IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

FYI

[arieswind]

This configuration change to the Windows XP, Windows Server 2003 and Windows 2000 operating systems improves system resiliency to protect against the Download.Ject attack.

In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections for our customers.

Please note that this isnt a fix, it is only a configuration change to help defend against the problem and nullify the threat from the known places it is spreading from. No doubt that within a short time, whoever is behind the virus will find other places to have the virus attack from. This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

Re:FYI

Nope:

Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
Adodb.stream provides a method for reading and writing files on a hard drive.

Quick Info
File Name:
Windows-KB870669-x86-ENU.exe

Download Size:
104 KB

Date Published:
7/2/2004

Version:
870669

Overview
Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.

It has nothing to do with known threats.

Re:FYI

[quadra23]

This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

I think I lost count at about 1000 when it comes to these "this will help for now..." When it comes to IE most fixes end up as patches that can actually break more than they fix. I think the Dept. of Homeland's Security recommendation of not using IE speaks loud and clear to this.

Microsoft could start but not allowing web sites to automatically run malicious code, just as Outlook has the same tendency with emails (which incidently, most email viruses spread rapidly with).

Re:FYI

[Tackhead]

> This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ).

Ah, once again, "Security Zones" rears its ugly head. Wasn't integrating the browser into the operating system a brilliant move?

Ah, once again, the assumption that users are using Web-based apps in a trusted environment such as the office LAN, rather than the Real World(tm), rears its ugly head. Services listening on 135? 137? 139? 445? 5000? But how will you share files, printers? Doesn't everyone want to share every file with every other user on their network segment? Doesn't everyone want to automatically sniff out and configure their machine to work with every network-attached peripheral?

Open Letter to Windows design team, in monosyllables so you get the fucking point, because you sure as fuck haven't over the past nine years

Code. Code belong on hard drive. Code tell a C.P.U. to do stuff. You get code, you save code, you tell box to run code! O.S. do what code say, so if you get owned, is your fault cuz you tell O.S. to run code! This just fine!

Web Pages. Made of H.T.M.L. You get by click link. to make words and pics on screen. You got H.T.M.L.? I.E. for turn the H.T.M.L. into pics on screen. I.E. good for show text. I.E. good for show click link. I.E. good for show boobs.

Heap Big Clue: I.E. MADE OF CODE. I.E. CODE RUN ON LOCAL MACHINE. THEREFORE ALL ZONE ARE LOCAL. You no grok? Here two by four. Hit self in head until you grok, dumb ass.

This isn't chocolate and peanut butter. Executables and Web Content are not two great tastes that taste great together. Just because you can do something, doesn't mean you should.

Security "zones" are one of the dumbest fucking ideas ever to come down the pipe.

Re:FYI

[dasmegabyte]

You're making claims that are untrue and short sighted. I call FUD.

First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done. If there is a change to an existing setting that can defray the effect of the vulnerability and give you more time to test, it would be remiss of you not to inform customers of it. Would you rather they ask customers to wait a few days until the patch is thoroughly QA'd?

Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would. The fix might cause problems with IE, but it wouldn't cause my machine to send spam email against my will. And the VAST majority of IE fixes have had no ill effects whatsoever. On the other hand, emerging the latest from gentoo causes something to break a substantial percentage of the time.

I do agree that IE isn't the best browser ever, but this doesn't excuse you from putting blame where it doesn't belong. If you're going to fault Microsoft for anything, fault them for not being up front about the patch process. They should let us know at every step of the way what the problem is, how to patch it for now, when a fix will be ready and how to defray such bugs from allowing exploits in the future. That's one cue from OSS they'd be smart to heed. All software is buggy. Pretending it's not is tantemount to pretending you aren't going to fix it.

Re:FYI

[geekopus]

to release a patch to a commercial application...(you've) got to make sure you test it thoroughly because...unlike Open Source, the liability is on YOU if people can't get their work done

I agree with most of your post, but I haven't seen many manufacturers care a whit about liability. In fact, the EULA specifically absolves MS of any liability. Most OSS licenses do the same, of course, but you imply that MS can be held liable, which they cannot.

Re:FYI

[orcus]

You're making claims that are untrue and short sighted. I call FUD.

First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done.

You must have different version of MS's disclaim-all-EULA.

Re:FYI

[dasmegabyte]

The difference is not culpability -- obviously, if MS can write "No warranty expressed or implied" and have it mean butkiss, it has no meaning in the GPL, either -- but potential damages. Sue Microsoft, your class stands to make a pretty penny. Sue Eugene Rodriguez, Guatemalan CS TA, and you're not going to make squat.

Re:FYI

[Pieroxy]

The EULA is one thing. Getting a lawsuit on your back and trying to make it stand is another.

They ARE liable, and they know it. That is why they try to disclaim so much in the EULA. They know that wouldn't stand water if there was a clearly indentified wrongdoing from their side that would generate gazillions of good old $$$ loss someplace willing to go to court.

Re:FYI

[chimpo13]

I mostly agree with you, but there's a problem with "First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done."

I don't think Microsoft is scared of liability issues or even needs to be. Who's going to sue them and how is it going to be settled? So far, the monopoly suits worked out in their favor. Far easier on Microsoft than the US phone company in the 1970s.

Re:FYI

[geekopus]

True enough.

I've always wanted to see what would happen if a business went after someone hiding behind one of those EULAs.......

Re:FYI

[1010011010]

Maybe if ".exe" on the end of a filename didn't imply "chmod +x" ... things like that would be less of a problem. Not no problem -- just less.

Re:FYI

[dasmegabyte]

If the click-to-continue EULA on a spyware program is meaningless, the click-to-continue EULA on IE is just as meaningless. It hasn't been tested in either direction...but I guarantee you that if Microsoft knowingly released an IE patch that fucked the whole internet, there would be lawsuits.

Re:FYI

[RealityThreek]

While your post was funny, MS is hardly the only people who have been doing code within web content.

Agreed on zones though.

Re:FYI

[studerby]

Sue Microsoft, your class stands to make a pretty penny.

So far as am aware, the only lawsuits wherein someone has (potentially) "made a pretty penny" from Microsoft have either been IP infringement cases (e.g. Eolas), or unlawful busines practice cases (e.g. Dr. DOS). If you know of *ANY* cases where MS has lost on a product liability issue, please share with the rest of the class.

Personally, considering that you would be suing someone with over a billion dollars cash on hand, who would have strong incentive to litigate to the death, I'd say your class more likely stands to piss away great sums in legal fees, with the prospect of zero return on investment. This and the "no warranty" hurdle is why, despite being one of the "deepest pockets" in the U.S., MS does not draw very many product liability nuisance suits. There's just no return it; MS won't settle, and it's very very very hard for the plaintiff to win.

Re:FYI

[Cboyd0319]

I've personally used this story as fodder for my most recent of e-mails to my family memebers PRAYING that they switch over, or at least give the alt browser a try. Unfortunetly, this will be 50+ over the course of a lifetime that I have sent to them all hopeing they get the hint.

'Support Free Speech, Free Software, and Free Doughnuts on Thursdays!'

Re:FYI

[nate1138]

the liability is on YOU if people can't get their work done

Now I call FUD on you. MS's EULA clearly states that they aren't liable for ANYTHING that their software does or does not do. Face the facts, IE is broken by design, and the only realistic alternative is to switch to another browser.

Re:FYI

[Kent+Recal]

because unlike Open Source, the liability is on YOU if people can't get their work done.

Oh, really now?

So where do I have to send my bill on lost work hours due to MS exploits to get a refund?

Re:FYI

[Vilim]

Thank you, this is great, you have just made my day. One of the most humerous things I have seen in a while. :)

Re:FYI

[afidel]

Or if there was the option to chmod -x say the IE Temporary directory, but NO, read AND execute have to be the SAME DAMN ACL in NTFS for folders. This is the one thing that pisses me off about securing windows, the design makes it inherintly difficult to do =(

Re:FYI

[o_kenway]

but I guarantee you that if Microsoft knowingly released an IE patch that fucked the whole internet, there would be lawsuits.

I thought they already had - three in fact - Internet Explorer, Outlook Express and IIS. They seem to be getting away with it so far :-)

Re:FYI

[Vancorps]

Erm, you are mistaken, read and execute is a permission yes, but you can also just allow read. You may allow just allow write, or just allow change. Don't for a second think that chmod is anywhere's near as powerful as a full ACL like NTFS or even better, every netware volume in the last 15 years.

Novell knows ACLs!

So in short, you can chmod -x the IE Temporary directory, especially if you use Microsoft Services for Unix. Otherwise you have to do the equivalent of turning off execute permissions which is all point and click, so surely everyone can do it. Although if you'd like you can do it from the cli as well.

The difficulty of Windows is that most features are hidden, some well documented, some poorly documented, and some that just plain don't work. Fortunately for security purposes this is one feature that does work.

Re:FYI

[afidel]

No, if you deny read and execute it automatically checks list folder contents, if you uncheck read folder contents then it unchecks deny execute. If you go into advanced properties you can deny JUST traverse folder/execute file but it still screws you up if you have multiple subdirectories where you want to apply no execute to the root folder. Windows unfortunatly considers traversing a folder and listing its contents as the same thing as executing an executable. Like I said the model is inherintly flawed. An ACL system that works (like NDS) is definitly the best system available, I just hate this one glaring flaw in the NTFS/Windows model.

Re:FYI

[Vancorps]

You don't need to Deny access to execute, it won't execute unless you specifically enable it.

There's nothing wrong with listing the contents of a directory if they don't have access to the contents. Besides that you can even disable their ability to see files they don't have access to. The only trick is for users that don't use Windows.

I agree the NTFS model isn't perfect but I think it definitely gets the job done most of the time. Although it is still no where's near as close to the level of granularity Novell with Netware achieved more than a decade ago.

Also, if you remove the ability to execute on a root folder then all files and folders beneath it would have the same permission since by default inheritence is turned on. I most always break inheritence initially so that I can setup proper access rights but once I establish file structure I use inheritence everywhere that is reasonable. There are a few places such as ntds and sysvol folders where its not a good idea.

Re:FYI

[Temporal]

Are you trying to suggest that web sites should not be allowed to contain scripts? Or that sandboxing code with different levels of trust is not a useful ability? Or what? Because either of those assertions is pretty dumb. Microsoft's problem is that their API's are a mess and security checks aren't always performed or performed correctly. There's too many places in the API where security checks need to be performed, so it's hard to test them all. If they had said from the start that any API component which wanted to access protected system components (the hard drive or whatever) had to go through some unified security module (rather than performing its own security checks then using OS-level API calls), it would have been a lot easier to prevent security problems. I'm guessing they weren't so organized, though. Point is, this is a case of bad implementation, not bad concept. It is certainly feasible to implement sandboxing (such as IE's "security zones") securely.

Re:FYI

[NineNine]

So where do I have to send my bill on lost work hours due to MS exploits to get a refund?

You have your attorney send it to their legal department, dumbass. As someone whose successfully sued giant companies, I can tell you that it's very doable. They have an entire legal department that do nothing but handle lawsuits.

Re:FYI

Guy make joke. You too serious. Here two by four. Hit self until grok.

Ian

Re:FYI

Worry not. He no see boobs but from I.E..

Re:FYI

[Temporal]

His post appeared to be a serious message presented in a joking fashion. The joke half was funny, sure, but the serious half didn't make any sense.

Re:FYI

[Tackhead]

> Are you trying to suggest that web sites should not be allowed to contain scripts? Or that sandboxing code with different levels of trust is not a useful ability?

Yes to the former. No to the latter -- but with the caveat that the thing that should be sandboxing code is the operating system, not the web browser.

A web browser is not an operating system. It has no business doing anything other than turning HTML into boobies.

> Microsoft's problem is that their API's are a mess and security checks aren't always performed or performed correctly.

Remote execution of untrusted code is bad. Tools that enable untrusted code to run in an unsandboxable environment are bad. Tools that enable untrusted code to run in an unsandboxable environment, but that assume the sandbox's integrity is intact, are unforgivable.

Given this -- and it's not like it was a big secret, even at Microsoft -- was it, or was it not, Really. Fucking. Stupid to base the operating system's patch delivery mechanism (windowsupdate.microsoft.com), all locally-stored online help (.chm), email client (outleak), web browser (IE), on a set of assumptions that its developers knew to be patently false at design time, let alone implementation time?

Answer: "We don't care how fucking stupid it is, we got scared into thinking Netscape might do the same sort of stupid thing on Solaris using Java applets on thin clients to talk to an Oracle database, which would have jeopardized our desktop monopoly. It's been six years since the market rejected that paradigm, but have no fear, we're still designing the same stupid into Longhorn."

Re:FYI

[FlyingOrca]

"...and have it mean butkiss..."

The word is bupkis. It's Yiddish for "nothing".

That being said, I almost like your version better. Cheers!

Re:FYI

[maximilln]

First, to release a patch to a commercial application used by millions of people is inherently troublesome.

sed s/commercial//

apt-get seems to work just fine for me.

Re:FYI

[Temporal]

Remote execution of untrusted code is bad.

Not if it's sandboxed.

Tools that enable untrusted code to run in an unsandboxable environment are bad.

What makes an environment "unsandboxable"? We're not talking C code here, where you can access any object in memory if you know where in might be likely to reside. We're talking about scripting languages where you can only access the functionality provided by the API.

No to the latter -- but with the caveat that the thing that should be sandboxing code is the operating system, not the web browser.

An implementation of a programming language or even an API for a pointer-safe programming language is a perfectly good place to do sandboxing. Are you against Java's sandboxing? That's not part of the OS, is it? And yet Java applets are supported by every major browser. Why is it only bad when Microsoft does it?

I'm no IE fan -- I actively encourage my friends to switch to Firefox -- but I believe that it can be very useful to mix code with data, and I know for a fact that it can be done securely. Microsoft just doesn't know how to do it right.

Re:FYI

[Shardis]

Sorry for the short novel here, but I see a lot more FUD in your arguments than his. Granted, the 1000 number is exaggerated, but then again, that's pretty obvious...

Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would.

Funny, I've seen "fixes" come down the pipe and break things quite a few times. Not often true, but enough that I think it's quite a dumb idea to autoapply patches even on a home "play" machine.

And the VAST majority of IE fixes have had no ill effects whatsoever.

A ringing endorsement... too bad they still can't get it right.

The fix might cause problems with IE, but it wouldn't cause my machine to send spam email against my will.

The fix might cause problems with IE, the kernel, once or twice some filesystems, net and memory drivers, just plain destroy config and preferance files and other files totally unrelated to IE... ad nauseum. And, by the way, except for the IE part, NONE of these should even be touched by the code running under IE. :P

You are right about the spam sending part, but that's usually only an annoyance factor when compared to the destruction and leakage of important or potentially confidential information.

On the other hand, emerging the latest from gentoo causes something to break a substantial percentage of the time.

Careful, now you're just showing your ignorance. There's different build profiles that you can use, generally grouped around kernel versions and flavors. If you run any of the development sources, of course things are going to break sometimes. And if a mistake does slip through, a fix for the problem and any secondary problems the first problem caused is usually hot on it's tail.

"a substantial percentage of the time" though is a pretty silly statement though, if you're running a "regular" kernel type. Have a little bit more awareness of what you're emerging/installing. ;)

Personally, for my home machine that "just has to" stay up 24/7, I run "development-sources" which, contrary to what the name suggests (and only real instance of this type of misnomer), is built around the 2.6 kernel and stable as hell - meant for production.

On this set I will pretty much blindly emerge stuff from the stable app lists. Have been for almost 2 years, and have had very very few problems.

"I do agree that IE isn't the best browser ever"

Ya, I'll agree to that. Have gotten almost all of my friends that use the net regularly running firefox cause they just got sick of IE running arbitrary code on their machine just by visiting a web site.

"but this doesn't excuse you from putting blame where it doesn't belong.

Where did blame get put, I must have missed that part... If on Microsoft, for not taking care of such bugs when they're known to exist and causing problems, then I'd agree though. I'm confused, this is as it should be...

"If you're going to fault Microsoft for anything, fault them for not being up front about the patch process. They should let us know at every step of the way what the problem is, how to patch it for now, when a fix will be ready and how to defray such bugs from allowing exploits in the future."

Agreed.

That's one cue from OSS they'd be smart to heed.

Yup.

All software is buggy. Pretending it's not is tantemount to pretending you aren't going to fix it."

Yup, but there are many many things you can do to improve your odds. Relying on security through obscurity as MS tends to do more often than not is NOT the answer.

PS:

By the way,
http://www.gentoo.org/doc/en/gentoo-kernel.x ml has the different kernels and their relative merits and shortfalls if you're interested.

Re:FYI

[Blackbrain]

Actually, the literal translation for bupkis is "goat shit". The word is used to mean "worthless" or "nothing", because what can you really do with bupkis?

/My favorite piece of Yiddish triva.

Re:FYI

[J+Isaksson]

Yes!

Idea for all OS vendors (not good from the publicity but probably security point of view) Please put up a _single page_ with your currently outstanding security problems so people can actually protect themselves!
Right now bugtrack and various other security lists don't cut it. I really don't want to browse a number of mailing lists to do my job, so could you please do your job and tell people what to protect themselves from in a comprehensive way?

(Windows update is a good idea once things are finally "patched", but before that I'm out in the cold)

Re:FYI

[J+Isaksson]

Or, even better, fix windows update to - if there is a requirement to disable active scripting to be safe - have an update that fixes this until the real fix is available. I want my mother to be safe, not just the average slashdot user that will know to do this once the s**t hits the fan.

Re:FYI

[dasmegabyte]

By the way,
http://www.gentoo.org/doc/en/gentoo-kernel.x ml has the different kernels and their relative merits and shortfalls if you're interested.

I'm not. The subtle differences between Linux kernels does not hold my interest; in fact it is about the most boring thing I can think of at the moment. I am certain the time wasted learning the different kernels and experimenting with them will be far greater than whatever perfomance increase is gained by selecting the right one over the entire life of the machine. It's bullshit knowledge.

Re:FYI

[Shardis]

Ouch, must have touched a nerve so I'll not correct your assumptions... Was just throwing that out there for the general crowd anyway. Some actually do like knowledge for it's own sake.

But I'm afraid "bullshit knowledge" it's not, as it can mean having a machine run... or not - as you found out. ;)

Re:FYI

"What makes an environment "unsandboxable"?"

follow along, because perhaps you're a clueless MS programmer and don't get it.

1) IE really is integrated into windows. Sure, delete that icon on the desktop, but the entire help system is based around IE, the email client is based around IE, in fact every feature of the GUI is based around IE. You can't swing a memory mapped file without hitting a couple of IE API's.

2) IE itself contains provisions called BHO's and ActiveX controls that let you add new functionality to IE.

3) Therefore if IE is part of the operating system, and IE can be significantly altered either in advertantly ("Hey buddy, click here to win 1 million dollars!") or through a buffer overflow or similar trick, then you've given untrusted code a relatively easy path to alter the core OS.

4) Lets go through this again, because you're slow.

5) IE is core to OS, IE can be easily corrupted by executables on the web, therefore, the core OS is subject to security breaches simply by a user browsing the web.

I don't know how to make this clearer. The things I've seen IE do to Windows XP in the past 4 weeks make my hair stand on end. A simple click by a friend, who tried to close a popup, missed by 1/4" and basically allowed an ActiveX control to run rampant, cost us an entire two days work.

* The virus protection saw the problem but wasn't fast enough to fix it
* Spybot S&D 1.3 with latest patches was *BLIND* to this infection
* SpySweeper was able to kill things off, but only after we disabled system restore because guess what, every new piece of malware hijacks system restore and the system continuously reinfects itself.

Lets step by and see what's happening.

By design, IE has set up the entire Windows OS so that one inadvertant click in a user process can completely corrupt the OS.

*AND ITS DONE ON PURPOSE*

Honest to god, if someone told me that MS was that stupid 10 years ago, I'd laugh. But I've seen it with my own eyes. IE is so awful that it should not be used. The US government now recommends you shouldn't use it.

I like Windows XP, but IE is fatally flawed and must be rewritten. But hey, its so integrated in the OS that guess what... you have to rewrite the OS.

Holy cow, open your eyes. Its BAD out there!

Re:FYI

[Temporal]

Nice troll.

Re:FYI

[ebyrob]

moron not think that user be dumb and not know how to make code run

Man, this notion that users can't figure out what a file is, what a directory is, or how to click on a file and run it is just ridiculous. I've seen more quality projects torpedoed by managers with this kind of idea stuck in their cramped skull. Users can do this. It may be a nuisance for some things, but they CAN do it.

Bottom line - There are always decisions to be made. Good software should emphasize the important ones and help them be made properly, not try to make every decision for every user. And no, popping up a yes/no dialog is not a good way to emphasize an important decision.

Take email for instance. Whenever I get a non-text email with possibly infected attachments, I consider it a rather impolite, and even gross, invasion of my space. It's much like having someone breathe in my face. If users can understand a dislike for being breathed on, programmers should be able to code up software that makes them aware of when their system is being "breathed on", so they can make their own decision. The fact you used to have to save attachments, or at the least double-click on them to open them was an imposition to users that was helpful because it highlighted this exposure.

In certain instances this made for a lot of heavy breathing. Microsoft's solution was to hand out blindfolds and breathe mints. A better solution seems to be taking a step back and talking from a safer distance.

Re:FYI

[LO0G]

I've never received a fix from Microsoft that's required me to reformat my hard disk. Worst case I had to reinstall Windows and install the patches up to the one that messed me up. A major pain in the neck, but not the end of the world.

I've gotten infected by viruses. Whenever you're infected with a virus, you realistically have no choice but to reformat your hard disk. Because the virus might have contained a root kit. And once you've been root kitted, that's all she wrote, it's reformat time. As an alternative to reformatting you could remove the infected hard disk from the infected machine, virus scan it on a known good machine and then use it, but even then you're not 100% sure you're safe (maybe the root kit was hidden in one of the system restore partitions, which aren't accessable from Window (it's happened))

I'll take the patches over the reformat anyday.

Re:FYI

[Temporal]

I despise IE. Never said otherwise. Only said that the concept of allowing web content to contain code was not inherently wrong (as the original poster had suggested). The other AC's argument had absolutely nothing to do with anything I said, but contained numerous ad hominem insults, probably designed to evoke a nasty response from me. Either he was a troll or a complete moron. ::shrug::

Re:FYI

[Temporal]

The parent post did these things:

• State the obvious (IE is crap)
• Claimed that I support IE (I don't; IE is crap)
• Insulted me

The parent post did not:

• Address anything to do with sandboxing.
• Address anything to do with separation of code and web content.
• Say anything relevant to the discussion whatsoever.

Why is it modded insightful?

This is why I filter out everything except "funny".

Re:FYI

[Jon-o]

I'd say that client side scripts actually SHOULDN'T be in web pages. THey're a pain in the ass, frequently have problems, and very rarely do anything that couldn't be done with either plain html/css or with a server side script.

The basic fault is that scripting is designed to make a web page behave in a non-standard manner. I don't want that to happen! I want control over my web browser and how it displays things, and how many windows it opens, and how controls (forms, etc) work. Anything else, IMHO, is broken.

Re:FYI

[Temporal]

I agree that scripts should not allow a web site to open new windows or move the existing window. But I think scripts which do things like implement a tic tac toe game can be fun. For fateofio.org, I used Javascript to encrypt passwords on login; it's not "true" security but it can help. Doesn't that seem like a good use? I also plan to write a chat client script completely in javascript at some point, allowing users to join a sitewide chat room by just going to a web page. I think these are very useful abilities.

So, yeah, if it were up to me, I would never have put window management functionality in Javascript, but with the popup stopping options in recent browsers I think that problem has been mostly solved, and the rest of Javascript is pretty useful IMO.

NOT an actual fix

It's a "configuration change" to work around the problems that are still there. Many users won't do what they recommend (ie high security) because it'll be inconvenient or "hard."

Re:NOT an actual fix

[Scorchsta]

That seems to be a typical Microsoft thing to do. It's temporary until they implement some tracking code into the fix.

Re:NOT an actual fix

[Lehk228]

when you set high security you cannot even use windows update, and putting windows update into trusted sites does not work right

Re:NOT an actual fix

[SynKKnyS]

Works fine for me using Windows XP Professional.

Re:NOT an actual fix

[gnu-generation-one]

"when you set high security you cannot even use windows update"

So this fix had better be permanent because it's the last?

Re:NOT an actual fix

[Lieutenant_Dan]

Nope, XP and 2003 have windowsupdate.microsoft.com as a trusted site. Unless you remove it manually, no setting will affect that.

Mind you, that still leaves the door open for someone clever to put an entry in the HOSTS file and do some nifty DNS man-in-the-middle trick, sending the unaware user somewhere else and trusting that "fake" windowsupdate.microsoft.com .

Which is nice.

Re:NOT an actual fix

[LO0G]

Think this case in terms of M&M security. M&M security has a crunchy outside and a soft inside.

Up until today, Microsoft was relying on M&M security - they spent all their time on the crunchy inside, while ignoring the soft inside. They kept on trying to fix problems in the things that called ADODB.Stream.

With this patch, they're making the soft inside go away by killing the ADODB.Stream object.

It might break some intranet applications, but the alternative is leaving holes that someone might find a new way of exploiting.

It's called Defense-In-Depth. You apply multiple layers of defense to ensure you're safe.

The ADODB.Stream was a dangerous object. You could constantly patch and patch and patch to make sure that everyone that called it was safe, or you could just get rid of it.

Microsoft chose to get rid of it. Makes sense to me.

Defense-In-Depth it the same reason you should remove strcpy and sprintf from the C runtime library (or at least from your code) - they're dangerous APIs, it's VERY hard to write code that correctly calls these APIs. If you use a safe version of them (one that checks the length of the buffer), you're not as likely to have buffer overruns in your code.

By turning off ADODB.Stream, the hackers now need to find a different way in. Maybe they will, maybe they won't. But this door's been shut and locked.

Re:NOT an actual fix

[WuphonsReach]

Mind you, that still leaves the door open for someone clever to put an entry in the HOSTS file and do some nifty DNS man-in-the-middle trick, sending the unaware user somewhere else and trusting that "fake" windowsupdate.microsoft.com .

Um, if they have access to the machine so that they can rewrite the HOSTS file... isn't the game already over?

Now, breaking into the DNS server, or doing a DNS spoof attack would work well.

Re:NOT an actual fix

[Lehk228]

well I've got a fully patched copy of XP pro and it does not work for me, I followed MS's instructions completely including unchecking require https, and it still doesn't work.

That reminds me...

[DaHat]

That assumes I remember to run Windows Update... Why do I have to do it myself Microsoft! I want automatic and forceful patch downloading and installation! Sure, you could throw in an extra DRM patch here or there... but I don't care, I'm lazy!

Re:That reminds me...

[Eu4ria]

But as soon as a patch comes out that is autoinstalled on systema and breaks something there will be even bigger complaints. Installing of patches should be the system administrators job or the owner and if you dont know what you are doing then you should be reading and finding out about these things. I know most ppl wont/dont do this but as more and more problems like this emerge ppl will have to become more security savvy.

Re:That reminds me...

[WoodstockJeff]

I know your post was taken as FUNNY, but I lost several hours last week installing, then uninstalling, an "important security patch" that took down the my client's Exchange Server. Had it been done automatically, the server would have simply stopped working for unknown reasons, at some MS-selected random time...

I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

Re:That reminds me...

[Embedded2004]

Do not know if your joking or actually being serious. But having microsoft automatically install things is probably not a good idea. I definitely would never run windows update when I am in the process of doing something important. A couple of times it has broken many apps. One time, probably the worst one, was one update which broke my video card drivers. Luckily I have a triple monitors, so my two ati video cards still worked, I managed to boot, and get newer nVidia drivers which worked after the MS update. Had I only had a single display setup, I would of been screwed.

Re:That reminds me...

[Dizzle]

I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

Shouldn't that read "I, for one, do NOT welcome our mandatory auto-patching overlords"?

Re:That reminds me...

[Nurseman]

I want automatic and forceful patch downloading and installation!

Are you serious about wanting forced, automatic downloading ? Do you REALLY want to give Microsoft full control to change things without your permission ? What happens when you log on and MS "Fixed" IE by not letting Mozilla/FF load ? How about "fixing" MS Office, by blocking Open Office ? I am not a tinfoil hatter, or and MS hater, but I like to decide what/when gets updated on my machine. As an example, I have an old, DRM free version of Media Player. It trys to auto update itself after every use. It fact it defaults to "We will automagically update you in 15 seconds UNLESS you click here". No Thank You.

Re:That reminds me...

[blindbat]

I was helping a fellow (via phone) repair his Windows installation that had a couple of viruses (at least), blaster and another worm. He even has the auto download of updates running so he thought he would be safe.

Problem: he is a dial up user and is never connected long enough at home to keep his system current.

So Windows will have to hi-jack the internet connection in order to get the downloads or half-knowlegdable users like this guy will still be victims.

Re:That reminds me...

[LoadWB]

Several hours to roll-back a patch, as opposed to a day or better of complete down time because the system was ravaged by a virus or worm, then spread to other computers on the network.

Choose your battles; it's the lesser of two evils.

Re:That reminds me...

[WoodstockJeff]

No, I try not to indulge in tired, worn-out phrases, like "tired, worn-out"... B-)

Re:That reminds me...

[Zapman]

"Several hours to roll-back a patch, as opposed to a day or better of complete down time because the system was ravaged by a virus or worm, then spread to other computers on the network. Choose your battles; it's the lesser of two evils."

I completely disagree. With proper measures, it can be done.

MS will never have a true 'forced patch upgrade' in 'thou shalt' terms. Enterprises will run away screaming. There are reasons you have development, and test environments for serious pieces of enterprise infrastructure (and exchange would qualify). Roll the patches to dev, then test. Pound on them for a while. See what happens, then apply it to production.

We all know that exchange bare on the internet is a bad idea. It can be done, and it can be done moderatly securly, but a border gateway is almost a requirement. [1]

If you have a reasonable antivirus product infront of exchange, you'll be able to run it unpatched for a the few hours you need to test a true, critical patch.

[1] For a great product, hit www.ciphertrust.com. Their 'ironmail' product is awesome. Great anti-spam, wonderful anti-virus, good content filtering, OWA proxy for webmail. Email appliance. We use it at work, and are blocking 180,000 spam messages/week for 1700 mailboxes.

Re:That reminds me...

[Anonymous+Writer]

I must remember to run Windows Update too, so I can get this patch. Oh wait a minute... I don't have to! I'm on a MAC!

Re:That reminds me...

[AKnightCowboy]

Had it been done automatically, the server would have simply stopped working for unknown reasons, at some MS-selected random time...

You mean the random time like 3:00am that is listed in Automatic Updates by default, or some other random time that's selectable from the drop down box on when to check for and apply critical security patches automatically? I've been using this since it came out and have no problems, but then again, we don't really do anything complicated or mission critical with Microsoft software.

Re:That reminds me...

[WoodstockJeff]

When chosing between two evils, I try to chose NEITHER.

Had the patch been automatically applied, it might be hours discovering WHY the system stopped working, then time spent figuring out whether or not the patch could be rolled back (remember, some MS patches are ONE WAY!), then rolling it back... Assuming it didn't corrupt your data along the way.

Autopatching is likely to become the wave of the future, but I hope Microsoft allows you to manually override it. Maybe they can make it pop up a modal dialog box to confirm that you're ready for them to corrupt^H^H^H^H^H^H^Hpatch your system...

Re:That reminds me...

[vspazv]

The only reason i like the automatic download and installation of patches is because it means i have less customers coming to me for virus removals. I work in a retail store and average 30 virus removals a week because most of the customers have never installed a single update. I always find it funny/sad when I startup the computer and find 20 critical updates that have been downloaded but never installed because they just closed the popup window. Now if antivirus programs would just start blocking spyware programs I would be happy... I currently have to use 4 seperate programs on most computers to completely clean them.

Re:That reminds me...

[Oliver+Wendell+Jones]

Or you could come work where I work.

We're completely locked out of Windows Update, and every time something like this hits, our core IT group will struggle to throw together an emergency patch that they'll remotely distribute WITHOUT ANY WARNING and REBOOT OUR PCs REMOTELY, and did I already mention WITHOUT ANY SORT OF FUCKING WARNING WHATSOEVER?

Bitter? Me? No, cause I get paid the same whether I'm writing the document for the first time or re-writing it a second time because my PC just REBOOTED FOR NO APPARENT REASON WITH NO FUCKING WARNING AT ALL...

Re:That reminds me...

[SynKKnyS]

No matter what version of Windows Media Player you install, mplayer2.exe will always be there waiting for you to enjoy a cheap, light-weight, DRM-free experience.

Re:That reminds me...

[afidel]

Wow, tell your IT guys to use psshutdown from systinternals with a 30 second shutdown flag. Works wonderfully for me and if the user can't be bothered to save in 30 seconds the document isn't that important.

Re:That reminds me...

[Vancorps]

Last I checked Apple had an update service too ;)

Yes there are security patches up there waiting for you. Sorry but you're not immune either. No one is

Re:That reminds me...

[LoadWB]

I meant to address only the point the original poster made about patching. At least twice a week I hear from some admin or IT pro that he/she does not allow auto updating because of the potential of a bad patch.

In fact, I agree with YOUR point, and I will expand with my own views below.

When the last couple of worms made their way through systems I got asked by someone how much I had made because of this worm. My answer was that I did not profit from this worm; my client sites were all updated shortly after the update was released. Forced updates are not the solution for everyone, and I cannot imagine that Microsoft should allow such a schema on everyone.

I have worked with Windows servers on the Internet in the past, and am back in the position again. Other than the two Windows servers I manage sitting right on the Internet, all my client sites are behind NAT and/or some kind of firewalling.

I would never support the idea of leaving an Exchange server naked on the Internet, and that was not my intention in my post.

My job is to maintain small offices and installations which do not have server redundancy and cannot afford downtime, and I cannot afford the resources necessary to individually test each site. There is a lower probability that serveral sites will have a problem with a given patch, and higher that, if any, only one or a couple will have problems and I can fix that with a minimal amount of down time. For these offices, and for what I do, our best defense is automated, updated services -- be it server/workstation OS, email, antivirus, maintenance, etc. -- and site monitoring.

For a larger installation, something better than a single-server SUS solution is appropriate. I have not had the chance to use it in production, but I believe SMS can selectively push updates. That is a potential solution to help segregate test machines from production. This is expecting that a larger installation has the resources necessary to allow for testing before rolling to production. I can invision a partitioned network in which multiple SUS or SMS servers are available to segregate the installation into smaller portions whish would allow an admin to work with each unit as a smaler installation.

Blah blah blah...

There is a lot of work involved in what we all do, but the best medicine is the ounce of prevention.

Does anyone have a valid reason for not using some form of birth control -- the pill, condoms, pull-out, personality -- or is it better to just deal with the consequences? Protection from STD's? Beacuse really, when you have a network or a system that has any kind of Internet access, you're hanging your pecker out the window, just waiting to see what happens.

I wish I had time to pretty this up, but the girl friend is home. Play time is over :)

Re:That reminds me...

[innocent_white_lamb]

if the user can't be bothered to save in 30 seconds the document isn't that important.

30 whole seconds, eh? What if I'm writing the document and took a moment to walk across the room to the bookcase or filing cabinet to consult a reference of some kind? Or someone just walked in and asked me a question. Or the phone rang. Or...

30 whole seconds?

Re:That reminds me...

[Flower]

Don't get me started on Windows Update. My PC at home just got a trojan and after cleaning it up I found the following. Windows Update said I was up-to-date on all patches. I wasn't. MBSA said I was up-to-date and I wasn't. Trying to get the patch I was bounced between the advisory and the page saying I should use Windows Update to download the patch. What a farce.

This is the first time I've ever been tempted to buy a Mac. I'd go straight to Linux if I could but my wife's working on her Master's and the programs she requires are only available on Windows or MacOS.

Re:That reminds me...

[Flower]

Oh come on. A little aerobic exercise break during the day is good for you. Get the blood going as you sprint to the PC, stretch those fingers out with some manual dexterity exercises... Oh and don't forget the primal scream therapy those IT guys are providing you for free.

Admit it. Those updates just let you know IT is looking out for you!

Re:That reminds me...

[aastanna]

Um...actually anyone running a Mac, Linux, or even windows with a browser other than ie is immune to this problem. Also, no other platform performs OS upgrades through a web browser, so no other web browsers need permission to write random crap to the hard drive then execute it, therefore no other platform can get a virus simply from visiting a website.

Re:That reminds me...

[NaDrew]

30 whole seconds, eh? What if I'm writing the document and took a moment to walk across the room to the bookcase or filing cabinet to consult a reference of some kind?

I know you're being facetious, but you could get into the habit of saving every time you get up. Many text editors/IDEs also have autosave options, which would at least let you come back to something fairly recent.

Re:That reminds me...

[NaDrew]

MBSA said I was up-to-date and I wasn't.

I often see MBSA reporting "not up to date" because the key file it's looking for is newer than what it thinks is current! Amazing that it's checking "equal to" rather than "greater than or equal to"--or maybe not that amazing, since many installs (not mine but many) fail horribly when the OS is newer than the "minimum" required.

Re:That reminds me...

[Werrismys]

You can make it fully automatic. I did, and it automatically fscxxored my laptop totally and terminally last May.

Patch, and you're screwed. Don't and you're worse off. I solved this by getting a crossover office license and just booting to debian only -> problem solved for now.

It's the office suite and not much else that keeps businesses from migrating. Wonder when MacroCrap will include something like "Can only be ran on top of M$ win32 implementation" in their license.

One down, ??? to go

[rjune]

For the others, Microsoft has provided customers with prescriptive guidance to help mitigate those issues.

Um

You can have Automatic Update download and even install things on Windows XP.

Re:Um

[Zed2K]

You can make it completely automatic on 2000 also.

Re:Um

[ViolentGreen]

You can have Automatic Update download and even install things on Windows XP.

While this is great for most home users, a lot of people (including myself) do not do this. I want to know exactly what is being put on my system. I don't need the Euro conversion utility. I don't need windows media player 9. Right now there are 8-10 things that it has wanted to install for over a year that I refuse to put on.

Re:Um

[DaHat]

Bah! That assumes I ever got around to installing XP (which I haven't).

I'm a 2000 fan myself... maybe one of these days I should install a SP or two to get the auto update features a later ones brought.

In all seriousness I should say that I use Windows Update religiously and do not have the auto update feature running (I despise it)

Re:Um

[sid+crimson]

I don't need the Euro conversion utility. I don't need windows media player 9.

Autoupdate only installs "critical" patches. WM9 and the Euro tool are not such updates.

-sid

Re:Um

[Sexy+Commando]

FYI, The items you mentioned are not in the Critical Updates section, which means they can only be installed manually.

And you can always check the installation hisory on the Windows Update website, that is, if this can satisfy your desire to "know exactly what is being put on my system."

If not, many people prefer glueing their eyeballs to the monitors to read every single compiler outputs from Gentoo emerges.

Re:Um

[TheSHAD0W]

You can set Automatic Update to ask whether you want the updates installed or not. Right-click My Computer, Properties, Automatic Updates tab, check "Keep my computer up to date", and select "Notify me before downloading any updates". (Note that this is for XP; there's a similar setting for 2K. Not sure about 98/ME.)

Re:Um

[strictnein]

First post:
That assumes I remember to run Windows Update... Why do I have to do it myself Microsoft! I want automatic and forceful patch downloading and installation!

Second post:
I use Windows Update religiously and do not have the auto update feature running

Are you an idiot? Seriously.

Re:Um

[lythotype]

Microsoft marked a font update as critical because the font contained characters that may offend some people/class/group. Don't think they are above marking things as critical just to get it installed. How a font update is critical, I don't know.

Re:Um

[Sexy+Commando]

It's critical beause somebody might get sued/fired/lynched.

Re:Um

[Sexy+Commando]

Hate to reply to my own post, but theis link explains the danger of having offensive materials in an OS default install.

I myself enabled the offensive USE flag, of course, so that I get all the quotes from emerge fortune-mod-all .

Re:Um

[lythotype]

While I understand your point (and agree with it) about inappropriate material in the office space, I still don't agree with Microsoft's decision to mark the font update as critical. I always took the level of 'critical' to mean critical to the operation of the OS.

Re:Um

[jmichaelg]

Sarcasm appears to elude you.

The parent was pointing out that automatic updates, the obvious solution to having to install updates manually, open the door to installing patches the user may not want installed. It's one of those fucked if you do, fucked if you don't situations.

And all because Microsoft thought automatically downloading and executing code would be a good idea. At least Sun had the sense to make Java applets execute in a sandbox.

Re:Um

[kni52]

It was a swastika and A Star of David.

Got it, but..

[Dynamoo]

Got it, but in the meantime I switched to Mozilla Firefox and I honestly don't see any reason to go back to IE apart from a handful of aggressively IE-only sites.

Re:Got it, but..

Sadly you are Slashbotting. Three of the five sites that I visit most frequently do NOT render correctly with Firefox. Each and everytime I visit Slashdot I have to refresh to get the leftbar to stop entroaching on the main story blurbs. Everytime I visit the other sites I must change font sizes. Each site I visit looks different than it was intended to look on IE and thus I cannot read some text and some text is so large that it is uncomfortable.

We won't even get into the fact that my online banking instantaneously loads on IE yet takes several /MINUTES/ to load in Firefox.

Re:Got it, but..

[drkhwk]

We won't even get into the fact that my online banking instantaneously loads on IE yet takes several /MINUTES/ to load in Firefox.

Then you should switch banks, not browsers.

Re:Got it, but..

[Lehk228]

troll? are you using .7?

Re:Got it, but..

[Sargondai]

You mean like Windows Update?

:)

Re:Got it, but..

[jumpingfred]

You know that firefox 0.9.1 does not render /. as well as ie. Firefox which I am using often has the posts overlap the links on the left of the page.

Re:Got it, but..

[MisanthropicProgram]

No, I don't think you're a Troll. It sounds like you're using an older version of Firefox. Try getting a newer one at Firfox's site
As far as your back is concerned, they may actually be using something that does expose some sort of problem with Firefox. There may be some things to note. Like - Is it an ASP site? (It may have nothing do with it.)

Lastly, don't let some people discourage you from using Firefox with their condescending attitude. I for one like having new users join the fray :-)

Re:Got it, but..

[MisanthropicProgram]

I meant bank NOT back.
Nobody's perfect!

Re:Got it, but..

[no+reason+to+be+here]

i still have 0.8 on this machine, and it renders fine. it must be a new bug in 0.9.1.

Re:Got it, but..

[Anonym1ty]

aggressively IE-only sites

What? Like sites that do not function if they can't open a thousand windows? or can't force you to agree to download and install something without crashing the browser? (insert zillions of other annoying or dangerous exploits here)

If a site REQUIRES Internet Explorer perhaps you shouldn't go there. I mean now that the Department of Homeland Security is urging people not to use IE, Your bank better think real hard about requiring you to use it.

Re:Got it, but..

[Kanon]

It's not a new bug. It's been doing it occasionally in Mozilla for ages. As a previous poster said clicking reload generally fixes it.

Re:Got it, but..

[nick0909]

My university has a stupid portal that requires IE. I send them emails, they say this is the portal they bought and there is no money to buy another (it is CA). So, for that site I am forced to use IE or not get my homework. Sometimes you actually just have to take the chance I guess, even with the overlords saying terror will come from my (limited) IE use. KG6NMP

Re:Got it, but..

[Cecil]

It is a new bug in 0.9. I have both versions. I'm using 0.8 now. I don't know what people were babbling about 0.9 being more stable and solid, I found it to be buggy and broken.

I keep all my versions of Firewhatever around, since most of them are broken in one way or another. Although admittedly 0.8 is one of the most stable versions so far.

Re:Got it, but..

[jesser]

What are the URLs of the sites where the font sizes are different in IE and Mozilla? What is your "Text Size" setting in IE's View menu?

Re:Got it, but..

[jazzmans]

I've noticed, that if you have cookies blocked from doubleclick, the mozilla/firefox browser will sit on a web page for up to 2 minutes before loading. This is especially noticible on financial web sites, and news web sites. Doubleclick is causing this, not an error in the browser.

jaz

Re:Got it, but..

[Anonym1ty]

It's a university, isn't it? Why not ask them to have their computer students build another one?

Re:Got it, but..

[cft_128]

What? Like sites that do not function if they can't open a thousand windows? or can't force you to agree to download and install something without crashing the browser? (insert zillions of other annoying or dangerous exploits here)

If a site REQUIRES Internet Explorer perhaps you shouldn't go there. I mean now that the Department of Homeland Security is urging people not to use IE, Your bank better think real hard about requiring you to use it.

My girlfriend is a real estate agent and needs access to the local MLS web site to see info on homes for sale. That website doesn't say it requires explorer, the java applets just don't work with firefox. They come up but are not actually functional and the page layouts poorly to say the least. Not using their site is not a choice - that is THE site you need to go to if you want to be an agent and make any money.

I'm sure they should spend the money to make their software better at handling other browsers but until they do all the real estate agents in this area have no choice but to use IE.

Re:Got it, but..

[MsGeek]

As for myself, I find that Mozilla 1.6 (I know 1.7 is out, but this is doing me just fine) can go just about everywhere IE does.

The only time I use IE is to run this retarded courseware I occasionally have to use for College, or going to Windows Update to patch things. Like this damn fool 'sploit. Thank you very much, MS. Fix your fsckn OS, already, k?

Re:Got it, but..

[Anonym1ty]

The only time I use IE is to run this retarded courseware I occasionally have to use for College, or going to Windows Update to patch things. Like this damn fool 'sploit. Thank you very much, MS. Fix your fsckn OS, already, k?

Well Don't use Windows then. ---I know it's so simplistic but as for the patches, not using Windows fixes that really quick.

As for your College, last I looked you have a choice of where you go to school and truth be told, What kind of education are you getting if an institution refuses to take simple safeguards. You can change things, go to a different school, or as a real shocker, why not motivate your school to make the change. When we have the Department of Homeland Security telling us we shouldn't use IE, it should send a wake-up call to these colleges, banks and other institutions about the flaw in what they are doing

I realize you mayhave reasons for attending the school you do, and they may outweigh the dangers of using IE, but that's life. And sometimes life sucks ass

Re:Got it, but..

[Anonym1ty]

My girlfriend is a real estate agent and needs access to the local MLS web site to see info on homes for sale. That website doesn't say it requires explorer, the java applets just don't work with firefox. They come up but are not actually functional and the page layouts poorly to say the least. Not using their site is not a choice - that is THE site you need to go to if you want to be an agent and make any money.

Well I can say it again though, Stop using sites that use IE. Ho much is your income really worth? At some point (And I Agree we may not be there quite yet) The dangers of running IE may be more of a problem then the income you receive using it as a tool.

Like I said ---it may not be THAT bad now, but at the rate we are going it will be and then what?

The time to start shouting is now, not after the whole system breaks and we're all screwed - Asking for help from Microsoft has proven to not work. What happens to your income when your computer and all its records are lost, or worse stolen?

You girlfriend does have a choice, the problem now is the choices you see other than not using IE are not pallatable. IE leave the taste of shit in my mouth now, keep eating, you'll taste it too.

Re:Got it, but..

[ccady]

Instead of disallowing DoubleClick cookies, edit your hosts file to change the address for the DoubleClick sites. These are the relevant ones that I've got in my hosts file--YMMV.

127.0.0.1 doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ln.doubleclick.net

Re:Got it, but..

[transact]

Threaten their federal funding with the Dept of Homeland security recommendation. That should get them to change.

Re:Got it, but..

[ssstraub]

Good reasons.

Re:Got it, but..

[nick0909]

Up there in EN-62 that might work, but CM-99 being in litigous CA we probably couldn't build our own system, as it wouldn't pass all the privacy and other stupid regulations and certifications. Being a university doesn't mean they do things smart, it is still run by the State, which currently is being driven by the Govonator.

Someone tried to make a database as a Sr. project that needed some sort of info from the official enrolled student database, I forget exactly what but it wasn't even anything specific, just the number of students enrolled in each college or major, but they wouldn't release it because of privacy concerns. I stopped trying to figure out why they do things and just accept it as a government agency and change will take 20 years. This portal that was bought by the state for every CSU in the system (29 campuses) I have heard is the worst portal system there is on the market. But hey, we got it cheap!

Get the fix early here.

[Saeed+al-Sahaf]

The press statement says that it'll hit Windows Update later today...

O get the fix early, HERE.

Re:Get the fix early here.

[buchan232]

Its already Showing in Windows update. I just finished installing and updating a new machine half an hour ago. Then just went back to discover one more update!!!! Ever notice it takes longer to update than it does to actually install?

Re:Get the fix early here.

[supmylO]

I definitely agree with you. I switched a few weeks back and I really have no reason to go back to IE. Except for a few passwords I have stored in IE that I have no idea what they are... grrr!

Re:Get the fix early here.

[Saeed+al-Sahaf]

Actually, I'm suprised at the mod score, this one really needs to drop into the "over-used lame joke" department. But I couldn't help myself.

Re:Get the fix early here.

[nizo]

this one really needs to drop into the "over-used lame joke" department

I don't think there is such a department on Slashdot, since we still see people posting "Beowulf cluster", "In Russia", and "3. Profit!" comments all the time. Then again even I am gulity now and then so I can't really complain.

Re:Get the fix early here.

[KarmaMB84]

If it isn't installed, it isn't updated...

Re:Get the fix early here.

[Anonymous+Writer]

I really have no reason to go back to IE. Except for a few passwords I have stored in IE that I have no idea what they are

You may not know them, but apparently some Russian organised crime gangs may.

Re:Get the fix early here.

Yes.

Re:Get the fix early here.

[bryhhh]

I really have no reason to go back to IE. Except for a few passwords I have stored in IE that I have no idea what they are... grrr!

You have no excuses now.

Re:Get the fix early here.

[supmylO]

That's awesome. However, it didn't have the one password I was really interested in. I am confused.

Re:Get the fix early here.

[kubrick]

No more Glorious MEEPT! any more, though, and very little evidence of Natalie Portman naked and petrified. Even the AYBABTU jokes have mostly died down.

Just got my WindowsUpdate popup a minute ago

[ramk13]

Just got my WindowsUpdate popup a minute ago. No restart. Yay!

What's still frustrating is the amount of time between the identification of a vulnerability and the time a real patch is released. A real patch, not just some KB article telling you to edit the registry.

Re:Just got my WindowsUpdate popup a minute ago

[WoodstockJeff]

A real patch, not just some KB article telling you to edit the registry.

The really unfortunate part of all this is that you can run a configuration like I do - treat all of internet as "restricted", disallow all scripting, don't trust any downloads - and not be vulnerable to something like this. My system's configuration requires that I tag windowsupdate.microsoft.com as a "trusted" site in order to get updates!

But it means that hundreds of common websites stop working. Microsoft decided to join the control of ALL scripting under a few settings. In order to stop the execution of untrusted Active-X controls, I end up disabling the execution of Adobe Acrobat, for example. And some versions of IE don't separate Javascript from Active-X when it comes from disabling scripting.

This isn't to say I'm really happy with how Mozilla does things. I would MUCH prefer it if I had the "trusted sites" concept in Mozilla/FireFox, because I could universally disable Javascript, yet have it come back on when I visit my own servers, or those vendor sites that need it. FireFox, at least, will allow quick access to the toggle-Javascript button, but Mozilla requires far too many mouse clicks to do it.

Opera has nice, fast access to scripting controls. If it didn't have problems rendering some pages I need to visit properly, I'd use it for more than verifying our websites look right on all browsers. I generally like Opera...

Re:Just got my WindowsUpdate popup a minute ago

[dasmegabyte]

So what would you prefer? Vulnerability hits and some program in the Microsoft catacombs releases a 0 hour patch that breaks some essential part of IE?

This is a web browser used by close to 90% of internet users. You might say that the internet economy DEPENDS on IE, for better or worse. When you've got that kind of albatross hanging from the neck of a product you're purposely trying to deprecate, you had better make damned sure you properly QA the patch, which even with an army of testers could take weeks.

In the meantime, you can obviously release a quick fix, but even that needs to be QA'd to be sure people can still access their bank records, stock market info, and the government's tax payment system.

Re:Just got my WindowsUpdate popup a minute ago

[the_crowbar]

Mozilla does not have the per site Java/JavaScript controls, but Konqueror does. I don't have a Mac, but I would guess that Safari has the same controls. If you are running on Linux (or some *nix) Konqueror is an option.

Cheers,
the_crowbar

Re:Just got my WindowsUpdate popup a minute ago

[TWX]

"This is a web browser used by close to 90% of internet users. You might say that the internet economy DEPENDS on IE, for better or worse. When you've got that kind of albatross hanging from the neck of a product you're purposely trying to deprecate, you had better make damned sure you properly QA the patch, which even with an army of testers could take weeks."

I was pissed off back in 1996 or 1997 when they started bundling IE with Windows 95 OSR2, and when they made the installer use it for the default shell in Windows 98. It was a crappy browser then, and it's a crappy browser now. It installs spyware, crashes, and locks people into proprietary "features" that try to give Microsoft more sway. Microsoft as a company doesn't cater to the community, it rapes the community for its own benefit and leaves people with things broken.

Fuck 'em if their product is vulnerable and their attempt to fix it live breaks nearly everyone's browsers. Let 'em deal with what happens then.

Re:Just got my WindowsUpdate popup a minute ago

[jonadab]

> This isn't to say I'm really happy with how Mozilla does things. I would
> MUCH prefer it if I had the "trusted sites" concept in Mozilla/FireFox

It is possible to do this sort of thing with custom capability policies.
There's admittedly no UI for most of it though.

Obvious link missing

[nizo]

Fix can be downloaded here.

In Other News...

[Snagle]

The Department Of Homeland Security said it is safe to go back to using Internet Explorer as your main browser...for about 10 minutes, when the next exploit will be released.

Re:In Other News...

[chris_mahan]

I notice that MS releases a "fix" of some sort when DoHS says: use another browser.

Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?

Another question: Are there enough of those high-flying MS developers still working on the IE codebase to make the changes in a timely manner or is there an aging skeletton crew to fix the vulnerabilities, not too motivated since they were passed up for work on .NET?

I wonder.

Somebody probably lit the proverbial fire under their bums this morning.

(They know how hard it is to get people to switch browsers. It took a while (2 years) with Netscape, and NS Communicator was a POS). I guess they are at the edge of the cliff and realized there's nowhere but down.

Re:In Other News...

[WindBourne]

While you meant this to be funny, the sad thing is that Homeland went to MS and has been with it since its inception. By doing so, they proved that "Security is job 1" is not true. Now they are saying to stop using MSIE, but nothing about SQL server, IIS, Exchange, or outlook, of which the vast majority of cracks come from.

It is this very reason why I am so opposed to the patriot act. It gave to Homeland and to DOJ most of the same capabilities as NSA and CIA had together. NSA/CIA are far less political than either DOJ or Homeland.

Re:In Other News...

[argent]

If CERT was doing their job right, they would have recommended against using IE back in the mid-'90s when Microsoft first created the basic design flaw that this is just the latest instance of.

That's when I banned IE and Outlook at work. Did wonders for our security, and made me look really good when other groups and companies got hammered by Melissa and her zombie children.

Re:In Other News...

[johnnyb]

"the sad thing is that Homeland went to MS and has been with it since its inception. By doing so, they proved that "Security is job 1" is not true."

Kind of. It actually proved that it is difficult to function as a government. You see, as a government, you CANNOT just have biased opinions, even if those biases are based in experience. It has to run on fact, or at least what qualifies as fact.

The "fact" is that Windows has much better government certification than Linux. We know that government certifications mean jack squat, but a government person, even if they know that, can't really act on it for procurement purposes. There are other factors, such as price and service.

Without these controls, it is pretty easy to get some people in key positions and simply control government with a mafia outfit. These controls prevent that, but they mean that government cannot make use of the best asset when making decisions - people.

Now, I do think that Microsoft should have been phased out when declared a monopoly maintained by illegal tactics. But other than that, government does not have good decision-making capability, because it has no competition.

Which is why conservatives want limitted government.

Re:In Other News...

[CheechBG]

what are you using for corporate mail, Lotus? I hav had nothing but frustrations with Domino/Lotus Notes.

Not to say it's not woking out for you, just venting pent-up frustrations ;)

Re:In Other News...

[Anonymous+Writer]

Actually, CERT gave the announcement on June 10. What you have noticed is that Slashdot has decided to post a story about the announcement on the same day the patch is made available.

<conspiracy> What you should be wondering is if this has anything to do with the fact that Slashdot receives revenue from Microsoft advertising. </conspiracy>

Re:In Other News...

[argent]

Our mail server runs Postfix for SMTP transport, WU-IMAPD for client access, and most of our users are using Mozilla or Thunderbird as mail readers. We have an Apache webserver and run the other junk Microsoft seems to think belong in a mail program on there.

It's being officially borged into Bloatus Goats. There is much reluctance to let go.

Re:In Other News...

[nion]

Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?

How about we take this a step further and have the DoHS recommend switching to another OS? That might get some of the fairly grievious bugs fixed tout de suite. ;)

Re:In Other News...

[Vancorps]

In other words you weren't using Outlook as Outlook nor Exchange as Exchange. You were using a simple mail client and mail server.

This seems to be something a lot of people forget. The fact that I can check my voicemail from Outlook, the fact that my boss can schedule a meeting and if I'm not at my desk; I will be paged to inform me the meeting will begin in 15 minutes.

The problem isn't Outlook or Exchange, its being lazy in your initial configuration of both. Guess what, by default Outlook 2003 doesn't even load embedded images in an email. It provides a link so the user knows where to go if they need to see the image. You've been able to configure Outlook to do this since 1997.

Attack IE all you like, I've disabled access to IE on most machines here in my network and installed Firefox 0.9.1

Tis nice not having to deal with all the spyware. The only problem is that there are occasions that I need ActiveX which is why IE isn't universally disabled here.

Re:In Other News...

[argent]

I wasn't using Exchange at all.

Of course I was using a simple client and mail server. I'm doing mail. I'm not trying to cram the whole world wide web into email, I'm using a mail program for mail and other programs for other purposes.

OK, then... first:

I understand why Microsoft and Lotus crammed the whole world wide web into a mail program... when they started they didn't have the web, they didn't even have TCP, the only networking protocol they could depend on was email. The same is true of Groupwise.

HOWever, it's not the only way to do things, it's not the only way to divide up these responsibilities, and it's not... in my opinion of course... the best way.

Second:

The Microsoft HTML control is inherently insecure. It is not in principle possible to fix it, because the basic design is wrong. It uses a single set bindings for all applications, so that rather than having IE or Outlook call up "Word Viewer" and Windows Explorer call up "Word" (for one example), you have to let the same application serve for both trusted and untrusted environments.

This is why I banned all programs that used this control, back around '95 or '96... almost a decade ago. NOT because I wanted to bash Outlook, but because Outlook was using an inherently dangerous component.

Third:

Being lazy in the initial configuration? I'm sorry, that shoudln't be a problem. It shouldn't be a problem both because we ALL suffer if ANYONE is "lazy", and it shouldn't be a problem because the application should not even implement a mechanism whereby an untrusted document can do dangerous things. Not "it should be off" or even "it should be off by default", it simply should not be there. You shouldn't be able to turn on "let an external webserver run local code outside a sandbox".

And so, finally:

No application that uses the Microsoft HTML cntrol can be trusted. It is inherently too difficult to find and block all possible holes in its "default open" configuration for it to be worth the risk, even if some users find it more convenient.

You choose to accept that risk, that's your responsibility. I don't, and I don't think anyone should without some business-critical reason. You disagree, that's fine, but don't imply that I'm lazy because I don't consider the use of an inherently dangerous tool an acceptable risk.

Re:In Other News...

[Vancorps]

You call Outlook a mail application, it is not. It has features for mail but first and foremost it is a collaborative tool.

You are right, if you are not using any of the collaborative features then you should indeed ban Outlook because it is a bloated mail client. If you actually use all its features then the bloat is actually pretty minimal considering the functionality.

Second, outright banning html content is being lazy. It's like closing port 80 because you don't want exposure. If it is a required service then you take the time to secure it rather than just banning it. Fortunately for you your situation doesn't not require those services and so you are using due diligence as providing unnecessary services is well, unnecessary.

Server side virus scanning evaluates all incoming email so this malicious code being run from an untrusted source is quite irrelevent, the code never makes it to the client whether they use Outlook or not. Of course, all email is deemed trusted because the code was evaluated and determined to not be either malicious or against company policy. I can control what types of attachments they are allow to open, or even if they can open any. I can do this for individual or groups of users.

We are obviously in very different computing evironments that's for sure. Of course, there is a simple solution for all the html crap that goes on. Make the mail server, whatever it is, convert everything to plaintext. Its easy in Exchange, its relatively easy in Sendmail and Postfix, you can even do it with smaller apps like iMail or Merak.

Re:In Other News...

[pyrrhonist]

Of course, there is a simple solution for all the html crap that goes on. Make the mail server, whatever it is, convert everything to plaintext.

Outright banning html content is being lazy. It's like closing port 80 because you don't want exposure. If it is a required service then you take the time to secure it rather than just banning it.

I'm not sure where I got the above advice from, but it seemed appropriate.

Re:In Other News...

[argent]

Where did I say I banned HTML content?

Let's check... no... go back and read what I wrote again. I didn't ban HTML content. I banned the Microsoft HTML control. There are plenty of other HTML rendering engines that don't have the inherent flaws of the Microsoft HTML control, and by using them instead you get security without giving up the convenience of rich text email.

As for virus scanning... that's a slipshod approach to virus protection. It won't protect you from new viruses. It won't protect you (as the developers of Half life found) from directed viruses. It won't protect you from malicious software that the vendors of the A/V software don't consider viruses, like adware and spyware.

Your approach is Microsoft's approach, then. Trust everything that hasn't explicitly been found to contain dangerous content. That's the approach that Microsoft has been using for a decade, and that's the approach that has been failing for a decade. For my part, I've been using the opposite approach: don't trust anything that hasn't been determined to be safe, and that approach has been successful over the same time period.

Finally, "convert everything to plaintext"? Why? if you use the right tools, HTML isn't dangerous. And if you use the wrong tools, plaintext can be a killer.

Twenty five years ago, people were hiding "terminal hacks" in plaintext files and messages that did things like reprogramming the terminal's function keys to run commands as the local user... but only if people used the fancy HP terminals with the programmable function keys.

I used the adm3a "dumb terminal" instead.

This is an old old problem, it's not something that's just been discovered this year, this decade, this millennium. It's one that had a clear solution back in 1979... do you think it'll take Microsoft *another* 25 years to catch up, or do they have too much ego tied up in their ill-advised browser integration to *ever* abandon it?

Re:In Other News...

[smash]

He didn't say he was banning html.

He was banning any program that uses the microsoft html engine.

There's a difference.

smash.

Re:In Other News...

[Vancorps]

Heuristic scanning can do a lot more than you give credit it for. The virus does not have to be known in order for a system to be protected. Also, proper permissions will prevent most viruses from performing most any functions. Obviously the system is not impervious to attack. You seem to discount the fact that in many situations it is logistically impossible to whitelist everything that users will need access to. Start with a base policy, enforce it at the server level to prevent the more stupid mistakes, the rest can be handled through minimal training of users.

Second, spyware and adware more often than not occur in the web browser. I already acknowledge IE is broken but it is the extended functions which cause the security problems. ActiveX, javascript and vb script controls and the likes are where the problems lay.

I tend to think that you need some html rendering engine built into the GUI, but you can completely disable IE, delete the shdoc.dll along with iexplore.exe and Windows will quite happily continue its existence in a less feature rich environment. You won't be able to thumbnail or create filmstrips on the fly but it will work.

I could definitely be wrong but it sounds like you are in a much smaller computing environment. When you start dealing with thousands of clients or more you have to start making policy because it is an administrative nightmare to create whitelists, Policy is key.

Re:In Other News...

[Vancorps]

Perhaps you misunderstood or chose to ignore the entire point of the post. The simple solution is inherently the lazy one because you are breaking functionality to achieve security.

Re:In Other News...

[argent]

You seem to discount the fact that in many situations it is logistically impossible to whitelist everything that users will need access to.

I'm sorry, where did I mention 'whitelisting'? You keep jumping to conclusions based on your installation, and I'm trying to explain that there's other ways to achieve the same goals without using Microsoft's "jam everything into one tool" model.

For example, you shouldn't need to whitelist, blacklist, or filter to keep malware in foreign documents from auto-executing: the tools (browsers, mail readers, etcetera) shouldn't include a mechanism that allows it to happen. Executable content should be distributed through a separate channel that's not accessible to the outside.

Yes, we run antivirus software, but it's a second layer of defense... if it needs to deal with malware to keep the malware from executing then there's already a problem. The software shouldn't be designed such that anything can be launched over any channel accessible to untrusted sources without the user explicitly requesting "download this file and save it" and "open and run this saved file".

proper permissions will prevent most viruses from performing most any functions

If you tighten the permissions to the point where the user is running in 'kiosk' mode with no local file access at all, a virus can still propogate and damage your network... if there is a mechanism in the tool that lets it run.

spyware and adware more often than not occur in the web browser

The Microsoft HTML control *is* a web browser. Any application that uses it *is* a web browser.

I tend to think that you need some html rendering engine built into the GUI

That's the second time you've said something that implies you think I'm talking about HTML as being the problem, so for the second time I'll say "the problem is not the HTML rendering, it's the binding of HTML rendering, file access, network access, and so on into a single component that uses a single list of bindings for all applications".

The HTML control should not contain a mechanism to resolve URLs. It should not contain a mechanism to execute content outside a sandbox. No application should use the same list of bindings for protocols or file types on both internal and external content.

Apple breaks the third rule in Webkit/Webcore, and it's been exploited, once. Microsoft breaks all three rules in in the HTML control, and it's a veritable Typhoid Mary. BOTH companies need a good hard clout with the clue-bat.

Policy is key

Policy is *a* key. Selecting the right tools is *another* key. Defense in depth is a *third* key.

Tools built around the MS HTML control share a common design flaw. This flaw means that Microsoft is always going to be in a position where they're responding to threats after people have been hit. It's like an immune system that waits until symptoms show up before reacting, when it's too late and the damage (Melissa, Code Red, Blaster, ... whatever's next) has already spread too far to be contained. The immune system doesn't work that way, it simply doesn't accept anything that's "not self". It's not perfect, but it's orders of magnitude more effective than the alternative.

Re:In Other News...

[pyrrhonist]

Perhaps you misunderstood or chose to ignore the entire point of the post.

It was a joke, so the latter one is probably correct.

The simple solution is inherently the lazy one because you are breaking functionality to achieve security.

Like converting HTML to plain text? :)

Re:In Other News...

[johnnyb]

Conservatives rigging elections?

I don't know about other places, but here in Oklahoma the Democratic party is fighting like mad to keep people from having to produce ID in order to vote.

The Vulnerability

[lousyd]

the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

So, the vulnerability will hit Windows Update later today? How do they know? (Other than the fact that Microsoft is running security at the Windows Update site, of course.)

Re:The Vulnerability

[stienman]

How do they know?

Such problems are always timed to coincide with 3 day weekends.

Always.

-Adam

Re:The Vulnerability

[wyluli]

Windows Update cant get Download.Ject, its running on Windows Server 2003 with IIS6. Only vulnerable servers are IIS5 and below.

All right!!!

[k4_pacific]

That means all the sys-admins will have to work late on a Friday night making sure its installed.

Excellent timing.

Re:All right!!!

[colonslashslash]

Yes. Those poor MCSE's.

/me sheds a tear

Re:All right!!!

[thedillybar]

>That means all the sys-admins will have to work late on a Friday night making sure its installed.

The update is already available and I've already pushed it out to all of my machines without issue.

Re:All right!!!

[Deathlizard]

Not me.

After Blaster I said Screw that and built an Software Update Server on our network here. All I had to do was forcibly sync it, approve the update and away it goes.

All I have to do is wait, and check the logs (using suslogvewer) on monday to make sure that they updated.

Re:All right!!!

[sevensharpnine]

Nope--I can't update machines until I know a patch is out. This sys-admin is covering his ears and humming showtunes until 4 p.m. Lalalalaaala...

Re:All right!!!

[ch-chuck]

built an Software Update Server

Leave it to Msft to sell yet another server license just to patch bugs. I seriously admire their ability to consistently turn defects into revenue streams.

suggested moderation: -1 troll

Re:All right!!!

[LoadWB]

::nods in agreement with you and thedillybar::

All of my client sites running 2000 or better have SUS running, along with a script which auto-approves updates. I've never had a problem.

Even though the update is due to push out tonight, I pushed the registry changes out today with group policies. On systems (still, though I'm pushing them to update) running NT Server, a login script and a .reg file does the trick quit nicely.

In the end, it takes much less time to roll-back a bad patch than it does to clean a system or entire network raped, ravaged, and left for dead by a virus or worm. Both of which are, unfortunately, part of the game we play and, fortunately, what we get paid to do -- REGARDLESS of your operating system.

Re:All right!!!

[demaria]

Software Update Server is free. As in, doesn't cost any money.

Re:All right!!!

[Zigg]

Unless you have to build another machine to run it.

Re:All right!!!

[DA-MAN]

All of my client sites running 2000 or better have SUS running, along with a script which auto-approves updates. I've never had a problem.

I'm not sure I understood this. Am I to take it that you install IIS/SUS on each client (2000 or better) or that you point all your (2000 or better) to an SUS Server?

Even though the update is due to push out tonight, I pushed the registry changes out today with group policies. On systems (still, though I'm pushing them to update) running NT Server, a login script and a .reg file does the trick quit nicely.

Do you have your regular users running as Administrator? If not, how do you get your "regular user" accounts to modify HKLM?

In the end, it takes much less time to roll-back a bad patch than it does to clean a system or entire network raped, ravaged, and left for dead by a virus or worm. Both of which are, unfortunately, part of the game we play and, fortunately, what we get paid to do -- REGARDLESS of your operating system.

I agree with that policy for client machines, but on servers I'd never do that.

I'm Not A Religious Person But...

I'd recommend a little prayer before every time you click on a link in Internet Explorer.

Loaded terminology...

"Late last month"

vs.

"A week or so ago"

I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

Re:Loaded terminology...

[brilinux]

"Late last month"

vs.

"A week or so ago"

May I remind you that this is July 2, making "late last month" "three days ago". While in the computer world that may be a long time, in real life, that is less than a week. Of course, if I used Windows regularly, I would want those fixes as soon as possible anyway.

Re:Loaded terminology...

[pipingguy]

I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

To steal an oft-used cliche of the "Linux fanboys":

You must be new here.

Oh, and I figgered I'd not be a looser and mispell something just two make it offishul:Nataly Portman.

Re:Loaded terminology...

[RAMMS+EIN]

Wasn't the vulnerability something like 10 months old? Or is that another one? If it's another one, does that mean the 10 month old one still goes unpatched?

I don't know the answers myself, because I have given up caring about MSIE security holes. The thing _is_ a security hole.

Re:Loaded terminology...

[arcade]

Well, it was published on bugtraq 'late last month'.

Re:Loaded terminology...

[linuxelf]

Yeah, I totally agree. I read that and thought "But, wasn't two days ago late last month?" Maybe they are taking notes from Fox News or Michael Moore.

I have a feeling

[Punboy]

that MS doesnt care about security, only publicity. They don't care until it affects their marketshare, THEN they fix it.

Everyone switch to Linux! Then MS will fix Windows!

Re:I have a feeling

[Mishkin]

Well take a look here and see the blog of a windows developer. He really does get upset when people say that MS doesn't care about security.
I am sure you are all aware that windows is a fairly large OS that is designed to be easy to use for novices but allow Power Users to do their thing as well. I think it accomplishes that fairly well. They provide automatic updates to every computer now (if you are not too lazy to turn it on). I realize that this option is turned off by default but this is more because of the people (*cough* slashdotters *cough*) that say that MS will somehow steal all their secrets if you let them install updates automatically. I think MS does a good job updating system.


Also, if I see one more reply to an IE article with the line "Download the patch here" rated as "Funny", I will kill myself.

Re:I have a feeling

[Gabrill]

Download your personalized patch here.

Re:I have a feeling

[imroy]

It's worse than that. MS only appears to care about big customers, typically large corporations, institutes, and government departments. i.e places that are behind a firewall and have (nominally) competent IT staff to keep the network running smoothly. Just look at the number of TCP/UDP ports they keep open. That sort of behaviour is ok on a safe intranet, but it's sheer negligence for home users connected directly to the internet. I'm constantly seeing incoming requests to the "windows networking" ports (137, 135, 445) on my ADSL connection. Those ports just should not be open to the wider internet. And lastly, witness the number of error dialog boxes in windows that simply advise the user to seek help from "the network administrator".

It's the big customers that MS cares about, not the home users. And we're all worse off when the latest round of worms clog up the internet.

Yup...I got it...

[JarrodMJ]

and sync'd my SUS server for the LAN here...no problems so far.....

What about ActiveX?

[jZnat]

They might've found one way to prevent the auto-download, but there are still plenty of ways to force a download using ActiveX. Even with that, there are still a few ways to run them too; methods that are still unknown to most assholes trying to get you to buy their pills that give you bigger penis-breasts-ego-wallet-spyware-car-wife-mom-WMDs .

late last month means

[Zed2K]

Late last month actually means June 25th. Which by my count was only 1 week ago. But it wouldn't be a bash microsoft topic without a little twisting and manipulation.

Re:late last month means

[LtSmith]

IMO - 'late last month' references a time between the middle and end of the previous month, with emphasis on the last week of the month.

Re:late last month means

[WoodstockJeff]

Unfortunately, that "one week ago" was the second story announcing the problem, and it was heralded as "redundant" for being a week old at the time...

Why Ject?

Why is it called Ject? Is the virus writer or the AV firm some kind of closet Final Fantasy X fan? Seriously? Why Ject?

Re:Why Ject?

[stienman]

" Why is it called Ject?" he interjected
"Is the virus writer," he conjectured," or the AV firm some kind of closet Final Fantasy X fan?"
"Seriously?" he objected
"Why Ject?" he said dejectedly.

Probably because you weren't projecting your rejection at the time. But more likely due to the fact that it feels uncommon in the English language, but practically falls off the tongue and so is easy to remember. (sorry, I couldn't easily inject abject)

-Adam

I think my brain just exploded.

[Ira+Sponsible]

This is completely incomprehensible. I'm using Mozilla Dangerphoenix, and ms let me get the download with no hassles at all. Of course it's not one of their usual updates, but I still find it hard to believe that they haven't broken the link for non-IE browsers like they do for the rest of their site. Unless the "Configuration Change" is really just an extension to "fix" my Mozilla Pornopony to behave just like IE. DAMN YOU MICROSOFT, WHEN CAN I TRUST YOU!!!

Coming soon...

[sleighb0y]

Download.Ject.A
Download.Ject.B
Download.Ject.C
Download.Ject.D..............

Re:Coming soon...

[DarkMantle]

Should've been moded insightful... we all know it's true

I Suspected As Much

[ackthpt]

E Download.Ject Exploit Fixed

After years of seeing the tricksy titles of spam for installing worms, I've skeptical enough of anything which claims to be a fix, even when it really comes from the product company. This is the 'Executive Band-Aid', meant to trick decision makers into a false sense of security.

"There, see? They've fixed it already. Nothing to worry about."

Where is the notice?

[Danathar]

Can somebody point me to where the ACTUAL official notice from US-CERT is that recommends NOT using IE? I would love to forward it to the head of my agency, but forwarding a link to slashdot is not going to hack it.

I looked on the US-CERT website but could not find it.

thanks

Re:Where is the notice?

[beezly]

There's a copy at http://www.kb.cert.org/vuls/id/323070. Right down at the bottom under "Use a different web browser".

Re:Where is the notice?

[jufineath]

http://www.kb.cert.org/vuls/id/323070

the very last suggested solution states:

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser.

i'm no web journalist, but i'd hardly call that a recommendation or urging to use a browser other than ie.

Re:Where is the notice?

[Anonymous+Writer]

Perhaps you missed the title of that paragraph that reads "Use a different web browser".

Re:Where is the notice?

[jufineath]

Perhaps you missed the title of that paragraph that reads "Use a different web browser".

certainly not. however, the title is just that, a title. the first title is 'install a patch'; the point being you have to read the paragraph to get the actual information. 'install a patch' is meaningless unless you read the paragraph. 'use a different web browser' is meaningless unless you read the paragraph.

if you read the paragraph, and take it in context (noting it is the sixth and final suggested solution) you will see that they are wording it very cautiously.

'It is possible to reduce exposure to these vulnerabilities by using a different web browser... Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE...'

it's one of several mitigation suggestions mentioned, it's the last one mentioned, and it's hardly proposed as a general best practice, as the original poster seems to have been misled by the slashdot posting to believe.

IE Features

[johnhennessy]

What use are IEs extra features if they have to be turned off by default.

ActiveX should never have been embedded into a browser in the way it has been. Yet most of the sites that I have to use IE for is because of ActiveX controls.

Microsoft tricked a lot of the world into using ActiveX and now they're paying the price.

I can hear the support conversations already -
"Yes, if your security zone is set to high your computer won't be vulnerable. But if you want to view anything with ActiveX (read: multimedia) you'll have to turn these vulnerabilities back on."

Does anyone else find this mildly insane ?

Re:IE Features

[simetra]

...and now they're paying the price.

Actually, WE'RE paying the price.

Re:IE Features

[KarmaMB84]

If a website requires ActiveX, you can add it to the trusted sites zone. You should probably move that slider up to medium if you have a lot of sites in there though. The internet zone can probably do with most of the dangerous stuff turned off using the customize button rather than going all the way to high.

Re:IE Features

[BinaryOpty]

That's exactly what today's Windows Update did was force that regedit onto everyone. I never did that regedit before and I just checked and it was already done, so Microsoft had to have done it for me.

Microsoft released a fix a long time ago

[Sheepdot]

Ever wondered how IE exploits get a whole executable to your computer?

Wonder no more. 11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change. The problem that MS has isn't that they are incompetent, it's that they insist on leaving default features that are used by 1% of administrators like myself.

98% of spyware released since January 2004 can be avoided with the above registry fix. If you think that statistic is outrageous, I challenge you to find one piece of malware installed without using ADODB.Stream in one way, shape, or form. Be forewarned, I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

Re:Microsoft released a fix a long time ago

[retro128]

I believe Spyware Blaster is a program that adds this key, as well as several others that will protect your system.

The bonus about this program is that it doesn't run resident in memory. It just changes some regkeys and the hosts file to confuse/prevent spyware from running. Installing/uninstalling changes are just a click away, too.

Re:Microsoft released a fix a long time ago

[egarland]

Isn't this exactly what he current fix is doing? I checked my registry after applying the fix and that key listed on that page seems to have been added.

Re:Microsoft released a fix a long time ago

[jesser]

11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change.

The registry change you point to only affects the ADODB.Stream object. While holes involving ADODB.Stream may have made up a large porportion of successful exploits by spyware (as you claim), there have been other arbitrary-code-execution vulnerabilities in Internet Explorer during the time period you mention.

I'm guessing that there have been several zone-jumping holes, and ADODB.Stream makes all zone-jumping holes into arbitrary-code-execution holes. Is that what you mean by "using ADODB.Stream in one way, shape, or form"?

I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

I find and fix Mozilla security holes as a hobby and I think you're making stuff up.

Re:Microsoft released a fix a long time ago

[archen]

one simple registry change

you know, that's what I like about Microsoft; everything is so easy. I mean stoping sites from accessing my hard drive by entering
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA 4}
is totally intuitive. Hell I'm surprized at some point I didn't open regedit and enter all that by accident =P

Re:Microsoft released a fix a long time ago

[aardwolf204]

Can I get a second opinion on this. I've been really weary on installing anti-spyware. The only 2 programs I trust are Ad-aware and Spybot Search & Destroy (And half the time the users I point to it find something posing at it that actually contains more spyware). Anyone else use this program, I'm looking to build up my toolkit (read thumb drive inoculizer ;)

Anyway, looks like its going to be another fun weekend for us sysadmins

Re:Microsoft released a fix a long time ago

[twigusa]

Hmm, I've just installed the update and that key is now present in my registry. Just checked on another machine (without the update) and it's not there. Is the windows update simply this registry entry?

Re:Microsoft released a fix a long time ago

[Flower]

Well seeing that people have confirmed that the fix you link to is implemented by the current patch I went to the Internet Storm Center and read the handler diary. Some site has exploit code which will work even after the patch is applied. Now just have to figure out what's being exploited now. And once again, I must break out into song...

"There's a hole in the browser. Dear Liza, dear Liza. There's a hole in the browser. Dear Liza, a hole!"

Re:Microsoft released a fix a long time ago

[Sheepdot]

there have been other arbitrary-code-execution vulnerabilities in Internet Explorer during the time period you mention.

Fair enough. Now name one that doesn't use ADODB.Stream to get its payload to the client. There are two that I know of, but I'm sure you don't, so I'll let you go Google for a while. The reason they aren't that huge of a deal is because they aren't nearly as dynamic and flexible and still have the problem of the compromised machine not having the payload. (unless the payload is an executable under 2k)

I find and fix Mozilla security holes as a hobby and I think you're making stuff up.

I'm glad you were wholly unable to find one example, cause it makes your assumption of BS pointless. The onace is still on you to prove me wrong.

Re:Microsoft released a fix a long time ago

[jesser]

ADODB.Stream only works in combination with a site incorrectly (or through social engineering) being treated as a "trusted site". Here are two other ways a "trusted site" can own you:

* Shell.Application
* Signed ActiveX (doesn't even prompt for "trusted sites")

As long as those exist, the patch that turns off ADODB.Stream is pointless.

I don't understand what you mean be "aren't nearly as dynamic and flexible". Do you mean it takes a few more minutes to code a worm that uses them instead of ADODB.Stream? That a worm using them would necessarily be much larger and/or propogate more slowly? Or do you mean that they're actually harder to exploit programatically?

Re:Microsoft released a fix a long time ago

[jesser]

Here's another arbitrary code execution hole in IE. This one doesn't involve "zones" at all. And it hasn't been fixed yet.

Re:Microsoft released a fix a long time ago

[Sheepdot]

Yes. I am stating exactly that. Well, with the exception of Shell.Application, which wasn't even an option until Jelmer introduced it a few months back. Arguably, it is still not feasible to do. The "feasible" way to abuse Shell.Application is to use mshta.exe to call an ADODB.Stream capable file.

Basically, if you want to arbitrarily call any .exe, the ideal method for the last 11 months has been to abuse the ADODB.Stream object. Spyware will adapt now, but it will adapt by using Shell.Application to either try to load a file via tftp, ftp, or just hack the registry to revert the kill bit on ADODB.Stream (which is how it is inevitably going to happen).

I don't think the patch that turns off ADODB.Stream is pointless, because it kills 98% of Spyware deployment as we now see it. IMHO, that's a good thing, even if it is relatively short lived.

It's too bad MS made it a public thing though, several security "professionals" have been making money off of scripts that do this one registry hack.

Re:Microsoft released a fix a long time ago

[Sheepdot]

While an avid browser will most likely notice the dialog box and do a spyware check, what you are proposing is actually a really interesting way of duping the user. I would highly suggest you pose these issues to Full-Disclosure mailing list. They will accept any email submission, even if it involves some GUI trickery to exploit.

I don't know of any spyware that currently uses this method to install, but I have seen plenty that continually load after you've clicked no and say "YOU MUST CLICK *YES* IN ORDER TO DOWNLOAD THE PR0N!".

Yippee!

[callipygian-showsyst]

Despite all our whining and moaning, (and the fact that this bug was the straw that broke the Camel's Back and I switched to mozilla and thunderbird) Microsoft did act pretty fast here. It was less than a week, wasn't it?

And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!

Re:Yippee!

[nyekulturniy]

But I did switch to Mozilla and as soon as I can ditch IE 6 from my XP box (burned in) I'm never going back to MS.

Re:Yippee!

[Anonymous+Writer]

It was less than a week, wasn't it?

Nope

Re:Yippee!

[eples]

This wasn't off-topic.

It can be.

[Benanov]

You may have to put multiple sites into the trusted sites. Add: http://v4.windowsupdate.microsoft.com Add: http://windowsupdate.microsoft.com WU works fine for me.

Re:MOD PARENT UP.

The first poster made it seem like it will only protect against threats that MSFT knows about. This patch seems to prevent IE from writing/read to/from the disk via scripts.

Heap Big Clue: Bug Fix.

[Tackhead]

> Heap Big Clue: I.E. MADE OF CODE. I.E. CODE RUN ON LOCAL MACHINE. THEREFORE ALL ZONE ARE LOCAL.

My bad. Forgot to monosyllablize the heap big clue; there's no one-syllable word for "local internet zone", so...

"I.E. made of code. I.E. code run on your box. Since I.E. code run on your box, all zone known to I.E. are "SELF"!"

Obligatory Monty Python quote

[harley_frog]

I think this quote best reflect the state of denial that Microsoft is currently in:

Black Knight: Have at you.
King Arthur: You are indeed brave, sir knight, but the fight is mine.
Black Knight: Oh, had enough eh?
King Arthur: Look, you stupid bastard. You've got no arms left.
Black Knight: Yes I have.
King Arthur: Look.
Black Knight: Just a flesh wound.

I'm already patched!

[SnarfQuest]

Microsoft e-mailed me the patch some time ago, like they do with all their other security updates. I install them all as they come in, and keep my system virus free!

Is this just coincidence?

[Anonymous+Writer]

It was only mentioned two posts before this that CERT advised people to stay away from IE, even though CERT released that advisory on June 10, and it was even reported on BBC on June 14. Now this story comes along mentioning the patch will be available later today? The CERT advisory could have been published on Slashdot nearly a month ago, but conveniently is published on the same day as the fix is released. Was it intentional to keep information about the CERT announcement off of Slashdot until the fix was released?

Re:Is this just coincidence?

[fscmj]

It was reported on Slashdot the day after it appeared in this June 26 edition of the Washington Post

Re:Is this just coincidence?

[Anonymous+Writer]

Oh. I forgot that Slashdot repeats stories. My mistake.

If parent is true, please mod up!

[gphinch]

Can I get confirmation from a second source before I go modifying my registry? It sounds nice, but I don't know what exactly is going on when I fuck with the registry and I just want to make sure this isn't some prankster. No offense intended to the author, but not everyone here has honorable intentions.
g

Re:If parent is true, please mod up!

[Sheepdot]

No offense taken.

I'm not exactly the most trustworthy person anyway, I've been compromising computers for the last 5 years.

Re:If parent is true, please mod up!

[Hobophile]

For those of us faced with the prospect of a mass corporate rollout at short notice, do you have any thoughts on the impact of this registry change on non-spyware apps?

In other words, is the ADODB.Stream functionality in widespread use, such that it will break many ActiveX applications, or is it mainly abused by malware and IE exploits?

Re:If parent is true, please mod up!

[Sheepdot]

It is used by IE exploits and, to a lesser extent, some ActiveX applications. It is also used by Admins. But the ActiveX use has never been very straightforward. It's been abused from day one by malware authors.

I Demand the Editors Change the Title...

[maggeth]

"Fixed" is a strong word, I suggest an alternate title for this article:

"Microsoft Kind of Does Something Vaguely Related to Download.Ject Exploit"

Help if I give the right URL

[Skiron]

http://secunia.com/multiple_browsers_frame_injecti on_vulnerability_test/

not a troll

[tjw]

troll? are you using .7?

Actually, I've seen this too (screenshot). It just started noticing it when I started using 0.9. That's also the same time I started using AdBlock too, so I suspect AdBlock may be to blame.

Hitting reload a couple times fixes it.

Re:not a troll

[jesser]

The slashdot rendering bug (bug 217527) can happen even without AdBlock. It's fixed on the trunk, so if you switch from 0.9 or 0.9.1 to a trunk nightly, you won't see the problem any more.

Re:not a troll

[garcia]

Oh and this is an acceptable fix to a serious bug? Upgrade to an unstable version? Why not have it immediately merged into the stable tree and release 0.9.2 and have one less site that renders like shit?

Re:not a troll

[bheerssen]

Look, Firefox IS NOT READY for prime time. That's why it has a sub 1.0 version number, and why it is considered a 'technology preview'. In this context, some serious bugs are to be expected. Have some patience. The bug has been fixed in develepment and will make it into the normal builds in due time.

If you want to complain, complain about Seamonkey. It suffers from the same bug, yet is at version 1.7.

Oh, and btw, [Ctrl +] (optionally, followed quickly by [Ctrl -]) will cause the page to re-render and display correctly. It's an easy work around until the fix makes it into the official builds.

Re:not a troll

[jesser]

Oh and this is an acceptable fix to a serious bug? Upgrade to an unstable version?

Would you have been happier if I had just said "It will be fixed in 1.0"? With Mozilla, you can use nightlies, but you don't have to.

Why not have it immediately merged into the stable tree and release 0.9.2 and have one less site that renders like shit?

Two reasons:

* This bug isn't serious enough to be a reason for a subminor release. It may annoy you a lot because you read Slashdot, but most users don't see it at all and there is a workaround.

* The fix for this bug is risky. It's generally good to avoid putting risky fixes on stable branches.

Re:not a troll

[callipygian-showsyst]

I've seen it too. With .9. On Windows. And I don't have "Ad Block.

I put a screenshot of it here

It's funny, because /. is the only site I've seen so far that has any sort of a problem with Mozilla! You'd think that /. would look best with it.

As an aside, Thunderbird is *MUCH* better than Outlook for POP email. I'm sorry it took so long for me to switch.

Re:not a troll

[ssstraub]

Except IE isn't ready for prime time either, and it's at 6.0.

M.S. claims exploits happen AFTER patch is issued

[sybarite]

I work for a consulting company that is a Microsoft Parter. Recently we had a Microsoft sponsored security seminar where the MS guy said that most exploits occur when hackers reverse engineer Microsoft security patches. This is what he defined as a "0-day exploit". I was pretty disgusted by this twisted propaganda. Any regular subscriber to BugTraq is aware of many vulnerabilities in fully patched Microsoft systems that are not corrected for months.

Re:48 Hours

[savagedome]

Stupid Mods. If you don't know what the poster is talking about, don't mod it. Just leave it and go to the next post.

He is referring to this Security Focus article

From the article,
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

I already posted link to this article here

What about the *keylogger* though?

[_14k4]

I keep hearing there is a keylogger embedded within this. What about that? This *patch* fixes the hole, but does it remove the crap already on machines? Is the keylogger still running, sending God-knows-what to God-knows-who.ru?

Can anybody post a link to somewhere telling me how to make *sure* everything is removed? The symantec site still says this is hardly found in the wild...

Dear Microsoft,

[stienman]

Dear Microsoft,
I am writing concerning downloading the most recent Windows Updates. I am unable to obtain them as your site requires IE, and the government recently suggested that users cease use of IE.

Please help!

-Adam

Re:Dear Microsoft,

[liquidsin]

Dear Microsoft,

I tried to download the latest security patches from windowsupdate.com but when I got there it said to click the link to see what needed to be installed and you just finished warning me not to click links.

Please help!

Fix not available yet

[mabu]

Talk about damage control... they don't have the fix on their site at the time of this writing... so it's vaporware for now.

I know of at least two very large companies who have moved to Firefox in the wake of this latest episode. I suspect many people are finally fed up, which has prompted MS to announce patches before they're even available.

Considering a recent patch to fix a vulnerability broke the complaince of IE as it relates to embedded uids/pws in URLs, I wouldn't be surprised if this "fix" ends up crippling something else.

We should start collecting wagers on what new problems this upcoming "fix" introduces. Otherwise it would probably be online by now.

Re:Fix not available yet

[AgntOrnge]

I just got it from Windows Update. Maybe they don't have a package ready for you to work with but it is available.

HERE Re:Where is the notice?

[holy_smoke]

http://www.kb.cert.org/vuls/id/713878

"Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML)."

Re:it's as simple as this ...

[ColdCoffee]

Geeze...Where are mod points when I need them!?!

Attack and solution known since Aug. 2003

[weld]

See Full Disclosure list for an attack that used same technique back in Aug. 2003:

FullDisclosure: ADODB.Stream object

Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.

-weld

It took MS 23 days to provide some relief for this

[mangancha]

According to the US-CERT announcement (Vulnerability note VU#713878), this problem was first published on july the 9th.... so it took MS 23 days to provide some "configuration changes" for a serious and critical problem.

So where is that Forrester report on how fast are linux distros to provide fixes to know problems vs MS. On average it seemed that MS is faster...

That report, like other "Windows vs linux" reports, has some methodological issues. There is a joint response from the distros... that in brief states that "Not all vulnerabilities have an equal impact on all users.", and that "For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience."

It seems to me that a security flaw that let people install key loggers in your machine, without you doing anything, and then sends tha info they harvest to some server in russia is a pretty BAD AND SERIOUS flaw!.

IE Patches no worse than viruses?

[MooseByte]

"Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would."

Hmmm. Well THERE's a ringing endorsement....

IE Download.Ject Exploit *not* fixed

[yeremein]

... this update is actually just a configuration change that disables the ADODB.Stream object from within Internet Explorer.

The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone.

No security vulnerabilities have actually been fixed here; all that's happened is that some functionality (which exacerbated existing security holes and was probably a bad idea to begin with) has been disabled.

Re:IE Download.Ject Exploit *not* fixed

[csk_1975]

Supposedly a simple rewrite of the exploit code allows it to work even after the patch is installed. Here is a link to a proof of concept exploit that was posted by "Jelmer" to the full disclosure list.

How about reading the link?

[Phil+John]

it links to microsoft which explains what this does.

Re:How about reading the link?

[gphinch]

so you're saying microsoft is trustworthy in this issue? i think the past week or two have proved this otherwise. ^^

Re:How about reading the link?

[KarmaMB84]

The patch just automates the modification. Just install the patch and it's done.

Re:Who to believe?

[Whyzzi]

you mean eXtra Problems * 2

Comments from NTBugtraq

[bastardadmin]

The NT Bugtraq list has been discussing this patch today, focussing on it's poor timing of release (there are indications that it could have been pushed earlier than the Friday before a major US holiday). Russ Cooper, owner and maintainer of the list had some good points, about the patch itself. Definitely worth a read if you have to maintain Windows systems.

Security and MS "Getting it"

[geomon]

Okay, everyone has had a great deal of fun at Microsoft's expense today with the stories of Dept of Homeland Security dumping IE, and Microsoft taking nearly a month to fix a BIG exploit in IE. But I wonder if Microsoft's problems are less a function of them 'getting it' as much as it is a case of them being a 'victim of their own success'. Follow along with me for a minute.

When MS started its rise to the top, they hired as many of the brightest minds as they could to make their software the best of class. While many of us probably find the corner-cutting a bit too much to take, it is possible to have both world-class software while meeting a marketing deadline. It happens, but less frequently than MS or its defenders/supporters would like to think it does (lightning striking the same point twice *without* a lightning rod).

They continued to compete heavily in the OS market despite the fact that they initially wanted to be nothing more than a computer language business. The OS was to be the cash cow that would allow them to be a more effective language business. But now they own the OS business and are driving their business model into other ventures (consoles, entertainment centers, telephones, automotive brainboxes, etc). They just follow the same formula that lead to their smashing success in moving into the OS and office app market: buy the best brains in the field and use their project management skills and VOILA!, they are the new masters of the [insert market segment].

But consider the sandbox their bright minds play in: a homogeneous computing environment with computer scientists guarding the facility from outside intrusion. As has been noted in another slashdot article, Microsoft's products work wonderfully inside of Microsoft's campus.

They have extremely talented people working with the highest-end equipment in an environment where everything works nearly 100% of the time. Is it so surprising that they do not view the world the way we do?

After all, most of the companies that I have worked for are staffed with (largely) computer-illiterate people and whose firewall is maintained by a PFY with a high-school diploma.

Perhaps it would be better for Microsoft if they force their developers to create their products in environments that their customers use. In fact, maybe they should send their developers to test their products in the heterogeneous environments of their customers for a month or two.

Let them work the bugs out on their time for a change.

registry changer

[eMilkshake]

Well, if you mean by "fix" an executable that changes a registry key that might have been set a certain way for who knows what applications. Don't think this actually changed any part of Windows.

Windows 9x and Windows ME users still vulnerable?

[prandal]

According to SecuritiyFocus. Windows 95, 98 and ME users are also vulnerable. So why is this patch only for Windows NT, 2000, XP, and 2003?

It does NOT run on Windows 98.

Oh, I remember, Microsoft only produces patches for "supported" (if that's what you can call it) products.

Re:M.S. claims exploits happen AFTER patch is issu

[Ytsejam-03]

Recently we had a Microsoft sponsored security seminar where the MS guy said that most exploits occur when hackers reverse engineer Microsoft security patches. This is what he defined as a "0-day exploit". I was pretty disgusted by this twisted propaganda. Any regular subscriber to BugTraq is aware of many vulnerabilities in fully patched Microsoft systems that are not corrected for months.

Agreed, this type of statement is dishonest to say the very least. How do they know how many boxes were exploited before the vulnerabilities are discovered by white hats and posted to lists like BugTraq? They don't. No one does.

I find it hard to believe that defects like the RPC vulnerability, which was first introduced into NT4 back in 1996, were not in active use by some of the black hats out there for several years. These guys are not going to create a worm before a defect is made public because that would get the vendor's attention, and therefore likely get the defect fixed.

A more correct statement would be to say that these vulnerabilitys are not openly exploited until after the patch is released. In other words, they don't become a widespread problem until the script kiddies find out.

What's the problem?

[RAMMS+EIN]

``installing, then uninstalling, an "important security patch" that took down the my client's Exchange Server.''

So, didn't the patch do exactly what it was supposed to do? You applied it, and it took down a piece of Microsoft software, undoubtedly full of security holes waiting to get exploited.

Legendary Microsoft efficiency.

[RustyTaco]

It only takes one 104k "I don't know what it posibly does" executable for MS to deliver a
- RustyTaco

Re:It took MS 23 days to provide some relief for t

[mangancha]

Sorry, it should say june the 9th.

Not here either

[Skiron]

Been screwed too many times with the patches installing other shit that really breaks things.

Luckily I am sysadmin in a very large WAN, so all I need do really is keep AV up-to-date and M$ servers working (a bit oxyimoronish, but you know what I mean).

Nick

Re:Windows 9x and Windows ME users still vulnerabl

[prandal]

Chuck this into a .reg file and import.. The bit in square brackets is one line only - substitute a space for any linebreaks...

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA 4}]
"Compatibility Flags"=dword:00000400

Re:Windows 9x and Windows ME users still vulnerabl

[prandal]

That isn't the point, surely? It would have been so easy to produce an executable which would have worked on 9x/ME too to set the registry key, and make it available to everybody via WindowsUpdate.

At the risk of repeating myself, Microsoft STILL hasn't got it.

Is security really a priority at Microsoft?

[Ytsejam-03]

Well take a look here and see the blog of a windows developer. He really does get upset when people say that MS doesn't care about security.

I have no doubt that there are developers at Microsoft who care about security. For all I know, this might even be the majority. Any developer who takes pride in his work will make security a priority. A few of the best developers that I've worked with in my career have taken jobs with Microsoft because of the pay and career opportunities available there.

That being said, I question how committed their management is, or how much they even understand the problem. When you have the MS Security Chief making comments like this, it tells me that either he does not understand the problem, or he is more concerned about bad publicity than security. I have yet to hear anyone from Microsoft state exactly how they know how many machines are compromised before a patch is released. There are lots of very bright black-hat types out there, and it seems likely that many of them discover and exploit problems before they are widely known. It seems equally likely that these guys would also know how to cover their tracks.

Problems of this nature should be discovered through the design review/code review process, assuming that Microsoft even conducts these. And if they don't, then how serious are they about security?

Re:48 Hours

[StormReaver]

Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

And in a matter of only a few years after that, Microsoft releases the fix that fixes the things the original fix breaks.

Get the patch without using IE or going to MS

[hetairoi]

see The Software Patch

Re:Get the patch without using IE or going to MS

[raind]

Thanks! from a win me pc.....

in az fairy kingdolm

[jeisc]

THE KING IS DEAD!
LONG LIVE THE KING!

"Hey who is the new king anyway" said a blind guy.
A business dude heard this and replied "ME!".

Uhhh - thems is billable hours, dude...

[mosel-saar-ruwer]

I know your post was taken as FUNNY, but I lost several hours last week installing, then uninstalling, an "important security patch" that took down the my client's Exchange Server.

Uhh, don't know about you, but out here in flyover country, thems is what we call "billable hours".

Of course, rumor has it that youse big city guys perform your "favors" for free...

what happened to their 48hr turn around again?

[shaitand]

Didn't microsoft say something about having patches within 48hrs of vulnerabilities being discovered... it's interesting that while most were patched before exploited (and caught being exploited) they were known about for at least 6months before microsoft patched them.

Re:Not for MSIE 5.5

[prandal]

They only list "currently supported" products, so yes, they don't give a damn.

Bupkis

[FlyingOrca]

That's brilliant! And I can't think of any uses for goat shit, except those that involve trolls or spammers... although I kind of wonder whether it burns when dried. Cheers!

Re:Bupkis

[chrispatch]

It has no use. It burns when dry. Don't ask.

IE this IE that

[script_scorpion]

Always something wrong with Ie it seems. Am i right every1. Whhy dont we just stop using IE all together and just use Firefox it is so much eazzzier

Post the truth and get modded down!

[Orion+Blastar]

40% Troll
30% Redundant
30% Interesting

30% who modded Interesting have good taste. 40% who modded troll still use IE. 30% who modded redundant wished that they would have made the post first.

As usual there is a third party patch to fix this.

[SB5]

There is a third party patch out to fix this problem and some other general IE problems. It can be found here: IE Third Party Patch

Coolwebsearch?

[Beryllium+Sphere(tm)]

>I challenge you to find one piece of malware installed without using ADODB.Stream

Leaving out all the social-engineering Trojans that install through normal channels, what about Coolwebsearch? That exploits a vulnerability in Microsoft's JVM. Does it use ADODB.Stream later in its bootstrapping?

Re:Coolwebsearch?

[Sheepdot]

Coolwebsearch has used multiple vulnerabilities over the last year or so all exploiting ADODB.Stream. One method it used early on did involve the MS JVM. In fact, many of the malware for the time previous to a year ago used other vulnerabilities. Around September of last year there was a huge amount of attention given to ADODB.Stream, however, including the release of a payload delivering PERL script of my own design. I figured it'd get MS to rethink the object, but they didn't until lately. My guess is that a real patch for the newest vulns is a ways off and this latest one is just to alleviate that fact.

Saw it advertised on bootup this morning...

[dave1791]

and patched...

Now if only I can convince my wife to dump windows for linux, I would no longer be on this "patch, update antivirus, clean spyware" treadmill

Per-site security in Mozilla/FireFox

[WoodstockJeff]

Thanks, AC, for the hints on using user.js to configure per-site security.

(the parent needs to be modded up, for those of you with moderator points!)

Good article

[Cato]

See this eWeek article which says IE is too dangerous to keep using. Strong stuff from a mainstream publication - the bit about people potentially losing online banking and stock trading passwords is probably teh most effective at getting people to switch.

A focus problem here

[cheros]

The problem appears to be MS not focusing on customer needs, but on MS needs. Thus follows spin instead of action.

I agree with your observation that MS has a serious amount of brilliant people working for them, but if they collectively manage to produce something that in the future requires a dual core processor with 1 TB of storage and 1GB of RAM (Longhorn spec) to run a bloody simple word processor than I think we're entitled to ask a couple of hard question with respect to value for money and their understanding of what efficiency actually represents for them.

And their security focus didn't arrive until it started to cost them customers.

If they focused on client needs and thought about some fundamental quality things could improve. Given their addiction to spin I don't see this happen soon.

So I vote with my wallet and run Linux. Simple. Easy - and it does what is says on the tin ;-).

It's just stupid.

[mrmeval]

No foreign code period.