IE Vulnerabilities Page Removed
Henry V .009 writes "PivX Solutions has removed its (in)famous Unpatched IE Vulnerabilities page. Is Microsoft really getting better? From the site: 'Given Microsoft's recent positive actions together with the current rise in attacks against IE we have agreed to give Microsoft a good faith reprieve and have taken down our 'Unpatched' page. This was done in both a spirit of cooperation and for the good of the internet as a whole. As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH!'"
Google cache
goat?
Crash
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods.
And as most of us here on Slashdot would say: That's exactly why it SHOULDN'T be the ubiquitous browser. And despite it all, it still is.
As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much...
Who, exactly, is we? And have this "we" ever heard of any alternate browsers such as Mozilla and the like? For those in the loop, it's just nice to know there is some light in the darkness of the internet browser.
What's in a sig?
Any time one piece of software from one company can be responsible for such negative impact on our lives because of how poorly it was designed, while still remaining far and away the dominant product in its category in spite of superior software being readily available, that's a sign that the ill effects of monopoly power are at play.
Read the EFF's Fair Use FAQ
Translated into English, that means "we got the cease and desist and don't want to pay for lawyers"
Yes but will Microsoft actually patch the holes :(
At least full disclosure of the problems keeps the heat on Microsoft.. The heat which has not evaporated..
Security by obscurity isn't effective..
Simon.
What were the reasons against a monopoly that my economics teacher tested me on again?
"1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
The cracking/hacking underworld has its own full disclosure mechanism. Example: http://www.xfocus.org/
here
I fought the corporate America, and the corporate America bought the law.
$o, how much wa$ enough?
We all should give pivx a huge hand!
First, they applied the pressure to help force microsoft into fixing the software.
Second, they are now giving microsoft some slack (negative reinforcement?) for trying to fix its browser.
Bravo guys!
Plus, these guys are hiring!
Damn, the last browser with good VTP support.
It's nice to see companies start taking some pressure off MS; we have seen incidents when MS was pressed to issue patches which broke more things. Just hope MS isn't taking this for granted and fixes things more slowly than it should be.
Did they recently read Steve Ballmer's "Just Be Quiet" speech?
You think hackers aren't going to know about these vulnerabilities now? Once you publicize them, they're out there forever.
That website was a nice resource to point out "mistakes" that MS has made, and I'm sorry to see it go. I don't really want to go to "L33t H4ck3rs w3bs1te"
Internet Explorer has more holes in it than 50 cent & Jimmy Hoffa combined.
But unfortunately browsing will be even more tied into the OS with Longhorn according to Microsoft. IE6 sp1 will be the last standalone version of their browser.
So rather than relying upon full disclosure, as practised by Bugtraq, etc, and hoping this will shame companies into fixing their buggy products. Instead we find problems and don't tell anybody so that the bad terrorists, err, people, don't find out?
I think this is appalling, and will happily offer before the google cache expires.
There are plenty of alternatives, and I haven't come across an IE-only page in years. Let's quit the "Everyone uses IE" rubbish. Most people use IE, because it's already there on their PCs, that's very different from depending upon it.
You are not alone. This is not normal. None of this is normal.
Google Cache
I know that is a nice rock to crawl under around here somewhere.
How fortunate this is for the internet community! Imagine if IE were open source like this Mozilla thing! Keeping every working detail and possible vulnerability all very hush-hush is what makes IE the great browser that it is! How does Mozilla survive? I mean, come on... Bugzilla? They should follow these guys' example and shut down.
For the good of the internet as a whole!
At the waste of a few more megs, I downloaded mozilla for windows and now I only use explorer for local files and downloading the weekly windows updates. This way, I don't have to worry about popups, evil javascript, ad banners, and I have better control over cookies and form autocompletion. Internet Explorer sucks, but Mozilla's free. Not a bad situation.
"This was done in both a spirit of cooperation and for the good of the internet as a whole"
Meaning we were bought off by M$.
He who knows not and knows he knows not is a wise man. He who knows not and knows not he knows not is a fool.
2 points for you... if I had them.
at least put up links to alternative browsers like mozilla and help SOLVE the monoculture problem!
pr0n - keeping monitor glass spotless since 1981.
So you bowed to MS pressure and/or are idiotic enough to believe that you taking the page down makes a difference. My professional opinion of PivX just went very low.
Get the latest version of Mozillabird. Unlike the bloated mozilla, it's only a 6Mb download, and is getting smaller every day! It's extremely easy to use, complete with tabs, built-in popup blocking and more! If you know somebody who's got screwed by an Internet Explorer vulnerability, then get it installed today and save them!
And of course, if you want to take the plunge into linux, then use epiphany, easily the best browser for linux! Decent fonts, easy to use and no geeky bits!
In this Macintosh-only household the browser of choice is iCab!
The ONLY time I use IE is for the few times I have to access my bank's website and mess with my accounts online. As my bank is stupid beyond words, their website is IE only.
For everything else, I use iCab.
Guaranteed! This comment 100% Anthrax free!
Smart people use mozilla though.
I went to a site just yesterday or the day before, which listed a bunch of vulnerabilities. One managed to delete wmplayer.exe! And I had a fully patched IE at the time. A couple other tricks managed to load their own javascript while I was at a banks website!
Bad move, guys. I'm sickened.
This is fallacious. Obscuring the flaws of IE would be useful only if there was no other browser available. The page should stay up as a warning for people, so they can use any of the other perfectly suitable alternatives out there.
Anyone who wants to do just a little bit of research could create a similar list; that list would be of very little use for crackers. But pointing out flaws in widely used products is an important service to society.
I give thumbs up to full disclosure.
And a big thumbs down to PivX for going the wrong way.
Me.
Normal people don't give a fuck about security! (only in-secure people do!)
They just want to get stuff done.
in the real world people shouldn't need to have a PHD in programming or whatever in order to surf the web,
so quite frankly who fuckin' cares?
This story is boring, and isn't news at all.
Since the crooks and social deviants don't have any way whatsoever other than that page to find out about Microsoft's internet vulnerabilities.
Anyway, IE is too much a part of our lives for it be easy for us to know exactly what risks we are exposing ourselves to by using it. Enough negative PR is enough.
Ignorance is strength!
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Could it be that M$ put some pressure on them, either directly or indirectly, through their government/business contacts?
Any time Balmer screams 'uncle' it makes me want to turn the screws tighter - not let off...
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Many people run Internet Explorer in Wine, and with such horrendous virus vulnerability it is no doubt that several win32-based virii are contaminating linux files unnoticed. This happens because many Wine or WineX configurations have a setting for a Network drive to point to ${HOME} and this is where all the user's files are located! Run a win32 program, receive a virus, and the virus will no doubt propagate to whatever resource is available, including whatever is write-enabled in ${HOME}! Now we can say Microsoft's shit stinks less, but that still doesn't remove the smell.
"we have agreed to give Microsoft a good faith reprieve and have taken down our 'Unpatched' page."
Fuck! Lawyers! Quick - roll onto your backs and do anything they say!
"we all depend on IE too much"
Speak for yourself - this message was posted via Firebird.
Not posting useful, factual information is a good thing? Hey, thanks! Next we can close the whole Internet, then get to work on those pesky libraries.
---
SCO is weenies
Gator is Spyware
Microsoft is thugs
Translation: The Cease and Desist letter arrived in the mail today. And let's face it, we don't have the money to fight these guys. Score 1 for the DMCA.
how much the check was for, and if they waited for it to clear before taking down the page.
Stupid sexy Flanders.
After the second read I still couldn't decide if he was trying to be tongue in cheek or if he actually meant all that crap about good will and social deviants.
What a load of shit, and what a way to lose one's credibility.
...was they couldn't afford the 3 full time web programmers to keep the page up to date.
See www.litepc.com
"Of course we weren't 'asked' to take it down. It was suggested, and encouraged with large amounts of money from M$"
"The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
After reading this post, I read PivX's name as something else. Whoops!
I just looked at the google cache of this page and it looked like Microsoft had a ways to go before receiving a "good faith reprieve" from this site. This sounds like the voice of someone with the corporate pistol pointed at his head.
At first I saw "IE Page Vulnerabilities Removed" - it's about time. It's always tough finding that right balance between security and right-to-know. On the one hand, we need to know what's wrong with the software we use, and on the other, it's critical that the manufacturers are given an appropriate amount of time to repair the vulnerability before someone has a chance to form an exploit.
I think some of the new anti-hacking laws prohibit anyone from disclosing such vulnerabilities, as a warning or not. Someone may have called these guys and told them to take it down or face Federal prison.
Try again, dipshit.
The Ravenous Bugblatter Beast of Traal is a mind-bogglingly stupid animal. It has almost no capacity for learning from experience and is therefore surprised by virtually everything that happens to it. Here is an example of how stupid it is: it thinks that if you can't see it, it can't see you. Its behavior would be quite endearing if it wasn't spoilt by this one thing: it is the most violently carnivorous creature in the Galaxy. Avoid, avoid, avoid.
I want the fire back.
(C'mon, guys, you have to say it more often to really get the "mantra" feel...)
What is exactly why it shouldn't be the ubiquitous browser?
That we depend on it? That logically follows from the definition of ubiquity.
That there are crooks, social deviants, malcontents, and crackers? That's a part of life.
Either you pasted the wrong quote, or you (like most of us here on Slashdot) don't back up your anti-Microsoft rhetoric. It's not hard to make a logical case against IE, this post is just sans fact.
--- What
I myself recently changed over from IE to Firebird, as I was just too fed up with the system slowdowns, the lack of feature advancement, and the glaring holes IE has. I had to learn about these issues the hard way. How do you expect Mr. and Mrs. Average User to make any sort of informed decision about their situation and vulnerabilities?
Sadly, it seems we've entered the don't ask, don't tell portion of the story. We all know what a success that policy has been elsewhere.
...tizzyd
I don't know about you, but I trust bugtraq.
Recent posts have confirmed that IE is *still* vulnerable to a range of exploits (quite an interesting read too) even patched up to the latest MS release.
TODO: 753) write sig.
Not to burst your bubble or anything, but Bugzilla hides all the vulnerabilities as well. They're marked as security confidential and you have to be a member of the security team or on the CC list to be able to view them. You'll get an error page if you try to access one, they don't show up in queries, and the summary information is censored so you can't guess about the bug by the description. These bugs only get unmarked once they've been fixed and released or there is some public disclosure of the bug by a third-party.
we all depend on IE too much
It was a long while coming, but a faster, more secure, less bloated browser that actually adhered to internet standards..
As you may have guessed, I'm referring to Mozilla Firebird (not plain old Mozilla). It's the first time I've given up IE when working under Windows in years..! (Read about my reasons here)
But why take down the page?? Sure M$ might be working to fix the bugs, (they ought to!!) but we need sites that *do contain* this information. We, as IT Managers and other "technical" people, need to point out the vulnerabilities in IE to others.. Both to promote other browsers, and also to get them to patch their copies of IE..
Bravo gentlemen!
Are they kidding me? The good of their soon to be exploited by MSFT lawyers arses -- that's for sure. The good of the Internet as a whole -- no way. That's security through obscurity in the most obvious and insulting form. It's a good thing that since they removed the information no one is going to know it... *sigh* I think they are insulting the intelligence of every Slashdot reader. What next? Are they going to remove the security focus articles they linked to as well? Is this madness ever going to stop? OK, I'll stop now. I guess I've read too many books about security to stay calm while being insulted this way. I'm sorry.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Why aren't other pages keeping track of unpatched vulnerabilities in other software? Well, have you ever tried to match up the CVE database with patches? It's difficult. I don't know anyone who can answer how many unpatched vulnerabilities are present in W2K, XP, and the like. Has to be boatloads.
Vulnerability disclosure doesn't create pressure on MS, however. Malicious code creates pressure. Consider the MSIE vulnerability that led to QHosts. That one was old -- in August MS said that the patch they produced should have corrected the Object Type vulnerability, but didn't. Yet the patch wasn't corrected until October, and that was only after QHosts exploited it. The exploit, however, raised MS's concern so much that they issued the patch on a Saturday instead of their regular Wednesday schedule... wow, the vulnerability is known for two months, then suddenly a patch appears AFTER the exploit is released.
What are the lessons?
(1) Apparently ALL MS software has unpatched vulnerabilities
(2) Apparently vulnerabilities are not priorities for MS unless exploits become newsworthy
(3) Trusting on MS patches to correct vulnerabilities is a recipe for disaster.
Enough is enough. We shouldn't allow crooks to mess up with our lives. Therefore, we should all remove IE from our systems.
Now they just need to fix their CSS support, which is disgraceful and is giving web designers headaches all around the world. Looking at the specs you can see how easy life would be if IE supported even half a dozen more CSS properties and fixed a few bugs. It almost makes CSS useless. No browser has got it perfect, but IE takes the piss; sometimes they don't even bother supporting something in their own way, let alone to W3C specs!
This comment does not represent the views or opinions of the user.
If you click on the link straight through, it works fine. But I have ctrl-click open in a new tab in the background, and that will crash Moz.
Its not what it is, its something else.
A short history of vulnerabilities reported by PivX:
- June 18, 2002: 18 vulnerabilities
- August 8, 2002: 22 vulnerabilities
- September 9, 2002: 19 vulnerabilities
- November 19, 2002: 32 vulnerabilities
- December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on Nov. 20, but two new ones were found.)
(From my article: Windows XP Shows the Direction Microsoft is Going.)
One word...Firebird! (it even rhymes)
Do people *really* depend on IE, when they also have Netscape/Mozilla, Opera, etc.? I find it a constant source of amazement that people simply put up with the flaws in IE. A very large number of people, particularly in the corporate world, know what a disaster that piece of software is, but still they don't shift. What are they waiting for? Permission from Microsoft?
Then again, I suppose I fail to take into account how many suckers have built intranet and Internet sites using embraced and extended protocols that lock them into using IE. Well, it's not like they had any way of knowing this kind of thing could happen, could they?
Not all security holes in Bugzilla are public. For example, bug 217195, which I reported, is marked as security-sensitive. Bugs that are marked as security sensitive usually aren't made public until after a release (such as 1.5) that includes the fix.
On the other hand, the code and information about changes to the code are public. For example, you can search bonsai to find out that this checkin was associated with bug 217195. I'd be impressed if you could construct an exploit based on that patch, though.
The shareholder is always right.
It shouldn't take much effort to pick up where PivX left off.
...or perhaps this already exists & I'm not finding it?
To make it even better, the known security vulnerabilities of other browsers could be added for comparison and quick review for those (mostly everyone) who don't have the time/inclination to scour the web looking for all the disparate info on browser insecurities...
For those who still use IE, you can check your browser for security vulnerabilities here, http://browsercheck.qualys.com/, though I don't use IE & cannot vouch for the effectiveness of their scanning/detection.
So, who's gonna step into PivX's shoes?
Because it is not the best browser.
--jeff++
ipv6 is my vpn
I am terribly sorry for the typo. It should be "Internet as a whole" not "Internet as a hole" of course. But one has to admit that in the context of the arse anal ogy the "hole" sounds kind of disturbingly appropriate, to say the very least... One only has to wonder if what we see here is not "Internet as a whore" -- MSFT whore that is.
Speaking about security, I'd like to point you to my recent article on the topic. I hope you all find it informative.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
I sincerely hope that if Microsoft doesn't fix each and every valid vulnerability that was listed on that page, within six months, that the page gets restored.
It has been proven time and again and again and again that vendors, especially monopoly vendors, will not fix their systems in a timely manner unless they're pressured to. And by "timely manner", I mean within four weeks.
The last five or six MS security bulletins I've seen had lapses of between SIX AND NINE MONTHS between the reporting of the problem and the release of the patch.
So two things:
1) If Microsoft doesn't fix all the currently-known vulnerabilities within six months, somebody should take it upon themselves to start tracking them again
2) If Microsoft can't get their act together and release patches for new vulnerabilities in a timely manner (instead opting to waffle for six months while real people's systems are getting exploited because MS is _never_ the only entity to know a vulnerability, and it's almost guaranteed that somebody with nefarious intentions does), then somebody should take it upon themselves to start disseminating as much information as is required for *real* preventative measures to be put in place
I'm all for giving them one more chance, but I'm not willing to sacrifice my clients' systems by changing my standards for this "chance". They either do what they should do, or they have to deal with me telling my clients exactly what they need to do to protect themselves from a given vulnerability - and that information would almost certainly be enough for a black-hat to use if it ever got leaked.
If you think my standards are too high, consider that other vendors whose software is used on systems which literally control life-or-death systems often release fixes within hours and days, not weeks and months.
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
That quote sounds like Ballmer words put into Larholm's mouth.
Unless you're a geek, you don't know about Mozilla. You might know about Netscape and think 4.1 was about the end of the line. You may even have tried one of Netscape's releases of Mozilla and thought it sucked (which, let's face it, it does). Most users of IE think that installing a different browser on their computer will break IE. They fear losing their bookmarks and their history. All that's really needed is a good public education program. Most of which can be achieved by each of us sending our non-geek friends to www.mozilla.org.
How we know is more important than what we know.
I think it's safe to say that if they can't manage after 6 generations and god-knows how many years to properly implement a standard like HTML and CSS*, which let's face it is not exactly quantum physics, then their security is probably not going to be rock solid.
I wish they had lost this market to someone else like they lost the web-server market, because frankly they can't make IE work. How many years do you need to implement a text-based information formatting language? It's still riddled with the most irritating bugs because they do not understand the standard and they don't understand CSS and what it could potentially do if it was supported by them. Mozilla or Opera both rock and I haven't used IE as my default browser for 3 years.
*Their CSS support is making me pull my hair out
This comment does not represent the views or opinions of the user.
I've opened it in a background tab, worked fine...
You don't like IE because it is full of holes. You care about people so much that you want them to switch to a safer and better browser, yet you fully support the disclosure of information that is useless to anyone else back hackers. In other words what you want is not the well being of users, you just want them to switch to your software.
That page is useless to just about anyone other than hackers or microsoft.
did you forget to take your meds?
10-1 says the lawyers got involved and someone mentioned the DMCA
The whole point of Microsoft's conviction under the anti-trust laws is that that statement is false. People bought other products and the browser was strapped to them (shafting SpyGlass systems en passant).
Microsoft claim(ed) that Bad Things would happen if you used a different browser with Windows (kind of like a car manufacturer saying "if you run your car on any other oil, it will blow up") and even forged a video in support of that, to present under oath - which is slap-bang centred on my idea of "anti-trust"; they've breached trust with the Court, their customers, enemies and allies impartially without fear, favour, warning or quarter.
Got time? Spend some of it coding or testing
Very funny!
...tizzyd
Am I the only one who read "IE Vulnerabilities Removed"? I knew it was too good to be true...
That's funny, but jokes aside,
I believe this is what Microsoft should be doing, id est removing the vulnerabilities themselves, not merely the discussion about them. Those greedy bastards have so much cash that patching IE should take them less than 6 weeks. So I am asking: why aren't they doing that? Is there any Microsoft employee reading this who could answer my question? I surely hope so.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Huh, I don't know. It crashed it when I clicked straight through this time. Maybe different versions of Moz? I am running Mozilla 1.4 on both a WinXP and Linux, and it crashes on both.
Its not what it is, its something else.
Speaking as someone whose Win 2K install was thrice raped in the last month, PLUS I didn't use Exploder, being a Mozilla fan from way back, all I can say is "TOO LITTLE TOO LATE."
Frankly I'm just fed up with the update treadmill. Everytime M$ patches something, it breaks the installs for a half a dozen EXPEN$IVE programs.
I mean just forget about EXPLODER for the moment, what about all the other holes, buffer overflows and INTENTIONAL BACKDOORS M$ builds into its useless product?
Frankly I did the only sane thing a person could do. I ripped all M$ products off my systems and now run a LINUX-ONLY SHOP.
Sure it's ugly, and it's a pain to recognize hardware and I may have to write my own applications to get it to do what I need it to, but at least it won't be TROJANED WITHIN 24 HOURS OF A TOTAL REINSTALL!!!
The upshot is, after three weeks of reinstalls and other nonsense, watching my system's files disappear and registry change and finally my Ebay Password change, (All while invisible to NAV, HOUSECALL, TDS and Trojan-Hunter) I have ended up closing every e-commerce account I had on the web and now use the net only for surfing the net and retrieving my email and listening to Netradio.
M$' "secure computing initiative" makes me want to puke. Unless they redesign the OS from the ground up, WITHOUT ANY BACKDOORS, E-commerce is gonna go the way of the buggy whip and the hula hoop.
I was lucky enough to be tipped off by the hacker "playing" with my files in the beginning. I feel sorry for all of you out there, running Win machines, even with Zero Day Patches, who probably have already been hacked and don't even realize it.
Frankly my feeling is that anyone who tries to do business on the net with M$ software, INCLUDING VENDORS, are in for a really nasty wakeup call unless M$ gets its act together and designs a secure product from the ground up without any backward compatibility.
Death to Micro$haft!
"Security is not Job #1"
Got time? Spend some of it coding or testing
The folks at mozilla keep their security bugs hush-hush in the name of compromise:
http://www.mozilla.org/projects/security/security-bugs-policy.html
What the summary DIDN'T include...
As you know Microsoft has just released a new patch MS03-040, which renders several IE vulns obsolete. We are presently testing the efficacy of the vulns reported to be fixed and we can report that MS03-040 is doing the job it was intended to.
So why was that left out? Reading the summary I just thought that these people were being nice guys to Microsoft, and not that Microsoft actually addressed and fixed many issues with IE.
One sided journalism?
I wonder if the site was just hacked by Microsoft. I don't think they could have issued a better press release if they tried. If it wasn't hacked (which I really don't think it was), it sure seems like they're trying to kiss M$'s ass on this one.
today is spelling optional day.
we have agreed to give Microsoft a good faith reprieve and have taken down our 'Unpatched' page.
They don't give a timeline for how long it will take for Microsoft's complete lack of action in fixing its crappy software before they become so pissed off that they put the page back up.
All together now: Mod Parent Up! (-:
Got time? Spend some of it coding or testing
If you've tried Safari on OSX, I doubt you'd go back to IE.
Just in case not all of you already know that, I, as probably most of Slashdot readers, don't allow Windows on my network. Period. But it doesn't mean we don't have to pay for the Microsoft virusii bandwidth constantly hitting our firewalls. It is killed on the first level of firewalls, the intruders' hosts are being instantly counterattacked, but before they are down their packets have to travel to our routers somehow, and we have to pay for them, even if we don't want and don't need them.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Didn't crash Firebird on Linux
After this, expect an encryption hand-shake / key-exchange exchange with IE only servers to make sure that you're actually using IE. A circumvention will be punishable under the DMCA. Microsoft will say, "OMG, U'r ga|ning unaUthoriz3d @cce$s to bAnk[ng inf0rmat]oN!!!"
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
And what exactly have you solved by taking "Unpatched" down? The sellability of your company to Microsoft perhaps? Sure.
Less is more !
I did too, and it crashed. (Mozilla 1.4, Linux).
Don't drop the soap, Tommy!
-- Will program for bandwidth
I only depend on IE to patch Windows and IE through windowsupdate.microsoft.com. There is no other reason I can think of that one "depends" on IE, that better browsers can't handle.
Eh, it was hidden, but I meant for the interpretation to be that IE is too easy for such crooks, social deviants, malcontents, and crackers to abuse for their own gain.
Fortunately, Google can remember the past. Long live history, down with big brother!
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Translate: "It was a condition of our settlement with Microsoft that we make it sound like we took this down of our own volition".
I find your ideas intriguing and I wish to subscribe to your newsletter.
Need I say more.
What a bunch of pussies.
Ignorance is bliss.
They should be patching their piece of shit IIS to make it more secure. I can not believe why anyone would voluntarily run that piece of swiss cheese.
Karma means nothing to me, so suck it...
and their brother are now using IE to create huge botnets and make revenues from stupid users...
;-)
I'm sure some of them are going to sue MS for not letting them own a leaving
This reprieve will allow MS to develop and review their test cases, patches and Service Packs in a more normal, predictable and unforced manner.
Whaaa?
When did a monopoly do _anything_ which doesn't involve getting richer, in an unforced manner???
I, for one, want 30grams of whatever they're smoking.
That or 1/3 of the money they just got from MS.
I'm a chainsmokin' alcoholic sociopath, so-ci-o-path
Who the hell depends on IE?
IE could vanish from the face of the earth tomorrow and it wouldn't hurt me one bit. In fact, if it did, and everyone finding themselves suddenly without a browser were forced to actually look at the various choices, and CHOOSE one based on its suitability to their needs, instead of just accepting the malware that comes with the OS they are spoon-fed, it would do a lot to increase security, interoperability, and enjoyability of the web overall.
Didn't Ballmer recently say something about wishing all the sites/organizations like this would just "shut up"?
I'm not one to believe in conspiracy theories, but it's not my perception that IE has been doing much better. I do wonder what part, if any, Microsoft had in this.
~Dalcius
Rome wasn't burnt in a day.
I keep getting "500 internal server" errors from slashdot -AND- it very much looks like this page is very much active...
This page was made public to put pressure on Microsoft, in the hope that they may patch the listed security holes. Vulnerabilities listed on this page work (among others) with the latest versions of Internet Explorer, with all patches installed. Until proper patches have been provided, the only fix is to disable scripting.
This page is, and always will be, a work in progress. This is not a definitive list of vulnerabilities.
See www.litepc.com
You can remove IE from 98, Me, 2000 and XP -- along with many of MS' other "features."
I used the trial version of 98lite a number of years ago and found it to be pretty cool. I will be purchasing a license for the 2k/XP version.
to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods.
Now that's gotta be the most fitting description of Microsoft that i've ever heard!
Variety is the spice of life. And I much prefer "working" to "fancy but broken".
Oddly enough, IE for the Mac (a completely different beast to IE for Windows) is about as close as you'll come to standards-compliant and feature-complete... BoC Microsoft is dumping that.
Got time? Spend some of it coding or testing
"See, Bobs, it's not that I'm lazy, it's that I just don't care."
I am a web designer, and I am fully aware of the problems with IE - security and otherwise. But personally, I really don't care about its vulnerabilities. My job is to make my web pages look correct in maybe this version and a few versions back of IE, but that's really it.
Ok. So you can take over my computer with a web page. Well, I'm not going to YOUR web page.
My email filters out spam. Not going. I don't look for warez, don't check out pr0n, don't download any hip new software.
I DO go to my bank's web site and look at my balance, read /., check for updates for Trillian or some other software I might use, or update a driver. Yes, I'm a boring user. But I really don't have time for much else, and since I don't think my bank nor any of those other sites I visit have an interest in doing malicious things to me... I just don't care, plain and simple.
I know it's not a safe way to live, and I think that if my computer were destroyed right now I'd shrug and say "meh." And then build another one.
Maybe others feel the same?
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
Don't these guys at PivX know anything? I'm sure if they remove their page, no one else will continue to post the vulnerabilities. Oh yeah. & then there's always Google's cache
Don't see the point. unless they've bowed to pressure from MS.. that or they're getting kickbacks to stay silent.
You tried your best, & you failed miserably,
The lesson is:
Never Try
From the site:
Try Mozilla or Konqueror instead--two fine free software web browsers (and there are many others). Then consider switching to a free software operating system so you don't bump into holes in other applications and have to wait for the proprietor to fix them for you. If you want to inspect, copy, distribute, or modify free software programs you can do so (or get someone else to do so for you). Freedom is really worthwhile.
Digital Citizen
I'm sorry but your logic is flawed. If the patch fixed most if not all of the vulnerabilities on that web page indeed, then the page should be updated instead of removed, id est they should add "update: this is already fixed" where appropriate. But no, they stopped informing the public about any (patched or otherwise) vulnerabilities and look like a classical example of becoming a Microsoft prostitute. (Note that I'm not saying they are (but it should be obvious at this point anyway), I'm only saying they look like one.)
And in your opinion it is good that we don't know which of those "a *lot* of stuff" is fixed already? Don't fool yourself. It may look not so important to you or me, since no sane person uses IE anyway, but we have to remember that sometimes people we work with are stupid enough to use Windows, and implicitly trusting their systems integrity may cause a disaster. Therefore there is absolutely no excuse to have unpatched vulnerabilities in any software. Now we have to thank this supposedly famous Pix Solutions for making it easier for Microsoft to hide their flaws. I'm sure "Internet as a whole" (read: good uncle Bill) will thank them indeed.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
And the beast shall be made legion. Its numbers shall be increased a thousand thousand fold. The din of a million keyboards like unto a great storm shall cover the earth, and the followers of Mammon shall tremble.
from The Book of Mozilla, 3:31
(Red Letter Edition)
It's like having a 14 MB image load everytime you go to /. except it's text.
"we all depend on IE"
speak for yourself. i never use the crap. what i don't get is why that guy "depends" on IE when he has a site devoted to unpatched IE vulnerabilities. wtf
The spoiler:
Why should we be glad that Pivx decided that we don't need a single convenient place to catalog the remaining unfixed old IE vulnerabilities? Why should we give them a hand when they are helping Microsoft slack off again and shirk their responsibility to the people who are duped into using the software and later become a victim of an international identity theft?
PS: A job posting doesn't mean they're hiring. An offer letter means they're hiring.
--- Nothing clever here: move along now...
...the fools got addicted.
In Soviet Russia, Internet Explorer gets addicted to people.
Karma: It's all a bunch of tree-huggin' hippy crap!
Internet Explorer might be a pretty good operating system, but to really compete with Linux and Windows it needs a better web browser.
Karma: It's all a bunch of tree-huggin' hippy crap!
It shouldn't be the ubiquitous browser because it's riddled with long-standing security holes, is irrevocably tied to a ubiquitous operating system that is plagued by those same holes, is not standards-compliant, employs proprietary extensions of standards that have forced people into using it simply to maintain compatibility, gives its company an unfair advantage in the market, lacks basic features that most modern browsers consider essential (ad blocking, pop-up blocking) and simply just isn't that good of a browser. Against all good market sense, Internet Explorer has prevailed because it has a monopolistic mongrel of a company behind it. This is why monopolies are generally illegal. They allow shitty products to become dominant.
I don't know about you guys, but most of my livelihood depends on these crooks. Ah the wonderful world of techsupport.
Rev 13:
16 - Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead,
17 - so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name.
Get the Hell off my planet, you slimy mobster Bush!
We're not "normal people", we DO give a fuck about security.
We want to get stuff done without people hacking into machines and making the poor user have to call us to fix it.
in the real world people shouldn't need to have a PHD in programming or whatever in order to surf the web, so quite frankly who fuckin' cares?
Everyone with two braincells to rub together. If the browser is secure, you don't have to worry about people exploiting holes in it. If it isn't, it takes a PHD to set it up to be safely usable.
Your post is boring, go back to your AOL chat room. Who gave you this site's address anyway?
If they wanted to take the page down, they just had to submit this story, then we would have taken care of it!
Open Source Java Web Forum with LDAP authentication
"MS Dissatisfaction High, Users Consider Switching", Slashdot.org front page, Sunday October 12, @03:41PM
"IE Vulnerabilities Page Removed", "...Given Microsoft's recent positive actions...", Slashdot.org front page, Sunday October 12, @06:23PM
Is it just me?
Must-not-watch TV!
uh, dudes, you forgot the Microsoft logo on your client page..
... against IE we have agreed to give Microsoft a good faith reprieve ...
...and have taken down our 'Unpatched' page.
...
....
...
Excellent. They've been under such tremendous pressure lately, plus fighting the war against open source - hell where does the day go??
Don't blame you. Fingers must be killing you typing up those new vuln reports twice a day..
This was done in both a spirit of cooperation and for the good of the internet as a whole.
Removing problem reports? Good thinking. There you go again, trying to improve the integrity of the Internet - just like it says on your home page.
As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers
Crackers? Put that crack pipe down for just one second and rpm -ivh mozilla-1.0.1-35.i586.rpm
This reprieve will allow MS to develop and review their test cases, patches and Service Packs in a more normal, predictable and unforced manner.
Exactly! you sure can't put your best foot forward if you're running ragged trying to patch thousands of security holes in a sinking Titanic of a monolithic bloated piece of shit architecture. You grant reprieves? Gee, can I have one?
In addition, PivX Solutions has a two fold approach to assisting with the realities of the current situation. First, we are available to consult
Ah now I get it, the sales pitch for you.
Secondly, we are developing a mitigation utility tool that will act as a "Qwik Fix" to many of the IE vulns that MS is working on patching presently.
Well I hope you patented "Quik Fix". A ring to it. Like it man!!!
This utility will buy Microsoft more time to develop, test and release
the successors to XP and Windows 2003 Server, while not fixing their broken ass insecure software, and continuing on the path of thumbing their nose at the user, IT, and Security communities while continuing on the thousand day march toward fucking the American public.
..how much did they get?
The whole question of when to put pressure on a company to fix bugs and when to back off is cluttered with irrelevancies. Even MS's past behavior is not really relevant. What would be relevant is a reasonably accurate answer to one question. "In what percentage of exploits did the cracker know about the vulnerability independent of the public report?" Note that that's different from knowing before the report came out, or whether the cracker ACTED before or after. If you think you have a good idea of what the chances are your vulnerability report will trigger a hack instead of just pressuring the company, then report as you think appropriate, but if you're not confident in that estimate, just maybe you should err on the side of caution. There won't be a halfway good answer until enough convicted crackers are forced to eloqute on that question, and some education oriented legal types add up the information to get the kind of data the FBI uses in profiling other more established crimes. Maybe some of these sites publicising vulnerabilities are guessing right by sys-admin's intuition, but that's about the best we can hope for. Most of us techoid types seem to do better when it's a matter of logic than intuition, right? My hat's off to a site that seems to recognize this and backs off on occasion.
Who is John Cabal?
i'm using a recent nightly build of mozilla (2003101004) under win2k, and it doesn't crash
That's quite disingenuous.
It shouldn't be ubiquitous because people should put more value on quality and less on convenience. Ultimately, it is this laziness which lets slipshod products (in any market, not just browsers) ride the tide of marketshare.
I use mozilla because it's better. You've seen the other posts stating why, so I won't go into the reasons. This weekend I reinstalled windows due to a registry error (no recent erd, uninstalled a driver on win2k, rebooted, hosed registry)... then, mozilla wouldn't start. I deleted everything relating to mozilla that I could find. It was downright traumatic. I was FORCED to use IE for a whole day. Eventually I found the problem: delete the mozilla directory in "\program files\common files\".
Oh, and btw, Dear MS, I hate the registry. It reminds me of disk compression under windows 95. Luckily, a few of the programs that I use don't use the registry -- they use config files -- and I won't have to reinstall them (hint hint hint).
Yeah, it's a rant post. But so many parts of MS software seem to be designed by someone living in a make believe world full of fairies and magical mushrooms where nothing goes wrong.
Brought to you by the local microbrew on a sunday night.
Avant *is* IE, genius. It's just an alternate interface.
Besides when have you ever used something that needed the speed of firewire which was not videocamera
There exist well-known types of devices other than video input devices that require the higher throughput of a FireWire or High Speed USB serial bus. How about an external hard drive or an external DVD recorder? Internal doesn't always cut it on a notebook computer, and Samba-in-a-box network-attached storage isn't yet on the shelves of Best Buy.
Will I retire or break 10K?
Palm had the battery life, simple OS, and bettery life that Newton lacked. GameBoy had the good game and long battery life that games wanted. VHS could record way more on to a tape and had more movies available. And if USB is better than FireWire, why does Apple use USB for its mice and keyboards?
Whatever technical characteristics those technologies might've had, they had better characteristics in the areas that were important to their customers.
I don't know how much any of that applies to the browser market. But IE has the benefits of being simple, fast, and built into the system. Don't forget, most people don't even use "open in a new window", never mind the complication of tabs; and pop-ups can easily be blocked through a variety of third-party tools, such as the Google toolbar.
1) Setup IE unpatched list.
2) Wait for Micro$oft to come knocking.
3) ?????
Get the Hell off my planet, you slimy mobster Bush!
You know, it still strikes me as rather interesting that so many of these vulnerabilities (and even most of the spyware/ad-ware problems of late) are centered around Active-X technology.
I think many people have forgotten (or never paid attention in the first place) when Active-X was first announced, and quite a few industry pundits warned of all the impending security problems it would cause.
It seems to me MS has been fighting a losing battle ever since Active-X was introduced to convince people they finally made it safe enough to use. Now, they've finally reached a point where their tactics (defaults in Windows Server 2003) are to disable Active-X in most situations.
This is a poorly thought out and implemented technology that I feel wasn't ever needed in the first place. If MS really cared about improving security, I'd suggest they eliminate Active-X completely, proclaim it "obsolete", and move on.
(Of course, they won't do so, because they already invested too heavily in using it to embed their Office applications into web pages, etc. etc. But ultimately, there was no good reason they couldn't have just supported Java all along - and even licensed other 3rd. party plug-ins if need-be, to accomplish all of their goals more safely and securely. Citrix has nice plug-ins to embed applications inside web pages, for example.)
The award for random crashes? At least IE stays up on the same 3 year old Windows 2000 Server installation and SSL certificate management works properly. Opera does a better at this but I don't appreciate it disappearing randomly. Mozilla doesn't even work with ssl like I need to use to....it's just awful. Firebird is better I guess for a strippo browser but I NEED SSL TO WORK RELIABLY WITHOUT F#!@#$ING UP!!!! So until you get your beloved open sores browser functional or knock off the howling every time there's an IE bug.
If they made IE for Linux I would pay money for it.
"Normal" people who don't care about security also get backdoored and have their cc# stolen.
They want to get stuff done, but it's kind of tough to get anything done when your computer keeps rebooting itself.
In the real world people who treat their computers like their toasters tend to get pwned. So unless they want to become victims they had better start caring.
Your troll is boring and I fucked your mother last night.
I'd be curious how many /.'ers take pause to reflect who *really* is using the Web, population-sample-wise? The large majority have never heard of SSH, OSDN, PHP or Gentoo and probably think of Lucy VanPelt's little brother when they hear the word "Linux" and think of condoms, ancient history or USC when they hear the word "trojan". They are the masses, and they don't give a rat's ass about GNU, RMS, the Debian .vs RedHat discussions or which filesystem is better than the other; all they want to do is shop for Hummel figurines on eBay, share cookie recipes via email and get pictures from relatives. They don't want their experience on the Internet to be clogged-up by 1-byte GIFs, browser hijackers, trojan programs or buffer underflow/overflow.
It's too bad that the rest of the so-called "security experts" are more interested in getting their ya-yas off by telling the world how to make everyone's experience on the Internet a living hell instead of following PivX's lead and taking the higher-ground. I think it would be very comical to have these yutzes's systems compromised by the same idiots they pander to when they make these exploits readily available - too bad that no one is up to THAT challenge and willing to give these security-whores a taste of their own medicine.
To the moderators: If you think this is flamebait, by all means rate it as such, because i'm just getting started on this issue.
FWIW: eEye and the rest of these publicity-grubbing slimeballs can kiss my hairy butt.
ScottKin - mad as hell, and I'm not going to take it anymore!
I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
Read the EFF's Fair Use FAQ
Did I miss something? Have I been in stasis for the last 3 million years? Has the world changed totally?
Or are those guys just totally clueless about "alternative" browsers? Sad. Real sad.
If a train station is a place where a train stops, what's a workstation?
Windows here. Also IE.
Why? Because I'm a lazy bum who can't be arsed to install myself a real operating system.
And, more to the point, I'm a broke college student and no one's written a Linux driver yet (as of the last time my girlfriend and I checked) for the DSL modem that came free with signup to the service, and I'm not skilled enough to write one myself.
Until I do swap entirely over to Linux, I'm using what's easiest for me at the moment. And, at this moment, that's IE. It has been Netscape from time to time, usually when IE's been flaky.
The average user is more concerned about performance and convenience than security, sadly. (Again, guilty as charged.) A few minutes locating, downloading, and installing, plus the trouble of migrating bookmarks, is more trouble than dealing with slight IE flakiness. (I'm such a dumbshit.)
(I've also been drinking, or I wouldn't be idiot enough to admit that I use IE on Slashdot.)
would be a cool tool. Why don't you code one up?
How we know is more important than what we know.
(Sure, can be that something else was important, etc. But failure to manage business systems as a pattern is grounds for replacement.)
Caveats aside, there is a serious difference between developers and admins. You appear to have a problem with the difference. To quote:
How can 4 weeks be considered a reasonable amount of time to fix a bug and issue a patch when IT people who merely DEPLOY the frick'in patch complain that 4 weeks isn't enough time to deploy a patch?
Well, for starters, the people producing the patch have many, many more engineers than your average small business. They also sold the software in question, which at least hints at what it should do, and when it doesn't hints at how the producer should, if it wants to preserve a good faith, behave. See, when a company sells software for a given function, they tend to be asserting that they have some idea about the area they're covering.
On the other hand, Admins have to run around waving hands not only for dumb things, but whenever a patch is released. One can say "Oh, just patch". Try that in a plucky small business context.
Sorry. Point is, don't assume that admins can patch as soon as something is released. Many times, you can't. Sometimes, you won't. Conflating engineering time with admin time is silly.
--A former admin, thank dog I'm not doing that now.
I forget what 8 was for.
The directors of PivX Solutions have just retired to live a life of luxury in Redmond.
"As a writer / novelist you might want to spellcheck your sig.
I am anti Microsoft, but that's only because they make my life so hard for such little gain.
Everyone knows they should be running Alphas.
I forget what 8 was for.
I disagree, people should place value on whatever they perceive to be valuable - "experts" in a field should not be allowed to decide for end users what is and is not "valuable".
A little history on Active X:
Active X came out as a response to Java (Applets).
In the beginning, Sun thought that Java Applets were some sort of silver bullet. Netscape + Java could completely replace the desktop and render M$ obsolete. All Java development at Sun at the time was focused on applets - server use was an also-ran back then.
M$ believed this, too. As a response, they came out with their own "executable code embedded in HTML pages" - Active X.
AX was better because it had access to the whole system - no sandbox. AX was a lot worse because it had access to the whole system.
The rest is history.
If i had to venture a guess regarding the future: Applets go away because they have been bogged down by poor specifications / poor implementations / M$ resistance (ok - maybe this has already happened). And AX goes away because it's one big gaping security hole that can not be patched - almost by definition.
As Schneier predicted, for Microsoft, the threat is bad publicity, and they are going to produce a security system that deals with the threat. Without some kind of disclosure, sysadmins cannot take stop gap measures to secure their systems. This is just another instance of rather than working on securing its products to a level needed for the Internet, the issue is being handled as a PR problem.
Time to upgrade if you haven't already.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Well, by we I mean you (well, some of you, actually) id est those who have no access to the underground "scene" and don't know about unpublished vulnerabilities and private "exploits." I myself couldn't care less about pix.com (or any other security website for masses for that matter -- masses who should stay away from software like IE in the first place) but unfortunately I have to deal with people, who are incompetent enough to use such a software and who need to be constantly told about its vulnerabilities. Those people couldn't find a private exploit on IRC or Freenet even if their life depended on it, so they need websites like this one. Too bad Microsoft knows that knowledge is power and managed to shut their mouths.
I am always more concerned about incompetent good guys, as those are sadly in the majority.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Too bad. The removed content was useful. Perhaps the wayback machine or google cache can salvage some of it. I welcome creative misuse of IE exploits and advocate the scattering of disruptive, dangerous, annoying IE bombs all over the web. The browser is a buggy piece of garbage. When you're surfing the web with IE you're wide open to savage attacks through unpatched holes the size of barn doors.
Microsoft don't give a shit. The sooner people wise up to these facts and start experimenting with alternatives, the better.
Right now IE users are like frogs in a pot slowly brought to the point of boiling. Because the comfort level keeps sliding gradually, they just sit tight while getting shafted in the ass, many of them oblivious to the availability of nice and secure standards compliant browsers.
Microsoft security is laughable. Apparently their 'increased focus' on this matter has been targeted exclusively on marketing. There keeps surfacing new exploits of all their network products all the time - IIS, IE, MSSQL, RPC, object exploits - it's ridiculous even contemplating this amateurish crud for use in the harsh conditions of public data networks.
Removing the IE vulnerabilities page just helps Microsoft and keeps the IE victims in a state of complacent ennui without the necessary motivation for changing, thinking themselves secure now the exploit publication is gone. In best case inept microsoft programmers will have patched half of them by christmas time. However, twice as many new bugs and exploits will have surfaced by then.
Here you've got a situation where the wonders of modern technology throw a big bright spotlight on the classical evils of monopoly. One company that not only participates in the market but for all intents and purposes is the market, in fact, a crucial, ubiquitous market will inevitably not only fix prices in ways that avoid the scrutiny of the regulatory organs of industry and the state, but will actually buy or replace the regulators with the machinery of its own advantage.
There is no surprise in watching yet another Microsoft critic going silent in the face of pressure, threats, lawsuits, stock-buys or whatever the hell else it was this time. Theory, experience and history all say that giant companies will offer less-than-optimal performance to the societies that play host to them; there will always be something visibly better and money, prestige or 'clout' will always blind those at the top from seeing it. This is no surprise.
What is surprising however is that we can go through so much, so regularly with the consequences limited to a ritual sacrifice of only a few billions every year to fix problems caused by Microsoft's bloated sloppiness--call it the second Microsoft tax.
Really, the only surprise is that the bill or the comeuppance haven't been bigger. In today's world, with Western European nations suddenly finding themselves with real, determined, well-hidden enemies, it's a good thing that the U.S.S. Ronald Reagan is going to be a gigantic military rubber duckie instead of a real target in a world filled with real conflicts.
As the first United States vessel with information systems built from the ground up around Microsoft technology, and one with a crew of three-thousand, the potential for tragedy would be stunning.
Of course, by the logic that led to the closing of the Microsoft Vulnerabilities page--with crackers and script kiddies having no information sources whatsoever but what MS-critics reveal--my writing this is an even greater disservice to the military than its using software that is as secure as a sieve with a hole in it.
I'm deeply ashamed.
To mail me, remove the 'mailno' from my email addy.
"Yeah. It smells, too..."
Altogether now (mimicking one of the samples from the Addams Family flipper game): - GREEEEEEED!!
Not that IE for Windows is so much better at SSL/TLS anyway. (-:
Got time? Spend some of it coding or testing
If you don't listen to the experts, you end up with security mechanisms using only "secret" information like your social security number or mother's maiden name to secure your financial assets.
I think you're right in many instances, but in security, the customer should not be king. Unfortunately, this ends up with a bit of a prisoner's dilemma, which can require the help of courts; either by proscriptive law (via mandatory certification, as for cars) or product liability. Neither of which we currently have for software.
Then consider switching to a free software operating system
I have considered it, and I have tried it. However, it's much harder to install drivers for not-properly-autodetected hardware such as my ATI Radeon 9000 video card and my Microtek ScanMaker 4850 scanner under recent Mandrake Linux releases than under a properly patched Windows 2000 system. If I had the money to replace all my hardware with well-supported hardware, I'd have the money to buy another computer to run Linux on, but I don't.
Will I retire or break 10K?
Those should be left up until they're all fixed.
Safari's marketshare is equal to the number of Macs. My guess is that Apple caught on to the whole "including the browser with the OS" and replaced IE with its own. Not to say that it's a bad thing. It's only anti-competitive if a monopoly is doing it.
Zodiac Survey
Tell me about it...
I think they've been too dangerous since MS-DOS...
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
The underlying technology behind AX predates Applets -they are OCXs, OLE Custom Controls, that are descendants of VBXs, Visual Basic Extensions.
Originally they were just DLLs that you would use in form design in your VB (then C++ app); you'd redist the libraries with your app. (The original JavaBeans model is sun's response to this design). OCXs worked very well for their limited role.
ActiveX was, as you say, a response to applets -and presumably netscape plugins. They modified IE to host OCXs, then added dynamic download of signed code.
But code signing says 'I am not malicious', not 'I am competent, there are no security holes, if there are I will pay the finder $100,000'. Actually they could; enough of a fiscal penalty would stop buggy AX controls shipping, primarily because nobody would run activeX.
The only way to fix that is to run the code in a sandbox. Applets do that; .NET does that. Actually Java Web Start goes back to the ActiveX model -signed code is given total rights to the system, which is dumb. But at least JWS also runs unsigned code in the sandbox :)
If we kill off activeX -which is a good thing, IMO- windows update is the true victim. Flash and Java can ship with the browser. But that would give MS an opportunity to do a better update mechanism than windows/office update. One that lets you roll back updates. One that doesn't delete IE during a patch (it is very hard to recover from that BTW). The good thing is that by eliminating ActiveX, you eliminate a whole insecurity vector into a PC, so the number of patches needed should fall.
Now all of us nerds who are tasked with due diligence against possible vulnerabilities have lost a resource. Thanks a lot.
In this case, it was what you would expect, since PivX was presenting a database. Microsoft would fix some bugs, but there would be new ones. Microsoft fixed only a few bugs at a time.
Pivx spent half a year trying to secure code auditing business contracts from Microsoft. No doubt they finally succeeded in getting such a contract.
It is all about the Benjamins as they say
WELL DONE MR. CLEVER!
You, my friend, are a fucking moron.
It was entirely our decision at PivX to take Unpatched down. Based on the state of affairs, notably the 25 days it took to create LovSan/MSBlaster as compared to the 295+ days or so it took to create Code Red, the 200+ days for the creation of Nimda, and the 100 days it took to develop Slammer (see a pattern here?) The time that it takes for people to develop exploits against IE vulnerabilities has declined significantly over the last year or two. This gives vendors like MS even less time to develop and distribute patches and for sys admins to deploy them before the exploit's attack. What surprises me is the same theme of uninformed conspiracy theories (like MS being a contributing editor of our website and them paying us to shut up) that continue to appear on some of these boards. Plus, the fact that if anybody cares to look at facts: we have been anything but an apologist for MS for the last two years. Google ('Pivx Microsoft' for proof). You would think that our constant pressure on MS, plus our free and constantly updated page would make a few people stop and think that perhaps we deserve some credit for our objective approach to developing a solution to a problem that is increasing in severity versus those that are so compelled to simply scream at the problem and vilify us for taking down our free research. For those of you who have thanked us since the page was taken down, we thank you for noticing what we have done, the significant investment our company has made to provide this information gratis for years and our continuing contribution and commitment to a solution. The fact of the matter is 'Unpatched' has served its purpose, it has raised awareness of a problem and has ushered in many solutions, workarounds and a review of the status quo. Furthermore, MS has patched or is in the process of fixing those vulns that remain.
Based on Microsoft's communication which included their willingness to create meaningful solutions and their recent actions to fix the current problems, we have given them a good faith reprieve, nothing more nothing less. Sorry it is not any juicier than this. If you have a better idea I'd sure like to hear it. If you are sincerely interested in keeping up to date on the latest in internet security from our perspective you can subscribe to our newsletter which can be found at http://www.pivx.com/larholm/unpatched/ Most Secure Regards, Founder PivX Solutions