Slashdot Mirror


New IE Holes Discovered

joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparently aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

15 of 801 comments

  1. I've been trying my best to switch people away by The Analog Kid · · Score: 5, Interesting

    ...from IE. I tell people about the built-in pop-up blocker, and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerabilities like the ones in this article. I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.

    1. Re:I've been trying my best to switch people away by squiggleslash · · Score: 4, Interesting
      Absolutely.

      I have a neighbour whose computer is currently fried - it'll apparently not boot at the moment, and needs a reinstall of whatever version of Windows it runs. She came over recently and said at some point she needs to use the Internet, and when I offered to let her use my connection said "Oh, I'd be using it for hours".

      So I offered her a laptop. I told her if she makes sure she uses it on the side of the apartment closest to mine she'd be within range of my wireless network "so you'll not have to do anything, just switch it on and start browsing".

      "Oh" she said, obviously hearing words like "wireless" and "network" and "browser", "That sounds far too complicated!"

      I am still gobsmacked about that one, but you're right: it's the words. The more you try to explain to someone how much better (or even how much easier) something is, the more complicated they assume it is. And that really works against you when trying to explain how much simpler something is because by default they assume they'll have to do all the stuff they do now: if you explain they'll not need to, it's hard to word it in such a way that it doesn't sound complicated to a non-technical user.

      I suspect that's Mozilla's real problem (and the problem with so many platforms previously that were technically superior, and much more user friendly) - the technical people are the ones who realise the benefits, so everyone assumes you have to be a genius to use them.

      --
      You are not alone. This is not normal. None of this is normal.
  2. Just downloaded the IE patches by charlieafrid · · Score: 4, Interesting

    I just downloaded the latest IE patches this morning and now IE wouldn't even start... it's doing nothing. Time to move my bookmarks to the firebird... tonight.

  3. Forced? by Call Me Black Cloud · · Score: 5, Interesting

    the millions of people who are forced to use Microsoft products

    I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.

    Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down. They didn't want to spend the money and didn't want to deal with integration on the network. I doubt the number of people being "forced" to use Windows numbers in the millions though. Besides, there was a benefit to the Windows box that the company certainly never intended - a wider variety of LAN games to play head-to-head against my office mate.

  4. mom's not sucked into ie anymore by Anonymous Coward · · Score: 5, Interesting

    i installed fedora core 1 on her machine on thanksgiving... everything's been great, and her p4 1.8ghz is actually behaving like a machine with that sort of speed, not the slow as poo windows she had before... she was nervous at first, but all her banking/mail stuff works just fine under mozilla.

    maybe it's stuff like this that we need, and more people should get their families exposed to it...

    momentum, people, momentum.

  5. Having tried a few of these by mindstrm · · Score: 5, Interesting

    On Windows XP.. stock up to date installation... these remote EXE exploits he posted don't seem to do anything.

  6. What I don't understand... by fermion · · Score: 5, Interesting
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    What irks me is that MS did not discover these themselves. After all, the closed source, security by obscurity, we can do it all ourselves model of software development is so superior, that we can only draw one of two conclusions. Either their superior technicians found the problems already, but the management decided not to put in the resources to fix it, or their superior technicians did not find the bug, in which case they need to not only fix the problem, but understand why their process so routinely fails.

    This is not an issue of hating MS, any more than the other recent alert was an issue of hating Apple. It is an issue of knowing there is a problem out there, but having no power in the official process to correct the problem. The only power that might be had is that of public relations. This is very different from OSS, in which one can potentially affect the development process and at least see that something is being done.

    This whole issue of course assumes that dozens of other people have not already found the bug and are exploiting it on small scales not easily detectable by the common methods. And of course does not take into account the ability for people to switch browsers. Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  7. Re:actually, this is old by krbvroc1 · · Score: 4, Interesting

    hey folks, this was posted to bugtraq some two months ago.

    That is why I don't understand what all the hoopin' and hollerin' is all about. Microsoft has known about this for quite some time. In addition, two months ago when the demonstration/exploit was made publicly available the author clearly stated that one of the exploit techniques had been documented for over 2 years.

    I'm curious for those here who think this should have been reported to MS first, please post the email addr or website where one would report this -- that would be a public service. I don't have a lot of faith they would have acted even if told -- but for future reference.

  8. I can imagine not giving info to MS by Yaa 101 · · Score: 5, Interesting

    These big companies have their mouths full of punishing people who tell them they found holes in applications.
    Also I find that MS is so bold and arrogant as to ask money for everything and tell others to stop doing things for nothing...
    Let them pay for the info on security problems...
    No payment, no bug reports, period.
    They can take care of themselves? OK, let them solve their own problems...

  9. Re:it wouldn't change anything by pjrc · · Score: 4, Interesting
    this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.

    I believe the current "best practice" is to wait at least 1 week for the vendor to initially respond... and to give them at least 1 month to create a patch if they (privately) acknowledge the problem.

    But giving them ZERO hours is about as bad as it gets.

  10. Re:it wouldn't change anything by binner1 · · Score: 5, Interesting

    I agree with you in theory, but if you look at it from the perspective of "how do you get the average user interested in alternatives?" angle, this might be the way to go.

    Consider that people use IE because "it's there," and not generally for any other reason. These people are going to continue to do so until the consequences are too high. Really, the same should apply to corporations too. The more often they get bent over, and the rougher those encounters are, the more the point gets "driven" home...I've been on a campaign lately trying to get people to switch from IE. I've been pushing Netscape 7.x instead of Mozilla though, as I find explaining the difference is tedious to say the least. I'd prefer if they used the AOL-brand free version, but Netscape is better than nothing.

    Really, this should go for all MS products with shoddy track records. Any time you have to explain why "the computer was infected with another virus, even though you had AntiVirus software," be very _blunt_ about the reasons. Internet Explorer was designed to kill Netscape, not be secure..."Yes, your virus signatures were up-to-date (not likely), and you still got a virus." That's because MS knew about the problem 3 months ago but it wasn't made public so they didn't fix it. It's not Norton/McAfee's fault. This virus didn't exist until yesterday...

    Now, I'm not saying I think every user should immediately switch to Linux, but I do recommend Mac OS X quite often. I know that nothing is perfect, but it's time people started using _anything_ other than Windows and IE. Don't hide the flaws of the other systems. Yes, Mac OS X did have a problem recently. Nothing is perfect. Most things just happen to be more perfect than Windows and IE.

    -Ben

  11. Re:Sometimes it's all about timing by TheLink · · Score: 3, Interesting
    Look at the researcher's site:

    http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/

    There used to be a bigger list at: http://www.pivx.com/larholm/unpatched/ but hey MS didn't do anything about it.

    So might as well just report it directly to the public and skip all the MS BS.

    --
  12. Re:Incident response times by PaulK · · Score: 4, Interesting

    Yep, not ideal. But it'll be interesting to see whether MS's claim of having a faster response time to security incidents than the Linux community stands up.

    Have you seen what happens to people who report security issues to MS? Follow the full-disclosure and bugtraq lists sometime; you will be astounded. MS repeatedly ignores reports until there is an exploit. They have gone so far as to lock hotmail accounts of people reporting issues.

    They have repeatedly demonstrated a knee-jerk reaction to deny problems until they're public, at which point they announce that they've been working on it all along.

    Honestly, with their resources, they could give Linux a serious run on patch speed, but only if they change their mindset first.

  13. disclosure by Tom · · Score: 4, Interesting

    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Guess you would've preferred that he either:

    a) keep it to himself and use it to root your box
    b) tell M$ about it, who will as usual drag it out for a few months before even acknowledging that he found a problem.

    If you were reading any of the security mailing lists, you'd know that the general experience researchers have with M$ is that it's a big waste of your unpaid time to contact them.

    Frankly, if they neither pay you nor treat you with some courtesy, then why exactly should you bother?

    --
    Assorted stuff I do sometimes: Lemuria.org
  14. Bug was TWO YEARS old by menscher · · Score: 4, Interesting
    Assuming the article is referring to the Bugtraq post by Liu Die Yu of Nov 5, it's perhaps worth noting that he said, in his post:
    This attack is possible partly because of the bugs in Internet Explorer which remain unfixed. The oldest of these bugs is almost two years old.
    There was nothing to notify the vendor about. The vendor had already been informed.