Slashdot Mirror


Another Serious MSIE Hole

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

42 of 731 comments

  1. In other words,... by burgburgburg · · Score: 5, Funny
    it's Wednesday.

    1. Re:In other words,... by Anonymous Coward · · Score: 1, Funny

      Hm, seems like Groundhog Day to me.

  2. MS vs. Swiss Cheese by Anonymous Coward · · Score: 2, Funny

    Anyone noticed similarities between MSIE and Swiss cheese?

  3. this will show them by atari2600 · · Score: 5, Funny

    A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

    Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp

  4. I wonder by Anonymous Coward · · Score: 3, Funny

    I wonder how well I can navigate the internet without clicking on any hyperlinks.

  5. all this talk of holes by Anonymous Coward · · Score: 1, Funny

    makes me think of goatse....

    i miss that guy....

  6. From the article by nate1138 · · Score: 4, Funny

    From the article text:

    Doom worm currently reeking havoc across the globe.

    So it's a smelly worm? Or are they trying to say that Windows stinks?

    --
    Where's my lobbyist? Right here.
  7. But, but, but Bill said... by Space+cowboy · · Score: 4, Funny

    ... that Windows is far more secure than Linux or OSX because it gets tested so many more times out there in the wild..

    [Editor's note: replace 'tested' with 'tested and found wanting']

    Simon.

    --
    Physicists get Hadrons!
  8. Re:Hmmmm... by eclectro · · Score: 4, Funny

    Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?

    He was busy being "knighted"

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  9. Re:But MS is "fixing" other issues... by poot_rootbeer · · Score: 3, Funny

    Microsoft is deprecating the use of "@" in URLS.

    The popularity of IE is about to drop sharply as the entire XXX-site-password-hacking community finds their reliable tricks no longer work.

    Should knock MS's browser marketshare down 10-15% just from that alone.

  10. If I had a dollar by BoomerSooner · · Score: 5, Funny

    for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.

    I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.

    It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.

    1. Re:If I had a dollar by Stubby · · Score: 2, Funny

      From my experience most Mechanical Engineers would call someone to change their tire for them.
      Admittedly I don't work in a Mechanical Eng. Field, but I haven't met one yet that does his own car maintenance.

    2. Re:If I had a dollar by Luscious868 · · Score: 5, Funny
      I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.

      You hit the nail on the head there brother. I'm so sick and tired of people that I barely know calling me when their computer breaks asking for help. It always turns into a friggin 2 - 6 hour event. You know the routine. Uninstalling all the crap that people have downloaded. "Hey, let's install this cool looking Bonzi Buddy thingy, what can it hurt?". The idiots should be shot. Removing spyware, removing the 80 viruses that have found their way onto the system. "Hey look at this funny attachment, it's called 'Dont Open Me I'm a Fucking Virus and I'll Fuck Up Your Computer.exe' why don't I open it and see what happens. Maybe it's a funny joke or something."

      I think I'm going to start telling people that I work for the post office and I'm currently taking court ordered anger management classes. That will shut them the fuck up real quick.

    3. Re:If I had a dollar by jostallin · · Score: 2, Funny

      I got this frantic call last week: "I've got an e-mail virus."

      Q: How do you know it's a virus?
      A: Oh, I know the person who mailed it to me and she sent it to me on purpose.

      Q: Why?
      A: Well, I've never gotten a virus and I was curious what it would do, so I asked her to send it.

      Q: And you weren't concerned about infecting yourself on purpose?
      A: No, I'm disappointed because it didn't do anything! I think these 'viruses' are just a lot of Hooey.

      Turns out she's using a Mac and couldn't understand why she wasn't decimated by launching a Windows virus on purpose!

    4. Re:If I had a dollar by cens0r · · Score: 3, Funny

      Every time I fix a computer I get offered something in return. Be it a 6 pack of beer, a free dinner, a couple of drinks at the bar, etc, it's always something. Maybe I just have a nicer social network than you do?

      --
      Jack Valenti and Orrin Hatch will be first up against the wall when the revolution comes.
    5. Re:If I had a dollar by GMFTatsujin · · Score: 5, Funny
      I work for Local University (TM) at the medical library, which handles tech support for the campus. With the recent outbreak of the worm of the day, I've taken it upon myself to create a web page for our users on best computing practices. I'm still putting it together, so mostly it's just getting blocked out for structuring the content.

      Here's one of the sections that I wrote more out of catharsis than actual informative intent. It certainly won't make the web, but it got my point across.

      Don't Put Strange Things in Your Mouth

      It doesn't take fancy book-learnin' to catch on when you receive an emailed attachment that you didn't ask for -- especially when it starts turning up from lots of different addresses in a short period of time. Opening an unrequested email attachment is about as hygienic as chewing on a urinal cake, and you should know better. That means you, Doctor Six-Years-in-Medical-School.
  11. Redundant headline by DocSnyder · · Score: 5, Funny
    "Another Serious MSIE Hole" could be shortened a bit:

    • Another - unnecessary.
    • Serious - less serious holes don't get any attention.

    What's left: "MSIE Hole".

    • Hole - what else?

    Still left: "MSIE"

    As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:

    • ""
    1. Re:Redundant headline by rokzy · · Score: 3, Funny

      "" could also stand for "SCO lies" or "RIAA acts like a dick", so I think "IE" would be best.

  12. Re:Patches Don't matter if... by El · · Score: 2, Funny

    Hey, don't complain -- they also check to make sure you have enough disk space to REMOVE software, too!

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  13. Re:No more dangerous than normal. by Napolijon · · Score: 2, Funny

    "This is a virus, you will destroy all the data you have access to if you run this file."


    Windows users knew it wouldn't work anyway. :-)

  14. Re:I don't think MS cares anymore by eclectro · · Score: 3, Funny

    I really don't think Microsoft cares any more

    It's called pride of 0wn3rship.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  15. I remember when Bill said something else by mrvis · · Score: 2, Funny

    Bill said that Windows 98 was over 15% faster. He was about to say it had better access to the internet when he got shot in the head.

    Man, shouldn't that South Park general be the Slashdot mascot?

  16. One person's fix for this exploit. by teledyne · · Score: 2, Funny

    To remove this IE exploit, download this TXT or PDF. Um, it contains the instructions to remove it. Yeah...

  17. Thank You Microsoft! by Luscious868 · · Score: 2, Funny

    Thank you so much for the wonderful idea of fully integrating your web browser into your very secure and stable operating system! Windows XP is simply a joy to work on. I absolutely love it when I'm browsing the web and Internet Explorer crashes, which causes all open windows, including those that have nothing to do with your wonderful little browser, to close as well. What a well thought out idea it was to integrate the browser into the operating system!

  18. Why does everyone always disparage ... by Snork+Asaurus · · Score: 2, Funny
    mime types?

    They can be quite good - especially when they pretend to be in a glass cage.

    --
    Sigs are bad for your health.
  19. Reminds me of the old joke by mcc · · Score: 3, Funny

    Q: How many Microsoft engineers does it take to change a light bulb?

    A: They don't, they just redefine darkness as the new standard.

  20. New Acronym: "A.S.S. Hole" by tds67 · · Score: 5, Funny

    Another Silly Software Hole.

    1. Re:New Acronym: "A.S.S. Hole" by tds67 · · Score: 2, Funny
      Another Silly Software Hole.

      A program's "A.S.S. Hole" can be defined as "a point of entry not intended for exploitation", so in this regard it is similar to the human variety.

  21. Re:Microsoft says: Don't click URLs anymore... by AbbyNormal · · Score: 2, Funny

    Sorry, I have a patent on that and you'll have to pay me to NOT click on the links.

    Man I knew that fly-by-night patent law degree was worth it!

    --
    Sig it.
  22. A day in the life by iminplaya · · Score: 2, Funny

    So, does Sir William know how many holes it takes to fill IE? -2 Stupid

    --
    What?
  23. ye olde catch 22 by ooby · · Score: 2, Funny

    While browsing the network at college, I discovered a folder with r/w permissions. So I placed in the folder a little "do not run this.exe" that made some autoexec.bat changes, and poorly so. It included recovery instructions and backed up the file.

    A few months later, my friend has trouble starting his computer. Guess who had to fix it...

  24. Re:No wonder by jpmkm · · Score: 3, Funny

    Boxen? Do you also hunt foxen?

  25. Re:No more dangerous than normal. by doublem · · Score: 2, Funny

    Additional Note:

    I asked the people who clicked the link why they had done such a thing.

    I don't have a file with their exact quotes, but:

    A couple of people thought it had to be something "funny" from the person whose address was on the message

    Over half thought it was a real virus, and clicked it to see "What would happen" or "If it would work." Please note that this was only a couple weeks after "I Love You." infected half the computers on the network, and a company wide meeting about NOT opening attachments that you weren't expecting.

    Half of them thought it was a real virus and opened it anyway.

    This is the kind of brain dead stupidity we're dealing with here people!

    We need to require a license to own and operate a computer. A simple test, NOT opening unknown attachments being one of them.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  26. Re:Here it comes... by AbbyNormal · · Score: 2, Funny

    "..did you actually read the article??".

    If he did, it wouldn't be Slashdot.

    --
    Sig it.
  27. Gandhi in reverse? by DahGhostfacedFiddlah · · Score: 2, Funny

    More and more I'm seeing comments that would have been modded Flamebait a few months ago getting +1 Funny ratings. Maybe it's Gandhi's old mantra in reverse?

    First we fight them,
    Then we laugh at them,
    Then we ignore them,
    Then they're gone.

  28. Re:Hmmmm... by pyros · · Score: 2, Funny
    Instead he just gets to stick KBE (Knight Commander of the Most Excellent Order of the British Empire) after his MCSE.

    So when he plays air guitar, will we magically be able to hear it?

  29. Trolling the AC Troll... by the_mad_poster · · Score: 2, Funny

    In some incidences it truly is cheaper to run Windows vs *nix.

    Yea... Windows is like the bubble boy of the computer world - the second it comes in contact with anything outside of a highly protected, closely monitored, totally sterilized area the shit hits the fan.. but as long as it stays in its bubble and no disks, network connections, or phone lines ever touch it... hey - TCO is great.

    ...shut you out of a lot of opportunities in the future.

    You ain't kiddin'! Hell, my company is, at this very minute, looking for some MCSE-holding kissass morons to tell the upper management folks that we need to upgrade to Windows 2003 and XP. I never really understood why we need to hire kissass morons to come to the conclusion the management has already come to.. but I guess that's just because I don't understand the intricacies of management and Windows system admin...

    Maybe you should apply?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    1. Re:Trolling the AC Troll... by eyegone · · Score: 2, Funny


      Hell, my company is, at this very minute, looking for some MCSE-holding kissass morons to tell the upper management folks that we need to upgrade to Windows 2003 and XP. I never really understood why we need to hire kissass morons to come to the conclusion the management has already come to.

      Those "kissass morons" are properly referred to as consultants.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  30. Some major news org needs an article: by darkonc · · Score: 2, Funny
    Microsoft suggests customers stop surfing the net.

    In response to flaws recently exposed in its software Microsoft has suggested that customers stop using hyperlinks -- the core feature of the World Wide Web. The bugs, which were exposed in the last few weeks, allow scammers on the net to make their website links look like a legitimate site (e.g. Microsoft, Ebay or Visa), where they can then ask for identifying information, card numbers and passwords, or cause you to launch executable programs that Internet Explorer describes as more innocuous types (e.g. PDFs).

    Rather than immediately releasing a bug fix, Microsoft is now suggesting that users no longer click on web page hyper-links. Their suggested solution is that users manually type in any web address they want to visit in the menu bar.
    .....

    Other web browser providers (e.g. Mozilla) claim that their browsers are not susceptible to these bugs, and claim that users surfing the web with their browsers are not subject to these problems.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  31. Re:According to Bill, this is a good thing by sharkey · · Score: 2, Funny
    According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."

    Then he muttered under his breath, "like Linux."

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  32. Re:No wonder by jtosburn · · Score: 2, Funny

    Maybe he just got done with some bagels and loxen, sitting across from some old-school girls wearing bobby-soxen, chatting about all those poor people who died from the small poxen.

    Then he asked, "if your last name is Cox, do you refer to your family as 'Coxen'?"

    On the other hand, anthropomorphizing computer boxes into the one 'o' 'x' word that ends with 'en' may mean he harbors a secret wish regarding oxen.

  33. 20 reasons why Swiss cheese is better than IE by Anonymous Coward · · Score: 1, Funny

    1. You can disassemble Swiss cheese layer by layer
    2. Holes on Swiss cheese do not come by surprise
    3. The holes of a Swiss cheese emerge once you disassemble it
    4. Swiss cheese source code is public information
    5. Swiss cheese manufacturers tolerate also other brands of cheese and do not aim for monopoly
    6. The whole world is full of Swiss cheese clones, which are almost as tasty as original Swiss cheese
    7. The Swiss victual officials do not get pissed off if someone else attempts to manufacture cheese as long as trademark rights are not violated
    8. You can slice Swiss cheese with any cheese slicer.
    9. A cheese slicer used for slicing Swiss cheese can be used for other brands of cheeses as well
    10. You do not need to have Swiss sausage or Swiss ham on your bread if you have Swiss cheese
    11. Swiss cheese can be used in other meals as Swiss sandwich
    12. You can put other brands of cheese on the same bread as Swiss cheese
    13. The older the Swiss cheese is, the more mature and solid it is.
    14. Swiss cheese requires no continuous updates.
    15. You can slice Swiss cheese in parts and inspect each part separately.
    16. Every time you buy a new Swiss cheese, you do not need to buy a new refrigerator
    17. Holes on a Swiss cheese do not harm anyone
    18. Swiss cheese fits on any bread - it doesn't even need to be Swiss
    19. The end user does not need to pay licence fees to Swiss cheese manufacturers
    20. Swiss cheese leaves a good aftertaste

    Any others?