Slashdot Mirror
IE Vulnerabilities Page Removed
Henry V .009 writes "PivX Solutions has removed its (in)famous Unpatched IE Vulnerabilities page. Is Microsoft really getting better? From the site: 'Given Microsoft's recent positive actions together with the current rise in attacks against IE we have agreed to give Microsoft a good faith reprieve and have taken down our 'Unpatched' page. This was done in both a spirit of cooperation and for the good of the internet as a whole. As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH!'"
Any time one piece of software from one company can be responsible for such negative impact on our lives because of how poorly it was designed, while still remaining far and away the dominant product in its category in spite of superior software being readily available, that's a sign that the ill effects of monopoly power are at play.
Read the EFF's Fair Use FAQ
We all should give pivx a huge hand!
First, they applied the pressure to help force microsoft into fixing the software.
Second, they are now giving microsoft some slack (negative reinforcement?) for trying to fix its browser.
Bravo guys!
Plus, these guys are hiring!
I sincerely hope that if Microsoft doesn't fix each and every valid vulnerability that was listed on that page, within six months, that the page gets restored.
It has been proven time and again and again and again that vendors, especially monopoly vendors, will not fix their systems in a timely manner unless they're pressured to. And by "timely manner", I mean within four weeks.
The last five or six MS security bulletins I've seen had lapses of between SIX AND NINE MONTHS between the reporting of the problem and the release of the patch.
So two things:
1) If Microsoft doesn't fix all the currently-known vulnerabilities within six months, somebody should take it upon themselves to start tracking them again
2) If Microsoft can't get their act together and release patches for new vulnerabilities in a timely manner (instead opting to waffle for six months while real people's systems are getting exploited because MS is _never_ the only entity to know a vulnerability, and it's almost guaranteed that somebody with nefarious intentions does), then somebody should take it upon themselves to start disseminating as much information as is required for *real* preventative measures to be put in place
I'm all for giving them one more chance, but I'm not willing to sacrifice my clients' systems by changing my standards for this "chance". They either do what they should do, or they have to deal with me telling my clients exactly what they need to do to protect themselves from a given vulnerability - and that information would almost certainly be enough for a black-hat to use if it ever got leaked.
If you think my standards are too high, consider that other vendors whose software is used on systems which literally control life-or-death systems often release fixes within hours and days, not weeks and months.
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
The patch "renders several IE vulns obselete". Most software vendors release patches for their software, and it's nice to see Microsoft continue to do so. That's not really news, though. The news is that the service that tells us what vulnerabilities remain has gone.
That releasing a patch removes the need to know about the outstanding vulnerabilities is simply nonsense.
Which IE vulnerabilities are rendered obselete by the patch? Which remain? "Several" is not "all". It's quite likely not even "most". Which ones are still there? Well, suddenly pivx aren't going to tell us.
It's dark. You are likely to be eaten by a grue.
Charles Miller
The more I learn about the Internet, the more amazed I am that it works at all.
"See, Bobs, it's not that I'm lazy, it's that I just don't care."
/., check for updates for Trillian or some other software I might use, or update a driver. Yes, I'm a boring user. But I really don't have time for much else, and since I don't think my bank nor any of those other sites I visit have an interest in doing malicious things to me... I just don't care, plain and simple.
I am a web designer, and I am fully aware of the problems with IE - security and otherwise. But personally, I really don't care about its vulnerabilities. My job is to make my web pages look correct in maybe this version and a few versions back of IE, but that's really it.
Ok. So you can take over my computer with a web page. Well, I'm not going to YOUR web page.
My email filters out spam. Not going. I don't look for warez, don't check out pr0n, don't download any hip new software.
I DO go to my bank's web site and look at my balance, read
I know it's not a safe way to live, and I think that if my computer were destroyed right now I'd shrug and say "meh." And then build another one.
Maybe others feel the same?
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
That's quite disingeneous.
It shouldn't be ubiquitous because people should put more value on quality and less on convenience. Ultimately, it is this laziness which lets slipshod products (in any market, not just browsers) ride the tide of marketshare.
This is both under Windows, but it shouldn't matter. The important part is new Packages.sun.plugin.javascript.navig5.JSObject(1,1 ) which, obviously, shouldn't crash the browser. I think this is really a problem with the Java plugin, but I can't guarentee that. (So this may really be a plugin problem, not a Mozilla problem. Or it may be a Mozilla problem with the Javascript/plugin interface. I don't really know.)
You are in a maze of twisty little relative jumps, all alike.