Slashdot Mirror


IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

21 of 1,035 comments

  1. Uhhhh... by Capt'n+Hector · · Score: 4, Interesting

    Yes, viri, trojans and spyware tend to be third party. The problem is, IE lets you download these and execute, sometimes by just viewing a page.

    --
    Quid festinatio swallonis est aetherfuga inonusti?
    Africus aut Europaeus?
  2. Bad programming model by John+Hansen · · Score: 5, Interesting

    So, pray tell, how is making a horribly insecure third-party application model (DirectX) and then complaining about how people are exploiting it supposed to hold water? YOU ARE THE API DEVELOPER. IT IS YOUR RESPONSIBILITY TO ANTICIPATE POTENTIAL ABUSES.

    Because if I'm reading this right, then that's exactly what Gates is doing. No wonder Microsoft's products are so shitty; they think that security is something that happens to other people.

  3. Re:No thanks by mibus · · Score: 5, Interesting

    It's just a matter of scale.

    A pristine WinXP box will be compromised in 20 minutes (on average).

    I'm still waiting for my unfirewalled 'nix box to be rooted ;)

  4. Re:Antivirus is not a thing you "build in" by plover · · Score: 5, Interesting
    I want to know why Bill Gates thinks it can't be built in.

    I'm not talking pure heuristic detection, because a perfect heuristic detector is theoretically impossible. But why can't Microsoft build in a scanner that downloads virus definitions?

    Virtually all of the viruses of the last five years or so have been Microsoft viruses. (Boot sector viruses are soo last millennium, and everybody's BIOS already detects those.) Not "PC" viruses, not "MS-DOS" viruses, but specifically "Microsoft Windows" viruses. Since they seem to be at the forefront of providing the virus delivery systems, why do I have to pay someone else (like Symantec) to protect me from them? Why isn't patching these defects included in the purchase price of this obviously defective product?

    --
    John
  5. let us all remember this, then by calculadoru · · Score: 3, Interesting

    Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

    Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.


    Let us all remember the line above then. Nothing is going to change?
    I think it will.

    --
    The power of accurate observation is commonly called cynicism by those who have not got it. -- G.B. Shaw
  6. whoa this stretching by radaway · · Score: 3, Interesting

    I need lessons with Bill so I improve my English, I guess it's easy to learn it, if you stretch the meaning of the words as much as Bill.

    Watching a website outside microsoft.com=downloading third party software.

  7. Re:Easy to assign blame by plover · · Score: 5, Interesting

    Then you should use Portable Firefox on a flash drive at school. Jack in the thumb drive. Run PortableFirefox. You get to bring your own bookmarks and cookies with you, and leave nothing like log files behind. And 32MB drives are available for about $10.00 (check the clearance bins at places like Micro Center or wherever.)

    --
    John
  8. Re:Antivirus is not a thing you "build in" by Mavakoy · · Score: 3, Interesting

    > I want to know why Bill Gates thinks it can't be built in.

    It can't be built in due to the anti-trust lawsuit MS is/was in over integrating IE, Media Player and all the rest into Windows.

    MS don't want another suit to appear for 'trying to cripple the AV industry' by providing an AV software package with Windows. Sophos et al, would not be happy and they'd unfreee the Super-Lawyers and let them loose!

  9. Re:Easy to assign blame by Soko · · Score: 4, Interesting
    What's to stop a spyware/virus-laden school PC (those have to be the worst) from infecting your Firefox .exe, and then having you bring that home with you?

    Ahem...
    C:\>attrib +r D:\*.exe
    C:\>attrib +r D:\*.dll
    ...assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine). There, all better now.

    To the grandparent: Thank you for pointing that project out. It truly shows that having the source code to software open and available can lead to all sorts of interesting - and very useful - things.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  10. Check the history of the seatbelt in the car by SmallFurryCreature · · Score: 4, Interesting
    The car industry, well mostly the american car industry, was extremely reluctant to do anything about safety in cars. Safety studies might give the audience the idea that driving wasn't safe.

    They tried everything to stop people from doing safety studies and stopping laws making safety devices mandatory. It did not fit their marketing image to have to put safety features in.

    Sounds very similar eh? Gates blames insecurity on bad users. The car industry blamed it on bad drivers (this fits marketing as no one thinks of themselves as a bad driver).

    Until enough studies came out showing how dangerous cars were (things like the steering column being a spear aimed at your chest) and the public started to get aware and government was starting to take action ONLY then and very slowly did the car industry do something. That still won't do anything until laws enforce the use of seatbelts and even then you will have idiots claiming using seatbelts is unsafe. Same as I have met a person (not heard about, actually talked to myself) who didn't use anti-virus software because it was reading their files.

    So don't hold your breath waiting for MS to move on its own. SP2 was already a huge achievement. Anything more will only come after a long long struggle.

    Or a very short one if you install the flippered OS. Or the horned one if you're into necrophilia. Then again, that is like driving a Volvo. Not cool. Sure your kids might survive an accident but who cares about that eh?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  11. Re:No thanks by buffer-overflowed · · Score: 3, Interesting

    Software CAN kill you though.

    There have been cases where 911 systems went down due to software glitches (Windows IIRC), that can certainly put a hurt on your life expectancy (in the case I'm thinking of, the phones stayed on, but the computer systems died, so they had to dispatch the ol' fashioned way).

    Or Medical databases, mix up what drugs someone is taking when prescribing new ones and that software glitch can certainly be hazardous to your health, if not kill you. Small risk, since there's a double check (Doctor and Pharmacist), but there.

    Or the computers in your car, big error in one of those chips and BAD things can happen. Or air traffic control. SCADA (old crappy UNIX, being replaced by new crappy Windows) systems. Fly by wire. Etc. Etc.

    Software can definitely kill you, it permeates so much of our lives a glitch in the right place can actually kill you. Don't lose sleep over it, a real gremlin has to be in the works for this to happen and for no actual person to be there to compensate for it.

    Now, your desktop software decision isn't likely to do so.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
  12. Re:Embrace, extend, and extinguish. by TiggsPanther · · Score: 3, Interesting
    Gates: "We're big believers in interoperability."

    I was amused by that, too. I was tempted to call bull, but technically they are interested in interoperability.

    It's just that they seem to believe that everyone else should have to pay them for the privilege of being interoperable.
    It's great from a business point of view, but not much use from a F/OSS point of view, unless projects manage to pick up a sponsor who would be willing to shell out to license the technology and manage to do it in such a way as is compatible with whatever license they're using.

    --
    Tiggs
    "120 chars should be enough for everyone..."
  13. Re:No thanks by Ilgaz · · Score: 4, Interesting

    Maybe the reason is different?

    If you would steal a car, would it be Toyota or BMW? I mean, if I was a haxor trying to steal someone's CC, it would be $3000 dual G5 owner rather than $500 Taiwan OEM owner.

    Or... Something real interesting showed up when I check my Internet Plugins folder (Yes, Mac IE even uses Netscape plugin arch)

    cable25-100:/Library/Internet Plug-Ins ilgaz$ ls -l
    total 72
    drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 DRM Plugin.bundle
    drwxrwxr-x 3 root admin 102 6 Jul 22:00 Flash Player.plugin
    -rwxrwxr-x 1 root admin 963 22 Jul 17:09 Java Applet Plugin Enabler
    drwxrwxr-x 3 root admin 102 22 Jul 17:23 Java Applet.plugin
    drwxrwxr-x 3 root admin 102 31 Aug 05:17 JavaPluginCocoa.bundle
    -rw-rw-r-- 1 root admin 4752 22 Jul 17:09 NP-PPC-Dir-Shockwave
    drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
    -rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin
    -rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin.xpt
    drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
    -rw-rw-r-- 1 root admin 856 22 Mar 2004 flashplayer.xpt
    -rw-rw-r-- 1 root admin 2394 1 Apr 2004 nsIQTScriptablePlugin.xpt

    Look which company's plugin is installed in an awful insecure way?

    Microsoft!

    While at it, if you don't have "spyware" concerns, as an admin user, go to www.pcpitstop.com (in fact, they aren't spying) and run their tests...

    See the amazing things ActiveX can do! That's the root of the problem.
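
The check behind the observation in the comment above, as an added example that is not part of the original comment: list the entries in a plug-in directory that any local user can write to, then clear that bit. The function names and the sample directory are constructed for illustration; the sample mirrors four rows of the listing.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Finds entries directly inside a plug-in directory whose "other" write bit
# is set (mode drwxrwxrwx / -rw-rw-rw-), i.e. any local account can replace
# or modify code that the browser will later load.

# world_writable DIR -> one path per line, sorted
world_writable() {
    # -perm -0002 : the "other" write bit is set
    # ! -type l   : skip symlinks, whose own mode is always rwxrwxrwx
    find "$1" -mindepth 1 -maxdepth 1 ! -type l -perm -0002 -print | LC_ALL=C sort
}

# count_world_writable DIR -> number of such entries
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR -> remove the "other" write bit from those entries
fix_world_writable() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l -perm -0002 -exec chmod o-w {} +
}

# make_sample -> creates a constructed directory with the same modes as four
# rows of the listing and prints its path
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/DRM Plugin.bundle" "$d/Windows Media Plugin" "$d/Flash Player.plugin"
    : > "$d/flashplayer.xpt"
    chmod 777 "$d/DRM Plugin.bundle" "$d/Windows Media Plugin"   # drwxrwxrwx
    chmod 775 "$d/Flash Player.plugin"                           # drwxrwxr-x
    chmod 664 "$d/flashplayer.xpt"                               # -rw-rw-r--
    printf '%s\n' "$d"
}

# Demo on the constructed sample: report, fix, report again.
sample=$(make_sample)
echo "world-writable before fix: $(count_world_writable "$sample")"
world_writable "$sample"
fix_world_writable "$sample"
echo "world-writable after fix: $(count_world_writable "$sample")"
rm -rf "$sample"
```
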

  14. Sweetest Revenge: Linux Media Centers by randalx · · Score: 5, Interesting

    Gates: What the consumer wants is pretty clear: a single remote control that lets them navigate photos, music, videos, TV in a very rich way. They want to see that on any screen in the house and then have a great portable device where they can take that stuff wherever they want anytime. The full realization of that dream is still years away, but we've taken a dramatic step in delivering that with Media Center.

    I think it'd be great if we could beat Microsoft to the punch by offering all of this and more using Linux and open formats (not WMA Bill!). It seems like there is already a lot of work in the area going on (MythTV, Freevo, Mister House, VLC) but is any of this ready to be easily set up by the average Joe? Is there any work being done to put all the pieces together. Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment. Not only could a Linux based solution put anything from MS to shame it could also force Movies/TV/Music industries to support open formats if the Linux Media Center becomes the dominant player.

    Am I dreaming or can the open source community take the lead here?

  15. Re:No thanks by Shokac · · Score: 4, Interesting

    I suggest that M$ removes all IExplorer, WMplayers, CD burning etc. software from Windows, and sell them for $10. The price is reasonable because you don't need to pay extra developers for these stupid programs. Then we will have free competition market, and choice. Maybe then M$ Windows would be on any PC.

  16. Re:No thanks by Asprin · · Score: 5, Interesting


    For what it's worth, Ubuntu actually disables the root account by default so you have to sudo everything.

    (I'm sure other distros do that too, but Ubuntu stands out in my mind because I had to wrestle with it unexpectedly over the weekend.)

    --
    "Lawyers are for sucks."
    - Doug McKenzie
  17. Re:No thanks by skraps · · Score: 5, Interesting

    That is a fringe example and doesn't have any effect on the main thrust of the argument. Making the boot media read-only in an effort to stop security holes is like cutting off your legs so that you won't accidentally stub your toe. You are right that Microsoft will never provide that as an option - because it doesn't make any sense for ordinary use.

    --
    Karma: -2147483648 (Mostly affected by integer overflow)
  18. Re:No thanks by smacktits · · Score: 3, Interesting

    I recently installed Windows 2000 on my sister's computer. For some reason I forgot to disconnect the network cable and before I had even started to install a firewall, it was compromised.

    In all seriousness, the time of first boot to compromisation was under three minutes.

    I daresay it was my own fault for forgetting about the network cable, but even so...

    After that, I experimented with a Unix computer connected directly to the internet instead of being behind a router, as is my normal practise. Like you said, I waited a month for it to get rooted. Never happened. Eventually I put it back behind the router.

  19. Re:How does this happen? by rben · · Score: 4, Interesting

    If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.

    I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -

    • The user using the machine doesn't have admin rights,
    • Windows and related networking software is kept up-to-date,
    • Doesn't use IE / related mail product.

    No, Windows is not just as secure. The point is that there are lots of script kiddies constantly scanning the range of ports used for cable and dsl networked computers. Once they get a response, they scan all the ports on that IP looking for open/vulnerable services. They target Windows because the vast majority of computers on the Internet are running Windows. Look at all the posts in this thread. You can find numerous accounts where Windows computers were infected within minutes of being connected to the Internet.

    It's possible that Linux/Unix would be far less secure if it received as much attention from the hacker community, but there are some good arguments that it wouldn't be. Linux/Unix has been a part of the Internet since it was first conceived and the programmers that have worked on Linux and UNIX have generally been more aware of networking and security issues.

    Linux has a much more modular design than Windows. Windows has been tightly integrated on the basis of Marketing and Legal rather than Engineering decisions. I doubt that Windows will ever be secure without substantial redesign of the entire OS. Unless Microsoft is successful at throwing up legal roadblocks, Linux is going to continue to outstrip Windows in security, reliability, and eventually usability.

    --

    -All that is gold does not glitter - Tolkien
    www.ra

  20. Re:No thanks by chongo · · Score: 3, Interesting
    > Q: Might you add anti-virus/spyware protection in Windows?
    > Gates: It's not a thing you build in.

    This is because Microsoft allows spyware to be installed as part of its critical updates!

    Last month I watched as a friend:

    1. removed his machine from the network
    2. installed Windows 2000 on a new box from CDs
    3. installed both spybot and AdAware 6.0 pro (anti-spyware tools).
    4. ran a scan of the system (no spyware problems were found)
    5. plugged in his machine behind a firewall
    6. accessed (via IE) the Microsoft OS updates and office 2000 updates sites
    7. downloaded the service packs and critical updates
    8. disconnected his system from the network
    9. installed the service packs and critical updates
    10. Reran the spyware scan
    11. looped back to step 5 until there were no more service packs and critical updates to install in step 6/7

    During the last update and spyware scan cycle, AdAware discovered a spyware issue in the registry!

    FYI: The spyware entry came into my friend's system as a result of one of these Microsoft critical updates:

    • Office 2000 Service Pack 3 - English version
    • Outlook 2000 SR-1 View Control Security Update
    • Office 2000 Security Update: UA Control Vulnerability
    • Office 2000 Security Patch: KB822035
    • Word 2000 Security Patch: KB830347
    • Word 2000 Security Patch: KB824936
    • Excel 2000 Security Patch: KB830349
    • Outlook 2000 Update: December 18, 2002 - English version
    • Outlook 2000 Collaboration Data Objects (CDO) Update: Security - English version
    • Microsoft Office 2000/Windows 2000 Registry Repair Utility - English version
    • Office 2000 WordPerfect 5.x Converter Security Patch: KB824993 - English version
    • Access 2000 Snapshot Viewer Security Patch: KB826292 - English version
    • Security Update for Office 2000: WordPerfect 5.x Converter (KB873380) - English version
    • Microsoft GDI+ Detection Tool (KB873374)
    • Security Update for Internet Explorer 6 Service Pack 1 (KB833989)

    AdAware discovered:

    ArchiveData(auto-quarantine- 20-09-2004 10-33-41.bckp)
    ALEXA
    obj[0]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

    For more info on ALEXA spyware see:

    This is not the 1st time that I have seen somebody install a Microsoft critical update and receive spyware. No wonder Gates is not interested in building anti-spyware into his products!

    --
    chongo (was here) /\oo/\
  21. Re:No thanks by akh · · Score: 3, Interesting

    $ whois 63.161.169.137
    Sprint SPRN-BLKS (NET-63-160-0-0-1) 63.160.0.0 - 63.175.255.255
    FEMA SPRINTLINK (NET-63-161-169-0-1) 63.161.169.0 - 63.161.169.255

    whitehouse.gov is on FEMA's network? Interesting. Though it kind of makes sense if you think about it.

    --
    Accept Eris as your Fnord and personally sate her