Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
It's sad that, when I saw that the patch was released, the first thing I thought was, "I hope the EULA won't force me to accept automatic installs from now on."
I think I'd rather have an insecure system than one that gives MS carte blanche to install what it wants. There's something wrong with that.
Arbitrary commands run by strangers if I don't,
Arbitrary commards run by Microsoft if I do.
If only more sites complied with standards, I could dismiss MS entirely for Opera.
I can spell. I just can't type.
You're right, the fact that there are security holes isn't news, but the fact that the MS programmers have finally got off their collective fat arses and released a patch IS news.
I'll be pressing the Windows Update button when I get home tonight.
Anyone want to bet on how long before the next MS vulnerability is discovered?
And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
A problem... with a patch? And they announced it? No way... must be one of those infamous typos. Or maybe just another repeat story...
-- Is "Sig" copyrighted by www.sig.com?
pronoblem
Download now to continue keeping your computer secure.
So apparently my computer is already secure and there is no need to download the patch then!
Silly Microsoft.
Why hasn't M$ patented software bugs? I mean, they could easily prove prior art and by the sheer volume of bugs they produce, you'd think they'd want to own the concept.
if they can't be trusted, you shouldn't allow them to connect to the internet at all.
As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.
A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest with them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
For the quickfixes listed at the URL, there is no EULA to install them.
GPL'd web-based tradewars themed space game
Um, shouldn't you allow your family to make their own decisions? You can suggest they don't use MS, but saying you don't allow it seems a little peculiar. And guess what? Programmers aren't perfect. Even the best ones make errors (even Knuth, rarely). The fact that Microsoft found six holes, disclosed it, and released patches is a terrible reason to say "I won't allow my family to use MS". Jeez. Remember the hole in OpenSSH? Do you refuse to let your family use that too?
slashdot!=valid HTML
I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".
For now, my PC is safe from Microsoft forced modifications (relatively speaking).
Avantslash - View Slashdot cleanly on your mobile phone.
Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?
How funny it is to click on this story mocking Microsoft and then see the big fuckin ad for Microsoft Visual Studio.Net
A little too ironic, dontcha think?
SIG:Slashdot: indymedia for nerds.
Am I the only one who noticed this does not include the fix for invalid SSL certificates? Pretty big (and very expensive) problem, I think....
The Right Reverend K. Reid Wightman,
You have to reboot to complete the installation. Great. Now all my server updates (please do not ask why, I just follow orders) are going to be a joy. I can't believe I have to reboot to patch a damn browser.
I don't want knowledge. I want certainty. - Law, David Bowie
If someone with the corporate edition key for XP Pro installed SP1, would they be able to apply this patch as well? I thought the SP1 would lock out all further updates?
Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
You know, I really hate this changing of the EULA... It should be illegal. It's their fault that they screwed up and had it insecure...
This is like Ford issuing a recall, then changing your lease/purchase agreement when you bring it in for the recall...
Slashdot is like Playboy: I read it for the articles
you forgot 'Microsoft warns about security holes'
posted on Friday August 23, @12:38PM
thank God the internet isn't a human right.
While I agree with you on giving people choices, I disagree with the comparison to OpenSSH. You said it yourself, six holes in Windows/IE (today) and the hole in SSH. Hundreds of vulnerabilities vs. one is not a very good comparison.
Ok, it's good that they are at least finding and fixing these, but how many ways to execute code through IE can there possibly be?!?
There already are 16 unpatched security holes in IE, and now there are even more holes. While these ones have patches out there, think about how many Windows users actually do patch their systems; it's not very many. For most home Windows users, there might as well not be a patch available, since they won't patch IE anyway.
In the meantime, I'm more than happy to keep using OpenOffice and Mozilla and know that arbitrary code won't be executed on my system if I click the "back" button. Thanks, Microsoft, for giving us yet another reason to use Mozilla.
"OH MY GOSH!!!! MICROSOFT HAS ANOTHER VULNERABILITY!!! THAT'S NEWS!!!"
Just for kicks, I signed up for Microsoft security bulletins. I get hordes of e-mail every week, as new vulnerabilities are continually found in each of their products. Being an IE administrator, it's important to subscribe to this stuff.
New IE patches come out about every 2 months. This patch is not all that big of a deal. All the fixed issues had workarounds, and a lot of it could be prevented by using a good proxy server.
The fact that Slashdot immediately jumps all over Microsoft for this is ludicrous. Get a life.
There is no reasonable defense against an idiot with an agenda
:wq
One interesting IE security resource happens to be PivX Solutions' "Unpatched IE Security Holes." Extensive information about many of the vulnerabilities addressed by this patch was available there months ago.
;)
My original title (which was edited by michael for purposes of clarity, I'm assuming) failed to mention Office; the CNN story and Microsoft TechNet article didn't seem to coincide. However, it's entirely possible that a few shared components may be vulnerable.
Do you like German cars?
...Microsoft has issued at least 30 security bulletins for flaws in its software.
Well, it seems that they're actually starting to solve some of the problems with their buggy and security flaw ridden software.
Well, as it's been said many times, the first step to solving any problem is to first realize there is a problem. The next step? Use Opera.
If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
They already know. Remember a couple of months ago, when Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. The architecture of Windows is inherently insecure and cannot be fixed. Read all about it here.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
don't even mention the finger worm or sendmail
Fine, you spend your life in grief and fear, I shall honor the dead by living free in my country. Putz.
-- Insert wisdom here:
When asked about what effects the EULA would have on security a Microsoft spokesman said,
'Giving us [Microsoft] access to your [the EULA agreers'] computer will ensure that your computer systems are impervious to viruses [Microsoft Windows]'
>Please be sure to read the EULA before installing the patch.
.com economy goes KABLOOEY!
/. effect, but with no viable evolution occurring
Okay, quick overview of the obvious:
1. Slashdot was born as Rob's blog.
2. Rob's blog was so neat that people told their friends who told their friends who told their friends who told their friends which means
3. Slashdot grows into a meta-geek-culture site.
(Funny to use 'a' there considering slashdot was probably the first, but I digress.)
4. Slashdot the hobby becomes Slashdot the business because Slashdot has juicy eyeball potential and everybody who's anybody is getting a web presence. Rob brings friends aboard to ride the train and help keep it big.
5.
6. Slashdot, struggling as a business model, reinvents its advertising model to essentially become OSDN's advertiser. Not enough banner ads purchased == put the owner's product on every page the eyeballs see.
(Trolls at this point would yell 'unless they pay to get out of it! HA ha ha!' Ahem. Behave.)
7. Slashdot still retains a sizable chunk of the eyeballs it originally grew in step 3. They can still produce the (in)famous
8. Slashdot becomes (reverts to?) Rob and Friend's blog.
Kay. Overview done. ONTO the comment..
>Please be sure to read the EULA before installing the patch.
Well, yeah. It's the same EULA that was in the last security update. That was in the update before that. That was in the update before that. I know, I got bored and started saving them. All of them say the same thing:
'All your microsoft belong to us.'
What I mean is, there's nothing new, nothing earth shatteringly different, it's the same old crap. You run Microsoft on your computer, Microsoft wants you to know that they pretty much own your computer.
Where is the news there? Precisely, what is worth noting about the EULA?
Then again, well, who cares? It's not a news site, it's Rob + Friends blog! If you don't like it, don't come back here. Is that it?
I just think it's odd that nearly every article michael posts starts off as a news piece, and then turns into a vehement OpEd. I mean, make up your mind, are you news, or are you a teenage blog?
Of course.. I could ignore michael in my preferences, but without Jon Katz around, I find I need somebody new to keep my testosterone pumping.
He's just doing his little part to "bring down the infidels!" He's brainwashing his family into becoming pinko commies such as himself. Most likely, he's the "computer guy" in the family, and let loose with some ludicrous bullshit such as "If you install M$ (don't forget the dollar sign) on your computer it will catch fire! And it will e-mail your social security number, credit card number(s) and your personal information to Microsoft so they can rip you off! And it will load virusen (note spelling) on your computer so they can h4x0R you!! Plus, they don't give you the blueprints to their software, so that just pisses me off!"
Kind of reminds me of this linux-obsessed professor I have - he makes us do our programming in a special Linux lab; of course, half the fucking computers don't boot Linux correctly, and the other half give you errors-a-plenty in X.
Aw, fuck it. Let's go bowling. - The Big Lebowski
I'm tempted to send my boss the following warning.
"Beware gophur attack in coming days.
Tunnels created by gophur may break windows.
Advise careful monitoring of the handler."
To see if he goes all Caddyshack on me.
I need more old protocols coming back purely to be used for my amusement.
Working for the (other) man
Is this a new technique to reduce the total number of patches they put out? They wait until 4-5 vulnerabilities come out before coming out with a patch. That way, they can say "in 2002, Linux had 60 security patches, we only had 56".
Why is it that companies (and individuals) complain and complain about how much time/money/energy they spend on patching Microsoft products and yet don't do anything to change a) their practices and b) their product choices?
This is an honest question that I'm wondering about. I agree with the people who also wonder why Microsoft flaws get so much attention from /. and Linux/Solaris/Apple/etc. flaws get next to none. To those that say "Because there aren't any worth reporting on." I say "Read more." The recommended patch cluster from Sun has lots of interesting reading.
There seem to be _a lot_ of alternatives for almost everything. How many of those alternatives are used by more than the developers of those alternatives? By more than the friends/family of the developers? For my part, I don't have the money right now to get a second machine and my current Windows machine is used primarily for games. However, when I get the money, I will be running something other than Microsoft products where possible. My browser of choice right now is Mozilla. But there are sites that require me to use IE, much to my disappointment. What are the technically savvy people doing to help their companies move away from Microsoft and what alternatives are they proposing? [And no, 'Linux' isn't a good answer. What distro of Linux?]
Personally, I'm glad Microsoft changed their EULA to say that it gives them the right to run whatever they want on your computer. It gave me a wakeup call to read the EULAs more carefully. Occasionally, I turn down the EULA and don't use the product. Are other people finding that they are reading EULAs more carefully and actually turning them down more?
--Maarten
.. that Microsoft products have new security holes or that Michael interjects yet another snide pseudo-troll at the end of the summary.
These were the people that said they couldn't open source their software because their products were so flawed with security that it would be a threat to national defense. Could it be that they were actually telling the truth for once?
There will always be security problems, fix it and move on. But when a company knows about it, sits on it forever, tries to silence anyone else who finds it, and denies it... then way down the road writes a fix (finally) and says "Look at us, we're taking proactive steps to ensure our customers' security", that's absurd.
I'll bet you $20,000 it will take 24 hours before the next MS vulnerability is discovered. Then I'll give Andreas Sandblad $10,000 and have him find another one. It was supposedly a fairly trivial process...
Don't -1 the parent, a good point was made, just not that well.
If your servers are configured correctly and you have redundancy in place then there should be no problem installing this update,
If you don't use load balancing then just bring the warm/cold server online while you take the server you're about to update offline.
Spend a few days testing the updated server.
and then sync with the cold/warm server and repeat.
If you use load balancing then take some servers out of the loop and run them concurrently to make sure Microsoft hasn't broken anything, then repeat until all servers are updated.
If all of the above sounds like voodoo then you should be more concerned about your internal systems than any bugs that might be in Windows.
Yes, AC, I know there is more than one OpenSSH hole, but let's go back and count all bugs ever found in IE so we can be fair. I was referring to the fact that he knew of one hole (ok, let's say three this year) and we are talking about six on one occasion.
MSFT announces security patches.
Film at 11.
Next!
RedHat and Mandrake announce security patches.
Film at 12.
Next!
It just allowed the MPAA to post a banner ad on Slashdot!!!
I don't understand why people complain about the number of patches from MSFT. They're not that hard to apply. I think Linux is just as bad - I have 36 messages since 1st June (DSA-129-1 through DSA-157-1) in my Netscape folder for the Debian Security Announce mailing list. The only difference is that one OS normally requires rebooting after patching.
Really. I'm glad they are doing this. Glad they are taking some active measures to improve their security. If everyone who has a windows machine actually performs the update, we'll have a safer world of computing :)
If they don't pshaw the other holes that other people find and admit their seriousness now, I'll actually have one less reason to hate them.
-- Who is the bigger fool? The fool or the fool who follows him? --
That's what I said to my friends and now I have time to enjoy myself. Before that, I would go over to a friends house and find myself cleaning up their system.
Now I tell them that I don't do windows.
DRM? No thanks, I'll just get it somewhere else...
You know. The time that someone thought it would be gnarly to hack OpenBSD's FTP server and trojan the makescripts?
The folks at OpenBSD still haven't explained how that happened, so we've got six theoretical bugs (which will undoubtedly become reality Real Soon Now) versus an unexplained, but very real, hack, which may or may not manifest itself elsewhere. And as long as we're comparing apples and oranges, take a look at the size of the codebase and the amount of functionality of one versus the other.
Easy does it!
In the same e-mail, I sent a link to RedHat.
Hopefully, my family will finally switch to an OS that actually works.
Thanks Microsoft, for helping me make my family realize how much your software sucks -- couldn't have done it without you! *smiles*
When faced with a problem, many web developers say "I know, I'll use JavaScript!".
Now they have two problems.
Yet six more reasons why I don't allow my family to connect to the internet using MS. They can't be trusted.
:-)
Who? Microsoft, or your family?
"Mod, mod, mod...and another troll bites the dust."
So I have to choose between a dangerously insecure system, or one which Microsoft has some control over. Hrm....let's see...I don't patch and risk losing everything to a malicious hacker, or I do patch and maybe, at some point in the future, Microsoft MIGHT push an update onto my machine.
I think I'd rather have the secure machine...
When developers try to make operating systems more user friendly by binding commonly used social security holes (alt-ctrl-del) to intuitive items like logging into the computer, we sure know where everything is headed.
OK, now here's something I don't understand, but you appear to, so I'll ask now..
How (exactly) does ctrl-alt-del make a computer MORE user friendly?
When you boot Win NT/2K/etc, you have to 'hit ctrl-alt-del' to log in - exactly what is being accomplished by doing that? Would it not be easier to simply present a login screen?
Exactly how does adding a step - which seems (to me, at least) to be a NOP - make the computer easier to use?
And where does the writer of the article get off saying "The world's No. 1 software maker said ..."
Microsoft is not the world's number one software maker. They've bought most of their current product line. Now, if the article had said "The world's No. 1 software bug producer said ..."
Let's just hope he didn't find out about these issues looking like this.
Disclaimer: I've met him in real life several times, thankfully he was fully clothed. He often pops on to the place linked below under the name of "Foon".
Especially considering that, to get the "Designed for Windows 2000 / XP" logo on your software, you have to have an install that doesn't require a reboot.
I am not a number! I am a man! And don't you
> If I were in this position, I'd let the family run whatever they wanted. After all, they're not on my network, they bought their own computers, and they should be able to learn from their own mistakes. I can -suggest- they try Mozilla or Opera instead of just using IE, but alas, that's just my suggestion.
I use Mozilla, spell The Company's name "MICROS~1," and enhance my usability under their OS with cygwin. Keeps the frustration in check, especially after the last round of troubleshooting a locking-up laptop which went into a machine check (and apparently was a motherboard driver issue). At least I have more respect for MS than, say... shrub!
--
Me spell chucker work grate. Need grandma chicken.
I think I have finally figured out why /. *pretends* that they don't like Microsoft.
/. readers know that the editors have a habit of posting the same story multiple times. This results in hordes of geeks complaining about having to read the same thing twice, making comments about the IQ of the editorial staff and generally having a good whine.
/. editors don't like M$. By pretending not to like M$ they simply make their jobs a lot easier.
Regular
But...
Articles bashing M$'s security are sure-fire winners. There are so many security holes in M$ code that having a duplicate story is difficult simply due to the laws of probability. And if you do manage a duplicate you can just point out (in perfect safety, without bothering to check whether it is true) that the hole hasn't been fixed yet and this is just an update on a critical security flaw.
So it isn't that the
People couldn't type. We realized: Death would eventually take care of this.
You mean there isn't already an M$ bug deadpool?
Jaysyn
There is a war going on for your mind.
from the bottom of the BBC article:
> Um, shouldn't you allow your family to make their own decisions?
> You can suggest they don't use MS, but saying you don't allow it
> seems a little peculiar.
I theoretically let my (non-geek) family members use IE if they
want, but I make sure it's not the default browser and that it
doesn't load itself at system startup time. (Yes, this requires
doing a registry merge from autoexec.bat, but I have to do that
anyway to keep the %$#! instant messaging clients out of the
HKLM|HKCU/Software|Microsoft|Windows|CurrentVersion|Run* keys.
It also requires a Custom install of IE6, but you knew to always
to custom install of everything anyway, right?) So if they want
to use IE, they go to the Browsers folder (there is a shortcut
on the desktop for this) and choose IE from a list of assorted
choices. The default browser (current NS7.0PR1 IIRC) has an
icon directly on the desktop, as well as in the Browsers folder.
Guess what? They use the default browser. Because they don't
really have a preference, and whichever one has an icon right
on the desktop is the one they use. IE is two doubleclicks
away, and they know it's there (or knew at one time -- I'm
pretty sure they don't all remember), but they never use it.
Because an extra doubleclick is too much trouble.
That extra doubleclick saves me a lot of admin hassle.
At first, every time my dad found a website that didn't work
right, he asked me why, and I suggested it might have been
designed for a certain browser, and why didn't he try one of
the other options. He'd try the same site in IE and Opera
and Mozilla and Netscape 4, but nine times out of ten NONE
of them would get it right. So I'd tell him that if at least
one of those browsers couldn't get it right, the site must
just be broken. After a while, he sensed a pattern. These
days, he just uses the default browser all the time.
Sure, users with a bit more knowledge will make their own
shortcuts. But users with a bit more knowledge might have
some idea what it means for random people on the internet
to be able to do arbitrary things on their computer, if
you explain it to them. (They might not care, but at
least they might understand the risk they are taking.)
Cut that out, or I will ship you to Norilsk in a box.
Damn, never knew about Mandrake. It's gone, hate them stinky French. Redhat always ran better anyway. Still, M$ may be American, but so are 90% of the other people in the country I can't stand.
I'm gonna start smoking again and drinking and having unprotected sex and then I'm gonna stop paying taxes and start cursing out the cops and run through the airport with a gun.
I can't cope anymore. Tomorrow there will be 6 more critical problems and 6 more and 6E5 more. What's the fucking point?
Get Naked And Start The Revolution!!
Have you been paying attention? OpenSource releases patches quicker than any closed development method. Like a remote hole on OpenBSD with a patch released merely six days later. Get your lovable, huggable, faceless corporation to do that...
But I won't work on Windows computers in my free time, which means I will not help them fix their windows computers if and when they break.
Period.
Of course, my mom prefers GNU/Linux and hates her Windows box at work (her home Linux box works, and works well).
My sister's husband, on the other hand, prefers Windows. Fine. Their computer is broken a lot and they have trouble finding anyone to help them fix it. *shrug*
The Future of Human Evolution: Autonomy
If I were in this position, I'd let the family run whatever they wanted. After all, they're not on my network, they bought their own computers, and they should be able to learn from their own mistakes. I can -suggest- they try Mozilla or Opera instead of just using IE, but alas, that's just my suggestion.
And if they are on my network, I'd just put them all behind an OpenBSD firewall and be fairly secure knowing that I can keep my systems from being compromised if their systems are somehow breached. Then again, it doesn't take much to keep any system relatively safe from harm, even running MS software.
-PainKilleR-[CE]
Fixing six vulnerabilities is good. They're not _finished_,
but it's progress.
And how do you know it doesn't? After all, Windows Update sends stuff to Microsoft. Latest Service Pack for W2k has a completely Automatic Update incorporated (now, I thought service packs shouldn't include new features). I know, in their privacy policy on the web they state they don't send info...but privacy policies on the web represent nothing nowadays and are subject to change any day in the week.
> And it will load virusen (note spelling) on your computer so they can h4x0R you!!
Small anecdote: recently I "fixed" the PC of an acquaintance of mine (clueless computer user). This family uses only Microsoft products and is clueless about maintenance (their antivirus was hopelessly out of date). So, I say that this was an unpatched Windows 98, with an unpatched Outlook (5, I think) and an unpatched Internet Explorer (5, I think). Now, what did I find on this machine: spyware *en masse*, and besides that at least 5 instances of Klez and *two* programs that Norton Antivirus identified as "Backdoors". Now, what again about haxorring?
Microsoft doesn't give you the blueprints of the software, yes. I'm perfectly okay with that. However knowing that many skilled programmers all over the world tinker daily with the open-source equivalents gives me this warm and comfy feeling that malicious code *will* be detected and *will* be fixed. It's just a feeling, so it's rather subjective... but honestly, do you prefer to be part of a community that might care for you *or* know that a company that is only after money (which is after all the goal of any company) is responsible for your security?
Of course your post was flamebait, and I took the bait.
> It's not a news site, it's Rob + Friends blog! If you don't like it, don't come back here. Is that it?
Well, I'd put it like this: the site is concerned with open source software, free software, Linux, privacy issues especially related to technology, various general tech issues and toys etc., plus various cultural things of interest to its target audience, like anime, sci-fi, etc. If you don't share the interests and perspective, and aren't interested in learning more about those things, then yeah, you probably shouldn't be here. Then again, /. could probably do with the advertising dollars, so by all means stick around, just try to keep down the whining.
> At first, every time my dad found a website that didn't work
> right, he asked me why, and I suggested it might have been
> designed for a certain browser, and why didn't he try one of
> the other options. He'd try the same site in IE and Opera
> and Mozilla and Netscape 4, but nine times out of ten NONE
> of them would get it right. So I'd tell him that if at least
> one of those browsers couldn't get it right, the site must
> just be broken. After a while, he sensed a pattern.
Nice, I wonder how many of those sites simply don't work because of the VM you're using or some setting you've been messing with in the registry, rather than an actual problem with the site (other than the fact that it might use MS-specific code, which is a problem, but not an error in the true sense).
Read the OpenBSD FAQ for the details of why the FTP server isn't an OpenBSD box, but IIRC it's basically because it's a donated box and bandwidth from a university, and beggars can't be choosers.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
As I understand it, ctrl-alt-del is a key-combo that no program can 'steal' from the OS. That way you can make sure that one you are logging into really IS a login screen, and not something a kid wrote in VB that's going to email your username and password to him - Ctrl-Alt-Del would make it obvious right away that it was an application, not the login. Granted, I don't know for sure that this is true, but it makes sense to me.
The fact of the matter is Windows is the most common target of hackers. They occasionally find stuff, it gets fixed.
Then there is this warning to 'be sure to read the EULA' as if there is something in this EULA different than every other EULA for Microsoft Products? It is proprietary software, it has a EULA. Just like every piece of proprietary software from every other non-evil company. Get used to it. Not every company wants to make free software. Not every software makes sense to be created under a free model. And in a free world software developers should have that choice too, should they not?
The people that are really doing the user community a disservice are the ones who, out of misguided stubbornness or as a misdirected 'protest' against Microsoft, (or because Slashdot implied that the EULA with this patch was somehow troublesome) don't apply security patches. Because now that the vulnerability is well known, every script kiddie on the planet can write a few lines of code to use it to do things that harm all users, like set up a DDoS attack on sites.
I'm sure my karma's going to take a hit for this, but here goes:
Is there anyone reading /. that really hasn't gotten the point that Micro$oft makes horribly insecure products? Why is it that every single time yet another gaping hole is found for IE that it gets frontpage treatment here? Is this really news? Is this really surprising to anyone here?
It would seem to me that anyone having to deal with this problem (ie, the poor admins who have to look after Windows machines) would have already been alerted to this by the various security mailing lists available. The only point of posting these stories is for the militant OSS guys to pat themselves on the back and bemoan how Microsoft can't do anything right.
We already know this, people. Yes, IE is a POS. Yes, this is what happens when the marketing people dictate what direction your application development goes in. Yes, IE is more full of holes than Swiss cheese.
Enough already.
"Oh my God! The dead have risen! And they're voting Republican!" - Bart Simpson
If you are really concerned enough about security in the first place, either don't plug in your ethernet cable or don't buy Windows. If you don't use Windows, why the hell are you complaining? You laugh at Microsoft because they have to fix security in their software all the time. Well, I'm laughing at Linux because your line of supported applications and games is comparable to the Mac section in any general computer store on Earth.
Come up with something else to complain about for once. Geez. Open source is great, monopolies are bad. Yippee. Now get off your asses and do something, you know, useful.
You're joking, right? By God I hope you are...
In the UK, the Unfair Contract Terms Act puts the onus on the company to prove that an apparently unfair contract term is in fact fair. If they can't prove it, the term doesn't apply. Threatening to force people to run insecure software unless they agree to allow arbitrary future modifications to their systems (or unless they agree to new unwanted restrictions on how they use those systems) sounds, prima facie, unfair.
The Act applies to consumers, but I don't know whether it applies to business customers as well. But it's a start.
Everyone here should read this HOWTO. I suppose it more or less describes what you were thinking when you (and other people like you) took that decision.
My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.
What does that tell us about .NET?
I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.
Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.
To have a monopoly (already proven in court), put out an inferior product and not have to worry about being sued for all the damaging worms and viruses that said products inflict upon your clients.
If a totalitarian regime put out software for its masses it would be just like this.
(Go ahead Redmond disciples and mod me down. What good is a ton of karma if you can't burn it?)
Hell, my 3 year old son gets it OK?
(While playing Zoboomafoo Alphabet the Critical Update came onto the screen obscuring the Lemurs. "Daaaad stupid Windows is bothering me!")
This: "ctrl-alt-del is a key-combo that no program can 'steal' from the OS"
Thank you, that answers my question nicely.
Although it's kind of strange that the original poster attributed this behaviour to user-friendliness instead of security.
It'll cut that down to 10 minutes. Forget going to individual desktops - and FORGET MICROSOFT SMS.
heh heh
It's nothing, just you're carbodyluminocap acting up... just a couple of hours to fix.
Once there was a time when we patched our Windows machines because we were concerned about the security of our machines.
Now we think twice about installing a patch because we are concerned about the security of our machines.
And about the new EULAs, it can be Windows, Linux, FreeBSD, AIX, Solaris, Mac or whatever. I would never want my machine to update some components by itself. For the machine on my desk, I could live with it. But I do have machines running, doing more important tasks, where I like to be completely in charge of what's updated.
Sure, it requires more work and attention, but what if the automatic installation of a patch could have implications that would render the service that the machine provides useless, or even worse, the entire machine?
That's why you would choose to install updates by yourself. This enables you (with proper documentation) to pinpoint if an update is causing problems with a service, and to decide if the lack of the update is a threat to the security or uptime of the machine. And you can choose to roll back to a previous state to correct the problem.
So while an automatic update is a great idea for those without any knowledge about the personal computer that they have at home in their living room, I would never run a system where I could not choose myself if I want to use the automatic updates.
my sig
-dave
1) http://www.suse.com (or your fav *nix distro)
or
2) http://www.apple.com/switch/
As a secondary point, I don't know why this is but every time these vulnerabilities pop up the media writes about them as if they have the same effect as the EMP from a nuke airburst. I quote from their current article on these new vulnerabilities:
Jesus Christ! It's like the end of the world for my computer or something. The only thing missing is the bit about the vulnerability causing my computer to become artificially intelligent and start trying to annihilate all humans. Give me a break.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
First, if you read the message, you'll see it says "CTRL-ALT-DEL helps protect your login" or something like that.
The reason is simple-- it's the only key sequence that can't be trojaned away. Remember people "hacking" hotmail by emailing a link to a webpage that looks just like the hotmail login? Or replacing login on a *nix box with a spoofed version. CTRL-ALT-DEL is trapped by the OS, so it can always give you a "secure" (and I use the term loosely) login prompt.
In theory, there's no difference between theory and practice. In practice, there is.
-- Is "Sig" copyrighted by www.sig.com?
Wondering if MicroSoft builds in bugs which allow them to announce the fix, then ship an update which changes the EULA. Just need to supply enough bugs to handle the number of EULA changes expected. Obviously, they expect to change it frequently.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Just noticed, but it is probably very old.
* You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval.
So, if we translate it to "Ford-style", I would not be allowed to post any performance results (mileage, design issues, bad tires...) of a Ford SUV without consulting with Ford first and getting their approval???
I'm no big M$ fan, but doesn't Windows 2000 Server support DNS and DHCP as is? I know Windows 2000 AS does.
Perhaps a database and mail server would make a better argument.
thank God the internet isn't a human right.
...a lot of Microsoft patches do not undergo regression testing.
HotFixes and QFE patches state that they have NOT been fully regression tested.
This is a known fact to most decent NT/W2K sysadmins.
Why? Windows has one purpose, Gaming!
Browse with mozilla or opera on linux using the junkbuster proxy
and never see another banner ad or popup again!
And when everyone's running some kind of *nix derivative and it gets the same kind of cracker attention and media coverage on security issues, what then?
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Whoever mod'ed this as a troll needs to get out into the real world for a while... Mod'ing this as a troll is just plain *wrong*.
"Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
Automatic update for home users that aren't technology-savvy like us = good
:)
Automatic update for my dad that only watches stock quotes and doesn't even know what to do when his windows box opens a menu like scandisk (so forget about patching and all) = good.
Automatic update for people that don't care about their machines being a hub for a potential DDoS attack = GOOD THING.
Automatic update for people that are knowledgeable and responsible netizens = more or less evil.
Above but with no way to turn it off = just plain lame.
So okay, let them have it their way, and the DAY they send up a patch that breaks everything and kills all of their userbase with a major flaw, you will have enough ammo to fire back at them. Before that, nobody cares; people leech Kazaa with spyware, and they don't care as long as they get MP3s or videos. Face it, if the majority don't care, you don't have a case. When the majority face a serious flaw, bug, or their computers won't boot again, and it happens to their friends, family and everyone, then they will pay more attention to the people that try to advocate this matter. It will happen, just be patient.
--- Metamoderating abusive downgraders since my 300th post.
From an end-user support standpoint, this appears to be a more critical bug due to the ease of use. Anyone can email someone a fake link that deletes their system folders. I'm not sure that Microsoft has addressed this in any way. Maybe they don't know about it yet.
If link above goes down, here's the quoted text:
There has been a very serious flaw discovered in the "Help Center" included in Windows XP.
To try it out, do the following, but, BE WARNED. IT WILL LIKELY delete anything you put in the "test" directory.
Create a folder called "test" at the root directory of your hard drive. Put some files in it (junk, whatever, stuff you don't care about losing). YOU HAVE BEEN WARNED AGAIN!
Then, copy and paste the "link" below into any address bar and hit enter.
Wait a few seconds, then, check that directory again. Gone, gone, gone.
This is a HORRIBLE exploit because it can be a link in any web page and exploits a terrible flaw in the Windows Help Center included in XP.
hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*
Ways to fix this issue:
Delete/rename the "uplddrvinfo.htm" file (located in C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS).
Or, open it, find, and delete the following section of code:
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" ); try { oFSO.DeleteFile( sFile ); }
Or unregister the hcp protocol handler.
Deleting the section of code breaks the exploit (I have verified it myself) and it is highly recommended that anyone here using XP take steps to fix this because it won't be fixed until SP1 for XP comes out.
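The post above lists three mitigations (remove or rename uplddrvinfo.htm, strip the DeleteFile() call from it, or unregister the hcp: protocol handler) without giving an admin a way to confirm which of them is actually in place on a given box. The following audit script is an added example, not code from the original post or from Microsoft: it reports each condition separately and only flags the machine when all three still hold. It assumes the Windows directory is whatever $env:SystemRoot points at and that the hcp: handler is registered under HKEY_CLASSES_ROOT\HCP; the file path itself is the one given in the post.

```powershell
# Added example (not from the original post): audit a Windows XP machine for the
# Help Center "uplddrvinfo.htm" file-deletion issue described above and report
# whether each of the three mitigations listed in the post is in place.
# Assumptions not stated on the page: the Windows directory is $env:SystemRoot,
# and the hcp: protocol handler lives at HKEY_CLASSES_ROOT\HCP.

$helpCtrFile = Join-Path $env:SystemRoot 'PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm'
$hcpKey      = 'Registry::HKEY_CLASSES_ROOT\HCP'   # assumed location of the handler

$result = [ordered]@{
    FilePresent          = Test-Path -LiteralPath $helpCtrFile
    DeleteCallPresent    = $false
    HcpHandlerRegistered = Test-Path -LiteralPath $hcpKey
}

if ($result.FilePresent) {
    $content = Get-Content -LiteralPath $helpCtrFile -Raw
    # The post identifies the dangerous fragment: a Scripting.FileSystemObject
    # whose DeleteFile() is called on a path taken from the URL's "file" parameter.
    # Both pieces must still be there for the deletion path to be reachable.
    $result.DeleteCallPresent = ($content -match 'Scripting\.FileSystemObject') -and
                                ($content -match 'DeleteFile\s*\(')
}

# Only the combination is dangerous: any single mitigation from the post breaks the chain.
$vulnerable = $result.FilePresent -and $result.DeleteCallPresent -and $result.HcpHandlerRegistered

[pscustomobject]$result | Format-List
if ($vulnerable) {
    Write-Warning 'All three conditions hold: hcp: links can still reach the DeleteFile() path.'
} else {
    Write-Host 'At least one mitigation from the post is in place (file removed, code stripped, or handler unregistered).'
}
```

Run it from an elevated prompt so the HKCR and %SystemRoot% reads are not blocked; the three booleans tell you which mitigation, if any, was applied, which matters when a later service pack restores the file and silently undoes a manual edit.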
You can run the 'client' inside of a VM on the firewall but that is kinda resource intensive.
...at least not according to their lawyers.
Alas, Babylon.
That sounds like the tagline of every Jerry Bruckheimer movie I've ever seen
Courts are already still a little leery about the EULA you agree to by opening the package containing the EULA; I don't think that one has ever even gone to court, and the enforceability of EULAs remains a big legal unknown. One purpose of the still-abortive UCITA is to nail this point down (with a "yes", of course).
But even in my most paranoid fantasies, I can't imagine a thing that you can't even see, ever, that you somehow "automatically" agree to, ever being binding. The EULA is not negated, in this case, it simply never existed.
I read the EULA comment as an attempt at humor, poking fun at the fact that everything this side of cola cans is starting to have a EULA slapped on it.
Seems like everyone is making too much of it...
One of the things this fixes is "a buffer overrun vulnerability affecting the Gopher protocol handler." Good lord, gopher's been dead for a decade! Why the hell does IE still bother supporting it at all?
I'm the stranger...posting to
I'm glad I don't live in your dictatorship.
Same rule for me... I had set up common internet access in my building that I share graciously with my neighbours, BUT I set up a special VLAN for them and some special firewall rules too. Internet access OK, network guerrilla no thanks.
I used Windows Update to get the IE patches, and a EULA did appear. One of the EULA items said I could not publish a benchmark of the .NET framework without written consent from Microsoft.
You complain about it when it's patched.
You complain about it when it isn't patched.
You complain about them finding security holes.
You complain about them not finding security holes.
Grow up.
It's a big program used by a lot of people with a lot of other people trying to break it.
There will always be holes.
Nothing is perfect.
Nothing is totally secure.
Except possibly something broken and completely worthless, and probably not even then...
South side of Chicago? Harlem? Watts? Compton? Africa?
:)
Might get more than 10% then.
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
simply don't work because of the VM you're using or some setting you've been messing with in the registry
I don't know much about windows, but if a setting in a registry or your VM can screw up specific individual sites I would still call the web site broken.
Well, can't is a strong word. It's harder, yeah, but it can be done; you just have to trap it at a lower level. It can be done with the NT core at least (2K, XP, etc.) if your trojan intercepts the keystrokes more or less the same way a device driver would. It's a bit more complicated than it sounds, but totally possible.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
apparently I don't know much about closing tags either ;-)
The EULA was shown to you if you used Microsoft's Windows Update website. I know that I am looking at it right now.
"You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval."
That is the main right that you give up with this patch, but I think that has been in all their supplemental EULAs since .NET has been available. Wonder why they are so "afraid" of people saying what their benchmarks were.... Makes you wonder how doctored the results that they are publishing are if you can't disclose the ones that you receive.
I did not see anything about forcing DRM on us in this patch, but don't think that will stay this way for long.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
i thought you meant IT administrator. it's really sad that the browser has so many holes you need an admin for it.
-- john
I don't know much about windows, but if a setting in a registry or your VM can screw up specific individual sites I would still call the web site broken.
It's possible to change rendering options in IE through the registry, which could make websites appear to be broken when in fact you have simply disabled the ability to render it properly. If a site uses Flash and you've broken your Flash installation, it's not exactly the site's fault.
Similarly (and since I just recently experienced this) some of Sun's java VMs will do some really odd things on certain sites. A great deal of that is because of Microsoft's VM supporting non-standard things and people writing to that VM, but other times there's no easy explanation as to why it doesn't work in the Sun VM (or they fixed it in a later version).
-PainKilleR-[CE]
If a site uses Flash and you've broken your Flash installation, it's not exactly the site's fault.
;-)
If a site uses flash, then its definitely the sites fault
Slashdot needs a "-1: yet another ranting jackass" moderation button...
0 1 - just my two bits
Unless of course, you download a trojaned copy of BSD from the compromised server.
You know what? ALL software has holes. The "l33t haX0r" OS'es have their fair share as well, but you fucking zealots like to try to just sweep that under the carpet. Buuuut, whenever ANY type of problem shows up in a Closed-source product, you use that to trash all over the product, the company, the company's dog, their mothers, the second grade teacher, etc.
You know something? When I installed Windows XP on my laptop, it detected and installed ALL my devices, first try. It even detects and installs my Cisco Aironet PCMCIA card. And it doesn't crash, ever. Linux STILL doesn't have support for this card, even though it's been out for 2 years, and X-windows is a buggy piece of shit. Why don't you guys fix the problems with the damn operating system instead of wasting all of your time bitching about FIXED security holes?
I've been called a "Fucking Dick" by better people than you.
And how do you know it doesn't?
Because someone would have noticed it, posted it on Slashdot, and there'd be much (rightful) outrage.
As for the antivirus issue - if Linux becomes the desktop OS of choice, it'll happen there too. Just because most viruses (and most clueless users) are on Windows doesn't mean the writers can't make Linux ones too.
I must admit, Mr. Gates is one incredible business man.
Don't announce security holes unless you are ready to release a patch, then you look like you're acting fast with no delay to solve the problem. Customers like that. Customers don't like to be warned that there is a hole with no patch, even if it will help them avoid potential problems, because it makes your company look irresponsible or slow or lazy or whatever.
When I say customer, I mean the portion of the population that doesn't even know what an EULA is. I mean the portion who, if told they need to pay a monthly license fee, would shovel out the money as a necessary expense. I mean those who think a web browser or its home page determines the ISP that you use.
TodayTM BillyJoelTM GoogleTMd for StitchTMes due to WindowsTM while RollerbladeTMing with an AppleTM and a PopsicleTM
Does this EULA have the infamous "we have the right to turn off functionality and delete files" clause that Microsoft has been putting in EULAs lately, in preparation for extra-aggressive digital rights management?
I have personally caught M$ stuff going around ZoneAlarm on two occasions:
WinME, no patches, ZAPro; system had no modem, thus no internet connexion. ZAPro dutifully reported every attempt to connect (which a lot of programs try to do for one reason or another, usually innocently)... until Frontpage98. My first clue was when FP98 whined about being unable to find the nonexistent modem. ZAP didn't make a peep.
Win98, no patches, ZA Amateur 2.63 (I think); system has modem and DUN configured in the usual way. HAD been well-behaved. Made the mistake of installing TurboTax this past April, and it forcibly installed IE5.5. Which FUBAR'd DUN. When I finally got DUN working again and went online, ZA *immediately* reported an attempt to intrude, from a M$ IP address (I whois'd it, so I'm sure), IIRC on a UDP port. Excuse me? What business does M$ have trying to get into MY computer? And since IE5.5 wasn't running per se (I only use Netscape online), clearly it had suborned Windows itself. And again, ZA didn't make a peep, tho it had always reported every other attempt to get in or out.
This is why I IEradicated IE5.5 [see 98lite.net] and reverted the system to IE5.0, which had never exhibited any underhanded behaviour (tho I don't let it out on the net, I only use it for checking my HTML locally).
And yes, there is a hardware firewall in my future, exactly because of this sort of security breach.
~REZ~ #43301. Who'd fake being me anyway?
First off, I'm not saying that MS doesn't need to work harder at making their software more secure BEFORE releasing it. But if you think about it, there really is nothing computer related that is 100% secure. There's always someone that finds some way around whatever security gets implemented. Windows is the #1 OS by a long shot, and therefore has WAY more people trying to exploit any vulnerabilities. I believe that if Linux or some other OS had such a huge market share that perhaps there would be a lot more people finding security holes in those systems. Personally, I run FreeBSD on my server, but I use WinXP on my personal box, because it's primarily used for gaming. Anyway, just my viewpoint.
R.
I can appreciate the advantages of open source, but the unfortunate truth is that hardly any casual computer user can set up and use an open source OS like they can with Windows. A furthering of that is that those are the people driving the computer industry by buying computers and software. It's a sad thing to say, but the geeks are a minority.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
I try to get my parents to use Gecko based browsers. They use NS6 on the laptop because IE doesn't work. They seem to think, "we have Norton, it will keep us safe!" What BS.
Support the Chagossians
You get hoards of e-mail every week since subscribing to the security bulletin list? I think not.
This patch is bulletin number 47 for the year. By my primitive math, since this is the 34th week of the year, that would be about 1-2 pieces of mail a week.
You have an odd definition of "hoards".
You know what? ALL software has holes. The "l33t haX0r" OS'es have their fair share as well, but you fucking zealots like to try to just sweep that under the carpet. Buuuut, whenever ANY type of problem shows up in a Closed-source product, you use that to trash all over the product, the company, the company's dog, their mothers, the second grade teacher, etc.
Perhaps you responded to the wrong poster, since the window I'm typing this in seems to be IE6 running on Win2k, and the machine on the other side of my desk is running XP Pro, as is my primary home computer.
Use the best tool for the job. I simply mentioned OpenBSD because I tend to believe that OpenBSD and FreeBSD are usually the best tool for the job if you want to setup an older system as a firewall to monitor and/or block traffic on your network. The primary reason for that is, of course, because of the record for security in OpenBSD, though reasons for that abound. In the end, if you know what you're doing with the system, there's a reasonable chance that you can keep it secure.
-PainKilleR-[CE]
You know what? ALL software has holes. The "l33t haX0r" OS'es have their fair share as well, but you fucking zealots like to try to just sweep that under the carpet.
... X-windows is a buggy piece of shit.
True. Folks do need to back off of MS's case just a bit. However, Microsoft hatred has been well earned over the years.
Yes, and this would be because Aironet writes Microsoft device drivers for the hardware they make. Very few companies actually do this for Linux, yet Linux supports a vast array of hardware as well, all by its little self. Hardly worth discrediting Linux developers for. It's a status quo problem.
And [XP] doesn't crash, ever.
I'll admit that XP isn't bad in the stability dept., but for all intents and purposes, it seems like an updated 2K with a bloated interface. You want to argue with me on the bloated issue? Then explain why the XP start menu takes up most of the screen on small resolutions. =\ Not to mention the colors and "3D-ish" look.
Why don't you guys fix the problems with the damn operating system instead of wasting all of your time bitching about FIXED security holes?
True. Again, people should settle down. Microsoft is doing better. In the past, I would have said, "Yes, finally, Microsoft is paying attention to security." It looks like their "security initiative" back in January has taken effect. However, Microsoft has disappointed, lied and plain abused us (crappy, insecure products for too much $$ is abuse in my book) long enough to deserve my indifference at this point.
And don't anyone give me that libertarian crap about free choice. True free markets do not exist, and there is such a thing as compatibility. When Jack Doe goes to work, often he's forced into using Windows, likewise at home, to view certain files and run certain programs.
~Dalcius
Rome wasn't burnt in a day.
Doh -- should have previewed.
Yes, and this would be because Aironet writes Microsoft device drivers
Note somehow my quote of your "Aironet card is supported under Windows" part got lost.
What problems do you have with X? I'm doing fine -- I can't remember the last time X or Linux locked up on me, and I use a laptop with Linux around 8-12 hours every weekday. My panel has crashed a couple times in the last few weeks, but it restarts itself with no problems.
~Dalcius
Rome wasn't burnt in a day.
Ok, i believe the 'they' the parent poster meant was MS, not his family. Geez people, think a little..
In the EULA that specifically says MS will download automatically into your system whatever files it wants? Perhaps MS looks at yer partition to see if you have Linux installed before giving you that version of the EULA, because I sure as hell can't find what people are talking about. The only thing I did see is, of course, if you didn't buy Windows 2000 you are in violation blablablalbla; that's been in the EULA from way back.
Anyhow, all you server people using Win2k Server, stop complaining about the browser/OS issue. If you use your server to browse the web you are definitely putting yourself at a greater risk regardless of OS.
Anyhow, that EULA, if anything, is more of an anti-piracy feature. How many of you have paid for Windows? (Raise your hands.) What, 1, maybe 2? So in essence, even though it's software you have to pay for, I doubt many of you have, so in that sense it's pretty much free like Linux. And since most of you warez kiddies out there just praise Linux mostly cuz the various programs for it are free, I really don't see a purpose of you whining.
Better yet are those people who continue to use Windows yet complain about it all the time. For god sakes, stop using the OS then if yer gonna whine all the time about it.
Virii, spyware, programs that put 10 icons in 3 places each on your computer will all come to Linux.
But considering file permissions, and how devices, configs and other such things are held strictly to these permissions, I think it's safe to say that although one user might get messed up on a Linux box, unless he's running as root (stupid, of course), only his portion of the system will be messed up.
Unless, of course, virii start exploiting local root hacks, but that's an issue of keeping your system up to date. up2date and Red Carpet are very handy here.
~Dalcius
Rome wasn't burnt in a day.
I wonder if Microsoft's EULA could be considered a form of coercion? Look at it this way:
Microsoft creates a flawed piece of software. They sell it to millions of unsuspecting victims under one EULA.
Then, they release patches for flaws that are serious enough to destroy a business if left uncorrected. They tell the victims: "Agree to this new EULA that takes away many of your rights or we won't fix our software!"
The race isn't always to the swift... but that's the way to bet!
Of course, this only works insofar as people know that you have to hit ctrl-alt-del to log in, and that if they have a login prompt without hitting that, there's something wrong.
I've never seen much effort on the part of MS to get this across to folks, so this bit of security is pretty much wasted.
Don't you wish your girlfriend was a geek like me?
We do, it's called Linux.
"I'm not a procrastinator, I'm temporally challenged"
PivX Solutions has a good list and commentary of remaining vulnerabilities in IE at http://www.pivx.com/larholm/unpatched
...
They say it best - for now best to run IE with Scripting turned off
"The basic tool for the manipulation of reality is the manipulation of words." - PK Dick
using internet explorer to surf the internet and do anything important is like fucking a prostitute with no condom
13 year old white supremacists are shitty web designers.
Try updating Konqueror without shutting down KDE. :0)
Bruhahahaha!
No, silly, the Internet!
You can't handle the truth.
"the unfortunate truth is that hardly any casual computer user can set up and use an open source OS like they can with Windows"
Same computer, same hardware, 5 operating systems:
Windows ME: Decent drivers for half the hardware didn't exist. Never worked right. Lost count of install program reboots after 30. Had to download drivers from 5 sites, and let me tell you, the Creative Labs site is a POS.
Windows 2000: 12 reboots to install drivers. Had to do things like configure obscure settings in the Device Manager to get the USB Drives working.
Mandrake Linux: Everything was configured. Everything was working, no obscure options.
SuSe Linux: Had to run a command line to get the sound card working.
BeOS: Didn't support half the hardware, and no drivers existed. No shock, I tried it just for fun.
The argument about Linux being hard to install is an old chestnut that does not apply to most of the current distros. Today Linux is easier to install and get up and running than Windows, even for beginners.
"Live Free or Die." Don't like it? Then keep out of the USA
If most web-sites render correctly, and one (or a select few) do not, then what again is wrong with the client machine and it's browser?
www.dedserius.com
VB != VisualBasic
I am just a stickler for security, that's all. We have 5 computers in my house, mostly for my work, and if they want to use the 'net, they have to do so with secure products. I won't have my work or machines compromised for the sake of "entertainment." If they can do it with Moz/Galeon and other open source tools that I know are secure, then they are welcome to the unregulated 'net in my house. I have a CD-RW so they can just burn software they download and transfer it ;)
-- 4 8 15 16 23 42
The pope announced today that all non-catholics are going to hell...
Russian Russian Russian RussianDollSig DollSig DollSig DollSig
Your comment is flat out wrong.
Below are quotes of the exact text from the "Designed for Windows XP spec v2.3" document:
"The application must not require or suggest an unnecessary reboot during or after installation."
* Installing a Windows Service Pack or authorized system redistributable may require a reboot.
* Installing a Graphical Identification and Authentication dynamic link library (GINA) requires a reboot."
The above quote comes straight from the horse's mouth.
That last WMP7 patch had the same language, and turned out to offer nothing new except DRM.
"Keeping your computer secure"
Maybe it implies that your computer is secure unless you download the patches regularly? Like a vulnerability is not a vulnerability until Microsoft acknowledges it?
Oh yeah that's right, it's a feature!
Ali
Ph33r m3!!!
indeed; however, kde is only a window manager. reloading kde does not mean rebooting the server [thus affecting everything else that the server is doing]
--- d'oh
"The security warnings are the latest headaches for the Redmond, Washington- based software company."
Headaches for Microsoft? How about headaches for their users?
Why the hell can't MS stop making these stupid mistakes and save us all from these damn headaches?
Then when something has a bug, we can turn it off.
Someone set us up the bomb, so shine we are!
Yet another Microsoft patch batch. Why don't they put out these patches in a FIFO manner? This buffered output hinders my impression of their responsiveness.
This corporation has performed an illegal operation and will be shut down. (That was irrelevant, but necessary.)
true && more || less
To clarify for the uninitiated, the "key generator" referred to here is, of course, TheBlueList's famous (infamous?) XP KeY ReCoVeRER AND DiSCOVErER 5.12 (xpkey.exe, 49152 bytes, crc 1F259976, md5sum AE01E7CB9215AF1899931C524359ABD7).
It doesn't *generate* keys as such - it searches for valid keys. Not merely apparently-valid keys that pass some of the checks, but ones with a valid PID too. That's why it takes so damn long. If you let it generate about 600 keys, in fact, the probability is that amongst those somewhere is a REAL, ACTUAL product code of a copy of Windows XP that is still sitting in a warehouse for despatch somewhere, and you can activate it (and presumably cause a major hassle for whatever unlucky user or enterprise eventually buys that copy).
The keys WILL work, and the only way MS can disable them is to check for a range of sold keys, which they can't because I have enough genuine leaked volume license, and other, keys to know they aren't always contiguous or always in the low 640 range, or connect to the net to check the key against a database, which is, well, WPA and my guess is, they probably won't do that (for the same reason they created the corporate version in the first place). And yes, there are still things we can do even if that happens (like the obvious one, which is <sigh> patch the service pack... what have we come to?).
I reckon that even if they could come up with a way to separate the keys, a way which would undoubtedly give a large number of false negatives when checking for genuine keys, they wouldn't use it due to time constraints. SP1 is due Real Soon Now and should - I stress *should* - be in regression testing already, and the QA team really won't like it if the current logic bombs (which have a very low probability, but not zero, of misfiring due to a hash collision with a blocked key) get tweaked at the 11th hour.
I would, however, when SP1 comes out, recommend that you download the corporate deployment executable directly rather than use Windows Update, and disconnect from the net before applying. Just in case. This applies to legit users as well as those people who refuse to pay MS on principle, but just can't resist that yummy-but-evil Windows goodness. (You might want to wait until others have tried and look at their results with the release version - why risk messing your machine up when there's a queue of testers that long?)
Try turning off automatic updates completely, stop certain services (background transfer, automatic updates, ssdp discovery service, etc - use your imagination, that's what last known good and system restore are for) blocking incoming ports using the internal firewall if there's nothing else (it'll _do_) and using, say, Mozilla (or Opera, if you prefer, but if you're in the market for XP, you're probably spec'ed for Mozilla to run very well) to browse the 'net/email until you're patched.
But, for MS, there's no quick fix - or even slow fix (truly secure digital signatures are too big to fit into an existing product key, even using one of the minimal discrete log-ECC derivative schemes) - for TheBlueList. It's become a major headache for them, and is why they have decided to completely dump the existing product code system for .NET. (Good.)
To change the product code, in case your copy of Windows has a logic bomb misfire, change at least one byte of the binary string at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\oobetimer (which will deactivate Windows, even a corp Windows), run %SYSTEMROOT%\system32\oobe\msoobe.exe /a (which is the activation wizard), which should tell you you need to activate, select activate by phone and look for the option that allows you to change the product key. Be VERY sure you enter it correctly, because there's no hard checking here, before the reboot - and if it isn't valid, Windows won't boot (in which case you have to hold F8 and select Last Known Good, which should restore your old product key again - I say *should*).
MS apparently support this method and have suggested this as a possible mitigation in the event that their logic bomb misfires and locks out legit users (which would be amusing, and if they try to lock BlueList keys, very very likely). If you can, and you aren't paying the tab, and you're legit, phone them up and shout at them if that happens. They probably won't get the message, but it'll make you feel better.
I happen to be on the same internet as software pirates, and don't want their machines being used by script kiddies as a staging post for DDoS attacks and/or active worms, and thus definitely do not support MS's hardline approach on updates. I'll leave the zealotry to others - after all, this IS Slashdot.
The information in this post may be used and copied freely. Share and enjoy.
- Just Another Anonymous Cracker
Ha-ha! Jealous? ;)
You can't handle the truth.
Funny how everyone's arguing over the EULA and fails to note that this patch doesn't do a damned thing about the SSL cert authentication bug.
To prepare for the Fall, there is a story of rebel coding in Finland. What happened to make Mr. Torvalds seek refugee status in India? And what version of the YQ terminal do you want in your head?
another EULA alteration (oh, and yet another critical patch needed!)...
which came first? the decision to change the EULA or the discovery of the hole?
There are 6 new security holes in Windows, (The security hole is actually in Windows since you cannot separate Internet Explorer from the operating system, Michael please make sure that your statements are correct, a hole in IE is a hole in Windows.) and Office?
How can this be? Microsoft has been focusing on security all year, and I just patched my system last month.
Actually for some silly unknown reason American and British boys were spilling their blood to save your country of cheese-eating surrender monkeys while your Grandmother was sucking off Gestapo officers for cigarettes and cheap wine.
Why do all xenophobic, racist idiots insist on posting as Anonymous Cowards? If you're so proud of your views that you feel the need to share them then why not let us know who you are?
You're just like the KKK - they hid behind their hoods and you hide behind the "Post Anonymously" option.
(Oh, and I find it funny that Americans indulge in France-bashing. If it wasn't for their help during the American War of Independence then it's highly unlikely that there would even be a USA as we know it. And who do you think gave the Statue of Liberty to the US as well?)
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Well, then setting up Red Hat takes even less time than with a kickstart diskette. Time: Put in disk and install CD, turn on computer, come back when it is done configuring everything.
Shutting down KDE doesn't stop sshd, apache, oracle, ftpd, nfsd, or any other server from functioning. So an update to Konqueror could be done with 0 down time....
Though why you'd be using Konqueror on a critical server machine (where 0 down time was important) enough that you'd need to be updating it is another thing entirely....
Advanced users are users too!
He said, "we should be pushing for accountability". What I think he's saying is that if Microsoft refuses to open it's code, then that's fine - it's their right. However, if they don't, then they should be held liable for their incompetence or maliciousness (whichever applies today).
It's an interesting concept. Personally, I think Microsoft would be better off opening the code, rather than expose themselves to that kind of liability.
As an avid Microsoft software user I haven't come to expect anything less.
At least they come out with patches and fixes relatively promptly and have a good software-based distribution system to get the fixes to everybody.
But it does seem they are producing fixes more often than not.
would be the cost of the oil change.
Read the fine print, and the flip-side of the oil change contract.
Well sure, they have to do it. Great Wall of China: Hey, here's a hole! Several hundred Chinese go patch it up. What eventually happened? Same bunch took over both sides of the wall, so no wall needed for a while. That won't happen to internet security, for there is always us vs. them. Then, the wall was in part, disassembled (whoah, short circuit) for building materials. Then, rebuilt during communist era to act as showpiece for Nixon visits, etc. Gee, none of this applies... Well, anyway, I'm using Mozilla with win 98 instead of ie6. I really don't have to keep utd on the patches, unless I have nothing else to do. Linux? Gave up long ago trying to keep up with the patches. Redhat swamped me with them. I just install the latest version, and for a few days, everything's patched!
Rapidweather's Linux Screenshots.
(Oh, and I find it funny that Americans indulge in France-bashing. If it wasn't for their help during the American War of Independence then it's highly unlikely that there would even be a USA as we know it. And who do you think gave the Statue of Liberty to the US as well?)
While obviously some Americans do that, having the view from the inside, it's just as obvious that the vast majority do not. In fact, I don't personally know anyone who does. I have high regard for the French. As do many others. Don't let the jerks get under your skin. And please, don't let them make you think we're all like that. If you think Americans in general are France-bashers, or are "xenophobic, racist idiots", then you're as guilty of stereotyping as you seem to think we are. Granted, you didn't actually say you think all, or even most, Americans are like that. But the tone of your post makes one wonder.
As for the Statue of Liberty, and the assistance with winning our independence, all I have to say about that is "Thanks.".
I totally agree. I have been using Mandrake 7.x stuff for about 2 years. Recently, ( 1:30am up 6 days, 22:24, 2 users ), I DL'd 8.2. Backed up the important stuff and wiped the disk. Install took 10 minutes. All hardware detected and working properly, cable modem, dhcp, NAT, for two win 98 boxes, ftp & telnet (for lan), etc.., worked on post install reboot. Spent 1/2 the day tweaking for personal choice stuff like iceWM and apps I like. Other than my personal preference stuff, I had a fully patched, running and decently configured system in under 20 minutes.
My wife's system is WIN98SE, she is the master of the reinstall, it still takes her 6 hours just to get the bare OS installed and configured. Something about rebooting 25 times in 6 hours is just a bit time consuming.
End result, the current revs of the bigger distros are pretty damn slick and the installs are FAR better than anything I ever experienced. The development rate of linux is quite astounding.
I can only imagine what Mandrake 9 or higher will be like. The GUI config stuff is getting to the point that you only use CLI if you want to.
Hats off to the OSS world. I am impressed.
Bill
No, I don't think that all Americans share the same views on the French (or any other topic) but I do find it annoying that none of the people who find the time to post this kind of crap on /. have the balls to post under their own accounts.
If they enjoy practising their right of free speech so much shouldn't they at least have the guts to say "these are my views, this is who I am and I make no apologies for it"?
And, for the record, I am not French. What I am is bored of (and pissed off at) having to read this kind of junk on every discussion that has any kind of non-American interests mentioned.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
> Nice, I wonder how many of those sites simply don't work
> because of the VM you're using
Sorry, I must have miscommunicated. This is not on my Linux box,
but on the Windows box upstairs. So, Windows is running right on
the hardware, with no intervening VM. Sorry for any confusion.
(If you meant the Java VM, it was the latest one available at the
time, although some browsers may use their own implementation
instead.)
> or some setting you've been messing with in the registry
The only settings I mess with in the registry are the ones that
applications abuse to start themselves at system start time.
Allowing apps to do this seriously degrades system performance.
If one app does it, that app starts a bit faster, but when
twelve[1] apps do it, they all start slower, because you have no
RAM left. So I don't let any apps do this, especially not ones
we don't use all the time. What's really annoying about
misbehaved apps that put themselves in the Run keys without
asking is, they invariably take measures to insert themselves
into the Run keys not just on install but every time they run.
When the user manually starts up an application, then it loads
just as it would have at system start, had it been allowed to do
so at that time.
I was personally surprised that he didn't find more sites using
MS-specific code (mainly, the document.all interface), but there
weren't that many (that he visited -- YMMV). Mostly he got sites
in one of two categories: their HTML was obviously broken (you
know, mismatched tags, misspelled tags, imaginary tags, tags
missing their closing right angle bracket, required close tags
missing, imaginary attributes, attributes from one tag placed on
another tag that has never accepted them in any known browser,
unquoted attributes containing spaces, and that sort of nonsense)
or else they relied on the Plugin Of The Week (by which I mean,
some plugin that is not listed on Netscape's plugin finder
service and does not come with IE; the only one I remember is
Shockwave (which as it turns out is produced by the same company
as Flash, but less well-known), but we ran across perhaps a
couple dozen different ones, all obscure).
The former type of site (HTML run through a blender) was the more
common type. The Plugin Of The Week issue mostly happened when
he was looking for WTC news last fall.
My mom also ran into at least one instance of bad server-side
sniffing, wherein if the browser was neither NS4 nor IE,
nonstandard characters were inserted in a document (in places
where the other browsers got spaces, according to View Source)
that didn't declare its character set. This was at Ancestry.com,
but the issue went away because my mom doesn't visit that site
any longer. Any email to the webmaster is answered (by a bot,
apparently) with a letter explaining which browsers are
supported. Funny thing is, the letter says Netscape 4 or later,
but later versions are handled incorrectly.
[1] A slight exaggeration only. MSIE, AIM, the MSN IM client
(and its associated spyware), and YIM all do this without
even asking. Other apps (Mozilla, Netscape, OpenOffice,
ask, and respect your choice, so I don't have a problem with
them. But the misbehaved ones I keep in check by editing the
registry, yes. There were at one time some other apps doing
this (well, trying to) that I haven't listed, but they've
been uninstalled now.
Cut that out, or I will ship you to Norilsk in a box.
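A defensive counterpart to the Run-key housekeeping described in the post above, as an added example that is not the poster's own code or tool: a script that parses the text `reg export` writes for the two autorun keys and flags every entry whose value name is not on an allowlist, reporting which executable each one launches. The export embedded here is constructed and the allowlist is an assumption; parsing the export rather than the live registry keeps the script runnable on any OS and lets the same check be run against exports collected from many machines.

```python
"""Audit the Windows autorun ("Run") registry keys from a .reg export.

Added example, not code from the post above. It parses the text that
`reg export` writes instead of reading the live registry, so it runs on
any OS; the export below is constructed and the allowlist is an assumption.
"""
import re
from typing import Dict, List, Tuple

# The per-machine and per-user autorun keys the post calls "the Run keys".
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Value names the administrator has decided may start at logon (assumption).
ALLOWLIST = ("Antivirus", "Mozilla Quick Launch")

# Constructed sample in the format `reg export` produces: backslashes and
# double quotes inside the data are escaped with a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\Example AV\\avtray.exe\" /min"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Mozilla Quick Launch"="\"C:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe\" -turbo"
'''

# "name"="data" lines; both sides may contain backslash-escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    # Undo .reg escaping (backslash-backslash, backslash-quote) in one pass.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for every key in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            keys[current][_unescape(match.group(1))] = _unescape(match.group(2))
    return keys


def executable_of(command: str) -> str:
    """Extract the program an autorun command line launches.

    Quoted paths are taken verbatim; an unquoted path containing spaces is
    recovered by extending tokens until one ends in an executable suffix.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith((".exe", ".com", ".bat", ".cmd")):
            return candidate
    return parts[0]


def audit(reg_text: str, allowlist=ALLOWLIST) -> List[Tuple[str, str, str]]:
    """Return (key, value name, executable) for autorun entries not on the allowlist."""
    allowed = {name.lower() for name in allowlist}
    wanted = {key.lower() for key in RUN_KEYS}  # registry paths are case-insensitive
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, command in values.items():
            if name.lower() not in allowed:
                findings.append((key, name, executable_of(command)))
    return findings


if __name__ == "__main__":
    for key, name, exe in audit(SAMPLE_REG):
        print(f"unexpected autorun: {name!r} -> {exe}  ({key})")
```

Run against the constructed export this reports the two IM clients and leaves the allowlisted antivirus tray and the Mozilla quick-launch entry alone; on a real machine the export would come from `reg export` of each key, and the same allowlist comparison is what turns the manual registry editing described in the post into a repeatable check.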
Flash wasn't the problem. We did install Flash on the PC
my parents use. I generally don't keep it installed on
my Linux box, because I personally don't _like_ annoying
flashy blinking things, but that's unrelated.
Cut that out, or I will ship you to Norilsk in a box.
> So, Windows is running right on
> the hardware, with no intervening VM. Sorry for any confusion.
;) Overall, though, it sounds like he's simply hitting a lot of obscure sites, which is unusual, because I don't see all that many sites that have those kinds of problems. One thing I do see a lot, though, is generated HTML that does the broken tag thing and ends up cutting half the content from the page, but then view source usually lets me finish reading the article that was cut off.
> (If you meant the Java VM, it was the latest one available at the
> time, although some browsers may use their own implementation
> instead.)
I meant the Java VM. Specifically I've had problems with certain VM's from Sun (and a few problems with a couple of Microsoft's VMs), and find that many times when people are complaining about sites not working it's related to their Java installation, though, of course, it depends on what the site is using in the first place.
> The only settings I mess with in the registry are the ones that
> applications abuse to start themselves at system start time.
> Allowing apps to do this seriously degrades system performance.
> If one app does it, that app starts a bit faster, but when
> twelve[1] apps do it, they all start slower, because you have no
> RAM left. So I don't let any apps do this, especially not ones
> we don't use all the time. What's really annoying about
> misbehaved apps that put themselves in the Run keys without
> asking is, they invariably take measures to insert themselves
> into the Run keys not just on install but every time they run.
Yeah, I understand that. There are very few apps that I would allow to run automatically, and I have a tendency to seek out alternatives when a particular app is pushy about it. msconfig and gpedit.msc (depending on the version of Windows being used) are really helpful at keeping those out of there without having to remove the registry entries on every startup.
> I was personally surprised that he didn't find more sites using
> MS-specific code (mainly, the document.all interface), but there
> weren't that many (that he visited -- YMMV). Mostly he got sites
> in one of two categories: their HTML was obviously broken (you
> know, mismatched tags, misspelled tags, imaginary tags, tags
> missing their closing right angle bracket, required close tags
> missing, imaginary attributes, attributes from one tag placed on
> another tag that has never accepted them in any known browser,
> unquoted attributes containing spaces, and that sort of nonsense)
> or else they relied on the Plugin Of The Week (by which I mean,
> some plugin that is not listed on Netscape's plugin finder
> service and does not come with IE; the only one I remember is
> Shockwave (which as it turns out is produced by the same company
> as Flash, but less well-known), but we ran across perhaps a
> couple dozen different ones, all obscure).
Shockwave isn't all that obscure, and is installed by default in newer versions of IE. At one time it was more common than Flash, back in the days when everyone was on dial-up
> [1] A slight exaggeration only. MSIE, AIM, the MSN IM client
> (and its associated spyware), and YIM all do this without
> even asking. Other apps (Mozilla, Netscape, OpenOffice,
> ask, and respect your choice, so I don't have a problem with
> them. But the misbehaved ones I keep in check by editing the
> registry, yes. There were at one time some other apps doing
> this (well, trying to) that I haven't listed, but they've
> been uninstalled now.
MSN IM, in my experience, is pretty good about respecting the choice as well, though you're right in that it doesn't ask in the first place, and it's not very nice about presenting the choice to the user, as it's buried in the options dialogue. I don't think I ever figured out a good way to get rid of AIM except for removing it from the system, and I've never used YIM. Real Player and QuickTime are also banned from my systems (though QT eventually finds its way back for content reasons) for similar behavior, though I do find that eventually they'll go away when told to as well.
-PainKilleR-[CE]