Slashdot Mirror


Three New Microsoft Bulletins

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

224 comments

  1. Quick? by Anonymous Coward · · Score: 5, Insightful

    The extremely critical exploit was listed on 2004-10-20! It took nearly three months to fix.

    1. Re:Quick? by Jugalator · · Score: 2, Informative

      On the other hand, Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Quick? by Anonymous Coward · · Score: 0

      No, after the flaw was upgraded once people realized how truly bad it was. The flaw was listed, but not deemed as critical, since October. A smart malicious user could've been exploiting this for months.

    3. Re:Quick? by Jugalator · · Score: 1

      Sorry, I can't count, it seems more like 8 or 9 days.

      The workaround is in KB Article #888534.

      --
      Beware: In C++, your friends can see your privates!
    4. Re:Quick? by lucabrasi999 · · Score: 4, Funny
      Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

      For those of you that haven't seen the workaround, here is a link.

      Yeah, I know, I know. But it was TOO easy, I couldn't resist....

    5. Re:Quick? by Jugalator · · Score: 1

      That's a darn expensive switch if you're already sitting on x86 hardware, which I have a feeling Windows users do. :-)

      I suggest another OS in that case.

      --
      Beware: In C++, your friends can see your privates!
    6. Re:Quick? by bonch · · Score: 3, Insightful

      I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

      LinuxSecurity keeps a running list of daily vulnerability announcements from all the distros. Just click on a distro and be amazed at all the buffer overruns, root exploits, code execution, and more that never get reported on this site.

      "Three New Microsoft Bulletins?" Try 13 new Debian bulletins in the past week. Gentoo has announced 12 since last Sunday alone.

      Why aren't these things announced like Microsoft bulletins are? Because Microsoft articles generate more page hits...which is great for the banner ads. They're using you guys.

      This attitude of the flawless Linux is really, really dangerous, because Linux distros are just as ridden with software holes as Windows systems are accused of being, but you'd never know it if all you did was visit Slashdot...and we all know what a false sense of security leads to...

      Of course, Slashdot shouldn't stop posting about Microsoft vulnerabilities. But snide comments like "security-is-number-one dept." make this place seem like a site of nothing but flamebait for Linux fanboys. There's more to security than just hating Microsoft and ignoring Linux security flaws.

      I know I risk karma for this post, but I'm really shocked at the illogic and immaturity displayed on Slashdot, compared to when it began in the 90s. Laughing about Microsoft bulletins in some weird schadenfreude doesn't make the Linux kernel any less imperfect (see yesterday's article) or its distros (see LinuxSecurity any given day for pages of bulletins all collected together).

    7. Re:Quick? by Blue-Footed+Boobie · · Score: 1
      Mod parent up.

      Good to see someone with their head OUT of their ass for a change.

      --
      DAMN YOU OCTODOG! DAMN YOU TO HELL!
    8. Re:Quick? by lucabrasi999 · · Score: 1

      What? Attacking Linux Security?!?! Come on moderators! Let's crush this heretic!

      That is a joke. Personally, I agree with him...

    9. Re:Quick? by j.bellone · · Score: 1

      Agreed.

      Definitely mod this parent up; I would if I had the points. He brings a great point to the table that is always swept under the carpet because of the bullshit explained above. If we really want a true community; shit needs to change not be kept away.

      --
      I'm f#$king magic!
    10. Re:Quick? by 1010011010 · · Score: 1

      Microsoft's response regarding the availability of IE security enhancements and fixes for non-XP versions of windows was, "buy a new computer".

      So, buy a new computer like you were told!

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    11. Re:Quick? by Anonymous Coward · · Score: 0

      This attitude of the flawless Linux is really, really dangerous

      You know, every single time there is a security-related article on Slashdot, some troll pops up to warn us that Linux isn't perfect. And you know what? I have never, ever seen somebody claim that it is.

      So if you think that it is so important that Slashdot post these alerts, instead of wallowing in smug superiority, why don't you submit them to Slashdot? Or, if Slashdot is really so badly skewed, "illogical and immature", then by all means read some other website.

    12. Re:Quick? by MarkByers · · Score: 2, Insightful

      You are referring to errors in non-optional non-admin applications in Linux. Gentoo has 7000 packages, but very few of them are required. This fix is for a required, unremovable application which is embedded into the OS and allows a root of a machine simply by visiting a webpage (since like it or not, most Windows users run with admin privileges). Imagine if a popular website was defaced with an exploit. This is what makes it newsworthy.

      --
      I'll probably be modded down for this...
    13. Re:Quick? by prisoner-of-enigma · · Score: 1

      You know, every single time there is a security-related article on Slashdot, some troll pops up to warn us that Linux isn't perfect. And you know what? I have never, ever seen somebody claim that it is.

      Nor have I. However, every time there's a flaw in Notepad, all the Slashdot faithful come out with that smarmy, holier-than-thou attitude of "weeeeeee don't have those kind of problems with oooouuuuurrr OS!" Yet when similar issues crop up in Linux, you never hear about it. Or, worse, you hear about it but everyone excuses it by saying it's not really serious, it doesn't affect my custom kernel (therefore it's not a problem), or some other it-gets-a-pass response. While this isn't verbatim saying Linux is perfect, it's pretty much the same thing.

      If you point out flaws in something (or someone) else, you had best be willing to stand tall for those very same flaws in what you use as well, otherwise you're just a hypocrite. Linux fanboys need to quit drinking the Koolaid and admit it when their pet OS has problems instead of trying to act like it never happens.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    14. Re:Quick? by r00zky · · Score: 1

      I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes.
      I love it too.

      What if Windows allowed arbitrary code execution just from viewing a PDF file?
      Actually Windows should allow that too... if you were running the not-latest version of xpdf in Windows somehow.

      The differences are that the xpdf vulnerability was fixed in a day, here we're talking about an issue that took 10 days to work around and 3 months to fix.

      And also xpdf isn't a crucial part of the OS.

      2 huge differences for you, KTHX

      --
      I'm a chainsmokin' alcoholic sociopath, so-ci-o-path
    15. Re:Quick? by Anonymous Coward · · Score: 0

      Actually I'd think that 12 vulnerabilities in 7000 applications isn't all that bad when you consider how many applications are "toybox" utilities coded with no security in mind.

    16. Re:Quick? by donnz · · Score: 1

      I'll call bullshit. Here's the evidence. Nice troll though and "karma burning" comments seem to be loved by mods.

      --
      -- Free software on every PC on every desk
    17. Re:Quick? by Daengbo · · Score: 1

      I'm not going to comment about how secure or insecure Linux is compared to WindowsXP, but, living in S. Korea, I receive about 20 targeted attacks per day, based on my logcheck, snort, and portsentry reports. Sshd gets hammered every night, as well as my web services.

      I seem to be holding up fine, though. I'd hate to have an MS webserver directly on the internet, considering the number of IIS vulnerability-based hits my webserver gets every night.

      I did almost have a heart attack the first time that I ran chkrootkit after installing portsentry, because I came up as being infected with BINDSHELL. Luckily, that's answered on the chkrootkit site as being a false positive.

    18. Re:Quick? by Anonymous Coward · · Score: 0

      I'm running XP? oh guess that joke doesn't work then...

    19. Re:Quick? by Idaho · · Score: 1

      What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

      Your reasoning is flawed.

      The PDF viewer most people use on Windows (Acrobat^WAdobe Reader) is not a Microsoft app, but is made by Adobe. So if this happened, we would have to blame Adobe, not Microsoft. Many people don't even install a PDF viewer, e.g. on server machines (or just because you don't use PDF's).

      A similar thing is true about xpdf: it is not at all part of a 'core' linux system, it is just an app programmed by...I don't even know who. Many people won't even have it installed, especially not on servers. We could blame don't_even_know_who for causing this bug, but probably it would not make a really interesting story.

      However, Microsoft has tried to convince us over and over again that YES, IE really is a critical part of their OS, so much so that they can't take it out without breaking Windows (DoJ trial). IE is a part of *every* Windows installation, whether you want it or not.

      So YES, I would consider one or more 'critical flaws' where random sites can execute arbitrary code on basically every Windows machine out there without any user interaction whatsoever (apart from visiting a compromised website) newsworthy - more so than a bug in xpdf.

      But that's just me of course.

      --
      Every expression is true, for a given value of 'true'
    20. Re:Quick? by Anonymous Coward · · Score: 0

      Why? Because /. readers don't want the truth to interfere with their beliefs.

    21. Re:Quick? by Anonymous Coward · · Score: 0

      This was the first criticism of Linux security in a year. You're helping prove his point dumbass.

    22. Re:Quick? by thequux · · Score: 1

      They can't tell you to use Linux, I guess. That's the obvious choice, right?

    23. Re:Quick? by bit01 · · Score: 1

      "weeeeeee don't have those kind of problems with oooouuuuurrr OS!"

      Bullshit.

      Yet when similar issues crop up in Linux, you never hear about it.

      Bullshit.

      True zealotry

      I for one want some balance against the river of crap coming out of M$ every day. When M$ stops those bullshit TV spots, stops branding most PC keyboards with their idiotic Windows keys and stops using its monopoly power to kill competition then I think we can revisit the question of whether /. is balanced or not.

      You're either in marketing or you've bought the M$ marketing drivel hook, line and sinker. If you're in marketing then I suggest you get a real job. You know, one where you contribute to the community instead of being a parasite. You'll have more of the things that matter. If you've just bought into their marketing line then I suggest you make a point of reading a variety of viewpoints and learning to think critically rather than uncritically accepting the self-serving crap put out by companies like M$.

      ---

      It's wrong that an intellectual property creator should not be rewarded for their work.
      It's equally wrong that an IP creator should be rewarded too many times for the one piece of work, for exactly the same reasons.
      Reform IP law and stop the M$/RIAA abuse.

    24. Re:Quick? by Anonymous Coward · · Score: 0

      Heh. On a story about three new Microsoft security patches, I click your link to the Microsoft homepage, and get greeted with the message It's that time again :).

    25. Re:Quick? by prisoner-of-enigma · · Score: 1

      Bullshit

      OK, you've found one article taking note of the increasing number of holes found in Linux.

      Point #1: Did you bother to read the comments on the article? If you did, you'd note a disturbing number of posts (out of the 475 present) centered around pretending the problem really isn't a problem. Pay no attention to that bug behind the curtain, especially when the Koolaid tastes so sweet.

      Point #2: You found one Linux-critical article regarding security holes. Now, do your due diligence and find how many Windows-critical articles have been published. You'll find the ratio decidedly slanted against Microsoft. And don't try to paint it as "well Windows has far more holes than Linux." Secunia.com reports 32 advisories for the 2.6 Linux kernel since Jan 04, with 15 remaining unpatched. During that same period, Windows Server 2003 (released in roughly the same period as the 2.6 kernel) has only 25 advisories, with 4 remaining unpatched. Yep, a veritable "river of crap" coming out of Microsoft, ain't it?

      You're either in marketing or you've bought the M$ marketing drivel hook, line and sinker.

      Ah, I see. Since I don't parrot the "Linux good, Windows baaaaaad" mantra of obvious fanboys like yourself, I must be an empty-headed marketdroid or in the spell of the Great Satan Microsoft itself. In your addled mind, that's the only possible explanation since you've convinced yourself it's impossible for Windows to be a worthwhile OS. Which is more than merely idiotic when you consider the vast number of desktops running paid for Windows when there's such a fantastic, free, nearly-perfect OS like Linux out there for anyone to glom onto. Gee, could it be Linux isn't the best thing since sliced bread for everyone? Nah, that'd destroy your precious fantasies immediately, wouldn't it? So you support your house of cards by simply convincing yourself that the world is insane and you're the lone voice of reason. You suddenly seem so credible to me...not.

      If you've just bought into their marketing line then I suggest you make a point of reading a variety of viewpoints and learning to think critically rather than uncritically accepting the self-serving crap put out by companies like M$.

      Since imitation is the sincerest form of flattery, I'll pay you a compliment: If you've just bought into your own self-delusional visions of grandeur, I suggest you make a point of reading a variety of viewpoints and learning to think critically rather than uncritically accepting the self-serving crap spouted by Linux fanboys with no obvious grasp on reality.

      Oh, and just a little note, the initials for Microsoft are "MS" not "M$". It's a common thing for children to engage in a form of wordplay making fun of an antagonist. If you are unable to rise to the level of maturity where you don't have to resort to specious namecalling, please don't bother replying; I don't care to read drivel written by infants. You'll just earn a nice, neat spot on my Foe list.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  2. XP SP2 by Rolan · · Score: 4, Informative

    It should be noted that those with XP SP2 are only affected by MS005-01.

    --
    - AMW
    1. Re:XP SP2 by bonch · · Score: 3, Insightful

      Isn't it funny how Linux kernel versions affected are explicitly mentioned in Slashdot's articles on the subject? You'd think the fact SP2 fixed the other two vulnerabilities already would have been an important point to state. It's not like SP2 just came out or anything; what is it, over half a year now?

  3. RCE via Active-X, again by Lindsay+Lohan · · Score: 2, Informative

    Microsoft Security Bulletin MS05-001 addresses the cross-domain vulnerability with their HTML Help Active-X control. Microsoft mentions that it's "newly" discovered, but see the proof-of-concept at Security Focus--posted into BugTraq almost a month ago.

    Incidentally, if you're one of those rare Windows users running IE in restricted (ESC) mode, your vulnerability is mitigated... surprise, surprise.

    1. Re:RCE via Active-X, again by redmond_herring · · Score: 1

      "posted into BugTraq almost a month ago"

      Aren't MS releasing updates monthly?
      Wouldn't 'almost a month ago' = newly discovered?

      Just my two cents...

      --
      Stephen Colbert on race: "While skin and race are often synonymous, skin cleansing is good, race cleansing is bad."
  4. First by Shadow+Wrought · · Score: 0, Troll

    Vulnerability?

    --
    If brevity is the soul of wit, then how does one explain Twitter?
  5. Extremely Critical Vulnerability by kneel · · Score: 1, Funny

    Did anyone else think that sounded like something out of one of the Lemony Snicket books?

    --

    indierock / punkrock band photos and more... http://www.digitaldefection.net

  6. What I find more interesting.. by MrP-(at+work) · · Score: 5, Informative

    It would also seem microsoft released "Malicious Software Removal Tool" on WindowsUpdate

    It finds and fixes some common worms.. They plan on releasing a new version every second Tuesday of each month, and each new version will continue to clean worms from the previous versions.

    Wonder what the antivirus companies think about this

    --
    [an error occurred while processing this directive]
    1. Re:What I find more interesting.. by dewke · · Score: 4, Informative

      I think this sums it up nicely.

      --
      Oderint dum metuant
    2. Re:What I find more interesting.. by Anonymous+Brave+Guy · · Score: 1

      I'm glad that they explicitly state (in the description of the tool that pops up if you've got automatic updates on) that its presence on the list doesn't imply the presence of any malicious software.

      The last time I got something like this popping up, some time in mid-'04, the message seemed to imply that I probably did have something unpleasant on my system. My anti-virus software hadn't found anything, though, so I had a couple of nervous days monitoring things to look for signs of any unusual activity. I don't know whether the text supplied with that update was just poorly edited, or something was misdiagnosed by part of Windows Update. Maybe there's still something lurking even now... :-/

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:What I find more interesting.. by TheGavster · · Score: 1

      *gasp* ... customer service. And I thought they took that $200 license fee and used it as toilet paper in the executive washroom ...

      --
      "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
    4. Re:What I find more interesting.. by DarkHelmet · · Score: 1
      It finds and fixes some common worms.

      You mean like that dreaded Firefox.exe that keeps spreading like mad?

      --
      /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    5. Re:What I find more interesting.. by RAMMS+EIN · · Score: 1

      ``Wonder what the antivirus companies think about this''

      Microsoft made anti-virus software before. I used it, but I have no idea if it was any good. It sure didn't make the anti-virus companies go under, though.

      --
      Please correct me if I got my facts wrong.
    6. Re:What I find more interesting.. by MrP-(at+work) · · Score: 1

      yes, i also used it. MSAV.exe i think.. back in DOS (there was also a windows version).. but as far as i know there was no way to update definitions or anything so it couldn't compete with norton/mcafee.. but this new thing is going to be regularly updated.. and right now it just does the major worms but i wouldn't be surprised if microsoft is just trying to sneak in slowly so it can eventually release a complete virus scan suite

      --
      [an error occurred while processing this directive]
    7. Re:What I find more interesting.. by RAMMS+EIN · · Score: 1

      From TFA at the Reg:

      "Microsoft should spend more time, energy and money addressing its own security weaknesses inherent in its products, which are exploited by virus writers and hackers, and less time trying to erode the businesses of existing security vendors."

      It's an interesting statement, coming from someone who produces software we wouldn't need if Microsoft followed his advice...

      --
      Please correct me if I got my facts wrong.
    8. Re:What I find more interesting.. by IceFreak2000 · · Score: 1

      IIRC, MSAV was nothing more than a rebadged Central Point Anti-Virus (CPAV) that was bundled with MS-DOS 6.2

      --
      Life is like a sewer; what you get out of it depends on what you put into it...
    9. Re:What I find more interesting.. by Anonymous Coward · · Score: 0

      I was thinking: "Not really it would like...", and realized that I can't find an analogy.

    10. Re:What I find more interesting.. by JohnyDog · · Score: 1

      They plan on releasing a new version every second

      would be more appropriate.

      --
      People who like this sort of sig will find this the sort of sig they like.
    11. Re:What I find more interesting.. by Anonymous Coward · · Score: 0

      Well I ain't gonna install nothin' that's macilious, I tell ya!

  7. Nice to know... by bonch · · Score: 2, Insightful

    Nice to know that all software is flawed, because it is made by flawed humans. Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article. Just a friendly reminder before the regularly scheduled Microsoft-bashing...now have at it. :)

    1. Re:Nice to know... by devbone · · Score: 0

      Yeah, I agree. Any security human kind can think up, human kind can unravel.

      --
      Devon in Denver
    2. Re:Nice to know... by Doctor+Crumb · · Score: 1

      When is the last time you saw an "Extremely Critical vulnerability" for linux?

    3. Re:Nice to know... by bonch · · Score: 1
    4. Re:Nice to know... by lucabrasi999 · · Score: 1

      January 7th. Ok, maybe not extremely critical, but there are vulnerabilities....

    5. Re:Nice to know... by maskedbishounen · · Score: 1

      I'll give you the inherently flawed part, but at least with Linux, you get what you pay for.

      (I know, I know. There actually are people/businesses who shell out money for it, but one could just chalk that up as "distribution" and/or "support" costs more oft than not.)

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    6. Re:Nice to know... by Doctor+Crumb · · Score: 1

      "Extremely critical" being what I was trying to emphasise. Even the local kernel exploit, while dangerous, is not "extremely critical"; it can only be exploited by users who already have accounts on the system. I agree wholeheartedly that there are indeed vulnerabilities, but you also have to consider the magnitude.

    7. Re:Nice to know... by Dr.StrrAngeLove · · Score: 0

      Damn right

    8. Re:Nice to know... by Attitude+Adjuster · · Score: 2, Interesting
      Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article.

      Insightful my ass! This relativist "all views are equally valid" philosophy you've fallen into (along with the mainstream media) is complete BS.

      Nothing is perfect, and you should use the right tool for the right job (games == XP, work == Linux for me), for sure, but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there. That doesn't mean that Linux or OSX is perfectly secure, but they're much better than any MS product. Whether you measure it by dollar cost to companies, or number of actual (not theoretical) exploits, MS products are more insecure than any *nix. Don't you even remember the millions of USD damage viruses and worms caused last year on MS systems alone?

      The truth of the matter is that Linux is by default, even without hardening, vastly more secure than XP. And the security gap is increasing, not decreasing.

      If you mean the grsecurity nonsense on ./ yesterday, the only story there is about some big-mouth egotist sounding off and the desperate MS apologists eagerly believing what they want to believe. See this and this.

      In case you were also thinking about the uselib ./ nonsense of Jan 07th (here), Fedora core 2 had the patched kernel available on Jan 03. The public announcement of the problem was after it was fixed and had made its way into distribution updates (unless I'm totally misreading the changelogs). Wasn't the advisory this MS update fixes released months ago? Bit of a difference perhaps?

    9. Re:Nice to know... by stevey · · Score: 1

      Four days ago, how about you?

      All admins should subscribe to bugtraq, and their distribution's security announcements sites - no operating system is bug-free.

      But I'd still choose Linux over Windows for security as there is a better record on timely updates, and a much cleaner separation between the kernel and the userland applications, something which isn't true in Microsoft's world.

    10. Re:Nice to know... by Anonymous Coward · · Score: 0

      The public announcement of the problem was after it was fixed and had made it way into distribution updates

      The problem with this attitude is that the flaw was obviously known about before the fix, the fact that it was not publicly released until it was patched is neither here nor there.

      It is merely a form of security by obscurity.

      It is still dangerous, and I still wonder whether there are more white hat lovely people looking at the code, finding flaws, compared to black hats, motivated by the potential of money in mining insecure information wells.

      Who knows how long a flaw has been exploited before it was fixed?

    11. Re:Nice to know... by Anonymous Coward · · Score: 0

      "but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there."

      Prove it. I contend that Linux security is equally bad. Just look at all the web site defacing.

  8. direct download link to Windows fix by Anonymous Coward · · Score: 0
  9. Three months is quick? by MarkByers · · Score: 2, Insightful

    Yes nice and quick. Only took nearly three months!

    Release Date: 2004-10-20

    http://secunia.com/advisories/12889/

    --
    I'll probably be modded down for this...
    1. Re:Three months is quick? by superpulpsicle · · Score: 1

      Well the bulletin is really a mistake. So those fixes won't cut it. The 3 real bulletins go...

      - It's official, our Windows XP IS a vulnerability.
      - It's official, our Internet Explorer IS a vulnerability.
      - It's official, our Windows media player IS a vulnerability.

    2. Re:Three months is quick? by Anonymous Coward · · Score: 0

      ya remind me to download your quick-patches so I can test em for you.. what you think they just fix it and release it?

  10. Happy Patchday by Anonymous Coward · · Score: 0

    Happy updating to everyone.

  11. Microsoft's Quick Move by Mr.Ned · · Score: 2, Insightful

    "Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS."

    Michael, are you kidding me? Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

    1. Re:Microsoft's Quick Move by turnage · · Score: 2, Insightful

      Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

      No, Microsoft was notified at the beginning of October and has only now gotten around to being so sure of their fixes that they're comfortable releasing the patches to tens of millions of computers. There's a big difference.

  12. It's about remediation... by danielrm26 · · Score: 1

    ...nice to see a quick move from MS.

    My thoughts exactly. The focus for many on the anti-MS side of things is not the fact that there are vulnerabilities, it's how they are handled. Grats to MS for tackling this one.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:It's about remediation... by Rolan · · Score: 1

      You're joking right? The information was given to Microsoft 10/21... I wouldn't call 2.5 months fast... Check that release date.

      --
      - AMW
    2. Re:It's about remediation... by danielrm26 · · Score: 1

      True, but it wasn't a huge issue until the exploit code went public. They jumped on it once that happened and that's better than not at all.

      --
      dmiessler.com -- grep understanding knowledge
    3. Re:It's about remediation... by Anonymous Coward · · Score: 0

      Shit, I'd like to have low expectations as you do! Everyday a positive surprise!

    4. Re:It's about remediation... by freakmn · · Score: 1

      Yes, when your expectations are that low, taking a dump would be an everyday, positive surprise.

      --
      warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
  13. only three more? by Anonymous Coward · · Score: 0

    Just wait another week and slashdot will post 10 more. At least they won't be dupes.

  14. More information... by MrP-(at+work) · · Score: 4, Informative

    This page has more technical information about the tool.

    --
    [an error occurred while processing this directive]
  15. Also: Malicious Software Removal Tool by Rolan · · Score: 2, Interesting
    They also released the "Malicious Software Removal Tool":
    This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any variants found. You should also use an antivirus product to remove other malicious software that may be present. This tool helps maintain your computer, and its appearance does not indicate that your machine is infected with malicious software. After you run this item, you may have to restart your computer.

    Looks like they're finally getting tired of the most common viruses running rampant.
    --
    - AMW
    1. Re:Also: Malicious Software Removal Tool by Rolan · · Score: 1

      More information on the "Malware" can be found at this link that was in the EULA.

      They're looking at these with this version:
      Win32/Berbew
      Win32/Doomjuice
      Win32/Gaobot
      Win32/MSBlast
      Win32/Mydoom
      Win32/Nachi
      Win32/Sasser
      Win32/Zindos

      --
      - AMW
    2. Re:Also: Malicious Software Removal Tool by Anonymous Coward · · Score: 0

      http://support.microsoft.com/?kbid=890830

    3. Re:Also: Malicious Software Removal Tool by Anonymous Coward · · Score: 0

      wow, not only do you copy my first post, but now my second post as well

      Double Score: -1, Redundant for you!

    4. Re:Also: Malicious Software Removal Tool by CodeArtisan · · Score: 1

      MS Removal Tool ? I wish...

  16. Spite by FortKnox · · Score: 1, Interesting

    nice to see a quick move from MS

    MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?

    I'm already a comment wading in the anti-MS sludge. Will people see MS is trying to do the right thing?

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:Spite by Anonymous Coward · · Score: 0

      Every post in this thread is going to be the rationalist shit you're spouting or a microsoft bash. No need to really even view the comments eh smart guy?

    2. Re:Spite by RAMMS+EIN · · Score: 4, Informative

      ``How many will reply to me saying I'm out of my mind?''

      At least one. The vulnerability was updated on 2004-10-21. That means it existed at least about 3 months before the fix. I don't know about you, but I don't call that quick.

      --
      Please correct me if I got my facts wrong.
    3. Re:Spite by Mr.Ned · · Score: 1

      "nice to see a quick move from MS

      MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?"

      You _are_ out of your mind. Microsoft was notified in October. Sitting on an "extremely critical security vulnerability" for over three months isn't quick by any definition.

    4. Re:Spite by EvanED · · Score: 1

      Read other comments on this page. MS released a workaround for the flaw 8 days after it was originally posted. At that time, it was not known how critical it was, so MS didn't push a full fix. Now that it is known (Secunia increased the rating 4 days ago), MS has responded quickly.

    5. Re:Spite by FortKnox · · Score: 1

      The workaround was available 8 days after the original notification. But it wasn't labelled as critical. It was upgraded to critical 4 days ago, so MS released the patch right away.

      Pretty fast for a security flaw, eh?

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    6. Re:Spite by RAMMS+EIN · · Score: 1

      Ok, two things:

      1. Either you take security seriously, or you don't. If you take it seriously, you fix the flaws when you become aware of them; not 3 months later when people increase the rating, because they're running out of options to get you to fix it.

      2. We're talking arbitrary code execution here. There's virtually no limit to the damage this can do. I'd say that warrants a somewhat quicker fix. And this was already known 3 months ago.

      So, basically, I don't agree that they didn't know how serious it was until Secunia increased the rating, and even if that were the case, it would have been a lousy excuse at best.

      --
      Please correct me if I got my facts wrong.
    7. Re:Spite by Anonymous Coward · · Score: 0

      when will you realise that microsoft don't give a shit about anything other than their bottom line?

      Wake up. They don't care about you. They care about your money.

      Evangelism is rife in MS.. they are a cult of greedy l4m3rz.

      Marketing is their way of life. And marketing = Bullshitting.

      They will slander, lie, defame, lament, whine, and constantly not care so long as they can pull the wool over their "Stupid Users" (why else dumb down everything) eyes.

      I've been in this game a long time and nothing stands up and shouts "I'm an ASSHOLE" more than microsoft does.

      If you haven't seen Steve Ballmer Monkeydance.mpg I suggest you go check it out and see what kind of freaks your money is supporting.

    8. Re:Spite by prisoner-of-enigma · · Score: 1

      If you bothered to read the whole thing, you'd see Secunia didn't find it "extremely dangerous" until just recently itself. Originally, Secunia didn't put this one very high on the totem pole, so neither did Microsoft. There was a workaround in place within days, and only now that Secunia has elevated the problem is there a patch being issued.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  17. Rule of thumb... by Anonymous Coward · · Score: 0

    Never ever be an "early adopter" of any Microsoft bug fix...sometimes the fix is worse than the bug...

  18. Firef.. well.. by E+IS+mC(Square) · · Score: 0, Troll

    I know there are a lot of anti-firefox sentiments here - but even if we assume FF is really a piece of junk WRT Opera, Safari and other browsers, one good outcome of FF popularity is quick turnaround for such fixes from MS!

    1. Re:Firef.. well.. by Anonymous Coward · · Score: 0

      um. aren't you confusing firefox with IE, and what does firefox have to do with making MS get a patch out?

      as for anti-firefox sentiments - you're on slashdot fs. there's not many of those around

    2. Re:Firef.. well.. by E+IS+mC(Square) · · Score: 1

      Nope... the point is that earlier MS used to take its own good time to fix any IE bugs. It's much faster (at least for IE) now as FF is gaining a bit of momentum.

  19. Don't blame michael by Anonymous Coward · · Score: 0

    As much as we dislike him, this was actually the submitter Jimmy M who wrote that. michael could've edited it out though.

    1. Re:Don't blame michael by spac3manspiff · · Score: 1

      I don't think he even uses windows.

      Either way, windowsupdate was slashdotted and that's all that matters.

  20. Icons by spac3manspiff · · Score: 1

    the handling of Icon and Cursor files

    Heh, now only notepad hasn't had a vulnerability yet.
    Never mind, that did too.

  21. IE: Zones are a broken concept by Tackhead · · Score: 5, Interesting
    Good policy: Deny all, permit selectively.

    Bad policy: Accept all, but let people turn things off.

    Worse policy: Accept all, but let people turn fewer things off depending on four arbitrary "zones" something falls into.

    Worst policy: Make sure the "zones" in question have nothing to do with TCP/IP, netmasks, DNS, or any other networking concept, but make sure they're supported by a proprietary application you've embedded deeply into the OS to facilitate an embrace/extend/extinguish business model.

    Then act all surprised when everyone ends up running at least one of these "zones" (namely the "local" one, which ought to be the most trustworthy) with their proverbial pants down, thereby creating a guaranteed 100% available target for Worm/Spyware/Virus authors.

    Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

    1. Re:IE: Zones are a broken concept by Anonymous Coward · · Score: 0

      They are in Marketing, which incidentally is already filled with Creatures of the Night.

    2. Re:IE: Zones are a broken concept by adamruck · · Score: 2, Interesting

      ah but you forget the most important point... usability.

      The goal for whoever came up with zones was probably something along the lines of, "let's make security as easy as humanly possible". Adding options in IE that actually relate to real networking would be out of the question then. Then users would start thinking to themselves, "what does this all do, I don't understand this, I'm frustrated, I don't like this". Something which microsoft would never permit.

      --
      Selling software wont make you money, selling a service will.
    3. Re:IE: Zones are a broken concept by RobertB-DC · · Score: 2, Funny

      Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

      I heard the last person to implement such a mind-bogglingly dumb Windows "feature" had to marry Bill Gates.

      Maybe Bill would take on the developer of the Internet Zones "feature" as a mistress?

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    4. Re:IE: Zones are a broken concept by Anonymous Coward · · Score: 2, Insightful

      Zones are actually a good idea; it's just that Microsoft did them wrong.

      A reasonable analogy for surfing the Internet is sticking your hand into a trough of water. The section of the trough that represents the Internet is murky, full of parasites and fecal material, and has piranhas in it. You can still stick your hand in there, but you put on your shoulder-length rubber glove first, and put on a chainmail glove & sleeve on top of that. Other parts of the trough have clear water suitable for drinking or enema purposes. You can just dunk your face into that water, eyes open and everything. Other parts vary between those two extremes.

      There are two absolutes that fall out of that model. The first is that the regular Internet is, as a whole, the worst part of the trough. It's not just warez.ru that you have to worry about; you have to worry about cnn.com or bbc.co.uk as well. They are equally dangerous. For one example, suppose someone hacked bbc.co.uk and added a malicious script to it? It's somebody else's computer, and so you cannot trust it. The second absolute is that whatever security measures are in place must partition the trough into discrete zones, with no bleeding across boundaries. If someone on a trusted site has a frame to an untrusted site, and the browser doesn't pick up on that, then the security model is busted.

      Microsoft's zone model doesn't work for a number of reasons. They went about it in their usual ``security last'' way, and assumed that every website in the world would fit nicely into only four zones, and that those should come prenamed with deceptive names. If there's a site on my Local Intranet that I don't trust, then Microsoft's zone scheme works against me. Also, even if they're divided into zones, you're still using Microsoft's braindead security options. IE doesn't have a setting to turn off ``Javascript'' by name. It has several radio buttons for ``scripting,'' but I know what Internet technologies exist as well as the Microsoft guys do. Not listing Javascript by name is deceptive. Also, cookies are a large part of Internet security. I've not used IE since version 4, and it doesn't have a dialog to mark which cookies I want to accept and which I don't. I believe that it does have that now, but I don't know if it's considered a part of the security zones. In short, because it's Microsoft's idea of security, you have to double check to make sure that you force it to line up with real world security.

      IE's approach is more akin to how people browse, though. When I'm configuring my browser, I don't start by saying, "I want all of these sites to store cookies, but none others," then say, "I want all of these sites to use Javascript, but none others." You typically arrange things by site, and those typically fall into several good categories (or zones). At the most extreme, you could need a zone for every site you visit, _plus_ a way to extend that zone to cover IP addresses, for some companies who have unnamed servers doing their eCommerce sites.
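Added example, not part of the thread: a sketch of the per-site, default-deny model this comment argues for, where every capability starts off, rules grant it to an exact host, a domain suffix or an IP range, and a framed document is judged by its own URL rather than by the page embedding it. All names, hosts and rules below are constructed for illustration and do not describe IE's zone implementation.

```javascript
// Every capability is off unless a rule explicitly grants it.
const DENY_ALL = Object.freeze({ scripting: false, cookies: false, activeContent: false });

// Constructed sample rules: one exact host, one domain suffix, and one IPv4
// range for a shop whose checkout servers have no DNS names.
const RULES = [
  { match: { host: 'intranet.example' }, allow: { scripting: true, cookies: true } },
  { match: { suffix: '.shop.example' }, allow: { cookies: true } },
  { match: { cidr: '192.0.2.0/24' }, allow: { scripting: true } },
];

// Parse dotted-quad IPv4 into a number; null for anything else.
function ipv4ToInt(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const n = Number(part);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// True when host is an IPv4 literal inside the given CIDR block.
function inCidr(host, cidr) {
  const [base, bitsText] = cidr.split('/');
  const ip = ipv4ToInt(host);
  const net = ipv4ToInt(base);
  const bits = Number(bitsText);
  if (ip === null || net === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ip / size) === Math.floor(net / size);
}

function ruleMatches(match, host) {
  if (match.host) return host === match.host;            // exact, not substring
  if (match.suffix) return host.endsWith(match.suffix);  // leading dot required
  if (match.cidr) return inCidr(host, match.cidr);
  return false;
}

// Capabilities for one document. Unparseable URLs and unmatched hosts get
// nothing: there is no catch-all zone that defaults to open.
function policyFor(urlText, rules = RULES) {
  let host;
  try {
    host = new URL(urlText).hostname.toLowerCase();
  } catch {
    return { ...DENY_ALL };
  }
  const granted = { ...DENY_ALL };
  for (const rule of rules) {
    if (!ruleMatches(rule.match, host)) continue;
    for (const [capability, on] of Object.entries(rule.allow)) {
      if (on === true && capability in granted) granted[capability] = true;
    }
  }
  return granted;
}

// A page and each of its frames are evaluated separately, so a frame never
// inherits the trust of the site that embeds it.
function policiesForPage(topUrl, frameUrls, rules = RULES) {
  return [topUrl, ...frameUrls].map((url) => ({ url, policy: policyFor(url, rules) }));
}
```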

    5. Re:IE: Zones are a broken concept by SunFan · · Score: 2, Funny


      If they started to make security easier, then why didn't they finish the job? That's like putting seat belts in a car but forgetting to bolt the seats to the floor.

      --
      -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
    6. Re:IE: Zones are a broken concept by someonewhois · · Score: 1

      Definitely. I can't think of how many exploits I've seen allowing execution of code in local zone. It's ridiculous. The zone idea should get merit points for the GENERAL concept. The idea of being able to add "Trusted" sites is ideal. But not in an implementation that by default has the Trusted sites wide open.

      I had a friend (real tech guy, too, which blew my mind apart), who turned JS off. Why? CNet or someone warned people to. That's the stupidest thing I've ever seen... killing functionality for security, when most of the JS vulnerabilities coincide with stupidity/carelessness (phishing is all the JS exploits do, really). On top of that, he had the "Trusted" and "Local" zone having EVERYTHING on. I showed him a handful of Secunia links to vulnerabilities that let people execute in the local zone, he didn't care. He said it was flawless security that way. I wanted to punch him in the face. (But I just linked him to Firefox instead.)

  22. Icons and cursors, oh my! by FirstTimeCaller · · Score: 4, Insightful

    I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

    --
    Wanted: witty unique signature. Must be willing to relocate.
    1. Re:Icons and cursors, oh my! by fienna · · Score: 1

      it's interesting cause most windows flaws are from limitations in C++, not from bad coding. damn buffer overflows...

      on another note, i can't wait till tomorrow when i get to update 50+ machines with this weeks patches! yippee!

      --
      /not so /obvious
    2. Re:Icons and cursors, oh my! by Anonymous Coward · · Score: 0

      Dang, no need to have an orgasm over it!

    3. Re:Icons and cursors, oh my! by Jugalator · · Score: 1

      If we're speaking of flaws in graphics files, this one was of course not as bad since it wasn't limited to Windows, right? ;-)

      --
      Beware: In C++, your friends can see your privates!
    4. Re:Icons and cursors, oh my! by Anonymous Coward · · Score: 0

      Yeah, because, as we all know, all ANSI-compliant C++ compilers are required to introduce, on average, at least one (1) buffer overflow per fifty (50) looping constructs. Who WROTE that spec?

    5. Re:Icons and cursors, oh my! by temojen · · Score: 1

      A few weeks ago there was a "critical update" because one of the dingbats fonts had "unacceptable glyphs" (I'm guessing it was swastikas or inverted pentagrams). It's probably something similar... someone was offended by one of the icons or cursor shapes.

    6. Re:Icons and cursors, oh my! by chiagoo · · Score: 1

      It's even funnier/more disturbing that the resolution to this is a patch for the kernel. From MS05-002 bulletin:

      File Information:
      Cmd.exe
      Kernel32.dll
      Win32k.sys

    7. Re:Icons and cursors, oh my! by evilmousse · · Score: 2, Funny


      hey, don't knock it--security holes in mere font files made xboxen nice and soft-moddable. ^_-

    8. Re:Icons and cursors, oh my! by ThosLives · · Score: 1
      Argh, I can't resist: buffer overflows are not a limitation of programming language (all languages boil down to assembly anyway, right? Didn't someone write something about how all computer languages were equivalent or something - Turing I think?) but a direct result of coding practices (either ignorance, management pressures, or some other non-technical factor).

      I'm a firm believer in the fact that, if it's possible to write one line of bug-free code, it's possible to write one more line of bug-free code, and so on, until you have an arbitrary number of bug-free lines (proof by induction). Granted, it becomes more difficult, but it's not impossible as many would think. If I had enough money, I'd try and prove it...

      Anyway, sorry to rant...I'm in a strange mood today.

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
    9. Re:Icons and cursors, oh my! by bonch · · Score: 1

      I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

      No, security vulnerabilities in the libraries that handle them, just like the libpng, imlib2, and Mozilla XMB vulnerabilities. It happens (even if it's not on the Slashdot front page...).

    10. Re:Icons and cursors, oh my! by JanusFury · · Score: 1

      It's not all that surprising. Quicktime's BMP loader had a buffer overflow until around version 6. (I found it when I was testing out the quicktime API). The trivial stuff seems to be the stuff that often doesn't get checked thoroughly for security holes.

      --
      using namespace slashdot;
      troll::post();
    11. Re:Icons and cursors, oh my! by Anonymous Coward · · Score: 0

      I'd imagine it becomes exponentially more difficult to prove code is correct for each line you add.

    12. Re:Icons and cursors, oh my! by Tough+Love · · Score: 1

      It's mind-numbingly pathetic that Microsoft's kernel actually loads cursor files, let alone gets itself crashed/compromised by them.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    13. Re:Icons and cursors, oh my! by Twanfox · · Score: 1

      Actually, if I recall seeing it right, I believe they removed the Jewish 'Star of David' symbol from the wingdings font. I did a comparison once I saw it change some font on one of my two machines.

    14. Re:Icons and cursors, oh my! by fienna · · Score: 1

      I don't think it's possible to "prove" code is correct at all - it's all so arbitrary you'd pretty much have to boil down to the assembly language and specific processor model to prove anything works - otherwise you're just relying on your compiler working correctly and who's to say that it's without bugs itself?

      --
      /not so /obvious
    15. Re:Icons and cursors, oh my! by Kymermosst · · Score: 1

      I don't think it's possible to "prove" code is correct at all - it's all so arbitrary you'd pretty much have to boil down to the assembly language and specific processor model to prove anything works - otherwise you're just relying on your compiler working correctly and who's to say that it's without bugs itself?

      It is possible to prove that code is correct for specific data, because a computer program is simply a mathematical algorithm, and any algorithm can be proven to be correct for any particular input. Now, the difficulty of the proof is hard to determine, and only valid input can be considered. (Note that once your program tests for "invalid" input and does something predictable, that input is now technically valid, though unreasonable, input.)

      For an example of proving certain code correct, this is an example proving the correctness of a loop using loop invariant theorem (which follows mathematical induction).

      You are right, however, that a particular implementation of an algorithm on an actual machine is subject to problems with the machine itself, including design flaws and environmental effects. You may be able to prove your code is correct for a given input set, including all possible user input, but what happens when a bit gets flipped in a state register due to cosmic radiation?

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
  23. Icon and Cursor files? by stupidfoo · · Score: 1

    which correct vulnerabilities in the handling of Icon and Cursor files

    Seriously now. How the hell did they work that one in? Security flaws in Icon files.

    Amazing.

    1. Re:Icon and Cursor files? by Thundersnatch · · Score: 1

      How? The same way those vaunted open-source developers managed to work widespread security flaws into TIFF images, PNG images, and even file names.

  24. "Malicious software Removal Tool" by kittenthief · · Score: 1

    I personally like the "malicious software removal tool" windows update is in the process of installing... along with the other security patch of course :)

    1. Re: "Malicious software Removal Tool" by E+IS+mC(Square) · · Score: 1

      Never mind. In the end, your machine is as compromised - "malicious software removal tool" removes malicious software, while the patches install other vulnerabilities so that the hackers can install more and new malicious software.

    2. Re:"Malicious software Removal Tool" by quarkscat · · Score: 1

      ATTENTION!

      This new Microsoft tool is broken. I tried
      it, and it WILL NOT REMOVE IE6!

      I don't know if Microsoft is aware of this
      problem yet, so I am going to fire off an
      email to them ASAP.

  25. It's not that interesting by Anonymous Coward · · Score: 1, Informative


    Wonder what the antivirus companies think about this


    Probably very little...

    McAfee already publishes a similar tool called Stinger which is periodically updated to cover new worms.

  26. Nothing is inherently better than the other by missing000 · · Score: 1

    Have fun with your Yugo chump, nothing is better, Yugo or Lamborghini, so I'll take the Lamborghini, you go prove the concept.

    1. Re:Nothing is inherently better than the other by Anonymous Coward · · Score: 0

      Nice, name calling. I guess you have nothing constructive to say. He is right. All software is insecure. Accept it.

    2. Re:Nothing is inherently better than the other by Anonymous Coward · · Score: 0

      uhhhm you missed his point. While it's true that all software has the potential for error since it is made by fallible humans, that does not imply that all software is equally insecure. Some systems ARE better than others.

    3. Re:Nothing is inherently better than the other by lucabrasi999 · · Score: 3, Funny
      uhhhm you missed his point

      Totally OT, but you missed the replier's point. When you disagree with someone, you have at least two options. You could:

      1) Submit a post that provides an argument, preferably backed up with some data.
      2) You could call the original poster a "chump" (or some other disparaging remark) and use a meaningless comparison as your discussion point.

      Guess which of these two options is better?

    4. Re:Nothing is inherently better than the other by Anonymous Coward · · Score: 0

      God!! Your nick says lucabrasi and such sensible talk? Come on, what is the world coming to...

    5. Re:Nothing is inherently better than the other by Anonymous Coward · · Score: 0

      You chump.

    6. Re:Nothing is inherently better than the other by Anonymous Coward · · Score: 0

      I've run UT2004 on Windows and Linux. Windows wins, hands down. You seem to be confused about which car is the Yugo.

  27. It should read ... by ph4rmb0y · · Score: 3, Funny

    Fixes available via Windows Media Player ...

  28. On the Plus side... by Dorsai65 · · Score: 0, Troll

    Windows users now have MS Anti-Spyware.

    --
    --- Asking inconvenient questions for over 30 years...
    1. Re:On the Plus side... by cepler · · Score: 1

      But what does it say when it finds Alexa?

    2. Re:On the Plus side... by Paiway · · Score: 1

      MS Anti-Spyware? Doesn't that classify as an oxymoron?

  29. MS05-003 on Win2K by chiagoo · · Score: 3, Interesting

    I find this part of the security bulletin especially interesting:

    "Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update."

    The old adage usually goes "if it ain't broke, don't fix it". Why would they ask people to patch something that isn't broken? Does this indicate that they expect to find a similar flaw in the indexing service on Win2K?

    1. Re:MS05-003 on Win2K by m50d · · Score: 1

      I think they mean the patch changes security policies on win2K without actually patching anything. Which is something they still want happening on as many machines as possible.

      --
      I am trolling
    2. Re:MS05-003 on Win2K by ilikedonkeykong · · Score: 1

      Even if you use Windows XP you are not affected unless you downloaded SP2. That is exactly why I haven't yet. The MS AntiSpyware is better than AdAware or Spybot though. The only thing it didn't fix was the hijacked favorites folder in IE.

    3. Re:MS05-003 on Win2K by Anonymous Coward · · Score: 0

      If that's true then why are they updating a .DLL file?? You don't need to update a .DLL to just change security settings (right?).

    4. Re:MS05-003 on Win2K by Anonymous Coward · · Score: 0

      What are you talking about? The page for MS05-003 clearly lists XP SP2 in the "Not Affected" category, and lists XP SP1 in the Affected category.

      And the reason why the original XP isn't listed is because MS no longer patches the original XP - only SP1 & SP2 will get patches, and when SP3 is released only SP2 & SP3, etc...

      So if you're running SP1 you should install the patch (or just install SP2!).

  30. Some clarifications and important notes by Jugalator · · Score: 5, Informative

    First, Secunia released the advisory for Windows security update 890175 (MS05-001) back in 2004-10-20. Secunia linked to a workaround for the flaw 8 days after this, that was posted by Microsoft. Secunia increased the severity rating in 2005-01-07, and 4 days later, Microsoft has now posted an actual fix.

    Now, the story, unfortunately for Windows users, and fortunately for e.g. open source evangelists, it seems like there are some things to be aware of if needing to uninstall the fix, for example due to possible problems caused by this fix, which are mentioned here, under the "Known Issues" heading.

    In other words, we're talking about one issue that may appear as a direct consequence of installing this (my first link) and another one if you then decide to uninstall this fix (my second link).

    Of course, if you aren't subject to the first problem, you don't need to do a thing and you are indeed living in the environment Microsoft was crossing their fingers for that you would be in.

    --
    Beware: In C++, your friends can see your privates!
    1. Re:Some clarifications and important notes by Anonymous Coward · · Score: 0

      These known issues you call out are ridiculous. The 1st issue (which is the simplest) is "We turned this stuff off for remote web sites in IE. If they use this, they'll break". Here Microsoft is telling you A) What they Did and B) How to undo it (via the registry, your first link), even though they really recommend you don't.

      The 2nd issue is a little more interesting. Microsoft is saying that this fix has a dependency upon another fix. That other fix touches the files: Hh.exe, System32\Hhctrl.ocx, System32\Hhsetup.dll, System32\Itircl.dll and System32\Itss.dll.

      The new fix only updates System32\Hhctrl.ocx.

      Microsoft is saying if you install the new fix, then install the old fix, and then uninstall the new fix (a very odd order to be doing things!) then things will break.

      Rather than Microsoft crossing their fingers here they're actually giving their customers the information they need to diagnose problems. Certainly the 1st issue may cause some problems, but the 2nd one is probably rather rare. I think the fact that they identified this problem before sending out the patch and documented shows that they're thinking at least a little bit about this stuff.

  31. OS X vuln? by Anonymous Coward · · Score: 0

    [troll]
    When was the last OS X "critical" vulnerability?

    I think I'll pick up a Mac mini...
    [/troll]

    (It's a joke! :)

  32. Important Security Bulletin! by Anonymous Coward · · Score: 0

    Just released today, this exploit will be affecting millions of Windows users around Jan 22. Please advise everyone you know to stay away from this website... it seems to affect all Windows users from Win 95 up to Win XP SP2...

    http://www.apple.com/macmini/

    I can't believe this day is really here.. i'm ordering mine on payday! YES!!!!!

    1. Re:Important Security Bulletin! by Zonnald · · Score: 0

      Looks like the store has been slashdotted.

  33. Indexing Security Issue by Matey-O · · Score: 1

    I had to deal with an Indexing Service security issue last week.

    Seems the guy that handles the website content got upset when Indexer, well, Indexed the website, finding some content that was a little more sensitive than he wanted out there.

    (It's what happens when your contractor migrates your data, then neglects to remove the temp data when the migration is done, I guess.)

    --
    "Draco dormiens nunquam titillandus."
  34. Nothing Gnew here move along.. by Anonymous Coward · · Score: 0

    To paraphrase a rather famous virus tag file...
    "When are you going to fix your f''n OS Bill" There really is nothing new here it is just the perversion of the internet by MS extended C# style coding. The fact that the most heavily used browser can carry executables through html is the problem. Always has and always will be the cause of all these issues with IE.

  35. Yes, but... by rewt66 · · Score: 1

    Why, exactly, should I have to reboot my machine after installing a scanning tool?

    1. Re:Yes, but... by Rolan · · Score: 1

      It appears that the scan occurs at startup. There's no UI to the tool that I've been able to find. So you have to reboot so that it can do its initial scan.

      --
      - AMW
    2. Re:Yes, but... by Zonnald · · Score: 0

      Which I think the idea is that, it gets a chance to scan before the virus is loaded.

      Call me paranoid but, when Linux has 2 or 3 virus protection software companies interested in Linux users, then let the games begin.

  36. At least by bonch · · Score: 2, Informative

    At least it's not in the kernel...

    I've seen plenty of weird things in Linux distros, like privilege escalation in MPlayer. MPlayer, a video player! People really need to start paying attention to LinuxSecurity and witness all the monthly vulnerabilities for their distros. They rarely get mentioned on Slashdot (for whatever reason).

    Random sampling from Gentoo's advisory list:

    Gentoo: HylaFAX hfaxd unauthorized login vulnerability
    Date: Tuesday, 11 January 2005
    HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.

    Gentoo: o3read Buffer overflow during file conversion
    Date: Tuesday, 11 January 2005
    A buffer overflow in o3read allows an attacker to execute arbitrary code by way of a specially crafted XML file.

    Gentoo: imlib2 Buffer overflows in image decoding
    Date: Tuesday, 11 January 2005
    Multiple overflows have been found in the imlib2 library image decoding routines, potentially allowing the execution of arbitrary code.

    Gentoo: Kpdf, Koffice More vulnerabilities in included Xpdf
    Date: Tuesday, 11 January 2005
    KPdf and KOffice both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code if a user is enticed to view a malicious PDF file.

    ...and these were announced on one day! Notice Slashdot is silent.

    1. Re:At least by Anonymous Coward · · Score: 0

      At least it's not in the kernel...

      From MS05-002 bulletin:

      File Information:
      Cmd.exe
      Kernel32.dll
      Win32k.sys

      They rarely get mentioned on Slashdot
      Maybe, but they do get mentioned.

      This is slashdot, not seecolonbackslash, troll.

    2. Re:At least by bonch · · Score: 1

      I'm labelled a "troll" for pointing facts out.

    3. Re:At least by mattyrobinson69 · · Score: 1

      the problem with mplayer, my guess, would be that it runs with a very low nice value, so it is probably either suid root or spawned from such an application.

      For those who don't know, a nice value is like a priority, the lower the value, the higher the priority, and you need root to decrease a nice value to prevent DOS attacks

    4. Re:At least by Anonymous Coward · · Score: 0

      Which facts would those be? It IS in the kernel!

  37. Better colours by Anonymous Coward · · Score: 0
  38. And the winner is... by revery · · Score: 1

    vulnerabilities in the handling of Icon and Cursor files

    Wow! As tough to beat as that is, I think Apple still wins the day.

    Tough call.

    --

    Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
    or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.

  39. zerg by Lord+Omlette · · Score: 1

    Can anyone think of any replacements for MS HTML Help? Something I can use to read the MSDN docs that isn't slow as hell or full of bugs?

    Thanks in advance...

    --
    [o]_O
  40. Sure, why not? by Anonymous+Brave+Guy · · Score: 3, Informative
    Seriously now. How the hell did they work that one in? Security flaws in Icon files.

    Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1, ref 2)

    Or the same sort of way the Mozilla XBM vulnerability arose? (ref)

    This isn't a new thing, and it's not unique to Microsoft, either.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  41. Thanks for the update Slashdot! by Anonymous Coward · · Score: 0

    Thanks for alerting me to the fact that Microsoft released the patches for these exploits, Slashdot!

    Although I could be running daily updates on my Windows Update Services machine, I usually just do it manually every week or so. Fortunately, I don't even have to worry about doing that anymore. I can just come to Slashdot and get the news right when it happens! Now all my Windows machines are even more safe (yes I still use IE, but don't have dumbass users on my network) because of you, Slashdot. Thanks again!

  42. Good, now they can start work on the one from 2003 by sjonke · · Score: 1

    Maybe now they'll find some time to fix the highly critical flaw in IE 5 & 6 that was reported on 8/14/2003 that allows a malicious web site to execute arbitrary code on the hapless victim's machine. Timeliness is next to godliness!

    --
    --- What?
  43. Quick? by Anonymous Coward · · Score: 0

    3 months is quick for Microsoft? How about fixed the day the PoC was released like the latest Linux Kernel bug.

  44. Why is MS getting attacked and not Secunia? by Anonymous Coward · · Score: 0

    Secunia decided to play up this vulnerability last weekend and create an exploit, just for some press.

    And MS, who had preannounced last week this fix gets attacked by slashdot?

    Secunia should be ashamed of themselves. To be honest, they should be held liable if their little headline grabbing led to attacks before this update was released.

    I'm not glad MS took 3 months to fix something. But that pales next to creating an exploit just to get some press to your company.

  45. Automatic? What the... by AMD-lover · · Score: 0

    What is new is that one should use automatic update. Well MS, that is something I decide and NOT you. I want to determine if something is critical (like the char-set or the virus scanner).

    So now I don't/won't/can't update and that makes the internet better for other users? Think, Redmond, Think!

  46. Malicious Software Removal Tool + Steam? by titzandkunt · · Score: 1


    I ran windows update, and got the full package including the Malicious Software Removal Tool.

    During the update, the Steam icon on my desktop flickered.

    Sure enough, steam.exe appears to have been removed, presumably by the aforementioned removal tool.

    Am I the only one out there who's had this happen? (in which case, I'm hallucinating, and all will be ok by morning)

    --
    Political language ... is designed to make lies sound truthful and murder respectable...
  47. Impossible! Microsoft is the MOST secure! by Anonymous Coward · · Score: 0

    Every time there is a Linux bug posted, the first 100 posts are all about how poor Linux' security is and how Windows is so much better. Where are those people now?

  48. Next Advisory: The On Switch by Anonymous Coward · · Score: 0

    MS announced that powering on any Windows system will most likely get yr ass 0wned.

  49. SP2 Security Center by ObsessiveMathsFreak · · Score: 1

    I think all of us should pause for a moment and thank the Gods for XP SP2's security center's automatic download and installation over BITS feature. At least now we know that these updates stand slightly more chance than a snowball in hell of being installed on a friend/neighbours/relatives machine that's been seen to by helpful slashdotters over Christmas.

    SP2, well yeah, hardly perfect I know. But you've got to love the fact that (l)users are now forcefully made aware of possible (read inevitable) security problems as they arise.

    --
    May the Maths Be with you!
  50. Beware of favicons... by Chief+Typist · · Score: 1

    Many websites include a favicon.ico file in the root directory of the site. This icon is used in favorites to display the site's logo, etc.

    Now, without knowing too much about this vulnerability, it seems possible (likely?) that any Windows app that displays icons would be at risk since the rendering of icons is handled by the OS.

    In theory, Firefox would be as much at risk as IE -- both display favorite icons. And neither has a way to block the display of these icons.

    (The CAN notice is "under review", so I can't be much more specific than that.)

    -ch

    1. Re:Beware of favicons... by zerblat · · Score: 2, Informative
      neither has a way to block the display of these icons.
      Actually, in Firefox, set browser.chrome.favicons and browser.chrome.site_icons to false, and you shouldn't see any favicons.
      --
      Please alter my pants as fashion dictates.
  51. Re:Impossible! Microsoft is the MOST secure! by Anonymous Coward · · Score: 0

    Patching their OS! Then look out the flames will start.

  52. Malicious Tool by RAMMS+EIN · · Score: 1

    Let's hope it's not a truly malicious software removal tool.

    --
    Please correct me if I got my facts wrong.
  53. word grouping? by martyb · · Score: 2, Funny

    Hmmm, word grouping makes a difference!

    Given reports that the Malicious Software Removal Tool has identified benign programs (e.g. VNC) as infected, maybe BOTH of the following groupings apply!

    Is this a:

    • a Tool that performs the Removal of Malicious Software?
      i.e. (Malicious Software) (Removal Tool)

      OR

    • a Tool that looks around and Maliciously performs the Removal of Software?
      i.e. (Malicious) (Software Removal Tool)

    Freudian slip?

  54. I give up by 21chrisp · · Score: 1

    Right after I switch my entire environment from linux to windows due to the amazing overwhelmingly dangerous linux kernel exploit from a few days ago and the huge number of linux security issues that were said to be listed this year... this happens. Now my Win2003 server uptimes will get all jacked up.. and they just booted for the first time 2 days ago. Now I'm going to have to switch to OS/1337 in order to preserve my sys admin ego flames.

    Don't use windows. Don't use linux. They both suck. OS/1337 has not once had a single crack or exploit discovered. Plus.. it has never crashed. Not once. OS/1337 will rock your world.

  55. Application vs. OS by obsid1an · · Score: 4, Interesting
    You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw you presented:

    An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.

    That is not a linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.

    Now this isn't to say linux is perfect, but saying that every linux application security bug is the fault of linux isn't true either. However, this really comes down to the design differences between linux and windows. Running linux as root all the time can be just as dangerous as windows.

    It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

    1. Re:Application vs. OS by prisoner-of-enigma · · Score: 2, Insightful

      It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

      So, by your logic, if I run Firefox and don't use Outlook, Windows is a great OS to have, eh? You wouldn't know it by the scorn everyone heaps on Windows, but then again this is /., where no good deed of MS goes unignored and no flaw of Linux goes unburied.

      Nobody says you must use the stuff Microsoft gives you. IE can be bypassed without much difficulty, and Outlook is far from the only mail client available for Windows.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    2. Re:Application vs. OS by Sexy+Commando · · Score: 1
      With MS, IE is part of the OS

      And you believe everything Ballmer said?

      The phrase "part of the OS" is in the sense that sh is part of a Linux distribution. IE code runs in Userland. There is nothing magical about it. IExplorer.exe is just a tiny piece of frontend-like program that calls this huge MSHTML library, which many windows applications depend on. And they are all user land applications.

      If you said something about most people run IE as Admin, I would believe you. But that's not really the issue here because most spywares and viruses and mass mailers can be installed in the home directory without any problem. ("PREFIX=~ ./configure" anyone?)

    3. Re:Application vs. OS by bonch · · Score: 1

      The problem is that Slashdot never makes that distinction and rarely do the posters. When a Microsoft shell vulnerability is announced, someone asks, "When was the last time Linux had a vulnerability like this?", and it seems most people rarely bring up that Linux is just a kernel and so the comparison doesn't apply.

    4. Re:Application vs. OS by prisoner-of-enigma · · Score: 1

      I can't help but think the error is intentional. The childish, immature brat zealot fanboys who love Linux so dearly would rather have an eye gouged out with a rusty spoon than admit Linux has flaws as bad as, and sometimes worse, than Windows. And no amount of truth, even when spoken by Linus himself, will sway them.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    5. Re:Application vs. OS by Daengbo · · Score: 2, Insightful

      But the point is that you can't bypass it. It's hooked into so many services and programs that a flaw in the IE renderer affects the entire OS. That's dangerous. Firefox doesn't hook to anything. If it did, you'd be in similar danger.

      If I move X into the kernel to gain speed, then move most of the rendering for the screen to xpdf, the xpdf vulnerability becomes a scary thing indeed. I hope that Linux stays as modular as it always has, and I'll sacrifice a little speed for safety. Please don't tell me that I deserve neither!

    6. Re:Application vs. OS by Daengbo · · Score: 1

      /dev/hdb2 /home ext3 noexec 0 2 should handle that.

    7. Re:Application vs. OS by Sexy+Commando · · Score: 1

      That would cause major inconvenience to the users. And you forgot the more dangerous places such as /tmp

    8. Re:Application vs. OS by Daengbo · · Score: 1

      I didn't forget, just answered the point that was brought up. Marking various partitions noexec is really important. Do the users compile all the time? You can set up a shared resource for that on another machine...

    9. Re:Application vs. OS by Sexy+Commando · · Score: 1

      I am the only user on the machine and I compile things everyday. So I use nosuid instead of noexec. It suits my need better.

    10. Re:Application vs. OS by strider44 · · Score: 1

      Nope, you have to use IE. It's integrated into the OS so tightly that there's nothing you can do about it. For example, if you use Half Life 2's Steam application, that uses IE quite frequently, and if you install Firefox it won't change engines for displaying the data suddenly. That is a bad example (you can't use the IE shell to browse to non-trustworthy sites), but other examples like in Kazaa you have a fully functioning IE shell operating.

      But anyway, if you actually read the post that he wrote, I think you'll find that his logic didn't say if you run Firefox and don't use Outlook then Windows is a great OS to have.

    11. Re:Application vs. OS by Anonymous Coward · · Score: 0

      For desktop, you need more than just a Linux kernel. Anything on a normal desktop is fair game in the real world, whether it's firefox, mpg123, etc. There have been vulnerabilities reported in all these recently, BTW.

    12. Re:Application vs. OS by Anonymous Coward · · Score: 0

      So, by your logic...

      Looks like somebody needs a refresher course in logic, lest (s)he continue making poor statements and claims.

      The parent said:

      Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

      This can be transcribed as:

      App(embedded) -> problems

      You said:

      ...if I run Firefox and don't use Outlook, Windows is a great OS to have, eh?

      This can be transcribed as:

      !App(embedded) -> !problems

      This does not logically follow. The contrapositive would be something more like:

      If App(embedded) -> problems, then !problems -> !App(embedded)

      In other words, if using an embedded application results in problems, then the non-existence of problems implies a non-embedded application.

      But thanks for trying to play along...

    13. Re:Application vs. OS by Daengbo · · Score: 1

      As long as you are aware. I personally think that noexec should be standard in tmp and home, so that those who need to change it will be the ones who know that risk because they develop for a living or compile source constantly. The standard user has no use for it.

      Thanks for the nosuid recommendation, though.
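
The mount-option exchange above (noexec on /home, nosuid as the alternative, /tmp as the forgotten case), as an added example that is not any poster's code: a POSIX sh/awk audit that reads fstab-format text and reports which of /home and /tmp still permit exec or setuid. The sample fstab is constructed apart from the /home line quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit fstab-format text for the options debated in the thread.

# Constructed sample; only the /home line is taken from the thread.
sample_fstab() {
cat <<'EOF'
# <device>  <mount>  <type>  <options>       <dump> <pass>
/dev/hda1   /        ext3    defaults        0 1
/dev/hdb2   /home    ext3    noexec          0 2
/dev/hdb3   /tmp     ext3    defaults        0 2
EOF
}

# audit_fstab: read fstab-format text on stdin and print one finding per line:
#   "<mount> missing noexec" / "<mount> missing nosuid"  -> option not in effect
#   "<mount> has no fstab entry"  -> the path lives on its parent filesystem
#                                    and inherits that filesystem's options
audit_fstab() {
  awk '
    # Work out whether exec and suid remain enabled after all options are
    # applied left to right (later options override earlier ones).
    function effective(optstr, eff,    n, i, o, opts) {
      eff["exec"] = 1; eff["suid"] = 1             # defaults: exec and suid on
      n = split(optstr, opts, ",")
      for (i = 1; i <= n; i++) {
        o = opts[i]
        if (o == "defaults")                     { eff["exec"] = 1; eff["suid"] = 1 }
        else if (o == "user" || o == "users")    { eff["exec"] = 0; eff["suid"] = 0 }
        else if (o == "owner" || o == "group")   { eff["suid"] = 0 }
        else if (o == "exec" || o == "suid")     { eff[o] = 1 }
        else if (o == "noexec" || o == "nosuid") { eff[substr(o, 3)] = 0 }
      }
    }
    BEGIN {
      # User-writable paths named in the thread.
      npaths = split("/home /tmp", paths, " ")
      for (i = 1; i <= npaths; i++) watch[paths[i]] = 1
    }
    # Skip comments and malformed lines; field 2 is the mount point,
    # field 4 the comma-separated option list.
    $1 !~ /^#/ && NF >= 4 && ($2 in watch) {
      seen[$2] = 1
      split("", e)                                 # reset the result array
      effective($4, e)
      if (e["exec"]) print $2 " missing noexec"
      if (e["suid"]) print $2 " missing nosuid"
    }
    END {
      for (i = 1; i <= npaths; i++)
        if (!(paths[i] in seen)) print paths[i] " has no fstab entry"
    }
  '
}

sample_fstab | audit_fstab
```

On a live system the same function can be fed the real table with `audit_fstab < /etc/fstab`.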

    14. Re:Application vs. OS by Ambassador+Kosh · · Score: 1

      There is a difference though. If firefox screws up I can use konqueror instead or opera in my debian kde setup and neither are integrated into the system. If mpg123 has a problem I can use mpg321 (stupid name) and it will perform all the same stuff and is even transparent to the other apps on the system using it. However if there is a major hole in IE I can't remove it until the problem is fixed, I can't even disable it.

      If there is a hole in IE then stuff like quicken, stream, city of heroes updater and all kinds of other apps are affected by that and there is no way I have seen to change what those apps use.

      How tight the coupling is changes how severe a problem is. At least on a business level if app x has a problem I can choose to disable app x and redirect the stuff to app y instead which can do all the same things but doesn't have that problem.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    15. Re:Application vs. OS by ClioCJS · · Score: 1

      "My god, he's full of shit!"

      --
      -Clio
      Karma: Bad (mostly from not giving a fuck)
      Blog: http://clintjcl.wordpress.com
    16. Re:Application vs. OS by ClioCJS · · Score: 1

      Full of shit. There are tons of pages detailing how to remove IE. For the most part, you just delete the binary while booted to a floppy (or knoppix) disc. There are pages for every version of windows since 95. It's harder for later versions, obviously. And you don't get rid of the libraries, but other programs use those too, and don't even get me started on linux libraries.

      --
      -Clio
      Karma: Bad (mostly from not giving a fuck)
      Blog: http://clintjcl.wordpress.com
    17. Re:Application vs. OS by prisoner-of-enigma · · Score: 1

      I found this and, seeing how it reminds me of you, I figured I'd share it with you:

      One entry found for pedantic.

      Main Entry: pedantic
      Pronunciation: pi-'dan-tik
      Function: adjective
      1 : of, relating to, or being a pedant
      2 : narrowly, stodgily, and often ostentatiously learned
      3 : UNIMAGINATIVE, PEDESTRIAN
      - pedantically /-'dan-ti-k(&-)lE/ adverb

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    18. Re:Application vs. OS by prisoner-of-enigma · · Score: 1
      While I'm at it, I'll address some of your statements:

      You said: ...if I run Firefox and don't use Outlook, Windows is a great OS to have, eh?

      This can be transcribed as:

      !App(embedded) -> !problems

      This does not logically follow.


      Please explain why it does not logically follow, taking into account the parent poster's intent. His statement, distilled to essentials, was that embedded apps like IE are security problems. The logical solution to his objection is to use non-embedded applications, with the inferred result being fewer security problems. Therefore, he was indeed stating

      App(embedded) -> problems

      while simultaneously inferring

      !App(embedded) -> !problems

      To infer something like

      !App(embedded) -> problems

      kind of destroys the poster's point, so it's fairly safe to assume that's not what was intended. After all, if both embedded apps and non-embedded apps result in equal security problems, why bother complaining about IE's deep integration? It serves no purpose to complain unless the intent is to convey the idea that non-embedded apps offer superior security, ergo

      !App(embedded) -> !problems

      does indeed logically follow his argument.

      In other words, if using an embedded application results in problems, then the non-existence of problems implies a non-embedded application.

      I never said this, diagrammed it, or even inferred it. I stated that if the parent poster thought embedded apps were exclusively the root cause of Windows security problems, then removing them and relying on a non-embedded application must remove the security problems associated with Windows. Note that I personally don't believe this (IIS exploits alone account for a larger percentage of successful hacks), which is why I was using the illogicality of the parent poster's argument to demonstrate that.
      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    19. Re:Application vs. OS by prisoner-of-enigma · · Score: 1

      But the point is that you can't bypass it.

      Hmmm...what's this then? Or this? Or maybe even this?

      Aw gosh, I've gone and broke your argument. Hope you kept the receipt.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    20. Re:Application vs. OS by strider44 · · Score: 1

      Let me make this clear, you can't fully remove IE *INCLUDING THE VULNERABLE LIBRARIES* from Windows XP or 2k without destroying your system. When I'm talking about Kazaa and Half-Life and Outlook etc, they don't use Iexplore.exe at all, they only use the libraries. Iexplore.exe is just a shell and does almost nothing but link to its libraries and add a few toolbars. The libraries contain the vulnerabilities, not Iexplore.exe.

    21. Re:Application vs. OS by Daengbo · · Score: 1

      OK, so tell me how any of those remove the renderer, mshtml.dll from the system, which is what my post talked about. Good luck getting a usable system without that.

      I used 98lite to remove it some years ago for a rollout in a university, but it required the 95 dlls to do the job. I doubt you can wedge NT's dlls into XP the same way, but maybe I'm wrong.

      Get some reading skills. Thanks for wasting my time...

    22. Re:Application vs. OS by prisoner-of-enigma · · Score: 1

      OK, so tell me how any of those remove the renderer, mshtml.dll from the system, which is what my post talked about. Good luck getting a usable system without that.

      O ye of little faith -- and apparently even less intelligence. You needn't remove MSHTML.DLL from your system. Indeed, trying to do so is a royal pain because of the automatic restore of Windows File Protection. What's far easier (and well documented if you use that funny thing called Google) is to just remove all file permissions to MSHTML.DLL. There. Done. This does have the side effect of breaking HTML rendering in Outlook 2003, but if you're concerned enough about security to kill IE, you shouldn't be using Outlook either.

      So, far from me wasting your time, you're wasting your own time by being an uninformed, smarmy, self-righteous fool. Try using Google sometime before you shoot off that silly hole you call a mouth.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    23. Re:Application vs. OS by Daengbo · · Score: 1

      I love you, too. You wasted my time by giving me wonderful links to "How to remove the IE executable," "How to disable the IE executable," and "How to run multiple instances of IE" for me to read when the point of the thread was to eliminate the holes introduced by mshtml.dll.

      So, I guess that you have removed permission on it on your system? What percentage of your system works? Want to use any of the subsystems which rely on it? Too bad. How many of your programs that require it just broke?
      Tard. Learn to read what Google gives you before you post it. Try a book, sometime. You might get confused by the big words, but that'll pass, and eventually you'll be able to follow the intelligent discussions on Slashdot. IHBT

    24. Re:Application vs. OS by ClioCJS · · Score: 1

      And I'm sure unix has never had any vulnerable libraries, right?

      --
      -Clio
      Karma: Bad (mostly from not giving a fuck)
      Blog: http://clintjcl.wordpress.com
    25. Re:Application vs. OS by strider44 · · Score: 1

      How did you read that my argument had anything to do with unix?

      Your post seems to miss my point in two ways: Firstly I was talking about Windows, not about any other operating system. I wasn't saying "You should use *nix because Internet Explorer has a vulnerable library!"

      Secondly, now that you have brought unix up, Linux at least places no restrictions on the libraries that it uses, and has no absolutely mandatory libraries. You can disable or rewrite any library you want as long as you resolve dependencies. Though it might rule a few programs out you can always remove a library. I detest that in Windows you can't. That they are vulnerable or not has nothing to do with my argument - all I am saying is that you can't remove the libraries.

    26. Re:Application vs. OS by prisoner-of-enigma · · Score: 1

      You wasted my time by giving me wonderful links to "How to remove the IE executable," "How to disable the IE executable," and "How to run multiple instances of IE" for me to read when the point of the thread was to eliminate the holes introduced by mshtml.dll.

      Compare and contrast your last phrase with:

      OK, so tell me how any of those remove the renderer, mshtml.dll from the system, which is what my post talked about. Good luck getting a usable system without that.

      Umm, it seems you asked a question quite clearly but don't seem to remember asking it! Otherwise, why would you state the "point of the thread" as a defense? Oh, could it be that your point was shot down, and you're just trying to deflect criticism elsewhere? Nah, that would require you to be unintelligent, unprincipled, and a total idiot. Wait a sec...perhaps you are trying to deflect criticism!

      So, I guess that you have removed permission on it on your system?

      I haven't on my personal system because I use IE to access certain sites using ActiveX (namely Exchange 2003's excellent webmail client). However, I have done it for other systems, particularly a few in University settings.

      What percentage of your system works?

      The systems in question functioned perfectly, although they were not running Outlook (the University uses an IMAP4 setup for user mailboxes, and we use Netscape for that). There were no malfunctions. Sorry to burst your ego bubble. Try again next time.

      Want to use any of the subsystems which rely on it?

      Since you're a big fan of "the point of the thread," perhaps I'll point out the point of the thread: you can remove IE threats to your system if you know how. Removing or restricting IE is the first step. You are either too stubborn or too stupid to figure this out.

      Tard.

      Sticks and stones...

      Learn to read what Google gives you before you post it.

      Since you're the one blatantly disregarding the actual content of the Google results, I think the "learn to read" applies much better to you.

      Try a book, sometime.

      Just finished "How To Talk To A Liberal...If You Must" by Ann Coulter. Oddly enough, the principles contained therein on speaking to someone obviously equipped with an inferior intellect apply quite well to you.

      You might get confused by the big words, but that'll pass, and eventually you'll be able to follow the intelligent discussions on Slashdot.

      I'll leave the use of big words to you, since you seem adept at making things up out of thin air to support your unsupportable argument.

      IHBT

      Not being a member of your uber-geek circle jerk squad, the meaning of this acronym escapes me. If you wish to use plain English (something you're disturbingly ill-equipped to do, it seems), perhaps your insult or comment would make more sense.

      In the meantime, remember this maxim: if you can't beat 'em, pretend you beat 'em and go stoke your self esteem. Oh, wait, you've already got that one down to a science.

      You've been foelisted, so go away and pester someone else. I tire of pointing out your deficiencies.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  56. Vulnerability alerts via RSS? by cuban321 · · Score: 1

    Semi-offtopic, but could anyone recommend a good RSS to follow to alert about vulnerabilities? It doesn't even have to be MS or Linux specific. I tried following CERT, but theirs is behind (they don't even have this posted).

    Thanks,
    Daniel

  57. Re:Good, now they can start work on the one from 2 by prisoner-of-enigma · · Score: 1

    This isn't a Windows flaw, it's a Visual Studio flaw.

    Hey, you guys like to say exploits in Linux widgets like XPdf aren't Linux flaws, so it cuts both ways. All bad things seem to be lumped under the heading "Windows," but let a flawed RPM come to light and it's a "that's not Linux" buffet for all.

    Make the same standard apply to both or not at all. Double standards are lies masquerading as virtue.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  58. Risked karma? by Anonymous Coward · · Score: 0
    Risked karma? Bullshit. This type of "Oh, slashdot and slashdot editors are so biased" crap always gets modded insightful. You risked very little.

    The scary thing is that you probably are right about what gets picked up as a story and what doesn't. Just don't pretend you're out on a limb when you're strapped to the trunk with a safety harness.

    But thanks for the insight.

  59. Can somebody who has Win XP x64 help me? by Anonymous Coward · · Score: 0

    I have tried using windows update many times but it never seems to work. Even when I switch to 32-bit IE, it still says:

    Windows Update Error
    Windows Update has encountered an error and cannot display the requested page

    Does anybody know how to get my windows updated?

  60. Not a problem if you don't run as administrator by xswl0931 · · Score: 1

    Yes, some apps don't run nice when you're not admin, but you don't have to run as admin. Thus any IE exploits would only be running under your credentials, not Localsystem, and thus the risk is the same as xpdf.

  61. rush by Anonymous Coward · · Score: 0

    n\t

  62. Hmm 3 months from detect is the reason its here. by Anonymous Coward · · Score: 0

    Linux 13 faults are fixed in how many days. Hmm fault report by the time the fault report is placed patch is also placed. Ie 3 day turn in around on a hard one most cases from detect to fix to distros update ie 13 and 12 would be overlaps.

    Also note the size of install Fedora core 3 fully installed is 6g plus without addons. Yep more software more bugs normal rates so a 1.2g installed windows you would expect less ie linux should have at least 5 times more. Please note Gentoo and Debian are even bigger than Fedora so a 10x plus allowance would not be above expected.

    The point is size is a factor over all Linux is good repair times 3 days or less in most cases and from time to time with the new tools coming on line more faults are being found before they are used by the hackers. Ie Microsoft fault hacker finds it time to fix in most cases That still takes 3 months exposed.

    Let's ask the question how many Ms Windows faults happen in the top 6g of windows apps in the same time.

    Number faults has nothing to do with its time to fix and size source code that has to be protected. The other problem is that Microsoft has a bad habit of hiding faults so no preventions can be taken. Ie hackers have a party. Most faults in linux never get exploited hackers go after Ms Window due to the 3 month time gap it is too hard to attack linux it's a moving target. Just like all hunting animals hackers pick the easiest target to pick off and linux is not the easiest.

  63. Re:Good, now they can start work on the one from 2 by psyon1 · · Score: 2, Informative

    This plugin is part of Visual Studio version 6. However, since the plugin is digitally signed by Microsoft, it may be silently installed through Internet Explorer by any website. The user doesn't have to have Visual Studio installed, they only have to visit a page using the control. And like it states, the control is digitally signed, so it's supposed to be safe, right? "Always allow content from Microsoft.com" is one of the funniest things I've ever seen on computers.

  64. Umm... Bulletins don't correct vulnerabilities. by JessLeah · · Score: 1

    The patches they announce do.

  65. At last! by Anonymous Coward · · Score: 0

    Finally! The last 3 vulnerabilities in Windows have been fixed!

    [hint] mod this funny [/hint]

  66. what do ya know... by Anonymous Coward · · Score: 0

    If I have my internet security on 'high' there's no exploit, OMG!111

  67. Re:Good, now they can start work on the one from 2 by bit01 · · Score: 1

    Hey, you guys like to say exploits in Linux widgets like XPdf aren't Linux flaws, so it cuts both ways.

    Bullshit. /. has 1000's of readers. Some refer to Linux-the-OS, others refer to Linux-the-kernel. No double-standard, just a variety of opinions. As you'd expect on a discussion site that isn't a lying marketing tool.

    ---

    Commercial software bigots - a dying breed.

  68. drool, drool, M$ and Linux are equal. by Anonymous Coward · · Score: 0

    Wow, you found two or three problems so you then try to equate free software to M$ security. How can you reasonably compare an OS with an average half life on any network of four minutes with an OS that runs prominent websites and vies for uptime with the best?

    Congratulations on finding a few holes in free software. That's got to be the easiest thing in the world. Follow up effort would note that all of the problems have been fixed, as usual. You can compare this with known M$ holes that stick around for years and fixes that create new holes that are exploited in days!

    What else would we expect from a Microsoft fanboy like Bonch. Let's go back in time and look at some of the M$ love fest, apologizing and Slashdot insulting from Bonch:

    1. Blames the user for MyDoom, which distributed itself through Kazaa.
    2. Begging for free software goodies to be ported to M$'s junk.
    3. "Slashdot discussion--the Internet king of groupthink and propaganda." More insults, you wonder why he reads Slashdot other than to cause trouble.
    4. Here he is bitching over being blacklisted for his behavior. Of course, he was on the infamous troll post.
    5. "Slashdot is a bunch of kooks complaining about stuff." His way of excusing the use of M$ garbage in voting machines that were both impossible to verify and easy to manipulate.

    All of the above was found by looking at two pages of google results for bonch slashdot. More than half of the results were like those.

    Well, that's enough fun for me for now. Thanks for playing, Bonch. I hope your account is deleted soon. Until then, I think I'll save this post and put it wherever you show up.

  69. Mods: The truth about bonch/rd_syringe/OverlyCrGuy by Anonymous Coward · · Score: 0

    Moderators: Please note that "bonch" is a known fanatical sycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft shilling. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, bonch is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.

    I'm posting this so that you (the moderator) have some context to consider bonch and not mod him up whenever he posts his filler preformatted rants about installing Windows or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.

    If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than bonch. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.

    For example, in this recent post bonch not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "MS". Yes, if you're confused, you're not alone. The reply (modded +0) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.

    More? Just read through this post and the subsequent replies. I guess this stands on its own.

    More? Bad spelling in astounding conspiracy theories, more offtopic FUD and uninformed "I'm right, look at me" rants, promptly proven wrong. Worse even, bonch wants to be Bill Gates, apparently (that first one is a winner). I mean, really. You think?

    FUD, FUD, FUD, FUD, offtopic FUD, and more FUD. This guy is like the Monty Python SPAM skit, but with FUD and more FUD instead of canned meat. Amazed yet? Don't forget that KDE and Gnome make you dumb, and it's all a Slashdot conspiracy. How low do you want to go? Maybe as low as this?

    The infamous Slashdot Front Page Troll? Nuclear fireballs? It goes on and on and on and on and on and on and on (troll?). Like the energizer bunny. Or take these two, which stretch the definition of weird.

    It's up to you. We can get rid of this guy and make Slashdot a better place. I don't know about you, but I'd rather take the trolls and crapflooders over people like "bonch" any day. And I sure as hell don't want to be categorized along with him. This is not how you advocate free software, period.
