Slashdot Mirror
New IE Holes Discovered
joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up. Will they have a patch available withing the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I don't blame this guy for not going to Microsoft first. Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.
P.S. Is it news anymore that IE has holes?
Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a days warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.
He who laughs last is stuck in a time dilation bubble.
A spokesman was quoted as saying, "It's the only way we can release a product with more holes than IE".
It is unconfirmed if StringVest will be integrated into Windows XP SP2 or if we will have to wait until LongHorn is released.
...from IE. I tell people about the built-in pop-up blocker, and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerablities like the ones in this article, I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Believe me, in these days that is the only way to report bugs AND making sure they'll get fixed.
Dream world scenario:
1) Report bug to company
2) Company will announce the bug to the public
3) Company will fix the bug as soon as possible
Real World scenario 1:
1) Report bug to company
2) They don't report it to the public and they don't fix it
3) You report it to the public
4) Company sues you for IP violation or any other shit they can pull out of their asses
Real World scenario 2:
1) Report it to the public (anonymously).
2) Company will fix it
not news, this happens every day.
good news would be like.. goatse.cx and tubgirl.com went down and trolls no longer could shove a hairy fat ass dick up my ass before i go to bed and rub one off.
Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.
The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.
Russ Cooper made some good points.
I think MS has the responsibility to address their customers concerns immediatelly (naive, I know), especially IE's overly close integration with the OS which causes most of these exploits.
Wearing pants should always be optional.
It seems to me a number of these vulnerabilities have been posted to some popular "Unpatched IE bugs" page for weeks and weeks, so far..... this guy just combined some of them to demonstrate seriousness.
Interesting to see how people respond when its Microsoft that has been given no notice about an exploit.
I am getting sick and tired of the Apple fanboys, remember back when /. advocated use of free software? Oh for the good old days...
I just downloaded the latest IE patches this morning and now IE wouldnt even start....its doing nothing. Time to move my bookmarks to the firebird....tonight.
the millions of people who are forced to use Microsoft products
I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.
Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down. They didn't want to spend the money and didn't want to deal with integration on the network. I doubt the number of people being "forced" to use Windows numbers in the millions though. Besides, there was a benefit to the Windows box that the company certainly never intended - a wider variety of LAN games to play head-to-head against my office mate.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Yeah, why didn't he? They could have fixed it until the next windows release.
i installed fedora core 1 on her machine on thanksgiving... everything's been great, and her p4 1.8ghz is actually behaving like a machine with that sort of speed, not the slow as poo windows she had before... she was nervous at first, but all her banking/mail stuff works just fine under mozilla.
maybe it's stuff like this that we need, and more people should get their families exposed to it...
momentum, people, momentum.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Thats because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or take legal action against them.
If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?
I can understand the desire for such vulnerabilities to be fixed before going public, but Microsoft has been known to sweep exploits under the rug for as many as twelve years. Exploits are a common fact of life with Microsoft products, and its better that this exploit was released to all as an explanation than as a virus/worm.
You can't judge a book by the way it wears its hair.
half the exploits don't work (latest WinXP), the remote exploits doesn't , and the rest require physical local access which sort of negates security on a windows box
this isnt news
at least not to those who are on the lists who see this "hackers" postings on a regular basis
On Windows XP.. stock up to date installation... these remote EXE exploits he posted don't seem to do anything.
I like this release.
Disable Active Scripting and find an alternative to IE ("use another product"). Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.
I do find that people are starting to be a lot more receptive towards MS-alternatives, especially when the mass media is now jumping on the bandwagon as well. Now techies find themselves explaining their choice of MS over and over again, to hype-induced managers.
Wearing pants should always be optional.
WE could have found out about it when our sytems started acting up.
I can understand complaining about being forced to use Windows. However, no one is "forced" to use Internet Explorer, even on Windows---Mozilla is a better alternative in Windows.
Most of my family and co-workers use Mozilla, and they haven't looked back.
I am sure many Microsoft employees are registered to receive notice.
Register here. It don't cost nuthin.
This is not like Windows-Linux, where there is a steep learning curve.
Mozilla (or Phoenix) is a slick alternative with an almost zero learning curve to pick up the same level as IE. It also takes almost no time to learn features _that aren't in IE anyway_ that help you see the internet in a much more useful way (ad blocking etc).
No one is forced to use IE with very few exceptions:
People who have it mandated at work, but that's work's problem not yours - they could change too.
People on dialup who have a very slow net connection - but they probably have it on a dial up CD.
People who use it's integrated rendering engine for OE/HTML email - but you can change that easily too.
People who _must_ access IE only websites - but there are very few of these any more, and you can always use IE just for these to lower your exposure.
Microsoft Zelots who refuse to believe that Free software can be any good - but they deserve everything they get.
Beep beep.
[i]Sure, a lot of people don't like Microsoft, but that's no reason to [b]make it worse[/b] for the millions of people who are forced to use Microsoft products[/i] Make it worse and make em' switch to a better browser. Also reporting about these holes before MS can do anything about it will get them up to speed on fixing it, rather than keeping it quiet like they normally do when somebody does report a hole to MS.
Jonathanjk.com
While my firm is a strong supporter of full disclosure, this is rather over the top.
What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.
Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.
We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.
Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq .
Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.
I am sure the anti-trust judges will merely (and quite easily) remove IE from their Windows desktops and not even worry about security issues.
I'd like to know who the editor thinks are "forcing" people to use Microsoft products.
Nobody put a gun to my head and ordered me to buy Windows XP. I believe I made a rational decision based on the price, quality, and usability that I chose Microsoft.
It's a pretty arrogant attitude around here that people who use Microsoft are just too dumb, or have been coerced by dark, nefarious forces. No wonder people don't take you geeks seriously.
IE has more holes in it than a row of nerds after the firing squad got done with them.
> make it worse for the millions of people who are forced to use Microsoft products
It's bad that enough nerdy Microsoft Windows users must endure the incessant rudeness of Linux users to get their 'news that matters' on Slashdot. But for CowBoy Neal to permit a discussion topic that implies we are slaves to Microsoft is just plain offensive. Did you ever once consider we might feel liberated to use Microsoft products? It's like looking out into the ocean, seeing a swarm of sharks feeding in the surf, and then choosing to paddle out to ride the waves. It's an adrenaline rush.
Using Microsoft products is not genetics or how we were raised. It's a choice and we're damn proud of it.
Who are you kidding ? How can you even say that ? How could you possibly know that ?
It is probably safer to assume they are in fact being exploited.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
... "Microsoft is holding up compensation claims from a quarter of million Californians in order to punish Lindows.com"
In other news
Wow, I can't believe I'm the first to make this joke ..... today.
yeah, he's pratically a terrorist... we should regime change his ass!!
And do you think M$ of M$ fan boys would alert an OS project if they had a security flaw before telling the Rags. I don't, they would instead run around going "see OS is dangerous look at all the users getting cracked see see" Any one knows with a lick of sense that any development model can produce buggy software as a general rule open development is better but by no means perfect. They use the discovery of bugs to damage OS, we should use it to damage them. Fact is the more M$ hosts that get cracked the better, there is nothin g like getting burned badly to make you want to switch platforms to something with at least* fewer security bugs. In general I am not a big zelot who goes about demanding everyone switch platforms especially switching away from something they are confortable with but the OS community REALLY needs some big players to switch right now otherwise we are gonna see more problems like with DVD which commercially was only supported on WIN/MAC and for all I know still is, but getting a bios designed only to boot windows working with alternate platforms will likely be alot harder then deCSS, not to mential all the highly proprietary authentication scemes and MS-TCP, the list gones on...
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Chinese != Communist...
hey folks, this was posted to bugtraq some two months ago.
Microsoft has claimed time and again that their response times to security alerts are sterling, as opposed to the "slow" response times for OSS. They make these claims without telling consumers that they have known about the exploit for months and are publicly releasing knowledge right before they release the fix.
This is a case of people letting Microsoft's boastful ways catch up to it. If they are as fast as they have claimed, time and again, there won't be a problem for those people who are diligent in patching.
Additionally with the advent of companies using the DMCA to try and stifle this behavior, it is more important than ever to engage in it and further show the flaws with this absolutely off the wall piece of legislation. See this article.
"Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
That's daft, to say the least. The vulnerability was there, wether you knew about it or not.
If he would've reported it to the vendor (in this case Microsoft), it wouldn't have been 'a known hole', but to the Microsoft developers. They would've came up with a patch and you could've spared your company the trouble of explaining why they had to take down their webserver for half a day, while a patch was developed/tested.
As for 'why I don't use Microsoft software anymore', that's also stupid. You think other companies don't face these kinds of problems?
Violence is the last refuge of the incompetent -- Salvor Hardin
What can this mean for ${product}?
I thought the strength of ${product} was security through complete obscurity. I've been recommended ${product} and other solutions from ${company} as an alternative to open-source software (which is inherently insecure) but now my belief in proprietory software has been shaken because of this flaw in ${product}.
Between this, and that last service worm, I'm not sure I can trust proprietory software anymore.
What should I do?
-- clvrmnky
It sounds like GameSpy backed down eventually, but here is senario #1 from early November . . .
/ 17 35212&mode=thread&tid=126&tid=127&tid=153&tid=172& tid=186&tid=99
>chowbok writes "Luigi Auriemma has found several
>security holes GameSpy software over the past few
>months. He has reported them all to GameSpy but
>never got a response... until today, when he got
>a threatening letter from their lawyers. It says
>he's violating the DMCA, he needs to
>cease-and-desist, yadda yadda yadda." Update:
>11/12 21:09 GMT by S: GameSpy has now posted an >official response from the company's
>founder, Mark Surfas.
http://yro.slashdot.org/article.pl?sid=03/11/12
How many people really get affected by IE security vulnerabilities? There aren't any massive IE viruses and stuff... It would probably be best used in some kind of corporate espionage, not against the general public. I haven't heard of anyone getting affected by one of these vulnerabilities yet. The one that allows a hole in ActiveX/Javascript to eject your CDROM is priceless though ;)
In any case, I do agree that notifying the vendor at least a week in advance is a good general policy. But releasing an actual exploit app I think is also necessary. Giving script kiddies the ability to easily abuse the hole forces the vendor to fix the hole and get people to patch; the big worms like Blaster are an example. It got so out of hand you had the television telling you where to go to patch up. Now if only they'd tell me about updated Slackware packages...
A billion dollar software giant cant even get a bloody browser right after 6 version and even when its not crashing or having security flaws it still cant render HTML or CSS properly. Hell they screwed up even on email.
And Microsoft wants to write software for cars and business servers and sell their products for 1000's and claim they are the best and that other software methods are cancer??? Go screw yourselves you fuckwits.
This comment does not represent the views or opinions of the user.
it wouldn't have been 'a known hole', but to the Microsoft developers
Prove it. Anything that can be found by a white/gray hat can be found or was already found by a black hat.
I agree with this. If there is a problem that's going to compromise my security, I'd like to know about it ASAP so I can (temporarily) stop using the software that's causing the problem, and switch to an alternative application.
Follow me
Ignorant_JackAss != American ... (I hope)
What irks me is that MS did not discover these themselves. After all, the closed source, security by obscurity, we can do it all ourselves model of software development is so superior, that we can only draw one of two conclusions. Either their superior technicians found the problems already, but the management decided not to put in the resources to fix it, or their superior technicians did not find the bug, in which case they need to not only fix the problem, but understand why their process so routinely fails.
This is not an issue of hating MS, any more than the other recent alert was an issue of hating Apple. It is an issue of knowing there is a problem out there, but having no power in the official process to correct the problem. The only power the might be had is that of public relations. This is very different from OSS, in which one can potentially affect the development process and at least see that something is being done.
This whole issue of course assumes that dozens of other people have not already found the bug and are exploiting it on small scales not easily detectible by the common methods. And of course does not take into account the ability for people to switch browsers. Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
here's the actual original post from usenet:
4 3
http://groups.google.com/groups?th=f81e71bc315bd0
I think that the fact that comments like this doesn't get moderated down as flamebait says a lot about the moderation system/people who moderate this site.
Although in a perfect world, we would have companies auditing their own code and finding exploits in their own products, the fact remains that unless there is a perverable rocket aimed at their behind, nothing will be done.
The fact remains that we have an organisation here with over 40,000 employees, over $40billion dollars in cash and yet, they're making *really* stupid mistakes. I am sure most people could cut Microsoft some slack if they were a small business OR that these incidents were as rare as hens teeth, however, when it becomes "have you applied the daily patch", people lose their cool.
The unfortunate thing, however, is due to Microsofts huge marketing muscle, this approach by "exploit finders" doesn't work. Microsoft instead of taking on board the information and applogising, instead they spin the story as to make out that the person who finds the exploit is somehow linked to a grand anti-Microsoft conspiracy, and god forbid, call them a "terrorist" for "exposing" the unwashed masses to "harm".
"The difference between pornography and erotica is the lighting" - Woody Allen
remember Tianaman Square???
:^)
not all Chinese are wanting to hurt America, there are a LOT of Chinese that want to live normal lives in a normal house, and raise their familys like we do here in the USA, so forget your stupid paranoia for a while...
i would trust Chinese developers much more than i would a Microsoft sales marketdroid...
P.S. Have a nice day
What makes you think all Chinese are communists? That's like saying all Germans were Nazis during WWII, which is very very far from the truth. The problem in totalitarian regimes is that you're not allowed to say anything substantial against the government... but it's not illegal to think it (well, not yet anyway).
Yeah, it just seems like communism. Really it's a democracy. I can fly.
As if microsoft would care about said holes unless the first exploits are out there in the wild...
bye,
[L]
I'm sure it's been said before but...: Shouldn't we realize that the bugs, holes, viruses, incompatibilities and needless complexities in the computer world are providing us with well-paid work? It almost makes sense that a software giant would purposefully include errors - they have to be fixed by someone, and that someone sure as hell won't do it for free. Most of us addicted to Slashdot either run Linux or can keep MS/Apple problems at bay on our own machines. The problem hits everyone else. We are the ones that get money as a result of these "problems." My deluxe single dorm room (with a view I might add) is free because I run around on afternoons -at my own schedule- (mmm freedom is good) and fix other students' computer troubles.
Personally, as soon as I saw this report on Reuters I said to myself "HOT DAMN! More money for me!" I am gonna sit back and enjoy the ride.
If you want absolute security, please lock your machine in a vault, throw it in the ocean and it'll probably be safe.
What are the chances of it being exploited in the $time it takes developers to come up with a patch, by this black hat who knows about the bug, but didn't exploit it before the bug was reported?
Violence is the last refuge of the incompetent -- Salvor Hardin
Side one - Internet Explorer badly coded, so there's lots of vulnerabilities.
Side two - Since Internet Explorer is used so widely, there's a lot more people looking for problems with it, and the ratio of bugs found to the number of users is moderatley comparable to any other browser.
An interesting study would be a comparison between the number and kinds (garbled text to root exploit) of bugs known for each browser (what's the cut-off point? any bug from the first alpha version to the "final" version? Or just for the current revision?) versus the number of approximate users.
Given that there are web pages listing dozens of unfixed IE security holes, what difference does it make to announce another seven without telling Microsoft first?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I don't know how MS can just sit and watch this happening. Do guys at MS get paid on time? Any self-respecting developer would immediately try to remedy the situation. This cleary shows that, MS CAN stuff shit down people's throat and get away with it. Looking at the way things are going, I think MS SHOULD BE HELD RESPONSIBLE. They should start sending out CD's which contain patches to all their PAYING customers. I'm sure that the size of the CD patches will be more than the actual OS itself !!!
-- Live Long And Prosper
by about 20%. eddie bauer will be trying to google them soon? tell 'em robbIE?
We're constantly bitching about low security of Microsft products. Nothing changes - they're still as lousy as before. But Microsoft doesn't care. People still use their software. Instead of fixing the bugs they launch new zillions $$$ worth advertising campaings, showing they're much better than OS solutions.
In world of real operating systems standard answer for a bug is bugfix. Microsoft has different strategy. They release new marketing patch every time somebody discovers new security flaw.
Sure.. Full disclousure is usually a good thing (tm). But if it's about closed source, you can't always do something about it (like IE bugs - there are no ports you can block..).
Other then shutting down the net or forcing the users to switch to another platform.
Isn't it better then that nobody really knows about the security flaw until it's fixed?
Huh. From R'ing TFA, it seems there is an exploit using five new security holes disclosed on 11/25/03, not the seven originally reported on 9/11/03.
Considering the USA is the most polluting, over weight, undereducated group of people in the 1st world. Plus the rampant racism there, they might choose a better role model.
Not true, Microsoft makes it very difficult to use anything but Microsoft junk. The first level of anoyance is a barage of scary warning messages about "signed code". Then there are constant anoyance messages which require confirmation and include the option you don't want. In time, you will push the wrong button. Finally, Microsoft breaks other programs on their platform. My little brother uses XP and keeps it "up to date" by accepting whatever M$ pushes at him. It broke Mozilla. I consider that a force.
The only way to avoid all of that harassment and the insecurity that it creates is to leave M$ completely. If you still think it takes a lot of effort, you need to play with Knoppix. The only trouble you might have is with winmodems and other nastier hardware which does not work well under windblows either. It's easier for indiviuals to install and way easy for technicians. It's good for individual users and far superior for business.
There's probably someone near you who will do an install for less than the Windblows install going rate. Just google your town name with "free software", Linux and other likely terms. Hungry geeks, such as myself, will happily come to your house for $40 and set you up. Businesses will pay by the hour but save hundreds per machine and employee every year.
Friends don't help friends install M$ junk.
"The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list."
There is no requirement to notify Microsoft, nor should there be. I want to know about this kind of stuff as soon as possible. In my opinion, it is not for Microsoft to determine when I know that my computer has a security problem.
Besides, this kind of thing should show if Microsoft's boasting about response time to security vulnerabilities is the truth or just plain old anti-open source FUD.
Tell that to my bank. No IE, no internet services. No internet services, no bank services at all where I live. Yes, Mozilla is a much better alternative, I use it myself as much as I can, but I am indeed still forced to keep IE around and use it.
Oh, and I also need it to post anonymously to Slashdot (Mozilla doesn't work with
Yours in pettiness.
"there are a LOT of Chinese that want to live normal lives in a normal house, and raise their familys like we do here in the USA"
That's because there are a lot of Chinese, period.
And not so many people that live in the USA, contrary to popular belief.
Violence is the last refuge of the incompetent -- Salvor Hardin
Isn't this a term used for having to deal with the issues related to choices made? Why should anybody expect others let Microsoft sugar coat the mess they released on the world? Those who use MS products must pay the price of such a choice. Those who consider they have no choice because IT gives them no choice have to play on the theadmill Microsoft and their IT departments put them on and should make their IT staff fix the problem. IMHO.
When will Microsoft go to court for all of this crap? Can you imagine purchasing a new car and seeing a note on the seat. You open the door of your new car and read the note. It says that the auto maker has no responsibility to how the car works or if it will work.... The auto makers can't pull the kind of EUL that Microsoft gets away with. Yet no lawsuits. What gives?
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
I was at one of the Apple roadshows when Jaguar was being released and they ran a demo of the you-beaut Samba connectivity straight out of the box.
It was interesting to see the PowerBook had no issues, while the Vaio had a couple of issues trying to see the PowerBook.
My own experience has been that it is easier to handle the connection and data transfer from the Mac, than it is from the Wintel box. I got so frustrated with the poor networking options on XP that I just ignored it, and let my iBook sort it all out.
InfoSec that matters, when it counts.
It's more like a blue screen of death after innumerable pop-up anoyances. Oh, the thrill of crap that does not work. Wooot. If that turns you on, you must be on Bill Gate's payroll. I prefer to get things done.
Friends don't help friends install M$ junk.
I don't understand the "forced to use Microsoft products" part.
Even when you need to work on Windows, why should you be _forced_ to use Internet Exploder?
Mozilla is the first thing I always install on Windows.
There are organizations where people are indeed forced to use a fixed set of software. In this case, if there's a security hole, the responsability belongs to the sysadmin who forced people to use broken and out of date software.
{{.sig}}
...it would have been found by the Black-hat soon afterwards. The software is as it is, if a potential or real exploit can be found by anyone, it's going to be found in the first place no matter who finds it first.
I would rather be told by a White/Grey-hat cracker even if the parties responsible for the software know at the same time than find out the hard way through Black-hat activity.
Like others that have posted, I don't care one whit about the "reputation" of a company or a group doing a piece of afflicted software. I want to know about the problem so I can offline the machine or the software- or, at the very least make an INFORMED decision about it's continued useage.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I wrote this above and I"ll post it again, using an alternate browser does not always protect you from IE holes. I cannot comment on these new holes because I'm not sure how they work, but some previous IE holes left the computer vulnerable whether or not you actually used IE at all! An unfortunate consequence of the browser integration with the OS.
So the fact that I'm using Mozilla on Win 98 right now, doe not mean I'm guarenteed immunity from these new holes.
Pop-up annoyances? Ohhhh, you mean pop-up ads. No, as a Microsoft user I have a multitude of options for killing pop-ups and any number of Internet annoyances.
And no, I'm not on Bill Gate's payroll. I'm sorry you don't feel that using Microsoft Windows is like a wild sex romp with curvacious twins on their 18th birthday. Too bad for you sailor man. As for me, the blue screen of death is the best asphyxiation sex I've ever had.
These big companies have their mouth full of punishing people that tell they found holes in applications.
Also I find that MS is so bold and arrogant to ask money for everything and tells others to stop doing things for nothing...
Let them pay for the info on security problems...
No payment, no bug reports, period.
They can take care of themselfs? ok let them solve their own problems...
MS Windows and IE are insecure and full of bugs. They will compromise your security. I suggest you stop using them now. ;)
It is a *new* security exploit, based on several new security holes that Li Die Yu found. Given Microsoft's history of rapid responses, I guess one could be forgiven for not even attempting a notification. Has anyone seen a patch from Microsoft yet? ;)
Oh, and the way to avoid potential future exploits, disable scripting within the Internet zone... (or use another browser!)
Blocking ports isn't always an answer (in my not so humble opinion, they're not an answer ever- it's a band-aid...) so you REALLY should fix the buffer overflow and other issues instead of side-stepping the problem. Of course, if the best that someone can do is block a port because of financial considerations or relative difficulty (I'd believe BOTH in the case of Microsoft...) then that says volumes to me about the company in question- and they'd not get my dollars in return.
Funny that, I use Linux almost exclusively on the computers in my house and at work...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products,
They just signed a contract with Sun for a million linux desktops. Maybe it is time _now_ for people to seriously consider whether spawning a monoculture has been a threat to our techno pool.
What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available.
Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.
that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
Perhaps you misunderstood the headline paragraph, and this was just a bad attempt at sarcasm or irony from Cowboyneal? After all, the line makes no sense as it stands, since release of the information would make it worse for Microsoft users especially if the security holes already have exploits, and not when they haven't yet been exploited as Cowboyneal states.
If he meant what he wrote then he's really saying that the release has no significant impact on users.
Since the US has 2 parties, the US is twice as democratic as China. Furthermore, Canada has 4-ish parties, Canada is twice as democratic as the US.
http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatch ed/
Hmm. Looks like it's the same dude anyway.
XP, or, Linux. Linux still has the appearance to many of being complex and difficult to use, even though that's largely not the case (it's not difficult, it's different) for most distributions.
When you buy a PC, what OS is bundled with it?
XP.
When you buy software, what OS is it generally designed for these days?
XP.
You didn't make a choice other than to accept what was forced upon you- just like all the other good little consumers.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
so if they want us to let them know about problems then they should pay us for the information.
If they want us to test their stuff then they should pay us to do it; rather than charging us for the privelege of testing their stuff.
Codifex Maximus ~ In search of... a shorter sig.
What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available. Beware.
Exploit code, anyone? A simple google search or a Bugtraq archive browse over the last week should do it.
Yeah, that's nice. Spend 5-7 days waiting for the CD to arrive when you could just have easily downloaded it in 4 minutes time. Really well thought out plan there, dude.
'Standards' in computing only impress those who are impressed by things like 'standards'.
I think it's due to Adaware having removed something that MS used to track things, disabling my update ability. Nice to know given there are so many exploits. I've sent MS the error # but hold no hope of them actually fixing this. :(
If Microsoft is able to so easily piss off and alienate people in our own western cultures with their rude marketeering and downright savage business behavior - imagine what sensibilities could be imposed upon with the Chinese.
Though not usually a good idea, bypassing MS to announce these flaws openly may just be a bit of payback for good ol' MS.
These security problems were publically known in September.
What was released recently was sample exploit code.
If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.
The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.
Yes, that's right, nobody. I think we all need to be reminded that using Microsoft products is an act of free will. It's not as if they're the only game in town for personal computers (they used to be) or that you couldn't interoperate without them (that used to be the case too). Furthermore, to run a successful business these days no longer means that you have to use Microsoft products. Lots of people are doing just fine (if not better) without crap from Redmond. (And that doesn't even mean they have to use open source alternatives. There's always Apple which put out better hardware than anyone else. Of course, using open source is good too. What Windows functionality isn't provided on the server by some variety of BSD or Linux?)
So don't say that a security researcher releasing findings before alerting Microsoft is making things "bad" for Microsoft users who are "forced" to use Windows. I have yet to talk to anybody who uses Microsoft products that doesn't acknowledge the weaknesses in the platform or isn't aware of the media surrounding Microsoft's utter failure to make "security their top priority". They (Windows users) know well enough by now that the platform they've chosen is vastly inferior in terms of security to alternatives. And if they don't realize that, they're mindless zealots (who have an infinite loop blocking entry to their site). By now, they get what they deserve and the security community should no longer have to drag its feet (pacing itself with Microsoft) on their account.
Join Tor today!
Line 1: I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.
Line 2: Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down.
Reply: Your choice to use Windows was an illusion. Microsoft is a monopoly. It's as simple as that. When you went to buy a computer, and you walked into the little store, did you see a lot Macs, or a crap load of Windows PCs?
Lazy poster + lazy moderators == Insightful
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Please shut up! It's another lame browser bug, we don't need a 12 year olds perspective on full disclosure every week. Steve Ballmer now gets bitten by his own bullshit, it was posted to bugtraq Thursday and STILL no fix from Microsoft.
White/black hat this, that and lets think up some more buzzwords to make us look great while we sell security services to PHB's.
...the excuse is: [...]forced to use Microsoft products[...]
We don't get to do things our way, but the way to do it is of some snail-like, monolithic "process" which serves no purpose except to feed itself with various reports and other metrics.
You CANNOT quantify everything, nor control everything. Creative work like programming is not a process like building a car with already thought-out instructions.
And slanted in the exact manner you're WHINING about? If you don't like the sound, change the channel- or at least ignore the noise. It's not a hard thing to not bother reading further or commenting on a subject you don't agree with the editorial commentary on, you know...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
2. What amazing encouragement
Somebody get this guy off the stage.
How devastating are they?
Are they hypothetical exploits (as in doable, but in practice, hard to execute an attack with...) or are they holes big enough to pass a tractor-trailer truck through length-wise?
Many of the IE exploits, while they're proportionate to the overall userbase, are disturbingly of the "BAD" (as in Igor's sense of the term in Ghostbusters) variety.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
You know how many applications are just active script in IE? Tons of vertical market stuff, including the execrable QuickBooks. When you tell small businesses to get rid of IE, you're telling them to stop using Intuit software, no can do. There is no alternative to QB, and if there was, your CPA would never permit it (that is, wouldn't sign your tax return).
98lite.net is just a dream for us business owners. Can't get rid of IE.
And for nonprofits, the two leading mailing list managers, Results/Plus and the wretched Paradigm, run in an IE window. Life sucks.
Undoubtedly, you would look upon the history of the last few years, where virtually all attacks (manual and automated in virus/worm code) have exploited known bugs for which patches had been available for weeks or months, and say "that's not PROOF".
And in a mathematical sense, that would indeed not be "proof".
The best anyone can offer you is a "preponderance of the evidence", which might even be "beyond a reasonable doubt" that virtually all sucessful attacks have exploited known vulnerabilities for which the vendor had already created and published a patch.
If you can accept this rather obvious observation, and you can believe that the trend will continue, then it is a very small logical step to conclude that it is overwhelmingly in everyone's best interest for vendors to have a reasonable opportunity to create and publish patches before details of new vulnerabilities are publically announced.
But there is no proof, only a well established trend. So you, supposedly a system administrator, would rather see immediate public disclosure. I'm sure that will appeal to your emotional well being... not being kept in the dark. It will also mean, that as a system administrator, you will need to make temporary workarounds (which often times means shutting off the affected service), while you then wait, with a greatly increased probability of attack attempts. But it will appeal to you emotionally, making you feel better that the vendor got their "feet held to the fire". That ought to make up for the extra time you'll spend implementing the workaround and interfacing with all your users and managers and explaining to them why a service they depend upon (and consider your job to keep operational) is not available temporarily.
PJRC: Electronic Projects, 8051 Microcontroller Tools
It's down even lower on the totem pole than Linux for the same reasons. I negligently forgot about that option because it's just not used all that often around me.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Challenge for the OSS guys:
have you found a good lite browser that does not require installation into the registry?
I use putty at school, and can run it on the locked down windows 2000 stations. I just run it from a thumbdrive or zip drive. are there any browsers out there that have the same ability and some capibilities of modern browsers - tabs & no popups?
This reminds me of the old National Lampoon spoof advertisement:
Photo of a dog, eyes looking sideways, with a human arm holding a gun to its head. Captioned below it: Use Microsoft Software or the dog gets it!
Right, we're all being held at gunpoint to use Microsoft's inferior software. Pull the other one, it's got bells on.
The only reason that the majority of computer users use Microsoft software is because of the illegal monopoly tactics used to stifle their competition. Sure, there could have been choices but MS was given full reign by the government, by its lack of conviction to press the antitrust lawsuit against them, to horn the competition right out of the market. There's no force about which software you decide to use.
At any time, you could elect to download and install a copy of Linux or run Knoppix from CD or download BSD even, or try Lindows or something, *ANYTHING* but Gates's bloated virus propagation technology! Just because you're too lazy to learn anything *new*, don't blame it on some imaginary force holding you hostage to a certain OS.
Notice how I never said anything about the bugs themselves, just about the way they were reported. It doesn't matter what company we're talking about, you should give them time to solve the problem before releasing to the outside world. If they don't, it's their problem, but it's your responsability as a security 'expert' to report it to the vendor/developer _first_.
12 year olds generally are vendictive, much like yourself. And they don't like take responsability for their actions, either. Does this sound familiar?
Violence is the last refuge of the incompetent -- Salvor Hardin
you want to use inferior and crappy microsoft products ? go on
and dont cry if they're full of holes and you get hacked/cracked/whatever
you made a choice by keeping with them
you get what you deserve
Wrong, but thanks for playing.
The 1st world is Old Europe, the white one of Sartre, Isabella, and Machiavelli.
The 2nd world is the Americas, both of them.
The 3rd world is Africa, generally black Africa, although Egyptians and Libyans are Africans, too.
Asia is in its own world.
Real programmers don't write code that sees nearly ten years of general use by average people.
Real programmers only write code that supposed to last six months under narrow circumstances by professional rocket surgeons.
Real programmers design operating systems that require an inordinate amount of intervention by unnecessarily over-informed users for even the most mundane of tasks.
Real programmers require users to write their own scripts to automate even the most mundane tasks. Making using a computer like mudding without looting, levels, or explicit ascii sex.
Real programmers will frequently enter over a million keystrokes without error when planning trips to Titan.
Real programmers will scrub themselves with a rock after having sex with Uma Thurman.
Real programmers, in the history of programming, have never half assed there way through a project by just assuming that a variable could never get out of bounds.
Real programmers only smoke Marlboro, and only after banging swimsuit models into near unconsciousness, and always at least a pack a day.
Real programmers are never intrigued by the offers of ways to enlarge their penises (they always have at least two) in their e-mail, as the comments they invariably here the most of is, "There's no way. It couldn't possibly fit." and "That's no moon! It's a battle station!!"
Ummm, ok, this has gone on long enough. I thought nerds were smarter than this.
Take this kid. It's free.
Maybe he thought he would get more credit for himself this way. Maybe he thought MS would have said they discovered it themselves. That may sound selfish to some, but maybe he has a family to feed.
eat shiat and bark at the moon
Whos forced to use IE. Last time i checked
I can use whatever browser I want and when someone
or some website tries to force me from using
their product because i'm not using IE i can
always work around it. So, why is it everyone
always believes they are forced to use IE. Its
a shitty browser simple solution stop using it.
move on and be happy.
Oh, well, thank you. I'm flattered you think I'm management material.
Sombody already does know about it - we just don't know who.
In nearly every other industry you would be vilified for hiding a critical safety defect. I have seen plenty of recalls that state "Immediately stop using the product and contact the manufacturer for repair instructions." I think it is unconscionable that the software industry feels it should live by other rules.
I absolutely do want to know every defect immediately so I can make an informed choice. If my site isn't doing e-commerce and the vulnerability is low then I may do nothing or watch my server more closely. If it is a high-risk and I'm protecting millions of dollars then my best course could be to shut down. It's all about relative risks.
In this case, what's the big deal? If someone wants to avoid these bugs all they have to do is download a better browser - it's not like ceasing to use IE is a big hardship.
With the way things are going these days, hes lible to get hit with a DMCA based suit instead of being ignored..
---- Booth was a patriot ----
a greatly increased probability of attack attempts
Mildly increased, in my experience. Software, like physics, seems to operate in a "going to happen at this time anyway" realm, and when a vulnerability is found be one person, another person finds the same or similar in short order.
Attack "attempts" are basically guaranteed to succeed if I DON'T know about the vulnerability. Attack attempts should not succeed if I am competent and know about the bug.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Guess you would've preferred that he either:
a) keep it to himself and use it to root your box
b) tell M$ about it, who will as usual drag it out for a few months before even acknowledging that he found a problem.
If you were reading any of the security mailing lists, you'd know that the general experience researchers have with M$ is that it's a big waste of your unpaid time to contact them.
Frankly, if they neither pay you nor treat you with some courtesy, then why exactly should you bother?
Assorted stuff I do sometimes: Lemuria.org
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Truth. But here's the problem. Microsoft's reputation for responsiveness (that is, not!) and collegiality (that is, not!) in these situations is awful. Nor does Microsoft treat those who report such problems with any degree of warmth. Having established its Chinese wall as it has, Microsoft has lost its standing to whine about non-collegiality of the world it has created.
This is the entire point about open systems, or at least openness about security -- it leverages what happens out there. Frankly, I feel more secure knowing what are the leaks, whether they are addressed or not, than I do knowing there are secret leaks out there for someone to exploit without my knowledge.
If Microsoft had a reputation: (i) for assuring that a report of a leak would be responsibly handled and escalated promptly and without agonizing pain on the part of the reporter -- who is doing Microsoft a favor; and (ii) for responsibly, promptly and professionally addressing the problem, I would feel much more sympathetic.
The problem is that they don't. Maybe they will change as they said they would. But until they do, I'd rather hear the news in time to know for what I have to watch out than to have it buried while others who have discovered the leak exploit it.
Here's the thing, it is highly unlikely that any leak that is discovered by me was discovered only by me. Others, less responsible than I, will disover a leak, find the exploit, and either keep it in their "bag of tricks," trade it or what have you. In any case, if I find it, the exploit is likely out there in someone else's hands. I'd rather know the problem than wait for the solution.
Yes, the kiddies are more likely to play if it is readily "out there." But guys, that happens anyway, one way or the other. Beside, Microsoft seems far more responsive to public leaks than private ones -- maybe this kind of report is more likely to assure that the bug will be repaired than otherwise.
And you spend much less time on hold . . .
Seriously, you're small country has telephones but not printers?
It can even be e-mail. If you don't have a problem, most companies don't want to hear a whole lot from you. It's just not that efficient for what you're trying to communicate.
I've written letters for all kinds of things, Dear Jack Daniel's, your new pop-up ads annoy me and cause me to desire to drink something other than Jack and Coke. Dear Amazon, you guys really screwed the pooch on my order. I odered a new product, and you sent me a used product with stuff missing. Dear Playboy, I am recieving spam with your images, please sue these assholes into oblivian and sell their kids into prositution. Blah blah blah.
When you send a company a letter, they think a lot about it. Where it should go, what does it mean. Is it good, bad. Does someone deserve praise or punishment.
Call them up, their goal is to get you off the phone as quick as they can, and if that means outsourcing their call center to India, well that's just what they'll do. They don't want you mad at them, but if you hang up hating Indians, that's A-Ok with them.
Oh. And your Google-fu is ass. Thanks for not trying. I wonder how long you really looked, since my very first query turned up a couple of pages that look like they'd foreward good information to the right people. So was it thirty seconds, or did you and your pal make it a whole minute? Might consider upping the adderall dose. Or consider an extended release capsule, they're all the rage over here in the states.
Millions of people forced to used Microsoft products.... oh what imagery that conjures up. Think Indiana Jones for a second.
/. crowd, right? What is the only browser Google has developed their toolbar for?
I use IE every day of the week and I have done so for years and years without ever a problem. No one has forced me to do so, I'm well aware of alternatives, it's been my choice to do so.
Google is highly revered by the
I cannot begin where your perspective is invalid.
We'll leave it as
"You don't own your PC or Software at work, nor your work process or tools"
"The Sysadmin doesn't, and is likely not, make ANY of these decisions and is not necessarily responsible"
"Many/most places of any size/value have restrictions, sometimes complete, on what you can or can't install on your machine".
Your views are immature and simplistic at best.
"I'd like to know who the editor thinks are "forcing" people to use Microsoft products."
a sp ?doc=/content/32217.htm&pc=001/002/014/007/002&mnu =&mfp=&st=&cy=1
.doc format files (nice to be able to read all the supposedly deleted text, though), or posting Powerpoint files on the web? What are they expecting me to use?
Okay, how's this: The Australian Tax office, for online tax returns, posts the system requirements "Windows 98 or Apple Macintosh with suitable Windows Emulator software installed".
http://www.etax.ato.gov.au/Individuals/content.
So they aren't forcing me to use Microsoft if I want to file my returns online? Looks to me like they are. At least this year they're letting me use Netscape, last year it was IE only...
What about all the government and business bodies that insist on emailing
What about the numerous ISPs who handle Macintosh like a turd on a stick, or offer no Linux support at all? TCP/IP is a real standard, supported by all systems; yet finding an ISP who doesn't expect me to use Windows is uncommon, to say the least.
I'm very happy for you that you decided to use Microsoft products; the MS bashing is (if you take that chip off your shoulder for a second) not directed at you personally, but at the increasing adoption of "standards" which are not really standards. To whit: Current versions of Excel won't open Excel v1 or v2 files (a fact I know from experience). I accept that features have been added over time, but why remove the capacity to OPEN old files? The point here is that proprietary file formats have a use-by date, set only by the manufacturer with no regard to the user's needs; this is true arrogance. Anyone locking themselves into such "standards" (especially in business) could be considered dumb.
As for geeks being taken seriously...okay, fair cop.
So why submit a bug report to microsoft for free? Why be one of the many eyes, in a closed source model? Reporting a bug makes their software better, and better software is why you should pay them $$$, remember? You don't retain any intellectual rights to the bug or fix, so again it's closed source. If you believe that you're making the world better for others who use it, then you're thinking in open-source terms.
Why are we using an open-source bug reporting model to a closed source company? I say make them give you $$$ for things that will make them $$$.
Of course MS wants you to submit bug reports for free (or even make money by submitting through there tech support system), since it leads to better products with no effort on their part. But why would we, the bug finders, let MS pick and choose the components of open source that best suite their business plans, when they go to such an extent to berate it? Why compromise with MS by letting them pick the terms for dealing with bugs that result from their methods of creating and managing software?
IMHO, the world would be much nicer if instead of devoting effort to finding bugs in MS products, we simply stop using their product when a bug is found, and use a corresponding open source product.
Seriously, at this point, if you care about security, privacy, and functionality, you should be using Mozilla or one of its derivatives. It's definitely good enough to replace IE, and every sploit in IE should by right drive more users away from it, and into alternatives.
Using a Moz browser is not nearly as traumatic as switching whole OSes, so I'm a bit less sympathetic to the whole 'give the vendor time to patch' thing when it comes to IE, Outlook, and other replaceable apps.
Programmer 1: "Hey, guys, we've really got to do something about the security problems we've been having with IE lately. Any ideas?"
Programmer 2: "I've got an idea! My CS prof used to joke that you could solve any problem by adding one more layer of abstraction. In this case, it's true. Imagine how totally cool it would be if IE was just a regular application. Right now we've got it tangled up in the OS, but if you think about it, there's really no good reason for that. I mean, why does IE need special priviledges just to load files and render some HTML? If we pull it out of the OS, it'll still work fine, and it'll just naturally be subject to all the OS-level protection mechanisms we've got."
Programmer 1: "What?! You're talking madness, man! Are you saying that we should subject one of our own applications to the same forces we use to prevent third parties from gaining too much market share? Egads, that's brilliant! I'll bet we can even patent that..."
Programmer 3: "Guys, the idea certainly sounds cool, but it won't work. Bill said it's impossible. Don't you remember that Netscape trial thing? I know we're not supposed to ever talk about it, but he said it was impossible during his taped deposition. If Bill says it's impossible..."
Programmer 2: "...then it must be impossible. You're right."
Porgrammer 1: "Damn, you're right. Seemed like such a good idea."
You turned off Scripting for all but "trusted sites," long ago, right? I did. Your users run IE as restricted users, right? Mine do. You used firewalls to block SMB Messenger pop-ups long ago, and indirectly saved your company from Blaster and Welchia before the fact, right? I did.
Or you just dumped Microsoft and made all of your company's staff used Linux or BSD long before the fact, right? And you caught Ramen, Lion, Lindoze and those other dangerous Linux viruses before the fact, right?
Or were you caught with your pants down?
If one of these exploits affects one of the PCs in your care, YOU are the one to blame for letting it through. Not your anti-virus software vendor, not your operating system software vendor, not your firewall vendor. You might think it's not your fault, but will your boss believe you?
Use Evolution instead of Outlook? Bewa
for some of use the company we work for mandates the use of M$oft only products. Therefore we are FORCED to use IE. At home I use Netscape and encourage others to do so.
...where exactly do you hear about holes in Mozilla? It manages to escape the attention of the mainstream press.
built by carefully selected and screened teams of programmers working to build proprietary, secure software." -Darl McBride (on koolaid) c'mon, M$, you're the champion of the proprietary, free-enterprise system--show us that your 'carefully selected and screened programmers' really ARE better than the godless, communist 'numerous unrelated and unknown software developers' ...
I've been able to use the mozilla zip builds on fairly locked down machines. They don't have an installer, they just unzip to any given folder and run from there. I suppose this fails to meet your requirements, though, unless you have a liberal definition of light which OKs stuff >20MB.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
A whole day without problems. You must be very proud. Still live at home? Yeah. Turns out live-in tech support is even more expensive than on-call tech support. And slow, appearently you haven't seen GNOME. But I guess windows can get bogged down. Programs being so easy to install and all. Won't have a problem there with Fedora. HAHA.
Course some people might see that as a limitation. But you and your irrepressible silver linings. Yeah, my 75 year old grandparents love their computer. No one thought they'd take to it. Sure at first there was a little hand holding. But now, I don't even get a tech call every 6 months. Grandpa's installing software, uninstalling software. Grandma is buying and installing a scanner here, a printer there. Oh yeah, she burns CDs.
Who knows what's next. Maybe she'll be sued by the RIAA next year, that would be a trip.
The only downside is now there's the occasional busy signal when one of them is on the internet.
This brings up a usability trade-off with Google. By keeping their web site clean (I love that) it inadvertently encourages keyword only searches. How many people know to use this feature? Not many is my guess and I think it is a little disingenious to diss someone for not having uncommon knowledge.
This also brings up a usability problem with Microsoft. "Report a Bug" should be on their home page "microsoft.com". One should be able to report any and all bugs via one form. The URL I'm reporting below based upon your search is for Security bugs only.
Also, I typed in "report a bug" to Microsoft's search engine on their home page and did not come up with the URL below. How is it that Google runs a better search on their site than they do? If I were a typical user I would not suppose this and "give up" after trying "report a bug" on Microsoft's web site.
Report a security problem with Microsoft here:
The Microsoft Security Response Center
Thanks again! for the Google tip!
Cheers!
Mybrid
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
-- CowboyNeal, editor/sniper
The article does nothing to suggest Microsoft bashing: no motives are given for why the announcement was made to a public mailing list and not to Microsoft.
One might reasonably assume that Microsoft bashing is a possibility; one the other hand, there might be no malice involved. We don't know, and I wouldn't want to guess.
-kgj
-kgj
but that's no reason to make it worse for the millions of people who are forced to use Microsoft products
What would be a better way to get the attention of people that think "MS Windows is great! NO viruses and attacks ever!" than having a huge attack on Microsoft computers? Microsoft would be then forced to check every code fully to avoid another attack. And the users would loose confidence in them. I think that not notifing Microsoft was a good idea.
CHEERS
--RoadkillBunny
Cheers,
RoadkillBunny
Really! There's been like a thousand holes in IE over the years, they keep coming with no slowing down or eevn trending towards end in sight.
Those stupid enough to continue using that piece of garbage or any other microsoft software for "secure" applications, are getting it up the ass exactly like they asked for. The only people I see with desktops infested with bonzo and popups and spyware are retarded IE sheep anyway. The comments from the poster of the article just make me laugh. Security from obscurity isn't! The more exploits the better, the sooner people will be forced to switch.
Go open source, go with glass box solutions.
There's absolutely no reason to continue using IE, it's not as if you have to visit the few websites refusing service to other browsers. Refusal of service to other browsers only indicates incompetence - who'd make business with such a company anyway?
I feel sorry for anybody who's too clueless to download Mozilla and run the installer.
IE and Outlook are the main vectors for all the 'Net nasties. Aren't people getting a litle sick and tired of this crap.
If I was running a business, M$ would be booted out about now for being the rancid piece of crap software that it obviously is.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
.... then it's not a bug, it's a poor design failure...
Which, to the end user, is the exact same thing.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
A lot of corporations have standardized on IE. Not everyone that reads Slashdot is a College or High school kid.
Go take a statistics class. One datapoint does not a statistic make. So (to put it in words you can understand) just because YOU haven't had any problems doesn't mean that there aren't any.
Google is highly revered by the /. crowd, right? What is the only browser Google has developed their toolbar for?
Maybe Google only developed the toolbar for IE because the rest of the browsers already had the features that the google toolbar introduced. Have you even used Mozilla? Or looked at mozdev? Being aware isn't being knowledgeable. Mozilla supports google searching out of the box. Multiple toolbars are available at mozdev.org. To reiterate, say again, and maybe pound it into your skull, the Google toolbar provides some lacking functionality in IE.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
The part about this story that gets to me is that a single person finds 7 (!) holes/exploits by himself. Makes one wonder just how many things are left open simply because no one has looked at them yet. Scary.
a lot of people seem to mistakenly believe that a computer, like any other appliance, should just work, not require you to work it.
So instead of the user working the computer, the computer should just work... YOU?
please geez quiet your job that is unthinkable. quit now so you company goes out of business and its misery is put to quick end.
a quick search on google found this maybe they'll help
searched for: computer jobs
1. http://www.computerjobs.com/homepage.aspx
searched for: computer jobs linux
1. http://unix01.sac.edu/jobs.html hope this helps
Seriously, why should anyone take the time to give Microsoft an opportunity to spin this and cover it up? If Ford were making trucks that randomly explode, and some independent study discovers this, should they keep it hush-hush to save Ford's PR? Of course not. Microsoft's reputation will suffer a bit from this, as it should.
But there is another kind of evil that we must fear most... and that is the indifference of good men.
what makes you think you have to be a college or high school student to be free of IE? please my company uses gecko. we've been enlightned ;)
Get over it... the VAST MAJORITY of people use Microsoft products by choice. I do know, on the other hand, at least 2 people who are FORCED to use Linux products and hate every minute of it. One even quit his job because of it.
/. a bad name.
Uneven biased reporting like that is what gives
Will the new 'MS String Vest' have the rainbow butterfly guy? I rely on him to sterilize my telephone and sanitize my periodicals.
Sure, my computer is rooted and spends most of its time trying to infect all of my neighbors, but my telephone never smelled fresher!
While I agree with what most folks are saying about the security researcher not following proper exploit discovery etiquette, keep in mind (and this is not flamebait),
He *is* from China, the country who is so frustrated by Microsoft that it's making its own, full-scale flavor of Linux. The country who may see most of the Western, MS-using world as a competitor. A country so big yet secretive that security practices may be subtly different over there.
Disappointed? Sure, you can be disappointed in how this went down. Though it may be an apple judging an orange.
Surprised? I don't think you have the right to be surprised.
RD
I've never worked at Microsoft, so I'm just speculating here based on what I've heard and what I've read on the MS Career website, but it seems to me that the type of developer that MS is likely to hire is the egotistical, arrogant "my-code-is-better-than-your-code" type of developer. Sure, some these individuals may be extremely smart and be able to pound out thousands of lines of code a day, but the thing is, the "cowboy coder" attitude does not work well when putting together large and complicated pieces of software. In such projects, there are times that developers need to cede to the fact that there may be a better way of doing something than their way, and writing some obscure and cryptic piece of code -- while intellectually satisfying -- yields systems that are not robust and hard to maintain.
You make me laugh my ass off! Do you really "know" how many times UNIX has been written, and re-written?
... fork() ... X fonts. ... C Library (strcpy anyone?). ... NFS 3 security. ... Threads. ... Inter-application communication among GUI apps (Cut+Paste). ... /etc/passwd. ... config files everywhere. ... all the rsh, rexec, r???. ... sendmail security.
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
Yea, well thought-out
On and on and on...
Throw me a frigg'n bone here! Linux/Unix is a case of evolution in action, not something that was writ in stone. Linus needed a security blanket, but ended up with a mosaic quilt.
Mod parent down!
http://www.ipodbattery.com
While alerting the vendor first if you are a real security researcher is the right thing to do, what if you aren't a "real" security researcher, and all you want to do is piss them off and give microsoft users with a clue yet another chance to regret using microsoft products?
It seems pretty clear that this is what has happened here.
Thunderbird is a marvelous replacement for Outlook [Express]
Unlike Mozilla Thunderbird, Microsoft Outlook Express can fetch mail from MSN Hotmail accounts. However, several POP proxies that access Hotmail exist. Is the installation of Hotmail Popper easy enough to recommend it to former Outlook Express users?
"The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list." The part about the post, CowboyNeal, that gets to me is that many Slashdotters think that a Chinese researcher would have any concern for users of western products, i.e. - Americans, whatsoever. The Chinese (gov't) , generally speaking, don't consider themselves friends of westerners. As you know, they plan on dropping MS products. Like it or not, there are us ... and there are them.
Remember, the government of China is going Linux. This may be a policy move by China to start working on Microsoft's market share.
Preconfigured PC's without local administrator account. None of the web-apps work in Mozilla: expense reporting, purchase, HR,... What's really crap is that these apps are made by big software companies like SAP. You'd expect SAP could come up with something cross-browser...
10 ?"Hello World" life was simple then
First of all this guy doesn't even own a computer! Here is his impassioned please at the end of one of his posts to bugtraq.
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
[Employment]
I would like to work professionally as a security researcher/bug finder.
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract, relocate,
or telecommute.
[Give a Hand]
I haven't got a job as a security researcher yet and my family don't support my security work - so, I don't have a computer of my own. Please consider about donating at:
http://clik.to/donatepc
Can anyone tell me how someone who can't afford a computer on his own is able to stop the impenetrable security juggernaut that is Microsoft?
Actually, I'd say most Chinese are capitalists. They just love material wealth. This is based on what I have observed in my own family, and around the world in the near-universal Chinatowns. Another example is the founder of Yahoo, the youngest millionaire yet - he's Chinese, and started off very poor.
In '1984', they gradually made it impossible to think of the government in a bad way by sweeping away words, changing connontations and words with two opposing meanings when applied to different objects.
In the company where I work (a large bank, 40000 work places) the latest IE security patch caused grave problems with (client certificate authenticated) SSL connections. Many internal applications broke down at random after about 10 minutes. This is costing massive amounts of time and money.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
While I agree that all vendors, even Evil(tm) ones, should be notified and given adequate time to fix a bug before exploit code is published, I disagree that there is no reason to "make it worse for the millions of people who are forced to use Microsoft products". There are plenty of reasons.
Making things worse for MS users will lead to more people objecting to being "forced" into using MS products (the word "forced" is used loosely, as in your post). The more people that object to the monopoly, the less likihood that the monopoly will continue to thrive. Whether you admit it or not, the proliferation of MS security exploits in the form of viruses, worms and any other means, is a big part of the recent success of the adoption of open source software around the world. People are getting fed up with viruses and security problems on their PCs, and looking to alternatives. Just by looking at alternatives, the world is coming to realize that there are better ways to get software than paying a vendor for a licence to use binaries, under restrictions.
Another reason is that Microsoft itself is getting fed up with the problem, and so maybe some day they'll change their ways and maybe get a part of a clue about security. This ties in with the first reason I cited, in so far as their present solution to their security problems will only make people dislike them more than they already do. MS constantly blames the users for problems in MS software, so their solution is to remove control from the users and put it in the hands of... whomever. This is more good news for MS alternatives.
There are a multitude of reasons that stem directly from the first reason that I mentioned. Lots of good things will happen if the monopoly crumbles. After only a few crumbs have come off the edges, there are already benefits. For example, poor countries are now much more able to build up their infrastructure, thanks to the existence and advocacy of alternatives to the monopoly. The monopoly itself is bad for security: some of the world's leading computer security experts have argued that the lack of platform diversity is itself a security threat. There are many economic arguments about why monopolies are bad.
So MS users may have some pain coming their way, but in the end the result will be beneficial for society.
Hmm, Yoda thinks that you're too much of a pussy to quit your job.
In a reasonable job, I'm being paid to do the job, not to use some product the boss wants me to use. (Unless the use of the product is itself the job.)
And if I'm an expert in the domain in question, or even just a very knowledgeable person in that area, and I want to use a specific tool that will make me more productive and costs no more than the tool the boss wants, the boss is being a fool, an incompetent and a petty dictator to impose his notions of whats good on me.
I wouldn't release a public vulnerability report, myself, before contacting the developers. That's just because I'm an ethical person.
On the other hand, Microsoft is notorious for conducting itself unethically, getting what it wants by any means fair or foul: breaking standards, threatening vendors, crushing competition, spreading disinformation.
I won't lower my ethical standards one nanometer just to take a shot at Microsoft, but its conduct makes it easy for me to forgive someone who does.
Fair play? What standard has Microsoft set for fair play?
This does not prove anything. Is someone FORCING you to work at this office where they (oh my god) want to use software that works?
b)Umm, you're saying that because you have to use Windows you can't meet deadlines? OK, GOOD ONE :) Seriously LOL, you are one in a million because millions of people do meet deadlines using Microsoft products. You must be retarded.
c) Problems cause problems -- IE sux rox, so now the firewall gets tightened up to keep away all the bad things, so now the Internet becomes basically unusable for all employees. No one thinks of moving away from IE.Oh, now I know that you are clueless. IE does not stop working unless you shut off ports 80 (http) or 443 (ssl/https).
Nice try loser.1) You have no right not to be offended
2) Nobody can offend you without your consent
Now there's a metaphor that lost me halfway through. Is slashdot the ocean? In which case you imply that being a microserf on slashdot is an adrenaline rush. But then why are you whining about being offended?
Using Microsoft products is not genetics or how we were raised. It's a choice and we're damn proud of it.
"Sing it now and sing it loud, I owe soul to MS and I'm proud."
OK, so that didn't scan. Still the idea that there are these poor abused MS fans on slashdot who somehow need help to be protected from all those nasty linux/bsd/macos/... users is an amusing one.
And I'm still trying to figure out just how anyone can derive pride from having selected a specific product line (whatever that product line might be). I can see the marketing opportunities now:
"I eat Big Macs and I'm proud!"
"I shop at Safeway and I'm proud!"
"I drink Pepsi and I'm proud!".
Nope, sorry, still doesn't make sense to me. Why not be proud of an accomplishment that actually took you some work, instead of a marketing decision made for you? "I installed gentoo on a C64 and I'm proud!" (Now that would be something to be proud of.)
The headline "New Security Hole found in IE" hardly qualifies as news anymore...
Nobody is forced to use Microsoft products. Maybe this will wake them up. (We can hope...)
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
That was my initial reaction too, but then I asked myself why? Why must the manufacturer be notified first? All Linux expolits are announced publically aren't they? Or am I mistaken? If defects in Linux can be made public and fixed quickly, why can't commercial software be done the same way?
Ruby on Rails Screencast
>If he would've reported it to the vendor (in this case Microsoft), it wouldn't have been 'a known hole', but to the Microsoft developers. They would've came up with a patch...
Oh... you mean like this, this, this, and this?
Oh spare me the tears and violins. If you work for some company whose idiotic IT policies mandate the use of microsoft virusware, then the company loses.
But the point is, _nobody_ is forced to use ms ie on their _own_ time.
I submit that people who have their network setup properly will not get burned. Have you ever been burned badly because of an MS exploit? I've been running MS networks for 10 years and I've never been hit except for once when I got the NY Boot virus (when I was 17) because I left a floppy in when I booted. Then I learned how to protect myself and those I work for (and my family). Do you think Open Sores software would really be better if it was as widely used as MS products?
I'd rather have the key within my grasp than be playing carnival games with my belt.
None. I install my own OS (Windows XP Pro) and then I install VMWare so I can run Linux.
When you buy software, what OS is it generally designed for these days?Windows of course, but that still doesn't mean that I'm forced to use it. I know lots of people (my Mom) who (gasp!) *don't even use computers*! Wow, imagine that.
You didn't make a choice other than to accept what was forced upon you- just like all the other good little consumers.Actually, I choose to use Windows because it's the best Desktop OS out there, I was not forced. You *nix zealots don't try to force people to use the OS that you like though, do you? (smell the rhetoric)
I can't believe anyone can type that [Windows is more usable than Linux and cheaper than Mac OS] with a straight face.
Which of the consumer-priced scanners, printers, modems, and WiFi cards currently sold at Best Buy stores comes with Linux drivers on the CD? This is currently the biggest usability issue blocking GNU/Linux on the home desktop.
jesus man, we are talking about microsoft here. microsoft, you know, the company with their arm up SCO's greasy ass? a member of the business software alliance? a company that has plead guilty in to monopolizing in a civil court? a company that is actively trying, via drm/tccpa to make it impossible/illegal to use any other operating system? a company that has been pro dmca from the start? a for-profit corporation that has enough cash money to feed pretty much every human being alive for a good couple of years.
let them find their own security flaws, they have betrayed the populous in to many ways to count, and expecting in any way for the people out there to help them out is hipocracy, and just plain vain.
aren't these people trying to dumb down the entire computer feild? isn't this the same company that forces you to sign onimous eula's before installing any of their products, usually meaning you give up things from the ability to speak freely through your computer terminal, the one's who copyright all material, theirs or not, that falls within their servers? "microsoft: pay to suck our shit, and like it"
flaky, insecure and purposefully crippled operating systems or programs are one thing, but when the company or group that put's said operating systems, or programs out is also a group of pirates that has been called on everything from supporting frivilous lawsuits, to widespread fear, lies, and deceit...this is the where the line must be drawn.
if this is giving microsoft a hard time, then more of it is needed.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
They should at least have the chance to do it. For me, 72 hours seems like a reasonable timeframe for Microsoft to reply to his report. If they didn't, _THEN_ go public.
Violence is the last refuge of the incompetent -- Salvor Hardin
No one is forced to use their shitty products, get the crack pipe outta your mouth and talk sense.
The only things in life that I am forced to do are to shit and die. Thats it.
If I hit sites that "need" me to use java or javascript, or cookies for that matter, I go somewhere else, it's that easy. The net is a huge place and you can always find what you are looking for elsewhere. This pertains to online banking also. They require it, I go elsewhere or don't use it.
Is someone FORCING you to work at this office
"Work or die." Proof: Without working, I cannot obtain money. Without money, I cannot obtain food. Without food, I die.
"Work here or do not work." Proof: No companies have been advertising that they want help in my geographic area.
Nice try loser.
Please refrain from eating for seven days to experience what it feels like not to have income.
Will Slashdot report it if it does?
All signs point to no.
A good policy would be to:
1) inform the company first
2) if no reply in 24 hours, release information publicly
3) if reply, and clear - and reasonable - timetable for fix given, wait and see
4) if first milestone not reached for whatever reason, release information publicly.
Except for point 3, I don't see why this information should be witheld or why the person who discovers a security hole should do a corporate dance, he has already done everybody a great service by finding a security hole and not exploiting it.
As in this case, MS is now obliged to fix these issues - and a couple of them were already known for a while, so we better hope they fix it in time.
As in the case of Apple's latest exploit, there's no doubt the release of information has done more good than bad.
I was able to protect myself against something I previously was not aware of. Now I can be as zealous as any mac owner, but screw everybody who thinks this information was a "bad" thing, for whatever misguided reason. OK, so it's a feature, and certainly not a bug in the traditional sense, but it's easily exploitable and that's what counts.
Cheers
I think, therefore I am...I think.
'The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.'
Maybe he didn't know, or maybe he just didn't care, and if it's the latter, how can anyone blame him?
How long do people have to put up with MS before they finally stand up and say they've had enough?
No - no mercy for MS.
People with glass box solutions shouldn't throw stones.
DCMonkey
The Opera browser has no patch mechanism, when security holes are reported to them they have to release a whole new version. The new versions always include extra functionality, they will also disguise buffer overflow fixes in their change log as "Crash Fixes" etc.
> The only people I see with desktops infested
> with bonzo and popups and spyware are retarded
> IE sheep anyway.
One of my local computer suppliers puts IE (and no other browser) on his hand-built computers on purpose. He *wants* the customers to bring the machines back after 12 months, full of bonzo and popups and spyware. Then he gets extra money for doing a format and reload.
These customers are not retarded IE sheep. They're exploited victims who buy in good faith and find their innocence cynically used against them for private commercial gain.
To use the original Reuters link.
2 73
http://reuters.com/newsArticle.jhtml?storyID=3909
2000/XPlite is a great program. It's based on the famouse 98lite which did what Bill said couldn't be done. It removed IE from Windows. Removing IE removes it from memory which makes your system alot safer. Intrusion Enhancer (IE) is a far cry from safe. Talk about integrated exploits.
i used to have memory leak issues with my win98 box, while running IE.
i switched to mozilla, and mysteriously the errors went away.
my friend was having problems keeping his system up for >12 hours at a time when he needed it.. but was able to keep his system online for days when he wasn't using it.
i told him to use mozilla. his uptime is now 2-3 weeks between reboots (more than enough for a standard user).
my brother was having laggy computer issues. he couldn't copy/paste, his mouse wouldn't respond, his modem wouldn't disconnect, and all sorts of other things were going wrong.
i suggested some a/v, adaware and mozilla. he's now virus-free, spyware-free, and hastle-free, as mozilla has (once again) solved memory issues, stability issues and everything inbetween.
seriously. i don't know what they put in it (maybe every fresh install of mozilla is blessed before being downloaded?) but if you have _ANY_ problem on Windows, odds are you can solve it by replacing that component with a non-integrated one.
Remove IE and stop having memory problems.
Remove Outlook and never worry about a virus, ever.
Remove Windows and... what, solve world hunger?
Several open source projects are gaining steam: propolice for stack protection inserted by the compiler PaX for address space randomization, page executable protection, etc . It doesn't matter how sloppy the userspace code is - if the stack is comprimised, the process is killed before it can do damage. It won't catch every possible comprimise but it's a great start. Check out the Hardened Gentoo Project for a working implementation.
I took it to mean there were no 'sploits available. After all, if there is an exploit, someone had to at least test it. No "reported" attacks would be more likely, but who would report or even know about it right away?
I agree that this has more to do with the slashdot's slow-ass posting policy then any ignorance on the part of the submitter.
autopr0n is like, down and stuff.
The Moz and Konq teams didn't tie their browser deep into the OS. It's a stand-alone app... what could it break?
Having browser functionality in the OS is nice, but what Microsoft should have done is shipped with a 'local-only' version of IE that never runs outside code for showing all the pretty DHTML chrome in windows. They then should have had a very simple, modular, API for showing un-trusted HTML, which users could replace with Moz, Opera, whatever.
autopr0n is like, down and stuff.
And this total interdependence runs counter to just about everything they teach you about Software Engineering. Small, independent pieces, wether they are command line programs or COM objects are the way to go.
autopr0n is like, down and stuff.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
That's probably because there are a sizeable number of people who are more concerned with embarassing Microsoft than getting the problems fixed. If the researcher had at least notified MS at the same time as posting it on a public forum, the fix could potentially already be underway...
Apache releases patches for the 1.x and 2.x branches when security glitches happen, why the hell would they patch versions older then 1.3? It doesn't cost any money, and I'm sure they're not incompatible or anything.
autopr0n is like, down and stuff.
Oh for crying out loud - If this is the Liu Die Yu six-step attack, it's using holes that were reported up to TWO YEARS AGO!!
What's been done now is simply to prove to Microsoft that when security researchers report a weakness, they'd better READ THE REPORT and act on it. I have acted, I am using Windows at work when I'm paid to, but use IE strictly on intranet sites that don't work with anything else
The chinese security researcher isn't named, but most likely they are talking about Liu Die Yu. He's been finding a lot of IE exploits in the last few months. He basically took over Thor Lorham's work after MS bought off Thor. What's the point of him telling microsoft? IE exploits almost NEVER get fixed. Thor's old list had more than 20 IE exploits reported to Microsoft that were never fixed. Liu took 5 of them that ms deemed non-bugs and wrote an exploit chaining them together. Microsoft is full of crap. They only fix high publicity holes that make them look better.
That single sentence about playing nice with Microsoft probably generated a few thousand ad impressions.
/. guys for expertly trolling their reader base...
I have to hand it to the
Are you writing hardware drivers or something? Most applications for windows could be written in Java, or to POSIX or something and still work. Unless your program can't work without the undocumented behavior, then it's probably not worth the risk to use undocumented procedures. Why not just avoid the buggy stuff?
autopr0n is like, down and stuff.
If you report it immediately, BillG might get his response time down from 1.00000 year to 0.99999 year.
gewg_
Really? Can you cite a case where MS pled guilty to anything?
"enough cash money to feed pretty much every human being alive for a good couple of years"
You must be an idiot. Do you really think you can feed 6 billion people for 2 years (a total of 8.7 TRILLION meals) for $50B. That's 175 meals per dollar.
How did your stupid rant ever get a score of 1?
who is forced to use IE?. This is not a 'vertical application', there are free and non-free browsers that work much better than IE: they are much more secure and with options like tabbed browsing and pop-ups blocking.
If people is concerned about security, they should change. If administrators are concerned about security, they should (at least) advice their users to change. I don't think we should blame that researcher for his discovery. I think users should be aware of this things.
This really peeves me. Slashdot is abysmal at getting their source right. This *is not* a Yahoo News story, it's a Reuters story. One look at the article would tell you this.
um.. so you complain that the reseacher didn't inform ms first before posting it, but somehow it's okay for you to post a link to it on slashdot ?
Isn't that a bit like calling the kettle black ?
"Invalid ContentType may disclose cache directory"
My Classification: Minor
This isn't all that serious. The major threat is that a hacker could get your cache directory. The downloaded web page runs as part of the "internet" zone, meaning that there is no privelage elevation (IE has a zone system to give different pages different privelages).
"LocalZoneInCache"
Moderate/Severe
This is more serious. It allows an attacker to modify files on the system or worse. Note that this *is not* the same as a root exploit, but it could be as damaging as running an executable. Note that the user *does* have to choose "open" in the download dialog, but they are not warned about the security risks and may not consider them as the file extention is ".htm".
"MHTML Redirection Leads to Downloading EXE and Executing - Remote Compromise(requiring MYCOMPUTER zone)"
Moderate
This is somewhat less severe. It allows an attacker to download and execute an executable, but only if the user has already downloaded the page, saved it to disk, and executed it. The user might assume (incorrectly) that the file is safe.
"MHTML Redirection leads to local file parsing in INTERNET zone"
Severe (If an issue)
I was not able to reproduce results with this veulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to parse the contents of a local file. They would need the absolute path. This could be used to discover potentially private information.
"HijackClickV2 - Adding a Link to Favoriate List(requiring clicking a link)"
Minor
This would allow an attacker to add their site to favorites. The user would have to click a link and would have to release their mouse button over the favorites list (which is placed under their cursor after clicking the link).
"execdror6"
Severe (if issue)
I was not able to reproduce results with this veulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to run an executable on the user's system. The user would have to click "open" on an HTML file download. Security warnings would not be displayed.
"BackToFramedJpu - Cross-zone scripting(requiring a subframe in victim page)"
Moderate
This could allow an attacker to execute code in another security zone. It could potentially be used to execute code in the "my computer" zone if the attacker knows the location of a local page with frames.
I'll comment on the rest later.
I hate to burst the bubbles of all those people complaining about Liu Die Yu releasing this exploit "now," worried about all those evil people that will use this horrible exploit against the world, but Liu released a "Six Step IE Remote Compromise Cache Attack" which was composed of most of these "new" exploits almost a month ago. Those people in the security world that really pay attention have known about this for quite some time already.
Liu was even kind enough to reiterate the fact that some of the bugs he was exploiting were quite old, the oldest being 2 years. Sounds to me like Liu's "careless" approach to releasing these exploits "without contacting MS" may actually make a difference. mmmm?
"The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list."
Maybe because doing security research costs money, and Microsoft, its 70 billion plus self, has in the past used such research freely without contributing back, and has even in the past publicly defamed said researchers, refused to fix the problems, refused to acknowledge the source of the research, or secretly fixed the problems, never telling the public there even was and is a problem with older distributions.
I was on bugtrack awhile when XP first came out, and Microsoft was completely unethical. They don't deserve the light of day. Pointing out problems or offering free tech support for a bad product to end users simply enriches a greedy man, Bill Gates, who will turn around and use his corporation to call you a "hacker" for knowing without being a licensed microsoft professional. Support open source software and community efforts with bug reports and support, and you will be helping everyone, not just one man.
It costs money to test, identify, locate, describe, and report bugs.
Reporting bugs in MS products to MS before releasing the bug report to the public amounts to working for MS for free, while MS makes huge profits foisting substandard, crappy products on their customers in the first place.
Until MS demonstrates a proper respect for their end customers, their privacy and their personal data, and ceases to expose their customers through entirely unnecessary software defects, I see no reason why MS or the reputation of its products should benefit from unpaid private disclosure.
If I believed MS had made a fair calculation up front about the balance of features vs the risks devolved to their user base, I wouldn't take this position. There has to be a feedback loop somewhere in the system to punish MS for the consequences for the unfair balance they chose to pursue.
Arguments that amount to this don't impress me: "millions of people use MS products, and these people are all being held hostage by possible exploits of defects created by MS, therefore it's the messenger's fault".
When MS offers a $10K bounty for every verified bug reported ethically by a bug researcher, and fully discloses the number of bounties paid, and for which bug fixes, then I will believe that MS has regained a moral position to demand this concession from the bug research community.
My only motivation in discovering and reporting a bug in IE would be to help create a corrective force to end the business practices which created this situation in the first place. How does offering my services to MS for free accomplish that goal?
Could also be a symptom of informal economic warfare. Why should a Chinese researcher do anything differently? It's going to hurt foreign businesses more than it hurts Chinese businesses (using the official non-MS OS). In fact, I see a good niche for Chinese Intelligence. They could research new ways to take down the electronic side of the Western economy and indirectly cripple the single largest employer of US programmers.
While it may be poor practice to announce holes publically, it matters little whether or not exploits exist.
It also is irrelevant if there is a patch for it.
At some point any sane person would evaluate if there is ANY case to be made for running Internet Explorer.
Give the track record it is irrelevant if any single exploit or bug is handled properly.
If it is not this bug that gets you , sooner or later it will be SOME BUG.
Anyone still allowing IE to be on a system is essentially in a position that they WILL be exploited, sooner or later.
We waste our time and efforts discussing these fine points.
What we need to be doing is ensuring that people realize that IE is not a sane choice for ANY user.
If that means they have to get rooted before they accept this, so be it.
They WILL get rooted eventually, so why not sooner than later?
No amount of patches can prevent that simple fact.
If you own a worn out car, fixing broken components does not make the car more reliable.
If you have to take a long trip, you need a reliable car.
In this case a new car is FREE, so why waste resources trying to fix the broken one?
Maurice W. Hilarius Voice: (778) 347-9907
Hmmm who modded this troll up as Interesting, ok I'll pretend this is not a troll, and answer, what M$ has done with bimbo's and IE is not just code reuse, they have not just used some of the same libraries again, they have tightly coupled, them together, so that they cannot easily be separated, parts of windows code was put into the IE libraries, were it doesn't belong in order to legitamise their claim that the two are so called integrated, butchered would be a better term, this is why all of a sudden installing IE even without the "IE desktop", changed your system libraries. In addition inorder to further the same goals or out of shear incompetence, M$ have hooked the two together, via global variables and functions to the point where the one cannot exist with out the other. This is not code reuse this is bad design, and infact the oppersite of structured programming, which is the basis of real code reuse.
You really don't know the first thing about coding do you, when you use a library you do not cut and paste the code into your own, you use their functions and stuff, so all that had to happen with gzip was they fixed the library, then if another project was staticly linked to the library it would have had to be relinked to the new library, but as the majority of code is dynamically these days, most programs would only need you to update the dynamic library on your system, and whala, all programs using the library are fixed next time you run them.
in my life God comes first.... but Linux is pretty high after that
Francis Smit
> The part about this story that gets to me is
> that the researcher didn't alert Microsoft
> before posting to a public mailing list.
I know many people will scoff at the following
but the "researcher" (article didn't identify
him/her) in question may be a Chinese agent
provocateur whose job is to commit economic
sabatoge against U.S. interests. The bugs may
be real and it doesn't excuse Microsoft in any
way, but I think we should all be sensitive to
such possibilities. You (a U.S. citizen) may not
like Microsoft and you may regard them as the
evil empire but malicious activity towards U.S.
companies should not be supported. What hurts
a U.S. company probably hurts you, the U.S. citizen.
Just a thought...
Besides what does he care 200 million of his mates over the next few years won't be using IE!
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
So you then submit this story to SLASHDOT?! WTF?!
Why don't we just announce the secure things we find in IE instead of all the holes. It would save slashdot a considerable amount memory.
Security Holes in IE!? Impossible! After all, Gates told us M$ is making security a priority, right? The question is, if that is so, why did it take a Chinese researcher to discover these holes, rather than a highly skilled MS security team? One hole, maybe, but seven at one shot? And as for posting it first, well, in the past MS has seemingly ignored major holes pointed out to it. Or taken weeks even months in some cases to deal with holes. Maybe some people just don't see good reason then to trust MS to act unless it is posted publically, which seems to light a fire under MS. Which is MS's fault for often seeming to only care when a hole is made public. Thankfully, the script kiddies aren't as smart as Chinese researchers.
You might want to take this clue: You didn't NEED to reply to my comment. You didn't even NEED to start the thread. You like Windows. FINE. I'm not going to berate you over it, but if you don't like the editorial slant, you CAN go elsewhere. If not, well, deal with the slant then. You don't see ME going and whining about the OBVIOUS bias on ZD Net sites or any of the Windows specific tech sites, etc. Why should I cut YOU any slack on that regard?
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Uh, dude, if you're using VM-Ware to run Linux, you're going about it the hard way. Not to mention you don't get things like 3D acceleration, etc. and it runs a hell of a lot slower.
And, NO, I don't try to force people to use Linux- but a LOT of Windows people try the other way around by way of sending Word attachments, etc.
Think about it.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Your mare always has only the old, good holes!
come on people this is no rocket science.
You use IE, you get what you deserve!!
Sprinkle a healthy dose of bugs, and scare people into paying for the software to get the patches. And if you bloat the code, it makes it that much more difficult for vigilant coders to fix the bug themselves.
If he had informed Microsoft they probably would have ignored him till he said something public then sue his arse.
So if you chop the first step and post annonymously to a public forum you relieve yourself of a bunch of hassle.
Did the senators that drafted the DMCA think of this?
The original discussion dealt with common code in the form of shared libraries. You're talking about code snippets that have been pulled from their original project and hacked for various special purposes. So what? Anybody who does this deserves what they get, including myself since I was affected. Let's stay on topic. There's a big difference between sharing source, static linking, dynamic linking, and intentionally buggering shared libraries to force an (un)favorable dependency graph.
The problem is as with many in the past that most poeple configure their Windows boxes so that every user has all priveleges. If you don't do this, IE doesn't have enough priveleges to mess up your machine.
If you make all users super users on UNIX you have all the same problems and them some as if you do it on Windows.
Moral of the story: don't run with super user priveleges if you are concerned about security.
"Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited." Are you "forced" to use Microsoft products? Even if you don't want to try the freely available Linux and FreeBSD etc.. OS's you can still use alternative browsers like Netscape, Mozilla, and Opera to name a few even if you remain in the windows environment. While your at it, ditch Outlook for a real email client too ;)
Remember, you have the freedom to chose!
RebateFX.com - Spread rebates for Forex traders
Hmmm who modded this troll up
-5 for simply a cheap intro -- you disagree with it, therefore it's a troll. I disagree with you, so I suppose that makes your post a troll.
M$ have hooked the two together, via global variables and functions to the point where the one cannot exist with out the other. This is not code reuse this is bad design, and infact the oppersite of structured programming, which is the basis of real code reuse.
-3 for using the unbelievably dated and juvenile "M$". Secondly, you're so obviously uninformed and with nary a clue of the "Windows world" that the fact that you are so willing to proclaim your ignorance (albeit indirectly) is disturbing.
Every modern operating system (which isn't the pedantic 2nd year CS pedantic definition of operating system) has a method to render HTML. Microsoft, pursuing code reuse, took this further and utilized the shared code for elements such as the help system (which is entirely based around the IE renderer). It is integrated because the code reuse made sense.
You really don't know the first thing about coding do you...blah blah blah...most programs would only need you to update the dynamic library on your system
This was, which was stunningly obvious, exactly his point -- most code should be using dynamic libraries (which is code re-use, such as the re-use of the IE libraries that you "outed" as incompetence above). The problem is that lots of code isn't using dynamic libraries, or are reinventing the wheel. This whole issue was the question of "why would IE break 3rd party applications?" when you yourself answered the question "because they use the shared libraries, and thus are fragile if it is fragile".
You tell a company they have a bug, and give them a time limit before releasing the information, you'll get a C&D, and an order from a judge not to talk about it, and possibly get arrested for 'extortion'.
No, the best overall practice is immediate and loud exposure. While this may allow people to write an exploit, it does have benifits:
1) The company must fix it or face a PR problem
2) The company can no longer say they were unaware that the product they license you has a bug.
Yes, millions of IE users are at risk, but that is the strength in doing this, you'll get a lot of people to 'cry' for a fix.
If this type of information sta7ys quite, people will begin to think IE is fixed, and that they are perfectly seure with its use.
The Kruger Dunning explains most post on
"This magic box. all internet inside."
The Kruger Dunning explains most post on
I'm not insane enough to spend my money to report bugs to Microsoft. I've found at least 5 this past year. Some I've reported on Usenet, looking for other people to confirm, and give workarounds.
I've found that I usually get confirmation, but not generally worthwhile workarounds.
I certainly am not going to go wasting my time trying to figure out how to report them to Microsoft without costing me money. If they wanted bug reports, they'd have an easily discoverable avenue for them, such as the "Submit New Bug" links on sourceforge, that are really easy to use.
Its common knowledge in the developer community within which I work that the Microsoft site search is not worth a damn.
Searching google using the site selector keyword is far better, but, at the end of the day, Microsoft's tendency to move their pages around and obsolete all links quickly, with no forwarding links, makes it so commonly an exercise in frustration that it is a common knowledge joke that they don't want people to find information.
You make the case against product liability, I think ?
I mean to say, you make the following argument ?
**
If you use a product that was shoddily developed, perhaps by a company that tries to keep information about their mistakes from the public view, then you are responsible for any harm that comes to you (or to your family), not the manufacturer.
I thought about it. Actually no, Linux on VMWare (v4 not 3) runs great, have you ever tried it? I give it 256MB of Ram out of a total of 512MB that I have on my P3/1Ghz Vaio. I also have Windows tweaked so it only uses the most basic services, I don't use Themes, and all the "menu" effects are off, so it runs very smoothly. Furthermore, desktop performance of *nix is usually worse on the same hardware because Microsoft gets the drivers developed for them by the manufacturer, whereas Open Sores users have to depend on some backwater geek or college student to develop a video driver for them.
Besides, I don't care about 3D acceleration because I'm not using it to run games or any graphics/desktop programs (that's what Windows is for). I mostly use it to test software and keep up with *nix/bsd technology in case M$ ever goes away.
You really think people are trying to force you to use Windows because they send you Word attachments? I thought that Star/Open Office could handle those now... It doesn't matter, none of this means you're being forced to use Windows, it just makes it a little harder to use Linux. Kind of like people who *decide* to drive Diesel cars/trucks. Think about that :)
You mean to tell me Microsoft's wonder that so utterly slaughtered Netscape and all comers, their embedded wonder that can't be de-coupled from the operating system, you're telling me that its bug ridden, that it's full of holes, that they pushed this crack-baby out just to kill the competition? And now people are feeling sorry for MS because they didn't give the beast notice before announcing the bugs and flaws? To all those feeling bad for MS: GO EAT COW DUNG!
Isn't that kinda like potholes on state roads...even though you might not hit one today, you know there's alot of em out there...and boy does it suck when you find one...
Until M$ removes IE's death clutch on the OS (read never), there will always be bugs that cause havoc with the OS.
OS-Browser integration was the worse idea since Bob!!! (another M$ "innovation")
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Why should he? Would M$ show the same courtesy if it were a bug in Mozilla or Linux? What about the open source public reporting method? Hasn't that worked out? Isn't it better to let ppl know in advance that there's a bug that should be dealt with...
I would argue that just because it's proprietary software doesn't mean it shouldn't be treated the same as open source...the argument could be made that M$ doesn't have nearly as much developers as the larger open source projects, and I'ld have to agree...as a matter of fact, I think M$ should probably hire some more coders to deal with their shortage...maybe even help the job market some.
The truth is, M$ should be able to at least release info on a work around in a couple of days...and if there's no way to create a work around, maybe they need to rethink their how their code is setup...
> Sure, a lot of people don't like Microsoft, but
> that's no reason to make it worse for the millions
> of people who are forced to use Microsoft products
sorry but i tend to disagree.
yes, it's a perfect reason to make it worse for the millions of people using windows: this OS and the problems it engenders has been infecting my entire computing life for years now (and that of millions of other people).
if you choose to use windows, like most people because of complacency and inertia, i WANT you to be afraid, scared of security holes every minute you use your computer. i WANT you to hear those stories about your computer being vulnerable. and i WANT your machine to get hacked into, and for you to discover it, so maybe you'll realize at some point that it doesn't make sense to keep on using that terrible software.
sometimes i think that more instability for windows is the best way to drive the point across to the millions. you want to use windows? here's what happens, and here's an alternative if you want to avoid these problems: linux.
Here's my trick for searching. I actually usually use Microsoft's search for their own domain, I just used google because I was really lazy and didn't want to wait for crap to load.
But anyway. I try to imagine what the relevant hits might look like, particularly phrases they might have and other associated terms. The "site:" thing has been on google for more than a few months at least, maybe even a year so I'm just used to it, and used it out of well more lazyness. Microsoft doesn't seem to do that great with exact phrases, so I tend to try larger groups words that might show up in my imagined response/result whatever. They do seem to use keywords. While relatively few of their documents might refer directly to say, "malware" for example, it might improve some searches seeking tips on cleaning out certain types of it.
While the direct relevence of MS search doesn't compare, for the most part, to google, it does have the odd side effect of turning up hits that aren't very relevent to the specific query, but are interesting/useful/something I'd been meaning to look into.
But mostly I use google when I don't want to wait the 2 extra seconds for a busy page to load.
Was this person one of the Chinese who had access to the Windows Source?
Still no patch from MS for the IE holes?
What is "intellectually dishonest" with saying "hey, there is a better, safer browser that comes packaged with a good email program as well!".
Frankly some people nit pick to nauseating detail.
IANAL but write like a drunk one.
how about we start by hiring a firing squad to find you and feed you to the hungry? do your part! sign up as canibalism food today!
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
A wannabe troll, trolled by an old hand at flametrolling and flameage- kinda poetic, if you must know. Still, you're not as good as you think of yourself.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
there won't be a problem for those people who are diligent in patching.
You're right, of course.
And I'm sure a big selling point for migrating away from Microsoft will be that alternatives may require less diligence on their part.
But never underestimate just how little diligence the customer is willing to spend. Any diligence requirement annoys them.
"Provided by the management for your protection."
Actually, I use Solaris and Mozilla Firebird - not MS Windows and IE. I don't have the time required to keep applying Windows and IE patches, so it isn't something I'd consider.
Follow me
Does anyone actually know how to submit a bug report to Microsoft?
...
I've found a couple of bugs (in DirectX Media, MIDL and other developer stuff) that I'd like to report, but I can't find out how to do that. I can't blame anyone from posting found bugs on the internet instead of reporting them to Microsoft. The people in Redmond surely don't make it easy to find out how to report bugs