Latest IE Hole Lets Gopher Root You
rvaniwaa writes "Another hole in Internet Explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed.""
Written in one of my journal entries.
See if this story follows pattern (I think it will).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Let the "gopher hole" jokes begin.
Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?
sPh
"hostile Gopher site"? Ouch ... I think I shall wear kevlar underpants while using IE in future.
From the article:
In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority.
Yeah, looks like everything's moving full steam ahead on that front.
----
One of us needs to stick one's head in a bucket of ice water.
- Hobbes
And yet, despite regular reports like this, posters on Slashdot keep asking why anybody who "cares about the web" would bother using a browser other than IE, and suggest that somebody who wants to use another browser (and, heavens, support cross-platform and cross-platform browsers) is a naive moralistic high-horse-rider who needs to wake up and get with the program.
With the program doesn't look like a very nice place to get to me....
-Rob
"Where do you want to gopher today?"
"I smell varmint poontang, and the only good varmint poontang is dead varmint poontang, I think."
Well you can't expect Microsoft to keep up with all these new technologies and formats!
--
Don't sweat the petty things, and don't pet the sweaty things.
...I can only imagine how someone found this one.
However dangerous this hole may be, there are a few reasons why it probably won't create an end of the world scenario, most important of these that gopher is absolutely archaic. I personally haven't seen a gopher server since 1996 (at MIT).
Second, as always, Microsoft will have a patch out fairly quickly, which is more than can be said for mozilla half of the time...
*Ducks and covers due to flying penguins*
Linux is dead.
LU
To protect from potential exploiting, you can temporarily disable the gopher
protocol like this:
Go to Tools -> Internet options -> Connections. Click on "LAN settings".
Check "Use a proxy server for your LAN". Click on "Advanced...".
Go to the Gopher text field
and enter "localhost", and "1" in the port field. This will stop Internet
Explorer from showing and processing any gopher pages.
this will protect you for now, at least until M$ pull their finger out
I don't have a root user...this must mean my M$ machine is perfectly safe!?
Has anyone ever tried to compile stats on security holes in browsers? What I'd like to see is a comparison of browsers in this case, with each version listed with the various vulnerabilities found? Obviously, IE is going to come out on top here, but I'd be interested to see such a list anyway. I've looked around the SANS site and didn't see anything like that. I'd even settle for a short summary. Something like IE has X amount of holes, Netscape has Y amount of holes, Opera has Z amount, and so on.
Life is hard, and the world is cruel
Don't use IE!
You're using her as bait, Master!
Most of the other browsers have security holes found in them from time to time as well, but most of the kind crackers out there seem to take a diabolical pleasure in focusing on IE (and since it's one of the core technologies of it, Windows...). If people spent as much time trying to break many of the other Browsers out there, I'm sure they would find they're all their own brand of swiss cheese.
No software is rock solid, even when it's written to be. There's always a european teenager with way too much time on their hands just waiting to turn your Titanium fortress into a window screen...
Linux is dead.
LU
segfault.org is temporarily out of business or it'll be a good time for an "article" in the lines of "no IE security flaws found this week".
now seriously, this is getting annoying. since I started to rely on mozilla only (or since I ditched netscape 4.x for good) some 6 months ago I saw only ONE serious security flaw reported on it and it was corrected in a week or so. but with IE we have at least 2 announcements a month. this is getting so frequent I'm here asking /. to only publish news about IE when the head line is something in the lines of the segfault.org's style headline above. It'd save a lot in terms of my patience and bandwidth.
What ? Me, worry ?
And Microsoft is just getting around to hunting down security holes *now*? What does this say about more current protocols?
I predict that by 2005, they'll start looking for holes in SOAP )
DO NOT LEAVE IT IS NOT REAL
Sandy: "I want you to kill all the gophers on this course."
Spackler: "Check me if I'm wrong Sandy, but if I kill all the golfers, they'll lock me up and throw away the key."
Sandy: "The GOPHERS, man! Kill all the GOPHERS!"
"And like that
Keep the burglars out of your house with the new Microsoft Door. Complete with not dead-bolts, but tape, yes TAPE to keep it locked. Also, we've reached an all new level of user friendliness with the omission of door-knobs!!!
"The best laid plans of mice and men gang oft agley..." - ROBERT BURNS
...anybody clicked on a gopher link?
If there isn't a patch yet, or if MSFT says you gotta have IE6 or something, easiest thing to do is just block gopher. What is the gopher port anyway?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The Official Bugtraq Post:
OVERVIEW
========
Gopher is a protocol developed at the University of Minnesota in the
early 1990's. Gopher servers offer hierarchically organized directories
and files. These form a "gopherspace" which can be thought of as the
predecessor of the World Wide Web. Gopher was mostly abandoned soon after
HTTP and the World Wide Web started gaining popularity.
Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
be accessed via URLs starting with "gopher://". The part of code in IE
which parses gopher replies contains an exploitable buffer overflow
bug. A malicious server may be used to run arbitrary code on an IE user's
system.
DETAILS
=======
When the overflow is triggered, a fixed sized buffer in stack gets
overwritten with data from the gopher server. This data can contain most
octets from 0 to 255 (also nulls) which makes it particularly easy to
inject a working shellcode in it. This is a traditional, trivially
exploitable buffer overflow. A test exploit has been successfully used to
run arbitrary code without user intervention with various IE versions and
systems including IE 5.5 and 6.0.
The attack can be launched via a web page or an HTML mail message which
redirect the user to a malicious gopher server when the victim views them.
The server can be very minimal, ie. a program that can listen on a TCP
port and write a block of data; a fully operational gopher server isn't
necessary in order to carry out the attack.
The exploiter could do anything that a regular user could do on the
system: retrieve, install, or remove files, upload and run programs, etc.
Full technical details aren't disclosed at this time to prevent
exploitation.
WORKAROUND
==========
Internet Explorer users can protect themselves from the flaw by disabling
the gopher protocol. Barely any gopher servers exist on the Internet
today, so this is unlikely to cause problems. If needed, a gopher client
or some other web browser can be used to access the gopherspace.
An easy way to disable processing and displaying gopher pages is to define
a non-functional gopher proxy in Internet Options. Select Tools ->
Internet options -> Connections. Click on "LAN settings". Check "Use a
proxy server for your LAN". Click on "Advanced...". Here you can define
proxy servers to be used with different protocols. Go to the Gopher text
field and enter "localhost", and "1" in the port text field. This will
stop Internet Explorer from fetching any gopher documents.
After installing the patch from Microsoft you can remove these gopher
proxy settings (or restore them to values they had before).
For more information and a vulnerability test see
http://www.solutions.fi
VENDOR STATUS
=============
Microsoft was contacted on May 20th. At the moment of writing this
advisory, Microsoft has started designing and coding a fix, but hasn't
given any approximation of when it would be released. The patch will be
available at
http://www.microsoft.com/technet/security/current.asp
when it is completed.
I'll have something intelligent to add one of these days...
A nice browser feature would be a regular expression based prefilter of web pages. If a file called prefilter.rules exists, the browser would run the raw html of each pages it downloaded through the filter. This would allow admins to make the browser safe again (with some lost functionality) until the browser was patched.
In this case you might want to use a rule something like:
s/(gopher\:[^'" \n\r\t]*)/about:blocked.html?$1/gi
I should see if this is a requested feature for mozilla yet. With browsers knowing about regexp for javascript this probably wouldn't be too hard to implement. Plus once it was implemented, you could use it for blocking ads and other annoyances.
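The prefilter idea from the comment above, as an added example that is not the commenter's code or a feature of any browser: the rule is applied with POSIX regex in C, with the scheme spelled gopher: and matched case-insensitively, writing into a bounded output buffer. The function names and the sample page are assumptions; about:blocked.html is the placeholder the comment uses.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Replacement prefix from the comment's rule. */
#define BLOCK_PREFIX "about:blocked.html?"

/* Constructed sample page, not taken from a real site. */
static const char SAMPLE_HTML[] =
    "<a href=\"gopher://gopher.example.org/1/info\">menu</a>\n"
    "<img src='GOPHER://gopher.example.org:70/9/x'>\n"
    "<meta http-equiv=\"refresh\" content=\"0;url=Gopher://gopher.example.org/\">\n"
    "<a href=\"http://www.example.org/\">web</a>\n";

/* Append n bytes to out[cap]; fail instead of writing past the end. */
static int append(char *out, size_t cap, size_t *used, const char *src, size_t n)
{
    if (n >= cap - *used)             /* one byte stays reserved for the NUL */
        return -1;
    memcpy(out + *used, src, n);
    *used += n;
    out[*used] = '\0';
    return 0;
}

/* Rewrite every gopher: URL in html into out. Returns the number of URLs
 * rewritten, or -1 if the pattern fails to compile or out is too small. */
int prefilter_gopher(const char *html, char *out, size_t cap)
{
    regex_t re;
    regmatch_t m;
    size_t used = 0;
    int hits = 0;
    const char *p = html;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    /* Same character class as the comment's rule; REG_ICASE because URL
     * schemes are case-insensitive. */
    if (regcomp(&re, "gopher:[^'\" \n\r\t]*", REG_EXTENDED | REG_ICASE) != 0)
        return -1;
    while (regexec(&re, p, 1, &m, 0) == 0) {
        size_t start = (size_t)m.rm_so, end = (size_t)m.rm_eo;
        if (append(out, cap, &used, p, start) ||
            append(out, cap, &used, BLOCK_PREFIX, strlen(BLOCK_PREFIX)) ||
            append(out, cap, &used, p + start, end - start)) {
            regfree(&re);
            return -1;
        }
        hits++;
        p += end;                     /* continue scanning after this URL */
    }
    regfree(&re);
    if (append(out, cap, &used, p, strlen(p)))
        return -1;
    return hits;
}

int main(void)
{
    char out[1024];
    int hits = prefilter_gopher(SAMPLE_HTML, out, sizeof out);
    printf("%d gopher URLs rewritten\n%s", hits, out);
    return 0;
}
```

A textual filter only sees URLs that are spelled out in the markup, so it complements the bogus-proxy setting or a port 70 block rather than replacing them.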
Microsoft is so good at screwing up its own OS, thank God they seem to do a good job with Mac apps (though 90% of our security problems are due to M$). This will be moot for Mac Users anyway with Chimera looking better every day (nightly build).
Strange women lying in ponds distributing swords is no basis for a system of government.
Hmmm... Two headlines I saw immediately on going to /. today:
One about a company releasing a report indicating that Open Source software is inherently insecure.
Another about a new security hole in IE (Thank god I use Konqueror ;))
Now we need the good PR people at Microsoft to release the source code to Internet Explorer and IIS so that they can prove their first point...
LedgerSMB: Open source Accounting/ERP
For those of you who don't know what gopher is or where it's being used, here is a little info and some links to projects and sites related to this good old protocol.
About gopher:
Gopher is an infoserver which can deliver text, graphics, audio, and
multimedia to clients. Keeping documents "link clean", making linking a
function of the server info-tree and not in the doc, layout is kept to
its most frugal minimum, and is standard across all docs. No graphic
design means its the ideal navigable interface, a hypertext Eden. It
gives simplified usage for sight-impaired users, same contents for
wired/wiredless, and requires no capital investments in layout and
"design". Gopher is real -- and it was fully functional in 1992, even
without advertisements!
Taken from the gopher manifesto
Google's Gopher stuff
Yahoo's Gopher stuff
For those that want to go gopher hunting. Here's a link to a gopher server at the University of MN. I don't think they will install BackOrifice or something, but user beware!
I wonder how secure a gopher server is?
However, a quicky search turns up several still-active gophers, for example:
gopher://gopher.umsl.edu/
gopher://gopher.cac.psu.edu/
(These actually return data -- some others I found the server up but no data returned).
As to why gopher died out, Tim Berners-Lee offers the following:
(from his book, Weaving the Web)
-- Alastair
Obligatory reference to story posted earlier today...
'Think Tank' Issues Microsoft-Funded Troll
According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little surprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure.
Everybody knows terrorists love to target Mozilla users by sending them links which cause their system to email Star Office attachments to everybody with payloads that will delete all your OGGs and PNGs by exploiting security holes in Sendmail.
"Communism is like having one [local] phone company " - Lenny Bruce
Well, sort of, anyway. They don't go into much detail because of fear of people exploiting it, but it's some kind of buffer overflow (big surprise there) triggered by a malicious Gopher server.
certainly more applicable to the concept of fixing security holes in Microsoft software.
FYI: Whack-a-Mole is an old arcade game where you hold a padded mallet facing a slightly inclined surface with a half-dozen or so holes. Periodically a little mole pops up from a hole, and you try to whack him before he goes back down on his own. A little bit like playing XBill, only in the Real World.
The living have better things to do than to continue hating the dead.
Here is another article from SecurityFocus about the issue, along with the original post to the BugTraq mailing list about this problem.
--Kylus
Idiot-proof something, and Life will build a better Idiot.
Because legit gopher sites that already aren't the problem.
It's bogus trap Gopher sites (Or likely merely URLs) that are.
I'm guessing that the attack doesn't even involve contacting a Gopher server, it is likely to be a buffer overflow attack in the URL. (I'm guessing that it's a relative of previous URL BO attacks that both NS and MSIE were vulnerable to.)
It's just as newsworthy as bogus HTTP URLs rooting your system were. Because these gopher links look just like HTTP links unless you look at your browser's URL display. Most of us, including myself, don't bother looking unless we have reason to be suspicious. (Like any link in a /. post)
retrorocket.o not found, launch anyway?
A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.
Since when did M$ start offering downloads of Mozilla?
I stole this Sig
Where are you getting that? The related article says, 'According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know'
According to the oy online page "The part of code in IE which parses gopher replies contains an exploitable buffer overflow bug... . The server can be very minimal, ie. a program that can listen on a TCP port and write a block of data; a fully operational gopher server isn't necessary in order to carry out the attack. "
It looks like an accurate link to a gopher server is needed for this attack.
It looks like there needs to be a hostile site existing, unless you have another link.
"It looks like an accurate link to a gopher server is needed for this attack.
It looks like there needs to be a hostile site existing, unless you have another link."
It also looks like I should actually read what I write when I preview instead of just checking to make sure that the links work.
As you can imagine, "the gopher hole" was a project microshaft envisioned early-on. They couldn't let this go public until they had something to catch the little beasts with. Fortunately now they can catch the gophers with microshaft's giant .net.
"UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things."
I just found a site with more details. Turns out that a hostile server has to be set up.
So it is a valid remedy.
The site's URL (It's all over this story, but for good measure...) - http://www.solutions.fi/index.cgi/news_2002_06_04?lang=fi
retrorocket.o not found, launch anyway?
It's a buffer overflow originated by a hostile Gopher server.
Just as dangerous, unless you block all Gopher sites using your firewall preferences. As I said before - It's not the legit links (Of which almost none still exist) that are the problem, it's the hostile servers whose links are displayed identically to HTTP links.
retrorocket.o not found, launch anyway?
... this is why I'm still using Lynx. I'll maybe give one of these new fangled "GUI port 80 telnet clients" a whiz once they're robust enough to deal with ten year old technology.
If you were blocking sigs, you wouldn't have to read this.
The possibility of this being a Mosaic hole reminds me of one of life's fun little ironies:
Marc Andreessen wrote Mosaic while at the University of Illinois. After he went on to found Netscape, Microsoft came to an agreement with the University of Illinois to license the Mosaic source code to use it as the core of the Internet Explorer browser. The fact that they still license it is referenced in IE's "About Box". Now the UofI's intellectual property policy is that the creators of the property get ~40% of the licensing money. So, the odds are pretty good that Marc gets annual checks of Microsoft money to pay for his old source code, which was used to destroy his beloved company. Makes me feel bad for him.
Still, it is kind of funny that Microsoft ends up paying some minuscule part of my University salary because they've never been able to write a web browser from scratch.
How long till this is put in a javascript / html email exploit???
Why do we need anything but text in email? I could even live with a subset of html that would display graphics, but full html???
scary....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
Archie was for FTP. The Gopher equivalent was Veronica.
Microsoft: Now with more exploited holes than a two-dollar hooker.
--
I Hit the Karma Cap, and All I Got Was This Lousy
And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?
So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.
So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?
Nope, no sig
I agree. This is just criminal on software makers part to say something is 2K compatible, but obviously never tested at the non-admin level. I tried having my wife's account in the "power users" level (just so there were certain things she wouldn't inadvertently do) and I got tired of stuff not working correctly and eventually put 'em in the admin.
I went round and round with a scanner manufacturer (agfa, anyone?), finally the POS scanner broke and I bought a new one. I actually did a security audit on registry and this is exactly what they were doing. I emailed the info to tech support, told them to please send to their developers. Never did hear anything. What morons are programming this stuff? Who QA's it? I mean, are they not capable of creating an account that isn't an admin? Biz software is fairly good at this (because at your office, you're probably not an admin of the box), but home software is bad. Really bad.
DO NOT DISTURB THE SE
The sad thing is, so much stuff doesn't work on NT/2000/XP if you're not a local admin.
Really? I've been using W2K since beta 3 came out, and the only thing I haven't been able to do as a normal user is run Windows Update. (And I'm not exactly complaining about that.)
Tarsnap: Online backups for the truly paranoid
gopher://gopher.URr00t3d.ru
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
Asked to comment on the implications of this discovery for Microsoft security, Bill Gates pointed to the sky, uttered some comment about "ze plane," snapped his fingers and promptly vanished.
Eloi are stupid, throw morlocks at them!
Hmmm, yet another underground uprising eh?
Not only does the thing damage IE, they're hell on lawnmowers too.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
For those with firewalls, be sure to block port 70, if you do not already.
Port number
Not sure if a user could redirect gopher to port 80, but at least this will lock out the script kiddies. Be on the lookout for html emails with this stuff. Count your blessings that MicroSoft has not been able to put all traffic on port 80 (yet), and you can still filter some things....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
This is fine and good, but could we please stop this needless bashing of MS? There are better places for security information than Slashdot. Perhaps show just a hint of optimism instead of negativity all the time.
Many Slashdot readers have a serious flaw in placing the blame on one entity known as "Microsoft." They forget that MS is divided into many project groups with many developers that most likely do not have contact with other group members. If you want to make a better comparison of MS vs open source then take 80-90% of _all_ open source programs and compare the number of flaws to MS' flaws. Take a simple program like "BitchX," an IRC client. It has had countless security issues, and IRC has been around since '89 or so. We like to conveniently forget about sendmail and bind and focus on the Linux kernel stability. Let's not forget that the Linux kernel has a very poor track record of stability and security. Remember the 2.0.3x series? Nearly every other kernel had a remote exploit. In conclusion: there is no equal or objective comparison between MS and "Linux" (or whatever you want to define as the yardstick of security.. which is typically "Linux" on /.) in terms of security. It is nonsense and articles like this tell me that Slashdot editors are more interested in emotionally attached flamewars to increase page hits and advertisement views than actual unbiased news.
Dijkstra Considered Dead
LOL this story after reading that crap about Open Source helping terror.
Who needs a patch? just download OPRA and bam fixed.
...why do they have to find and fix them one by one? Can't they switch to a programming language, or debugging tool, or run-time library, that would find and fix all of them?
Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?
Should buffer overflows be as outdated as Gopher itself?
"How to Do Nothing," kids activities, back in print!
Closing all the pop-up windows that you get at some sites is like playing whack-a-mole.
In Soviet Russia, hot grits put YOU down THEIR pants.
This could bring the entire Internet community to a halt!
Next thing you know, they'll discover people using IE for archie searches will allow users to hack your windows box too.
---
The Internet is generally stupid
Actually four. But that's not really the point.. Probably none of the existing 'legitimate' gopher sites are 'hostile', so it doesn't matter if it's 4 or 400000000. It's not that hard to publish a _new_ gopher link to a hostile site.
--
Stay tuned for some shock and awe coming right up after this messages!
Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malicious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.
A smart worm could:
1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
2. Open up a dummy gopher port which responds to all requests with the exploit.
3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
4. The worm installs itself on all client machines that click the gopher links and begins scanning for vulnerable servers.
5. Goto 1.
None of this has anything to do with the number of gopher servers left on the Internet.
-josh
You don't have to click. All the cracker need do is force a redirect to a "gopher" site via HTTP or Javascript or whatever. And it doesn't have to be a real gopher site, just a server that injects the exploit.
What's worse? Saying "Don't use IE!" as a blatant attempt at karma whoring, or that some idiot moderators modded that up.
Logic check: "Don't use the browser that most websites are designed for!"
Do you really think I'd be using IE right now if Opera was cutting it?
"Derp de derp."
But it started off a pretty good thread, eh?
sPh
if Microsoft's programmers spent more of their time on writing clean code and less time on coding Easter Eggs in Office Applications, Internet Explorer and Windows.
utter rubbish
I agree that moderating this crap up is even worse than posting it.
3.243F6A8885A308D313
If you are using Mozilla then it appears that it has a few problems handling the gopher protocol, since those same links work fine in MS-Internet Explorer.
Jumpstart the tartan drive.
Set your gopher proxy to something bogus.
I found it humorous that in the "Special Offers" Box there was an ad/link that read: "Access Your PC from Anywhere - Free Download"
The problem is that with only 32-bit addressing it's impossible to programmatically store all of the bugs in Microsoft's software.
The global economy is a great thing until you feel it locally.
They don't care.
Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
There are just too many morons out there buying their stuff, so the situation won't change anytime soon.
And don't give me that crap about being forced into using it. No one is going to hold a gun against your head and say: use explorer or die.
If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.
Click here to download it.
my other penis is a vagina
Close one window, two more pop up!
Since when does Windows use Root for its superuser account???
Stop mixing windows and linux lingo!
In related news, Mozilla 1.0 is finally out! celebrate!
Do you even need to redirect? What happens if you do img src="gopher://site.running.exploit.server"?
Damn gopher holes, routing around my backdoor. Guess I'll have to close up my ground floor Windows to stop them from coming in and gnawing at the foundation.
--- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
Whaddya expect, original writing at /. ?
t_t_b
I'm on PJ's "enemies" list! Are you?
$5 / month hosted VPS on linux = awesome!
Hey, maybe we could use this to our advantage, like Click here to upgrade to Linux!!
Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."
Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our company's reputation."
He deserves it.
There's an intrinsic problem, but it's not specific to client-server. The basic problem is programmer attitude. There's two basic attitudes towards input data:
- All input data is assumed to be valid and legal until proven otherwise.
- All input data is assumed to be invalid and illegal until proven otherwise.
The correct attitude to take is #2: assume anything handed to your program from outside is completely screwy until you can validate it. So, for example, you assume an input stream is infinitely long and will overflow your buffers until you determine, by hitting an end-of-data mark without having overflowed your buffer, that it isn't. But this is hard to do, because your code has to handle arbitrary input and be prepared to handle anything thrown at it. It's easier to code to handle correct input and throw in a bit of error handling that you hope will catch all the invalid cases. That's attitude #1 at work, and as proven again and again it results in conditions that your program can't handle correctly and can't detect correctly. Until attitude #1 is eradicated, we'll continue to see security holes that exploit problems in input data handling.
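An added example, not part of the comment above and not IE's code: a C parser for one gopher menu line (the tab-separated, CRLF-terminated layout of RFC 1436) that treats every field as oversized until its delimiter arrives within the buffer. The field limits, type names and sample line are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Field limits are assumptions chosen for this example. */
#define MAX_DISPLAY  128
#define MAX_SELECTOR 256
#define MAX_HOST     256

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_MALFORMED };

struct gopher_item {
    char type;
    char display[MAX_DISPLAY];
    char selector[MAX_SELECTOR];
    char host[MAX_HOST];
    unsigned port;
};

/* Copy bytes up to `delim` into out[cap]. The length check runs before every
 * write, so an endless field is rejected as soon as it outgrows the buffer,
 * without waiting for a delimiter that may never arrive. */
static enum parse_status take_field(const unsigned char *buf, size_t len,
                                    size_t *pos, unsigned char delim,
                                    char *out, size_t cap)
{
    size_t n = 0;
    while (*pos < len && buf[*pos] != delim) {
        unsigned char c = buf[*pos];
        if (c == '\0' || c == '\r' || c == '\n')
            return PARSE_MALFORMED;   /* NUL or a stray line break inside a field */
        if (n + 1 >= cap)
            return PARSE_TOO_LONG;    /* no room left for this byte plus the NUL */
        out[n++] = (char)c;
        (*pos)++;
    }
    if (*pos >= len)
        return PARSE_TRUNCATED;       /* delimiter not seen yet: need more data */
    out[n] = '\0';
    (*pos)++;                         /* step over the delimiter */
    return PARSE_OK;
}

/* Parse one line: <type><display> TAB <selector> TAB <host> TAB <port> CRLF.
 * The "." line that ends a menu is left to the caller. */
enum parse_status parse_menu_line(const unsigned char *buf, size_t len,
                                  struct gopher_item *it, size_t *consumed)
{
    size_t pos = 0;
    char portbuf[6];                  /* at most 5 digits plus NUL */
    unsigned port = 0;
    enum parse_status st;
    memset(it, 0, sizeof *it);
    *consumed = 0;
    if (len == 0)
        return PARSE_TRUNCATED;
    if (buf[0] < 0x21 || buf[0] > 0x7e)
        return PARSE_MALFORMED;       /* item type must be a printable character */
    it->type = (char)buf[pos++];
    st = take_field(buf, len, &pos, '\t', it->display, sizeof it->display);
    if (st != PARSE_OK) return st;
    st = take_field(buf, len, &pos, '\t', it->selector, sizeof it->selector);
    if (st != PARSE_OK) return st;
    st = take_field(buf, len, &pos, '\t', it->host, sizeof it->host);
    if (st != PARSE_OK) return st;
    st = take_field(buf, len, &pos, '\r', portbuf, sizeof portbuf);
    if (st != PARSE_OK) return st;

    if (pos >= len)
        return PARSE_TRUNCATED;       /* CR seen, LF still to come */
    if (buf[pos++] != '\n')
        return PARSE_MALFORMED;
    if (portbuf[0] == '\0')
        return PARSE_MALFORMED;
    for (const char *p = portbuf; *p; p++) {
        if (*p < '0' || *p > '9')
            return PARSE_MALFORMED;
        port = port * 10 + (unsigned)(*p - '0');
    }
    if (port == 0 || port > 65535)
        return PARSE_MALFORMED;
    it->port = port;
    *consumed = pos;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample input, not captured traffic. */
    static const unsigned char ok[] = "1Campus info\t/info\tgopher.example.org\t70\r\n";
    unsigned char endless[4096];
    struct gopher_item it;
    size_t used;
    memset(endless, 'A', sizeof endless);   /* a "line" with no delimiter at all */
    printf("valid line:   %d\n", parse_menu_line(ok, sizeof ok - 1, &it, &used));
    printf("endless line: %d\n", parse_menu_line(endless, sizeof endless, &it, &used));
    return 0;
}
```

Because PARSE_TOO_LONG is returned before any delimiter is seen, a caller reading from a socket can drop the connection instead of buffering more of an unbounded reply.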
From the article: "Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the security hole on May 20 but the software giant has yet to produce a software patch to fix the problem."
I don't see why Microsoft just doesn't disable the gopher protocol--that wouldn't take long, would it? I haven't seen a gopher site for five years. I don't see any point in keeping it...
Anyone want to start with conspiracy theories that M$ wants bugs in its software? ;-)
There are some things that don't require Admin access, but I'd say installing hardware drivers should.
Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.
Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.
For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...
I agree, but I wasn't very clear. This was just USING the software. It flat out wouldn't work without admin access.
Actually, I've run across some stuff that has the opposite problem of putting stuff in HKLM section. It ONLY put it in the current user. IMHO, a product shouldn't be able to say it is nt/2k/xp compatible without giving you the option of installing for the current user only or ANY user of that machine. Sometimes you have to run the install twice or more (once for each user), overwriting files, just to ensure everyone gets the registry entries.
DO NOT DISTURB THE SE
DETAILS
When the overflow is triggered, a fixed sized buffer in stack gets overwritten with data from the gopher server
You have got to be terminally thick in the head to write code that does that. I always hear these stories about the IQ-testing Microsoft entrance exams... did they outsource IE production to some schoolboys or something?
MS should be bashed...it's like the diner that tries to sell rancid water and stale bread for $100(us). They use whatever means necessary to beat down their competition, so almost all of the other diners (or food producers) have gone out of business or are struggling. You can get better food from homeless shelters for free.
Probably 80-90% of all open source programs are made by one or more of: script kiddies, teenagers playing around, hobbyists, power users, people that bought "Learn to Program C in 21 Days" who now think they are "experts", and the people who can't program so they start a project on SourceForge with a basic description and hope someone bites. None of these people should be expected to create a decent, bug-free program. For you to even think MS needs to be compared with them shows how backwards your position is.
Anyone and their cat can start an open source project in their garage. It doesn't mean anyone will use these programs, and it is absurd to compare those projects with a funded company that has paid professional programmers. However, from what I've seen, Microsoft would barely scratch by with even this test. If compared with the commonly used (and made by real programmers) Open Source projects, Microsoft wouldn't even have a chance.
I've used it before. Not to dis the guy who made it (BitchX isn't too bad an effort), but it does seem a bit script kiddie-like. In fact only a script kiddie would choose such a name. ;-) In fact read their page: "BitchX was started by Trench and HappyCrappy as a script for the ircII client."
Why don't you compare BitchX with Microsoft's IRC client--assuming they still have one. All I remember about it was almost no features and stupid cartoons. BitchX has lots of features. Not that I'm saying they should be compared, BitchX is made by script kiddies after all--in fact they seem to want to be known as script kiddies--just look at their page!
What kind of dumbfuck would use sendmail or bind on their servers??? There are plenty of alternatives to those programs...
There is no equal or objective comparison between the two because MS doesn't care about security or bugs! Whatever Linus would call a "Brown Paper Bag Bug", Bill calls a "feature". ...and I don't think most slashdot readers define Linux as a "yardstick of security". That would be something more like OpenBSD, who kick the hell out of Microsoft in terms of paranoia and therefore security. Numbers from bug reports aren't a good comparison between them either--the OpenBSD people seem to raise hell when they find the tiniest potential exploit, while Microsoft won't even acknowledge the most horrid of bugs/exploits and will only release a patch if they are embarrassed into it.
tried having my wife's account in the "power users" level (just so there were certain things she wouldn't inadvertently do)
Wow. You've taken the BOFH persona to a new level...
Now you will probably say "Well they aren't expected to make bug-free programs," and I will tell you that you do not give a damn about bug-free programs and you simply want to bash Microsoft. If you cared about it then you would have well-paid professionals who _designed_ the software. Instead you are using software designed by hobbyists in their spare time which at any given moment could theoretically crash and burn and destroy your entire computer. You won't believe this is possible simply because you are so sold on the Linux hackers' reputations of good, honest, giving people.
To gripe about bug-free programs and to be using software that was not designed, but hacked together is pure hypocrisy. Actually it is a horrible effort. It is an extremely hacked-up ircII (the original IRC client). Because of the layers upon layers of hacks almost nothing works consistently. There are antiquated features still present with new features simply thrown on top. But this is my point. Microsoft is not simply one individual, nor are they one group. They have many different groups working independently. I'm sure they have varying degrees of skill level too. Many, many people would (and still do). This is FUD. MS released info on the Code Red worm way before Slashdot (and many others) got word. If I remember correctly, it was _months_ before Slashdot posted about it. There was no pressure to say anything about it.
Dijkstra Considered Dead
Schizophrenia is not what you think it is.
What you are thinking of is Multiple Personality Disorder.
graspee
"Anyone and their cat can start an open source project in their garage"
Whoa! Maybe this would be a good idea for a new claymation by Nick Park (of Wallace and Gromit fame).
graspee
Windows doesn't have "root", it has an "Administrator" account. They are substantially different (I think Microsoft's security scheme is considerably worse and more difficult to secure).
With even people who know the definitions of words misusing them for the benefit of people who don't, what hope for the English language, the human race?
graspee
1) I didn't exactly "slam" the poster, I merely offered information, which the poster agreed was correct.
2) It's a while since I did my Psychology degree, so I had to recheck the DSM-IIIR, but I was in fact right, and the code 300.14 is given to "Multiple Personality Disorder".
3) "both dissociative identity disorder and schizophrenia work for the joke." Haha, jokes about debilitating mental illnesses - I'm really laughing.
graspee