Slashdot Mirror


IE Vulnerabilities Page Removed

Henry V .009 writes "PivX Solutions has removed its (in)famous Unpatched IE Vulnerabilities page. Is Microsoft really getting better? From the site: 'Given Microsoft's recent positive actions together with the current rise in attacks against IE we have agreed to give Microsoft a good faith reprieve and have taken down our 'Unpatched' page. This was done in both a spirit of cooperation and for the good of the internet as a whole. As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH!'"

45 of 474 comments

  1. Google to the rescue... by wo1verin3 · · Score: 5, Informative
    1. Re:Google to the rescue... by PepsiProgrammer · · Score: 2, Interesting

      Something tells me this was accompanied by the greasing of palms.

      --
      "The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
    2. Re:Google to the rescue... by AstroDrabb · · Score: 4, Insightful
      I think you hit the "nail on the head". Their blurb sounds just like someone who was paid. I bet MS even wrote it. From their blurb:
      As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH!'"
      This doesn't sound like it came from a security specialist. Usually security guys want to find EVERY hole to make the system better. It is also funny how they put in the part about crackers, crooks and deviants. I guess anyone that wants to find security holes falls into this category? That part of the blurb is what makes me think some MS drone had a part in writing it. Oh, and "we all depend on IE too much"? What is up with that? Like MS didn't put that in there? I guess there are not a bunch of better browsers out there like Mozilla, MozillaFirebird, Opera, etc.
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  2. This can't be serious by yanbusa · · Score: 2

    As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much...
    Who, exactly, is we? And has this "we" ever heard of any alternate browsers such as Mozilla and the like? For those in the loop, it's just nice to know there is some light in the darkness of the internet browser.

    --
    What's in a sig?
    1. Re:This can't be serious by DotNetGuru · · Score: 2, Informative

      Uhh, check out Google's Zeitgeist. It includes browser usage stats, and just about everyone is using IE. I'm sure you're aware of this and were just trying to be pedantic, but you're just being stupid.

    2. Re:This can't be serious by Davak · · Score: 2, Interesting

      "We" is the Average Joe using the computer--obviously not the slashdot crew.

      The world would be a much better place if everybody who used a computer knew as much as we did.

      However... I'm sure people in the mechanic websites make fun of people like us all the time too because we phuck up our cars all the time.

      Most of us know computers... most of them or at least the "we" in the quote above... do not really understand computers and computer security. That's why putting pressure on microsoft to fix its damn browser is such a good idea!

      On a side note...
      Even though the website I have in my sig is mainly a solaris/unix based site... 80% of the people who visit my site from slashdot report as IE.

    3. Re:This can't be serious by Condor7 · · Score: 3, Informative



      I expect that most of the sites that track this use the browsers identifier string to compile statistics.

      I use Opera, and it comes preconfigured to misidentify itself as IE 6.0 - probably in response to the websites that check the string and won't let you in if you aren't using Netscape or IE.

    4. Re:This can't be serious by The+Man · · Score: 4, Insightful
      However... I'm sure people in the mechanic websites make fun of people like us all the time too because we phuck up our cars all the time.

      I'm sure they're justified in doing so, too. When I need something done to my car, I take it to a mechanic so that the work is done right. Likewise, when someone needs a web browser, I expect them to rely on software written by people who know what they're doing. I might ask a mechanic for reference customers, and consult the Better Business Bureau or local car club to make sure his work is of good quality. A sensible mechanic who needs a browser might check the Internet for references on a particular browser, also to make sure the work is of good quality.

      See any parallels here? There's no excuse for not doing one's homework. There are plenty of articles available and accessible to the lay computer user that describe some of the many problems with IE. There's no reason for an intelligent user not to read them and make an informed decision. Quite frankly, as an expert in the field of software, I do not believe any intelligent user could make an informed, good faith decision to use IE. Therefore I conclude that most users are not intelligent, are not acting in good faith (ie they don't care about the quality of the products they use), or are too lazy to spend five minutes gathering information. Since the latter two are just subcases of the first, it's safe to assume that 90% of computer users are not very intelligent. This is independent of any expert bias - their use of IE is not foolish because they're expected to understand the problems with IE on a technical level, it's foolish because there's no need to understand those details in order to see that IE is not a quality product and is in fact unsafe to use. I don't need to understand intimate details about strengths of materials, bending moments, and energy absorption to know that a car is unsafe if its gas tank is likely to explode in a collision. In the same way, I don't need to understand the details of exploiting a buffer overflow to know that a browser which is known to compromise a user's personal information is unsafe.

      Flamebait? Call it whatever you like, but if people spent 1/10 as much effort making sure they had a safe, effective, reliable computing environment as they spend to ensure the same about other aspects of their lives - such as their cars - there wouldn't be an IE as we know it today.

    5. Re:This can't be serious by Nicopa · · Score: 2, Funny

      Hi, I'm the average user. I have 1,7 brothers and I'm 34% woman.

    6. Re:This can't be serious by steve_l · · Score: 4, Insightful
      In a way it is extra pressure: if they don't think MS is doing enough then they can bring the site back. I'd also note that in Win2003 server, IE is locked down a lot more than ever before, to the extent of disabling ActiveX download outside of the trusted zone, cranking back the rights to sites in that zone and then adding *microsoft.com in. That way windows update works but most other active X support is gone. However, they have a lot to do, in ways that may break some things but would make the systems less vulnerable, not just to classic IE hacks but email scams
      1. Stop interpreting those spam-friendly http://2343455/ urls
      2. Stop interpreting scam-friendly http://ebay.com:url@123456/ urls
      3. Stop whining when browsing to a site that has AX disabled. A small icon is ok; a dialog box 'you are getting a worse experience' is not.
      4. Make it possible and easy to fully uninstall outlook express. you cannot even delete this on XP; system recovery brings it back. Ugly manual hacks last until the next critical upgrade gets forced on the machine, at which point it reappears.
      5. Crank up the security settings for everyone who isn't using win2k3
      6. Rebuild IE with VS.net 2003 and set the 'check for buffer overflows' flag in the build.
      7. Stop integrating Windows Scripting Host with IE. Every IE install forcibly adds .js, .vbs and .wsh file extensions to the path and enables their execution. I have to rebind these to notepad on my machines.
      8. Give us a no-images options for the email zone.
      There are probably lots more of these things to do. All I see for the current user base is after-the-fact bug fixes rolled out intermittently, not attempts to address fundamental problems.
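Items 1 and 2 in the list above describe URL forms that a mail filter or proxy can flag rather than wait for the browser to stop honouring them. The following is an added example, not part of the original comment: a Python check for a bare-number host and for userinfo placed before the real host. The function names and the finding labels are assumptions made for this sketch, and the extra sample URLs in the comments are constructed.

```python
import re
from urllib.parse import urlsplit

# One host component in C-style notation: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"0x[0-9a-f]*|[0-9]+")


def _parse_part(part):
    """Return the integer value of one host component, or None if not numeric."""
    if not _PART.fullmatch(part):
        return None
    if part.startswith("0x"):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part.startswith("0"):
        try:
            return int(part, 8)
        except ValueError:  # digits 8 or 9 in an octal-looking part
            return None
    return int(part, 10)


def decode_numeric_host(host):
    """Decode a legacy numeric IPv4 host (1 to 4 parts) to a dotted quad.

    Follows the classic inet_aton rules: every part but the last is one
    byte, and the last part fills all remaining bytes. Returns None when
    the host is not numeric at all (for example a DNS name).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url):
    """Report which of the two disguises, if any, a URL uses."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host
    findings = []

    # Everything before '@' is credentials; the connection goes to what follows.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo")
        if "." in (parts.username or ""):
            # The credentials field is dressed up to look like a site name.
            findings.append("userinfo-resembles-host")

    # A numeric host written any way other than plain dotted decimal.
    decoded = decode_numeric_host(host)
    if decoded is not None and decoded != host:
        findings.append("numeric-host")

    return {"host": host, "decoded_ip": decoded, "findings": findings}


if __name__ == "__main__":
    samples = [
        "http://2343455/",              # form quoted in item 1
        "http://ebay.com:url@123456/",  # form quoted in item 2
        "http://0xC0.0x00.0x02.0x0A/",  # constructed: hex parts
        "http://192.0.2.10/",           # constructed: ordinary dotted quad
        "http://www.example.com/",      # constructed: ordinary name
    ]
    for sample in samples:
        print(sample, inspect_url(sample))
```

For the second quoted form the report shows that the host actually contacted is the number after the `@`, while `ebay.com` is only a user name.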

    7. Re:This can't be serious by GreyPoopon · · Score: 2, Insightful
      'We' is the vast majority of the Internet. I don't know figures (anyone?) but I know of no-one who uses anything but IE if they're on Windows. Tragic but true.

      Hi. I just wanted to let you know that I use Windows, but most of the time I browse with Mozilla. Personally, I *would* use IE for browsing on Windows, but I prefer only running Adaware or Spybot Search & Destroy only once a month or so. If I were to do my daily browsing with IE, I'd have to run them every day.

      Yeah, I know... I'm not the average user. At least now you can say you know of somebody. Frankly, I'm surprised ANYONE that is aware of ad-ware and spy-ware continues to use IE.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    8. Re:This can't be serious by ProtonMotiveForce · · Score: 2, Insightful

      Dude, you're an ass. Despite all the mountains from molehills ranting that you've apparently bought into, IE is a fine browser.

      What kind of jackass actually composes a sentence like: "...I do not believe any intelligent user could make an informed, good faith decision to use IE."? Truly asinine.

      That's about as valid as someone saying "I do not believe any intelligent user could choose a Chevy over a Ford.". i.e. you're just an idiotic fanboy.

    9. Re:This can't be serious by pebs · · Score: 2, Interesting

      Wrong. The point is 95% is a bullshit statistic. It's overblown by proxy servers and faked browser strings. The average user is in touch with the alternatives whether you think they are or not. I'm talking about people, for example, who bought a Dell with WinXP Home Edition to browse the web, chat/e-mail, write documents, play games, etc. If they understand how to install software, chances are they have replaced IE with something else because it is common knowledge that IE is a sucky-ass browser.

      One person I know switched from IE to Netscape because she found that IE had a lot of trouble with Hotmail!

      Another got sick of popups and switched to Mozilla and never looked back (yes, yes I know you can block popups in IE).

      Everyone is using alternative browsers these days. Get with the times...

      --
      #!/
    10. Re:This can't be serious by pHDNgell · · Score: 2, Informative

      Does ANY of the other browsers somehow render web pages better or worse?

      Well, yeah. Find anything with even CSS1 that does a remotely complex layout. For example, some guy put up a page describing how to do rounded corners on boxes in css. At least half of the css included in that thing is made up of IE workarounds. Some of those workarounds exploit IE CSS parser bugs in order to get different stuff in the engine to get it to render like everything else.

      I use two different browsers with two different engines regularly (Mozilla mostly, Safari (kHTML) sometimes). They *usually* give me similar web pages from the same HTML. IE usually requires workarounds if you do anything remotely complex. Sometimes, it just goes bad.

      --
      -- The world is watching America, and America is watching TV.
    11. Re:This can't be serious by The+Man · · Score: 2, Insightful
      Chevys and Fords both have to meet basic engineering standards and pass various safety, reliability, and performance specifications to be street-legal. Therefore, while each has its adherents who will argue as to superior performance, construction, or durability, both are fairly sure to be reliable, competently engineered, and safely built.

      There are no such standards for computer software. The few standards organizations that do exist (in this case, W3C would apply, as well as IETF and perhaps a few others) do not have the power to enforce their standards. One cannot make any assumptions about the quality, feature set, reliability, performance, or safety of a piece of computer software. Even toasters, to which computers have been compared, are subject to testing in UL or similar lab environments to ensure at least that the product does meet minimal safety standards (though there is no guarantee that it will actually toast anything). Therefore the software market is more wide-open than any other, and caveat emptor is the order of the day.

      Risk in software selection is minimized by reading impartial product reviews, performing evaluations in isolated test environments, closely following known issues and patches, and in the case of large customers, purchasing support and warranty contracts. For the individual user, a simple survey of the product landscape and frequent attention to security issues will suffice. Even a casual evaluation of web browsers by the most novice computer user will show that IE has, by a huge margin, the most security problems, both in number and severity. A look at a few reviews will show that it offers no significant feature advantages over other products in its space, and in fact lacks some features its competition includes. Worse still, the manufacturer has a history of ignoring, downplaying, and denying security problems in its products; thus, the actual number of known vulnerabilities is probably much greater than the number publicly circulated.

      This type of information is easily gathered by a nontechnical individual in a matter of a few minutes. It seems only prudent that someone who is about to entrust a piece of software with his or her personal, financial, and professional information (and run it on a computer for which he or she is wholly responsible) would take the time to gather this information.

      General Motors and Ford operate in a tightly regulated industry with a history of significant legal judgments and market punishment against manufacturers of inadequate products. Therefore all products, while differing in various aspects of performance, aesthetics, and quality, are guaranteed to meet certain minimum standards and have a certain level of manufacturer backing. Microsoft and its competitors operate in an unregulated, uncontrolled industry with little history of product liability litigation and a sales structure which heavily favours them in the event of such litigation. Compliance with any standards which may apply to their products is wholly voluntary, and warranties are nearly always explicitly disclaimed.

      In the former environment, even ignorant buyers are unlikely to find themselves with a grossly inadequate vehicle. However, ignorant buyers of computer software are virtually certain to end up in the unenviable position of owning a license to use a defective product, with no ability to recover compensation of any kind, including for damages caused by the software.

      Chevy and Ford have fanboys. It may well be that browsers do also. But nowhere in this discussion have I advocated any particular product as an alternative to IE; in fact I have explicitly avoided doing so. There are numerous options, and each buyer is encouraged to seek the one they believe is most likely to function properly. As someone familiar with the field, I do not believe that anyone can honestly form the opinion that IE is that option.

  3. Don't worry folks, Microsoft isn't a monopoly! by Infonaut · · Score: 4, Interesting
    we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods.

    Any time one piece of software from one company can be responsible for such negative impact on our lives because of how poorly it was designed, while still remaining far and away the dominant product in its category in spite of superior software being readily available, that's a sign that the ill effects of monopoly power are at play.

    --
    Read the EFF's Fair Use FAQ
    1. Re:Don't worry folks, Microsoft isn't a monopoly! by zangdesign · · Score: 3, Insightful

      that's a sign that the ill effects of monopoly power are at play

      And that the competition has no marketing ability. Not to harsh on your mellow or anything, but do you really believe technical superiority is what wins over the masses? Drop a billion or so per year on marketing and then see how your favorite browser does in terms of marketshare (or any software for that matter).

      It is not enough to tout the technical advantage. You have to have someone who can translate into simple terms so Ma and Pa Walmart can understand that. Advertising is not about telling the truth, per se, but rather about making things look good regardless of any other factors. That's what Microsoft excels at (well, that and backroom deals).

      The point of all this is: Microsoft may be a monopoly, and they may wield that power ham-handedly, but the competition let them get there by making assumptions that weren't true, namely that technical ability would actually mean more than it does to the public.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    2. Re:Don't worry folks, Microsoft isn't a monopoly! by NanoGator · · Score: 4, Insightful

      "while still remaining far and away the dominant product in its category in spite of superior software being readily available, that's a sign that the ill effects of monopoly power are at play."

      No, it's a sign that Mozilla needs a PR firm.

      Face facts: Lots of stuff that has been popular over has had a superior alternative. Newton/Palm. GameBoy/GameGear/Lynx/Nomad. Beta/VHS. USB/Firewire. Etc. You don't need a monopoly for that situation to be created.

      Now, in this case, we do have a monopoly that puts IE in front of the users. Worse, IE does the job quite well. If you asked the average user out there what could be done to make IE better, the answer would not be "Tabbed browsing!". Why? Because they've never heard of that!

      Cripes people. There are no commercials on TV about Mozilla or Opera. There are very few (if any) hints to Mozilla's existence on the mainstream news. You have to visit Slashdot to be blasted with Mo's zealotry. So tell me, how's anybody even supposed to know it exists?

      Spare us the MS blame game. There are things that competing browsers can do that they simply aren't. When those avenues are exhausted, you can draw one of two conclusions: 1.) Microsoft has an impenetrable monopoly on the browser market. or 2.) The market has decided they like IE better. In the first case, you can bitch and moan. In the second case you can improve Mozilla.

      --
      "Derp de derp."
    3. Re:Don't worry folks, Microsoft isn't a monopoly! by nathanh · · Score: 2, Insightful
      Would you say the same if store bought computers with Lindows had Mozilla by default?

      How about we wait until Lindows and Mozilla have 93% of the desktop market before answering that.

      Or does your rant only apply when MSFT is in question?

      MSFT is the only convicted monopolist with a known insecure desktop that I can see.

      And btw, integrating the browser with the OS [this particular OS] *makes sense*. Similar to KDE the file browser/explorer re-uses the codebase as the web browser.

      Integration is irrelevant. The case was about monopolist behaviour. You are focussing on the technical but MSFT did not get convicted because of purely technical decisions.

    4. Re:Don't worry folks, Microsoft isn't a monopoly! by Crayon+Kid · · Score: 2, Insightful

      Why hasn't anyone thought of making a very cool looking series of "Looks Best With Mozilla" buttons?

      Because usually the likes of the crowd behind Mozilla is also usually supporting Web standards. "Looks best with browser X" goes very much against that.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
  4. So, to paraphrase... by thecampbeln · · Score: 2, Insightful
    Microsoft is never going to make these changes, so our experiment of embarrassing them into patching hasn't worked, so we might as well give up so that we don't benefit hackers. I can't say I fault their logic...

    What were the reasons against a monopoly that my economics teacher tested me on again?

    --
    "1984" was ment to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
  5. bravo pivx! by Davak · · Score: 3, Interesting

    We all should give pivx a huge hand!

    First, they applied the pressure to help force microsoft into fixing the software.

    Second, they are now giving microsoft some slack (negative reinforcement?) for trying to fix its browser.

    Bravo guys!

    Plus, these guys are hiring!

  6. Wow, great! The internet as a whole thanks you! by vistic · · Score: 2, Funny

    How fortunate this is for the internet community! Imagine if IE were open source like this Mozilla thing! Keeping every working detail and possible vulnerability all very hush-hush is what makes IE the great browser that it is! How does Mozilla survive? I mean, come on... Bugzilla? They should follow these guys' example and shut down.

    For the good of the internet as a whole!

  7. Re:One of my favorites by Phroggy · · Score: 2, Informative

    It's not really valid HTML though. I assume that IE looks in comments and parses stuff inside them ([If IE]...[endif]).

    Yes, I cheated so I could pass W3C validation. They're called conditional comments. If I wasn't using conditional comments, the code would not validate, but IE would still crash, and other browsers would not crash (although they would show a form field, defaulting to type="text").

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  8. A Larger Problem by wingspan · · Score: 2, Interesting
    So, the page that kept track of unpatched MSIE holes is gone. That means that MSIE is now treated like any other software; the vulnerabilities are reported, but no one keeps track *publicly* of what is unpatched.

    Why aren't other pages keeping track of unpatched vulnerabilities in other software? Well, have you ever tried to match up the CVE database with patches? It's difficult. I don't know anyone who can answer how many unpatched vulnerabilities are present in W2K, XP, and the like. Has to be boatloads.

    Vulnerability disclosure doesn't create pressure on MS, however. Malicious code creates pressure. Consider the MSIE vulnerability that led to QHosts. That one was old -- in August MS said that the patch they produced should have corrected the Object Type vulnerability, but didn't. Yet the patch wasn't corrected until October, and that was only after QHosts exploited it. The exploit, however, raised MS's concern so much that they issued the patch on a Saturday instead of their regular Wednesday schedule....wow, the vulnerability is known for two months, then suddenly a patch appears AFTER the exploit is released.

    What are the lessons?
    (1) Apparently ALL MS software has unpatched vulnerabilities
    (2) Apparently vulnerabilities are not priorities for MS unless exploits become newsworthy,
    (3) Trusting on MS patches to correct vulnerabilities is a recipe for disaster.

  9. A short history of IE vulnerabilities: by Futurepower(R) · · Score: 2, Informative

    A short history of vulnerabilities reported by PivX:
    • June 18, 2002: 18 vulnerabilities
    • August 8, 2002: 22 vulnerabilities
    • September 9, 2002: 19 vulnerabilities
    • November 19, 2002: 32 vulnerabilities
    • December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on Nov. 20, but two new ones were found.)
    (From my article: Windows XP Shows the Direction Microsoft is Going.)
  10. "Good-faith reprieve" by dbarclay10 · · Score: 3, Interesting

    I sincerely hope that if Microsoft doesn't fix each and every valid vulnerability that was listed on that page, within six months, that the page gets restored.

    It has been proven time and again and again and again that vendors, especially monopoly vendors, will not fix their systems in a timely manner unless they're pressured to. And by "timely manner", I mean within four weeks.

    The last five or six MS security bulletins I've seen had lapses of between SIX AND NINE MONTHS between the reporting of the problem and the release of the patch.

    So two things:

    1) If Microsoft doesn't fix all the currently-known vulnerabilities within six months, somebody should take it upon themselves to start tracking them again
    2) If Microsoft can't get their act together and release patches for new vulnerabilities in a timely manner (instead opting to waffle for six months while real people's systems are getting exploited because MS is _never_ the only entity to know a vulnerability, and it's almost guaranteed that somebody with nefarious intentions does), then somebody should take it upon themselves to start disseminating as much information as is required for *real* preventative measures to be put in place

    I'm all for giving them one more chance, but I'm not willing to sacrifice my clients' systems by changing my standards for this "chance". They either do what they should do, or they have to deal with me telling my clients exactly what they need to do to protect themselves from a given vulnerability - and that information would almost certainly be enough for a black-hat to use if it ever got leaked.

    If you think my standards are too high, consider that other vendors whose software is used on systems which literally control life-or-death systems often release fixes within hours and days, not weeks and months.

    --

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)
    1. Re:"Good-faith reprieve" by dbarclay10 · · Score: 2, Interesting
      How can 4 weeks be considered a reasonable amount of time to fix a bug and issue a patch when IT people who merely DEPLOY the frick'in patch complain that 4 weeks isn't enough time to deploy a patch?

      Most of my clients have a few hundred computers. When it's important, they'll usually get a patch deployed on every machine in a few hours (work split between a half-dozen people).

      There are tools that scale very well. One of my clients has 4,377 servers (just looked that up), and somewhere around 14,000 workstations. These guys aren't particularly good, and yeah, it takes them months to get even a single patch reasonably widely-deployed, and 9 times out of 10 there are still a few thousand machines which don't have it (but which they think do :).

      That's an expertise problem, though - there are tools they could be using which they aren't, tools that are provided at no cost from Microsoft, which could make it much faster. They also don't standardise their software installs, almost each and every machine is unique in some way - that's a truly hellish situation.

      If my experience isn't the general experience (with most of my clients being able to deploy patches in hours), then I might suggest that the problem is that it's such a god-forsaken risk, installing MS patches. Sure, 97 times out of a hundred they don't cause any problems, but it isn't "97 patches out of a hundred", it's "97 installs out of a hundred". That usually means days and days spent fixing and tweaking and poking the machine which broke. This is another area where Microsoft could improve - it's one thing to have a fix, it's quite another to have a fix which breaks things.

      All that being said, however, I'd like to point out that it doesn't matter how long it takes some people to install the patches. I'm demanding Microsoft to do what it can. It's got 30 or 40 billion in the bank, it can afford to hire people who are specialists on specific pieces of code, such that if a problem ever occurs they can get a *GOOD* patch right out the door.

      Maybe you don't care if your systems are vulnerable to exploits which were being traded around the black-hat communities six months ago, but that's not my choice, nor is it the choice of my clients.

      P.S.: Four weeks is extraordinarily generous. Except for all but the hairiest vulnerabilities, the fixes themselves are generally finished within hours, and with a proper lab and staff they can be tested on hundreds of different configurations within the next few days.

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
  11. Normal people have never heard of Mozilla by QuantumG · · Score: 2, Interesting

    Unless you're a geek, you don't know about Mozilla. You might know about Netscape and think 4.1 was about the end of the line. You may even have tried one of Netscape's releases of Mozilla and thought it sucked (which, let's face it, it does). Most users of IE think that installing a different browser on their computer will break IE. They fear losing their bookmarks and their history. All that's really needed is a good public education program. Most of which can be achieved by each of us sending our non-geek friends to www.mozilla.org.

    --
    How we know is more important than what we know.
  12. Am I the only one by Pan+T.+Hose · · Score: 2, Interesting

    Am I the only one who read "IE Vulnerabilities Removed"? I knew it was too good to be true...

    That's funny, but jokes aside,

    I believe this is what Microsoft should be doing, id est removing the vulnerabilities themselves, not merely the discussion about them. Those greedy bastards have so much cash that patching IE should take them less than 6 weeks. So I am asking: why aren't they doing that? Is there any Microsoft employee reading this who could answer my question? I surely hope so.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  13. Re:But you can get Moz to crash with it by Necroman · · Score: 2, Interesting

    Huh, I don't know. It crashed it when I clicked straight through this time. Maybe different versions of Moz? I am running Mozilla 1.4 on both a WinXP and Linux, and it crashes on both.

    --
    It's not what it is, it's something else.
  14. Re:Why isn't the most important reason given? by NanoGator · · Score: 2, Insightful

    "So why was that left out? Reading the summary I just thought that these people were being nice guys to Microsoft, and not that Microsoft actually addressed and fixed many issues with IE.

    One sided journalism?"


    Ah, new to Slashdot?

    This is exactly the reason that so many 'Microsoft Apologists', as they're affectionately called here, argue with popular opinion. Simply put, you really have to RTFA with stories about MS because they ALWAYS have the worst possible spin here. As a result, people come out and say "Microsoft isn't really assimilating the world here..." and nobody else wants to believe that so they are ridiculed.

    It'd be nice if Slashdot's MS reporting was a little more balanced. The way it is now, seriously, it's like watching Jerry Springer sometimes.

    --
    "Derp de derp."
  15. Re:Why isn't the most important reason given? by carlfish · · Score: 3, Interesting

    The patch "renders several IE vulns obsolete". Most software vendors release patches for their software, and it's nice to see Microsoft continue to do so. That's not really news, though. The news is that the service that tells us what vulnerabilities remain has gone.

    That releasing a patch removes the need to know about the outstanding vulnerabilities is simply nonsense.

    Which IE vulnerabilities are rendered obsolete by the patch? Which remain? "Several" is not "all". It's quite likely not even "most". Which ones are still there? Well, suddenly PivX aren't going to tell us.

    It's dark. You are likely to be eaten by a grue.

    Charles Miller

    --
    The more I learn about the Internet, the more amazed I am that it works at all.
  16. Re:But you can get Moz to crash with it by rsheridan6 · · Score: 2, Interesting

    I did too, and it crashed. (Mozilla 1.4, Linux).

    --
    Don't drop the soap, Tommy!
  17. This is a mistake by rossz · · Score: 2, Informative
    Unless there is bad publicity surrounding a security hole, Microsoft does nothing. Keeping the security problems public and well known gives us (the internet community) several things.
    1. Incentive for Microsoft to fix the problems.
    2. Warnings to the community of just how common these problems are.
    3. Fun ideas to implement in web pages to mess with idiots who insist on running IE instead of anything else.
    --
    -- Will program for bandwidth
  18. Re:Obligatory sell out reference by wasabii · · Score: 2, Interesting

    I will run my own "IE Unpatched" list.

    Hopefully it'll be up in a few days. No URL yet. This knowledge must be available to people.

  19. Re:"A billion here, a billion there... by IM6100 · · Score: 2, Insightful

    It's a long and twisted story.

    Netscape wanted to 0wn the net and they riled up Microsoft and now Microsoft sorta 0wns it instead.

    I'm not sure either would have been a good thing, but I know there wasn't anybody involved who was a nice guy.

    --
    A Good Intro to NetBS
  20. Referring to MS right? by Fatal · · Score: 2, Funny

    to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods.

    Now that's gotta be the most fitting description of Microsoft that I've ever heard!

  21. It's not that I'm lazy by Bobb+Sledd · · Score: 3, Interesting

    "See, Bobs, it's not that I'm lazy, it's that I just don't care."

    I am a web designer, and I am fully aware of the problems with IE - security and otherwise. But personally, I really don't care about its vulnerabilities. My job is to make my web pages look correct in maybe this version and a few versions back of IE, but that's really it.

    Ok. So you can take over my computer with a web page. Well, I'm not going to YOUR web page.

    My email filters out spam. Not going. I don't look for warez, don't check out pr0n, don't download any hip new software.

    I DO go to my bank's web site and look at my balance, read /., check for updates for Trillian or some other software I might use, or update a driver. Yes, I'm a boring user. But I really don't have time for much else, and since I don't think my bank nor any of those other sites I visit have an interest in doing malicious things to me... I just don't care, plain and simple.

    I know it's not a safe way to live, and I think that if my computer were destroyed right now I'd shrug and say "meh." And then build another one.

    Maybe others feel the same?

    --
    "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
    1. Re:It's not that I'm lazy by Admiral+Burrito · · Score: 3, Insightful
      Ok. So you can take over my computer with a web page. Well, I'm not going to YOUR web page.

      That doesn't help much. The recent QHosts malware (which used one of the 31 unpatched IE holes to install itself) was distributed via a banner ad. You don't have to visit $badguy's web page if $badguy has hacked into one of the web sites you do visit, or if he can use the commercial banner ad network to serve up his exploits.

  22. Be a part of the solution: use Free Software. by jbn-o · · Score: 2, Interesting

    From the site:

    We appreciate your interest and your support of our security research efforts over the past several years. Please join with us in being part of the solution.

    Try Mozilla or Konqueror instead--two fine free software web browsers (and there are many others). Then consider switching to a free software operating system so you don't bump into holes in other applications and have to wait for the proprietor to fix them for you. If you want to inspect, copy, distribute, or modify free software programs you can do so (or get someone else to do so for you). Freedom is really worthwhile.

  23. Re:One of my favorites by AstroDrabb · · Score: 2, Insightful

    Was that supposed to crash Mozilla? It didn't do squat with MozillaFirebird 0.6.1. Maybe that only worked on some old 0.x version of Mozilla?

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  24. Re:The Obligatory "Safari/Mozilla/Opera Wins" Post by jovlinger · · Score: 3, Interesting

    That's quite disingenuous.

    It shouldn't be ubiquitous because people should put more value on quality and less on convenience. Ultimately, it is this laziness which lets slipshod products (in any market, not just browsers) ride the tide of marketshare.

  25. Re:One of my favorites by _xeno_ · · Score: 3, Interesting
    Actually, I've succeeded in crashing it in both Mozilla 1.4 and Mozilla 1.4.1. So it happens in the latest Mozilla build, with the latest bug fixes - just a single click away, and the browser dies. I haven't tried 1.5RC2, but right now I don't want to play around with beta software as my main browser.

    This is both under Windows, but it shouldn't matter. The important part is new Packages.sun.plugin.javascript.navig5.JSObject(1,1 ) which, obviously, shouldn't crash the browser. I think this is really a problem with the Java plugin, but I can't guarantee that. (So this may really be a plugin problem, not a Mozilla problem. Or it may be a Mozilla problem with the Javascript/plugin interface. I don't really know.)

    --
    You are in a maze of twisty little relative jumps, all alike.
  26. Another PR effort at the expense of business by SgtChaireBourne · · Score: 4, Insightful
    I think this is a continuation of the attempt to squelch technical discussion especially regarding (embarrassing) security issues, and in particular against full-disclosure. Microsoft would like to move to releasing patches once a month rather than once a week on Wednesdays and a prerequisite for that is keeping the public out of the loop. In order to stay in business, MS must hinder customers from figuring out that Windows is not ready for the Internet, and won't be for years.

    As Schneier predicted, for Microsoft, the threat is bad publicity, and they are going to produce a security system that deals with the threat. Without some kind of disclosure, sysadmins cannot take stop gap measures to secure their systems. This is just another instance of rather than working on securing its products to a level needed for the Internet, the issue is being handled as a PR problem.

    Time to upgrade if you haven't already.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.