MSIE Uber-patch Of The Month
mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/"
Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability.
Also, please compare to previous MSIE Uber-Patches Of The Month:
December 2001, 3+? holes in IE;
March 2002, 2+? holes in IE;
April 2002, 2+? holes in Mac IE.
Microsoft released another security patch for Internet Explorer
Is it Thursday already?
--saint
Yet another reason to use lynx :)
or even better
telnet www.webserver.com 80
GET / http/1.0
Internet Explorer is the most stable and secure web browser ever made. Why do they need a patch for it?
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
Saying you're trying to fix all the holes in IE is like saying you mean to turn a sieve into a bowl.
::shudder::).
Seriously, it seems they are finally turning around and trying to make their products more reliable. They've come a long way since Win95 (or WinME...
The speed of time is one second per second.
God forbid Microsoft release a patch. What would you rather have them do? If this were the newest version of the Linux kernel, the people of Slashdot would be planning a parade. It is a patch to a microsoft product though, so it is time to bring out the bashing. Give me a break!!!
News for Nerd. Stuff that matters.
Does this really matter anymore? It's kinda like my weekly routine of buying milk. It's getting pretty dull...
luckily several other competing browsers have far fewer patches that have to be applied.
netscape - doesn't have any holes - it crashes before anyone has time to exploit them.
mozilla - it's not called holes, it's a feature until further notice.
opera - pages download quick, don't they? then stfu.
According to NTBUGTRAQ it breaks certain javascript:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0205&L=ntbugtraq&F=P&S=&P=2859
The example code that fails with the patch is here.
Those who will sacrifice Freedom and Security will get Windows...
you know - with this many patches, IE is moving from the realm of science fiction to high fashion!
This is just silly. Does Slashdot post a huge exposé every time someone fixes another crippling security hole in Mozilla? Really, it's this kind of duplicity that bothers me about Slashdot. Surely, Microsoft isn't the only one who writes occasionally buggy software?
"I don't know that atheists should be considered citizens, nor should they be considered patriots." - George Bush
This is the big patch that really should be fixed.
It is the one that makes it dangerous to push the Back Button
the page you link to HAS the vulnerabilities fixed LISTED.
And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp)
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
It worries me that a patch can be news. Microsoft really has people waiting in anxiety for a new patch to fix (and add some new) security holes.
Brr. I hate monopolies.
I'm going to write a letter like the Peruvian one to my government right now!
DNA is the ultimate spaghetti code.
When a kernel patch comes out it usually consists of fixes to features (speed, stability, etc.) and yet more new features. Read the changelogs, that's what they are.
When MS releases an IE patch it's because they need to fix the ability for some random porn site to install software on your computer. Or make it easier to spy on you with their messenger client.
Not that this affects me at all as I only use mozilla now.
What about this?
Netscape isn't secure either. A well written web page can read and capture local files.
Micro$oft, although they write their fair share, isn't the only company that writes bad code.
As the subject states; this is not news for nerds.
if (newPatch.Source() == Microsoft)
{
Post("Evil buggy software");
}
else
{
Post("Great aftermarket support!");
}
Slashdot Posterbot 1.0!! Can I be a slashdot editor now?
Didn't Intestinal Exploder have enough bugs to begin with?
especially when compared to the hundreds of bugs found often in Linux
...doing NOTHING BUT addressing security issues as part of their new security focus.
Do you suppose they need to do more?
"How to Do Nothing," kids activities, back in print!
Another MS bashing article: They found another bug in a MS software! Those f*cking bastards! How can they release software with bugs! /. If this was the linux kernel or mozilla or KDE or whatever, the crowd would be delighted at the wonders of open-source, and how fast they can fix the bugs.
It's the same-old double-standard
Don't you think it's time for a break and for news that really matter?
lmao
Do it for da shorties
The "Windows Update" icon on my taskbar failed to retrieve the patch last night, I had to manually go to the Windows update site and download it. I only discovered this when I started wondering why my VAIO was getting so damn warm, and why the fan hadn't stopped in several hours...
And then they "recommend" that you go for automatic updating. Typical.
My sig is too lon
I'm glad to see them stepping up to patch this stuff. Really. I'm not being sarcastic. A lot of people use IE, and we shouldn't just curse our grandmothers and mothers to using a flawed browser. I really salute them for taking the security stance a little more seriously.
Of course, I say this even though my mother got Mandrake 8.2 for Mother's Day.
-- Who is the bigger fool? The fool or the fool who follows him? --
Warning! Positive comments about Microsoft ahead...
I have Windows XP on my desktop and RedHat on my public server.
I have grown to appreciate the way Windows XP patches itself. Frankly it is a bit of a pain in the butt having to apply patches to my RedHat server each month and I would be much happier if it could just do it itself, automatically, like XP does.
I hate Microsoft. They're bastards. But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.
Does anybody provide support for beta Mozilla builds now that Mozilla is 1.0? In fact, does anybody provide any support for Mozilla 1.0? (Other than IRC chat rooms...)
With this patch, IE will finally be perfect and I can sleep in peace knowing that Big Bill® is watching over me.
Don't anthropomorphize computers, they don't like it.
Out of laziness, but lately I am not patching IE or any of the other known vulnerabilities on the software I have installed, unless the vulnerability is really dangerous: It comes to a point, that simply, I don't care anymore.
You might say that this is against me, not to patch my software, and you are right, but I am tired.
I think the security model used by MS and others (well, assuming this is a security model) is not valid anymore, I cannot go patching my software every morning after booting the computer!!
Most ppl use MS products. Hence the greater need to inform people. It's called a monopoly.
Show me the quote where Microsoft has ever claimed to be the "best in every area". Show me the quote where the claim to be "completely secure and infallable [sic]".
You can't, because they have never made those claims.
So the question is, why do you feel you need to flat-out lie and spread bullshit like this?
Microsoft is a formidable opponent. They're very rich and very good at using those riches to get what they want. We need to avoid being smug.
Miko O'Sullivan
Windows Update fatally crashes my system each time I go to download all the 'critical updates' my system needs. Which means that I'm unable to actually patch my boxen, unless I maybe reinstall the operating system, which would make me lose all my application settings/components and be forced to reinstall them, etc, etc.
One central source, one update system. One critical point of failure. One of the many problems that come with having one operating system to rule them all and in the darkness find them...
Boy, do I hope nobody tries to r00t my 98 box. After plugging in my shiny new cable modem it probably looks real attractive now.
Do you still live at home, or ever eat there? Do you know what happens when you don't tip at restaurants? Might want to start checking your food...
speaking of bugtraq, this just came through my e-mail from Greg Chatten with St. Louis Internet.
;)
Date: Thu, 16 May 2002 12:32:17 -0500
Subject: MS02-023 Patch Breaks JAVASCRIPT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this case) breaks the following Javascript code. This code works in IE versions *not* patched with Q321232 but fails to execute on IE6 which has been patched. I don't have IE 5 or below so I don't know if they broke those versions as well.
Then there is lots of javascript. Just like microsoft to break something else while they fix another thing.
The original message should be in the bugtraq archive by now
-- this space for rent --
Anyone who cares about this stuff should be subscribed to Microsoft's Security Notification Service or NTBugTraq. Unless Slashdot intends to start posting every single security advisory that gets published (utter nonsense), this sort of news story doesn't belong on Slashdot.
Attack The Of Clones versus the Digital Copyright Millenium Act: The battle to decide how many /.ers can get it wrong.
I think this represents a big change in MS's approach to security.
:)
Now if only theyd fix the winnuke bug.
I remember one guy in the office wanted me to try and break his über secure win2k box with software firewall.
I winnuked his ass and he couldn't even move his mouse.
There was no way he could filter it out as the bug is in the TCP/IP stack I think.
Yes I understand this is lame but he asked for it
I know I'm going to hell, I'm just trying to get good seats.
is M$FT needs to de-integrate IE from Windoze, make it so IE can not be used as a file browser on your compooter, and a file manager (Windoze Explorer) that can not access the internet, that would resolve some vulnerabilities, most people won't like the inconvenience (so what, it would be more secure)
/root
an even better idea would be to get Windoze off of your harddrives and get Linux (any flavor)
got
2. Choose a cool marketing name for the hole, like "achilles' hole" or such. Make it fancy.
3. Call the news agencies. Once there is a fancy marketing name, they will jump on it and create public hysteria. Remember "Code Red" ? It was just like any other worm attack except that it had a cool name for the media blew it way out of proportion.
4. Watch the patches roll in.
5. Lather, rinse, repeat. Every six weeks should do it. The public should see a pattern sooner or later.
Mozilla has the same security bug described by greymagic.com
Just a Reminder for all the End Users out there using XP
;)
one of these days M$ WILL release a critical update that will deactivate any copies of XP with illegal Product Codes #'s
make sure your copy is legal ppl
(not that i expect any one on this site would be running XP
The More Knowledge you have the Luckier you Get- J.R. Ewing
Windows, an alternative to Linux, has far more security problems, costs a bundle, and source code is generally unavailable.
Linux, an alternative to Windows, has almost no useful applications, is worth what it costs (same as Windows), and source code is available but is totally useless to the vast majority of people.
Ignoring politics (apt, that), the Microsoft folks win hands-down over Linux.
Come on, they exist.
upgrading with apt is easy, and not much work.
*BSD also have their update tools, and some other posters mentioned Redhat tools.
These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.
It was fixed VERY quickly as soon as the Mozilla team learned of it, which was weeks ago, and it's been in all of the builds since.
You must never have had a MS sales rep come talk to your company.
http://www.windmeadow.com/
For those that are SO lazy that you can't click on the link:
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:
Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.
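The behaviour change quoted above (frames disabled in the Restricted Sites zone, so HTML mail read by Outlook Express 6 and the listed Outlook versions can no longer use a frame to open a window or start a download) can be modelled as a filter that drops frame elements from the markup before rendering. The following is an added illustration written for this page, not Microsoft's code or any code from the bulletin; the zone policy table, the function names and the sample message are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser

# Frame elements that the bulletin says are disabled in the Restricted Sites
# zone. <frameset> and <iframe> carry content; <frame> is a void element.
FRAME_TAGS = {"frame", "frameset", "iframe"}
FRAME_CONTAINERS = {"frameset", "iframe"}

# Assumed zone policy (not a Microsoft data structure): the bulletin says the
# named mail clients read HTML mail in the Restricted Sites zone by default.
ZONE_ALLOWS_FRAMES = {"Internet": True, "Restricted Sites": False}


class FrameStripper(HTMLParser):
    """Re-emit the markup unchanged, minus frame elements and their contents."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # output fragments
        self.depth = 0      # >0 while inside a dropped <frameset>/<iframe>
        self.dropped = 0    # number of frame elements removed

    def handle_starttag(self, tag, attrs):
        if tag in FRAME_TAGS:
            self.dropped += 1
            if tag in FRAME_CONTAINERS:
                self.depth += 1
            return
        if self.depth:
            return
        # html.parser unescapes attribute values, so re-escape on output.
        attr_text = "".join(
            f' {name}="{html.escape(value, quote=True)}"' if value is not None
            else f" {name}"
            for name, value in attrs
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in FRAME_TAGS:
            if tag in FRAME_CONTAINERS and self.depth:
                self.depth -= 1
            return
        if not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.depth:
            self.out.append(f"<!--{data}-->")


def strip_frames(markup):
    """Return (filtered_markup, number_of_frame_elements_removed)."""
    parser = FrameStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


def render_for_zone(markup, zone):
    """Apply the zone policy: frames survive only where the zone allows them."""
    if ZONE_ALLOWS_FRAMES[zone]:
        return markup, 0
    return strip_frames(markup)


# Constructed sample: an HTML mail carrying a 1x1 iframe that would load a
# page able to open a window or start a download on its own.
SAMPLE_EMAIL = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<iframe src="http://example.invalid/popup.html" width="1" height="1">'
    '<p>fallback text inside the frame</p></iframe>'
    '<p>Regards</p></body></html>'
)

if __name__ == "__main__":
    cleaned, removed = render_for_zone(SAMPLE_EMAIL, "Restricted Sites")
    print(f"removed {removed} frame element(s):\n{cleaned}")
```

The parser keeps everything outside a frame element byte-for-byte (entities and comments included) and only discards the frame and whatever it encloses, which is the narrow effect the bulletin describes; the same message rendered in the Internet zone passes through untouched.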
This page shows what can happen when IE is allowed to spread...
Ray for the orange and the blue!
Ray, ray, ray, ray, ray for the orange and the blue!
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
At least M$ is fixing problems, maybe not as fast as the oss companies/people, but christ.. None of you guys bash redhat, suse and the like when they release an update for an app that can give you root. I know in the /. eyes M$ is the root of all evil, but you know what, best item/app/os for the job.
/. hypocrites, bring this post to a -1.
I don't care if its a mac/ms/*nix/*BSD or what, but if it gets the job done, relatively well and fast, I will use it.
For programming, i don't care if its VB/C/Glade/Perl/Python whatever.. whatever suits the job best. And yes, sometimes, if not MOST of the time, it's a MS solution (for me at least, YMMV).
And for the record, my win98 installation, which I just reinstalled everything ( 2 days worth of installs and hundreds of reboots ) is showing the same symptoms of the problem for the reinstall, which I'm assuming came from windows-update. So no, I'm not living in a perfect world. At the moment, I'm cursing Billy boy's name, but I'm still using Win98 for most of my development work and 2 linux machines as servers, since, like I said, best solution for the problem.
So flame away, you
"It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
They are finally making the software robust and not crash 20 times a day.
They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
They are finally making it a good product.
What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.
but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/
What a silly thing to assume! You do realize this is Microsoft we're talking about?
Follow me
The URL had an extra space in it (which must have been added by slashdot, as I copied/pasted straight from IE.) I just redid this, and Slashdot broke it again (but using HTML the link part works.) Here it is whole:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp
it is a bit of a pain in the butt having to apply patches to my RedHat server each month
Try AutoUpdate. It does a good job keeping RedHat up to date.
People who disagree with you are not automatically evil, greedy, or stupid.
The point of all these MS stories is simply to get hits on pages with ads.
Money money money . .
-r
Just because something is free does not mean you have to take it.
Does Slashdot post a huge exposé every time someone fixes another crippling security hole in Mozilla?
Maybe once Mozilla is actually released, then they might.
I don't know about you, but I consider beta software and final released software somewhat differently.
is good PNG support. Fix the damn lack of transparency! Security can wait!
While everyone is harping on Internet Explorer problems, I have to openly (pun intended) ask this question: how will we see bug and/or security fixes for Mozilla 1.0 when that is released very soon? Will it be in the form of patch files? Or do we have to download the whole browser all over again?
Raymond in Mountain View, CA
The following is taken from http://bennyhills.fortunecity.com/hardy/203/nonbeliever/page50.html. I don't know if it's valid or not.
When George Bush was campaigning for the presidency, as incumbent vice president, one of his stops was in Chicago, Illinois, on August 27, 1987. At O'Hare Airport he held a formal outdoor news conference. There Robert I. Sherman, a reporter for the American Atheist news journal, fully accredited by the state of Illinois and by invitation a participating member of the press corps covering the national candidates had the following exchange with then Vice President Bush.
Sherman: Surely you recognize the equal citizenship and patriotism of Americans who are Atheists?
Bush: No, I don't know that Atheists should be considered as citizens, nor should they be considered patriots. This is one nation under God.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-U
I fired up Moz the other day and was greeted with a very polite screen telling me that the version I was running had a vulnerability and would I please update to the fixed version. Admittedly that's only cos I'd been too lazy to change my homepage but still, can you see that happening in an MS product?
Nobody else claims their browser is a key component of the operating system-- that it cannot be removed because its functionality is so interwoven into the operation of the system.
Of course people are going to flame Microsoft for designing such a product with so many critical security holes which compromise their computer, making it part of the OS and then arrogantly refusing to give people the ability to remove it. At least I can un-install every other browser if I decide it doesn't suit me.
You complain about people flaming Microsoft. I submit to you that if that corporation wasn't so arrogant, pushing its views and way of doing things onto everyone else then stifling the innovation of others, that people would be a lot more forgiving of mistakes.
I have no sympathy. Not for this corporation. Microsoft made this bed, it can sleep it in now.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
These constant Internet Explorer fixes are a result of the "browser wars", when MS and Netscape competed to release their new browser every six months or so. The rush prevented good code auditing, and several bugs were not wiped.
Now that this "war" is over, I hope MS (and Netscape) make a good review of their browser before releasing it, and stabilize the existing code. If we are lucky, IE 7 will be shipped only in 2003 or 2004 - and by "we" I mean every internet user, for the bugs in IE helped the spread of annoying worms like Nimda and Klez.
Version 6.01 patch from www.opera.com and it works great
Malda would want to get to the BACK of the line, so he could go AFTER Katz.
Bullsh*t.
How come my firewall is *still* seeing 80+ Code Red/Nimda probes daily?
Just like any other worm?
You have no clue.
The number of infected Micro$oft boxes out there is scarcely any less than it was six months ago, thanks mainly to clueless Micro$oft users...
t_t_b
I'm on PJ's "enemies" list! Are you?
No wonder I've been backsliding...
t_t_b
I'm on PJ's "enemies" list! Are you?
Just because someone bashed MS, that doesn't mean that they are being unreasonable.
My beliefs do not require that you agree with them.
the MS link to the detailed info about the patch is 'unavail' (ms slashdotted? *grin*) as is the link from the windowsupdate site. What is available follows (I hope you enjoy this as much as I did):
System Requirements: This update applies to Internet Explorer 5.5 Service Pack 2.
How to use: Restart your computer to complete the installation.
How to uninstall: Uninstall is not available.
closed minded is as closed minded does
Look brain-boy if you want you can cruise the linux sites to pick up info and then post linux bugs here. Also do not equate the average programming error with a security threat. Every programmer makes mistakes; it's up to QA to find them before product ships. All software has bugs but once you get to the 5.x or 6.x versions you would hope that the pace of discovery of serious security problems would slow down, but that is not the case with the wild-eyed boys from Redmond. Plus with $4,000,000 US for R&D you would think they would find the security problems.
Well if you want to be an SA, expect low pay, little respect, a lot of work, and no glory. :-)
But you get to play with cool toys..
Now if you still want to be an SA, read on....
Well, it's a hard one.. I don't have a degree, but I spent 6 years in college, physics+comp sci double major. I dropped out after I ran out of money and needed to work.
I dropped out before all the .com BS, so I didn't drop out to work in .com.
Been working for nearly nine years as a professional UNIX system administrator. And fortunately never worked in the .com insanity.
I would recommend going to college and getting your degree. I've been very lucky and have been able to put together a pretty strong resume. I would not recommend my course of action for everyone. I worked at my University's computing center as a UNIX operator and learned a lot there.
But not everyone has those opportunities.
I get a lot of calls, even these days from head hunters and queries from old bosses and what not.
But I would recommend learning how to program, for SAs, most importantly, Perl, *SH, and of course learn C too. Though these days there is not a lot of C programming being done by SAs, (.. in the olden days...)
Also learn lots about networking and database systems, snmp and most importantly to be a successful systems administrator....develop thick skin!
Check out USENIX's SAGE web page...
http://www.usenix.org/sage/
But get a degree in either CS, IS (IT MGMT), EE, Physics, Chemistry or even Biology. And if you take a physical science route, minoring in comp sci will be helpful.
I'm considering going back to school to get a degree in bio-chemistry or finish the physics degree. more for the hell of it.
Certification, well at any decent place I have found, certs don't mean jack. I found every single certified person, whether it's UNIX or Windows or what have you, has been fairly clueless. I think I have met only one cisco certified engineer who knew anything.
When I hire someone though, I don't look at the degree, it's irrelevant when you need to get work done.
However, if I needed to hire someone and they have no experience, they should have at least spent some time in school.
Good luck
Sorry if the post seems disjointed, I'm doing several things at once....
If a clueless MS sales rep giving a presentation to your company is allowed to represent MS to the rest of us, can I use your typically clueless l33t h4x0r IRC Linux zealot to represent Linux?
-l
IE randomly locks up on me all the time in XP when I open new windows (I always open links in new windows, leaving 20 windows open).
Oh well, guess it's time to give Moz for win32 another try, test out those new "tabs"
Reminds me of my 2 favorite sayings:
"Linux is only free if your time is worthless"
and
"Linux is only free if you're a no-life acne-faced loser nerd."
I ran Windows Update last night and downloaded this patch for my Win2k system. I logged into my regular user account and all I get is my background screen - no icons, no start menu, etc. I was able to do CTRL-ALT-DELETE to start the task manager and therefore Mozilla, which I'm using now to post this message.
I tried the same method described above to start IE and Windows Explorer. Both failed. I read the TechNet bulletin referred to in other posts. It looks like MS updated the code that supports something they're calling a "local resource file". Correct me if I'm wrong, but doesn't MS use "local resource files" to handle the desktop in Win2k?
BTW, the only positive outcome is that my memory usage has dropped from 135 MB to about 80 MB. Besides my desktop, among the missing applications are my AntiVirus program and firewall.
Finally, I get the same symptom when I try to use the Administrator account. I don't know how I'm going to back out the patch if I can't run the Control Panel Applet without IE/Windows Explorer.
Any pointers would be appreciated. Good thing I have a Linux box and/or Mozilla to fall back on.
"I'm The Bounty Bear. I will find him anywhere. I'm searching."
thanks mainly to clueless Micro$oft users
This I think says it all...
it really has NOTHING to do with the worm.
any other UNCLEANED system with some other worm would cause the same probes with a different name.
Just like any other worm?
YES
Just like ignorant users?
YES
"Just Smile and Nod." --Huck
But how many of those "clueless l33t h4x0r IRC Linux zealot"s are employed as sales reps by the likes of RedHat or Suse?
The difference is that the Linux kernel is a work in progress the various patches and changes are released as they are developed - It's a collaborative development effort.
On the other hand IE is developed behind closed doors at Microsoft which claims to do all its quality control and testing in house before its software is released - Indeed Microsoft claims this as a reason to use Microsoft Software rather than Linux.
I'm starting to think Taco could get his "cult" to commit mass suicide if he could prove that it'd help them rail on MS...
So would we be drinking the Kool*Aid out of a Slackware cup? Or a Debian cup? Or a SuSE cup?
DOJ they are breaking JAVA :) To see Microsoft's Coders follow the link to http://www.ihatewindowsxp.com. Has anyone got Linux running on Xbox with some great Linux games :)
What about this? Slashdot reported on the vulnerability in Mozilla (which has since been fixed).
Ad Majorem Dei Gloriam
Interested in AI? MACR
You know the only way MS will become a part of computing history in the future is
By making programming mistakes to fix 5 years later..
Okay for some facts:
There is still no company policy to avoid writing code that produces buffer overflows..the toolkits to help avoid this have been out in every major computing language for over 2 years..
Poor unit testing
..and the list goes on and on..
Don't Tread on OpenSource
clueless l33t h4x0r IRC Linux zealot to represent Linux? No
Clueless RedHat sales rep. Yes
Clueless Mandrake sales rep. Yes
Clueless IBM sales rep. Yes
Clueless Debian project leader rep. Yes
http://www.windmeadow.com/
No it's news because despite the increase in the # of bugs they fixed, they did not fix some serious exploits that are still there. This is unlike the others who actually announce and fix their problems within a reasonable time. Not only that, but they are constantly enriching and improving their features. And how long does Microsoft take to acknowledge and fix their bugs? How many new innovations/new features has Microsoft introduced to IE?
For Linux users, it would be up to the Linux distro to provide patches like that if they wished. But none of them will either. Too much work for no money
... its just the snazzy new versions of things that take a lifetime before you see them ... e.g. "Stop asking me when X 4.2 debs will be out, it will be months!" as one of the developers posted, a day or two after 4.2 had been released by the XFree group, and was already up and running on my Source Mage and Gentoo boxes.
On my Source Mage system I simply run a 'sorcery update' before going to bed, and any new versions of packages are downloaded, compiled, and upgraded accordingly. All dependent packages are recompiled as needed, such that all are optimized and compiled against the most current rev. Downloading and compiling mozilla may be time consuming, but if I'm asleep while it's happening who really cares?
On my Gentoo system I do an 'emerge rsync' followed by an 'emerge --update system --pretend' (to first see what it is going to do), then if I like what is going to happen, the same command again without the --pretend to actually do the update, followed by an 'emerge --update world --pretend' and, once again if I like what is going to happen, an 'emerge --update world'. If I don't want to upgrade everything (not as safe to do under Gentoo as Source Mage) I simply do an 'emerge --update [package-name]', such as 'emerge --update mozilla' before going to sleep.
In either case, the next morning I wake up with the most current security patches (if any) and newest stable versions of all the Free Software out there, including Mozilla.
I had Mozilla rc2 running within 24 hours of its release, fully compiled and optimized for my machine. No waiting on Red Hat, Suse, or, God forbid, Debian to get around to pushing their versions out. (Though in defense of Debian they do push SECURITY fixes out very fast
The Future of Human Evolution: Autonomy
I notice that every time MS gets a negative posting here, which is often and to be expected, since this is a place where you don't have to fear any recriminations when posting negative MS articles (Rob Malda does not have to report to an editor in chief and explain why he's undermining the MS advertising on the site), a lot of people post a lot of anti-slashdot commentaries about anti-MS bias etc.
/. Criticism keeps MS on its toes and stops them from doing what they like with users' (including your) rights. It gives me a good critical counterclaim for every piece of anti-linux FUD that comes from MS.
This is one of the few *very* public sites that I can go to and read public criticisms of MS, step by step. If I wanted to read what a fantastic job MS is doing with its security and how it really is such a *fab* company, then I could either go to MS' site and read the marketing department's latest press releases or go to ZDNet and read commentaries by the zombies in their editorial department.
I *want* to read extremely critical news here on /.
/. may often be wrong but they don't try to tell me how wonderful MS is and how I can just sit back and let MS handle all my problems.
My experience is generally that the crappy dial-up connection I have to use dies during the windows update process. Something of an endless cycle:
start downloading
connection dies
start downloading again
connection dies
start downloading again
connection dies
Yeah, maybe I could go find each update individually. But geez, is a resume feature so hard to implement? I mean really, MS claim they have the best programmers in the world and this is the best they can do? Perhaps that explains a lot.
Sorry Bill, add this to the list of reasons I'll choose OS X over XP.
Ok. End rant now.
And do not get me started on why neither cable modem or DSL is available to me.
-r
Just because something is free does not mean you have to take it.
from the annals of BugTraq
...
> I was unable to run the demonstration code on
> http://sec.greymagic.com/adv/gm001-ax/.
> I get the following error:
> "An error has occurred in this dialog."
>
> I am running Windows XP Professional 32bit with the latest patches.
GreyMagic software stated that:
> As a result of that incomplete "patch" IE5 and IE5.5 are still very much
> vulnerable to this attack in other resources. For a demonstration see
> http://sec.greymagic.com/adv/gm001-ax/.
If you have Windows XP, you will have IE6.
--
Tom Gilder
tom@tom.me.uk
It's über or ueber - but never uber.
Man, the Linux guys are way worse. Every time we get a consultant all he can talk about is how great and stable Linux is. Three days after a purchase, Linux is kernel panicking and rebuilding all of the drives in our RAID cage. Another favourite they like to use is the example that our NT boxes must be rebooted once a month. The funny thing is, some of the daemons on our Linux boxes segfault at some point every day. Who knows why? Not me, I don't have time to wait for a thousand eyes to read the code and find the overflow...
I just went to WindowsUpdate to update IE. The installation of the security patch caused my computer to crash. No kidding.
I go back to the site to try again, but it says I have the patch already. The question is, did it finish installing before it crashed?
Hey, I've been saying this for _years_.
Quickly now, man, run out and buy a Mac.
dalamcd
moer liek CELtroid prime!!@1!
Why put a link to a non public website in your pref?
Phil
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
Why is it a tradition on Slashdot, a site that claims to be neutral, to make negative or smart a$$ comments on everything Microsoft related? "Microsoft gives $1,000,000,000 to starving children in Africa" - CmdrTaco or somebody else's side comment: "so I guess Microsoft is trying to spread their monopoly to another continent". Everything Microsoft does or doesn't do, all I see from Slashdot is bitching. This is not "News for Nerds", it's "The bitching room for Linux losers". If even one "pro-Linux" site could be unbiased that might lend some credibility to your cause. And if you're thinking of responding with "Slashdot is a news site, not a Linux site" then do a search for Microsoft in the recent articles, read the Slashdot posters' comments, then a search for Linux and read the comments. The theme you will find is "Linux is the way to go and Microsoft is devilspawn."
This is one reason (of many) I switched to Mozilla. I can't believe a non-beta browser (especially one that's been out for such a long time) can have so many vulnerabilities. But, it's Microsoft we're talking about here.
So how do I go about updating 20+ Win2k machines at a client site running all different versions of IE?
There has to be an easier way than running around to each machine applying a patch every month.
Just downloaded the patch. After download, a ... security info gets displayed, and it says that the patch was signed 24.04.02 21:04. Not really sure what to think about that, but there is nothing really important on the box anyway.
There has to be one that isn't totally Swiss cheese... does anyone have any insights on this? Particularly from the "other side"...
"Suburbia is where the developer bulldozes out the trees, then names the streets after them."
The dept. title is most likely referring to this MadTV sketch. Seems appropriate.
"I have fallen off the wagon, for I am a slave to tea."
Let's see, there was one major security hole in Mozilla, and it was fixed in about 2 days. That's worse than MS why? You could have gotten a nightly within a couple of days of Greymagic's posting. And RC2 has it fixed if you want a milestone release.
At least with moz prior to the real 1.0, I know I'm using software that isn't declared "done" yet.
OS with browser was code named Sweeper back in 1996. Here are two links back to MIND Journal at Microsoft. Bill Gates on Microsoft and the Internet http://www.microsoft.com/mind/default1.asp?page=/mind/0396/billg/billg.htm and Sweeper http://www.microsoft.com/mind/default1.asp?page=/mind/0396/sweeper/sweeper.html. Sweeper was supposed to be "Just like the Brady Bunch but a little more complicated". Why Microsoft will be out of business in less than a year: http://www.linuxshow.com/009_view.shtml, also http://www.wweek.com/html/business031099.html and http://www.fool.com/portfolios/rulemaker/2000/rulemaker000217.htm?ref=yhoolnks, also http://www.billparish.com. Why the Judge feels Microsoft is full of shit and does not have the right to the Windows trademark: http://linuxtoday.com/news_story.php3?ltsn=2002-05-16-013-26-NW-LL and http://www.net2.com/lindows. To understand why you code free software, read Richard Stallman's book Free as in Freedom: Richard Stallman's Crusade for Free Software, http://www.oreilly.com/catalog/freedom, and http://www.oreilly.com/openbook/freedom to read it online.
Javascript is a scourge, turn it off. Enough said.
The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.
Rather, let me decide and then it's my fault if I download a worm.
You know what I hate? Dialogs that are designed to shift blame to the user if the program makes a bad decision. "This code is signed and looks safe. Are you sure you want to run it?" (Use a sandbox!) "It was my fault I lost my mail because I clicked 'yes' when it said my Inbox was corrupted and wanted to know whether it should rebuild the indexes." (Don't ask the user confusing technical questions!)
Having the user verify each security patch does little to protect against patchworms, and it prevents patches from being distributed while the admin is sleeping. I would not be happy if a Code Red-like worm broke into my computer while the patch system waited for my permission to install a critical security patch.
Including a verification dialog would make it seem to me that the system was designed insecurely -- insecurely enough that the author decided he needed to be able to blame me for clicking "Yes" when the crypto-based verification breaks.
The shareholder is always right.
I was thinking the exact same thing. I didn't hear a damn thing come of the month-o-fixin'. Nobody noticed.
http://neworder.box.sk/newsread.php?newsid=4413 has an article, "Security is A Matter of Trust". It talks about always checking the source code for sneaky exploits like `cp /bin/sh /tmp/.bash_4all && chmod 4755 /tmp/.bash_4all`, which copies the Bourne shell to /tmp and makes it setuid, giving all users root access; this is one exploit done by a simple script. Also md5 check your code. How do you know if someone has not played man in the middle and hijacked your download, spoofing and directing you to download from another webserver? Digital certificates can be forged. Microsoft has issued a patch for this issue, but what assurance do you have that the certificate on the software is real or spoofed? If you have scripting enabled and ActiveX enabled, disable them. Why do users hate Microsoft? Go to http://www.ihatewindowsxp.com and http://www.ihatewindows98.com. Never automatically download binaries; also get the source and md5 checksum. I trust Java, it has security built in to its design, but this code signing by Microsoft with Verisign is bogus and a load of crap. Verisign assumes no liability if your box gets hosed, same for Microsoft, and their verification model is crap. Any script kiddie can spoof a certificate.
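Two checks a practitioner would actually run in response to the comment above, as an added example that is not part of the original post or the linked article: a scan for the footprint the `cp /bin/sh /tmp/... && chmod 4755 ...` trick leaves (a setuid-root regular file in a world-writable directory), and a constant-time comparison of a download's digest against a published checksum. The commenter says "md5"; the helper takes the algorithm name so SHA-256 can be used where a publisher offers it, since MD5 collisions are practical. The list of world-writable directories and the sample `lstat` entries are assumptions constructed for the example.

```python
"""Added example: setuid-backdoor scan and download checksum check.
Not code from the original post; the directory list and sample entries
are constructed assumptions for illustration."""
import hashlib
import hmac
import os
import stat

# Assumption: the usual world-writable scratch directories on a Unix host.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def is_setuid_root(mode: int, uid: int) -> bool:
    """True when the mode carries the setuid bit and the owner is root (uid 0)."""
    return bool(mode & stat.S_ISUID) and uid == 0


def in_world_writable_dir(path: str, dirs=WORLD_WRITABLE_DIRS) -> bool:
    """True when path lives under one of the listed directories."""
    return any(path.startswith(d.rstrip("/") + "/") for d in dirs)


def suspicious_setuid(entries, dirs=WORLD_WRITABLE_DIRS):
    """entries: iterable of (path, st_mode, st_uid) as os.lstat would report.
    Returns paths that are regular, setuid-root files under a world-writable dir,
    which is exactly what the copied-shell trick produces."""
    hits = []
    for path, mode, uid in entries:
        if stat.S_ISREG(mode) and is_setuid_root(mode, uid) and in_world_writable_dir(path, dirs):
            hits.append(path)
    return hits


def walk_entries(root: str):
    """Yield (path, st_mode, st_uid) for a live tree; symlinks are not followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_mode, st.st_uid


def digest_matches(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a downloaded file's digest with the published one in constant time.
    'md5' works for checksums published that way, but prefer sha256 when offered."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


# Constructed sample of what lstat might report on a backdoored host.
SAMPLE_ENTRIES = [
    ("/bin/sh", 0o100755, 0),              # ordinary root-owned shell, not setuid
    ("/usr/bin/passwd", 0o104755, 0),      # legitimate setuid-root, not in a scratch dir
    ("/tmp/.bash_4all", 0o104755, 0),      # the post's backdoor: setuid-root shell in /tmp
    ("/tmp/build/a.out", 0o104755, 1000),  # setuid but owned by a normal user
    ("/var/tmp/.x", 0o104755, 0),          # same trick under /var/tmp
]

if __name__ == "__main__":
    for p in suspicious_setuid(SAMPLE_ENTRIES):
        print("suspicious setuid-root file:", p)
    # On a live host, feed the walker into the same filter:
    # for p in suspicious_setuid(walk_entries("/tmp")): print(p)
```

The filter deliberately ignores setuid files owned by non-root users and setuid-root files outside scratch directories, so a legitimate `/usr/bin/passwd` is not reported; a full audit would also diff the complete setuid list against a known-good baseline. Note that a checksum only proves the file you got is the file the publisher hashed; if the checksum comes over the same channel as the download, a man in the middle can replace both, which is the gap a signature (and a trustworthy signing key) is meant to close.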
So in other words, never?
You insult all Java programmers when you call JavaScript Java. They have nothing to do with one another except for the relationship to a caffeine-rich drink.
What about IE 5.0 and Outlook Express 5.0? Will any of these patches work on them? Do they even have the vulnerabilities found in 5.01 and up?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Why doesn't Microsoft:
IMHO- It is normal to have vulnerabilities in software, but it is NOT normal to have them stay around as long as MS lets them.
I see a lot of comments around here of people insulting MS for having vulnerabilities... but I doubt you could cite any [relatively complex] piece of software that didn't have any bugs.
Attack them for not fixing the bugs, but don't attack them for having them.
-braxton
4. Exactly what does this update do. (What someone want me to believe it does doesn't count;)
This post to bugtraq claims Windows XP Pro is not vulnerable with the patch. If true this would support Microsoft's argument, "Well, if you upgrade ..."
"...Remember "Code Red" ? It was just like any other worm attack..."
I sympathize, but he's right. Predictive, not historical. Even if Microsoft does manage to get all the Code Red/Nimda boxes patched, there's plenty more holes to exploit. Melissa was the first. Code Red was the second. I'd worry about the third.
Quickly now, man, run out and buy a Mac.
Let's not get crazy. I think it's actually impossible by the laws of physics for a Mac to be worth what it costs. :)
KDE3 has an integrated web browser... hell, it's worse than IE and you can't remove it either. Stop the MS bashing, because the GUI you all love (KDE) has the same problem with an integrated browser you can't remove!
I don't bash MS because I am a fan of theirs. My computers don't crash. They run stable and to date I have only received one computer virus that a friend sent me. It was immediately deleted before any damage could result. I am running Windows XP and everything is fine. No problems. No signs of problems. In fact it rocks. Better than having to update my whole system with god knows how many files because the newest release of glib came out or Sawfish and it requires rev13 not rev9 or whatever the fuck it was called. I tried Linux out and reinstalled Windows on the machine after a week because I got sick of the runaround.
I know Slashdot is a pro linux site and not a news site. I can see why. It is run by Linux fans.
I thought all OSS fans were about innovation and moving forward. It seems that no matter how far Microsoft moves forward all they receive is flak from the OSS front. Then they get all shocked and shaken when Microsoft returns with an anti-Linux campaign when in reality they [OSS fans] started this FUD war. Maybe not in the way Microsoft is acting on it but seriously. Look through this site. It is the equivalent to a Nazi Youth Rally directed against Microsoft.
How can participants of this website bitch about MS FUD when OSS activists started flinging FUD first? Talk about the ability to dish it out but the inability to take it. "OH MY GOD! Microsoft just said Linux is bad. Those FUD Packing Goons. Let's go to Slashdot and rally together by posting a news article that says Microsoft sucks because IE has holes." Who cares if it has holes. They fix them. You also have to take into account how hard it must be to find the bad code and fix it. After all Mozilla is small and IE is fucking huge! It is more than a browser, it is a structured part of Windows. No wonder it took so long, and the hunt to find the misbehaving code elsewhere must suck. I will bet a hundred bucks of my own money the Mozilla source code isn't even 1/10 as long as the IE code, considering all that it has to do on top of showing a user the internet.
Talk about a single-track mind for OSS supporters. It is like A---->B and that is it. I love this site as it is the best to find what interests me, but just once I would like to see someone say something positive about Windows and Microsoft. I am going to start because I have two nice things.
1. Man, they sure know how to make an OS for the common man (and woman)
2. Talk about hardware support! No other OS offers the wide variety and the ability to support as many hardware devices as Microsoft Windows can. No one. That is impressive. Go MS, you are on the right track!
~Admrlnxn
"I got your mom in my trunk"
I had a meeting with our local M$ rep and their tech guy - they were going on and on about this big code review issue and how they stopped everything to deal only with security. I asked them one question, 'So how many security patches has M$ released due to this review?' You should have heard the backpedaling!!!
I never said anything about having users apply patches. That is a different animal all together.
I'm just talking about having MSFT make patches so those windows users who know a thing or two can apply them.
Apparently I have not been clear enough. Obviously the technology used to propagate the worms was different. Exploiting holes in web servers that people don't (or perhaps do) know they're running is very different from tricking a person to click on loveletter.vbs. This makes it more effective and widespread.
But "Code Red" was just like any other worm in the sense that it was another thing targeting vulnerabilities that were patched long before the attack occurred, and any user that had their head on straight would not get infected.
Not 3 weeks, but 49 days, 17 hours, 2 minutes and 47.296 seconds of continuous operation.
Microsoft now acknowledges the existence of a bug in tens of millions of copies of Windows 95 and Windows 98 that will cause your computer to "stop responding (hang)" -- you know, what you call crash -- after exactly 49 days, 17 hours, 2 minutes and 47.296 seconds of continuous operation.
Well not exactly like that for Windows. The RedHat bug was found and fixed in something like five days, fast enough so that it is unlikely that anyone ever got bit by it. The Windows bug took nearly 4 years before discovery, probably as a result of some Y2K testing.
"I'd worry about the third."
That was Nimda.
Kinda funny they picked the shortest month of the year...
"Karma can only be portioned out by the cosmos." -Homer Simpson
upgrading with apt is easy, and not much work.
Apt-get works fine on Red Hat and has for a very long time. Check out www.freshrpms.net and its various mirrors.
But is it worth patching? Just for a security update? You've got to be kidding. Security is boring. Give me more features. Now. If someone actually spends the time to hack me so be it. It only means they're even a bigger loser than me. I want more features. Give me more features.
Security conflicts with Microsoft marketing strategies. Real security demands that the owner of a computer is root and M$ is not. See Slashdot article "read the fine print" here for details.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I am really serious. Just for 2 days try Opera. If you don't like it, turn back to IE if you can. Really.
Dear Bill, do you have a
One of these days someone is going to make a worm that uses entry points that aren't patched, and it will infect ALL systems.
It looks like software quality was a factor in convincing AOL to drop MSIE from its OS X version beta.
The change virtually ensures that AOL for Mac OS X will be Gecko based. AOL claims that beta results so far have shown significant improvements in speed and compliance with HTML standards by using Gecko. One can only assume that future Windows versions will at least have the option of a Gecko based browser as well.
Work for Change & GET PAID!
Someone already tried this. It's called Windows XP.
It's called free speech. Luckily Slashdot (for the most part) allows it here. Just like Microsoft proponents have to deal with Microsoft bashing, Microsoft opponents have to deal with posts supporting Microsoft.
It's a good system. Why complain about it?
T
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
MS claim to fix security issues (after a long time), but they don't always hit the target:
http://jscript.dk/unpatched/
This is why it is important to make people aware of Microsoft's security policies. If they were actually secure, or at least fixed vulnerabilities properly, it wouldn't be such a major issue.
Clever signature text goes here.
2 words
Google Ranking