Posted by CmdrTaco from the you-can-do-it dept.
Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2-year-old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."
> WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In case anyone is wondering about Download.Ject, check this link out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.
Sadly, Firefox isn't affected.
-- Right is wrong when left is right.
Re:Download.Ject (Score: 4, Informative) by Jim_Maryland
If I'm not mistaken, XP SP2 includes the workaround, which changes a registry entry related to the exploit. XP SP2 doesn't really fix this particular problem but disables the functionality that is being exploited. In a way, users aren't at risk, but if you rely on that functionality, well, you're out of luck for now, or you must run with the risk.
Re:Download.Ject (Score: 4, Informative) by aron_wallaker
I tried it on WinXP Pro (no SP2) IE 6.0.28 and it went through on the first try without even a warning from IE.
Re:Download.Ject (Score: 4, Informative) by gad_zuki!
Just tried it on a fresh SP2 install and it works. The kicker is even after I've closed IE I still can't delete the boom.exe file from startup because it's being used by a different program. Oh well, might as well disarm it (yeah I know it's a 0kb exe but what the hey) with msconfig.
The handful of sites that don't work well with Firefox/Moz is really a small price to pay for the added security especially in regards to drive-by spyware installs.
Re:Download.Ject -- CORRECTION (Score: 5, Informative) by romper
Sorry to reply to my own post, but figured I should before the flamethrowers start in.
Download.Ject information is actually here. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.
Anyway, the editor (me) regrets this error. =)
-- Right is wrong when left is right.
Re:Firing offense? (Score: 3, Informative) by gregarican
I recall years ago working for the RAID manufacturing division of Conner (the hard drive/tape drive company, which was bought out by Seagate). The building right down the street from ours was responsible for tech support of their tape drives and backup software.
What did our facility use for backup software? Not Backup Exec! We used Legato Networker. I recall some tours the corporate big wigs were given every now and then. Their expressions were funny to see if they peeked in the server room!
Actually, the exploit only worked on Windows machines. Firefox for Linux, MacOS, etc. was not affected. It had more to do with native Windows security than it had to do with Firefox.
-- Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Even XP SP2 is easy to tamper with (Score: 5, Informative) by mslinux
Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin ;)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start
Also, here's a Python script that will automatically kill the new "Windows Firewall" in XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.
These are just two examples of what MS does to "secure" their systems. God help us all.
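A defensive counterpart to the tampering described in this comment, added here as an example and not part of the thread: a PowerShell function that audits the Security Center and Windows Firewall services for a changed start type or a stopped service. The service names wscsvc and SharedAccess, and the Automatic (2) start type as the SP2 default, are assumptions.

```powershell
# Added example (not from the Slashdot thread): audit the start type and running
# state of the XP SP2 Security Center and Windows Firewall services, so a defender
# can spot the tampering the post describes (Start set to 4 = Disabled, or the
# service stopped while its start type still says Automatic).
# Assumptions: service names 'wscsvc' (Security Center) and 'SharedAccess'
# (Windows Firewall/ICS on XP); run as an administrator on the machine under review.

$StartTypeNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-SecurityServiceTampering {
    param(
        [string[]]$ServiceName = @('wscsvc', 'SharedAccess'),
        [int]$ExpectedStart = 2   # 2 = Automatic, assumed SP2 default for both services
    )
    foreach ($name in $ServiceName) {
        # CurrentControlSet is the live view of the hive; the post's ControlSet001
        # is normally the same control set, but CurrentControlSet is the safe choice.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null
        if (Test-Path $key) {
            $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        }
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

        $findings = @()
        if ($null -eq $start) {
            $findings += 'Start value missing'
        } elseif ([int]$start -ne $ExpectedStart) {
            $typeName = if ($StartTypeNames.ContainsKey([int]$start)) { $StartTypeNames[[int]$start] } else { 'Unknown' }
            $findings += "start type is $typeName ($start), expected $ExpectedStart"
        }
        if ($status -ne 'Running') { $findings += "service is $status" }

        # New-Object keeps this runnable on the PowerShell 2.0 that XP supports.
        New-Object -TypeName PSObject -Property @{
            Service   = $name
            StartType = $start
            Status    = $status
            Tampered  = ($findings.Count -gt 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Usage: list any service whose start type or state differs from the assumed defaults.
Test-SecurityServiceTampering | Where-Object { $_.Tampered } | Format-Table -AutoSize
```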
What is unfair here? (Score: 4, Informative) by revscat
A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
B) Slashdot reports this
What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.
Re:Missing: Interview (Score: 3, Informative) by Tet
> Ok, the guy really stepped in it here when he plugged Firefox
But he didn't even do that! All he said was that he needed to upgrade Firefox to fix a security problem. Not that he used it as his main browser, and certainly not that he didn't use IE every day like all good Microsoft employees. Merely that he had it installed on his machine, and patched it as appropriate. In his job, I'd expect him to have a copy of alternative browsers on his system. I'd be surprised if he doesn't have Opera installed, too.
-- "The invisible and the non-existent look very much alike." -- Delos B. McKown
Re:Firing offense? (Score: 5, Informative) by brickbat
This really needs to be modded down, as it's not only not insightful, it demonstrates a total lack of comprehension of Toulouse's response.
He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox. Yes, Virginia, there are other browsers that have security flaws other than IE. That doesn't make them better or worse, it just illustrates that the problem isn't isolated to Microsoft.
And I suspect that in performing his job duties, he needs to be familiar with a wide array of browser technologies, not just IE.
So, please mod the parent down -1, Needs a Clue.
Re:Firing offense? (Score: 3, Informative) by GeorgeMcBay
He doesn't say he doesn't use IE because it is insecure. What he said is he recently had to patch a Firefox installation because it (also) suffered from an exploit.
Somebody didn't read the article...
Re:Download.Ject -- CORRECTION (Score: 3, Informative) by Davak
Is the "what a drag" exploit the same as the drag and drop exploit?
:)
I couldn't open the sample exploit listed in the parent, but I could open the one in the link I provided. The proof is safe and scary.
If they are not going to fix these errors, Microsoft should at least give us a naming system! It's hard to discuss the exploits when we don't know how to name them correctly.
Should we call this one "how to skin a windows box"?
Re:BWAHAHAHAHAHA!!! (Score: 3, Informative) by Quill_28
> This is like discovering Bush prays to Allah!
He does.
The Jews, Christians, and Muslims pray to the same God, the God of Abraham.
The Jews come from the line of Isaac (Abram's son with Sarah), the Muslims from Ishmael (Abram's son with Hagar).
The Jews are still waiting for the Messiah, while the Christians believe the Messiah has come (Jesus Christ).
Poor guy is really having to struggle... (Score: 4, Informative) by argent
Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.
On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.
I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect the only hope is that other browser developers will suddenly agree with Microsoft that security zones based on the current location of a file are a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
Re:Firing offense? (Score: 3, Informative) by BryanR1977
> "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
That would probably be the shell:// vulnerability, which if I recall the Mozilla devs removed the functionality because Windows handled the call in an insecure way. BTW, to the best of my knowledge IE still accepts shell:// URLs.
Misleading statement. (Score: 5, Informative) by halfabee
From the article: "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherent in the OS, not in the Firefox browser.
True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
-- Halfabee
Re:In case you're wondering... why? (Score: 3, Informative) by burns210
> "qmail+unix on their hotmail"
That was from the original creators of hotmail. MS bought out hotmail... It took several years, but Hotmail was finally moved over to an NT base, which it now runs on.
Actually, you're wrong. (Score: 5, Informative) by transops.net
Your comment was:
"He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."
To quote TFA:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
Please RTFA before posting corrections to the comments of others. Thank you.
Re:are apples the same as oranges? (Score: 3, Informative) by strider44
> how many different programs can you burn dvd's with in linux?
Just off the top of my head, four. There are also two major (and free) dvd movie authoring packages. Look them up.
> how many linux computers can play doom 3?
In a few weeks, all of them.