Another Serious MSIE Hole
pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"
A little demo for those still using IE...
Anyone noticed similarities between MSIE and Swiss cheese ?
And people wonder why viruses are so prevalent on windows boxen...
Now that anyone can spoof not only the url, but the file type, who will know what they are downloading.
Wasn't good ol' Bill just extolling the virtues of Windows Security in comparison to other 'unnamed' operating systems the other day?
Would you like some more pie, Bill?
DON'T use IE!
--Keeping the flame wars alive, one post at a time
Here's a safe demo of the exploit.
A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link, and select "Open" it purports to be downloading a pdf file whereas in fact it is an HTML executable file.
Haha this will show them - i am downloading the latest patch from www.mikerowesoft.com - m defen is str..o..noo!!..hel..elp
I wonder how well I can navigate the internet with out clicking on any hyperlinks.
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."
Find that hard to believe? http://support.microsoft.com/default.aspx?scid=kb;[ln];833786. Remember, type, don't click.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
From the article text:
Doom worm currently reeking havoc across the globe.
So it's a smelly worm? Or are they trying to say that Windows stinks?
Where's my lobbyist? Right here.
... that Windows is far more secure than Linux or OSX because it gets tested so many more times out there in the wild..
[Editors note: replace 'tested' with 'tested and found wanting']
Simon.
Physicists get Hadrons!
As MyDoom is showing, hackers don't need an exploit to spread. The social engineering is still more than enough to spread.
This is a cute vector that can be used to take in another 10% of users, but since it looks like most of them will run any attachment you send them anyway, it's a moot point.
A few years back, I coded an app and e-mailed it to all our users. The message came "from" the company owner and said "This is a virus, you will destroy all the data you have access to if you run this file."
If they ran the file, it sent me a message with their computer name, username and other details.
About 80% of the users ran it.
I lost all faith in the human race that day.
"Live Free or Die." Don't like it? Then keep out of the USA
The IE has been so full of holes, and there's shitloads of unpatched IEs out there as well, that nobody who wants to have any control over their computer is using it anymore (unless they're stupid enough to trust some middlesoftware like Norton's, or simply don't know why their computer is getting less usable by the day. "hey I just wondering why am I getting popups even when I'm not browsing?? it really gets in the way of my spreadsheet work").
If you have a stock IE and you browse around with it you WILL GET infected with some spyware or another, sooner or later. This is how it has been for the past few years(!) so a new hole hardly changes anything (it has not been trustworthy enough for years to use on random urls from irc/forums/whatever, so another bug is unlikely to change anything).
world was created 5 seconds before this post as it is.
I really don't think Microsoft cares any more. They certainly don't care about the security of their customers. I supposed their objective with IE was to dominate the market by packaging it with Windows, and once that was completed, they simply stopped caring about IE. They haven't updated it in over two years, and its competitors have added all sorts of useful features in the meantime. And now that these bugs have been exposed and nothing is being done about it, it's time for people to move on to using other browsers - permanently. If people aren't convinced by the merits of other browsers, maybe they'll be convinced when their "tried and true IE" allows them to be scammed/defrauded.
Cyde Weys Musings - Scrutinizing the inscrutable
There are times when I wonder if Microsoft isn't purposely trying to get everybody on the Net own3d.
I mean, what kind of frikkin' bug would make an executable link pretend to be something else? If I believed in conspiracy theories, I'd swear it was deliberate.
Gifts for Geeks - Stuff that really matters!
Gates also explained "To say a system is secure because no one is attacking it is very dangerous," and proposed that "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.
Of course, virus writers are getting lazy now. According to Microsoft software architect Chris Anderson, "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."
Pardon my naiveté, but wouldn't that conflict with specifying a user and pass such as in ftp addresses?
in fact it is an HTML executable file.
Maybe I'm behind the times, could someone explain precisely what they mean by an HTML executable file? That doesn't make sense to my "HTML is plain text" portion of knowledge.
Believe it or not, but many people have a use for http://username:password@domain links, especially in bookmarks. Perfectly secure on a computer used by one person :)
Microsoft is deprecating the use of "@" in URLs.
The popularity of IE is about to drop sharply as the entire XXX-site-password-hacking community finds their reliable tricks no longer work.
Should knock MS's browser marketshare down 10-15% just from that alone.
The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)
This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.
for every person who constantly bitches about "pop-ups" or something messing up my computer related to IE. I'd retire. All I say is go to mozilla.org and leave me the hell alone.
I guess being a computer professional is like being a doctor. Everyone asks you anything related to your field regardless of the situation (ie, dinner, getting dental work done, ...). I try to explain I'm a $100/hour (yes, outsourcing is my fault) contract software engineer. If you want me to reinstall your OS, Drivers, Applications and backup your data that will be about 6-8 hours (assuming they have any legit install disks) and roughly $600 to $800 total. They usually quit calling after that.
It's like calling a mechanical engineer to change your fucking tire. Figure it out, it isn't that hard.
Great, so now when I try to connect to my laptop a la ftp://name:password@laptop/ from work, it'll throw me out.
Cool
Just what I needed, more MS interference. And no, unfortunately I can't force mozilla everywhere I go, and samba is a lot more of a pain (ftp is universal).
P.S: the server is only accessible from internal and only when I choose, so no, it's not a security risk
Ask 8 slackers a question, get 10 answers (a citation, but I can't remember from who)
It appears that Mozilla is only partially safe from this type of bug. When I went to the test page it still showed up as being a pdf in the filename field but identified as a html file. It then asked me what I wanted to do and defaulted to "open with mozilla firebird". This bug may be bigger than reported.
Mozdev has some tips about completely disabling IE, even in other applications.
What's left: "MSIE Hole".
Still left: "MSIE"
As most serious security problems affect MSIE, it can be omitted as well. The least redundant informative headline would be:
Ok, I've been following this stuff for years now. For years I've asked "what will it take for people to switch?" I thought maybe the next big MS bug. Then I got sick of waiting and went straight into frustration.
Why do people stay with MS software? Users have been lied to, let down, pushed around (licensing tactics), and even left hanging -- their systems wide open as vulns remain unpatched. If this were a social relationship, people would call it abusive and advise you to get the heck out of it faster than not!
I keep hearing "this year will be the year MS goes down" over and over again, year after year. I'm frustrated and I believe so are a lot of other people. They are neither improving nor are they visibly dying...and I'd like to know why people are still so tolerant of them even after all they've done.
Hey, don't complain -- they also check to make sure you have enough disk space to REMOVE software, too!
"Freedom means freedom for everybody" -- Dick Cheney
Anyway, you're talking about the virus. The article is talking about downloads from web sites, where you can't tell what type of file you're downloading - you think you're getting a .pdf, and you're really getting an executable. And you gave it permission to download, because you knew that the file was of a safe type! The type you approved was safe, it just wasn't the type of the real file.
Combined with another (not yet fixed) bug that lets web sites spoof which domain they are in, and you have all kinds of fun - downloading a trojan when you think you're downloading a .pdf or even .txt from a trusted site...
But you really can't blame stupid users for this one. If the browser lies to you about what site you're really visiting, and lies about what type of file you're downloading, there's no $&%^$^%$ way that it's the user's fault. The blame lies exactly with Microsoft.
.HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and Javascript to write the equivalent of GUI batch files.
Cool idea in the right hands, but here it's a disaster waiting to happen.
-Hentai [in vita non pacem est]
Infoworld claims the result could be 'devastating'"
I claim the result of MS on the world to be 'devastating'.
There. The 'cut-to-the-chase' summation of where this thread should eventually go.
How many times do we have to be reminded of the vulgarity that has seeped out of Redmond since the beginning?
hi/HELLO/Error/Status/The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
This is just another opportunity to check and make sure. If you are still using IE, switch to Firebird. Now. If you don't see the obvious benefit, something is wrong with you. If anyone who still insists on using IE reads this post, please tell me why you wont switch. I really want to see what people are thinking who are still using IE. There is really no excuse anymore in my eyes.
Really, I'm genuinely interested in reasons IE users are still using IE. I just can't comprehend what you're thinking.
The GeekNights podcast is going strong. Listen!
I know this isn't an ask slashdot topic, but does anyone have any tips for how to get people to switch from IE to Mozilla/Firebird? I just don't understand why I can't get people to change, and Lord knows I've tried.
I don't understand it, I really don't. I've seen people complain about viruses, bugs, pop-ups, and ads, and yet when I suggest that they go with Mozilla, they don't want to switch. Why? "Because IE's there." Or "because Mozilla takes too long to load." "Using quickstart isn't worth it because IE starts when the system does, so why run two browsers at the same time?" But yet they'll complain about a 5 second load time for Mozilla, when they'll spend more time than that closing pop-ups and resetting their homepage from where someplace changed it. I've even come across the situations where people won't switch because Mozilla had a different print screen (even though I used an IE skin so the rest looked the same), and one didn't want to use it because when you opened a "new" window, you didn't get the old window in it. Even after I showed them the clone window extension (which is pretty close to the same functionality), he didn't switch. It's just frustrating.
It's sad, Microsoft has people so brainwashed that they'll complain until they're blue in the face that IE sucks, and yet they won't switch unless you put a gun to their head. So does anyone have any suggestions for just how to make them switch? (without actually putting a gun to their head)
-Through the server, over the router, off the firewall... Nothing but 'Net!
Bill said that Windows 98 was over 15% faster. He was about to say it had better access to the internet when he got shot in the head.
Man, shouldn't that South Park general be the Slashdot mascot?
To remove this IE exploit, download this TXT or PDF. Um, it contains the instructions to remove it. Yeah...
Thank you so much for the wonderful idea of fully integrating your web browser into your very secure and stable operating system! Windows XP is simply a joy to work on. I absolutely love it when I'm browsing the web and Internet Explorer crashes, which causes all open windows, including those that have nothing to do with your wonderful little browser, to close as well. What a well thought out idea it was to integrate the browser into the operating system!
Even if your company won't let you install Mozilla, even if you need IE for some portion of your work assignments, there is really no reason why you can't do all of your normal web surfing with a web browser that functions properly.
Quote from the article:
"The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser."
They claim that this bug appears to be unfixable while not really providing evidence to support the claim other than implying that if it was indeed fixable Microsoft would have fixed it already.
Is this just FUD?
For the love of god I'm sick of patching. Thankfully we are using Microsoft Software Update Services which I highly recommend for automating your MS patching needs. (Hey it's free and works)
That is not the nature of the vulnerability. IE displays a dialog saying "You are downloading the file:" followed by the filename. That is where the spoofed filename is displayed. The danger is that, if you are expecting, for example, a PDF which you won't want to keep, you will just click "Open", expecting it to start Acrobat Reader. However, once the file is downloaded, its real filename is that of an executable, which runs merrily away, doing whatever it wishes.
It's got nothing to do with mime types.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
They can be quite good - especially when they pretend to be in a glass cage.
Sigs are bad for your health.
Q: How many Microsoft engineers does it take to change a light bulb?
A: They don't, they just redefine darkness as the new standard.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Another Silly Software Hole.
It's even worse. The filename doesn't have to be in the hyperlink - it can also be in the headers. So, the url could be http://someuniversity.edu/~somestudent/exam_answers.txt
The header could then have "Content-Disposition: attachment; filename=Exam_Answers.txt{INSERT_executable_file_CLSID}"
The CLSIDs are under "HKEY_CLASSES_ROOT\MIME\Database\Content Type"
The example above would secretly have the file type of your choice but would be known as Exam_Answers.txt. You won't see the CLSID unless you look at it from the command prompt. If you click on it, it executes whatever file type you wanted.
You can't use a machine code executable file (.exe) directly, however, because it doesn't have a content-type/CLSID pair in windows. (well, it does, but there isn't one just for .exe files... even MS wouldn't be *this* stupid. For all intents and purposes it doesn't.)
So, does Sir William know how many holes it takes to fill IE? -2 Stupid
What?
While browsing the network at college, I discovered a folder with r/w permissions. So I placed in the folder a little "do not run this.exe" that made some autoexec.bat changes, and poorly so. It included recovery instructions and backed up the file.
A few months later, my friend has trouble starting his computer. Guess who had to fix it...
So MS is breaking more standards. Lovely.
"..did you actually read the article??".
If he did, it wouldn't be Slashdot.
Sig it.
More and more I'm seeing comments that would have been modded Flamebait a few months ago getting +1 Funny ratings. Maybe it's Gandhi's old mantra in reverse?
First we fight them,
Then we laugh at them,
Then we ignore them,
Then they're gone.
Last post!
"A web app that requires a single brand of browser is not a web app... it's a client/server app".
I'm running Konq 3.1.5 on Slack -current, and I'm not 'vulnerble' (sic).
I was trying the DEMO PAGE, and noticed a minor work-around. The article says to save the file to disk before believing what it claims to be, which is sound advice, but you don't have to get that far to see something is wrong. As soon as you click on the link a "File Download" dialog is presented asking what to do with it. If you click on Open, based on the fake file extension displayed... you're screwed. If you click on Save, the next dialog box shows the true file type in the "Save as type" box.
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
In some instances it truly is cheaper to run Windows vs *nix.
Yea... Windows is like the bubble boy of the computer world - the second it comes in contact with anything outside of a highly protected, closely monitored, totally sterilized area the shit hits the fan.. but as long as it stays in its bubble and no disks, network connections, or phone lines ever touch it... hey - TCO is great.
You ain't kiddin'! Hell, my company is, at this very minute, looking for some MCSE-holding kissass morons to tell the upper management folks that we need to upgrade to Windows 2003 and XP. I never really understood why we need to hire kissass morons to come to the conclusion the management has already come to.. but I guess that's just because I don't understand the intricacies of management and Windows system admin...
Maybe you should apply?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
It always does. We've been thru dozens of these 'devastating' quality issues and the victims just queue up at Local Computer Store to buy another one. That's why they keep legions of hungry microsofties out there to clean up after the latest worm du jour, meanwhile the gazillionaire will be awarded a Nobel Peace prize or something. I mean, cheezus, it's only software - it's not like people are getting killed in poor quality cars or anything. Everybody knows you should backup important data anyway so just chill out and obey your old pc overlords.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
In response to flaws recently exposed in its software Microsoft has suggested that customers stop using hyperlinks -- the core feature of the World Wide Web. The bugs, which were exposed in the last few weeks, allow scammers on the net to make their website links look like a legitimate site (e.g. Microsoft, Ebay or Visa), where they can then ask for identifying information, card numbers and passwords, or cause you to launch executable programs that Internet Explorer describes as more innocuous types (e.g. PDFs).
Rather than immediately releasing a bug fix, Microsoft is now suggesting that users no longer click on web page hyper-links. Their suggested solution is that users manually type in any web address they want to visit in the menu bar.
.....
Other web browser providers (e.g. Mozilla) claim that their browsers are not susceptible to these bugs, and claim that users surfing the web with their browsers are not subject to these problems.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Isn't a browser that comes with the computer, or comes with the operating system kinda like a radio that comes "stock" with a car? And we know what sort of quality those are...
FLR
Helevius
We want to get patch deployment down from days or weeks to hours."
Of course that'll solve all the problems! We patch a hole 1 hour after it's discovered (not like that ever happened) and then it takes three months (also overly optimistic estimate) for the average user to actually download a patch with the next service pack, if ever. The result? The end user is just as vulnerable as he has ever been. But we can now blame the end user for not patching their system in time, because the patch was available early on. The bottom line? The user feels like M$ software is as insecure as it's ever been, and rightfully so.
You can say whatever you want about the advantage of releasing patches fast. It's great to release them fast. In fact, a lot of open source developers take pride in being able to do just that, and this is something worthy of admiration. But a quick patching process is no replacement for code that is secure to start with!!! And while M$ can speed up their patch development, they can do nothing about the fact that their existing software sometimes closely resembles swiss cheese - it's already out there, and it breaks often.
Jobs? Which jobs?
The problem is that IE uses both the extension AND the mime type. It decides what to do when you click on it by looking at the MIME type. But it decides how to OPEN it by looking at the extension. So it sees "virus.exe" with a MIME type of text/html, and knows that it is supposed to automatically open html files when they are clicked on, so it downloads it. Once it downloads, it tries to open the file. The routines for opening files are the same as the ones in Windows Explorer, so it sees ".exe" and executes it. The user is never prompted because IE is never set up to prompt every time you visit a new page, and Windows Explorer isn't set to prompt every time you tell it to run a program.
ASCII stupid question, get a stupid ANSI
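To make the two posts above concrete (the Content-Disposition/CLSID trick described earlier, and the extension-versus-MIME-type behaviour described just above), here is an added example; it is not code from the page, from Secunia or from Microsoft. It pulls the filename out of a Content-Disposition header, strips any trailing CLSID, works out which extension the shell would actually dispatch on, and compares that with the Content-Type. The CLSID in the first sample is the one quoted earlier in the thread; the extension sets, the MIME map and the sample headers are constructed for this example and are not exhaustive.

```python
"""Spot the download tricks discussed in the thread: a CLSID tacked onto the
filename, a document-looking name in front of an executable extension, and a
Content-Type that disagrees with the extension the shell will act on."""
import re
from typing import NamedTuple, Optional, Tuple

# Trailing {GUID} on a filename, e.g. Exam_Answers.txt{5e941d80-...-08002b30bfeb}
CLSID_SUFFIX = re.compile(
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\s*$", re.IGNORECASE
)
# filename=foo or filename="foo bar" inside a Content-Disposition value
FILENAME_PARAM = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE)

# Extensions the Windows shell hands to a loader or script engine rather than a
# viewer. Constructed for this example; not a complete list.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "reg"}
# Extensions a user reads as "just a document". Constructed for this example.
DOCUMENT_EXTS = {"pdf", "txt", "doc", "xls", "html", "htm", "jpg", "gif"}
# Rough map from Content-Type to the extensions it legitimately describes.
MIME_EXTS = {
    "application/pdf": {"pdf"},
    "text/plain": {"txt"},
    "text/html": {"html", "htm"},
}


class Verdict(NamedTuple):
    raw_name: str             # filename exactly as the header carried it
    shown_name: str           # what the user sees once the CLSID suffix is dropped
    real_ext: str             # extension the shell dispatches on (if no CLSID overrides it)
    clsid: Optional[str]      # trailing CLSID, if any; the shell uses its handler instead
    reasons: Tuple[str, ...]  # why the download is suspicious (empty = nothing found)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def filename_from_disposition(header: str) -> Optional[str]:
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = FILENAME_PARAM.search(header)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def assess(disposition: str, content_type: Optional[str] = None) -> Verdict:
    """Judge one response's Content-Disposition / Content-Type pair."""
    raw = filename_from_disposition(disposition) or ""
    reasons = []

    clsid = None
    m = CLSID_SUFFIX.search(raw)
    if m:
        clsid = m.group(0).strip()
        reasons.append("filename carries a CLSID suffix that the shell hides")
    shown = raw[: m.start()] if m else raw

    # "report.pdf.exe" -> ["report", "pdf", "exe"]; the last piece is what runs.
    parts = shown.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{real_ext} is executable")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(
                f"document-looking .{parts[-2]} sits in front of .{real_ext} (hidden-extension bait)"
            )

    if content_type:
        mime = content_type.split(";")[0].strip().lower()
        allowed = MIME_EXTS.get(mime)
        if allowed is not None and real_ext not in allowed:
            reasons.append(f"Content-Type {mime} does not describe a .{real_ext or '?'} file")

    return Verdict(raw, shown, real_ext, clsid, tuple(reasons))


# Constructed sample headers, not captured traffic.
SAMPLES = [
    ("attachment; filename=Exam_Answers.txt{5e941d80-bf96-11cd-b579-08002b30bfeb}", "text/plain"),
    ('attachment; filename="quarterly_report.pdf.exe"', "application/pdf"),
    ('attachment; filename="virus.exe"', "text/html"),
    ('inline; filename="manual.pdf"', "application/pdf"),
]

if __name__ == "__main__":
    for disposition, ctype in SAMPLES:
        v = assess(disposition, ctype)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.shown_name!r:28} "
              f"real=.{v.real_ext or '?'} clsid={v.clsid}")
        for r in v.reasons:
            print("           -", r)
```

The check is deliberately conservative: any CLSID suffix is flagged on its own, without trying to resolve the GUID, because which handler it names is something only the target machine's registry can answer.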
I'm the one who submitted the story that Timothy posted.
Microsoft damn well deserves some bashing. They didn't fix the phishing bug in their monthly patch set, and the phishing bug was reported very close to the beginning of that monthly cycle, and only 1 week after it was discovered, scammers started making heavy use of it in their attempts to defraud people of banking details. So Microsoft had 3 weeks to witness the phishing bug being abused in the wild, and still they did not patch it for almost a full month.
This all comes on the heels of a bunch of PR Microsoft spewed not long ago, claiming a study (they paid for) found that Microsoft issues patches faster than Redhat.
I call them a bunch of lying hypocrites who only care about money and not the security of their customers. You call me a Microsoft basher. You are right, I'm saying Microsoft sucks and they lie. I believe I am right too, they do suck and they do have little regard for honesty, as can plainly be seen.
In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH.
In fact, the last security patch for sendmail was on September 17, 2003. That's over 4 months ago. There have been zero sendmail security patches this week, not 35. The previous patch was released March 29th, 2003. Not the same week, but 5.5 months earlier.
OpenSSH doesn't have the same web pages with patch info as Sendmail... so looking at Redhat's update history on OpenSSH, I see new RPMs published on the following dates: 17-Sep-2003, 16-Sep-2003, 04-Jul-2003, 14-Feb-2003. It's not clear if these are security updates or other less serious updates. But only once did two patches appear in the same week. On average, it's over 2 months between updates.... hardly 54 in one week.
Now compare that to MSIE. Microsoft's customers complained that multiple patches were required every week, so they recently switched to a monthly patch schedule. But there was news coverage that shortly after the switch, they still had to break that schedule and release patches more frequently because of very critical security bugs discovered.
And remember that Microsoft doesn't even bother to fix things like this phishing bug, which makes it easy for scammers to direct people to false banking login pages and have them appear to be the legitimate websites of the banks people trust! Contrast that lack of concern for customers getting ripped off against some of the openssh patches, which fix timing problems where the sub-millisecond delay changes could theoretically leak info if probed repetitively over a low-latency LAN.... but virtually impossible to attack over the internet, and no known exploits in use.
It's pretty clear which software has a good security track record and which software has more holes that swiss cheese. It's quite clear who deserves to be bashed.
PJRC: Electronic Projects, 8051 Microcontroller Tools
On the end user.
:D Fortunately, he still uses OS 9 and I can answer just about all of his questions from memory. The only time I've ever had to do serious tech support for him was when his preferences folder somehow got moved out of his system folder.... that was interesting.
:-)
I've done work for free for some people, and they're quite happy. They make me dinner or take me out for a few drinks or something.
I've also done work for free for some people, and they're never happy- to the point of hassling me every time they see me because they need help with some piece of software (that has extensive documentation, installed), they did something I told them not to do and broke something, or, in general, are too thickheaded to learn for themselves and want me to do their thinking for them.
I much prefer the former type of person to the latter. Of the seven field users I support (people whom I've given computers to over the years), five of them only contact me when something is seriously broken, and the other two can't even find the help key on the keyboard unless I come to their house and physically show it to them. Multiple times.
Then there's my dad.
Family's obviously a different matter than friends- I've minimized the damage to my sanity by only supporting OS 9. I patently refuse to deal with Windows in any capacity (it took several people a very long time to realize this), I don't support linux (I tell people how to get answers the same way I get them- google, a notebook, and a printer), and everyone I know running OS X is a self-sufficient operator.
All in all, refusing to deal with Windows has saved me countless hours of free time (and work time!), and has even switched a couple of people over to Macintosh. Go figure.
To all you Mozilla users, don't think that you're safe simply because you use Mozilla. I just tried the demo with Firebird 0.7 and it essentially does the same thing as IE6. Click on the demo link on secunia's site and you get an "open/save as..." window. Sure it says that the default program type is "htmlfile (default)" and the file name shows the CLSID which should make you think if you are supposedly downloading a pdf, but let's face it, the average Joe isn't going to be thinking (or actually reading the file name). If you just go ahead and click "open," you get the same end result as if you had used IE (in fact IE opens if it's your default browser). Even if Firebird is your default it will still try opening the file as an html document. This isn't an IE flaw as much as a Windows flaw, so just switching browsers really won't save you.
Your best bet is to THINK BEFORE YOU CLICK!!!!
Just fucking great. Instead of actually fixing the problem, they just told RFC 2396 (which is based on the ten year-old RFC 1738 and officially endorsed by the HTTP standard) to fuck itself and called it a day. And in the meantime, they recommend that users not click any links at all.
Just amazing that this is what we have to deal with.
The best counter argument to the 'but its only because MS has a bigger market share than your luser OS' is Apache. Apache is much more popular than IIS (as you can verify with a trip to netcraft), but SANS has more IIS incidents than Apache incidents. Both servers have vulnerabilities and sites can be defaced with either server. But IIS is the more vulnerable. Why is that?
Think global, act loco
This thread is mostly about how IE/win users are idiots, and what to do about it.
I think in the end, we need a new system.
In part, people are not perfect, they will make mistakes, and other people will exploit those mistakes.
What we need is centralized administration. A few smart guys with ssh fixing computers for everyone on a paying list of subscribers. I think it could work.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Yep, but if you read the Microsoft KB article, you'll see that, as usual, they are using a full sheet of sheetrock to fix a pinhole. Instead of patching Internet Explorer 5.x and 6.x to show the full URL with the "@" sign in it, they're just removing the ability to have an http:// or https:// link with the @ completely. That's not a fix, it's a farce. If they were really concerned about what their customers need, they would simply filter the URL and remove any strange control characters before the @ sign and ALWAYS SHOW THE FULL URL.
(Of course, I'm being completely obvious here to the SlashDot crowd...)
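As an added example of the "filter the URL and always show the full URL" approach the post above argues for, and of the user:password@host links discussed earlier in the thread (not code from the page, from Microsoft or from the KB article): a Python function that reports the host a link really resolves to, flags control characters hidden in the userinfo and a userinfo dressed up to look like a hostname, and produces a display string with the userinfo stripped. The URLs are constructed, and evil.example is a placeholder host.

```python
"""Report where a link with userinfo really goes, and flag the control-character
trick that truncates what an address bar shows in front of the "@"."""
from typing import NamedTuple, Optional, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit


class LinkCheck(NamedTuple):
    real_host: Optional[str]        # host the request is actually sent to
    userinfo: Optional[str]         # decoded text in front of the "@", if any
    looks_like_host: bool           # userinfo reads like a hostname (www.ebay.com)
    control_chars: Tuple[str, ...]  # control characters hidden in the userinfo
    safe_display: str               # URL with userinfo and control chars removed

    @property
    def deceptive(self) -> bool:
        return self.looks_like_host or bool(self.control_chars)


def _hostlike(text: str) -> bool:
    """True if text reads like a hostname: letters, digits, dots and hyphens."""
    return "." in text and all(c.isalnum() or c in ".-" for c in text)


def check_link(url: str) -> LinkCheck:
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit already takes the part after the last "@"
    userinfo = None
    controls: Tuple[str, ...] = ()
    looks = False

    if "@" in parts.netloc:
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        controls = tuple(c for c in userinfo if ord(c) < 0x20 or ord(c) == 0x7F)
        # What a user would see in front of the "@" once control bytes are gone,
        # ignoring any ":password" part.
        visible = "".join(c for c in userinfo if c not in controls).split(":", 1)[0]
        looks = _hostlike(visible)

    netloc = host or ""
    try:
        if parts.port is not None:
            netloc += f":{parts.port}"
    except ValueError:
        pass  # unparseable port; leave it out of the display string
    safe = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    return LinkCheck(host, userinfo, looks, controls, safe)


if __name__ == "__main__":
    # Constructed URLs; evil.example is a placeholder, not a real site.
    for u in (
        "http://www.microsoft.com%01@evil.example/update.exe",
        "ftp://name:password@laptop/",
        "https://www.ebay.com/signin",
    ):
        r = check_link(u)
        print(f"{'DECEPTIVE' if r.deceptive else 'ok':9} -> {r.safe_display}")
        if r.userinfo is not None:
            print(f"          userinfo={r.userinfo!r} controls={r.control_chars}")
```

A legitimate ftp://name:password@laptop/ bookmark passes (the userinfo is a plain username, not a hostname), while the control-character variant is flagged and rendered as http://evil.example/update.exe, which is the string a careful address bar would show.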
You aren't even paying attention to what he's saying. Anderson is AGREEING with you. The Patch deployment he's referring to shrinking IS the time it takes "the average user to actually download a patch...." That time is what Microsoft is working to reduce, not the "time until a patch is released."
If you look at recent exploit history, Anderson is exactly right. Blaster, Slammer, etc... All of the exploits came out AFTER the patch was released. The primary reason they were so destructive is that users did not patch, and the patch itself advertised the hole to the exploit writers like a green lighthouse on a clear night. I'm glad that MS is focusing on the right problem in that respect: user deployment of patches.
Of course not. But keep in mind that even the Linux kernel needs to be patched and updated! There have been two security holes in the 2.4.x kernels over the past 6 months. Each one required a new or patched kernel to fix. How many n00b linux users do you think actually did that?
It's the same problem for both sides. Problems will be found in all software. Patches are absolutely necessary to fix those problems. The hard part is getting those patches deployed. If patches aren't deployed promptly, what was a simple coding error can easily become an enormously expensive nightmare.
That is the old Nimda eml file exploit, which has been fixed in IE and Outlook. This exploit is harder to fix. This has to do with Windows COM and that components contain a class id or guid that identifies what type of file it is. Also in this case it is an html executable or .hta file not an exe, IE can't run an exe as a component. It has nothing to do with the mime type.
Of course you would get this from reading the article. Now how you got the high rating is another issue. I guess it is true nobody here actually reads the article. Hell I'm going back to fark.