Slashdot Mirror
MSIE Uber-patch Of The Month
mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/"
Maybe not even all six -- the maintainer of the above URL
claims in a post to Bugtraq
that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability.
Also, please compare to previous MSIE Uber-Patches Of The Month:
December 2001, 3+? holes in IE;
March 2002, 2+? holes in IE;
April 2002, 2+? holes in Mac IE.
Microsoft released another security patch for Internet Explorer
Is it Thursday already?
--saint
Saying you're trying to fix all the holes in IE is like saying you mean to turn a sieve into a bowl.
::shudder::).
Seriously, it seems they are finally turning around and trying to make their products more reliable. They've come a long way since Win95 (or WinME...
The speed of time is one second per second.
luckily several other competing browsers have much less patches that have to be applied.
netscape - doesnt have any holes - it crashes before anyone have time to exploit them.
mozilla - its not called holes, its a feature until further notice.
opera - pages download quick, dont they? then stfu.
According to NTBUGTRAQ it breaks certain javascript
= 1& A2=ind0205&L=ntbugtraq&F=P&S=&P=2859
http://www.ntbugtraq.com/default.asp?pid=36&sid
The example code that fails with the patch is here.
Those who will sacrifice Freedom and Security will get Windows...
you know - with this many patches, IE is moving from the realm of science fiction to high fashion!
It's all that Microsoft non-compliant human behavior. As soon as they fix that the need for patches will go away.
A feeling of having made the same mistake before: Deja Foobar
This is the big patch that really should be fixed.
It is the one that makes it dangerous to push the Back Button
the page you link to HAS the vulnerabilities fixed LISTED.
i tical/Q321232/default.asp)
And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/cr
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
It worries me that a patch can be news. Microsoft really has people waiting in anxiety for a new patch to fix (and add some new) security holes.
Brr. I hate monopolies.
I going to write a letter like the Peruvian one to my government right now!
DNA is the ultimate spaghetti code.
What about this?
Netscape isn't secure either. A well written web page can read and capture local files.
Micro$oft, although they write their fair share, isn't the only company that writes bad code.
The difference is we don't claim Linux to be completely secure and infallable and we just didn't announce several months ago that we would dedicate our selves to security (and fail to fix a significant numbers of bugs, besides are they even the ones who found these bugs?). They are unspeakably arrogant and claim to be the best in every area, are we not allowed to mock them when they fail miserably?
I stole this Sig
...doing NOTHING BUT addressing security issues as part of their new security focus.
Do you suppose they need to do more?
"How to Do Nothing," kids activities, back in print!
I think it matters becuase a ton of slashdotters use IE, whether they admit it or not. And for those folks who do use it, they might not have the auto-update turned on, and therefore might not know about the update any other way. Of course they all should be using Opera. . .
The "Windows Update" icon on my taskbar failed to retrieve the patch last night, I had to manually go to the Windows update site and download it. I only discovered this when I started wondering why my VAIO was getting so damn warm, and why the fan hadn't stopped in several hours...
And then they "recommend" that you go for automatic updating. Typical.
My sig is too lon
I'm glad to see them stepping up to patch this stuff. Really. I'm not being sarcastic. A lot of people use IE, and we shouldn't jsut curse our grandmothers and mothers to using a flawed browser. I really salute them for taking the security stance a little more seriously.
Of course, I say this even though my mother got Mandrake 8.2 for Mother's Day.
-- Who is the bigger fool? The fool or the fool who follows him? --
Warning! Positive comments about Microsoft ahead...
I have Windows XP on my desktop and RedHat on my public server.
I have grown to appreciate the way Windows XP patches itself. Frankly it is a bit of a pain in the butt having to apply patches to my RedHat server each month and I would be much happier if it could just do it itself, automatically, like XP does.
I hate Microsoft. They're bastards. But the auto-patching that Windows XP does is great. We need it for Linux, both desktop and server.
With this patch, IE will finally be perfect and I can sleep in peace knowing that Big Bill® is watching over me.
Don't anthropomorphize computers, they don't like it.
Out of laziness, but lately I am not patching IE or any of the other known vulnerabilities on the software I have installed, unless the vulnerability is really dangerous: It comes to a point, that simply, I don't care anymore.
You might say that this is against me, not to patch my software, and you are right, but I am tired.
I think the security model used by MS and others (well, assuming this is a security model) is not valid anymore, I cannot go patching my software every morning after booting the computer!!
Although, there is a NTBugtraq post just now that say the patches break Javascript on MS browsers so maybe you don't want to install it just yet. It states:
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this case) breaks the following Javascript code. This code works in IE versions *not* patched with Q321232 but fails to execute on IE6 which has been patched. I don't have IE 5 or below so I don't know if they broke those versions as well.
Russ Cooper had an article on NTBugtraq recently pointing out how bad MS quality control is. They have separate patch sites for different products with tools that break each others patches. We don't need to break Microsoft up. It is doing so on its own.
Well, the primary purpose of the last patch seemed to be to *add* bugs. My guess is that this patch is to take them away?
-Sara
Microsoft is a formidable opponent. They're very rich and very good at using those riches to get what they want. We need to avoid being smug.
Miko O'Sullivan
Windows Update fatally crashes my system each time I go to download all the 'critical updates' my system needs. Which means that I'm unable to actually patch my boxen, unless I maybe reinstall the operating system, which would make me lose all my application settings/components and be forced to reinstall them, etc, etc.
One central source, one update system. One critical point of failure. One of the many problems that come with having one operating system to rule them all and in the darkness find them...
Boy, do I hope nobody tries to r00t my 98 box. After plugging in my shiny new cable modem it probably looks real attractive now.
speaking of bugtraq, this just came through my e-mail from Greg Chatten with St. Louis Internet.
;)
Date: Thu, 16 May 2002 12:32:17 -0500
Subject: MS02-023 Patch Breaks JAVASCRIPT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The installation of the 15-May-2002 Cumulative Patch for IE (V6 in this
case) breaks the following Javascript code. This code works in IE versions
*not* patched with Q321232 but fails to execute on IE6 which has been
patched. I don't have IE 5 or below so I don't know if they broke those
versions as well.
Then there is lots of javascript. Just like microsoft to break something else while they fix another thing.
The original message should be in the bugtraq archive by now
-- this space for rent --
You are mad if they do patch. You are mad if they don't patch. Make up your mind Slashdotters!
... You know, kind of like the standards we also hold the rest of the software industry to?
I think everybody would be content if Microsoft made an attempt to make their software reliable and secure before they release it
It's been a long time.
I tested the link and supposed vulns with Mozilla 1.0 RC2 and was unable to replicate. If anyone else can do so with the latest build of Mozilla speak up.
What?
Slashdot opinion:
Bah, I'm clicking "ignore posts from MS" on my preferences. I'm starting to think Taco could get his "cult" to commit mass suicide if he could prove that it'd help them rail on MS...
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I think this represents a big change in MS's aproach to security.
:)
Now if only theyd fix the winnuke bug.
I remember one guy in the office wanted me try and break his
über secure win2k box with software firewall.
I winnuked his ass and he cloudn't even move his mouse.
There was no way he could filter it out as the bug is in the TCP/IP stack i think.
Yes I understand this is lame but he asked for it
I know I'm going to hell, I'm just trying to get good seats.
2. Choose a cool marketing name for the hole, like "achilles' hole" or such. Make it fancy.
3. Call the news agencies. Once there is a fancy marketing name, they will jump on it and create public hysteria. Remember "Code Red" ? It was just like any other worm attack except that it had a cool name for the media blew it way out of proportion.
4. Watch the patches roll in.
5. Lather, rinse, repeat. Every six weeks should do it. The public should see a pattern sooner or later.
...and then the flood of users to Opera would cause "security experts" to find the exploits that undoubtedly exist in that product.
The reason why exploits are written for IE/Outlook is not necessarily because Microsoft packs their product full of holes, but because more people use the products, more people will be affected by the exploit, and the chance of the "security expert" seeing their name mentioned in the media goes up.
Come on, they exist.
upgrading with apt is easy, and not much work.
*BSD also have their update tools, and some other posters mentioned Redhat tools.
These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.
For those that are SO lazy that you can't click on the link:
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:
Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.
At least M$ is fixing problems, maybe not as fast as the oss companies/people, but christ.. None of you guys bash redhat, suse and the like when they release an update for an app that can give you root. I know in the /. eyes M$ is the root of all evil, but you know what, best item/app/os for the job.
/. hypocrites, bring this post to a -1.
I don't care if its a mac/ms/*nix/*BSD or what, but if it gets the job done, relatively well and fast, I will use it.
For programming, i don't care if its VB/C/Glade/Perl/Python whatever.. whatever suits the job best. And yes, sometimes, if not MOST of the time, it's a MS solution (for me at least, YMMV).
And for the record, win win98 installation, which I just reinstalled everything ( 2 days worth of installs and hundreds of reboots ) is showing the same symptoms of the problem for the reinstall, which I'm assuming came from windows-update. So no, I'm not living in a perfect world. At the moment, I'm cursing Billy boys name, but I'm still using Win98 for most of development work and 2 linux machines as servers, since, like I said, best solution for the problem.
So flame away, you
"It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
They are finally making the software robust and not crash 20 times a day.
They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
They are finally making it a good product.
What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.
The URL had an extra space in it (which must have been added by slashdot, as I copied/pasted straight from IE.) I just redid this, and Slashdot broke it again (but using HTML the link part works.) Here it is whole:
. asp?url=/technet/security/bulletin/MS02-023.asp
http://www.microsoft.com/technet/treeview/default
fobbman gushes:
The reason why exploits are written for IE/Outlook is not necessarily because Microsoft packs their product full of holes, but because more people use the products, more people will be affected by the exploit, and the chance of the "security expert" seeing their name mentioned in the media goes up.
Exactly, security is directly tied to popularity, why just look at Apache... oops.
The diference is that the people who bring you Apache are subject to peer review everyday, and they don't whine that people only exploit their code because it is popular when holes are found, but rather look at their project rationally, and FIX IT. Pretty amazing difference in handling criticism I would say....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
it is a bit of a pain in the butt having to apply patches to my RedHat server each month
Try AutoUpdate. It does a good job keeping RedHat up to date.
People who disagree with you are not automatically evil, greedy, or stupid.
Indeed. Also s/Microsoft/USA/ and the same would be true.
--
E_NOSIG
While everyone is harping on Internet Explorer problems, I have to openly (pun intended) ask this question: how will we see bug and/or security fixes for Mozilla 1.0 when that is released very soon? Will it be in the form of patch files? Or do we have to download the whole browser all over again?
Raymond in Mountain View, CA
Right, because no software from companies other than Microsoft ever has security or reliability issues? Don't kid yourself!
Most of those products are lambasted as buggy and insecure as well.
Besides which, I don't know of many companies which have such a bad track record of having nearly every product they release almost unsuable because of bugs in it's first release.
It's been a long time.
Actually, it does matter to those people who maintain machines in any sort of environment.
/. rails Microsoft for not patching their bugs, and rallies behind patching up the Linux bugs. Well, let me say this: If you make a patch that no one uses, what's the good in doing it?
If we milk up all of the patches that we can, they're more likely to keep popping them out. If we can give them more feedback, let them know what we need, chances are they'll be more willing to give it. At least they're making an effort to patch the bugs, unlike other companies out there.. And certainly, if you're responsibly doing your job in a corporate environment, this matters- don't want no one compromising your system, does ya?
Just because an article doesn't matter to one doesn't mean that other people won't find it interesting. I don't like Mr. Katz, but I realize that other people find him insightful..
And if you don't use windows at all, lucky you, but I'm sure you have a friend out there who runs MS products, and THEY may want to know. So it does matter in some way.
.
We don't need no Net Explorer We don't need no Thought control
Nobody else claims their browser is a key component of the operating system-- that it cannot be removed because its functionality is so interwoven into the operation of the system.
Of course people are going to flame Microsoft for designing such a product with so many critical security holes which compromise their computer, making it part of the OS and then arrogantly refusing to give people the ability to remove it. At least I can un-install every other browser if I decide it doesn't suit me.
You complain about people flaming Microsoft. I submit to you that if that corporation wasn't so arrogant, pushing its views and way of doing things onto everyone else then stifling the innovation of others, that people would be a lot more forgiving of mistakes.
I have no sympathy. Not for this corporation. Microsoft made this bed, it can sleep it in now.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
These constant Internet Exploer fixes are a result from the "browser wars", when MS an Netscape competed to release their new browser every six new months or so. The rush prevented good code auditing, and several bugs were not wiped.
Now that this "war" is over, I hope MS (and Netscape) make a good review of their browser before releasing it, and stabilize the existing code. If we are lucky, IE 7 will be shipped only in 2003 or 2004 - and by "we" I mean every internet user, for the bugs in IE helped the spread of annoying worms like Nimda and Klez.
Except (if you read the bugtraq post) MS left IE6 vunerable (and released no patch for IE5). It gave incorrect information about several vunerabilities, which makes one suspect that they might have not fixed them correctly.
/. users use IE. Some of them may well be opera or other browser users who have their browsers to announce otherwise, but certainly, a number of /. users actually use IE. Some of us still use Win98 too, even if just at work or at home because our families can't use another OS (yet...)
I can't vouch for the accuracy of the bugtraq post, but if true, this is not 'fixing the symptom until the underlying problem can be fixed', this is 'fixing one popularized symptom while leaving others untouched'.
A number of people have noticed that a majority of
Bullsh*t.
How come my firewall is *still* seeing 80+ Code Red/Nimda probes daily?
Just like any other worm?
You have no clue.
The number of infected Micro$oft boxes out there is scarcely any less than it was six months ago, thanks mainly to clueless Micro$oft users...
t_t_b
I'm on PJ's "enemies" list! Are you?
Just because someone bashed MS, that doesn't mean that they are being unreasonable.
My beliefs do not require that you agree with them.
the MS link to the detailed info about the patch is 'unavail' (ms slashdotted? *grin*) as is the link from the windowsupdate site. What is available follows (I hope you enjoy this as much as I did):
System Requirements: This update applies to Internet Explorer 5.5 Service Pack 2.
How to use: Restart your computer to complete the installation.
How to uninstall: Uninstall is not available.
closed minded is as closed minded does
Have you confirmed these are the exact same people?
Slashdot has many readers and posters, sometimes what seems hypocrite just means different opinions from different sources show up.
Hell yes you are 100% correct.
Not that this affects me at all as I only use mozilla now.
... which has been in progress for the last 4 years, with an existing codebase to work from, and still isn't officially at a 1.0 RTM release.
Simon
Coming soon - pyrogyra
I ran Windows Update last night and downloaded this patch for my Win2k system. I logged into my regular user account and all I get is my backgrond screen - no icons, no start menu, etc. I was able to do CTRL-ALT-DELETE to start the task manager and therefore Mozilla, which I'm using now to post this message.
I tried the same method described above to start IE and Windows Explorer. Both failed. I read the TechNet bulletin referred to in other posts. It looks like MS updated the code that support something they're calling a "local resource file". Correct me if I'm worng, but doesn't MS use "local resource files" to handle the desktop in Win2k?
BTW, the only positive outcome is that my memory usage has dropped form 135 MB to about 80 MB. Besides my desktop, among the missing applications are my AntiVirus program and firewall.
Finally, I get the same symptom when I try to use the Administrator account. I don't know how I'm going to back out the patch if I can't run the Control Panel Applet without IE/Windows Explorer.
Any pointers would be appreciated. Good thing I have a Linux box and/or Mozilla to fall back on.
"I'm The Bounty Bear. I will find him anywhere. I'm searching."
The difference is that the Linux kernel is a work in progress the various patches and changes are released as they are developed - It's a collaborative development effort.
On the other hand IE is developed behind closed doors at Microsoft which claims to do all it's quality control and testing in house before it's software is released - Indeed microsoft claims this as a reason to use Microsoft Software rather than Linux.
I'm starting to think Taco could get his "cult" to commit mass suicide if he could prove that it'd help them rail on MS...
So would we be drinking the Kool*Aid out of a Slackware cup? Or a Debian cup? Or a SuSE cup?
I have to agree. Just earlier today at an online Microsoft seminar, the presenter mentioned that the original version of the IIS Lockdown tool completely broke Exchange Server. To paraphrase him to the best of my abilities, "pretty interface, no email." To be fair, he demonstrated the newest version of the tool, which is supposed to do an outstanding job of locking down IIS, and that problem now has been completely eliminated.
Please subscribe to see the more insightful version of th
For Linux users, it would be up to the Linux distro to provide patches like that if they wished. But none of them will either. Too much work for no money
... its just the snazzy new versions of things that take a lifetime before you see them ... e.g. "Stop asking me when X 4.2 debs will be out, it will be months!" as one of the developers posted, a day or two after 4.2 had been released by the XFree group, and was already up and running on my Source Mage and Gentoo boxes.
On my Source Mage system I simply run a 'sorcery update' before going to bed, and any new versions of packages are downloaded, compiled, and upgraded accordingly. All dependent packages are recompiled as needed, such that all are optomized and compiled against the most current rev. Downloading and compiling mozilla may be time consuming, but if I'm asleep while its happening who really cares?
On my Gentoo system I do an 'emerge rsync' followed by an 'emerge --update system --pretend' (to first see what it is going to do), then if I like what is going to happen, the same command again without the --pretend to actually do the update, followed by an 'emerge --update world --pretend' and, once again if I like what is going to happen, an 'emerge --update world'. If I don't want to upgrade everything (not as safe to do under Gentoo as Source Mage) I simply do an 'emerge --update [package-name]', such as 'emerge --update mozilla' before going to sleep.
In either case, the next morning I wake up with the most current security patches (if any) and newest stable versions of all the Free Software out there, including Mozilla.
I had Mozilla rc2 running within 24 hours of its release, fully compiled and optimized for my machine. No waiting on Red Hat, Suse, or, God forbid, Debian to get around to pushing their versions out. (Though in defense of Debian they do push SECURITY fixes out very fast
The Future of Human Evolution: Autonomy
I notice that everytime MS gets a negative posting here, which is often and to be expected, since this is a place where you don't have to fear any recriminations when posting negative MS articles (Rob Malda does not have to report to an editor in chief and explain why he's undermining the MS advertising on the site), A lot of people post a lot of anti-slashot commentaries about anti-MS bias etc.
/. Criticism keeps MS on it's toes and stops them from doing what they like with users' (including your) rights. It gives me a good critical counterclaim for every piece of anti-linux FUD that comes from MS.
This is one of the few *very* public sites that I can go to and read public criticisms of MS, step by step. If I wanted to read what a fantastic job MS is doing with it's security and how it really is such a *fab* company, then I could either go to MS' site and read the marketing departments latest press releases or go to ZDNet and read commentaries by the zombies in their editorial department.
I *want* to read extremely critical news here on
/. May often be wrong but they don't try to tell me how wonderful is and how I can just back and let MS handle all my problems.
Read my post again.
I was not comparing Apache's complexity to MSIE. I was not comparing Open Source to MSIE. What I did say is that a product's popularity has NO corelation to it's security, and whining that MSIE only has security problems because there are a lot of copies in use is STUPID, and from an engineering perspecitive, DANGEROUS.
But I will try to use smaller words for you next time....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
I just went to WindowsUpdate to update IE. The installation of the security patch caused my computer to crash. No kidding.
I go back to the site to try again, but it says I have the patch already. The question is, did it finish installing before it crashed?
Actuially it's nothing to do with popularity, It's to do with bloat. IE isn't a web browser, it'a an applications platform. It is these features that erode security.
think of the difference between lynx and IE.
99% of web sites hardly scrape at the surface of the capabilities of IE. Sadly the days of quick html rendering have almost gone.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
So how do I go about updating 20+ Win2k machines at a client site running all different version of IE?
There has to be an easier way than running around to each machine applying a patch every month.
Just downloaded the patch. After download, a ... not
security info gets displayed, and it says that
the patch was signed 24.04.02 21:04
really sure what to think about that, but there
is nothing really important on the box anyway.
The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.
Rather, let me decide and then it's my fault if I download a worm.
You know what I hate? Dialogs that are designed to shift blame to the user if the program makes bad decision. "This code is signed and looks safe. Are you sure you want to run it?" (Use a sandbox!) "It was my fault I lost my mail because I clicked 'yes' when it said my Inbox was corrupted and wanted to know whether it should rebuild the indexes." (Don't ask the user confusing technical questions!)
Having the user verify each security patch does little to protect against patchworms, and it prevents patches from being distributed while the admin is sleeping. I would not be happy if a Code Red-like worm broke into my computer while the patch system waited for my permission to install a critical security patch.
Including a verification dialog would make it seem to me that the system was designed insecurely -- insecurely enough that the author decided he needed to be able to blame me for clicking "Yes" when the crypto-based verification breaks.
The shareholder is always right.
Comment removed based on user account deletion
I was thinking the exact same thing. I didn't hear a damn thing come of the month-o-fixin'. Nobody noticed.
The latest version ;)
Well all jokes aside, its the latest version that comes with the a new OS. Next would prob be the "betas".
You got me thinking now. I will look.
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
And which existing codebase would that be?
What about IE 5.0 and Outlook Express 5.0 ? While any of these patches work on them? Do they even have the vulnerabilities found in 5.01 and up?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
4. Exactly what does this update do. (What someone want me to believe it does doesn't count;)
And which existing codebase would that be?
Netscape. Whether they started from scratch or not is irrelevant; it means that they had a whole boatload of signposts and maps with which to plot their course - they didn't have to forge ahead on their own.
Simon
Coming soon - pyrogyra
This post to bugtraq claims Windows XP Pro is not vulnerable with the patch. If true this would support Microsoft's argument, "Well, if you upgrade ..."
"...Remember "Code Red" ? It was just like any other worm attack..."
I sympathize, but he's right. Predictive, not historical. Even if Microsoft does manage to get all the Code Red/Nimda boxes patched, there's plenty more holes to exploit. Melissa was the first. Code Red was the second. I'd worry about the third.
certainly, a number of /. users actually use IE. /. is probably the only source for unbiased technical information about Microsoft products. (I know there's bias too, plenty of bias, but have you noticed that useful technical information comes from the bashers not the astoturfers;)
You have to realize that
Apparently I have not been clear enough. Obviously the technology used to propagate the worms was different. Exploiting holes in web servers that people don't (or perhaps do) know they're running is very different from tricking a person to click on loveletter.vbs. This makes it more effective and widespread.
But "Code Red" was just like any other worm in the sense that it was another thing targetting vulnerabilities that were patched long before the attack occured and any user that had their head on straight would not get infected.
Not 3 weeks, but 49 days, 17 hours, 2 minutes and 47.296 seconds of continuous operation.
Microsoft now acknowledges the existence of a bug in tens of millions of copies of Windows 95 and Windows 98 that will cause your computer to "stop responding (hang)" -- you know, what you call crash -- after exactly 49 days, 17 hours, 2 minutes and 47.296 seconds of continuous operation.
Well not exactly like that for Windows. The RedHat bug was found and fixed in something like five days, fast enough so that it is unlikely that anyone ever got bit by it. The Windows bug took nearly 4 years before discovery, probably as a result of some Y2K testing.
The earliest version you can both find and put up with.
Of course it's unpatched and a lot of holes are widely known.
Then there's the Russian Roulette with the latest and greatest. And the latest and greatest patches. And the latest and greatest exploits.
upgrading with apt is easy, and not much work.
Apt-get works fien on Red Hat and has for a very long time. Check out www.freshrpms.net and its various mirrors.
Security conflicts with Microsoft marketing stratgies. Real security demands that the owner of a computer is root and M$ is not. See Slashdot article "read the fine print" here for details.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
It's a matter of opinion there, really. I ended up using 6.0 and 7.0, and while they didn't have the refinement of later incremental releases, the programs and the underlying OS ran without much of a problem.
It's been a long time.
It looks like software quality was a factor in convincing AOL to drop MSIE from its OS X version beta.
The change virtually ensures that AOL for Mac OS X will be Gecko based. AOL claims that beta results so far have shown significant improvements in speed and compliance with HTML standards by using Gecko. One can only assume that future Windows versions will at least have the option of a Gecko based browser as well.
Work for Change & GET PAID!
It's called free speech. Luckily Slashdot (for the most part) allows it here. Just like Microsoft proponents have to deal with Microsoft bashing, Microsoft opponents have to deal with posts supporting Microsoft.
It's a good system. Why complain about it?
T
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
I'm not sure I'd say *unbiased*, but certainly /. is a heck of a lot more informative than MS themselves.
2 words
Google Ranking