Slashdot Mirror
Java/Script Alert: Cross-Platform Browser Vulnerability
Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are
vulnerable
to remote command execution. This has been tested on Microsoft,
and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)
I'm going to stick my neck out here and say, What.In.The.Hell? Who's the editor on-duty here, an Onion stand in?
First of all, the example made is JavaScript, not Java. Second, the example shows how to bring up a page 23000 seconds after they left the page. Not good, but not new either. So what's the big deal?
A programmer is a machine for converting coffee into code.
Java is NOT THE SAME THING as JavaScript.
Come on slashdot editors, it's not hard to know the difference (this is in reference to the article title).
</rant>
- tristan
If you can't be bothered to write out entire words, don't post articles to slashdot.
It's not like you were tight on space there.
WHAT, exactly does the Java security model have to do with JavaScript--an unfortunately named, but totally different, animal?!
His anouncement is unfortunate in its proclamation that the problem is with Java. In reality the problem is with Javascript. While the names may be similar, java and javascript are unrelated. This is a Javascript problem, not a Java problem.
mp3's are only for those with bad memories
Does this mean I have to download a patch for Mozilla tomorrow to fix this? ;-)
Twenties Retirement
They are very different and a vulerability in a browser's implementation of javascript does not imply a problem "in the Java security model itself."
--
WHO ATE MY BREAKFAST PANTS?
We call it "Windows." Thanks.
The vulnerability is related to javascript and not java. The article is a little misleading!
Arf!
How his this irony?
MABASPLOOM!
That's not ironic. It's unusual, yes, but not ironic.
Can anyone who knows about this sort of stuff point to a more credible analysis?
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
There was a relevant message from Dan Veditz, of the Mozilla securitygroup, on the full discolsure list just this morning. I'd post the text but the lamesness filter doesn't like it. You can read it here.
I believe Safari is also immune to this.
Nothing from nowhere I'm no one at all
Headline says Java, writeup says JavaScript, Hemos update references both. Turning off JavaScript does not affect the Java plugins. Turning off the Java plugin does not turn off JavaScript.
So which is it?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Thats OK, I couldnt even install the java plugin on linux, because apparently the java plugin was compiled with pre 3.X gcc and mozilla 1.4 itself was compiled with gcc 3+, is there a compatible java plugin for recent mozilla somewhere?
US-UK-Israel: The real Axis of Evil
Hmmm...the first exloit didn't work, and the second took me more than five minutes to wait for the .class to download so I aborted.
Maybe I'm one of these linux admins actually patching their boxen?
konqueror doesn't show this - whatever you call it.
The coolest voice ever.
that this is a troll by the bugtraq poster to confuse people on the Java JavaScript issue?
There is no problem with the Java security model. The worst that can happen is a bad implementation of it allows applets to do something they're not allowed to.
But this isn't even about Java, it's about Javascript. Had it been about Java, you'd see a list of affected Java Virtual Machines, not browsers.
meme-boi wrote:
1 32
> Synopsis:
> --------
>
> Opera, Mozilla & Netscape with javascript enabled are vulnerable
> to remote command execution. This has been tested on Microsoft,
> and many many Unices. Macintosh may also be vuln.
The exploit example you give is not remote command execution but rather a
violation of the same origin policy. Unless there are additional details you
are withholding this same flaw was reported on Bugtraq April 15
http://www.securityfocus.com/archive/1/318777
and fixed in Mozilla 1.3
http://bugzilla.mozilla.org/show_bug.cgi?id=201
> There are many, many more issues than I have discussed. The minimal
> release is for giving the blackhats time to play.
If instead you'd like to give the whitehats time to fix them details would
be gratefully received by "security" at "mozilla.org"
-Dan Veditz
Mozilla security group member
This point is obvious, guy...
Whoever wrote this article has a third-grade knowledge of English and way too many rap CDs. "Werd"!!!
-
"This must have been posted by Microsoft as FUD to get people to stay away from superior products! It's all a trick! Don't listen!"
-
"What's up Taco? I thought April Fools had passed!"
- "Javascript serves no purpose ever, and why anyone would ever use it is beyond me!"
- "This is why we should all be using IE. I've never had a problem with IE security! Linux [l]users sux0rs!"
Did I miss any?It also means that this wont be a security problem for anyone with Privoxy installed.
But anyway, doesn't this mean that all those pr0n sites with popups can hack your computer? Oh, doh, we already knew that ;)
What is the point of the internet?
If you ask questions, one day you may disa...
if you turn off JavaScript, you turn off the vulnerability.
Man, talk about a one-liner to give the anti-Java folks.
The coolest voice ever.
I just tested with both Safari v74 (1.0b2) and v48 (1.0b), the example hack provided in the link did not work.
I was going to complain that I used that exact same text and the lamesness filter rejected it for 'too much whitespace'. But I just realized my terminal was copying the trailing white space on each line when I copy from Pine. Doh.
Let no hat, black white or grey, wander in on or about the www without fear.
...Red's up in the air, then?
So are your chances of getting laid before thirty. Time for a prostitute or a switch to the other side.
Is there some way we can mod this article as flamebait?
The AC modded as a troll has a point though. I was at a site today, won't pimp the URL (suffice to say it's a Golf related website). Anyway, I ALWAYS surf with Java off, but a friend said to check the site out, so off I go to discover no menus... I assume it's Java so witch Java on. I wait for about 20 seconds (this is on DSL) and see the craplet loading and it loads... A menu which, in a couple of places, could have been done in Javascript, and the rest with plain images and HTML. Quite possibly the worst abuse of Java I've seen.
It seems a lot of web designers need to consider the credo "Just because I can, doesn't mean I should."
Just FYI: you can get a gcc 3.X compiled java from www.blackdown.org
Obvious troll, but I'll bite:
OSS projects often have developers as users. They're much more likely to (1) recognise the problem as a bug, rather than just going "stupid computer" and restarting and thus are more likely to file a bug report and (2) are more likely to help fix.
On a completely different note, there's one important entity that IE is not secure against - Micrsoft themselves. And, given previous history, that means it's probably also not secure against the NSA and the current US Government.
Microsoft is the epitome of Soviet-style centralised control. I predict it will eventually fail, catastrophically, dragging the US software industry down with it, but not before it's done untold damage to freedom.
I do.
" The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, "
It would seem to me that the opposite is true. Mozilla goes out of their way to make it easy to report bugs and problems, while with MSIE all there is is a feedback thing buried in the Help menu that is likely a black hole resulting in nothing but spam.
Microsoft has a habit of leaving bugs and problems in place for years, while the Mozilla guys appear to be much more responsive. After all, they killed popups for their browser.
In other words, it seems to me that Mozilla has a much better and much more developed "improve the product and get rid of bugs" system going than Microsoft does for MSIE.
(I'm still waiting for MS to turn on the "bottom of the browser line that shows links, progress, etc" that they removed.)
"You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers"
The Mozilla guys are much more accountable: look at the forums they have for dealing with problems. Also, they have to be accountable or people will choose "No Mo' !". In contrast, Microsoft does not have to be accountable with MSIE: whether or not anyone likes it, they give it away as the default browser on just about all PC's.
Don't blame Durga. I voted for Centauri.
...you would probably find
int fo_sheezy;
char wassup;
double dawg;
float homie_g;
void homies(int truedat)
{
}
webpage
At first blush this seems plain wrong.
There's not really enough evidence in the post to go on, but the example exploit is pure nuisence java script, which has nothing to do with java
Reference is made in the text to ancient *java* bugs, but no detail is given as to how they might be related to the current, claimed bug.
If there's more here than meets the eye I'd like to see it, but there doesn't seem to be any meat in this announcement, it seems to be just a historical retrospective and an annoying-but-not-dangerous-or-new snippet of javascript.
Am I missing something here?
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird.
I'm still waiting to see an exploit here. I run Linux and FreeBSD Mozilla 1.4a. I don't use java.
Seems like this report may have originated from the NY TImes.
> which allows a remote site to read any file on the
> client machine
I doubt that.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
The exploit involves both Java and Javascript. It seems to involve having the user execute a Javascript program, which downloads a non-sandbox Java class file.
It would also be nice if more people coded in safer languages, or at least used safer string and maybe io libraries. The overhead of checking a damn buffer these days is easily swallowed by the ridiculously huge amount of computing power (both processor speed and memory) space available... I have seen probably about a 3000x increase in *home* computing power since my first computer (a C64...).
Actually, I'd like people to use counted strings instead of null-termination, too, but that's so not going to happen...
as reported on the full disclosure list, this doesn't let blackhats execute remote commands (or local, depending on your view point). this is "merely" (bad enough I suppose) a violation of the same-origin policy in javascript.
c losure/ 2003-June/010200.html
the same-origin policy dictates, that any code running, cannot modify anything, which is loaded from another domain. it may not even read from variables.
more here:
http://lists.netsys.com/pipermail/full-dis
Am I the only one that just read the bug and had trouble taking this guy seriously?
Basically, JavaScript is used to trick the browser into loading an unsandboxed Java applet.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability
In other news...if you knock your house down it won't get robbed.
Nice try but your "logic" (lol) fails the obvious test.
IIS has smaller marketshare than Apache Web Server, yet MANY more IIS vulnerabilities have been discovered and MS took a LOT longer to fix/patch IIS than Apache.
And to think I suffered needlessly when my friends called me paranoid for keeping Javascript disabled by default. I even went as far as getting that Mozilla extension that lets you toggle it on the bar so it's easier than digging through the prefs menus every time.
I'm obviously losing the battle here, since it's clear that most of you reading this run with Javascript enabled full time. This is how clueless sites can get away with stupid crap like using a JS redirect on their main page with no other content. A simple normal link would suffice, and a normal HTTP 301 redirect would be even better. But noooo... they have to do document.location type crap.
The one good thing about search engines is that they don't follow JS crap either, so if you aren't friendly to people like me, you aren't going to get indexed very well.
It's pretty clear that IE's problems are slowly but surely being squashed. When you have a user base as large as IE's, it is inevitable that these problems will be found quickly and exploited and then fixed. We can take this as an indication that the larger the user base of a software product, the faster bugs will be found and eliminated.
..Not to mention it flies entirely in the face of the fact that IE has the most piss-poor standards support of any modern browser. (CSS in particular).
It's pretty clear, judging by this and some of your former posts, that you work for Microsoft or at least enjoy spreading their nonsense FUD. Your assumptive argument--that a smaller user base means that OSS has more undiscovered bugs--is entirely illogical.
Now take Mozilla and Opera as opposing examples. The user base for these two browsers combined is infinitesimal compared to IE. It thus stands to reason that all of the bugs and vulnerabilities of these browsers lay dormant, waiting for someone to come along and exploit them. But without a serious user base hammering away at the product all of these problems lie wide open for any hacker to come along and abuse.
There you go again. You seem to miss the point entirely that having code open for review allows "hackers" to find security holes much faster and easier. So if a problem exists, it gets fixed much sooner than a closed source program which requires a lot more prodding and guesswork to discover the vulnerabilities. And yet IE still has historically had far more security issues than Mozilla.
Just because you don't use Microsoft products doesn't mean that you aren't vulnerable. You are probably more vulnerable, when you take into account the lack of users and lack of accountability of the OSS project developers.
Yet another patently untrue statement. Microsoft products have a far worse history of vulnerabilities than Open Source alternatives. Again your comment about "lack of users" is irrelevant. And your statement that OSS developers lack accountability is entirely baseless.
The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.
Between the awful writing in the article, the broken examples, the Java/Javascript confusion, and the contrarian IE-is-safe-but-mozilla-isn't thing; this may very well be the worst slashdot story ever.
Username taken, please choose another one.
So, with that same thinking , turn off my modem and im safe from all exploits..
Thanks for the USEFULL suggestion... seesh...
Perhaps when they start executing people that write and use exploits things will get back to normal again.
---- Booth was a patriot ----
Why keep clicking to kill pop-ups when you hands could be doing something else? :->
1) Isn't one vulnerability one too many?
2) Internet Explorer, for when you absolutely must not be affected by the 1 vulnerability found in Opera and Mozilla.
3) If you divide the number of bugs found in IE (30) by its userbase (98%) you'll find our product is only 30% defective whereis if you divide their number of bugs (1) against their userbase (2%) you'll find a product that is 50% defective. We all know that the number of bugs varies with the number of users, not the code quality. Right...... right?
Click here or a puppy gets stomped!
See Subject....
When oh when will Sun Catch a clue?
3 469
http://slashdot.org/comments.pl?sid=66433&cid=612
Dolemite
_________________________
Save the World! Use a Quote!
the problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability.
"Holy security through obfuscation batman!". JavaScript has NOTHING to do with the Java(tm) programming language, let alone the 'security model'. I'd have expected better from slashdot editors...
All your base are belong to us!
"They" didn't remove anything"
The View Menu did the trick. However, "They" did remove it: it was always on in previous versions, and it was only after recent updates on my machine that I found it was gone. I have found it missing on all other MSIE installations, and others I have talked to have mentioned this unwanted change as well.
Don't blame Durga. I voted for Centauri.
The M$ dominated world is quickly coming to an end and there's absolutely nothing you can do about it. For your own sake, wake up before you become entirely obsolete.
Duh-duh-duh...
Looks like someone forgot to get his daily allotment of bran this morning...
I can just hear the voice of Orson Welles as I read this warning me of the impending doom...or maybe one of those bible-belt you're-all-going-to-hell-faith-healers...
hehehe...
"Helping to keep you two steps ahead of the Thought Police!"
to any site that requires java and/or javascript or any damnable scripting virus to be on.
I'm sick of this shit. Mozilla needs to disallow all sites and let me pick the ones to allow script access, it's model currently sucks, same for cookies, images, etc. It's extremely difficult to block a sites java crap without killing all the stupid sites that force it's use.
Gee, if I turn off my computer completely, I am 100% immune to all the viruses that ever existed, plus all future viruses.
"Java/Script"! Catch/it! It's/hot!
This message seems very strange.
Take, for example, the commentary:
There are many, many more issues than I have discussed. The minimal release is for giving the blackhats time to play.
Furthermore, the language used is like nothing I have ever seen before.
The poster states that this is a Java problem, but then states that any browser with Javascript is vulnerable to remote command execution. He/she then goes on to give an exploit which has nothing to do with either Java or remote command execution.
The first exploit doesn't seem like much of an exploit either. Instead, it seems to that the script opens a popup, and then at some later time, changes its content. What is wrong with that?
As for the other exploits, they don't seem to have anything to do with the first exploit. They seem to be old Java exploits.
At the end, the poster recommends everyone turn off Java. But at the beginning, the poster said that everything with Javascript enabled is vulnerable, and the first exploit has nothing to do with Java.
Overall, I think it is easy to see that this poster was a troll. The general statements that are made, the lack of any specific information, and the mixing of unrelated exploits seem to make this quite obvious.
That's the spirit. Don't let words like "cross platform" and "Microsoft" (although they probably meant "windows") get in the way of a good troll.
Konqueror...
Mozilla fonts suck and I don't like that AOL has a finger or two in the pie.
Opera for M$ is nice but sucks on Linux..
No probs here.....
so... what time is the patch ready for mozilla? how about IE?
It has been reported that, by turning off your computer, you will no longer run into bugs.
Whether it's Microsoft or OSS, it's all buggy as shit.
Talking about how Mozilla and Opera show the advantages of open source software kind of blows up in your face since Opera is closed source.
You've inspired me. I audited my code like
you suggested, and found two bugs!
Thanks for rallying the troops! You're a born
leader.
Who would have thought of asking people
to audit code? How do you come up with
insights like that? THANKS AGAIN!!!
There's no telling how many remote holes
your little post has helped plug.
Oh I wish I hadn't just used my last mod point...
Quality, openness and accountability aside, I would suggest that bugs or vulnerabilities in Internet Explorer would be exploited quicker and more often because of the large user base and more importantly because of self-enflating (and militant) attitudes like the above poster. Simply put, it's more bang for your buck attacking IE, and less morally troubling if IE users are in line for a Darwinian end. (The Dodo deserved to become extinct because it was stupid afterall.)
Then there's the demographic differences between users of Internet Explorer and various open source browsers; these affect how often vulnerabilities are discovered and how quickly they are fixed. I would doubt very much that the average user of IE would look at the source code of his browser if he had access to it, just a little bit less likely than the average user of Mozilla doing the same.
Slashdot, you're like a second home to me, but please don't post stories like this any more. It's embarrasing. Try to look at the article, read it and evaluate it for validity before posting it.
;)
For the record, the Java vulnerabilities the decidedly juvenile post is talking about is the bohttpd java vulnerability that existed in netscape 4.7 browsers up to 4.76 I think it was, where the exploit enabled the jvm to turn into a http server for the whole filesystem. This was around 1999 to 2000 I think.
However, this post has nothing whatsoever to do with java. It reads far more as if some teenager has just discovered that one can do some funky stuff with javascript, such as function callbacks, crossframe clowning around and a bit of childish mischief such as opening a miniwindow with a script to track the users movements, as a lot of pornon sites do.
Congratulations, kid, next thing you know, they'll be calling you Mitnik
there would be hundreds of posts here flaming MS, IE, Windows, etc.
One of the linked pages provides a list of several vulnerabilities, one of which was announced recently.
If slashdot is going to post stories for subscribers well in advance, can it put some of its filthy lucre toward hustling some subscriptions from computer professionals of long experience, people literate in the English language, and other hard-to-find folks to fact-check BEFORE yet another elementary blunder makes the front page?
Nothing worth doing is worth doing today.
Re-read the top of the Slashdot discussion page, or see here: see here
If you know anything about java script you can see that the sample given isn't a security exploit. All it does is load up that security site's page in a popup window while counting down a timeout before redirecting to the page outputted from the javascipt. (That "werd" page). Read the article! Its bogus.
Reminds me of a the familiar anecdote: How do you keep your network completely secure? Unplug it.
This is my digital signature. 10011011001
I know Java,
and I know JavaScript,
but what the heck is Java/Script?
Can't people check before posting an article?
Last time I checked, Java and JavaScript were completely different.
You know that, and I know that, but the sorts of people on which one-liners tend to work will either conveniently forget or actually not know that.
The coolest voice ever.
1) *nix folks that aren't running the browser as root are safe from this issue, right? Assuming so, once again, *nix (and recent Wins) have demonstrated the necessary damage control of user-level code control.
2) If full-disclosure becomes frowned upon in the industry, wouldn't this be VERY BAD for non-proprietary systems? Specifically - If MSFT and Security-focus (et al.) don't disclose bugs like these, wouldn't it be an extremely powerful tool for both political and technical sabotage? I mean, what could be better for MSFT's new "trustworthly initiative" than selective disclosure? They would obviously want to distance themselves as much as possible from a security issue, and would undoubtedly (based on their PROVEN record of monopolistic activities) point the finger AWAY from their software - considering that they're a majority factor in the potentially forthcoming security disclosure realm?
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
The problem is somewhere with the Java/Javascript interface. But I wouldn't worry. It'll be fixed soon.
What is interesting is that Javascript/Java works a little different on IE (which is expected), Safari (sorta expected), and Konqueror (not expected).
I'm not knowledgeable on versions of Javascript these browsers have. Anybody want to fill in the details?
Well, there's spam egg sausage and spam, that's not got much spam in it.
I better go get a patch for my Unices system.
- Sherman
It's pretty hard for the standard to have piss-poor standards support. Or is there some other organization making standards that I'd give half a damn about? If Microsoft adds something to their browser - guess what - it's a standard. Not a "we just made up a standard and everyone should support it" standard like the W3C, but a standard that is supported by 99% of all users browsing the Internet. (And even in the W3C case, most of the useful standards see Microsoft input.)
The M$ dominated world is quickly coming to an end
And AOL openning USENET to everyone meant that the Internet would never be usable again. Uh-huh. Microsoft has never been stronger, and Linux has never been more irrelevant to anything that any desktop user has or ever will care about. Linux is useful for running a server on, but that's it. And it's not even that good at that. Once Itanium kicks into gear, watch as Microsoft Windows Server 2003 eats away all the remaining Linux server share until Linux goes back to being the insignificant little system that it craves to be. ("Someone's trying to make it so you can change the resolution without editting modelines, but that's just so stupid. I like calculating modelines! Oops, my monitor just blew up. Good thing I still have this serial terminal I threw together - I need it to restart X if I accidently leave it running over an hour.")
Some day, I dream of being able to post reality to Slashdot without having to post anonymously for fear of being labeled a "troll" and having all my posts vanish to the casual viewer. For the time being, this rebutal will have no name to it.
Er, the writer's first language might not be English- the info is there.
"Ironically enough, IE is unaffected."
Not so ironic- IE has more than enough other security holes to balance things out!
Hmmm... I just clean installed Mozilla 1.3.1 on WinXP Pro, and the bug still works.
Did I miss any?
Yes, you did. In fact, on any Microsoft bug, there are over 700 posts, with approximately 300 modded up with "Informative" saying "XXX browser/os is not vulnerable to this".
So basically I'm waiting for all those posters who post this, as well as all the user moderators to step down from their high-and-mighty position and accept there is positives and negatives to everything, and stop pushing their beliefs on others like some door-to-door Jehovah's witness.
Linux is about a choice, let people choose.
But maybe I'm in the wrong community for that...
When modding "Informative", please make sure it both has a source and IS actually informative.
Thanks! Anoter link I can direct idiots.. er.. friends to when they're saying Java and they really mean JavaScript :-)
I guess it was some scriptkiddie looking for five years for a bug in the javascript implementation, so he can tell his l33t friends how evil javascript is and everybody should disable it RIGHT NOW* and how l33t html 1.0 is and why everybody should use animated gifs instead of the hr tag. this must be the most exciting day for him... finally he can post something to bugtraq and get r33l l33t and even make it to the slashdot frontpage. His exquisite choice of various l33t wordZ speaks for his skillz. * (Note that he actually suggest to switch off Java)
Contrary to most opinions expressed in relation to this news, slashdot is a news site and not a propaganda site. If someone does not like to hear or read things they dont like to hear or read, than that person can plug his ears or close his eyes, but not try to do that for others. The reason that some unice software, like the Linux kernel, is considered secure and stable is because the developers treat all vulnerability submissions seriously, and get on with verifying and if necessary fixing them. They do not presumptiously declare that nothing can be wrong with Linux kernel, and in "good faith" accuse you-know-who of being the source of the evil.
I think that what most people miss is that software is a tool and not a religion. Do not be like that guy mentioned in the Bible who burns a piece of wood to make food and than carves out of another piece of it an idol to worship it. The problem is that idols have eyes but do not see and have ears but do not hear, likewise are those worshipping them. I think the parallel is that some, unlike some others, upon reading the article saw the writing that mozilla had a java (script), problem, but approached it like people who use it and not like those who also worship it, and did not close their eyes or try to close eyes of others.
One day (possibly thousands of years into the future) unix will be no more, neither will microsoft, but the Bible Author will be forever. Exodus 6:3,4. Chose carefully whom to worship. Joshua 24:14,15
Whether the Java VM or the browser is at fault it does not matter - the net effect to the user is the same - the JVM runs untrusted code. If your personal information was stolen would you take pride in the fact the the JVM sandbox model did not fail, per se, but its security was simply circumvented?
Why hasn't anyone moderated this as the biggest Troll ever.
look at him. he's caught all the Tuna in the north atlantic, and is moving on to the Chanel.
I don't know what's worse.
The ObviousGuy troll, or this moron.
It's a shame that all goatse links get modded down. Some are quite funny. And you'd think people would learn not to click them.
lack of accountability of the OSS project developers.
1) Many OSS developers are employed by companies (AOL/Time, RedHat, IBM, etc.) that they must be accountable to, and 2) Unlike proprietary products, when an OSS app does something wrong, people point and go "This is the schmuck that did it." There is a lot of accountability when everyone can see what you code.
And a larger codebase doesn't help much when the vast majority of that codebase does the same exact thing online. You tell me how many old ladies checking their MSN mail and ordering E-greeting cards it would take to find this vulnerability.
I'm not saying everyone using IE is dumb, or that everyone using Linux is smart. What I am saying is that thousands of users just like me wouldn't have made this problem any more visible. I would never have stumbled upon this. Moreover, I can guarantee you that many more Linux/Mozilla users are tech-savvy and fill out their bug reports compared to Windows users. Besides, it "stands to reason" that Mozilla could fix bugs faster. IE users trust a small few people to their security; if they don't fix it no one will. In the OSS world, it only takes a couple frustrated coders tired of a vulnerability to have it fixed.
We're a community, Windows users are consumers.
Ironically enough, IE is unaffected.
Wouldn't "IE is unaffected" had sufficed?
I can't see any irony here.
Bot Assisted Blogging
I went to the address the kiddie provided for his "live mild example" and it managed to . . . throw an error in the JavaScript console. Wow. Real impressive 'sploit there, kid. What's next? Cross-Platform Annoying Alert Window?
I browse with javascript off and only turn it on when I *must*. People laugh.
New browsers still don't put a nice easy 'javascript on/off' button right on the control bar. Nor do they generally provide site-specific javascript configuration.
Talking about how Mozilla and Opera show the advantages of open source software kind of blows up in your face since Opera is closed source.
Yeah, but Opera does show that even a closed-source business model does not have to be unresponsive to user feedback (not mentioning any Microsofts - ah feck) or take years to make changes. Okay, they may take a bit of hammering to understand what users want prioritised but Opera Software do implement standards support and user suggestions on a par with OSS.
Think huge monolithic corporation vs. small zippy company.
"What can I say? I'm the queen of java."
subduction.net
Dr. Spock does the baby book dude
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The problem is having a Turing-complete language that is sent to and runs on the client. We need acceptance of protocols that work well without needing TC downloadable scripting or applets.
Being TC opens up hacking risks considerably over non-TC protocols.
I have not seen much research on non-TC protocols. I have a pet GUI form protocol called SCGUI that is meant to work effectively non-TC, but there is not much for HTML-based action right now.
Table-ized A.I.
That's a slam dunk. Don't get me wrong, I'm a mozzy user myself, but this guy nails the "ironic discussion" with post that is, like another poster said, both funny, insightful and informative.
1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
"New bugs were discovered in Netscape's implementation of Java has been
found which allows a remote site to read any file on the client machine
and to set up a Java server which anyone can connect to. Brown Orifice
HTTPD starts a Java server which allows others to read files on your
machine."
Ya bunch o' n00bs.
Repeat after me.
"I will read articles fully before replying and allowing Dolemite to make you look like rank amateurs."
Hahahahahaha
Kisses
Dolemite
________________________
Save the World! Use a Quote!
Wake us when IE correctly uses HTTP Content-Types and renders PNG.
Hail! I am the great and most large in the PR Gates! For too long me and my worshippers have suffered from reports of "bugs" from you non-believers. While it is true that the majority of my worshippers ignore your attacks, I have not. SO hear me, this is a sign of things to come. If you...you.../.ers continue to attack my numerous features by labeling them bugs, I will so attack each of YOU directly. For example, I hear this Taco fellow comes up short in where it matters. You see! DO you now see the power that you contend with. You have been warned.
[Just Shut Up and Do What I say]
C'mon, who can still not make the difference between Javascript and Java ;)
:o)
By the way, should i remeber you that Java has never suffered from any flaws since his conception (security ground at least) !
I understand some ASM/C/C++ guru do not like to admit that Java has good things to bring to the IT world, but pushing such article is just a flamebait insanity.
By the way, it looks like FUD, and i would not be suprise if the author have some links with MS
Ok, to get to the point, Java freed me from OS chain and i am glad of it. I mean, i can deploy to my favorite Tux, whatever this **** of admin do not want us to run linux box on workstation. Or for instance, i can deploy to expesive unixes or old systems without having one of those machines next to me (or without having to build any kind of cross-compiling environment) ! Isn't that cool ?
Now if FSF and GNU had the nice idea to re-trigger the ClassPath project to provide us a descent GPL'ed version of Java, it would be great !
Should i remember the community that since the JSPA agreement - thanks goes to the Apache guys for getting this ! - any opensource implementation of Java can be provide by an org, and validated/certified to proudly displayed "Java compatible"! No royalties, no hack, no tricks, just legal !
Now, if nothing happen at GNU's for the next couple of month, it will only shows that it was not realy a problem of legals concern, but a matter of lobby at GNU's.
C'm'on move your mind !
Real freedom is choice enabled.
-SLK
...this means that the vulnerability poster was either a troll or just plain incompetent.
Not to mention a bad writer.
You can kill all sorts of nasty JavaScript, popups etc and lots of other crapware by running a small program called Proxomitron if you use Windows. It serves as a proxy for your browser and modifies pages before they ever get read by your browser.
.net (minus space) has a great set of filters that will stop anything!
I won't link directly for fear of the Slashdot Effect but you can go to proxo mitron.org (minus the space) if you are interested. jd5000
Highly recommended.
Quizo
Visceral Psyche Films
But who says those coders know what they're doing or if they do it in the most efficient manner because they might not see the bigger picture?
Keep in mind, too, that the OSS world is not limited to linux. I'm part of a very large Windows development community that not only uses IE (we also use Mozilla at times), but contains IE as a UI component, the same that Mozilla can *finally* do.
So, not all Windows users are consumers. This is a blatently stupid comment from a one-track-minded person. Some linux users are consumers to, albeit not as many because most consumers can't use it!
It looks like a hoax to me too.
:(
But, I wanted to try the 'live version' of this, but his host has severe bandwidth flaws which allow remote site deactivation for 24 hours! Independent of OS or browser! Even with "Java/Script" off! LOOK!!
The website you have requested has exceeded its daily bandwidth quota of 56MB and has been temporarily de-activated. It will automatically be re-activated within 24 hrs.
There are standards and then there are "de-facto" standards. An Internet standard is an open, well-documented set of criteria that coders can code
...wait there is no 3. :)
against create a standards compliant app. The reason for this is to ensure that any application that is compliant with the standard will give the same result as any other application coded to the same standard.
A "de-facto" standard is an implementation ( way of doing something ) that has become to be an expected feature of an application in a particular
market only because it is popular. The problem with this is that not everyone may implement it in the exact same way, cause unpredictable results, and in the end making the application user's experience "worse."
Anyhow, I stopped using Internet Exploder a year or so ago because Mozilla's way outclassed it as far as feature sets go ( popup blocker, tabbed browser interface, cookie management, and more ) that weren't standards at the time, but other browsers have caught on this is something we want more than features such as "mouse gestures"( which seems to be a dead idea at the moment ).
Hopefully that clears things up for you as far as standards go. As far as your other comments ( linux is irrelevant, XServer sucks, etc. First, you aren't talking about Linux as it includes only the kernel. Second, I can tell you really haven't used XServer as mine runs for months at time and actually has only stopped running if 1) I lost power. 2) I manually shut it down. 3)
I can't afford a sig!
I smell an ASP front page (l)user who thinks he's a programmer.
Now some Netscape or Mozilla user needs to tell me an exploit horror story that could have been avoided if they had used IE! We need the comic relief, don't we? Or is this, perhaps, a wakeup call?
"if you turn off JavaScript, you turn off the vulnerability."
Hell, I guarantte 100% security if you unplug all cables from the computer, including the power after wiping the HD's clean, seven times in a room with overlapping patterns.
There is a slight useability use with this method.
So, "...Linux is useful for running a server on, but that's it. And it's not even that good at that...".
.com sale), another $45 for the extra memory, and then another $160 for the extra disk). The tape drive was from a recently retired system...
Since it's not good for this, please explain to me how I can cost-effectively and SECURELY run the following on a Windows-based server. I expect uptimes to be measured in months, maybe years, and when I go out of town, I don't want a phone call about it. I'm also the only administrator (minus some account admin)...
Webserver (SSL-enabled, virtual-hosting, and PHP/Perl scripting)
Also include webaccess to email, voicemail, LDAP and SQL database administration tools, a photo gallery application, business accounting application, a few custom-built CRM apps, and web-based server administration tools.
SSH server
SMTP (email) server (includes spam and virus/.exe type filtering)
IMAP/POP server (SSL-enabled, with enterprise features such as user-controllable shared folders, quotas, and server-side filtering/sorting of emails)
LDAP server (for addresssbooks, and SSL-enabled for authentication)
SQL database server (actually two SQL server engines)
DHCP server
DNS server (authoritative and caching - plus split DNS services)
HTTP proxy/caching server
NNTP proxy/caching server
IRC (chat) server
Jabber (chat) server
Samba/SMB file and print server
iCal based calendar services
Centralized system logging server (including log monitoring/alert tools)
Systems trending and monitoring/alert tools (ie: bandwidth, disk space, processor utilization, etc...)
Voicemail server (35 mailboxes, CallerID, frontdesk-type routing, faxback, "account balance" type boxes, and general "script" mailboxes as well)
I expect centralized logins - so my users don't have to remember any more than a single username/password, and voicemail box number/password.
I also expect no downtime for the backups. Databases should dump to tools that can compress the data before it touches the disks.
I've invested $75 for the server (new, from a
Since Linux is apparently not able to do a good job at this (or so you say), please tell me how I can do all this on my existing P366 w/ 256MB of ram, and 60GB of software-mirrored disk space (about 2/3 full). As a system I manage, does EXACTLY this, and my client is quite happy with it (though for redundancy, I'd like to see it split out, they're happy...).
...and if you use IE, you're Immune as well.
What's this about modlines - I just press Ctrl-Alt-+ and Ctrl-Alt-- to change my resolution on my Linux desktops.
- You have to already have entered the modelines for that to work.
- It changes the resolution of the display, but not the area the windows inhabit - potentially leaving windows unaccessible off the screen.
- Typing CTRL-ALT-PLUS and CTRL-ALT-MINUS isn't exactly the most obvious method, is it?
- You can't adjust color depth doing that.
- You can't adjust the refresh rate doing that.
- You must go through any intermediate resolutions.
Congrats - you proved my point. Linux users seem to think that anything that makes things easier for the user must be wrong and that the strange and poor methods currently available are sufficient for everyone just because they use them.I manage 250 windows desktops, and in the past four years I've had five valid requests to change the resolution (the users are locked out of changing the setting theirselves). Let's see; 2% of my users have needed a resolution change over the course of four years... Hmm...
It's not like it's not possible - its just rarely necessary, and in such a rare event, what's the issue with having the user logout/login again? On the other hand - my desktop, which runs X11, has not needed a restart in over two months (kernel upgrade) - you cant say that about Windows desktops... I'm sorry, what was your point again?
I've NEVER adjusted the color depth of a machine - once it has been set at our system-wide standard (ie: the highest value the PC will go to). What's your point?
You're starting to sound like a Unix/OSS newbie upset that the OSS folks haven't made things to work just like windows does. Well, if we did, what would be the point - I sure don't an unstable and generally flaky desktop...
That most Linux distros seem to default to 640x480x8bit, at around 60Hz. I suppose you're suggesting that I should just have had the IT director change my resolution for me. Seems to kinda indicate why linux is doomed on the desktop. I'm so glad RedHat has a thousand-plus entry list of monitor types, so I can select my monitor and have it change the text string in the config file but not actually choose a good default resolution.
Linux can rot for all I care.
640x480x8 - huh? Where did that come from? On most distros, you're given a choice to the color depth and resolution settings when setting up the system. In addition, most distros also autodetect the maximum refresh rate that your monitor can handle, and then sets X11 to just below that value. As far as asking the IT director, maybe not, but someone at a level of authorization to make that change. Before we locked the setting down, we frequently got calls about a user's monitor that'd had been overclocked and consequently destroyed - because they changed a setting (resolution, refresh rate, or both) that they not only didn't understand, but never needed to be changed in the first place.
:-)
It's clear you haven't installed a recent release of any Linux distro in the past few years. I strongly recommend you try Knoppix - it runs completely from CD, making no changes to the disks in your system.
Linux is far from rotting - have you seen projects like LTSP? I know entire school districts, and even a few companies that have converted all of their desktop systems to that. Linux is turning out to be a great desktop OS for business environments (finally, a stable OS which is easy to centrally maintain/update, configure, and secure - and not only that, but it stays secure - minus your occasional buffer overflow, which happens on any OS anyway). Though I'd still refrain from trying to switch grandma over, it cant run her cross-stitch program, yet...
Linux and OSS are a community - products that come from the likes of Microsoft are a product, and only that. There are far too many geeks out there (me included), that will do whatever reasonably possible to keep that community alive - it's our livelihood, our hobby, and to some of us, or lives... We're not going anyway anytime soon, if anything we're still growing quite rapidly - thanks in part to the US economy, and dwindling IT budgets. Of-course, having damn good software doesnt hurt either