Slashdot Mirror


Another Critical Microsoft Hole

gmuslera writes "It wasn't enough that the recent vulnerability in IE can run any program on an unpatched Windows system. Now there is another, related to an ActiveX control, that can make IE and IIS run any code on the system. The Microsoft solution? Kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft-signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here: Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

597 comments
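The signed-downgrade problem the story describes, as an added illustration in Python (not code from Microsoft, from the bulletin, or from anyone in this thread). It models an Authenticode-style install decision on a host that has already taken the hotfix: the naive policy installs anything whose signature verifies under a publisher on the "always trust" list, so a hostile page can re-offer the old, vulnerable build of the control and its signature still checks out; the hardened policy also consults a per-CLSID kill bit, a version floor recorded by the patch, and the installed version. The signatures are stand-ins (an HMAC over CLSID, version and binary hash under a per-publisher key, rather than an X.509 certificate and RSA), and the CLSID, version numbers, publisher key and "binaries" are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a publisher's signing key. Real Authenticode uses an
# X.509 certificate and RSA; an HMAC keeps the example self-contained.
PUBLISHER_KEYS = {"Microsoft Corporation": b"example-publisher-key-not-real"}


def _signed_message(clsid, version, payload):
    """What the publisher actually signs: CLSID, version and the hash of the binary."""
    return f"{clsid}|{'.'.join(map(str, version))}|".encode() + hashlib.sha256(payload).digest()


@dataclass(frozen=True)
class SignedControl:
    clsid: str        # hypothetical CLSID; not the one from the bulletin
    publisher: str
    version: tuple    # (major, minor, build)
    payload: bytes    # stands in for the control's binary
    signature: bytes


def sign_control(clsid, publisher, version, payload):
    sig = hmac.new(PUBLISHER_KEYS[publisher], _signed_message(clsid, version, payload), "sha256").digest()
    return SignedControl(clsid, publisher, version, payload, sig)


def signature_valid(ctrl):
    key = PUBLISHER_KEYS.get(ctrl.publisher)
    if key is None:
        return False
    expected = hmac.new(key, _signed_message(ctrl.clsid, ctrl.version, ctrl.payload), "sha256").digest()
    return hmac.compare_digest(expected, ctrl.signature)


@dataclass
class Host:
    trusted_publishers: set                           # the "always trust content from ..." list
    installed: dict = field(default_factory=dict)     # clsid -> installed version
    kill_bits: set = field(default_factory=set)       # clsids that must never be loaded
    min_versions: dict = field(default_factory=dict)  # clsid -> lowest version a patch declared safe


def naive_policy(host, ctrl):
    """Install anything validly signed by a trusted publisher. This is the policy the
    bulletin's workaround is fighting: the signature on the old build never stops verifying."""
    return signature_valid(ctrl) and ctrl.publisher in host.trusted_publishers


def hardened_policy(host, ctrl):
    """A signature proves origin, not safety. Also refuse kill-bitted CLSIDs, versions
    below the patched floor, and downgrades of what is already installed."""
    if not naive_policy(host, ctrl):
        return False
    if ctrl.clsid in host.kill_bits:
        return False
    if ctrl.version < host.min_versions.get(ctrl.clsid, (0, 0, 0)):
        return False
    if ctrl.version < host.installed.get(ctrl.clsid, (0, 0, 0)):
        return False
    return True


def offer(host, ctrl, policy):
    """A web page offers a control; install it if the policy accepts. Returns True on install."""
    if policy(host, ctrl):
        host.installed[ctrl.clsid] = ctrl.version
        return True
    return False


def scenario(policy, trust_publisher=True):
    """A patched host is re-offered the old, still validly signed build.
    Returns the version left installed afterwards."""
    clsid = "{00000000-0000-0000-0000-000000000000}"   # made up
    publisher = "Microsoft Corporation"
    host = Host(trusted_publishers={publisher} if trust_publisher else set())
    old = sign_control(clsid, publisher, (2, 5, 0), b"vulnerable build")
    new = sign_control(clsid, publisher, (2, 7, 0), b"fixed build")
    # The hotfix installs the fixed build and records that nothing older is safe.
    host.installed[clsid] = new.version
    host.min_versions[clsid] = new.version
    # A hostile page or HTML mail re-offers the old build. Its signature still verifies.
    offer(host, old, policy)
    return host.installed[clsid]


if __name__ == "__main__":
    print("naive policy, publisher trusted:     ", scenario(naive_policy))
    print("naive policy, publisher not trusted: ", scenario(naive_policy, trust_publisher=False))
    print("hardened policy, publisher trusted:  ", scenario(hardened_policy))
```

Under the naive policy the host ends up back on the vulnerable 2.5.0 build; removing the publisher from the trusted list (the bulletin's workaround) stops the silent install only because the user now gets prompted, while the hardened policy refuses the downgrade regardless of who is on the list. The point to carry away is that a code signature answers "who built this", and a trust decision also needs "is this particular build still acceptable", which is what kill bits and version floors supply.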

  1. Aaahhhh! by SledgeHBK · · Score: 4, Funny

    "can make IE and IIS to run any code in the system"

    Noooooo!

    Minesweeper WON'T stop coming up!

    --This girl at the library the other day

    1. Re:Aaahhhh! by andrew_0812 · · Score: 5, Funny

      Wait a minute. You mean I can't trust Microsoft?

    2. Re:Aaahhhh! by GnomeKing · · Score: 1

      Minesweeper WON'T stop coming up!

      Perfect!!!!

      I now have an excuse that I can use when my boss finds me playing it!

    3. Re:Aaahhhh! by Dinosaur+Neil · · Score: 4, Funny

      That depends. According to their bulletin, you can't trust MS. But the bulletin came from MS, so you can't trust the bulletin. So you can trust MS. Which means you can't trust them which...

      Ah, the classic "I am lying" paradox...

      --
      "I'm a scientist! I don't think, I observe!" - Dr. Clayton Forrester
    4. Re:Aaahhhh! by Anonymous Coward · · Score: 0

      What's worse is that Microsoft told me I can't trust them. I already knew they were lying, though, so I did just the opposite of what they told me to!

    5. Re:Aaahhhh! by Anonymous Coward · · Score: 0

      Don't say BS. Where does the bulletin say that user can't trust MS?

    6. Re:Aaahhhh! by Anonymous Coward · · Score: 0

      INDUSTRIAL-TECHNOLOGICAL SOCIETY CANNOT BE REFORMED
      111. The foregoing principles help to show how hopelessly difficult it would be to reform the industrial system in such a way as to prevent it from progressively narrowing our sphere of freedom. There has been a consistent tendency, going back at least to the Industrial Revolution for technology to strengthen the system at a high cost in individual freedom and local autonomy. Hence any change designed to protect freedom from technology would be contrary to a fundamental trend in the development of our society. Consequently, such a change either would be a transitory one -- soon swamped by the tide of history -- or, if large enough to be permanent would alter the nature of our whole society. This by the first and second principles. Moreover, since society would be altered in a way that could not be predicted in advance (third principle) there would be great risk. Changes large enough to make a lasting difference in favor of freedom would not be initiated because it would be realized that they would gravely disrupt the system. So any attempts at reform would be too timid to be effective. Even if changes large enough to make a lasting difference were initiated, they would be retracted when their disruptive effects became apparent. Thus, permanent changes in favor of freedom could be brought about only by persons prepared to accept radical, dangerous and unpredictable alteration of the entire system. In other words, by revolutionaries, not reformers.

      112. People anxious to rescue freedom without sacrificing the supposed benefits of technology will suggest naive schemes for some new form of society that would reconcile freedom with technology. Apart from the fact that people who make suggestions seldom propose any practical means by which the new form of society could be set up in the first place, it follows from the fourth principle that even if the new form of society could be once established, it either would collapse or would give results very different from those expected.

      113. So even on very general grounds it seems highly improbable that any way of changing society could be found that would reconcile freedom with modern technology. In the next few sections we will give more specific reasons for concluding that freedom and technological progress are incompatible.

    7. Re:Aaahhhh! by rastos1 · · Score: 1
      > recent vulnerability in IE that can run any program in an unpatched windows system.

      Perhaps it's just my bad English, but ... you mean ... ANY ??? .. you mean ... I can just throw away this debugger thingy and let IE fix that damn bug for me?

  2. Re:He's right about the fonts by Rebel+Patriot · · Score: 5, Funny

    Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)

    --
    Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
  3. Sound Advice by stevens · · Score: 3, Funny

    ``Don't trust Microsoft'' is just a good security principle in general. Finally they realize it. :-)

    1. Re:Sound Advice by nougatmachine · · Score: 5, Funny

      I removed Microsoft from my "trusted publishers" list a long time ago ; )

    2. Re:Sound Advice by ichimunki · · Score: 3, Interesting

      Let's hope the US Government gets it. There is cause for concern (article titled "Microsoft seeks government partnership").

      --
      I do not have a signature
    3. Re:Sound Advice by FatRatBastard · · Score: 1

      They should move everything over to FreeBSD since they like it so much.

      Amazing how their own internal whitepaper points out that a Unix based system is simple, easy to administer, secure, modular, and can be bloat free.

    4. Re:Sound Advice by RyoSaeba · · Score: 5, Funny

      Well yes, but now you run into the horrible paradoxical loop!!
      Suppose MS says that they shouldn't be trusted. Assume you think it's right, so you don't trust 'em, so you believe THAT sentence is false! Therefore MS should be trusted. So of course you must trust 'em, and believe they shouldn't be trusted... And so on & on!
      Finally their claim is just another way to make your system / brain crash due to stack overflow...

      --
      Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
    5. Re:Sound Advice by Violet+Null · · Score: 3, Insightful

      "shouldn't be trusted" != "lies all the time"

    6. Re:Sound Advice by dead+sun · · Score: 3, Insightful

      Trusted publishers list? That thing's empty. I don't trust anybody to decide what should be on my system besides me.

      --
      If not now, when?
    7. Re:Sound Advice by morgajel · · Score: 2

      wonder if microsoft will mention this to the japanese when they're evaluating OSS? :)

      --
      Looking for Book Reviews? Check out Literary Escapism.
    8. Re:Sound Advice by llamafresh · · Score: 1

      OK, so this happens a year from now, let's say:

      MS: OK, we think we have this ActiveX stuff fixed. Really. This time for sure. You can trust us now.
      user: I don't think so. You told us you couldn't be trusted. Back in November 2002 if I'm correct.
      MS: Oh yeah...
      user: Go away.

      Microsoft learning the hard way that it takes many good experiences to build trust and just one bad experience to break it.

      --
      I couldn't find a long little dogie, so I got two short ones and spliced 'em...
    9. Re:Sound Advice by Anonymous Coward · · Score: 0

      "I may be lying" is not equivalent to "I am lying."

    10. Re:Sound Advice by stinky+wizzleteats · · Score: 1

      Damn. Succinct, on point, and devastating. That may be the best /. comment I've seen this year.

    11. Re:Sound Advice by DarrylM · · Score: 5, Funny

      Ahh, It's all coming clear... Microsoft is using A.L.I.C.E. now!

      Microsoft1: All things you need to trust are from Microsoft.
      Microsoft2: But all things are not always me need to trust are from Microsoft.
      Microsoft1: Umm. But all things are not always are not always you need to trust are from Microsoft.
      Microsoft2: Interesting. But all things are not always are not always are not always me need to trust are from Microsoft.
      Microsoft1: Interesting. But all things are not always are not always are not always are not always you need to trust are from Microsoft.
      Microsoft2: Huh. But all things are not always are not always are not always are not always are not always me need to trust are from Microsoft.
      Microsoft1: Huh. But all things are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
      Microsoft2: Umm. But all things are not always are not always are not always are not always are not always are not always are not always me need to trust are from Microsoft.
      Microsoft1: And. But all things are not always are not always are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.

      etc.

      :-)

    12. Re:Sound Advice by Anonymous+Custard · · Score: 2, Flamebait

      Let's hope the US Government gets it. ..."Microsoft seeks government partnership"

      If, like me, you're not pleased with the current (and soon to be republican dominated) government, you might want to do this: Encourage the government to join up with MS for a two-year contract, and make it a very visible decision. Then, furtively encourage hackers to fsck with all the new security holes in the governmental systems, in ways that do not directly hurt anyone but cause public outrage by privacy breaches, scandal exposures, and whatever else. Then, when elections come around, everyone will vote the republicans out, we can all get the new government to switch away from MS, and all will be fine in the world of tech and politics. :-)

    13. Re:Sound Advice by ninewands · · Score: 2
      Quoth the poster:
      "shouldn't be trusted" != "lies all the time"

      This is true and makes the situation all the more problematic. If the two were equivalent we'd know not to EVER believe them. It is not, so, sadly, we don't know when they are or are not lying.
    14. Re:Sound Advice by revery · · Score: 1

      So basically, pretend to support something that you know will introduce serious vulnerabilities into government infrastructure, then trust crackers and foreign governments to only play fun and playful jokes just to get everyone riled up. Then, when those in charge are called on the carpet for implementing something that you supported, you can get those you really support voted into office. HA HA HA HA HA. That is funny. Too bad you don't have any morals.

    15. Re:Sound Advice by cheezedawg · · Score: 2

      Who do you trust? Linux?

      --
      "The defense of freedom requires the advance of freedom" - George W Bush
    16. Re:Sound Advice by Anonymous Coward · · Score: 0
    17. Re:Sound Advice by jez9999 · · Score: 1

      What makes you think that your 'new government' (read: Democrats) will be any better?

    18. Re:Sound Advice by 1010011010 · · Score: 2


      Do something like this in a logon script:

      Set WshShell = CreateObject("WScript.Shell")
      ' Delete the per-user Trusted Publishers list and recreate it empty
      WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\"
      WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\", ""

      ... and it will flush that list on every login. Your users will click the "always trust" box. This will undo the damage.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    19. Re:Sound Advice by Anonymous+Custard · · Score: 1

      Too bad you don't have any morals

      (going a little off-topic, sorry)

      Starting a war in order to gain control of middle eastern oil production, and to finish a family feud (or voting for those who would), does indicate a lack of morals. Making a joke on slashdot doesn't.

    20. Re:Sound Advice by revery · · Score: 1

      Even further off topic....

      I agree. You just left yourself too darn open to pass up.

      Translation: Apparently I am lacking in the moral department as well.

    21. Re:Sound Advice by Anonymous+Custard · · Score: 1

      What makes you think that your 'new government' (read: Democrats) will be any better?

      (sorry this is going off topic, I won't reply again unless it's about the new MS security hole)

      The main thing that would be better (although it may be too late in 2-6 years) is that democratic presidents have tended to appoint federal judges that are more in line with my political and social views than republican-appointed judges. Several supreme court justices are reaching the age of retirement. I'm frightened that president bush will try to appoint supreme court justices who would want to repeal roe vs. wade, and would give bogus "because i said so" judicial opinions when they do. A republican dominated congress would likely pass the republican president's nominations, and I'd be stuck with a highly conservative supreme court for 30 or more years, no matter how many non-republican presidents are elected over those three decades, since supreme court justices are given lifetime appointments.

    22. Re:Sound Advice by SHiFTY1000 · · Score: 1

      Why don't you download me?

    23. Re:Sound Advice by Xerithane · · Score: 2

      Who do you trust? Linux? [yahoo.com]
      That's a bad troll. Both on your part and on Yahoo's part. This has already been discussed at length, and while a number of different software packages and operating systems have a higher number of CERT advisories combined than Microsoft, Microsoft is still less secure.

      That article says this: Microsoft Products have fewer CERT advisories than Linux and Open Source combined.

      Well.. Open Source: FreeBSD, OpenBSD, Linux, Gnome, Mozilla, KDE, BIND, Sendmail, etc. What does Microsoft have that CERT would report on: IIS, Operating System, and IE.

      Not only that, but just counting the number of vulnerabilities reported on CERT is like counting the number of times you have cut yourself and saying that you bleed more than your friend who has cut himself half as much as you, but one time lost half his blood in one cut.

      --
      Dacels Jewelers can't be trusted.
  4. Microsoft ActiveX Controls? by og_sh0x · · Score: 3, Insightful

    Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"

    1. Re:Microsoft ActiveX Controls? by Vengeance_au · · Score: 1
      Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"
      ... I wonder if the DOJ had this clicked during the antitrust hearing?
  5. why? by el_mex · · Score: 1, Interesting
    Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

    It's getting tiring to see all this sarcasm, like open source is so free of bugs or something...

    1. Re:why? by Anonymous Coward · · Score: 3, Insightful

      Slashdot reports on pretty much anything security related. Besides, this is not a little problem; it's something that is pretty damn serious if you ask me.

    2. Re:why? by jandrese · · Score: 5, Informative

      Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.

      --

      I read the internet for the articles.
    3. Re:why? by NecroPuppy · · Score: 5, Interesting

      Because there are still quite a few of us
      who still use Windows...

      I've got half a dozen software packages that
      are currently only available for Windows or
      Mac, and as I don't like Macs, I'm stuck
      with Windows for the time being.

      This kind of story is "News for Nerds", and
      as such, is, IMO, much more valid a story than
      most that get posted here.

      And as far as the Open Source comment; yes,
      Open Source systems have bugs. However, I
      don't know of a single one that will have a
      website pop-up ask you to download a major
      security hole under the name of trusted
      computing.

      Do you?

      --
      I like you, Stuart. You're not like everyone else, here, at Slashdot.
    4. Re:why? by netsharc · · Score: 3, Interesting

      Probably because a lot of us are sysadmins with companies stuck with Windows, and with this sort of news, we can take steps to protect our computer systems from MS-induced death, including convincing the PHBs to switch to Linux. ;-)

      Also, Windows is more popular, so this sort of thing affects more people, especially clueless ones, the ones we need to educate to switch to Opera (ohokay, Mozilla then)

      --
      What time is it/will be over there? Check with my iPhone app!
    5. Re:why? by Anonymous Coward · · Score: 0

      Open source (Linux and Linux Apps in particular) is probably more buggy in my opinion. Especially anything that uses X. At least the M$ windowing system doesn't crap out constantly.

      The difference is it's not more insecure primarily due to the deny by default theory used with most distros. If we'd get ACLs in place and use them and they were tightly integrated to make them decently easy to use it would get even better.

      The reason people bash M$ so much in this case is because they've got an insecure system and they have a horrible attitude toward fixes and security in general. What kind of fix is "Don't trust us."?

    6. Re:why? by GnomeKing · · Score: 5, Informative

      Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

      I guess the same reason that...
      Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3
      Trojan Found in libpcap and tcpdump
      Bind 4 and 8 Vulnerabilities
      and
      Vulnerability In Linksys Cable/DSL Router

      were posted?

      i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widely used" system

    7. Re:why? by kir · · Score: 3

      . . .or is it because we're always trying to make windows look bad??

      You know, I don't think that's fair. The slashdot community dogs out everything they think is controlled by 'the man'. Just look at how much BIND and sendmail get bashed. Granted, these things have proven to be significantly less problematic.

      --
      3cx.org - A truly bad website.
    8. Re:why? by Anonymous Coward · · Score: 0

      "like open source is so free of bugs or something"

      I have yet to see two root holes in Mozilla during a one week period.

    9. Re:why? by gosand · · Score: 5, Insightful
      Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

      1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.

      2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?

      --

      My beliefs do not require that you agree with them.

    10. Re:why? by _bug_ · · Score: 5, Informative

      Because in a recent /. story there is reference to a recent /. poll which shows 47% of those who responded still use a Windows operating system.

      Nearly half of /. users use Windows.

      This would seem to validate the need to have stories about Microsoft software bugs, especially those as grievous as this, on /.

    11. Re:why? by pooh666 · · Score: 3, Funny

      Current Microsoft story on CNN Tech news:
      "Microsoft innovates"

      With a nice little sponsered by, Microsoft icon right under the headline. That is why..

    12. Re:why? by kalidasa · · Score: 2

      It's getting tiring to see all this sarcasm, like open source is so free of bugs or something.

      Sarcasm directed at success can be quite healthy for those who wish to motivate themselves to compete against and surpass that success - and to make sure that they do not repeat the mistakes of that success.

    13. Re:why? by Jucius+Maximus · · Score: 2
      "Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?"

      It's because a lot of slashdot users (47%) still use windows.

    14. Re:why? by pwtrash · · Score: 4, Insightful
      This is not just a security breach. In their tech bulletin, MS advises users to completely eliminate downloadable ActiveX controls. If you recall, ActiveX was their strategy for dynamic web content. In other words, their suggested solution for dealing with this problem is to completely refute their own strategy. True, they have .NET as a replacement, but it is not quite cooked nor is it accepted publicly.

      Were the public to follow their suggestion, this would be a big deal. They would basically have deprecated ActiveX controls as a dynamic content strategy (you can use what you have, but you won't get any more). You could argue that this has been done for them over the last year or so, but this is the first time I've seen them admit it.

      However you look at it, having a bug that causes even a temporary strategy change is big news, regardless of how you feel about MS.

    15. Re:why? by IPFreely · · Score: 1
      Most of the people here on slashdot have already figured out that "Most people here on slashdot are always trying to make windows look bad".

      You seem to be a little slow on the uptake....

      Or maybe you already knew that and this was just a rhetorical question. How many times is a rhetorical question relevant before it becomes redundant?

      --
      There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
    16. Re:why? by el_mex · · Score: 1
      Well, like someone else in the /. apache section said... "Apache bugs never make the front page"

      Some people here have waaaay too much anger towards MS

    17. Re:why? by Jaysyn · · Score: 1

      Just wondering, why can't you run Quake under Linux/*BSD/WhateverYouUse. I ask this because I'm a total Linux idiot, and even I can get it working.

      Jaysyn

      --
      There is a war going on for your mind.
    18. Re:why? by Kierthos · · Score: 2, Interesting

      Some of column A and some of column B.

      Okay, let's face it. The average /. reader (which is different from the average /. poster), when reading from work, is probably using a Windows box. Sure, in certain fields, the likelihood of a /. reader not using a Windows box rises dramatically, but let's stick with the "common perception".

      And in that "common perception", Windows has one hell of a large chunk of market share. No amount of /. posting on the sheer wonders of "insert your distro here" brand of Linux is going to change that overnight. Therefore, news about yet another "gaping hole" in Windows, especially in the "browser that cannot be separated", is going to be news.

      Also, who doesn't like seeing the big dog getting taken down a peg? It's "American" nature to root for the underdog, and that means wishing all kinds of nasty things to happen to the big dog. It just so happens that Microsoft does so many things to shoot themselves in the foot, or at least wing themselves, according to the editors here.

      And no, Open Source is not free of bugs. But you know what? It sure seems to have a damn sight less, and they seem to get fixed faster.

      Kierthos

      --
      Mr. Hu is not a ninja.
    19. Re:why? by TrancePhreak · · Score: 0

      Let's all root for the under dog so that the economy of Washington goes down...... Sorry, don't think I'll bite on that one.

      --

      -]Phreak Out[-
    20. Re:why? by Archie+Steel · · Score: 3, Insightful

      It's not about anger, it's about vigilance and fairness. I may run Linux, but - like many here I imagine - I'm also the de facto Windows Support guy for family members and non-technical friends. So I want/need to stay informed of severe Microsoft vulnerabilities.

      To tell you the truth, it's been a while since I've no longer needed stories such as these to convince me that Linux is more secure than Windows...there's no "anger" left (I don't think there ever was - outrage and disdain, yes, but no anger), just a desire to be informed so that I can better protect my windows-using loved ones...

      --

      Reminder: find a new sig
    21. Re:why? by christopherfinke · · Score: 3, Interesting
      The average /. reader [...] is probably using a Windows box.
      I, an average Slashdot reader (methinks), can trace my maturation through the versions of DOS or Windows that I was using. The earliest I remember is MS-DOS 3.0, but I may be wrong. I came through Win3.1, 95, 98, and now I have XP. I love working with computers, and I hold a strong interest in Linux, OSS, and all that other good stuff. The thing is, I don't have the time to implement Linux, nor the patience to learn it right now. So, in the meantime, I like to know about all the bugs in Windows so that my system (and my extended family's systems, for that matter) can be as secure and reliable as possible. It's a good thing.
    22. Re:why? by Anonymous Coward · · Score: 0

      While I agree with you that pressure needs to be applied to MS to do their job, the reality is that MS is fundamentally flawed from a security POV. Their own executives admit as well. Truthfully, simply getting MS to do the "right thing" will yield nothing in the end as MS will still allow unsecured stuff to get by all the time. It is in their nature.

    23. Re:why? by SEWilco · · Score: 2, Informative
      Well, like someone else in the /. apache section said... "Apache bugs never make the front page"

      Didn't I recently see on the front page an article about unpatched Apache servers? Wasn't this Apache OpenSSL Worm article on the front page last month?

    24. Re:why? by gosand · · Score: 2
      Just wondering, why can't you run Quake under Linux/*BSD/WhateverYouUse. I ask this because I'm a total Linux idiot, and even I can get it working.

      Cause I am lazy. :-)

      Seriously, because I haven't been able to get my scroll mouse to work under Redhat 7.3. I have tried to get imwheel to work, but it just doesn't. I need my wheel when I play Quake (I play the old Team Fortress, not that fancy-pants new one). I have a zoom cfg file that uses the wheel mouse to variable zoom. Quite handy.

      Ahh, what the heck - here is where you can get my my zoom cfg file...
      SuperflyTNT's Quake Page

      --

      My beliefs do not require that you agree with them.

    25. Re:why? by walt-sjc · · Score: 2

      Agree, but you only had one little error. In this particular flaw, you don't get a pop-up. It downloads automatically and silently. You have no idea that you have been penetrated.

      Hmm. Reading the above sentence, I just KNOW some karma whore is gonna make some comment about "penetration" and "MS"... Sigh.

    26. Re:why? by Anonymous Coward · · Score: 0

      While this may be true in general it is wrong here. Microsoft fixed it before it was made public. I had the patch installed before it made it to both heise and /.
      I actually believe they take their TWC seriously and you have to give them a little time. They do not have any experience in this field ;)

    27. Re:why? by Anonymous Coward · · Score: 0

      microsoft allows cyber-rape.

    28. Re:why? by david.johns · · Score: 1

      Less than half? Interesting. The numbers for the rest of the world are astonishingly different.

    29. Re:why? by trumpetplayer · · Score: 1

      Isn't that a virus by definition?

    30. Re:why? by Jaysyn · · Score: 1

      Good reason, I'm a UT guy myself....

      Jaysyn

      --
      There is a war going on for your mind.
    31. Re:why? by Anonymous Coward · · Score: 0

      No. It is a bug. See this

    32. Re:why? by Cro+Magnon · · Score: 2
      Nearly half of /. users use Windows.


      see my sig. :)

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    33. Re:why? by caluml · · Score: 2

      The thing is, I don't have the time to implement Linux,

      What do you mean, implement it?!! It virtually installs itself! Head off to some mirror, and burn some Redhat 8.0 ISOs to CD, and stop using lame excuses.

    34. Re:why? by gosand · · Score: 2

      I like UT for all out fragging, but I really like the old Team Fortress for the gameplay. Half-life was OK for this too, but it seems a little refined for my tastes. Kind of like driving a new sports car vs an older one - the older ones have a certain raw charm about them. Plus, I like the modding that has been done for TF, and I even created my own map. Fun stuff.

      --

      My beliefs do not require that you agree with them.

    35. Re:why? by spitzak · · Score: 2
      It's fun to see MicroSoft make a mistake, but there are serious implications behind this, that would apply to Linux or any other system, and brings into question some new ideas.

      The basic idea of signing code sounds quite good until you look at it deeper. There is no guarantee that signed==good. This is an excellent example where the signed one is actually worse. Now imagine if palladium was in there, refusing to accept a patch, or cheerfully undoing any attempt to fix the system, with NO way to fix it (you would no longer be able to say "I don't trust MicroSoft").

      If you think only MicroSoft makes such mistakes, I seem to remember there was a design error in the new Linux capabilities where it was possible to throw away the capability of *changing* your capabilities. If a bug happened to throw this away, and then your program tried to drop capabilities (and then ignored the error return, because that would be assumed to work always) and then execute untrusted code, the code would execute at full capabilities! Suddenly a system being advertised as a big improvement in security has turned into a worse liability!

      I'm afraid that there are a lot of problems like this that are going to bite people. When you start to work on security you better know exactly what you are doing and plan ahead, and write a lot of real applications, and assume that there could be a mistake *anywhere*.
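The failure mode spitzak describes above (a privilege drop that fails, an error return that is ignored, and untrusted code that then runs with full privileges), as an added Python example that is not part of the post. It uses a uid/gid drop as the stand-in for a capability drop; the same discipline applies to capset(2) or any other privilege-reducing call. `FakeKernel` is a constructed model of the process credentials with a switch that makes the drop fail the way it would if the ability to change ids had already been discarded; the real-process path just hands the `os` module in its place. `drop_privileges` both checks the return of every step and reads the ids back afterwards, so the untrusted payload never runs unless the drop is confirmed.

```python
import os


class PrivilegeDropError(RuntimeError):
    """Raised when a privilege drop fails or cannot be confirmed."""


def drop_privileges(uid, gid, kernel=os):
    """Drop to uid/gid, checking every step and reading the ids back afterwards.
    `kernel` is anything exposing setgid/setuid/getuid/geteuid/getgid/getegid:
    the os module for real use, a FakeKernel below for the demonstration."""
    try:
        kernel.setgid(gid)   # group first: once the uid is unprivileged, setgid would fail
        kernel.setuid(uid)
    except OSError as exc:
        raise PrivilegeDropError(f"could not drop privileges: {exc}") from exc
    # Do not trust the calls alone: confirm the process really is what we asked for.
    if (kernel.getuid(), kernel.geteuid()) != (uid, uid):
        raise PrivilegeDropError("uid did not change")
    if (kernel.getgid(), kernel.getegid()) != (gid, gid):
        raise PrivilegeDropError("gid did not change")


def run_untrusted_naive(payload, uid, gid, kernel=os):
    """The pattern the post describes: try the drop, ignore the error, run the payload anyway."""
    try:
        kernel.setgid(gid)
        kernel.setuid(uid)
    except OSError:
        pass
    return payload(kernel)


def run_untrusted_checked(payload, uid, gid, kernel=os):
    """Same, but the payload never runs unless the drop is confirmed."""
    drop_privileges(uid, gid, kernel)
    return payload(kernel)


class FakeKernel:
    """Constructed stand-in for process credentials. `drop_allowed=False` makes the
    drop fail the way it would if the capability to change ids had been discarded."""

    def __init__(self, uid=0, gid=0, drop_allowed=True):
        self.uid = self.euid = uid
        self.gid = self.egid = gid
        self.drop_allowed = drop_allowed

    def setuid(self, uid):
        if not self.drop_allowed and uid != self.euid:
            raise PermissionError("setuid: Operation not permitted")
        self.uid = self.euid = uid

    def setgid(self, gid):
        if not self.drop_allowed and gid != self.egid:
            raise PermissionError("setgid: Operation not permitted")
        self.gid = self.egid = gid

    def getuid(self):
        return self.uid

    def geteuid(self):
        return self.euid

    def getgid(self):
        return self.gid

    def getegid(self):
        return self.egid


def untrusted_payload(kernel):
    """Stands in for untrusted code: reports the effective uid it ended up running with."""
    return kernel.geteuid()


def demo(uid=65534, gid=65534):
    """Run both patterns against a root process whose drop works and one whose drop fails."""
    results = {}
    results["naive, drop works"] = run_untrusted_naive(untrusted_payload, uid, gid, FakeKernel())
    results["naive, drop fails"] = run_untrusted_naive(untrusted_payload, uid, gid, FakeKernel(drop_allowed=False))
    results["checked, drop works"] = run_untrusted_checked(untrusted_payload, uid, gid, FakeKernel())
    try:
        results["checked, drop fails"] = run_untrusted_checked(untrusted_payload, uid, gid, FakeKernel(drop_allowed=False))
    except PrivilegeDropError as exc:
        results["checked, drop fails"] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

With the drop sabotaged, the naive version reports the payload running with euid 0, which is exactly the "full capabilities" outcome the post warns about; the checked version refuses to run it at all. The read-back after the drop matters on its own: a call that returns success is not the same as the process actually holding the reduced identity, and verifying it costs a few syscalls.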

    36. Re:why? by Skater · · Score: 1

      How do you know the readers are idiots? The only ones you can see are the ones that actually post messages.

    37. Re:why? by Jaysyn · · Score: 1

      If you never play any other UT Umod, you've got to at least check this one out.

      http://www.planetunreal.com/u4e/

      Jaysyn

      --
      There is a war going on for your mind.
    38. Re:why? by PhrackCreak · · Score: 1
      1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work...


      Not anymore. You've been fired for reading slashdot on work time.

      - Your boss
      --
      - You don't know how to maintain a station wagon either!
    39. Re:why? by christopherfinke · · Score: 1
      Head off to some mirror, and burn some Redhat 8.0 ISOs to CD.
      The university that I am attending has a 300MB download limit per week. At that rate, it would take about a month and a half to download... I saw a website once that sold Linux distros on CD-Rs for the approximate price of shipping. Does anyone have that address handy?

      Also, is there a way to install Redhat dual-boot with XP without uninstalling XP first? I don't just have an extra PC sitting around.

      It's mainly been these things that have been keeping me from diving into Linux just yet, but I'd like to start. I just can't seem to find a site to stay up to date on all the latest Linux news. :-)
    40. Re:why? by rat7307 · · Score: 2

      At home, on the other hand, I only boot up the Windows machine if I need a Quake fix

      If you'd bothered to look, id has had a Linux binary for Q1, 2 & 3 for ages.
      Also Return to Castle Wolfenstein.

      The 'no games run on linux' argument is dead.

      If only a few more games houses would follow id's example...

      Total Annihilation on linux would make me happy....

      --
      Burma?
    41. Re:why? by Zorton · · Score: 1

      Check out this site, it should do what you want.

      As far as installing Redhat dual boot, I'm pretty sure you will have to reformat your drive. However, there are tools that can shrink your partitions without destroying all the data. Partition Magic by powertech comes to mind, but there may be freeware utilities available as well. Check out This HOWTO for a little more information. I would also encourage you to look around metalab and read as many of the docs available for your particular choice of Linux/BSD before you attempt to install. Good luck if you decide to do it.

      Justin

    42. Re:why? by ColaMan · · Score: 1

      If you'd bothered to look, id has had a Linux binary for Q1, 2 & 3 for ages.
      Also Return to Castle Wolfenstein.

      The 'no games run on linux' argument is dead.

      Replaced by a 'four games run on linux' argument instead. Hardly a real improvement.

      (ducks and runs for cover)

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    43. Re:why? by Anonymous Coward · · Score: 0
      your program tried to drop capabilities (and then ignored the error return, because that would be assumed to work always)

      That about says it all. Since when is a Unix kernel supposed to protect the user from what they told it to do, much less coddle idiots who don't even care whether their code worked?

  6. This bodes well by evilpenguin · · Score: 5, Insightful

    Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

    I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.

    1. Re:This bodes well by aphor · · Score: 2

      HERE HERE! I'll drink to that! There is no such thing as implicit trust, and if you think there is, please send me a blank check. I agree not to abuse it ;)

      --
      --- Nothing clever here: move along now...
    2. Re:This bodes well by kmellis · · Score: 5, Funny
      "There is no such thing as implicit trust, and if you think there is, please send me a blank check." - aphor
      Sure, just give me your address, and it'll be on its way.
    3. Re:This bodes well by cyberkreiger · · Score: 1

      Where, where?

      You mean "Hear, hear!".

      --
      Stumbling in the dark
      I hear slavering of jaws
      Eaten by a grue.
    4. Re:This bodes well by aridhol · · Score: 1

      LOL Thanks for my new sig :)

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    5. Re:This bodes well by Anonymous Coward · · Score: 0

      Actually, just send me your account info and password, I'll deposit it and make sure it gets there. Thanks.

    6. Re:This bodes well by A.Gideon · · Score: 1

      What you're seeing is the distinction between authentication and authorization. Unfortunately, certain parties do not see the difference. Of course, these are the same parties that give us systems where the default behavior (and, in many cases, the only possible behavior) is to authorize *any* action given *any* authentication.

    7. Re:This bodes well by Tony-A · · Score: 2

      There is no such thing as implicit trust, and if you think there is, please send me a blank check.
      Trusting something does not imply trusting everything.
      A blank check. Hmmmm. Lots of ways to fill that request. You didn't say whose blank check.
      Actually, you trust most things in your environment implicitly. You trust the ground in front of your feet to be solid and not a holographic projection. You trust your drink to be more potable than rat poison. You trust the sun to come up again tomorrow morning.

    8. Re:This bodes well by aphor · · Score: 2

      If I had known it would spark a philosophical debate, I would have narrowed my definition of "trust." I'm sorry if I twisted your noodle.

      Trusting the sun to come up is a little bit^H^H^H^H^H^H^H^H^H^HSIGNIFICANTLY different than trusting Microsoft to refrain from buggering up your machine on an automated update.

      It's even further than the potable drink thing: actually ginger ale is very effective rat poison. Rats can't expel gas (belch or fart), so when they drink carbonated liquids, their distended little bellies explode.

      I'm sorry, but I have to bring an empirical distinction to bear on my definition of trust. Statisticians can calculate an alpha (α), or significance, for a particular principle if you state it as a repeatable trial: if you do this, then your result will be that. The alpha is the percentage of the time that reality will confound your hypothesis if the trial is repeated infinitely, regardless of whether you are wrong or right. Some hypotheses will have an alpha between 0.5 and 0.75. The kind of trust you put in those (if you're wise) is "suspicious." Some hypotheses have an alpha that approaches zero (0.05 is the accepted minimum practical scientific alpha). These hypotheses are trustworthy on a different level.

      --
      --- Nothing clever here: move along now...
    9. Re:This bodes well by Tony-A · · Score: 2

      Trusting the sun to come up is a little bit^H^H^H^H^H^H^H^H^H^HSIGNIFICANTLY different than trusting Microsoft to refrain from buggering up your machine on an automated update.

      Yes. The sun comes up.

  7. Typical slashdot crap by Anonymous Coward · · Score: 0

    The solution from the page linked is to install MDAC 2.7. There is no mention of removing MS from the trusted list.

    1. Re:Typical slashdot crap by compwizrd · · Score: 3, Insightful

      From the article:

      What steps could I follow to prevent the control from being silently re-introduced onto my system?

      The simplest way is to make sure you have no trusted publishers, including Microsoft.

    2. Re:Typical slashdot crap by evilpenguin · · Score: 5, Insightful

      The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.

      To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.

    3. Re:Typical slashdot crap by SirSlud · · Score: 2

      Sure there is.

      Bigger issue: if 'trusted' sources can be shown to turn out untrustable code (like the ActiveX control in this case), there isn't much use in trusting them in the first place.

      It's cute, though; 'trustworthy' computing from Microsoft involves not trusting them. I don't see how you could possibly not find that funny unless you were employed by MS.

      --
      "Old man yells at systemd"
    4. Re:Typical slashdot crap by ViVeLaMe · · Score: 1

      Yeah, but to see that, he would have had to click on the [+] thingie, yeah, the one next to Frequently Asked Questions, and that's waaaaaay too technical for a Windows user...

      --
      i had a sig, once..
    5. Re:Typical slashdot crap by _bug_ · · Score: 1

      Fine and good for those of us that take an active interest in exactly what our PCs are doing.

      But for the average family are they really going to want to see a pop-up window asking them if they trust a piece of software every time they run it?

      This is where things are heading with Palladium. Every piece of software being digitally signed and those that aren't trusted will generate some kind of pop-up asking the user's permission to run it.

      After a (not so long) while I'm sure many casual users will consider this a nuisance and simply checkmark the "Always trust software from company X".

      Then something like this happens and the validity of the system should perhaps be called into question. But how do you still protect users from trojans and virii?

    6. Re:Typical slashdot crap by abdulwahid · · Score: 1

      The solution from the page linked is to install MDAC 2.7. There is no mention of removing MS from the trusted list.

      The page linked to, MS02-065, says...

      What steps could I follow to prevent the control from being silently re-introduced onto my system?

      The simplest way is to make sure you have no trusted publishers, including Microsoft.....

      Of course, what they really mean is to only remove MS, because since the control is only signed by MS, it is only their certificate that will allow the control to be installed again maliciously.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
    7. Re:Typical slashdot crap by REBloomfield · · Score: 1

      hey look!! flamebait!!

    8. Re:Typical slashdot crap by evilpenguin · · Score: 4, Insightful

      I'll feed the troll. The issue is for users of IE, not IIS admins. Every single person who runs Internet Explorer is vulnerable. How many of those do you suppose keep up with security advisories? Even if they use the Windows Update system, how many of them do you suppose will read advisories and clear their trusted providers list?

      So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.

    9. Re:Typical slashdot crap by cscx · · Score: 2

      Which is funny, because the Slashdot article keeps citing "IIS." Maybe someone forgot to edit the "canned microsoft submission.txt" file before submitting the story.

    10. Re:Typical slashdot crap by Anonymous Coward · · Score: 0

      So I guess he didn't read the article.

    11. Re:Typical slashdot crap by cscx · · Score: 2

      No, the article is wrong... the issue is IE not IIS-related.

  8. pain by Anonymous Coward · · Score: 0

    It truly hurts me each time they put out a new patch. As I am addicted to microsoft, each patch seems to not help as much as the one before. I'm feeling like a smoker now trying to quit.

  9. Re: Another critical Microsoft hole by T1girl · · Score: 5, Funny

    Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.

    Difficult to read this post is, hmmm?

  10. i don't think by mrpuffypants · · Score: 2

    microsoft has never been a trusted partner in my mind....or on my computer

  11. Another hole..... by Anonymous Coward · · Score: 0

      Where's the Slashdot article on the whole "leaked Longhorn alpha" deal? I have 2 different releases, and it still hasn't been an article here at /.

  12. "Don't trust Microsoft" by ctid · · Score: 4, Funny

    This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.

    --
    Reality is defined by the maddest person in the room
    1. Re:"Don't trust Microsoft" by Jucius+Maximus · · Score: 2
      "This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief."

      I agree. I can't wait for the next worm or ILoveYou mass e-mail infection that spreads this. Hopefully whoever writes it will wipe "\My Documents" or perhaps the whole machine so that people will finally get the idea that responsible decisions must be made when computing, with software choices, software administration, and usage in general. There are too many people out there who STILL haven't realised that irresponsibility when using a computer has repercussions in the real world.

  13. In other news by beaviz · · Score: 1

    Microsoft's new security initiative announced that a 100% secure Operating System Platform (tm) is possible. And it's very simple too: Don't trust Microsoft. Don't buy Microsoft Products. Don't talk about Microsoft. Don't look in any direction.

    We knew that already...

  14. I Like Their Solution! by 0101000001001010 · · Score: 2, Funny

    The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft.

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

    Will Do!

    1. Re:I Like Their Solution! by Anonymous Coward · · Score: 0

      Let's see... to remove them from my trusted list I need to...

      fdisk
      Pop in my Mandrake 9.0 disk
      click next, next, yes, ok, next, ok, next, yes, install
      pop in disk 2, then disk 3
      click ok, ok, next, next, ok, finish
      Reboot
      DONE!

    2. Re:I Like Their Solution! by Anonymous Coward · · Score: 0

      The Amended Microsoft Security Bulletin MS02-065A
      Microsoft has recommendations for both dialup and broadband users to protect themselves from this vulnerability.

      For Broadband
      Unplug the cable at the back of your computer which connects to your cable modem/router/hub.

      For Dialup
      Follow the cable that runs from your modem to your computer and unplug it.

      Warning:
      You might notice some impact to your normal internet browsing experience. Use this opportunity to go outside and get some sunshine. Read a book. Meet new people. The pr0n will still be waiting for you as soon as we can figure out a way to have all people who target our software labelled as terrorists and hunted down.

  15. Microsoft Security Bulletin MS02-065 by henben · · Score: 3, Informative

    Interestingly, that page doesn't render properly in Opera 7 Beta unless you identify as MSIE - when it works fine.

    1. Re:Microsoft Security Bulletin MS02-065 by henben · · Score: 2

      Actually, the DHTML stuff is still broken, but you can at least read the page.

  16. This must be a first... by WampagingWabbits · · Score: 1

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

    ...at last we can all agree about something!

  17. More Bias by OpCode42 · · Score: 5, Insightful

    Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know that it's not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.

    *flame retardant jacket on*

    That is all.

    1. Re:More Bias by Seahawk · · Score: 5, Insightful

      Well - I see your point, and I am opposed to needless MS bashing as well! The difference between the OSS vulnerabilities and this IE one is that the OSS vulnerabilities are fixed rather easily, and Microsoft's solution to the problem (don't trust MS ActiveX controls) just won't help the average user, as he has no idea how to not trust Microsoft.

      As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!

    2. Re:More Bias by mao+che+minh · · Score: 2

      Stop stating the obvious and go away. Slashdotters don't need to hear this. We love our comfortable little world.

    3. Re:More Bias by warrior_on_the_edge_ · · Score: 5, Funny

      It just makes us look like insecure teenagers

      Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

    4. Re:More Bias by binaryDigit · · Score: 2

      Well, the biggest problem is the sheer number of IE users and therefore the potential impact of a security hole. A problem in, say, Samba has fairly limited exposure.

      And probably the thing that any OS proponent will gleefully point out is that the "solutions" offered by M$ are typically not very satisfying and there really isn't much you can do about it (vs switching OS's of course ;)

      I agree that there is a large amount of M$ bashing, but then what would one expect; when in Rome ....

    5. Re:More Bias by Anonymous Coward · · Score: 0

      "*flame retardant jacket on*"

      More like a flame retardant wet blanket.

    6. Re:More Bias by richie2000 · · Score: 1
      Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

      Don't bother, it was signed by Bill Gates himself twenty years ago.

      --
      Money for nothing, pix for free
    7. Re:More Bias by Anonymous Coward · · Score: 1, Informative

      If you read the article, their advice is to "make sure you have no trusted publishers, including Microsoft." Every time that you hit a website that uses an ActiveX control, you'll get a warning message.

      So they are requesting that people do what most people here recommend already - don't trust anyone.

    8. Re:More Bias by keyne9 · · Score: 3, Insightful

      Well, in my household, I will generally only update the secondary computers every month, give or take. More critical patches, I'll update immediately. I do not really consider these updates as bashing, per se, but rather a boon for me.

      I seem to remember a poll that indicated that a significant portion of the /. crowd used or otherwise had installed Windows on at least one machine. I can't see how this would be totally irrelevant.

      I can, however, see that the updates are quite one-sided. Is it, perhaps, that fewer people submit the Linux-related bugs? Or that the editors choose to publish more Microsoft-related ones? I think only they know for sure. Either way, people benefit.

    9. Re:More Bias by harks · · Score: 1

      Yes, we all know Microsoft bashing is bad, but this really is news, it's something people should know, and there are plenty of open-source security alerts published on /.

    10. Re:More Bias by xeno-cat · · Score: 2, Interesting
      This isn't just IE; it affects IIS as well, so it's relevant for both user types and admins.

      I'd have to agree with you that it gets tiring seeing the IE exploit of the week (or day) and the retreaded jokes and karma whores. But then maybe you can filter them in your preferences?

      The thing is, MS is the system that is allegedly on 90%+ of the desktops in the USA and maybe the world. They didn't get there legally and they do not take security, law, or human rights seriously. They spend millions on advertising, FUD and outright lies. So in the end I guess I don't mind suffering the constant reminders as to why I don't use any of their products. What other news source reports this stuff?

      Besides, nothing puts a smile on my face in the morning like a cup of coffee and a new MS exploit.

      Kind Regards

      --
      "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
    11. Re:More Bias by Anonymous Coward · · Score: 0
      As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!

      1. This bug only affects versions of MDAC prior to 2.7, which has been out since April.

      2. The patch for the vulnerability is out now.

      3. Anyone who automatically trusts software downloads from any company is an idiot.

    12. Re:More Bias by platypus · · Score: 5, Insightful

      Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

      Because Samba et al. use a completely different security philosophy. This shows and proves something that many people have said before, namely that MS' security philosophy based on "trust us, we know better what to do" is flawed. In the light of this news you can only laugh about popups like "Always trust content from Microsoft Corp.".

      This is also not very encouraging for MS' auto-update feature in XP, and their whole fucking ideas of stuff in their OS's downloading components from the net without asking the user.

      Note that the above is also true for other software publishers, but MS takes the spotlight for various reasons, like their omnipresence and their bullheadedness concerning these problems.

    13. Re:More Bias by Anonymous Coward · · Score: 0

      > Can we please stop all this MS bashing?

      We're yelling and bashing because the majority of all computers connected to the internet run Microsoft Windows.

      If we didn't, what would you think would happen?

    14. Re:More Bias by Tuqui · · Score: 1

      And what is your point?
      How can you decide which page is OK or not?
      Trusting ActiveX is the problem.

    15. Re:More Bias by SirSlud · · Score: 4, Interesting

      The day my bug-ridden OSS software starts silently self-installing across the web because my box was automagically set up to 'trust' the 1s and 0s, I'll stop making fun of MS.

      Until that day, I'll get my kicks from MS bashing. You've read and heard the things Ballmer & co have said about Linux (I particularly liked the "Linux is unamerican" comment, hehe) .. you can't honestly think that the Linux crowd is the only group of users that enjoys crass, glib jabs at the competition now, can you?

      So cease thy whining and either bash or don't. No need to pass judgement unless you're prepared to accept that the whole world is guilty of the behaviour you are so desperate to eschew.

      --
      "Old man yells at systemd"
    16. Re:More Bias by FortKnox · · Score: 2

      What's worse? /. bitches and moans when MS doesn't supply a patch right away (in order to test it fully), now that MS does release a patch quickly, it is full of flaws that would have been checked if they would have just tested it longer like they normally do.

      Damned if they do, damned if they don't.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    17. Re:More Bias by platypus · · Score: 3, Insightful

      This begs the question why they did implement this trust "feature" in the first place.

    18. Re:More Bias by Anonymous Coward · · Score: 0
      What other news source reports this stuff?

      WinOSCentral, NTCompatible, and too many other decent Windows sites to list.

    19. Re:More Bias by Blkdeath · · Score: 5, Insightful
      Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?
      Yes, Slashdot announced a recent KDE vulnerability, and security holes affecting a popular open-source RAW TCP stream library as well as recent BIND 4 and 8 security vulnerabilities, and the trojan'ing of a Sendmail distribution, not to mention the privacy leak in the poster-boy browser for OSS - Mozilla, and how could we forget the Linux Worm that created an "attack network"?

      Slashdot reports security vulnerabilities that affect large portions of the userbase. All of the above affect large portions of the OSS world, and IE vulnerabilities affect the vast majority of the workstation userbase (globally!). The difference between OSS and Microsoft security bulletins, however, tends to be that the OSS bulletins are generally followed up shortly after release with "... and get the patch here, here, and here, and download [updated|backported] versions from your vendor here, here, and here". Only too often do we see updates to Microsoft bulletins that read along the lines of "... and Microsoft is stonewalling [me|us] ... " or "... Microsoft has officially denounced this as invalid ... " or "... Microsoft has accepted the bug report and is working on a solution ... " (which doesn't arrive for six weeks, and does so very silently with little more than yet-another-MS-bulletin and another item in the Windows Update listing).

      The reason Slashdotters 'bash' Microsoft, especially in the face of "yet another IE/IIS critical security vulnerability", is that they're so recurring. The fact that this one happens to be digitally signed by Microsoft themselves, and that the only way to get around the vulnerability is to literally stop trusting Microsoft, makes it more than hilarious; it's downright embarrassing for them. When something embarrasses one of the Open Source world's largest nemeses, and the very giant who has its sights set on Linux (primarily) and phasers set to kill, it gives us a warm tingly feeling, and human nature dictates that when this feeling is present, "I Told You So!" is a response that gives us immense amounts of pleasure.

      Speaking of "I Told You So", I have to remember to show this one to our co-op student when he's next in. It'll make for a good practical demonstration of why I told him not to check "Always trust from ... " checkboxes within IE.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    20. Re:More Bias by Anonymous Coward · · Score: 0

      No asshole, we can't. Do you realize the scope of this bug? If you don't like it go somewhere else.

    21. Re:More Bias by wytcld · · Score: 2
      in a week where we have alerts for Samba, php, kde (libs and network) and apache

      The only Apache security alert I can find is for 1.2.26 - and 1.2.27 has been out for a while (plus some distro versions of 1.2.26 are patched against it). This alert has been out for weeks too.

      There are no alerts I can find against the current version of PHP.

      As for the KDE alert, updating Gentoo has already fixed that here. Your mileage may vary.

      The Samba alert is for something with no known exploits, and a new version of Samba was released yesterday that fixes it.

      Meanwhile tens of millions of people are using MS browsing or e-mail and opening what should be secure systems and networks to intrusion. You tell me where the problem is. I don't think it's in a bias on /. As a matter of national and corporate security, MS should not be run on any system with e-mail or browser access to the public Net.

      --
      "with their freedom lost all virtue lose" - Milton
    22. Re:More Bias by TrancePhreak · · Score: 0

      Let's not forget all the people who install a *nix distro with no password.

      --

      -]Phreak Out[-
    23. Re:More Bias by inerte · · Score: 1

      Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

      Countered by Beer-Exploit. It exposes what is inside your system using a standard talk port.

    24. Re:More Bias by RAMMS+EIN · · Score: 1

      I mostly agree that the M$ bashing that goes on on /. is rather childish. The same goes for all those comments from posters whose words basically come down to ``I hate the RIAA because they are taking away my right to pirate music''. However, this case is different, because it shows a fundamental design flaw rather than a programming bug. By all appearances it seems that MicroSoft has no way to revoke signatures on controls once issued. This means they have no way to stop others from installing the broken control on users' systems if those users have chosen to trust MicroSoft. The idea of websites installing software on my computer gives me the creeps, but this is even more scary. If I understand things correctly, it is now possible to automatically install broken but signed controls on windoze-lusers' boxen and subsequently use these controls to execute virus code, all without the user having to take any action (other than surfing the web as normal). It seems that WinXP users are not affected in this particular case (reminiscent of ``This issue has been fixed in OpenBSD 2 years ago''), but it does raise the question of how many controls are out there that _do_ affect WinXP, and if it applies only to ActiveX controls. (But doesn't M$ just call everything ActiveX these days?)

      --
      Please correct me if I got my facts wrong.
    25. Re:More Bias by Archie+Steel · · Score: 3, Informative

      It's not MS bashing, it's warning people of a dangerous bug/vulnerability so they can be better prepared to deal with it.

      Besides, what's wrong with bashing a 40-billion quasi-monopoly that dominates the OS and Office markets while doing its best to destroy the competition by spreading FUD and distributing payolas around? Vocal criticism and boycotting are the sole weapons of consumers in facing this juggernaut, and you'd want us to forfeit these as well? Are you an MS employee or shareholder? If not, then why does MS-bashing annoy you so much? In my view, MS has more than deserved all the bashing it can get!

      --

      Reminder: find a new sig
    26. Re:More Bias by xeno-cat · · Score: 1

      Too bad there is nothing else there of interest.

      --
      "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
    27. Re:More Bias by jazmataz23 · · Score: 1
      I would wager that less than 2% of us here are allowing XP to install patches willy-nilly. The only things it downloads automatically are the critical updates, and you're pretty foolish not to run those patches. I still review them before I allow it to install.

      Auto-update is for mom & pop and yes -- Microsoft, as thick as they are, know more than M&P.

      I personally sent an email out to all my less-literate friends with the info here explaining what the problem is & how to right it. They are now as wary as I am about implicitly trusting Microsoft code, and that's a good thing.

      jaz

      --
      Death to Argument by Slogan!! (This post twice-encrypted with ROT-13. Replies not using same will be ignored)
    28. Re:More Bias by tshak · · Score: 2

      This is also not very encouraging for MS' auto-update feature in XP

      I understand your point, except that in this case XP is not affected by the vulnerability so this isn't an issue.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    29. Re:More Bias by DickBreath · · Score: 2

      Can we please stop all this MS bashing?

      Yes, the adolescent bashing should stop.

      No, the news coverage should not stop. Whether you read it on Slashdot or elsewhere, this is a newsworthy item. Worthy of discussion. Microsoft's marketshare alone makes it newsworthy.

      Never mind that it is one more of many examples of Microsoft selling an inferior insecure product at an outrageously inflated price making obscene profits (see recently filed SEC Form 10-Q) used to subsidize predatory pricing in other new markets to kill competitors and gain new monopolies.

      (...we now return you back to the adolescent Microsoft bashing...)

      --

      I'll see your senator, and I'll raise you two judges.
    30. Re:More Bias by Gleep+The+Dragon · · Score: 1

      More like trying to counter the established Microsoft bias. When an IS department which has spent a gadzillion bucks on MS training and certification can't explain why their server continuously gets hacked they lie to management and blame it on a rogue employee or something. Getting the real problem out in the open makes it possible for managers to use it as ammunition for making changes.

    31. Re:More Bias by 5KVGhost · · Score: 2

      This is not an OSS vs closed-source issue. A Red Hat vulnerability is just as much of a burden on a typical desktop user as a Windows vulnerability. And how easy it is to fix any kind of software problem varies wildly with the complexity of the problem, the interest/capabilities in the support community, and ultimately the technical ability of the end user.

      MS' solution to this bug is a kluge. They either failed to consider this problem or implemented their solution poorly. Hindsight is 20/20. Either way, it looks like they (or other people using the flawed module) painted themselves into a corner.

      But don't kick back and assume that the same thing can never happen on an open source project, because I guarantee you're mistaken.

    32. Re:More Bias by throx · · Score: 2

      This is also not very encouraging for MS' auto-update feature in XP

      Why not? I don't think you read the problem here. It's not that the versions of the updates on Microsoft's site are bad, it's that 3rd parties can have the bad codebases on their own site and therefore people can download the faulty code again.

      Autoupdate in XP connects to Microsoft, not an arbitrary 3rd party. There's not the possibility of downloading the older code.

      --

      Fear: When you see B8 00 4C CD 21 and know what it means

    33. Re:More Bias by greenrd · · Score: 2
      Yeah, and will this warning message warn you that this ActiveX control could exploit a security hole?

      So my question is this, does their "solution" actually patch the security hole?

    34. Re:More Bias by Tony-A · · Score: 2

      except that in this case XP is not affected by the vulnerability so this isn't an issue.
      Rubbish.
      XP is not the only Microsoft product.
      XP is not immune to all possible vulnerabilities.
      XP has not totally and permanently disabled auto-update.
      XP being not affected by one of many vulnerabilities does not make auto-update a non-issue.

    35. Re:More Bias by Tony-A · · Score: 2

      Damned if they do, damned if they don't.
      Ah, the grasshopper is catching on. Microsoft is damned.

    36. Re:More Bias by croftj · · Score: 1

      Because it's more fun to bash microsoft than samba and the others

      --
      -- Many men would appreciate a woman's mind more if they could fondle it
    37. Re:More Bias by Anonymous Coward · · Score: 0

      Look harder -- NT Compatible has a buttload of information on how to get old games running under NT/2K/XP.

    38. Re:More Bias by platypus · · Score: 2

      Unless there's a DNS server or router compromised.

    39. Re:More Bias by Anonymous Coward · · Score: 0
      This begs the question why they did implement this trust "feature" in the first place.

      It raises the question; to beg the question is to use a circular argument.

      At any rate, the feature might conceivably be useful in an intranet environment connected to the internet; intranet computers would trust entities on the intranet, but not outside internet entities.

      -Anon

    40. Re:More Bias by Anonymous Coward · · Score: 0

      That patch will take several years to complete.

      Usually, it's secure when the program is around [insert legal adult age here] years old.

    41. Re:More Bias by throx · · Score: 2

      Then the https connection is just going to barf at you, if I remember my crypto correctly.

      --

      Fear: When you see B8 00 4C CD 21 and know what it means

    42. Re:More Bias by WNight · · Score: 2

      So why bother signing code if it's all going to come down to trusted-host security?

      What prevents someone downloading all the MS updates, making a collection of all of them with reported bugs, and then when they have a collection of software with enough holes to allow them to "root" any windows box, hacking into a few DNS servers and pointing the XP update name to them (or, if it's an IP, changing routing information) and offering people the authentically signed, broken, MS patches?

      Microsoft needs a PK-signed list of current updates, on a signed and dated page (with the ID address of the server in it) so that when you go to a page and it offers you a plugin you instead go to MS and ask for the most recent version, downloading it from the site only if MS says they're up-to-date and then carefully checking the signature.

    43. Re:More Bias by throx · · Score: 2

      First, I believe changing the IP address doesn't work if you are using SSL. Private key won't match the public key. I *think* (big assumption there) the auto-updater in XP uses SSL and if it doesn't then it's dumb.

      Second, what I really don't understand about all of this is why they didn't just increment the version number so the Windows installer program saw the reverse patching as a downgrade and refused to do it (or at least gave another one of those wonderful warnings that everyone ignores).

      Third, this isn't just a Windows problem. Many Linux distros as well as MacOS X have auto-updaters which could just as easily be fooled by a routing change unless using a combination of SSL and signing of the downloads.

      --

      Fear: When you see B8 00 4C CD 21 and know what it means

    44. Re:More Bias by WNight · · Score: 2

      Couldn't you just not do an SSL site, and thus not offer a signature at all? Or would the updater require it? Ideally it would, but I dunno.

      Yeah, the version number incrementing and either upgrading everyone, so the OS would see the broken one as a downgrade, or a "trusted" site that had md5 sums and a list of the latest versions (if not the actual downloadables) so that software could be "expired" remotely.

  18. Courtney Love Fans? by CatWrangler · · Score: 2

    They keep attaining hole records all the time. It just makes me wonder.

    --

    ---
    When you come to a fork in the road, take it! --Yogi Berra--

    1. Re:Courtney Love Fans? by Anonymous Coward · · Score: 0

      courtney love is a skanky ho

      'hole' is just so appropriate

  19. a solution...? I reckon. by girl_geek_antinomy · · Score: 2, Insightful

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

    Am I the only one who finds this uproariously funny...?

    Micro$oft wants us not to trust it. Not that this will be a problem in many cases, but... Maybe if we applied this more generally the world would be a nicer and safer place?

  20. Don't worry, we know just what to do... by Spazholio · · Score: 2

    "Now listen to me very closely, because I have the answer for your problems. The way to fix your troubles is to not trust me..."

    Catch-22, eh? The company that's giving you the solution is also telling you that they're not to be trusted. I don't care WHAT company that comes from, it's funny...

  21. Question by zero-one · · Score: 5, Insightful

    Why can't IE run in a process with reduced privileges? Why does IE need the privileges of the current user on NT/2000 when all it does is browse the web?

    1. Re:Question by pVoid · · Score: 4, Insightful
      The current user is a perfectly safe security context - unless you are doing the same stupid thing 98% of bad users out there do: run as admin.

      IIS needs to run as system for a couple of reasons that aren't worth detailing. The issue was that there was no distinction between Local-System and Network-System as there is now in XP.

    2. Re:Question by Peer · · Score: 4, Funny

      The current user is a perfectly safe security context

      Sure if you never store personal documents under it.

    3. Re:Question by RyoSaeba · · Score: 1

      Hum, I assume Mozilla under Linux has the user's privileges...
      Therefore if you run as root, if there's a security hole, too bad for you...
      After all, Linux documentation tells us to avoid at all cost using the root account except in special situations. The same probably applies to Windows too, so if you run IE under a low-level account, and it takes your privileges, that's ok.
      Now of course maybe IE runs at a high level privilege whatever user you're logged in as (haven't checked).

      --
      Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
    4. Re:Question by Anonymous Coward · · Score: 0

      Yes, it does. That is why when logged in as an unprivileged user, you cannot download from Mozilla to a directory that does not belong to the user (like /usr/local) by default.

    5. Re:Question by marauder404 · · Score: 2

      What kind of privilege set do you recommend using instead? It's consistent with current security models -- the application runs at the privileges of the user. The problem seems to be that most users (myself included) have users in the Administrator group, so any time something goes wrong, it happens at the root level. Oh well.

    6. Re:Question by Anonymous Coward · · Score: 0

      Equally important question:

      Why can't Mozilla run in a process with reduced privileges? Why does Mozilla need the privileges of the current user on Linux when all it does is browse the web?

    7. Re:Question by 0x0d0a · · Score: 2

      run as admin

      Umm...yes. And until XP, it was a complete fucking pain in the ass to run as non-admin. I don't get off on having to log out of my machine every time I want to install a piece of software. This sort of crap might be palatable in a business workstation environment, where you can't install whatever you want, but on a home machine, running as Administrator on Windows was the only reasonable thing to do for a long time.

      Now, I'll grant that that's pretty pathetic when you compare it to UNIX...

    8. Re:Question by gmoschin · · Score: 5, Informative

      Actually, you can.. at least, on Windows XP.. I haven't tried earlier versions.

      Create a shortcut to Internet Explorer.

      Right-click the shortcut, choose "Run As.."

      The option "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.

      Click OK to run Internet Explorer in "secure mode".

      Caveats to running in this mode:
      Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
      Other web-based programs may not run correctly.

      You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.

    9. Re:Question by Anonymous Coward · · Score: 1, Insightful

      > Why can't Mozilla run in a process with reduced privileges?

      It can.

      > Why does Mozilla need the privileges of the current user on Linux when all it does is browse the web?

      It doesn't.

    10. Re:Question by digitalsushi · · Score: 2

      I prefer the bipolar approach- on personal machines, run as admin||root. On work machines, always always the regular user, unless you need admin||root. Make sure you have much different passwords so that you think about what you're doing (personal passwords="meh", work passwords="50m3.0th3r-th1ng-2362hj", to force you to think on the work machines) Then after a few system screw ups from running as admin||root on your personal stuff, you train yourself enough to know when you're doing something risky or stupid, and that seems to be enough time to avoid regular disasters. Either that or just alias su='export PS1=#' and get on with your simple life.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    11. Re:Question by pmz · · Score: 2

      Why can't IE run in a process with reduced privileges?

      Does Windows (any shade or flavor) have the ability to run a process under something equivalent to UNIX `su`? I do this with Mozilla on Linux/UNIX using an account that has very limited filesystem permissions.

    12. Re:Question by dnoyeb · · Score: 2

      How will it read the 'current user(s)' favorites? How will it save its cache to the current users documents and settings? How can it store its history, etc...

      Any 'user' program will need at least the privileges of the current user. The OS can never know what the program will need to do, so best to let it do whatever the user wants it to do.

      I personally would be surprised if IE ran only with current user privileges. It's trying to be so smart and do so much within the OS that it more than likely is running at a higher privilege than you are :D

    13. Re:Question by Alan+Shutko · · Score: 2

      The current user is a perfectly safe security context - unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

      That's why we don't have to worry about any of the viruses that send the payroll listings to everyone in your addressbook, or delete your personal files, or insert profanity in your resume when you print it.

      Thank you for reassuring me.

    14. Re:Question by Fizzlewhiff · · Score: 2

      NT, 2000, and XP can run services under different user accounts and XP can run applications under different user accounts which you set via shortcuts.

      I have never done this with an interactive application. I would imagine for some applications you would encounter problems related to NTFS permissions when trying to read or write data. Of course in a malicious attack this would be a good thing.

      --

      'Same speed C but faster'
    15. Re:Question by artemis67 · · Score: 2

      For the same reason Outlook and Word needed a scripting engine that was enabled by default; because they say so and to hell with security.

    16. Re:Question by jafac · · Score: 2

      Then after a few system screw ups from running as admin||root on your personal stuff, you train yourself enough to know when you're doing something risky or stupid

      yeah, like rm -rf *; oh wait a second, what directory am I in again?

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    17. Re:Question by digitalsushi · · Score: 2

      here's my favorite

      >/dev/hda1

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    18. Re:Question by pVoid · · Score: 1
      Hey, if you knew how to use your computer, you'd know that shift right clicking an executable gives you the "Run As..." option.

      I use Win2k as a regular plain old user, and I am perfectly happy with it. And I don't need to log off, even if I want to install SPs or hotfixes...

      Another perfect example of pointing fingers at others for your own incompetence.

    19. Re:Question by Anonymous Coward · · Score: 0

      A really dumb question when every process runs as some user. You do want the session you are using to have something to do with you and the umask and fs restrictions available to you. or would you like not to be able to browse all the p*rn you downloaded?

    20. Re:Question by shepd · · Score: 1

      >unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

      I'm not a bad user. I just have to use bad code most of the time (nothing new in Microsoft land, though, is it?)... :-(

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    21. Re:Question by Kompressor · · Score: 1

      About 3 years ago, when I was still wet behind the ears, I made the mistake of rm -rf .* thinking it would wipe out all those pesky hidden files...
      That's not a mistake you make twice ;-)

      --
      kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
    22. Re:Question by tcoady · · Score: 1
      Caveats to running in this mode:
      Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.

      I tried this and the bookmarks remained, but I happened to disable ActiveX in a very dumb and unsuccessful attempt to stop pop-ups, but this caused Windows Update to fail until I ran as admin as per Microsoft's untrustworthy suggestion.

      All of this is pretty ironic since I was trying to fetch the patch that is supposed to fix the holes in the function that's needed to install the patch.

    23. Re:Question by Anonymous Coward · · Score: 0

      Shouldn't there be a command similar to except (. ..) rm -rf .* as in 4DOS? Hm, probably wouldn't work unless it was a shell-builtin.

  22. This is big by ceswiedler · · Score: 5, Insightful

    Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

    The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?

    1. Re:This is big by GooRoo · · Score: 1

      It would be bigger if this was a default setting, but I don't believe it is.

      You have to have said at some point that you trust Microsoft, and while I use their products all the time I certainly don't trust them.

      So basically unless you said at some point 'Always trust software from Microsoft Corporation' when those security warnings come up to install active x controls, or you always click ok when you go to web sites that try to install things, then you don't need to worry.

    2. Re:This is big by Anonymous Coward · · Score: 0

      It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

      Well, I think they've reached the point where they realize that the company's public image is already floating in the toilet with last night's bean burrito-- if the only place to go is up, it's possible to save face by taking a few more eggs to it.

    3. Re:This is big by jaclu · · Score: 2, Interesting

      > You have to have said at some point that you trust Microsoft

      If you want to run windowsupdate (to remove security risks ;) you _have_ to agree to trust them.

      The only system that doesn't trust Microsoft is an out-of-the-box unpatched one - and then you are fried anyhow...

      A clear Catch-22

    4. Re:This is big by Anonymous Coward · · Score: 0

      No you don't.

    5. Re:This is big by Anonymous Coward · · Score: 0

      This is incorrect. MS made the control vulnerable by not activating the kill switch on the control, citing backwards compatibility issues with current websites. They could have fixed this by breaking the old web pages but chose not to. Thus their actions are rather... uhh... bad.

    6. Re:This is big by marauder404 · · Score: 2

      It sounds like the paradigm is fairly solid, but it was not completely thought out and not well executed. Sounds like it'll take version 2 or the mighty version 3 release to get it right. Not terribly surprising.

    7. Re:This is big by 0x0d0a · · Score: 2

      But after being asked four million times, you'll click yes anyway. I don't particularly trust Microsoft, but when I'm stuck using a Windows box, minimizing the amount of pain I have to go through to get Windows Update working is high on my priority list.

    8. Re:This is big by deanpole · · Score: 2, Insightful

      Removing Microsoft from the list is absurd. Microsoft should enhance the signature checking code to also check an internal list of revoked hashes.
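
      As an added example (not code from the thread, from Microsoft or from any real installer), here is a small install policy in Python modelling the two fixes proposed in comments 43 and 8: the installer keeps a local list of revoked content hashes for known-bad builds, and refuses to install a lower version over a higher one, so a still-validly-signed old control cannot silently replace the patched one. The control names, bytes and versions are constructed, and the Authenticode signature check is modelled as a boolean input rather than performed.

```python
"""Install-policy check for signed browser controls.

Added example, not the thread's or Microsoft's code. All control data,
names and versions below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    version: str
    data: bytes
    # Outcome of the real publisher-signature check, modelled as a flag here.
    signature_valid: bool


def parse_version(version: str) -> tuple[int, ...]:
    """'1.0.10' -> (1, 0, 10), so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample builds of a fictitious control "example.ocx".
OLD_VULNERABLE = Control("example.ocx", "1.0.0",
                         b"example control build 1 (vulnerable)", True)
PATCHED = Control("example.ocx", "1.0.1",
                  b"example control build 2 (fixed)", True)
TAMPERED = Control("example.ocx", "1.0.1",
                   b"example control build 2 (fixed) + modified", False)

# The "internal list of revoked hashes": known-bad builds keyed by content
# digest, independent of whether their signature still verifies.
REVOKED_HASHES: frozenset[str] = frozenset({sha256_hex(OLD_VULNERABLE.data)})


def signature_only_decision(candidate: Control) -> tuple[bool, str]:
    """The weak policy: a valid signature from a trusted publisher suffices.

    This is what lets a revoked-but-validly-signed build be re-installed.
    """
    if not candidate.signature_valid:
        return False, "signature invalid"
    return True, "ok"


def install_decision(candidate: Control,
                     installed_versions: dict[str, str],
                     revoked: frozenset[str] = REVOKED_HASHES) -> tuple[bool, str]:
    """Hardened policy: signature, then revocation list, then no-downgrade rule.

    Returns (allowed, reason). installed_versions maps control name to the
    version currently on the machine.
    """
    if not candidate.signature_valid:
        return False, "signature invalid"
    if sha256_hex(candidate.data) in revoked:
        return False, "revoked build"
    current = installed_versions.get(candidate.name)
    if current is not None and parse_version(candidate.version) < parse_version(current):
        return False, f"downgrade from {current} to {candidate.version}"
    return True, "ok"


def simulate_reintroduction() -> list[tuple[bool, str]]:
    """Patch a machine, then try to push the old build back onto it."""
    installed: dict[str, str] = {OLD_VULNERABLE.name: OLD_VULNERABLE.version}
    results = []
    allowed, reason = install_decision(PATCHED, installed)
    results.append((allowed, reason))
    if allowed:
        installed[PATCHED.name] = PATCHED.version
    # A page re-offering the old, still validly signed control.
    results.append(install_decision(OLD_VULNERABLE, installed))
    # Same attempt with an empty revocation list: the version rule alone catches it.
    results.append(install_decision(OLD_VULNERABLE, installed, revoked=frozenset()))
    return results


if __name__ == "__main__":
    print("signature-only policy accepts old build:",
          signature_only_decision(OLD_VULNERABLE))
    for allowed, reason in simulate_reintroduction():
        print(f"allowed={allowed}: {reason}")
```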

    9. Re:This is big by Anonymous Coward · · Score: 0
      "Quis custodiet ipsos custodes: Who watches the watchers?"

      Custodio.

    10. Re:This is big by Iamthefallen · · Score: 2

      You can chose to trust that one install, it does not mean you have to trust everything from Microsoft for all time to come. If your system is set up properly you will always be asked if you wish to install ActiveX components, no matter who made them. I only trust components when I also trust the site that wants me to use them, no matter who signed them.

      --
      Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
    11. Re:This is big by Anonymous Coward · · Score: 0

      Absolutely, and every time I log on to my Linux box it asks me for a password. It's a pain in the ass, so I set it to [enter]

    12. Re:This is big by Jucius+Maximus · · Score: 2
      "If you want to run windowsupdate (to remove security risks ;) you _have_ to agree to trust them."

      Agreed. I just removed the certificates and now all other security patches refuse to install, you can't upgrade your MSIE to a newer patch or encryption level, you can't run windowsupdate, etc. Nasty.

    13. Re:This is big by Rich0 · · Score: 2

      There is an option to check for revoked certificates. It is off by default.

      As I recall, when ActiveX first came out, MS justified running controls outside of a sandbox by using the "do you trust ...?" rationale. The idea is that users should decide what can and can't run, and who they should trust. Unfortunately, this just shows that nobody can be trusted to be perfect.

      They do need a method of revoking a signature from a control across the board...

    14. Re:This is big by IntlHarvester · · Score: 2

      Actually, when ActiveX first came out (IE3), they didn't even have the "Do You Trust?" dialog. Led to some very nasty exploits because it ran whatever was signed by anyone.

      The main issue is that it's impossible to sandbox C/C++ code that's running in the same process space as your browser. The ONLY solutions are something VM-based like Java or .NET -- or to radically alter how memory-protection works on multi-user OSes (drumroll... Palladium).

      This is equally true for Mozilla Plugins as it is for ActiveX controls, BTW, except it looks like that Mozilla is missing the signature layer that ActiveX has.

      --
      Business. Numbers. Money. People. Computer World.
  23. Reversal of Fortune. by viper21 · · Score: 2

    I never thought I would see Microsoft telling us NOT to check the box:

    "Always trust content from Microsoft Corporation"

    I guess with the next version of IE they will be changing it to:

    "Never trust content from Microsoft Corporation"

    Now that's the kind of checkbox I'm talking about.

    -S

    1. Re:Reversal of Fortune. by program21 · · Score: 2

      They'll probably forget to change the behavior when that box is checked, and so it'll still "Always trust content from Microsoft Corp."
      And then they'll call it a feature.

      --
      This has been a test. Had this been a real emergency, we would have fled in terror and you would not have been informed.
  24. Microsoft knows best by Anarchofascist · · Score: 4, Funny

    All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.

    "Don't trust us"

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
    1. Re:Microsoft knows best by TheRealDeal · · Score: 1

      OK where does everyone see that it says not to trust Microsoft? All I see is not to trust an ActiveX pop-up warning that might be coming from someone OTHER than Microsoft...

      Oh and if I see M$ or Micro$oft one more time I'm going to puke... It's not witty, it's not funny, and above all else it is NOT in any remote fashion new... get over it...

    2. Re:Microsoft knows best by richie2000 · · Score: 3, Interesting
      OK where does everyone see that it says not to trust Microsoft?

      In Microsoft's Technet Security Bulletin MS02-065. It's linked from the submission and still not Slashdotted. However, as a free service (maybe you're afraid of surfing to untrusted websites), I am hereby reproducing some of the juicy bits:

      But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

      What steps could I follow to prevent the control from being silently re-introduced onto my system? The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message.

      Please note that this will generate a warning message EVERY TIME you encounter an ActiveX control - whether it is signed or unsigned. So how would you tell the difference between a 'bad' Microsoft-signed control and a 'good' one (ignoring for a moment the inherent badness in ActiveX)? The short answer is: You can't. You're toast. Muahahahaha!

      All I see is not to trust an ActiveX pop-up warning that might be coming from someone OTHER than Microsoft...

      Not that easy, I'm afraid. First, if you have been a good astroturfer you have undoubtedly checked the "Always trust content from Microsoft Corporation" checkbox the first time you saw it (or your keeper checked it for you). Therefore, you will NOT be getting a pop-up warning. Second, the pop-up warning you may get if you haven't added Microsoft to your list of Trusted Publishers does indeed come from Microsoft. Bill Gates more or less personally guarantees the security and validity of Microsoft Corporation's digitally signed certificates (unless they've been hacked again, but that's so unlikely that it probably didn't even happen the first time).

      Oh and if I see M$ or Micro$oft one more time I'm going to puke...

      Most astroturfers do. It's a feature of your implants and nothing to be ashamed of.

      --
      Money for nothing, pix for free
    3. Re:Microsoft knows best by Anarchofascist · · Score: 2
      OK where does everyone see that it says not to trust Microsoft? All I see is not to trust an ActiveX pop-up warning that might be coming from someone OTHER than Microsoft...

      You can't just install the patch. You must remove Microsoft from your list of trusted content providers in IE, because if the old (unpatched) ActiveX control is hosted on a malicious web site, it is still signed by Microsoft, and can be automatically installed over the top of the patch! To quote from the Book of Microsoft, chapter Security Bulletin MS02-065:

      Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

      A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

      Why not revoke the certificate that was used to sign the control?

      The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid. OOPsie!

      What steps could I follow to prevent the control from being silently re-introduced onto my system?

      The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message.

      Oh and if I see M$ or Micro$oft one more time I'm going to puke.

      You and me both, brother. Even complete Microsofties don't go around writing "Linsux". Derogatory labels help no-one.
      --
      Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
    4. Re:Microsoft knows best by Fascist+Christ · · Score: 1

      "Don't trust us"

      On the contrary, it reads as follows: The simplest way is to make sure you have no trusted publishers, including Microsoft. See, they are saying not to trust any certificates. They are effectively implying that the certificate is not trustable, not that the company can't be trusted. Or if you take the sentence out of context, you might show that they are saying don't trust any companies, even them. So that would mean that they are not the problem, but that everyone is a problem.

      As a side note, I wouldn't trust them anyway.

      --
      TodayTM BillyJoelTM GoogleTMd for StitchTMes due to WindowsTM while RollerbladeTMing with an AppleTM and a PopsicleTM
    5. Re:Microsoft knows best by greenrd · · Score: 2
      It's not witty, it's not funny, and above all else it is NOT in any remote fashion new... get over it...

      Let me clue you in on something. Not everyone uses it to try to be humourous or cool. Some people use it to express their contempt of Microsoft.

    6. Re:Microsoft knows best by Anonymous Coward · · Score: 0
      the problem lies in the control, not the certificate.

      The certificate shouldn't be used, because its CA key is in the hands of idiots who cheerfully sign code that hasn't been properly audited.

      In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid.

      As it should. At this moment we have no grounds for deciding those controls are (or ever were) safe.

  25. Trusted computing. by MongooseCN · · Score: 2, Funny

    As this control is Microsoft signed...

    Trusted computing, digital signing... I guess it all boils down to "You can trust Microsoft that this signed control will screw over your computer."

    1. Re:Trusted computing. by LostCluster · · Score: 2

      Yep, that's all a digital signature can assure you of. Whoever's piece of crypto is involved did in fact sign that piece of software.

      The problem is, knowing the source of the code is not the same as knowing the source code. You have only the name on the signature as information and then are asked whether you wish to grant full access to whatever that code wants to do.

      Now, Microsoft's really done it. Their infamous security holes have snuck into an ActiveX element that they've signed. They can replace it with a clean version of element, however, any website that has the unpatched ActiveX control can put the unsafe version on their website, and then require it in their HTML. Even with "Always trust Microsoft Corp." disabled, the user is presented with a window to the effect of "Hey, you need an ActiveX control you don't have to read this page. You can trust it, it's from Microsoft Corp."

      So much for ActiveX security....

  26. dammit by mschoolbus · · Score: 1

    "I knew we shouldn't have enabled Active X in my rocket..." --John Carmack

    1. Re:dammit by Anonymous Coward · · Score: 0

      That must be some really wacky tabaccy if you thought THAT was funny... :-)

  27. Excellent. by grub · · Score: 1, Redundant


    The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft.

    Ah excellent, for years I never trusted anything from Microsoft but now I can just distrust their signed ActiveX crud.

    --
    Trolling is a art,
  28. The admission is in the faq section. by terradyn · · Score: 5, Informative

    Reproduced for your enjoyment:

    What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

    1. In Internet Explorer, choose Tools, then Internet Options.
    2. Select the Content tab. In the Certificates section of the page, click on Publishers.
    3. In the Certificates dialog, click on the Trusted Publishers tab.
    4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
    5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

    1. Re:The admission is in the faq section. by Jucius+Maximus · · Score: 2
      "The simplest way is to make sure you have no trusted publishers, including Microsoft."

      Of course with Palladium this would be built into the hardware. I doubt they would tell us to rip a circuit or two out of the motherboard.

    2. Re:The admission is in the faq section. by fishboy · · Score: 1


      I re-wrote your post for Mac users:

      What steps could I follow to prevent the control from being silently re-introduced onto my system?
      The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

      1. In Internet Explorer, choose "Preferences..." under the Edit menu.
      2. Select the Security item tab.
      3. For each certificate in the list you want to delete, click on the certificate and then select Remove.
      4. When you've removed all entries from the list, click on OK to close the dialog.

    3. Re:The admission is in the faq section. by LittleGuy · · Score: 2

      Hmmmm... what if you never clicked on the little box "Always trust content from Microsoft"?

      Security warnings are only as good as the choice between "OK/Cancel" and automatic install.

      --
      Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  29. Don't trust... by Torinaga-Sama · · Score: 2

    "The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

    That is solid GOLD.

    It is poetic justice that Microsoft's own measures for security are working against them.

    --
    (/local/home/curiosity)-#who -u|grep thecat|cut -c 44-49|xargs kill -9
  30. MS from the list of Trusted Publishers. by oliverthered · · Score: 2

    Already done, a long long time ago........
    I didn't want them running anything they happened to sign on my PC.

    Ok, I don't run windows at home any more, unless I need it for reverse engineering drivers or file formats.

    --
    thank God the internet isn't a human right.
  31. So what.. by ybmug · · Score: 2, Insightful
    that can run any program in an unpatched windows system.

    If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

    1. Re:So what.. by lalas · · Score: 1
      that can run any program in an unpatched windows system.

      If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.


      If you had read a little further:
      The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email.

    2. Re:So what.. by Penguinoflight · · Score: 2

      No, man, there would be quite a few user-root exploits. I.e., if someone had shell access, they could get full access. That's a HUGE difference. They don't need your password to get in with the IE hack.

      --
      "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
      1 John 4:14
    3. Re:So what.. by Anonymous Coward · · Score: 0

      The problem isn't so big; all complex systems have errors and anomalous events (read: bugs when that complex system is software). The response from Microsoft is moronic though.

    4. Re:So what.. by richie2000 · · Score: 5, Interesting
      If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

      Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?

      I don't think so.

      --
      Money for nothing, pix for free
    5. Re:So what.. by Anonymous Coward · · Score: 0

      I sincerely doubt you know how to use linux.

    6. Re:So what.. by jim3e8 · · Score: 1

      I wouldn't even trust my priest with a moist sponge in a bathtub. Wait...

    7. Re:So what.. by Anonymous Coward · · Score: 0

      >people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?

      Give me one of these, and make sure the water is chock full o' non-tested on animals bubbles and I can assure you I can go blind.

  32. DOJ reaction by MosesJones · · Score: 5, Funny


    Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.

    "Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:DOJ reaction by Anonymous Coward · · Score: 0

      "Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"

      Or like asking Bill Clinton to run a shelter for abused women !

    2. Re:DOJ reaction by Anonymous Coward · · Score: 0

      I find a post that misspells the word "it's" and has the words "literacy program" in it highly amusing.

  33. Muha by mao+che+minh · · Score: 2

    Right about now, Bill Gates is asking himself why in the world he paid millions for that "security approval" thing for Windows 2000 and wasted all of those marketing dollars in the over-hyped (and non-existent) "we make all of our programmers go to security school or something" campaign.

  34. what can one do? by proky · · Score: 2, Interesting

    If Microsoft tells users not to trust it for this, when should users trust it?

    The joke is to say never. But with Microsoft controlling however many trillions of computers, it seems like something they should seriously be addressing. And more seriously than they are.

  35. flaming retard jacket? by Anonymous Coward · · Score: 0

    is that some kind of Leisure Suit Larry thing?

  36. I also don't trust software i write by TrueKonrads · · Score: 2, Funny

    I also don't trust software I write, so why should MS do differently? I mean, you can't otherwise say "The programmer was a moron" and keep your pride.

    --
    Lone Gunmen crew.
  37. Bad Timing by YetAnotherDave · · Score: 1

    Damn, when I saw this there were no comments listed, I thought I might be able to post 'first yawn'.

    I mean, how is _another_ IE flaw even news anymore...

    Ironically, I probably missed it cuz I was opening my morning comics in other (mozilla) tabs...

  38. Microsoft update! by j4pjeff · · Score: 0

    If you have bad controls, patch it. If you have security issues, patch it. The whole of their operating system is becoming one giant Windows Update...

    1. Re:Microsoft update! by mschoolbus · · Score: 1

      Well it is, they have to fix the current bugs and introduce some new ones for users to get fucked over with...

  39. Windows Update by Peer · · Score: 2, Insightful

    The real pain is that people that have used Windows Update often will have checked "Always trust content from Microsoft", otherwise they will have RSI by now from clicking Yes.

    1. Re:Windows Update by Anonymous Coward · · Score: 0

      Except they won't. You only have to accept the Windows Update controls the first time you visit the site. After that, the only time you have to click Yes is when the EULA pops up before downloading updates, something that will happen whether or not a user chooses to always trust MS.

  40. Redundant by anno1a · · Score: 1

    Dammit, all news about security issues with Microsoft products should be rated redundant... I know I'm losing interest by now... There's just a limit to how often you can get amazed by a new security hole in the same company's products. :P

    --
    ------- I fumbled my registration and I now must suffer
  41. funny by sT0n3_h34d · · Score: 1

    I don't know if it's an innocents week (days) but it's funny to hear microso~1 saying "don't trust our software and neither our company"
    That's what I'd like to expect from my supplier XD

    hahaha
    I couldn't help it XD

    P.S.: what about making a "100 things that you shouldn't expect to hear from microso~1"?

    1. Re:funny by Blkdeath · · Score: 2
      microso~1
      <NIGGLE>
      Actually, it's "micros~1". First six characters, tilde, then a number to allow it to fit within the "8" of the 8.3 file format.
      </NIGGLE>
      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    2. Re:funny by Anonymous Coward · · Score: 0

      XD, is that a Cartman smiley or something?

    3. Re:funny by MWelchUK · · Score: 1

      Just out of interest, what happens if you have over 10 directories with the same first 6 letters?

      Do you lose another letter and get a 2 digit number?

    4. Re:funny by Malcolm+MacArthur · · Score: 1
      Well, this is what Win98 gives you.


      C:\>cd tmp
      C:\tmp>md longnamedir
      C:\tmp>for %%i in (1 2 3 4 5 6 7 8 9 10 11) do md longnamedir%i
      C:\tmp>dir
      Volume in drive C has no label
      Volume Serial Number is 0428-17EA
      Directory of C:\tmp

      .<DIR>21/11/0218:36 .
      .. <DIR>21/11/0218:36 ..
      LONGNA~1 <DIR>21/11/0218:36 longnamedir
      LONGNA~2 <DIR>21/11/0218:36 longnamedir1
      LONGNA~3 <DIR>21/11/0218:36 longnamedir2
      LONGNA~4 <DIR>21/11/0218:36 longnamedir3
      LONGNA~5 <DIR>21/11/0218:36 longnamedir4
      LONGNA~6 <DIR>21/11/0218:36 longnamedir5
      LONGNA~7 <DIR>21/11/0218:37 longnamedir6
      LONGNA~8 <DIR>21/11/0218:37 longnamedir7
      LONGNA~9 <DIR>21/11/0218:37 longnamedir8
      LONGN~10 <DIR>21/11/0218:37 longnamedir9
      LONGN~11 <DIR>21/11/0218:37 longnamedir10
      LONGN~12 <DIR>21/11/0218:38 longnamedir11
      0 file(s)0 bytes
      12 dir(s)92,536,832 bytes free
      C:\tmp>for %%i in (17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 3 7 38 39 40 41 42 43 44 45) do md longnamedir%i
      C:\tmp>for %%i in (46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 6 6 67 68 69 70 71 72 73 74 75) do md longnamedir%i
      C:\tmp>for %%i in (76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100) do md longnamedir%i
      C:\tmp>dir [...]
      LONGN~97 <DIR>21/11/0218:46 longnamedir97
      LONGN~98 <DIR>21/11/0218:46 longnamedir98
      LONGN~99 <DIR>21/11/0218:46 longnamedir99
      LONG~100 <DIR>21/11/0218:46 longnamedir100
      0 file(s)0 bytes
      102 dir(s)89,817,088 bytes free

      So, now you know :-)
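An added example, not code from the post above or from Microsoft: a Python model of the numbering visible in that Win98 listing, where the prefix shrinks so the alias stays at eight characters (six letters up to ~9, five up to ~99, four at ~100). `short_name` and `assign_aliases` are names chosen here; the model also handles an extension, which the listing does not show, and it is not Microsoft's real algorithm (which also strips characters FAT forbids and, on NTFS, switches to a hashed form after a few collisions).

```python
"""Model of the FAT 8.3 alias numbering shown in the Win98 session above.

Added example; simplified to the behaviour visible in that listing.
"""


def _base_and_ext(long_name):
    """Split 'longnamedir.html' into ('LONGNAMEDIR', 'HTM'); no dot -> no ext."""
    if "." in long_name:
        base, ext = long_name.rsplit(".", 1)
    else:
        base, ext = long_name, ""
    return base.upper(), ext.upper()[:3]


def short_name(long_name, taken):
    """Return the 8.3 alias for long_name, avoiding aliases already in `taken`.

    Names that already fit 8.3 are returned unchanged (upper-cased); longer
    ones get PREFIX~N, where len(PREFIX) + 1 + len(str(N)) == 8, for the
    first N whose alias is free.  Simplification: case and forbidden
    characters are ignored.
    """
    base, ext = _base_and_ext(long_name)
    if len(base) <= 8 and ("." not in long_name or len(long_name.rsplit(".", 1)[1]) <= 3):
        return f"{base}.{ext}" if ext else base
    n = 1
    while True:
        digits = str(n)
        prefix = base[: 8 - 1 - len(digits)]      # shrink prefix as N grows
        alias = f"{prefix}~{digits}"
        if ext:
            alias = f"{alias}.{ext}"
        if alias not in taken:
            return alias
        n += 1


def assign_aliases(long_names):
    """Assign aliases in creation order, as `md` in a loop would; returns {long: short}."""
    taken = set()
    result = {}
    for name in long_names:
        alias = short_name(name, taken)
        taken.add(alias)
        result[name] = alias
    return result


if __name__ == "__main__":
    # Constructed input mirroring the post: longnamedir, then longnamedir1..100.
    names = ["longnamedir"] + [f"longnamedir{i}" for i in range(1, 101)]
    for long, short in assign_aliases(names).items():
        print(f"{short:<12} {long}")
```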

  42. But if I can't trust Microsoft... by ksheka · · Score: 1

    ...who can I trust?

    --
    alias uptime="echo '5:33pm up 22342352324 days, 6:28, 2124315623 users, load average: 2432.40, 12312.31, 123123.19'"
  43. No more Windows Updates by Anonymous Coward · · Score: 0

    So I guess this means they'll be discontinuing the Windows Update program as it tries (or used to) to load an ActiveX component signed by M$.

  44. Incredible... by Pellelelle · · Score: 3, Interesting

    I didn't believe this was true at first but this is actually what it says in the Security Bulletin:
    --
    What steps could I follow to prevent the control from being silently re-introduced onto my system?
    The simplest way is to make sure you have no trusted publishers, including Microsoft.
    --

  45. why the kill bit does not work. by leuk_he · · Score: 5, Insightful

    According to the MSTECH bulletin:
    Why isn't it feasible to set the Kill Bit in this case?

    The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.


    Conclusion:
    -Microsoft refuses to kill itself.

    how does this relate to: the story Microsoft on Security: We'll Break Your Apps

    Hey... Linus refused to change the behaviour of kill -9 -1 also

    1. Re:why the kill bit does not work. by Anonymous Coward · · Score: 3, Insightful

      Wow, thanks Microsoft. You could fix a major vulnerability and result in some minor inconvenience breaking stupid websites that require ActiveX or you can allow any rogue website to run arbitrary code on your customers' systems. Way to go!

    2. Re:why the kill bit does not work. by RAMMS+EIN · · Score: 1

      I don't get it. Surfing the web with Mozilla/Linux leaves me without _any_ ActiveX controls, right? And I've never encountered a website that I wanted to use but couldn't because I didn't have an ActiveX control installed. What sorts of websites use these controls, what does it even do, and why does M$ think it's indispensable, even if it's broken? Maybe this is where the NSA Backdoor is?

      --
      Please correct me if I got my facts wrong.
    3. Re:why the kill bit does not work. by gmack · · Score: 2

      "Hey... linus refused to change the behaviour of kill -9 -1 also"

      I don't see how that's relevant at all. Kill -9 -1 is not a security bug and there are many instances where kill -somethingelse -1 is quite reasonable.

      If you type that it's your own problem and Unix will happily shoot the gun exactly where you aimed it..

      An attacker would need root access to do that and if an attacker has root there are much worse things (s)he can do to your system than shut off all its processes..

    4. Re:why the kill bit does not work. by de_rus · · Score: 2, Insightful

      Also according to the MSTECH bulletin: Will Microsoft eventually set the Kill Bit on this control?

      Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.


      So.. Microsoft is developing technology that can/will deactivate controls a user has explicitly downloaded and trusted.
      And -as it implies- replace it with a new one without the user knowing.

      That's just great! It'll be a source for completely new viruses when (not if) this 'new technology' gets cracked.

    5. Re:why the kill bit does not work. by Anonymous Coward · · Score: 0

      > Wow, thanks Microsoft. You could fix a major vulnerability and result in some minor inconvenience breaking stupid websites that require ActiveX or you can allow any rogue website to run arbitrary code on your customers' systems. Way to go!

      From their point of view, websites that require ActiveX are exactly what they want - no such thing as "stupid websites that require ActiveX". I'm not surprised they jumped on this so quickly given that they'd like ActiveX to replace Java as the active content deliverer of choice.

    6. Re:why the kill bit does not work. by Anonymous Coward · · Score: 0

      Surfing the web with Mozilla/Linux leaves me without _any_ ActiveX controls

      No, because Mozilla has reimplemented their own version of ActiveX, and it has the exact same design problems. Look at the docs for XUL and XPCOM.

    7. Re:why the kill bit does not work. by DoctorFrog · · Score: 2
      Conclusion:

      -Microsoft refuses to kill itself.

      how does this relate to: the story Microsoft on Security: We'll Break Your Apps

      I find it interesting that this problem does not affect Windows XP...

    8. Re:why the kill bit does not work. by leuk_he · · Score: 1

      I don't see how that's relevant at all.

      That is a Joke! You really need to get more out.

      (A kill bit and kill -9 are not related but it just sounds nice.)

      now please smile.

    9. Re:why the kill bit does not work. by leuk_he · · Score: 1

      It'll be a source for completely new viruses when (not if) this 'new technology' gets cracked. Then why is the signed code of the X-Box still not cracked?

      You'd better use a back door than software that is designed to be a security improvement.

    10. Re:why the kill bit does not work. by FirstEdition · · Score: 1
      You really need to get more out.

      What should he get out?

  46. I found it amusing... by oconnorcjo · · Score: 5, Interesting

    but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrassing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.

    --
    I miss the Karma Whores.
    1. Re:I found it amusing... by Sycraft-fu · · Score: 3, Insightful

      Ummm, IE doesn't run in root mode. IE runs as whoever you are logged in as. If that's an administrator, well then it has near root powers (root would actually be more analogous to the Local System account) including things like formatting the hard drive. However, if your user does not have permissions to do things like that, neither does IE.

      Most people just use their Windows systems as administrators; that doesn't mean it has to be that way. You need administrator privileges to do things like install drivers and some software, but not to run what's already on there.

    2. Re:I found it amusing... by Winterblink · · Score: 2

      You make a VERY good point here. Really, it boils down to the root of the legal action against them, and that's the integration of IE into the guts of the OS. It's used in admin tools, the desktop itself, etc, etc, etc. To revoke its overall "rootness" would end up crippling the OS, which has been Microsoft's argument all along. I suppose the simple suggestion is to *gasp* not run the IE components in a rooty mode when it's active in a normal user application. *shrug* Is that even possible? Who knows. :)

      --
      "I'm a leaf on the wind. Watch how I soar."
      -Hoban Washburn
    3. Re:I found it amusing... by Waffle+Iron · · Score: 4, Insightful
      Most people just use their Windows systems as administrators; that doesn't mean it has to be that way. You need administrator privileges to do things like install drivers and some software, but not to run what's already on there.

      At least as of Win2K, so many things break when you try to run as non-administrator, it's just not worth it for most people.

    4. Re:I found it amusing... by 0x0d0a · · Score: 2

      I believe you're thinking of IIS, which runs in Ring 0, not IE.

    5. Re:I found it amusing... by stinky+wizzleteats · · Score: 1

      but I think Microsoft is doing the right thing here.

      A good faith effort to fix a problem is one thing. Microsoft's behavior, viewed as a whole, is another. It's hard for me to be sympathetic to a company who is saying this out of one side of their mouth, and then trying to wrest control of my computer from me via Palladium with the other. This hypocrisy screams to be addressed, and I think it is valid to do so.

    6. Re:I found it amusing... by Tony-A · · Score: 2

      IE doesn't run in root mode. IE runs as whoever you are logged in as.
      This depends on what APIs that do root-level stuff are exposed and usable by IE. Microsoft presumably knows. I sure don't, but it seems rather naive to assume that there aren't any such.

  47. Microsoft update /.'ed by ITShaman · · Score: 1

    As of 10:01am EST, the Microsoft Update website displays the message "SERVICE UNAVAILABLE". Oh the irony of it all...

    --
    I can no longer read Dilbert. It's too depressing, because it is too real. -- Hyperhaplo
  48. I find it amusing... by analog_line · · Score: 5, Funny

    ...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.

    1. Re:I find it amusing... by CrazyJoel · · Score: 1

      doesn't IE run as root:admin on OS X?

      --

      Such is the infinite Grace of Popeye.
    2. Re:I find it amusing... by Anonymous Coward · · Score: 0

      No. It runs under the user you logged in as. If you're an admin(first user), then there might be a problem. But you're not root unless you use NetInfo Manager to make a root password, and you have to know what you're doing to do that. (Hopefully...)

      If it wasn't running under your user account, you couldn't force quit it. Trust me, you can(and at some point will have to) force quit IE.

    3. Re:I find it amusing... by Anonymous Coward · · Score: 0

      > doesn't IE run as root:admin on OS X?

      Hm no,

      [localhost:~] fz% ps -o 'pid uid pgid command' -p 1
      PID UID PGID COMMAND
      1 0 1 /sbin/init
      [localhost:~] fz% ps -o 'pid uid pgid command' -p 1336
      PID UID PGID COMMAND
      1336 501 192 /Applications/Internet Explorer.app/Contents/MacOS/Internet Explorer

    4. Re:I find it amusing... by Anonymous Coward · · Score: 0

      (oops, better)

      [localhost:~] fz% ps -axo 'pid uid rgid command'
      PID UID RGID COMMAND
      1 0 0 /sbin/init
      2 0 0 /sbin/mach_init
      51 0 0 kextd
      ...
      1332 501 20 /Applications/Mozilla.app/Contents/MacOS/mozilla-b in -psn_0_12451841
      1336 501 20 /Applications/Internet Explorer.app/Contents/MacOS/Internet Explorer
      1495 0 20 ps -axo pid uid rgid command

  49. WTF ? by FauxPasIII · · Score: 5, Insightful

    How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
    1. Re:WTF ? by Anonymous Coward · · Score: 0

      Excellent point.

    2. Re:WTF ? by kcurtis · · Score: 3, Interesting

      Sure they did. I think you did not read the notice, and are the one missing something here...

      From bulletin:
      ===
      Why not revoke the certificate that was used to sign the control?

      The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid.
      ===

      Additionally, there is this tidbit, about killing the control w/o revoking the certificate:
      ===
      Will Microsoft eventually set the Kill Bit on this control?

      Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.
      ===

      Bottom line: they *could* revoke the certificate, but it would screw up other controls that use it.

    3. Re:WTF ? by Violet+Null · · Score: 0, Offtopic

      The OP is +5 insightful, and the parent is 1, unmoderated? Mod parent up.

    4. Re:WTF ? by FauxPasIII · · Score: 2

      > The certificate that was used to sign the control is still valid ...
      > revoking the certificate would cause all of them to become invalid.

      This just indicates a braindead design of their PKI. If they're going to be using a certificate to sign controls, then they need to keep a control revocation list associated with each certificate.

      Read 'Applied Cryptography' by Schneier. It's better than drugs.

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
    5. Re:WTF ? by gclef · · Score: 2

      Did you miss the last time this came up? (here: http://www.microsoft.com/technet/security/bulletin/MS01-017.asp )

      There is no CRL checking for Microsoft browsers. To be fair, Verisign doesn't include CRL Distribution Point info in their certs, either, so there really isn't any way for Microsoft to check, since they don't know who to ask. The way they handled the extra Verisign keys was to push out a *locally stored* CRL for just those keys.

      Whee.

    6. Re:WTF ? by dbarclay10 · · Score: 5, Insightful

      They did. The reason why they refuse to revoke this control is that many sites hard-code the object ID, thus they would stop working.

      While I commend them for suggesting a fairly complete solution (including not trusting Microsoft-signed controls any more), I piss on them for not being willing to revoke the old control simply because some sites would not work.

      Were they to do this, there's no doubt that administrators and programmers everywhere would TRULY understand the issue, and fix their code to not use the hardcoded value. Instead, Microsoft is coddling them, and now we have another hundred thousand zombied machines in DDoS attack-networks.

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
    7. Re:WTF ? by Anonymous Coward · · Score: 1, Interesting

      "The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer. I was pretty naive.
      The result wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure." A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography."

      -Bruce Schneier

    8. Re:WTF ? by FauxPasIII · · Score: 3, Interesting

      > A colleague once told me that the world was full of bad security
      > systems designed by people who read Applied Cryptography

      Apparently the Microsoft code-signing system is one of them.

      We can go back and forth all day long about the quality of that or any book; it happens to be one I get a great deal of use from. Fact of the matter is, there are open, standard public-key infrastructures that are designed such that this "problem" wouldn't be a problem at all, just a barely noticed update to the CRL that wouldn't disturb anything else in the system. Microsoft got infected with the Not Invented Here syndrome, and Windows admins are now suffering the results.

      This thread is tiresome, so I'll leave it at that. Cheers. =)

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
    9. Re:WTF ? by iabervon · · Score: 2

      Or designing the revocation/signing mechanism such that a new control could be issued with everything available to the programmer the same (except that pages that used the exploit wouldn't work).

    10. Re:WTF ? by Pfhreakaz0id · · Score: 2

      right, that works if people use COM correctly by using say ado.recordset instead of the GUID {!S2a, whatever) ... then you could just put out a new version. I agree with the parent post.. why should Microsoft coddle these folks? why would you hard code the objectID of an MDAC component? My user could have any number of versions installed....

    11. Re:WTF ? by WayTooOldForThis · · Score: 1

      Microsoft's problem, as they explain in the bulletin, is that the same certificate covers not only this control but several others as well. So revoking the certificate apparently would break a whole bunch of stuff.

    12. Re:WTF ? by Chazmyrr · · Score: 2, Insightful

      Q: why would you hard code the objectID of an MDAC component?

      A: because your code has been tested against and works with that version. because you haven't completed testing against newer versions. because the newer version behaves differently and would require a significant rewrite that hasn't been completed. some or all the above. take your pick.

    13. Re:WTF ? by iabervon · · Score: 2

      Since this is Microsoft we're talking about, the reason is probably that your user could have any number of versions installed, and your code will only work with one of them, so you really do need the same version.

      All this means is that MS should have had a way of producing bugfixed versions of objects with the same GUIDs. Given MS's attitude toward specification, hard coding the objectID is using COM "correctly", because it works (and nothing else necessarily does).

      The problem is that there's no way of specifying that you need an object compatible with a certain interface; you either get an object for the same general purpose, or you get exactly that object.
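An added example, not code from the bulletin, from Microsoft or from any poster in this thread, modelling the blocking mechanisms argued over above (revoking the certificate, setting the Kill Bit on the CLSID, and the per-control revocation list FauxPasIII asks for) alongside the bulletin's "no trusted publishers" advice, and showing what each one breaks when the fixed build keeps the old CLSID as the bulletin says it does. Authenticode is replaced by an HMAC-SHA256 stand-in; the publisher name, key, CLSIDs and control bodies are all constructed placeholders.

```python
"""Toy model of the revocation choices discussed above (added example)."""
import hashlib
import hmac

# Constructed fixtures: a stand-in publisher, key and CLSID, not Microsoft's.
PUBLISHER = "Microsoft Corporation (constructed stand-in)"
PUB_KEY = b"constructed signing key for the stand-in publisher"
CLSID = "{00000000-0000-0000-0000-000000000000}"   # placeholder CLSID
KEYS = {PUBLISHER: PUB_KEY}   # the browser's view of publisher certificates


class Control:
    """An ActiveX control as the browser sees it: a CLSID, the code bytes and a
    publisher signature (HMAC-SHA256 here standing in for Authenticode)."""

    def __init__(self, name, clsid, body):
        self.name, self.clsid, self.body = name, clsid, body
        self.publisher = PUBLISHER
        self.signature = hmac.new(PUB_KEY, body, hashlib.sha256).digest()

    def digest(self):
        """Identity of this exact build, independent of its CLSID."""
        return hashlib.sha256(self.body).hexdigest()


# The patch keeps the same CLSID for the fixed build, as the bulletin describes,
# and a second, unrelated control is signed by the same certificate.
VULNERABLE = Control("vulnerable build", CLSID, b"control v1: unchecked buffer")
FIXED = Control("fixed build", CLSID, b"control v2: bounds check added")
OTHER = Control("other control, same cert",
                "{11111111-1111-1111-1111-111111111111}", b"an unrelated control")


class BrowserPolicy:
    """Decide 'install' (silently), 'prompt' (ask the user) or 'block'."""

    def __init__(self, trusted_publishers=(), revoked_certs=(), kill_bits=(),
                 revoked_builds=()):
        self.trusted_publishers = set(trusted_publishers)
        self.revoked_certs = set(revoked_certs)     # whole-certificate revocation
        self.kill_bits = set(kill_bits)             # per-CLSID Kill Bit
        self.revoked_builds = set(revoked_builds)   # per-build hash list

    def decide(self, ctl):
        key = KEYS.get(ctl.publisher)
        expected = hmac.new(key, ctl.body, hashlib.sha256).digest() if key else b""
        if not key or not hmac.compare_digest(expected, ctl.signature):
            return "block"                          # signature does not verify
        if ctl.publisher in self.revoked_certs:
            return "block"                          # takes every control with it
        if ctl.clsid in self.kill_bits:
            return "block"                          # fixed build shares the CLSID
        if ctl.digest() in self.revoked_builds:
            return "block"                          # only this exact build
        return "install" if ctl.publisher in self.trusted_publishers else "prompt"


POLICIES = {
    "trust publisher, no revocation": BrowserPolicy([PUBLISHER]),
    "revoke the certificate": BrowserPolicy([PUBLISHER], revoked_certs=[PUBLISHER]),
    "kill bit on the CLSID": BrowserPolicy([PUBLISHER], kill_bits=[CLSID]),
    "per-build revocation list": BrowserPolicy([PUBLISHER],
                                               revoked_builds=[VULNERABLE.digest()]),
    "MS02-065 advice: no trusted publishers": BrowserPolicy(),
}


def outcomes():
    """What a page that 'requires' each control gets under each policy."""
    return {name: {c.name: policy.decide(c) for c in (VULNERABLE, FIXED, OTHER)}
            for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name}:")
        for ctl, verdict in result.items():
            print(f"    {ctl:<26} {verdict}")
```

The first row is the re-introduction problem itself: with the publisher trusted and nothing revoked, a page that requires the old build gets it installed silently on a patched machine.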

  50. Why don't people use something else? by Mr_Silver · · Score: 5, Insightful
    See this comment followed by my response.

    People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.

    Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.

    Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:Why don't people use something else? by fferreres · · Score: 2

      There will be a Sept 11 for communications. That day, a bastion of the IT industry will be just destroyed (not infected, but deleted, formatted). That will be a simple and effective way to push Microsoft and everyone else trying not to profit from this market, but to control our communications and daily lives.

      After that day, Palladium (or something similar) will be mandated, encryption will be banned (government provided encryption will be the only legal encryption, with the due unlock key in their hands). P2P will be banned.

      Or does anybody still think they will care what a bunch of "anarchists" have to say about the freedom to trade porn movs or mp3?

      So it is VERY important that people patch their systems. If they don't, they're dumping fuel on what will benefit "cyberterrorists" and "anti privacy, pro control" organizations. It is indeed crucial; the fate of the information era depends on taking care of security BEFORE anything important has happened. For when something important has happened, you will have no freedom so as to enjoy the "added _security_"....

      --
      unfinished: (adj.)
    2. Re:Why don't people use something else? by marauder404 · · Score: 2

      You're exactly right. People don't protect their privacy until they've lost it. They don't protect their car until it's stolen. They don't protect their home until it's been burglarized.

      This bug is tantamount to someone being able to break into your home, secured by a Microsoft lock, if they use a certain kind of paperclip and you left the door locked in a particular way. It's not going to cause a mass panic and people aren't going to suddenly fix their locks, let alone swap the whole lock out for something else (like a Mozilla branded one). Even if your neighbor's house gets scored, you're not even likely to get that lock fixed. Human nature is fun, ain't it?

    3. Re:Why don't people use something else? by Reziac · · Score: 2

      Back in the DOS era, we had boot sector viruses and file infectors. Some of them did cute things like slowly encrypt all your data. Eventually the majority of users got the message and started scanning everything with a good antivirus program. But remember, in that era computer users were a tiny minority. It's a lot easier to teach security habits if you don't have to reach the farflung masses.

      Since then we've had a whole generation of new users who never heard of boot and file viruses. There was a spasm of awareness in the early days of the macro virus scare, but it seems to have died out, likely in part because now the overwhelming majority of computer users are relatively NEW at the whole thing, and are still struggling with basic concepts and everyday use. There really isn't any good solution to that, unless you propose restricting computer use to only the select few.

      One of the contributing reasons, IMO, is the usual lame (and unnecessary) recommendation to "reformat and reinstall" every time there's a problem. This promotes ongoing ignorance as to causes and cures for daily issues, as well as to various hazards and security issues.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    4. Re:Why don't people use something else? by Anonymous Coward · · Score: 0

      Eeeewww, formatting your hard disk when you visit an evil web page, as described in a previous alert, won't cause damage to personal files? For most people, that is about 90% of computer users, who store everything in the 'My Documents' folder, this IE exploit will cause a lot of data loss.

    5. Re:Why don't people use something else? by Mr_Silver · · Score: 2
      Eeeewww, formatting your hard disk when you visit an evil web page, as described in a previous alert, won't cause damage to personal files? For most people, that is about 90% of computer users, who store everything in the 'My Documents' folder, this IE exploit will cause a lot of data loss.

      (I normally don't bother with replying to AC's because they generally never get the point I'm making, but I'm bored...)

      There's a subtle difference between an exploit that can do a lot of harm and an exploit out there that is doing a lot of harm.

      One has the potential to harm you, the other is actually harming you. Until Joe Blow experiences the latter, he's just going to discount it as someone else's problem and carry on as normal.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    6. Re:Why don't people use something else? by DickBreath · · Score: 2

      Or does anybody still think they will care what a bunch of "anarchists" have to say about the freedom to trade porn movs or mp3?

      I dare say that those in power are not going to give up their freedom to trade porn.

      Seriously.

      --

      I'll see your senator, and I'll raise you two judges.
    7. Re:Why don't people use something else? by fferreres · · Score: 2

      Mh, maybe they will make us give up our freedom, so that they can get OUR pron :) Imagine, all the FBI, CIA, whatever servers set up with keywords "lez, chloe, ..." with -20 priority ...

      Bush: "all your pron belongs to us, for GREAT JUSTICE"!

      --
      unfinished: (adj.)
  51. Guess I can't trust Windows Update by shoptroll · · Score: 1

    /me chucks Windows Update out the window...

    --
    Insert Sig Here
  52. remember when... by Anonymous Coward · · Score: 0

    microsoft announced that their public keys had been stolen?

    (i cannot remember my slashdot password.. haha)

    1. Re:remember when... by vinsci · · Score: 2
      You mean this? The quote below is from this article in The Age.
      "In the United States, certification authority VeriSign failed spectacularly in its role when, in early 2001, it accidentally issued a key pair to someone - it doesn't know who, or isn't saying - under the name "Microsoft Corporation". This allowed the mystery hacker to sign software under this name.

      Anyone installing this software was assured that the software originated from "Microsoft Corporation", which, of course, it didn't.

      The only way Microsoft could fix this blunder was to patch the operating systems of all its customers to deliberately reject anything signed with this key."

      --

      Trusted Computing FAQ | Free Dawit Isaak!
  53. FWIW: .NET may help this... by Kanagawa · · Score: 4, Informative

    I'm no M$ fan, but I deal with it at work so I make a point of figuring out how to deal with the problems. Frankly, this isn't a surprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.

    Looking forward, I recently picked up .NET Framework Security -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.

    Mobile code that runs in the .NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but it's what I want as an admin...

    Frustratingly, you can't run .NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?

    Anyway... here are some additional links to M$ references on mobile code:

    Security in .NET: Enforce Code Access Rights...
    Security in the .NET Framework

    --
    "He wrested the world's whereabouts from the heavens And locked the secret in a pocketwatch." - Dava Sobel
    1. Re:FWIW: .NET may help this... by 0x0d0a · · Score: 3, Insightful

      allow only internal ActiveX publishers

      Does anyone have any reason to allow ActiveX at all? It seems to pretty consistently be a low-benefit recipe for trouble...

    2. Re:FWIW: .NET may help this... by mkeller · · Score: 1

      .NET is a COM dll. You might be interested in
      this talk by Don Box.
      http://technetcast.ddj.com/tnc_play_stream.html?stream_id=605

    3. Re:FWIW: .NET may help this... by tshak · · Score: 2

      .NET common language runtime (read: M$ JVM)

      I hate it when people say this. Please, go pick up a book on the CLR by a "CS academic type" who hasn't worked for MS or Sun. The book I chose was "Compiling for the .NET CLR" (or something close to that). I learned a lot about the CLR, and because the author has a lot of experience with abstract stack machines (the JVM being one of them), he compared the CLR to many of them. Although there are similarities, and although the CLR was a reaction to the JVM, there really are some fundamental differences.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  54. Unfixable? by Anonymous Coward · · Score: 0

    In the bulletin, Microsoft tells you to not trust it. But windows update, where I guess you have to go to fix the problem, says to click yes to install everything signed by microsoft. so?

  55. When will they learn? by SLASHAttitude · · Score: 1

    Microsoft has been trying to make the same buggy code work for a few years now. When will they start over? I think they do a lot right, but they do need to think a little more about security and change their code. Microsoft is so big that I bet there is not one team there that knows what all is in the kernel. That is wrong! I am no programmer but I do know a few. I know they tell me they hate following someone's undocumented buggy code because they can never figure out all the problems. This has changed in the open source community because of all the peer review and support. I wonder why, with all of its vast billions, Microsoft can not come up with a better system. From now on all my systems that store stuff that is important I will just keep using *BSD and Linux.

    1. Re:When will they learn? by Anonymous Coward · · Score: 0

      Comments are for the weak. If you can't figure out what my code does without me telling you of its nature, stay the hell away from it. You'll only screw it up.

      As for Microsoft trying to make buggy code work, what of Linux?

      Just look at the history of any major distribution's errata. You'll notice the same familiar names popping up again and again. (glibc's my favorite, because it's so fscking huge. I love grabbing a new one every other week!)

      Microsoft already has an advantage. Not anyone can contribute. People say this is a bad thing. It isn't. Look at Sourceforge sometime. It's swamped with dead and sub-par projects. I don't deny that Open Source is a great learning tool, but as for quality code, Microsoft's putting a hell of a lot more out.

  56. Re:Hey great by Anonymous Coward · · Score: 0

    If you'd bothered to read the article, you'd see that the ``patch'' consists of a nonvulnerable ActiveX control. The problem is that the old control has been signed by Microsoft, so it's considered safe by default in IE. Unless you turn that off, I can create a website that uses the old control, and your browser will upload it. It would seem that either there is no fix, or Microsoft must change their signature so that all controls are void. Either way, it's another good reason to not use IE.

  57. Time to upgrade by Hasie · · Score: 2, Funny

    The solution is to upgrade to Windows XP because it doesn't have this problem. This is the best news Microsoft has had in years!

    1. Re:Time to upgrade by paulbiz · · Score: 0

      It's not that Windows XP doesn't have the problem, it's that the version of MDAC (2.7) that ships with Windows XP doesn't have the problem. You can install MDAC 2.7 on W2K or NT4 or whatever, for free (if you agree to the license, of course).

  58. Trusted by Anonymous Coward · · Score: 0

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

    Yes, I had better remove security.microsoft.com from my apt sources.list as quickly as possible.

  59. Does no one realize its a TROJAN PR MOVE by peculiarmethod · · Score: 5, Insightful

    Doesn't anyone consider this a mysteriously convenient way to encourage the masses of Windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vulnerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .NET modern OS. hmph

    or maybe I'm just nervous 'cause my coffee just accidentally cross-bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it

    pm

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    1. Re:Does no one realize its a TROJAN PR MOVE by Anonymous Coward · · Score: 0

      Or you could just upgrade to MDAC v2.7, which also isn't affected and has been out since April.

    2. Re:Does no one realize its a TROJAN PR MOVE by _bug_ · · Score: 1

      A PR move? I don't know about that. I guess it depends on how you look at it.

      To me this shows how digitally signing software and perhaps TCPA itself can fail. It shows me that perhaps a system of trust based on digital signatures won't offer the protection that some may have assumed.

      This adds doubts to the effectiveness of Palladium and it's coming from Microsoft itself.

      I don't think that would make good PR.

    3. Re:Does no one realize its a TROJAN PR MOVE by peculiarmethod · · Score: 1

      Ah, but remember that they admitted at the beginning of this year that they too have security problems and will maintain focus (vigilance!) on reporting and fixing proper holes and bugs- they've always had these procedures in place.. and it's been painfully obvious they release them only when it's a widespread problem.. _or_ when it will help their newest release in the long run.. imho

      Pego

      --
      ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    4. Re:Does no one realize its a TROJAN PR MOVE by laigle · · Score: 1

      Yeah, there have been a few security flaws of late that didn't cause problems with XP. So I guess that's one good point for me since I upgraded when my last computer blew out (almost literally, my apartment complex needs severe rewiring). Then there's spider solitaire. Then there's...

      Oh wait, that's it. Mildly increased security and spider solitaire. Well worth the cost of the OS.

    5. Re:Does no one realize its a TROJAN PR MOVE by OvertlyPedantic · · Score: 1

      Spider Solitaire? Sun had that 15 years ago! Does that mean that Microsoft is now slipping backwards in its "Innovation" and is now MORE than ten years behind everyone else?

  60. Re:Hey great by Anonymous Coward · · Score: 0

    You gotta admit, though, that it's funny as hell that MS recommends that MS be removed from the trusted list.

  61. Install MDAC 2.7 by Brazzo · · Score: 4, Informative
    Yes, there are still bugs with MDAC 2.6; install MDAC 2.7. You'll note at the bottom of the security update that MDAC 2.7 is not affected by this issue.

    Here's a URL for you, even...

    MDAC 2.7 Refresh

    Keeping Windows secure is hard, but it's easier if you install the recent components...

    1. Re:Install MDAC 2.7 by stefanb · · Score: 3, Informative
      Yes, you need to install the patch.

      However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.

      Sheesh, now /.er don't even read the blurb anymore?

    2. Re:Install MDAC 2.7 by Brazzo · · Score: 1
      I'll include a link to Microsoft's security bulletin(MS02-065), since it's obvious you didn't read it.

      MDAC 2.7 isn't affected by this problem. Since MDAC 2.7 is installed on Windows XP, that's also the reason that XP isn't affected by this bug.

      If you choose to patch instead of upgrade (stability, possible incompatibilities with MDAC 2.7 and legacy applications, though I haven't seen any yet) then yes, you're vulnerable to all the nasty things mentioned here.

      If you upgrade, you're safe from this specific problem. When MDAC 2.7 bugs are found, obviously you're vulnerable to those. Beast You Know instead of the Beast You Don't. If you upgrade, especially in a corporate environment, always test first.

      Blah, blah, blah.

      Also, learn to read the bulletin before responding to someone who knows what they're talking about, please...

      -- Braz (MCSE/Win2K)

    3. Re:Install MDAC 2.7 by stefanb · · Score: 2
      Sorry, my bad. And the "sheesh" bit was meant to be funny.

      Anyway, after reading the bulletin again more carefully, I make the following of the situation:

      • Installing MDAC 2.7 will make your server invulnerable;
      • Installing the patch will make your server invulnerable;
      • Installing the patch will make your client secure as long as you don't visit a malicious site or read a malicious email, which could restore the vulnerable version of the ActiveX control.

      I can't find information in the bulletin about the chances of having a malicious page load a vulnerable version of the ActiveX control on a system with MDAC 2.7 installed. The bulletin only states that Windows XP (due to it having 2.7) is not vulnerable.

      So I assumed that it's still possible. Is my assumption wrong? Quite possibly. I'm sure quite a number of people will check this ;-)

  62. Use separate certificates for each control? by virtcert · · Score: 5, Interesting

    According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.

    Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?

    It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...

    1. Re:Use separate certificates for each control? by zbuffered · · Score: 5, Insightful

      I say they revoke the certificate anyway, and re-issue the other controls with new certificates. Inconvenient? Yes. But it would fix the problem, and that's job #1 for them. If, as others have said, heads are rolling over this one, I think revoking the certificate is the least they could do.

      --
      Synergy is your friend
    2. Re:Use separate certificates for each control? by 91degrees · · Score: 1

      At the very least, they should revoke the cert, and recertify the rest with a new one. Perhaps this would mean that everyone would need a new version of everything else with that certificate, but that's the price they pay for taking this shortcut.

      As it stands, this makes a mockery of the whole system.

    3. Re:Use separate certificates for each control? by the+bluebrain · · Score: 1

      erm ... because it would take a veritable shitload of certificates that would have to be installed, and kept updated, on every single MS system out there?

      How about an ID-list, with a unique ID for each control, and a sporadically-synchronised list of revoked IDs? ... means that the app that did the synching would have to be robust, because if you had to void it ... :)

      --
      yes, we have no bananas
    4. Re:Use separate certificates for each control? by Animats · · Score: 2
      Agreed.

      Microsoft created this problem, when they developed a technology that allowed web sites to download "trusted" code onto customers' platforms. They should be liable for that mistake.

      Downloaded controls should run in a jail. Microsoft could make that work.

    5. Re:Use separate certificates for each control? by Anonymous Coward · · Score: 0

      That would require websites to "reauthor" their web pages using these controls. That would be bad PR for Microsoft. They claimed they would move security to #1, but this clearly shows PR is still above security. I bet profit is too.
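
    The three remedies argued over in this thread (keep trusting the publisher key, revoke that key and re-sign everything, or keep a per-control denylist) as an added toy model in C. This is an editor's example, not code from the bulletin, from Microsoft, or from any poster. The `publisher_t` and `control_t` types, the FNV-1a keyed digest standing in for an Authenticode signature, the "{CLSID-placeholder}" identifier and the policy function names are all invented for the demo and say nothing about how Authenticode or IE actually implement these checks.

```c
#include <stdint.h>
#include <stdio.h>

/* Publisher signing key. In reality an Authenticode certificate; here a
   secret only the signer knows. 'revoked' models an entry on the CA's CRL. */
typedef struct { const char *name; uint64_t secret; int revoked; } publisher_t;

/* A downloadable control: identity (CLSID + version), its code (a stand-in
   string for the DLL bytes), who signed it, and the signature over the code. */
typedef struct {
    const char *clsid, *version, *code;
    const publisher_t *signer;
    uint64_t sig;
} control_t;

#define FNV_OFFSET 14695981039346656037ULL
#define FNV_PRIME  1099511628211ULL

static uint64_t fnv1a(const char *s, uint64_t h) {
    for (; *s; s++) { h ^= (unsigned char)*s; h *= FNV_PRIME; }
    return h;
}

/* Toy keyed digest standing in for Authenticode. It is unforgeable only in
   the sense the demo needs: you cannot produce it without the secret. */
static uint64_t toy_sign(const publisher_t *p, const char *code) {
    return fnv1a(code, FNV_OFFSET ^ p->secret);
}

control_t make_control(const char *clsid, const char *version,
                       const char *code, const publisher_t *signer) {
    control_t c = { clsid, version, code, signer, 0 };
    c.sig = toy_sign(signer, code);
    return c;
}

static int signature_ok(const control_t *c) {
    return c->signer != NULL && !c->signer->revoked
        && c->sig == toy_sign(c->signer, c->code);
}

/* Policy A: "Always trust content from this publisher". Everything the key
   ever signed passes, including the build the hotfix just replaced; a hostile
   page that offers that build gets it reinstalled without a prompt. */
int policy_trust_publisher(const control_t *c) { return signature_ok(c); }

/* Policy B: valid signature AND the code is not on a client-side denylist of
   known-vulnerable builds, keyed on a hash of the bytes. A valid signature
   over the old bytes then no longer helps an attacker. */
#define MAX_DENY 8
static uint64_t denylist[MAX_DENY];
static int ndeny;

void deny_build(const control_t *c) {
    if (ndeny < MAX_DENY) denylist[ndeny++] = fnv1a(c->code, FNV_OFFSET);
}

int policy_denylist(const control_t *c) {
    uint64_t h = fnv1a(c->code, FNV_OFFSET);
    for (int i = 0; i < ndeny; i++)
        if (denylist[i] == h) return 0;      /* known-bad bytes: refuse */
    return signature_ok(c);
}

/* Policy C: revoke the shared key. Every control it signed, fixed or broken,
   stops installing until re-signed; that is the cost the thread argues over. */
void revoke_publisher(publisher_t *p) { p->revoked = 1; }

int main(void) {
    publisher_t ms = { "Microsoft Corporation", 0x5eedULL, 0 };
    control_t old = make_control("{CLSID-placeholder}", "2.6", "vulnerable-build", &ms);
    control_t fix = make_control("{CLSID-placeholder}", "2.6-hotfix", "fixed-build", &ms);

    printf("trust-publisher: old=%d fixed=%d  (old build still loads)\n",
           policy_trust_publisher(&old), policy_trust_publisher(&fix));
    deny_build(&old);
    printf("denylist:        old=%d fixed=%d\n",
           policy_denylist(&old), policy_denylist(&fix));
    revoke_publisher(&ms);
    printf("revoked key:     old=%d fixed=%d  (both dead until re-signed)\n",
           policy_trust_publisher(&old), policy_trust_publisher(&fix));
    return 0;
}
```

    The point the model makes: a signature proves who produced the bytes, not that the bytes are safe today, so "trusted publisher" alone cannot stop a signed downgrade. Policy B gets the effect virtcert wants from per-control certificates without issuing one certificate per control, because the denylist is keyed on the build rather than on the key; Policy C works too but, as 91degrees and zbuffered note, takes every other control signed with that key down with it until it is re-signed.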

  63. resistance is futile by Anonymous Coward · · Score: 0

    *inserting vulnerable forced activex code here*
    *execute WMP, forced to update to DRM*
    *blinding laser from BillBorg "from this time forward, you will service us."*

  64. Wait A Minute.... by Tsali · · Score: 2

    I thought we were all critical Microsoft 'holes.

    Oh.... I misread it....

    J.

    --
    This space for rent.
  65. Want some cheese with that whine? by tiltowait · · Score: 1, Troll

    Because without passive-aggressive complaining about Microsoft we'd have nothing to talk about. The whole approach that Slashdot takes with Microsoft is not helping the common cause.

    Like the story about X-Box mods being banned. Blizzard does the same thing with Diablo and Warcraft hackers as it is a very good idea, so no need to heap on the accusatory tone.

    This reminds me of two things: the criticism of Dilbert that it makes workers more content to whine than change the system, and the lament by CmdrTaco about childish anti-Microsoft tactics, framed nicely against the Slashdot topic icon for Microsoft.

    1. Re:Want some cheese with that whine? by JWW · · Score: 3, Insightful

      I've read that critique of Dilbert before and it is utter crap.

      I've also read "The Dilbert Principle" by Scott Adams as well. It is an insightful and honest book about business.

      What the author criticizing Dilbert does is say that by stating and exaggerating some of the bad things business does, he is condoning them. What a load of crap.

      As for Microsoft, there are actions that they have taken that I do not like. But I have to use Microsoft products at work and have to know a lot about them. It doesn't mean that I can't also totally disagree with their licensing schemes. And while it may not seem like a big deal to you, my decision at work is whether to let users run Active X controls or not. There are big implications here, this story is absolutely not trivial and Microsoft made a major screw up in allowing this security hole to exist in this particular product in the first place.

    2. Re:Want some cheese with that whine? by lordaych · · Score: 1

      Of course this is terribly off-topic, but you've completely missed the point. Entirely. The point is not that "by making fun of corporate culture, Scott Adams embraces it." Rather, the point is, "Scott Adams entrenches himself deeply in corporate culture and has commercialized every aspect of his creative existence, by making fun of the very environment in which he thrives." Duh. Think.

    3. Re:Want some cheese with that whine? by Tony-A · · Score: 2

      "Scott Adams entrenches himself deeply in corporate culture and has commercialized every aspect of his creative existence, by making fun of the very environment in which he thrives."
      Nice bit of irony. More power to him.
      It would be a bit hard for him to make fun of the corporate culture if he were *not* deeply entrenched in it.

  66. A bit of fuzzy logic by leoboiko · · Score: 4, Funny

    So Microsoft says to not trust them. Ok, I will not trust. But then I don't believe in this request. So I should trust MS. Ok, I'll trust'em. But then the request is true, and I should not trust...

    --
    Prescriptive grammar:linguistics :: alchemy:chemistry. Stop being a nazi and learn some science.
    1. Re:A bit of fuzzy logic by paulbiz · · Score: 0

      I thought "fuzzy logic" was an AI term dealing with presence of uncertainty in complex sets (or something). Seems to me you are talking about a paradox...

    2. Re:A bit of fuzzy logic by leoboiko · · Score: 1

      Fuzzy logic is the theory that statements aren't always 100% true or 100% false - they can have an infinite continuous range of values between 0 and 100. You are talking about fuzzy sets, an interesting field of fuzzy theory that deals with sets where elements can belong partially to a group (for example, I belong to the "fuzzy theory students" group more than you, and you more than my mom).

      "Don't trust me" is a paradox in traditional logic, but it is a common example of fuzzy statement. It is a 50% true statement, so that it is the same as its opposite.

      --
      Prescriptive grammar:linguistics :: alchemy:chemistry. Stop being a nazi and learn some science.
    3. Re:A bit of fuzzy logic by jemoody · · Score: 1

      The solution is to ask them "Which road leads to Redmond?"

  67. A mountain of sloppy code? by Futurepower(R) · · Score: 4, Informative


    While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.

    Windows XP Shows the Direction Microsoft is Going.

  68. MS buffer overrun theory by bfrog · · Score: 4, Interesting

    Here's a theory I've long held regarding the excessive number of buffer overrun security holes in MS software:

    The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.

    What do you think?

    1. Re:MS buffer overrun theory by ChaosDiscord · · Score: 4, Informative
      The lack of an snprintf method in the DevStudio standard C lib...
      From my time as a Windows developer, I have a lot of grudges against Microsoft. (I've even publicly aired some of them.) But I can't complain about lack of a snprintf. It's right here, and has been for at least five years. If an obvious function appears to be missing, look for a version prefixed with an underscore. (Of course, it seems stupid to me that it's prefixed with an underscore, instead of conforming to other systems, but that's a different issue.)
    2. Re:MS buffer overrun theory by RupW · · Score: 1

      The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.

      It's called _snprintf.

      I presume they adopted it before ANSI did, hence the underscore prefix.

    3. Re:MS buffer overrun theory by Bert+Peers · · Score: 1

      It needs to be prefixed by an underscore because those are the only names in the global namespace that are reserved for the implementor ? I'd rather they conform to C++ than to "other systems" :\

    4. Re:MS buffer overrun theory by Anonymous Coward · · Score: 0

      I think that you roll it yourself, what's the BFD?

    5. Re:MS buffer overrun theory by J.+Random+Software · · Score: 2

      Yeah, ISO/ANSI didn't define it until C99. (In C++ you should have been using stringstreams anyway.)
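
    Since this sub-thread turns on sprintf versus _snprintf, here is an added example in C (editor's code, not from any poster) showing the unbounded call beside a bounded wrapper that absorbs the difference between MSVC's _snprintf and C99 snprintf. The function names are mine. The caveat a practitioner wants: C99 snprintf always NUL-terminates and returns the length the output would have had, while MSVC's _snprintf returns a negative value on truncation and does not terminate the buffer when the output fills it exactly, so an unchecked _snprintf can still leave an unterminated string behind.

```c
#include <stdio.h>
#include <string.h>

/* The pattern the post worries about: sprintf into a fixed-size buffer. With
   an attacker-controlled 'user' longer than the buffer allows, this writes past
   the end of 'buf'. Kept only to show the shape; never called with long input. */
void greet_unbounded(char *buf, const char *user) {
    sprintf(buf, "Hello, %s!", user);
}

/* Bounded version. Returns 1 if the whole string fit, 0 if it was truncated;
   in both cases 'buf' is NUL-terminated on return. Treats "filled exactly with
   no room for the terminator" as truncation, which is what _snprintf's
   return value forces anyway. */
int greet_bounded(char *buf, size_t bufsz, const char *user) {
    int n;
    if (bufsz == 0) return 0;
#ifdef _MSC_VER
    n = _snprintf(buf, bufsz, "Hello, %s!", user);
    buf[bufsz - 1] = '\0';          /* _snprintf may leave it unterminated */
#else
    n = snprintf(buf, bufsz, "Hello, %s!", user);
#endif
    return n >= 0 && (size_t)n < bufsz;
}

/* Number of bytes the unbounded version would write for this input, not
   counting the terminator, computed with the C99 "measure only" idiom. */
size_t would_write(const char *user) {
    int n = snprintf(NULL, 0, "Hello, %s!", user);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if greet_unbounded would overflow a buffer of 'bufsz' bytes. */
int overflows(size_t bufsz, const char *user) {
    return would_write(user) + 1 > bufsz;   /* +1 for the NUL */
}

int main(void) {
    char buf[16];
    const char *inputs[] = { "bob", "12345678", "averyveryverylongusername" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int fit = greet_bounded(buf, sizeof buf, inputs[i]);
        printf("%-26s needs %2zu bytes: bounded %-9s -> \"%s\"; sprintf would %s\n",
               inputs[i], would_write(inputs[i]) + 1, fit ? "fit" : "truncated",
               buf, overflows(sizeof buf, inputs[i]) ? "overflow" : "be fine");
    }
    return 0;
}
```

    The "12345678" case is the one people get wrong: the formatted text is exactly 16 characters, so it needs 17 bytes with the terminator, and a 16-byte buffer is one byte short whichever library you use.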

  69. While it's fun to pile on his Majesty Satanic... by smittyoneeach · · Score: 5, Insightful

    I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
    Security and utility are two contestants in a zero-sum game.
    Which is not to say that <insert browser here> isn't a technically superior product...

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  70. Feeding this to port 25... by KjetilK · · Score: 5, Insightful
    Oh well....

    From MS02-065:

    After emptying the Trusted Publishers list, if I do see a warning saying that a web site or an HTML mail wants to download a control, how can I decide whether to let it proceed?

    The best criterion to use is whether you trust the web site or the sender of the HTML mail. If you don't trust the web site offering the control, cancel the download.

    So, who want to bet that the e-mails we will soon see circulating will have something like:

    From: billg@microsoft.com
    Subject: You can safely trust me

    <html><body> Please read this e-mail carefully and make sure you download the provided control.

    Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...

    Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
    1. Re:Feeding this to port 25... by RyoSaeba · · Score: 1

      The trouble is that, at some point, you HAVE to trust somebody, or something....
      Would you trust /.'s site with an ActiveX control if it was certified? Or simply ignore it?
      Even easier: you probably install software (either executables or sources you compile) regularly, no? How do you know you can trust the program? Did you check the sources to make sure there is no trojan hidden?
      (hint: recent libcap troubles, anyone ?)
      Bottom line is, at some point you just have to trust blindly..... or simply stop using computers !

      --
      Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
    2. Re:Feeding this to port 25... by Tony-A · · Score: 2

      Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster.

      I've got something for you. I won't tell you what it is, but you know me. Trust me.

      Methinks the first thing I've got to know is *what* it is that I'm supposed to be trusting.

  71. Not true... by Ford+Fulkerson · · Score: 3, Insightful

    ...you could run it on Solaris too.

    --

    Somewhere in the heavens... they are waiting.
    1. Re:Not true... by kalidasa · · Score: 1, Offtopic

      ...you could run it on Solaris too.

      What, does the Solaris Ocean do something to prevent MS operating systems from sucking? Man, that's wild.

      (Gratuitous Lem joke)

  72. Migrate away by Anonymous Coward · · Score: 2, Interesting

    I don't know if I'm karma whoring, but this last security hole gives me the creeps. In all honesty, I kinda ignored them up until now -- I don't know why, but I think it was because "they" could not delete my data (nothing scares me more than losing my documents (read: not "My Documents")). This security hole that allows people to "format my hard disk" (quote from the original /. article that I cannot be bothered to find) has me burning My Documents to CD-RW which I'm going to (finally) migrate to my Linux laptop which I previously used only for programming.

    I know we've seen a million security problems from MS before, but this one (for me at least) is the last straw.

  73. Comic Shop guy: by LinuxHam · · Score: 2

    best... article... ever

    --
    Intelligent Life on Earth
  74. Well, DUH... by Anonymous Coward · · Score: 0

    Microsoft was never on my list of trusted publishers!

    (Actually, that list would have 0 entries, thankyouverymuch...)

  75. What if... by mirko · · Score: 1

    What if I deactivate ActiveX controls to avoid this one to be operated ?

    --
    Trolling using another account since 2005.
  76. Isn't that what we all want? by zenofjazz · · Score: 1

    Microsoft has just said "Don't Trust Signed Code from Microsoft".. what about all those poor saps who clicked "Always trust code from Microsoft"?

    --
    -- All That's Evil in the Geek Space ... Allthatsevil.wordpress.com
  77. nothing gnu by Anonymous Coward · · Score: 0

    it's ?easy to see? why the billybuks weNT up 2 buks at the opening tick. or is it? does the payper liesense FraUD eXtend to the pourtolls of wall street of deceit?

    will J.'s impending knowledge that the evile m$bugwear is worthless, cause fuddles to have to manipulate the "news"/markups, even more? then, will J. BUY into the same old billonlyUS scams? i DOWt it.

    looks LIEk fud is dead/on the run. long live the hobbyist whiner dogooders.

  78. Another Microsoft Security Bulletin ! by Anonymous Coward · · Score: 1, Funny

    Microsoft Security Bulletin MS-666: it is recommended that you remove microsoft windows in order to prevent the above mentioned vulnerability from accessing your server. there is no security hotfix available at this time.

    1. Re:Another Microsoft Security Bulletin ! by Tuqui · · Score: 1

      There is a security fix online now at www.linux.org

  79. Ahead of the curve on that. by Anonymous Coward · · Score: 0

    I must finally be way ahead of the curve on not trusting M$ as I have not trusted them since the beta release of WinNT 3.51 and the first release of Visual C++. I went completely over to UNIX at that point and eventually included FreeBSD, and now Linux because of Billy's lame-assed products. Any M$ box I have is company provided and is used strictly for email, not productivity or development.

  80. Re:Hey great by agallagh42 · · Score: 1

    This isn't nearly as bad as the poster is trying to make it look. Microsoft is not by default in the list of "Trusted Publishers". The default configuration is that no one is trusted, and a dialog box pops up to warn that something is being installed.

    These kinds of dialogs pop up all the time when surfing questionable sites (warez, cracks, pr0n, etc.) and most users know to click No on these. Just because it says "Signed by Microsoft" on the pop up at the cracks site, are you going to go ahead and click Yes? I sure wouldn't...

    --
    Carpe Cerevisi - Seize the Beer
  81. Preaching to the Choir by DeadSea · · Score: 3, Insightful
    I have seen several posts in the last few days questioning why the Slashdot editors are posting a particular story. The complaint usually runs along the lines, "Everybody on slashdot already knows this, post it somewhere that will do some good."

    The folks that are out there converting people to free software are the people that read slashdot. Keeping the slashdot crowd informed of the latest security holes in Windows, Microsoft's most recent snafu, and the best new open source project allows Slashdot readers to spread the word more effectively. New information and new arguments are key.

    1. Re:Preaching to the Choir by walt-sjc · · Score: 2

      While this may be a new vulnerability, lack of security in Windows is not a new argument.

      Frankly, the only thing that is going to wake people up is a continual barrage of REALLY nasty viruses / worms that wipe out their entire system (or at least all their important files.)

      Then again, there are people SO loyal to MS that they won't leave a burning house.

  82. And while where at it... by Theodore+Logan · · Score: 4, Informative

    Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes talked about at too many places. Why I don't know. They are certainly vicious.

    However, I am getting a little tired of all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?

    --

    "If you think education is expensive, try ignorance" - Derek Bok

    1. Re:And while where at it... by Anonymous Coward · · Score: 0

      "do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?"

      Yes.

    2. Re:And while where at it... by GigsVT · · Score: 1

      no matter how insignificant, is made public?

      Arbitrary remote code execution that affects every Windows computer is a big deal.

      That can really never happen to anything like Linux or BSD, unless there was a remote kernel exploit that allowed arbitrary code execution, and as far as I know there has never been one in any open source OS, save for some unconfirmed rumors.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:And while where at it... by nolife · · Score: 1

      Considering this article already has over 260 comments and it's only been up less than 2 hours I would say there is some type of positive response from it (positive meaning total responses, maybe not useful responses). You have the option to edit your user preferences and deselect articles from MS from showing up. I've done this in the past for certain things before.

      --
      Bad boys rape our young girls but Violet gives willingly.
    4. Re:And while where at it... by ottffssent · · Score: 2

      You're sick and tired of Microsoft stories? Well, quit bitching about it and make them go away. Click the little box on Your Preferences page and shut up.

    5. Re:And while where at it... by Theodore+Logan · · Score: 2

      There's a difference between saying all are unnecessary and that there's too many of them. I think some are good, but not all. Do you know how to uncheck only the bad ones? If not, I suggest you shut up.

      Also, there's no reason to be rude. Especially not when you're wrong.

      --

      "If you think education is expensive, try ignorance" - Derek Bok

    6. Re:And while where at it... by mangu · · Score: 2
      I think some are good, but not all. Do you know how to uncheck only the bad ones?

      No, nobody knows that. So, the only way is to publish all of them, and let the readers decide. And why so many stories about M$ security problems and bugs? Maybe because there is so much to write about? AFAIK, every single OpenBSD security exploit is also mentioned in /. Do you think there are too many stories about OpenBSD exploits?

    7. Re:And while where at it... by Anonymous Coward · · Score: 0

      Well obviously the article and its posting on this board did not do any good after all. This does not affect EVERY windows computer. Far from it. So all this article posting has done is once again fan the flames of anti-ms FUD that has become the most important part of /. Almost eclipsing anything else.

    8. Re:And while where at it... by 1010011010 · · Score: 2

      Yes. There are a *lot* of MSFT systems out there, and the more people who know about the problems, and the fixes, the better.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    9. Re:And while where at it... by Tyreth · · Score: 2

      When it generates 600+ comments every time, I'd say there's enough interest in seeing it :)

    10. Re:And while where at it... by GigsVT · · Score: 1

      This does not affect EVERY windows computer.

      Last I checked, every Windows computer runs IE. All the time. Can't unload it.

      That sounds a lot like "every Windows computer" to me.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  83. Re:He's right about the fonts by CowboyMeal · · Score: 1

    Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy?

    BSD?

    --
    Your credit card information wants to be free.
  84. I don't understand... by awptic · · Score: 4, Interesting

    If this doesn't affect XP, why can't Microsoft just issue a patch that installs the Windows XP components which aren't vulnerable? And also... why the hell isn't XP vulnerable? maybe they knew about this for a long time...

    1. Re:I don't understand... by paulbiz · · Score: 0

      XP isn't "safe" and the pre-XP MS OS's are not "vulnerable". MDAC 2.7 which ships with XP is safe, older versions (which shipped with older MS OS's) are not. You have been able to download and install MDAC 2.7 onto the older MS OS of your choice for quite some time already now (a year+?). The patch is for people who, for whatever reason, cannot use (or are not using) the current version of MDAC.

      You can download all the various MDAC versions at MS's site.

      In other words, RTFA :)

    2. Re:I don't understand... by Anonymous Coward · · Score: 0

      Money.

      Win98 has a nice little bug where if you have a DVD drive and auto-insert notification, the system will randomly reboot when you insert a new CD. A patch for this is available (a 40k replacement file iirc), but only if you pay for the support.

      WinME, not surprisingly, doesn't have this bug.

    3. Re:I don't understand... by Fizzlewhiff · · Score: 4, Insightful

      XP isn't vulnerable because XP uses a newer MDAC and you can't install an older MDAC on XP. Non XP users can download the newer MDAC and I'll refer you to the rest of the thread for the issues with that. I seriously doubt this is a conspiracy. If you are looking for conspiracies, try looking at why trojans occasionally slip into OSS releases.

      --

      'Same speed C but faster'
  85. If I were Microsoft by teamhasnoi · · Score: 2
    I would *gasp* follow Apple's lead. Give up on windows. Start from scratch, with a new operating system that is well documented and code reviewed. Run windows virtually, just like Classic. Phase it out slowly. No backwards compatibility.

    I've actually thought that MS would buy out Connectix just as a bargaining chip against Jobs (apple).

    OT - Why would Connectix *not* make a Virtual PC for Linux? Do they have a deal with MS? It seems to me that they could rake in the dough, hand over fist.

    Virtual PC is great for 'trying out' untrusted software. It's too bad that Windows itself now fits that category. Run with it Bill!

  86. Oooo! He card read good! by Codex+The+Sloth · · Score: 2

    Since probably a million people submitted this, maybe we could pick the post that actually doesn't read like an entry from the Yoda diaries?

    brain hurt make!

    Apologies if the poster suffers from dysphasia.

    --
    I am not a number! I am a man! And don't you ... oh wait, I'm #93427. Ha ha! In your face #93428!
    1. Re:Oooo! He card read good! by gl4ss · · Score: 5, Funny

      beowulf cluster of yoda there are.

      karmasuicide2k2

      --
      world was created 5 seconds before this post as it is.
  87. why remove *ALL* certificates? by oktaya · · Score: 5, Insightful

    "The simplest way is to make sure you have no trusted publishers, including Microsoft."

    So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?

    It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?

    Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem affects all publishers? Or are they simply admitting that this signed certificate thing isn't working?

    Oh, if we can't run anything we want on your system, nobody else should either. pfft.

    oktay

    --
    ---------------
    Founder of the Free Linux CD Project
  88. ATTN: Slashdot Editors by Jucius+Maximus · · Score: 4, Funny

    Hello, today when browsing the site, I found an error (probably typographical) on the site. I would appreciate it if you could correct this: The story "Another Critical Microsoft Hole" should be reposted under the "It's Funny. Laugh." category. Thank you for your time.

  89. And in the future by Anonymous Coward · · Score: 1, Informative

    when you are prompted to accept a certificate from Microsoft, make sure you don't have a check in the box "always trust content from Microsoft".

  90. how trustworthy by kraksmoka · · Score: 1
    at least we can trust them when they tell us to not trust them, right?

    ahh yes, another flaw in the ointment that every day users will never hear about, bring on tcpa, then you can wipe machines even easier.

    as shitty as Palladium would be, do you even think it will be programmed??? M$ is starting to look like IBM of days gone by.

    bring on the blackcomb warp server.

    --
    "You never want a serious crisis to go to waste." - Rahm Emanuel
  91. Who gives a shit? by Anonymous Coward · · Score: 0

    Honestly, folks: M$ is buggy closed source in wide usage - making it somewhat of a security risk. OSS is buggy open source with less risk.

    M$ IE has backdoors, the sky is blue and water is wet. Picking at it won't make you look so much cooler. Trust me.

  92. Great googoomoogoo! by Valen+Faerlwynd · · Score: 0, Troll

    I sure am glad I use linux.
    I kinda feel sorry for the uninitiated masses who will never find out about all this till some malicious person reformats their hard drive from half-way around the world.

    Wow, I could say something on Microsoft's shoddy workmanship or their testing and debugging strategies, but I think the best have already been said. It's almost as if they aren't even trying anymore. *sigh*

    Love and Peace,
    Valen

    --
    "The best compliment a girl ever gave me was 'Your hair smells nice.' I hate being the platonic friend." -Valen
    1. Re:Great googoomoogoo! by RyoSaeba · · Score: 1

      It's not because you don't use Windows that you're totally secure...
      Just think of all recent security nice things: OpenSSL vulnerability, the libcap thingy, all those root exploits, and so on.
      Ok it's easy to trash MS, but security holes can appear anywhere.

      --
      Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
    2. Re:Great googoomoogoo! by Anonymous Coward · · Score: 0

      Security holes "appear" when they are discovered. If there are holes, they already exist in the software. :)

  93. Re:Hey great by macdaddy357 · · Score: 1

    I've got a tool to fill in holes. Is Microsoft hiring?

    --
    How ya like dat?
  94. I would really by a7244270 · · Score: 1

    really, really, hate to be the poor sap who is lead of IE software development. I mean talk about bad publicity - IE has really taken a beating of late, and I am willing to bet that probably none of it was stuff he was responsible for.

    He was probably told "go make activeX on the browser tie in seamlessly with our applications", did what they asked, and boom, all these vulnerabilities.

    As far as I know, Microsoft doesn't have a policy of hiring bad programmers - in fact there are many web pages out there discussing Microsoft interview questions and how tough they are.

    For some reason these stories seem extremely popular on slashdot, because it seems that everyone here hates microsoft.

    For years Microsoft has ignored consumers/bug reports, customer service, etc. because they were invulnerable. Unfortunately, what goes around comes around.

    Let's not go overboard on this stuff, lest the same thing happen to us - remember - open source does NOT mean bug free.

  95. Better fix by Java+Pimp · · Score: 2

    1. Open Control Panel.
    2. Select Add/Remove programs.
    3. Select Microsoft Internet Explorer.
    4. Select Add/Remove...
    5. Download Mozilla.
    6. Run the mozilla installer.

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
    1. Re:Better fix by CptNoSkill · · Score: 1

      I'll play along... Let's say I delete IE... now I have no web browser, how am I going to download Mozilla? Windows doesn't come with an FTP client, so in most cases, people might not have one.....

    2. Re:Better fix by murgee · · Score: 2, Informative

      Well, actually it does... Start->Run->cmd->ftp ftp.mozilla.org :)

      It sucks, though, but you didn't say anything about the FTP client needing to be good..

      --
      mrg
    3. Re:Better fix by Cee · · Score: 1

      Well, last time I checked, there was an ftp client included in Windows (I don't think it's related to IE). Try "ftp" from the command line.

    4. Re:Better fix by Anonymous Coward · · Score: 0

      Yes, it does.

      Open your command prompt and type "ftp ftp.mozilla.org"

    5. Re:Better fix by Royster · · Score: 2

      Get a command line, type (this is the hard part, I'm sure you've forgotten how to type a command) ftp ftp.mozilla.org and press the big enter key.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    6. Re:Better fix by Lizard_King · · Score: 2

      [yaaaawn] The 'ole hackneyed "Fix windows by installing (insert your favorite oss tool here)" gripe.

      Come on... It shows *some* integrity for a company with historic ethical issues to come out with a recommendation such as they have (remove MS from trusted partners). Either grow up or try and come up with something original for once.

      This type of shit is exactly why I think the "News for Nerds" slogan is misused. This isn't news for nerds, this isn't educated discussion, this is a bunch of babies cracking the same boring jokes and bitching about how *everything* sucks.

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
    7. Re:Better fix by Java+Pimp · · Score: 2

      Nice come back. "Grow up." You obviously don't get it.

      It was supposed to be a facetious attempt at sarcasm directed at this discussion group. I was debating on whether or not to put 7. ??? 8. Profit! but I thought that was enough for most to get the joke.

      BTW, I haven't had any rogue ActiveX controls even attempt to infect my system since I started running Mozilla.

      Yes, Micro$oft has some real issues, and yes it's still fun to laugh at them. Get over it.

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    8. Re:Better fix by derF024 · · Score: 2

      I'll play along... Let's say I delete IE... now I have no web browser, how am I going to downlad Mozilla?

      actually, you can't uninstall IE (unless you use some 3rd party app like win98 lite), you can only remove the shortcuts to it and remove it from the "default browser" list. when MS said that IE was part of the OS, they weren't joking. all you need to do is pop open a windows explorer window after "uninstalling" IE, type http://www.mozilla.org/ in the address bar and you're back in an IE window.

    9. Re:Better fix by Lizard_King · · Score: 2

      I understand the joke. The problem is that it's just not funny anymore... (although it used to be three years ago)

      I haven't had any rogue ActiveX controls even attempt to infect my system since I started running Mozilla
      yeah, me neither.

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
    10. Re:Better fix by Tony-A · · Score: 2

      Well, last time I checked, there was a ftp client included in Windows
      Still is.
      XP Professional
      C:\WINDOWS\SYSTEM32\FTP.EXE
      Copyright (c) 1983 The Regents of the University of California.
      All rights reserved.

    11. Re:Better fix by Anonymous Coward · · Score: 0

      BTW, I haven't had any rogue ActiveX controls even attempt to infect my system since I started running Mozilla.

      Whatever.

      Mozilla will download and install "XUL Components", which are conceptually identical to ActiveX controls, except there's no signature-check.

      If IE is insecure by design, Mozilla is moreso.

  96. I have a question... by Anonymous Coward · · Score: 0

    what can ActiveX do that JAVA can't, besides being tied down to the windows platform?

  97. Because it is Technology News by Anonymous Coward · · Score: 0

    'nuff said

  98. Don't blame Microsoft... by Neutron+Zenith · · Score: 2, Funny

    It's all Eolas' fault :)

  99. If not Microsoft... by CaptCanuk · · Score: 1

    If you can't trust Microsoft, then who can you trust?

    I bet that they'll have to update their Windows Update page Knowledge Base Article to reflect their new Trust issues.

    --
    ---- The geek shall inherit the Earth.
  100. For all your security info... by Anonymous Coward · · Score: 0

    If it's a bug in MS code....

    I would NOT go to
    1. www.symantec.com
    2. www.cert.org
    3. itsecurity.com
    not even www.microsoft.com

    Coz slashdot.org has become the leading provider of MS windows security info.

    thx guyz ... u are doing Bill and company big favors.

  101. Re:Hey great by soapvox · · Score: 1

    In my office it is just recommended that Microsoft is removed.

  102. Windows Update Slashdotted? by jlanthripp · · Score: 1
    Having just clicked Start|Windows Update on my only Windows box, which opens http://v4.windowsupdate.microsoft.com/en/default.asp, I get:

    Service Unavailable.

    Interesting indeed. Did Windows Update get Slashdotted?

    --
    "Alcohol, Tobacco, & Firearms" should be a convenience store, not a government agency.
  103. You can download a patch here by shodson · · Score: 2, Funny
  104. HAHAHHAHA by wrax · · Score: 1

    hahahahahahahahh this is so funny. "Microsoft's solution is to remove Microsoft from the list of trusted vendors on your system." HAHAHAHAHAH

  105. More design flaws by SgtChaireBourne · · Score: 5, Insightful
    Actually, the bias seems to be pro-Microsoft. If any other project had the same severity and quantity of compromises as MSIE, it would be history.

    What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock-in.

    Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:More design flaws by TrancePhreak · · Score: 0

      There is the fact that some internet sites require IE, which makes it required for some.

      --

      -]Phreak Out[-
    2. Re:More design flaws by tshak · · Score: 2

      I love Opera. I'm testing Opera 7 B1. It's very promising. It's small, fast, and IMHO better than Mozilla. However, although its features beat out IE, its rendering doesn't. I'm hoping the final release of Opera7 can allow me to use it full time, but it's just not there yet.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    3. Re:More design flaws by Mr_Silver · · Score: 2, Troll
      Microsoft is falling further behind in technology every month.

      Can I have a credible source for this? I'm interested to read it.

      Rather than trying to catch up, they've been trying to hold everyone else back.

      And one for this too?

      It's time for them to get out of the way and stop hindering economic growth in the IT sector.

      Oh go on, give us one for this too whilst you're at it.

      Or is this just plain and pure FUD?

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    4. Re:More design flaws by Anonymous Coward · · Score: 0

      Well if it is, it doesn't make you look any more intelligent by quoting his little unprovable bits and saying 'please sir, can I have some more?'

      To an extent though, the parent has a point. I don't see you disputing their claim that, given all the mistakes MS has made, they should be dead and buried long ago. Why do people put up with this crap? Products that have security issues so enormous that now MS is telling us to trust no one, after they've made it their business model for others to trust them (see .net).

      They are hindering economic growth, just look at their admitted profit margins on Office/Windows. They enjoy a comfortable monopoly, only making money on their monopoly products and losing it everywhere else. Were there competition, the end result would mean lower prices for consumers, not a Microsoft Tax (the OS and Office) that can represent up to 1/3 of a computer's cost, or more if the poor sap buys retail and not OEM.

      So, yea, congratulations, you've made yourself look like a bumbling idiot for picking only the parts of the post you disliked and putting them on the chopping block, while ignoring the point. For everyone joining us, here is the point again:

      MS is a Bad Thing(tm)

      These are not the words of a zealot, these are the words of someone who's tired of this idiotic need on /. to defend MS to death, just because there is apparent 'bias' against them.

    5. Re:More design flaws by SirSlud · · Score: 2

      Just as there are folks out there who will defend telemarketers, for the simple reason that most people dislike them and they feel compelled to defend them as individuals.

      When people rail against telemarketing, they're railing against telemarketing (although people will often personify and channel their angst towards the industry using the person that last called them, of course.) Similarly, when people diss MS, they're dissing what MS has made, not the people within MS. I.e., you don't have to believe the pope is flawed to believe that christianity is flawed.

      But why people jump in for MS is beyond me. With their kind of money and legal might, they have absolutely no need for anybody to defend them in the court of public opinion. I always wonder why folks waste their breath .. regardless of whether or not they have a legitimate point.

      --
      "Old man yells at systemd"
    6. Re:More design flaws by Mr_Silver · · Score: 3, Informative
      Well if it is, it doesn't make you look any more intelligent by quoting his little unprovable bits and saying 'please sir, can I have some more?'

      Actually I asked if I could see some facts to back up his assertions. It's all very well saying MS is dragging the industry behind, but unless you've got credible sources then it's pure speculation. Give me facts, good solid facts.

      So, yea, congratulations, you've made yourself look like a bumbling idiot for picking only the parts of the post you disliked and putting them on the chopping block, while ignoring the point.

      Go read his post again. I quoted EVERYTHING. That was the ENTIRE post. I didn't dislike the post, I just wanted some facts.

      I don't dispute that MS is a bad thing - but when people start making claims that they drag the industry back then they need to quote some sources otherwise people will just bash it as mindless FUD.

      If you can cite a source that backs up your comments, you'll find people are very ready to believe you more. It's all very well screaming "MS is eeeeeevil" till you're blue in the face - but it doesn't exactly help change people's minds.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
  106. That's really lame of MS by Tenebrious1 · · Score: 2

    Interesting- seems like they're telling you to remove all certificates, not just those from Microsoft.

    --
    -- If god wanted me to have a sig, he'd have given me a sense of humor.
  107. So What's The Real Answer? by airrage · · Score: 2

    I don't think the question revolves around whether open-source or closed-source is better or worse. Honestly, they both have their pros and cons. As for this issue, ActiveX Controls were a good way (way back when) to get a rich feature set onto a web-browser. But eventually it was realized you needed some security around this, so they started to digitally sign them, now it seems this might have a hiccup in this logic as well. So what's the real answer? How do I get a rich feature set to the web without running anything local (the most secure way)? When you really start to understand the challenge you understand how difficult the problem is. Think about it: people who don't download ActiveX controls also are the same people who download MODs to their favorite games and those dlls don't have to play in a small sandbox! I think people are accustomed to lots of snazzle with their web pages and we, as technical folks, should find a way to do that securely. Good luck.

    --
    "This isn't a study in computer science, its a study in human behavior"
    1. Re:So What's The Real Answer? by jlanthripp · · Score: 3, Insightful
      How do I get a rich feature set to the web without running anything local (the most secure way)?

      Depending on how you define "rich feature set" I would suggest PHP or perl or some other server-parsed scripting language. PHP in particular, when combined with MySQL, makes a *great* web development combination. Java code can be fairly secure to run, but it's run locally.

      --
      "Alcohol, Tobacco, & Firearms" should be a convenience store, not a government agency.
  108. Your answer... by 13Echo · · Score: 3, Funny
    Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

    Yes.
  109. duh! by zloppy303 · · Score: 1

    Don't trust/run ActiveX controls signed by Microsoft.

    recommends that you remove MS from the list of Trusted Publishers.

    ... been there, done that, got the t-shirt! :)

    --
    Beware of Programmers who carry screwdrivers. -- Leonard Brandwein
  110. Another hole? by someguy42 · · Score: 1

    I removed MS from my list of trusted publishers a long, long time ago. (Translation: I switched to Linux a long, long time ago.)

    --
    The probability that someone is watching you is directly proportional to the stupidity of your actions.
  111. Wasn't this just a poll option? by SamTheButcher · · Score: 1

    Oops, that one was "Favorite Past Slashdot Headline", not "Funniest Slashdot Headline".

  112. I realize most /.ers use IE, but... by autopr0n · · Score: 5, Interesting

    Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.

    --
    autopr0n is like, down and stuff.
    1. Re:I realize most /.ers use IE, but... by Dog+and+Pony · · Score: 2, Offtopic

      Because Opera is not evil, just Norwegian? ;-)

      I just noticed that Opera 7 is out in a Beta. I think I'll go give it a spin right away...

    2. Re:I realize most /.ers use IE, but... by LtOcelot · · Score: 1

      Reread your title, drop the "but", and you'll get it. (With respect to this particular story, at least.)

    3. Re:I realize most /.ers use IE, but... by Skiboo · · Score: 1

      Out of curiosity, what was the security hole?

    4. Re:I realize most /.ers use IE, but... by workindev · · Score: 1

      What about all of the Open Source exploits? They outnumber Microsoft exploits now.

    5. Re:I realize most /.ers use IE, but... by damiam · · Score: 1

      96% of people use IE. Something like 0.5% of people use Opera. Those numbers may be different among Slashdotters, but an IE exploit is still far more significant than an Opera one.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  113. Don't trust Linux either... by Cpt_Corelli · · Score: 4, Interesting

    Aberdeen Research Group has this to say about open source and Linux security:

    Open Source and Linux: 2002 Poster Children for Security Problems

    November 12, 2002
    Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.

    Read more here

    1. Re:Don't trust Linux either... by MWelchUK · · Score: 1, Interesting

      But how many of those security issues are still unpatched?

      Isn't it better for an advisory to be made and the software patched fully (Note: I don't consider what they are doing in this case to constitute fully) than to have fewer advisories but the holes to remain?

    2. Re:Don't trust Linux either... by walt-sjc · · Score: 2, Interesting

      It's interesting, but a rather useless statistic. Go read up on what others in the security industry are saying about this study.

      If you look at the DETAILS of many linux advisories, you will find that many of them have no known exploits but rather a POTENTIAL that it MAY be possible to exploit the flaw. Also, 2002 is not over yet, and we have had several REALLY nasty MS flaws come to life. Aberdeen may have to restate the results :-)

      If the study looked at the severity of advisories on some sort of scale, the results would be quite different.

      Note the WORDING of this press release: Open source software is now the major source of elevated security vulnerabilities for IT buyers.

      Excuse me? IT buyers? What, do I BUY vulnerabilities for linux now? From who, Microsoft? Anyone with a little intelligence can see right through this crap. When you use the word "buyers" you are dealing with marketing. PR. Spin. By the way, who paid for this study?

      Anyway, what's that old saying again? There are lies, damn lies, and statistics.

    3. Re:Don't trust Linux either... by Anonymous Coward · · Score: 0

      Basic misunderstanding.

      You guys are looking at this security hole thing as a pissing contest.

      The consulting guys are looking at as a cost of ownership issue. That is, you can't put in Linux and fire the sysadmin whose job it is to keep up on patches.

    4. Re:Don't trust Linux either... by Anonymous Coward · · Score: 0

      Excuse me? IT buyers? What, do I BUY vulnerabilities for linux now? From who, Microsoft? Anyone with a little intelligence can see right through this crap. When you use the word "buyers" you are dealing with marketing. PR. Spin.

      You forgot to include the smiley face to indicate that was a joke. At least I hope it was a joke otherwise you're being incredibly dumb.

      When they say "IT Buyers" they mean people who purchase a PC and decide what operating system to put on it.

    5. Re:Don't trust Linux either... by derF024 · · Score: 5, Insightful

      Kind of a silly statement, since they're comparing every piece of software that runs on a linux platform to only microsoft applications. what would happen if you compared the "Linux security flaws" to flaws in every single piece of software that ever ran on Windows..

      in addition, i think you'll find that since applications and libraries can be used by 3rd party applications more easily on open source systems, you have more code re-use. thus, 1 vulnerability, such as the one in OpenSSL, turns into 10 when you count in all the packages that use OpenSSL's SSL libraries. since MS closes the ssl libraries that they use with IIS, you'll find that there are probably 10 different ssl implementations on any one MS based system.

      a third point is that this study counts advisories from each vendor regarding the same application as separate advisories. so you have the following situation:

      1 bug in OpenSSL affects 10 applications that use the OpenSSL libraries. advisories for those 10 applications are reported by 10 different Linux vendors. therefore, 1 bug in a piece of linux software generates 100 vulnerability reports. according to this logic, there are still roughly 100X more bugs in microsoft software alone than there are in every piece of software that is capable of running on Linux based OS's. that number is somewhat inflated, however my points are still valid, this study is turning 1 bug into many and comparing apples to oranges.

    6. Re:Don't trust Linux either... by Atryn · · Score: 3, Informative

      OK, So you are saying that the combination of all open source projects from all developers in the OSS and Linux communities COMBINED had more vulnerabilities that MS ALONE had... Wow.

      We could look at vulnerabilities per line of code... But then MS has bloated code too... hmmm...

      --
      Come play Moral Decay!
    7. Re:Don't trust Linux either... by Tony-A · · Score: 2

      Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories.

      With no analysis of the severity and impact of the vulnerabilities, and more important, any analysis of the difficulty of discovering the vulnerabilities. That's Research???

      The count for Open Source and Linux vulnerabilities may be greater, but that is really the count of vulnerabilities *fixed*. This year's crop doesn't seem to be able to do much or go very far. Next year's crop will have an even harder time. Microsoft seems to have plenty of low-hanging fruit left.

  114. browser integration by jman+sr · · Score: 1

    windows update wouldn't work if the browser ran in a sandbox, it needs full access to the computer to patch the kernel, etc.

    josh

    1. Re:browser integration by dagashi · · Score: 1

      Yeah, but that only means you should run windows update with the administrator account.
      It doesn't mean that IE needs to run with full access when a normal user is just browsing the web.

  115. translation by jaymz666 · · Score: 1

    so, is there a translation from broken/bad English to English

  116. Re:This is big \\\\\--0-0--/////// by Anonymous Coward · · Score: 0

    I second that emotion. But many people that see that pop-up will go ahead and say yes.

  117. Re:I found it amusing... by befletch · · Score: 1

    but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution

    I've seen this said several times now, how Microsoft's solution is a good one, but I can't accept that claim.

    A good solution is one I can apply to my Mother's home PC and feel confident that the problem will stay solved. If I have to explain to her that she should never "trust Microsoft", the Windows UI is broken.

    Yes, she can remember this rule, but she shouldn't have to. As other people occasionally use her computer, she would also have to explain the rule to them, or learn to go through the process of regularly checking that nobody has added any trusted certificates to her computer.

    Is that reasonable? For a home computer?

    --
    If you say, "now I'll be modded down because of X", I'll happily oblige.
  118. infinite loop by 3k9 · · Score: 2, Funny

    ok, so Microsoft says "You can't trust us".

    Anybody see that this resembles the following situation:

    "I am a pathological liar,
    Everything I say is a lie,
    you can trust me on this."

    Now what are ya gonna believe??

  119. Re:Redundant %%%%%%(8)%%%%% by Anonymous Coward · · Score: 0

    About as 'amazed' as I get when I read about a train accident or a tornado ripping through a mobile home park. But still I read. Morbid curiosity???

  120. Practical fix and to increase general IE security by j_dot_bomb · · Score: 1

    Change the IE "Internet" zone security settings so that ActiveX and Java and everything else is disabled. Then add to the "Trusted sites" the few sites that you go to that require it. When you find a site that isn't functioning (or you get that damn ActiveX warning) and you think it's a commercial reputable site, add it to trusted. This will stop 90% of all of these kinds of bugs WITHOUT a patch.
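
    The zone lockdown this post describes, as an added PowerShell example that is not part of the original thread and not Microsoft's code. It writes the Internet zone's ActiveX and Java settings to "disable" and adds one domain to the Trusted sites zone through the per-user registry keys IE reads, then reads the settings back so the change can be checked. The value names (1200, 1201, 1001, 1004 and 1405 for the ActiveX settings, 1C00 for Java) and the meanings 0 = enable, 1 = prompt, 3 = disable are my understanding of the documented zone settings; the domain passed to Add-TrustedSite is a constructed placeholder, and the three functions are names chosen here.

```powershell
# Added example, not code from the thread or from Microsoft. Applies the post's
# advice: lock the Internet zone down first, then whitelist individual sites.
$ErrorActionPreference = 'Stop'
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Internet = 3   # id of the "Internet" zone (zone 2 is "Trusted sites")
$Disable  = 3   # zone setting values: 0 = enable, 1 = prompt, 3 = disable (assumed documented meanings)

# Zone setting value names and what they control (assumed from the IE zone documentation).
$activeXSettings = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

function Set-InternetZoneLockdown {
    # Disable every ActiveX setting and Java in the Internet zone.
    $key = Join-Path $zonesKey $Internet
    foreach ($name in $activeXSettings.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $Disable -Type DWord
    }
    # Java permissions: 0 = "Disable Java" (assumed meaning of the 1C00 value).
    Set-ItemProperty -Path $key -Name '1C00' -Value 0 -Type DWord
}

function Get-InternetZoneSetting {
    # Returns setting name -> current value so the lockdown can be verified.
    $key = Join-Path $zonesKey $Internet
    $result = @{}
    foreach ($name in (@($activeXSettings.Keys) + '1C00')) {
        $result[$name] = (Get-ItemProperty -Path $key -Name $name).$name
    }
    return $result
}

function Add-TrustedSite {
    # Puts a domain into zone 2 ("Trusted sites"): a value named after the scheme
    # ('*' for any scheme) holding the zone id 2 is what IE reads from ZoneMap.
    param([Parameter(Mandatory)][string]$Domain, [switch]$AnyScheme)
    $key = Join-Path $zoneMap $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $scheme = if ($AnyScheme) { '*' } else { 'https' }
    New-ItemProperty -Path $key -Name $scheme -Value 2 -PropertyType DWord -Force | Out-Null
}

Set-InternetZoneLockdown
Add-TrustedSite -Domain 'example.com'   # placeholder domain, not a site from the thread
Get-InternetZoneSetting | Format-Table -AutoSize
```

    Sites added to the Trusted sites zone keep that zone's own (looser) settings, which is the trade-off the post accepts: the decision of whether to run active content moves from "every site" to "the few sites you deliberately listed". Note that a kill bit or a patch is still needed for a control that is already installed; zone settings only govern what IE will load and script from the web.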

  121. RTFM : lol... Try Runas.. by bored · · Score: 5, Informative

    Re-enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate user privilege. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

    1. Re:RTFM : lol... Try Runas.. by Pfhreakaz0id · · Score: 2

      Yeah, the drivers/setups are getting better as they migrate to a system where user privileges are involved (as opposed to 9x), but it's still a joke. I have a scanner that won't FUNCTION under win2k unless you are in the admin group. The manufacturer seemed to not care "run as admin", they said. So I turned on auditing, and found the specific files it needed to have access to (and didn't). Emailed them the result six months ago. No response and no updated drivers or even a KB article describing the workaround. Lovely.

    2. Re:RTFM : lol... Try Runas.. by Iamthefallen · · Score: 1

      This is a problem with a LOT of win32 software, stupid developers assuming that everyone who's gonna use their software is an administrator. Even to run it, I can accept "Run as..." to install apps, but to run them? If I want to limit access for executables to Administrators or some other groups I'll use CALs and not some hardcoded "security" check.

      --
      Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
    3. Re:RTFM : lol... Try Runas.. by dboyles · · Score: 2

      I'm far from being a bigshot Windows admin (or Unix admin, for that matter), but this seems to be a huge problem in Windows. I work at a university, and in my department we end up having to give nearly all users administrator rights because they have to run programs that require them. In the searching I have done, there is no way to fine-tune these rights. For example, in Unix I would either set permissions/ownership appropriately, or if something truly needed root, I'd set up a command alias in sudo to allow it.

      Can anything like this be done in Windows (2000 Professional)?

      --
      -- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
    4. Re:RTFM : lol... Try Runas.. by Whibla · · Score: 2, Funny

      What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

      I think that this is due to the fact that these installs are modifying the registry. But, you say, Win2k has a user portion of the registry that the user can edit. Well, yes, but this does not allow for dependencies and global file extension settings. Basically, when a "dependent" program is installed it increments a counter in the registry branch for the program that it is dependent on (if that makes sense :-)), so that if you try to un-install the 'higher-level' dependency, or run a disk clean up, Windows knows not to remove it. Anyway, to get back to the point, you need the admin rights to be able to make changes to the non-user portion of the registry. I do agree though - bloody stupid.

      Intelli-sync for Palms is one program like this. Their solution - install / run as Administrator. Just make sure that when you do this you only make the user a LOCAL administrator. I made this mistake once - and spent most of a night putting one of our servers back together. Never again!

    5. Re:RTFM : lol... Try Runas.. by Pfhreakaz0id · · Score: 3, Informative

      well, the way to do it is to turn on security auditing and log "failed" accesses (you don't want to do this permanently, turn on, run software, turn off). then look at the log. You want to do this for registry as well. Sometimes it is a physical file, sometimes a registry key you need to give the "users" group permission to.

      It pisses me off, because I am doing the company's job. You can usually figure it out and write a script or bat file with cacls to apply the permissions the user needs.
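
      The audit-then-grant procedure this post describes, as an added PowerShell example that is not from the thread. It turns on failure auditing for file system and registry access with auditpol (a tool present from Windows Vista onward, so not on the Win2k machines the thread talks about, where the same policy is set in Local Security Policy), puts a "failed access" audit entry on the application's directory, has the user run the program, collects the object names from the Security log's failed handle-request events, and grants the Users group change access with cacls as the post suggests. The application directory is a placeholder I chose; the event id (4656) and the "Object Name:" field in its message are my assumptions about the audit log format, and the four function names are chosen here.

```powershell
# Added example, not from the thread. Run elevated: find what a program fails to
# open when run as a normal user, then grant the Users group only what it needs.
$ErrorActionPreference = 'Stop'
$appDir = 'C:\Program Files\ExampleApp'   # placeholder for the application's directory

function Enable-FailureAudit {
    param([Parameter(Mandatory)][string]$Path)
    # 1. Audit policy: log failed object access for files and registry keys.
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null
    auditpol /set /subcategory:"Registry"    /failure:enable | Out-Null
    # 2. Objects are only audited if they carry a SACL, so add a "failed access"
    #    audit entry for Everyone to the directory tree.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure'
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Disable-FailureAudit {
    # The post's point: auditing is a diagnostic step, not something left on.
    auditpol /set /subcategory:"File System" /failure:disable | Out-Null
    auditpol /set /subcategory:"Registry"    /failure:disable | Out-Null
}

function Get-FailedObjectAccess {
    # Distinct object names from failed handle requests (id 4656, assumed) since $Since.
    param([Parameter(Mandatory)][datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $Since } `
        -ErrorAction SilentlyContinue
    $events |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        ForEach-Object { if ($_.Message -match 'Object Name:\s+(?<name>\S.*)') { $Matches['name'].Trim() } } |
        Sort-Object -Unique
}

function Grant-UsersChange {
    # cacls: /E edits the existing ACL instead of replacing it, /G grants, C = change.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { cacls "$p" /E /G Users:C | Out-Null }
    }
}

# Usage: enable auditing, have the user run the program, collect, fix, clean up.
$start = Get-Date
Enable-FailureAudit -Path $appDir
Read-Host 'Run the application as the normal user now, then press Enter'
$failed = Get-FailedObjectAccess -Since $start
Disable-FailureAudit
$failed                                   # show everything that was denied, registry keys included
$toFix = @($failed | Where-Object { $_ -like "$appDir*" })
Grant-UsersChange -Paths $toFix
```

      Registry keys show up in the same list (as \REGISTRY\MACHINE\... paths) but are left for the administrator to grant by hand, since cacls only handles files. Granting change on the specific files that failed, rather than adding the user to Administrators, is the point of the exercise.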

    6. Re:RTFM : lol... Try Runas.. by Rich0 · · Score: 2

      Unless of course you have XP home edition... No ACLs there - at least not editable ones...

    7. Re:RTFM : lol... Try Runas.. by Rich0 · · Score: 2

      Ironically, MS Flight Simulator 2002 Professional is in this class. You'd think that at least MS would get this right.

      I have kids that I let play games on my PC. However, I'm hesitant to give them admin rights. While I know how to be on the lookout for spyware when I download junk from the web, they don't...

    8. Re:RTFM : lol... Try Runas.. by pVoid · · Score: 1

      Let's not forget stuff like pppd which has to run as su... Everyone is guilty of this sort of behaviour.

      This relates to a previous post about how certain practical (mis)applications do not surmise the overall design.

      Win32 developers tend to be much more novice than UNIX purebreds I find, and I think it has to do with the fact that the main IDEs on Win are very nice and easy to push buttons on. (click "create win project", click "build", run)...

      Going from this to Win32 being an insecure system, though, is a giant leap of (il)logic.

    9. Re:RTFM : lol... Try Runas.. by Pfhreakaz0id · · Score: 2

      that's because xp home is a steaming pile of shiat.

      I'd really, really, like to understand why the upgrade to xp pro costs the same whether you have 98, me, 2000 pro, or xp home...

    10. Re:RTFM : lol... Try Runas.. by Amazing+Quantum+Man · · Score: 2

      Yeah, but you can setuid pppd. To use "Run As...", you have to give out the administrator password.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    11. Re:RTFM : lol... Try Runas.. by Anonymous Coward · · Score: 0

      This is a problem with a LOT of win32 software, stupid developers assuming that everyone who's gonna use their software is an administrator.

      More like stupid testplans that only test on 9x.

      Of course, all l335 Win32 developers run as Administrator themselves.

  122. What if - it were not a security hole at all ... by dudemaster · · Score: 2, Interesting

    What better way for the US Gov to get some spyware into all M$ installations, than to have M$ issue a major warning like this. I'm sure they're considering using M$'s monopoly to exploit eavesdropping on some of Al Qaeda's employees.

  123. Click...refresh...huh? by CodeShark · · Score: 5, Funny

    'xcuse me -- thought I'd pulled a Rip Van Winkle and woke up just in time for a Malda & Co. April Fools Joke.....Microsoft admitting that content from Microsoft can't be trusted?

    --note to self--

    Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  124. Re:Micro$oft knows best by Anonymous Coward · · Score: 0

    :P

  125. Unsafe at any release? by geoff+lane · · Score: 5, Informative

    For those of us still running Win95 on hardware that cannot support '98 or XP there is no fix for the recent critical IE security problems.

    So, to fix this particular little problem needs a hardware replacement "upgrade" :-(

    1. Re:Unsafe at any release? by Bald+Wookie · · Score: 1

      You could always upgrade your software.

    2. Re:Unsafe at any release? by tswinzig · · Score: 2

      Well, you could do one of these things:

      (a) Use Mozilla instead.

      (b) Change IE to browse in high security mode for all internet sites, except those in your Trusted Sites zone.

      (c) Spend $100 and get yourself a computer that can run something beyond Win95???

      (d) Stop surfing the internet. You don't need porn THAT badly.

      --

      "And like that ... he's gone."
    3. Re:Unsafe at any release? by Anonymous Coward · · Score: 0

      and

      (e) PROFIT!

    4. Re:Unsafe at any release? by VB · · Score: 1

      There's no need (perceived or practical) to use Win95 to surf the 'Net. I know people who use it for certain multi-media things and just keep it off-line. I personally use it to test my own web applications and for QuickBooks... that's it. If I wish to surf the 'Net (like right now for instance) in a zone I can't trust, I use an OS I can trust with Java disabled and cookies selectively controlled. You too can take this approach.

      Contrary to popular belief, the Internet isn't really necessary, either. You can get news from TV, mail via the postal system, and talk to people using a phone. They all still function virtually risk-free.

      Don't go buying new hardware and paying more to M$ for licensing fees because they forced you to due to their own incompetence. If you do, you're a sheep...

      --
      www.dedserius.com
      VB != VisualBasic
  126. Re:Practical fix and to increase general IE securi by RyoSaeba · · Score: 1

    I use a firewall at home to filter those active content thingy. Pretty much safe, and not that many sites require you to have ActiveX / Java / you-name-it enabled.
    Of course sometimes i hafta change the settings to allow some sites (like windows update)...

    At work it's even more safe, all active content turned off & regular users can't change the settings ! (though i'm using good ol' IE4, having all those active content things turned off makes it less insecure...)

    --
    Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
  127. In other news... by pixelated77 · · Score: 5, Funny

    Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.

  128. KillBit etc by Anonymous Coward · · Score: 0

    The "KillBit" problem is already solved with MS02-066 patch (Q328970): http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-066.asp

    How normal of SlashDot to "forget" this piece of information.

  129. Dr.Who reference? by Ami+Ganguli · · Score: 1

    I think Doctor Who tried this once. Tried to confuse an intelligent computer with the statement "The next thing I say is the truth, but the last thing I said was a lie."

    Don't think it worked.

    --
    It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
    1. Re:Dr.Who reference? by msfodder · · Score: 1

      James T. Kirk would have caused seven types of electronic hemorrhage with that statement. The man had a definite gift.

      --
      ..Free Live Free...
  130. Re:I found it amusing... by marauder404 · · Score: 3, Insightful

    Reasonable for a home computer is to do nothing, actually. I'll probably get railed for saying this, but for most people, security isn't really that big of a deal. They pick shitty passwords, leave tons of security holes open, don't bother patching, and don't even know what they're doing is unsafe.

    Granted, this vulnerability is considered critical, but few people will ever encounter it. Someone has to hit upon one of these malicious sites with IE after having trusted Microsoft by default and must have MDAC 2.7 (comes with Windows XP, I believe). The chances of this are very low.

    You asked what you would do for your mother's PC and I would say do nothing. My dad browses all the time, but he pretty much sticks to the same big-name sites, reads the news, keeps up on a few messageboards, and sends email. I'm not going to give him a confusing list of things to worry about -- I'd be calling him every day for things to watch out for, trojans to be wary of, and websites to avoid. Most people won't encounter the problem, so I'm fairly comfortable with not having to panic about it and call everyone I know.

  131. Great solution, what about SPAM? by insac · · Score: 5, Funny

    (...)
    "The simplest way is to make sure you have no
    trusted publishers, including Microsoft. If you do
    that, any attempt by either a web page or an HTML
    mail to download an ActiveX control will generate a warning message."
    (...)

    We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!

    This message doesn't need a signature

    --
    This message doesn't need a sig
  132. re: protecting users from trojans and virii? by Anonymous Coward · · Score: 0

    I imagine someone in the microsoft camp came up with something along the lines of "lock the settings then chop off their fingers" but marketing couldn't find a way to package it as an "update"

  133. Score one against DRM !!! by Anonymous+Custard · · Score: 5, Informative

    From the MS Technet article:

    Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

    A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

    Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.
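
    The check a practitioner would want after reading the quoted Q&A, as an added PowerShell example that is not from the thread and not Microsoft's code. It lists who sits in the current user's Trusted Publishers store (the list the bulletin says to remove Microsoft from), verifies a control's Authenticode signature, and reads the kill bit for a CLSID (the mechanism comment 128 refers to), so that "signature valid" and "publisher auto-trusted" can be seen side by side with "old build, not killed". The CLSID and DLL path are placeholders, since the thread does not give them; that the kill bit is the 0x400 flag of the "Compatibility Flags" value under the ActiveX Compatibility key is my understanding of the documented mechanism, and the function names are chosen here.

```powershell
# Added example, not from the thread. A valid signature from an auto-trusted
# publisher says who built the control, not whether this build is the safe one.
$ErrorActionPreference = 'Stop'
$controlClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real control's CLSID
$controlPath  = 'C:\Windows\System32\example-control.dll'  # placeholder path
$KillBit = 0x400   # flag in "Compatibility Flags" that stops IE loading the control (assumed documented value)

function Get-TrustedPublisher {
    # Controls signed by these certificates install without the usual Authenticode prompt.
    Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
        Select-Object Subject, Thumbprint, NotAfter
}

function Test-ControlKillBit {
    # True when IE has been told never to load the control with this CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBit)
}

function Get-ControlTrustReport {
    # One row answering: is it signed, by whom, is that signer auto-trusted,
    # which build is it, and is the kill bit set for it?
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Clsid)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        File              = $Path
        FileVersion       = (Get-Item -Path $Path).VersionInfo.FileVersion
        SignatureStatus   = $sig.Status
        Signer            = $signer
        SignerAutoTrusted = [bool]($thumb -and (Get-TrustedPublisher | Where-Object Thumbprint -eq $thumb))
        KillBitSet        = Test-ControlKillBit -Clsid $Clsid
    }
}

Get-TrustedPublisher | Format-Table -AutoSize
Get-ControlTrustReport -Path $controlPath -Clsid $controlClsid | Format-List
```

    The row that matters is SignatureStatus = Valid, SignerAutoTrusted = True, KillBitSet = False together with an old FileVersion: that is exactly the state the bulletin describes, where nothing in the signature chain will produce a warning. Removing the publisher from the store turns the silent install back into a prompt; setting the kill bit blocks that CLSID outright, whichever build is on disk.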

    1. Re:Score one against DRM !!! by sbwoodside · · Score: 1

      huh?

      what's the connection?

    2. Re:Score one against DRM !!! by Anonymous+Custard · · Score: 2

      huh? what's the connection?

      Microsoft's digital signature system is a type of DRM (although the user is still in control of his own system with this type). ActiveX controls can be very powerful, and can execute commands on your computer. You wouldn't want to download a malicious activeX control to a windows computer, it could do virus-like damage. Digital signatures allow files such as activeX controls to be 'signed' by a 'trusted' company that has been registered with MS (i think). So if you're dl'ing an activeX control that has been officially signed by Macromedia, you can assume it's safe as long as you trust Macromedia. On activeX controls signed by Microsoft, it means the activeX control has been developed by MS and has not been changed since development, and most importantly that you can trust it not to cause any damage to your pc.

      But now there is an MS-signed activeX file (see article) which has proven to be a security hazard. Plus, MS can't kill it, as it does have a valid MS digital signature (and other reasons). Most people have IE set to automatically trust Microsoft-signed activeX controls. So malicious webmasters can distribute this old activeX control to a user who has no way of telling that although it is signed by MS, it has a severe security flaw. So MS's early effort at trusted computing has proven vulnerable.

      Actually, I suppose it is more a case of trusted-computing than of Digital Rights Management, but the two are related concepts in the sense that they both aim to label software or hardware as safe in order to be used. This situation shows that although something is labeled as safe (digitally signed by MS), it is actually not safe. DRM is more restrictive and less under user-control; the only thing that users can do at the moment is exercise the control that they have and remove MS from the auto-trust list.

      What if something like this happens in a future DRM situation (palladium?), where the user isn't able to decide what's trusted and what's not, and MS can't fix it?

    3. Re:Score one against DRM !!! by sbwoodside · · Score: 1

      Hmm... If the entire palladium paradigm is based on digital certificates authorizing this program and denying that other program...

      Here is an example of how that paradigm breaks. Because under palladium, I don't get a choice, my computer decides what I can run and what I can't run for me. But if BigBrotherSoft in control of the palladium system screws up, and issues a certificate for buggy code, then suddenly I can no longer stop my own computer from running malicious code. Because apparently under palladium, my computer trusts BigBrotherSoft and doesn't trust me.

      And then what does BigBrotherSoft do? If they say to my computer not to trust BigBrotherSoft, then who can it trust?

      Doesn't sound like such a great idea to me...

      simon

    4. Re:Score one against DRM !!! by sineltor · · Score: 1

      Not at all - this is ammunition for DRM since with DRM microsoft can expire a certificate at any time for any specific piece of software or content... correct me if I'm wrong but I'm pretty sure files don't have 'certificates' as such, they're merely signed+encrypted with a unique code that microsoft has to repeatedly authorise every week or so.

      ...of course the end effect being that microsoft can say "No, linux has a bug in the code. *click* ... why don't you go and 'upgrade'?" and linux will no longer be able to start up on your computer....

      Preaching to the converted, but bugs like this only strengthen DRM

      --
      'No publisher will ever pay you enough to successfully sue them' - Dave Sim
  134. hopeful and naive optimism by Anonymous Coward · · Score: 0

    Maybe if MS just read the book, "Writing Secure Code" (published by Microsoft Press) they could fix all these security issues.

  135. did you read the eula? by leuk_he · · Score: 2

    did you read the EULA?

    You just sold your soul! 1 d (e)"indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorneys' fees, that arise or result from ...."

    1. Re:did you read the eula? by marauder404 · · Score: 3, Informative

      did you read the EULA [microsoft.com]? You just sold your soul! 1 d (e)"indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorneys' fees, that arise or result from ...."

      Did you read the GPL? (lameness filter requires changing to lowercase letters -- it comes in screaming caps)

      In no event unless required by applicable law or agreed to in writing will any copyright holder ... be liable to you for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the program (including but not limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of the program to operate with any other programs), even if such holder or other party has been advised of the possibility of such damages.

      Indemnification of software writers is standard practice. There are tons of better things you can use against Microsoft than this lame argument.
  136. Why MS bugs so publicised?... by CowardNeal · · Score: 1

    ..and Linux bugs not?

    Why MS bugs so publicised and ridiculed on slashdot, when there are just as many in Linux, and the readership is mostly Linux users here?

    1. Re:Why MS bugs so publicised?... by foniksonik · · Score: 5, Insightful

      Linux users know all about their bugs. They are the ones fixing them. Bugs in proprietary software are more interesting/important because they acknowledge commercial vendors' inability to get working code out the door before profiting from it, a despicable but almost always necessary evil (if you're commercial and proprietary, that is).

      1. Get an idea for useful software
      2. Write a lot of working but buggy code
      3. ??????
      4. Profit

      Then later when you can rest assured that the investors or collectors are happy...

      5. Fix bugs

      And if you're a monopoly...

      6. Release bug-free "Upgrade" and charge more money.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    2. Re:Why MS bugs so publicised?... by Dolemite_the_Wiz · · Score: 1

      Because the Unix admins love to rag on any bad press that has to do with Microsoft. Every OS on the market has its strengths and weaknesses (Ever manually install an SGI box before? One of the worst setups I have ever seen in an operating system. That is if there aren't any bugs in the setup program.). Of course you won't see that attitude here.

      --
      Save the World! Use a Quote!
  137. linux community hypocrisy by buddyjones · · Score: 0, Troll

    you linux geeks (this means you, slashdot "editors"), take every opportunity to crow about Windows security holes, but conveniently fail to mention the number and frequency of patches issued for linux, which is at least as many as for Windows.

    Microsoft has admitted that it has a poor security track record. The frequency (& ease of update) is evidence that Microsoft is making good on its promise of taking security seriously.

    Compare ease of patching Windows with that of Linux, please.

    1. Re:linux community hypocrisy by Anonymous Coward · · Score: 0

      Sure. With RedHat, you use Update, download your patches, and unless it's a kernel fix, you're done. No rebooting. Don't think I have ever downloaded a patch from MS ever without having to reboot. Are all MS patches kernel fixes?

  138. It's a brave new world ma by Anonymous Coward · · Score: 0

    *buried amid the hype*

    --"ma dont bother me, i'm attempting identity spoofing using certificates"

  139. Windows Update V4 by fwr · · Score: 2

    Hmm...

    I just got a prompt to update to Windows Update V4, signed by Microsoft. Should I trust this???

  140. Re-exposing vulnerability by flanker · · Score: 2

    There is really no need to have Microsoft be a trusted publisher of ActiveX controls. The "complete fix" for this problem, removing Microsoft from the trusted publisher list, is a standard part of securing IE.

    --
    Left shift 1 for e-mail...
  141. It's funny by Anonymous Coward · · Score: 0

    It's funny that right as I was reading the post, my taskbar flashed that there was a new critical update ready for download.

  142. Re:Hey great-- (((77))) cheapo ISPs by Anonymous Coward · · Score: 0

    I was just at a friend's house attempting to secure their WinME machine (laugh, it's funny) and I was unable to download ANY *.exe files from the net. Zone Alarm, MDAC.exe, ...
    Windows update did work but I hate having to use that service.
    ISP in question is Wal-mart(aol).

  143. In other news.. by Anonymous Coward · · Score: 0

    ..glibc was 'fixed' again, causing another 25 mb download for Linux users across the planet.

    "This is the third time this freaking month!" one user exclaimed. "I feel like I'm running Windows!"

    Yes, I know, troll, flamebait, because people don't want to hear about how you have to patch Linux distributions more than you have to patch Windows.

  144. .NET has similar design flaw by goombah99 · · Score: 4, Interesting

    From what I have read .NET has a similar design flaw. Where java uses rigorous theorem proving approach to making sure that code cannot exceed its authority, .NET once again trusts code that has been signed rather than attempting to check it. The reason for this approach I believe is 1) the potential for speed by distributing compiled binary rather than VM code 2) the ability to take quick shortcuts, call undocumented APIs and the litany of other very handy but bad programming ideas that make MS what it is.

    So this is news because it blows the doors off the signed executable philosophy and makes the sandbox philosophy of the java VM look like the only viable approach. Notice that the JAVA approach would have avoided both problems. First, it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second there would be no signed app trustworthiness issue.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:.NET has similar design flaw by msfodder · · Score: 1

      And then we would have waited for the Java VM to crawl to its next try..finally, and heave another exhausted heap of resources into the oven for the garbage collector to come.. Java demands patience, like a glacier.

      --
      ..Free Live Free...
    2. Re:.NET has similar design flaw by pavera · · Score: 2

      It's still faster than reinstalling/reconfiguring Windows after the virus reformats your hard drive.

    3. Re:.NET has similar design flaw by Anonymous Coward · · Score: 0

      What you didn't learn the first time? Don't reinstall it.

    4. Re:.NET has similar design flaw by pavera · · Score: 2

      lol. good point.
      unfortunately my clients don't have that option (I run linux and OS X everywhere on my machines, but lots of my clients are dependent on windows... sad but true...) I don't really mind the viruses actually, more money for me... but hey whatever.

  145. Break out of the liar's paradox by yerricde · · Score: 1

    According to their bulletin, you can't trust MS. But the bulletin came from MS, so you can't trust the bulletin.

    The way out of this joke: According to their bulletin, you can't trust Microsoft's key. Microsoft Corporation and Microsoft's key are two different entities; thus, the liar's paradox no longer applies.

    --
    Will I retire or break 10K?
  146. Re:Install MDAC 2.7 (what about JET?) by Insightfill · · Score: 2
    Yeah, but if you rely on JET to provide any functionality, 2.6/2.7 don't provide it. If you're working on a non-WinNT kernel machine, you have to install 2.5, then install 2.7 to get JET and be secure. Or, there's a sep. D/L for JET.

    Yeah, I know, you shouldn't be using JET anymore, but sometimes it's the hand (or product) you're dealt.

    What a pain...

  147. not all Unixes use Sendmail & Bind by DrSkwid · · Score: 2

    whereas almost all windows boxes have IE installed

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  148. half of /. users use Windows. the below avg half by DrSkwid · · Score: 2

    wheeeeeeeep

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  149. IE has root on win98, thats a huge number of users by DrSkwid · · Score: 2

    so it's a huge piece of news

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  150. Web Servers should be ok after applying the patch by kjeldsen · · Score: 1

    I don't see anywhere that it's possible to reverse the patch on the Web Servers, the news story seems to indicate that.

    Unless you browse "certain" web sites from the web server.. As any NT/2000 Admin could tell you we only connect to windowsupdate.com (twice a day :-)

  151. . . I have the ultimate solution . . by phuturephunk · · Score: 1

    . . I think we all need to deny our Brains the authority to run the Circulatory, Neural and Endocrine system services . . cuz then we'll all be dead and crappy MS software will be a non-issue . . . ;) . .

  152. Don't forget XP like me. by Keebler71 · · Score: 1

    Yup...it doesn't apply to XP.

    --
    "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
  153. The Laziest Coders in Redmond by Anonymous Coward · · Score: 0

    All your trust aren't belong to us;
    all your anti-trust are belong to us!

  154. Drop the M$ please... by Anonymous Coward · · Score: 0

    ... it is just so lame. Matter of factly, maybe the only thing that is lamer than leetspeak.

    Oh yes, forgot. You wanted some cheap karma. Scriptkiddie scoring cheap points. Turns my stomach.

  155. the real problem is NOT a hole in IE or Windoze... by Anonymous Coward · · Score: 0

    ...because there's a really simple fix.

    The real problem is that so many internet pages are dependent on proprietary M$ extensions. The correct fix has nothing to do with M$, it's to fix all the broken websites so no-one needs to enable dangerous M$ code.

    Then there'll be a real choice of browser and more protection from these regular designed in screw-ups.

  156. Re:I found it amusing... by befletch · · Score: 1

    They pick shitty passwords, leave tons of security holes open, don't bother patching, and don't even know what they're doing is unsafe.

    Right, in which case they are placing themselves at risk. My mother's computer is running Norton AV with regularly updated definitions, and it has Windows Critical Update Notification enabled. I believe that these measures, plus reasonable caution on the part of the user, ought to be enough to keep someone safe from all but persistent, directed attacks. I mean, if someone really wants in, they can always break in and steal the hardware.

    I just don't think that Microsoft has put together a full solution here, suitable for use on a home computer, if known-bad code signed by Microsoft can still be accepted by a fully patched machine.

    --
    If you say, "now I'll be modded down because of X", I'll happily oblige.
  157. we're mising the point by b17bmbr · · Score: 1

    it doesn't affect XP. is this m$'s plan all along? you have office people saying that win9x is impossible to make secure, and office 11 will only run on 2000 SP3 or higher. in the end, this is a good thing for m$. all the more reason to upgrade. it is a great sales pitch. in fact, wasn't m$ using no more BSODs as a selling point for XP? as if BSODs were somehow from some mysterious OS.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  158. Witch Hunts again. by Anonymous Coward · · Score: 0

    It's amazing how everyone plays up an MS vulnerability. However, when a KDC type exploit is published, nothing. ::sigh::

  159. like the one on today's front page? by DrSkwid · · Score: 2
    this one

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  160. To all the "Run as..." replies by Anonymous Coward · · Score: 0

    you missed the point

    yes, you can set/change/modify the privileges of an app.

    the question was, however, why the hell does an app that's only supposed to download and display content have _any_ privileges at all to the system?

  161. Because. by artemis67 · · Score: 2

    Opera isn't running on 90% of all computers out there. I'm not even sure that Opera is running on 10% of all computers out there.

    Opera could have a big gaping security hole, but the impact is still going to be marginal because of the (relatively) small size of the installed base.

    1. Re:Because. by Anonymous Coward · · Score: 0

      So those 10% don't deserve the same ridicule/warning that the other 90% do? Isn't that like completely anti everything O.S. which itself only takes up 10% of the market for anything? Maybe we should all just shut O.S. down and go home then. I mean if THIS isn't the place to mention opera vulns, then this sure isn't the place to mention MS ones either!

  162. Re:Install MDAC 2.7 (what about JET?) by Brazzo · · Score: 1
    ::scratches head::

    Install 2.7, and install the JET tools separately. Yes, Microsoft is trying to move people away from Jet, and yes, Microsoft doesn't include Jet components in MDAC > 2.5 by default. But, scrolling down the Universal Data Access page gives you a download link.

    Why is this an issue, again?

  163. Re:Hey great by mangu · · Score: 4, Insightful

    Just because it says "Signed by Microsoft" on the pop up at the cracks site, are you going to go ahead and click Yes?

    Wasn't that the rationale for the existence of "certification authorities"? If one must make one's decision about trusting a software or not based upon the site where it seems to be, then there is no need at all for security certificates. Speaking for myself, if it says "Signed by Microsoft", I don't trust it at all, no matter if it was in a cracks site or not.

  164. time line by merbywerby · · Score: 1, Funny

    I'd really like to see all of these laid out on a time line. Seems every day there is a new M$ "critical" issue. :)

  165. Think Ahead to Palladium by serutan · · Score: 3, Insightful

    Watcha gonna do when something like this happens, and the airtight MS security system is burned into your hardware?

    Comforting thought, huh?

  166. RTFA by captainstupid · · Score: 2, Informative

    I'm sorry, but it doesn't appear that anyone read the freaking article.

    From the MS TechNet article:
    * Customers using Windows XP, or who have installed MDAC 2.7 on their systems are at no risk and do not need to take any action.

    * Web server administrators who are running an affected version of MDAC should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not affected by the vulnerability.
    The "fix" to this vulnerability is installing MDAC 2.7 which is available on all versions of Windows back to 98.

    Other than the fact that this is the 50,000th security patch that I have to install on all my machines, what's the big deal?

    --
    "Anyway, long story short... is a phrase whose origins are complicated and rambling...." - Abraham Simpson
    1. Re:RTFA by Anonymous Coward · · Score: 0

      Unfortunately, you're not out of the woods even if you're running XP. If you'd RT *ENTIRE* FA, you'd know that a malicious website could actually install the vulnerable version on your XP box (probably by faking version numbers). Once that happens, you're just as vulnerable as the win9xers.

    2. Re:RTFA by captainstupid · · Score: 1

      Unfortunately, you're not out of the woods even if you're running XP. If you'd RT *ENTIRE* FA, you'd know that a malicious website could actually install the vulnerable version on your XP box (probably by faking version numbers). Once that happens, you're just as vulnerable as the win9xers.

      The malicious website can install a vulnerable version of the ActiveX control, NOT MDAC.

      --
      "Anyway, long story short... is a phrase whose origins are complicated and rambling...." - Abraham Simpson
  167. What company? by Amazing+Quantum+Man · · Score: 2

    So whose scanners should we avoid? (my money is on UMAX as the culprit).

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    1. Re:What company? by Pfhreakaz0id · · Score: 2

      BING! BING! BING! excellent answer.

      Tell him what he's won bob!

  168. Re:He's right about the fonts by DickBreath · · Score: 3

    Why doesn't Microsoft wake up and just apply the "mozilla patch"?

    Seriously? Because this would work against the goal of creating a separate Microsoft Internet that requires Microsoft platforms to run on. The enticement to lock yourself in is the additional features. Like a narcotic. It's the easy solution. No more pain. Surprise, you're addicted. Installing Mozilla takes you a step in the wrong direction. The direction of being more platform neutral and standards compliant. From this standpoint it would be better to keep you off of Mozilla and just do whatever embarrassing thing is necessary to fix IE.

    --

    I'll see your senator, and I'll raise you two judges.
  169. CNN by theonetruekeebler · · Score: 4, Interesting

    CNN's headline for the story is: Microsoft: Yet another security flaw. The story describes it as the 65th alert MS has issued this year and notes that MS has dumbed down its security alerts to the point that the people affected by them (e.g. darned near everybody) can read them.

    I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and sleep soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.

    What will happen when people start treating Microsoft's security lapses like the epidemic they are?

    --
    This is not my sandwich.
  170. untrustworthy != liar by mangu · · Score: 1

    If you can be sure that someone always lies, then it's very easy dealing with that person: just turn 180 degrees everything he says. Not being able to trust someone is different, it means he lies or not according to a random pattern, so you can never be sure.

    1. Re:untrustworthy != liar by Anonymous Coward · · Score: 0

      i am the straightest person alive.

  171. Re:Typical slashdot crap Not! by WayTooOldForThis · · Score: 1

    From the Microsoft security bulletin:

    What steps could I follow to prevent the control from being silently re-introduced onto my system? The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

    In Internet Explorer, choose Tools, then Internet Options. Select the Content tab. In the Certificates section of the page, click on Publishers. In the Certificates dialog, click on the Trusted Publishers tab. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

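    The bulletin's click-through procedure above edits the current user's Trusted Publishers certificate store. The script below is an added example, not from the bulletin or this thread: it audits that store (and, with -Remove, empties it, which is the state the bulletin recommends) so the result can be logged and verified across machines instead of checked dialog by dialog. It assumes a PowerShell version whose certificate provider supports Remove-Item, and it leaves the machine-wide LocalMachine\TrustedPublisher store alone.

```powershell
# Added example (not the bulletin's or Microsoft's own tooling): audit the
# per-user Trusted Publishers store that the IE Content > Publishers dialog
# edits, and optionally empty it. Default is audit only; pass -Remove to delete.
param(
    [switch]$Remove
)

# The IE dialog in the bulletin works on the current-user store, so that is
# the one inspected here. LocalMachine\TrustedPublisher is deliberately not touched.
$storePath = 'Cert:\CurrentUser\TrustedPublisher'

# Every certificate listed here lets a control signed by that publisher install
# with no prompt at all, which is exactly the silent re-introduction path the
# bulletin describes.
$publishers = @(Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue)

if ($publishers.Count -eq 0) {
    Write-Output "No trusted publishers in $storePath; every signed control will prompt."
    return
}

foreach ($cert in $publishers) {
    # Record thumbprint, subject and expiry before anything is removed, so the
    # audit trail shows what was trusted and when that trust would have lapsed.
    Write-Output ("{0}  {1}  expires {2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
}

if ($Remove) {
    # Equivalent to clicking Remove on each entry in the Trusted Publishers tab.
    foreach ($cert in $publishers) {
        Remove-Item -Path $cert.PSPath
    }
    Write-Output ("Removed {0} trusted publisher entries from {1}." -f $publishers.Count, $storePath)
}
```

    Running it without -Remove is a safe way to confirm, after the dialog steps, that the list really is empty.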
  172. Keep your hands off my brain by Anonymous Coward · · Score: 0

    So why does this surprise anyone? I thought Mundie admitted that their products were not designed for security.

    OK, that's a cheap shot. But seriously, folks...I do agree that this particular string of vulnerabilities is big news. They are ugly, to be sure, but the big deal is in the strongly-worded description of the bugs and the recommendations they've issued in the bulletin. I've read those bulletins for years, and I can't get over the things this one said. Don't trust Microsoft? Don't use ActiveX? These recommendations are nothing new to us, but I'm interested to find out what impact they may have on Joe and Jane User. When the media packages it for them, maybe a few of them will actually have a better understanding of why "Microsoft" and "security" just don't go together. And even if the only thing that some people take away is "don't trust Microsoft," well, that may make people think twice about the whole concept of Microsoft's "Trusted Computing" initiative.

    That having been said, this story is just plain funny. It's not funny to think of all the patching that's going to have to take place or the hacks that are going to come out based on this stuff, but I just couldn't help laughing. This is a good Slashdot day. Also, speaking of funny, I couldn't help but post a link I found on the BBC concerning Microsoft's attempt to develop an "online life archive" of your memories

    Here's a taste from the first paragraph:

    "Microsoft researchers are working on ways to create a 'back-up brain' that will do a much better job of containing and cataloguing every picture you take, document you write or conversation you record."

    Trust Microsoft with your freakin' memories?! Ha ha ha ha!!! It almost deserves a whole other post. "Security vulnerabilities? I don't remember any security vulnerabilities."

  173. Good Gods NO! by Anonymous Coward · · Score: 2, Insightful

    have you not noticed that virtually _all_ of the Mac exploits ever published involve IE and/or Outlook?

    I refuse to put Office X on my system, and only use IE to verify why a poorly coded page won't display in Mozilla or OmniWeb

  174. Re:the real problem is NOT a hole in IE or Windoze by Anonymous Coward · · Score: 0

    Then we'll just have java viruses instead. Hooray.

  175. Bias and the 'solution' by mythosaz · · Score: 2, Informative

    The problem is not that Slashdot is picking and choosing bug reports in an attempt to make M$FT look bad. They're reporting bugs from all the "major" OSs. The problem is the bias in the reporting and by the upwards modded commentators. Take this example from the article (and the note which it closes on):

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

    NO! The 'solution' from Microsoft is that you just patch your MDAC to include the component from 2.7 or that you just update your MDAC to 2.7

    For Christ's sake people, if this were a *nix bug, you'd all be beating your "we know how to update our machines" drum complaining that only stupid Windows users don't use updates.

    Or perhaps it would be the "at least fixes are available immediately for *nix" argument. MDAC 2.7 isn't new, kids.

    Just report the bug, and report the CORRECT fix.

    You disagree with me. Mod me down.

  176. Thanks for the advice... by DrunkenPenguin · · Score: 1

    but I think I'll remove Microsoft from my life!

  177. Windows Update by Captain+Large+Face · · Score: 3, Interesting

    Does Windows Update require signed ActiveX controls?

    If so, I presume the default action would be to trust Microsoft controls? Will this mean that the majority of users will be exposed to this problem?

  178. My new Vaio by Anonymous Coward · · Score: 0

    In July, I bought a totally bitchin' little Vaio R505-EL. It runs Linux *VERY* well..

    It has been a couple of months since I booted into XP. But I have yet to allow XP onto the internet.

    I have a router with NAT and a squid ad-blocking proxy that I send all of my HTTP through. I don't even feel safe letting it browse through Squid..

    I don't have anything of value on the XP partition, but I worry that the box could be used to compromise my Linux servers, etc.

    It just blows me away *how far* away Microsoft is from being reasonably secure. They aren't even close. What a sad joke.

  179. when the unreasonable try to reason... by Anonymous Coward · · Score: 0

    if I may paraphrase, lying may make you untrustworthy, but being untrustworthy doesn't necessarily make you a liar.

    however, if I don't trust you, why should I believe anything you say?

    If you can be sure that someone always lies, then it's very easy dealing with that person: just turn 180 degrees everything he says.

    and what if he says, "don't believe what I'm saying - I'm lying?" If that itself was a lie, then it would be truth...which would make it a lie...

    when someone says, "don't trust anything we say - trust us on that," how can that not be paradoxical (at least)?

    Not being able to trust someone...means he lies or not according to a random pattern...

    and when the lion says, "I won't eat you," in truth he may not. but what is the cost of not trusting him when he's truthful, versus the cost of trusting him when he's not? ...so you can never be sure.

    exactly

  180. Does - Not - Compute by duck_prime · · Score: 2

    Well yes, but now you run in the horrible paradoxical loop !! Suppose MS says that they shouldn't be trusted. Assume you think it's right, so you don't trust'em, so you believe THAT sentence is false ! Therefore MS should be trusted. So of course you must trust'em, and believe they shouldn't be trusted... And so on & on !
    [Blinkenlights machine shudders and dies in a cascade of sparks and clouds of billowing smoke]

    Evil Space Scientist: You win this time, Kirk. But I'll be back. Mua ha ha ha ha!
  181. this is getting old.... by jedinerd · · Score: 1

    It is getting to the point that with any of Microsoft's products, installing them is putting your computer at dire risk of intrusion. When will the public figure out that quality of product is more important than general trends?

  182. The recent patch fixes the earlier hole by TrevorB · · Score: 2

    I've not seen anyone actually state it here, but I can confirm that the most recent IE cumulative patch that came out this morning does indeed patch that rather nasty hole reported earlier this week. I now get a lovely "Permission Denied" Javascript error...

    Now.. Seeing that Microsoft got off their butt and fixed the hole in just a few days, what does this have to say about releasing the exploit publicly?

    Actually, nix that... the flame war was way too long last time.. :)

  183. Wrong by WayTooOldForThis · · Score: 1

    MS is not advising users "to completely eliminate downloadable ActiveX controls." Rather, it is advising users to disable the trusted-publisher status, which simply suppresses the warning prompt before downloading an ActiveX control.

  184. Why do they advise to remove ALL publisher certs?? by extropalopakettle · · Score: 1

    They say:
    "What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft."

    Sounds like they're saying: You can't trust us, and if you can't trust us, who can you trust?

    Why should I remove the certificate of some other vendor from my trusted certs list, unless I expect they're likely to go and sign Microsoft's buggy control?

  185. Paradox? by piotrr · · Score: 1

    If someone tells you you should not trust them, would you trust them? I mean.. isn't that like saying "This is a lie."?

    --
    / Per
  186. Re: Another critical Microsoft hole by jackbang · · Score: 1

    Bear in mind that the Internet is a global medium and not everyone speaks English as a first language. Most native English speakers posting on Slashdot can't even get their own language right, as it appears that very few of them understand the difference between its and it's, who and whom or less and fewer, just to mention a few of the most common mistakes. (I mention these only in the misguided hope that at least a couple people will take this opportunity to figure it out.)

  187. ROOOOFFLLE by CakerX · · Score: 1

    Hold on, if I keep laughing any more, I think I am going to choke. MAN IS THIS FUCKING HILARIOUS. This is almost like the time my friend poured lighter fluid on his pants and lit himself on fire. When his balls started heating up, he screamed for someone to kick him in the nuts to put it out. They did, and after three or four stomps it went out.

    Moral of the story (intended for Microsoft), DO NOT LIGHT YOUR OWN NUTS ON FIRE. IT GOES DOWNHILL FROM THERE

  188. Are they trying to compete on # of vulns? by miffo.swe · · Score: 2

    This exploit should be known if they have fixed it in XP as another reader stated. Are Microsoft hiding vulns until they are found by others to keep the numbers on Bugtraq etc. down? Heck, I understand them if they have a hard time getting fewer vulnerabilities than the biggest Linux dists, together and with some vulns counted multiple times. Not to mention that a typical Linux dist includes a couple of thousand applications more than Windows.

    I have a hunch that Microsoft is actively trying to downplay vulnerabilities. They probably know about many more than they tell just to keep their numbers down.

    The audit that took place at the launch of their Trusted Computer initiative hasn't made any impact. It hasn't resulted in new bugs found in any significant number. I would think that it points towards:

    a) They did a crappy job and didn't find any new bugs.
    b) Windows hasn't got any more vulns left (not bloody likely)
    c) They found a bunch but to release them would show that Windows is a Swiss cheese of code so they only acknowledge the ones found by outsiders. They hope they go unnoticed until Net is ready.

    Personally I vote for c since they should have found a bunch if they really did audit the code.

    --
    HTTP/1.1 400
  189. And I found it amusing... by doorbot.com · · Score: 1

    At least as of Win2K, so many things break when you try to run as non-administrator, it's just not worth it for most people.

    Such as? I've been running as a standard user on my own personal laptop (W2K) for nearly two years and have had no major problems. The problems I did have were due to so-called "Windows 2000 Compatible" apps that were not. Simply finding the files which I needed write access to was usually enough to fix things -- use SysInternals' FileMon for this.

    I've heard your argument many times, though... how difficult it is to run things as a regular user. There are some arguments that can be made, but without specifics, it's just FUD.

  190. Are these security problems intended? by whoppers · · Score: 1

    These last few MS security holes have stated that XP isn't vulnerable. Per chance did MS in their infinite wisdom/corruption plan this? Seems like a good strategy if you're into that sorta thing.

  191. Ah, the irony... by syylk · · Score: 2, Funny

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

    Trustworthy Computing!

    Yeah, sure... And then they recommend to be removed from the trustworthy list...

  192. Why no fix is going to work by Shadestalker · · Score: 1

    Telling your computer not to trust MS is all fine and dandy, but what about the legions of point-and-clickers who are conditioned to mindlessly click 'OK' buttons without even reading the dialog box? Even those who glance at the box will most likely see 'Microsoft' and click 'OK' anyway.

    The problem isn't the technology, it's the users who slavishly obey all the 'Eat This' signs they see in Wonderland.

  193. It's just so depressing by derhurz · · Score: 0
    really.
    no shit. (spacing out and going offtopic here)

    Windows is the most depressing OS i have ever used.
    Just booting it up and watching my poor machine struggle with all that, that - badly written and inefficient code, plastered with the strobing lights of a user interface designed for tripping playschool children.

    And there is no escape. I don't want to bash Microsoft. I just wish I could develop software for another platform or that I'd taken on a decent profession altogether, become a joiner or plumber or whatever. Something you put your hands and your mind to and it works and works exactly the same again when you go through the same movements.
    You even know why it works and the things you touch don't just do something of their own accord, even though I've heard of nasty chainsaw accidents.

    God, it might be the november weather, but sometimes I hate the IT business so much, I can taste it in my balls.

    --
    -- yes, i know it hurz...
  194. Re:While it's fun to pile on his Majesty Satanic.. by IamTheRealMike · · Score: 2

    Why does Java not qualify for that?

  195. So THAT's how they plan on getting massive money.. by kcb93x · · Score: 1

    Every time a new vulnerability comes out, people'll have to go buy new hardware (or take it into a MS certified repair shop) to physically upgrade the software.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  196. Re:While it's fun to pile on his Majesty Satanic.. by smittyoneeach · · Score: 2

    I suppose you can define robust and arbitrary in a way that makes Java an answer. Furthermore, I've seen demos of teleconferencing/whiteboard software under Java with a 56K dial-up pipe, given righteous data compression.
    Yet, Java applets are not overtaking all browsers in sight. Begs the potentially trollish question: is Java the new Betamax?, or is it just Mr. Softy playing monopoly?, or is it something else?

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  197. Or Here by kcb93x · · Score: 1
    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  198. Well, we did it. by Maxwell'sSilverLART · · Score: 2

    Well, gang, we did it: we slashdotted Microsoft! Windows Update is reporting "Service Unavailable" when I try to update my boxen here at work. Yay, Slashdot!

    --
    Moderate drunk! It's more fun that way!
  199. Stupid question? by pod · · Score: 2

    Uh, ok, stupid question.. but can't MS just revoke the signature on the compromised applet? If not, why not? Does that mean that anything MS signs, is signed for life? What about 3rd party software/drivers? What if there is a backdoor or some other hidden malicious code?

    --
    "Hot lesbian witches! It's fucking genius!"
  200. Wha? by Anonymous Coward · · Score: 0

    BwaHaHa!!!

    That's funny.

  201. Oh my God by 2names · · Score: 1

    I've gone cross-eyed. "If I go back to the past and interfere with my birth, that would mean that I was never born and so I couldn't have gone back to the past to interfere with my birth which would mean that I actually HAD been born so I could grow up and go back to the past and interfere with my birth and........."

    --
    "I'm just here to regulate funkiness."
  202. Again? Oh well. by Jowr · · Score: 0

    I do run Windows 2000 Professional - great desktop/gaming OS and stable!

    This is not a problem for me, because I have removed most of the MS cruft. I run litestep as a shell, I use openoffice for wordprocessing, and I use Mozilla for web browsing.

    I could care less. Just confirms what I already knew even more.

    --
    ~ Detonating a nuclear device within the city limits will result in a 500 dollar fine.
  203. Open Source is on a different playing field by Lokist · · Score: 1

    I guess some of you out there don't realize that Microsoft is on a totally different playing field out there. Security issues on Microsoft products are a big deal because those products are supposed to be trusted. Although Microsoft may not go out of their way to deserve this trust it is still assumed. The difference between a Microsoft exploit and a Linux exploit is huge. Linux was founded in a very unique way. The internet is its home... It is still a system under development. You have tons of distros out there... did anyone ever notice that with most applications in those distros the software is either considered "stable" or "development". I have been using Linux for over 12 years, and personally I am okay with using applications that are considered just "stable"... Microsoft Windows was not founded on the net... It is almost completely closed source. Microsoft tells us that we don't need their source code because their system is their problem... I'm not a CEO of any company, not even management... but if I was, in order for my entire company to be using Windows I would want complete trust from the company that makes it. This post may not even be seen by the slashdot people. I just wanted to add my 2 cents.

  204. Catch-22 is probably a better description by Tired_Blood · · Score: 2, Informative

    From the recommendation page:
    Who could exploit the vulnerability?
    ...
    * Web client. A user could exploit the vulnerability against a web client if he or she were able to construct a web page that would send an appropriate HTTP command, and then convince a user to open it. Typically, this would be done by either hosting the page on a web site that the attacker controlled or sending it directly to users as an HTML mail.
    Also:
    A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

    HTTP commands are the method for exploiting this vulnerability. By default, IE trusts MS. I must use HTTP commands to visit the MS site and thereby learn not to trust MS (as advised). But in doing so, I accepted anything that may be malicious, before I knew exactly how not to.

    From this point of view, it seems to be more of a Catch-22. But then, in that scenario, MS would host the malicious server, which would be horrible PR and therefore improbable.

    One last thing, AFAIK it's the "Paradox of the Lie" and not the "Liar's Paradox", since the classic example is a statement (Like: "This statement is false" or my sig: "This is not my sig."), and does not refer to a person or liar. I lost points on a philosophy paper for just that reason. Pissed me off enough that I still remember it today.

    --
    This is not my sig.
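    The quoted bulletin text makes a concrete point: a trust decision based only on "signature valid + signer is a trusted publisher" accepts any version the publisher ever signed, including the old vulnerable one. The Python below is an added example (not from the bulletin or the post) that models both policies side by side. It uses an HMAC as a stand-in for the Authenticode signature so it runs offline; the publisher names, keys, CLSID and version numbers are all constructed placeholders.

```python
"""Install policy for signed components: publisher trust alone permits rollback."""
import dataclasses
import hashlib
import hmac

# Constructed stand-in for a code-signing certificate store: one secret per
# publisher. Real Authenticode uses X.509 certificates and RSA/ECDSA
# signatures; only the policy logic below is the point of the example.
PUBLISHER_KEYS = {
    "Microsoft (hypothetical key)": b"constructed-key-publisher-1",
    "Example Corp (hypothetical key)": b"constructed-key-publisher-2",
}


@dataclasses.dataclass(frozen=True)
class SignedControl:
    publisher: str
    clsid: str
    version: tuple  # (major, minor, build); tuples compare lexicographically
    payload: bytes
    signature: bytes


def _message(clsid, version, payload):
    # What the publisher signs: identity, version and a digest of the bytes.
    ver = ".".join(str(n) for n in version).encode()
    return clsid.encode() + b"|" + ver + b"|" + hashlib.sha256(payload).digest()


def sign(publisher, clsid, version, payload):
    key = PUBLISHER_KEYS[publisher]
    sig = hmac.new(key, _message(clsid, version, payload), hashlib.sha256).digest()
    return SignedControl(publisher, clsid, version, payload, sig)


def signature_valid(ctrl):
    key = PUBLISHER_KEYS.get(ctrl.publisher)
    if key is None:
        return False
    expected = hmac.new(key, _message(ctrl.clsid, ctrl.version, ctrl.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, ctrl.signature)


def decide_naive(ctrl, trusted_publishers):
    """The behaviour the bulletin describes: a valid signature from a trusted
    publisher installs silently, so an old signed version is re-installable."""
    if not signature_valid(ctrl):
        return ("prompt", "signature invalid or signer unknown")
    if ctrl.publisher in trusted_publishers:
        return ("install", "signer trusted")
    return ("prompt", "signer not trusted")


def decide_hardened(ctrl, trusted_publishers, version_floor):
    """Same check plus a per-CLSID minimum version. A valid, trusted signature
    on a version below the floor is blocked outright, which is the role the
    replacement control and its kill switch play in the actual fix."""
    verdict, reason = decide_naive(ctrl, trusted_publishers)
    if verdict != "install":
        return (verdict, reason)
    floor = version_floor.get(ctrl.clsid)
    if floor is not None and ctrl.version < floor:
        return ("block", "version %s below floor %s for %s" % (ctrl.version, floor, ctrl.clsid))
    return ("install", "signer trusted and version at or above floor")


# Constructed sample data: one CLSID, an old vulnerable build and its fixed
# successor, both carrying valid signatures from the same trusted publisher.
CLSID = "{00000000-0000-0000-0000-00000000PLAC}"  # placeholder, not a real CLSID
TRUSTED = frozenset({"Microsoft (hypothetical key)"})
VERSION_FLOOR = {CLSID: (1, 1, 0)}
OLD = sign("Microsoft (hypothetical key)", CLSID, (1, 0, 0), b"constructed old control bytes")
NEW = sign("Microsoft (hypothetical key)", CLSID, (1, 1, 0), b"constructed new control bytes")
# Same signature, modified bytes: the signature check must reject this.
TAMPERED = dataclasses.replace(OLD, payload=b"constructed modified bytes")


if __name__ == "__main__":
    for name, ctrl in (("old", OLD), ("new", NEW), ("tampered", TAMPERED)):
        print(name, "naive:", decide_naive(ctrl, TRUSTED),
              "hardened:", decide_hardened(ctrl, TRUSTED, VERSION_FLOOR))
```

    The interesting row is the old control: the naive policy installs it with no prompt because nothing about its signature is wrong, which is exactly the rollback the bulletin warns about; the hardened policy blocks it because the version floor is checked after, not instead of, the signature. Removing the publisher from the trusted list (the bulletin's advice) only downgrades "install" to "prompt", leaving the final decision with the user.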
  205. Re: Another critical Microsoft hole by Anonymous Coward · · Score: 0

    Its people whom are grammer police that I have fewer respect for.

  206. Why not just Microsoft? by Jacco+de+Leeuw · · Score: 2

    I don't get it. If there is a bug in this ActiveX control by Microsoft, why do you have to remove the certificates of all other Trusted Publishers?

    --
    -------
    Warning: Slashdot may contain traces of nuts.
    1. Re:Why not just Microsoft? by Anonymous Coward · · Score: 0

      Try to imagine the belief system that makes this action a credible alternative.

  207. slashdotters who... by selfdiscipline · · Score: 1

    use Windows in most cases shouldn't care so much about postings like this... Microsoft vulnerabilities are almost all in the explicitly Internet-related Microsoft tools. If you don't use IE or Outlook, you shouldn't have to worry much. I really think that even if 43% of slashdotters use Windows as their main OS, only 5%-10% of them would use IE as their main browser. At least I hope so. Has there been a survey lately?
    So I think that IE and Outlook vulnerability stories could be said to be needless and redundant... but then, I'm reading them out of curiosity.

    --
    -------
    Incite and flee.
    1. Re:slashdotters who... by sir99 · · Score: 1
      Not really on topic, but...
      Microsoft vulnerabilities are almost all in the explicitly internet related microsoft tools.
      I think if user-level security was as important to Windows as it is to 'nix, you'd see a lot more non-internet-related holes being announced. For example, the shatter attack that lets you gain system privileges as a normal user on many systems. Most of the non-network holes on Linux have to do with gaining privileges and overwriting other users' files, but these issues don't matter much on single-user Windows systems.
      --
      The ocean parts and the meteors come down
      Laid out in amber, baby.
  208. How did it get there? by mentin · · Score: 2
    I removed Microsoft from my "trusted publishers" list a long time ago ; )

    How did it get there? This list is empty on a clean install. To be able to remove something from "trusted publishers", you have to add it to this list first.

    So you clicked the "trust Microsoft" link to be able to remove it later. Are you a sadomasochist? ;)

    --
    MSDOS: 20+ years without remote hole in the default install
  209. Re:He's right about the fonts by mbogosian · · Score: 4, Interesting

    Actually, I think more realistically, this would mean that Windows Mozilla would become the next hot bugtraq item. Mozilla running on Windows is not the same as Mozilla running on any other OS. Mozilla is guilty of using Windows-specific stuff too (like the JavaScript interpreter).

    While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogeneous across platforms as possible), I'm not sure if it would help Windows users all that much because by default Windows users are at or near the equivalent of root users. Windows is a security-weak OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is still allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deeper than just IE.

    Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security holes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).

    Here's an analogy: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines seized. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gasohol).

    However, it's much easier in the world of easily-reproducible flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there are little to no tools available to make that process available to the common consumer. What's worse is that even if there were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.

    No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.

    In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.

    Okay, maybe that analogy doesn't work either, but I think you get my point.

  210. Serious Question Here by Anonymous Coward · · Score: 0

    I have a serious question for anyone who cares to answer. I never use IE anymore now that I have Opera. I've set the "security" settings on IE to high and I never use it for anything anymore. If I have to use another browser for some reason, I use Netscape.

    OK, my question is this: Can I simply ignore all security problems with IE now, or do I still need to keep installing the endless patches and fixes for IE vulnerabilities? In other words, is my system still vulnerable simply because I have IE on my comp, or is it safe from IE vulnerabilities since I don't use IE anymore?

    1. Re:Serious Question Here by Anonymous Coward · · Score: 0

      IE is integrated into the system. Yes you are vulnerable.

  211. This "study" was completely debunked. by Anonymous Coward · · Score: 1, Informative

    First of all, in their comparison of the number of critical bugs in Linux vs. Windows, they counted application bugs in the Linux totals, but not in the Windows totals. If they had included all the bugs in IE, IIS, Office, etc., the Microsoft numbers would have been MUCH higher.

    Their other deceitful manipulation of the statistics was that they counted every bug in every Linux package once for every distro they evaluated. So even barring the other deception, you have to divide their Linux bug count by 15 or something to get a meaningful comparison.

    A grain of salt ain't gonna cut it with this so-called "study". It's not just bad methodology; it's an outrageous pile of shit. You'd have to be a pointy-haired boss not to smell it.

  212. Re:RTFM : lol... Try Runas.. WAAY TOO LATE TO POST by pVoid · · Score: 1
    But, hey, if you read this, you might learn something useful!

    If you feel up to it, go to SysInternals, and download FileMonitor, ProcessExplorer and WinObj. These three tools are hardcore.

    Run your app in normal mode, and watch what it's doing with FileMonitor (if you see ACCESS_DENIED entries, you can fix that pretty easily).

    Now, if for example, you have a CDROM burner, open WinObj (as an administrator), and go to /device/Cdrom1... check the properties, and select the security tab. You will have an ACL editor a-la file system. There you can allow others than just Administrator burn (write) permissions.

    That's a very cool tool. And as you can notice, burn rights are ACL entries, not user token privileges. BIG difference.

    I'm sure there's the same thing for scanners.

    All Zealots: please notice how winobj actually shows the real NT namespace. And just like any other system, it starts at /. Also notice /Device/Null, and /Device/PhysicalMemory...

    Yes. Just like in NIX.

  213. Re:Bias and the 'solution'... Due Diligence. by Anonymous Coward · · Score: 0

    Read the whole page from Microsoft. It's right there. Microsoft advises users to not only update MDAC but also to STOP trusting Microsoft.
    FUDpucker
    Oh yeah, take a look at number 66. It's great.

  214. Windows specific? by Anonymous Coward · · Score: 0

    What Javascript interpreter? It sounds like the same one that runs on every other Mozilla platform. Sure, Mozilla does have some Windows-specific features, particularly Quick Start, but I don't think Javascript is one of them. Maybe you were thinking of Java.

    1. Re:Windows specific? by mbogosian · · Score: 3, Interesting

      It sounds like the same one that runs on every other Mozilla platform.

      If that were true, then the behavior of the following would be the same across platforms:

      // This is an undocumented
      // IE way of accessing the
      // attributes of a form
      // named FORMNAME
      document.forms.FORMNAME;

      // This is the standard
      // method
      document.forms["FORMNAME"];

      Note: the first statement works in all versions of IE that support JavaScript on both the Windows and Mac OS X platforms. The first statement doesn't work in any version of Mozilla except the Windows versions. Several conclusions might be drawn from this:

      1. The Mozilla JavaScript interpreter is different for its Windows binaries
      2. Mozilla running on Windows is borrowing the built-in JavaScript interpreter
      3. The Windows loader/linker (or equivalent) is forcing Mozilla to use the wrong JavaScript interpreter (though this is pretty unlikely)
      If someone knows/finds out, please let me know. I'm dying to find out.
  215. Last Post! by alpg · · Score: 1

    Here is a simple experiment that will teach you an important electrical
    lesson: On a cool, dry day, scuff your feet along a carpet, then reach your
    hand into a friend's mouth and touch one of his dental fillings. Did you
    notice how your friend twitched violently and cried out in pain? This
    teaches us that electricity can be a very powerful force, but we must never
    use it to hurt others unless we need to learn an important electrical lesson.
    It also teaches us how an electrical circuit works. When you scuffed
    your feet, you picked up batches of "electrons", which are very small objects
    that carpet manufacturers weave into carpets so they will attract dirt.
    The electrons travel through your bloodstream and collect in your finger,
    where they form a spark that leaps to your friend's filling, then travels
    down to his feet and back into the carpet, thus completing the circuit.
    Amazing Electronic Fact: If you scuffed your feet long enough without
    touching anything, you would build up so many electrons that your finger
    would explode! But this is nothing to worry about unless you have
    carpeting.
    -- Dave Barry, "What is Electricity?"

    - this post brought to you by the Automated Last Post Generator...