Slashdot Mirror
Another Serious MSIE Hole
pjrc writes "Infoworld is reporting
another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"
Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?
Would you like some more pie, Bill?
DON'T use IE!
--Keeping the flame wars alive, one post at a time
I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I supposed their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.
Cyde Weys Musings - Scrutinizing the inscrutable
There are times when I wonder if Microsoft isn't purposely trying to get everybody on the Net own3d.
I mean, what kind of frikkin' bug would make an executable link pretend to be something else? If I believed in conspiracy theories, I'd swear it was deliberate.
Gifts for Geeks - Stuff that really matters!
in fact it is an HTML executable file.
Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.
Beleive it or not, but many people have a use for http://username:password@domain links, especially in bookmarks. Perfectly secure on a computer used by one person :)
This coming from the same company that broke the attachment mechanism because of pathetically stupid design decisions and instead of fixing their bad design blamed the users for actually doing what attachments were designed for, yes I do believe this.
I can click attachments without fear in Mozilla, or pretty much any UNIX mailer. Attachments weren't broken until OutLook broke them.
Mozdev has some tips about completely disabling IE, even in other applications.
In other news today microsoft reports that it windows is cheaper than Linux http://slashdot.org/article.pl?sid=04/01/28/073253 &mode=nested&tid=109&tid=126&tid=163&tid=187&tid=9 8&tid=99 The question is were any of thoose test computers attached to the internet?
It's called Total Cost of Ownership, junior. This is what happens when you get 13 year old Linux elitists all together in web forum like this - a bunch of mis-informed kiddies thinking they know what's best.
Well, get your head out of your ass and try to grasp the reality: In some incidences it truly is cheaper to run Windows vs *nix. And in some cases (*gasp*) it's the opposite.
I sincerely hope your trolling for easy karma, because this kind of attitude will shut you out of a lot of opportunities in the future. And no, junior, those 3 lines you added to the kernel doesn't really matter in the end to a possible employer. Get used to it.
There are way to many Linux elitists here - you can like Linux, you can LOVE Linux, hell you can even hate MS. But to state something which so blatantly shows how uninformed you are is embarrassing. I'd hate to have your UID.
<http://www.lsp.steelpharm64v.com/host/index.asp?I D=019102309840v0h0293jf8o998239p8valiu23nf8qoa8329 nor87fahl9w8n4fl98q2l938nf97va0283p97thrl9q274g >
Yeah right.
HyperText Markup Language was created in part to *link* documents quickly (i.e. so the user doesn't have to type in the document location manually). If we're supposed to just give up hyperlinks, why not just kiss the World Wide Web goodbye?
...and that's the way the cookie crumbles.
Quote from the article:
"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."
They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.
Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)
Why is it that a lot of people here don't know how to do a nice thing for somebody.
If my in-laws computer needs some work, next time I am over there, I'll take a look at it, or try to help over the phone, it takes all of what, maybe 20 minutes.
My uncle owns a small business, if I can save him some money by making recommendations for him or giving him some free tech-support, great.
If you're nice to somebody, they are going to be nice to you, believe me, in the end, it's a wash.
Plus, life is too short to be an asshole all of the time.
-dave
/., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"
You don't get used as free tech support by a lot of people, do you? I for one know that certain members of my family, and certain "friends" of mine will probably be calling me for the first time since the blaster worm thanks to MyDoom or whatever it is. They don't have time for me except when their computer goes to hell. Surely I'm not the only one here....
And by the same logic, the cost of getting system administrators for Linux systems, or the availability of Linux software for specialized commercial needs, also both things driven purely (or at least largely) by Microsoft's market share, is "irrelevant to the actual OS". What's left then for a TCO study? The price of a boxed OS CD set? The price of necessary hardware?
It's really bending over backwards to include in a TCO study the benefits of going with the same OS most of the desktop world is running while at the same time deliberately excluding the costs of using the same system most virus/worm writers target. Lauding the beneficial network effects while declaring the harmful network effects out of the scope of the study is just dishonest.
It always does. We've been thru dozens of these 'devestating' quality issues and the victims just queue up at Local Computer Store to buy another one. That's why they keep legions of hungry microsoftie out there to clean up after the latest worm de jour, meanwhile the gazillionair will be awarded a Nobel Peace prize or something.I mean, cheezus, it's only software - it's not like people are getting killed in poor quality cars or anything. Everybody knows you should backup important data anyway so just chill out and obey old your pc overlords.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Convince the IT manager to let you demo Mozilla for them. Use the Windows skin, and whatever plugins you wish to make it as IE-like as possible.
Assuming you convince the manager, continue on with testing Mozilla for compatibility with every critical bit of software the company needs.
If that works, take the results of your exhaustive tests, add in a report on what problems you're solving by abandoning IE, and get the IT manager to sell it to the Director.
Now, once the Director makes it policy, you can force the rollout on the users.
This doesn't work with friends and family, of course, but I am involved in this very process right now at a client site where they are getting quite fed up with security advisories, but aren't ready to move from the Windows OS yet. If I win with Mozilla, I'm trying OpenOffice next.
Please. I worked tech support for 2.5 years at my university.
I'll spend 5-10 minutes trying to help someone who just randomly comes up and says 'Hey, I remember you from the help desk. I have this....' Or some friend of a friend. 'Hey, this is my buddy, his computer is...' But thats it. I hardly know the person, and I don't have time. Between my own computer issues and those I was dealing with at work, I want some time not devoted to dealing with how buggy people can make their systems.
If its a close friend, of course its not a problem. But apparently just because you don't get asked frequently, doesn't mean others don't. Don't let that stop you from making sweeping generalizations though.
Just fucking great. Instead of actually fixing the problem, they just told RFC 2396 (which is based on the ten year-old RFC 1738 and officially endorsed by the HTTP standard) to fuck itself and called it a day. And in the meantime, they recommend that users not click any links at all.
Just amazing that this is what we have to deal with.
The best counter arguement to the 'but its only because MS has a bigger market share than your luser OS' is Apache. Apache is much more popular than IIS (as you can verify with a trip to netcraft), but SANS has more IIS incidents than Apache incidents. Both servers have vulnerabilities and sites can be defaced with either server. But IIS is the more vulnerable. Why is that?
Think global, act loco
Yep, but if you read the Microsoft KB article, you'll see that, as usual, they are using a full sheet of sheetrock to fix a pinhole. Instead of patching Internet Explorer 5.x and 6.x to show the full URL with the "@" sign in it, they're just removing the ability to have an http:// or https:// link with the @ completely. That's not a fix, it's a farce. If they were really concerned about what their customers need, they would simply filter the URL and remove any strange control characters before the @ sign and ALWAYS SHOW THE FULL URL.
(Of course, I'm being completely obvious here to the SlashDot crowd...)
That is the old namda eml file exploit, which has been fixed in IE and Outlook. This exploit is harder to fix. This has to do with Windows COM and that components contain a class id or guid that identifies what type of file it is. Also in this case it is an html executable or .hta file not an exe, IE can't run an exe as a component. It has nothing to do with the mime type.
Of course you would get this from reading the article. Now how you got the high rating is the another issue. I guess it is true nobody here actually reads the article. Hell I'm going back to fark.