Slashdot Mirror
Microsoft Releases Changelist for Upcoming XP SP2
kylef writes "As we know from independent sources, Microsoft is busy readying Service Pack 2 for Windows XP. They have published on their website a changelist document (link goes to TechNet download page) detailing the nature of the security-related fixes and updates. The document is targeted towards XP admins and covers some interesting things such as the new Internet Explorer Pop-up Manager and various security policy changes. Some other juicy tidbits from the document: Internet Connection Firewall will be enabled by default, and there will be new support for something called "Execution Protection" which allows developers to make use of the NX (no execute) page guard flag on Intel's Itanium and newer AMD processors. An interesting read."
> detailing the nature of the security-related fixes
DMCA violation.
Expert in software patents or patent law? Contribute to the ESP wiki!
Go read the doc. before you post.
IE has a popup manager in SP2
Looks like MS is finally doing somethin intelligent for once. We'll have to wait to see how intelligent though.
We tend to become like the worst in those we oppose. --Bene Gesserit Coda--
They should have reserved that term for certain email attachments...
Download Ad-Shield, it's the best app I've used to block all internet advertisements.
Have you even read the article ?
From the article on news.com:
Among the security improvements in Service Pack 2 are a beefed-up version of Windows Firewall, previously called Internet Connection Firewall, and software designed to block pop-up ads and prevent the unintended downloading and installation of software.
And perhaps you should read this article as well, titled Internet Explorer to stomp pop-ups.
Did you RTFA? (I hate saying that, it makes me feel .. like all the other assholes who say that)
...
Internet Explorer Pop-up Manager
Q. What does Pop-up Manager do?
A. Pop-up Manager blocks most unwanted pop-up windows from appearing. Pop-up windows that are launched when the end user clicks a link will not be blocked.
End users and IT administrators can let specific domains launch programmatic pop-up windows. Developers will be able to use or extend the pop-up functionality in Internet Explorer for applications hosting Internet Explorer.
Q. Who does this feature apply to?
A. For end users, browsing the Web will be less annoying, because unwanted pop-up windows will not automatically appear.
For Web developers, Pop-up Manager affects the behavior of windows opened by Web sites, for example, by using the window.open() and showHelp() methods
For application developers, there is a new user interface: InewWindowManager.
Applications that use the rendering engine in Internet Explorer to display HTML can choose to use or extend the Pop-up Manager functionality.
I tried to open the .doc in Wordpad, with the result that Wordpad crashed. Does this happen to anyone else? (I'm on Windows 2000).
I downloaded the doc file, and tried to open it with WordPad (which is supposedly compatible with MS Word (which I refuse to buy), at least up to the level of displaying the text (without tables/pics)
Guess what ? WinXPpro SP1 is very sorry for the inconvenience but decides to throw up on me (an exception that is) and bail out !
When will I end this grieving ? When will my future begin ?
"wordpad.exe has generated errors and will be closed by Windows.
You need to restart the program.
An error log is being created."
nice.
this Service Pack doesn't break anything 'useful'... *sigh*
With WinXP I got into some serious trouble with my computer and trying to play games. At first everything worked as it should then after a weekend not a single game would play, black screen on launching a game.
After A LOT of work the conclusion was that quickfix 'SP2 Q328310', which had been auto download from MS, did something which stopped a lot of games which need 3D support from working.
Now I always gets a message when I start windows, about 'new updates available': -Yeah sure! It's still buggering me to download the patch.
This really helps MS too, I'm so much more willing to download updates/patches when I know that a quickfix to lets say notepad, might break something totally unrelated; like the ability to shut down WinXP >:(
Was that the sound of the personal firewall market dying?
READY.
#
Did you mean "emulate" or "immolate" ? Just wondering...
I hope that firewall let's in other video streams than Windows Media.
Thanks again for the .doc format.
Why not put such documents in a more Portable Document Format? Even assuming I have Word Reader or Openoffice, why on earth would you dissemante information via a word processor document format?
I really wonder if there will be undocumented securityfixes included in this Service Pack. I recently heard a director of Microsoft say that when Microsoft finds a security vulnerability, they don't disclose it, but just fixed it in a service pack. I hope I misinterpreted him, but it makes me wonder if a pre SP build of some Microsoft products might have something under the hood for bad guys to use.
Use Adsense for Charity
The 32-bit version of Windows currently leverages the "no-execute page protections" processor feature as defined by Advanced Micro Devices (AMD). This processor feature requires that the processor run in Physical Address Extension (PAE) mode.
Although the only processor families with Windows-compatible hardware support for execution protection that are currently shipping are the AMD K8 and the Intel Itanium processor families, it is expected that future 32-bit and 64-bit processors will provide execution protection.
This sounds nifty, too bad x86 CPUs don't support it (barring AMD's x86-64 offerings). However, doesn't PAE mode result in significant I/O performance degradation?
Executio Protection
Old man Saddam could use feature that right about now.
Only to idiots, are orders laws.
-- Henning von Tresckow
In earlier versions of Windows, there is a window of time between when the network stack was running and when ICF provides protection. This results in the ability for a packet to be received and delivered to a service without ICF filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall service was loaded and had applied appropriate policy. The firewall service has a number of dependencies which causes the service to wait until those dependencies are cleared before it pushes the policy down to the driver. This time period is based upon the speed of the computer.
What bugs me about this is that it strikes me as a problem that was well known about when the developers were writing the original code for ICF. They knew about it, and they didn't do shit about it.
What has *science* done?!? -- Dr. Weird (ATHF)
Whenever Internet Explorer crashes, the Add-on Crash Detection program is launched. Add-on Crash Detection is an error analysis program that examines the state of the Iexplore.exe (Internet Explorer) process. It collects the list of dynamic link libraries (DLLs) that are loaded, and the value of the instruction pointer register (EIP) at the time of the crash. Add-on Crash Detection then attempts to find the DLL whose memory range the EIP lies within. This DLL is often the cause of the crash.
So instead of finding the source(s) of the crashes and fixing it, they have apparently given up on that, but now run an add-on to detect the crash and attempt to clean up after that. Way to go, M$!!
Doesn't the blocking of ads violate the terms of use of some sites? MS is very pedantic abut people obeying their own EULA, yet they create a software feature to violate someone elses. Hypocrits.
You must be new here.
What I'm hoping is that this will improve ICS DHCP, which is very primitive at present (it absolutely has to be at IP 192.168.0.1, and you can't hardly set any of the info passed out by it).
I saw the XPSP2 document handed out at the LA PDC, and it said there would be unspecified improvements in ICS, as I recall, but I don't recall exactly.
Anyone know a better solution than ICS to do NAT in XP ? (Eg, ipchains -- haha.)
This feature is a great idea, it means that if, for example, Acrobat Reader is causing IE to crash then at least I know who is to blame and can uninstall or upgrade it.
I just read through that thing - there are a lot of good fixes in there. For one, they've apparently made a lot of changes to IE that will make it less of a pain in the ass to use. Some major changes to popup windows in general - they're making it much harder to trick users with popups.
They also seem to have made a lot of changes to the firewalling stuff - firewalling is on by default, too. They also made it so that the File Sharing and Networking ports only work in the local subnet -this means people won't be able to hit you with Windows Messenger spams from the 'net anymore, or access your RPC ports... good stuff.
Maybe, just maybe, MS will eventually get security right. This Service Pack appears to be a sizable step in the right direction.
using namespace slashdot;
troll::post();
Now I can build a wall, and instead of putting holes in it to start with I will just take my War hammer (yes I have a real one) and punch them in later.
Windows Security at it's finest
i thought once I was found, but it was only a dream.
This story reminds me of Saddam Hussein's sons who didn't have what to do with their money. They lit cigarettes with $100 bils.
Hopefully this will create some political impetus for Linux to support this too... and hopefully not only on ia-64 and xp-64, but also on x86 and ppc, by adopting and perfecting one or more of various patches that accomplish this (to various extents) and have been around for a while.
and then spread it around as though it was a legitimate document.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
>Doesn't the blocking of ads violate the terms of use of some sites?
Possibly. Who cares? I don't agree with such limitations - you put a site on the web for people to read, free of restrictions. I've yet to agree to anything on my computer other than EULAs. Reading a website does not signify I consent to anything.
If you've ever used RedHat, their up2date program acts almost exactly like windows update. It even upgrades your kernel for you without ever mocking you. :) Other distributions have very similar updating programs as well. I know you're only trolling, but i felt like giving you a real response.
I wouldn't be surprised if the SP leaked, and cracks being available before the SP is actually released.
a p1 133?
No?
Well, I guess I stay with linux.
I think you misunderstand:
HTML writers - web page authors - cannot just bypass the pop-up manager changes. The new interface they reference is for applications that use IE to render HTML. This new interface is part of the Win32 API essentially, and cannot just be called willy-nilly from a webpage (just like any piece of Win32 API).
The little FAQ snippet makes this distinction bu but not very clearly. For app-developers this means that instead of using a little piece of Javascript to open a window they will have to hitch into the API to create a new window.
Basically its just a move to allow app-developers to still use the renderer in an effective way with minimal code changes. Most developers I know however do not use the HTML engine to open new windows. They instead create a new window with API or a language construct and then assign a new instance of the IE activex object to that handle. It's a much more reliable way of opening new HTML windows in applications.
No this is so developers that use the MSHTML componant can allow their own programs to display popups if they want them to.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
All of the things listed in the patch that are suppose to help security, such as the firewall, are useless. Why, you ask? Because Dell, HP, Compaq, whoever, they don't ship pre-patched like they should. Why doesn't Microsoft get off their fat ass and require that computer manf. patch with SP2? HMMM? Insert a freaking update CD into the box, setup a 1-800 number that the Windows installer contacts to get the latest updates. There's a ton of things Microsoft COULD do, patching isn't enough.
Rant over.
Fortress of Insanity
No, application developers that use the IE renderer can choose to use or extend the blocker functionality, NOT the website designers. You know, applications running locally?
Be wary of any facts that confirm your opinion.
Preferences->Homepage->exclude stories->Microsoft.
I'm sure an enterprising geek could write a script to do that for them. You could even cron job it to give MS free days/weeks.
...I can only dream of a p1-133 while I type on this 486-33. Thanks a lot.
Like, yeah, I was like, downloading this doc file, and like, I opened it in wordpad, and like, it was like beep beep beep, and it was gone. It was a really good doc file. I like, bought a mac? And now, I don't even need to read the doc file, because, like, who cares about windows anyway?
using namespace slashdot;
troll::post();
Way back in my Comp Sci days, I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed. Trying to read or write to the code area, or execute a data area would result in exceptions. It was many years ago though ...
Now, that's marketing.
As an aside, when is Windows going to include multiple desktops in their shell? I've used a number of third party pagers, but each has its drawbacks and flaws, probably because it's not written with the privilage of truly understanding the Windows code.
Who mediates your information?
the funny part is everyone who doesnt use outlook as a mail client has had safer email for years.
I wish they would fess up and tell the truth... they are making outlook safer to use.
My unix email clients never have opened and executed a virus, as it is still stupid to allow someone to execute an attachment without forcing them to save it ti a location first.
also, have they disabled the stupid "feature" to hide file extensions? this one thing is one of the worst securtiy holes in existance.
Do not look at laser with remaining good eye.
No more attachment handling ?
Each section detailed in the document has this Orwellian subheading. But I feel it's missing the appropriate emphasis...
What breaks or "works differently"?
I think I'll wait a while before applying it so other users can find all the new "features".
one word: activeX
Ie is just too insecure. Look at all the spyware that utterly rapes it. With Mozilla as mature and stable as it is, there is just zero excuse to use ie for daily surfing. Sure there are the rare occasional times you need it for crappy sites that refuse to run on standard compliant browsers, but 99% of your surfing time should be in Moz (or opera or anything else).
Lawyers, MBA's, RIAA? A jedi fears not these things!
The title of the document is "Changes to Functionality in Microsoft Windows XP Service Pack 2". The document is only about changes to functionality. There are many, many bug fixes that are not mentioned. This was true in Service Pack 1, also; there were many bug fixes that were not mentioned in the list of fixes.
To ignore it would be to ignore what this site is all about. This stuff does matter to a great many people in their everyday business environment. /. != Linux
* Winners compare their achievements to their goals, losers compare theirs to that of others.
http://cbs.marketwatch.com/news/story.asp?guid=%7B 605678E9-C043-4B7E-94C7-E693D2BBA696%7D&siteid=goo gle&dist=google
So the implication is that Intel is only supporting this security feature on enterprise servers (Itanium), while AMD is supporting security on desktops and servers.
I've switched to Firebird, finally. I got sick of finding that my HOSTS file, favourites, and start page were being rewritten by malicious web pages.
On the other hand, Firebird doesn't use the MS JVM, it uses the Sun JVM, which occasionally decideds to use 99% of my system resources. It behaved the same way when I tried to use it for IE as well.
On the other, other hand (what, three hands???) I love tabbed browsing, though I haven't yet adjusted - I keep dragging the cursor towards the taskbar looking to switch processes before redirecting to the tabs.
On the fourth hand (this is getting weird) I now see the effects of all the tiny errors in my hand-coded HTML that IE was running - and a proper browser is refusing to display. I actually like that, since forcing compliant coding on me makes my work accessible to more browsers than just IE... of course since they're just vanity pages for me and the wife, it was never critical which is why the errors were never checked for before.
I'm out of hands, now.
Towards the bottom of the document:
Most of these features are designed to mitigate against malicious attacks on systems even when they do not have the latest patches installed.
The wavy green line underneath 'mitigate' in my version of Word ('97) suggests they use 'militate'.
That's the spirit - go get 'em Word! Grrr!
Alternately:
-- They knew about it, and management wouldn't let them do shit about it.
-- They knew about it, but addressing it would take significant time and effort, so they opted to defer that to a later release. After all, a million people running a mediocre firewall is better than a million people running no firewall at all.
-- They didn't actually realize it until later on. Are you psychic, or do you just happen to have a buddy who was on the ICF dev team?
But I suppose those angles would just mess up a good troll.
Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
http://news.google.com/news?hl=en&ie=ISO-8859-1&sc oring=d&edition=us&q=amd+overflow&btnG=Search+News
This google search turns up a link "Commentary: Working with Microsoft to plug a big hole"
now the funny thing is that this morning the link was called "AMD grabs key security advantage" and that's also in the title bar of the page and in big caption. Interesting how that was replaced with the subtitle that downplays a big win for AMD. I had trouble even finding the link which was obvious this morning. Things that make you go 'hmm.
Microsoft feels the need to inform us about the changes BEFORE?
I have no good feeling about this. Excuses like "See, we told you so in our fantastic Word document!" (that couldn't be opened with Wordpad) come to my mind.
What kinds of terror, horror and failure will these changes introduce to my WindowsXP? Do I really NEED to read this? Is there a hook somewhere? I guess I'll wait for the Slashdot comments before I update, too.
Why are M$ updates are not discussed like Linux Kernel updates? Are they soo inferior in their relevance?
Here is the link to the google search that turned up the strangely renamed article. I must need sleep, making the same mistake again.
Why do I have the feeling that Pop-up Manager doesn't sound like Pop-up Killer?
Of course I haven't RTFA, but I hope it pops up a dialog box asking what to do instead of barging straight on in and changing all the (firewall) settings.
doesn't PAE mode result in significant I/O performance degradation?
No, or at least on older processors it wouldn't, I don't know much about newer processor design. This is done in hardware, and it can be done in parallel with the usual work of the processor. That means it will make the processor an insignificant bit larger, but not slower.
Since it's in MS Office format, has anyone found any intering meta info in it yet? :-)
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
And isn't it called ".section .bss"?
All's true that is mistrusted
That's only true when you're not paging. When you use PMode's paging functionality, the CPU shares the same bit for "readable" and "executable," resulting in our present mess.
Most of the existing patches to Linux and BSD work by putting "canaries" on the stack between variables and stack frames and checking at function entry/exit points whether or not the canaries are dead -- and Linus refuses to let such crap into the official kernel tree.
The NX bit is a novel approach to it -- reading the docs I just found, it looks like it could be implemented with very little to no overhead.
Who cares about pop-up blocking in IE? How about: _you_ will care, when you start seeing pop-ups in Mozilla or Opera.
The whole "IE is inferior because it can't block popups" charade existed only _because_ the dominant browser didn't block those. Most people were content to make their pop-ups IE only.
Now that IE has changed, let's think like one of those dishonest marketers. So you were making money serving on-load pop-ups. They no longer work. What next?
How about looking at a little detail: IE, just like Mozilla and Opera, will not block stuff resulting from a user click.
Does it give you ideas yet?
If still not: Want to bet how long until you'll see sites where all links are done with JavaScript that also opens a pop-up window? Where every single drop-down and button and link is accessible only through JavaScript, which incidentally also opens a pop-up or three?
But wait, surely people will start blocking pop-ups completely, right?
Again, let's think like a slimeball some more. Remember, the goal of this exercise is to think not like the user annoyed by those pop-ups, but like the slimeball who pushes them onto you.
He doesn't care if you're annoyed, nor how annoyed. He just wants to make a buck. That's all that matters. He's really got the same moral standards as the spammer filling your inbox with V14GR4 ads.
So in that state of mind: Hmm... what to do against those users still blocking your valuable pop-ups, even when they're triggered by a click?
Well, blimey, make the whole site unusable or crippled without pop-ups. E.g., if you have to log in or fill a form, stuff it in a pop-up window. E.g., all the links to other sites are surely best opened in a separate window, via JavaScript. (All in the name of convenience for the user, of course;) E.g., the site-map, search, articles, etc, surely are best viewed in a separate window opened through JavaScript.
So there you go. Now the whole site is unusable unless the user disables pop-up protection.
Fat lot of good did that pop-up blocking do, eh?
A polar bear is a cartesian bear after a coordinate transform.
Are they serious? This is the type of crap that they stick in an important SP!?! A fucking pop-up killer?? how hard could this have been to implement 5 years ago? what about fixing vb-script worms in outlook? _now_ they decide to turn the firewall on by default? why dont the older nt's have firewalls? It seems that NT doesnt stand for New Technology, it doesnt even have the technology of running water. Thats not even the tip of the iceberg that gets bashed into by corporate servers every day. If you are running an important system with Windows, your gonna get a big titanic hole in the side of your PC. Patch _that_ Microsoft!
This comment does not represent the views or opinions of the user.
Yeah this is one of the features that I am most excited about. All the upgrades they are going to do the IE. Pop up blocker is key. I can't wait for all these adware companies to start filing law suits at Microsoft, saying they are stifling their business. I hope Microsoft kicks their arss. I am glad they finally see this ActiveX problem and are going to fix it. I hate all those spyware Gator ads that pop up asking me to install them. There are very few ActiveX programs that need to be installed in the browser, actually the only one I can think of is Flash. And that is not even nessasary.
Do these people break anything they touch?
Of course, I was only blocking the user agent-header because some crappy sites block Mozilla.
> So in other words IE was a pop up blocker, that html writers .
> can bypass at their own will
No. You just made that up. Read the article.
> Damn I wish I could add security features, and then poke holes in them.
I'm glad that you can't do either of these things.
Do they say anthing about my soon being able to turn off my computer without yanking the plug out of the wall (or changing the OS)? No, I'm not kidding. Used to be you couldn't get MS software to work. Now you can't get it to stop.
So there you go. Now the whole site is unusable unless the user disables pop-up protection.
A site that broken, run by someone with that little regard for his users, is a site I have zero interest in visiting anyway. So what's the problem?
So there you go. Now the whole site is unusable unless the user disables pop-up protection
:)
:)
And hence will not be used - profit lost...
Not really rocket science tbh...
Solution: use ctrl-click to let the user to decide which pop-ups to allow.
The point is that OSS browsers can and will evolve to combat shoddy website design.
In theory, IE could too. But they lack the incentive.
it is still stupid to allow someone to execute an attachment without forcing them to save it ti a location first.
I'm sorry?
Maybe I'm being extraordinarily dense, but what is so clever about forcing a user to move an attachment from the "attachments" folder on their hard disk to the "documents" folder on their hard disk before they are allowed to open it?
well blimey, then the site owner can really go screw himself.
there's other problems with ie though, like the fact that due to it being insecure you'll start get pron ads sooner(because there's fake sites on search engines that are just filled with those, of non pron related keywords) or later pop upping on your computer(and then you'll be calling the computer guy in your family, which just as so happens to most of the time be the slashdot reading one, sound familiar to anybody?). that makes the popup problem a lot worse since you'll be getting them popups at random times even when you werent connected..
most of the popups are irrelevant anyways, or due to the fact that the site is hosted on some free system or the name is forwarded through some system. popups are annoying for most people and many of those refuse to use sites that make every page open up couple of them and then you have to browse 5 pages(that all generate 2-3 popus) to get a simple update or something, it's just so annoying the user wont come back.
-
world was created 5 seconds before this post as it is.
At which point, you go to Google and find what you're looking for at some other site that doesn't do that crap, just like many of us do today with 100% flash sites.
....
And if the 100% Javascript site sees its traffic nosedive and goes out of business, well, that's their problem, isn't it?
1. Create a great website but make it too annoying to use.
2. Watch your page-views plummet.
3.
4. Pro^H^H^HSee your site's obituary on fuckedcompany...
God, IE could really use some better CSS handling. I'm disappointed they didn't add any with this service pack.
Hear me out - if you make it to where there are more popups, then basically your entire advertising market is based off of the notion of annoying people. People are already annoyed by popups, but now they'll be really annoying since even grandma now knows she's not supposed to be getting them. Ergo, no way are they clicking on them. I'll get to the point where the average person thinks the same way most of us do - they won't click on a popup out of spite.
Remember pop-under ads? I don't remember the last time I saw one of those (actually with my popup blocker, I don't see any) but that should be a clue - that people don't want to see popup ads, so let's make them popup under what page they're on.
So now there'll be exponentially more popup ads. Now, if they hit with spammer mentality then they see this as a good thing, but most advertising companies want a good click-through rate (not the .005% spam gets) so when they see a low click-through rate (since the popups are not being blocked or clicked on), they'll bail.
Hence, the end of most popups. Crazy?
Schnapple
Never buy a Microsoft OS until it reaches SP2.
It served me well with NT and 2000.
You would be interested in Spyware Blaster it is a nifty program which will modify the registry to block all known ActiveX spyware prompts. It also has a convient update feature in the program so you can be lazy and update it at your leasure and the best part is it's free!
I read the document and apparently the pop up blocker is crap. Here's why
ustomers will still see pop-ups launched in the following cases:
The pop-up is opened by a link which the user clicked.
The pop-up is opened by software that is running on the computer.
The pop-up is opened by ActiveX controls that are instantiated from a Web site.
The pop-up is opened from the Trusted Sites or Local Intranet zones.
I sense an increased use of ActiveX by ad-ridden websites in the future. What this is really, is not a way for MS to help out the user by eliminating annoyance. It is a strategy to get everyone who wants pop up ads on their site to use ActiveX. And hopefully when they're using ActiveX they'll make important parts of their site with it. Like say, the navigation bar. I'll stick to Firebird tyvm.
The GeekNights podcast is going strong. Listen!
The other posters here have mentioned protection on current x86, well there is protection on a segment, however some security projects for Linux have implemented a hack to get per-page no-exec permissions working. This is acheived by marking the page as Supervisor.
The jury is still out on wether this is a good idea ( probably not ), but since when did that bother MS :)
On the other, other hand (what, three hands???)
It's called the gripping hand...
So what if IE crashes on its own? Will it please please please allow me to uninstall it?
My beliefs do not require that you agree with them.
When the system runs with PAE disabled, drivers for 32-bit devices never require their map registers to be backed by real memory. This means that double-buffering is not necessary, since all devices and drivers are contained within the 32-bit address space. Based on testing of drivers for 32-bit devices on x86- and x64-based computers, it is expected that most client-tested, DMA-capable drivers expect unlimited map registers. To constrain compatibility issues, Windows XP Service Pack 2 includes hardware abstraction layer (HAL) changes that mimic the 32-bit HAL DMA behavior. The altered HAL grants unlimited map registers when the system is running in PAE mode. In addition, the kernel memory manager ignores any physical address above 4 GB.
So, does this mean any benefits of extra memory that 64 bit allows is negated?
Firstly, the firewall stuff is good.
.rar file, winrar might be specified, if no applocation is registered to handle this, it wont display this option. Also, anything thats executable e.g. *.bat, *.pif, *.scr, *.exe, *.com wont be allowed to execute and must be saved to disk and/or opened with a seperate application. And, certain things like the program that runs *.vbs scripts would be banned so that they dont appear in this list and you cant say "open with this app by default")
Especially things like "by default, only local machines can talk to the windows network messenger (a.k.a. winpopup), windows file sharing and etc ports".
But, its still not a good substitute for a server-based firewall solution (e.g. a linux box with ipchains/iptables) or for a firewall box like the "firewall+DSL modem+router+switch/hub+nat+etc boxes" that are popular with home broadband networks.
Execution Protection is a good feature, I am surprised that intel didnt add support for marking pages as "execuatble" or "not execuatble" way back when with the 386,486, pentium or whatever.
Given the number of Internet Explorer addons in the lists of Spyware programs like Ad-Aware and Spybot Search & Destroy, the Add-on Manager is something thats long overdue. This should at least prevent those who are clued up enough to check it once in awhile from being hit with Spyware addons.
As for the Java stuff, I think the best thing would be for MS to modify all future operating systems and service packs to completly remove the MSJVM if it is present and to install the sun Java VM instead (I expect that as long as they were shipping it unmodified and shipping as recent a version as possible, sun would just love this)
The MSJVM is a piece of garbage that should disappear for good, along with any lame-braned sites/content/software designed to work with it and only with it.
Now, the MIME type handling stuff.
IMO, the best solution is for IE to completly ignore the file extention and contents if it has a MIME type.
Basicly, if it gets a MIME type, it uses that and ignore both the extention and the content. If it doesnt have a MIME type (e.g. local disk file or FTP server, it should use the extention only and ignore the content).
If the MIME type it has is for something like text/plain or image/png or text/html or something else that IE can handle, it should handle it.
If the MIME type is one for which a system program has regisered itself (for example, ms word could register itself for application/x-msword-document), it gets handed off to that.
Otherwise, windows will display a dialog box asking the user to select from:
1.open with the application registered to handle the extention passed in (for example, if its a
2.open with an application of the users choice.
or 3.save to disk
With an option to save this as the default action for this file extention (and the case of no mime type) and a way to remove that "save as default" and re-specify later on, this would be the ideal solution. Plus, unlike what the MS proposal says, it would actually force web-servers to do away with the "send text/plain as default for anything we dont understand" features and configuractions. The right response (IMO, I havent read the RFCs or anything) is to send no MIME type at all for files that you dont have a specific MIME type for.
As for pop-up manager, here is what MS should do:
1.turn off any features in HTML that allows the changing of the "z-order" of windows (e.g. to make a window move to the back like with a pop-under)
and 2.turn the pop-up blocker on by default
But personally, I think the fault lies with the idiot that invented window.open() in the first place. What legitimate use is there for being able to open a new browser window in this maner?
Many web-sites use links that use the TARGET attribute of the tag to create a new window with content in it and thats pefectly fine.
The only uses for window.open() that I know of are:
1.popups, popunders
really? there's a nice "attachments" folder that is magically created by outlook? where? I've been a IS/IT guy for windows NT 4.0/2000/XP and the Look-OUT! client for longer than that and there has NEVER EVER been an "attachments" folder.
It's an attachment in the email. and allowing the idiot to simply click on it to open/execute it is bullshit and you know it.
if you force the user to copy it to the computer from the email first then they have a chance at seeing that it's a trojan/outlook virus. but betting that users are too lazy to do even that the attachment will never get opened.
Lumpy is right, you need to ADD steps for the user to make them actually think instead of the standard microsoft "click and drool" mode of operation...
Run your markup through the W3C Validator or Google for any number of other free, online resources. Share and enjoy!
... is still the best. I love it when a window pops up saying "This window wants to open another window. Shall I let it?", because then I get to click on NO, while saying "Die, marketing scum!".
Also, when I'm somewhere where pop-ups are required for the site to work at all, I can let them through selectively.
To a Lisp hacker, XML is S-expressions in drag.
Why, why, why no full IE PNG support?
Argh.
May we never see th
They knew about it, and they didn't do shit about it.
Alternately:
-- They knew about it, and management wouldn't let them do shit about it.
The company is at fault. Who cares if it was the developers, the team leads, or the janitor? If management lets it through, it's still the company.
-- They knew about it, but addressing it would take significant time and effort, so they opted to defer that to a later release. After all, a million people running a mediocre firewall is better than a million people running no firewall at all.
The company is at fault.
-- They didn't actually realize it until later on. Are you psychic, or do you just happen to have a buddy who was on the ICF dev team?
They added a complex feature without an appropriate level of testing. The company is still at fault
But I suppose those angles would just mess up a good troll.
One may choose to see it that way.. I just look at it as more of the same.. try to add a feature, don't bother to make sure it works right. This is indicative of the state of quality of way too many software companies these days.
That's one thing I enjoy about embedded development.. quality actually means something.
They should have done all this 5 years ago, I'll have to rework parts of my sites to work with them, but the document pretty much says they've fixed all the internet/adware/spyware/virus related security problems we've been complaining about the most, and added popup restrictions.
Marques Johansson
Newest versions of Outlook (Express) will default to not allowing you to execute any kind of attachments.. rather annoying, as it disables images as well (probably a good thing though).
Hiding file extensions has been in there since Win95, and takes all of 4 clicks to disable.. (win2k: Tools, Folder Options, View, Hide extensions for known filetypes.. and while you're there, enable show hidden files and other nice things that m$ decided you didn't want to see).
DJ kRYPT's Free MP3s!
actually $10 says there's some sort of security bug/error that DOES let people access the pop-up manager directly from HTML.
m ag eLoader(src='/img/text.png', sizingMethod='scale');
remember, you can embed VBScript in an HTML page and set it to run on the user's end.
And then, there's my favorite hack for getting PNGs to display transparent in IE (breaks links if you're using the transparent PNG as a background, if the link is on top of the PNG...but it still looks pretty).
filter:progid:DXImageTransform.Microsoft.AlphaI
now, really, that's not even valid CSS. but place that in your CSS rule where you want a transparent background, and BAM! Transparent PNG.
So say what you will about jerkoffs writing pop-up spam not being able to access the pop up manager, i'm firmly placing myself in the skeptic arena.
They instead create a new window with API or a language construct and then assign a new instance of the IE activex object to that handle. It's a much more reliable way of opening new HTML windows in applications.
Which part of the API is that on Konqueror / Mozilla etc... The 'enhancement' of standards which are theirs to enhance is somewhat the cause of their previous legal troubles.
I wonder if anyone is auditing their code for this and if they have taken anything from iptables and not given it back to the community.
I bet they have and claim they have paid sco and so are covered.
I hope the free software luminaries are checking up on them.
Looks like they are trying to catch up to Linux.
I wish Bill and Steve would just go away and let us run IT the way it is suppose to be ran and not the way they tell the executives how it should be ran.
I set -tab to switch firebird tabs on my system. I takes a bit of getting used to, but it's very convenient.
While the execution protection idea is a good one, I can't help but wonder whether or not it is TCPA/Trusted Computing related? Is this a first step into this technology for Windows? If so im not really sure I want Service Pack 2.
I've been using Firebird/Phoenix since 0.5 now. A friend recommended Avant Browser, which I reluctantly tried. It finally got me away from Firebird.
;)
Avant's not really its own browser, but an add-on for IE. It includes a built-in pop-up blocker, tabbed browsing, and 2-click filtering for flash, java, activex, sounds, movies, images, etc. Plus, it has a built-in Google search, and renders IE immune to most of the malware crap you'd pick up just by browsing (at least, in the 3 weeks I've been using it, Spybot S&D's only found 1 piece of spyware).
It's worth a shot for anyone who's looking for a change in their browser. And while I wouldn't call Avant flat-out better than Firebird, it's definitely an equal, which puts both browsers head and shoulders above the overbloated Mozilla.
DId you read the .doc file they have?
.. you will in fact be able to see this add-in and remove/block/delete it, unlike today which requires the installer to put an uninstall mechanism in .. which isn't required and most spyware leaves that out.
It specifically makes note of IE Add-in management features.
SPECIFICALLY, referenceing Active-X add-ins and other types of spyware addins that can currently be installed in IE with little to no notice to the user. So with the new one
Who makes you Sig?
> How about looking at a little detail: IE, just like Mozilla and Opera, will not block stuff resulting from a user click.
Eventually, we'll have to migrate to a "opt-in" only model or develop pages that don't require popups at all, neither of which is a bad idea in my mind.
> I've switched to Firebird, finally. I got sick of finding that my HOSTS file, favourites, and start page were being rewritten by malicious web pages.
I think you're using it wrong. The only way for this to happen is with a malicious ActiveX control. Are you clicking yes when it asks you if you want to install it, or are your security level settings so low that it doesn't ask? Either way, I'd say it's your fault.
I do agree that Firebird is the finest browser on the market. Too bad getting Java and Flash to load with it under Linux is like drilling your own teeth. Yes, I don't really need Java and Flash is pure evil, but as a web developer, there are times when I need it.
Why not call it "changelog" instead; or is that too close to what the open source projects call it?
Anyone seeing an effect of the Eolas litigation? A way-too-quick read suggest that inline scripting may be disallowed -- what about plugin/control content like Flash, Real, QT, etc?
man/woman enough to admit it? Thanks for the feminist PC bullshit.
Is it me or are they actually beginning to shape up? I know it's blasphemy to praise MS, but after reading that document I was quite impressed. A few times I was surprised and uttered, "Wow, they actually fixed that!" to myself as I was reading.
...but what's the catch? Seems too good to be true.
Perhaps there is some remote code that manipulates pixels on your screen to subliminally flash messages to you thus making you relinquish your spiritual ownership and connection to your soul. You are now one of them.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Are you clicking yes when it asks you if you want to install it, or are your security level settings so low that it doesn't ask? Either way, I'd say it's your fault.
Yes, it is obviously the user's fault when always selecting the default option results in installed spyware.
Just like linux users become blind to the broken UI's, windows users become blind to the horrible security flaws.
"The funny part is everyone who doesnt use outlook as a mail client has had safer email for years."
Disclaimer: I absolutly HATE Outlook and Exchange...
But in the defense of MS (yikes) they have managed to cobble together enough bandaid fixes to make Outlook rather sane. In this day and age downloading stuff before you run it simply isn't enough. Of the three near virus problems I've had on the network, people downloaded something that was from someone they didn't know, didn't even have a double extension, and was labeled something suspicous ("sexyfun.exe"? If that doesn't scream virus, I don't know what does).
With the latest update of Outlook 2000, & Exchange 2000 MS simply crippled ALL "dangerous" file formats. At first I was going to re-enable them but thinking about it, I decided not to. There is no reason to send an exe file directly through email, and if you do wrap it in a zip file and save some bandwidth while you're at it.
Obviously if I didn't have to use exchange for mail I could easily filter mail at the server, but I have to work with what I've got. MS has at least taken some steps in the right direction (although it's still not a substitute for designing something with security in mind).
This page documents how you install java and flash. I agree it could be streamlined somewhat in linux.
So what if IE crashes on its own? Will it please please please allow me to uninstall it?
At least we can dream!
Some days it's just not worth
chewing through my restraints.
"Internet Connection Firewall will be enabled by default..."
About damned time. I just hope that DHCP works through it by default, because right now it doesn't, and if it blocks DHCP, all of those broadband users who connect the PC right to the cable/dsl "modem" will deactivate the firewall to get online.
Of course, what we really need is for ISPs to include a user-manageable firewall in the damned devices in the first place.
Incidentally, firebird will block popups resulting from a user click, at least in some cases. There are pages where I must consistently click the same button twice to get the popup I actually wanted to see.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What? No Ogg Vorbis?
I'm sorry, but what kind of logic is that? You "love" the fact that a pop-up window has disrupted your browsing to tell you about another pop-up window, and are then happy about having avoided the second one?
The Mozilla team is apparently working on moving pop-up error/info messages into the browser window itself, because they recognize that this sort of UI is disruptive. If I'm Ctrl-clicking (Windows) or middle-clicking (Linux) on a stack of links to load in the background, I don't want to be interrupted when one of them times out, wants to set a cookie, uses/doesn't use SSL, etc. But I still want to be made aware of these things.
With Mozilla, you can also specify sites which are allowed to use pop-ups, though not interactively.
WMBC freeform/independent online radio.
Way back in my Comp Sci days, I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed. Trying to read or write to the code area, or execute a data area would result in exceptions. It was many years ago though ...
That's how it works now, and the CPU won't execute from instructions in areas marked nonexecutable. Problem is, the stack is executable, and that's where buffer overruns happen. And a certain code technique called a trampoline, which generates asm on the stack to execute, requires an executable stack. Trampolines aren't strictly necessary, but they are fast and easy, and they're not going to be easy to get out of everything that needs it. I'm told there's ways around the nonexecutable stack as well, though I'm not certain what they are. Regardless, I'm not sure if it's even possible to make the stack nonexecutable on IA32...
I've finally had it: until slashdot gets article moderation, I am not coming back.
Those are two totally different things.
/var, to prevent any programs there from being uploaded and then run to take advantage of an exploit or other such issues.
Drepper is talking about being able to mount disks with the noexec flag, which prevents programs on that partition from being executed. This is most often used on filesystems that could possibly be written by public users, like
Execution Protection is probably referring to making the code pages of a program non-writeable. The goal is to prevent buffer overflows from allowing a script kiddie to write to the code segments and load the shell code. Take a look at OpenBSD's W^X (write xor execute) for more info.
So say what you will about jerkoffs writing pop-up spam not being able to access the pop up manager, i'm firmly placing myself in the skeptic arena.
Okay, well, we will have to see. That's going to take some time. The theory is sound. And historically you can't run API that accesses ActiveX that is not scripting safe from the IE. There have been numerous bugs, but they have all been patched as far as I can tell.
Switch between tabs in Mozilla using Ctrl-PageUp and Ctrl-PageDown. For most people with only two hands, this means not having to take a hand off the keyboard, and is much more efficient.
I can't count the number of times where I've had to use IE for whatever reason (usually someone else's machine) and found myself hitting / or Ctrl-T and wondering why it wasn't working.
WMBC freeform/independent online radio.
What the hell are you talking about?
The API in question is the Inet interface provided by Internet Explorer since IE4.0.. it isn't a "standard", nor is it published anywhere outside of MS, nor is it sanctioned by any standards body. It's just an API they created to allow developers to use IE's HTML rendering engine.
It is not covered under the settlment.
So... WHAT EXACTLY is your reference to Konq/Moz and how is it relevant?
"mitigate" is just fine, but there's no reason to say "mitigate against". "Reduce the severity of against malicious attacks"? No.
For that matter, the layout of the TechNet site is awful. Who thought it was a good idea to make the menu items on the right non-wrapping? At 1280 x 1024, I have to make the menu take up half the screen in order to read it properly.
At first I thought this was a Mozilla issue, but Mozilla is only slightly worse than IE 6 (the body text doesn't wrap either in Mozilla).
WMBC freeform/independent online radio.
so don't visit the site. what is so hard about that?
Most people were content to make their pop-ups IE only.
What are you talking about? As far as I know the Javascript "window.open" method functions the same in every browser that's matured in the past 6 or 7 years.
If I use Netscape 4.x, I get popups. If I disable blocking in Firebird, I get popups. There's very little IE-specific about it.
Now the whole site is unusable unless the user disables pop-up protection.
Good riddance to that site, then. There will always be webmasters out there who won't be willing to re-code their entire site to accomodate some douchebag marketer's desires to splatter untargeted advertising all over you screen.
Pop-up windows (as opposed to Flash ads) are a dead tool, in my opinion, because the programs available are extremely effective and allow for basic workarounds.
Under capitalism man exploits man. Under communism it's the other way around.
"Execution Protection" marks pages *in memory* as data rather than code. That helps prevent buffer overrun and stack-smashing attacks -- where cleverly arranged faulty data can be executed as though it's a program.
The "Execution Protection" is a feature of the CPU, which operating systems can add support for. If it isn't already in Linux I'd expect to see it soon.
The Linux stuff is about marking entire *disks* (mountpoints, really) as containing only data, and not programs you want to run. That prevents someone from uploading a nasty program onto your disk, then running it. (For example, you could mount your operating system / built-in programs on a read-only disk, then mark everything else as 'noexec' -- making an attacker's job much tougher).
four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
MSDN talks about this too:
Execution protection prevents code execution from data pages such as the default heap, various stacks, and memory pools. Protection can be applied in both user and kernel-mode. As execution protection prevents data execution from the stack, the specific exploit leveraged by the recent MSBlaster worm would have resulted in a memory access violation and termination of the process. On a system with execution protection, MSBlaster would have been limited to a Denial-of-Service (DOS) attack, but would not have had the ability to replicate and spread to other systems. This would have significantly limited the scope and impact of the worm. And although MSBlaster in its original form may have been less malicious, it should be noted that execution protection is by no means a comprehensive defense against all viruses, worms, and other malicious code.
The actual hardware implementation of execution protection and marking of the virtual memory page varies by processor architecture. However, processors supporting execution protection are capable of raising an exception when code is executed from a page marked with the appropriate attribute set. The 32-bit version of Windows currently leverages the NX processor feature, as defined by the AMD64 Architecture Programmer's Manual. This processor feature requires the processor run in Physical Address Extension (PAE) mode.
Although the only currently shipping processor families with Windows-compatible hardware support for execution protection are the AMD K8 and the Intel Itanium Processor Family, it is expected that future 32 and 64-bit processors will provide execution protection. Microsoft is preparing for and encouraging this trend by supporting execution protection in its flagship Windows operating systems.
This kills a whole class of worm attacks. So when your boss asks you why you want a shiny new Athlon 64 to replace your current piece of crap, you can say "See? This gear would have protected us from last month's worm infestation if it had been available. It's not that expensive and we should upgrade anyhow. Don't let Purchasing give you any static about switching to a vendor that sells AMD based machines. Unreal Tournament 2004? I know not of what you speak, sir..."
trolling on slashdot
poor substitute for a life
yet it still goes on
Yup, my HP laptop came with its XP image already patched to sp1.
It's in a vendor's best interest to do this, I don't know why someone would think they'd do otherwise.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
You're affected by Windows machines getting owned and used as spam relays or DDoS clients. You're obviously affected if you're the victim of either of these, but also take into account the increase in Internet traffic, which will affect your usage and probably increase costs in the long run.
t ml
.doc format.
m l
There's also the issue of "background Internet radiation":
http://www.theregister.co.uk/content/35/34527.h
Not to mention the fact that you probably have to deal with attachments in
For my part, I hope that they've incorporated some of what this tool does, which claims the same goal as some of their changes:
http://www.pivx.com/qwikfix/guide/usageguide.ht
WMBC freeform/independent online radio.
Postulated: A site that has every link set up as javascript, launching a popup with every click.
Concluded: A site I will not visit, a company I will not support or patronize.
Problem solved.
Windows "Execution Protection" is closer to the exec-shield feature in recent Linux kernels. Unlike the Windows technology, exec-shield exploits the existing hardware and works on all processors, but it isn't a 100% solution.
As I recall it, exec-shield maps most dynamically allocated memory in non-executable memory, and it places all the static allocations in the lower addresses that can't be represented as an ASCII string due to embedded nul characters.
The Windows feature just uses turns on a flag thats been added into the silicon for the same purpose.
Opera (6, anyway) blocks any and all popups, regardless of how it's done. It's actually a bit of a pain when you're on a site that requires some stupid popup navigation form, but there aren't many of those worth going to. Click, and nothing happens. Thankfully the status bar generally shows javascript:window.open(somepage.html) or however the syntax is, so I usually clue in.
;).
The worst any site has managed to do is attempt the popup/resize/hijack the browser thing. All they can do is un-maximize the current browser tab. I'm not sure if this is a bug or a feature, because I honesly couldn't care less - any site that tries this, why the hell would you even waste your time with them? The only reason I've even seen it was due to some "research" (it was a porn site
Go ahead. Do your worst. I'd love to see you get Opera to popup a window on me.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I'm an author, and my publisher requires everything to be written in Word.
I can't tell you how many times that piece of crap program crashes on me a week; it's gotten to a point where I have to set a timer to remind me to close the program every hour and re-open it so that I don't lose anything when it inevitably crashes.
Don't use that site anymore! That's the main reason I avoid IGN anymore. Otherwise it's your own fault.
Gosh, I hate users that go to websites just for "themes" or "religious quote of the day" when the site is mainly just spamming them but they did ask for it so it isn't really spam. It's not the bad guys its those stupid lemmings, er users.
Same thing happens to a Checkpoint firewall before the rulesbase/services completley comes up. Your point?
You'll have to wait for service pack 3 for any impact on personal firewalls.
Well.. maybe. Or Maybe not. But Definitely not sort of.
I could have sworn that when a 386 (and to some extent a 286) was running in protected mode, different areas of memory could be marked as 'code' for execution and for 'data' that could not be executed.
Sort of. You could mark entire segments as being no-execute, but not individual pages. The segmented memory model isn't as flexible as a flat, paged model, and all Win32 OS's use a flat paged model with the code segment, data segment, and stack segment being equal.
Actually, AMD64's PAE is a different feature from IA32's PAE. I think it's supposed to be used only in the 64-bit mode, although I'd need to check the reference documentation. I'm not sure why they used the same acronym. Maybe just for confusion?
It's a HUGE leap to go from shipping with a known problem to "not bothering to make sure it works right".
However, I will cheerfully agree (in general) that far too many apps are shipped with inadequate testing. I honestly think people (damn whippersnappers) don't know how to debug any more. Call it the "It compiles, ship it!" syndrome.
Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
Yeah, it's not like Internet Explorer or the Windows Explorer ever uses up 99% of system resources.
The way I look at blocking is:
;)
There is no such thing as 'blocking ads'. What I *do* block are certain domains, image sizes, HTML, JavaScript, etc from being rendered or invoked from my browser.
Now, if your site chooses to use such elements to serve content, and if YOU happen to refer to such content as an 'ad', then yes, your ad may get blocked when I visit your site.
Sorry.
I'm inclined to say it is probably licensing or something like that since:
1)IE for Mac supports them fine.
2)IE DOES support them, but only if you load them with the DX Alpha image loader.
3)Explorer (which is just a different front end to the same components) displays them fine.
4)MS has no stake in graphics formats. They have their own audio and video format, but the only graphics format I know of they made is BMP, which is just uncompressed data.
So we know it's technically capable of doing it, know the components handle it, and know Ms knows how to implement it properly. Also, they have no stake in pushing a proprietary format.
All that makes me think it is probably licensing, patents, or something of the like. I mean we know MS loves to not use or cripple open standards in an effort to force their own, but I've never seen them do it when they have no stake in anything.
Someone released a keygen that checks against all the same thigns Microsoft does. So it ALWAYS generates a different, valid key. It was called bluelist or something and you can Google for some news stories on it. Supposing it works as claimed, banning keys does no good since people would just generate a new one. They also can't ban the whole range since it includes legit keys.
Buggy code with buffer overflows is harder to exploit if the stack is not executable -- you can't jump directly into the buffer you just filled with code (you can, however, use "return into libc" attacks, but this is another story).
However, the problem with no-executable stacks is that you cannot create them easily with memory protection alone. This is because if a page on ia32 is readible then it is executable too. This is memory protection -- i.e. the permission bits for regions of memory in the page tables.
What you are talking about is segmentation which is something else. In protected mode whenever you address memory you go through a segment selector like ds, cs, es, ss, etc... Just like in real mode the way a virtual address is formed is by segment+offset.
So when the machine is switched to protected mode the OS has to set up these segments for you in what's called the Global Descriptor Table (GDT). This thing is just a data structure in memory that the OS can use to tell the chip:
Windows (and, AFAIK, Linux w/o any tricky patches) set up all segments to start at virtual address 0 and extend 4Gb in size. That way no matter what segment you use to address memory you always see a flat 4Gb address space. In this model segments, in essence, disappear and you are left able to address memory with just the "offset" part.
FWIW, I think the way some of these cool no-execute stack patches work is by breaking this "flat 4Gb" model. You see, unlike the execute bit on memory permissions, the execute bit on segment permissions actually works. So you can set up read/write segments that are not executable. Well, if you feel like splitting your address space and reserving some of it to be "stack space" and other to be "code/data space" then you can create no-executable stacks. The downsides here are pretty apparent:
I don't know much about the other ways people have managed to get no-exec stacks. It looks like Microsoft did it with new chip features... the new AMD hammer (and Intel itanium) chips actually pay attention to the execute bit in the memory page permissions. I heard that the next P4's will too. I think Linux has a few patches that work with the cache somehow. But I don't understand these fully.
No. You only get PAE mode with advanced server and Data Center flavors though. PAE is the paging mode that allows for access above the 2GB limit. Useful for DUSs (Databases of unusual size).
Also, keep in mind that having a running firewall is going to break a lot of apps and cause a lot of pain. I predict the number of calls to MS phone support (and to XYZ company's phone support) will explode after this service pack rolls out.
Suddenly gamers won't be able to host multiplayer games, for one. People's distributed file sharing clients won't let them share anything. etc...
I suspect that this anticipated user pain is the reason the ICF was not on by default at XP ship time.
Yeah that's really fun to do on 50 different machines because the idiots in IT are too damned stupid/lazy to do this when they made their image files for the machines.
how about the OS maker removing the one stupid blatent bug/security risk on this planet?
Yes it's beenthere cince 98... get rid of it as 900% of everyone hates it.
Although attachments in email are stupid. I think all attachments should be disallowed!
There are many more things bad about outlook that lumpy doesnt cover that make it insane to use in your business....
I just made the same suggestion to my neighbor who just wired up his house for a home network of 5 PCs. You can get a switch/router with DHCP service, NAT, firewall services for under $25 bucks nowadays. One of the reps in CompUSA told him he would need to purchase a copy of Norton for every PC in his house to make sure his network is secure. fscking asshole
They say MS is including a "REAL" firewall in the SP2 release.
What odds does anyone want to lay that ZDN won't be printing a retraction about that?
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
With tabs I can see related sets of tab headers in one quick glance.
With the dreaded grouping, everything is hidden from you until you click below. While I enjoy having things wrapped for me at christmas, I would find it exceedingly annoying to have everything wrapped for me all year long, the actual contents hidden until I unwrapped them.
The grouping was the first thing I turned off in XP and the single most requested feature to help other people disable once they found it it was possible.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yay! Kernel 2.6 beat service pack 2! (if you haven't heard, kernel 2.6 was released earlier today.)
Actually, the post about Linux is more subtle, referring to both hard drive mounting and the "Execution Protection" feature (which may or may not be implemented in hardware in linux). What it says in plain English is:
If you say "no files on this hard drive should be treated as executable code" (the "noexec" mount option), and you then read one of those files into memory (the mmap() function), you should not then be allowed to treat that chunk of memory as executable code (the PROT_EXEC flag).
In other words, "Execution Protection" is already in the 2.6 kernel. The fix described (and presumably written) by drepper@redhat takes advantage of execution protection to close up a loophole that existed in the noexec mount option (i.e., that you could mmap() a file on a noexec'd partition and then execute the chunk of code from memory).
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
I never said they don't. There are a couple of known issues with Explorer that cause it to take over the processor cycles, for instance.
In this particular case, I happen to be qualified to correctly diagnose the particular process causing the problem; honestly, selecting the 'processes' tab in the task manager and sorting by CPU usage ain't that difficult. It's the Sun JVM. I have not yet looked into WHY.
What you say is true but your forgetting that the only version of IE to block pop up adds is the version in Windows XP SP2. The majority of Windows users are not running XP, therefore after XP SP2 is released even if everyone who is running XP upgrades to SP2 (which isn't going to happen), the majority of Windows users will still not have a version of IE with pop up blocking.
When you consider that, pop up ads are going to be around and remian effective for a long time to come.
From http://www.openbsd.org/34.html#new :
It's a bit of a kludge on i386 (unlike amd64 or ppc), but it can still be done."It's better to keep your mouth shut and be thought a fool than to open it and remove all doubt."
Well, it might be worth noting that Microsoft also released a freeware Word document viewer utility - so one can always use it to view one of these files, rather than feeling forced to buy a copy of MS Word to do so.
I seem to recall loading a document into WordPad once that was larger than it could handle, and it let me know by giving me a dialog box error to that effect. (After that, I believe it still let me work with as much of the file as it was able to load in, but some was simply cut off.)
He makes a very good point.
Manipulate the moderator system! Mod someone as "overrated" today.
My prediction:
As soon as MS implements the pop-up blocker, several places like doubleclick,etc will sue MS. Why? MS has the most popular browser, and with the masses using the pop-up manager that would be with IE, 95%(or whatever the browser share IE has) of their business visibility will be gone.
Hopefully, it will be laughed out of court.
This sounds nifty, too bad x86 CPUs don't support it (barring AMD's x86-64 offerings). However, doesn't PAE mode result in significant I/O performance degradation?
Too bad m$ didnt write an operating system 10 years ago that uses ring 1 or ring 2 in the cpu. Why? Those 2 rings, introduced with the 386 cpu, was designed to and also includes non-executable pages. Micro$ only uses ring 0 and ring 3: ring 3 was never designed for NX as it was already put in rings 1 and 2.
Security through design?
They have, they just haven't marketed it very loudly.
.MDI format. It is the Microsoft equivalent of a PDF file. Of course, until a free reader is available for other platforms, Acrobat won't be going anywhere soon.
It is a print driver installed with Office 2003. You can print anything (Word doc, text file, web page) using this driver to create a file in
I seem to be the bloke that's always knocking together the computers for my circle of mates & my extended family, & every time I set up the internet connection invariably the ISP documentation or tech support bloke says to make sure that 'Internet connection firewall'.
From my experiance, more often than not, computers won't even log on with that ticked (& that goes for both dial up & broadband).
So if someone has XP & they're having trouble getting their new internet commection working, they should make sure start/settings/network connections/new connection name/properties/advanced/internet connection firewall is unticked
That is absurd. Microsoft wants to kill ActiveX on the web just as much as you do.
I can't remember the last time I read an article on MSDN or any other MS developer website where it was suggested you should use a client side ActiveX component to provide a rich interface.
They have already recognized its major shortcomings (notably "all or nothing" trust of components) and are now pushing new alternatives to a rich web experience (.NET smart clients, Avalon XAML apps in Longhorn, etc).
The reason they can't block ActiveX controls is that an ActiveX control can do whatever it wants if the browser allows it to execute. There is no fine grained control over what it is allowed to do.
No conspiracy here.
I'd be more worried about the 'NX' for
'no execute' flag on the new Intel and
AMD processors. Looks like these devices
have the potential to lock out linux. To
whit: ANY software not bearing a microsoft
special code will trigger the flag to not
execute the program. So make sure all your
software carried ole uncle Bill$$$ 'WUHQ'
signature or it won't run. From the
'it ain't done til Linux won't run' department,
only this time it was done on the processor
chip itself. I suppose the new systems will
all have this, and new software will probably
have this 'signature' and a checker such
that the program will not run unless you have
one of these new 'trusted computing' or '.net'
friendly processors.
By the way, when is the last time you saw
a 'c' or c++ compiler program that runs on
microsoft systems available in a major electronics store?
The only way one is going to remain free
in this business is to stay with the old
machines. I bet there is a fix for these
as well contained in the Ivp6 internet
use rules and equipment contraints that are
being worked out without our knowledge and/or
consent. Maybe the better way is for us
computer users is become amateur radio
technician operators and set up our own
packet radio based internet with distributed
mobile encoded nodes, many outside the
Union of Soviet Oligopolist Amerika
This section provides detailed information about the technologies included in Windows XP Service Pack 2 that help inform the user about security technologies and ensure that computers have current security updates. These technologies are either designed to help provide security or have been improved to provide more security than before.
This content is not available in this preliminary release.
Conserve Oil, Recycle, Boycott Walmart
They knew about it, and management wouldn't let them do shit about it.
"They" in the context of my statement is Microsoft. As a software user, I'm unconcerned with what part of Microsoft caused this to happen.
They knew about it, but addressing it would take significant time and effort, so they opted to defer that to a later release. After all, a million people running a mediocre firewall is better than a million people running no firewall at all.
Yes, I imagine this is what happened. However, I cannot agree with your justification of it. Windows XP was released more than two years ago. And they provided what appeared to be a firewall. A firewall I have myself relied on, that purported to effectively secure the machine from external attack. It did not do this. I would have preferred that the firewall not be provided such that I could have taken other security measures to properly secure machines.
They didn't actually realize it until later on. Are you psychic, or do you just happen to have a buddy who was on the ICF dev team?
That's why I phrased my comment as "...it strikes me as...", obviously my opinion on the subject, like most everything else posted in the comments section of Slashdot. I don't believe an understanding of the paranormal is required in this case...a good knowledge of software engineering ought to suffice. I refuse to believe that these people were unaware of the lifecycle of their firewall service.
What has *science* done?!? -- Dr. Weird (ATHF)
My prediction is that there will be more intrusive ads, instead of pop ups (pop unders, etc) there will be more ads like on Yahoo where you have to wait for the timeout to be redirected to the final page. These ads are more like commercials on t.v and are easily enforceable on all browsers.
Can I get an eye poke?
Dog House Forum
Couple questions, I thought I read on one site that you can only go 4 levels down on sections/subsections. Is this true? (Hopefully using the right term...I mean itemized lists with roman numerials, numbers, letters for each part)
Also, can ya'll post some good links to a newbie learning LaTex..and some good reference sites that have all the tags layed out with good explanations?
Many Thanx in Advance...
cayenne
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
PDF???? Why not just post it in HyperText Markup Language. That way we dont have to load other viewers to view it. Come on, this is the internet people.
In Soviet Russia the insensitive clod is YOU!
This is the Internet! Use HTML or XML for documents, you fucking fags!
Karma: It's all a bunch of tree-huggin' hippy crap!
This reminds me of GeoCities where people with a GeoCities homepage (as they call it) were not allowed to put in HTML, JavaScript, or anything else that blocked or altered the adds. I have never heard of an EULA that had anything to do with agreeing to not block popup adds or add images.
Even if an EULA forbid people browsing the web from blocking the popup adds that would be very stupid because there is no way to inforce such an agreement and stop people from using Squid Guard and such software. Besides, HTML is an interpreted language. It's up to the web browser to figure out how it should look in the end.
Maybe someone could make an EULA that forbids blocking any images on the web page, altering the text size, defult font, colors, and forbids the use of text-only browsers such as lynx. If anyone does let me know so we can sterilize those people and their descendants so we can rid the gene pool of such people. :)
Losing faith in humanity one person at a time.
Regarding the usefulness of the other protection rings on the Intel, it would appear Linus doesn't quite agree with your assessment. To quote:
" I suspect that the _real_ answer is that ring 1/2 are just fundamentally useless, and it has nothing to do with x86 implementation semantics or anything else."
if the siute is unusable by default, people just won't go there, and sites that people "need" to go to won't do this.
The Kruger Dunning explains most post on
For most people with only two hands, this means not having to take a hand off the keyboard, and is much more efficient.
I think you'll find that most Slashbots keep one hand OFF the keyboard at all times. Their best chance at increasing efficiency is to eschew the monkey, if you know what I mean...
> also, have they disabled the stupid "feature"
> to hide file extensions? this one thing is one
> of the worst securtiy holes in existance.
No. File extensions are a poor way to give files a type attribute. There isn't any real reason to have the file's name and type linked, and extensions are significantly more vague than a string with the full name of the type. It isn't a bad idea, it's just not the way things are done now.
There are two problems with hide file extensions:
1. There isn't a "rename"-like way to change the extension when you're in that mode
2. Aside from Macs, there doesn't seem to be a filesytem which gives the files separate names and extensions (and, as of the last time I used a mac, I didn't really like how it was done there either)
I'm pretty sure he means "IE only" in the sense that every other major browser available gives you the option to disallow them. Therefore, only IE users are seeing them.
Of course 90%+ of the people using the web are using IE. From the marketers' perspective, there's little incentive to find work-arounds for the browsers that don't display their ads, so they haven't bothered. You can bet they will though once that number hits 50% or so.
I like my women like my coffee... pale and bitter.
True, people just don't install service packs. Look at how many Windows machines are compromised due to security holes that were patched months (if not years) ago for evidence of this. I don't see this changing any time soon.
I like my women like my coffee... pale and bitter.
With the book style you can have
\subsubsection{}
\part{}
\chapter{}
\section{}
\subsection{}
\paragraph{}
\subparagraph{}
That's 7 levels. The article style only allows from \section down.
You can make up your own style and have more if you want but I believe the above is what the Chicago Book of Style recommends. Essentially (La)TeX enforces the CBS.
I suspect that this anticipated user pain is the reason the ICF was not on by default at XP ship time.
Am I the only person out there whose ICF is enabled by default? Every time I've installed XP it's on. Is it only on by default in Pro?
Is this true about the 4 levels in section 4.1.4 of this pdf document?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
and the sad thing is that it is not much more than something like squid + ipfw (nice logging...), and it costs A TON. ::shakes head::
Fuck Beta. Fuck Dice
Firebird basically prevents all popups for a couple seconds after the page loads. This is because their normal popup killer wasn't catching everything (such as on nytimes.com).
At least it doesn't bork the Javascript interpreter anymore while doing this.
I'm curious, really... although I don't use IE, of course.
We've always been at war with Eurasia.
The small part that it had played in technology is diminishing as even Joe Six pack is figuring that Windows isn't ready for the Internet and that pretending it is is costing businesses billions, year after year, after year. Both directly and indirectly. And now that international investors have divested and that even its own emloyees have offloaded it is as irrelevant to the stock market as it is for the IT sector.
No reason to keep plugging it, if you're not on the pay roll. Doing so is not only working for free but also causing further harm and excluding other stories and even original sources.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
The further you get from the original source, the greater probability for omissions, errors or further bias. Yes, the original story had those problems, but following a lossy compression with a second lossy compression, you get less info and more garbage. That applies to any news source, or even academic research.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Another poster has answered this below..
Is this true? (Hopefully using the right term...I mean itemized lists with roman numerials, numbers, letters for each part)
If you mean "itemized" or "enumerated" lists then yes there is a limit it appears you can go 5 deep.
The following will give a "Too deeply nested" error. Due to the "sub sub sub sub sub sub item"
N.B. It it not very pretty due to having to get past the "comment compression filter"...
\documentclass{article} \begin{document} \begin{itemize} \item Item \begin{itemize} \item Sub item \begin{itemize} \item Sub sub item \begin{itemize} \item sub sub sub item \begin{itemize} \item sub sub sub sub item \begin{itemize} \item sub sub sub sub sub item \end{itemize} \end{itemize} \end{itemize} \end{itemize} \end{itemize} \end{itemize} \end{document}
As with many aspects of LaTeX however if you find it doesn't do something it probably means it's not prudent (from a structural perspective) to do it anyway. For example if you really need that level of deep reference you may well be better off with part,chapter,section, subsection, ... . . .,itemize etc... Ironically I tried posting this reply with some deep nesting, slashdot posts are limited to three levels deep! ;-)
Of course if you wish to you can always override the builtins with your own "super list" or something.
Also, can ya'll post some good links to a newbie learning LaTex..and some good reference sites that have all the tags layed out with good explanations?
Sure, below are a list places I would reccomend starting, you havn't said if you use Windows, *nix or Mac so i've added both (sorry if you are a Mac man you'll have to Google yourself).
- Other random stuff
- dvipdfm. For converting the output of LaTeX into PDF (highly recommended)
- Prof. Knuth's home page(The author of TeX).
- CTANThe Comprehensive TeX Archive Network. Here you will be able to download packages, utilities and tools that do not come by default in your LaTeX distribution.
Good luck and happy LaTeXing.-ed
Be nice to people on the way up. You will meet them again on your way down!
I suspect you meant "fiancee", with two e's. You are her "fiance", one e. (As I quickly learned when I was engaged.)
My current metamod page claims somebody modded parent Redundant, but Redundant isn't in the list of things it was modded when I look at the post itself. Is slashcode crap?