New IE Holes Discovered
joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparently aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents than the Linux community stand up. Will they have a patch available within the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I don't blame this guy for not going to Microsoft first. Given their track record, more than likely, they would have ignored him until someone publicly announced the problems.
P.S. Is it news anymore that IE has holes?
Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a day's warning would have been nice, but if there isn't a fix by tonight, it only reflects badly on Microsoft.
He who laughs last is stuck in a time dilation bubble.
A spokesman was quoted as saying, "It's the only way we can release a product with more holes than IE".
It is unconfirmed if StringVest will be integrated into Windows XP SP2 or if we will have to wait until LongHorn is released.
...from IE. I tell people about the built-in pop-up blocker and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerabilities like the ones in this article. I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Believe me, these days that is the only way to report bugs AND make sure they'll get fixed.
Dream world scenario:
1) Report bug to company
2) Company will announce the bug to the public
3) Company will fix the bug as soon as possible
Real World scenario 1:
1) Report bug to company
2) They don't report it to the public and they don't fix it
3) You report it to the public
4) Company sues you for IP violation or any other shit they can pull out of their asses
Real World scenario 2:
1) Report it to the public (anonymously).
2) Company will fix it
not news, this happens every day.
good news would be like.. goatse.cx and tubgirl.com went down and trolls no longer could shove a hairy fat ass dick up my ass before i go to bed and rub one off.
Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.
The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.
Russ Cooper made some good points.
I think MS has the responsibility to address their customers' concerns immediately (naive, I know), especially IE's overly close integration with the OS, which causes most of these exploits.
Wearing pants should always be optional.
It seems to me a number of these vulnerabilities have been posted to some popular "Unpatched IE bugs" page for weeks and weeks so far... this guy just combined some of them to demonstrate seriousness.
I just downloaded the latest IE patches this morning and now IE wouldn't even start... it's doing nothing. Time to move my bookmarks to Firebird... tonight.
the millions of people who are forced to use Microsoft products
I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.
Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down. They didn't want to spend the money and didn't want to deal with integration on the network. I doubt the number of people being "forced" to use Windows numbers in the millions though. Besides, there was a benefit to the Windows box that the company certainly never intended - a wider variety of LAN games to play head-to-head against my office mate.
I installed Fedora Core 1 on her machine on Thanksgiving... everything's been great, and her P4 1.8GHz is actually behaving like a machine with that sort of speed, not the slow-as-poo Windows she had before... she was nervous at first, but all her banking/mail stuff works just fine under Mozilla.
maybe it's stuff like this that we need, and more people should get their families exposed to it...
momentum, people, momentum.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
That's because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or to take legal action against them.
If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?
I can understand the desire for such vulnerabilities to be fixed before going public, but Microsoft has been known to sweep exploits under the rug for as many as twelve years. Exploits are a common fact of life with Microsoft products, and it's better that this exploit was released to all as an explanation than as a virus/worm.
You can't judge a book by the way it wears its hair.
Half the exploits don't work (latest WinXP), the remote exploits don't, and the rest require physical local access, which sort of negates security on a Windows box.
This isn't news,
at least not to those who are on the lists and see this "hacker's" postings on a regular basis.
On Windows XP.. stock up to date installation... these remote EXE exploits he posted don't seem to do anything.
I like this release.
Disable Active Scripting and find an alternative to IE ("use another product"). Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.
I do find that people are starting to be a lot more receptive towards MS-alternatives, especially when the mass media is now jumping on the bandwagon as well. Now techies find themselves explaining their choice of MS over and over again, to hype-induced managers.
Wearing pants should always be optional.
We could have found out about it when our systems started acting up.
I can understand complaining about being forced to use Windows. However, no one is "forced" to use Internet Explorer, even on Windows---Mozilla is a better alternative in Windows.
Most of my family and co-workers use Mozilla, and they haven't looked back.
This is not like Windows-Linux, where there is a steep learning curve.
Mozilla (or Phoenix) is a slick alternative with an almost zero learning curve to pick up the same level as IE. It also takes almost no time to learn features _that aren't in IE anyway_ that help you see the internet in a much more useful way (ad blocking etc).
No one is forced to use IE with very few exceptions:
People who have it mandated at work, but that's work's problem not yours - they could change too.
People on dialup who have a very slow net connection - but they probably have it on a dial up CD.
People who use its integrated rendering engine for OE/HTML email - but you can change that easily too.
People who _must_ access IE only websites - but there are very few of these any more, and you can always use IE just for these to lower your exposure.
Microsoft Zealots who refuse to believe that Free software can be any good - but they deserve everything they get.
Beep beep.
"Sure, a lot of people don't like Microsoft, but that's no reason to *make it worse* for the millions of people who are forced to use Microsoft products"
Make it worse and make 'em switch to a better browser. Also, reporting these holes before MS can do anything about it will get them up to speed on fixing it, rather than keeping it quiet like they normally do when somebody does report a hole to MS.
Jonathanjk.com
While my firm is a strong supporter of full disclosure, this is rather over the top.
What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.
Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.
We need to exercise better judgement when dealing with vendors and security issues; this isn't the first time things like this have happened, and it won't be the last.
Perhaps we should consider spending more effort creating a Security Researchers Organization, as has been discussed on BugTraq.
Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.
I am sure the anti-trust judges will merely (and quite easily) remove IE from their Windows desktops and not even worry about security issues.
I'd like to know who the editor thinks are "forcing" people to use Microsoft products.
Nobody put a gun to my head and ordered me to buy Windows XP. I believe I made a rational decision, based on price, quality, and usability, when I chose Microsoft.
It's a pretty arrogant attitude around here that people who use Microsoft are just too dumb, or have been coerced by dark, nefarious forces. No wonder people don't take you geeks seriously.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
... "Microsoft is holding up compensation claims from a quarter of million Californians in order to punish Lindows.com"
In other news
Wow, I can't believe I'm the first to make this joke ..... today.
Yeah, he's practically a terrorist... we should regime change his ass!!
And do you think M$ or M$ fanboys would alert an OS project if they had a security flaw before telling the rags? I don't; they would instead run around going "see, OS is dangerous, look at all the users getting cracked, see see". Anyone with a lick of sense knows that any development model can produce buggy software; as a general rule open development is better, but by no means perfect. They use the discovery of bugs to damage OS; we should use it to damage them. Fact is, the more M$ hosts that get cracked the better; there is nothing like getting burned badly to make you want to switch platforms to something with at least fewer security bugs. In general I am not a big zealot who goes about demanding everyone switch platforms, especially switching away from something they are comfortable with, but the OS community REALLY needs some big players to switch right now, otherwise we are gonna see more problems like with DVD, which commercially was only supported on WIN/MAC and for all I know still is, but getting a BIOS designed only to boot Windows working with alternate platforms will likely be a lot harder than deCSS, not to mention all the highly proprietary authentication schemes and MS-TCP; the list goes on...
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
hey folks, this was posted to bugtraq some two months ago.
Microsoft has claimed time and again that their response times to security alerts are sterling, as opposed to the "slow" response times for OSS. They make these claims without telling consumers that they have known about the exploit for months and are publicly releasing knowledge right before they release the fix.
This is a case of people letting Microsoft's boastful ways catch up to it. If they are as fast as they have claimed, time and again, there won't be a problem for those people who are diligent in patching.
Additionally with the advent of companies using the DMCA to try and stifle this behavior, it is more important than ever to engage in it and further show the flaws with this absolutely off the wall piece of legislation. See this article.
"Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
That's daft, to say the least. The vulnerability was there, whether you knew about it or not.
If he would've reported it to the vendor (in this case Microsoft), it wouldn't have been 'a known hole', except to the Microsoft developers. They would've come up with a patch and you could've spared your company the trouble of explaining why they had to take down their webserver for half a day while a patch was developed/tested.
As for 'why I don't use Microsoft software anymore', that's also stupid. You think other companies don't face these kinds of problems?
Violence is the last refuge of the incompetent -- Salvor Hardin
What can this mean for ${product}?
I thought the strength of ${product} was security through complete obscurity. I've been recommended ${product} and other solutions from ${company} as an alternative to open-source software (which is inherently insecure), but now my belief in proprietary software has been shaken because of this flaw in ${product}.
Between this, and that last service worm, I'm not sure I can trust proprietary software anymore.
What should I do?
-- clvrmnky
It sounds like GameSpy backed down eventually, but here is scenario #1 from early November . . .
>chowbok writes "Luigi Auriemma has found several
>security holes GameSpy software over the past few
>months. He has reported them all to GameSpy but
>never got a response... until today, when he got
>a threatening letter from their lawyers. It says
>he's violating the DMCA, he needs to
>cease-and-desist, yadda yadda yadda." Update:
>11/12 21:09 GMT by S: GameSpy has now posted an
>official response from the company's
>founder, Mark Surfas.
http://yro.slashdot.org/article.pl?sid=03/11/12/1735212&mode=thread&tid=126&tid=127&tid=153&tid=172&tid=186&tid=99
"Using Microsoft products is not genetics or how we were raised. It's a choice and we're damn proud of it."
Actually, it wasn't a choice. MS had a monopoly, and therefore, you really had no choice.
Jason Lotito
A billion dollar software giant can't even get a bloody browser right after 6 versions, and even when it's not crashing or having security flaws it still can't render HTML or CSS properly. Hell, they screwed up even on email.
And Microsoft wants to write software for cars and business servers and sell their products for 1000s and claim they are the best and that other software methods are cancer??? Go screw yourselves, you fuckwits.
This comment does not represent the views or opinions of the user.
it wouldn't have been 'a known hole', but to the Microsoft developers
Prove it. Anything that can be found by a white/gray hat can be found or was already found by a black hat.
I agree with this. If there is a problem that's going to compromise my security, I'd like to know about it ASAP so I can (temporarily) stop using the software that's causing the problem, and switch to an alternative application.
Follow me
Ignorant_JackAss != American ... (I hope)
What irks me is that MS did not discover these themselves. After all, the closed source, security by obscurity, we can do it all ourselves model of software development is so superior, that we can only draw one of two conclusions. Either their superior technicians found the problems already, but the management decided not to put in the resources to fix it, or their superior technicians did not find the bug, in which case they need to not only fix the problem, but understand why their process so routinely fails.
This is not an issue of hating MS, any more than the other recent alert was an issue of hating Apple. It is an issue of knowing there is a problem out there, but having no power in the official process to correct the problem. The only power that might be had is that of public relations. This is very different from OSS, in which one can potentially affect the development process and at least see that something is being done.
This whole issue of course assumes that dozens of other people have not already found the bug and are exploiting it on small scales not easily detectable by the common methods. And of course it does not take into account the ability for people to switch browsers. Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Although in a perfect world we would have companies auditing their own code and finding exploits in their own products, the fact remains that unless there is a proverbial rocket aimed at their behind, nothing will be done.
The fact remains that we have an organisation here with over 40,000 employees, over $40 billion in cash, and yet they're making *really* stupid mistakes. I am sure most people could cut Microsoft some slack if they were a small business OR if these incidents were as rare as hen's teeth; however, when it becomes "have you applied the daily patch", people lose their cool.
The unfortunate thing, however, is that due to Microsoft's huge marketing muscle, this approach by "exploit finders" doesn't work. Microsoft, instead of taking the information on board and apologising, spins the story so as to make out that the person who finds the exploit is somehow linked to a grand anti-Microsoft conspiracy, and, god forbid, calls them a "terrorist" for "exposing" the unwashed masses to "harm".
"The difference between pornography and erotica is the lighting" - Woody Allen
What makes you think all Chinese are communists? That's like saying all Germans were Nazis during WWII, which is very very far from the truth. The problem in totalitarian regimes is that you're not allowed to say anything substantial against the government... but it's not illegal to think it (well, not yet anyway).
As if microsoft would care about said holes unless the first exploits are out there in the wild...
bye,
[L]
I'm sure it's been said before but...: Shouldn't we realize that the bugs, holes, viruses, incompatibilities and needless complexities in the computer world are providing us with well-paid work? It almost makes sense that a software giant would purposefully include errors - they have to be fixed by someone, and that someone sure as hell won't do it for free. Most of us addicted to Slashdot either run Linux or can keep MS/Apple problems at bay on our own machines. The problem hits everyone else. We are the ones that get money as a result of these "problems." My deluxe single dorm room (with a view I might add) is free because I run around on afternoons -at my own schedule- (mmm freedom is good) and fix other students' computer troubles.
Personally, as soon as I saw this report on Reuters I said to myself "HOT DAMN! More money for me!" I am gonna sit back and enjoy the ride.
If you want absolute security, please lock your machine in a vault, throw it in the ocean and it'll probably be safe.
What are the chances of it being exploited in the $time it takes developers to come up with a patch, by this black hat who knows about the bug, but didn't exploit it before the bug was reported?
Violence is the last refuge of the incompetent -- Salvor Hardin
Side one - Internet Explorer badly coded, so there's lots of vulnerabilities.
Side two - Since Internet Explorer is used so widely, there are a lot more people looking for problems with it, and the ratio of bugs found to the number of users is moderately comparable to any other browser.
An interesting study would be a comparison between the number and kinds (garbled text to root exploit) of bugs known for each browser (what's the cut-off point? any bug from the first alpha version to the "final" version? Or just for the current revision?) versus the number of approximate users.
Given that there are web pages listing dozens of unfixed IE security holes, what difference does it make to announce another seven without telling Microsoft first?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I don't know how MS can just sit and watch this happening. Do guys at MS get paid on time? Any self-respecting developer would immediately try to remedy the situation. This clearly shows that MS CAN stuff shit down people's throats and get away with it. Looking at the way things are going, I think MS SHOULD BE HELD RESPONSIBLE. They should start sending out CDs which contain patches to all their PAYING customers. I'm sure that the size of the CD patches will be more than the actual OS itself !!!
-- Live Long And Prosper
We're constantly bitching about the low security of Microsoft products. Nothing changes - they're still as lousy as before. But Microsoft doesn't care. People still use their software. Instead of fixing the bugs they launch new zillion-$$$ advertising campaigns, showing they're much better than OS solutions.
In the world of real operating systems, the standard answer for a bug is a bugfix. Microsoft has a different strategy. They release a new marketing patch every time somebody discovers a new security flaw.
Sure.. Full disclosure is usually a good thing (tm). But if it's about closed source, you can't always do something about it (like IE bugs - there are no ports you can block..).
Other than shutting down the net or forcing the users to switch to another platform.
Isn't it better, then, that nobody really knows about the security flaw until it's fixed?
Huh. From R'ing TFA, it seems there is an exploit using five new security holes disclosed on 11/25/03, not the seven originally reported on 9/11/03.
Not true, Microsoft makes it very difficult to use anything but Microsoft junk. The first level of annoyance is a barrage of scary warning messages about "signed code". Then there are constant annoyance messages which require confirmation and include the option you don't want. In time, you will push the wrong button. Finally, Microsoft breaks other programs on their platform. My little brother uses XP and keeps it "up to date" by accepting whatever M$ pushes at him. It broke Mozilla. I consider that a force.
The only way to avoid all of that harassment and the insecurity that it creates is to leave M$ completely. If you still think it takes a lot of effort, you need to play with Knoppix. The only trouble you might have is with winmodems and other nastier hardware which does not work well under windblows either. It's easier for individuals to install and way easy for technicians. It's good for individual users and far superior for business.
There's probably someone near you who will do an install for less than the Windblows install going rate. Just google your town name with "free software", Linux and other likely terms. Hungry geeks, such as myself, will happily come to your house for $40 and set you up. Businesses will pay by the hour but save hundreds per machine and employee every year.
Friends don't help friends install M$ junk.
"The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list."
There is no requirement to notify Microsoft, nor should there be. I want to know about this kind of stuff as soon as possible. In my opinion, it is not for Microsoft to determine when I know that my computer has a security problem.
Besides, this kind of thing should show if Microsoft's boasting about response time to security vulnerabilities is the truth or just plain old anti-open source FUD.
Yours in pettiness.
Isn't this a term used for having to deal with the issues related to choices made? Why should anybody expect others to let Microsoft sugar coat the mess they released on the world? Those who use MS products must pay the price of such a choice. Those who consider they have no choice because IT gives them no choice have to play on the treadmill Microsoft and their IT departments put them on, and should make their IT staff fix the problem. IMHO.
When will Microsoft go to court for all of this crap? Can you imagine purchasing a new car and seeing a note on the seat. You open the door of your new car and read the note. It says that the auto maker has no responsibility for how the car works or whether it will work.... The auto makers can't pull the kind of EULA that Microsoft gets away with. Yet no lawsuits. What gives?
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
I was at one of the Apple roadshows when Jaguar was being released and they ran a demo of the you-beaut Samba connectivity straight out of the box.
It was interesting to see the PowerBook had no issues, while the Vaio had a couple of issues trying to see the PowerBook.
My own experience has been that it is easier to handle the connection and data transfer from the Mac, than it is from the Wintel box. I got so frustrated with the poor networking options on XP that I just ignored it, and let my iBook sort it all out.
InfoSec that matters, when it counts.
It's more like a blue screen of death after innumerable pop-up annoyances. Oh, the thrill of crap that does not work. Wooot. If that turns you on, you must be on Bill Gates' payroll. I prefer to get things done.
Friends don't help friends install M$ junk.
Huh, the last time I checked, there were a number of operating systems available. I started life on an Atari 400 and since those days I've always had choice. I chose not to go Mac and I chose not to go Linux. If you're an unhappy Microsoft user, the only bonds keeping you down are in your own mind.
I don't understand the "forced to use Microsoft products" part.
Even when you need to work on Windows, why should you be _forced_ to use Internet Exploder?
Mozilla is the first thing I always install on Windows.
There are organizations where people are indeed forced to use a fixed set of software. In this case, if there's a security hole, the responsibility belongs to the sysadmin who forced people to use broken and out of date software.
It's bad that enough nerdy Microsoft Windows users must endure the incessant rudeness of Linux users to get their 'news that matters' on Slashdot. But for CowBoy Neal to permit a discussion topic that implies we are slaves to Microsoft is just plain offensive. Did you ever once consider we might feel liberated to use Microsoft products? It's like looking out into the ocean, seeing a swarm of sharks feeding in the surf, and then choosing to paddle out to ride the waves. It's an adrenaline rush.
Why do you come here then? There are other places where you can get your tech news you know. Slashdot has a rather vicious anti-Windows slant to it, and doesn't apologize for it. If that bothers you, go elsewhere. Personally, I love it here for the exact same reason you hate it. I'm surrounded by idiotic Microsoft apologists in real life, so this is one place I can be comfortable.
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
...it would have been found by the Black-hat soon afterwards. The software is as it is, if a potential or real exploit can be found by anyone, it's going to be found in the first place no matter who finds it first.
I would rather be told by a White/Grey-hat cracker even if the parties responsible for the software know at the same time than find out the hard way through Black-hat activity.
Like others that have posted, I don't care one whit about the "reputation" of a company or a group doing a piece of afflicted software. I want to know about the problem so I can offline the machine or the software - or, at the very least, make an INFORMED decision about its continued usage.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I wrote this above and I'll post it again: using an alternate browser does not always protect you from IE holes. I cannot comment on these new holes because I'm not sure how they work, but some previous IE holes left the computer vulnerable whether or not you actually used IE at all! An unfortunate consequence of the browser's integration with the OS.
So the fact that I'm using Mozilla on Win 98 right now does not mean I'm guaranteed immunity from these new holes.
Pop-up annoyances? Ohhhh, you mean pop-up ads. No, as a Microsoft user I have a multitude of options for killing pop-ups and any number of Internet annoyances.
And no, I'm not on Bill Gates' payroll. I'm sorry you don't feel that using Microsoft Windows is like a wild sex romp with curvaceous twins on their 18th birthday. Too bad for you, sailor man. As for me, the blue screen of death is the best asphyxiation sex I've ever had.
These big companies have their mouths full of punishing people who say they found holes in applications.
Also I find that MS is so bold and arrogant to ask money for everything and tells others to stop doing things for nothing...
Let them pay for the info on security problems...
No payment, no bug reports, period.
They can take care of themselves? OK, let them solve their own problems...
MS Windows and IE are insecure and full of bugs. They will compromise your security. I suggest you stop using them now. ;)
It is a *new* security exploit, based on several new security holes that Li Die Yu found. Given Microsoft's history of rapid responses, I guess one could be forgiven for not even attempting a notification. Has anyone seen a patch from Microsoft yet? ;)
Oh, and the way to avoid potential future exploits, disable scripting within the Internet zone... (or use another browser!)
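The mitigation suggested above (disable scripting in the Internet zone) can be audited per user from PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes IE's per-user zone key `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` (Internet zone) and the URL action value `1400` (Active scripting, where 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example: audit (and optionally set) the Internet-zone "Active scripting"
# URL action in Internet Explorer's per-user zone settings.
# Assumptions: Zone 3 = Internet zone; value name "1400" = Active scripting;
# 0 = Enable, 1 = Prompt, 3 = Disable. An absent value means the zone default
# applies, which for the Internet zone is Enable (the weak setting).

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveScripting {
    # Returns the current numeric setting, or $null if the value is not present.
    $item = Get-ItemProperty -Path $ZoneKey -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ActiveScripting
}

function Test-InternetZoneActiveScriptingDisabled {
    # True only when the value is explicitly set to Disable (3).
    return ((Get-InternetZoneActiveScripting) -eq 3)
}

function Set-InternetZoneActiveScripting {
    # Writes the DWORD; defaults to Disable. Creates the zone key if missing.
    param([ValidateSet(0, 1, 3)][int]$Value = 3)
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    New-ItemProperty -Path $ZoneKey -Name $ActiveScripting -PropertyType DWord -Value $Value -Force | Out-Null
}

# Report the current state for the logged-on user.
$current = Get-InternetZoneActiveScripting
if ($null -eq $current) {
    Write-Output 'Internet zone Active scripting: not set (zone default: Enable)'
} else {
    Write-Output ('Internet zone Active scripting: {0} ({1})' -f $current, $Labels[$current])
}
if (-not (Test-InternetZoneActiveScriptingDisabled)) {
    Write-Output 'Weak setting: run Set-InternetZoneActiveScripting to disable it for this user.'
}
```

Group Policy can enforce the same action machine-wide, which overrides the per-user value this script reads.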
Blocking ports isn't always an answer (in my not so humble opinion, they're not an answer ever- it's a band-aid...) so you REALLY should fix the buffer overflow and other issues instead of side-stepping the problem. Of course, if the best that someone can do is block a port because of financial considerations or relative difficulty (I'd believe BOTH in the case of Microsoft...) then that says volumes to me about the company in question- and they'd not get my dollars in return.
Funny that, I use Linux almost exclusively on the computers in my house and at work...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products,
They just signed a contract with Sun for a million linux desktops. Maybe it is time _now_ for people to seriously consider whether spawning a monoculture has been a threat to our techno pool.
What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available.
Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.
Since the US has 2 parties, the US is twice as democratic as China. Furthermore, Canada has 4-ish parties, Canada is twice as democratic as the US.
http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/
Hmm. Looks like it's the same dude anyway.
XP, or, Linux. Linux still has the appearance to many of being complex and difficult to use, even though that's largely not the case (it's not difficult, it's different) for most distributions.
When you buy a PC, what OS is bundled with it?
XP.
When you buy software, what OS is it generally designed for these days?
XP.
You didn't make a choice other than to accept what was forced upon you- just like all the other good little consumers.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
This web site's tagline is 'News for nerds. Stuff that matters.' I'm sorry, I seem to be missing where "Linux" appears in those two sentences. I know it's six words, but please show me.
:)
Well, Windows appears quite a lot on Slashdot too. Not favourably, but hey, life's not fair.
I am a nerd. I want to know about things that matter.
I reiterate, Slashdot isn't the only place for "things that matter". Have you tried zdnet? It should cater to your tastes better.
Your words reveal your extreme arrogance. You think only Linux users can be nerds.
What can I say, I'm evil and cruel. But don't take it personally, it's all part of my grand plan to become a tyrannical overlord.
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
so if they want us to let them know about problems then they should pay us for the information.
If they want us to test their stuff then they should pay us to do it, rather than charging us for the privilege of testing their stuff.
Codifex Maximus ~ In search of... a shorter sig.
What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available. Beware.
Exploit code, anyone? A simple google search or a Bugtraq archive browse over the last week should do it.
Yeah, that's nice. Spend 5-7 days waiting for the CD to arrive when you could just have easily downloaded it in 4 minutes time. Really well thought out plan there, dude.
'Standards' in computing only impress those who are impressed by things like 'standards'.
I think it's due to Adaware having removed something that MS used to track things, disabling my update ability. Nice to know given there are so many exploits. I've sent MS the error # but hold no hope of them actually fixing this. :(
These security problems were publicly known in September.
What was released recently was sample exploit code.
If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.
The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.
>I reiterate, Slashdot isn't the only place for "things that matter".
>Have you tried zdnet? It should cater to your tastes better.
I defy you to find anything that matters at zdnet.com. It is a place "where technology means business." It's oriented toward tier three managers who fire their IT staff and buy "editor's pick" hardware and troubleshoot network problems by reading the letters to the editor.
Yes, that's right, nobody. I think we all need to be reminded that using Microsoft products is an act of free will. It's not as if they're the only game in town for personal computers (they used to be) or that you couldn't interoperate without them (that used to be the case too). Furthermore, to run a successful business these days no longer means that you have to use Microsoft products. Lots of people are doing just fine (if not better) without crap from Redmond. (And that doesn't even mean they have to use open source alternatives. There's always Apple, which puts out better hardware than anyone else. Of course, using open source is good too. What Windows functionality isn't provided on the server by some variety of BSD or Linux?)
So don't say that a security researcher releasing findings before alerting Microsoft is making things "bad" for Microsoft users who are "forced" to use Windows. I have yet to talk to anybody who uses Microsoft products that doesn't acknowledge the weaknesses in the platform or isn't aware of the media surrounding Microsoft's utter failure to make "security their top priority". They (Windows users) know well enough by now that the platform they've chosen is vastly inferior in terms of security to alternatives. And if they don't realize that, they're mindless zealots (who have an infinite loop blocking entry to their site). By now, they get what they deserve and the security community should no longer have to drag its feet (pacing itself with Microsoft) on their account.
Join Tor today!
Line 1: I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.
Line 2: Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down.
Reply: Your choice to use Windows was an illusion. Microsoft is a monopoly. It's as simple as that. When you went to buy a computer, and you walked into the little store, did you see a lot of Macs, or a crap load of Windows PCs?
Lazy poster + lazy moderators == Insightful
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
And slanted in the exact manner you're WHINING about? If you don't like the sound, change the channel- or at least ignore the noise. It's not a hard thing to not bother reading further or commenting on a subject you don't agree with the editorial commentary on, you know...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I defy you to find anything that matters at zdnet.com. It is a place "where technology means business." It's oriented toward tier three managers who fire their IT staff and buy "editor's pick" hardware and troubleshoot network problems by reading the letters to the editor.
:)
Like I said, you should feel right at home there
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
2. What amazing encouragement
Somebody get this guy off the stage.
How devastating are they?
Are they hypothetical exploits (as in doable, but in practice, hard to execute an attack with...) or are they holes big enough to pass a tractor-trailer truck through length-wise?
Many of the IE exploits, while they're proportionate to the overall userbase, are disturbingly of the "BAD" (as in Igor's sense of the term in Ghostbusters) variety.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Like they're not sick of having to deal with your idiotic Linux-jizzing? The door swings both ways.
Well, technically it swings THREE ways, because of the Mac people, but who's counting?
'Standards' in computing only impress those who are impressed by things like 'standards'.
Undoubtedly, you would look upon the history of the last few years, where virtually all attacks (manual and automated in virus/worm code) have exploited known bugs for which patches had been available for weeks or months, and say "that's not PROOF".
And in a mathematical sense, that would indeed not be "proof".
The best anyone can offer you is a "preponderance of the evidence", which might even be "beyond a reasonable doubt" that virtually all successful attacks have exploited known vulnerabilities for which the vendor had already created and published a patch.
If you can accept this rather obvious observation, and you can believe that the trend will continue, then it is a very small logical step to conclude that it is overwhelmingly in everyone's best interest for vendors to have a reasonable opportunity to create and publish patches before details of new vulnerabilities are publicly announced.
But there is no proof, only a well established trend. So you, supposedly a system administrator, would rather see immediate public disclosure. I'm sure that will appeal to your emotional well being... not being kept in the dark. It will also mean that, as a system administrator, you will need to make temporary workarounds (which oftentimes means shutting off the affected service), while you then wait, with a greatly increased probability of attack attempts. But it will appeal to you emotionally, making you feel better that the vendor got their "feet held to the fire". That ought to make up for the extra time you'll spend implementing the workaround and interfacing with all your users and managers and explaining to them why a service they depend upon (and consider your job to keep operational) is not available temporarily.
PJRC: Electronic Projects, 8051 Microcontroller Tools
It's down even lower on the totem pole than Linux for the same reasons. I negligently forgot about that option because it's just not used all that often around me.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
This reminds me of the old National Lampoon spoof advertisement:
Photo of a dog, eyes looking sideways, with a human arm holding a gun to its head. Captioned below it: Use Microsoft Software or the dog gets it!
Right, we're all being held at gunpoint to use Microsoft's inferior software. Pull the other one, it's got bells on.
The only reason that the majority of computer users use Microsoft software is because of the illegal monopoly tactics used to stifle their competition. Sure, there could have been choices, but MS was given full rein by the government, by its lack of conviction to press the antitrust lawsuit against them, to horn the competition right out of the market. There's no force about which software you decide to use.
At any time, you could elect to download and install a copy of Linux or run Knoppix from CD or download BSD even, or try Lindows or something, *ANYTHING* but Gates's bloated virus propagation technology! Just because you're too lazy to learn anything *new*, don't blame it on some imaginary force holding you hostage to a certain OS.
Notice how I never said anything about the bugs themselves, just about the way they were reported. It doesn't matter what company we're talking about, you should give them time to solve the problem before releasing to the outside world. If they don't, it's their problem, but it's your responsibility as a security 'expert' to report it to the vendor/developer _first_.
12 year olds generally are vindictive, much like yourself. And they don't like to take responsibility for their actions, either. Does this sound familiar?
Violence is the last refuge of the incompetent -- Salvor Hardin
you want to use inferior and crappy microsoft products ? go on
and dont cry if they're full of holes and you get hacked/cracked/whatever
you made a choice by keeping with them
you get what you deserve
Ummm, ok, this has gone on long enough. I thought nerds were smarter than this.
Maybe he thought he would get more credit for himself this way. Maybe he thought MS would have said they discovered it themselves. That may sound selfish to some, but maybe he has a family to feed.
eat shiat and bark at the moon
Who's forced to use IE? Last time I checked I can use whatever browser I want, and when someone or some website tries to force me from using their product because I'm not using IE I can always work around it. So, why is it everyone always believes they are forced to use IE? It's a shitty browser; simple solution: stop using it. Move on and be happy.
Oh, well, thank you. I'm flattered you think I'm management material.
With the way things are going these days, he's liable to get hit with a DMCA based suit instead of being ignored..
---- Booth was a patriot ----
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Guess you would've preferred that he either:
a) keep it to himself and use it to root your box
b) tell M$ about it, who will as usual drag it out for a few months before even acknowledging that he found a problem.
If you were reading any of the security mailing lists, you'd know that the general experience researchers have with M$ is that it's a big waste of your unpaid time to contact them.
Frankly, if they neither pay you nor treat you with some courtesy, then why exactly should you bother?
Assorted stuff I do sometimes: Lemuria.org
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Truth. But here's the problem. Microsoft's reputation for responsiveness (that is, not!) and collegiality (that is, not!) in these situations is awful. Nor does Microsoft treat those who report such problems with any degree of warmth. Having established its Chinese wall as it has, Microsoft has lost its standing to whine about non-collegiality of the world it has created.
This is the entire point about open systems, or at least openness about security -- it leverages what happens out there. Frankly, I feel more secure knowing what are the leaks, whether they are addressed or not, than I do knowing there are secret leaks out there for someone to exploit without my knowledge.
If Microsoft had a reputation: (i) for assuring that a report of a leak would be responsibly handled and escalated promptly and without agonizing pain on the part of the reporter -- who is doing Microsoft a favor; and (ii) for responsibly, promptly and professionally addressing the problem, I would feel much more sympathetic.
The problem is that they don't. Maybe they will change as they said they would. But until they do, I'd rather hear the news in time to know for what I have to watch out than to have it buried while others who have discovered the leak exploit it.
Here's the thing, it is highly unlikely that any leak that is discovered by me was discovered only by me. Others, less responsible than I, will discover a leak, find the exploit, and either keep it in their "bag of tricks," trade it or what have you. In any case, if I find it, the exploit is likely out there in someone else's hands. I'd rather know the problem than wait for the solution.
Yes, the kiddies are more likely to play if it is readily "out there." But guys, that happens anyway, one way or the other. Besides, Microsoft seems far more responsive to public leaks than private ones -- maybe this kind of report is more likely to assure that the bug will be repaired than otherwise.
And you spend much less time on hold . . .
If the holes already had exploits, they wouldn't be new holes.
I think what is meant is that people can now rush off and write a whole new batch of malware, which will be released before users have had a chance to patch them.
Bottom line: Giving the patcher a head start is much more preferable than giving patchers and exploiters a head-to-head race.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Millions of people forced to used Microsoft products.... oh what imagery that conjures up. Think Indiana Jones for a second.
Google is highly revered by the /. crowd, right? What is the only browser Google has developed their toolbar for?
I use IE every day of the week and I have done so for years and years without ever a problem. No one has forced me to do so, I'm well aware of alternatives, it's been my choice to do so.
So you do admit that Windows users are not free in their choice?!
Hell is not other people; it is yourself. - Ludwig Wittgenstein
So why submit a bug report to microsoft for free? Why be one of the many eyes, in a closed source model? Reporting a bug makes their software better, and better software is why you should pay them $$$, remember? You don't retain any intellectual rights to the bug or fix, so again it's closed source. If you believe that you're making the world better for others who use it, then you're thinking in open-source terms.
Why are we using an open-source bug reporting model to a closed source company? I say make them give you $$$ for things that will make them $$$.
Of course MS wants you to submit bug reports for free (or even make money by submitting through their tech support system), since it leads to better products with no effort on their part. But why would we, the bug finders, let MS pick and choose the components of open source that best suit their business plans, when they go to such an extent to berate it? Why compromise with MS by letting them pick the terms for dealing with bugs that result from their methods of creating and managing software?
IMHO, the world would be much nicer if instead of devoting effort to finding bugs in MS products, we simply stop using their product when a bug is found, and use a corresponding open source product.
Seriously, at this point, if you care about security, privacy, and functionality, you should be using Mozilla or one of its derivatives. It's definitely good enough to replace IE, and every sploit in IE should by right drive more users away from it, and into alternatives.
Using a Moz browser is not nearly as traumatic as switching whole OSes, so I'm a bit less sympathetic to the whole 'give the vendor time to patch' thing when it comes to IE, Outlook, and other replaceable apps.
Programmer 1: "Hey, guys, we've really got to do something about the security problems we've been having with IE lately. Any ideas?"
Programmer 2: "I've got an idea! My CS prof used to joke that you could solve any problem by adding one more layer of abstraction. In this case, it's true. Imagine how totally cool it would be if IE was just a regular application. Right now we've got it tangled up in the OS, but if you think about it, there's really no good reason for that. I mean, why does IE need special privileges just to load files and render some HTML? If we pull it out of the OS, it'll still work fine, and it'll just naturally be subject to all the OS-level protection mechanisms we've got."
Programmer 1: "What?! You're talking madness, man! Are you saying that we should subject one of our own applications to the same forces we use to prevent third parties from gaining too much market share? Egads, that's brilliant! I'll bet we can even patent that..."
Programmer 3: "Guys, the idea certainly sounds cool, but it won't work. Bill said it's impossible. Don't you remember that Netscape trial thing? I know we're not supposed to ever talk about it, but he said it was impossible during his taped deposition. If Bill says it's impossible..."
Programmer 2: "...then it must be impossible. You're right."
Programmer 1: "Damn, you're right. Seemed like such a good idea."
You turned off Scripting for all but "trusted sites," long ago, right? I did. Your users run IE as restricted users, right? Mine do. You used firewalls to block SMB Messenger pop-ups long ago, and indirectly saved your company from Blaster and Welchia before the fact, right? I did.
Or you just dumped Microsoft and made all of your company's staff use Linux or BSD long before the fact, right? And you caught Ramen, Lion, Lindoze and those other dangerous Linux viruses before the fact, right?
Or were you caught with your pants down?
If one of these exploits affects one of the PCs in your care, YOU are the one to blame for letting it through. Not your anti-virus software vendor, not your operating system software vendor, not your firewall vendor. You might think it's not your fault, but will your boss believe you?
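Two of the mitigations this poster lists (scripting off for the Internet zone, as an earlier comment also recommends, and users running IE without administrator rights) can be audited from the workstation itself. The script below is an added example written for this thread, not code from any poster. It assumes the Internet Explorer zone registry layout (`Zones\3` is the Internet zone and value `1400` is "Active scripting", where 0 = enable, 1 = prompt, 3 = disable) and uses the .NET `WindowsPrincipal` check for group membership.

```powershell
# Added example: audit two IE hardening settings from the thread.
# Assumptions: IE stores per-zone settings under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
# with 3 = Internet zone and DWORD 1400 = "Active scripting"
# (0 = enable, 1 = prompt, 3 = disable).

function Get-InternetZoneScripting {
    # Read the Internet zone's Active Scripting setting for the current user.
    $zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $item = Get-ItemProperty -Path $zonePath -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not set (IE default for the Internet zone is Enabled)'
    }
    switch ($item.'1400') {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unrecognised value $($item.'1400')" }
    }
}

function Test-RunningAsRestrictedUser {
    # True when the current token is NOT a member of the local Administrators role,
    # i.e. IE launched from this session runs as a restricted user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$scripting  = Get-InternetZoneScripting
$restricted = Test-RunningAsRestrictedUser

Write-Host ("Internet zone Active Scripting : {0}" -f $scripting)
Write-Host ("Running as restricted user     : {0}" -f $restricted)

# Flag the two conditions the post treats as baseline hygiene.
if ($scripting -ne 'Disabled') {
    Write-Warning 'Active Scripting is not disabled for the Internet zone.'
}
if (-not $restricted) {
    Write-Warning 'This session has administrator rights; IE would run with them.'
}
```

The script only reads the current user's hive; on machines where zone settings are enforced centrally and stored under HKLM, run the same check against the HKLM path instead.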
Use Evolution instead of Outlook? Bewa
For some of us the company we work for mandates the use of M$oft only products. Therefore we are FORCED to use IE. At home I use Netscape and encourage others to do so.
Well, I admit that if Windows users are not free in their own choices it is because of their own mental neuroses.
built by carefully selected and screened teams of programmers working to build proprietary, secure software." -Darl McBride (on koolaid) c'mon, M$, you're the champion of the proprietary, free-enterprise system--show us that your 'carefully selected and screened programmers' really ARE better than the godless, communist 'numerous unrelated and unknown software developers' ...
I've been able to use the mozilla zip builds on fairly locked down machines. They don't have an installer, they just unzip to any given folder and run from there. I suppose this fails to meet your requirements, though, unless you have a liberal definition of light which OKs stuff >20MB.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
This brings up a usability trade-off with Google. By keeping their web site clean (I love that) it inadvertently encourages keyword only searches. How many people know to use this feature? Not many is my guess, and I think it is a little disingenuous to diss someone for not having uncommon knowledge.
This also brings up a usability problem with Microsoft. "Report a Bug" should be on their home page "microsoft.com". One should be able to report any and all bugs via one form. The URL I'm reporting below based upon your search is for Security bugs only.
Also, I typed in "report a bug" to Microsoft's search engine on their home page and did not come up with the URL below. How is it that Google runs a better search on their site than they do? If I were a typical user I would not suppose this and "give up" after trying "report a bug" on Microsoft's web site.
Report a security problem with Microsoft here:
The Microsoft Security Response Center
Thanks again! for the Google tip!
Cheers!
Mybrid
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
-- CowboyNeal, editor/sniper
The article does nothing to suggest Microsoft bashing: no motives are given for why the announcement was made to a public mailing list and not to Microsoft.
One might reasonably assume that Microsoft bashing is a possibility; on the other hand, there might be no malice involved. We don't know, and I wouldn't want to guess.
-kgj
Really! There's been like a thousand holes in IE over the years, they keep coming with no slowing down or even trending towards an end in sight.
Those stupid enough to continue using that piece of garbage or any other microsoft software for "secure" applications, are getting it up the ass exactly like they asked for. The only people I see with desktops infested with bonzo and popups and spyware are retarded IE sheep anyway. The comments from the poster of the article just make me laugh. Security from obscurity isn't! The more exploits the better, the sooner people will be forced to switch.
Go open source, go with glass box solutions.
There's absolutely no reason to continue using IE, it's not as if you have to visit the few websites refusing service to other browsers. Refusal of service to other browsers only indicates incompetence - who'd make business with such a company anyway?
.... then it's not a bug, it's a poor design failure...
Which, to the end user, is the exact same thing.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
A lot of corporations have standardized on IE. Not everyone that reads Slashdot is a College or High school kid.
Go take a statistics class. One datapoint does not a statistic make. So (to put it in words you can understand) just because YOU haven't had any problems doesn't mean that there aren't any.
Google is highly revered by the /. crowd, right? What is the only browser Google has developed their toolbar for?
Maybe Google only developed the toolbar for IE because the rest of the browsers already had the features that the google toolbar introduced. Have you even used Mozilla? Or looked at mozdev? Being aware isn't being knowledgeable. Mozilla supports google searching out of the box. Multiple toolbars are available at mozdev.org. To reiterate, say again, and maybe pound it into your skull, the Google toolbar provides some lacking functionality in IE.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
The part about this story that gets to me is that a single person finds 7 (!) holes/exploits by himself. Makes one wonder just how many things are left open simply because no one has looked at them yet. Scary.
a lot of people seem to mistakenly believe that a computer, like any other appliance, should just work, not require you to work it.
So instead of the user working the computer, the computer should just work... YOU?
Please, geez, quit your job, that is unthinkable. Quit now so your company goes out of business and its misery is put to a quick end.
a quick search on google found this maybe they'll help
searched for: computer jobs
1. http://www.computerjobs.com/homepage.aspx
searched for: computer jobs linux
1. http://unix01.sac.edu/jobs.html hope this helps
Seriously, why should anyone take the time to give Microsoft an opportunity to spin this and cover it up? If Ford were making trucks that randomly explode, and some independent study discovers this, should they keep it hush-hush to save Ford's PR? Of course not. Microsoft's reputation will suffer a bit from this, as it should.
But there is another kind of evil that we must fear most... and that is the indifference of good men.
What makes you think you have to be a college or high school student to be free of IE? Please, my company uses Gecko. We've been enlightened ;)
While I agree with what most folks are saying about the security researcher not following proper exploit discovery etiquette, keep in mind (and this is not flamebait),
He *is* from China, the country who is so frustrated by Microsoft that it's making its own, full-scale flavor of Linux. The country who may see most of the Western, MS-using world as a competitor. A country so big yet secretive that security practices may be subtly different over there.
Disappointed? Sure, you can be disappointed in how this went down. Though it may be an apple judging an orange.
Surprised? I don't think you have the right to be surprised.
RD
Ha! I love it. First I'm modded up as interesting and insightful, then modded down as flamebait. Could there be a clearer distinction between Linux and Windows moderators? Hey Microsoft fans, grow up! I'm one of you. Learn the meaning of 'irony' and live a little.
I've never worked at Microsoft, so I'm just speculating here based on what I've heard and what I've read on the MS Career website, but it seems to me that the type of developer that MS is likely to hire is the egotistical, arrogant "my-code-is-better-than-your-code" type of developer. Sure, some these individuals may be extremely smart and be able to pound out thousands of lines of code a day, but the thing is, the "cowboy coder" attitude does not work well when putting together large and complicated pieces of software. In such projects, there are times that developers need to cede to the fact that there may be a better way of doing something than their way, and writing some obscure and cryptic piece of code -- while intellectually satisfying -- yields systems that are not robust and hard to maintain.
While alerting the vendor first if you are a real security researcher is the right thing to do, what if you aren't a "real" security researcher, and all you want to do is piss them off and give microsoft users with a clue yet another chance to regret using microsoft products?
It seems pretty clear that this is what has happened here.
Thunderbird is a marvelous replacement for Outlook [Express]
Unlike Mozilla Thunderbird, Microsoft Outlook Express can fetch mail from MSN Hotmail accounts. However, several POP proxies that access Hotmail exist. Is the installation of Hotmail Popper easy enough to recommend it to former Outlook Express users?
Remember, the government of China is going Linux. This may be a policy move by China to start working on Microsoft's market share.
Preconfigured PC's without local administrator account. None of the web-apps work in Mozilla: expense reporting, purchase, HR,... What's really crap is that these apps are made by big software companies like SAP. You'd expect SAP could come up with something cross-browser...
10 ?"Hello World" life was simple then
First of all, this guy doesn't even own a computer! Here is his impassioned plea at the end of one of his posts to bugtraq.
-----
all mentioned resources can always be found at UMBRELLA.MX.TC
[people]
LiuDieyuinchina [N0-@-Sp2m] yahoo.com.cn
UMBRELLA.MX.TC ==> How to contact "Liu Die Yu"
[Employment]
I would like to work professionally as a security researcher/bug finder.
See my resume at my site. I am very eager to work, flexible, and
extremely productive. I have a top notch resume, with credentials
from leading bug finders. I am willing to work per contract, relocate,
or telecommute.
[Give a Hand]
I haven't got a job as a security researcher yet and my family don't support my security work - so, I don't have a computer of my own. Please consider donating at:
http://clik.to/donatepc
Can anyone tell me how someone who can't afford a computer on his own is able to stop the impenetrable security juggernaut that is Microsoft?
Actually, I'd say most Chinese are capitalists. They just love material wealth. This is based on what I have observed in my own family, and around the world in the near-universal Chinatowns. Another example is the founder of Yahoo, the youngest millionaire yet - he's Chinese, and started off very poor.
In '1984', they gradually made it impossible to think of the government in a bad way by sweeping away words, changing connotations and words with two opposing meanings when applied to different objects.
In the company where I work (a large bank, 40000 work places) the latest IE security patch caused grave problems with (client certificate authenticated) SSL connections. Many internal applications broke down at random after about 10 minutes. This is costing massive amounts of time and money.
I'll agree to all your GUI counterclaims: X11 was quite deadish in the old days when Windows NT4 was "the" corporate platform and Linux hummed in new 486s running the initial http:// rollout. So it was and still is a bunch of sedimented un-coordinated APIs... right... true... remember, it was on the verge of abandonware... The rest? Hmm, when that stuff got developed in the first place MS was what? 3.11? DOS? Didn't even exist? Now to NFS3? Come on, when the standard was written the US called crypto APIs "ammunition"... you couldn't put "mandatory" tags on ammunition! Even MS had to break, cripple, unsecure, bug their domain stuff to make it exportable (I'm not sure that's the only reason but...) So NFS security became optional, and developers wouldn't build anything that was patent laden, would they? Sendmail... that's like firing at the Red Cross... why don't you mention Postfix ;-) ?
My point anyway is that the parent says MS has to regress the whole damn kaboodle for a couple of bugs, so it's not their fault if it takes time. I challenge that: if they had done a half decent job there'd be no reason to check the whole OS for a couple of broken private methods in a web browser component class. That they should do that is a design failure... they might as well have written the whole thing in one big statically linked C executable.
I wonder who is behind all the stupid things I do - Altan
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
While I agree that all vendors, even Evil(tm) ones, should be notified and given adequate time to fix a bug before exploit code is published, I disagree that there is no reason to "make it worse for the millions of people who are forced to use Microsoft products". There are plenty of reasons.
Making things worse for MS users will lead to more people objecting to being "forced" into using MS products (the word "forced" is used loosely, as in your post). The more people that object to the monopoly, the less likelihood that the monopoly will continue to thrive. Whether you admit it or not, the proliferation of MS security exploits in the form of viruses, worms and any other means, is a big part of the recent success of the adoption of open source software around the world. People are getting fed up with viruses and security problems on their PCs, and looking to alternatives. Just by looking at alternatives, the world is coming to realize that there are better ways to get software than paying a vendor for a licence to use binaries, under restrictions.
Another reason is that Microsoft itself is getting fed up with the problem, and so maybe some day they'll change their ways and maybe get a part of a clue about security. This ties in with the first reason I cited, in so far as their present solution to their security problems will only make people dislike them more than they already do. MS constantly blames the users for problems in MS software, so their solution is to remove control from the users and put it in the hands of... whomever. This is more good news for MS alternatives.
There are a multitude of reasons that stem directly from the first reason that I mentioned. Lots of good things will happen if the monopoly crumbles. After only a few crumbs have come off the edges, there are already benefits. For example, poor countries are now much more able to build up their infrastructure, thanks to the existence and advocacy of alternatives to the monopoly. The monopoly itself is bad for security: some of the world's leading computer security experts have argued that the lack of platform diversity is itself a security threat. There are many economic arguments about why monopolies are bad.
So MS users may have some pain coming their way, but in the end the result will be beneficial for society.
Which is worse, being locked inside your own mind or being locked in a jail?
Hell is not other people; it is yourself. - Ludwig Wittgenstein
Hmm, Yoda thinks that you're too much of a pussy to quit your job.
In a reasonable job, I'm being paid to do the job, not to use some product the boss wants me to use. (Unless the use of the product is itself the job.)
And if I'm an expert in the domain in question, or even just a very knowledgeable person in that area, and I want to use a specific tool that will make me more productive and costs no more than the tool the boss wants, the boss is being a fool, an incompetent and a petty dictator to impose his notions of what's good on me.
This does not prove anything. Is someone FORCING you to work at this office where they (oh my god) want to use software that works?
b) Umm, you're saying that because you have to use Windows you can't meet deadlines? OK, GOOD ONE :) Seriously LOL, you are one in a million because millions of people do meet deadlines using Microsoft products. You must be retarded.
c) Problems cause problems -- IE sux rox, so now the firewall gets tightened up to keep away all the bad things, so now the Internet becomes basically unusable for all employees. No one thinks of moving away from IE. Oh, now I know that you are clueless. IE does not stop working unless you shut off ports 80 (http) or 443 (ssl/https).
Nice try loser.
1) You have no right not to be offended
2) Nobody can offend you without your consent
Now there's a metaphor that lost me halfway through. Is slashdot the ocean? In which case you imply that being a microserf on slashdot is an adrenaline rush. But then why are you whining about being offended?
Using Microsoft products is not genetics or how we were raised. It's a choice and we're damn proud of it.
"Sing it now and sing it loud, I owe soul to MS and I'm proud."
OK, so that didn't scan. Still the idea that there are these poor abused MS fans on slashdot who somehow need help to be protected from all those nasty linux/bsd/macos/... users is an amusing one.
And I'm still trying to figure out just how anyone can derive pride from having selected a specific product line (whatever that product line might be). I can see the marketing opportunities now:
"I eat Big Macs and I'm proud!"
"I shop at Safeway and I'm proud!"
"I drink Pepsi and I'm proud!".
Nope, sorry, still doesn't make sense to me. Why not be proud of an accomplishment that actually took you some work, instead of a marketing decision made for you? "I installed gentoo on a C64 and I'm proud!" (Now that would be something to be proud of.)
The headline "New Security Hole found in IE" hardly qualifies as news anymore...
Nobody is forced to use Microsoft products. Maybe this will wake them up. (We can hope...)
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
That was my initial reaction too, but then I asked myself why? Why must the manufacturer be notified first? All Linux exploits are announced publicly aren't they? Or am I mistaken? If defects in Linux can be made public and fixed quickly, why can't commercial software be done the same way?
>If he would've reported it to the vendor (in this case Microsoft), it wouldn't have been 'a known hole', but to the Microsoft developers. They would've come up with a patch...
Oh... you mean like this, this, this, and this?
I submit that people who have their network setup properly will not get burned. Have you ever been burned badly because of an MS exploit? I've been running MS networks for 10 years and I've never been hit except for once when I got the NY Boot virus (when I was 17) because I left a floppy in when I booted. Then I learned how to protect myself and those I work for (and my family). Do you think Open Sores software would really be better if it was as widely used as MS products?
I'd rather have the key within my grasp than be playing carnival games with my belt.
None. I install my own OS (Windows XP Pro) and then I install VMWare so I can run Linux.
When you buy software, what OS is it generally designed for these days? Windows of course, but that still doesn't mean that I'm forced to use it. I know lots of people (my Mom) who (gasp!) *don't even use computers*! Wow, imagine that.
You didn't make a choice other than to accept what was forced upon you - just like all the other good little consumers. Actually, I choose to use Windows because it's the best Desktop OS out there, I was not forced. You *nix zealots don't try to force people to use the OS that you like though, do you? (smell the rhetoric)
I can't believe anyone can type that [Windows is more usable than Linux and cheaper than Mac OS] with a straight face.
Which of the consumer-priced scanners, printers, modems, and WiFi cards currently sold at Best Buy stores comes with Linux drivers on the CD? This is currently the biggest usability issue blocking GNU/Linux on the home desktop.
jesus man, we are talking about microsoft here. microsoft, you know, the company with their arm up SCO's greasy ass? a member of the business software alliance? a company that has pleaded guilty to monopolizing in a civil court? a company that is actively trying, via drm/tccpa to make it impossible/illegal to use any other operating system? a company that has been pro dmca from the start? a for-profit corporation that has enough cash money to feed pretty much every human being alive for a good couple of years.
let them find their own security flaws, they have betrayed the populace in too many ways to count, and expecting in any way for the people out there to help them out is hypocrisy, and just plain vain.
aren't these people trying to dumb down the entire computer field? isn't this the same company that forces you to sign ominous EULAs before installing any of their products, usually meaning you give up things from the ability to speak freely through your computer terminal, the ones who copyright all material, theirs or not, that falls within their servers? "microsoft: pay to suck our shit, and like it"
flaky, insecure and purposefully crippled operating systems or programs are one thing, but when the company or group that puts said operating systems, or programs out is also a group of pirates that has been called on everything from supporting frivolous lawsuits, to widespread fear, lies, and deceit...this is where the line must be drawn.
if this is giving microsoft a hard time, then more of it is needed.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
They should at least have the chance to do it. For me, 72 hours seems like a reasonable timeframe for Microsoft to reply to his report. If they didn't, _THEN_ go public.
Violence is the last refuge of the incompetent -- Salvor Hardin
Is someone FORCING you to work at this office
"Work or die." Proof: Without working, I cannot obtain money. Without money, I cannot obtain food. Without food, I die.
"Work here or do not work." Proof: No companies have been advertising that they want help in my geographic area.
Nice try loser.
Please refrain from eating for seven days to experience what it feels like not to have income.
Will Slashdot report it if it does?
All signs point to no.
A good policy would be to:
1) inform the company first
2) if no reply in 24 hours, release information publicly
3) if reply, and clear - and reasonable - timetable for fix given, wait and see
4) if first milestone not reached for whatever reason, release information publicly.
Except for point 3, I don't see why this information should be withheld or why the person who discovers a security hole should do a corporate dance, he has already done everybody a great service by finding a security hole and not exploiting it.
As in this case, MS is now obliged to fix these issues - and a couple of them were already known for a while, so we better hope they fix it in time.
As in the case of Apple's latest exploit, there's no doubt the release of information has done more good than bad.
I was able to protect myself against something I previously was not aware of. Now I can be as zealous as any mac owner, but screw everybody who thinks this information was a "bad" thing, for whatever misguided reason. OK, so it's a feature, and certainly not a bug in the traditional sense, but it's easily exploitable and that's what counts.
Cheers
I think, therefore I am...I think.
'The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.'
Maybe he didn't know, or maybe he just didn't care, and if it's the latter, how can anyone blame him?
How long do people have to put up with MS before they finally stand up and say they've had enough?
No - no mercy for MS.
People with glass box solutions shouldn't throw stones.
DCMonkey
> The only people I see with desktops infested
> with bonzo and popups and spyware are retarded
> IE sheep anyway.
One of my local computer suppliers puts IE (and no other browser) on his hand-built computers on purpose. He *wants* the customers to bring the machines back after 12 months, full of bonzo and popups and spyware. Then he gets extra money for doing a format and reload.
These customers are not retarded IE sheep. They're exploited victims who buy in good faith and find their innocence cynically used against them for private commercial gain.
To use the original Reuters link.
http://reuters.com/newsArticle.jhtml?storyID=3909
shame you post AC... you'll never read this. Solaris paid royalties to implement the optional crypto handshake in US versions... their NFS3 is as secure as NFS4 will be because they paid to do it. Linux hackers just wanted to mount remote points for their servers and implemented the least common denominator without getting in trouble and in any case that sufficed to scratch the itch. Of course that flies in the face of Cisco/IBM (insert fav corp) development strategy... why should they care. Now that corps want the stuff to push their linux solutions the stuff will come... don't you worry. Nobody on this earth ever claimed linux NFS is secure... hell... I'd like to get rid of root too...
2000/XPlite is a great program. It's based on the famous 98lite which did what Bill said couldn't be done. It removed IE from Windows. Removing IE removes it from memory which makes your system a lot safer. Intrusion Enhancer (IE) is a far cry from safe. Talk about integrated exploits.
Several open source projects are gaining steam: ProPolice for stack protection inserted by the compiler, PaX for address space randomization, page executable protection, etc. It doesn't matter how sloppy the userspace code is - if the stack is compromised, the process is killed before it can do damage. It won't catch every possible compromise but it's a great start. Check out the Hardened Gentoo Project for a working implementation.
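The stack-protection mechanism the comment above credits to ProPolice, shown as an added C example; this is not code from the comment or from the ProPolice, PaX or Hardened Gentoo projects. It models one stack frame as a struct (buffer, guard word, saved return address), plants a constructed constant canary where a real build would use a random one, runs constructed inputs through both an unchecked copy and a length-checked one, and reports whether the epilogue check would pass. In a real build the compiler-inserted check aborts the process on mismatch; here it returns a value so the outcome can be inspected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame. ProPolice (-fstack-protector)
 * lays a real frame out in this order so that a linear overflow of the
 * buffer must pass through the canary before it can reach the saved
 * return address. This struct is an illustration, not compiler output. */
#define BUF_SIZE 16

typedef struct {
    char     buf[BUF_SIZE];
    uint32_t canary;        /* guard word checked before returning */
    uint32_t saved_return;  /* stands in for the real return address */
} frame_t;

/* A real canary is drawn from a random source at process start; it is a
 * fixed constructed value here so that the example is deterministic. */
static const uint32_t CANARY = 0xA5C3E1F7u;

/* What the compiler-inserted prologue does: plant the canary. */
static void frame_enter(frame_t *f, uint32_t ret)
{
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->saved_return = ret;
}

/* The sloppy userspace code: copies len bytes into the buffer with no
 * bounds check, so a long input runs on into the canary and beyond.
 * The copy works on the frame's own byte representation and is clipped
 * at the end of the struct, so the model never writes outside itself. */
static void sloppy_copy(frame_t *f, const char *src, size_t len)
{
    unsigned char *raw = (unsigned char *)f;
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(raw, src, len);  /* starts at buf[0], can overrun it */
}

/* The hardened form of the same copy: never writes past the buffer. */
static void bounded_copy(frame_t *f, const char *src, size_t len)
{
    if (len > BUF_SIZE - 1)
        len = BUF_SIZE - 1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
}

/* What the compiler-inserted epilogue does: compare the canary. Real
 * code calls __stack_chk_fail() and aborts on mismatch; the model
 * reports the outcome instead so the caller can inspect it. */
static int frame_leave(const frame_t *f)
{
    return f->canary == CANARY;
}

/* Feed one input through the model frame. Returns 1 if the function
 * would have returned normally and 0 if the canary check would have
 * killed the process. bounded selects the hardened copy routine. */
int process_input(const char *src, size_t len, int bounded)
{
    frame_t f;
    frame_enter(&f, 0x08048000u);  /* constructed return address */
    if (bounded)
        bounded_copy(&f, src, len);
    else
        sloppy_copy(&f, src, len);
    return frame_leave(&f);
}

int main(void)
{
    /* Constructed inputs: one that fits the buffer, one that does not. */
    const char *ok  = "hello";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short input, sloppy copy : %s\n",
           process_input(ok, strlen(ok), 0) ? "returns" : "killed");
    printf("long input, sloppy copy  : %s\n",
           process_input(big, strlen(big), 0) ? "returns" : "killed");
    printf("long input, bounded copy : %s\n",
           process_input(big, strlen(big), 1) ? "returns" : "killed");
    return 0;
}
```

The point the comment makes is visible in the three cases: the unchecked copy with a short input passes, the same copy with a long input clobbers the guard word and the frame is refused before its saved return address is ever used, and the length-checked copy passes regardless of input length. The canary does not make the sloppy copy correct; it turns a silent corruption into a detected one.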
I took it to mean there were no 'sploits available. After all, if there is an exploit, someone had to at least test it. No "reported" attacks would be more likely, but who would report or even know about it right away?
I agree that this has more to do with slashdot's slow-ass posting policy than any ignorance on the part of the submitter.
autopr0n is like, down and stuff.
The Moz and Konq teams didn't tie their browser deep into the OS. It's a stand-alone app... what could it break?
Having browser functionality in the OS is nice, but what Microsoft should have done is shipped with a 'local-only' version of IE that never runs outside code for showing all the pretty DHTML chrome in windows. They then should have had a very simple, modular, API for showing un-trusted HTML, which users could replace with Moz, Opera, whatever.
And this total interdependence runs counter to just about everything they teach you about Software Engineering. Small, independent pieces, whether they are command line programs or COM objects are the way to go.
Apache releases patches for the 1.x and 2.x branches when security glitches happen, why the hell would they patch versions older than 1.3? It doesn't cost any money, and I'm sure they're not incompatible or anything.
Oh for crying out loud - If this is the Liu Die Yu six-step attack, it's using holes that were reported up to TWO YEARS AGO!!
What's been done now is simply to prove to Microsoft that when security researchers report a weakness, they'd better READ THE REPORT and act on it. I have acted, I am using Windows at work when I'm paid to, but use IE strictly on intranet sites that don't work with anything else
I'm sure that's easy to say if you ignore the realities of the potential consequences that come along with discovering vulnerabilities that could lead to costly exploits. While forcing Microsoft to write more secure code is potentially a long term benefit of releasing vulnerabilities publicly before notifying MS, the risk of exposing people's livelihoods to immediate loss is palpable and dramatic. And I'm sure that anyone who was to, say, lose their job due to a company's financial losses resultant to an exploit wouldn't give one half a damn about the agenda behind irresponsibly publicizing vulnerabilities before taking the more conscientious approach of privately notifying [insert vendor/developer/other-responsible-party here] so that fixes may be made while mitigating the risk of loss.
You can isolate yourself in the world of technological slingshot activism if you like. But that doesn't change the fact that countless people -- who have no knowledge of operating systems or the available choices thereof -- can have their lives and livelihoods impacted for the worse by reckless use of discoveries related to technology vulnerabilities, regardless of their nature or origin.
Publicly disclosing vulnerability discoveries without proper prior notifications is the wrong thing to do, not because of the technology changes doing so could affect, but because of the increased potential of creating avoidable and costly losses to parties far outside the responsible technology cognoscenti.
If you are "forced" to use Internet Exploiter by an employer then go explain to them how IE is a security threat.
By "force" do you mean the sysadmin put a gun to your head or threatened your family ?
Or are you simply not smart enough to bypass their "security" ?
Are you writing hardware drivers or something? Most applications for windows could be written in Java, or to POSIX or something and still work. Unless your program can't work without the undocumented behavior, then it's probably not worth the risk to use undocumented procedures. Why not just avoid the buggy stuff?
who is forced to use IE? This is not a 'vertical application', there are free and non-free browsers that work much better than IE: they are much more secure and with options like tabbed browsing and pop-up blocking.
If people are concerned about security, they should change. If administrators are concerned about security, they should (at least) advise their users to change. I don't think we should blame that researcher for his discovery. I think users should be aware of these things.
What about BSD?
But like you said, who's counting? Certainly not the majority of Windows users.
Have you tried Linux yet?
This really peeves me. Slashdot is abysmal at getting their source right. This *is not* a Yahoo News story, it's a Reuters story. One look at the article would tell you this.
um.. so you complain that the researcher didn't inform ms first before posting it, but somehow it's okay for you to post a link to it on slashdot ?
Isn't that a bit like calling the kettle black ?
"Invalid ContentType may disclose cache directory"
My Classification: Minor
This isn't all that serious. The major threat is that a hacker could get your cache directory. The downloaded web page runs as part of the "internet" zone, meaning that there is no privilege elevation (IE has a zone system to give different pages different privileges).
"LocalZoneInCache"
Moderate/Severe
This is more serious. It allows an attacker to modify files on the system or worse. Note that this *is not* the same as a root exploit, but it could be as damaging as running an executable. Note that the user *does* have to choose "open" in the download dialog, but they are not warned about the security risks and may not consider them as the file extension is ".htm".
"MHTML Redirection Leads to Downloading EXE and Executing - Remote Compromise(requiring MYCOMPUTER zone)"
Moderate
This is somewhat less severe. It allows an attacker to download and execute an executable, but only if the user has already downloaded the page, saved it to disk, and executed it. The user might assume (incorrectly) that the file is safe.
"MHTML Redirection leads to local file parsing in INTERNET zone"
Severe (If an issue)
I was not able to reproduce results with this vulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to parse the contents of a local file. They would need the absolute path. This could be used to discover potentially private information.
"HijackClickV2 - Adding a Link to Favoriate List(requiring clicking a link)"
Minor
This would allow an attacker to add their site to favorites. The user would have to click a link and would have to release their mouse button over the favorites list (which is placed under their cursor after clicking the link).
"execdror6"
Severe (if issue)
I was not able to reproduce results with this vulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to run an executable on the user's system. The user would have to click "open" on an HTML file download. Security warnings would not be displayed.
"BackToFramedJpu - Cross-zone scripting(requiring a subframe in victim page)"
Moderate
This could allow an attacker to execute code in another security zone. It could potentially be used to execute code in the "my computer" zone if the attacker knows the location of a local page with frames.
I'll comment on the rest later.
I hate to burst the bubbles of all those people complaining about Liu Die Yu releasing this exploit "now," worried about all those evil people that will use this horrible exploit against the world, but Liu released a "Six Step IE Remote Compromise Cache Attack" which was composed of most of these "new" exploits almost a month ago. Those people in the security world that really pay attention have known about this for quite some time already.
Liu was even kind enough to reiterate the fact that some of the bugs he was exploiting were quite old, the oldest being 2 years. Sounds to me like Liu's "careless" approach to releasing these exploits "without contacting MS" may actually make a difference. mmmm?
It costs money to test, identify, locate, describe, and report bugs.
Reporting bugs in MS products to MS before releasing the bug report to the public amounts to working for MS for free, while MS makes huge profits foisting substandard, crappy products on their customers in the first place.
Until MS demonstrates a proper respect for their end customers, their privacy and their personal data, and ceases to expose their customers through entirely unnecessary software defects, I see no reason why MS or the reputation of its products should benefit from unpaid private disclosure.
If I believed MS had made a fair calculation up front about the balance of features vs the risks devolved to their user base, I wouldn't take this position. There has to be a feedback loop somewhere in the system to punish MS for the consequences for the unfair balance they chose to pursue.
Arguments that amount to this don't impress me: "millions of people use MS products, and these people are all being held hostage by possible exploits of defects created by MS, therefore it's the messenger's fault".
When MS offers a $10K bounty for every verified bug reported ethically by a bug researcher, and fully discloses the number of bounties paid, and for which bug fixes, then I will believe that MS has regained a moral position to demand this concession from the bug research community.
My only motivation in discovering and reporting a bug in IE would be to help create a corrective force to end the business practices which created this situation in the first place. How does offering my services to MS for free accomplish that goal?
Could also be a symptom of informal economic warfare. Why should a Chinese researcher do anything differently? It's going to hurt foreign businesses more than it hurts Chinese businesses (using the official non-MS OS). In fact, I see a good niche for Chinese Intelligence. They could research new ways to take down the electronic side of the Western economy and indirectly cripple the single largest employer of US programmers.
While it may be poor practice to announce holes publically, it matters little whether or not exploits exist.
It also is irrelevant if there is a patch for it.
At some point any sane person would evaluate if there is ANY case to be made for running Internet Explorer.
Give the track record it is irrelevant if any single exploit or bug is handled properly.
If it is not this bug that gets you , sooner or later it will be SOME BUG.
Anyone still allowing IE to be on a system is essentially in a position that they WILL be exploited, sooner or later.
We waste our time and efforts discussing these fine points.
What we need to be doing is ensuring that people realize that IE is not a sane choice for ANY user.
If that means they have to get rooted before they accept this, so be it.
They WILL get rooted eventually, so why not sooner than later?
No amount of patches can prevent that simple fact.
If you own a worn out car, fixing broken components does not make the car more reliable.
If you have to take a long trip, you need a reliable car.
In this case a new car is FREE, so why waste resources trying to fix the broken one?
Maurice W. Hilarius Voice: (778) 347-9907
Hmmm who modded this troll up as Interesting, ok I'll pretend this is not a troll, and answer, what M$ has done with bimbo's and IE is not just code reuse, they have not just used some of the same libraries again, they have tightly coupled, them together, so that they cannot easily be separated, parts of windows code was put into the IE libraries, where it doesn't belong in order to legitimise their claim that the two are so called integrated, butchered would be a better term, this is why all of a sudden installing IE even without the "IE desktop", changed your system libraries. In addition in order to further the same goals or out of sheer incompetence, M$ have hooked the two together, via global variables and functions to the point where the one cannot exist without the other. This is not code reuse this is bad design, and in fact the opposite of structured programming, which is the basis of real code reuse.
You really don't know the first thing about coding do you, when you use a library you do not cut and paste the code into your own, you use their functions and stuff, so all that had to happen with gzip was they fixed the library, then if another project was statically linked to the library it would have had to be relinked to the new library, but as the majority of code is dynamically linked these days, most programs would only need you to update the dynamic library on your system, and voilà, all programs using the library are fixed next time you run them.
in my life God comes first.... but Linux is pretty high after that
Francis Smit
Besides what does he care 200 million of his mates over the next few years won't be using IE!
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
So you then submit this story to SLASHDOT?! WTF?!
Why don't we just announce the secure things we find in IE instead of all the holes. It would save slashdot a considerable amount memory.
You might want to take this clue: You didn't NEED to reply to my comment. You didn't even NEED to start the thread. You like Windows. FINE. I'm not going to berate you over it, but if you don't like the editorial slant, you CAN go elsewhere. If not, well, deal with the slant then. You don't see ME going and whining about the OBVIOUS bias on ZD Net sites or any of the Windows specific tech sites, etc. Why should I cut YOU any slack on that regard?
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Uh, dude, if you're using VM-Ware to run Linux, you're going about it the hard way. Not to mention you don't get things like 3D acceleration, etc. and it runs a hell of a lot slower.
And, NO, I don't try to force people to use Linux- but a LOT of Windows people try the other way around by way of sending Word attachments, etc.
Think about it.
Hear, hear..
"Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited." Are you "forced" to use Microsoft products? Even if you don't want to try the freely available Linux and FreeBSD etc.. OS's you can still use alternative browsers like Netscape, Mozilla, and Opera to name a few even if you remain in the windows environment. While you're at it, ditch Outlook for a real email client too ;)
Remember, you have the freedom to choose!
Hmmm who modded this troll up
-5 for simply a cheap intro -- you disagree with it, therefore it's a troll. I disagree with you, so I suppose that makes your post a troll.
M$ have hooked the two together, via global variables and functions to the point where the one cannot exist without the other. This is not code reuse this is bad design, and in fact the opposite of structured programming, which is the basis of real code reuse.
-3 for using the unbelievably dated and juvenile "M$". Secondly, you're so obviously uninformed and with nary a clue of the "Windows world" that the fact that you are so willing to proclaim your ignorance (albeit indirectly) is disturbing.
Every modern operating system (which isn't the pedantic 2nd year CS pedantic definition of operating system) has a method to render HTML. Microsoft, pursuing code reuse, took this further and utilized the shared code for elements such as the help system (which is entirely based around the IE renderer). It is integrated because the code reuse made sense.
You really don't know the first thing about coding do you...blah blah blah...most programs would only need you to update the dynamic library on your system
This was, which was stunningly obvious, exactly his point -- most code should be using dynamic libraries (which is code re-use, such as the re-use of the IE libraries that you "outed" as incompetence above). The problem is that lots of code isn't using dynamic libraries, or are reinventing the wheel. This whole issue was the question of "why would IE break 3rd party applications?" when you yourself answered the question "because they use the shared libraries, and thus are fragile if it is fragile".
You tell a company they have a bug, and give them a time limit before releasing the information, you'll get a C&D, and an order from a judge not to talk about it, and possibly get arrested for 'extortion'.
No, the best overall practice is immediate and loud exposure. While this may allow people to write an exploit, it does have benefits:
1) The company must fix it or face a PR problem
2) The company can no longer say they were unaware that the product they license you has a bug.
Yes, millions of IE users are at risk, but that is the strength in doing this, you'll get a lot of people to 'cry' for a fix.
If this type of information stays quiet, people will begin to think IE is fixed, and that they are perfectly secure with its use.
The Kruger Dunning explains most post on
"This magic box. all internet inside."
I thought about it. Actually no, Linux on VMWare (v4 not 3) runs great, have you ever tried it? I give it 256MB of Ram out of a total of 512MB that I have on my P3/1Ghz Vaio. I also have Windows tweaked so it only uses the most basic services, I don't use Themes, and all the "menu" effects are off, so it runs very smoothly. Furthermore, desktop performance of *nix is usually worse on the same hardware because Microsoft gets the drivers developed for them by the manufacturer, whereas Open Sores users have to depend on some backwater geek or college student to develop a video driver for them.
Besides, I don't care about 3D acceleration because I'm not using it to run games or any graphics/desktop programs (that's what Windows is for). I mostly use it to test software and keep up with *nix/bsd technology in case M$ ever goes away.
You really think people are trying to force you to use Windows because they send you Word attachments? I thought that Star/Open Office could handle those now... It doesn't matter, none of this means you're being forced to use Windows, it just makes it a little harder to use Linux. Kind of like people who *decide* to drive Diesel cars/trucks. Think about that :)
Isn't that kinda like potholes on state roads...even though you might not hit one today, you know there's a lot of em out there...and boy does it suck when you find one...
Until M$ removes IE's death clutch on the OS (read never), there will always be bugs that cause havoc with the OS.
OS-Browser integration was the worst idea since Bob!!! (another M$ "innovation")
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Why should he? Would M$ show the same courtesy if it were a bug in Mozilla or Linux? What about the open source public reporting method? Hasn't that worked out? Isn't it better to let ppl know in advance that there's a bug that should be dealt with...
I would argue that just because it's proprietary software doesn't mean it shouldn't be treated the same as open source...the argument could be made that M$ doesn't have nearly as many developers as the larger open source projects, and I'd have to agree...as a matter of fact, I think M$ should probably hire some more coders to deal with their shortage...maybe even help the job market some.
The truth is, M$ should be able to at least release info on a work around in a couple of days...and if there's no way to create a work around, maybe they need to rethink how their code is set up...
Was this person one of the Chinese who had access to the Windows Source?
Still no patch from MS for the IE holes?
What is "intellectually dishonest" with saying "hey, there is a better, safer browser that comes packaged with a good email program as well!".
Frankly some people nit pick to nauseating detail.
IANAL but write like a drunk one.
how about we start by hiring a firing squad to find you and feed you to the hungry? do your part! sign up as cannibalism food today!
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
A wannabe troll, trolled by an old hand at flametrolling and flameage- kinda poetic, if you must know. Still, you're not as good as you think of yourself.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
there won't be a problem for those people who are diligent in patching.
You're right, of course.
And I'm sure a big selling point for migrating away from Microsoft will be that alternatives may require less diligence on their part.
But never underestimate just how little diligence the customer is willing to spend. Any diligence requirement annoys them.
"Provided by the management for your protection."
Actually, I use Solaris and Mozilla Firebird - not MS Windows and IE. I don't have the time required to keep applying Windows and IE patches, so it isn't something I'd consider.
Follow me
Does anyone actually know how to submit a bug report to Microsoft?
...
I've found a couple of bugs (in DirectX Media, MIDL and other developer stuff) that I'd like to report, but I can't find out how to do that. I can't blame anyone from posting found bugs on the internet instead of reporting them to Microsoft. The people in Redmond surely don't make it easy to find out how to report bugs