Re:...blow your byte limit, wipe your drive... by 91degrees · · Score: 1
      You could interpret it that way. I meant that if my machine is being hacked, it is my responsibility to stop it. If my machine is being used to hack into a third machine without my knowledge then it is the responsibility of the owner of the third machine.

      If I actually put something worthwhile on my machine then of course I would take a little care over security. But that's because it would be my job.

    4. Re:...blow your byte limit, wipe your drive... by Black+Pete · · Score: 1

      I'm sure this is a troll... but....

      If you seriously and honestly believe that it's not your responsibility whenever someone uses your machine to hack into other machines, think again.

      Can you say "frame-up"? Good, I knew you could.

      When the cops come knocking on your door because they traced the hack back to your computer, I'm sure you'll be singing a different tune. Especially if the hacker was smart enough to wipe all logs (or better yet, scramble your HDD) to wipe out any evidence that your machine had been hacked into.

      Not your responsibility? Tell that to the cops. And good luck proving it, this THIS is the favourite excuse used by hackers who did get busted.

      One final question - how many of those busted "hackers" were really telling the truth? Could you be next?

    5. Re:...blow your byte limit, wipe your drive... by mvdwege · · Score: 1

      Last I knew cracking into another computer was still a crime in most industrialised nations. So someone is using your deliberately unsecured machine to crack another one. That would constitute criminal negligence on your part wouldn't it?

      Try using your line of reasoning on the FBI agents (or whatever you have where you're coming from) that come knocking on your door soon, but don't bother us with it please.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    6. Re:...blow your byte limit, wipe your drive... by mooman22 · · Score: 1

      ...and if people want to use my machine to hack into someone else's machine, why should it be MY responsibility to stop them? Surely that is up to the person whose machine is being hacked

      Did i miss something or have you just said it is your responsibility?

  23. Re:If Netscape would just get off their ass by scrytch · · Score: 2

    > If you're not morally opposed to running KDE, you should give serious thought to trying out Konqueror. It runs using the Gecko rendering engine

    It does not. It uses KHTML, which is not based on Mozilla code.
    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  24. Re:no security model by whydna · · Score: 1

    > IE 5.5 i mean come on, ...

    Doesn't this problem affect 5.0.x also?? I thought I remember hearing that.

    -Andy

  25. Re:But will IE use slacken? by Dr.Dubious+DDQ · · Score: 2
    the assumption that Netscape is more secure[...]Yeah, so go ahead, feel happy and surf the web with Netscape 4.7x[...]

    Who said anything about Netscape? What I want to know is has anyone found any security problems in Konqueror, Galeon, or Opera.

    And ARE there any...


    ---
    "They have strategic air commands, nuclear submarines, and John Wayne. We have this"
  26. Re:Slightly O/T by ethereal · · Score: 1

    Playing the devil's advocate for the moment, I could argue that Microsoft has to protect the home user, because that person must be their own sysadmin. The corporate desktop, on the other hand, should be managed by the company IT team who are subscribed to the necessary Microsoft security mailing lists. One could argue that there's a higher standard of security required for corporate networks and an expectation that a company will have a real security team to handle it.

    In reality, of course, they've sold corporations on how they won't need to pay for those extra admins because of "TCO" and "ease of use". So in the end I'll agree with you that corporate networks get screwed, but I think they're more screwed by Microsoft marketing than by the inherent security of Microsoft code.

    No, I'm not bitter, I just got switched to Exchange mail (latest stats: in 2 weeks, 2 emails inexplicably deleted and 1 duplicated). Why do you ask? :)

    --

    Your right to not believe: Americans United for Separation of Church and

  27. Re:erk... by jelle · · Score: 1

    You may be right on the speed of development part, except that 95% of the Linux users out there don't use the KDE or Gnome CVS to stay up-to-date with the latest features. Most wait until it's in their distribution, so that they can 'rpm -i', or 'apt-get install' it.

    Fast security fixes will only help if the distribution packagers are right on top of it with fast response of packaging the security-fixed versions. And even then, the user must know about it, or have an automated (cron) way of keeping up-to-date with just the security fixes.

    Currently, that is not the situation we're in...

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.
  28. Re:erk... by jelle · · Score: 1

    "Who cares if you can get root access?"

    If they can't get root access, they can't change user. And with 32bit UIDs, which are available from 2.4 on, the browser can run in its lonely little dedicated UID space, without even having access to the user's files, just the browser cache and configuration.

    There is your 'security model' for you. Much better than 'trust all officially microsoft approved activex applets and give only one prompt for all others'

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.
  29. Re:If Netscape would just get off their ass by sammy+baby · · Score: 2

    I kinda hate posting this, just because it's such a predictable old saw, but...

    If you're not morally opposed to running KDE, you should give serious thought to trying out Konqueror. It runs using the Gecko rendering engine, but has the added benefit of... well, you know. Not crashing constantly. It also runs very quickly, orders of magnitude faster than the last 'zilla build I tried (m18).

    The only problems I've had with Konqueror involve javascript-heavy sites, and I really don't feel I can blame that on the browser.

  30. Re:If Netscape would just get off their ass by Sloppy · · Score: 2

    What makes you think that would work? There are already plenty of non-sucky browsers out there. But MSIE is the one that comes preloaded on 'Doze systems. You can't even move the icon off the desktop into the recycle bin or a "MS Stuff" folder.

    BTW, making a browser that doesn't suck, doesn't really require much in the way of resources. It's pretty much just a one-man job. Web browsers aren't particularly difficult apps. They only start to get hairy when companies like MS start trying to turn them into desktop shells.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  31. Overstating Things by augustz · · Score: 5
    "despite all claims to the contrary from Microsoft"

    For those of us who read the security notice Microsoft released, this is old news because Microsoft spells it out clearly and did so when the patch was first released.

  32. required msie5.5 upgrade deleted netscape by abraxas · · Score: 1

    THOSE FSCKERS!!!!

    Seriously, it's deleted. Now what gives them the right to do that without even asking me. The agreement you say 'ok' to says nothing about deleting 3rd party software installed on your machine. It went into c:\prog\net\blah and deleted the fscking binary for netscape.

    ARGH!!!

    why are they so freakin incompetent? it's not like they don't spend tons of money addressing this issue. i mean really.... would they rather have us think them incompetent or intentionally evil??

    pig fsckers, all of them...

  33. Re:Oh shit..... by Black+Parrot · · Score: 1

    > Wasn't that bug an April fools? Now Im *really* in trouble ;D

    The exploit was an AF Joke, but the bug in the fix wasn't.

    --
    Sheesh, evil *and* a jerk. -- Jade
  34. Re:Seriously... by bogado · · Score: 1
    Well I really don't know for the others but I do it. Because if more people stopped using this piece of s*** software maybe we would have access to more hardware drivers or video players. I really don't care if we don't have MS word or excel, but I would really like to be able to play quick time and some other file formats that people put on the web. I would really love to be able to use my F**** scanner without rebooting.

    Everyone seems to use windows, besides the fact the most of the people know that it doesn't work. And because of this fact alone I can't use my linux for some tasks, and this p*** me off.
    --
    "take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  35. Testing and QA by Wonko42 · · Score: 2
    Before Microsoft puts anything on the official Windows Update site, they run it through the QA department for testing. Their testing procedures are very rigorous, so it takes some time. In any case, the untested patches are always announced on NTBugTraq and other security mailing lists. These test procedures are a good thing -- they make sure bugs like this one don't take advantage of the helpless users who click on the Windows Update icon and expect everything to go smoothly.

    --

    1. Re:Testing and QA by manyoso · · Score: 1

      Where was this "very rigorous" testing in this episode... Not only have they blown the patch but, as the update states, they have known about this since February and they still don't have this available on Windows Update!

  36. Re:If Netscape would just get off their ass by Ch0k3r · · Score: 1

    Has anyone seen the mozilla milestone build they are trying to push as Netscape 6?

    You didn't intend to type Millstone instead, did you?


    --

    Somebody's gotta go back and get us a shitload of dimes.
  37. Re:Seriously... by Platinum Dragon · · Score: 2

    Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products, claiming that they're the most worthless piece of shit software company on the planet?

    Probably because a lot of us have watched Windows crap out for no discernible reason, under loads and uses that Linux and the *BSDs regularly chew up and spit out. I've watched both the cruddy 9x series, and the slightly more stable NT 4 collapse for bizarre reasons. Watching a DVD shouldn't cause a lockup. The OS shouldn't need a reboot every once in a while to "speed it back up." As for NT, watching someone nearly snap because an out-of-nowhere crash wiped out the video they'd been editing is *not* fun. I guess one could argue that NT 4 wasn't made for video editing...but then, why were these rather expensive machines purchased, and why did the company that sold them choose NT as the platform?

    It's that inability to handle regular, everyday use without very careful shepherding that drove me - DROVE ME - to install Linux in the first place.

    Incidents like this do not help. It's good that Microsoft mentioned in the initial patch summary that people who got a "this patch is not necessary" message needed to install it anyway - but then, that message shouldn't have popped up in the first place.

    Too much crap wasting too much of my time. That's why I stay away from MS software whenever possible.

    --

    Someday, you're going to die. Get over it.
  38. Re:In fairness to Microsoft by atlep · · Score: 2

    So, basically you're saying that:
    - it is OK for M$ to not offer patches for older versions since there exists a new version to be downloaded.
    - it is OK to leave bugged patches for download, because everybody can read somewhere that the patch is bugged?

    I will say that a company like M$ should have the resources to do some proper quality control before giving out new software. I'm not saying that IE should be guaranteed to be bug-free but the patch should at least have been tested with several versions of IE first. This is so simple and basic....

    M$ cannot force every end-user to download huge version of IE because M$ cannot be bothered to give out patches for older versions! For this there are at least two reasons.
    1. dl'ing IE takes TIME, especially for all those who still use analog modems.
    2. Not everybody needs (for other reason than removing old bugs) or wants these upgrades.
    M$ should show some responsibility, then again why should they as long as they have monopoly?

    Say no to addictives, say no to .doc
  39. Re: erk... by mpe · · Score: 2

    GNOME is being designed from the ground up to avoid the very things microsoft calls "features" but are really just inviting back doors.

    These "features" are also known as "spaghetti code"...

  40. Re:If Netscape would just get off their ass by mpe · · Score: 2

    they have decided to build in all these nice features, like HTML rendering of e-mail and attachments opening automatically when double clicked.

    It's impossible to have an email program which can render HTML emails without simply throwing them at a browser? It's impossible to have an email program which can tell the difference between application data files and executables?

  41. Re:Slightly O/T by mpe · · Score: 2

    I believe Microsoft has actually done a good job with this. First, Windows includes a prominently placed "Windows Update" menu item, which most users will click on just by accident often enough to be useful. Second, they're training users to update the OS by including "cool" updates like Microsoft Messenger and Media Player alongside more mundane updates.

    All of this kind of thing targeted at the standalone/home user.
    When most damage is done by the security problems with corporate networks.
    Effectively it's a variation on "expect the end user to be the sysadmin".

  42. Re:market share by macpeep · · Score: 2

    Netscape 5.x is what is in the user agent string of Mozilla.

  43. Re:market share by macpeep · · Score: 2

    What I meant was that Netscape 5.x is caused by the user agent string of Mozilla, which is what you said (Mozilla/5.0 ....).

  44. Re:market share=incorrect by macpeep · · Score: 2

    Look, I'm not making these stats up. I'm not the one who coded the app that collects the stats but you do have a point that the lack of ME is weird.

    I assume it's not under "other" because that share is so low. These all come from the user agent strings so whatever a browser under Win ME would identify itself with, that's what would show up here. Anyone with Windows ME who can tell us? I would also not be completely surprised if the guys who wrote the stat app just thought that ME is basically 98 SP2 and decided to combine the stats under "Windows 98".

    Also, if anyone else has similar stats, I'd like to see those too - if nothing else but to compare how "average" our stats are.

  45. Re:market share=incorrect by macpeep · · Score: 2

    I started wondering about the lack of Windows ME and I found an answer to the question in a message by Jerry Baker in a Mozilla newsgroup:

    FROM: Jerry Baker
    DATE: 07/15/2000 07:39:03
    SUBJECT: Properly reporting Windows Me

    Well, Windows Me has been released to manufacturing and is supposed to
    go gold in September. I'm just curious if we want to setup
    /mozilla/netwerk/protocol/http/src/nsHTTPHandler.cpp to recognize it.
    Some might say that Mozilla should just continue reporting it as Win98,
    but I don't think so. Just as Win98 was really just an upgraded Win95,
    so ME is to Win98. It is a different OS and should be reported so that
    people wishing to detect the presence of this OS can find it (such as
    measuring its adoption rate, etc.).

    The real question comes down to how to report it. It looks like Mozilla
    is trying to provide UA compatibility with IE where possible (a good
    thing), but IE has an interesting take on Windows Me. The info I have so
    far shows IE reporting Windows Me as

    Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

    To me that seems ridiculous. Should Mozilla go ahead and follow MS's
    previous "standard" and report it as "Windows ME", or use Netscape's
    "standard" and report it as "WinME"?

    What do you think?

    --
    Jerry Baker

    PGP Key:
    http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0xD0AEE429

  46. Re:What if this happened to Linux? by macpeep · · Score: 3

    The guy goes "Modify the source to do all sorts of decryption and hacking" and gets modded up for "insightful". Hello?!

    It doesn't matter if the source is available or not. A worm or virus that gains access to the system - any system - can do anything it wants. Period. There's absolutely no difference if it's Windows or Linux, except that on Windows (especially the non-NT variants) code would more easily be run under an account that has more access to the machine (administrator, system etc.). On Linux and other UNIX's, typically, the worm would be executed under some non-root account and have only limited access to do harm. On a properly set up Win NT box, it's basically the same tho.

  47. market share by macpeep · · Score: 3

    The company I work for hosts a *large* number of sites for all kinds of companies - both B2B and B2C. For the record, the sites are in Finland *mostly* but they should reflect pretty good global market shares as well.. The combined stats from all those sites are as follows:

    (btw, like for Slashdot polls, if it doesn't add up to 100%, it's due to rounding errors)

    Browsers:

    MSIE 5.x 75.79%
    MSIE 4.x 13.67%
    Netscape 4.x 9.28%
    MSIE 3.x 0.44%
    Netscape 3.x 0.36%
    Netscape 5.x 0.22%
    MSIE 6.x 0.15%
    other 0.09%
    Netscape 6.x 0.01%

    Operating systems:

    Windows 98 64.17%
    Windows 95 18.18%
    Windows NT 15.92%
    Macintosh 0.95%
    Linux 0.33%
    Windows 3.1 0.23%
    other 0.19%
    Misc Unix 0.05%

    I think these stats show a couple of things:

    1) Windows OS's have a HUGE lead over anything else. Macintosh is lower in Finland than it is in the USA, I'm sure, but then you'd think Linux is higher here than over in the USA...

    2) IE has a HUGE lead over Netscape and anyone else, with almost 90% market share

    3) IE 5 has a surprising amount of users - I was expecting IE 4 to have a much higher number relative to IE 5. I think this shows that people are actually upgrading their version 4 IE browsers to IE 5 themselves and not just sticking with what came with the OS - otherwise we'd see more IE 4's.

    4) Mozilla + Netscape 6 are completely marginal at this point, though I'm sure they will slowly grow. At this point, there are even more Netscape 3 users than there are Netscape 6 users! Even IE 6, which only has had a beta out for about two weeks is higher than Netscape 6 right now.

    I don't know about the rest of you, but I'm pretty surprised at the huge Microsoft domination in these stats; both OS wise and browser wise. Considering security problems like today, it's a little scary, because Joe Sixpack will NOT install security patches. At least the stats seem to show that users do update their browsers every now and then..

    1. Re:market share by bertilow · · Score: 1

      Netscape 5.x is what is in the user agent string of Mozilla.

      No. This is Mozilla's user agent string:

      Mozilla/5.0 (Windows; U; Win98; en-US; 0.8.1) Gecko/20010323

      Actually this kind of statistics has very little value. To the usual problems we can add the clueless handling of the user agent strings. Some report figures for "Netscape". I have no idea if that includes all versions of Netscape browsers. Version 6 is so different it makes no sense to bundle it with version 4.

      And then there is Opera which presents itself _by default_ as MSIE 5 with an additional "Opera 5.02" added on at the end. How many just check for MSIE and miss the added "Opera 5.02"? I have seen sniffers that just check for "Opera/" + version number (e.g. Netscape's "Ultimate Browser Sniffer"). They miss "Opera " + version number. Opera can also spoof as Mozilla 5. And some don't report Opera at all, listing perhaps a category "Others". Some _unknown_ part of MSIE (and perhaps of "Netscape" or "Mozilla") is probably Opera in these statistics!

      (I'm no Opera fanatic - quite the opposite...)

    2. Re:market share by bertilow · · Score: 1

      What I meant was that Netscape 5.x is caused by the user agent string of Mozilla, which is what you said (Mozilla/5.0 ....).

      OK. I thought so. But this just underlines how cluelessly user agent strings are being handled, and again how worthless the resulting statistics are. If they don't even know what browsers there are out there, and how they identify themselves, what value will their statistics have?

    3. Re:market share by bertilow · · Score: 1

      Later releases of Mozilla correctly identify themselves as "6.0".

      You mean "not yet released releases of Mozilla", I suppose. I just quoted the string that Mozilla 0.8.1 uses:

      Mozilla/5.0 (Windows; U; Win98; en-US; 0.8.1) Gecko/20010323

      Do you have a newer user Agent string for Mozilla with "6.0" in it? I don't think so...
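
The sniffing mistakes described in the user agent sub-thread above, shown as an added example that is not part of any comment: a first-match classifier of the kind the thread criticises, beside one that checks the Opera tokens ("Opera/" and "Opera ") and the Windows Me marker first. Two sample strings are the ones quoted on this page; the rest, and all function names, are constructed for illustration.

```python
import re
from collections import Counter

# Sample User-Agent values. Entries 0 and 1 are quoted in the comments above;
# entries 2-5 are constructed to match the formats those comments describe.
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)",
    "Mozilla/5.0 (Windows; U; Win98; en-US; 0.8.1) Gecko/20010323",
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.02 [en]",
    "Opera/5.02 (Windows 98; U) [en]",
    "Mozilla/4.76 [en] (Win98; U)",
    "Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20001108 Netscape6/6.0",
]


def naive_browser(ua):
    """First-match sniffing: 'MSIE' wins, any other Mozilla/N is 'Netscape N'."""
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return f"MSIE {m.group(1)}.x"
    m = re.match(r"Mozilla/(\d+)", ua)
    if m:
        return f"Netscape {m.group(1)}.x"
    return "other"


def browser(ua):
    """Most specific token first, so spoofed prefixes do not decide the result."""
    # Opera appears either as "Opera/5.02" or as a trailing "Opera 5.02".
    m = re.search(r"Opera[/ ](\d+)", ua)
    if m:
        return f"Opera {m.group(1)}.x"
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return f"MSIE {m.group(1)}.x"
    # A Netscape 6 build names itself after the Gecko token.
    m = re.search(r"Netscape6?/(\d+)", ua)
    if m:
        return f"Netscape {m.group(1)}.x"
    # Plain Mozilla builds carry Gecko/ but no Netscape token.
    if "Gecko/" in ua:
        return "Mozilla (Gecko)"
    # Only now is a bare Mozilla/1-4 prefix taken to mean Netscape.
    m = re.match(r"Mozilla/([1-4])\.", ua)
    if m and "compatible" not in ua:
        return f"Netscape {m.group(1)}.x"
    return "other"


def os_family(ua):
    """Check the Windows Me marker before the Windows 98 token it rides on."""
    if "Win 9x 4.90" in ua:
        return "Windows Me"
    if re.search(r"Windows 98|Win98", ua):
        return "Windows 98"
    if re.search(r"Windows 95|Win95", ua):
        return "Windows 95"
    if re.search(r"Windows NT|WinNT", ua):
        return "Windows NT"
    if "Linux" in ua:
        return "Linux"
    if re.search(r"Macintosh|Mac_PowerPC", ua):
        return "Macintosh"
    return "other"


def tally(uas, classify):
    """Count how many User-Agent values fall into each class."""
    return Counter(classify(ua) for ua in uas)


if __name__ == "__main__":
    print("naive  :", dict(tally(SAMPLE_UAS, naive_browser)))
    print("ordered:", dict(tally(SAMPLE_UAS, browser)))
    print("os     :", dict(tally(SAMPLE_UAS, os_family)))
```

On this sample the naive tally counts the spoofing Opera client as MSIE 5.x and both Gecko builds as "Netscape 5.x", which matters when such counts are used to estimate how many clients run a browser version that needs a patch.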

  48. Re:If Netscape would just get off their ass by umeshunni · · Score: 1

    The timing is really odd.. but here's the list of commands i executed just before i visited this story

    bash-2.00$ uname -a
    SunOS tetra 5.7 Generic_106541-02 sun4u sparc SUNW,Ultra-5_10

    bash-2.00$ gunzip -c mozilla-sparc-sun-solaris2.8.tar.gz |tar xvf - >/dev/null

    bash-2.00$ cd mozilla

    bash-2.00$ ./mozilla moz_debug=0
    moz_debugger=
    Segmentation Fault - core dumped

    bash-2.00$ cd ..

    bash-2.00$ rm -rf mozilla*

    bash-2.00$ /opt/NSCPcom/netscape &

    ... but of course i know why the segfault occurred so don't flame/mod-down me for that !

  49. Re:If Netscape would just get off their ass by umeshunni · · Score: 1

    I added the -v option so that i could see what was going on.. and when i posted the commands to slashdot, i added the redirect so that i wouldn't need an excuse as to why the list of files are not there..
    tar zxvf comes naturally, converting that to gunzip -c |tar xvf when under solaris is painful enf...

  50. Re:Stupid question by umeshunni · · Score: 1

    I added the -v option so that i could see what was going on.. and when i posted the commands to slashdot, i added the redirect
    so that i wouldn't need an excuse as to why the list of files are not there..
    tar zxvf comes naturally, converting that to gunzip -c |tar xvf when under solaris is painful enf...

  51. Re:erk... by unapersson · · Score: 1

    I don't believe this for one minute, users want to log in using their own username, and most modern distributions seem to make setting up user accounts one of the first steps. They don't want to log in as root, it's their own machine so they'd rather log in as "bob".

  52. Re:Opera by unapersson · · Score: 1

    The validator is completely up to date, it uses whatever DTD you quote at the top of your documents. It's designed to pick up the kind of mistakes you can make by misunderstanding what is written in the standards. Mozilla for instance has the best CSS support out there, barring none.

  53. Re:If Netscape would just get off their ass by BZ · · Score: 2
    M18.... Right.

    0.8.1 is not "orders of magnitude" faster than M18 (as in not over 10 times faster). But it _is_ 2-4 times faster, I would say.

    And you can absolutely blame your browser for not handling JS-heavy sites correctly assuming the sites in question use the W3C DOM (and some do).

  54. Re:But will IE use slacken? by kettch · · Score: 2

    I think that microsoft seriously needs to change the way that they release security updates. First, they need to always make sure that all fixes can appear in windows update. Second, they really need to create periodic mass updates for download that contain a series of smaller updates.

    I want to be able to download a 100 meg file that i can burn to cd that contains all critical updates, security patches, and compatibility updates and service packs that have been released since win2k was released. It really is a pain in the rear to have to update a computer that is on a dialup, or spend the time doing windows update when i could just whip out the cd and fix it all right there. The same goes for IE.
    ----------------------

    --
    Opportunities multiply as they are seized. --Sun-Tzu
  55. Re:If Netscape would just get off their ass by sesquiped · · Score: 1

    Actually, it can do both. Granted, using Gecko is a bit harder to configure, and I think it's only in CVS at the moment, but it is technically possible. But there's nothing wrong with KHTML. I've been using it for the past few months and I've found very few sites that don't render properly.

  56. it was possible by CAIMLAS · · Score: 2
    it was possible for the melissa/ILOVEYOU programmers to write code to install a back door. Given all the exploits out there, and how infrequently people patch their computer software (most people at least), there's a pretty high likelihood that most windows systems have at least one or two such security holes open.

    The whole situation's just pretty darn funny, if you ask me.

    -------
    CAIMLAS

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  57. Sweet Mozilla, by QuantumG · · Score: 1

    if only you didn't occasionally refuse to scroll the screen with the cursor keys, I'd make you my wife.

    --
    How we know is more important than what we know.
    1. Re:Sweet Mozilla, by QuantumG · · Score: 1

      who closes their browser?

      --
      How we know is more important than what we know.
    2. Re:Sweet Mozilla, by majestyk2000 · · Score: 1

      "95% of people polled believe their IQ is above average."

      Actually, according to the following story:

      http://www.apa.org/journals/psp/psp7761121.html

      the smarter you are, the more likely you are to think yourself below average.

  58. Re:Slightly O/T by QuantumG · · Score: 1

    wow, I thought they were enticing people to upgrade their software by constantly crashing.

    --
    How we know is more important than what we know.
  59. Re:$1 by QuantumG · · Score: 1

    not even, many many examples have been made. Microsoft is never to blame. It's those evil hackers! You gots to think about it the other way. Consider attacking Microsoft's internal network. Just make it impossible to get any work done. Strangle hold.

    --
    How we know is more important than what we know.
  60. Re:Why should I care about security anyway? by QuantumG · · Score: 1

    hack places, get the cops to trace them to your computer who dont think twice about impounding it for a year.

    --
    How we know is more important than what we know.
  61. Re:slashdotters rejoice!! by QuantumG · · Score: 1

    IE is a damn good product. It's hard to believe it's a Microsoft one until shit like this happens.

    --
    How we know is more important than what we know.
  62. Re:Gender? by QuantumG · · Score: 1

    did you post this on the last article about this or are you just so unoriginal as to get a redundant when you're already on score 0?

    --
    How we know is more important than what we know.
  63. Re:Slightly O/T by QuantumG · · Score: 2

    dare I say that their software is crap and their windows update program exemplifies that (I've used that word twice today).

    --
    How we know is more important than what we know.
  64. Re:If Netscape would just get off their ass by QuantumG · · Score: 2

    there are many little things that piss me off, and some of them I have to blame on X I must admit.

    --
    How we know is more important than what we know.
  65. Re:What's the difference from a patch? by QuantumG · · Score: 2

    You say you got a real solution, we'd all like to see the plan.

    --
    How we know is more important than what we know.
  66. Re:Who do you want to sue today? by QuantumG · · Score: 2

    bingo. Now say goodbye to your lawyer and put the cell phone down. You have no legal recourse.. what you can do is not buy the crap (pirate it, run linux, I don't care) and go hang out at your local software selling shop (what do they call them anyways) and tell people not to buy it. "Hey pal, what ya doing?" "I'm buying this copy of winMe" "Oh no, you want this mandrake cd." "no I don't, get away from me you freak" "ok ok, here's a burned copy of me, and just in case you change your mind it's double sided, linux on the back". Now that is activism.

    --
    How we know is more important than what we know.
  67. Re:What's the difference from a patch? by QuantumG · · Score: 2

    No, that is exactly the reasoning. Unless you can do better, keep your trap shut.

    --
    How we know is more important than what we know.
  68. Re:If Netscape would just get off their ass by QuantumG · · Score: 2

    why would you be morally opposed to running KDE? It's GPL.

    --
    How we know is more important than what we know.
  69. Re:What's the difference from a patch? by QuantumG · · Score: 2

    Oh please, mix that analogy up baby. Did you happen to pay any of the mechanics over at the Mozilla project? Does your mechanic often try to do something that has only successfully been done three times in history? If you want Mozilla to be better, get off your arse and fix it. If you don't have the skillz, then just shut the fuck up and take what you're given. Sheesh, perhaps you could even drop off a few hundred grand for programmers eh? I'll tell you what. If you can start a company, find a few dozen programs, pay them and then produce a better product than Mozilla and successfully sell it for a profit, then I'll honour your mechanic analogy.

    --
    How we know is more important than what we know.
  70. Re:If Netscape would just get off their ass by QuantumG · · Score: 3

    downloaded the latest mozilla build? No, of course not, your opinion is completely based on last month's releases. Shit, I'm almost tempted to actually submit a patch or three, it's getting that good.

    --
    How we know is more important than what we know.
  71. Re:April FOOLS!@! by QuantumG · · Score: 3

    do you think all them kids who used to type in CAPS back in the day are all lawyers now? It would explain a lot.

    --
    How we know is more important than what we know.
  72. Re:In fairness to Microsoft by Kwil · · Score: 1

    Funny you should say that.

    I read that disclaimer and figured no problem, since I upgraded to 5.5 quite a while ago.

    BUT

    I got the same message. (Does not need to be installed)
    I've already written Microsoft and am waiting for a reply.

    --

    That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze

  73. Re:erk... by Tackhead · · Score: 2
    > As for the "professional courtesy" part, I seriously doubt that that has anything to do with it. In my opinion, among others, these things limit the spread of concept virii on Linux:

    In addition to fragmented software and development speed, there's one very important reason the skr1pt k1dd13z don't attack Linux boxen, which is this:

    If all the poorly-administered Linux boxen in the world went down tomorrow, where would they launch DDoS attacks from?

  74. Re:Not on MS security notification service EITHER by Cy Guy · · Score: 3

    While I agree that anyone who has admin responsibility for machines running MS must be on the Microsoft security notification service distribution, it would not have helped in this case as they haven't issued a notice of the faulty patch yet. The last bulletin to go out was MS01-020 on 3/29/01, and is still revision 1.0 (it hasn't been updated). While it does contain the caveat that the error message should be ignored, this is buried more than 2/3rds of the way through it and is not highlighted in any way other than being under the sub-heading caveats. The caveat MUST be displayed in as obvious a manner as the message will be that the patch is not necessary.

    My question about this hole is that the MS Security Bulletin keeps phrasing it in terms of an "HTML email" but notes that the "HTML email" could be hosted on a website. This sounds like a deliberate attempt to downplay that it is a hole in the MSIE browser itself, not in one of MS email products. I think this may relate to the fact that the Court of Appeals has yet to rule in US v. MS, since this hole demonstrates clear consumer harm from MS bundling/integrating the browser with the OS and MS's main argument before the Court of Appeals is that the government did not prove consumer harm.

  75. Forcing to upgrade by gotan · · Score: 2

    And as a nice side effect everyone is forced to upgrade his Browser. Even if the upgrade is free this has some implications. My major concern would be changes in the Licensing terms, i.e. what you are allowed to do with that browser and the files with your data it is managing. See here why this might be a concern. As an example, if it manages your email, and that updated browser is using a proprietary format to save it you're suddenly tied to that productline if you want to keep that e-mail. Extend that to address-lists, bookmarks, etc.

    So i think there are valid reasons not to want a free update, but security holes that large are plain unbearable.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
    1. Re:Forcing to upgrade by gotan · · Score: 2

      The straight way to conspiracy theory. (Although maybe not, considering that much of today's consumer products have a "builtin" finite lifetime). But since enough older versions of IE are still in use (else the article wouldn't be an issue) the question is, if it was really too much asked of Microsoft to provide a patch for those versions as well.

      --
      "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
    2. Re:Forcing to upgrade by jesser · · Score: 2
      You're expected to upgrade open-source software, too, especially when there's a security hole in an older version.

      --
      The shareholder is always right.
    3. Re:Forcing to upgrade by DeepDarkSky · · Score: 2

      ...so it would actually be in some companies' best interest to keep a controlled list of security holes so that they have the flexibility of having patches that may change compatibility and licensing agreements? Perhaps that's why Microsoft software is as "buggy", because they need to have license "upgrade path"? :)

    4. Re:Forcing to upgrade by clare-ents · · Score: 2

      True,

      but the source modification is printed so you can simply apply it yourself if you want to and not upgrade.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    5. Re:Forcing to upgrade by psychosystem · · Score: 1

      I agree... Being forced to upgrade has never made me happy, and I'm sure that goes for many other /. readers. How many of you are still running Netscape 4.7?? I tried the upgrade to 6, saw how horribly it runs on my redhat system, and then went back to 4.7 Netscape, with a little mozilla thrown in to play with...

      M$ is certainly a bit out of line in my mind by not supporting previous versions of their software. Many people can't upgrade their hardware ($$$) just to get the latest IE.

      --
      This is my Sig.
  76. I've got *the* solution: by gotan · · Score: 2

    Let's do it from scratch ;-)

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  77. Re:No need to worry by bungalow · · Score: 1

    However, you should recognize that some of us actually use computers for professional purposes, that others are in charge of multi terabyte databases, that some of us are responsible to guarantee a mere 3'000'000 transactions a day on our clustered systems and that - if our systems crash - every minute might cost 10'000s of $.

    If a server is necessary for that amount of money, time, and prestige, then WTF are you doing, using it to surf the web, read email, or whatever other various and sundry stuff outside of the firewall?

    If you don't have the common sense required to

    1) download necessary patches on a computer with low security mandates (relative to multibilliondollarservers)

    2) end the inet session, close your browser, and run a virus scan on downloaded files with the latest dictionary

    3) THEN copy it to servers where it's needed,

    you almost are as innocent as a man who superglues his hand to his forehead. I mean, sure, he looks deep in thought for the first half hour, then people catch on to the fact that his IQ matches the sticky stuff he used in the first place.

  78. Re:erk... by BorgDrone · · Score: 1

    "You can make it fool proof, but you can't make it damn fool proof"
    ---

  79. Re:erk... by mattcasters · · Score: 2

    The major difference between Win32 and Linux is that Linux has a good security model. Regardless of how bad Gnome/KDE-scripting, the possible damage is going to be limited to the users files.
    Even with the worst possible scripting installed in terms of security, it still would be very difficult to gain root access.

    Now the same can be said about Windows NT/2K but it's soo much easier to give yourself admin rights on these platforms isn't it? I wonder how many people like to work without it. The lack of an su command kind of takes the fun away...

    Cheers,

    Matt

    --
    News about the Kettle Open Source project: on my blog
  80. Re:erk... by mattcasters · · Score: 3

    You're probably right in the end. I've been a unix sysadmin for a long time and I still have difficulty adapting to the idea of only one person using one computer. (I think that the trend for the future will be different though.)

    As for the "professional courtesy" part, I seriously doubt that that has anything to do with it. In my opinion, among others, these things limit the spread of concept virii on Linux:

    - Fragmented use of software: people don't just use outlook & IE, they use a long list of different softwares and distributions. Fortunately, the competition between KDE & Gnome is still going strong, and there will always be different distributions people can use.

    - The speed of development. By the time someone developed a concept virus, the mail-client will have had 3 revisions of its code base. As an example, KDE is releasing code at an amazing pace.

    To finish, I don't really NEED a full blown attack, but it sure is fun to watch at times. ;-)

    just my 2 -cents.

    Matt

    --
    News about the Kettle Open Source project: on my blog
  81. Re:Not on windowsupdate by iceT · · Score: 2

    It did. It's in the form of MS IE 5.01 SP2. The security bulletin noted that that version was not victim to the exploit.

    --
    -- You can't idiot-proof anything, because they're always coming out with better idiots.
  82. Re:erk... by manly · · Score: 1

    I think what's really ridiculous is that M$ has given their typical short shrift to what is potentially a major security nightmare "in the wild". Sure, they did issue a patch in a timely manner, but they absolved any support for all of their browsers that are not either version 5.01 or version 5.5 (with the exception of 5.01 SP2 which is unaffected).

    It's unlikely enough for the typical home user to go to windowsupdate.microsoft.com or monitor Mickeysoft's security bulletins.. But when a patch claims that your software does not need the security patch, then the chances that a common user would then go out of their way to download a full browser and reapply the patch are quite remote.

    It also makes you wonder how the problem is already fixed in IE 5.01 SP2, but not in their latest flagship version 5.5 SP1. Sure, software is complex and obscure bugs like this may actually come and go without notice, but do they really care about exposure to their customers until a white hat tips them off?

  83. Talk about narrow minded. by Inoshiro · · Score: 3

    I laugh my ass off at the poor BIND using admins as much as I do the poor IE using clients.

    Really, I use djbdns. It's an alternative that is available to me, just like Mozilla is an alternative available to me. I use these programs every day, and I don't have to deal with any problems.

    BIND sucks, IE sucks, most code sucks. Go for the relatively open stuff, stuff that is designed well, and you don't get these problems.
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  84. Two problems with this.. by alispguru · · Score: 1

    1. Installing the patch(es) once is not enough. When Windows pollutes its environment enough so you have to reinstall it, you have to reinstall the patches, too, which means you have to be organized about downloading them, putting them somewhere safe and easy to find, installing them all in order, and cleaning them out as service packs come along. I suspect most users would prefer to live in denial ("I don't really need that").

    2. How can we trust Microsoft/whoever to not add extraneous stuff in patches? I would object if they decided to issue a security patch that also upgraded, say, your DNS service to work better with Microsoft servers. I want to be able to choose whether or not to participate in the latest embrace&extend maneuver, but with closed-source patches, there's no way to tell.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  85. End users should know that MS is shafting them... by Christopher+Whitt · · Score: 1
    so why doesn't somebody write an exploit for this "massive security hole" that will put a textfile in every directory of a victim system with a little message like

    Microsoft Windows has many security flaws, one of which allowed this file to be created here without your permission. Nothing else has been done, but other files could have been deleted or modified without your knowledge. Please contact Microsoft and demand that they replace your defective copy of Windows (at their expense).


    Note that Microsoft posted a security update on 2001-03-29 addressing this flaw, but that update was also flawed. It only works for certain versions of Internet Explorer, and erroneously claims the update isn't needed when it actually is. To apply the update you are also forced to download a different version of Internet Explorer, since Microsoft has chosen not to fix this flaw in most versions of their products.


    Don't be content with paying exorbitant prices for low quality software.



    It could be even dandier if such a virus made the locations of such text notices somewhat random, and had a stock of several different messages to choose from.

    A really nice one would be to stick a little executable with some scary splash screen in an obscure directory, and then add a shortcut to the Startup folder or the RunOne key in HKEY/Local Machine/Software/Microsoft/Windows/. The file could delete itself after it ran.

    It's too bad that something like this is probably illegal, since it's about the only way most people would ever have a chance to clue in to MS's mistakes.

    Oh well...
  86. No wonder I couldn't install it... by antdude · · Score: 2

    I was wondering why I couldn't install the security fix for Windows 95 laptop with Internet Explorer v5.01.

    Is there a way to force the install without upgrading to v5.5? Microsoft needs to fix this! :(

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:No wonder I couldn't install it... by antdude · · Score: 2

      Hmm, I have been using all the post fixes for IE5.01 since M$ products always have bugs.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:No wonder I couldn't install it... by Goose+In+Orbit · · Score: 1

      Funny... I'm running 5.5 on 95 and I'm still getting the "Don't need this" message...

  87. Paranoid? by friode · · Score: 2

    Maybe this is just my paranoia speaking, but who else thinks this was deliberate? Now don't get me wrong, I'm not saying that it was a deliberate security hole, but the release notes for that patch said basically that they hadn't tested for the security hole on earlier versions of IE than 5.01.

    Now, it's changed to "the patch doesn't work for earlier versions, you should download the latest version so the patch will work". Where do they say that the hole actually existed on earlier versions of IE? And why doesn't it affect 5.01 SP2? Why the hell wouldn't 5.5 include whatever code was in 5.01 SP2?

    I've got a better idea. Install Opera, or better yet, Linux.

    --
    There may be many reasons not to kill you, but among them is not that you'll be missed by NASA - The Long Kiss Goodnight
    1. Re:Paranoid? by 13Echo · · Score: 1

      That's exactly why I don't use Windows at home anymore. I have to have it at work for some database stuff, but even then- I have my work machine set as a dual boot running Slackware. On top of that, I use Opera 5 on both operating systems. I can handle the banner ads in order to have a fast/lean web browser. As soon as the Linux version gets all of the normal features, I will actually pay to get rid of the ads and support the company. Windows users don't realize that they pay for IE when they pay for Windows. Do you want to pay for faulty software? I don't hate Microsoft, nor do I hate Windows. I just don't care to use their products because of reasons like this. I got sick of the machine trying to configure hardware by itself and doing it incorrectly of all things! I also got sick of the frequent puking occasions that my machine fell victim to under regular use. I NEVER experience crashes with Slackware 7.1, whether it be the OS itself or even XF86. The only time I experience a program crash is if the program is poorly written. Losing the ability to play new, Direct X based games is only a small price to pay to have the functionality that I want. It's all up to all of you. I really could care less what OS you use, though I am quite surprised at the number of MSIE and Outlook users that frequent Slashdot.

  88. *BANG* -- my wife! by barneyfoo · · Score: 1

    I love mozilla, and yes that intermittent scrolling seems to be a problem (it even shows up in galeon).

    Why not make marriage plans for the future. Mozy baby is only at 0.8.1, and I imagine she'll be oh-so-near perfect by 1.0.

    1. Re:*BANG* -- my wife! by markbthomas · · Score: 1

      > Mozy baby is only at 0.8.1, and I imagine she'll be oh-so-near perfect by 1.0.

      Which will be in 2010 or so. I'd like a usable browser NOW, thanks.

      Moz is usable now. By 1.0 it should be pretty darn good.

      Besides, I'm convinced that any decent web browser would reduce to the Halting Problem.

  89. Re: erk... by barneyfoo · · Score: 1

    I'm not sure about KDE, but you should have no fears about these IE-type security issues cropping up in gnome. GNOME is being designed from the ground up to avoid the very things microsoft calls "features" but are really just inviting back doors.

  90. Re:Slightly O/T by Pfhreakaz0id · · Score: 2

    The other thing folks is, people don't LIKE the restricted functionality that being security concious (it's too early to spell properly) brings. My father in law got mad when Outlook was changed to not let him run .exe's directly from the email (you have to save them first, so they can be viurs scanned & stuff).
    ---

  91. Re:Opera by Fross · · Score: 2

    Me too.

    always had my eye on Opera as it was pretty good, but i have to say 5 was good enough for me to register as well. it renders quickly, can use plugins, is incredibly stable, has many wonderful features for configuration and filtering, and can pretend to be different browsers for badly-written sites :)
    I'm a web developer, and the only time I go into IE now is to doublecheck that its bad implementation doesn't break things i'm working on.

    Fross

  92. Re:no security model by kb5vya · · Score: 2

    At least things like this mean that Mr. Gates is insuring job security for people like me who are interested in network and internet security. It may not be the kind of security needed in this case, but it is some kind of security.

  93. Re:Driven by market, not Quality by TummyX · · Score: 1


    On a paranoid note about MS: It makes one wonder whether MS would distribute something knowing darn well it had security holes just to get 'something new' on the market.



    And of course tomorrow you'll be complaining about how Microsoft always delivers products late.

    You think Redhat is finished? It's shipped with holes and masses of bugs that are KNOWN and aren't fixed yet. Let the users fix it themselves, they've got the source.

  94. Re:erk... by fanatic · · Score: 1
    Even with the worst possible scripting installed in terms of security, it still would be very difficult to gain root access.

    I disagree for the following reasons.

    1. Many newbies come up and stay up as root.
    2. Any user on the system could host a DDOS client, as they only need unprivileged ports.

    So if a problem like this existed in a Linux browser, you'd often get the whole system owned, and even if you didn't, you can still become a major nuisance for the rest of the internet.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  95. Re:What's the difference from a patch? by fanatic · · Score: 1

    Sure, but the straight John Lennon quote was irresistible. (From the song "Revolution" for those who didn't know.)

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  96. morons by graniteMonkey · · Score: 1

    The fact that it doesn't work on older IE versions is clearly printed in the FAQ. Maybe if some of the whiners here learned how to read and write they might have better luck. Those of you who can't cope with that obviously deserve to be computing on nothing more complicated than a webTV anyway.

    --

    This is a manual virus. Copy it to your sig and help me spread!
  97. Re:Who do you want to sue today? by cigarky · · Score: 1

    Given the litigious atmosphere these days, the fact that MS doesn't get sued all the time suggests that the protections claimed by MS in the EULA are very strong indeed. Otherwise, wouldn't someone have already challenged Microsoft; or some lawyer be trying to make some money off a class action lawsuit for Melissa, ILoveYou, etc, etc, etc?

    --
    You shank my Jengaship!
  98. Re:In fairness to Microsoft by Ronin441 · · Score: 1
    Yeah, but said caveat is hidden behind a stupid '+' widget that you see nowhere other than microsoft.com; so it's easy to miss. If you search for "caveat" on the page without the appropriate section expanded, IE doesn't find it.

    Incidentally, the advisory is for IE 5.x, but if you read other fine print, the only reason IE 4.x isn't listed is that Microsoft haven't bothered to test it to see if it's affected.

  99. Re:Opera by Dorao · · Score: 1

    I've used the demo quite a bit and am generally pleased with it (stability, speed, etc). The only problem I have with it (the reason it hasn't become "my" browser) is it doesn't render some foreign languages (Japanese in particular). It won't render jis, s-jis or euc and it doesn't seem like it ever will. As for unicode, the support isn't built in for it yet, even though there is an option in preferences for Japanese.

    Even if they do get unicode support for it, there aren't very many Japanese sites that use it...

    my 2 cents,
    Dorao

  100. Re:But will IE use slacken? by }{avoc · · Score: 1
    What makes me sick about this discussion (and the last one) is the assumption that Netscape is more secure because they do a worse job of publishing security flaws.

    While this may be true, I haven't seen NEAR as many serious holes as are in IE. Now, it MAY be a worse job publishing the flaws, but, um, what about sites that focus on this stuff? Wouldn't they break the news if an exploit was found? Now, I'm in no way trying to raise Netscape to a standard it doesn't deserve, and I haven't done any research to do so. I'm only saying that as far as I know, Netscape has had significantly fewer serious flaws than IE has.

    Microsoft does the right thing and publishes security bulletins and you fucks view it as a giant 'Kick Me' sign.

    Okay, sure, we see them as a Kick Me sign, but only due to the sheer number and seriousness of them. I mean, it boggles the mind how many huge holes appear in IE, and especially the frequency of them.

    But some stupid edge case bug which is just a bug like this one is not worth standing up on your soapbox.

    Maybe you're right, but again, with the number of bugs, you have to speak up some time.

    -Dan

  101. Re:But will IE use slacken? by }{avoc · · Score: 1
    Nice post, sure, it's satirical, but in regards to "Governments set an example by stopping their use of software that puts their data at risk"... We've been there, done that. The NSA's SELinux :).

    -Dan

  102. But will IE use slacken? by }{avoc · · Score: 3
    Sure, IE / OE, MS's webserver, etc. have all shown great flaws in the ways of security, but let's focus on IE for the moment.

    First I want to get a few things out of the way. IE is good for browsing, but not for security. It opens fast, renders fast, has great support for CSS and includes many MS-only features (like customized scroll bar color on websites). Sure, this is really screwing over standards, but hey, It's MS. Your average user runs Windows, which is so conveniently bundled with a copy of IE. Also, with something that runs fast and apparently well, your average user wouldn't want to upgrade, much less learn a whole new program if they're newbies. Plus, think about the chance that an average user would even HEAR about this! Very poor.

    Sure, IE has huge problems with security, but because it's bundled, and so many people learn how to use a computer with IE (and IE integration into the OS), Netscape, Mozilla, and Opera (heaven forbid lynx gets used more) don't have much of a chance to break into the market. This is the problem.

    For the people that read /., most of us will either continue using Netscape / Mozilla / etc, or we will consider switching, but then patch up and continue using IE. We would worry about the security. Your average user would see the patch, install it, and be more motivated to use IE ("they fix their problems!")

    So how can we get this to change? Make a huge chronologically ordered list of MS's security problems? Sure, but how would we get your average user to see it, much less pay attention to it? Even if we got computer retailers to install Netscape with every computer, would the average user want to wait longer for it to load, or not have as many pages compatible with it, or have a browser with a different UI style than their OS?

    So what do we do?
    Any ideas?

    -Dan
    I'm not reading what I wrote, and I just woke up, so please, excuse my ignorance.

    1. Re:But will IE use slacken? by SgtAaron · · Score: 1
      Yeah, so go ahead, feel happy and surf the web with Netscape 4.7x, an acknowledged POS that has had huge security holes in the past and will in the future. Or go use Mozilla, which might be better, but nobody knows because it hasn't been audited due to its pre-1.0 version number.

      I can't remember the last time I saw a public notice regarding a security hole in Netscape. Does this mean that nobody is looking for them? There are a plethora of people on bugtraq that feel no compunction when reporting bugs without notifying the vendor, or writing to bugtraq if the vendor fails to notify the public. I have, over the millennia it seems, seen lots and lots of discussion regarding IE bugs, and so very little about Netscape. So, yes either they are extremely good at finding their bugs (that have security implications, I'm talking about), the vast majority of which seem to be very obscure, or else there is a major emphasis on finding IE bugs and ignoring Netscape's, or else there just haven't been any recent serious security problems.

      Which is it? We distribute Netscape because of the whole of IE's security history, in my estimation, plus the fact that Netscape is so less a tech support nightmare, and I hate to do MS's work for them.

    2. Re:But will IE use slacken? by SgtAaron · · Score: 1
      You aren't paying attention, which is completely retarded especially because you are justifying shipping Netscape for security reasons. (Tech support I can see.)

      No, I'm not a windoze tech support guy, which is precisely why I am retarded in not paying attention.

      The deal is, we have selected the lesser of two evils for the sake of tech support's sanity. I wish it were different, yes, believe me. The fact remains that I see lots of MSIE security discussion on Bugtraq but little regarding Netscape (maybe a search of the archives will glean more than I may realize, but I'm not in the mood right now :). Probably why I have less knowledge of Netscape's particular vulnerabilities. So, the fact that you know of them means they were published *somewhere*, eh?

    3. Re:But will IE use slacken? by Petrophile · · Score: 1

      Netscape 4.76 - Remote execution exploit fix
      Netscape 4.75 - 'Brown Orifice' exploit fix
      Netscape 4.74 - Image overflow exploit fix
      Netscape 4.73 - Cookie reading exploit fix
      ...
      (Maybe somebody has kept track for all 200 other .01 releases of Netscape 4.x)

      You aren't paying attention, which is completely retarded especially because you are justifying shipping Netscape for security reasons. (Tech support I can see.)

    4. Re:But will IE use slacken? by Petrophile · · Score: 2

      For the people that read /., most of us will either continue using Netscape / Mozilla / etc

      So how can we get this to change? Make a huge chronologically ordered list of MS's security problems?

      What makes me sick about this discussion (and the last one) is the assumption that Netscape is more secure because they do a worse job of publishing security flaws.

      You want a chronological list of MS's security problems: http://www.microsoft.com/security . There you go. Now show me Netscape's security page or even a fucking fix list for one of their myriad .01 point releases. Or were all of those minor upgrades just for the heck of it?

      But, even though the karma whore mantra here is "Security Through Obscurity Doesn't Work", apparently "PR Through Obscurity" works just fine with you chuckleheads. Microsoft does the right thing and publishes security bulletins and you fucks view it as a giant 'Kick Me' sign.

      Don't get me wrong -- I'm all for raking Microsoft for stupid design decisions (say the Outlook COM Automation interfaces). But some stupid edge case bug which is just a bug like this one is not worth standing up on your soapbox.

      Yeah, so go ahead, feel happy and surf the web with Netscape 4.7x, an acknowledged POS that has had huge security holes in the past and will in the future. Or go use Mozilla, which might be better, but nobody knows because it hasn't been audited due to its pre-1.0 version number.

  103. Re:If Netscape would just get off their ass by Deluge · · Score: 2
    What makes you think that would work? There are already plenty of non-sucky browsers out there. But MSIE is the one that comes preloaded on 'Doze systems. You can't even move the icon off the desktop into the recycle bin or a "MS Stuff" folder.

    I've said it before, and I'll say it again: This is a load of crap. It was true back in the days of IE3/4 and Win95, but since IE5 came along, it's just a matter of right clicking on the icon and selecting "Delete". Or dragging it to the trash bin. Or unselecting "Show IE icon on desktop" in Internet Settings. Ya dig?

    ---

  104. Re:Seriously... by Temporal · · Score: 2
    Oh... the old "I know this post will be modded down" trick. By some bug in the moderation system, you get modded up if you say that. *sigh*

    I am no Linux zealot (see sig). I am posting this from Win2k right now. I use Debian Linux, Win2k, and MacOSX on a regular basis, and I like them all about the same.

    I have to disagree with your post, however. Not only is it blatantly insulting, but it is insulting people for reasons that are beyond their control. Riddle me this: My roommate has a fresh Win98SE install on his system. If he leaves it on for more than 12 hours or so, he finds that Deus Ex gets really really choppy. Reboot and the problem is solved. Is that his fault? No, it is a combination of driver problems and a not-so-well-written OS.

    Win2k is great. I have no qualms with it. Win9x is NOT. Just out of curiosity, which might your system be? Oh, and BTW, 4 days is not an impressive uptime.

    I agree with your main point -- that the Linux zealots are out of control around here. However, you don't have to be a GOD DAMNED ASSHOLE to express that point.

    Oh, I almost forgot. Yeah, I bet this post will be modded down because... um... moderators are stupid or something. Right? Right? So if you mod this down, you are stupid. Really. Trust me. wink wink, nudge nudge.

    ------

  105. Re:erk... by bmajik · · Score: 2

    Unix has a terrible security model. You need to be root to do anything moderately useful, and if you're root, then you're able to fuck the system.

    This gives us the current unix security fiasco - sendmail has never been a secure product, apache cgi, no one seems to make a secure ftpd, no one makes a secure bind, etc etc..

    It's all ridiculous. If privileges were granted/denied based on some finer granularity - perhaps at the syscall level, and in a way where programs/conditions authenticated themselves to the security policy, then these problems could be avoided.

    For instance, rewrite the kernel and libc so that bind on a privileged port (80) succeeds for a non-root user, so long as the process is "apache", has a trusted md5 sum, was started by a user in group wheel, lives in directory /usr/local/bin/httpd, etc etc.

    Then apache doesn't need to run as root even for a _little_ bit of the time.

    Also, NT has "su". Look at "runas".

    You're right though. Being non-admin on NT sucks, for now. That's being worked on pretty actively.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  106. Re:erk... by bmajik · · Score: 2

    I'm quite aware of all of those "solutions".

    None of them change the fact that the _design_ is broken. No amount of great implementation can fix a broken _design_.

    sudo isn't even relevant for what i was referring to - daemon processes (although you seem to acknowledge that).

    As long as the only granularity is "god" or "shit", programs that are useful will need to run as "god", and they'll cause system-wide compromises unless they're written by security experts, have limited functionality, are designed with security as the primary concern, and the developers and administrators happen to get lucky.

    Like I said, the design is broken.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  107. Re:Seriously... by Legion303 · · Score: 1
    The fact is the users shouldn't be able to crash a system at all. That's considered a bug in real operating systems and generally fixed promptly.

    Remember in the olden days of MSDOS (well, OK, it's not that olden) when you had to actually poke bad data into a memory address to crash or reboot a machine? "Hey, cool, I can crash this thing with a debugger!"

    Then Win95 came along and took all the fun out of it. Instead of poking data into memory to crash the machine, the OS does it all for us (and quite frequently, in the case of Win9x and its leaky memory)...

    -Legion

  108. Your firewall avails you nought by dingbat_hp · · Score: 5

    What use is a firewall against a mail client that can't wait to sink its teeth into anything remotely executable ?

    At home I do lots of news, I get loads of Spam, and I have a decent mailer. At work I use minimal external email, never publish my address anywhere likely to be scraped into a list, and I'm pretty much forced to use Outlook. If these two environments were ever to merge, then truly my ass would be owned and all my bases would belong to someone else.

    We don't need security patches. We need a mailer that doesn't have the trusting "I just want to be loved" behaviour of a lonely spaniel trying desperately to please. If M$oft saw email a bit more as being an Internet protocol, and less as something that's only used within a large corporate, then they might understand why this is such a dumb attitude.

    Mailers just shouldn't trust incoming email.

    1. Re:Your firewall avails you nought by gimgol · · Score: 1

      Mailers just shouldn't trust incoming email.

      TIP: Set the security in Outlook/Outlook Express to 'Restricted sites zone'.

      It's normally under Tools > Options > Security.

      --

      We'd like to know a little bit about you for our files
    2. Re:Your firewall avails you nought by JohnSmith1138 · · Score: 1

      The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however. - Microsoft's Security Bulletin


      Looks like you're open too. :-)

  109. Re:In fairness to Microsoft by cyoon · · Score: 1

    You're drawing conclusions from the author's statements that weren't made. No, the author did not say that it was acceptable for Microsoft to not patch previous versions. No, the author did not say that it was the best means of getting information out. Don't pin the author down for something that he didn't say.

  110. erk... by bencc99 · · Score: 4

    This is really starting to get ridiculous. I suspect it would be far less of a problem were IE (and its renderer/scripting) and the other parts of windows scripting not so heavily integrated into the shell - at least people would have some kind of control.

    What's more worrying is that the increasing integration of things like KDE and Gnome are heading the same way. Admittedly the problems won't be around for so long, but as the number of unclued linux users goes up I suspect things may only start to get worse...

    1. Re:erk... by demus · · Score: 1

      It's the "format c:" type of things that are really bothersome. On a reasonably set up Unix, if one user has all his files deleted, that doesn't mean that everyone else suffers for it too.

      Of course the friendly cracker can gain a lot other useful info to get root access by reading all the nice globally readable files on a Linux machine.

      Just because you're paranoid doesn't mean they're not after you.

    2. Re:erk... by DrSkwid · · Score: 1

      you are joking?
      IE & the shell is nothing to do with it. It's the ActiveX security model. It's about getting IE to execute malicious code. Nothing to do with the shell.
      .oO0Oo.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    3. Re:erk... by CBoy · · Score: 1

      There is an equivalent to a "sudo" (well, kind of) in win2k. Hold shift, and right click on an EXE. Select "run as".

      CB

    4. Re:erk... by chasec · · Score: 1
      You need to be root to do anything moderately useful, and if you're root, then you're able to fuck the system.

      Not necessarily so -- sudo allows you to define groups and users that are allowed to execute certain commands.

      This gives us the current unix security fiasco - sendmail has never been a secure product, apache cgi, no one seems to make a secure ftpd, no one makes a secure bind, etc etc..

      Look at exim, qmail (both MTAs with an eye toward security), and djbdns.

      For instance, rewrite the kernel and libc so that bind on a privileged port (80) succeeds for a non-root user, so long as the process is "apache", has a trusted md5 sum, was started by a user in group wheel, lives in directory /usr/local/bin/httpd, etc etc.

      I agree -- it'd be nice to have non-root users bind low ports. Sudo can fix half of this (allowing users to run apache, ftpd, etc) but the daemon would still have too much power.

      disclaimer: I'm no unix guru, but this stuff works for me.
    5. Re:erk... by sydb · · Score: 1

      Who cares if you can get root access?

      If an attacker gets root access, they can wipe not only your user files but all your files.

      Granted the system files are not secrets and are easy to recreate. But if you've got backups then it's much easier and faster to restore your home directory than it is to rebuild the machine.

      So, for someone with backups, yes, loss of user files hurts, but loss of everything is going to hurt a whole lot more.

      Worse still, if an attacker has root, they can do a lot more damage covertly than just wiping files. They could be snooping your local network, if you have one. They could be silently changing your system files so that you don't notice that they've set up a cron job to email your password and shadow files to them every week. Or whatever the Win32 equivalent is. These things are easier to do silently as root than as a user; as root you can modify log files and so on, modify the ps executable so no-one knows you are there, etc. etc.

      Don't give out root!

      --
      Yours Sincerely, Michael.
    6. Re:erk... by YKnot · · Score: 1

      Who cares if you can get root access? An intruder doesn't need access to root on your system to get the oh-so-valuable OS files. They can be downloaded for free from the net at redhat.com, suse.com or wherever. User files is exactly where it hurts! The only reason Linux has yet to see some really nasty widespread attack is "professional courtesy": Script kiddies don't attack the Leet OS (tm). Are the proof of concept virii not enough to make you believe? Do you really NEED a full blown attack?

    7. Re:erk... by YKnot · · Score: 1

      That's completely beside the point. Does it take a root attack to make you not trust a compromised system? If a Windows-user gets attacked, how many users' files are affected? If a Unix-user gets attacked, how many users' files are affected? How is it different that the worm/virus has to attack the next user's files via email because the direct route is blocked on unix? How many real users does your home linux box know anyway? Are you sure?

    8. Re:erk... by YKnot · · Score: 2

      User stupidity can't be cured by technical means. You will learn this the hard way. "What? I can't save porn to my home directory? Better change those permissions..."

    9. Re:erk... by methodic · · Score: 1

      the difference between MS and linux, is that you actually have a _choice_ with linux. i run only blackbox for my window manager, and i seriously doubt that I would ever be affected by a linux (scripting) virus.

    10. Re:erk... by osorronophris · · Score: 1

      Me too. We'd probably have to add it to our menu like
      [exec] (Scripting Virus) {virus.sh}

  111. Wow! I guess RMS can give up gcc by Christianfreak · · Score: 3
    because now even tiny viruses can read source code and change it and just change the system. Are compilers obsolete now? I guess I better get rid of Linux with all that open source code and get nice secure windows...

    Seriously this isn't possible, I can't believe that someone believed this FUD and modded him up.


    "One World, one Web, one Program" - Microsoft promotional ad

  112. your procmail script avails! by Jeppe+Salvesen · · Score: 1

    There are procmail scripts out there that will kill evil messages. I've even heard of virus scanning in realtime all in/outgoing email.

    However, this takes processing cycles, and means a possible DoS target.. (Send a few long emails with a virus at the end. Lather, rinse, repeat. You'll find your email server kneeling)

    --

    Stop the brainwash
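
An added example (not part of the thread and not any poster's code): the kind of gateway-side check comment 112 describes, written in Python rather than procmail. It quarantines attachments with executable extensions, flags a declared media type that disagrees with the filename, and refuses to parse messages over a size budget so oversized mail cannot tie up the scanner; the extension list, limits and sample messages are constructed assumptions.

```python
"""Fail-closed attachment screening for inbound mail (illustrative)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values, chosen for this example only.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat",
                   ".cmd", ".vbs", ".js", ".hta"}
MAX_BYTES = 256 * 1024   # scan budget per message
MAX_PARTS = 50           # cap on MIME parts walked per message


def extension(filename):
    """Final extension, lower-cased, ignoring trailing dots and spaces."""
    name = filename.strip().rstrip(". ").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def screen(raw):
    """Return (verdict, reasons); verdict is 'deliver' or 'quarantine'."""
    # Check the size before parsing: the cheap test comes first, so a
    # stream of huge messages costs the scanner almost nothing.
    if len(raw) > MAX_BYTES:
        return "quarantine", ["message exceeds scan budget; not parsed"]

    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for count, part in enumerate(msg.walk(), start=1):
        if count > MAX_PARTS:
            return "quarantine", ["too many MIME parts"]
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ext = extension(part.get_filename() or "")
        if ext not in EXECUTABLE_EXTS:
            continue
        reasons.append("executable attachment (%s)" % ext)
        # A harmless-looking declared type on an executable filename is
        # itself suspicious: the label and the content disagree.
        if part.get_content_maintype() != "application":
            reasons.append("declared type %s does not match %s"
                           % (part.get_content_type(), ext))
    return ("quarantine" if reasons else "deliver"), reasons


def _sample(filename, maintype, subtype, payload):
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(payload, maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()


# Constructed inputs, not captured traffic.
BENIGN = _sample("report.pdf", "application", "pdf", b"%PDF-1.4 constructed")
MISLABELLED = _sample("greeting.exe", "audio", "x-wav", b"MZ constructed")
DOUBLE_EXT = _sample("photo.jpg.exe", "application", "octet-stream",
                     b"MZ constructed")
OVERSIZED = b"Subject: big\r\n\r\n" + b"A" * (MAX_BYTES + 1)

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("mislabelled", MISLABELLED),
                       ("double extension", DOUBLE_EXT),
                       ("oversized", OVERSIZED)]:
        print(label, "->", screen(raw))
```

Quarantining oversized mail unparsed trades some false positives for a bounded cost per message, which is the availability concern the comment raises.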

  113. So What by ratboy666 · · Score: 1

    If you rely on your Winders box for ANYTHING
    security related, you're in serious trouble.

    Just do what I do... View software in different
    classes:

    1 - Commercial ware
    2 - Free ware
    3 - Open source ware
    4 - Share ware
    and ... drum roll
    5 - INVOLUNTARY WARE

    Hope this clears up any confusion.

    Ratboy666

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  114. Re:In fairness to Microsoft by MrBlack · · Score: 1

    I downloaded and installed this patch as soon as I read about this problem on /. last week. I am running IE5.5 Service Pack 1 which (If I remember correctly) should have been covered by this patch. I still got the "error" message saying the patch was not needed. I was going to post back to /. telling everyone it was a dud patch but then my manager walked in and started to ask how our deadline was going and I never got around to it.

  115. Practical vs Impractical by loki2eng · · Score: 1

    Like most admins, I didn't need wired news to know to read the fine print. But upgrading everyone (Even brand new win2k ships with 5.00.something) to a new browser was not practical. But the good news is you can just disable active scripting, which I did by pushing it out on login. I also killed some of the active X controls. So occasionally someone won't be able to use a site that has heavy M$ buy-in by their developers. I just upgrade them if they can show me they need it for work. Having these emotional discussions is fun, but real geeks find solutions. Get it?

    1. Re:Practical vs Impractical by virg_mattes · · Score: 1

      Got it. Now, what do I do with the users I can't get to upgrade? Oh, yeah, I should mention that I'm not allowed to force setup changes to systems on login. All I can do is issue strong warnings and nail my servers back together every time they get crushed by the newest 1337 k1dd13 toy.

      What fix do you suggest for this apparently-not-a-real geek, other than to get a new job?

      Virg

  116. Why doesn't by giberti · · Score: 1

    Microsoft issue the patch by exploiting the security hole. Most IE browsers check the MS site on load anyway for a new version, before being let free to go to the default homepage, why don't they use that interim to exploit the hole and correct the problem?

    Moreover, they could publish the link and patch up the holes when people visited. This is typical MS BS.

    Standards in UI are critical, anyone who doesn't think that has obviously been burned by MS on this one. Error messages, regardless of who they are for, need to be clear, and in a language the user will understand. GPF 234 doesn't help anyone.

    --

    AF-Design, web development.
  117. $1 by sPaKr · · Score: 1

    1 dollar to first script kiddie that figures out how to squeeze a nice Back Orifice installer into a 'ILoveYou' variant. I think MS won't fix anything until their back is against the wall. It used to be that full disclosure would scare a company enough to plug the bugs, I guess with MS it's not only going to take an example, but rather a worst case app to drive home the point.

    1. Re:$1 by donutz · · Score: 1
      isn't it illegal to let loose computer viruses? You better think about that before you finance skript k1dd1es for making them...

      . . .

  118. Re:If Netscape would just get off their ass by demus · · Score: 1

    I use Galeon, which uses Gecko for rendering and is fast and stable, and doesn't fuck the layout much, so it's definitely getting there.

    Mozilla is also becoming nice and fast actually. Surprising really, taking into account its size. So there is hope.

  119. Relax, plenty more opportunities to show up MS by e7 · · Score: 1

    You make it sound like this is the last IE hole they'll ever have to plug :)

    Kinda like those kids who got their hands on the IE6 beta, and after using it for 4 hours proclaimed: "NO bugs! NO crashes!" A bug-free beta? From Microsoft? Now that's 1337.

    --
    Corollary to Moore's Law: The IQ of new computer owners is declining.
  120. Re: rapid shift from IE4 to IE5 by e7 · · Score: 1

    I think this shows that people are actually upgrading their version 4 IE browsers to IE 5 themselves and not just sticking with what came with the OS

    And it doesn't hurt that IE always checks for version upgrades on startup. ;-) You have to disable it in Advanced Options, someplace most users would never venture. I hate to say it, but NS SmartUpdate is a pain compared to Microsoft's auto-updating features -- homogenous platform, more attention to user-friendliness, etc.

    --
    Corollary to Moore's Law: The IQ of new computer owners is declining.
  121. Slightly O/T by MonkeyMagic · · Score: 4

    It's quite interesting how the average computer user is unused to patching applications for security concerns/product upgrades. Most people won't apply this patch regardless of any problems the installation may or may not cause. It's just not something they are aware of - they have never really been told (by the software houses) that the product must be upgraded. When I first became interested in the unix world it was quite a shock to see the rapidity with which everyone spread the word about a major bug or (minor) security issue. This information doesn't filter down to average users, and they don't go looking for it (I find most www.linuxrules.org or www.macrulez.com websites as boring as hell so god knows how most people would find them).

    I think it really is time that some of the companies that produce software started to make it clear that patching is an important part of software maintenance for everyone and not try to hide the whole process in case someone thinks their software is crap.


    DILBERT: But what about my poem?

    1. Re:Slightly O/T by shippo · · Score: 1
      It's surprising how few end users bother to install patches, even if told by their vendor that the patch must be installed.

      One OS we resold included a must install patch on a floppy disk with the normal distribution CD, together with a note detailing the fix. The note was difficult to miss, being placed in the same envelope as the CD-ROM, and printed with large red type. The fix bumped up the minor revision number of the software, to make it easy to discover that the fix hadn't been applied. We still took support calls from customers who hadn't installed the fix, even though it would only cause a system outage of 10 minutes or so.

      Some people are just stupid.

    2. Re:Slightly O/T by FastT · · Score: 1

      I believe Microsoft has actually done a good job with this. First, Windows includes a prominently placed "Windows Update" menu item, which most users will click on just by accident often enough to be useful. Second, they're training users to update the OS by including "cool" updates like Microsoft Messenger and Media Player alongside more mundane updates. Finally, one of the most prominent updates is the Critical Update Notification program, which should help even non-proactive users get the base updates they really need. Hopefully, all this handholding will rub off enough for people to begin to realize that software needs to be maintained regularly, like changing the oil in your car.

      --

      The only certainty is entropy.
    3. Re:Slightly O/T by doug363 · · Score: 1
      This is exactly right. When I told one of my friends about this patch and asked her if she was going to upgrade her copy of IE, her response was basically, "no, I won't be going to any websites with malicious HTML code, and I don't use Outlook Express for email, so I don't need to". She's not computer illiterate either.

      Anyway, I'll bet there's heaps of people who have heard about this patch but won't bother with it because of that sort of reasoning.

    4. Re:Slightly O/T by XMyth · · Score: 1

      "no, I won't be going to any websites with malicious HTML code, and I don't use Outlook Express for email, so I don't need to". She's not computer illiterate either.

      She's not? =)

    5. Re:Slightly O/T by Anemophilous+Coward · · Score: 1
      I think it really is time that some of the companies that produce software started to make it clear that patching is an important part of software maintenance for everyone

      Actually, the new dreaded Windows XP claims that it automatically calls Windows Update in the background whenever the user is connected to the Internet (which M$ probably wants to be all the time). Therefore, Joe average user *supposedly* doesn't need to worry about manually doing the updates...good ole M$ will make sure his computer is running nice and clean all the time.

      Interesting that some companies tried to cash in on this...such as those who made 'Oil Change'. Never used it myself, but I believe the premise is that it scans all your programs installed, then goes out on the Internet and sees if there are updates for them and subsequently dl's and installs them. The user still has to run the program, but supposedly doesn't have to worry about anything else.

      I'm actually curious how the auto-WindowsUpdate will work if someone immediately installs ZoneLabs 'ZoneAlarm' on their machine. It's pretty good at detecting foreign things running on your machine. It would probably block the update and the user would think it's a trojan program running on their machine. Come to think of it, I think ZoneAlarm would stop this IE defect. If the firewall is running properly, when the illegal code tries to run itself on your machine, it wouldn't be able to go back through the firewall. Even if it modified IE (zonealarm won't run a program after an update unless you tell it to...it doesn't rely on trusting the name of the program) and tried to run through that it should be stopped. Unless they've found a way through ZoneAlarm....

      - A non-productive mind is with absolutely zero balance.

  122. Re:no security model by DrSkwid · · Score: 1

    I meant having 5.1 (or rather 5.00.3315.1000!)and 5.5 as parallel released products and then service packs for them both.

    There's no real explanation of the difference except corporate conservatism in moving to 5.5 but if they are the same product ....


    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  123. Re:slashdotters rejoice!! by DrSkwid · · Score: 1

    i believe it's called first to market not marketing
    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  124. Re:slashdotters rejoice!! by DrSkwid · · Score: 1

    no I meant that with the IBM deal back when they were first in the PC-DOS market for IBM PC's and Clones.

    The deal to license MS-DOS instead of sell it to IBM was the cause of ALL of this. DOS compatibility was the ball to chase then. If your PC Clone didn't run DOS it was dead (Apricot springs to mind). MS has always run with the ball shimmying and handing off all the way to the ever extending goal line and at the same time setting the rules of the game, buying the other teams' players & staff etc (sorry this metaphor is getting laboured).

    MS products are mostly crap once you can use a computer.
    Regular Expressions
    Symbolic links
    Named pipes
    Multi-user capabilities (and /windows/profiles does not count)

    the list goes on.

    NT better Unix than Unix - I'm still waiting
    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  125. no security model by DrSkwid · · Score: 2

    well this is probably how /. ers would expect MS to go. With the usual MS model of release and then service pack the old one while working on the new.

    IE 5.5 i mean come on, everyone knows it's not going to work until at least service pack 2 or three.

    MS Security is a bit of a joke. I only hope my firewall will help me most of the time. Any day I sit down I expect to have been owned.

    There shouldn't be any market niche for Virus checkers!
    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:no security model by XO · · Score: 1

      5.5 introduces some more flaws into the CSS stuff, also.. which are corrected in 6.0, with a compatibility mode.. which the web-page author can toggle. not too bad a job on 6.0 from microsoft.. never thought i'd say a good word about microsoft anywhere anyhow

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    2. Re:no security model by no+names+left!!! · · Score: 2

      coloured scrollbars from stylesheets - thats one difference between IE 5.0 and 5.5 - the only ive come across really

    3. Re:no security model by SRF · · Score: 2

      "MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2." (Jamie orig. post)

      http://slashdot.org/article.pl?sid=01/03/30/0413252&mode=thread

  126. Re:If Netscape would just get off their ass by DrSkwid · · Score: 5

    hehe I see this kind of comment :

    Poster A : Mozilla sucks
    Poster B : You should see last night's build - awesome

    one month later

    A : Mozilla sucks
    Poster B : You should download last night's build

    and so the treadmill continues

    .oO0Oo.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  127. Re:IE used by other programs by dtr21 · · Score: 1

    And congrats on the upcoming wedding :)

  128. Opera by smallstepforman · · Score: 2

    One word - Opera.

    Seriously, if you haven't tried Opera, now is a perfect time. It ships on multiple platforms (BeOS, Win32, Linux... even Epoc ?), is HTML4 compliant, fits in under 2 Mb, has tons of useful features to ease navigation/zooming/filtering. I've even registered it, it really is **that good**(TM).

    --
    Revolution = Evolution
    1. Re:Opera by jmu1 · · Score: 1

      Viva La Opera!
      Seriously, I have been using the bannerware version for a few months now on my winders boxen at work, and on my Linux boxen at home (swapping between that and Konqueror). It's not open source like most of us would want it, but I'll tell you what, it is the best work I have seen in a long time. Hell, these guys not only know that their goods are better, they brag! Right click on a page, go to the Frame menu and validate that HTML! Good stuff guys... really. Now, let's start talking about the price, I'll pay $20(US) but I don't know about $40(US). Bring it down and I'm sure that a bunch of folks would hop on the opera bandwagon... Oh, and don't go the way of Netscape and add a mailer and an instant messaging system(ICQ). We don't want to integrate everything. Make a killer app. Then another. Again, you folks really should give Opera a try.

    2. Re:Opera by donutz · · Score: 1
      I've downloaded opera at work, and after using it for a while, it's nice, it's fast...but for whatever reason it keeps locking up on me (Java? Firewall?). I haven't tried it at home on Linux yet....

      . . .

    3. Re:Opera by XO · · Score: 1

      I was going to moderate some things in this thread, but decided to pass, as I can't pass this up.
      Just what hole are you guys living in?
      Opera is a complete and total piece.
      Its CSS support is virtually nil (or at least functioning properly CSS support is virtually nil). Its Javascript implementation totally rots.. its integration with Java is a complete and total joke..
      On the bright side, I use Opera to load any page that takes too long in other browsers. About 50% of the time Opera will fail when I attempt to do this.
      I crashed Opera once, in a Java program.. and had to uninstall Opera, re-install Windows, and re-install Opera to be able to run a Java app from -anywhere- after that. (note: i didn't reinstall Java)
      Opera has one advantage: it's as fast as browsers of years gone by. Its HTML4 support is good, but its CSS is completely missing or totally bungled up. It downloads web pages lightning fast, but its file download speeds are significantly slower than other browsers. If you don't need Java, Javascript, or CSS, then Opera is for you.

      Being a new web author, I say screw being compatible with old browsers. I'm only using the latest specs on everything (as far as I know), and there's only one browser that gets it even close to right: IE 5.x. My page looks like a complete piece of trash in Mozilla, Netscape, Opera. Lynx and IE 5.x handle it just fine, though. Go figure. (of course, Lynx can safely well ignore any stylistic things)
      Netscape/Mozilla's rendering of my page seems almost random - the same element in different places renders totally differently. Opera just fails to render half the page, almost as if it were in comments. It's laughable.

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    4. Re:Opera by XO · · Score: 1

      I'm under the impression that the validator is a little bit out of date, as everything i'm using checks with all the current reference materials that I have, and most of it i've learned from pages at http://www.w3.org/

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    5. Re:Opera by snoop_chili_dog · · Score: 1

      The email is nice. The icq is useless. As for the banners. I don't know about the linux version but in the windows version if you browse at full screen you don't see them. I personally don't mind because their banners are usually pretty interesting stuff. If you're a student you can get it for half price.

      Yeah, I know you probably aren't. Just FYI.

      --
      But Yogi, the RIAA won't like that.
    6. Re:Opera by resprung · · Score: 1

      Yep.

      --
      Now is the winter of our disco tent
  129. Re:huh? by MPolo · · Score: 1
    For me, the English-only release was the least responsible thing M$ could have done... I mean, really, they thank the person who brought this to their attention so that they could get the patch out before any bad people could exploit the bug. Then they say, "Hey everybody! There's a massive bug in our browser, and everyone who has been naive enough to install a non-English version of our product is completely vulnerable. Start your attacks now!"

    Of course, M$ has always been a bit poor about support for foreign (non-English) languages... Word 97 could translate a Word 6 document only if that document was written in English... Outlook in a non-English language can't communicate properly with Exchange Server in English... And at least under Windows95, DLL-Hell was a few degrees hotter if you used products in different languages. (The DLL that is currently installed is in a different language than the program you are installing. Do you want to change it?) -- for a while, I had a system with Windows in German, Word in Spanish, WordPerfect in English...

  130. huh? by Otis_INF · · Score: 1
    Yeah I got the same remark that I didn't need the patch. Perhaps this comes from the fact that my Outlook and Outlook express are both using 'Restricted Zone' as default zone for all mail and news, thus all mail and news are treated as if it comes from a site in that restricted zone, and all security settings are set to 'max' for that zone, i.e.: no script nor activeX component will be started.

    I also dunno how to 'upgrade' my IE, since I already run 5.5 sp1, the latest released version.
    --

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:huh? by Otis_INF · · Score: 2
      I have the english version of 5.5 sp1. I'll check if I got the wrong patch (still stupid to release 2 files though :(, why not 1 patch) The files are no problem, but upgrading or re-installing IE on a machine that already has 5.5 sp1 is not possible.

      Thanks, I'll check for that other 'patch'
      --

      --
      Never underestimate the relief of true separation of Religion and State.
    2. Re:huh? by ion++ · · Score: 2

      The other day when i upgraded work's few windows machines, i found out that there are 2 patches, with the same name, of different size. One works for IE5.01 sp1, the other for IE5.5 sp1. And ONLY the english version.

      So, not only do you need the patch, you also need to upgrade to a newer, and switch to an english version.

      Further more, if you already run IE5.5 in a non-english version, you're fucked. And if you dont have 62MB free on drive C: you are fucked too.

      Dear microsoft, it's great you make it so EASY to be a sysadmin, and apply patches. NOT!


      ion++

    3. Re:huh? by Jaysyn · · Score: 1

      You could get IEradicator & start over completely. (Who needs those quick launch bars anyhow!)

      Jaysyn

      --
      There is a war going on for your mind.
    4. Re:huh? by mvdwege · · Score: 1

      Nope, sorry. Still exists. I have a UK version of Win98SE, and my ISP gave me a dutch version of IE5.5. I kept getting these kind of error messages too, and now half my desktop is in dutch, the other half in english.

      Thank $DEITY that I haven't booted the bloody thing in 3 months now, and I am still considering throwing it off entirely, since there is no software on that partition that I actually need.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  131. Re:If Netscape would just get off their ass by jeremyp · · Score: 1

    If Opera had the functionality of IE5, it would probably also have some of the security holes.

    The reason M$ has all these problems is:

    a) they have decided to build in all these nice features, like HTML rendering of e-mail and attachments opening automatically when double clicked. They didn't do all this stuff through spite, they actually wanted to make an interface that was easy to use

    b) lots of people use their products, which makes them the top target for a cracker. What's the point of writing a virus that's only going to affect a few Unix geeks?

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  132. At least I sleep good at night... by CptnHarlock · · Score: 1
    Well, using Mozilla makes me sleep good at night - I'm not helping Billy G. expand his empire... So who cares it's slower? It's stable and fast _enough_ even though I start it on my Linux box (333Mhz) and show it on the X-display of my OpenBSD running a 180Mhz PPro!.. :) ...

    Cheers...
    --
    $HOME is where the .*shrc is

    --
    $HOME is where the .*shrc is
    -- silver_p
  133. Re:What's the difference from a patch? by Kaa42 · · Score: 1

    Oh come on there was nothing in his post saying he has a solution, even less the solution.

    The whole "can't complain unless you have a better idea" reasoning is just silly.

    --
    .oO Kaa Oo.
  134. Driven by market, not Quality by HerrGlock · · Score: 1

    That is one of the things you get when your product is driven by the market. Upgrade, got to push new product, even if it is not quite ready for market. People will decide they need the newest and latest and upgrade. Sales flat? Push an upgrade. Everybody knows that they have to get service patches so they won't mind if the service patch comes out before the actual release of the product (as in WIN2K) so there is no real PR harm in pushing a product that is not ready for the masses. Debian may be slower to market, but their stuff is darn sure ready to be distributed when it gets there.

    On a paranoid note about MS: It makes one wonder whether MS would distribute something knowing darn well it had security holes just to get 'something new' on the market.

    DanH
    Cav Pilot's Reference Page

    --
    Cav Pilot's Reference Page
    UNIX - Not just for Vestal Virgins anymore
    1. Re:Driven by market, not Quality by HerrGlock · · Score: 1

      Thus my comment about Debian. Notice I did not sing RedHat's praises? Note I did not say how wonderful it was?

      Maybe that's because RedHat has some of the same problems MS has with production Vs stability.

      RedHat shipped 7.0 with a compiler that broke quite a bit. Poor planning and rush to ship, JUST like what this column is about.

      Maybe you should not be quite so quick to assume that just because someone likes Linux, they are blind to the drawbacks. Read all of it and not just what you want to.

      DanH
      Cav Pilot's Reference Page

      --
      Cav Pilot's Reference Page
      UNIX - Not just for Vestal Virgins anymore
  135. Re:If Netscape would just get off their ass by kel-tor · · Score: 1

    and opera has all those cool things, multiple homepages, restore all open windows (even after a crash), cross platform, disable animated gifs, gui css interface, to name a few of my favorites.

    --

    ---

  136. Thats a bold statement by Lizard_King · · Score: 1

    Have any facts to back it up? Being built from the 'ground up' means absolutely nothing to me, as I've seen software built poorly from scratch. but at least it was from the ground up, right?

    If you have any examples, I'm curious...

    --
    "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  137. I bet it's just an excuse by fedos · · Score: 1
    I think MS is just trying to force everyone to use IE 5.01 or 5.5 instead of an older version.

    "We found a serious security risk" (When was the last time they announced one without someone else exposing it first?). "Oh, sorry, if you're using anything older than 5.01, then we won't fix it for you but you're still at risk".

    BTW, since I upgraded to 5.00 last month, I keep getting "Critical Update Alerts" telling me I need to install the VisualBasic support, which I intentionally deselected in the install menu.

  138. One more bug... by rsteele19 · · Score: 3

    Ok, so they've found one more bug... how many more could there be? I mean seriously, IE's gotta be close to perfect now!

    --

    This sig is umop apisdn.

  139. Grandma and head in the sand by innocent_white_lamb · · Score: 1

    The worst-hit people when these sorts of problems come up are one of two types. First, the Grandma-on-the-net, who knows just enough to boot up the computer and send email to the grandchildren. Do you think that Grandma is going to install a patch on her computer when a vulnerability is discovered? Do you think she will even hear the word that her computer is vulnerable or know what it means with regard to the computer sitting on her sewing table even if she does hear anything?

    "Does my computer run what? Windows? Well, I don't know about that, sonny. It says Hewitt Rand on the front of the box, does that help?"

    There are also a lot of head-in-the-sand people who will never install the patch. "I live in a little town called Upper Barnswallow, who would ever bother with a computer located in Upper Barnswallow? Sounds like a big-city problem to me!"

    Never realizing that on the Internet, everything is next-door to everything else and a computer in Upper Barnswallow is just as accessible and just as vulnerable as a computer in downtown New York City.

    "Well, it's too much fuss and bother to fiddle around with all of this patch stuff. Nobody will bother me here anyway."

    Right.

    The people who have a problem here are not people like you and me and Joe-Hacker in the next cubicle over. It's the everyday-everyway guy and gal on the street who don't really understand all of this Internet stuff and don't want to do anything other than email their friends and grab tunes off of Napster.

    Any patch that's issued will never overcome the inertia and apathy that is almost guaranteed to insure that in five years, 25% of the Windows-based computers on the Internet will still have this vulnerability.

    --
    If you're a zombie and you know it, bite your friend!
  140. Oh shit..... by Smuffe · · Score: 1

    Wasn't that bug an April fools? Now Im *really* in trouble ;D
    /Smuffe

  141. Class Action Suit May Be Pending by PingXao · · Score: 1

    I was affected ("effected" - for all the lusers) by this flaw in MSIE. Who's with me?

  142. Re:If Netscape would just get off their ass by jayhawk88 · · Score: 2

    He said Netscape, not Mozilla. There's a difference, at least as far as Joe Internetuser is concerned.

    Mozilla could be walking on water right now, but it doesn't change the fact that Netscape6 still sucks balls.

  143. Re:In fairness to Microsoft by shippo · · Score: 1

    So why doesn't it display a message stating that the patch is for the wrong version, as every other patch system appears to do?

  144. Service Pack 2 for Patch 1452 for IE 5.5 by heytal · · Score: 2

    So now we need to have service packs for patches too.. ;-)

  145. Embrace & Extend by insipid · · Score: 1

    If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch.

    This is typical MS. We used to be able to take a phrase like "This update does not need to be installed on this system," at face value, but now because of MS' practice of embracing and extending we can't be sure what it means.


    dp
    ---

    --

    dp
    ---
    http://insipid.com
  146. Re:If Netscape would just get off their ass by nagora · · Score: 1
    But I was SOOO disappointed with it that i had sworn off mozilla..

    Same here, I've used Linux-Opera for a couple of months now and it's very good.

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  147. We need government regulation by Teflon+Coating · · Score: 1

    If a regular product fails the government recalls the product. Why don't we do this for software? Probably if they started regulating it there would be more software holes discovered, just as products today are tested by the government. The only way to have a safe product is to have the government intervene and help us because we can't do it alone

  148. Re:If Netscape would just get off their ass by YKnot · · Score: 2

    Oh shut up. Will there be a version any time soon that is "officially it, the must download version"? If so, tell us about it, so everybody can finally download it and give this browser its place in the history of a competition won by MS. No more "the current release is just great" please. It isn't. The last one wasn't when you said it was and the one before wasn't either. I am willing to wait for good software, but I won't take any more bullshit about how great the development versions are already and how ueber-great the final thing will be. Don't tell me I should help the project then. The world is not all webbrowsers. Now mod me down.

  149. No need to worry by CaptainZapp · · Score: 3
    You are absolutely right and I wholeheartedly support your opinion, if:

    you use your PC to play [insert favorite game]

    the main purpose is to listen to ripped off MP3s

    the sole purpose is to watch pr0n

    it's mainly used to troll /.

    However, you should recognize that some of us actually use computers for professional purposes, that others are in charge of multi-terabyte databases, that some of us are responsible to guarantee a mere 3'000'000 transactions a day on our clustered systems and that - if our systems crash - every minute might cost 10'000s of $.

    Go ahead, use your PC as a toy, but please don't slam us professionals whose livelihoods actually depend on the fact that the systems for which we are responsible don't get corrupted.

    You can go now and play with your personal computer

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  150. Re:Two years overdue...and counting! by thechink · · Score: 1

    Could it be that non-MS-brand software is better, more stable, and doesn't screw things up so badly?

    Maybe, the only MS software I use besides Windows itself is Office 2000 (without Outlook installed) and IE 5.01 SP2 (IE 5.5 sucks, as does Netscape). My NT installation has been rock solid for over two years now.

  151. Re:IE used by other programs by tomknight · · Score: 1
    Oops, I meant IE5.01sp2.

    Tom.

    --
    Oh arse
  152. Re:If Netscape would just get off their ass by tomknight · · Score: 1
    Oh so true....

    These are exactly the comments that have appeared at every stage of the Netscape release cycle, no, not just then, but in every discussion (it seems) on the relative merits of different browsers.

    This is why I use Opera.... it works, dammit! It's not as feature-rich as IE5, but that's true in two senses! Seriously, if Opera had the functionality of IE5, it would be truly lovely. Even without, it's the browser for me.

    Tom.

    (Yes, I guess this is off-topic)

    --
    Oh arse
  153. Re:If Netscape would just get off their ass by tomknight · · Score: 1
    Not sure if that's so easy in WinNT.... (or is it? Is there something I'm totally ignorant of here?)

    Once I buy a new hard disk for my home PC, I'll slap Debian or OpenBSD onto it, and then I'll certainly try Konqueror. I've been told by a fair few people that it's a damn fine browser. For Windows, however, Opera's the only browser that I really feel happy using.

    Having said that, however, IE5 has some nice features. Yes, really! The reason I moved away was not because it didn't satisfy my needs, but because I wanted to use an alternative browser. Opera is by far (IMHO) the best of the crop.

    Tom.

    --
    Oh arse
  154. Re:IE used by other programs by tomknight · · Score: 1
    Ah, I didn't install the update.....

    My solution was to upgrade my browser. Then repair it. Sadly, then I had to remove it (and go back to IE2!!), and reinstall. If InstallShield didn't require IE4 or above, I would have left IE2 on my machine....

    Repairing InstallShield was also necessary.

    Tom.

    --
    Oh arse
  155. Re:If Netscape would just get off their ass by tomknight · · Score: 1
    Oh yes, oh yes, oh yes.... and a hell of a lot more. I rather like the built in privacy settings. What else? Oh, saved windows... lovely.

    Strangely the two things I miss most about IE5 are that I can't use shift-backspace to go back a page (hey, it's what I'm used to!!), and that it's easy to cut and paste web pages into email, retaining html formatting and piccies. I hate using html in email normally, but if I want to send someone a (tiled) map from an online mapping service, it's pretty handy.

    These features both benefit the lazy, but that's one reason IE5 is successful! (And why so many web designers design for it; it lets them get away with crap html....)

    Tom.

    --
    Oh arse
  156. Re:IE used by other programs by tomknight · · Score: 1
    Thanks.....

    Nerve-racking though it all is, I know it's worthwhile. I just can't wait until the day arrives, and there's nothing left to prepare!!

    Tom.

    --
    Oh arse
  157. IE used by other programs by tomknight · · Score: 3
    Okay, I thought, I'll have to sort my PC out, so I'll upgrade to IE5.02. I only have IE on there because InstallShield for Windows Installer requires IE4 or above to work. I have no problem with this, reusing components is a good thing, right?

    Well, that's all fine, until installing IE5.02 shafts the software I use to earn money. As it happens, I only wasted a morning sorting this problem. I hardly minded this, as I was suffering an immense hangover from my stag days and nights, and couldn't cope with anything demanding.

    Still, if I had a deadline, I would have been mightily pissed off!

    Tom.

    --
    Oh arse
    1. Re:IE used by other programs by sunwukong · · Score: 1
      As it happens, I only wasted a morning sorting this problem. I hardly minded this, as I was suffering an immense hangover from my stag days and nights, and couldn't cope with anything demanding.
      ...
      Eat drink and be merry.... and do the same again tomorrow.

      How many times have you installed the update? ;-)

    2. Re:IE used by other programs by p_code · · Score: 1

      There's a component in Visual Basic 6 called the "Web Browser Control". It's a visual component that is little more than an implementation of the IE renderer that is yours to program. Any program that references this OCX will not install unless IE is installed, AND it has to be IE of a certain version or higher if I remember.

      --
      while (!success) { tryAgain(effort); }
  158. Re:Not on windowsupdate by tomknight · · Score: 4
    This is why I subscribe to the Microsoft security notification service (http://www.microsoft.com/technet/security/notify.asp), not to mention NTBugTraq (http://ntbugtraq.ntadvice.com/default.asp?pid=31&sid=1#020). As a sys admin (among other things), I've found these two lists damn useful. They give more information than the average user needs, but if you're tech-savvy, and interested in what's going on, they're useful lists to be on.

    Tom.

    --
    Oh arse
  159. in all seriousness, though... by cbr372 · · Score: 1

    Mozilla has been improving rapidly since M16 or so. I've been a Mozilla user since M13 and it seems to me that the Mozilla development model benefits greatly from user feedback from the Talkback Builds. I reported bugs every time I encountered them, and I'm quite sure that if everyone who tried Mozilla did this, instead of just saying: "Ah well, this sucks...IE is so much better"...Mozilla would've reached the incredible stability it has now (0.8+) a lot sooner. Yes, Mozilla is stable, fast and pretty good at the moment. There are still bugs, but there are bugs with all browsers, including the touted IE. No one's managed to crack my PC using a bug in Mozilla, Explorer.exe has never been crashed and caused a demanded reboot because Mozilla went down. So perhaps it's time to stop complaining, and start using and reporting bugs you find with Mozilla. It's GPL now, so the far-left GPL'ers have no excuse either. Support Free Software!

    --
    Cedric Balthazar Rotherwood
    Sun Certified Programmer for the Java Platform +
    System Admin. for Solaris
    1. Re:in all seriousness, though... by Godwin+O'Hitler · · Score: 1
      You're dead right of course. One of the biggest reasons for OSS's superiority (the "eyes" one), squandered by people too lazy to submit bug reports. I must make a note to stop being one of them.

      BTW your monospace font makes your post look lousy on konq. Just thought you'd like to know.

      --
      No, your children are not the special ones. Nor are your pets.
  160. hacker .vs. cracker by mark_lybarger · · Score: 2

    i like how the author of the article distinguishes between hacker and cracker. the cracker being the one who can access your system through ie. the hacker who found the exploit. nice job!

  161. In fairness to Microsoft by phaze3000 · · Score: 5

    This was on the original bulletin:

    Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.

    If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    1. Re:In fairness to Microsoft by CowbertPrime · · Score: 1

      you don't need the patch if you run 5.0 SP2. It was stated in the same KB article that 5.0 SP2 (l)users were not vulnerable.

    2. Re:In fairness to Microsoft by CowbertPrime · · Score: 1

      You need to be running 5.5 SP1.

      Mein Gott you people, read the stupid KB article like you read slashdot, and then you'll be better off.

    3. Re:In fairness to Microsoft by skoda · · Score: 2

      I've got IE 5.0 SP1, which would seem to have been supported. Yet the patch failed (with the message that I don't need to install it).

      I looked through the bulletin and didn't see any mention of needing SP2 for IE 5.0. Perhaps it's there, but if so, was not obvious to someone wanting to get in, get the patch, and get on with life.

      Now to get SP2 and hope that does it...
      -----
      D. Fischer

    4. Re:In fairness to Microsoft by dSV3Hl · · Score: 1

      I agree. We can all blame Microsoft for THAT one. :)

      --
      -- [ta]
    5. Re:In fairness to Microsoft by Petrophile · · Score: 1

      Your post seems confused. The patch is quite small, and IE 5.0 (an older version) is supported and probably will be until Windows XP ships.

      Look at Netscape for example:
      1) Doesn't support older versions at all (no 4.6x patches for you, and even further 4.7x releases are questionable)
      2) You must download the entire 17MB 'Communicator' package for each patch release -- Unless 'SmartUpgrade' finally started working after a 2 year hiatus, but I'm not bothering to check
      3) Netscape doesn't publish security bulletins, so you don't really know if you need the upgrade or not (answer is Netscape has had a similar security track record to IE and you do need those patch releases)

      I'll take the MS situation, thanks.

      You do have a point about patch quality control. If you are good about keeping your Win systems updated, you'll notice that they tend to have quite a few 'bugged' patches, or patches that are silently withdrawn and replaced with working versions a few days later.

    6. Re:In fairness to Microsoft by philovivero · · Score: 1
      If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.
      Misinformation is hardly a non-issue. If I attempt to install a patch, and the patch tells me it's not needed, then it's one of two things:

      (a) Right. Why should I go looking for reasons why the patch message is wrong? Sounds to me like if the patch says it's unnecessary that it's unnecessary, but maybe that's because I'm a moron.

      (b) Wrong. If it's wrong, why should I then trust Microsoft (or any other company's) documentation? When I see a glaring error in one part of a product, I immediately assume I can't trust anything from any other part of that documentation which means I'm wasting my time reading any single other piece of information from that entity.

      Any message ever displayed to the user had better be right, and 20 minutes of ensuring its correctness before coding it will save every individual hours upon reading it.

  162. Re:Seriously... by Godwin+O'Hitler · · Score: 1

    Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products

    Hey, give the other zealots a chance!

    ...claiming that they're the most worthless piece of shit software company on the planet?

    Come on now, convince me they're wrong.

    Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron.

    No he's not - he's just one of hundreds of millions of typical Windoze lusers. But if he does keep it up for 4days 4hrs 55mins 23secs then he's a god!

    Sure, you have to reboot to patch and install software, but who the hell cares?

    Uh - someone who'd rather it kept running?

    Come on, get a damn clue and jump off that damn bandwagon.

    But that's exactly what we're advocating ;^

    --
    No, your children are not the special ones. Nor are your pets.
  163. Re:Who do you want to sue today? by Godwin+O'Hitler · · Score: 1

    It seems to me that some time ago governments forced filthy rich tobacco companies to print BIG PROMINENT warnings on their packaging about the dangers of their product.
    So what are you waiting for govts: prove you're still responsible!

    --
    No, your children are not the special ones. Nor are your pets.
  164. Why should I care about security anyway? by 91degrees · · Score: 1
    You can't deny that IE is the best browser, simply because it can access all the sites without crashing, deciding that it can't display the site because of broken tables, or just freezing while it makes sense of javascript.

    So when using the best, you have to live with the disadvantages that that gives you. Who really cares about security? If I get a virus, then I'll have to reinstall the OS, but I have to do that once a month or so anyway. If people get access to my PC, why should I worry? What are they going to do? Use my modem to launch a DOS attack? Look at my email from my mum? Ooh, I'm frightened.

    1. Re:Why should I care about security anyway? by virg_mattes · · Score: 1

      > You can't deny that IE is the best browser, simply
      > because it can access all the sites without crashing,
      > deciding that it can't display the site because of
      > broken tables, or just freezing while it makes sense
      > of javascript.

      Most certainly I can deny it. Since being able to view any and all web sites is your sole criterion for judging a browser, you will think it's the best. Since security of the browser is more important to me than being able to view any and all web sites, it's a bag of rocks to me.

      > Who really cares about security? If I get a virus,
      > then I'll have to reinstall the OS, but I have to do
      > that once a month or so anyway.

      Well, I care about security. Did it cross your mind that you might not have to reinstall your OS every month if you concerned yourself more with security? Well, never mind, it is Windows, after all. Still, reinstalling every month or so? That's excessive even for MS.

      > If people get access to my PC, why should I worry?
      > What are they going to do? Use my modem to launch a
      > DOS attack? Look at my email from my mum? Ooh,
      > I'm frightened.

      Well, since you don't use your PC for business (and because of your statement I certainly hope you don't store anything sensitive on your machine), you don't have much to fear. How about your mum? Does she store anything sensitive? How about the other people in your address book? Do they? If someone 0wnz your machine, they'll certainly 0wn your address book as well. I can't speak for your mum, but I'd certainly be annoyed if I started getting spammed (or got a poison pill email message from you) because you don't give a whit about securing your machine.

      Your entire post just reeks of egocentrism. You should consider working on your social responsibility before making more statements like "Who cares about security?" in the future.

      Virg

  165. Re:You know its bad... by wadetemp · · Score: 1

    Well, IE 6 is only a beta, so you can't expect that kind of support anyway.

  166. Now seriously... by juliao · · Score: 2
    How can we fix this kind of stuff once and for all? Any ideas?

    I don't really have the time for testing, I'm a think-er, not a do-er, but let me know what you think.

    The problem we have is that the browser/email client/whatever is in effect a shell.

    This is a problem with Windows, but it's also a problem if you some day use Emacs to surf the Web and read your email. Not saying it would be a problem, just saying it could be a problem.

    Now for the fixing part: Can we run the browser as SUID nobody? Can we run the browser chrooted? Can we do the same for an email client? (I'm just talking UN*X, here)

    Ok, now the new micro-soft operating system actually has permissions on the filesystem, doesn't it? And you can actually do an equivalent of setuid, can't you?
    Not sure about chroot, but then...
    So why don't we create a user mailo, with very low permissions, no Write outside the mail client dirs, no Read either (except where mandatory), and run the email client as setuid mailo?

    Can this be a starting point for something? Or did I have one drink too many last night?

    Remember, we're engineers, we're supposed to fix stuff, not bitch about it...


    -----
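The Unix half of the idea in the comment above (run the mail client chrooted and under a low-privilege account), as an added example that is not part of the original post. The `mailo` account comes from the comment; the jail path and client binary are hypothetical, and the launcher has to start as root because `chroot` requires it.

```python
import os
import pwd
import sys


class ConfinementError(Exception):
    """Raised when the process cannot be confined as requested."""


def _verify_dropped(uid, gid):
    # Real and effective ids must both have changed, and root must be unreachable.
    if (os.getuid(), os.geteuid()) != (uid, uid):
        raise ConfinementError("uid not fully dropped")
    if (os.getgid(), os.getegid()) != (gid, gid):
        raise ConfinementError("gid not fully dropped")
    try:
        os.setuid(0)
    except PermissionError:
        return  # expected: the privilege drop is irreversible
    raise ConfinementError("process could regain root")


def confinement_plan(jail, uid, gid):
    """Return the ordered (label, callable) steps; nothing runs until called.

    The order matters: chroot needs root, so it comes first; groups and gid
    must change while the process is still root; setuid comes last because
    after it none of the earlier calls would be permitted.
    """
    if uid == 0 or gid == 0:
        raise ConfinementError("refusing to 'drop' to uid/gid 0")
    if not os.path.isabs(jail):
        raise ConfinementError("jail must be an absolute path")
    return [
        ("chroot", lambda: os.chroot(jail)),
        ("chdir", lambda: os.chdir("/")),        # do not keep a cwd outside the jail
        ("setgroups", lambda: os.setgroups([])),  # shed root's supplementary groups
        ("setgid", lambda: os.setgid(gid)),
        ("setuid", lambda: os.setuid(uid)),
        ("verify", lambda: _verify_dropped(uid, gid)),
    ]


def run_confined(argv, jail, uid, gid):
    """Fork, confine the child, exec argv[0] (a path inside the jail).

    Returns the child's exit status; 126 means confinement or exec failed.
    """
    steps = confinement_plan(jail, uid, gid)  # validate before forking
    pid = os.fork()
    if pid == 0:
        label = "start"
        try:
            for label, step in steps:
                step()
            label = "exec"
            os.execv(argv[0], argv)
        except Exception as exc:
            sys.stderr.write(f"confinement failed at {label}: {exc}\n")
        os._exit(126)  # never fall through and run the client unconfined
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return 128 + os.WTERMSIG(status)


if __name__ == "__main__":
    # Resolve the account before chroot: /etc/passwd is not inside the jail.
    account = pwd.getpwnam("mailo")               # account name from the comment
    sys.exit(run_confined(["/bin/mailclient"],    # hypothetical binary inside the jail
                          "/srv/jail/mailo",      # hypothetical jail directory
                          account.pw_uid, account.pw_gid))
```

The jail directory has to contain the client binary and the libraries it loads, and should hold nothing the `mailo` account can use to reach the rest of the system.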

  167. This hasn't seemed to affect me yet. by AFCArchvile · · Score: 1
    I have the IE6/Outlook Express 6 public beta, and aside from the plus signs on every folder in Explorer (regardless of whether they actually have subfolders or not), I haven't seen any weird things going down. Then again, I use the /etc/hosts trick to block out DoubleClick, and I've been very, VERY careful about my e-mail address (I'm still spam-free to this date).

    I don't know if IE6 and Outlook Express 6 are free from this conundrum, but still, I haven't seen anything weird. I've only run IE 5.0 right from the Win2K disk before I got IE6, and I haven't seen anything like this. Of course, I'm also careful about where I browse, so that's half the battle.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  168. Uhhh by Auckerman · · Score: 2
    "You need to upgrade your IE and re-patch"

    Troll time, cause this is just fucking stupid. I had someone ask me last night why I use a Mac and I found it difficult to explain how a bunch of little easiness adds up to a nice system. When this is a great example, even if Apple had such massive security holes and released a patch, they would NEVER give such idiotic instructions. It's like Microsoft is saying "We are too damn lazy to actually patch IE so that it installs without the massive security hole AND additionally we are too damn lazy to write a patch that works on all affected systems, therefore you may have to upgrade your version of IE (how convenient) then patch it"

    Stupid, just fucking stupid. Get a clue Microsoft.

    --

    Burn Hollywood Burn
  169. LP?? by smaughster · · Score: 1

    Last post???

    Ermz, sorry, subject is Micro$oft, prolly 2k replies to follow.

    --
    I intend to live forever, so far so good.
  170. What's the difference from a patch? by FastT · · Score: 1

    And just what's the difference between this and downloading an IE patch? Mozilla is FUBAR--poor architectural choices have made it nearly impossible to fix in any reasonable amount of time without a high cruft factor.

    --

    The only certainty is entropy.
    1. Re:What's the difference from a patch? by MxTxL · · Score: 1
      I don't know how to fix a car, but i know when it isn't running properly. Are you saying that when your mechanic bungles a job that you aren't going to complain about it? Sure as hell you are.

      Some people, in fact most of even /. readers couldn't make a better browser on their own, but we know when things are broken. Why is it so bad when we complain about that?

  171. IE damn good? by 2ms · · Score: 2
    As someone with quite a lot of experience with web applications development and, more pertinently, cross-browser JavaScript and CSS work, I would like to know what you think is "damn good" about IE.

    I'm genuinely curious because this seems to be a popular sentiment among Slashdot posters and yet I'm completely bewildered by it.

    I personally find its extreme noncompliance with standards (many of which have been around for half a decade now) and many apparently deliberate incompatibilities a nightmare to anyone who would like to see browsers do more than what they have been for the last five years.

    I'm guessing that a lot of people are comparing IE on Windows to Netscape 4.x on Linux. I completely understand people being disgusted with Netscape 4.x's stability, unwieldiness, and general bugginess on Linux, but this can't be the only explanation.

    Please inform me.

  172. Re:Not on windowsupdate by Vollernurd · · Score: 2

    If you read their security bulletins, the order goes something like this:

    1. 'Issue' gets posted to the security site as a bulletin;
    2. Patch is available as a download from the bulletin, or from other parts of the MS Security site;
    3. Eventually, it gets bundled to the Windows Update site.

    Because patches require additional packaging and set-up for the Windows Update site, they are delayed by about a week, depending on dependencies.
    ---
    Vollernurd.

    --
    Smokey, this is not 'Nam, this is bowling. There are rules.
  173. Re:Seriously... by zencode · · Score: 1
    i just purchased a new motherboard and chip, which of course required installing windows again.

    once the os was installed, i popped in the included cd and installed the lan, direct x 7 and sound drivers and it had to reboot no less than 8 times. i was speechless. and we're not even talking an interactive "would you like to restart your system now" prompt, it just *did* it.

    My .02,

    --

    My .02,
    zencode

    iactivist.org/jason

  174. Who do you want to sue today? by Codeala · · Score: 1

    Nowadays, everyone is suing everyone else so how come M$ can still get away with crappy software? Now, some of you may say "IE and Outlook are free, so what are you gonna do?". Wait a minute! Didn't M$ pay some serious $$$ to a bunch of lawyers last year to prove, in court, that IE is an essential and inseparable part of the Windows Operating System? IE is bolted to Win98 and up, and there is no option to NOT install, right? And you did pay for your OS, right?

    So basically someone is forcing you to buy faulty software, and no one is suing? Imagine you bought a car with door locks that only work 50% of the time. If it was stolen, it is the fault of the thief AND the manufacturer.

    But then again I am sure you already "sign" away all your rights (and your soul) in the Windows EULA (sp?).

    ====

    --

    Codeala - Just another mindless drone
    1. Re:Who do you want to sue today? by mvdwege · · Score: 1

      If you can make a reasonable claim (note: not proof, just a claim) that they are knowingly selling defective software, then I do believe you would be able to sue them in most EU jurisdictions. In Dutch law, the no-warranty provisions in the Microsoft EULA are so-called 'unreasonably restrictive' (onnodig bezwarend, for those that know Dutch), and I believe this holds in most EU countries. Of course IANAL, but I did take 2 years of law school.

      There might be light at the end of the tunnel: it appears that EU anti-trust prosecutors had a deal with the US DOJ not to launch independent investigations, but let the DOJ have preference. So if MS gets off (mostly) scot-free in the USA, expect pressure to ramp up overseas, probably including the above argument as a subsidiary charge.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    2. Re:Who do you want to sue today? by dachshund · · Score: 1
      But then again I am sure you already "sign" away all your rights (and your soul) in the Windows EULA (sp?).

      That depends on the damage. I'm not sure how the EULA would stand up if a bunch of major corporations suffered multi-million dollar losses because of MS's negligence. Being that they essentially have a monopoly on the business OS market, one might be able to argue that the EULA should not apply. Or perhaps somebody not bound by the EULA will find grounds to sue.

  175. Fallout? by arfy · · Score: 2

    >> I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout.

    It's at the point where almost nothing surprises me anymore about how tenaciously some managers cling to Microsoft.

    I was at a company that bought some fairly esoteric, hard-to-find parts from another company through a web-interfaced front-end app that accessed the other company's inventory system. About a year-and-a-half ago, they migrated to IIS from Apache for the front-end. They'd previously been an all-UNIX shop but had trouble when the front-end went Windows NT and the inventory app stayed UNIX. So, with the help of many consultants and at least two clueful in-house geeks they went all-NT.

    Problems out the wazoo, but my company tended to be faithful to suppliers so we put up with bungled orders, downtime and other problems that would cause us not to buy from a supplier if they were new to us. Finally an IIS update was applied at the supplier's site that broke the web ordering for anything but Internet Explorer.

    Our company used and supported Netscape only, so we tried to persuade them to make their site work with Netscape. I'll give them credit; they really tried. (Then again, our orders were over 60% of their revenue stream.) Our CEO lunched with their CEO and told him exactly what was at stake: it was costing us too much to do everything by phone and they had to get something running that was usable or we'd have to go elsewhere.

    Keep in mind the old UNIX-based system was still around and running parallel and could've been brought back online. Their IT manager was so committed to keeping NT that he wouldn't switch back.

    We stuck with them for another few months despite the additional costs associated with doing business by phone only. They went out of business several months after we regretfully took our trade elsewhere. I know some of the other IT guys at other companies that used the supplier and the word was that their move to NT from UNIX eventually cost them more than 80% of their revenue due to the higher-volume customers leaving.

    This was no startup company; they'd been around since at least 1989. Was their move to NT the major factor in their death or just a sign of other bad decisions that were going on behind the scenes? I suspect the former. Why did they cling to Microsoft as they lost more and more revenue because of that decision? Their IT manager had dropped beaucoup bucks on MS products in an attempt to save the company money and didn't want to lose his job for that catastrophically bad decision.

    So, will there be fallout? Probably not enough to make Microsoft mend its ways, if not its programs.

  176. Re:Seriously... by ffsnjb · · Score: 1

    If you looked at the link in the post header, it's for my webserver, which runs FreeBSD. Why? because it's the best for the job.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
  177. Re:Seriously... by ffsnjb · · Score: 1

    Oh, and yes, I did spend the weekend upgrading a shitload of desktops for the IE patch. I get paid to do it. And fuck games, they waste my time even more than Slashdot.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
  178. Re:Seriously... by ffsnjb · · Score: 1

    this machine is running 98SE with ie 5.5 sp1 and all the related security patches. My other windows machine is running 98se with IE removed. (98Lite) The other 2 machines in my room run FreeBSD. Fun.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
  179. Seriously... by ffsnjb · · Score: 2

    Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products, claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron. Sure, you have to reboot to patch and install software, but who the hell cares?

    This System Has Been On For 4days 4hrs 55mins 23secs ---Oh, it's been JUST about that long since the latest IE patch was released and installed. Come on, get a damn clue and jump off that damn bandwagon.

    No, I'm not a troll, but guess where you'll be reading this in half an hour... -1 I bet.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
    1. Re:Seriously... by mvdwege · · Score: 1

      Well,

      A couple of days ago I snapped while moderating because of all this kind of whining, and I chewed out someone in a discussion (see my posting history for details).

      I must say I do not quite agree with you, but my general attitude would be to mod the parent down and you up, mostly because there is a difference between a pointless rant and a well thought out argument.

      Oh, and for the record, I hadn't used a PC in 10 years when I bought one last summer, and my first thought on seeing Win98 in action was: "Holy $DEITY, computing hasn't advanced at all!". Win9x was and is a piece of shit, and even NT costs a clueful admin a handful of work to keep it running smoothly, according to the admins I spoke to at work.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    2. Re:Seriously... by raymondlowe · · Score: 1
      Quite so, I use WinNT4.0 workstation in an office environment and we have machines that have not rebooted in months. We even have machines that have been in a single dial-up RAS session for weeks. Not for any fancy technical reason but just because a user did it from home and it worked (phone calls are free here).

      I regularly undock my office laptop, send it into sleep mode - take it home, plug it into my home LAN - type "ipconfig/renew" to get a new IP address (served off the Linux DHCP server) and work from home. Then I unplug and go back into my office, type ipconfig/renew and get an ip address.. And continue working. I do this for weeks sometimes without even logging out let alone rebooting.

      Windows, at least NT, can be perfectly stable.

      R.

  180. You know its bad... by NoCashValue · · Score: 2

    when even M$ doesn't recognise its Beta version of IE6 and tells you that you don't need the patch. Wankers.

  181. Two years overdue...and counting! by Interrobang · · Score: 1

    Oops, I'd better re-install Windows right now! According to you, I'm about two years overdue!

    Yeah, you and me both, man. This same recension of Windows, which has been on the machine since I got it (although it was not pre-installed), has never been re-installed. I always find it so perplexing that so many people I know (especially my dad, who seems especially clueless and/or unlucky in this department -- "Oh, something's not working right! Bet if I reinstall Windows it will!") seem to reinstall Windows more often than they change their underwear (guess they're changing their underware instead, haw haw!).

    I have no problems with my recension, despite in the interim having taken software off, put software on; having almost completely repartitioned and reformatted the HD in order to make room for and make my Linux partition, and various other bits of clumsy hackery.

    Then again, I still think that keeping the MS-brand software level down to a bare minimum (if I didn't have to have Office for work, I wouldn't have any at all) helps, somehow. Could it be that non-MS-brand software is better, more stable, and doesn't screw things up so badly?

    I wonder.

  182. Disease Disease Spreading the Disease. by bwhalen · · Score: 1

    Not sure what else to say about this, hope their stock implodes like a lot of other tech companies. P/E ratio is rather healthy unfortunately.

    --
    Where do you want to be, What are you doing to get there.
  183. When this was first noticed... by captainstupid · · Score: 1

    I saw many a post saying "All software has bugs, this is no big deal!" "M$ did such a good job handling this, why bash 'em????" I hope all you dimwits now see the error in your ways. M$ is incapable of dealing with their mistakes. Why do you continue to trust them?

    --
    "Anyway, long story short... is a phrase whose origins are complicated and rambling...." - Abraham Simpson
  184. Re:There probably is no security hole by WebMasterJoe · · Score: 1

    That wasn't insightful! Who modded this?? No conspiracy, just people who don't care about putting out good code.

    --
    I really hate signatures, but go to my website.
  185. Re:best foot forward by beanpolerc · · Score: 1

    How about when you install package B, and package A, C, and D cease to work because package B over-wrote a DLL file with an older version, in the SYSTEM directory?

    I have not found any 3rd party application that (by default) installed in /usr/bin, /usr/lib, and in no-way conflict with or writes to the same directory that system files are in.

    Another story...

    If I had to install a package on 50 windows machines (not even 1000) I would scream. With any *nix flavour, I can install this package from over the network, and not have any fear that the installation will screw up my remote connection to that machine.

    Then I can (in the space of an hour or two) write a script that will update each machine without my even having to babysit.

  186. Microsoft Freak: Not that simple!!! by somethingwicked · · Score: 1
    First, let me say that I am an unknowing, stupid MCSE. I like MS products for the most part and feel that /.s generally slam MS at any chance, whether justified or not.

    That said, this IS Microsoft's fault. It helps that they put it in the documentation, but that is not enough.

    If the product contradicts the documentation, it is still their fault.

    It should pop up an error that you are not using a version the patch was intended for. A simple version check before the patch runs would do this.

    "This update does not need to be installed on this system" is flatly incorrect. If any logical person saw this message, they would NOT go back and read the documentation to confirm it.

    They should read it first, but come on, did you read the Quake manual before you installed???

    --

    ---"What did I say that sounded like 'Tell me about your day?'"---

  187. Did you read your response before you submitted? by Gruneun · · Score: 2

    IE is bolted to Win98 and up, and there is no option to NOT install, right? And you did pay for your OS, right?

    So... you buy an OS, knowing that it comes with a shoddy browser...

    Imagine you bought a car with door locks that only work 50% of the time. If it was stolen, it is the fault of the thief AND the manufacturer.

    This would only be the same situation if you bought the car, knowing that the locks don't work. Last I checked, the fact that IE was part of the OS was advertised as a selling point. I don't picture the car dealer writing "Broken Locks Included!" on the windshield with soap. If that is the case, you're an idiot for buying it.

  188. Re:i didn't believe it by Isaac+Sorge · · Score: 1

    He's talking about if this was a Linux security thing, not a new kernel release. - Isaac

  189. Time for the product liability shoe to drop by Voltaire99 · · Score: 1

    MS can't hide behind the EULA forever.

    Which law firm is going to make a big pile suing MS for the known defects in IE/OE?

  190. April FOOLS!@! by deran9ed · · Score: 1
    See Microsoft played the biggest joke on everyone yet. They knew so many people would run out and download the fixes for MS' issues, so MS decided to take it to the next level by issuing a `fix` which was really an April Fools joke... Read on...

    MacroShaft Security Bulletin (MS99-054)

    Patch Available for "Microsoft Advisory" Vulnerability
    Originally Posted: December 15, 1999

    Summary
    Macroshaft has resolved the problems stemming from the spammage being spewed by Microsoft Advisories. It seems that MS is such a crappy and backwards product scores of exploits and crashes plague this system. While we at Macroshaft do not condone the use of Microsoft trash, we do pray daily for the users of this plague and beg of God's forgiveness for their lack of knowledge.

    Issue
    Too many to list on a file without buying a 47gigabyte RAID5 storage system. Microsoft dedicated a BSD server with OC192 bandwidth to support the millions of luzers worldwide who receive Microtrash advisories on a daily basis. Actually we didn't know where to begin on this issue so we laughed all the way to the bathroom to wipe our noses from the water that erupted after the episode.

    Affected Software Versions
    • Microsoft * (note the *boolean* symbol)


    Patch Availability
    The vulnerability is eliminated by downloading one of the following.
    • http://www.openbsd.org
    • http://www.freebsd.org
    • http://www.netbsd.org
    • http://www.qnx.com
    • http://www.slackware.com
    • http://www.redhat.com

    Frequently Asked Questions:
    • http://rtfm.mit.edu
    Macroshaft Knowledge Base
    • http://microsoft-knwledge.is.a.joke.org

    AntiOffline re-introduces chick of the week
    • http://www.antioffline.com/newflix/


    Obtaining Support on this Issue
    This is a fully supported patch available for download at: http://yew.must.be.j0wking.or.something.com

    Acknowledgments
    Gill Bates of Macroshaft.org

    Revisions
    THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE THEFT OF YOUR CAR AND OR ITS AUDIO EQUIPMENT. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS AFFILIATES CARE ABOUT ANYTHING YOU SAY OR DO. NOR DO WE CARE ABOUT ANY THREATS YOU MAKE TO US BOTH LEGALLY AND PERSONALLY. MACROSHAFT AND ITS AFFILIATES WILL SIMPLY FLY TO YOUR TOWN AND KICK YOUR JIBRONIE ASS AND SLEEP WITH YOUR GIRLFRIEND AND HER SISTER AND MOTHER IF NECESSARY. MACROSHAFT DENIES AND WILL CONTINUE TO DENY THAT WE SUPPORT THE GROUP KNOWN AS HACKING FOR SWEDISH CHICKS, HACKING FOR GIRLIES, AND UNITED LONE GUNMEN. INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF THE MACROSHAFT CORPORATION OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR EVEN TAKE US SERIOUS ALL YOUR PATCHES ARE BELONG TO US

    (c) sil@antioffline 1999 - 2001 Macroshaft
    Corporation. All rights stolen anyway.
  191. you dont wanna know by deran9ed · · Score: 1

    funny you should ask... I posted Diary of an AOL user here last week (www.antioffline.com/hackers2001.html) and it's funny as all hell to think people can be so dumb... Well anyways I had made another spoof recently which said Hackers stole codes to launch nukes and stuff... (antioffline.com/news/0-1003-200-5222484.html) and posted it with an obfuscated URL... I had people emailing me saying "If you know who they are, you should be a responsible citizen and turn them in", as well as a slew of *.gov and *.mil sites which were there shortly after I posted the original... Now I know it can be trivial to deal with spoofing articles like that, but clearly I would have hoped the copyright would have given it away... ©1995-2001 CN3T Networks, Inc. (Cumshot News Network) No dice some people are just... dumb

  192. best foot forward by deran9ed · · Score: 4

    Why the hell is it that every one of the linux zealots that read and post to slashdot BITCH AND MOAN about Microsoft products,

    First off it's not ALL of the Linux zealots and in fact I've noticed the majority who get caught up in that (OS name calling) mix, tend to be newer users of Linux who could barely chop up source on their own often jumping on irc channels or mailing lists with the shittiest questions.

    claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron.

    Actually I don't think it's the most worthless piece of shit OS on the market by any means, in fact I think MS has strategically placed itself on the markets for reasons like Ease of Use, familiarity, since OS's like Linux, NSD, etc., are almost impossible for Mary Joe Homemaker, and Sally Secretary to handle, however it's bullshit to think anyone can keep a Windows machine up all day is a moron. E.g. there's been plenty of times I've seen Windows go bonkers for no reason especially Windows2000k with all the patches to date for the machine.

    Last year when I was tinkering with codes on a DoS paper I wrote, I slightly modified my code to connect to a non open TCP port on my Windows laptop and it still crashed it for no reason. (FYI code is here) The OS did a great job of crashing from time to time when it wasn't online, no one touched it, just pooped out on its own.

    Sure, you have to reboot to patch and install software, but who the hell cares?

    I would care if I oversaw a network of 1,000 boxes which needed patch upgrades every week, only to be restarted. Think about it for a quick second as I outlined in the funny Microsoft Kills paper, 1,000 servers multiplied by about 3 minutes downtime, then you've got lost time spent and I don't think any administrator be it Microsoft or any other company is going to be kind enough to say "Hey don't worry I'll patch these on my own time, no need to pay me." Fuck no that shit costs money after a while.

    Come on, get a damn clue and jump off that damn bandwagon.

    I find it funny seeing OS wars go on when in reality 95% or more depend on Windows in some shape form or fashion, last time I checked accounting was looking for Excel files, secretaries were saving *.doc files... Sure Linux advocates have the right to moan, it's their choice, just sit back and get a kick out of it, I do.

  193. Re:If Netscape would just get off their ass by Rogerborg · · Score: 3

    the next month or so while this would still be a big deal

    That may be wishful thinking. Most corporate IT departments are already in the "all your soul are belong to Microsoft" category, and this is just another in a long, long list of screwups that they've already shown that they'll tolerate. My own employer doesn't bother putting out advisories or upgrading desktops any more. And how many personal users will even find out about this, much less care? If it doesn't hit the mainstream media, it's purely a geek issue.

    --
    If you were blocking sigs, you wouldn't have to read this.
  194. Re:If Netscape would just get off their ass by MxTxL · · Score: 1
    I'm almost tempted to actually submit a patch or three, it's getting that good.

    Is that right? It's true, i'm basing that statement on the recent big release. But I was SOOO disappointed with it that i had sworn off mozilla... well, at least until they would get their act together, i'm glad to hear you say that they did that sooner than i would have ever expected.

  195. If Netscape would just get off their ass by MxTxL · · Score: 3
    This is a wonderful opportunity for Netscape to release something that doesn't suck. And by being the least sucky browser, recapture some of the market.

    Of course, I don't honestly think they HAVE the resources or ability to make their browser suck less than IE, especially within just the next month or so while this would still be a big deal. But it would be neat.

    1. Re:If Netscape would just get off their ass by p_code · · Score: 1

      Don't forget that Netscape==AOL
      Has anyone seen the mozilla milestone build they are trying to push as Netscape 6?

      --
      while (!success) { tryAgain(effort); }
  196. Re:FP??? by Stackis · · Score: 1

    Looks as if he/she did indeed get the FP!

    --

    "Look where we worship" -- Jim Morrison
  197. Not on windowsupdate by AaaL · · Score: 5

    Why, oh why, does this patch NOT show up on http://windowsupdate.microsoft.com? Good thing I read Slashdot--otherwise I never would have known about this patch (which, incidentally, installed correctly for me). Windowsupdate had a critical update over the weekend but that was for MS01-017 (the Verisign certificate problem) but NOT MS01-020. !@#$!@#$

  198. Re:slashdotters rejoice!! by JohnSmith1138 · · Score: 1

    First to market? In what? IE is a ripoff of Netscape and Mosaic. Windows is a ripoff of the MAC interface. Windows 95 is a ripoff of OS/2. DOS was bought from someone else. Microsoft has been first to market with very few products. Marketing and ease of use give them the market share they have. Don't get me wrong, I like MS products and use them every day, but they hardly are "innovators". They are damn good at polishing a product for the general public.

  199. Patch of patch of patch? by mystery_boy_x · · Score: 1

    So my computer isn't safe after all. Everyone in the company got this update by email recently, and sure enough, I got that message. I'm using ie5.

    Now i'm afraid ... If I upgrade to 5.5, what if it breaks my system? I have so much MS garbage on my system as part of my work, what if the update is not compatible with something??

    Upgrading to install a patch, and then another patch, is a patch of a patch of a patch?? If something goes wrong with this one, will it be a patch of a patch of a patch of a patch??

    Bill Gates has a noose around my neck....

    --
    I am not a lawyer but my sister is, so don't mess with me
  200. Betting the Company by Waffle+Iron · · Score: 2
    Microsoft likes to play the high roller. They "bet the company" at each new stage: switching from DOS to Windows; creating and dominating with IE; fighting the Gov't instead of settling; and now, the .NET initiative.

    But I don't think that any of these gambles is as large as one they've been involved in for quite some time. That gamble is shipping software into a monopolized market without extensive security auditing. They've created a monoculture of OSs and applications that has become a prime target for attacks from all over the world.

    The risk is that someone would combine the technology behind ILOVEYOU, a hole like the latest IE bug, a subtle and automatic propagation method and a destructive payload. Since a single version of an MS DLL might be installed on 30% of all of the computers on the Internet, you could easily imagine that 10% of all of the computers on the Internet could fall to a single super-worm in a matter of hours. If this worm were to destroy all of the information on those computers, the devastation would be mind-boggling.

    If these events came to pass, the repercussions could spell the end of the company as we know it. At the very least they'd be tied up in congressional hearings and lawsuits for years. Yet, they seem to go on with business-as-usual, blithely ignoring the potential disasters they are enabling. In fact, the .NET technologies will only multiply the odds of this scenario.

    Given how paranoid they are about competitive and regulatory threats, it's strange that they haven't responded to this bigger threat.

  201. Sendmail Milter by Brunan-G · · Score: 1

    If you are feeling daring, and are using Sendmail 8.10+ you can try using some of the milter filters out there to strip away some of those pesky attachments that Outlook loves to run. The downside is it does take some more cpu cycles, and the milter implementation is still "For Future Release" meaning it may be a bit shaky... (No problems here with it however) Of course if you are a complete MS shop you may just be screwed....
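
The attachment stripping suggested in the comment above, shown as an added example that is not part of the original post and does not use the Sendmail milter API: it is only the MIME rewriting such a filter would apply to a message body, written with Python's standard `email` package. The extension blocklist, function names and sample message are assumptions made for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; the comment names no specific extensions.
BLOCKED_EXT = (".vbs", ".vbe", ".js", ".exe", ".scr", ".pif", ".bat", ".com")

def is_blocked(part):
    # Windows ignores trailing dots/spaces, so "x.vbs." must match as well.
    name = (part.get_filename() or "").lower().rstrip(". ")
    return name.endswith(BLOCKED_EXT)

def strip_risky_attachments(raw):
    """Return (cleaned_bytes, removed_filenames) for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []

    def clean(container):
        if not container.is_multipart():
            return
        kept = []
        for part in container.get_payload():
            if is_blocked(part):
                removed.append(part.get_filename())
                notice = EmailMessage()
                notice.set_content("Attachment %r removed by mail filter.\n"
                                   % part.get_filename())
                kept.append(notice)      # leave a visible marker for the reader
            else:
                clean(part)              # descend into nested multiparts
                kept.append(part)
        container.set_payload(kept)

    clean(msg)
    return msg.as_bytes(), removed

def build_sample():
    """Constructed test message: one script and one harmless text attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.\n")
    m.add_attachment(b"MsgBox 1", maintype="application",
                     subtype="octet-stream", filename="NOTES.TXT.vbs")
    m.add_attachment("hello\n", filename="readme.txt")
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_risky_attachments(build_sample())
    print("removed:", removed)
```

Matching on the file name alone misses a script whose name carries no blocked extension, so a filter like this reduces exposure but does not replace patching the mail client.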