Another Serious MSIE Hole
pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"
Other good reasons to use Linux:
* It's incredibly easy to script and build new applications by tying together existing ones via pipes. The results are fast, reliable, and professional -- unlike AppleScript or VB-produced results. This is only relevant to tech users, but it's a big one.
* It's free. Okay, for a professional with a decent salary, the cost of Windows vs Linux itself -- the base package -- really isn't significant. A hundred or two hundred bucks is not a big deal. However, to purchase commercial equivalents of all the Linux apps I use would be extremely expensive. Compilers (think Visual Studio), editors (think Visual SlickEdit), mail clients (think Eudora), system monitors (think all manner of shareware apps), sound editors (think Cakewalk), image editors (think Photoshop), web servers (think IIS), code checkers (think Gimpel Lint), graphing programs (think Visio), math/statistics packages (think MATLAB), and all the rest, there is a *lot* of money involved. Sure, you can pirate it, but that's not an option at work, and pirating software is less and less trivial with the surging prevalence of phone-home features.
* It's secure. Traditionally UNIX (and its apps) have had tighter security design than Windows, especially WRT local security. A couple of Microsoft apps are phenomenally insecure (MSIE, Outlook), and most Windows apps don't have the same emphasis on avoiding attacks.
* It gives better performance. My workstation runs a large set of servers in the background. I don't notice. I have a friend that runs a Windows FTP server that he kills off when he wants to take all the CPU time on his system.
* I can fix bugs that piss me off. If I have an issue, I happen to be a coder, so I can run out and fix it without just complaining to a company's forums and hoping that something happens. I can add features that I want. Obviously, this benefit isn't nearly as good if you aren't a coder, but it's something to consider.
* I can actually see what's going on. Linux has a strong tradition of talking about and letting you see what's *actually* happening on your system. The startup system is just a bunch of scripts that are quite readable. In contrast, if you pick up a book designed for a Microsoft administrator, you'll get a bunch of Microsoft-invented terms ("Enable a service"...am I starting a process listening on a port or what? What the hell is happening?) This also makes troubleshooting much better.
* A richer toolkit. For at least coders, network admins, and security types, good tools exist that have no Windows equivalent. (The reverse tends to be true when it comes to office workers.)
* Choice. If I use Windows, I also must use Explorer, like it or not (and I don't). I can't use the kernel or Windows software without also using the expected file manager (yes, there have been a few hacks to try "replacing" Explorer, such as LiteStep, but they're flaky...more neat toys than practical tools). On Linux, I have more window managers available than I have fingers. I have a whole collection of file managers. I have docks galore. I can choose my favorite from each category and use that.
* Better design. The fact that Linux uses better file-locking semantics, the fact that Linux uses symlinks instead of shortcuts, the fact that it's easier to write a reliable Linux driver than a reliable Windows driver, all have strong trickle-down effects to the user in the form of fewer reboots, more flexibility in file system layout and control, and a more reliable system.
CMDRTACO CHECK YOUR EMAIL!
Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?
Would you like some more pie, Bill?
DON'T use IE!
--Keeping the flame wars alive, one post at a time
I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I supposed their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.
Cyde Weys Musings - Scrutinizing the inscrutable
There are times when I wonder if Microsoft isn't purposely trying to get everybody on the Net own3d.
I mean, what kind of frikkin' bug would make an executable link pretend to be something else? If I believed in conspiracy theories, I'd swear it was deliberate.
Gifts for Geeks - Stuff that really matters!
pardon my naivete, but wouldn't that conflict with specifying a user and pass such as in ftp addresses?
in fact it is an HTML executable file.
Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.
Believe it or not, but many people have a use for http://username:password@domain links, especially in bookmarks. Perfectly secure on a computer used by one person :)
Great, so now when I try to connect to my laptop a la ftp://name:password@laptop/ from work, it'll throw me out.
Cool
Just what I needed, more MS interference. And no, unfortunately I can't force mozilla everywhere I go, and samba is a lot more of a pain (ftp is universal).
P.S: the server is only accessible from internal and only when I choose, so no, it's not a security risk
Ask 8 slackers a question, get 10 answers (a citation, but I can't remember from who)
This coming from the same company that broke the attachment mechanism because of pathetically stupid design decisions and instead of fixing their bad design blamed the users for actually doing what attachments were designed for, yes I do believe this.
I can click attachments without fear in Mozilla, or pretty much any UNIX mailer. Attachments weren't broken until OutLook broke them.
Mozdev has some tips about completely disabling IE, even in other applications.
So are you saying that if you received a mail that stated "This is a virus. Click *here* to nuke your hard drive", in a context like that mentioned in the parent post, you would click? Because "no virus would disguise itself as such?".
Because I certainly wouldn't.
grib.
maybe
Unfortunately, HP, in their infinite wisdumb, requires me to use IE to do my job...
In other news today Microsoft reports that Windows is cheaper than Linux http://slashdot.org/article.pl?sid=04/01/28/073253&mode=nested&tid=109&tid=126&tid=163&tid=187&tid=98&tid=99 The question is, were any of those test computers attached to the internet?
It's called Total Cost of Ownership, junior. This is what happens when you get 13 year old Linux elitists all together in web forum like this - a bunch of mis-informed kiddies thinking they know what's best.
Well, get your head out of your ass and try to grasp the reality: In some incidences it truly is cheaper to run Windows vs *nix. And in some cases (*gasp*) it's the opposite.
I sincerely hope you're trolling for easy karma, because this kind of attitude will shut you out of a lot of opportunities in the future. And no, junior, those 3 lines you added to the kernel don't really matter in the end to a possible employer. Get used to it.
There are way too many Linux elitists here - you can like Linux, you can LOVE Linux, hell you can even hate MS. But to state something which so blatantly shows how uninformed you are is embarrassing. I'd hate to have your UID.
Infoworld claims the result could be 'devastating'"
I claim the result of MS on the world to be 'devastating'.
There. The 'cut-to-the-chase' summation of where this thread should eventually go.
How many times do we have to be reminded of the vulgarity that has seeped out of Redmond since the beginning?
hi/HELLO/Error/Status/The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
<http://www.lsp.steelpharm64v.com/host/index.asp?I D=019102309840v0h0293jf8o998239p8valiu23nf8qoa8329 nor87fahl9w8n4fl98q2l938nf97va0283p97thrl9q274g >
Yeah right.
HyperText Markup Language was created in part to *link* documents quickly (i.e. so the user doesn't have to type in the document location manually). If we're supposed to just give up hyperlinks, why not just kiss the World Wide Web goodbye?
...and that's the way the cookie crumbles.
What's the backup for, then?
Quote from the article:
"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."
They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.
Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)
I thought MyDoom did use an exploit? (Exploiting a flaw in Outlook which executes attachments when they are clicked on, getting email addresses from addressbooks, etc, etc).
Why is it that a lot of people here don't know how to do a nice thing for somebody?
If my in-laws computer needs some work, next time I am over there, I'll take a look at it, or try to help over the phone, it takes all of what, maybe 20 minutes.
My uncle owns a small business, if I can save him some money by making recommendations for him or giving him some free tech-support, great.
If you're nice to somebody, they are going to be nice to you, believe me, in the end, it's a wash.
Plus, life is too short to be an asshole all of the time.
-dave
/., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"
You know, at first I thought you were joking, or that the URL was somehow spoofed as a demonstration, but Microsoft really does suggest the "Most effective step..." is to not use IE to click on hyperlinks, type in the URL instead. It's kind of like recommending people push their car around town instead of running the engine, because it might burst into flames otherwise.
Most sane people would suggest it was time to consider getting a new car (e.g., Mozilla).
So MS is breaking more standards. Lovely.
"A web app that requires a single brand of browser is not a web app... it's a client/server app".
You don't get used as free tech support by a lot of people, do you? I for one know that certain members of my family, and certain "friends" of mine will probably be calling me for the first time since the blaster worm thanks to MyDoom or whatever it is. They don't have time for me except when their computer goes to hell. Surely I'm not the only one here....
And by the same logic, the cost of getting system administrators for Linux systems, or the availability of Linux software for specialized commercial needs, also both things driven purely (or at least largely) by Microsoft's market share, is "irrelevant to the actual OS". What's left then for a TCO study? The price of a boxed OS CD set? The price of necessary hardware?
It's really bending over backwards to include in a TCO study the benefits of going with the same OS most of the desktop world is running while at the same time deliberately excluding the costs of using the same system most virus/worm writers target. Lauding the beneficial network effects while declaring the harmful network effects out of the scope of the study is just dishonest.
It always does. We've been thru dozens of these 'devastating' quality issues and the victims just queue up at Local Computer Store to buy another one. That's why they keep legions of hungry microsofties out there to clean up after the latest worm du jour, meanwhile the gazillionaire will be awarded a Nobel Peace prize or something. I mean, cheezus, it's only software - it's not like people are getting killed in poor quality cars or anything. Everybody knows you should backup important data anyway so just chill out and obey your old pc overlords.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
"But, then we'd have to *support* it!" which would be oh-so-hard...
End users always complain about this attitude without understanding the reasons behind it.
It isn't your one Mozilla installation they *really* care about. It is what allowing you to do it would mean: pretty soon people would be running IE, Netscape, Opera, AvantBrowser, and a whole host of other oddball web clients.
In a situation like that, when someone comes to you with a problem, it multiplies the number of possible reasons by so many that it makes supporting them a nightmare.
When you've helped administer an environment where your job is to make sure that hundreds or thousands of employees (or students) can do what they need to do, *then* you can complain if you still think everyone should be able to set their own standard.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Isn't a browser that comes with the computer, or comes with the operating system kinda like a radio that comes "stock" with a car? And we know what sort of quality those are...
FLR
"We want to get patch deployment down from days or weeks to hours."
Of course that'll solve all the problems! We patch a hole 1 hour after it's discovered (not like that ever happened) and then it takes three months (also overly optimistic estimate) for the average user to actually download a patch with the next service pack, if ever. The result? The end user is just as vulnerable as he has ever been. But we can now blame the end user for not patching their system in time, because the patch was available early on. The bottom line? The user feels like M$ software is as insecure as it's ever been, and rightfully so.
You can say whatever you want about the advantage of releasing patches fast. It's great to release them fast. In fact, a lot of open source developers take pride in being able to do just that, and this is something worthy of admiration. But a quick patching process is no replacement for code that is secure to start with!!! And while M$ can speed up their patch development, they can do nothing about the fact that their existing software sometimes closely resembles Swiss cheese - it's already out there, and it breaks often.
Jobs? Which jobs?
I second that emotion! I am always glad to help people with their computer problems. But over time they start to take it for granted that I help them for free. I don't know why that is so, but most of the time I am happy to get a thank you.
Nevertheless I still like to help people with their computer problems, because that's what I love to do.
It's not about being an asshole all the time, but one has to know when to say "No", and when it's ok to spend some of your time to help others for free.
[--- PGP key and more on http://www.root42.de ---]
Convince the IT manager to let you demo Mozilla for them. Use the Windows skin, and whatever plugins you wish to make it as IE-like as possible.
Assuming you convince the manager, continue on with testing Mozilla for compatibility with every critical bit of software the company needs.
If that works, take the results of your exhaustive tests, add in a report on what problems you're solving by abandoning IE, and get the IT manager to sell it to the Director.
Now, once the Director makes it policy, you can force the rollout on the users.
This doesn't work with friends and family, of course, but I am involved in this very process right now at a client site where they are getting quite fed up with security advisories, but aren't ready to move from the Windows OS yet. If I win with Mozilla, I'm trying OpenOffice next.
Please. I worked tech support for 2.5 years at my university.
I'll spend 5-10 minutes trying to help someone who just randomly comes up and says 'Hey, I remember you from the help desk. I have this....' Or some friend of a friend. 'Hey, this is my buddy, his computer is...' But that's it. I hardly know the person, and I don't have time. Between my own computer issues and those I was dealing with at work, I want some time not devoted to dealing with how buggy people can make their systems.
If it's a close friend, of course it's not a problem. But apparently just because you don't get asked frequently, doesn't mean others don't. Don't let that stop you from making sweeping generalizations though.
>Plus, life is too short to be an asshole all of the time.
Arguably, assholes are created not born. After the nth time explaining to the same people the same concepts (virus scanner, only download from download.com, etc) it's time to face facts, accept the fact they will never learn, and tell them to leave you alone and buy a Mac for their next computer.
I don't mind doing small favors or explaining something, but I can only do this so many times. On top of it, once people know they can get a hold of you they will not call the people they pay to support them like Dell. At least then they can learn to help themselves. I'd much rather show people how to get their money's worth by calling the people who support their computer and showing them how to do simple searches on google or support.microsoft.com than being on call 24/7 every time something 'funny' happens. I get enough of that at work.
It would be very nice if windows users, by default, can just run as User and have a nice GUI to do a runas Administrator with big warnings about how they're about to install software, etc. I think that's the biggest problem in the windows world - installing stuff is seen as no big deal, when really it's not something to be taken lightly.
People who just want there computer to do what they want are simply consumers.
I hate to be like this, but it's "their", not "there". Once that is said I am doomed to make at least one spelling og grammatical error, but the there/their confusion is getting to my nerves. I'm sorry.
All most people want is:
a: web forms filled automatically and easy. every time after set up.
b: easy communication with other people
What do you base this on? My personal experience is quite different. Many of my friends are computer-literate, and thus want much more from their (not there) computers. It would seem that the goals you state are your own and you are simply generalizing based on your own desires.
People, as a whole, do not expect a constant malicious attempt on there person or property. Nor should they have to.
People do not have to be careful in a world where no bad people live. Sadly some bad people live in our world. We teach our kids to be wary of strangers offering them candy. We should teach our kids to be wary of strange software offering them "candy".
I sincerely believe that all this "userfriendlyness" (is that a word?) in computers is for the worse. If we had left computers in a less userfriendly state and instead made specialized devices for specific tasks, such as a "play with your games" device, and a "communicate with other people" device we would not see so many people fscking up their (not there) systems. Computers as we know them are simply too complex for the average person. The seemingly simple interfaces we have today lead less computer literate people to believe that they stand a chance of understanding how their (not there) computers work.
Microsoft's market share guarantees that a disproportionate amount of viruses and worms will target their OS
Given that statement, wouldn't their market share provide them with greater income to develop better products? I can fully understand the 9x releases not being secure as they were just starting their market dominance. As they've moved to 2000/XP with the lip service of saying they are security minded, I would expect their products to be much more secure (not entirely secure as I understand no application will be totally without fault). The real problem is that we are seeing simple errors that a good code review or software tools would catch.
You must wake up to the fact that Linux is no longer a basement application. It's being looked at by many corporations thanks to the support of many people and corporations.
bud. I love microsoft so there is no need for me to try to switch to one of your geeky experiments.
Over time, you'll go the way of the dinosaur if you can't evolve to consider all possible IT solutions. Linux is here to stay. Will it wipe out MS, maybe someday, but I see a relatively long period of mixed computing environments where the skill demand will be for people with a variety of skills. Just think about all the mainframe administrators who refused to see the future.
Just fucking great. Instead of actually fixing the problem, they just told RFC 2396 (which is based on the ten year-old RFC 1738 and officially endorsed by the HTTP standard) to fuck itself and called it a day. And in the meantime, they recommend that users not click any links at all.
Just amazing that this is what we have to deal with.
The best counter argument to the 'but it's only because MS has a bigger market share than your luser OS' is Apache. Apache is much more popular than IIS (as you can verify with a trip to netcraft), but SANS has more IIS incidents than Apache incidents. Both servers have vulnerabilities and sites can be defaced with either server. But IIS is the more vulnerable. Why is that?
Think global, act loco
Yep, but if you read the Microsoft KB article, you'll see that, as usual, they are using a full sheet of sheetrock to fix a pinhole. Instead of patching Internet Explorer 5.x and 6.x to show the full URL with the "@" sign in it, they're just removing the ability to have an http:// or https:// link with the @ completely. That's not a fix, it's a farce. If they were really concerned about what their customers need, they would simply filter the URL and remove any strange control characters before the @ sign and ALWAYS SHOW THE FULL URL.
(Of course, I'm being completely obvious here to the SlashDot crowd...)
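As an added example that is not part of this thread or of Microsoft's KB fix, here is the alternative the comment above describes, in Python: keep RFC 2396 userinfo links usable (the ftp://name:password@host case discussed earlier in the thread), strip control characters before the "@", and always report the host the browser would really connect to. The sample URLs are constructed; 203.0.113.5 is a documentation address.

```python
"""Show what an http(s)/ftp link really points to, per RFC 2396 authority syntax.

Added example (not from the original thread). It implements the fix the
comment proposes: filter control characters before the "@" and always show
the full, real host instead of dropping userinfo support entirely.
"""
import re
from typing import NamedTuple

# RFC 2396: for http(s)/ftp the authority is the text between "://" and the
# first "/", "?" or "#"; authority = [ userinfo "@" ] hostport
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/?#]*)(?P<rest>.*)$", re.S
)
# Percent-encoded C0 controls and DEL (%00-%1F, %7F) as used to hide the "@"
_PCT_CONTROL_RE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")


def _is_control(ch: str) -> bool:
    """Literal (unencoded) control character?"""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


class LinkInfo(NamedTuple):
    scheme: str
    userinfo: str          # text before "@" with control characters removed
    hostport: str          # host[:port] the client would actually connect to
    rest: str              # path, query and fragment, unchanged
    hidden_controls: bool  # control characters were present before the "@"
    display: str           # what a browser should show in the status bar


def describe_link(url: str) -> LinkInfo:
    """Split an absolute URL and build a display string that cannot hide the host."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an absolute URL with an authority: %r" % url)
    scheme, authority, rest = m.group("scheme"), m.group("authority"), m.group("rest")
    userinfo, hidden = "", False
    if "@" in authority:
        # Split on the LAST "@": userinfo may not contain "@" per RFC 2396, so a
        # stray one smuggled in before the real separator cannot move the host
        userinfo, hostport = authority.rsplit("@", 1)
        hidden = bool(_PCT_CONTROL_RE.search(userinfo)) or any(map(_is_control, userinfo))
        userinfo = _PCT_CONTROL_RE.sub("", "".join(c for c in userinfo if not _is_control(c)))
    else:
        hostport = authority
    hostport = hostport.lower()
    display = f"{scheme}://{hostport}{rest}"
    if userinfo:
        display += f"  [login '{userinfo}' will be sent to {hostport}]"
    if hidden:
        display += "  [control characters removed before @]"
    return LinkInfo(scheme, userinfo, hostport, rest, hidden, display)


if __name__ == "__main__":
    # Constructed samples: a legitimate bookmark-style link and a spoof-style one
    for sample in ("ftp://name:password@laptop/",
                   "http://www.example.com%01@203.0.113.5/login"):
        print(describe_link(sample).display)
```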
My guess is that they'd seen how they'd basically got "time off" when the computers/network went down. And so like rats pressing the button when the light comes on, they did the same again next time the opportunity came along.
ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
You aren't even paying attention to what he's saying. Anderson is AGREEING with you. The Patch deployment he's referring to shrinking IS the time it takes "the average user to actually download a patch...." That time is what Microsoft is working to reduce, not the "time until a patch is released."
If you look at recent exploit history, Anderson is exactly right. Blaster, Slammer, etc... All of the exploits came out AFTER the patch was released. The primary reason they were so destructive is that users did not patch, and the patch itself advertised the hole to the exploit writers like a green lighthouse on a clear night. I'm glad that MS is focusing on the right problem in that respect: user deployment of patches.
Of course not. But keep in mind that even the Linux kernel needs to be patched and updated! There have been two security holes in the 2.4.x kernels over the past 6 months. Each one required a new or patched kernel to fix. How many n00b linux users do you think actually did that?
It's the same problem for both sides. Problems will be found in all software. Patches are absolutely necessary to fix those problems. The hard part is getting those patches deployed. If patches aren't deployed promptly, what was a simple coding error can easily become an enormously expensive nightmare.
That is the old Nimda .eml file exploit, which has been fixed in IE and Outlook. This exploit is harder to fix. This has to do with Windows COM and that components contain a class id or guid that identifies what type of file it is. Also in this case it is an html executable or .hta file not an exe, IE can't run an exe as a component. It has nothing to do with the mime type.
Of course you would get this from reading the article. Now how you got the high rating is another issue. I guess it is true nobody here actually reads the article. Hell I'm going back to fark.