Posted by
CmdrTaco
on from the you-can-do-it dept.
Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."
Actually, the exploit only worked on Windows Machines. Firefox for Linux, MacOS etc was not affected. It had more to do with native Windows security than it had to do with Firefox.
-- Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Re:Download.Ject
by
Jim_Maryland
·
· Score: 4, Informative
If I'm not mistaken, XP SP2 includes the work around which changes a registry entry related to the exploit. XP SP2 doesn't really fix this particular problem but disables the functionality that is being exploited. In a way, users aren't at risk, but if you rely on that functionality, well your out of luck for now or you must run with the risk.
Even XP SP2 is easy to tamper with
by
mslinux
·
· Score: 5, Informative
Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin;)
Also, here's a Python script that will automatically kill the new "Windows Firewall" in to XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.
This is just two example of what MS does to "secure" their systems. God help us all.
What is unfair here?
by
revscat
·
· Score: 4, Informative
A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
B) Slashdot reports this
What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.
Re:Firing offense?
by
brickbat
·
· Score: 5, Informative
This really needs to be modded down, as it's not only not insightful, it demonstrates a total lack of comprehension of Toulouse's response.
He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox. Yes, Virginia, there are other browsers that have security flaws other than IE. That doesn't make them better or worse, it just illustrates that the problem isn't isolated to Microsoft.
And I suspect that in performing his job duties, he needs to be familiar with a wide array of browser technologies, not just IE.
So, please mod the parent down -1, Needs a Clue.
Re:Download.Ject
by
aron_wallaker
·
· Score: 4, Informative
I tried it on WinXP Pro (no SP2) IE 6.0.28 and it went through on the first try without even a warning from IE.
Poor guy is really having to struggle...
by
argent
·
· Score: 4, Informative
Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.
On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.
I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect only hope is that other browser developers will suddenly agree with microsoft that security zones based on the current location of a file is a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
Misleading statement.
by
halfabee
·
· Score: 5, Informative
From the article: "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherit in the OS, not in the Firefox browser.
True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
-- --
Halfabee
Re:Download.Ject
by
gad_zuki!
·
· Score: 4, Informative
Just tried it on a fresh SP2 install and it works. The kicker is even after I've closed IE I still can't delete the boom.exe file from startup because its being used by a different program. Oh well, might as well disarm it (yeah I know its a 0kb exe but what the hey) with msconfig.
The handful of sites that don't work well with Firefox/Moz is really a small price to pay for the added security especially in regards to drive-by spyware installs.
Actually, you're wrong.
by
transops.net
·
· Score: 5, Informative
Your comment was:
"He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."
To quote TFA:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
Please RTFA before posting corrections to the comments of others. Thank you.
Slashdot Mirror
Download.Ject information is actually here. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.
Anyway, the editor (me) regrets this error. =)
Right is wrong when left is right.
Actually, the exploit only worked on Windows Machines. Firefox for Linux, MacOS etc was not affected. It had more to do with native Windows security than it had to do with Firefox.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
If I'm not mistaken, XP SP2 includes the work around which changes a registry entry related to the exploit. XP SP2 doesn't really fix this particular problem but disables the functionality that is being exploited. In a way, users aren't at risk, but if you rely on that functionality, well your out of luck for now or you must run with the risk.
Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin ;)
w scsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
Also, here's a Python script that will automatically kill the new "Windows Firewall" in to XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.
This is just two example of what MS does to "secure" their systems. God help us all.
A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
B) Slashdot reports this
What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.
This really needs to be modded down, as it's not only not insightful, it demonstrates a total lack of comprehension of Toulouse's response.
He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox. Yes, Virginia, there are other browsers that have security flaws other than IE. That doesn't make them better or worse, it just illustrates that the problem isn't isolated to Microsoft.
And I suspect that in performing his job duties, he needs to be familiar with a wide array of browser technologies, not just IE.
So, please mod the parent down -1, Needs a Clue.
I tried it on WinXP Pro (no SP2) IE 6.0.28 and it went through on the first try without even a warning from IE.
Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.
On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.
I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect only hope is that other browser developers will suddenly agree with microsoft that security zones based on the current location of a file is a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
From the article:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherit in the OS, not in the Firefox browser.
True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
-- Halfabee
Just tried it on a fresh SP2 install and it works. The kicker is even after I've closed IE I still can't delete the boom.exe file from startup because its being used by a different program. Oh well, might as well disarm it (yeah I know its a 0kb exe but what the hey) with msconfig.
The handful of sites that don't work well with Firefox/Moz is really a small price to pay for the added security especially in regards to drive-by spyware installs.
Your comment was:
"He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."
To quote TFA:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
Please RTFA before posting corrections to the comments of others. Thank you.