Another Critical Microsoft Hole

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

Aaahhhh!

[SledgeHBK]

"can make IE and IIS to run any code in the system"

Noooooo!

Minesweeper WON'T stop coming up!

--This girl at the library the other day

Re:Aaahhhh!

[andrew_0812]

Wait a minute. You mean I can't trust Microsoft?

Re:Aaahhhh!

[Dinosaur+Neil]

That depends. According to their bulletin, you can't trust MS. But the bulletin came from MS, so you can't trust the bulletin. So you can trust MS. Whch means you can't trust them which...

Ah, the classic "I am lying" paradox...

Re:He's right about the fonts

[Rebel+Patriot]

Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)

Sound Advice

[stevens]

``Don't trust Microsoft'' is just a good security principle in general. Finally they realize it. :-)

Re:Sound Advice

[nougatmachine]

I removed Microsoft from my "trusted publishers" list a long time ago ; )

Re:Sound Advice

[ichimunki]

Let's hope the US Government gets it. There is cause for concern (article titled "Microsoft seeks government partnership").

Re:Sound Advice

[RyoSaeba]

Well yes, but now you run in the horrible paradoxal loop !!
Suppose MS say that they shouldn't be trusted. Assume you think it's right, so you don't trust'em, so you believe THAT sentence is false ! Therefore MS should be trusted. So of course you must trust'em, and believe they shouldn't trusted... And so on & on !
Finally their claim is just another way to make your system / brain crash due to stack overflow...

Re:Sound Advice

[Violet+Null]

"shouldn't be trusted" != "lies all the time"

Re:Sound Advice

[dead+sun]

Trusted publishers list? That thing's empty. I don't trust anybody to decide what should be on my system besides me.

Re:Sound Advice

[morgajel]

wonder if microsoft will mention this to the japanese when they're evaluating OSS? :)

Re:Sound Advice

[DarrylM]

Ahh, It's all coming clear... Microsoft is using A.L.I.C.E. now!

Microsoft1: All things you need to trust are from Microsoft.
Microsoft2: But all things are not always me need to trust are from Microsoft.
Microsoft1: Umm. But all things are not always are not always you need to trust are from Microsoft.
Microsoft2: Interesting. But all things are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: Interesting. But all things are not always are not always are not always are not always you need to trust are from Microsoft.
Microsoft2: Huh. But all things are not always are not always are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: Huh. But all things are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
Microsoft2: Umm. But all things are not always are not always are not always are not always are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: And. But all things are not always are not always are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.

etc.

:-)

Re:Sound Advice

[Anonymous+Custard]

Let's hope the US Government gets it. ..."Microsoft seeks government partnership"

If, like me, you're not pleased with the current (and soon to be republican dominated) government, you might want to do this: Encourage the government to join up with MS for a two-year contract, and make it a very visible decision. Then, furtively encourage hackers to fsck with all the new security holes in the governmental systems, in ways that do not directly hurt anyone but cause public outrage by privacy breaches, scandal exposures, and whatever else. Then, when elections come around, everyone will vote the republicans out, we can all get the new government to switch away from MS, and all will be fine in the world of tech and politics. :-)

Re:Sound Advice

[ninewands]

Quoth the poster:

"shouldn't be trusted" != "lies all the time"

This is true and makes the situation all the more problematic. If the two were equivalent we'd no not to EVER believe them. It is not, so, sadly, we don't know when they are or are not lying.

Re:Sound Advice

[cheezedawg]

Who do you trust? Linux?

Re:Sound Advice

[1010011010]

Do something like this in a logon script:

WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Wi nTrust\Trust Providers\Software Publishing\Trust Database\0\"
WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Wi nTrust\Trust Providers\Software Publishing\Trust Database\0\",NULL ... and it will flush that list on every login. Your users will click the "always trust" box. This will undo the damage.

Re:Sound Advice

[Xerithane]

Who do you trust? Linux? [yahoo.com]
That's a bad troll. Both on your part and on Yahoo's part. This has already been discussed in length, and while a number of different software packages and operating systems have a higher number of CERT advisories combined than Microsoft, Microsoft is still less secure.

That article says this: Microsoft Products hav fewer CERT advisories than Linux and Open Source combined.

Well.. Open Source: FreeBSD, OpenBSD, Linux, Gnome, Mozilla, KDE, BIND, Sendmail, etc. What does Microsoft have that CERT would report on: IIS, Operating System, and IE.

Not only that, but just counting the number of vulnerabilities reported on CERT is like counting the number of times you have cut yourself and saying that you bleed more than your friend who has cut himself half as much as you, but one time lost half his blood in one cut.

Microsoft ActiveX Controls?

[og_sh0x]

Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"

This bodes well

[evilpenguin]

Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.

Re:This bodes well

[aphor]

HERE HERE! I'll drink to that! There is no such thing as implicit trust, and if you think there is, please send me a blank check. I agree not to abuse it ;)

Re:This bodes well

[kmellis]

"There is no such thing as implicit trust, and if you think there is, please send me a blank check." - aphor

Sure, just give me your address, and it'll be on its way.

Re:This bodes well

[Tony-A]

There is no such thing as implicit trust, and if you think there is, please send me a blank check.
Trusting something does not imply trusting everything.
A blank check. Hmmmm. Lot's of ways to fill that request. You didn't say whose blank check.
Actually, you trust most things in your environment implicitly. You trust the ground in front of your feet to be solid and not a holographic projection. You trust your drink to be more potable than rat poison. You trust the sun to come up again tomorrow morning.

Re:This bodes well

[aphor]

If I had known it would spark a philosophical debate, I would have narrowed my defenition of "trust." I'm sorry if I twisted your noodle.

Trusting the sun to come up is a little bit^H^H^H^H^H^H^H^H^H^HSIGNIFICANTLY different than trusting Microsoft to refrain from buggering up your machine on an automated update.

It's even further than the potable drink thing: actually GingerAle is very effective rat poison. Rats can't expel gas (belch or fart), so when they drink carbonated liquids, their distended little bellies explode.

I'm sorry, but I have to bring an empirical distinction to bear on my defenition of trust. Statisticians can calculate a (alpha), or significance, for a particular principle if you state it as a repeatable trial: If you do this, then your result will be that. The alpha is the percentage of time that reality will confound your hypothesis if the trial is repeated infinitely regardless of whether you are wrong or right. Some hypotheses will have an alpha between 0.5 and 0.75. The kind of trust you put in those (if you're wise) is "suspicious." Some hypotheses have an alpha that approaches zero ( 0.05 is the accepted minimum practical scientific alpha ). These hypotheses are trustworthy on a different level.

Re:This bodes well

[Tony-A]

Trusting the sun to come up is a little bit^H^H^H^H^H^H^H^H^H^HSIGNIFICANTLY different than trusting Microsoft to refrain from buggering up your machine on an automated update.

Yes. The sun comes up.

Re: Another critical Microsoft hole

[T1girl]

Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.

Difficult to read this post is, hmmm?

i don't think

[mrpuffypants]

microsoft has never been a trusted partner in my mind....or on my computer

"Don't trust Microsoft"

[ctid]

This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.

Re:"Don't trust Microsoft"

[Jucius+Maximus]

"This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief."

I agree. I can't wait for the next worm or ILoveYou mass e-mail infection that spreads this. Hopefully whoever writes it will wipe "\My Documents" or perhaps the whole machine so that people will finally get the idea that responsible decisions must be made when computing, both with software choices, software administration, and useage in general. There are too many people out there who STILL haven't realised that irresponsibility when using computer has reprocussions in the real world.

I Like Their Solution!

[0101000001001010]

The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft.

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

Will Do!

Microsoft Security Bulletin MS02-065

[henben]

Interestingly, that page doesn't render properly in Opera 7 Beta unless you identify as MSIE - when it works fine.

Re:Microsoft Security Bulletin MS02-065

[henben]

Actually, the DHTML stuff is still broken, but you can at least read the page.

More Bias

[OpCode42]

Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know thats its not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.

*flame retardent jacket on*

That is all.

Re:More Bias

[Seahawk]

Well - I see your point, an I am oppesed to needless MS bashing as well! The difference between the OSS vulnaribilities and this IE is that the OSS vulnaribilities is fixed rather easy, and Microsofts solution to the problem(Dont trust MS activex controls) just wont help the average user as he has no idea how to not trust Microsoft

As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!

Re:More Bias

[mao+che+minh]

Stop stating the obvious and go away. Slashdotters don't need to hear this. We love our comfortable little world.

Re:More Bias

[warrior_on_the_edge_]

It just makes us look like insecure teenagers

Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

Re:More Bias

[binaryDigit]

Well the biggest problem is the sheer number of IE users and therefor the potential impact of a security hole. While a problem in say, Samba, has fairly limited exposure.

And probably the thing that any OS proponent will gleefully point out, is that the "solutions" offered by M$ are typically not very satisfying and there really isn't much you can do about it (vs switching OS's of course ;)

I agree that there is a a large amount of M$ bashing, but then what would one expect, when in Rome ....

Re:More Bias

[keyne9]

Well, in my household, I will generally only update the secondary computers every month, give or take. More critical patches, I'll update immediately. I do not really consider these updates as bashing, per se, but rather a boon for me.

I seem to remember a poll that indicated that a significant portion of the /. crowd used or otherwise had installed Windows on at least one machine. I can't see how this woudl be totally irrelevant.

I can, however, see that the updates are quite one-sided. Is it, perhaps, that less people submit the linux related bugs? or that the editors choose to publish more Microsoft-related ones? I think only they know for sure. Either way, people benefit.

Re:More Bias

[xeno-cat]

This is'nt just IE, it effects IIS as well so it's releavent for both User types and admins.

I'd have to agree with you that it gets tiring seeing IE exploit of the week ( or day ) and the retreaded jokes and karma hores. But then maybe you can filter them in your preference?

The thing is MS is the system that is allegedly on 90%+ of the desktops in the USA and maybe the world. They did'nt get there legally and they do not take security, law, or human rights seriously. They spend millions on advertising, FUD and outright lies. So in the end I guess I don't mind suffering the constant reminders as to why I don't use any of their products. What other news source reports this stuff?

Besides, nothing puts I smile on my face in the morning like a cup of coffee and a new MS exploit.

Kind Regards

Re:More Bias

[platypus]

Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

Because samba et.al. use a completely different security philosophy. This shows and proves something that many people have said before, namely that MS' security philosophy based on "trust us, we know better what to do" is flawed. In the light of this news you can only laugh about popups like "Always trust content from microsoft corp.".

This is also not very encouraging for MS' auto-update feature in XP, and their whole fucking ideas of stuff in their OS's downloading components from the net without asking the user.

Note that the above is also true for other software publishers, but MS takes the spotlight for various reasons, like their omnipresence and their bullheadedness concerning these problems.

Re:More Bias

[SirSlud]

The day my bug-ridden OSS software starts silently self-installing across the web because my box was automagically set up to 'trust' the 1s and 0s, I'll stop making fun of MS.

Until that day, I'll get my kicks from MS bashing. You've read and heard the things Baller & co have said about Linux (I particularly liked the "Linux is unamerican" comment, hehe) .. you can't honestly think that the Linux crowd is the only group of users that enjoy crass, glib jabs at the competition now, can you?

So cease thy whining and either bash or don't. No need to pass judgement unless your prepared to accept that the whole world is guilty of the behaviour you are so desperate to eschew.

Re:More Bias

[FortKnox]

What's worse? /. bitches and moans when MS doesn't supply a patch right away (in order to test it fully), now that MS does release a patch quickly, it is full of flaws that would have been checked if they would have just tested it longer like they normally do.

Damned if they do, damned if they don't.

Re:More Bias

[platypus]

This begs the question why they did implement this trust "feature" in the first place.

Re:More Bias

[Blkdeath]

Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

Yes, Slashdot announced a recent KDE vulnerability, and security holes affecting a popular open-source RAW TCP stream library as well as recent BIND 4 and 8 security vulnerabilities, and the trojan'ing of a Sendmail distribution, not to mention the privacy leak in the poster-boy browser for OSS - Mozilla, and how could we forget the Linux Worm that created an "attack network"?

Slashdot reports security vulnerabilities that affect large portions of the userbase. All of the above affect large portions of the OSS world, and IE vulnerabilities affect the vast majority of the workstation userbase (globally!). The difference between OSS and Microsoft security bulletins, however, tends to be that the OSS bulletins are generally followed-up shortly after release with "... and get the patch here, here, and here, and download [updated|backported] versions from your vendor here, here, and here". Only too often do we see updates to Microsoft bulletins that read along the lines of "... and Microsoft is stonewalling [me|us] ... " or "... Microsoft has officially denounced this as invalid ... " or "... Microsoft has accepted the bug report and is working on a solution ... " (which doesn't arrive for six weeks, and does so very silently with little more than yet-another-MS-bulletin and another item in the Windows Update listing).

The reason Slashdotters 'bash' Microsoft, especially in the face of "yet another IE/IIS critical security vulnerability" is that they're so recurring. The fact that this one happens to be digitally signed by Microsoft themselves, and that the only way to get around the vulnerability is to literally stop trusting Microsoft makes it more than hilarious; it's downright embarassing for them. When something embarasses one of the Open Source world's largest nemeses, and the very giant who has its sights set on Linux (primarily) and phasers set to kill, it gives us a warm tingly feeling, and human nature dictates that when this feeling is present, "I Told You So!" is a response that gives us imense amounts of pleasure.

Speaking of "I Told You So", I have to remember to show this one to our co-op student when he's next in. It'll make for a good practical demonstration of why I told him not to check "Always trust from ... " checkboxes within IE.

Re:More Bias

[wytcld]

in a week where we have alerts for Samba, php, kde (libs and network) and apache

The only Apache security alert I can find is for 1.2.26 - and 1.2.27 has been out for awhile (plus some distro versions of 1.2.26 are patched against it). This alert has been out for weeks too.

There are no alerts I can find against the current version of PHP.

As for the KDE alert, updating Gentoo has already fixed that here. Your mileage may vary.

The Samba alert is for something with no known exploits, and a new version of Samba was released yesterday that fixes it.

Meanwhile tens of millions of people are using MS browsing or e-mail and opening what should be secure systems and networks to intrusion. You tell me where the problem is. I don't think it's in a bias on /. As a matter of national and corporate security, MS should not be run on any system with e-mail or browser access to the public Net.

Re:More Bias

[Archie+Steel]

It's not MS bashing, it's warning people of a dangerous bug/vulnerability so they can be better prepared to deal with it.

Despite, what's wrong with bashing a 40-billion quasi-monopoly that dominates the OS and Office markets while doing its best to destroy the competition by spreading FUD and distributing payolas around? Vocal criticism and boycotting are the sole weapons of consumers in facing this juggernaut, and you'd want us to forfeit these as well? Are you a MS employee or shareholder? If not, then why does MS-bashing annoy you so much? In my view, MS has more than deserved all the bashing it can get!

Re:More Bias

[tshak]

This is also not very encouraging for MS' auto-update feature in XP

I understand your point, except that in this case XP is not affected by the vulnerability so this isn't an issue.

Re:More Bias

[DickBreath]

Can we please stop all this MS bashing?

Yes, the adolescent bashing should stop.

No, the news coverage should not stop. Whether you read it on Slashdot or elsewhere, this is a newsworthy item. Worthy of discussion. Microsoft's marketshare alone makes it newsworthy.

Nevermind that it is one more of many examples of Microsoft selling an inferior insecure product at an outrageously inflated price making obsecne profits (see recently filed SEC Form 10-Q) used to subsidize predatory pricing in other new markets to kill competitors and gain new monopolies.


(...we now return you back to the adolesecnt Microsoft bashing...)

Re:More Bias

[5KVGhost]

This is not an OSS vs close-source issue. A Red Hat vulnerability is just as much of a burden on a typical desktop user as a Windows vulnerability. And how easy it is to fix any kind of software problem varies wildly with the complexity of the problem, the interest/capabilities in the support community, and ultimately the technical ability of the end user.

MS' solution to this bug is a kluge. They either failed to consider this problem or implemented their solution poorly. Hindsight is 20/20. Either way, it looks like they (or other people using the flawed module) painted themselves into a corner.

But don't kick back and assume that the same thing can never happen on an open source project, because I guarantee you're mistaken.

Re:More Bias

[throx]

This is also not very encouraging for MS' auto-update feature in XP

Why not? I don't think you read the problem here. It's not that the versions of the updates on Microsoft's site are bad it's that 3rd parties can have the bad codebases on their own site and therefore people can download the faulty code again.

Autoupdate in XP connects to Microsoft, not an arbitrary 3rd party. There's not the possibility of downloading the older code.

Re:More Bias

[greenrd]

Yeah, and will this warning message warn you that this ActiveX control could exploit a security hole?

So my question is this, does their "solution" actually patch the security hole?

Re:More Bias

[Tony-A]

except that in this case XP is not affected by the vulnerability so this isn't an issue.
Rubbish.
XP is not the only Microsoft product.
XP is not immune to all possible vulnerabilities.
XP has not totally and permanently disabled auto-update.
XP being not affected by one of many vulnerabilities does not make auto-update a non-issue.

Re:More Bias

[Tony-A]

Damned if they do, damned if they don't.
Ah, the grasshopper is catching on. Microsoft is damned.

Re:More Bias

[platypus]

Unless there's a DNS server or router compromised.

Re:More Bias

[throx]

Then the https connection is just going to barf at you, if I remember my crypto correctly.

Re:More Bias

[WNight]

So why bother signing code if it's all going to come down to trusted-host security?

What prevents someone downloading all the MS updates, making a collection of all of them with reported bugs, and then when they have a collection of software with enough holes to allow them to "root" any windows box, hacking into a few DNS servers and pointing the XP update name to them (or, if it's an IP, changing routing information) and offering people the authentically signed, broken, MS patches?

Microsoft needs a PK-signed list of current updates, on a signed and dated page (with the ID address of the server in it) so that when you go to a page and it offers you a pluggin you instead go to MS and ask for the most recent version, downloading it from the site only if MS says they're up-to-date and then carefully checking the signature.

Re:More Bias

[throx]

First, I believe changing the IP address doesn't work if you are using SSL. Private key won't match the public key. I *think* (big assumption there) the auto-updater in XP uses SSL and if it doesn't then it's dumb.

Second, what I really don't understand about all of this is why they didn't just increment the version number so the Windows installer program saw the reverse patching as a downgrade and refused to do it (or at least gave another one of those wonderful warnings that everyone ignores).

Third, this isn't just a Windows problem. Many Linux distros as well as MacOS X have auto-updaters which could just as easily be fooled by a routing change unless using a combination of SSL and signing of the downloads.

Re:More Bias

[WNight]

Couldn't you just not do an SSL site, and thus not offer a signature at all? Or would the updater require it? Ideally it would, but I dunno.

Yeah, the version number incrementing and either upgrading everyone, so the OS would see the broken one as a downgrade, or a "trusted" site that had md5 sums and a list of the latest versions (if not the actual downloadables) so that software could be "expired" remotely.

Courtney Love Fans?

[CatWrangler]

They keep attaining hole records all the time. It just makes me wonder.

a solution...? I reckon.

[girl_geek_antinomy]

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

Am I the only one who finds this uproariously funny...?

Micro$oft wants us not to trust it. Not that this will be a problem in many cases, but... Maybe if we applied this more generally the world would be a nicer and safer place?

Don't worry, we know just what to do...

[Spazholio]

"Now listen to me very closely, because I have the answer for your problems. The way to fix your troubles is to not trust me..."

Catch-22, eh? The company that's giving you the solution is also telling to that they're not to be trusted. I don't care WHAT company that comes from, it's funny...

Question

[zero-one]

Why can't IE run in a process with reduced privaliges? Why does IE need the privalages of the current user on NT/2000 when all it does is browse the web?

Re:Question

[pVoid]

The current user is a perfectly safe security context - unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

IIS needs to run as system for a couple of reasons that aren't worth detailing. The issue was the there was no distinction between Local-System, and Network-System as there is now in XP.

Re:Question

[Peer]

The current user is a perfectly safe security context

Sure if you never store personal documents under it.

Re:Question

[marauder404]

What kind of privilege set do you recommend using instead? It's consistent with current security models -- the application runs at the privileges of the user. The problem seems to be that most users (myself included) have users in the Administrator group, so any time something goes wrong, it happens at the root level. Oh well.

Re:Question

[0x0d0a]

run as admin

Umm...yes. And until XP, it was a complete fucking pain in the ass to run as non-admin. I don't get off on having to log out of my machine every time I want to install a piece of software. This sort of crap might be palatable in a business workstation environment, where you can't install whatever you want, but on a home machine, running as Administrator on Windows was the only reasonable thing to do for a long time.

Now, I'll grant that that's pretty pathetic when you compare it to UNIX...

Re:Question

[gmoschin]

Actually, you can.. at least, on Windows XP.. I haven't tried earlier versions.

Create a shortcut to Internet Explorer.

Right-click the shortcut, choose "Run As.."

The option "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.

Click OK to run Internet Explorer in "secure mode".

Caveats to running in this mode:
Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
Other web-based programs may not run correctly.

You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.

Re:Question

[digitalsushi]

I prefer the bipolar approach- on personal machines, run as admin||root. On work machines, always always the regular user, unless you need admin||root. Make sure you have much different passwords so that you think about what you're doing (personal passwords="meh", work passwords="50m3.0th3r-th1ng-2362hj", to force you to think on the work machines) Then after a few system screw ups from running as admin||root on your personal stuff, you train yourself enough to know when you're doing something risky or stupid, and that seems to be enough time to avoid regular disasters. Either that or just alias su='export PS1=#' and get on with your simple life.

Re:Question

[pmz]

Why can't IE run in a procesWhy can't IE run in a process with reduced privaliges?s with reduced privaliges?

Does Windows (any shade or flavor) have the ability to run a process under something equivalent to UNIX `su`? I do this with Mozilla on Linux/UNIX using an account that has very limited filesystem permissions.

Re:Question

[dnoyeb]

How will it read the 'current user(s)' favorites? How will it save its cache to the current users documents and settings? How can it store its history, etc...

Any 'user' program will need at least the privledges of the current user. the OS can never know what the program will need to do so best to let it do what ever the user wants it to do.

I personally would be surprised if IE ran only with current user privledges. Its trying to be so smart and do so much within the OS that it more than likely is running at a higher privledge that you are :D

Re:Question

[Alan+Shutko]

The current user is a perfectly safe security context - unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

That's why we don't have to worry about any of the viruses that send the payroll listings to everyone in your addressbook, or delete your personal files, or insert profanity in your resume when you print it.

Thank you for reassuring me.

Re:Question

[Fizzlewhiff]

NT, 2000, and XP can run services under different user accounts and XP can run applications under different user accounts which you set via shortcuts.

I have never done this with an interactive application. I would imagine for some applications you would encounter problems related to NTFS permissions when trying to read or write data. Of course in a malicious attack this would be a good thing.

Re:Question

[artemis67]

For the same reason Outlook and Word needed a scripting engine that was enabled by default; because they say so and to hell with security.

Re:Question

[jafac]

Then after a few system screw ups from running as admin||root on your personal stuff, you train yourself enough to know when you're doing something risky or stupid

yeah, like rm -rf *; oh wait a second, what directory am I in again?

Re:Question

[digitalsushi]

here's my favorite

>/dev/hda1

This is big

[ceswiedler]

Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?

Re:This is big

[jaclu]

>You have to have said at some point that you >trust Microsoft

If you want to run windowsupdate (to remove security risks ;) you _have_ to agree to trust them.

The only system that doesnt trust Microsoft is a outof the box unpatched one - and then you are fried anyhow...

A clear catch 22

Re:This is big

[marauder404]

It sounds like the paradigm is fairly solid, but it was not completely thought out and not well executed. Sounds like it'll take version 2 or the mighty version 3 release to get it right. Not terribly surprising.

Re:This is big

[0x0d0a]

But after being asked four million times, you'll click yes anyway. I don't particularly trust Microsoft, but when I'm stuck using a Windows box, minimizing the amount of pain I have to go through to get Windows Update working is high on my priority list.

Re:This is big

[deanpole]

Removing Microsoft from the list is absurd. Microsoft should enhance the signature checking
code to also check an internal list of revoked
hashes.

Re:This is big

[Iamthefallen]

You can chose to trust that one install, it does not mean you have to trust everything from Microsoft for all time to come. If your system is set up properly you will always be asked if you wish to install ActiveX components, no matter who made them. I only trust components when I also trust the site that wants me to use them, no matter who signed them.

Re:This is big

[Jucius+Maximus]

"If you want to run windowsupdate (to remove security risks ;) you _have_ to agree to trust them."

Agreed. I just removed the certificates and now all other security patches refuse to install, you can't upgrade your MSIE to a newer patch or encrpytion level, you can't run windowsupdate, etc. Nasty.

Re:This is big

[Rich0]

There is an option to check for revoked certificates. It is off by default.

As I recall, when ActiveX first came out, MS justified running controls outside of a sandbox by using the "do you trust ...?" rationale. The idea is that users should decide what can and can't run, and who they should trust. Unfortunately, this just shows that nobody can be trusted to be perfect.

They do need a method of revoking a signature from a control across the board...

Re:This is big

[IntlHarvester]

Actually, when ActiveX first came out (IE3), they didn't even have the "Do You Trust?" dialog. Led to some very nasty exploits because it ran whatever was signed by anyone.

The main issue is that it's impossible to sandbox C/C++ code that's running in the same process space as your browser. The ONLY solutions are something VM-based like Java or .NET -- or to radically alter how memory-protection works on multi-user OSes (drumroll... Palladium).

This is equally true for Mozilla Plugins as it is for ActiveX controls, BTW, except it looks like that Mozilla is missing the signature layer that ActiveX has.

Reversal of Fortune.

[viper21]

I never though I would see Microsoft telling us NOT to check the box:

"Always trust content from Microsoft Corporation"

I guess with the next version of IE they will be changing it to:

"Never trust content from Microsoft Corporation"

Now that's the kind of checkbox I'm talking about.

-S

Re:Reversal of Fortune.

[program21]

They'll probably forget to change the behavior when that box is checked, and so it'll still "Always trust content from Microsoft Corp."
And then they'll call it a feature.

Re:why?

Slashdot reports on pretty much anything security related. Besides this is not a little problem it's something that is pretty damn serious if you ask me.

Microsoft knows best

[Anarchofascist]

All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.

"Don't trust us"

Re:Microsoft knows best

[richie2000]

OK where does everyone see that it says not to trust Microsoft?

In Microsoft's Technet Security Bulletin MS02-065. It's linked from the submission and still not Slashdotted. However, as a free service (maybe you're afraid of surfing to untrusted websites), I am hereby reproducing some of the juicy bits:

But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

What steps could I follow to prevent the control from being silently re-introduced onto my system? The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message.

Please note that this will generate a warning message EVERY TIME you encounter an ActiveX control - whether it is signed or unsigned. So how would you tell the difference between a 'bad' Microsoft-signed control and a 'good' one (ignoring for a moment the inherent badness in ActiveX)? The short answer is: You can't. You're toast. Muahahahaha!

All I see is not to trust an ActiveX pop-up warning that might be comming from someone OTHER than Microsoft...

Not that easy, I'm afraid. First, if you have been a good astroturfer you have undoubtedly cheched the "Always trust content from Microsoft Corporation" checkbox the first time you saw it (or your keeper checked it for you). Therefore, you will NOT be getting a pop-up warning. Second, the pop-up warning you may get if you haven't added Microsoft to your list of Trusted Publishers does indeed come from Microsoft. Bill Gates more or less personally guarantees the security and validity of Microsoft Corporation's digitally signed certificates (unless they've been hacked again, but that's so unlikely that it probably didn't even happen the first time).

Oh and if I see M$ or Micro$oft one more time I'm going to puke...

Most astroturfers do. It's a feature of your implants and nothing to be ashamed of.

Re:Microsoft knows best

[Anarchofascist]

OK where does everyone see that it says not to trust Microsoft? All I see is not to trust an ActiveX pop-up warning that might be comming from someone OTHER than Microsoft...

You can't just install the patch. You must remove Microsoft from your list of trusted content providers in IE, because if the old (unpatched) ActiveX control is hosted on a malicious web site, it is still signed by Microsoft, and can be automatically installed over the top of the patch! To quote from the Book of Microsoft, chapter Security Bulletin MS02-065:

Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

Why not revoke the certificate that was used to sign the control?

The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid. OOPsie!

What steps could I follow to prevent the control from being silently re-introduced onto my system?

The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message.

Oh and if I see M$ or Micro$oft one more time I'm going to puke.

You and me both, brother. Even complete Microsofties don't go around writing "Linsux". Derogatory labels help no-one.

Re:Microsoft knows best

[greenrd]

It's not witty, it's not funny, and above all else it is NOT in any remote fasion new... get over it...

Let me clue you in on something. Not everyone uses it to try to be humourous or cool. Some people use it to express their contempt of Microsoft.

Trusted computing.

[MongooseCN]

As this control is Microsoft signed...

Trusted computing, digital signing... I guess it all boils down to "You can trust Microsoft that this signed control will screw over your computer."

Re:Trusted computing.

[LostCluster]

Yep, that's all a digital signature can assure you of. Whoever's piece of crypto is involved did in fact sign that piece of software.

The problem is, knowing the source of the code is not the same as knowing the source code. You have only the name on the signature as information and then are asked whether you wish to grant full access to whatever that code wants to do.

Now, Microsoft's really done it. Their infamous security holes have snuck into an ActiveX element that they've signed. They can replace it with a clean version of element, however, any website that has the unpatched ActiveX control can put the unsafe version on their website, and then require it in their HTML. Even with "Always trust Microsoft Corp." disabled, the user is presented with a window to the effect of "Hey, you need an ActiveX control you don't have to read this page. You can trust it, it's from Microsoft Corp."

So much for ActiveX security....

The admission is in the faq section.

[terradyn]

Reproduced for your enjoyment:

What steps could I follow to prevent the control from being silently re-introduced onto my system?

The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

1. In Internet Explorer, choose Tools, then Internet Options.
2. Select the Content tab. In the Certificates section of the page, click on Publishers.
3. In the Certificates dialog, click on the Trusted Publishers tab.
4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

Re:The admission is in the faq section.

[Jucius+Maximus]

"The simplest way is to make sure you have no trusted publishers, including Microsoft."

Of course with Palladium this would be built into the hardware. I doubt they would tell us to rip a circuit or two out of the motherboard.

Re:The admission is in the faq section.

[LittleGuy]

Hmmmm... what if you never clicked on the little box "Always trust content from Microsoft"?

Security warnings are only as good as the choice between "OK/Cancel" and automatic install.

Don't trust...

[Torinaga-Sama]

"The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

That is solid GOLD.

It is poetic justice that Microsoft's own measures for security are working against them.

MS from the list of Trusted Publishers.

[oliverthered]

Already done, a long long time ago........
I didn't want them running anything they happened to sign on my PC.

Ok, I don't run windows at home any more, unless I need it for reverse engineering drivers or file formats.

So what..

[ybmug]

that can run any program in an unpatched windows system.

If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

Re:So what..

[Penguinoflight]

No, man there would be quite a few user-root exploits. I.E. if someone had shell access, they could get full access. That's a HUGE difference. They don't need your password to get in with the IE hack.

Re:So what..

[richie2000]

If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?

I don't think so.

Re:Typical slashdot crap

[compwizrd]

From the article:

What steps could I follow to prevent the control from being silently re-introduced onto my system?

The simplest way is to make sure you have no trusted publishers, including Microsoft.

DOJ reaction

[MosesJones]

Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.

"Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"

Muha

[mao+che+minh]

Right about now, Bill Gates is asking himself why in the world he paid millions for that "security approval" thing for Windows 2000 and wasted all of those marketing dollars in the over-hyped (and non-existent) "we make all of our programmers go to security school or something" campaign.

what can one do?

[proky]

If Microsoft tells users not to trust it for this, when should users trust it?

The joke is to say never. But with Microsoft controlling however many trillions of computers, it seems like something they should seriously be addressing. And more seriously than they are.

I also don't trust software i write

[TrueKonrads]

I also don't trust software i write, why should MS do different? I mean you can't say elseway " The programmer was a moron" and keep the pride

Re:why?

[jandrese]

Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.

Windows Update

[Peer]

The real pain is that people that have used Windows Update often will have checked "Always trust content from Microsoft", otherwise they will have RSI by now from clicking Yes.

Incredible...

[Pellelelle]

I didn't beleve this was true at first but this is actually what it says in the Security Bulletin:
--
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
--

why the kill bit does not work.

[leuk_he]

According to the MSTECH bulletin:
Why isn't it feasible to set the Kill Bit in this case?

The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.


Conclusion:
-Microsoft refuses to kill itself.

how does this relate to: the story Microsoft on Security: We'll Break Your Apps

Hey... linus refused to change the behaviour of kill -9 -1 also

Re:why the kill bit does not work.

Wow, thanks Microsoft. You could fix a major vulnerability and result in some minor inconvenience breaking stupid websites that require ActiveX or you can allow any rogue website to run arbitrary code on your customers' systems. Way to go!

Re:why the kill bit does not work.

[gmack]

"Hey... linus refused to change the behaviour of kill -9 -1 also"

I don't see how that's revelevent at all. Kill -9 -1 is not a security bug and there are many instances whre kill -somethingelse -1 is quite reasonable.

If you type that it's your own problem and Unix will happily shoot the gun exactly where you aimed it..

An attacker would need root access to do that and if an attacker has root there are much worse things (s)he can do to your system than shut off all it's processes..

Re:why the kill bit does not work.

[de_rus]

Also according to the MSTECH bulletin: Will Microsoft eventually set the Kill Bit on this control?

Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.

So.. Microsoft is developing technology that can/will deactivate controls a user has explicitly downloaded and trusted.
And -as it implies- replace it with a new one without the user knowing.

That's just great! It'll be a source for completely new virusses when (not if) this 'new technology' gets cracked.

Re:why the kill bit does not work.

[DoctorFrog]

Conclusion:

-Microsoft refuses to kill itself.

how does this relate to: the story Microsoft on Security: We'll Break Your Apps

I find it interesting that this problem does not affect Windows XP...

Re:why?

[NecroPuppy]

Because there are still quite a few of us
who still use Windows...

I've got half a dozen software packages that
are currently only available for Windows or
Mac, and as I don't like Macs, I'm stuck
with Windows for the time being.

This kind of story is "News for Nerds", and
as such, is, IMO, much more valid a story than
most that get posted here.

And as far as the Open Source comment; yes,
Open Source systems have bugs. However, I
don't know of a single one that will have a
website pop-up ask you to download a major
security hole under the name of trusted
computing.

Do you?

I found it ammusing...

[oconnorcjo]

but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrasing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.

Re:I found it ammusing...

[Sycraft-fu]

Ummm, IE doesn't run in root mode. IE runs as whoever you are logged in as. If that's an administrator, well then it has near root powers (root would actually be more analogus to the Local System account) including things like formatting the harddrive. However if you user does not have permissions to do things like htat, neither does IE.

Most people just use their Windows systems as administrators, doesn't mean it has to be that way. You need administrator privledges to do things like install drivers and some software, but not to run what's already on there.

Re:I found it ammusing...

[Winterblink]

You make a VERY good point here. Really, it boils down the root of the legal action against them, and that's the integration of IE into the guts of the OS. It's used in admin tools, the desktop itself, etc, etc, etc. To revoke it's overall "rootness" would end up crippling the OS, which has been Microsoft's argument all along. I suppose the simple suggestion is to *gasp* not run the IE components in a rooty mode when it's active in a normal user application. *shrug* Is that even possible? Who knows. :)

Re:I found it ammusing...

[Waffle+Iron]

Most people just use their Windows systems as administrators, doesn't mean it has to be that way. You need administrator privledges to do things like install drivers and some software, but not to run what's already on there.

At least as of Win2K, so many things break when you try to run as non-administrator, it's just not worth it for most people.

Re:I found it ammusing...

[0x0d0a]

I believe you're thinking of IIS, which runs in Ring 0, not IE.

Re:I found it ammusing...

[Tony-A]

IE doesn't run in root mode. IE runs as whoever you are logged in as.
This depends on what APIs that do root-level stuff are exposed and useable by IE. Microsoft presumably knows. I sure don't, but it seems rather naive to assume that there aren't any such.

I find it amusing...

[analog_line]

...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.

WTF ?

[FauxPasIII]

How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...

Re:WTF ?

[kcurtis]

Sure they did. I think you did not read the notice, and are the one missing something here...

From bulletin:
===
Why not revoke the certificate that was used to sign the control?

The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid.
===

Additionally, there is this tidbit, about killing the control w/o revoking the certificate:
===
Will Microsoft eventually set the Kill Bit on this control?

Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.
===

Bottom line: they *could* revoke the certificate, but it would screw up other controls that use it.

Re:WTF ?

[FauxPasIII]

> The certificate that was used to sign the control is still valid ...
> revoking the certificate would cause all of them to become invalid.

This just indicates a braindead design of their PKI. If they're going to be using a certificate to sign controls, then they need to keep a control revocation list associated with each certificate.

Read 'Applied Cryptography' by Schneier. It's better than drugs.

Re:WTF ?

[gclef]

Did you miss the last time this came up? (here:
http://www.microsoft.com/technet/security/ bulletin /MS01-017.asp
)

There is no CRL checking for Microsoft browsers. To be fair, Verisign doesn't include CRL Distribution Point info in their certs, either, so there really isn't any way for Microsoft to check, since they don't know who to ask. The way they handled the extra Verisign keys was to push out a *locally stored* CRL for just those keys.

Whee.

Re:WTF ?

[dbarclay10]

They did. The reason why they refuse to revoke this control is that many sites hard-code the object ID, thus they would stop working.

While I commend them for suggesting a fairly complete solution (including not trusting Microsoft-signed controls any more), I piss on them for not being willing to revoke the old control simply because some sites would not work.

Were they to do this, there's no doubt that administrators and programmers everywhere would TRULY understand the issue, and fix their code to not use the hardcoded value. Instead, Microsoft is coddling them, and now we have another hundred thousand zombied machines in DDoS attack-networks.

Re:WTF ?

[FauxPasIII]

> A colleague once told me that the world was full of bad security
> systems designed by people who read Applied Cryptography

Apparently the Microsoft code-signing system is one of them.

We can go back and forth all day long about the quality of that or any book; it happens to be one I get a great deal of use from. Fact of the matter is, there are open, standard public-key infrastructures that are designed such that this "problem" wouldn't be a problem at all, just a barely noticed update to the CRL that wouldn't disturb anything else in the system. Microsoft got infected with the Not Invented Here syndrome, and Windows admins are now suffering the results.

This thread is tiresome, so I'll leave it at that. Cheers. =)

Re:WTF ?

[iabervon]

Or designing the revokation/signing mechanism such that a new control could be issued with everything available to the programmer the same (except that pages that used the exploit wouldn't work).

Re:WTF ?

[Pfhreakaz0id]

right, that works if people use COM correctly by using say ado.recordset instead of the GUID {!S2a, whatever) ... then you could just put out a new version. I agree with the parent post.. why should Microsoft coddle these folks? why would you hard code the objectID of an MDAC component? My user could have any number of versions installed....

Re:WTF ?

[Chazmyrr]

Q: why would you hard code the objectID of an MDAC component?

A: because your code has been tested against and works with that version. because you haven't completed testing against newer versions. because the newer version behaves differently and would require a significant rewrite that hasn't been completed. some or all the above. take your pick.

Re:WTF ?

[iabervon]

Since this is Microsoft we're talking about, the reason is probably that your user could have any number of versions installed, and your code will only work with one of them, so you really do need the same version.

All this means is that MS should have had a way of producing bugfixed versions of objects with the same GUIDs. Given MS's attitude toward specification, hard coding the objectID is using COM "correctly", because it works (and nothing else necessarily does).

The problem is that there's no way of specifying that you need an object compatible with a certain interface; you either get an object for the same general purpose, or you get exactly that object.

Why don't people use something else?

[Mr_Silver]

See this comment followed by my response.

People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.

Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.

Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.

Re:Why don't people use something else?

[fferreres]

There will be a sept 11 for communications. That day, a bastion of the IT industry will be just destroyed (not infected, but deleted, formated). That will be a simple and effective way to push Microsoft's any everyone else trying not to profit from this market, but to control our communications and daily lives.

After that day, Palladium (or something similar) will be mandated, encription will be banned (goverment provided encription will be the only legal encription, with the due unlock key in their hands). P2P will be banned.

Or does anybody still think they will care what a bunch of "anarchists" have to say about the freedom to trade porn movs or mp3?

So it is VERY important that people patch their systems. If they don't, they dumping fuel on what will benefit "cyberterrorists" and "anti privacy, pro control" organizations. It is indeed crucial, the fate of the information era depends on taking care about security BEFORE anything important has happened. For as when something important has happened, you will have no freedom so as to enjoy the "added _security_"....

Re:Why don't people use something else?

[marauder404]

You're exactly right. People don't protect their privacy until they've lost it. They don't protect their car until it's stolen. They don't protect their home until it's been burglarized.

This bug is tantamount to someone being able to break into your home, secured by a Microsoft lock, if they use a certain kind of paperclip and you left the door locked in a particular way. It's not going to cause a mass panic and people aren't going to suddenly fix their locks, let alone swap the whole lock out for something else (like a Mozilla branded one). Even if your neighbor's house gets scored, you're not even likely to get that lock fixed. Human nature is fun, ain't it?

Re:Why don't people use something else?

[Reziac]

Back in the DOS era, we had boot sector viruses and file infectors. Some of them did cute things like slowly encrypt all your data. Eventually the majority of users got the message and started scanning everything with a good antivirus program. But remember, in that era computer users were a tiny minority. It's a lot easier to teach security habits if you don't have to reach the farflung masses.

Since then we've had a whole generation of new users who never heard of boot and file viruses. There was a spasm of awareness in the early days of the macro virus scare, but it seems to have died out, likely in part because now the overwhelming majority of computer users are relatively NEW at the whole thing, and are still struggling with basic concepts and everyday use. There really isn't any good solution to that, unless you propose restricting computer use to only the select few.

One of the contributing reasons, IMO, is the usual lame (and unnecessary) recommendation to "reformat and reinstall" every time there's a problem. This promotes ongoing ignorance as to causes and cures for daily issues, as well as to various hazards and security issues.

Re:Why don't people use something else?

[Mr_Silver]

Eeeewww, formatting your hard disk when you visit an evil web page, as described in a previous alert, won't cause damage to personal files? For most people, that is about 90% of computer users, who store everything in the 'My Documents' folder, this IE exploit will cause a lot of data loss.

(I normally don't bother with replying to AC's because they generally never get the point I'm making, but I'm bored...)

Theres a subtle difference between an exploit that can do a lot of harm and an exploit out there that is doing a lot of harm.

One has the potential to harm you, the other is actually harming you. Until Joe Blow experiences the latter, he's just going to discount it as someone elses problem and carry on as normal.

Re:Why don't people use something else?

[DickBreath]

Or does anybody still think they will care what a bunch of "anarchists" have to say about the freedom to trade porn movs or mp3?

I dare say that those in power are not going to give up their freedom to trade porn.

Seriously.

Re:Why don't people use something else?

[fferreres]

Mh, maybe they will make us give up our freedom, so that they can get OUR pron :) Imagine, all the FBI, CIA, whatever servers set up with keywords "lez, chloe, ..." with -20 priotity ...

Bush: "all your pron belongs to us, for GREAT JUSTICE"!

Re:why?

[netsharc]

Probably because a lot of us are sysadmins with companies stuck with Windows, and with this sort of news, we can take steps to protect our computer systems from MS-induced death, including convincing the PHBs to switch to Linux. ;-)

Also, Windows is more popular, so this sort of thing affects more people, especially clueless ones, the ones we need to educate to switch to Opera (ohokay, Mozilla then)

FWIW: .NET may help this...

[Kanagawa]

I'm no M$ fan, but I deal with it at work so I make a point at figuring out how to deal with the problems. Frankly, this isn't a suprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.

Looking forward, I recently picked up .NET Framework Security -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.

Mobile code that runs in the .NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but its what I want as an admin...

Frustratingly, you can't run .NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?

Anyway... here's some additional links to M$ references on mobile code:

Security in .NET: Enforce Code Access Rights...
Security in the .NET Framework

Re:FWIW: .NET may help this...

[0x0d0a]

allow only internal ActiveX publishers

Does anyone have any reason to allow ActiveX at all? It seems to pretty consistently be a low-benefit recipe for trouble...

Re:FWIW: .NET may help this...

[tshak]

.NET common language runtime (read: M$ JVM)

I hate it when people say this. Please, go pick up a book on the CLR by a "CS academic type" who hasn't worked for MS or Sun. The book I chose was "Compiling for the .NET CLR" (or something close to that). I learned a lot about the CLR, and because the author has a lot of experience with abstract stack machines (the JVM being one of them), he compared the CLR to many of them. Although there are similarities, and although the CLR was a reaction to the JVM, there really are some fundamental differences.

Re:Typical slashdot crap

[evilpenguin]

The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.

To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.

Time to upgrade

[Hasie]

The solution is to upgrade to Windows XP because it doesn't have this problem. This is the best news Microsoft has had in years!

Does no one realize its a TROJAN PR MOVE

[peculiarmethod]

Doesn't anyone consider this a mysterly convenient way to incourage the masses of windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vunerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net mordern os. hmph

or maybe I'm just nervous 'cause my coffee just accidently cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it

pm

Install MDAC 2.7

[Brazzo]

Yes, there are still bugs with MDAC 2.6; install MDAC 2.7. You'll note at the bottom of the security update that MDAC 2.7 is not affected by this issue.

Here's a URL for you, even...

MDAC 2.7 Refresh

Keeping Windows secure is hard, but it's easier if you install the recent components...

Re:Install MDAC 2.7

[stefanb]

Yes, you need to install the patch.

However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.

Sheesh, now /.er don't even read the blurb anymore?

Re:Install MDAC 2.7

[stefanb]

Sorry, my bad. And the "sheesh" bit was meant to be funny.

Anyway, after reading the bulletin again more carfully, I make the following of the situation:

• Installing MDAC 2.7 will make your server invulnerable;
• Installing the patch will make your server invulnerable;
• Installing the patch will make your client secure as long as you don't visit a malicious site or read a malicious email, which could restore the vulnerable version of the ActiveX control.

I can't find information in the bulletin about the chances of having a malicious page load a vulnerable version of the ActiveX control on a system with MDAC 2.7 installed. The bulletin only states that Windows XP (due to it having 2.7) is not vulnerable.

So I assumed that it's still possible. Is my assumption wrong? Quite possibly. I'm sure quite a number of people will check this ;-)

Use separate certificates for each control?

[virtcert]

According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.

Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?

It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...

Re:Use separate certificates for each control?

[zbuffered]

I say they revoke the certificate anyway, and re-issue the other controls with new certificates. Inconvenient? Yes. But it would fix the problem, and that's job #1 for them. If, as others have said, heads are rolling over this one, I think revoking the certificate is the least they could do.

Re:Use separate certificates for each control?

[Animats]

Agreed.

Microsoft created this problem, when they developed a technology that allowed web sites to download "trusted" code onto customer's platforms. They should be liable for that mistake.

Downloaded controls should run in a jail. Microsoft could make that work.

Wait A Minute....

[Tsali]

I thought we were all critical Microsoft 'holes.

Oh.... I misread it....

J.

A bit of fuzzy logic

[leoboiko]

So Microsoft says to not trust them. Ok, I will not trust. But then I don't believe in this request. So I should trust MS. Ok, I'll trust'em. But then the request is true, and I should not trust...

Re:Typical slashdot crap

[SirSlud]

Sure there is.

Bigger issue: If 'trusted' sources can be shown to turn out untrustable code (like the Active X control in this case), there isn't much use in trusting them in the frist place.

Its cute tho; 'trustworthy' computing from Microsoft involves not trusting them. I don't see how you could possibly not find that funny unless you were employed by MS.

A mountain of sloppy code?

[Futurepower(R)]

While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.

Windows XP Shows the Direction Microsoft is Going.

MS buffer overrun theory

[bfrog]

Here's a theory I've long held regarding the excessive number of buffer overrun security holes in MS software:

The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.

What do you think?

Re:MS buffer overrun theory

[ChaosDiscord]

The lack of an snprintf method in the DevStudio standard C lib...

From my time as a Windows developer, I have alot of grudges against Microsoft. (I've even publically aired some of them.) But I can't complain about lack of a snprintf. It's right here, and has been for at least five years. If an obvious function appears to be missing, look for a version prefixed with an underscore. (Of course, it seems stupid to me that it's prefixed with an underscore, instead of conforming to other systems, but that's a different issue.)

Re:MS buffer overrun theory

[J.+Random+Software]

Yeah, ISO/ANSI didn't define it until C99. (In C++ you should have been using stringstreams anyway.)

While it's fun to pile on his Majesty Satanic...

[smittyoneeach]

I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
Security and utility are two contestants in a zero-sum game.
Which is not to say that <insert browser here> isn't a technically superior product...

Feeding this to port 25...

[KjetilK]

Oh well....

From MS02-065:

After emptying the Trusted Publishers list, if I do see a warning saying that a web site or an HTML mail wants to download a control, how can I decide whether to let it proceed?

The best criterion to use is whether you trust the web site or the sender of the HTML mail. If you don't trust the web site offering the control, cancel the download.

So, who want to bet that the e-mails we will soon see circulating will have something like:

From: billg@microsoft.com
Subject: You can safely trust me

<html><body> Please read this e-mail carefully and make sure you download the provided control.

Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...

Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)

Re:Feeding this to port 25...

[Tony-A]

Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster.

I've got something for you. I won't tell you what it is, but you know me. Trust me.

Methinks the first thing I've got to know is *what* it is that I'm supposed to be trusting.

Not true...

[Ford+Fulkerson]

...you could run it on Solaris too.

Migrate away

I don't know if I'm karma whoring, but this last security hole gives me the creeps. In all honestly, I kinda ignored them up until now -- I don't know why, but I think it was because "they" could not delete my data (nothing scares me more than losing my documents (read: not "My Documents"). This security hole that allows people to "format my hard disk" (quote from the original /. article that I cannot be bothered to find) has me burning My Documents to CD-RW which I'm going to (finally) migrate to my Linux laptop which I previously used only for programming.

I know we've seen a million security problems from MS before, but this one (for me at least) is the last straw.

Comic Shop guy:

[LinuxHam]

best... article... ever

Re:why?

[GnomeKing]

Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

I guess the same reason that...
Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3
Trojan Found in libpcap and tcpdump
Bind 4 and 8 Vulnerabilities
and
Vulnerability In Linksys Cable/DSL Router

were posted?

i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widly used" system

Re:why?

[kir]

. . .or is it because we're always trying to make windows look bad??

You know, I don't think that's fair. The slashdot community dogs out everything they think is controlled by 'the man'. Just look at how much BIND and sendmail get bashed. Granted, these things have proven to be significantly less problematic.

Re:why?

[gosand]

Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.

2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?

Preaching to the Choir

[DeadSea]

I have seen several posts in the last few days questioning why the Slashdot editors are posting a particular story. The complaint usually runs along the lines, "Everybody on slashdot already knows this, post it somewhere that will do some good."

The folks that are out there converting people to free software are the people that read slashdot. Keeping the slashdot crowd informed of the latest security holes in Windows, Microsoft's most recent snafu, and the best new open source project allows Slashdot readers to spead the word more effectivly. New information and new arguments are key.

Re:Preaching to the Choir

[walt-sjc]

While this may be a new vunerability, lack of security in Windows is not a new argument.

Frankly, the only thing that is going to wake people up is a continual barrage of REALLY nasty viruses / worms that wipes out their entire system (or at least all their important files.)

Then again, there are people SO loyal to MS that they won't leave a burning house.

And while where at it...

[Theodore+Logan]

Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes talked about at too many places. Why I don't know. They are certainly vicious.

However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?

Re:And while where at it...

[ottffssent]

You're sick and tired of Microsoft stories? Well, quit bitching about it and make them go away. Click the little box on Your Preferences page and shut up.

Re:And while where at it...

[Theodore+Logan]

There's a difference between saying all are unnecessary and that there's too many of them. I think some are good, but not all. Do you know how to uncheck only the bad ones? If not, I suggest you shut up.

Also, there's no reason to be rude. Especially not when you're wrong.

Re:And while where at it...

[mangu]

I think some are good, but not all. Do you know how to uncheck only the bad ones?

No, nobody knows that. So, the only way is to publish all of them, and let the readers decide. And why so many stories about M$ security problems and bugs? Maybe because there is so much to write about? AFAIK, every single OpenBSD security exploit is also mentioned in /. Do you think there are too many stories about OpenBSD exploits?

Re:And while where at it...

[1010011010]

Yes. There are a *lot* of MSFT systems out there, and the more people who know about the problems, and the fixes, the better.

Re:And while where at it...

[Tyreth]

When it generates 600+ comments every time, I'd say there's enough interest in seeing it :)

I don't understand...

[awptic]

If this doesn't affect XP, why can't Microsoft just issue a patch that installs the Windows XP components which aren't vulnerable? And also... why the hell isn't XP vulnerable? maybe they knew about this for a long time...

Re:I don't understand...

[Fizzlewhiff]

XP isn't vulnerable because XP uses a newer MDAC and you can't install an older MDAC on XP. Non XP users can download the newer MDAC and I'll refer you to the rest of the thread for the issues with that. I seriously doubt this is a conspiracy. If you are looking for conspiracies, try looking at why trojans occasionally slip into OSS releases.

If I were Microsoft

[teamhasnoi]

I would *gasp* follow Apple's lead. Give up on windows. Start from stratch, with a new operating system that is well documented and code reviewed. Run windows virtually, just like Classic. Faze it out slowly. No backwards compatabillity .

I've acually thought that MS would buy out Connectix just as a bargaining chip against Jobs (apple).

OT - Why would Connectix *not* make a Virtual PC for Linux? Do they have a deal with MS? It seems to me that they could rake in the dough, hand over fist.

Virtual PC is great for 'trying out' untrusted software. It's too bad that Windows itself now fits that catagory. Run with it Bill!

Oooo! He card read good!

[Codex+The+Sloth]

Since probably a million people submitted this, maybe we could pick the post that actually doesn't read like an entry from the Yoda diaries?

brain hurt make!

Apologies if the poster suffers from dysphasia.

Re:Oooo! He card read good!

[gl4ss]

beowulf cluster of yoda there are.

karmasuicide2k2

why remove *ALL* certificates?

[oktaya]

"The simplest way is to make sure you have no trusted publishers, including Microsoft."

So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?

It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?

Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem effects all publishers? Or are they simply admitting that this signed certificate thing isn't working?

Oh, if we can't run anything we want on your system, nobody else should either. pfft.

oktay

Re:why?

[_bug_]

Because in a recent /. story there is reference to a recent /. poll which shows 47% of those who responded still use a Windows operating system.

Nearly half of /. users use Windows.

This would seem to validate the need to have stories about Microsoft software bugs, especially those as grevious as this, on /.

Re:why?

[pooh666]

Current Microsoft story on CNN Tech news:
"Microsoft innovates"

With a nice little sponsered by, Microsoft icon right under the headline. That is why..

ATTN: Slashdot Editors

[Jucius+Maximus]

Hello, today when browsing the site, I found an error (probably typographical) on the site. I would appreciate it if you could correct this: The story "Another Critical Microsoft Hole" should be reposted under the "It's Funny. Laugh." category. Thank you for your time.

Re:why?

[kalidasa]

It's getting tiring to see all this sarcasm, like open source is so free of bugs or something.

Sarcasm directed at success can be quite healthy for those who wish to motivate themselves to compete against and surpass that success - and to make sure that they do not repeat the mistakes of that success.

Better fix

[Java+Pimp]

1. Open Control Panel.
2. Select Add/Remove programs.
3. Select Microsoft Internet Explorer.
4. Select Add/Remove...
5. Download Mozilla.
6. Run the mozilla installer.

Re:Better fix

[murgee]

Well, actually it does... Start->Run->cmd->ftp ftp.mozilla.org :)

It sucks, though. but you didn't say anything about the FTP client needing to be good..

Re:Better fix

[Royster]

Get a command line, type (this is the hard part, I'm sure you've forgotten how to type a command) ftp ftp.mozilla.org and press the big enter key.

Re:Better fix

[Lizard_King]

[yaaaawn] The 'ole hackneyed "Fix windows by installing (insert your favorite oss tool here)" gripe.

Come on... It shows *some* integrity for a company with historic ethical issues to come out with a recommendation such as they have (remove MS from trusted partners). Either grow up or try and come up with something original for once.

This type of shit is exactly why I think the "News for Nerds" slogan is misused. This isn't news for nerds, this isn't educated discussion, this is a bunch of babies cracking the same boring jokes and bitching about how *everything* sucks.

Re:Better fix

[Java+Pimp]

Nice come back. "Grow up." You obviously don't get it.

It was supposed to be a facetious attempt at sarcasm directed at this discussion group. I was debating on wether or not to put 7. ??? 8. Proft! but I thought that was enough for most to get the joke.

BTW, I haven't had any rogue ActiveX controls even attempt to infect my system since I started running Mozilla.

Yes, Micro$oft has some real issues, and yes it's still fun to laugh at them. Get over it.

Re:Better fix

[derF024]

I'll play along... Let's say I delete IE... now I have no web browser, how am I going to downlad Mozilla?

actually, you can't uninstall IE (unless you use some 3rd party app like win98 lite), you can only remove the shortcuts to it and remove it from the "default browser" list. when MS said that IE was part of the OS, they weren't joking. all you need to do is pop open a windows explorer window after "uninstalling" IE, type http://www.mozilla.org/ in the address bar and you're back in an IE window.

Re:Better fix

[Lizard_King]

I understand the joke. The problem is that its just not funny anymore... (although it used to be three years ago)

I haven't had any rogue ActiveX controls even attempt to infect my system since I started running Mozilla
yeah, me neither.

Re:Better fix

[Tony-A]

Well, last time I checked, there was a ftp client included in Windows
Still is.
XP Professional
C:\WINDOWS\SYSTEM32\FTP.EXE
Copyrig ht (c) 1983 The Regents of the University of California.
All rights reserved.

Re:why?

[Jucius+Maximus]

"Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?"

It's because a lot of slashdot users (47%) still use windows.

Re:why?

[pwtrash]

This is not just a security breach. In their tech bulletin, MS advises users to completely eliminate downloadable ActiveX controls. If you recall, ActiveX was their strategy for dynamic web content. In other words, their suggested solution for dealing with this problem is to completely refute their own strategy. True, they have .NET as a replacement, but it is not quite cooked nor is it accepted publicly.

Were the public to follow their suggestion, this would be a big deal. They would basically have deprecated ActiveX controls as a dynamic content strategy (you can use what you have, but you won't get any more). You could argue that this has been done for them over the last year or so, but this is the first time I've seen them admit it.

However you look at it, having a bug that causes even a temporary strategy change is big news, regardless of how you feel about MS.

Don't blame Microsoft...

[Neutron+Zenith]

It's all Eolas' fault :)

You can download a patch here

[shodson]

http://www.mozilla.org

More design flaws

[SgtChaireBourne]

Actually, the bias seems to be pro-Microsoft. If any other project had the same severity and quantity of compromises as MSIE, it would be history.

What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock in.

Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.

Re:More design flaws

[tshak]

I love Opera. I'm testing Opera 7 B1. It's very promising. It's small, fast, and IMHO better then Mozilla. However, although it's features beat out IE, it's rendering doesn't. I'm hoping the final release of Opera7 can allow me to use it full time, but it's just not there yet.

Re:More design flaws

[Mr_Silver]

Microsoft is falling further behind in technology every month.

Can I have a credible source for this? I'm interested to read it.

Rather than trying to catch up, they've been trying to hold everyone else back.

And one for this too?

It's time for them to get out of the way and stop hindering economic growth in the IT sector.

Oh go on, give us one for this too whilst you're at it.

Or is this just plain and pure FUD?

Re:More design flaws

[SirSlud]

Just as there are folks out there who will defend telemarketers, for the simple reason that most people dislike them and they feel compelled to defend them as individuals.

When people rail against telemarketing, they're railing against telemarketing (although people will often personify and channel their agnst towards the industry using the person that last called them, of course.) Similarly, when people diss MS, they're dissing what MS has made, not the people within MS. IE, you dont have to believe the pope is flawed to believe that christianity is flawed.

But why people jump in for MS is beyond me. With their kind of money and legal might, they have absolutely no need for anybody to defend them in the court of public opinion. I always wonder why folks waste their breath .. regardless of whether or not they have a legitimate point.

Re:More design flaws

[Mr_Silver]

Well if it is, it doesn't make you look any more intelligent by quoting his little unprovable bits and saying 'please sir, can I have some more?'

Actually I asked if I could see some facts to back up his assertions. It's all very well saying MS is dragging the industry behind, but unless you've got credible sources then it's pure speculation. Give me facts, good solid facts.

So, yea, congratulations, you've made yourself look like a bumbling idiot for picking only the parts of the post you disliked and putting them on the chopping block, while ignornig the point.

Go read his post again. I quoted EVERYTHING. That was the ENTIRE post. I didn't dislike the post, I just wanted some facts.

I don't dispute that MS is a bad thing - but when people start making claims that they drag the industry back then they need to quote some sources otherwise people will just bash it as mindless FUD.

If you can cite a source that backs up your comments, you'll find people are very ready to believe you more. It's all very well screaming "MS is eeeeeevil" till you're blue in the face - but it doesn't exactly help change peoples minds.

That's really lame of MS

[Tenebrious1]

Interesting- seems like they're telling you to remove all certificates, not just those from Microsoft.

So What's The Real Answer?

[airrage]

I don't think the question revolves around whether open-source or closed-source is better or worse. Honestly, they both have their pros and cons. As for this issue, ActiveX Controls were a good way (way back when) to get a rich feature set onto a web-browser. But eventually it was realized you needed some security around this, so they started to digitally sign them, now it seems this might have a hiccup in this logic as well. So what's the real answer? How do I get a rich feature set to the web without running anything local (the most secure way)? When you really start to understand the challenge you understand how difficult the problem is. Think about it: people who don't download ActiveX controls also are the same people who download MODs to their favorite games and those dlls don't have to play in a small sandbox! I think people are accustomed to lots of snazzle with their web pages and we, as technical folks, should find a way to do that securely. Good luck.

Re:So What's The Real Answer?

[jlanthripp]

How do I get a rich feature set to the web without running anything local (the most secure way)?

Depending on how you define "rich feature set" I would suggest PHP or perl or some other server-parsed scripting language. PHP in particular, when combined with MySQL, makes a *great* web development combination. Java code can be fairly secure to run, but it's run locally.

Your answer...

[13Echo]

Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

Yes.

I realize most /.ers use IE, but...

[autopr0n]

Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.

Re:I realize most /.ers use IE, but...

[Dog+and+Pony]

Because Opera is not evil, just Norwegian? ;-)

I just noticed that Opera 7 is out in a Beta. I think I'll go give it a spin right away...

Don't trust Linux either...

[Cpt_Corelli]

Aberdeen Research Group has this to say about open source and Linux security:

Open Source and Linux: 2002 Poster Children for Security Problems

November 12, 2002
Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.

Read more here

Re:Don't trust Linux either...

[walt-sjc]

It's interesting, but a rather useless statistic. Go read up on what others in the security industry are saying about this study.

If you look at the DETAILS of many linux advisories, you will find that many of them have no known exploits but rather a POTENTIAL that it MAY be possible to exploit the flaw. Also, 2002 is not over yet, and we have had several REALLY nasty MS flaws come to life. Aberdeen may have to restate the results :-)

If the study looked at the severity of advisories on some sort of scale, the results would be quite different.

Note the WORDING of this press release: Open source software is now the major source of elevated security vulnerabilities for IT buyers.

Excuse me? IT buyers? What, do I BUY vunerabilities for linux now? From who, Microsoft? Anyone with a little intelligence can see right through this crap. WHen you use the word "buyers" you are dealing with marketing. PR. Spin. By the way, who paid for this study?

Anyway, what's that old saying again? There are lies, damn lies, and statistics.

Re:Don't trust Linux either...

[derF024]

Kind of a silly statement, since they're comparing every piece of software that runs on a linux platform to only microsoft applications. what would happen if you compared the "Linux security flaws" to flaws in every single piece of software that ever ran on Windows..

in addition, i think you'll find that since applications and libraries can be used by 3rd party applications more easily on open source systems, you have more code re-use. thus, 1 vulnerability, such as the one in OpenSSL, turns into 10 when you count in all the packages that use OpenSSL's SSL libraries. since MS closes the ssl libraries that they use with IIS, you'll find that there are probably 10 different ssl implementations on any one MS based system.

a third point is that this study counts advisories from each vendor regarding the same application as seprate advisories. so you have the following situation:

1 bug in OpenSSL affects 10 applications that use the OpenSSL libraries. advisories for those 10 applications are reported by 10 different Linux vendors. therefore, 1 bug in a piece of linux software generates 100 vulnerability reports. according to this logic, there are still roughly 100X more bugs in microsoft software alone then there are in every piece of software that is capable of running on Linux based OS's. that number is somewhat inflated, however my points are still valid, this study is turning 1 bug into many and comparing apples to oranges.

Re:Don't trust Linux either...

[Atryn]

OK, So you are saying that the combination of all open source projects from all developers in the OSS and Linux communities COMBINED had more vulnerabilities that MS ALONE had... Wow.

We could look at vulnerabilities per line of code... But then MS has bloated code too... hmmm...

Re:Don't trust Linux either...

[Tony-A]

Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories.
With no analysis of the severity and impact of the vulnerabilities, and more important, any analysis of the difficulty of discovering the vulnerabilities. That's Research???
The count for Open Source and Linux vulnerabilities may be greater, but that is really the count of vulnerabilities *fixed*. This years crop doesn't seem to be able to do much or go very far. Next years crop will have an even harder time. Microsoft seems to have plenty of low-hanging fruit left.

Re:why?

[Kierthos]

Some of column A and some of column B.

Okay, let's face it. The average /. reader (which is different from the average /. poster), when reading from work, is probably using a Windows box. Sure, in certain fields, the likelyhood of a /. reader not using a Windows box rises dramatically, but let's stick with the "common perception".

And in that "common perception", Windows has one hell of a large chunk of market share. No amount of /. posting on the sheer wonders of "insert your distro here" brand of Linux is going to change that overnight. Therefore, news about yet another "gaping hole" in Windows, especially in the "browser that cannot be separated", is going to be news.

Also, who doesn't like seeing the big dog getting taken down a peg? It's "American" nature to root for the underdog, and that means wishing all kinds of nasty things to happen to the big dog. It just so happens that Microsoft does so many things to shoot themselves in the foot, or at least wing themselves, according to the editors here.

And no, Open Source is not free of bugs. But you know what? It sure seems to have a damn sight less, and they seem to get fixed faster.

Kierthos

infinite loop

[3k9]

ok, so Microsoft says "You can't trust us".

Anybody see that this resembles the following situation:

"I am a pathological liar,
Everything I say is a lie,
you can trust me on this."

Now what are ya gonna believe??

RTFM : lol... Try Runas..

[bored]

Re enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate use privledge. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

Re:RTFM : lol... Try Runas..

[Pfhreakaz0id]

Yeah, the drivers/setups are getting better as they migrate to a system where user privileges are involves (as opposed to 9x), but it's still a joke. I have a scanner that won't FUNCTION under win2k unless you are in the admin group. The manufacturer seemed to not care "run as admin", they said. So I turned on auditing, and found the specific files it needed to have access to (and didn't). Emailed them the result six months ago. No response and no updated drivers or even and KB article describing the workaround. Lovely.

Re:RTFM : lol... Try Runas..

[dboyles]

I'm far from being a bigshot Windows admin (or Unix admin, for that matter), but this seems to be a huge problem in Windows. I work at a university, and in my department we end up having to give nearly all users administrator rights because they have to run programs that require them. In the searching I have done, there is no way to fine-tune these rights. For example, in Unix I would either set permissions/ownership appropriately, or if something truly needed root, I'd set up a command alias in sudo to allow it.

Can anything like this be done in Windows (2000 Professional)?

Re:RTFM : lol... Try Runas..

[Whibla]

What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

I think that this is due to the fact that these installs are modifying the registry. But, you say, Win2k has a user portion of the registry that the user can edit. Well, yes, but this does not allow for dependancies and global file extension settings. Basically, when a "dependant" program is installed it increments a counter in the registry branch for the program that it is dependant on (if that makes sense :-)), so that if you try to un-install the 'higher-level' depenency, or run a disk clean up, Windows knows not to remove it. Anyway, to get back to the point, you need the admin rights to be able to make changes to the non-user portion of the registry. I do agree though - bloody stupid.

Intelli-sync for Palms is one program like this. Their solution - install / run as Administrator. Just make sure that when you do this you only make the user a LOCAL adminstrator. I made this mistake once - and spent most of a night putting one of our servers back together. Never again!

Re:RTFM : lol... Try Runas..

[Pfhreakaz0id]

well, the way to do it is to turn on security audiiting and log "failed" accesses (you don't want to do this permanently, turn on, run software, turn off). then look at the log. You want to do this for registry as well. Sometimes it is a physical file, sometimes a registry key you need to give the "users" group permission to.

It pisses me off, because I am doing the company's job. You can usually figure it out and write a script or bat file with cacls to apply the permisions the user needs.

Re:RTFM : lol... Try Runas..

[Rich0]

Unless of course you have XP home edition... No ACLs there - at least not editable ones...

Re:RTFM : lol... Try Runas..

[Rich0]

Ironically, MS Flight Simulator 2002 Professional is in this class. You'd think that at least MS would get this right.

I have kids that I let play games on my PC. However, I'm hesitant to give them admin rights. While I know how to be on the lookout for spyware when I download junk from the web, they don't...

Re:RTFM : lol... Try Runas..

[Pfhreakaz0id]

that's because xp home is a steaming pile of shiat.

I'd really, really, like to understand why the upgrade to xp pro costs the same whether you have 98, me, 2000 pro, or xp home...

Re:RTFM : lol... Try Runas..

[Amazing+Quantum+Man]

Yeah, but you can setuid pppd. To use "Run As...", you have to give out the administrator password.

What if - it were not a security hole at all ...

[dudemaster]

What better way for the US Gov to get some spyware into all M$ installations, than to have M$ issue a major warning like this. I'm sure they're considering using M$'s monopoly to exploit eavesdropping on some of Al Qaeda's employees.

Click...refresh...huh?

[CodeShark]

'xcuse me -- thought I'd pulled a Rip Van Winkle and woke up just in time for a Malda & Co. April Fools Joke.....Microsoft admitting that that content from Microsoft can't be trusted?

--note to self--

Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.

Re:Want some cheese with that whine?

[JWW]

I've read that critique of Dilbert before and it is utter crap.

I've also read "The Dilbert Principle" by Scott Adams as well. It is an insightful and honest book about business.

What the author criticizing Dilbert does is say that by stating and exaggerating some of the bad things business does, he is condoning them. What a load of crap.

As for Microsoft, there are actions that they have taken that I do not like. But I have to use Microsoft products at work and have to know a lot about them. It doesn't mean that I can't also totally disagree with their licensing schemes. And while it may not seem like a big deal to you, my decision at work is whether to let users run Active X controls or not. There are big implications here, this story is absolutely not trivial and Microsoft made a major screw up in allowing this security hole to exist in this particular product in the first place.

Re:why?

[Archie+Steel]

It's not about anger, it's about vigilance and fairness. I may run Linux, but - like many here I imagine - I'm also the de facto Windows Support guy for family members and non-technical friends. So I want/need to stay informed of severe Microsoft vulnerabilities.

To tell you the truth, it's been a while since I've no longer needed stories such as these to convince me that Linux is more secure than Windows...there's no "anger" left (I don't thing there ever was - outrage and disdain, yes, but no anger), just a desire to be informed so that I can better protect my windows-using loved ones...

Re:funny

[Blkdeath]

microso~1

<NIGGLE>
Actually, it's "micros~1". First six characters, tilde, then number to allow it to fit with in the "8" of the 8.3 file format.
</NIGGLE>

Unsafe at any release?

[geoff+lane]

For those of us still running Win95 on hardware that cannot support '98 or XP there is no fix for the recent critical IE security problems.

So, to fix this particular little problem needs a hardware replacement "upgrade" :-(

Re:Unsafe at any release?

[tswinzig]

Well, you could do one of these things:

(a) Use Mozilla instead.

(b) Change IE to browse in high security mode for all internet sites, except those in your Trusted Sites zone.

(c) Spend $100 and get yourself a computer that can run something beyond Win95???

(d) Stop surfing the internet. You don't need porn THAT badly.

In other news...

[pixelated77]

Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.

Re:Typical slashdot crap

[evilpenguin]

I'll feed the troll. The issue is for users of IE, not IIS admins. Every single person who runs Internet Explorer is vulnerable. How many of those do you suppose keep up with security advisories? Even if they use the Windows Update system, how many of them do you suppose will read advisories and clear their trusted providers list?

So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.

Re:why?

[christopherfinke]

The average /. reader [...] is probably using a Windows box.

I, an average Slashdot reader (methinks), can trace my maturation through the versions of DOS or Windows that I was using. The earliest I remember is MS-DOS 3.0, but I may be wrong. I came through Win3.1, 95, 98, and now I have XP. I love working with computers, and I hold a strong interest in Linux, OSS, and all that other good stuff. The thing is, I don't have the time to implement Linux, nor the patience to learn it right now. So, in the meantime, I like to know about all the bugs in Windows so that my system (and my extended family's systems, for that matter) can be as secure and reliable as possible. It's a good thing.

Re:I found it amusing...

[marauder404]

Reasonable for a home computer is to do nothing, actually. I'll probably get railed for saying this, but for most people, security isn't really that big of a deal. They pick shitty passwords, leave tons of security holes open, don't bother patching, and don't even know what they're doing is unsafe.

Granted, this vulnerability is considered critical, but few people will ever encounter it. Someone has to hit upon one of these malicious sites with IE after having trusted Microsoft by default and must have MDAC 2.7 (comes with Windows XP, I believe). The chances of this are very low.

You asked what you would do for your mother's PC and I would say do nothing. My dad browses all the time, but he pretty much sticks to the same big-name sites, reads the news, keeps up on a few messageboards, and sends email. I'm not going to give him a confusing list of things to worry about -- I'd be calling him every day for things to watch out for, trojans to be wary of, and websites to avoid. Most people won't encounter the problem, so I'm fairly comfortable with not having to panic about it and call everyone I know.

Re:Typical slashdot crap

[cscx]

Which is funny, because the Slashdot article keeps citing "IIS." Maybe someone forgot to edit the "canned microsoft submission.txt" file before submitting the story.

Great solution, what about SPAM?

[insac]

(...)
"The simplest way is to make sure you have no
trusted publishers, including Microsoft. If you do
that, any attempt by either a web page or an HTML
mail to download an ActiveX control will generate a warning message."
(...)

We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!

This message doesn't need a signature

Score one against DRM !!!

[Anonymous+Custard]

From the MS Technet article:

Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.

Re:Score one against DRM !!!

[Anonymous+Custard]

huh? what's the connection?

Microsoft's digital signature system is a type of DRM (although the user is still in control of his own system with this type). ActiveX controls can be very powerful, and can execute commands on your computer. You wouldn't want to download a malicious activeX control to a windows computer, it could do virus-like damage. Digital signatures allows files such as activeX controls to be 'signed' by a 'trusted' company that has been registered with MS (i think). So if you're dl'ing an activeX control that has been officially signed by Macromedia, you can assume it's safe as long as you trust Macromedia. On activeX controls signed by Microsoft, it means the activeX control has been developed by MS and has not been changed since development, and most importantly that you can trust it not to cause any damage to your pc.

But now there is an MS-signed activeX file (see article) which has proven to be a security hazard. Plus, MS can't kill it, as it does have a valid MS digital signature (and other reasons). Most people have IE set to automatically trust Microsoft-signed activeX controls. So malicious webmasters can distribute this old activeX control to a user who has no way of telling that although it is signed by MS, it has a severe security flaw. So MS's early effort at trusted computing has proven vulnerable.

Actually, I suppose it is more a case of trusted-computing than of Digital Rights Management, but the two are related concepts in the sense that they both aim to label software or hardware as safe in order to be used. This situation shows that although something is labeled as safe (digitally signed by MS), it is actually not safe. DRM is more restrictive and less under user-control; the only thing that users can do at the moment is exercise the control that they have and remove MS from the auto-trust list.

What if something like this happens in a future DRM situation (palladium?), where the user isn't able to decide what's trusted and what's not, and MS can't fix it?

Re:remember when...

[vinsci]

You mean this? The quote below is from this article in The Age.

"In the United States, certification authority VeriSign failed spectacularly in its role when, in early 2001, it accidentally issued a key pair to someone - it doesn't know who, or isn't saying - under the name "Microsoft Corporation". This allowed the mystery hacker to sign software under this name.

Anyone installing this software was assured that the software originated from "Microsoft Corporation", which, of course, it didn't.

The only way Microsoft could fix this blunder was to patch the operating systems of all its customers to deliberately reject anything signed with this key."

did you read the eula?

[leuk_he]

did you read the EULA?

You just sold your soul! 1 d (e)"indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorneys' fees, that arise or result from ...."

Re:did you read the eula?

[marauder404]

did you read the EULA [microsoft.com]? You just sold your soul! 1 d (e)"indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorneys' fees, that arise or result from ...."

Did you read the GPL? (lameness filter requires changing to lowercase letters -- it comes in screaming caps)

In no event unless required by applicable law or agreed to in writing will any copyright holder ... be liable to you for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the program (including but not limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of the program to operate with any other programs), even if such holder or other party has been advised of the possibility of such damages.

Indeminification of software writers is standard practice. There are tons of better things you can use against Microsoft than this lame argument.

Re:why?

[SEWilco]

Well, like someone else in the /. apache section said... "Apache bugs never make the front page"

Didn't I recently see on the front page an article about unpatched Apache servers? Wasn't this Apache OpenSSL Worm article on the front page last month?

Windows Update V4

[fwr]

Hmm...

I just got a prompt to update to Windows Update V4, signed by Microsoft. Should I trust this???

Re-exposing vulnerability

[flanker]

There is really no need to have Microsoft be a trusted publisher of ActiveX controls. The "complete fix" for this problem, removing Microsoft from the trusted publisher list, is a standard part of securing IE.

Re:Why MS bugs so publicised?...

[foniksonik]

Linux users know all about their bugs. They are the ones fixing them. Bugs in proprietary software are more interesting/important because they acknowledge commercial vendors inability to get working code out the door before profiting from it, a despicable but almost always necessary evil (if you're commercial and proprietary, that is).

1. Get an idea for useful softwaree
2. Write a lot of working but buggy code
3. ??????
4. Profit

Then later when you can rest assured that the investors or collectors are happy...

5. Fix bugs

And if you're a monopoly...

6. Release bug-free "Upgrade" and charge more money.

Re:why?

[gosand]

Just wondering, why can't you run Quake under Linux/*BSD/WhateverYouUse. I ask this because I'm a total Linux idiot, and even I can get it working.

Cause I am lazy. :-)

Seriously, because I haven't been able to get my scroll mouse to work under Redhat 7.3. I have tried to get imwheel to work, but it just doesn't. I need my wheel when I play Quake (I play the old Team Fortress, not that fancy-pants new one). I have a zoom cfg file that uses the wheel mouse to variable zoom. Quite handy.

Ahh, what the heck - here is where you can get my my zoom cfg file...
SuperflyTNT's Quake Page

.NET has similar design flaw

[goombah99]

From what I have read .NET has a similar design flaw. Where java uses rigorous theorem proving approach to making sure that code cannot exceed its authority, .NET once again trusts code that has been signed rather than attempting to check it. The reason for this apporach I believe is 1) the potential for speed by distirbuting compiled binary rather then VM code 2) the ability to take quick shortcuts, call undumented APIS and the litiny of other very handy but bad programming ideas that make MS what it is.

So this is news because it blows the doors off the signed executable philosphy and makes the sandbox philosohy of the java VM look like the only viable approach. Notice that the JAVA approach would have avoided both problems. first it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second there would be no signed app trustworthyness issue.

Re:.NET has similar design flaw

[pavera]

Its still faster than reinstalling/reconfiguring windows after the virus reformats your hard drive.

Re:.NET has similar design flaw

[pavera]

lol. good point.
unfortunately my clients don't have that option (I run linux and OS X everywhere on my machines, but lots of my clients are dependent on windows... sad but true...) I don't really mind the viruses actually, more money for me... but hey whatever.

Re:why?

[walt-sjc]

Agree, but you only had one little error. In this particular flaw, you don't get a pop-up. It downloads automatically and silently. You have no idea that you have been penetrated.

Hmm. Reading the above sentance, I just KNOW some karma whore is gonna make some comment about "penetration" and "MS"... Sigh.

Re:Install MDAC 2.7 (what about JET?)

[Insightfill]

Yeah, but if you rely on JET to provide any functionality, 2.6/2.7 don't provide it. If you're working on a non-WinNT kernel machine, you have to install 2.5, then install 2.7 to get JET and be secure. Or, there's a sep. D/L for JET.

Yeah, I know, you shouldn't be using JET anymore, but sometimes it's the hand (or product) you're dealt.

What a pain...

not all Unixes use Sendmail & Bind

[DrSkwid]

whereas almost all windows boxes have IE installed

half of /. users use Windows. the below avg half

[DrSkwid]

wheeeeeeeep

IE has root on win98, thats a huge number of users

[DrSkwid]

so it's a huge piece of news

like the one on today's front page?

[DrSkwid]

this one

Because.

[artemis67]

Opera isn't running on 90% of all computers out there. I'm not even sure that Opera is running on 10% of all computers out there.

Opera could have a big gaping security hole, but the impact is still going to be marginal because of the (relatively) small size of the installed base.

Re:Hey great

[mangu]

Just because it says "Signed by Microsoft" on the pop up at the cracks site, are you going to go ahead and click Yes?

Wasn't that the rationale for the existence of "certification authorities"? If one must make one's decision about trusting a software or not based upon the site where it seems to be, then there is no need at all for security certificates. Speaking for myself, if it says "Signed by Microsoft", I don't trust it at all, no matter if it was in a cracks site or not.

Think Ahead to Palladium

[serutan]

Watcha gonna do when something like this happens, and the airtight MS security system is burned into your hardware?

Comforting thought, huh?

RTFA

[captainstupid]

I'm sorry, but it doesn't appear that anyone read the freaking article.

From the MS TechNet article:
* Customers using Windows XP, or who have installed MDAC 2.7 on their systems are at no risk and do not need to take any action.

* Web server administrators who are running an affected version of MDAC should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not affected by the vulnerability.

The "fix" to this vulnerability is installing MDAC 2.7 which is available on all versions of Windows back to 98.

Other than the fact that this is the 50,000th security patch that I have to install on all my machines, what's the big deal?

What company?

[Amazing+Quantum+Man]

So whos scanners should we avoid? (my money is on UMAX as the culprit).

Re:What company?

[Pfhreakaz0id]

BING! BING! BING! excellent answer.

Tell him what he's won bob!

Re:He's right about the fonts

[DickBreath]

Why doesn't Microsoft wake up and just apply the "mozilla patch"?

Seriously? Because this would work against the goal of creating a seperate Microsoft Internet that requires Microsoft platforms to run on. The enticement to lock yourself in is the additional features. Like a narcotic. It's the easy solution. No more pain. Surprise, you're addicted. Installing Mozilla takes you a step in the wrong direction. The direction of being more platform neutral and standards compliant. From this standpoint it would be better to keep you off of Mozilla and just do whatever embarrasing thing is necessary to fix IE.

CNN

[theonetruekeebler]

CNN's headline for the story is: Microsoft: Yet another security flaw. The story describes it at the 65th alert MS has issued this year and notes that MS has dumbed down its security alerts to the point that the people affected by them (e.g. darned near everybody) can read them.

I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.

What will happen when people start treating Microsoft's security lapses like the epidemic they are?

Good Gods NO!

have you not noticed that virtually _all_ of the Mac exploits ever published involve IE and/or Outlook?

I refuse to put Office X on my system, and only use IE to verify why a poorly coded page won't display in Mozilla or OmniWeb

Bias and the 'solution'

[mythosaz]

The problem is not that Slashdot is picking and choosing bug reports in an attempt to make M$FT look bad. They're reporting bugs from all the "major" OSs. The problem is the bias in the reporting and by the upwards modded comentators. Take this example from the article (and the note which it closes on):

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

NO! The 'solution' from Microsoft is that you just patch your MDAC to include the component from 2.7 or that you just update your MDAC to 2.7

For Christ's sake people, if this were a *nix bug, you'd all be beating your "we know how to update our machines" drum complaining that only stupid Windows users don't use updates.

Or perhaps it would be the "at least fixes are available immediately for *nix" argument. MDAC 2.7 isn't new, kids.

Just report the bug, and report the CORRECT fix.

You disagree with me. Mod me down.

Windows Update

[Captain+Large+Face]

Does Windows Update require signed ActiveX controls?

If so, I presume the default action would be to trust Microsoft controls? Will this mean that the majority of users will be exposed to this problem?

Does - Not - Compute

[duck_prime]

Well yes, but now you run in the horrible paradoxal loop !! Suppose MS say that they shouldn't be trusted. Assume you think it's right, so you don't trust'em, so you believe THAT sentence is false ! Therefore MS should be trusted. So of course you must trust'em, and believe they shouldn't trusted... And so on & on !

[Blinkenlights machine shudders and dies in a cascade of sparks and clouds of billowing smoke]

Evil Space Scientist: You win this time, Kirk. But I'll be back. Mua ha ha ha ha!

The recent patch fixes the earlier hole

[TrevorB]

I've not seen anyone actually state it here, but I can confirm that the most recent IE cumulative patch that came out this morning does indeed patch that rather nasty hole reported earlier this week. I now get a lovely "Permission Denied" Javascript error...

Now.. Seeing that Microsoft got off their butt and fixed the hole in just a few days, what does this have to say about releasing the exploit publicly?

Actually, nix that... the flame war was way too long last time.. :)

Re:why?

[Cro+Magnon]

Nearly half of /. users use Windows.

see my sig. :)

Re:why?

[caluml]

The thing is, I don't have the time to implement Linux,

What do you mean, implement it?!! It virtually installs itself! Head off to some mirror, and burn some Redhat 8.0 ISOs to CD, and stop using lame excuses.

Re:why?

[gosand]

I like UT for all out fragging, but I really like the old Team Fortress for the gameplay. Half-life was OK for this too, but it seems a little refined for my tastes. Kind of like driving a new sports car vs an older one - the older ones have a certain raw charm about them. Plus, I like the modding that has been done for TF, and I even created my own map. Fun stuff.

Are they trying to compete on # of vulns?

[miffo.swe]

This exploit should be known if they have fixed it in XP as another reader stated. Are Microsoft hiding vulns until they are found by others to keep the numbers on bygtraq etc. down? Heck, i understand them if they have a hard time getting less vulnerabilities than the biggest linux dists, together and with some vulns counted multiple times. Not to mention that a typical linux dist includes a couple of thousand applications more than windows.

I have a hunch that Microsoft is actively trying to downplay vulnerabilities. They probably knows about many more than they tell just to keep their numbers down.

The audit that took place at the launch of their Trusted Computer initiative hasnt made any impact. It hasnt resulted in new bugs found in any significant number. I would think that it points towards:

a) They did a crappy job and didnt find any new bugs.
b) Windows hasn't got any more vulns left (not bloody likely)
c) They found a bunch but to release them would show that windows is a schwiss cheese of code so they only aknowledge the ones found by outsiders. They hope they go unoticed until Net is ready.

Personally i vote for c since they should have found a bunch if they really did audit the code.

Ah, the irony...

[syylk]

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

Trustworthy Computing!

Yeah, sure... And then they recommend to be removed from the trustworthy list...

Re:why?

[spitzak]

It's fun to see MicroSoft make a mistake, but there is serious implications behind this, that would apply to Linux or any other system, and brings into question some new ideas.

The basic idea of signing code sounds quite good until you look at it deeper. There is no guarantee that signed==good. This is an excellent example where the signed one is actually worse. Now imagine if palladium was in there, refusing to accept a patch, or cheerfully undoing any attempt to fix the system, with NO way to fix it (you would no longer be able to say "I don't trust MicroSoft").

If you think only MicroSoft does such mistakes, I seem to remember there was a design error in the new Linux capabilities where it was possible to throw away the capability of *changing* your capabilities. If a bug happened to throw this away, and then your program tried to drop capabilities (and then ignored the error return, because that would be assummed to work always) and then execute untrusted code, the code would execute at full capabilities! Suddenly a system being advertised as a big improvement in security has turned into a worse liability!

I'm afraid that there are a lot of problems like this that are going to bite people. When you start to work on security you better know exactly what you are doing and plan ahead, and write a lot of real appliations, and assumme that there could be a mistake *anywhere*.

Re:While it's fun to pile on his Majesty Satanic..

[IamTheRealMike]

Why does Java not qualify for that?

Re:While it's fun to pile on his Majesty Satanic..

[smittyoneeach]

I suppose you can define robust and arbitrary in a way that makes Java an answer. Furthermore, I've seen demos of teleconferencing/whiteboard software under Java with a 56K dial-up pipe, given righteous data compression.
Yet, Java applets are not overtaking all browsers in sight. Begs the potentially trollish question: is Java the new Betamax?, or is it just Mr. Softy playing monopoly?, or is it something else?

Well, we did it.

[Maxwell'sSilverLART]

Well, gang, we did it: we slashdotted Microsoft! Windows Update is reporting "Service Unavailable" when I try to update my boxen here at work. Yay, Slashdot!

Stupid question?

[pod]

Uh, ok, stupid question.. but can't MS just revoke the signature on the compromised applet? If not, why not? Does that mean that anything MS signs, is signed for life? What about 3rd party software/drivers? What if there is a backdoor or some other hidden malicious code?

Catch-22 is probably a better description

[Tired_Blood]

From the recommendation page:
Who could exploit the vulnerability?
...
* Web client. A user could exploit the vulnerability against a web client if he or she were able to construct a web page that would send an appropriate HTTP command, and then convince a user to open it. Typically, this would be done by either hosting the page on a web site that the attacker controlled or sending it directly to users as an HTML mail.

Also:
A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

HTTP commands are the method for exploiting this vulnerability. By default, IE trusts MS. I must use HTTP commands to visit the MS site and thereby learn not to trust MS (as advised). But in doing so, I accepted anything that may be malicious, before I knew exactly how not to.

From this point of view, it seems to be more of a Catch-22. But then, in that scenario, MS would host the malicious server, which would be horrible PR and therefore improbable.

One last thing, AFAIK it's the "Paradox of the Lie" and not the "Liar's Paradox", since the classic example is a statement (Like: "This statement is false" or my sig: "This is not my sig."), and does not refer to a person or liar. I lost points on a philosophy paper for just that reason. Pissed me off enough that I still remember it today.

Why not just Microsoft?

[Jacco+de+Leeuw]

I don't get it. If there is a bug in this ActiveX control by Microsoft, why do you have remove certificates of all other Trusted Publishers?

How did it got there?

[mentin]

I removed Microsoft from my "trusted publishers" list a long time ago ; )

How did it got there? This list is empty on clean install. To be able to remove something from "trusted publishers", you have to add it to this list first.

So you clicked "trust Microsoft" link to be able to remove it later. Are you sadomasochist? ;)

Re:He's right about the fonts

[mbogosian]

Actually, I think more realistically, this would mean that Windows Mozilla would become the next hot bugtraq item. Mozilla running on Windows is not the same as Mozilla running on any other OS. Mozilla is guilty of using Windows-specific stuff too (like the JavaScript interpreter).

While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogenous across platforms as possible), I'm not sure it if would help Windows users all that much because by default Windows users are at or near the equivalent of root users. Windows is a security-week OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is still allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deaper than just IE.

Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security wholes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).

Here's an anology: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines siezed. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gas-ohol).

However, it's much easier in the world of easily-reproducable flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there's little to no tools available to make that process available to the common consumer. What's worse is that even if they were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.

No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.

In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.

Okay, maybe that analogy doesn't work either, but I think you get my point.

Re:why?

[rat7307]

At home, on the other hand, I only boot up the Windows machine if I need a Quake fix

If you'd bothered to look, id have had a Linux binary for q1,2 &3 for ages.
also Return to Castle Wolfenstein

The 'no games run on linux' argument is dead.

If only a few more games houses would follow id's example...

Total Annihilation on linux would make me happy....

Re:Typical slashdot crap

[cscx]

No, the article is wrong... the issue is IE not IIS-related.

Re:Want some cheese with that whine?

[Tony-A]

"Scott Adams entrenches himself deeply in corporate culture and has commercialized every aspect of his creative existence, by making fun of the very environment in which he thrives."
Nice bit of irony. More power to him.
It would be a bit hard for him to make fun of the corporate culture if he were *not* deeply entrenched in it.

Re:Windows specific?

[mbogosian]

It sounds like the same one that runs on every other Mozilla platform.

If that were true, then the behavior of the following would be the same across platforms:

// This is an undocumented
// IE way of accessing the
// attributes of a form
// named FORMNAME
document.forms.FORMNAME;

// This is the standard
// method
document.forms["FORMNAME"];

Note: the first statement works in all versions of IE that support JavaScript on both the WIndows and Mac OS X platforms. The first statement doesn't work in any version of Mozilla except the Windows versions. Several conclusions might be drawn from this:

1. The Mozilla JavaScript interpreter is different for its Windows binaries
2. Mozilla running on Windows is borrowing the built-in JavaScript interpreter
3. The Windows loader/linker (or equivalent) is forcing Mozilla to use the wrong JavaScript interpreter (though this is pretty unlikely)

If someone knows/finds out, please let me know. I'm dying to find out.