Slashdot Mirror


Another Serious MSIE Hole

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

24 of 731 comments

  1. No wonder by Christoff84 · · Score: 2, Interesting

    And people wonder why viruses are so prevalent on windows boxen...

    Now that anyone can spoof not only the URL, but the file type, who will know what they are downloading?

  2. Microsoft says: Don't click URLs anymore... by jea6 · · Score: 5, Interesting

    "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

    Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb; [ln];833786. Remember, type, don't click.

    --

    sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
  3. No more dangerous than normal. by doublem · · Score: 5, Interesting

    As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.

    This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.

    A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."

    If they ran the file, it sent me a message with their computer name, username and other details.

    About 80% of the users ran it.

    I lost all faith in the human race that day.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:No more dangerous than normal. by selderrr · · Score: 2, Interesting

      I did not say that. I would not click it any more than I would purchase one of the aforementioned fake turds in a toy store. But people's behavior in clicking it is understandable both from the perspective of a) curiosity and b) expecting it to be a fake. I was just trying to point out that from his little experiment one cannot conclude that people click everything.

      As a sidenote, such sociological experiments are very complex... They are bound by both time, target group, and context. I don't think you can, from one type of mail, conclude anything at all about clicking behavior. But IANABehaviorist

    2. Re:No more dangerous than normal. by StringBlade · · Score: 2, Interesting
      It's too bad you couldn't code it so if they clicked on the attachment it:
      • sent you an email
      • locked out their account
      • forced a reboot of their PC

      This way, the user who was an idiot, must now call you and confess as much (even though you already knew). Additionally, you could take the information and collect it for presentation to your superiors suggesting that your organization is in dire need of some anti-virus education because clearly they are posing a threat to the operations of your company.

      If your superiors objected to the test in the first place, compare it to a fire drill.

      --
      ...and that's the way the cookie crumbles.
  4. not really anymore.. by gl4ss · · Score: 2, Interesting

    the ie has been so full of holes, and there's shitloads of unpatched ie's out there as well, that nobody who wants to have any control over their computer is using it anymore(unless they're stupid enough to trust some middlesoftware like nortons, or simply don't know why their computer is getting less usable by the day. "hey I just wondering why am I getting popups even when I'm not browsing?? it really gets in the way of my spreadsheet work").

    if you have a stock ie and you browse around with it you WILL GET infected with some spyware or another, sooner or later. this is how it has been for the past few years(!) so a new hole hardly changes anything(it has not been trustworthy enough for years to use on random urls from irc/forums/whatever, so another bug is unlikely to change anything).

    --
    world was created 5 seconds before this post as it is.
  5. Re:Demo by arkanes · · Score: 3, Interesting
    Amusingly, this would make me blink because actual PDFs open automatically in IE (using the Adobe plugin) and I have to use "Save as..." to get them to disk.

    There's a couple of other inconsistencies - if you do use "Save as" the filename appears to be PDF, but the filetype pre-filter (which is set to the type of file that you're downloading) is "HTML files". Interestingly, in the "open or save" dialog, the file type is blank.

    I'd just like to take this time to slap microsoft for adding yet another way of associating files with applications to piss us all off. We already had enough issues with contradicting file extensions and mime types.

  6. Mozilla Firebird by Peredur · · Score: 4, Interesting

    It appears that Mozilla is only partially safe from this type of bug. When I went to the test page it still showed up as being a pdf in the filename field but identified as a html file. It then asked me what I wanted to do and defaulted to "open with mozilla firebird". This bug may be bigger than reported.

    1. Re:Mozilla Firebird by pacsman · · Score: 3, Interesting

      When I went to the demonstration site and clicked the link in Mozilla 1.5 it showed the file name as "ie.%7B3050f4d8-98B5-11CF-BB82-00AA00BDCE0B%7DSecunia_Internet_Explorer%252Epdf" and asked what to do with it, by default saving it to disk. Even if you were an internet clueless person somehow using Mozilla this still doesn't seem as dangerous if for no other reason than the bizarre filename, which doesn't look the least like it's a .pdf file. On IE it asks if you want to download "...Secunia_Internet_Explorer.pdf" which looks much worse as far as disguising itself goes.

    2. Re:Mozilla Firebird by GoofyBoy · · Score: 2, Interesting

      >this still doesn't seem as dangerous if for no other reason than the bizarre filename, which doesn't look the least like it's a .pdf file.

      It does look like a pdf file.

      "something ending with the letters pdf. It must be a pdf file. Lets just run it."

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    3. Re:Mozilla Firebird by sik0fewl · · Score: 2, Interesting

      That's strange, my filename is shown as ie.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}Secunia_Internet_Explorer%2Epdf.htm under Firebird 0.7 on Windows.

      --
      I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
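    The filename/type inconsistencies that arkanes, pacsman and sik0fewl describe above (a name that ends in "pdf" after one or two rounds of percent-decoding, a dialog whose filter says "HTML files", bytes that are really a web page) are exactly what a download gateway or mail filter can check for. The following is an added example written for this mirror, not code from the thread or from Secunia or Microsoft: it percent-decodes a presented filename until it stops changing (so a double-encoded `%252E` is caught), maps the final extension to a type, sniffs the leading bytes, and reports every disagreement between name, declared `Content-Type` and content. The extension and magic-byte tables are deliberately small and constructed; a real tool would use libmagic. The sample filename is the one pacsman quoted; the sample file bodies are constructed.

```python
"""Check whether a download's presented name, declared Content-Type and
actual bytes agree. Added illustration for the thread; assumptions are
marked as such."""
import posixpath
from urllib.parse import unquote

# Constructed lookup tables (assumption: a real deployment would use a
# full MIME map and libmagic rather than these few entries).
EXT_TYPES = {
    ".pdf": "application/pdf",
    ".txt": "text/plain",
    ".htm": "text/html",
    ".html": "text/html",
    ".exe": "application/x-msdownload",
}
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),
    (b"<html", "text/html"),
    (b"<!doctype html", "text/html"),
]

# The filename pacsman saw in Mozilla (quoted from the thread above).
DEMO_NAME = ("ie.%7B3050f4d8-98B5-11CF-BB82-00AA00BDCE0B%7D"
             "Secunia_Internet_Explorer%252Epdf")


def fully_decode(name, max_rounds=5):
    """Percent-decode until the string stops changing.

    Returns (decoded_name, rounds). rounds > 1 means the name was encoded
    more than once (e.g. %252E -> %2E -> '.'), so anything that decodes only
    once still sees '%2Epdf' and never the real '.pdf' extension."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(name)
        if decoded == name:
            break
        name, rounds = decoded, rounds + 1
    return name, rounds


def sniff_type(data):
    """Classify a blob by its leading bytes (whitespace skipped); None if unknown."""
    head = data[:64].lstrip().lower()
    for magic, mime in MAGIC:
        if head.startswith(magic.lower()):
            return mime
    return None


def assess_download(presented_name, content_type, data):
    """Return a list of findings; an empty list means name, header and bytes agree."""
    findings = []
    decoded, rounds = fully_decode(presented_name)
    if rounds > 1:
        findings.append(f"double-encoded filename ({rounds} decode rounds)")

    ext = posixpath.splitext(posixpath.basename(decoded))[1].lower()
    claimed = EXT_TYPES.get(ext)                       # what the name implies
    declared = content_type.split(";", 1)[0].strip().lower()  # what the server said
    actual = sniff_type(data)                          # what the bytes are

    if actual is not None:
        if claimed and claimed != actual:
            findings.append(f"extension {ext} implies {claimed} but bytes are {actual}")
        if declared and declared != actual:
            findings.append(f"Content-Type says {declared} but bytes are {actual}")
    if actual == "application/x-msdownload" and ext != ".exe":
        findings.append("executable content under a non-executable extension")
    return findings


if __name__ == "__main__":
    # Constructed sample bodies: an HTML page served under the demo name,
    # a genuine PDF, and an executable header behind a .txt name.
    cases = [
        (DEMO_NAME, "text/html", b"<html><body>constructed demo page</body></html>"),
        ("report.pdf", "application/pdf", b"%PDF-1.4\n% constructed\n"),
        ("notes%2Etxt", "text/plain", b"MZ\x90\x00 constructed header"),
    ]
    for name, ctype, body in cases:
        print(name, "->", assess_download(name, ctype, body) or "consistent")
```

The point of decoding to a fixed point rather than once is the `%252Epdf` ending in pacsman's filename: one decode leaves `%2Epdf`, which is why Mozilla's dialog showed a name that "doesn't look the least like it's a .pdf file", while IE presented the fully decoded `.pdf`. A gateway that compares all three views (name, header, bytes) flags the mismatch regardless of which browser the user has.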
  7. Those In The Dark by Eberlin · · Score: 2, Interesting

    Ok, I've been following this stuff for years now. For years I've asked "what will it take for people to switch?" I thought maybe the next big MS bug. Then I got sick of waiting and went straight into frustration.

    Why do people stay with MS software? Users have been lied to, let down, pushed around (licensing tactics), and even left hanging -- their systems wide open as vulns remain unpatched. If this were a social relationship, people would call it abusive and advise you to get the heck out of it faster than not!

    I keep hearing "this year will be the year MS goes down" over and over again, year after year. I'm frustrated and I believe so are a lot of other people. They are neither improving nor are they visibly dying...and I'd like to know why people are still so tolerant of them even after all they've done.

  8. Re:According to Bill, this is a good thing by TimTheFoolMan · · Score: 2, Interesting
    "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours.

    Is that so virus writers won't have to wait days or weeks before releasing a new version?

    Tim

  9. Re:Ye gods... by nate1138 · · Score: 2, Interesting
    There was a theory (from Cringely, I believe) that Microsoft is doing all this intentionally. They really missed the boat on the whole "Internet" thing in the beginning, and this was their plan of attack:

    1. Plague windows with remote insecurities
    2. Blame this on the designs of the open standards that currently power the net
    3. Release MSTCP/IP, with built in encryption, authentication and DRM as a "solution" to the problem at hand (virus, spam, etc)
    4. Profit!

    Yeah, I didn't really buy it either (and I LIKE conspiracy theories)
    --
    Where's my lobbyist? Right here.
  10. If you aren't by Apreche · · Score: 2, Interesting

    This is just another opportunity to check and make sure. If you are still using IE, switch to Firebird. Now. If you don't see the obvious benefit, something is wrong with you. If anyone who still insists on using IE reads this post, please tell me why you won't switch. I really want to see what people are thinking who are still using IE. There is really no excuse anymore in my eyes.

    Really, I'm genuinely interested in reasons IE users are still using IE. I just can't comprehend what you're thinking.

    --
    The GeekNights podcast is going strong. Listen!
  11. Suggestions? by EvilOpie · · Score: 2, Interesting

    I know this isn't an ask slashdot topic, but does anyone have any tips for how to get people to switch from IE to Mozilla/Firebird? I just don't understand why I can't get people to change, and Lord knows I've tried.

    I don't understand it, I really don't. I've seen people complain about viruses, bugs, pop-ups, and ads, and yet when I suggest that they go with Mozilla, they don't want to switch. Why? "Because IE's there." Or "because Mozilla takes too long to load." "Using quickstart isn't worth it because IE starts when the system does, so why run two browsers at the same time?" But yet they'll complain about a 5 second load time for Mozilla, when they'll spend more time than that closing pop-ups and resetting their homepage from where someplace changed it. I've even come across the situations where people won't switch because Mozilla had a different print screen (even though I used an IE skin so the rest looked the same), and one didn't want to use it because when you opened a "new" window, you didn't get the old window in it. Even after I showed them the clone window extension (which is pretty close to the same functionality), he didn't switch. It's just frustrating.

    It's sad, Microsoft has people so brainwashed that they'll complain until they're blue in the face that IE sucks, and yet they won't switch unless you put a gun to their head. So does anyone have any suggestions for just how to make them switch? (without actually putting a gun to their head)

    --
    -Through the server, over the router, off the firewall... Nothing but 'Net!
  12. Re:Why oh Why... by back_pages · · Score: 2, Interesting
    To add to this, I realized today that I can install a full copy of Mozilla Firebird onto my 64MB USB 2.0 Flash drive. I can plug that thing into any USB port on any Windows box with ME or later, and then run Firebird almost as well as if it were installed to the system's hard drive.

    Even if your company won't let you install Mozilla, even if you need IE for some portion of your work assignments, there is really no reason why you can't do all of your normal web surfing with a web browser that functions properly.

  13. Re:If I had a dollar by Ironica · · Score: 2, Interesting

    for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.

    Yeah... now tell me how I get the sysadmins in the computer lab at school to go to mozilla.org. "But, then we'd have to *support* it!" which would be oh-so-hard... it would cut into their smoke breaks something awful. (and they'd have less to clean up than with IE.)

    These are the same folks that just "got rid of" profiles on all computers, because they were "too much hassle..." so every time I log in, it's three clicks to get started ("Click Start to begin!" "Take a Tour of Windows XP!" "Clean up your desktop!") Four or five clicks to get through the browser prompts ("You're trying to send data... are you sure?" "Would you like me to remember this for you and send it without your knowledge?" "Ok, I know I asked you if you wanted to send data already, but this site is secure..."). And so on.

    Not everyone has control of every computing environment they use. So, yeah, until IE crashes and burns hard enough that people really will stop using it, some of us will complain.

    --
    Don't you wish your girlfriend was a geek like me?
  14. Re:If I had a dollar by Hel+Toupee · · Score: 3, Interesting

    Amen, brother! The worst part is if you do help someone (say a good friend), then they casually overhear that one of their good friends has a computer problem, you're going to be tapped to help that person, too. If I had a dollar for every friend-of-a-friend-of-a-friend's computer I had to un-fsck-up, I'd be rich.

    The worst part is that all these people are getting their kit fixed through that one friend as a proxy, and since you didn't charge them (because you were just being nice, really drunk, trying to get *ahem* "On her good side", etc.), you can't charge their social network of unwashed masses either.

    --
    PERL:
    All of the power of Voodoo with most of the understandability!
  15. Re:In other words,... by tonyr60 · · Score: 2, Interesting

    It is easy to be less than serious about this issue but...

    Spam pretty much killed newsgroups; it is on its way to doing the same thing for email.

    Microsoft is on track to kill the internet because it cannot deliver a product that can look after your average user. The problem is that unlike newsgroups and email, the internet is a significant contributor to the world economy.

    It is near impossible to educate users on how to be careful; either the products must be secure, or we take a giant step backwards as users desert the internet because they cannot trust it.

    And all because one company with adequate resources does not care. If they did care we would not be faced with this sort of stupidity.

  16. It depends. by solios · · Score: 2, Interesting

    On the end user.

    I've done work for free for some people, and they're quite happy. They make me dinner or take me out for a few drinks or something.

    I've also done work for free for some people, and they're never happy- to the point of hassling me every time they see me because they need help with some piece of software (that has extensive documentation, installed), they did something I told them not to do and broke something, or, in general, are too thickheaded to learn for themselves and want me to do their thinking for them.

    I much prefer the former type of person to the latter. Of the seven field users I support (people whom I've given computers to over the years), five of them only contact me when something is seriously broken, and the other two can't even find the help key on the keyboard unless I come to their house and physically show it to them. Multiple times.

    Then there's my dad. :D Fortunately, he still uses OS 9 and I can answer just about all of his questions from memory. The only time I've ever had to do serious tech support for him was when his preferences folder somehow got moved out of his system folder.... that was interesting.

    Family's obviously a different matter than friends- I've minimized the damage to my sanity by only supporting OS 9. I patently refuse to deal with Windows in any capacity (it took several people a very long time to realize this), I don't support linux (I tell people how to get answers the same way I get them- google, a notebook, and a printer), and everyone I know running OS X is a self-sufficient operator. :-)

    All in all, refusing to deal with Windows has saved me countless hours of free time (and work time!), and has even switched a couple of people over to Macintosh. Go figure.

  17. Re:If I had a dollar by Kris_J · · Score: 2, Interesting
    A friend at work said that he couldn't stop IE from going to a range of search pages with pop-ups when he started it. He'd run Adaware and still couldn't get rid of the problem. He went away with a USB flash device containing the latest Mozilla installer.

    I'm going to have to pull a weekend at work soon installing a new version of our database client on every PC. I'm going to put Mozilla on all the machines at the same time. Won't make it the default or anything, but if anyone starts to have problems with IE, my first solution will be to switch to Mozilla. I've had enough of this crap.

  18. Re:If I had a dollar by Afrosheen · · Score: 4, Interesting

    You're exactly right.

    When enough people get to know you as the local computer guy, you'll get phone calls, visits, you name it. People will expect it to be free by default unless you set a price. Make it fair but worth your time.

    Anyone on here bitching about 'feeling obligated' to provide 'free support', stop bitching. It's your own fault it's free. Charge a price. Believe it or not people are willing to pay their friends a reasonable fee, even if it's not cash. Tell them to rent a movie for you and bring it over, or bake a cake, or get a six pack of Guinness, whatever. I have a big box of Krispy Kreme sitting here from a friend of mine that needed spyware removed yesterday.

    Once you get people trained to think that indeed, your time and expertise are worth something, you won't even have to make requests. People will open their wallets or bring you stuff automatically.

    Don't let your passive-aggressive geek nature leave you with regrets or feeling used. Assert yourself.

  19. the ultimate by Dave_bsr · · Score: 2, Interesting

    This thread is mostly about how IE/win users are idiots, and what to do about it.

    I think in the end, we need a new system.

    In part, people are not perfect, they will make mistakes, and other people will exploit those mistakes.

    What we need is centralized administration. A few smart guys with ssh fixing computers for everyone on a paying list of subscribers. I think it could work.

    --
    Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?