Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
It's sad that, when I saw that the patch was released, the first thing I thought was, "I hope the EULA won't force me to accept automatic installs from now on."
I think I'd rather have an insecure system than one that gives MS carte blanche to install what it wants. There's something wrong with that.
Arbitrary commands run by strangers if I don't,
Arbitrary commands run by Microsoft if I do.
If only more sites complied with standards, I could dismiss MS entirely for Opera.
I can spell. I just can't type.
Download now to continue keeping your computer secure.
So apparently my computer is already secure and there is no need to download the patch then!
Silly Microsoft.
if they can't be trusted, you shouldn't allow them to connect to the internet at all.
As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.
A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest with them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
For the quickfixes listed on the URL, there is no EULA to install them.
GPL'd web-based tradewars themed space game
Um, shouldn't you allow your family to make their own decisions? You can suggest they don't use MS, but saying you don't allow it seems a little peculiar. And guess what? Programmers aren't perfect. Even the best ones make errors (even Knuth, rarely). The fact that Microsoft found six holes, disclosed it, and released patches is a terrible reason to say "I won't allow my family to use MS". Jeez. Remember the hole in OpenSSH? Do you refuse to let your family use that too?
slashdot!=valid HTML
I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".
For now, my PC is safe from Microsoft forced modifications (relatively speaking)
Avantslash - View Slashdot cleanly on your mobile phone.
Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?
Am I the only one who noticed this does not include the fix for invalid SSL certificates? Pretty big (and very expensive) problem, I think....
The Right Reverend K. Reid Wightman,
You have to reboot to complete the installation. Great. Now all my server updates (please do not ask why, I just follow orders) are going to be a joy. I can't believe I have to reboot to patch a damn browser.
I don't want knowledge. I want certainty. - Law, David Bowie
If someone with the corporate edition key for XP Pro installed SP1, would they be able to apply this patch as well? I thought the SP1 would lock out all further updates?
Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
While I agree with you on giving people choices, I disagree with the comparison of OpenSSH. You said it yourself, six holes in Windows/IE (today) and the hole in SSH. Hundreds of vulnerabilities vs. one is not a very good comparison.
"OH MY GOSH!!!! MICROSOFT HAS ANOTHER VULNERABILITY!!! THAT'S NEWS!!!"
Just for kicks, I signed up for Microsoft security bulletins. I get hordes of e-mail every week, as new vulnerabilities are continually found in each of their products. Being an IE administrator it's important to subscribe to this stuff.
New IE patches come out about every 2 months. This patch is not all that big of a deal. All the fixed issues had workarounds, and a lot of it could be prevented by using a good proxy server.
The fact that Slashdot immediately jumps all over Microsoft for this is ludicrous. Get a life.
There is no reasonable defense against an idiot with an agenda
:wq
One interesting IE security resource happens to be PivX Solutions' "Unpatched IE Security Holes." Extensive information about many of the vulnerabilities addressed by this patch was available there months ago.
;)
My original title (which was edited by michael for purposes of clarity, I'm assuming) failed to mention Office; the CNN story and Microsoft TechNet article didn't seem to coincide. However, it's entirely possible that a few shared components may be vulnerable.
Do you like German cars?
They already know. Remember a couple of months ago, when Microsoft VP Jim Allchin stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. The architecture of Windows is inherently insecure and cannot be fixed. Read all about it here.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Fine, you spend your life in grief and fear, I shall honor the dead by living free in my country. Putz.
-- Insert wisdom here:
I'm tempted to send my boss the following warning.
"Beware gophur attack in coming days.
Tunnels created by gophur may break windows.
Advise careful monitoring of the handler."
To see if he goes all Caddyshack on me.
I need more old protocols coming back purely to be used for my amusement.
Working for the (other) man
Why is it that companies (and individuals) complain and complain about how much time/money/energy they spend on patching Microsoft products and yet don't do anything to change a) their practices and b) their product choices?
This is an honest question that I'm wondering about. I agree with the people who also wonder why Microsoft flaws get so much attention from /. and Linux/Solaris/Apple/etc flaws get next to none. To those that say "Because there aren't any worthwhile reporting on." I say "Read more." The recommended patch cluster from Sun has lots of interesting reading.
There seem to be _a lot_ of alternatives for almost everything. How many of those alternatives are used by more than the developers of those alternatives? By more than the friends/family of the developers? For my part, I don't have the money right now to get a second machine and my current Windows machine is used primarily for games. However, when I get the money, I will be running something other than Microsoft products where possible. My browser of choice right now is Mozilla. But there are sites that require me to use I.E., much to my disappointment. What are the technically savvy people doing to help their companies move away from Microsoft and what alternatives are they proposing? [And no, 'Linux' isn't a good answer. What distro of Linux?]
Personally, I'm glad Microsoft changed their EULA to say that it gives them the right to run whatever they want on your computer. It gave me a wakeup call to read the EULAs more carefully. Occasionally, I turn down the EULA and don't use the product. Are other people finding that they are reading EULAs more carefully and actually turning them down more?
--Maarten
Don't -1 the parent, a good point was made , just not that well.
If your servers are configured correctly and you have redundancy in place then there should be no problem installing this update.
If you don't use load balancing then just bring the warm/cold server online while you take the server you're about to update offline.
Spend a few days testing the updated server,
and then sync with the cold/warm server and repeat.
If you use load balancing then take some servers out of the loop and run them concurrently to make sure Microsoft hasn't broken anything, then repeat until all servers are updated.
If all of the above sounds like voodoo then you should be more concerned about your internal systems than any bugs that might be in Windows.
thank God the internet isn't a human right.
Yes AC, I know there is more than one OpenSSH hole, but let's go back and count all bugs ever found in IE so we can be fair. I was referring to the fact that he knew of one hole (ok, let's say three this year) and we are talking about six on one occasion.
MSFT announces security patches.
Film at 11.
Next!
RedHat and Mandrake announce security patches.
Film at 12.
Next!
Really. I'm glad they are doing this. Glad they are taking some active measures to improve their security. If everyone who has a windows machine actually performs the update, we'll have a safer world of computing :)
If they don't pshaw the other holes that other people find and admit their seriousness now, I'll actually have one less reason to hate them.
-- Who is the bigger fool? The fool or the fool who follows him? --
That's what I said to my friends and now I have time to enjoy myself. Before that, I would go over to a friends house and find myself cleaning up their system.
Now I tell them that I don't do windows.
DRM? No thanks, I'll just get it somewhere else...
You know. The time that someone thought it would be gnarly to hack OpenBSD's FTP server and trojan the makescripts?
The folks at OpenBSD still haven't explained how that happened, so we've got six theoretical bugs (which will undoubtedly become reality Real Soon Now) versus an unexplained, but very real, hack, which may or may not manifest itself elsewhere. And as long as we're calling apples and oranges, take a look at the size of the codebase and the amount of functionality of one versus the other.
Easy does it!
In the same e-mail, I sent a link to RedHat.
Hopefully, my family will finally switch to an OS that actually works.
Thanks Microsoft, for helping me make my family realize how much your software sucks -- couldn't have done it without you! *smiles*
When faced with a problem, many web developers say "I know, I'll use JavaScript!".
Now they have two problems.
Yet six more reasons why I don't allow my family to connect to the internet using MS. They can't be trusted.
:-)
Who? Microsoft, or your family?
"Mod, mod, mod...and another troll bites the dust."
When developers try to make operating systems more user friendly by binding commonly used social security holes (alt-ctrl-del) to intuitive items like logging into the computer, we sure know where everything is headed
OK, now here's something I don't understand, but you appear to, so I'll ask now..
How (exactly) does ctrl-alt-del make a computer MORE user friendly?
When you boot Win NT/2K/etc, you have to 'hit ctrl-alt-del' to log in - exactly what is being accomplished by doing that? Would it not be easier to simply present a login screen?
Exactly how does adding a step - which seems (to me, at least) to be a NOP - make the computer easier to use?
And where does the writer of the article get off saying "The world's No. 1 software maker said ..."
Microsoft is not the world's number one software maker. They've bought most of their current product line. Now, if the article had said "The world's No. 1 software bug producer said ..."
And that Debian releases a security notice for every flaw found in every one of the (over 10k) packages that they maintain.
MS on the other hand often ignores security issues (21 open security problems with IE) and does not maintain as many packages.
Lets just hope he didn't find out about these issues looking like this.
Disclaimer: I've met him in real life several times, thankfully he was fully clothed. He often pops on to the place linked below under the name of "Foon".
Avantslash - View Slashdot cleanly on your mobile phone.
Especially considering to get the "Designed for Windows 2000 / XP" Logo on your software, you have to have an install that doesn't require a reboot.
I am not a number! I am a man! And don't you
from the bottom of the BBC article:
I'm gonna start smoking again and drinking and having unprotected sex and then I'm gonna stop paying taxes and start cursing out the cops and run through the airport with a gun.
I can't cope anymore. Tomorrow there will be 6 more critical problems and 6 more and 6E5 more. What's the fucking point?
Get Naked And Start The Revolution!!
But I won't work on Windows computers in my free time, which means I will not help them fix their windows computers if and when they break.
Period.
Of course, my mom prefers GNU/Linux and hates her Windows box at work (her home Linux box works, and works well).
My sister's husband, on the other hand, prefers Windows. Fine. Their computer is broken a lot and they have trouble finding anyone to help them fix it. *shrug*
The Future of Human Evolution: Autonomy
Fixing six vulnerabilities is good. They're not _finished_,
but it's progress.
Cut that out, or I will ship you to Norilsk in a box.
And how do you know it doesn't? After all, Windows Update sends stuff to Microsoft. Latest Service Pack for W2k has a completely Automatic Update incorporated (now, I thought service packs shouldn't include new features). I know, in their privacy policy on the web they state they don't send info...but privacy policies on the web represent nothing nowadays and are subject to change any day in the week.
And it will load virusen (note spelling) on your computer so they can h4x0R you!!
Small anecdote: recently I "fixed" the PC of an acquaintance of mine (clueless computer user). This family uses only Microsoft products and is clueless about maintenance (their antivirus was hopelessly out of date). So, I say that this was an unpatched Windows 98, with an unpatched Outlook (5, I think) and an unpatched Internet Explorer (5, I think). Now, what did I find on this machine: spyware *en masse*, and besides that at least 5 instances of Klez and *two* programs that Norton Antivirus identified as "Backdoors". Now, what again about haxorring?
Microsoft doesn't give you the blueprints of the software, yes. I'm perfectly okay with that. However knowing that many skilled programmers all over the world tinker daily with the open-source equivalents gives me this warm and comfy feeling that malicious code *will* be detected and *will* be fixed. It's just a feeling, so it's rather subjective... but honestly, do you prefer to be part of a community that might care for you *or* know that a company that is only after money (which is after all the goal of any company) is responsible for your security?
Of course your post was flamebait, and I took the bait.
It's not a news site, it's Rob + Friends blog! If you don't like it, don't come back here. Is that it?
Well, I'd put it like this: the site is concerned with open source software, free software, Linux, privacy issues especially related to technology, various general tech issues and toys etc., plus various cultural things of interest to its target audience, like anime, sci-fi, etc. If you don't share the interests and perspective, and aren't interested in learning more about those things, then yeah, you probably shouldn't be here. Then again, /. could probably do with the advertising dollars, so by all means stick around, just try to keep down the whining.
Read the OpenBSD FAQ for the details of why the FTP server isn't an OpenBSD box, but IIRC it's basically because it's a donated box and bandwidth from a university, and beggars can't be choosers.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.
What does that tell us about .NET?
I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.
Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.
Hell, my 3 year old son gets it OK?
(While playing Zoboomafoo Alphabet the Critical Update came onto the screen obscuring the Lemurs. "Daaaad stupid Windows is bothering me!")
This
ctrl-alt-del is a key-combo that no program can 'steal' from the OS
Thank you, that answers my question nicely.
Although it's kind of strange that the original poster attributed this behaviour to user-friendliness instead of security..
It'll cut that down to 10 minutes. Forget going to individual desktops - and FORGET MICROSOFT SMS.
heh heh
It's nothing, just your carbodyluminocap acting up... just a couple of hours to fix.
-dave
First, if you read the message, you'll see it says "CTRL-ALT-DEL helps protect your login" or something like that.
The reason is simple-- it's the only key sequence that can't be trojaned away. Remember people "hacking" hotmail by emailing a link to a webpage that looks just like the hotmail login? Or replacing login on a *nix box with a spoofed version. CTRL-ALT-DEL is trapped by the OS, so it can always give you a "secure" (and I use the term loosely) login prompt.
In theory, there's no difference between theory and practice. In practice, there is.
-- Is "Sig" copyrighted by www.sig.com?
...a lot of Microsoft patches do not undergo regression testing.
HotFixes and QFE patches state that they have NOT been fully regression tested.
This is a known fact to most decent NT/W2K sysadmins.
Consider the workload and intrusiveness of patching Windows compared to Linux.
Windows - either buy expensive software to automatically distribute patches, and force users to reboot, or run around at each station.
Linux - have each station check your local security updates mirror on a nightly basis, and install when something is available. No downtime or reboots, just perhaps opening and closing an app. Users don't even need to know!
Stop the brainwash
Automatic update for home users that aren't technology-savvy like us = good
:)
Automatic update for my dad that only watches stock quotes and doesn't even know what to do when his windows box opens a menu like scandisk (so forget about patching and all) = good.
Automatic update for people that don't care about their machines being a hub for a potential DDoS attack = GOOD THING.
Automatic update for people that are knowledgeable and responsible netizens = more or less evil.
Above but with no way to turn it off = just plain lame.
So okay, let them have it their way, and the DAY they send up a patch that breaks everything and kills all of their userbase with a major flaw, you will have enough ammo to fire back at them. Before that, nobody cares. People leech Kazaa with spyware; they don't care as long as they get MP3s or videos. Face it, if the majority don't care, you don't have a case. When the majority face a serious flaw, bug, or their computers won't boot again, and it happens to their friends, family and everyone, then they will pay more attention to the people that try to advocate this matter. It will happen, just be patient
--- Metamoderating abusive downgraders since my 300th post.
No it wouldn't, M$ disciple! Obviously if you compile your own code, then you are responsible for the blow up. Now go back and patch your M$ machines!
From an end-user support standpoint, this appears to be a more critical bug due to the ease of use. Anyone can email someone a fake link that deletes their system folders. I'm not sure that Microsoft has addressed this in any way. Maybe they don't know about it yet.
If link above goes down, here's the quoted text:
There has been a very serious flaw discovered in the "Help Center" included in Windows XP.
To try it out, do the following, but, BE WARNED. IT WILL LIKELY delete anything you put in the "test" directory.
Create a folder called "test" at the root directory of your hard drive. Put some files in it (junk, whatever, stuff you don't care about losing). YOU HAVE BEEN WARNED AGAIN!
Then, copy and paste the "link" below into any address bar and hit enter.
Wait a few seconds, then, check that directory again. Gone, gone, gone.
This is a HORRIBLE exploit because it can be a link in any web page and exploits a terrible flaw in the Windows Help Center included in XP.
hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*
Ways to fix this issue:
Delete/rename the "uplddrvinfo.htm" file (located in C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS).
Or, open it, find, and delete the following section of code:
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" ); try { oFSO.DeleteFile( sFile ); }
Or unregister the hcp protocol handler.
Deleting the section of code breaks the exploit (I have verified it myself) and it is highly recommended that anyone here using XP take steps to fix this because it won't be fixed until SP1 for XP comes out.
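The post above covers the fix on the client (removing the script or unregistering the hcp handler). The following is an added example, not code from the original post, for the detection side: a small scanner that flags hcp: protocol links in web content, of the kind a proxy content filter could run before pages reach XP desktops. It uses only the Python standard library; the sample page, the function names and the `file:` argument check are this example's own assumptions, modelled on the link shape quoted above.

```python
from html.parser import HTMLParser

# Added example (not from the original post). Web content has no legitimate
# reason to link to the local Help Center ("hcp:"), so any such link is worth
# logging; the uplddrvinfo.htm?file://... shape is the one the post describes.

SUSPECT_PAGE = "uplddrvinfo.htm"
URL_ATTRS = ("href", "src", "action")


class _LinkCollector(HTMLParser):
    """Collect every href/src/action attribute value seen in a document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value.strip())


def classify_url(url):
    """Return None for an unremarkable URL, otherwise a short reason string."""
    lowered = url.lower()
    if not lowered.startswith("hcp:"):
        return None
    path, _, query = lowered.partition("?")
    if SUSPECT_PAGE in path and "file:" in query:
        # The exact shape quoted in the post: the Help Center page that
        # deletes whatever the file: argument names.
        return "hcp: link to uplddrvinfo.htm with a file: argument"
    return "hcp: protocol link in web content"


def scan_html(html):
    """Return a list of (url, reason) for every flagged link in the document."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for url in collector.urls:
        reason = classify_url(url)
        if reason is not None:
            hits.append((url, reason))
    return hits


# Constructed sample page: one ordinary link, one hcp: link of the shape the
# post describes (pointed at a throwaway test directory), one hcp: link to
# some other Help Center page, and a mailto: link that should not be flagged.
SAMPLE_HTML = """
<html><body>
<a href="http://www.example.com/news.html">news</a>
<a href="hcp://system/DFS/uplddrvinfo.htm?file://c:\\test\\*">click here</a>
<img src="hcp://system/DFS/other.htm" alt="">
<a href="mailto:someone@example.com">mail</a>
</body></html>
"""

if __name__ == "__main__":
    for url, reason in scan_html(SAMPLE_HTML):
        print(f"{reason}: {url}")
```

Matching on the scheme rather than on the full URL is deliberate: the post says the handler itself is the problem, so a filter that only knows one specific link would miss the next page the same handler exposes.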
>The fact of the matter is Windows is the most common target of hackers. They occasionall find stuff, it gets fixed.
No, the fact of the matter is that the oldest security hole still present in internet explorer is over...
2 years and 2 months old.
Look, if they ACTUALLY fixed their OS (and by OS I mean browser, which MS says is the OS) we wouldn't care. But, you see, since they don't care to fix their OS (and if you can't fix it in 2 years then you are one very pathetic uncaring company) then we will care to explain to others that they don't care.
Get it?
You can apply every security patch in the world, but IE still lets any site:
- Any and all of your files
- Run any code they please
- Upload files of their choosing
- Modify files they want to
- Delete files they want to
- Delete your BIOS so you can't boot up your computer
- Make your computer dial 911 constantly, tying up emergency systems
- Install viruses on your computer
- Make your computer do DDOS attacks
- Make your computer email bomb threats to the president under your name
All without warning you. And any amount of patching won't affect it.
Is that not serious enough? Do they need to set your computer on fire to make it serious enough? Does your computer have to reach out and throttle you before you see how serious it is?
Sheesh.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Courts are already still a little leery about the EULA you agree to by opening the package containing the EULA; I don't think that one has ever even gone to court, and the enforceability of EULAs remains a big legal unknown. One purpose of the still-abortive UCITA is to nail this point down (with a "yes", of course).
But even in my most paranoid fantasies, I can't imagine a thing that you can't even see, ever, that you somehow "automatically" agree to, ever being binding. The EULA is not negated, in this case, it simply never existed.
One of the things this fixes is "a buffer overrun vulnerability affecting the Gopher protocol handler." Good lord, gopher's been dead for a decade! Why the hell does IE still bother supporting it at all?
I'm the stranger...posting to
Windows 2000 server has a built-in DHCP and DNS server, but it costs considerably more than $500, I believe. The primary purpose of this machine is a NAS server, and since I'm doing it on the cheap, I don't want to put a hardware RAID in it. Either Linux or Windows 2000 Pro (i.e., not Server) will do a software RAID-5, I believe, so those were my choices. If I'd wanted to spend more money, I could have, but I didn't want to.
With Red Hat, I get the OS and the RAID support for free for the cost of my time, and the DNS and DHCP servers are practically free because it was just a matter of copying over our DHCPD and BIND configs from another system.
South side of Chicago? Harlem? Watts? Compton? Africa?
:)
Might get more than 10% then.
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
The EULA was shown to you if you used Microsoft's Windows Update website. I know that I am looking at it right now.
"You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval."
That is the main right that you give up with this patch, but I think that has been in all their supplemental EULAs since .NET has been available. Wonder why they are so "afraid" of people saying what their benchmarks were.... Makes you wonder how doctored the results that they are publishing are if you can't disclose the ones that you receive.
I did not see anything about forcing DRM on us in this patch, but don't think that will stay this way for long.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
i thought you meant IT administrator. it's really sad that the browser has so many holes you need an admin for it.
-- john
And how do you know it doesn't?
Because someone would have noticed it, posted it on Slashdot, and there'd be much (rightful) outrage.
As for the antivirus issue - if Linux becomes the desktop OS of choice, it'll happen there too. Just because most viruses (and most clueless users) are on Windows doesn't mean the writers can't make Linux ones too.
I must admit, Mr. Gates is one incredible business man.
Don't announce security holes unless you are ready to release a patch, then you look like you're acting fast with no delay to solve the problem. Customers like that. Customers don't like to be warned that there is a hole with no patch, even if it will help them avoid potential problems, because it makes your company look irresponsible or slow or lazy or whatever.
When I say customer, I mean the portion of the population that doesn't even know what an EULA is. I mean the portion who, if told they need to pay a monthly license fee, would shovel out the money as a necessary expense. I mean those who think a web browser or its home page determines the ISP that you use.
TodayTM BillyJoelTM GoogleTMd for StitchTMes due to WindowsTM while RollerbladeTMing with an AppleTM and a PopsicleTM
Does this EULA have the infamous "we have the right to turn off functionality and delete files" clause that Microsoft has been putting in EULAs lately, in preparation for extra-aggressive digital rights management?
I have personally caught M$ stuff going around ZoneAlarm on two occasions:
WinME, no patches, ZAPro; system had no modem, thus no internet connexion. ZAPro dutifully reported every attempt to connect (which a lot of programs try to do for one reason or another, usually innocently)
... until Frontpage98. My first clue was when FP98 whined about being unable to find the nonexistent modem. ZAP didn't make a peep.
Win98, no patches, ZA Amateur 2.63 (I think); system has modem and DUN configured in the usual way. HAD been well-behaved. Made the mistake of installing TurboTax this past April, and it forcibly installed IE5.5. Which FUBAR'd DUN. When I finally got DUN working again and went online, ZA *immediately* reported an attempt to intrude, from a M$ IP address (I whois'd it, so I'm sure), IIRC on a UDP port. Excuse me? What business does M$ have trying to get into MY computer? And since IE5.5 wasn't running per se (I only use Netscape online), clearly it had suborned Windows itself. And again, ZA didn't make a peep, tho it had always reported every other attempt to get in or out.
This is why I IEradicated IE5.5 [see 98lite.net] and reverted the system to IE5.0, which had never exhibited any underhanded behaviour (tho I don't let it out on the net, I only use it for checking my HTML locally).
And yes, there is a hardware firewall in my future, exactly because of this sort of security breach.
~REZ~ #43301. Who'd fake being me anyway?
First off, I'm not saying that MS doesn't need to work harder at making their software more secure BEFORE releasing it. But if you think about it, there really is nothing computer related that is 100% secure. There's always someone that finds some way around whatever security gets implemented. Windows is the #1 OS by a long shot, and therefore has WAY more people trying to exploit any vulnerabilities. I believe that if Linux or some other OS had such a huge market share that perhaps there would be a lot more people finding security holes in those systems. Personally, I run FreeBSD on my server, but I use WinXP on my personal box, because it's primarily used for gaming. Anyway, just my viewpoint
R.
Um, folks?
Windows 2000 Server is "expensive software." $859.99 right now on Amazon... for a 5-client license.
Don't you wish your girlfriend was a geek like me?
nor do you need to reboot, except in a few cases
We had the FC JBODs lying around. They used to be part of another system, but now they're not in use. We have tons of Fibre Channel drives and JBODs lying around, leftovers from a business venture now cancelled. Combined with a spare QLA2200 and a PC, they make a fine NAS server for no money down, and no payments until never.
Even if we'd wanted to blow some cash, is there such a thing as a Fibre Channel RAID card? I don't care much for RAID cards, so I've never looked, but I've never heard of one, either.
Yeah, because Mozilla doesn't have any bugs, right? Oh, wait... there're 51 new bugs reported so far today [whoops... Bugzilla bans linking from Slashdot, lol... c&p into your address bar]!
I love Mozilla too, but that doesn't mean it's perfect. I use IE and Mozilla about equally.
So.... You prove your point (that ie isn't the only insecure browser) by linking to a page, that lists ONE hole in mozilla and related, which is FIXED? Actually, if that page speaks the ultimate truth, mozilla isn't insecure, since they fixed their one bug.
Besides. The same page shows that IE has 16 unpatched vulnerabilities!! And about 15 patched ones. How can you even begin to think that that comparison speaks in favour of anything other than Mozilla and its offspring?
------- I fumbled my registration and I now must suffer
That link scared me at first, then I followed it, and found out that it was a known problem for a couple of days, then fixed immediately. Furthermore, It's ONE problem. IE just patched *SIX* problems, and that's not even half of them. And finally, even serious vulnerabilities in other browsers have less potential for harm than IE vulnerabilities, because they don't have direct access to system components like IE does.
All that link does is make IE look even worse.
Don't you wish your girlfriend was a geek like me?
It's irresponsible to advise people to read the EULA on software before installing it? How does that work? The reaction to the comment was based on people's past experiences with MS EULAs, not the general idea that you should read the EULA. I'm sure that if you told some MS executive that a major geek site posted a note about these new releases, and reminded people to read the EULA before installing, they'd actually be somewhat reassured. (unless of course, they're counting on people not reading it...)
/. isn't responsible for that history, MS is.
People are leery of the EULA and the patch because it comes from Microsoft, which has nothing to do with the post, and everything to do with MS's history.
Don't you wish your girlfriend was a geek like me?
I wonder if Microsoft's EULA could be considered a form of coercion? Look at it this way:
Microsoft creates a flawed piece of software. They sell it to millions of unsuspecting victims under one EULA.
Then, they release patches for flaws that are serious enough to destroy a business if left uncorrected. They tell the victims: "Agree to this new EULA that takes away many of your rights or we won't fix our software!"
The race isn't always to the swift... but that's the way to bet!
Of course, this only works insofar as people know that you have to hit ctrl-alt-del to log in, and that if they have a login prompt without hitting that, there's something wrong.
I've never seen much effort on the part of MS to get this across to folks, so this bit of security is pretty much wasted.
Don't you wish your girlfriend was a geek like me?
We do, it's called Linux.
"I'm not a procrastinator, I'm temporally challenged"
PivX Solutions has a good list and commentary of remaining vulnerabilities in IE at http://www.pivx.com/larholm/unpatched
...
They say it best - for now best to run IE with Scripting turned off
"The basic tool for the manipulation of reality is the manipulation of words." - PK Dick
"OSS "vendors" will have to warranty their software to do something, and do it a certain way, or else."
Or else... what? Refund the purchase price +10%?
It all depends on what you warranty and what you promise if the user collects on the warranty. It also depends on who is required to warranty software... would make sense that only commercial vendors would have to. Even the big Linux distros aren't "sold," rather, you can buy a CD with the free software and a manual to go with it, or you can download it all for free.
Besides, what is the likelihood that someone will spend $2000 on Win2k Server and licenses for their little office and be unsatisfied that the software does what it warrants, vs. the likelihood that they'll spend $100 on the deluxe RedHat package with a year of phone support and be unsatisfied that the software does what it warrants?
Don't you wish your girlfriend was a geek like me?
"And to make sinister allusions like 'Be sure to read the EULA first' as if the EULA on this patch is somehow different than the EULA on the original Windows or any other patch that has come out for it (and thus to hint that persons should not apply MS security patches) is irresponsible."
Oh, you believe that suggesting that Microsoft may try to sneak in a modified EULA is irresponsible? They have already done this in their service packs.
I don't think it's a bad idea to double and triple check any agreement with this monopolistic, anti-competitive, power mongering group of corporate thugs. After all, they have repeatedly proven that they cannot be trusted.
Not to follow the law, not to deal fairly with their competitors or the consumer in general.
The race isn't always to the swift... but that's the way to bet!
It makes them look worse, because it's a perfect example of how browser security holes *should* look. There's one hole, it was patched immediately. Rather than a laundry list of issues ranging from a couple weeks to a couple years old.
From following that link, you can see that it is obviously *possible* to build a browser (a good one, in my experience... upgraded to Mozilla 1.0 from Netscape 4.7, since I hated NS6 and won't use IE) that has relatively few security holes, and it is also possible to fix them as they come up. What excuse do you want to give on MS's behalf for being so behind, especially when they have a lot more resources to throw at the issue?
Don't you wish your girlfriend was a geek like me?
No, silly, the Internet!
You can't handle the truth.
"the unfortunate truth is that hardly any casual computer user can set up and use an open source OS like they can with Windows"
Same computer, same hardware, 5 operating systems:
Windows ME: Decent drivers for half the hardware didn't exist. Never worked right. Lost count of install program reboots after 30. Had to download drivers from 5 sites, and let me tell you, the Creative Labs site is a POS.
Windows 2000: 12 reboots to install drivers. Had to do things like configure obscure settings in the Device Manager to get the USB Drives working.
Mandrake Linux: Everything was configured. Everything was working, no obscure options.
SuSE Linux: Had to run a command line to get the sound card working.
BeOS: Didn't support half the hardware, and no drivers existed. No shock, I tried it just for fun.
The argument about Linux being hard to install is an old chestnut that does not apply to most of the current distros. Today Linux is easier to install and get up and running than Windows, even for beginners.
"Live Free or Die." Don't like it? Then keep out of the USA
Actually, the 2 year old bug he was talking about was the SSL man in the middle attack. Now if I understand that bug and how it works, a malicious site operator would have to obtain and install the certificate from the site he would like to spoof. Then he would simply link to an image on the real secure site and IE would be fooled and think it was on the real site. The problem is the first part, obtaining the certificate of the site you want to spoof. It is not something that can be easily done in the real world.
'Same speed C but faster'
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Your comment is flat out wrong.
Below are quotes of the exact text from the "Designed for Windows XP spec v2.3" document:
"The application must not require or suggest an unnecessary reboot during or after installation."
* Installing a Windows Service Pack or authorized system redistributable may require a reboot.
* Installing a Graphical Identification and Authentication dynamic link library (GINA) requires a reboot."
The above quote comes straight from the horse's mouth.
Actually, if you use Windows Explorer you ARE using IE... so what might have been a general browser issue has threatened your OS.
Is that not poor security? Irresponsible?
Were it not for the EULA, it would probably be actionable in most jurisdictions...
Never by hatred has hatred been appeased, only by kindness - the Buddha
That last WMP7 patch had the same language, and turned out to offer nothing new except DRM.
Well, it goes like this: MS produces software of all kinds. Later, people discover that there's a bug in a particular piece of their software. We say, "Patch it!" If MS says, "No!" then they're lazy (or greedy). Even if they just take forever to do it, same deal. Instead, if MS says, "We can't, it'll break other stuff," then MS is incompetent for writing their software in such a way that it wouldn't be patchable later.
:)
As long as MS has the domination they do, it will be more profitable for them to go lax on quality control, so that people will be forced to buy upgrades down the line that have the fixes that SHOULD have been released for free.
And yeah, we can be glad Larry Ellison doesn't have the kind of power Bill Gates does. I know I am. BG may be a megalomaniac, but LE is just a maniac.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Ha-ha ! Jealous? ;)
You can't handle the truth.
Actually for some silly unknown reason American and British boys were spilling their blood to save your country of cheese-eating surrender monkeys while your Grandmother was sucking off Gestapo officers for cigarettes and cheap wine.
Why do all xenophobic, racist idiots insist on posting as Anonymous Cowards? If you're so proud of your views that you feel the need to share them then why not let us know who you are?
You're just like the KKK - they hid behind their hoods and you hide behind the "Post Anonymously" option.
(Oh, and I find it funny that Americans indulge in France-bashing. If it wasn't for their help during the American War of Independence then it's highly unlikely that there would even be a USA as we know it. And who do you think gave the Statue of Liberty to the US as well?)
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Well, then setting up Red Hat takes even less time than with a kickstart diskette. Time: Put in disk and install CD, turn on computer, come back when it is done configuring everything.
Click here or here.
Shutting down KDE doesn't stop sshd, apache, oracle, ftpd, nfsd, or any other server from functioning. So an update to Konqueror could be done with 0 down time....
Though why you'd be using Konqueror on a critical server machine (where 0 down time was important) enough that you'd need to be updating it is another thing entirely....
Advanced users are users too!
He said, "we should be pushing for accountability". What I think he's saying is that if Microsoft refuses to open its code, then that's fine - it's their right. However, if they don't, then they should be held liable for their incompetence or maliciousness (whichever applies today).
It's an interesting concept. Personally, I think Microsoft would be better off opening the code, rather than expose themselves to that kind of liability.
would be the cost of the oil change.
Read the fine print, and the flip-side of the oil change contract.
Patching problems doesn't indicate laziness or incompetence, it indicates the acknowledgement of the problem and a willingness to fix it.
So what does not patching a problem indicate? What does not patching a problem for over two years indicate? What does leaving half of your open bugs unpatched in a big "bug fix" patch indicate?
Don't you wish your girlfriend was a geek like me?
No, I don't think that all Americans share the same views on the French (or any other topic) but I do find it annoying that none of the people who find the time to post this kind of crap on /. have the balls to post under their own accounts.
If they enjoy practising their right of free speech so much shouldn't they at least have the guts to say "these are my views, this is who I am and I make no apologies for it"?
And, for the record, I am not French. What I am is bored of (and pissed off at) having to read this kind of junk on every discussion that has any kind of non-American interests mentioned.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
> Nice, I wonder how many of those sites simply don't work
...)
> because of the VM you're using
Sorry, I must have miscommunicated. This is not on my Linux box, but on the Windows box upstairs. So, Windows is running right on the hardware, with no intervening VM. Sorry for any confusion. (If you meant the Java VM, it was the latest one available at the time, although some browsers may use their own implementation instead.)
> or some setting you've been messing with in the registry
The only settings I mess with in the registry are the ones that applications abuse to start themselves at system start time. Allowing apps to do this seriously degrades system performance. If one app does it, that app starts a bit faster, but when twelve[1] apps do it, they all start slower, because you have no RAM left. So I don't let any apps do this, especially not ones we don't use all the time. What's really annoying about misbehaved apps that put themselves in the Run keys without asking is, they invariably take measures to insert themselves into the Run keys not just on install but every time they run. When the user manually starts up an application, then it loads just as it would have at system start, had it been allowed to do so at that time.
I was personally surprised that he didn't find more sites using MS-specific code (mainly, the document.all interface), but there weren't that many (that he visited -- YMMV). Mostly he got sites in one of two categories: their HTML was obviously broken (you know, mismatched tags, misspelled tags, imaginary tags, tags missing their closing right angle bracket, required close tags missing, imaginary attributes, attributes from one tag placed on another tag that has never accepted them in any known browser, unquoted attributes containing spaces, and that sort of nonsense) or else they relied on the Plugin Of The Week (by which I mean, some plugin that is not listed on Netscape's plugin finder service and does not come with IE; the only one I remember is Shockwave (which as it turns out is produced by the same company as Flash, but less well-known), but we ran across perhaps a couple dozen different ones, all obscure).
The former type of site (HTML run through a blender) was the more common type. The Plugin Of The Week issue mostly happened when he was looking for WTC news last fall.
My mom also ran into at least one instance of bad server-side sniffing, wherein if the browser was neither NS4 nor IE, nonstandard characters were inserted in a document (in places where the other browsers got spaces, according to View Source) that didn't declare its character set. This was at Ancestry.com, but the issue went away because my mom doesn't visit that site any longer. Any email to the webmaster is answered (by a bot, apparently) with a letter explaining which browsers are supported. Funny thing is, the letter says Netscape 4 or later, but later versions are handled incorrectly.
[1] A slight exaggeration only. MSIE, AIM, the MSN IM client (and its associated spyware), and YIM all do this without even asking. Other apps (Mozilla, Netscape, OpenOffice) ask, and respect your choice, so I don't have a problem with them. But the misbehaved ones I keep in check by editing the registry, yes. There were at one time some other apps doing this (well, trying to) that I haven't listed, but they've been uninstalled now.
Cut that out, or I will ship you to Norilsk in a box.
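The post above keeps misbehaving applications out of the autostart "Run" keys by hand-editing the registry. The PowerShell script below is an added example, not code from the thread, that does the same audit in a repeatable way: it lists every entry under the standard per-user and machine-wide Run and RunOnce keys (those four paths are the well-known autostart locations, not something taken from the post) together with the command each one launches, and can remove a single entry by value name. The `-RemoveName` parameter and the listing layout are this example's own choices; the HKLM keys need an elevated prompt to modify.

```powershell
# Added example: audit and prune the registry autostart ("Run") keys.
# Lists every autostart entry with the command it launches; with
# -RemoveName it deletes that one value. Supports -WhatIf so you can
# preview a removal before committing to it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Value name to delete (e.g. the entry an IM client re-creates on every
    # start). Omit it to only list entries. Hypothetical parameter for this example.
    [string]$RemoveName
)

# The four standard autostart keys. HKLM entries apply to all users and
# require an elevated session to change; HKCU entries are per-user.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Listing: one object per autostart entry, so the output can be sorted,
# filtered or exported (Export-Csv) for a before/after comparison.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/etc. metadata; skip those.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $key
                Name    = $_.Name
                Command = $_.Value
            }
        }
}

# Removal: delete the named value wherever it appears. ShouldProcess makes
# -WhatIf / -Confirm work, so a typo in the name cannot silently remove
# something else.
if ($RemoveName) {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $names = (Get-Item -Path $key).GetValueNames()
        if ($names -contains $RemoveName) {
            if ($PSCmdlet.ShouldProcess("$key\$RemoveName", 'Remove autostart entry')) {
                Remove-ItemProperty -Path $key -Name $RemoveName
            }
        }
    }
}
```

Save it as, say, `Audit-RunKeys.ps1`, run it once with no arguments to get the inventory, then `.\Audit-RunKeys.ps1 -RemoveName 'SomeUpdater' -WhatIf` to preview a removal before dropping `-WhatIf`. Because the listing emits objects rather than text, piping the first run through `Export-Csv` gives you a baseline to diff against later, which is the easiest way to spot an application that re-inserts itself on every launch as the post describes.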