Another Critical Microsoft Hole
gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched Windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? Kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
"can make IE and IIS to run any code in the system"
Noooooo!
Minesweeper WON'T stop coming up!
--This girl at the library the other day
Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)
Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
``Don't trust Microsoft'' is just a good security principle in general. Finally they realize it. :-)
Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.
Difficult to read this post is, hmmm?
This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.
Reality is defined by the maddest person in the room
The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft.
The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.
Will Do!
All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.
"Don't trust us"
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
As this control is Microsoft signed...
Trusted computing, digital signing... I guess it all boils down to "You can trust Microsoft that this signed control will screw over your computer."
Outdoor digital photography, mostly in New Engl
Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.
"Let's face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, it's just not a good idea"
An Eye for an Eye will make the whole world blind - Gandhi
I also don't trust software I write, why should MS do different? I mean you can't say elseway "The programmer was a moron" and keep the pride
Lone Gunmen crew.
It just makes us look like insecure teenagers
Maybe we should apply the SECURE teenager patch I thought I saw somewhere....
...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.
The solution is to upgrade to Windows XP because it doesn't have this problem. This is the best news Microsoft has had in years!
The current user is a perfectly safe security context
Sure if you never store personal documents under it.
So Microsoft says to not trust them. Ok, I will not trust. But then I don't believe in this request. So I should trust MS. Ok, I'll trust'em. But then the request is true, and I should not trust...
Prescriptive grammar:linguistics
Microsoft Security Bulletin MS-666: It is recommended that you remove Microsoft Windows in order to prevent the above mentioned vulnerability from accessing your server. There is no security hotfix available at this time.
Current Microsoft story on CNN Tech news:
"Microsoft innovates"
With a nice little "sponsored by Microsoft" icon right under the headline. That is why..
Hello, today when browsing the site, I found an error (probably typographical) on the site. I would appreciate it if you could correct this: The story "Another Critical Microsoft Hole" should be reposted under the "It's Funny. Laugh." category. Thank you for your time.
It's all Eolas' fault :)
http://www.mozilla.org
Yes.
beowulf cluster of yoda there are.
karmasuicide2k2
world was created 5 seconds before this post as it is.
ok, so Microsoft says "You can't trust us".
Anybody see that this resembles the following situation:
"I am a pathological liar,
Everything I say is a lie,
you can trust me on this."
Now what are ya gonna believe??
--note to self--
Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.
(...)
"The simplest way is to make sure you have no
trusted publishers, including Microsoft. If you do
that, any attempt by either a web page or an HTML
mail to download an ActiveX control will generate a warning message."
(...)
We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!
This message doesn't need a signature
This message doesn't need a sig
I'd really like to see all of these laid out on a time line. Seems every day there is a new M$ "critical" issue. :)
What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..
I think that this is due to the fact that these installs are modifying the registry. But, you say, Win2k has a user portion of the registry that the user can edit. Well, yes, but this does not allow for dependencies and global file extension settings. Basically, when a "dependent" program is installed it increments a counter in the registry branch for the program that it is dependent on (if that makes sense :-)), so that if you try to un-install the 'higher-level' dependency, or run a disk clean up, Windows knows not to remove it. Anyway, to get back to the point, you need the admin rights to be able to make changes to the non-user portion of the registry. I do agree though - bloody stupid.
Intelli-sync for Palms is one program like this. Their solution - install / run as Administrator. Just make sure that when you do this you only make the user a LOCAL administrator. I made this mistake once - and spent most of a night putting one of our servers back together. Never again!
The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
Trustworthy Computing!
Yeah, sure... And then they recommend to be removed from the trustworthy list...