Slashdot Mirror
Another Critical Microsoft Hole
gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another
related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
"can make IE and IIS to run any code in the system"
Noooooo!
Minesweeper WON'T stop coming up!
--This girl at the library the other day
Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)
Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
``Don't trust Microsoft'' is just a good security principle in general. Finally they realize it. :-)
Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"
Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.
I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.
Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.
Difficult to read this post is, hmmm?
This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.
Reality is defined by the maddest person in the room
Interestingly, that page doesn't render properly in Opera 7 Beta unless you identify as MSIE - when it works fine.
Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know thats its not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.
*flame retardent jacket on*
That is all.
Why can't IE run in a process with reduced privaliges? Why does IE need the privalages of the current user on NT/2000 when all it does is browse the web?
Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...
The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?
Slashdot reports on pretty much anything security related. Besides this is not a little problem it's something that is pretty damn serious if you ask me.
All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.
"Don't trust us"
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
Reproduced for your enjoyment:
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:
1. In Internet Explorer, choose Tools, then Internet Options.
2. Select the Content tab. In the Certificates section of the page, click on Publishers.
3. In the Certificates dialog, click on the Trusted Publishers tab.
4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.
From the article:
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.
"Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"
An Eye for an Eye will make the whole world blind - Gandhi
Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.
I read the internet for the articles.
I didn't beleve this was true at first but this is actually what it says in the Security Bulletin:
--
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
--
According to the MSTECH bulletin:
Why isn't it feasible to set the Kill Bit in this case?
The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.
Conclusion:
-Microsoft refuses to kill itself.
how does this relate to: the story Microsoft on Security: We'll Break Your Apps
Hey... linus refused to change the behaviour of kill -9 -1 also
Because there are still quite a few of us
who still use Windows...
I've got half a dozen software packages that
are currently only available for Windows or
Mac, and as I don't like Macs, I'm stuck
with Windows for the time being.
This kind of story is "News for Nerds", and
as such, is, IMO, much more valid a story than
most that get posted here.
And as far as the Open Source comment; yes,
Open Source systems have bugs. However, I
don't know of a single one that will have a
website pop-up ask you to download a major
security hole under the name of trusted
computing.
Do you?
I like you, Stuart. You're not like everyone else, here, at Slashdot.
but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrasing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.
I miss the Karma Whores.
...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.
How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...
25% Funny, 25% Insightful, 25% Informative, 25% Troll
People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.
Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.
Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.
Avantslash - View Slashdot cleanly on your mobile phone.
Probably because a lot of us are sysadmins with companies stuck with Windows, and with this sort of news, we can take steps to protect our computer systems from MS-induced death, including convincing the PHBs to switch to Linux. ;-)
Also, Windows is more popular, so this sort of thing affects more people, especially clueless ones, the ones we need to educate to switch to Opera (ohokay, Mozilla then)
What time is it/will be over there? Check with my iPhone app!
I'm no M$ fan, but I deal with it at work so I make a point at figuring out how to deal with the problems. Frankly, this isn't a suprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.
.NET Framework Security -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.
.NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but its what I want as an admin...
.NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?
.NET: Enforce Code Access Rights... .NET Framework
Looking forward, I recently picked up
Mobile code that runs in the
Frustratingly, you can't run
Anyway... here's some additional links to M$ references on mobile code:
Security in
Security in the
"He wrested the world's whereabouts from the heavens And locked the secret in a pocketwatch." - Dava Sobel
The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.
To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.
Doesn't anyone consider this a mysterly convenient way to incourage the masses of windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vunerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net mordern os. hmph
or maybe I'm just nervous 'cause my coffee just accidently cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it
pm
** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
Here's a URL for you, even...
MDAC 2.7 Refresh
Keeping Windows secure is hard, but it's easier if you install the recent components...
According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.
Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?
It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...
So Microsoft says to not trust them. Ok, I will not trust. But then I don't believe in this request. So I should trust MS. Ok, I'll trust'em. But then the request is true, and I should not trust...
Prescriptive grammar:linguistics
While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.
Windows XP Shows the Direction Microsoft is Going.
Here's a theory I've long held regarding the excessive number of buffer overrun security holes in MS software:
The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.
What do you think?
I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
Security and utility are two contestants in a zero-sum game.
Which is not to say that <insert browser here> isn't a technically superior product...
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
From MS02-065:
So, who want to bet that the e-mails we will soon see circulating will have something like:
From: billg@microsoft.com
Subject: You can safely trust me
<html><body> Please read this e-mail carefully and make sure you download the provided control.
Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...
Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
...you could run it on Solaris too.
Somewhere in the heavens... they are waiting.
Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?
I don't think so.
Money for nothing, pix for free
Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?
I guess the same reason that...
Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3
Trojan Found in libpcap and tcpdump
Bind 4 and 8 Vulnerabilities
and
Vulnerability In Linksys Cable/DSL Router
were posted?
i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widly used" system
. . .or is it because we're always trying to make windows look bad??
You know, I don't think that's fair. The slashdot community dogs out everything they think is controlled by 'the man'. Just look at how much BIND and sendmail get bashed. Granted, these things have proven to be significantly less problematic.
3cx.org - A truly bad website.
1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.
2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?
My beliefs do not require that you agree with them.
The folks that are out there converting people to free software are the people that read slashdot. Keeping the slashdot crowd informed of the latest security holes in Windows, Microsoft's most recent snafu, and the best new open source project allows Slashdot readers to spead the word more effectivly. New information and new arguments are key.
Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes talked about at too many places. Why I don't know. They are certainly vicious.
However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?
"If you think education is expensive, try ignorance" - Derek Bok
If this doesn't affect XP, why can't Microsoft just issue a patch that installs the Windows XP components which aren't vulnerable? And also... why the hell isn't XP vulnerable? maybe they knew about this for a long time...
"The simplest way is to make sure you have no trusted publishers, including Microsoft."
So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?
It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?
Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem effects all publishers? Or are they simply admitting that this signed certificate thing isn't working?
Oh, if we can't run anything we want on your system, nobody else should either. pfft.
oktay
---------------
Founder of the The Free Linux CD Project
Because in a recent /. story there is reference to a recent /. poll which shows 47% of those who responded still use a Windows operating system.
/. users use Windows.
/.
Nearly half of
This would seem to validate the need to have stories about Microsoft software bugs, especially those as grevious as this, on
Current Microsoft story on CNN Tech news:
"Microsoft innovates"
With a nice little sponsered by, Microsoft icon right under the headline. That is why..
Hello, today when browsing the site, I found an error (probably typographical) on the site. I would appreciate it if you could correct this: The story "Another Critical Microsoft Hole" should be reposted under the "It's Funny. Laugh." category. Thank you for your time.
Were the public to follow their suggestion, this would be a big deal. They would basically have deprecated ActiveX controls as a dynamic content strategy (you can use what you have, but you won't get any more). You could argue that this has been done for them over the last year or so, but this is the first time I've seen them admit it.
However you look at it, having a bug that causes even a temporary strategy change is big news, regardless of how you feel about MS.
What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock in.
Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Yes.
Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.
autopr0n is like, down and stuff.
Aberdeen Research Group has this to say about open source and Linux security:
Open Source and Linux: 2002 Poster Children for Security Problems
November 12, 2002
Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.
Read more here
beowulf cluster of yoda there are.
karmasuicide2k2
world was created 5 seconds before this post as it is.
Depending on how you define "rich feature set" I would suggest PHP or perl or some other server-parsed scripting language. PHP in particular, when combined with MySQL, makes a *great* web development combination. Java code can be fairly secure to run, but it's run locally.
"Alcohol, Tobacco, & Firearms" should be a convenience store, not a government agency.
Re enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate use privledge. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..
--note to self--
Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
I've read that critique of Dilbert before and it is utter crap.
I've also read "The Dilbert Principle" by Scott Adams as well. It is an insightful and honest book about business.
What the author criticizing Dilbert does is say that by stating and exaggerating some of the bad things business does, he is condoning them. What a load of crap.
As for Microsoft, there are actions that they have taken that I do not like. But I have to use Microsoft products at work and have to know a lot about them. It doesn't mean that I can't also totally disagree with their licensing schemes. And while it may not seem like a big deal to you, my decision at work is whether to let users run Active X controls or not. There are big implications here, this story is absolutely not trivial and Microsoft made a major screw up in allowing this security hole to exist in this particular product in the first place.
It's not about anger, it's about vigilance and fairness. I may run Linux, but - like many here I imagine - I'm also the de facto Windows Support guy for family members and non-technical friends. So I want/need to stay informed of severe Microsoft vulnerabilities.
To tell you the truth, it's been a while since I've no longer needed stories such as these to convince me that Linux is more secure than Windows...there's no "anger" left (I don't thing there ever was - outrage and disdain, yes, but no anger), just a desire to be informed so that I can better protect my windows-using loved ones...
Reminder: find a new sig
So, to fix this particular little problem needs a hardware replacement "upgrade" :-(
Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.
I'll feed the troll. The issue is for users of IE, not IIS admins. Every single person who runs Internet Explorer is vulnerable. How many of those do you suppose keep up with security advisories? Even if they use the Windows Update system, how many of them do you suppose will read advisories and clear their trusted providers list?
So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.
Reasonable for a home computer is to do nothing, actually. I'll probably get railed for saying this, but for most people, security isn't really that big of a deal. They pick shitty passwords, leave tons of security holes open, don't bother patching, and don't even know what they're doing is unsafe.
Granted, this vulnerability is considered critical, but few people will ever encounter it. Someone has to hit upon one of these malicious sites with IE after having trusted Microsoft by default and must have MDAC 2.7 (comes with Windows XP, I believe). The chances of this are very low.
You asked what you would do for your mother's PC and I would say do nothing. My dad browses all the time, but he pretty much sticks to the same big-name sites, reads the news, keeps up on a few messageboards, and sends email. I'm not going to give him a confusing list of things to worry about -- I'd be calling him every day for things to watch out for, trojans to be wary of, and websites to avoid. Most people won't encounter the problem, so I'm fairly comfortable with not having to panic about it and call everyone I know.
(...)
"The simplest way is to make sure you have no
trusted publishers, including Microsoft. If you do
that, any attempt by either a web page or an HTML
mail to download an ActiveX control will generate a warning message."
(...)
We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!
This message doesn't need a signature
This message doesn't need a sig
From the MS Technet article:
Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?
A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.
Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.
$8.95/mo web hosting
In no event unless required by applicable law or agreed to in writing will any copyright holder
Indeminification of software writers is standard practice. There are tons of better things you can use against Microsoft than this lame argument.
Linux users know all about their bugs. They are the ones fixing them. Bugs in proprietary software are more interesting/important because they acknowledge commercial vendors inability to get working code out the door before profiting from it, a despicable but almost always necessary evil (if you're commercial and proprietary, that is).
1. Get an idea for useful softwaree
2. Write a lot of working but buggy code
3. ??????
4. Profit
Then later when you can rest assured that the investors or collectors are happy...
5. Fix bugs
And if you're a monopoly...
6. Release bug-free "Upgrade" and charge more money.
A fool throws a stone into a well and a thousand sages can not remove it.
So this is news because it blows the doors off the signed executable philosphy and makes the sandbox philosohy of the java VM look like the only viable approach. Notice that the JAVA approach would have avoided both problems. first it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second there would be no signed app trustworthyness issue.
Some drink at the fountain of knowledge. Others just gargle.
Wasn't that the rationale for the existence of "certification authorities"? If one must make one's decision about trusting a software or not based upon the site where it seems to be, then there is no need at all for security certificates. Speaking for myself, if it says "Signed by Microsoft", I don't trust it at all, no matter if it was in a cracks site or not.
Watcha gonna do when something like this happens, and the airtight MS security system is burned into your hardware?
Comforting thought, huh?
Why doesn't Microsoft wake up and just apply the "mozilla patch"?
Seriously? Because this would work against the goal of creating a seperate Microsoft Internet that requires Microsoft platforms to run on. The enticement to lock yourself in is the additional features. Like a narcotic. It's the easy solution. No more pain. Surprise, you're addicted. Installing Mozilla takes you a step in the wrong direction. The direction of being more platform neutral and standards compliant. From this standpoint it would be better to keep you off of Mozilla and just do whatever embarrasing thing is necessary to fix IE.
I'll see your senator, and I'll raise you two judges.
I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.
What will happen when people start treating Microsoft's security lapses like the epidemic they are?
This is not my sandwich.
Does Windows Update require signed ActiveX controls?
If so, I presume the default action would be to trust Microsoft controls? Will this mean that the majority of users will be exposed to this problem?
Actually, I think more realistically, this would mean that Windows Mozilla would become the next hot bugtraq item. Mozilla running on Windows is not the same as Mozilla running on any other OS. Mozilla is guilty of using Windows-specific stuff too (like the JavaScript interpreter).
While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogenous across platforms as possible), I'm not sure it if would help Windows users all that much because by default Windows users are at or near the equivalent of root users. Windows is a security-week OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is still allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deaper than just IE.
Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security wholes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).
Here's an anology: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines siezed. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gas-ohol).
However, it's much easier in the world of easily-reproducable flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there's little to no tools available to make that process available to the common consumer. What's worse is that even if they were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.
No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.
In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.
Okay, maybe that analogy doesn't work either, but I think you get my point.
moto411.com
It sounds like the same one that runs on every other Mozilla platform.
If that were true, then the behavior of the following would be the same across platforms:
document.forms.FORMNAME;
document.forms["FORMNAME"];
Note: the first statement works in all versions of IE that support JavaScript on both the WIndows and Mac OS X platforms. The first statement doesn't work in any version of Mozilla except the Windows versions. Several conclusions might be drawn from this:
- The Mozilla JavaScript interpreter is different for its Windows binaries
- Mozilla running on Windows is borrowing the built-in JavaScript interpreter
- The Windows loader/linker (or equivalent) is forcing Mozilla to use the wrong JavaScript interpreter (though this is pretty unlikely)
If someone knows/finds out, please let me know. I'm dying to find out.moto411.com