Slashdot Mirror
4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.
So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some case) may have actually introduced an IE bug.
surprise, surprise...all i want to know is why you need 9 patches for 4 holes. maybe the first patch fixes 1 and creates 5 more?
Sorry Funkdid, your bet of Wednesday for the next IE exploit was incorrect. However according to Price is Right rules your bet is the closest without going over, so you win!
Your prize today is 9 shiny new windows patches! And a new car!
Urge to post... fading... fading... RISING!... fading... fading... gone.
A spokesman for Microsoft said, "These are the last 4, we swear!"
I'm switching to Lynx.
Solution:
Disable Active Scripting.
Use another product.
Get Firefox!
First hit on Google:
/ black_tuesday.htm
http://mutualfunds.about.com/cs/1929marketcrash/a
"Black Tuesday is notorious for being the worst day in the U.S. stock market"...
You didn't even try, did you?
"Solution: Disable Active Scripting. Use another product."
Creative Demolition
The day the stock market crashed in 1929, beginning the great depression.
... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.
How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?
And is there anything we can do to get this in the press?
*.02c
Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
http://slate.msn.com/id/2103152
You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.
This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
Jason Lotito
From what I hear, it's when Microsoft release patches. Many Patches. In one day. Imagine rushing around, trying to patch all of your computers. *THAT* is Black Tuesday.
Been reading Snow Crash again, have we?
Dear Staff,
IE has a vew unsolved vulnerabilities to say the least. Download the latest version of Firefox or Mozilla from http://www.mozilla.org/.
Thanks,
Bill G
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
Yes I know Mozilla/Firefox is better and I use regularly. However I have to develop applications in ASP.net, basically Internet explorer as mandated as mandated for this application. Granted windows runs the majority of desktops here). Why cant Microsoft just build code that is at least semi-secure puhleeeeaaaaassseee....maybe it's time to pitch for a full out work switch to Mozilla/Open Source. Especially when it's a new vulnerability (or multiple vulnerabilities) once a week. *sigh*
Ok I'm through crying now Microsoft hear my pleas....
...in bed
This is absolutely no surprise, and seems at this point almost un-newsworthy. There are so many holes in the virtual screen door that we call IE, its becoming moot to mention them. Why not solve the problem at its base, and switch to Mozilla. I am director of IT at the company that I work for, and we all use Mozilla now, and I feel a lot better about this. I am waiting for 2 things though:
1.IE to not be a part of the actual operating system (not going to happen, they've already committed)
and
2.Web Developers to write code that is compatible with all browsers (i.e.: not written just for IE, such that if another browser is noticed, service rendered unusable).
when this happens, i will be pleased.... until then, i guess we're going to be fighting off more exploits than one can shake a stick at.
sigSEGV - doy!
I don't feel sorry for people who work at Microsoft. They are well compensated for the suffering they inflict.
Friends don't help friends install M$ junk.
Mute? Dontcha mean "moot"?
I'm not tense. I'm just terribly, terribly, alert.
[sarcasm]Secunia tells us that OS X, OpenBSD, and Linux are a cracker's dream compared to Windows! They have the statistics to prove it![/sarcasm]
52 Weeks, 52 Religions with John Hummel
When all the sysadmins start jumping out of windows, you'll understand.
Internet Explorer in Windows XP SP2 Releae candidate is not vulnerable to any of these exploits.
*ahem*
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta).
Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.
Read the EFF's Fair Use FAQ
"An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system."
Damned either way. Run Mozilla, if you aren't already.
At this point you really have to be a 100% Grade-A idiot to run IE.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If people running windows were not so used to running as admin, this would not be a fundemental problem. If Windows was more friendly to being used as a multi user system, then only the os would be the bottleneck (although still a significant one) in making a system secure. I mean, running a browser should be a fairly secure activity, after all, it is such a basic part of every day computer use.
Built one of these, have you? Do tell, do tell.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
So everybody should just run out and upgrade to Win XP? (And install SP2 even though it hasn't been released yet?)
News Alert: Microsoft forces users to upgrade to Windows XP by releasing viruses/worms that only target earlier versions of Windows and IE.
Or does the very name of IE sound like a scream?
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?
Just imagine if cars were sold with this many problems. Or home security systems...
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.
MORTAR COMBAT!
There are no windows in the basement.
"Piter, too, is dead."
It refers to the Microsoft policy of releasing security vulnerabilities on the second Tuesday of each month instead of the time they become available.
I see lots of people posting things like here's your reason to switch to mozilla or opera or firefox...well, here's my question...are all these vulnerabilities discovered in IE, just because it's the browser of choice? if firefox was the browser of choice with the largest market share, wouldn't virus writers and security experts just be finding vulnerabilities in it?...or are mozilla/firefox/opera that much more secure...it's kinda like MAC users saying how the MAC is so secure because all of the viruses are windows viruses...well, that's because no one bothers to write a virus for MACs...
"Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
> I think blacktuesday has something to do with a stock market crash back in the day. 1987 maybe? I am not sure.
... "1987" ...
"back in the day"
God I feel old...
- For the complete works of Shakespeare: cat
It's skewed highly towards the web developers/more technically inclined, BUT the fact that non-IE browsers are doing so well there is a GREAT sign, as it means web designers are moving away from IE.
If you want a better general representation of the web, Google's Zeitgeist web browsers graph (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.
Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
Dangit, just one day before, and my band could have had a slashdotting. I couldda been a contenda.
Just set a box of Windows XP out in the field, and the worms keep rolling in. They stopped for a moment and we were afraid we would have to go back to the old method of using shovels and a bucket. But, like magic, they kept coming and coming.
All hail the Quizatz Hadderach!
The bottom line is that IE is probably partially pre-loaded at all times, once again adding to the Windows overhead.
There is nothing to stop you running Firefox fully pre-loaded from boot-time.
Ripping an new rectum in the fabric of spacetime.
I'm not quite sure how this is, but our collective websites run on our server generate around 2 million hits per month, and i would have to say that about 97-98% of them use IE.
I've had the worst time being the only Linux guy in the office, and my cries have not completely fallen on deaf ears, as 2 of my co-workers have installed Firefox recently. But when i can talk to someone for less than 5 minutes about the pros and cons of Mozilla and open source browsing vs. IE, most of them nearly start sobbing with all their troubles.
People daily complain to me about the bot problems or spyware issues that they have. I was sympathetic and helpful for a time. But now I wanly smile and say "mozilla.org/firefox" and walk away. Those super-cool guys with browser problems can kiss my ass until they start listening to me, and the rest of the world.
Read the only personal Runyon page out there.
Wikipedia?!
Just fucking Google it.
Remember when 2000 was supposed to be the most secure ever? Then XP? Now it's Longhorn. I didn't believe them then and I don't believe them now.
I feel sorry for the poor Windows poopies. Paying big bucks to get porked like a cheap prom date. And not so much a kiss from Billy boy.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
to consider any that isn't an MS product. He is a staunch Redmond supporter, won't even concede the imporatance of Unix/Linux/Mac ever, as if they never existed. I have been hitting him with links from these stories for almost a year straight, he just called, wants to me to start having our desktop guys install FireFox on his desktops next week. Chalk up one more for the good guys...
how about "for all intents and purposes" instead, Chuck?
(double checks his post for mistakes)
The management isn't telling these guys "Write me a buffer overflow, STAT!!"
If they can't code good software, that's their own damned fault and I don't feel bad for them.
- It's not the Macs I hate. It's Digg users. -
As an IE user, I was going to respond to this with proof that Firefox is just as bad as IE. Then I realized that I have no idea how to use Firefox in place of internet explorer because it appears to be some sort of shipping company. Also, my fingers are tired from writing this post so I'm just going to stop.
I submitted this story last night, and it didn't get posted.
It's Tuesday.
It would be cool if my remote control had a moot button... But what would it do?
I guess it would be pointless, really.
The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now. Initial reports of the exploit only started coming in a couple months ago, even the vulnerability has existed since IE 5.5.
Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.
I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...
web design experiments
IE is the interface between the user and the Windows OS. It just happens to also act as a web browser. That's what they mean when they say it is integrated as part of Windows.
Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.
Life is short: void the warranty.
I'd say running Internet Explorer is more like pulling your pants down and screaming "rape me" in the middle of the exercise yard of a maximum security prison.
Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
sorry but this was fixed in firefox and mozilla a while ago. Opera was also fixed recently.
Join Team Mozilla #38050 Folding@home
IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.
When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.
Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.
A feeling of having made the same mistake before: Deja Foobar
Can someone explain to me how an IE vulnerability can lead to a Sasser like virus? I thought Sasser was a worm that spread automatically through open ports of unpatched Windows machines, whereas IE vulnerabilities seem to have to be user initiated.
It seems like somebody was jelous of a certain other browsers bug now weren't they?
I stole this Sig
Microsoft Delays Windows XP Service Pack 2
Posted by simoniker on Monday July 12, @05:02PM
MSN, Word Vulnerable To Shell: URI Exploit
Posted by timothy on Monday July 12, @07:42PM
4 New "Extremely Critical" IE Vulnerabilities
Posted by CmdrTaco on Tuesday July 13, @11:45AM
Microsoft Expects 1 Billion Windows Users by 2010
Posted by CmdrTaco on Tuesday July 13, @08:14AM
Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...
When are the masses going to learn?
That's why IT management, starting from the top down, needs to plan better.
There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.
The only significant benefit to doing IE-only development is the streamlined development tools.
This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?
.sigs are for post^Hers.
I'm a fan of Microsoft. I like most of their products. I make a living off their development tools and platforms. I'm incredibly happy with Windows 2003 Server. I typically defend Microsoft whenever I get the chance.
.8 (or so), IE was the better browser if you ignored security issues. But you can't ignore security issues. And now that FireFox is just as good (and better in many ways) than IE, I can't see any rational reason to continue to use IE.
But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.
I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.
Up until FireFox
So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
The masses won't change becuase these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...
On occasion I am forced to run the mac version of IE, how many of these exploits actually affect the mac version(which is rather old at this point)?
Here is an email that I sent to my family members, I suggest that you do something similar.
.
This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/
http://secunia.com/advisories/12048/
Andrew
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
I'd like to get my hands on an exploit that installs Firefox, with the IE theme, and then replaces all desktop and startmenu shortcuts with a pointer to Firefox. Also changes the default browser.
Anyone know of one? The terms are too generic for a quick google.
S
Its the new browser wars, but this time its not about who looks the best its about who can manage to take the simple thing that is HTML, and turn it into the most deadly virus-pushing force known to computers. I think IE is definately in the lead on this, Mozilla did have a little lead with their shell bug but then we learnt the shocking news that they had stolen the technology from windows! now IE is back in its rightful lead and on its way into victory. And lets not forget IE's secret weapon: the ability to flood the screen with pop-ups at a moments notice, really how anyone could live without pop-ups is just beyond me.
This comment does not represent the views or opinions of the user.
Like Windows users everywhere who use IE only for Windows Update, I went through the ritual of adding v5.windowsupdate.microsoft.com to my Trusted Sites list and disabling Active Scripting in my Internet Sites list today. This is a fresh[-ish] install of Windows XP SP2 RC2. I've never used trusted sites before on it. However, I noticed that there was already one entry in the list: https://free.aol.com Why was this? I don't use AOL- I don't even have it installed. I'm starting to sense some corporate brainwashing (and, a site that if cracked would give anybody full access to every copy of IE in SP2...). Has anybody else seen this?
My Systems
That's exactly the argument that Microsoft apologists have been using for years. But just because Microsoft products are more pervasive does not mean that they are just as secure as Linux, OS X, et. al..
In point of fact operating systems are not all the same. Some sacrifice security for flexibility or features (ex: Windows). Some eschew clever new features and integration in favor of security (ex: OpenBSD).
Microsoft's development methodology for years was built around increasing the featureset of the Windows OS and Office suite. Marketing drove development of the OS, and development priorities were established accordingly.
Are Yugos as safe as Volvos? Do MiG-29s carry as many passengers as 757s? Software is designed, and in any design process you have to make trade-offs. Microsoft has repeatedly shown us what their design priorities are, and the fact that Microsoft products are ubiquitous doesn't mean that some competing OSes are not inherently easier to secure.
Read the EFF's Fair Use FAQ
Insecure, but a more enjoyable user experience?
Imagine Microsoft releasing patches any day of the week/month, with no warning. Several times a month. Imagine yourself running around to each machine patching it, sitting down, and doing it all over again when a new patch comes out.
Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
You decide which is better.
A day in the life of MSIE
And bill spoke and I went into a nightmare
I heard the news today oh boy
Four thousand holes in IE, Microsoft
And though the holes were rather critical
They had to count them all
Not they know how many holes it takes
To fill the Windows XP SP2.
I'd love to turn bill off.
I say we just switch to Lynx and forget about all these vulnerabilities!
Doh, guess I'll just have to switch to ascii porn!
There's already a lot of discussion going on about "use Mozilla/Firefox/Safari/Lynx/whatever", so I won't rehash that here. If you can pull it off in your environment, great.
There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.
No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.
We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure you've got your systems are secure as they can be, even if they're not the systems you'd prefer to run.
Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.
Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).
Thanks,
The Internet
"Schadenfreude"
The word you are looking for does not exist in English, but in German they say Schadenfreude. It is a sort of malicious glee at the misfortunes of others. It can also contain an element of "I told you so".
None of them can see the clouds; The polished wings don't care.
"Exploit yes, root exploit, no, not unless the user is running as an Administrator. IE still runs at the privileges of the logged on user."
the sad truth is that no one I know has folks set up as "Users" or "Limited Accounts" unless its a guest account. Also, any new computers that are purchased end up with XP asking for a person's name to set up an account. This account is always an account in the administrators group. 99% of XP users use this account at their primary, not understanding the difference.
In addition, those that do set up limited accounts many times discover that [insert pre-XP software package here] doesn't work with Limited accounts so they revert back, or they use the Power User account which is almost as bad as administrator.
Damned if you do, damned if you don't.
(a) folks
Is the juice worth the sqeeze?
For awhile that security bugs in non-MS browser just don't happen with the same frequency or degree. Bugs in non-MS browsers *occured*, but they tended to be much more subtle bugs with lesser payloads, as opposed to MS which tends to wind up with seemingly really obvious security holes with serious consequences on a regular basis. For every "untrusted site may gain read access to cookies belonging to another site by a contrived series of steps" in Mozilla there was an "execute arbitrary remote code by clicking a link" in MSIE, it seemed.
Then last week the shell: bug in Mozilla was reported, and I was humbled. Perhaps, I thought, perhaps Mozilla wasn't really all *that* much better than MSIE, and I was being silly by my stance that MSIE was an unsafe product and Moz was a safe product. Maybe, I thought, trusting any software vendor is just as silly as trusting Microsoft.
Then I see this news today and I don't feel so humble anymore.
One thing I found odd, though. I haven't done a close study or anything, but when the mozilla vulnerability was found last week, it was very widely reported. I saw it at least twice on news.google.com and I believe on cnn.com. But with these new IE vulnerabilities? Well, maybe it's just too soon, but cnn.com has nothing on this-- it does have a story "renewed calls for alternate browsers" which mentions in the second paragraph two IE bugs that MS fixed already-- and news.google.com has nothing. And n.g.c's top tech story?
Microsoft CEO Touts Security Push at Conference
Reuters - 55 minutes ago
SEATTLE (Reuters) - Microsoft Corp. MSFT.O is taking a big step toward boosting the security of its flagship Windows product in August with the release of a major software update, Chief Executive Steve Ballmer said on Tuesday.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Black Tuesday denotes the crash of the U.S. stock market in 1929 that started the Great Depression. There was a recession in the late 80s, but it was far from a depression.
This is why the browser wars were a good thing. Sure, web development was annoying because of all the versioning nightmares, but at least there were safe alternatives. At least there was competition driving the products to be better and better.
Payback is a bitch no? Sure they got a little paddle on the backside and a, "Don't do that again" over their monopolistic practices, but here we are, seeing the karma swing around to bite them in the ass.
Hopefully this stuff will continue to the point where we can get the ball rolling again. Yet another big moment for open source software to try to swing in and become a viable alternative. Especially considering the fact that firefox is just an application and not a whole OS, which can be a scary leap for many to attempt an install, it might really open some eyes to what could be.
RALLY!
m.
How many more years of baseless stupidity of open security holes must we endear?
How much longer is security through obsurity going to carry a clueless monopoly to its demise.
Patience has its virtue. But for the end-user, only fools would get lucky. Not this time, Bill.
I'm sticking with Firefox/Mozilla. Mozilla
Thank you open-source for opening my eyes to a better software through open-colloberation and open-cooperation. You've shatter my belief that corporation can fix after themselves.
Instead, we see tons of industries built upon MS insecurities.
Time to experience another industry bubble-burst, this time in the security sector, not I&T.
I build boxes for people when I can be bothered and one of the first things I so is to install Mozilla, provide shortcuts on the desktop and Start Menu and tell them "Use Internet Explorer and I won't provide support"... my girlfriends cousin started using IE because he found Iexplore.exe. I mean what the hell, when us techies are confronted by these kind of morons who *hunt* for the damn program what chance do we have? Suffice to say even with ZoneAlarm installed (he said yes to every connection in and outbound) he had a multitude of virii and a billion and a half spyware and toolbars... oh I also installed AVG and AdAware too. Sheesh.
I've noticed that everyone who is for abortion has already been born - Ronald Reagan
Ok, after messing with the probably intentionally vague security settings, I have discovered that it is impossible to disable Active Scripting and yet leave JavaScript enabled. Same deal with ActiveX and Plugins (Flash being one of them).
...but I guess that's a bit too much to ask for.
Since most sites use at least some amount of Javascript and Flash (e.g. gmail), you're left with these choices...
* Turn off all scripting
* Take your chances with Microsoft's flaws
* Deal with the annoying 'prompt' for just about every page
* Manually configure the pages you want as trusted sites
Boy, I wish there was a selection that said...
"Disable all Microsoft(R) Web Technologies"
Does it hurt to hear them lying? Was this the only world you had?
Lindows 2.0 "leaked"? a version of AOL for Linux that used Netscape
http://msnbc.msn.com/id/3078317/
I hate runas, its nothing like su or sudo. Quick rant here, oracle installed with permissions so that only Admin could access the dir. I couldn't change it. Tried to do as I would in KDE and do:
runasto pop open an Admin explorer shell to change the permissions on the dir. Just doesn't work. Command ran and nothing happened. In KDE its just a simple
su root -c konqueror
or for mesudo konqueror
or even ALT+F2, konqueror, "run as different user: root" and enter the password. Had to close everything I was working on (this is my work computer with ssh sessions, code files, and RDP sessions open), log out and log back in as Admin just to simply add my user to the list of allowed users. User-Friendly my assC Pungent
> Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
> You decide which is better.
That depends on your goal..
If yoru goal is to get as many patches installed in as little time as possible, the planning oppertunities that MS gives are very nice..
When you are just interested in keeping your machines secure, and somehow you must run windows on them, then this policy is simply unusable since it will leave a much larger timeframe for exploitation.
Your boss may be interested in statistics when thigns work, but will still get pissed off about that one major security compromise regardless of those statistics.
A great many problems can be avoided simply by setting ActiveX controls to prompt for download, allow only ActiveX controls digitally signed by a trusted source to run (you can check the signature before you accept), and turn off active scripting. Yes, IE has problems, but in all fairness it probably has the dubious distinction of being the most analyzed, probed, and maliciously scrutinized software on the planet. Mod me down if you wish, but someone has to play devil's advocate.
I just called my boyfriend and asked.
The solution for Palm hotsync:
Give the user Administrative-level access.
Install the Palm software.
Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).
Remove the user from the Administrators group.
Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
This one blew me away. I went to Windows Update and installed today's critical updates. After restarting my computer, Mozilla Firefox wouldn't run! I got the "has experienced an error and has to close" screen. So, I started uninstalling the patches. When I tried to uninstall 841873, I got a message that said that, if I continued with the uninstall, Mozilla Firefox would no longer function. The really interesting this is, once I uninstalled 841873, FIREFOX WORKED!!! No a conspiracy nut at heart, but this is just too coincidental. Has anyone else experienced this yet? Running XP with all current updates (except 841873) on a P4 3 ghz with 512K. Mozilla Firefox 0.9.2
To wit -- Here's a little history lesson on why you're wrong. And when Linux starts to get the number and volume of enterprise-level applications that Windows has, these types of history lessons will prove useful. But don't just take the easy way out and say "Yeah Windows sucks" and not try to learn about the mistakes that might just be made again without some perspective.
UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.
The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.
It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.
Want to help a Microsoftie switch to Firefox? See if you can help, I'm sure once he gets it working he'll go and convert others...
[o]_O
I just got into hot water with my boss over upgrading several workstations to firefox. I believe his exact words were 'They've already put out a lot of patches, there can't be any serious problems left!'. What a bail-out!
Oh, and that last poll? -20%
What the heck is a 'sig'?
I'd rather say "Grab your popcorn!" ;-)
Honestly, anyone who is still using IE on Windows can't be in his/her right mind.
I swear, why didn't anyone else think of it before...
<email>
With the recent AOL and Intel merger, that you've all got an e-mail about before, I'm sure, both AOL and Intel (hereby refered to as Antel), have issued several warnings about your web browser, Internet Explorer.
With Bill Gates tracking all of these e-mails, he's been able to prove that there's about 96% of the world (that has a computer) using Internet Explorer. However, for the first time, Bill Gates may be wrong!
There have been several recent attacks against Internet Explorer, and these are not limited to:
If you click a link in your e-mail, IT MAY ERASE YOUR ENTIRE COMPUTER!
Just by opening up a webpage, without your knowledge, IE could install several harmful programs that read your e-mail and send your credit card number, name, and all other personal information to hackers across the internet!
Because of these possibilites, Antel has issued several warnings to stay away from Internet Explorer, and instead use Mozilla, Firefox, or Opera.
Now go spread the word to all of your friends!!one1!
Prove the power of e-mail! Forward this to everyone in your address book asap!
IF YOU DO, ANTEL WILL REWARD YOU WITH A $20 ANTEL GIFT CERTIFICATE!
</email>
I'm going to try very hard not to be mean. Seriously, did you (and everyone else who replied to the challenge to list one thing IE does better) not realize what you're saying???
These are IE-specific things!!! You're comparing apples and oranges. The only sane response is probably drag-n-drop bookmarks. Not IE-only CSS hacks! Look at it this way:
Seriously, that's what it sounds like. Next you'll say that IE is better because of Active-X. Who gives a shit if IE has some IE-only, embrace and extend version of CSS? That's not the mark of a better browser, that's MS using their market dominace to screw with standards just enough to lock-out competitors. I'm open to "participating in a creative discussion", but be creative.
Pretend that something especially witty is here. Thanks.
Imagine Microsoft making software that is so full of security holes that they are forced to release patches several times a month, every month.
Now imagine Microsoft making products that are more manageable and secure from the start, so that releasing more than one patch per quarter is an extremely rare occurance, and updating is a simple procedure that only requires rebooting your server if you're updating the core of the operating system.
You decide which is better.
I'm starting to feel sorry for IE. Everyone's picking on it. It does have some nice features:
OK, for what ever reason, you can't switch all your users to a mozilla based browser for politics or whatever reason. but YOU should switch as should anyone with domain admin rights.
Asumming you have some control, your users have "user" rights. But YOU have "Admininstrator" rights too all \\workstations & \\servers...
All it would take is YOU clicking on the wrong link and bye-bye domain.
(as if your ego would allow you to assign yourself a meager 'user' account.)