Another Serious MSIE Hole
pjrc writes "Infoworld is reporting
another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"
A little demo for those still using IE...
Other good reasons to use Linux:
* It's incredibly easy to script and build new applications by tying together existing ones via pipes. The results are fast, reliable, and professional -- unlike AppleScript or VB-produced results. This is only relevant to tech users, but it's a big one.
* It's free. Okay, for a professional with a decent salary, the cost of Windows vs Linux itself -- the base package -- really isn't significant. A hundred or two hundred bucks is not a big deal. However, to purchase commercial equivalents of all the Linux apps I use would be extremely expensive. Compilers (think Visual Studio), editors (think Visual SlickEdit), mail clients (think Eudora), system monitors (think all manner of shareware apps), sound editors (think Cakewalk), image editors (think Photoshop), web servers (think IIS), code checkers (think Gimpel Lint), graphing programs (think Visio), math/statistics packages (think MATLAB), and all the rest, there is a *lot* of money involved. Sure, you can pirate it, but that's not an option at work, and pirating software is less and less trivial with the surging prevalence of phone-home features.
* It's secure. Traditionally UNIX (and its apps) have had tighter security design than Windows, especially WRT local security. A couple of Microsoft apps are phenomenally insecure (MSIE, Outlook), and most Windows apps don't have the same emphasis on avoiding attacks.
* It gives better performance. My workstation runs a large set of servers in the background. I don't notice. I have a friend that runs a Windows FTP server that he kills off when he wants to take all the CPU time on his system.
* I can fix bugs that piss me off. If I have an issue, I happen to be a coder, so I can run out and fix it without just complaining to a company's forums and hoping that something happens. I can add features that I want. Obviously, this benefit isn't nearly as good if you aren't a coder, but it's something to consider.
* I can actually see what's going on. Linux has a strong tradition of talking about and letting you see what's *actually* happening on your system. The startup system is just a bunch of scripts that are quite readable. In contrast, if you pick up a book designed for a Microsoft administrator, you'll get a bunch of Microsoft-invented terms ("Enable a service"...am I starting a process listening on a port or what? What the hell is happening?) This also makes troubleshooting much better.
* A richer toolkit. For at least coders, network admins, and security types, good tools exist that have no Windows equivalent. (The reverse tends to be true when it comes to office workers.)
* Choice. If I use Windows, I also must use Explorer, like it or not (and I don't). I can't use the kernel or Windows software without also using the expected file manager (yes, there have been a few hacks to try "replacing" Explorer, such as LiteStep, but they're flaky...more neat toys than practical tools). On Linux, I have more window managers available than I have fingers. I have a whole collection of file managers. I have docks galore. I can choose my favorite from each category and use that.
* Better design. The fact that Linux uses better file-locking semantics, the fact that Linux uses symlinks instead of shortcuts, the fact that it's easier to write a reliable Linux driver than a reliable Windows driver, all have strong trickle-down effects to the user in the form of fewer reboots, more flexibility in file system layout and control, and a more reliable system.
CMDRTACO CHECK YOUR EMAIL!
Anyone noticed similarities between MSIE and Swiss cheese ?
And people wonder why viruses are so prevalent on windows boxen...
Now that anyone can spoof not only the url, but the file type, who will know what they are downloading.
Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?
Would you like some more pie, Bill?
Looks like we have run across another internet exploiter bug, wonder if they plan on patching this. Then again they might not release January's patches due to the Chinese new year. Really we can't expect for Micro$hit to do their job right the first time much less the second time.
Everyday You see me is the worst day of my life -Office Space
DON'T use IE!
--Keeping the flame wars alive, one post at a time
Here's a safe demo of the exploit.
A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.
Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp
Another reason to use Mozilla, maybe.
Not only this, but according to this article in Netcraft, Microsoft is deprecating the use of "@" in URLs. In the next upgrade, any URL with "@" in it will return an "invalid syntax error". Let's hope they also fix many other bugs many times reported...
I wonder how well I can navigate the internet with out clicking on any hyperlinks.
makes me think of goatse....
i miss that guy....
IE? Nobody here uses IE :-P. I think these problems with GAIM are more of a concern for the slashdot readership.
I hear they've been fixed in debian. (no link, so you better check for yourself)
Belief is the currency of delusion.
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."
Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb;[ln];833786. Remember, type, don't click.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
From the article text:
Doom worm currently reeking havoc across the globe.
So it's a smelly worm? Or are they trying to say that Windows stinks?
Where's my lobbyist? Right here.
When I've got 70 MB on the partition that has Windows, and plenty of space elsewhere, I should be able to patch, right? Just install IE on another partition. Turns out IE wants to install only on _that_ partition. As a result, I'm stuck with IE 4.
Mozilla
Pass it along...
How else am I supposed to distribute the latest virus? E-mail it? That's so 90's! Sheesh...
... that Windows is far more secure than Linux or OSX because it gets tested so many more times out there in the wild..
[Editors note: replace 'tested' with 'tested and found wanting']
Simon.
Physicists get Hadrons!
As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.
This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.
A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."
If they ran the file, it sent me a message with their computer name, username and other details.
About 80% of the users ran it.
I lost all faith in the human race that day.
"Live Free or Die." Don't like it? Then keep out of the USA
the ie has been so full of holes, and there's shitloads of unpatched ie's out there as well, that nobody who wants to have any control over their computer is using it anymore(unless they're stupid enough to trust some middlesoftware like nortons, or simply don't know why their computer is getting less usable by the day. "hey I just wondering why am I getting popups even when I'm not browsing?? it really gets in the way of my spreadsheet work").
if you have a stock ie and you browse around with it you WILL GET infected with some spyware or another, sooner or later. this is how it has been for the past few years(!) so a new hole hardly changes anything(it has not been trustworthy enough for years to use on random urls from irc/forums/whatever, so another bug is unlikely to change anything).
world was created 5 seconds before this post as it is.
Slashdot hasn't posted my story yet....
We detected MyDoom.B around 15:00 GMT today - ClamAV (opensource rules), McAfee 4319 DATs didn't.
Preliminary analysis at Internet Storm Centre.
Most AV vendors have new patterns out now.
Phil
I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I supposed their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.
Cyde Weys Musings - Scrutinizing the inscrutable
Yeah, I know, that's just what Microsoft said at the trial. But this bug may force them to choose between:
- leaving their software unfit for use on the Internet, and
- proving to everyone that they lied in court.
Not a good situation for Microsoft. Of course, it's just (somewhat informed) speculation that Microsoft can't fix it...
"I'll be Grateful when they're Dead"
this is pure slashdot!
Maybe someone will write a shitty OSS patch for it. Wouldn't be the first time.
There are times when I wonder if Microsoft isn't purposely trying to get everybody on the Net own3d.
I mean, what kind of frikkin' bug would make an executable link pretend to be something else? If I believed in conspiracy theories, I'd swear it was deliberate.
Gifts for Geeks - Stuff that really matters!
Konqueror under linux is also vulnerable... so it is not just windows IE
"There's no set architecture in Linux. All roads lead to madness" -Microsoft
Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.
Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."
I was so sure that Thursday is Microsoft Hate Day.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
in fact it is an HTML executable file.
Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.
...is anyone still using IE? Hasn't all of Slashdot moved to something else yet? If you haven't, WHY NOT? If everyone has, then this ceases to be news for nerds.
Hell, if I can get my Mother to favor Mozilla Firebird over IE, I'm sure that you can all switch.
Javascript + Nintendo DSi = DSiCade
My mailbox is already full anyway.
Sheesh, evil *and* a jerk. -- Jade
I'll say.
I'm disappointed, I totally thought that link was going to shaft me and take me to some goatcx type website, that opened up multiple popups, used javascript to move them around so I couldn't close them, then infected my computer with MYdoom. All I got was a link to a microsoft flaw. Someone please correct this link!!!
Veramocor
...never to trust a press release issued on April 1st.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Considering its use of embedding a CLSID into the file name, and the similarity to this flaw, you would have thought Microsoft would be able to sort out a fix soon enough.
Well, maybe.
whereas in fact it is an HTML executable file.
wtf is an "HTML executable"?
Jim, you saw my book! Jim! I can't!
http://www.uggr.com - i'm surprised to discover this site is down... ok, then
http://www.imdb.com/title/tt0104348/
At least those are *fixxed* bugs... AND instead of Sendmail i would have the option to use exim.. or postfix.. or.. something :)
The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)
I really can't agree with the notion that this is really the fault of Windoze. I blame the stupid users that still open attachments that they are not expecting. As IT people, we really need to repeatedly beat this into the users on our networks. If they continue to be stupid, I say we take away their computer, and give them a pad and pencil.
This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.
after all if they did, you could plan for them, etc., but Murphy's Law doesn't work in reverse.
besides, bugs from MSIE don't come out that rarely - if there's only serious flaw in MSIE found in a week, you'd have to say that it is actually a good week for MS users.
What else is new? Why do people insist on using Internet Explorer when there are better alternatives elsewhere?
Mod "Overrated" instead of replying "I disagree with you," you coward.
for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.
I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.
It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.
All governments should adopt Linux, the issue is far too sensitive to entrust to Microsoft.
I don't know the meaning of the word 'don't' - J
It appears that Mozilla is only partially safe from this type of bug. When I went to the test page it still showed up as being a pdf in the filename field but identified as a html file. It then asked me what I wanted to do and defaulted to "open with mozilla firebird". This bug may be bigger than reported.
How the fuck does Microsoft keep getting away with this bollocks? I'm serious; if any other company fucked up security as royally and as repeatedly as Microsoft has nigh-on continuously for the last half decade, then they quite rightfully would've gone out of business.
For fuck's sake, Bill Gates, get your goddamn act together.
FloodMT: crapflood Movab
Serious Microsoft holes, or serious Microsoft a-holes?
They build this active object BS into their GUIs and then direct you to ignore them.
Next: "Microsoft recommends you execute programs from the command window, or better yet, get an OS with a proper shell."
illegitimii non ingravare
Infoworld should have posted a link to mozilla.org.
I find it humorous that so many people get into a flame-off over something so basic as a browser. There is only one thing that M$ cares about and that is $$ - Quit buying crap software and the people making it will either change or become executivis obsoletus. Mozilla makes IE look like the second rate crap it really is...
You Americans are always behind the times ...
Sure, you might be able to trick someone into clicking on a PDF where they wouldn't trust an exe, but if the page is convincing enough you can probably get the user to just run the exe directly anyhow.
If you're using Internet Explorer, you should definitely upgrade as soon as possible!
455fe10422ca29c4933f95052b792ab2
BEHOLD!
You've always been able to do this in Windows, if you change the extension of the file it changes how windows treats it.
Since windows doesn't change the extension from what it thinks it is the problem is moot. Ie. if I convince windows that an executable is an HTML document and it saves it as an HTML document and subsequently opens it with an HTML viewer then there is no problem. If it saves it with .exe and then executes it later there could be a problem.
Windows doesn't use magic bytes to choose file type it uses file extension. Thus as long as Windows saves the file with the extension it thinks it is and continues to operate in such a fashion everything is fine. All that happens is when you double click the executable it opens it with a PDF viewer. BIG DEAL.
Mozdev has some tips about completely disabling IE, even in other applications.
Excellent - I was trying to find out if Linux browsers are vulnerable too. He he he stupid Microsoft haters...
BTW, this news is total bullshit - my IE isn't vulnerable - I opened the link in a new window
C:\Documents and Settings\Administrator\Local Settings\Temp\ie.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}Secunia_Internet_Explorer%2Epdf.htm
I run Win2KPro+IE latest
2 where 1 is the uri and 2 is the text you want displayed.
learn it, love it.
I must be missing something really obvious - what's the problem with this 'vulnerability'? It's all about faking an extension and making the browser execute it instead of the desired app (e.g. acrobat), isn't it? What do you expect your browser to do when you send it a mime header text/html? It can be called .pdf, .txt, .whatever-you-like, but if the mime type is text/html, I'd expect the browser to do its best in running it. I'd say that is expected behaviour.
If you do the same thing in, say, mozilla, you can get the same result - the .pdf extension and a file download dialog. The only good thing is it'll also inform you about what MIME type the file claims to be (which IE doesn't do), but then how many people even know what a MIME type is?
Jobs? Which jobs?
What's left: "MSIE Hole".
Still left: "MSIE"
As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:
Ok, I've been following this stuff for years now. For years I've asked "what will it take for people to switch?" I thought maybe the next big MS bug. Then I got sick of waiting and went straight into frustration.
Why do people stay with MS software? Users have been lied to, let down, pushed around (licensing tactics), and even left hanging -- their systems wide open as vulns remain unpatched. If this were a social relationship, people would call it abusive and advise you to get the heck out of it faster than not!
I keep hearing "this year will be the year MS goes down" over and over again, year after year. I'm frustrated and I believe so are a lot of other people. They are neither improving nor are they visibly dying...and I'd like to know why people are still so tolerant of them even after all they've done.
Mozilla Firebird reports the download as an .html document.
In light of the most recent security exploits found in Microsoft's Internet Explorer application, the company has announced that the next release shall be code-named "Swiss Cheese". "This will ensure that users of our software are not confused on the level of excellence, or lack thereof, that we put into each and every program we make" noted one previous employee. Other names that were voted down for the next release included Purposely Obnoxious Software (POS) and AOL 9.0.
2 where 1 is the url and 2 is the text you want displayed.
there.
I'm shocked (Score:-1, Redundant)
When being shocked is considered to be just plain redundant, I think it's time Microsoft does something.
Anyway, you're talking about the virus. The article is talking about downloads from web sites, where you can't tell what type of file you're downloading - you think you're getting a .pdf, and you're really getting an executable. And you gave it permission to download, because you knew that the file was of a safe type! The type you approved was safe, it just wasn't the type of the real file.
Combined with another (not yet fixed) bug that lets web sites spoof which domain they are in, and you have all kinds of fun - downloading a trojan when you think you're downloading a .pdf or even .txt from a trusted site...
But you really can't blame stupid users for this one. If the browser lies to you about what site you're really visiting, and lies about what type of file you're downloading, there's no $&%^$^%$ way that it's the user's fault. The blame lies exactly with Microsoft.
I wonder if Microsoft's press release will contain something to the effect of "The most effective step that you can take to prevent yourself from malicious files is not to download them" as they did with the URL vulnerability a couple of months ago. In that vulnerability they released a statement saying: "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them" Taken from The Register article: No relief from Microsoft phishing bug
There should be some sanctions against MS for this blatant stupidity, I mean a BUG is one thing, it happens.
BUT not to FIX a bug that's been out for almost 2 months.
in the file download dialog, the true file type (HTML) is displayed.
it is true - in IE, if you click the 'save' button, it'll show you its a HTML document.
The problem is that the standard dialog with the 'open' button doesn't explicitly say that the file is html - it only looks like pdf, the behaviour of the browser is still to perform the mime type in executing the link (that you ran when you clicked 'open').
Infoworld claims the result could be 'devastating'"
I claim the result of MS on the world to be 'devastating'.
There. The 'cut-to-the-chase' summation of where this thread should eventually go.
How many times do we have to be reminded of the vulgarity that has seeped out of Redmond since the beginning?
hi/HELLO/Error/Status/The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Make this guy an editor!
Linux is teh fuxin roxor on my boxor!
whore.
www.mozilla.org The bugfix of choice for me.
This is just another opportunity to check and make sure. If you are still using IE, switch to Firebird. Now. If you don't see the obvious benefit, something is wrong with you. If anyone who still insists on using IE reads this post, please tell me why you won't switch. I really want to see what people are thinking who are still using IE. There is really no excuse anymore in my eyes.
Really, I'm genuinely interested in reasons IE users are still using IE. I just can't comprehend what you're thinking.
The GeekNights podcast is going strong. Listen!
I know this isn't an ask slashdot topic, but does anyone have any tips for how to get people to switch from IE to Mozilla/Firebird? I just don't understand why I can't get people to change, and Lord knows I've tried.
I don't understand it, I really don't. I've seen people complain about viruses, bugs, pop-ups, and ads, and yet when I suggest that they go with Mozilla, they don't want to switch. Why? "Because IE's there." Or "because Mozilla takes too long to load." "Using quickstart isn't worth it because IE starts when the system does, so why run two browsers at the same time?" But yet they'll complain about a 5 second load time for Mozilla, when they'll spend more time than that closing pop-ups and resetting their homepage from where someplace changed it. I've even come across the situations where people won't switch because Mozilla had a different print screen (even though I used an IE skin so the rest looked the same), and one didn't want to use it because when you opened a "new" window, you didn't get the old window in it. Even after I showed them the clone window extension (which is pretty close to the same functionality), he didn't switch. It's just frustrating.
It's sad, Microsoft has people so brainwashed that they'll complain until they're blue in the face that IE sucks, and yet they won't switch unless you put a gun to their head. So does anyone have any suggestions for just how to make them switch? (without actually putting a gun to their head)
-Through the server, over the router, off the firewall... Nothing but 'Net!
Bill said that Windows 98 was over 15% faster. He was about to say it had better access to the internet when he got shot in the head.
Man, shouldn't that South Park general be the Slashdot mascot?
To remove this IE exploit, download this TXT or PDF. Um, it contains the instructions to remove it. Yeah...
I tried the demo in Opera 7.23. :-)
Glad to see that nothing happened when I ran the demo...
SO, don't use IE nor Mozilla but switch to Opera (www.opera.com)
Your nick's my root password. At least it was until a second ago - I've changed to something properly random now.
Was I stupid to use that? Is it commonly known for some reason? Does anyone besides me know what it stands for? Is that phrase used anywhere except a Radiohead song? So many questions...
after all, MS security holes can safely be called the bas%^&d spawn of stupidity and monopoly. Stupidity might have been culled from the gene pool much more quickly - monopoly helps to assure us that their stupidity won't go away no matter how hard we try.
Considering how many spawn there are, I'd have to say that MS is going for Wilt Chamberlain's record of achievement in procreation (or attempts thereof).
Thank you so much for the wonderful idea of fully integrating your web browser into your very secure and stable operating system! Windows XP is simply a joy to work on. I absolutely love it when I'm browsing the web and Internet Explorer crashes, which causes all open windows, including those that have nothing to do with your wonderful little browser, to close as well. What a well thought out idea it was to integrate the browser into the operating system!
Firebird 0.7 is great.
Quote from the article:
"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."
They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.
Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)
This is just another reason why integrating lots of high-level applications into a OS-Application hybrid is a bad idea. Every application you integrate becomes another source of security flaws.
They can be quite good - especially when they pretend to be in a glass cage.
Sigs are bad for your health.
i love when i try out an MSIE security hole on firebird and it fails... heh heh heh...
https://www.accountkiller.com/removal-requested
Except that if you have the Acrobat plug-in, the "Open" dialogue warns you that it's not really a PDF, since the plug-in would open a PDF for you.
All's true that is mistrusted
834489 of 12,645,231 Microsoft plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update: http(s)://username:password@server/resource.ext
This issue is a bit more complicated than you think.
You can buy real turds. At least Moose Nuggets from here. "The droppings of the moose are turned into many craft items for sale as novelty gifts. The dried pellet is shellacked before it is utilized. Most gift shops in Alaska carry at least a few items made from moose droppings. It may seem disgusting, but many of these products are bought by visitors to Alaska and are kept as mementos or given away as gag gifts."
President Bush to Liberate Alaska!
Q: How many Microsoft engineers does it take to change a light bulb?
A: They don't, they just redefine darkness as the new standard.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
>Guninski informed Microsoft in April 2001.
I was just studying industrial safety engineering to see if had lessons applicable to computer security. It does.
One lesson is that you need to have a well-oiled process for collecting problem reports and fixing them. Every disaster that's been studied carefully came with warnings beforehand.
Microsoft does take bug reports and does fix vulnerabilities, but they should figure out why this report fell between the cracks and make sure it doesn't happen again.
Another lesson is to switch management focus from "who's to blame?" to "who can prevent this?". In a moral sense, Microsoft is right to blame the malware writers. In a practical sense, Microsoft is well placed to make life less easy for phishers, worm authors and similar scum.
I know that some of my clients, who are larger organizations with an IT Admin Staff, prevent employees from saving files to their computer from the internet. However, you can open the file from location and view it.
If this did become a major problem and users started accessing infected files like crazy, organizations, such as the ones I mentioned, would be subject to a launch of the virus/worm immediately.
Another Silly Software Hole.
"The advice is to avoid this latest hole is always save files to a folder and then look at them. On your hard drive, the file's true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem."
Or you could use another browser...
Programming is simply the application of logic to creativity
The URL spoofing bug is fixed in XP SP2 FWIW. Not that that helps much right now.
Gee, here I am testing out Mozilla and what do you know it pops up the *SAME* thing as IE. This is not another *IE* bug. It's a Windows Explorer bug, so you should have said: "Don't use Windows!".
It's even worse. The filename doesn't have to be in the hyperlink - it can also be in the headers. So, the url could be http://someuniversity.edu/~somestudent/exam_answers.txt
The header could then have "Content-Disposition: attachment; filename=Exam_Answers.txt{INSERT_executable_file_CLSID}"
The example above would secretly have the file type of your choice but would be known as Exam_Answers.txt. You won't see the CLSID unless you look at it from the command prompt. If you click on it, it executes whatever file type you wanted.
The CLSIDs are under "HKEY_CLASSES_ROOT.MIME.Database.Content Type"
You can't use a machine code executable file (.exe) directly, however, because it doesn't have a content-type/CLSID pair in windows. (well, it does, but there isn't one just for .exe files... even MS wouldn't be *this* stupid. For all intents and purposes it doesn't.)
AND HERES PROOF!
I did the little spoofing test with Firebird. It has a PDF, but instead of a .pdf, it's %2E.pdf. Anyway, when I go to open it. It says it wants to open with Links, instead of xpdf, like pdf's usually do. Don't know what links does with it, as I don't actually get to see what it does.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
This is exactly the reason why I use Mozilla. Granted, Mozilla can have bugs too, but at least they patch them right away. They don't find out about them in December and still not have patches as of almost February as Microsoft does.
Just wait til someone deviant mixes the ideas here with a nice new IE exploit. It probably won't be all that long before a virus really does cripple the internet.
So, does Sir William know how many holes it takes to fill IE? -2 Stupid
What?
isn't that also window.status used by many p0rn sites to hide the true url?
well...it doesn't matter....IE IS the security hole anyways; it's nothing new.
Therefore things will never change, people will not switch. I show people how Mozilla is vastly better, and only a handful are interested. The rest are content on putting up with IE and its millions of issues, then bitch when their machine is riddled with spyware. Boggles the mind I tell ya.
Ubuntu- Linux for human beings.
While browsing the network at college, I discovered a folder with r/w permissions. So I placed in the folder a little "do not run this.exe" that made some autoexec.bat changes, and poorly so. It included recovery instructions and backed up the file.
A few months later, my friend has trouble starting his computer. Guess who had to fix it...
In the program security department of a Redmond based company, a team of developers are all sitting at their desks with their hands over their ears going "La La La La I Can't Hear You! La La La!"
Different day, same piss poor products.
-Goran
Carpe Scrotum - The only way to deal with your competition.
From that page:
the file will be executed as an HTML executable
So HTML is executable under MS-Windows??!?!
Well, this certainly explains a lot.
"Non clickable hyperlinks"
;-)
Sometimes big businesses manage to go so far forward they actually break the space-time continuum and move backwards!
WOW!
Quack, quack.
"..did you actually read the article??".
If he did, it wouldn't be Slashdot.
Sig it.
More and more I'm seeing comments that would have been modded Flamebait a few months ago getting +1 Funny ratings. Maybe it's Gandhi's old mantra in reverse?
First we fight them,
Then we laugh at them,
Then we ignore them,
Then they're gone.
Last post!
If you weren't such a dumbass you'd patch sendmail permanently with, oh, I dunno - qmail. I don't know what you're talking about with SSH. It's certainly had problems, but it's far from comparing to Microsoft's issues. Maybe you should have said, perhaps, BIND. Again, if you're such a dumbass that you're running BIND: patch it permanently with djbdns and stop whining.
Noticing a pattern here? On Microsoft systems, it's Microsoft's fault that your system is in a constant crippled state due to bugs and/or security holes. On a UNIX/Linux/BSD system, it's your own damn fault if the thing's fucked up - especially with the last two.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
"A web app that requires a single brand of browser is not a web app... it's a client/server app".
Remember, IE isn't part of the Windows operating system (it's just additional software). Linux isn't required to run Mozilla. Mmmmmmm.
Quack, quack.
They haven't patched it yet...big freaking deal. None of the people who'd get sucked into this exploit are ever gonna patch their computers anyway. Come on.
slashdot, news for crazed liberal socialist zealots
I call bullshit. I just tested it on Win32 Mozilla and it tells me the file is an HTML file. IE tells me it's a PDF.
That was the first time I'd used IE to look at a web page in months and already I'm remembering why I hate it so much...
All's true that is mistrusted
you included a hyperlink in your post. Why does no one else seem to see your humor?
Thanks for the heads-up! I used IE6 to follow the article's link to InfoWorld, then downloaded a pdf of the article so that I could share it with others.
Uh oh.
Giving Bill Gates an honorary knighthood, then immediately deciding Microsoft is a monopoly and should be fined up to $3.2 billion? Which is it: Microsoft good or Microsoft bad?
"Freedom means freedom for everybody" -- Dick Cheney
And let's see, security advisories/patches this week:
sendmail: none
openssh: none
Okay, how about the WHOLE YEAR OF 2003:
sendmail: 3
openssh: 5
And most of those were very obscure and not exploitable under default configurations, or for already-obsolete versions which people refuse to upgrade. And patches were available almost immediately.
Those stats are way better than even the Linux kernel (sorry Linus).
Now, want to go pick on somebody else? (MS????)
I was trying the DEMO PAGE, and noticed a minor work-around. The article says to save the file to disk before believing what it claims to be, which is sound advice, but you don't have to get that far to see something is wrong. As soon as you click on the link a "File Download" dialog is presented asking what to do with it. If you click on Open, based on the fake file extension displayed... you're screwed. If you click on Save, the next dialog box shows the true file type in the "Save as type" box.
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
Oh well, time to de-optimize my system a bit and re-enable some of those services I guess ....
"However beautiful the strategy, you should occasionally look at the results" - Winston Churchill
In some incidences it truly is cheaper to run Windows vs *nix.
Yea... Windows is like the bubble boy of the computer world - the second it comes in contact with anything outside of a highly protected, closely monitored, totally sterilized area the shit hits the fan.. but as long as it stays in its bubble and no disks, network connections, or phone lines ever touch it... hey - TCO is great.
You ain't kiddin'! Hell, my company is, at this very minute, looking for some MCSE-holding kissass morons to tell the upper management folks that we need to upgrade to Windows 2003 and XP. I never really understood why we need to hire kissass morons to come to the conclusion the management has already come to.. but I guess that's just because I don't understand the intricacies of management and Windows system admin...
Maybe you should apply?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
It always does. We've been thru dozens of these 'devastating' quality issues and the victims just queue up at Local Computer Store to buy another one. That's why they keep legions of hungry microsoftie out there to clean up after the latest worm du jour, meanwhile the gazillionaire will be awarded a Nobel Peace prize or something. I mean, cheezus, it's only software - it's not like people are getting killed in poor quality cars or anything. Everybody knows you should backup important data anyway so just chill out and obey old your pc overlords.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
My advice is the same it was three years ago: don't use IE. It is an accident that already happened, and will keep happening until it takes your computer down with it. Use a browser that time and again is immune to these sad IE hacks. I use Opera, and I make all my relatives use it.
IE had its time, now it is dead. It's the end of an error, I mean era.
Possibly.
I just tried it with Mozilla 1.5 under Linux and the file's name is ie.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}Secunia_Internet_Explorer%2Epdf which means Windows would probably ask you what application to open it with.
Mielipiteet omiani - Opinions personal, facts suspect.
With Slashdot, I don't even need Windows Update anymore! I just wait for the next MS patch to show up in the news here and boom! Just like that I am alerted about having to download the next update.
In response to flaws recently exposed in its software Microsoft has suggested that customers stop using hyperlinks -- the core feature of the World Wide Web. The bugs, which were exposed in the last few weeks, allow scammers on the net to make their website links to look like a legitimate site (e.g. Microsoft, Ebay or Visa), where they can then ask for identifying information, card numbers and passwords, or cause you to launch executable programs that Internet Explorer describes as more innocuous types (e.g. PDFs).
Rather than immediately releasing a bug fix, Microsoft is now suggesting that users no longer click on web page hyper-links. Their suggested solution is that users manually type in any web address they want to visit in the menu bar.
.....
Other web browser providers (e.g. Mozilla) claim that their browsers are not susceptible to these bugs, and claim that users surfing the web with their browsers are not subject to these problems.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
this is quite a simple thing to do.
especially when dealing with idiots.
and guess what! it works in mozilla too!
http://www.happy.com/happy_image.gif
ta-daaa
Of course the only way to fix things like this is to move to a locked down TCPA/DRM platform. Call this a troll, but that's exactly what Microsoft is trying to pull here "oh no those evil spammers, everyone lock up your children, the end of the world is here, unless! we could just use our little TCPA thing we have going here - it will solve all our^H^H^Hyour problems."
Which is similar to what's going on with terrorism - it's hyped and FUD is spread about how America is under attack, that way people are more willing to accept patriot acts. Outside America no one gives a shit, and there's no "alert level red" flashing on the tv news channels all day.
This comment does not represent the views or opinions of the user.
Isn't a browser that comes with the computer, or comes with the operating system kinda like a radio that comes "stock" with a car? And we know what sort of quality those are...
FLR
Helevius
We want to get patch deployment down from days or weeks to hours."
Of course that'll solve all the problems! We patch a hole 1 hour after it's discovered (not like that ever happened) and then it takes three months (also overly optimistic estimate) for the average user to actually download a patch with the next service pack, if ever. The result? The end user is just as vulnerable as he has ever been. But we can now blame the end user for not patching their system in time, because the patch was available early on. The bottom line? The user feels like M$ software is as insecure as it's ever been, and rightfully so.
You can say whatever you want about the advantage of releasing patches fast. It's great to release them fast. In fact, a lot of open source developers take pride in being able to do just that, and this is something worthy of admiration. But quick patching process is no replacement for code that is secure to start with!!! And while M$ can speed up their patch development, they can do nothing about the fact that their existing software sometimes closely resembles Swiss cheese - it's already out there, and it breaks often.
Jobs? Which jobs?
is that it only runs on Windows.
Maybe wait for some verification prior to modding up. I've tested, no go, and apparently a few others have tested it with Konq.....no go!
I'm not trying to troll here, but when I click that link in Mozilla, the file is treated as a text/html document, not as a PDF. So I assume you could put up an exe posing as a pdf, and Mozilla (on windows) would swallow it as an executable just like IE.
Granted, Mozilla pops up a dialog stating the real file type. But isn't it still too easy to just click 'OK'? Especially when you 'know' you've clicked a PDF?
Clicking the link in MozFB pops up the following dialog box:
The site has suggested that
"ie.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}Secunial_Internet_Explorer%2Epdf.html"
be handled as an attachment. It is of type text/html (HyperText Markup Language) and
located at:
http://secunia.com/internet_explorer_file_download_spoof/
What should Mozilla Firebird do with this file?
( )Open it with the default application
( )Open it with [ ]
(*)Save it to disk
-----
Clicking the link with IE (6) pops up the following:
Some files can harm your computer. If the file information below
looks suspicious, or you do not fully trust the source, do not open or
save this file.
File name: ...Secunia_Inernet_Explorer.pdf
File type:
From: Secunia.com
Would you like to open the file or save it to your computer
[open][save][cancel][more info]
--
Saving the file from each browser:
MozFB - saves a file with the .html extension
IE - saves a file that looks like it has the PDF extension and gets the PDF icon.
Mod me Flamebait, I don't care...
How is it this story is ok, but when MS announces a fix that will be coming shortly that story is rejected outright?
Hey, mods...take your head outta your ass. Your anti-MS slant is showing (again.)
Wouldn't copy and paste work just as well?
I'm the one who submitted the story that Timothy posted.
Microsoft damn well deserves some bashing. They didn't fix the phishing bug in their monthly patch set, and the phishing bug was reported very close to the beginning of that monthly cycle, and only 1 week after it was discovered, scammers started making heavy use of it in their attempts to defraud people of banking details. So Microsoft had 3 weeks to witness the phishing bug being abused in the wild, and still they did not patch it almost a full month.
This all comes on the heels of a bunch of PR Microsoft spewed not long ago, claiming a study (they paid for) found that Microsoft issues patches faster than Redhat.
I call them a bunch of lying hypocrites who only care about money and not the security of their customers. You call me a Microsoft basher. You are right, I'm saying Microsoft sucks and they lie. I believe I am right too, they do suck and they do have little regard for honesty, as can plainly be seen.
In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH.
In fact, the last security patch for sendmail was on September 17, 2003. That's over 4 months ago. There have been zero sendmail security patches this week, not 35. The previous patch was released March 29th, 2003. Not the same week, but 5.5 months earlier.
OpenSSH doesn't have the same web pages with patch info as Sendmail... so looking at Redhat's update history on OpenSSH, I see new RPMs published on the following dates: 17-Sep-2003, 16-Sep-2003, 04-Jul-2003, 14-Feb-2003. It's not clear if these are security updates or other less serious updates. But only once did two patches appear in the same week. On average, it's over 2 months between updates.... hardly 54 in one week.
Now compare that to MSIE. Microsoft's customers complained that multiple patches were required every week, so they recently switched to a monthly patch schedule. But there was news coverage that shortly after the switch, they still had to break that schedule and release patches more frequently because of very critical security bugs discovered.
And remember that Microsoft doesn't even bother to fix things like this phishing bug, which makes it easy for scammers to direct people to false banking login pages and have them appear to be the legitimate websites of the banks people trust! Contrast that lack of concern for customers getting ripped off against some of the openssh patches, which fix timing problems where the sub-millisecond delay changes could theoretically leak info if probed repetitively over a low-latency LAN.... but virtually impossible to attack over the internet, and no known exploits in use.
It's pretty clear which software has a good security track record and which software has more holes than Swiss cheese. It's quite clear who deserves to be bashed.
PJRC: Electronic Projects, 8051 Microcontroller Tools
On the end user.
:D Fortunately, he still uses OS 9 and I can answer just about all of his questions from memory. The only time I've ever had to do serious tech support for him was when his preferences folder somehow got moved out of his system folder.... that was interesting.
:-)
I've done work for free for some people, and they're quite happy. They make me dinner or take me out for a few drinks or something.
I've also done work for free for some people, and they're never happy- to the point of hassling me every time they see me because they need help with some piece of software (that has extensive documentation, installed), they did something I told them not to do and broke something, or, in general, are too thickheaded to learn for themselves and want me to do their thinking for them.
I much prefer the former type of person to the latter. Of the seven field users I support (people whom I've given computers to over the years), five of them only contact me when something is seriously broken, and the other two can't even find the help key on the keyboard unless I come to their house and physically show it to them. Multiple times.
Then there's my dad.
Family's obviously a different matter than friends- I've minimized the damage to my sanity by only supporting OS 9. I patently refuse to deal with Windows in any capacity (it took several people a very long time to realize this), I don't support linux (I tell people how to get answers the same way I get them- google, a notebook, and a printer), and everyone I know running OS X is a self-sufficient operator.
All in all, refusing to deal with Windows has saved me countless hours of free time (and work time!), and has even switched a couple of people over to Macintosh. Go figure.
Followup:
In the parent post I was testing on one system that was running MozFB 0.6.1
On my other system, running 0.7 the dialog is different, but it is still correctly identified as an HTML file and saves with the correct extension.
In the article it says that popular opinion is that microsoft can't fix this bug (or the previous %01 in the URL one).
What is so hard about scanning a string for %01 and truncating? I don't get it. No one needs %01 in a URL for any legitimate reason, just TRUNCATE.
-- Having a Creationist Museum is like having an Atheist place of worship
So, why hasn't anyone ever written a benevolent worm that would go around closing security holes?
"I am shocked, shocked I say!
to find such security flaws in an otherwise flawlessly integrated system!"
To all you Mozilla users, don't think that you're safe simply because you use Mozilla. I just tried the demo with Firebird 0.7 and it essentially does the same thing as IE6. Click on the demo link on secunia's site and you get an "open/save as..." window. Sure it says that the default program type is "htmlfile (default)" and the file name shows the CLSID which should make you think if you are supposedly downloading a pdf, but let's face it, the average Joe isn't going to be thinking (or actually reading the file name). If you just go ahead and click "open," you get the same end result as if you had used IE (in fact IE opens if it's your default browser). Even if Firebird is your default it will still try opening the file as an html document. This isn't an IE flaw as much as a Windows flaw, so just switching browsers really won't save you.
Your best bet is to THINK BEFORE YOU CLICK!!!!
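The tell-tale signs raised in the comments above (a CLSID embedded in the download filename, a `%2E`-encoded dot, the `%01` byte in a URL, and a visible extension that disagrees with the declared content type) can be checked mechanically at a proxy or download handler. The following is an added example, not part of any poster's comment; the function names, the finding labels, the `example.test` hosts and the small extension-to-type table are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Brace-wrapped GUID, the form the thread shows embedded in the download name.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Percent-encoded control bytes (%00-%1F, %7F), such as the %01 of the URL spoof.
ENC_CTRL_RE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
# Percent-encoded dot, as in "%2Epdf".
ENC_DOT_RE = re.compile(r"%2[Ee]")

# Constructed, deliberately small table: visible extension -> content types
# that are consistent with it. A real deployment would use a fuller list.
EXPECTED_TYPES = {
    "pdf": {"application/pdf"},
    "txt": {"text/plain"},
    "htm": {"text/html"},
    "html": {"text/html"},
    "gif": {"image/gif"},
    "jpg": {"image/jpeg"},
}


def disposition_filename(header):
    """Return the filename parameter of a Content-Disposition header, or None.

    Handles the quoted and unquoted forms only (not RFC 5987 "filename*=").
    """
    match = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', header or "", re.I)
    if not match:
        return None
    value = match.group(1) if match.group(1) is not None else match.group(2)
    return value.strip()


def inspect_download(url, content_type, content_disposition=None):
    """Return a list of findings for one download response (empty if clean)."""
    findings = []

    # 1. Control bytes have no legitimate place in a URL.
    if ENC_CTRL_RE.search(url):
        findings.append("control-byte-in-url")

    # The name shown to the user: header filename first, URL path otherwise.
    name = disposition_filename(content_disposition)
    if not name:
        name = urlsplit(url).path.rsplit("/", 1)[-1]
    decoded = unquote(name)

    # 2. A CLSID inside the name selects a handler the user never sees.
    if CLSID_RE.search(decoded):
        findings.append("clsid-in-filename")

    # 3. An encoded dot hides where the real extension starts.
    if ENC_DOT_RE.search(name):
        findings.append("encoded-dot-in-filename")

    # 4. Compare the extension a user would read with the declared type.
    visible = CLSID_RE.sub("", decoded)
    ext = visible.rsplit(".", 1)[-1].lower() if "." in visible else ""
    declared = content_type.split(";", 1)[0].strip().lower()
    expected = EXPECTED_TYPES.get(ext)
    if expected is not None and declared not in expected:
        findings.append("extension-type-mismatch")

    return findings


# Constructed sample responses; only the CLSID string is taken from the thread.
CLSID = "{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
SAMPLES = [
    ("http://downloads.example.test/get?id=1", "text/html",
     'attachment; filename="ie.%sReport%%2Epdf"' % CLSID),
    ("http://files.example.test/exam_answers.txt", "text/html",
     "attachment; filename=Exam_Answers.txt%s" % CLSID),
    ("http://www.bank.example.test%01@203.0.113.7/login.html",
     "text/html; charset=utf-8", None),
    ("http://docs.example.test/manual.pdf", "application/pdf", None),
]

if __name__ == "__main__":
    for url, ctype, disposition in SAMPLES:
        print(url, "->", inspect_download(url, ctype, disposition) or "clean")
```

Servers mislabel content types often enough that `extension-type-mismatch` on its own is better treated as a reason to show the real type than as a block.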
to be disdainfully helpful and push mozilla/linux/whatever and bash ms/outlook/whatever.
Try this:
"Well I don't have that problem because I use mozilla."
"In all the years that I've been on the net, not once have I been infected with a virus because I use Linux."
Not that I'm a condescending, anti-social geek without a girlfriend or anything like that...
I'm feeling guilt over using OS X, and having my mom use it too. I mean, that's one less excuse for her to call me up and have a nice conversation. She must be feeling pretty lonely about now, what with no virus to call her son to fix.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
The seemingly simple interfaces we have today lead less computer litterate people
That would be "literate" not "litterate".
People, as a whole, do not expect a constent
That would be "constant" not "constent".
4/10 for both of you, please pay attention in class next time.
Try WRECKING, guys. Although this worm does stink...
-jls
Techno-pagan
until someone sets up an html page that downloads a linux automatically installed distro? Might as well be helpful. :D
The cesspool just got a check and balance.
The best counter argument to the 'but its only because MS has a bigger market share than your luser OS' is Apache. Apache is much more popular than IIS (as you can verify with a trip to netcraft), but SANS has more IIS incidents than Apache incidents. Both servers have vulnerabilities and sites can be defaced with either server. But IIS is the more vulnerable. Why is that?
Think global, act loco
A little conversion system that even attacks IE replacing MSHTML with mozilla gecho (I hope I got this right). Basically the mozilla team is working on a way to rip it all out. Reason I know: I run wine, and Mozilla Control is used as a drop in replacement for MSHTML in most places. Now I just have to write a urlmon replacement. Nice little back door for you ad placement people: all url calls go through it. Also a good door for hackers and ad men; even about:blank gets to go there. Note Mozilla Control even works on IE.
I will give kudos to MS when the patch ships, not before. I have waited too long over too many years and IE problems have been getting beyond a joke.
Infoworld claims the result could be 'devastating'
;)
True. We are extremely lucky that destructive worms are (so far) only being written by morons, idiots, losers and wannabe hackers.
I've shown last year that it's possible to destroy (as in: wipe the disk) millions of machines with a worm in less time than the AV companies need to update their patterns.
Why isn't it happening? Because the people with both the skills and the criminal energy to do it all work for the spammers and other crime syndicates and have other uses (read: Zombie networks) for the victims.
Too bad. 40 mio. pissed windos users might be what it takes to get some fundamental changes done. Like, say, safe defaults and no automatic execution of downloaded code.
I mean, it can't be that hard. In an hour or two, there will be at least a dozen replies in here from people who say they run windos and have never gotten a single virus. Just copy their config and make it the default.
Assorted stuff I do sometimes: Lemuria.org
It's been known for a very long time you can rename JPG files to .txt on Geocities to get around their hotlinking rule.
Why is anyone shocked it works for exe's as well?
This is simply a problem with OSes that don't care what an extension is. If I put .txt on the end of a file the OS should open it like a plain text file.
I thought that was the whole concept behind extensions.
Ben
Work Safe Porn
you've got more security updates^H^H^H^H^Hgrades to write.
Monopolies don't maintain themselves after all - you got to go out there and spread the FUD while giving your money to such up-and-comers in the computer world as SCO. So GET BACK TO IT!
I think the only way people are going to get clued in on how bad microsoft software is is if we put the equivalent of the Evil Toilet out there to demonstrate to IE users just how vulnerable they really are.
Create an executable that will take over the entire screen. It will display as text, as well as have a voice come on the speakers taunting the users that they are 0wned. Pull up fake progress bars that say stuff like "Searching for Credit Card numbers.... Transfering credit card numbers to 3l3t3 h2k0r5.... Searching for pr0n visited.... emailing everyone in address book a list of pr0n sites visited.... deleting everything on harddrive."
While all this is going on it just has a sample of Mandark from Dexter's Laboratory playing over and over "Ha ha ha! Ha ha ha ha ha!"
And finally, a message saying that it is just a hoax, but it is just as easy for 3v1l h@x0rs to do all those things as long as they continue to use IE. It will then pull up the websites for Mozilla and Opera.
(Actually, this probably wouldn't be a good idea because it would give some people a heart attack.)
File this under "If the thought of something makes me giggle for longer than 15 seconds, I am to assume that I am not allowed to do it."
This signature used to contain a cute kitty virus with ansii art. Please set the slashdot editors on fire. Thank you
This thread is mostly about how IE/win users are idiots, and what to do about it.
I think in the end, we need a new system.
In part, people are not perfect, they will make mistakes, and other people will exploit those mistakes.
What we need is centralized administration. A few smart guys with ssh fixing computers for everyone on a paying list of subscribers. I think it could work.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
I mean really. "Fixing" stuff by taking out the functionality. That's a bad sign.
This is why you don't surf as a root user, or as any user with the ability to install stuff, or in general do anything but surf. Oh wait, this is on windows, and you're always root (sorta speak).
It isn't a lie if you believe it.
TCO is ridiculous when you consider small offices with no real computer staff. They don't have someone on salary to install patches and work on crap, so they must pay hour-minimum service charges to get anything done.
Click here or here.
Your nick's my root password. At least it was until a second ago - I've changed to something properly random now.
Was I stupid to use that? Is it commonly known for some reason? Does anyone besides me know what it stands for? Is that phrase used anywhere except a Radiohead song? So many questions...
Google can't find it anywhere online except here on Slashdot and a couple other forums as (presumably) this guy's moniker.
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
There was a small IE team for Windows XP / IE 6.0 (circa 2000-2001) to add support for privacy features (P3P) so that Microsoft wouldn't get sued/regulated by a bunch of state attorney generals who were on a crusade over consumer privacy concerns related to cookies. But most of the team (networking, HTML rendering) was disbanded or reassigned. Most of the browser folks either moved to the MSN Explorer team or to the Longhorn Avalon team. Other subteams were disbanded altogether.
Over the last year, Microsoft has been slowly reforming a new team, primarily focused on fixing security problems. But we have not seen much or any results of this work; bringing up a new team on a complex codebase will take a long time.
Basically, IE is going to rot for a long, long time. Sure, IE 6 for Windows XP SP2 will include a pop-up blocker, but whoop-de-doo on that. I wouldn't expect any new functionality (like better CSS support) even for Longhorn.
I'm finding that more and more websites only work with IE. For example, Ebay refuses to accept my password from Opera7 and works fine with IE.
I went to a site yesterday to research a sound box. (Applied Research Technology of Boston, MA) When I clicked on a list box, I was always sent to the Adobe Acrobat download site (the Acrobat icon was near the list box).
I wrote a message to the people who did the website and they wrote back that they couldn't repair the site for browsers that only had 2-3% of the market.
Huh? Why shouldn't a list box work correctly? Why should Ebay of all people not work with Opera 7?
There really is no excuse for this nonsense.
The best thing about IE is that you can use it to download Mozilla!!!!
do you whine the same when you discover that you can actually get run over when crossing the street without watching? it's life, d00dz.
Okay, I'll quit running IE 6 on my Linux boxes. Can't be too careful.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
The servers you mention as being buggy both together have had fewer security holes in the past year than MSIE.
To point out that an app you are forced to use at work is not "hate mongering" in any way. It is however "hate mongering" to misrepresent the intent and motivation of those who are simply pointing out the foibles of a company you seem to have a misguided sense of commitment to.
Much like the Israeli government attempting to stick their own soldiers with the label "anti-semitic" whenever they criticise their own government.
Or like the American Justice department accusing those who question the current administration's motives for enacting the "Patriot" act.
Or like the die-hard Republicans who label critics as liars for pointing out that Rumsfeld, Cheney, and Poindexter were called under suspicion and found guilty of breaking the law for their involvement in the Iran-Contra Affair.
These are attempts to deflect any honest criticism by creating the illusion of unfairness where there is none (Scientology is well known for this.) using charged terms (such as "hate mongering" which is a specific term that instructors with "The Landmark Forum" are taught to use whenever someone mentions that Erhard's methods are similar to those used in cults) to cast doubt on the motivation of the speaker.
As you can see by my examples, you need not worry much, as you are in good company whenever you use this technique, but the truth is that it grows old fast, becomes easily recognisable, and is not very convincing even to casual observers.
Okay, that's it for me. After years of using MSIE, I am downloading the Mozilla installer as I type this, and hopefully will be disabling IE this evening. Enough is enough.
Bill Gates was just saying the other day that Windows was the most secure OS on the planet. So this must be a mistake, right?
I presume that you emerged from your mother's womb (under rock?) completely skilled and computer-proficient?
You never had to be taught anything relating to computers?
You're truly a legend that will last a lunchtime.
For all that 1337ness and snobbery, you still have all the natural charm and grace of a thalidomide baby.
We could shorten it to MSIE Hole or MSHole and lump them all under one general category of Suck instead of Articles. Then we could sub-divide into SCOSuck and MSSuck.
Man, I just realized how often SCO and MS are mentioned in the same context. Suck. What company they keep. And MS has nothing to blame but their own greed and avarice. At least SCO can claim too much inbreeding in Utah.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
McAfee AV actually traps the virus when downloading the file via IE and reports it as a "trojan". That helps I guess.
is not the same as being more secure. IIS does way too much which is why I don't use it. Apache does one thing really well.
If Apache could do everything IIS can do and was still secure, then it would be a valid comparison.
Ben
Work Safe Porn
I think we have long passed the point where logical conclusions can be beaten down with suggestions of weak-mindedness. Suspension of disbelief should be relegated to works of fiction.
If you stop to think logically about the history of Microsoft, it is just too much to swallow! It just isn't possible that such a team of intelligent engineers and scientists, run by the richest man in the world, could possibly have missed these things. Sheer human bloody-mindedness just can't answer for such a long-running history of security breaches intertwined with a history of utterly unethical monopolistic behavior!
Don't even start wondering about why all these worms are suspiciously un-malicious. It is way off the bell-curve.
For those not used to applying logic to the news, this means all these things were intentional and expected. Discovery of a backdoor and exploit by a worm is equivalent to the planned end of a product lifecycle. Guess what the product really is.
I mean, these guys must really get steamed when they have to act like bumbling idiots every time one of their "security holes" (ha-ha) makes the news! Whether or not they are due to attempts to secure ground for their corporate clients, or to directives by U.S. security organs, is quite moot as we end up at the same point. So wouldn't Microsoft stand to gain in the end by admitting these things were all intentional, and cleaning up their image as a bunch of totally incompetent nincompoops? Sheesh, how many nincompoops do you know who are laughing all the way to the bank like Microsoft does so routinely it is predictable?
I think it is only fair to Microsoft employees to exercise a bit of cold logic on their behalf. It's not like they haven't figured it out, mostly, I mean they are a bunch of smart cookies! But they are only human and probably most have families to care for, and so I think they deserve to be recognized as not total incompetents (at least half of them) but probably mostly just wage-slaves who have been bound hand and toe, just pounded into submission, to protect the image of the monolith that generates the income of the richest man on the planet. So here's to all you victims!
let them hang themselves. Then charge the idiots your going consultant rate to de-worm their boxes afterwards. After a few years of spyware, worms formatting their hard drives after emailing their porn collection to everyone in the address book, they MIGHT get a clue. In the meantime remember it's ALL billable hours.
I know, some of you are saying "I can't bill them, it's my brother, wife, dog's accountant, etc". Fine, tell them that with free support you retain the right to refuse servicing any fundlementally (sp) flawed product that is not fixable. (Which is how I got my parents to switch to Mozilla: I told them I outright refused to deal with IE as it was completely unsecure.)
Lawyers, MBA's, RIAA? A jedi fears not these things!
By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site
Maybe we should all go one step further and just start doing a telnet to port 80.
Simply because the content-type returned in the header is text/html. It ignores the extension. It ignores any CLSIDs embedded in the filename. It adheres to standards. Now if someone saves the file, CLSID intact, then clicks on it... that is a Windows hole that is out of the browser's realm. It wouldn't be a bad idea if Mozilla would shield Windows from files with this in it to protect stupid users. Similar to other security sensitive Windows bugs that have recently been fixed in Mozilla. (which I will obviously not discuss here...)
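Added example (not part of the thread, and not Mozilla's code): the shielding idea in the comment above, written as a check on a server-suggested download name that flags an embedded CLSID and compares the extension with the Content-Type header. The names check_download and ALLOWED_EXT, the policy table and the all-zero CLSID in the samples are assumptions made for illustration.

```python
import os
import re

# CLSID in registry form: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Constructed policy table (an assumption): extensions accepted for each
# Content-Type. The first entry is appended when the name does not match.
ALLOWED_EXT = {
    "text/html": (".html", ".htm"),
    "text/plain": (".txt",),
    "application/pdf": (".pdf",),
}

def check_download(filename, content_type):
    """Return (safe_name, findings) for a server-suggested file name."""
    findings = []
    # Ignore parameters such as "; charset=utf-8".
    mime = content_type.split(";", 1)[0].strip().lower()
    # Keep only the last path component of the suggested name.
    name = re.split(r"[\\/]", filename)[-1]
    if CLSID_RE.search(name):
        findings.append("embedded-clsid")
        name = CLSID_RE.sub("", name)
    # Remove dots and spaces left dangling once the CLSID is gone.
    name = name.rstrip(". ") or "download"
    allowed = ALLOWED_EXT.get(mime)
    ext = os.path.splitext(name)[1].lower()
    if allowed is None:
        # No policy for this type: report it and leave the decision to the caller.
        findings.append("unlisted-type")
    elif ext not in allowed:
        # The name claims one type, the header another: make the real one visible.
        findings.append("extension-mismatch")
        name += allowed[0]
    return name, findings

if __name__ == "__main__":
    # Constructed samples; the all-zero CLSID is a placeholder, not a real class.
    samples = [
        ("readme.txt", "text/plain"),
        ("readme.txt.{00000000-0000-0000-0000-000000000000}", "text/plain"),
        ("report.pdf", "text/html; charset=utf-8"),
    ]
    for suggested, ctype in samples:
        print(suggested, ctype, "->", check_download(suggested, ctype))
```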
You aren't even paying attention to what he's saying. Anderson is AGREEING with you. The Patch deployment he's referring to shrinking IS the time it takes "the average user to actually download a patch...." That time is what Microsoft is working to reduce, not the "time until a patch is released."
If you look at recent exploit history, Anderson is exactly right. Blaster, Slammer, etc... All of the exploits came out AFTER the patch was released. The primary reason they were so destructive is that users did not patch, and the patch itself advertised the hole to the exploit writers like a green lighthouse on a clear night. I'm glad that MS is focusing on the right problem in that respect: user deployment of patches.
Of course not. But keep in mind that even the Linux kernel needs to be patched and updated! There have been two security holes in the 2.4.x kernels over the past 6 months. Each one required a new or patched kernel to fix. How many n00b Linux users do you think actually did that?
It's the same problem for both sides. Problems will be found in all software. Patches are absolutely necessary to fix those problems. The hard part is getting those patches deployed. If patches aren't deployed promptly, what was a simple coding error can easily become an enormously expensive nightmare.
From my experience, most Mechanical Engineers would call someone to change their tire for them.
Can't say that I blame them. It's dirty, messy, and there's no sense of accomplishment. Further, there's stuff any grunt at a service station knows that is not taught to Mechanical Engineers, particularly if said Mechanical Engineers do not like to "get their hands dirty".
Why anyone would use anything from Microsoft remains beyond me.
That is the old Nimda eml file exploit, which has been fixed in IE and Outlook. This exploit is harder to fix. This has to do with Windows COM and that components contain a class id or guid that identifies what type of file it is. Also, in this case it is an HTML executable or .hta file, not an exe; IE can't run an exe as a component. It has nothing to do with the mime type.
Of course you would get this from reading the article. Now how you got the high rating is another issue. I guess it is true nobody here actually reads the article. Hell, I'm going back to fark.
#!/usr/bin/lynx
<html> <head> <title>You're Infected!</title> </head> <body> You have the HTML worm. </body> </html>
Save that as worm.html. Then:
$ chmod +x worm.html
$ ./worm.html
So all you Linux weenies can shut up now, because on Linux you make executable HTML files too! Throw in the goatse image and you have malicious code just like Windows users have to deal with.
(I've tested this and it actually works, assuming the path to lynx is correct. I was unable to prevent lynx from displaying the she-bang line, but oh well.)
Gates' Law: Every 18 months, the speed of software halves.
I remove automatic system file restore and delete a few IE and Outlook files. I shut down and disable every service Windows doesn't need to work (msoffice might not work but hey, they can use that openoffice I installed for them) leaving only 10 or less running.
You could also block ms messenger and update apps, etc. In essence, if all things microsoft are stripped to the point that they do only what ms (originally?) set out to do, to make an operating system, then everything you do with the computer goes so much smoother. No ms offices, ms utilities, ms patches, ms licenses(haha), ms servers, ms deployments or ms supplements. ONLY ms os for games and other such small useless time wasting shit that it's made for. 98lite was a great help for accomplishing this and I hope something similar comes out for XP so that I don't have to do everything manually.
Preserve old classics: copy your collection onto all hard drives.
COM has really been a thorn in the side of Windows. ActiveX is dangerous and insecure because it has no sandboxing and it can execute without your knowledge or permission. DCOM listened on port 135 and that allowed worms like Blaster and Welchia to wreak havoc. This latest exploit has, as the article mentions, "resurfaced". And COM is at the center of it all.
Indeed. This seems to be quite a coincidence.
If you're curious, it stands for "When I am king you will be first against the wall", which is a line from one of the songs on the album "OK, Computer" by Radiohead ("Paranoid Android", I think). I had it all in lowercase, so it's not technically quite the same as the password, but still.
Ho-hum.
"The Milliard Gargantubrain? A mere abacus - mention it not."
Ok, I'm sure it's not a huge secret to people that actually want to use these exploits, but does every single hole found in a piece of software have to be publicly released for the whole world to see and possibly exploit? I think they shouldn't be talked about until they are fixed. Call me logical :)
1. You can disassemble Swiss cheese layer by layer
2. Holes on Swiss cheese do not come by surprise
3. The holes of a Swiss cheese emerge once you disassemble it
4. Swiss cheese source code is public information
5. Swiss cheese manufacturers tolerate also other brands of cheese and do not aim for monopoly
6. The whole world is full of Swiss cheese clones, which are almost as tasty as original Swiss cheese
7. The Swiss victual officials do not get pissed off if someone else attempts to manufacture cheese as long as trademark rights are not violated
8. You can slice Swiss cheese with any cheese slicer.
9. A cheese slicer used for slicing Swiss cheese can be used for other brands of cheeses as well
10. You do not need to have Swiss sausage or Swiss ham on your bread if you have Swiss cheese
11. Swiss cheese can be used in other meals as Swiss sandwich
12. You can put other brands of cheese on the same bread as Swiss cheese
13. The older the Swiss cheese is, the more mature and solid it is.
14. Swiss cheese requires no continuous updates.
15. You can slice Swiss cheese in parts and inspect each part separately.
16. Every time you buy a new Swiss cheese, you do not need to buy a new refrigerator
17. Holes on a Swiss cheese do not harm anyone
18. Swiss cheese fits on any bread - it doesn't even need to be Swiss
19. The end user does not need to pay licence fees to Swiss cheese manufacturers
20. Swiss cheese leaves a good aftertaste
Any others?
Believe me when I tell you that many people actually do deserve the trouble they have with their systems (including myself from time to time ;-).
I feel so sig.
Heh. I've ended up doing free techsupp for my immediate family and in-laws ever since they figured out I knew more than nothing about computers. Until recently, I'd be nice and do their bidding, maintaining their beloved win95 boxen and whatever. Nowadays, I just do a Knoppix HDinstall, make sure their kppp, mozilla and OO.o setup is good, then do whatever maintenance I need to do via ssh. And because they're all the same kit, I can just write a script for it...
...
More work in the short term, but far, far less in the long term. And you know what? They're even HAPPY with it
L
ah...you got me.
...and that's the way the cookie crumbles.
Who is surprised by this latest hole in IE?
no hands go up
Who thinks this is the last hole in IE?
no hands go up
Who still uses IE?
many, many hands go up
Why?
some hands up, some down... all right, it was a trick question!
By only supporting a dead OS with minimal marketshare- an OS I can troubleshoot from memory over the phone without even having a machine around for reference- I both greatly reduce the annoyance in my life, and greatly increase the value of the tech support I do give.
You should have a secure repository that can be accessed through an encrypted connection using a browser (the web server should be in an unusual TCP port so it is easy to create firewall rules).
Email should not be a means to share executables; the age of innocence is over and things should be done in a professional way to avoid problems.
IANAL but write like a drunk one.
HyperText Markup Language was created in part to *link* documents quickly (i.e. so the user doesn't have to type in the document location manually). If we're supposed to just give up hyperlinks, why not just kiss the World Wide Web goodbye?
That's exactly what Microsoft has done. They have admitted that their browser is not useful as a browser. Nothing new here.
The choice really is:
The correct answer is 3.
Friends don't help friends install M$ junk.