Slashdot Mirror


IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

20 of 1,035 comments (clear)

  1. No thanks by BWJones · · Score: 5, Insightful

    Gates: Understand those are cases where you are downloading third-party software.'

    Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates? Furthermore, I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

    Moving along: Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box? What does that tell us about the quality of your products? After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium.

    You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.

    --
    Visit Jonesblog and say hello.
    1. Re:No thanks by strider44 · · Score: 5, Insightful

      Of course the simple solution is not to run under admin. I like the way that linux actually forces (well it doesn't but severly recommends) the user not to run something under admin. Then again usually for newbies spyware can be installed as easily as

      Installation Instructions
      1. Login as root
      ...

    2. Re:No thanks by asadsalm · · Score: 5, Insightful

      Q: Might you add anti-virus/spyware protection in Windows?

      Gates: It's not a thing you build in.

      Us: But a browser is a thing you can build in ... Right?

    3. Re:No thanks by mikkom · · Score: 5, Insightful

      Most of the servers are unix boxes that are connected to internat and many of them don't have firewall. Simply because there are no services that need to be firewalled.

      Windows instead has many "default" services that you can't turn off.

    4. Re:No thanks by ajd1474 · · Score: 5, Insightful

      If MS included Anti-virus, serious Firewall software and whatever else you feel they should include to make it "secure", you'd be the first person up in arms claiming it to be another example of MS using their monopoly to push out competitors.

      Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??

      Also, motor companies do NOT make Airbags, ABS and skid control... they are usually made by third party companies (Bosch for example). So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldnt get a choice, and that we should add another $50 to the cost? Sounds anti-competitive to me. Sounds like you're another /. er who trips over their own arguments in an effort to be the first to bash MS.

      --
      I refuse to have a sig... dammit!
    5. Re:No thanks by aichpvee · · Score: 5, Insightful
      You're obviously very confused. The *nix box "can" be compromised, but probably won't be. The windows box "WILL" be comprimised, and in a matter of minutes.

      Whether things would be reversed along with the marketshare, it's impossible to say. But there's really no way anyone can do it worse than what microsoft is doing.

      --
      The Farewell Tour II
    6. Re:No thanks by tuxlove · · Score: 5, Insightful

      You're not playing devil's advocate, your point is just irrelevant. The original poster's point is that there are plenty of security holes that have nothing to do with downloading third party software. You can get compromised by reading your email, visiting websites (there are dozens of known vulnerabilities) or even having your computer sitting idle on the Internet, all of which have nothing to do with downloading third party software. A firewall is moot for the first two, and irrelevant for the third, because as soon as you take away the firewall the machine's toast w/o downloading a thing. Putting a NAT router in front of Windows doesn't fix it, it just masks the problem Bill Gates says isn't there.

    7. Re:No thanks by thepoch · · Score: 5, Insightful

      Argh I'm beginning to sound like a broken CD lately, having to always repeat myself.

      It isn't only that Microsoft doesn't even try to tell people that using Admin all the time is bad. It's also the stupid developers that never test their software with non-Admin accounts. And don't even start to talk about RunAs. That's broken as well for most apps.

      The only way for all this nonsense to hopefully be worked out is if Microsoft forced developers by making the default account a "User" account. Not even a "Power User" as that's pretty lame as well. Then every app out there will be forced to store their settings in the user's respective "Documents and Settings" folder. At this time, a lot of apps still store settings in either C:\Program Files\ or in HKEY_LOCAL_MACHINE. I'd rather have it in my own C:\D & S\username\Application Data folder and in HKEY_CURRENT_USER. This makes it more similar to *nix where it stores all settings in my /home/username in .files or .directories.

      Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

    8. Re:No thanks by ultranova · · Score: 5, Insightful

      Unfortunately, running as a normal user won't do any good in a single-user system. After all, you have the right to access your own folders, and thus are still vulnerable to malware which installs there - you just can't pollute other users with it.

      Linux isn't immune to this problem either. It was designed to sandbox users from each other, but a single normal user will find it difficult to sandbox individual processes. Any process running at my privileges can access all my files, install cron jobs to be run automatically at machine boot, etc.

      A real solution is a fine-grained permission control. For example, a Web browser should be able to read it's configuration files and plugins/extensions, connect to any Internet address, and write to the bookmark file(s) and download and cache directorie(s). It shouldn't be able to do anything else. If there was an easy way to do this, even if the browser was compromised by a web site, there wouldn't be much that site could do. Especially if you could set the bookmark and configuration files to be stored as a "journaled" file, which would record the changes to it and allow returning to any given point in time. Obviously, you'd also need to move any downloaded files away from the download folder and check them with MD5/SHA1 checksums to avoid tampering (but how do you get that checksum, if you suspect your browser has been compromised ?)

      I'd imagine something like this could be done with relative ease with Hurd, since one of it's design goals is to allow each user to replace parts of the operating system (even the file systems) with new parts without disturbing others. So you could install a translator to control access to your home directory or any subdirectories (but of course such translators can also be removed by programs runnign with your permissions - that's one permission that should be droppable).

      An alternative way would be to allow users to build and set up "subusers" - simply add 32 bits to processes (and files) user id. The complete id would then be in the form of userid.subid. Userid.0 would have all the rights of the user, while userid.1 would be a "subuser" and have limited rights (the system would basically make userid.0 the root of his own home directory). This could also be generalized into a hierarchical authority tree, allowing individual programs to run parts of them as more restricted users (for example, a p2p-application could generate separate processes for managing file storage and network connectivity, allowing the part that touches the network to run without any access to filesystem and thus reducing the likelihood of a bug in it from causing damage).

      To summarize: the traditional access controls are designed to protect users from each other. This is not enough. A single unprivileged user needs an easy way to make sandboxes for programs to run in. If the computer is a house divided with walls to different rooms for each user, then all those users need the ability to further subdivide their own rooms with more walls, and they must be able to make/remove those walls without help from the janitor (administrator).

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  2. Rubbish! by Any+Web+Loco · · Score: 5, Insightful

    Those holes are what LETS third-party software install its freaking self.

  3. What's that I hear dying? by MoralHazard · · Score: 5, Insightful

    Sounds like Microsoft's Trusted Computing Initiative isn't getting as much executive support as it might've.

    Remember that, Bill? When you said you were going to make all the Windows computers secure by focusing all your energies on securing your code?

    Now, it's not your fault, and you won't do anything to fix it? Then why on earth did you tell everyone that you would?

  4. Ones not made by Microsoft by Anonymous Coward · · Score: 5, Insightful

    Especially the ones that you get while downloading the updates.

    So the thing the users keep doing wrong is hook it up to the internet.

  5. From TFA.. by mstefanus · · Score: 5, Insightful

    Q: What's your take on making Windows Media compatible with Apple?
    Gates: We're big believers in interoperability.

    BWWAAHAHHAHAHAHHAHAAAHHAAAA!!!!!!

    Yes yes... ofcourse, interoperability within Microsoft products

  6. Re:Blame Game by ladybugfi · · Score: 5, Insightful

    See the quote: "More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

    Money is no replacement for clue.

  7. Gibberish by gruntled · · Score: 5, Insightful

    The purpose of Internet Explorer is to download third party files (by viewing Web pages). Mr Gates's claim that vulnerabilites exist because of such downloads is therefore nonsensical; it's like saying we could end deaths due to automobile accidents by banning automobiles. Yeah, there's a certain logic to that, but it sort of misses the point. To take a recent, ongoing example: A malevolent Web page can use an image file to compromise a Windows system. This vulnerability is not created by users who have somehow previously contaiminated the local environment; it's a part of the system's design. The OS was originally built to offer features over security, and maintaining backward compatability rather than fixing those issues would make it more difficult to coax existing users into upgrading (and would also make it easier for existing users to consider alternatives rather than upgrading). I lost two years of my life covering the antitrust trial, listening to this guy and his minions cheerfully perjure themselves, and he just can't seem to stop making it up.

  8. The user's fault? We can fix that! by outanowhere · · Score: 5, Insightful

    Blame it on the user.

    Again.

    As usual.

    As always.

    Microsoft and especially Mr. Gates have both blamed the user for DOS and windows bugs, et cetera, ad nauseum, since the beginning.

    It's one of the things that really encouraged me to dump windows. Being told personally, to one's face, by Microsoft and Mr. Gates that the problems with DOS and windows is my fault made it very easy to walk away from the huge investment in microsoft stuff.

    Since the user is at fault, the user can fix it--like I did: dump microsoft.

  9. Catch 22 by The+Real+Nem · · Score: 5, Insightful

    It is kind of a catch 22. If Windows had built in anti-virus software no one would buy 3rd party anti-virus software and Microsoft would gain a monopoly in the market. They would get their asses sued and everyone would complain that they have a monopoly or they have created an unfair environment. We've seen it before. If Windows doesn't have built in anti-virus software everyone complains they don't.

    And even if Windows did have built in anti-virus software, can you honestly tell me, given their track record, that you would feel secure with it? If everyone used Windows built in anti-virus software wouldn't it be just that much easier to exploit and cause even more damage.

  10. Re:infomechanics by arkanes · · Score: 5, Insightful
    There's no such thing as "bit rot" per se - things like fragmentation can cause a gradual decrease in performance, but not failure. The term is used in software development because of the way old parts of source code don't get looked at and updated and touched.

    Simply put - the "maintenance" that we refer to with software, and that's being compared to cars above is in fact no such thing. Every patch and update that's issued is to correct a _mistake_ in the software - not something that gradually failed because of wear. Cars need regular maintaining because they're physical objects in a physical environment and the stresses and imperfections of that environment cause real physical damage that needs to be repaired. Software "maintenance" is actually incremental development - it's correct mistakes that are in the original.

    All that said, software (at least most of it) is far, far more complex than your typical car, and has had far less time to mature. The physical limits that a car operates in are well defined and well understood, and the vehicles are designed with that in mind. There are well known and well understood physical requirements and those requirements are easily tested. Software lives in a very different environment with a very different level of contstraint and a very different level of user expectation.

  11. I'm sorry, what!? by rincebrain · · Score: 5, Insightful

    Last Q/A in the article:
    Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

    Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
    [Italics and bolded sentence my own markup]

    So let me get this straight, Mr. Gates. You have thousands of people working just on Internet Explorer, and yet...a thousand or two thousand people working on Mozilla have bested you?

    Nothing is going to change, indeed, Mr. Gates. You're going to keep spewing the same old story, ignoring obvious holes in your own logic (third-party software is to blame for all security problems, true...but that doesn't mean your software should allow third-party software to install itself without the user doing a thing), denying any obvious falsehoods in your own statements (" We feel like we are pioneering an experience that to us is a clear thing most households will want." - Gates, regarding Windows Media Center PCs...I'm sorry, I didn't know you pioneered multicasting from a set-top box...I presume Linksys is paying you licensing fees for their video broadcast device, to name one alternative?), and hoping people will be stupid enough to follow it.

    The saddest part of the above discourse is, Gates is probably right. People are, until told otherwise, going to keep using bug-ridden products, until they are shown that there are alternatives...I know many users who have never clicked Windows Update in their lives, and not because they've never used Windows.

    I could be wrong, but I'm sensing a downward spiral, when M$ can announce things such as they did in their article, and not get negative feedback from the interviewer. Just my $0.05.

    --
    It's only an insult if it's not true.
  12. Critical assesment vs Belief by quinkin · · Score: 5, Insightful
    It seems to me that social gullibilty has nothing to do with detection of a lie - instead it stems from the belief of an assertion with no critical evaluation. Critical analysis over unquestioning belief is a much maligned concept in most education systems.

    Our children are being indoctrinated from a very early age to believe what authority figures (parents, teachers, the tv, etc.) tell them. Should we be surprised when a concept ingrained for 10+ years during the most formative childhood years translates to an easily misled populace?

    Do not believe anyone. Do not believe politicians, scientists, priests, your parents, the police, and please don't believe the mass media.

    Teach your children to think, not believe.

    Q.

    --
    Insert Signature Here