Three New Microsoft Bulletins

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

Quick?

The extremely critical exploit was listed on 2004-10-20! It took nearly three months to fix.

Re:Quick?

[Jugalator]

On the other hand, Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

Re:Quick?

[Jugalator]

Sorry, I can't count, it seems more like 8 or 9 days.

The workaround is in KB Article #888534.

Re:Quick?

[lucabrasi999]

Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

For those of you that haven't seen the workaround, here is a link.

Yeah, I know, I know. But it was TOO easy, I couldn't resist....

Re:Quick?

[Jugalator]

That's darn expensive switch if you're already sitting on x86 hardware, which I have a feeling Windows uers do. :-)

I suggest another OS in that case.

Re:Quick?

[bonch]

I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

LinuxSecurity keeps a running list of daily vulnerability announcements from all the distros. Just click on a distro and be amazed at all the buffer overruns, root exploits, code execution, and more that never get reported on this site.

"Three New Microsoft Bulletins?" Try 13 new Debian bulletins in the past week. Gentoo has announced 12 since last Sunday alone.

Why aren't these things announced like Microsoft bulletins are? Because Microsoft articles generate more page hits...which is great for the banner ads. They're using you guys.

This attitude of the flawless Linux is really, really dangerous, because Linux distros are just as ridden with software holes as Windows systems are accused of being, but you'd never know it if all you did was visit Slashdot...and we all know what a false sense of security leads to...

Of course, Slashdot shouldn't stop posting about Microsoft vulnerabilities. But snide comments like "security-is-number-one dept." make this place seem like a site of nothing but flamebait for Linux fanboys. There's more to security than just hating Microsoft and ignoring Linux security flaws.

I know I risk karma for this post, but I'm really shocked at the illogic and immaturity displayed on Slashdot, compared to when it began in the 90s. Laughing about Microsoft bulletins in some weird schadenfreude doesn't make the Linux kernel any less imperfect (see yesterday's article) or its distros (see LinuxSecurity any given day for pages of bulletins all collected together).

Re:Quick?

[Blue-Footed+Boobie]

Mod parent up.

Good to see someone with their head OUT of their ass for a change.

Re:Quick?

[lucabrasi999]

What? Attacking Linux Security?!?! Come on moderators! Let's crush this heretic!

That is a joke. Personally, I agree with him...

Re:Quick?

[j.bellone]

Agreed.

Definately mod this parent up; I would if I had the points. He brings a great point to the table that is aways swept under the carpet because of the bullshit explained above. If we really want a true community; shit needs to change not be kept away.

Re:Quick?

[1010011010]

Microsoft's response regarding the availablity of IE security enhancements and fixes for non-XP versions of windows was, "buy a new computer".

So, buy a new computer like you were told!

Re:Quick?

[MarkByers]

You are referring to errors in non-optional non-admin applications in Linux. Gentoo has 7000 packages, but very few of them are required. This fix is for a required, unremovable application which is embedded into the OS and allows a root of a machine simply by visiting a webpage (since like it or not, most Windows users run with admin priveleges). Imagine if a popular website was defaced with an exploit. This is what makes it newsworthy.

Re:Quick?

[prisoner-of-enigma]

You know, every single time there is a security-related article on Slashdot, some troll pops up to warn us that Linux isn't perfect. And you know what? I have never, ever seen somebody claim that it is.

Nor have I. However, every time there's a flaw in Notepad, all the Slashdot faithful come out with that smarmy, holier-than-thou attitude of "weeeeeee don't have those kind of problems with oooouuuuurrr OS!" Yet when similar issues crop up in Linux, you never hear about it. Or, worse, you hear about it but everyone excuses it by saying it's not really serious, it doesn't affect my custom kernel (therefore it's not a problem), or some other it-gets-a-pass response. While this isn't verbatim saying Linux is perfect, it's pretty much the same thing.

If you point out flaws in something (or someone) else, you had best be willing to stand tall for those very same flaws in what you,/i> use as well, otherwise you're just a hypocrite. Linux fanboys need to quit drinking the Koolaid and admit it when their pet OS has problems instead of trying to act like it never happens.

Re:Quick?

[r00zky]

I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes.
I love it too.

What if Windows allowed arbitrary code execution just from viewing a PDF file?
Actually Windows should allow that too... if you were running the not-latest version of xpdf in Windows somehow.

The differences are that the xpdf vulnerability was fixed in a day, here we're talking about a issue that took 10 days to work around and 3 months to fix.

And also xpdf isn't a crucial part of the OS.

2 huge differences for you, KTHX

Re:Quick?

[donnz]

I'll call bullshit. Here's the evidence. Nice troll though and "karma burning" comments seem to be loved by mods.

Re:Quick?

[Daengbo]

I'm not going to comment about how secure or insecure Linux is compared to WindowsXP, but, living in S. Korea, I receive about 20 targeted attacks per day, based on my logcheck, snort, and portsentry reports. Sshd gets hammered every night, as well as my web services.

I seem to be holding up fine, though. I'd hate to have an MS webserver deirectly on the internet, considering the number of IIS vulnerability-based hits my webserver gets every night.

I did almost have a heart attack the first time that I ran chkrootkit after intalling portsentry, because I came up as being infected with BINDSHELL. Luckily, that's answered on the chkrootkit site and being a false positive.

Re:Quick?

[Idaho]

What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

Your reasoning is flawed.

The PDF viewer most people use on Windows (Acrobat^WAdobe Reader) is not a Microsoft app, but is made by Adobe. So if this happened, we would have to blame Adobe, not Microsoft. Many people don't even install a PDF viewer, e.g. on server machines (or just because you don't use PDF's).

A similar thing is true about xpdf: it is not at all part of a 'core' linux system, it is just an app programmed by...I don't even know who. Many people won't even have it installed, especially not on servers. We could blame don't_even_know_who for causing this bug, but probably it would not make a really interesting story.

However, Microsoft has tried to convince us over and over again that YES, IE really is a critical part of their OS, so much so that they can't take it out without breaking Windows (DoJ trial). IE is a part of *every* Windows installation, whether you want it or not.

So YES, I would consider one or more 'critical flaws' where random sites can execute arbitrary code on basically every Windows machine out there without any user interaction whatsoever (apart from visiting a compromised website) newsworthy - more so than a bug in xpdf.

But that's just me ofcourse.

Re:Quick?

[thequux]

They can't tell you to use Linux, I guess. That's the obvious choice, right?

Re:Quick?

[bit01]

"weeeeeee don't have those kind of problems with oooouuuuurrr OS!"

Bullshit.

Yet when similar issues crop up in Linux, you never hear about it.

Bullshit.

True zealotry

I for one want some balance against the river of crap coming out of M$ every day. When M$ stops those bullshit TV spots, stops branding most PC keyboards with their idiotic Windows keys and stops using it's monopoly power to kill competition then I think we can revisit the question of whether /. is balanced or not.

You're either in marketing or you've bought the M$ marketing drivel hook, line and sinker. If you're in marketing then I suggest you get a real job. You know, one where you contribute to the community instead of being a parasite. You'll have more of the things that matter. If you've just bought into their marketing line then I suggest you make a point of reading a variety of viewpoints and learning to think critically rather than uncritically accepting the self-serving crap put out by companies like M$.

---

It's wrong that an intellectual property creator should not be rewarded for their work.
It's equally wrong that an IP creator should be rewarded too many times for the one piece of work, for exactly the same reasons.
Reform IP law and stop the M$/RIAA abuse.

Re:Quick?

[prisoner-of-enigma]

Bullshit

OK, you've found one article taking note of the increasing number of holes found in Linux.

Point #1: Did you bother to read the comments on the article? If you did, you'd note a disturbing number of posts (out of the 475 present) centered around pretending the problem really isn't a problem. Pay no attention to that bug behind the curtain, especially when the Koolaid tastes so sweet.

Point #2: You found one Linux-critical article regarding security holes. Now, do your due diligence and find how many Windows-critical articles have been published. You'll find the ratio decidedly slanted against Microsoft. And don't try to paint it as "well Windows has far more holes than Linux." Secunia.com reports 32 advisories for the 2.6 Linux kernel since Jan 04, with 15 remaining unpatched. During that same period, Windows Server 2003 (released in roughly the same period as the 2.6 kernel) has only 25 advisories, with 4 remaining unpatched. Yep, a veritable "river of crap" coming out of Microsoft, ain't it?

You're either in marketing or you've bought the M$ marketing drivel hook, line and sinker.

Ah, I see. Since I don't parrot the "Linux good, Windows baaaaaad" mantra of obvious fanboys like yourself, I must be an empty-headed marketdroid or in the spell of the Great Satan Microsoft itself. In your addled mind, that's the only possible explanation since you've convinced yourself it's impossible for Windows to be a worthwhile OS. Which is more than merely idiotic when you consider the vast number of desktops running paid for Windows when there's such a fantastic, free, nearly-perfect OS like Linux out there for anyone to glom onto. Gee, could it be Linux isn't the best thing since sliced bread for everyone? Nah, that'd destroy your precious fantasies immediately, wouldn't it? So you support your house of cards by simply convincing yourself that the world is insane and you're the lone voice of reason. You suddenly see so credible to me...not.

If you've just bought into their marketing line then I suggest you make a point of reading a variety of viewpoints and learning to think critically rather than uncritically accepting the self-serving crap put out by companies like M$.

Since immitation is the sincerest form of flattery, I'll pay you a compliment: If you've just bough into your own self-delusional visions of grandeur, I suggest you make a point of reading a variety of viewpoints and learning to think critical rather than uncritically accepting the self-server crap spouted by Linux fanboys with no obvious grasp on reality.

Oh, and just a little note, the initials for Microsoft are "MS" not "M$". It's a common thing for children to engage in a form of wordplay making fun of an antagonist. If you are unable to rise to the level of maturity where you don't have to resort to specious namecalling, please don't bother replying; I don't care to read drivel written by infants. You'll just earn a nice, neat spot on my Foe list.

XP SP2

[Rolan]

It should be noted that those with XP SP2 are only affected by MS005-01.

Re:XP SP2

[bonch]

Isn't it funny how Linux kernel versions affected are explicity mentioned in Slashdot's articles on the subject? You'd think the fact SP2 fixed the other two vulnerabilities already would have been an important point to state. It's not like SP2 just came out or anything; what is it, over half a year now?

RCE via Active-X, again

[Lindsay+Lohan]

Microsoft Security Bulletin MS05-001 addresses the cross-domain vulerability with their HTML Help Active-X control. Microsoft mentions that it's "newly" discovered, but see the proof-of-concept at Security Focus--posted into BugTraq almost a month ago.

Incidentally, if you're one of those rare Windows users running IE in restricted (ESC) mode, your vulnerability is mitigated... suprise, suprise.

Re:RCE via Active-X, again

[redmond_herring]

"posted into BugTraq almost a month ago"

Aren't MS releasing updates monthly?
Wouldn't 'almost a month ago' = newly discovered?

Just my two cents...

Extremely Critical Vulnerability

[kneel]

Did anyone else think that sounded like something out of one of the Lemony Snicket books?

What I find more interesting..

[MrP-(at+work)]

It would also seem microsoft released "Malicious Software Removal Tool" on WindowsUpdate

It finds and fixes some common worms.. They plan on releasing a new version every second Tuesday of each month, and each new version will continue to clean worms from the previous versions.

Wonder what the antivirus companies think about this

Re:What I find more interesting..

[dewke]

I think this sums it up nicely.

Re:What I find more interesting..

[Anonymous+Brave+Guy]

I'm glad that they explicitly state (in the description of the tool that pops up if you've got automatic updates on) that its presence on the list doesn't imply the presence of any malicious software.

The last time I got something like this popping up, some time in mid-'04, the message seemed to imply that I probably did have something unpleasant on my system. My anti-virus software hadn't found anything, though, so I had a couple of nervous days monitoring things to look for signs of any unusual activity. I don't know whether the text supplied with that update was just poorly edited, or something was misdiagnosed by part of Windows Update. Maybe there's still something lurking even now... :-/

Re:What I find more interesting..

[TheGavster]

*gasp* ... customer service. And I thought they took that $200 license fee and used it as toilet paper in the executive washroom ...

Re:What I find more interesting..

[DarkHelmet]

It finds and fixes some common worms.

You mean like that dreaded Firefox.exe that keeps spreading like mad?

Re:What I find more interesting..

[RAMMS+EIN]

``Wonder what the antivirus companies think about this''

Microsoft made anti-virus software before. I used it, but I have no idea if it was any good. It sure didn't make the anti-virus companies go under, though.

Re:What I find more interesting..

[MrP-(at+work)]

yes, i also used it. MSAV.exe i think.. back in DOS (there was also a windows version).. but as far as i know there was no way to update definitions or anything so it couldn't compete with nortom/mcafee.. but this new thing is going to be regularly updated.. and right now it just does the major worms but i wouldnt be surprised if microsoft is just trying to sneak in slowly so it can eventually release a complete virus scan suite

Re:What I find more interesting..

[RAMMS+EIN]

From TFA at the Reg:

"Microsoft should spend more time, energy and money addressing its own security weaknesses inherent in its products, which are exploited by virus writers and hackers, and less time trying to erode the businesses of existing security vendors."

It's an interesting statement, coming from someone who produces software we wouldn't need if Microsoft followed his advice...

Re:What I find more interesting..

[IceFreak2000]

IIRC, MSAV was nothing more than a rebadged Central Point Anti-Virus (CPAV) that was bundled with MS-DOS 6.2

Re:What I find more interesting..

[JohnyDog]

They plan on releasing a new version every second

would be more appropriate.

Nice to know...

[bonch]

Nice to know that all software is flawed, because it is made by flawed humans. Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article. Just a friendly reminder before the regularly scheduled Microsoft-bashing...now have at it. :)

Re:Nice to know...

[Doctor+Crumb]

When is the last time you saw an "Extremely Critical vulnerability" for linux?

Re:Nice to know...

[bonch]

Yesterday.

Re:Nice to know...

[lucabrasi999]

January 7th. Ok, maybe not extremely critical, but there are vulnerabilities....

Re:Nice to know...

[maskedbishounen]

I'll give you the inherently flawed part, but at least with Linux, you get what you pay for.

(I know, I know. There actually are people/businesses who shell out money for it, but one could just chalk that up as "distribution" and/or "support" costs more oft than not.)

Re:Nice to know...

[Doctor+Crumb]

"Extremely critical" being what I was trying to emphasise. Even the local kernel exploit , while dangerous, is not "extremely critical"; it can only be exploited by users who already have accounts on the system. I agree wholeheartedly that there are indeed vulnerabilities, but you also have to consider the magnitude.

Re:Nice to know...

[Attitude+Adjuster]

Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article.

Insightful my ass! This relativist "all views are equally valid" philosophy you've fallen into (along with the main stream media) is complete BS.

Nothing is perfect, and you should use the right tool for the right job (games == XP, work == Linux for me), for sure, but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there. That doesn't mean that Linux or OSX is perfectly secure, but they're much better than any MS product. Whether you measure it by dollar cost to companies, or number of actual (not theoretical) exploits, MS products are more insecure than any *nix. Don't you even remember the millions of USD damage viruses and worms caused last year on MS systems alone?

The truth of the matter is that Linux is by default, even without hardening, vastly more secure than XP. And the security gap is increasing, not decreasing.

If you mean the grsecurity nonsense on ./ yesterday, the only story there is about some big-mouth egotist sounding off and the desperate MS apologists eagerly believing what they want to believe. See this and this .

In case you were also thinking about the uselib ./ nonsense of Jan 07th (here), Fedora core 2 had the patched kernel available on Jan 03. The public announcement of the problem was after it was fixed and had made it way into distribution updates (unless I'm totally misreading the changelogs). Wasn't the advisory this MS update fixes was released months ago. Bit of a difference perhaps?

Re:Nice to know...

[stevey]

Four days ago, how about you?

All admins should subscribe to bugtraq, and their distribution's security announcements sites - no operating system is bug-free.

But I'd still choose Linux over Windows for security as there is a better record on timely updates, and a much cleaner seperation between the kernel and the userland applications, something which isn't true in Microsoft's world.

Three months is quick?

[MarkByers]

Yes nice and quick. Only took nearly three months!

Release Date: 2004-10-20

http://secunia.com/advisories/12889/

Re:Three months is quick?

[superpulpsicle]

Well the bulletin is really a mistake. So those fixes won't cut it. The 3 real bulletin goes...

- It's official, our Windows XP IS a vulnerability.
- It's official, our Internet Explorer IS a vulnerability.
- It's official, our Windows media player IS a vulnerability.

Microsoft's Quick Move

[Mr.Ned]

"Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS."

Michael, are you kidding me? Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

Re:Microsoft's Quick Move

[turnage]

Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

No, Microsoft was notified at the beginning of October and has only now gotten around to being so sure of their fixes that they're comfortable releasing the patches to tens of millions of computers. There's a big difference.

It's about remediation...

[danielrm26]

...nice to see a quick move from MS.

My thoughts exactly. The focus for many on the anti-MS side of things is not the fact that there are vulnerabilities, it's how they are handled. Grats to MS for tackling this one.

Re:It's about remediation...

[Rolan]

You're joking right? The information was given the Microsoft 10/21... I wouldn't call 2.5 months fast... Check that release date.

Re:It's about remediation...

[danielrm26]

True, but it wasn't a huge issue until the exploit code went public. They jumped on it once that happened and that's better than not at all.

Re:It's about remediation...

[freakmn]

Yes, when your expectations are that low, taking a dump would be an everyday, positive surprise.

More information...

[MrP-(at+work)]

This page has more technical information about the tool.

Also: Malicious Software Removal Tool

[Rolan]

They also released the "Malicious Software Removal Tool":

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any variants found. You should also use an antivirus product to remove other malicious software that may be present. This tool helps maintain your computer, and its appearance does not indicate that your machine is infected with malicious software. After you run this item, you may have to restart your computer.

Looks like they're finally getting tired of the most common viruses running rampant.

Re:Also: Malicious Software Removal Tool

[Rolan]

More information on the "Malware" can be found at this link that was in the EULA.

They're looking at these with this version:
Win32/Berbew
Win32/Doomjuice
Win32/Gao bot
Win32/MSBlast
Win32/Mydoom
Win32/Nachi
Win 32/Sasser
Win32/Zindos

Re:Also: Malicious Software Removal Tool

[CodeArtisan]

MS Removal Tool ? I wish...

Spite

[FortKnox]

nice to see a quick move from MS

MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?

I'm already a comment wading in the anti-MS sludge. Will people see MS is trying to do the right thing?

Re:Spite

[RAMMS+EIN]

``How many will reply to me saying I'm out of my mind?''

At least one. The vulnerability was updated on 2004-10-21. That means it existed at least about 3 months before the fix. I don't know about you, but I don't call that quick.

Re:Spite

[Mr.Ned]

"nice to see a quick move from MS

MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?"

You _are_ out of your mind. Microsoft was notified in October. Sitting on an "extremely critical security vulnerability" for over three months isn't quick by any definition.

Re:Spite

[EvanED]

Read other comments on this page. MS released a workaround for the flaw 8 days after it was originally posted. At that time, it was not known how critical it was, so MS didn't push a full fix. Now that it is known (Secunia increased the rating 4 days ago), MS has responded quickly.

Re:Spite

[FortKnox]

The workaround was available 8 days after the original notification. But it wasn't labelled as critical. It was upgraded to critical 4 days ago, so MS released the patch right away.

Pretty fast for a security flaw, eh?

Re:Spite

[RAMMS+EIN]

Ok, two things:

1. Either you take security seriously, or you don't. If you take it seriously, you fix the flaws when you become aware of them; not 3 months later when people increase the rating, because they're running out of options to get you to fix it.

2. We're talking arbitrary code execution here. There's virtually no limit to the damage this can do. I'd say that warrants a somewhat quicker fix. And this was already known 3 months ago.

So, basically, I don't agree that they didn't know how serious it was until Secunia increased the rating, and even if that were the case, it would have been a lousy excuse at best.

Re:Spite

[prisoner-of-enigma]

If you bothered to read the whole thing, you'd see Secunia didn't find it "extremely dangerous" until just recently itself. Originally, Secunia didn't put this one very high on the totem pole, so neither did Microsoft. There was a workaround in place within days, and only now that Secunia has elevated the problem is there a patch being issued.

Icons

[spac3manspiff]

the handling of Icon and Cursor files

Heh, now only notepad hasnt had a vulnerability yet.
Nevermind that did too.

IE: Zones are a broken concept

[Tackhead]

Good policy: Deny all, permit selectively.

Bad policy: Accept all, but let people turn things off.

Worse policy: Accept all, but let people turn fewer things off depending on four arbitrary "zones" something falls into.

Worst policy: Make sure the "zones" in question have nothing to do with TCP/IP, netmasks, DNS, or any other networking concept, but make sure they're supported by a proprietary application you've embedded deeply into the OS to facilitate an embrace/extend/extinguish business model.

Then act all surprised when everyone ends up running at least one of these "zones" (namely the "local" one, which ought to be the most trustworthy) with their proverbial pants down, thereby creating a guaranteed 100% available target for Worm/Spyware/Virus authors.

Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

Re:IE: Zones are a broken concept

[adamruck]

ah but you forget the most important point... useability.

The goal for whoever came up with zones was probably something along the lines of, "lets make security as easy as humanly possible". Adding options in IE that actually relate to real networking would be out of the question then. Then users would start thinking to themselves, "what does this all do, I dont understand this, im fustrated, I dont like this". Something which microsoft would never permit.

Re:IE: Zones are a broken concept

[RobertB-DC]

Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

I heard the last person to implement such a mind-bogglingly dumb Windows "feature" had to marry Bill Gates.

Maybe Bill would take on the developer of the Internet Zones "feature" as a mistress?

Re:IE: Zones are a broken concept

Zones are actually a good idea; it's just that Microsoft did them wrong.

A reasonable analogy for surfing the Internet is sticking your hand into a trough of water. The section of the trough that represents the Internet is murky, full of parasites and fecal material, and has piranhas in it. You can still stick your hand in there, but you put on your shoulder-length rubber glove first, and put on a chainmail glove & sleeve on top of that. Other parts of the trough have clear water suitable for drinking or enema purposes. You can just dunk your face into that water, eyes open and everything. Other parts vary between those two extremes.

There are two absolutes that fall out of that model. The first is that the regular Internet is, as a whole, the worst part of the trough. It's not just warez.ru that you have to worry about; you have to worry about cnn.com or bbc.co.uk as well. They are equally dangerous. For one example, suppose someone hacked bbc.co.uk and added a malicious script to it? It's somebody else's computer, and so you cannot trust it. The second absolute is that whatever security measures are in place must partition the trough into discrete zones, with no bleeding across boundaries. If someone on a trusted site has a frame to an untrusted site, and the browser doesn't pick up on that, then the security model is busted.

Microsoft's zone model doesn't work for a number of reasons. They went about it in their usual ``security last'' way, and assumed that every website in the world would fit nicely into only four zones, and that those should come prenamed with deceptive names. If there's a site on my Local Intranet that I don't trust, then Microsoft's zone scheme works against me. Also, even if they're divided into zones, you're still using Microsoft's braindead security options. IE doesn't have a setting to turn off ``Javascript'' by name. It has several radio buttons for ``scripting,'' but I know what Internet technologies exist as well as the Microsoft guys do. Not listing Javascript by name is deceptive. Also, cookies are a large part of Internet security. I've not used IE since version 4, and it doesn't have a dialog to mark which cookies I want to accept and which I don't. I believe that it does have that now, but I don't know if it's considered a part of the security zones. In short, because it's Microsoft's idea of security, you have to double check to make sure that you force it to line up with real world security.

IE's approach is more akin to how people browse, though. When I'm configuring my browser, I don't start by saying, "I want all of these sites to store cookies, but none others," then say, "I want all of these sites to use Javascript, but none others." You typically arrange things by site, and those typically fall into several good categories (or zones). At the most extreme, you could need a zone for every site you visit, _plus_ a way to extend that zone to cover IP addresses, for some companies who have unnamed servers doing their eCommerce sites.

Re:IE: Zones are a broken concept

[SunFan]

If they started to make security easier, then why didn't they finish the job? That's like putting seat belts in a car but forgetting to bolt the seats to the floor.

Re:IE: Zones are a broken concept

[someonewhois]

Definitely. I can't think of how many exploits I've seen allowing execution of code in local zone. It's ridiculous. The zone idea should get merit points for the GENERAL concept. The idea of being able to add "Trusted" sites is ideal. But not in an implantation that by default has the Trusted sites wide open.

I had a friend (real tech guy, too, which blew my mind apart), who turned JS off. Why? CNet or someone warned people to. That's the stupidest thing I've ever seen... killing functionality for security, when most of the JS vulnerabilities coincide with stupidity/carelessness (phishing is all the JS exploits do, really). On top of that, he had the "Trusted" and "Local" zone having EVERYTHING on. I showed him a handful of Secunia links to vulnerabilities that let people execute in the local zone, he didn't care. He said it was flawless security that way. I wanted to punch him in the face. (But I just linked him to Firefox instead.)

Icons and cursors, oh my!

[FirstTimeCaller]

I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

Re:Icons and cursors, oh my!

[fienna]

it's interesting cause most windows flaws are from limitations in C++, not from bad coding. damn buffer overflows...

on another note, i can't wait till tomorrow when i get to update 50+ machines with this weeks patches! yippee!

Re:Icons and cursors, oh my!

[Jugalator]

If we're speaking of flaws in graphics files, this one was of course not as bad since it wasn't limited to Windows, right? ;-)

Re:Icons and cursors, oh my!

[temojen]

A few weeks ago there was a "critical update" because one of the dingbats fonts had "unacceptable glyphs" (I'm guessing it was swasticas or inverted pentagrams). It's probably something similar... someone was offended by one of the icons or cursor shapes.

Re:Icons and cursors, oh my!

[chiagoo]

It's even funnier/more disturbing that the resolution to this is a patch for the kernel. From MS05-002 bulletin:

File Information:
Cmd.exe
Kernel32.dll
Win32k.sys

Re:Icons and cursors, oh my!

[evilmousse]

hey, don't knock it--security holes in mere font files made xboxen nice and soft-moddable. ^_-

Re:Icons and cursors, oh my!

[ThosLives]

Argh, I can't resist: buffer overflows are not a limitation of programming language (all languages boil down to assembly anyway, right? Didn't someone write something about how all computer languages were equivalent or something - Turing I think?) but a direct result of coding practices (either ignorance, management pressures, or some other non-technical factor).

I'm a firm believer in the fact that, if it's possible to write one line of bug-free code, it's possible to write one more line of bug-free code, and so on, until you have an arbitrary number of bug-free lines (proof by induction). Granted, it becomes more difficult, but it's not impossible as many would think. If I had enough money, I'd try and prove it...

Anyway, sorry to rant...I'm in a strange mood today.

Re:Icons and cursors, oh my!

[bonch]

I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

No, security vulnerabilities in the libraries that handle them, just like the libpng, imlib2, and Mozilla XMB vulnerabilities. It happens (even if it's not on the Slashdot front page...).

Re:Icons and cursors, oh my!

[JanusFury]

It's not all that suprising. Quicktime's BMP loader had a buffer overflow until around version 6. (I found it when I was testing out the quicktime API). The trivial stuff seems to be the stuff that often doesn't get checked thoroughly for security holes.

Re:Icons and cursors, oh my!

[Tough+Love]

It's mindnumbingly pathetic that Microsoft's kernel actually loads cursor files, let alone gets itself crashed/compromised by them.

Re:Icons and cursors, oh my!

[Twanfox]

Actually, if I recall seeing it right, I believe they removed the jewish 'Star of David' symbol from the wingdings font. I did a comparison once I saw it change some font on one of my two machines.

Re:Icons and cursors, oh my!

[fienna]

I don't think it's possible to "prove" code is correct at all - it's all so arbitrary you'd pretty much have to boil down to the assembly language and specific processor model to prove anything works - otherwise you're just relying on your compiler working correctly and who's to say that it's without bugs itself?

Re:Icons and cursors, oh my!

[Kymermosst]

I don't think it's possible to "prove" code is correct at all - it's all so arbitrary you'd pretty much have to boil down to the assembly language and specific processor model to prove anything works - otherwise you're just relying on your compiler working correctly and who's to say that it's without bugs itself?

It is possible to prove that code is correct for specific data, because a computer program is simply a mathematical algorithm, and any algorithm can be proven to be correct for any particular input. Now, the difficulty of the proof is hard to determine, and only valid input can be considered. (Note that once your program tests for "invalid" input and does something predictable, that input is now technically valid, though unreasonable, input.)

For an example of proving certain code correct, this is an example proving the correctness of a loop using loop invariant theorem (which follows mathematical induction).

You are right, however, that a particular implementation of an algorithm on an actual machine is subject to problems with the machine itself, including design flaws and environmental effects. You may be able to prove your code is correct for a given input set, including all possible user input, but what happens when a bit gets flipped in a state register due to cosmic radiation?

Icon and Cursor files?

[stupidfoo]

which correct vulnerabilities in the handling of Icon and Cursor files

Seriously now. How the hell did they work that one in? Security flaws in Icon files.

Amazing.

Re:Icon and Cursor files?

[Thundersnatch]

How? The same way those vaunted open-source developers managed to work widespread security flaws into TIFF images, PNG images, and even file names.

"Malicious software Removal Tool"

[kittenthief]

I personnally like the "malicious software removal tool" windows update is in the process of installing... along with the other security patch of course :)

Re: "Malicious software Removal Tool"

[E+IS+mC(Square)]

Nevermind. In the end, your machine is as compromised - "malicious software removal tool" removes malicious softaware, while the patches install other vulnerabilities so that the hackers can install more and new malicious sofwares.

Re:"Malicious software Removal Tool"

[quarkscat]

ATTENTION!

This new Microsoft tool is broken. I tried
it, and it WILL NOT REMOVE IE6!

I don't know if Microsoft is aware of this
problem yet, so I am going to fire off an
email to them ASAP.

Re:Don't blame michael

[spac3manspiff]

I dont think he even uses windows.

Either way, windowsupdate was slashdotted and that's all that matters.

It's not that interesting

Wonder what the antivirus companies think about this

Probably very little...

McAfee already publishes a similar tool called Stinger which is periodically updated to cover new worms.

Nothing is inherently better than the other

[missing000]

Have fun with your Yugo chump, nothing is better, Yugo or Lamborghini, so I'll take the Lamborghini, you go prove the concept.

Re:Nothing is inherently better than the other

[lucabrasi999]

uhhhm you missed his point

Totally OT, but you missed the repliers point. When you disagree with someone, you have at least two options. You could:

1) Submit a post that provides an argument, preferably backed up with some data.
2) You could call the original poster a "chump" (or some other disparaging remark) and use a meaningless comparison as your discussion point.

Guess which of these two options is better?

It should read ...

[ph4rmb0y]

Fixes available via Windows Media Player ...

MS05-003 on Win2K

[chiagoo]

I find this part of the security bulletin especially interesting:

"Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update."

The old adage usually goes "if it ain't broke, don't fix it". Why would they ask people to patch something that isn't broken? Does this indicate that they expect to find a similar flaw in the indexing service on Win2K?

Re:MS05-003 on Win2K

[m50d]

I think they mean the patch changes security policies on win2K without actually patching anything. Which is something they still want happening on as many machines as possible.

Re:MS05-003 on Win2K

[ilikedonkeykong]

Even if you use Windows XP you are not affected unless you downloaded SP2. That is exactly why I haven't yet. The MS AntiSpyware is better than AdAware or Spybot though. The only thing it didn't fix was the hijacked favorites folder in IE.

Re:On the Plus side...

[cepler]

But what does it say when it finds Alexa?

Some clarifications and important notes

[Jugalator]

First, Secunia released the advisory for Windows security update 890175 (MS05-001) back in 2004-10-20. Secunia linked to a workaround for the flaw 8 days after this, that was posted by Microsoft. Secunia increased the severity rating in 2005-01-07, and 4 days later, Microsoft has now posted an actual fix.

Now, the story, unfortunately for Windows users, and fortunately for e.g. open source evangelists, it seems like there is some things to be aware of if needing to uninstall the fix, for example due to possible problems caused by this fix, which are mentioned here, under the "Known Issues" heading.

In other words, we're talking about one issue that may appear as a direct consequence of installing this (my first link) and another one if you then decide to uninstall this fix (my second link).

Of course, if you aren't subject to the first problem, you don't need to do a thing and you are indeed living in the environment Microsoft was crossing their fingers for that you would be in.

Indexing Security Issue

[Matey-O]

I had to deal with an Indexing Service security issue last week.

Seems the guy that handles the website content got upset when Indexer, well, Indexed the website, finding some content that was a little more sensitive then he wanted out there.

(It's what happens when your contractor migrates your data, then neglects to remove the temp data when the migration is done, I guess.)

Yes, but...

[rewt66]

Why, exactly, should I have to reboot my machine after installing a scanning tool?

Re:Yes, but...

[Rolan]

It appears that the scan occurs at startup. There's no UI to the tool that I've been able to find. So you have to reboot so that it can do it's initial scan.

Re:On the Plus side...

[Paiway]

MS Anti-Spyware? Doesn't that classify as an oxymoron?

At least

[bonch]

At least it's not in the kernel...

I've seen plenty of weird things in Linux distros, like privilege escalation in MPlayer. MPlayer, a video player! People really need to start paying attention to LinuxSecurity and witness all the monthly vulnerabilities for their distros. They rarely get mentioned on Slashdot (for whatever reason).

Random sampling from Gentoo's advisory list:

Gentoo: HylaFAX hfaxd unauthorized login vulnerability
Date: Tuesday, 11 January 2005
HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.

Gentoo: o3read Buffer overflow during file conversion
Date: Tuesday, 11 January 2005
A buffer overflow in o3read allows an attacker to execute arbitrary code by way of a specially crafted XML file.

Gentoo: imlib2 Buffer overflows in image decoding
Date: Tuesday, 11 January 2005
Multiple overflows have been found in the imlib2 library image decoding routines, potentially allowing the execution of arbitrary code.

Gentoo: Kpdf, Koffice More vulnerabilities in included Xpdf

Date: Tuesday, 11 January 2005
KPdf and KOffice both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code if a user is enticed to view a malicious PDF file. ...and these were announced on one day! Notice Slashdot is silent.

Re:At least

[bonch]

I'm labelled a "troll" for pointing facts out.

Re:At least

[mattyrobinson69]

the problem with mplayer, my guess, would be that it runs with a very low nice value, so it is probably either suid root or spawned from such an application.

For those who dont know, a nice value is like a priority, the lower the value, the higher the priority, and you need root to decrease a nice value to prevent DOS attacks

And the winner is...

[revery]

vulnerabilities in the handling of Icon and Cursor files

Wow! As tough to beat as that is, I think Apple still wins the day.

Tough call.

--

Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.

zerg

[Lord+Omlette]

Can anyone think of any replacements for MS HTML Help? Something I can use to read the MSDN docs that isn't slow as hell or full of bugs?

Thanks in advance...

Sure, why not?

[Anonymous+Brave+Guy]

Seriously now. How the hell did they work that one in? Security flaws in Icon files.

Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1, ref 2)

Or the same sort or way the Mozilla XBM vulnerability arose? (ref)

This isn't a new thing, and it's not unique to Microsoft, either.

Good, now they can start work on the one from 2003

[sjonke]

Maybe now they'll find some time to fix the highly critical flaw in IE 5 & 6 that was reported on 8/14/2003 that allows a malicious web site to execute arbitrary code on the hapless victims machine. Timeliness is next to godliness!

Malicious Software Removal Tool + Steam?

[titzandkunt]

I ran windows update, and got the full package including the Malicious Software Removal Tool.

During the update, the Steam icon on my desktop flickered.

Sure enough, steam.exe appears to have been removed, presumably by the aforementioned removal tool.

Am I the only one out there who's had this happen? (in which case, I'm hallucinationg, and all will be ok by morning)

SP2 Security Center

[ObsessiveMathsFreak]

I think all of us should pause for a moment and thank the Gods for XP SP2's security center's automatic download and installation over BITS feature. At least know we know that these updates stand slightly more chance than a snowball in hell of being installed on a friend/neighbours/relatives machine that's been seen to by helpful slashdotters over christmas.

SP2, well yeah, hardly perfect I know. But you've got to love the fact that (l)users are now forefully made aware of possible(read inevitable) security problems as they arise.

Beware of favicons...

[Chief+Typist]

Many websites include a favicon.ico file in the root directory of the site. This icon is used in favorites to display the site's logo, etc.

Now, without knowing too much about this vulnerability, it seems possible (likely?) that any Windows app that displays icons would be at risk since the rendering of icons is handled by the OS.

In theory, Firefox would be as much at risk as IE -- both display favorite icons. And neither has a way to block the display of these icons.

(The CAN notice is "under review", so I can't be much more specific than that.)

-ch

Re:Beware of favicons...

[zerblat]

neither has a way to block the display of these icons.

Actually, in Firefox, set browser.chrome.favicons and browser.chrome.site_icons to false, and you shouldn't see any favicons.

Malicious Tool

[RAMMS+EIN]

Let's hope it's not a truly malicious software removal tool.

word grouping?

[martyb]

Hmmm, word grouping makes a difference!

Given reports that the Malicious Software Removal Tool has identified benign programs (e.g. VNC) as infected, maybe BOTH of the following groupings apply!

Is this a:

• a Tool that performs the Removal of Malicious Software?
  i.e. (Malicious Software) (Removal Tool)
  
  OR
  
  
• a Tool that looks around and Maliciously performs the Removal of Software?
  i.e. (Malicious) (Software Removal Tool)

Freudian slip?

I give up

[21chrisp]

Right after I switch my entire environment from linux to windows due to the amazing overwhelmingly dangerous linux kernel exploit from a few days ago and the huge number of linux security issues that were said to be listed this year... this happens. Now my Win2003 server uptimes will get all jacked up.. and they just booted for the first time 2 days ago. Now I'm going to have to switch to OS/1337 in order to preserve my sys admin ego flames.

Don't use windows. Don't use linux. They both suck. OS/1337 has not once had a single crack or exploit discovered. Plus.. it has never crashed. Not once. OS/1337 will rock your world.

Application vs. OS

[obsid1an]

You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw you presented:

An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.

That is not a linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.

Now this isn't to say linux is perfect, but saying that every linux application security bug is the fault of linux isn't true either. However, this really comes down to the design differences between linux and windows. Running linux as root all the time can be just as dangerous as windows.

It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

Re:Application vs. OS

[prisoner-of-enigma]

It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

So, by your logic, if I run Firefox and don't use Outlook, Windows is a great OS to have, eh? You wouldn't know it by the scorn everyone heaps on Windows, but then again this is /., where no good deed of MS goes unignored and no flaw of Linux goes unburied.

Nobody says you must use the stuff Microsoft gives you. IE can be bypassed without much difficulty, and Outlook is far from the only mail client available for Windows.

Re:Application vs. OS

[Sexy+Commando]

With MS, IE is part of the OS

And you believe everything Ballmer said?

The phrase "part of the OS" is in the sense of sh is part of Linux distribution. IE code runs in Userland. There is nothing magical about it. IExplorer.exe is jsut a tiny piece of frontend-like program that calls this huge MSHTML library, which many windows applications depend on. And they are all user land applications.

If you said something about most people run IE as Admin, I would believe you. But that's not really the issue here because most spywares and viruses and mass mailers can be installed in the home directory without any problem. ("PREFIX=~ ./configure" anyone?)

Re:Application vs. OS

[bonch]

The problem is that Slashdot never makes that distinction and rarely do the posters. When a Microsoft shell vulnerability is announced, someone asks, "When was the last time Linux had a vulnerability like this?", and it seems most people rarely bring up that Linux is just a kernel and so the comparison doesn't apply.

Re:Application vs. OS

[prisoner-of-enigma]

I can't help but thing the error is intentional. The childish, immature brat zealot fanboys who love Linux so dearly would rather have an eye gouged out with a rusty spoon than admit Linux has flaws as bad as, and sometimes worse, than Windows. And no amount of truth, even when spoken by Linus himself, will sway them.

Re:Application vs. OS

[Daengbo]

But the point is that you can't bypass it. It's hooked into so many services and programs that a flaw in the IE renderer affects the entire OS. That's dangerous. Firefox doesn't hook to anything. If it did, you'd be in similar danger.

If I move X into the kernel to gain speed, then move most of the rendering for the screen to xpdf, the xpdf vulnerability becomes a scary thing indeed. I hope that Linux stays as modular as it always has, and I'll sacrifice a little speed for safety. Please don't tell me that I deserve neither!

Re:Application vs. OS

[Daengbo]

/dev/hdb2 /home ext3 noexec 0 2 should handle that.

Re:Application vs. OS

[Sexy+Commando]

That would cause major inconvenience to the users. And you forgot the more dangerous places such as /tmp

Re:Application vs. OS

[Daengbo]

I didn't forget, just answered the point that was brought up. Marking various partitions noexec is really important. Do the users compile all the time? You can set up a shared resource for that on another machine...

Re:Application vs. OS

[Sexy+Commando]

I am the only user on the machine and I compile things everyday. So I use nosuid instead of noexec. It suits my need better.

Re:Application vs. OS

[strider44]

Nope, you have to use IE. It's integrated into the OS so tightly that there's nothing you can do about it. For example, if you use Half Life 2's Steam application, that uses IE quite frequently, and if you install Firefox it wont change engines for displaying the data suddenly. That is a bad example (you can't use the IE shell to browse to non-trustworthy sites), but other examples like in Kazaa you have a fully functioning IE shell operating.

But anyway, if you actually read the post that he wrote, I think you'll find that his logic didn't say if you run Firefox and don't use Outlook then Windows is a great OS to have.

Re:Application vs. OS

[Daengbo]

As long as you are aware. I personally think that noexec should be standard in tmp and home, so that those who need to change it will be the ones who know that risk because they develop for a living or compile source constantly. The standard user has no use for it.

Thanks for the nosuid recommendation, though.

Re:Application vs. OS

[Ambassador+Kosh]

There is a difference though. If firefox screws up I can use konqueror instead or opera in my debian kde setup and neither are integrated into the system. If mpg123 has a problem I can use mpg321 (stupid name) and it will perform all the same stuff and is even transparent to the other apps on the system using it. However if there is a major hole in IE I can't remove it until the problem is fixed, I can't even disable it.

If there is a hole in IE then stuff like quicken, stream, city of heroes updater and all kinds of other apps are effected by that and there is no way I have seen to change what those apps use.

How tight the coupling is changes how severe a problem is. At least on a business level if app x has a problem I can choose to disable app x and redirect the stuff to app y instead which can do all the same things but doesn't have that problem.

Re:Application vs. OS

[ClioCJS]

"My god, he's full of shit!"

Re:Application vs. OS

[ClioCJS]

Full of shit. There are tons of pages detailing how to remove IE. For the most part, you just delete the binary while booted to a floppy (or knoppix) disc. There are pages for every version of windows since 95. It's harder for later versions, obviously. And you don't get rid of the libraries, but other programs use those too, and don't even get me started on linux libraries.

Re:Application vs. OS

[prisoner-of-enigma]

I found this and, seeing how it reminds me of you, I figured I'd share it with you:

One entry found for pedantic.

Main Entry: pedantic
Pronunciation: pi-'dan-tik
Function: adjective
1 : of, relating to, or being a pedant
2 : narrowly, stodgily, and often ostentatiously learned
3 : UNIMAGINATIVE, PEDESTRIAN
- pedantically /-'dan-ti-k(&-)lE/ adverb

Re:Application vs. OS

[prisoner-of-enigma]

While I'm at it, I'll address some of your statements:

You said: ...if I run Firefox and don't use Outlook, Windows is a great OS to have, eh?

This can be transcribed as:

!App(embedded) -> !problems

This does not logically follow.

Please explain why does it not logically follow, taking into account the parent poster's intent. His statement, distilled to essentials, was that embedded apps like IE are security problems. The logical solution to his objection is to use non-embedded applications, with the inferred result being fewer security problems. Therefore, he was indeed stating

App(embedded) -> problems

while simultaneously inferring

!App(embedded) -> !problems

To infer something like

!App(embedded) -> problems

kind of destroys the posters point, so it's fairly safe to assume that's not what was intended. After all if both embedded apps and non-embedded apps result in equal security problems, why bother complaining about IE's deep integration? It serves no purpose to complain unless the intent is to convey the idea that non-embedded apps offer superior security, ergo

!App(embedded) -> !problems

does indeed logically follow his argument.

In other words, if using an embedded application results in problems, then the non-existence of problems implies a non-embedded application.

I never said this, diagrammed it, or even inferred it. I stated that if the parent poster thought embedded apps were exclusively the root cause of Windows security problems, then removing them and relying on a non-embedded application must remove the security problems associated with Windows. Note that I personally don't believe this (IIS exploits alone accounts for a larger percentage of successful hacks), which is why I was using the illogicality of the parent poster's argument to demonstrate that.

Re:Application vs. OS

[prisoner-of-enigma]

But the point is that you can't bypass it.

Hmmm...what's this then? Or this? Or maybe even this?

Aw gosh, I've gone and broke your argument. Hope you kept the receipt.

Re:Application vs. OS

[strider44]

Let me make this clear, you can't fully remove IE *INCLUDING THE VULNERABLE LIBRARIES* from Windows XP or 2k without destroying your system. When I'm talking about Kazaa and Half-Life and Outlook etc, they don't use Iexplore.exe at all, they only use the libraries. Iexplore.exe is just a shell and does almost nothing but link to its libraries and add a few toolbars. The libraries contain the vulnerabilities, not Iexplore.exe.

Re:Application vs. OS

[Daengbo]

OK, so tell me how any of those remove the renderer, mshtml.dll from the system, which is what my post talked about. Good luck getting a usable system without that.

I used 98lite to remove it some years ago for a rollout in a university, but it required the 95 dlls to do the job. I doubt you can wedge NT's dlls into XP the same way, but maybe I'm wrong.

Get some reading skills. Thanks for wasting my time...

Re:Application vs. OS

[prisoner-of-enigma]

OK, so tell me how any of those remove the renderer, mshtml.dll from the system, which is what my post talked about. Good luck getting a usable system without that.

O ye of little faith -- and apparently even less intelligence. You needn't remove MSHTML.DLL from your system. Indeed, trying to do so is a royal pain because of the automatic restore of Windows File Protection. What's far easier (and well documented if you use that funny thing called Google) is to just remove all file permissions to MSHTML.DLL. There. Done. This does have the side effect of breaking HTML rendering in Outlook 2003, but if you're concerned enough about security to kill IE, you shouldn't be using Outlook either.

So, far from me wasting your time, you're wasting your own time by being an uninformed, smarmy, self-righteous fool. Try using Google sometime before you shoot off that silly hole you call a mouth.

Re:Application vs. OS

[Daengbo]

I love you, too. You wasted my time by giving me wonderful links to "How to remove the IE executable," "How to disable the IE executable," and "How to run multiple instances of IE" for me to read when the point of the thread was to eliminate the holes introduced by mshtml.dll.

So, I guess that you have removed permission on it on your system? What percentage of your system works? Want to use any of the subsystems which rely on it? Too bad. How many of your programs that require it just broke?
Tard. Learn to read what Google gives you before you post it. Try a book, sometime. You might get confused by the big words, but that'll pass, and eventually you'll be able to follow the intelligent discussions on Slashdot. IHBT

Re:Application vs. OS

[ClioCJS]

And I'm sure unix has never had any vulnerable libraries, right?

Re:Application vs. OS

[strider44]

How did you read that my argument had anything to do with unix?

Your post seems to miss my point in two ways: Firstly I was talking about Windows, not about any other operating system. I wasn't saying "You should use *nix because Internet Explorer has a vulnerable library!"

Secondly, now that you have brought unix up, Linux at least places no restrictions on the libraries that it uses, and has no absolutely mandatory libraries. You can disable or rewrite any library you want as long as you resolve dependancies. Though it might rule a few programs out you can always remove a library. I detest that in Windows you can't. That they are vulnerable or not has nothing to do with my argument - all I am saying is that you can't remove the libraries.

Re:Application vs. OS

[prisoner-of-enigma]

You wasted my time by giving me wonderful links to "How to remove the IE executable," "How to disable the IE executable," and "How to run multiple instances of IE" for me to read when the point of the thread was to eliminate the holes introduced by mshtml.dll.

Compare and contrast your last phrase with:

OK, so tell me how any of those remove the renderer, mshtml.dll from the system, which is what my post talked about. Good luck getting a usable system without that.

Umm, it seems you asked a question quite clearly but don't seem to remember asking it! Otherwise, why would you state the "point of the thread" as a defense? Oh, could it be that your point was shot down, and you're just trying to deflect criticism elsewhere? Nah, that would require you to be unintelligent, unprincipled, and a total idiot. Wait a sec...perhaps you are trying to deflect criticism!

So, I guess that you have removed permission on it on your system?

I haven't on my personal system because I use IE to access certain sites using ActiveX (namely Exchange 2003's excellent webmail client). However, I have done it for other systems, particularly a few in University settings.

What percentage of your system works?

The systems in question functioned perfectly, although they were not running Outlook (the University uses an IMAP4 setup for user mailboxes, and we use Netscape for that). There were no malfunctions. Sorry to burst your ego bubble. Try again next time.

Want to use any of the subsystems which rely on it?

Since you're a big fan of "the point of the thread," perhaps I'll point out the point of the thread: you can remove IE threats to your system if you know how. Removing or restricting IE is the first step. You are either too stubborn or too stupid to figure this out.

Tard.

Sticks and stones...

Learn to read what Google gives you before you post it.

Since you're the one blatantly disregarding the actual content of the Google results, I think the "learn to read" applies much better to you.

Try a book, sometime.

Just finished "How To Talk To A Liberal...If You Must" by Ann Coulter. Oddly enough, the principles contained therein on speaking to someone obviously equipped with an inferior intellect apply quite well to you.

You might get confused by the big words, but that'll pass, and eventually you'll be able to follow the intelligent discussions on Slashdot.

I'll leave the use of big words to you, since you seem adept at making things up out of thin air to support your unsupportable argument.

IHBT

Not being a member of your uber-geek circle jerk squad, the meaning of this acronym escapes me. If you wish to use plain English (something you're disturbingly ill-equipped to do, it seems), perhaps your insult or comment would make more sense.

In the meantime, remember this maxim: if you can't beat 'em, pretend you beat 'em and go stoke your self esteem. Oh, wait, you've already got that one down to a science.

You've been foelisted, so go away and pester someone else. I tire of pointing out your deficiencies.

Vulnerability alerts via RSS?

[cuban321]

Semi-offtopic, but could anyone recommend a good RSS to follow to alert about vulnerabilities? It doesn't even have to be MS or Linux specific. I tried following CERT, but theirs is behind (they don't even have this posted).

Thanks,
Daniel

Re:Good, now they can start work on the one from 2

[prisoner-of-enigma]

This isn't a Windows flaw, it's a Visual Studio flaw.

Hey, you guys like to say exploits in Linux widgets like XPdf aren't Linux flaws, so it cuts both ways. All bad things seem to be lumped under the heading "Windows," but let a flawed RPM come to light and it's a "that's not Linux" buffet for all.

Make the same standard apply to both or not at all. Double standards are lies masquerading as virtue.

Not a problem if you don't run as administrator

[xswl0931]

Yes, some apps don't run nice when you're not admin, but you don't have to run as admin. Thus any IE exploits would only be running under your credentials, not Localsystem, and thus the risk is the same as xpdf.

Re:Firef.. well..

[E+IS+mC(Square)]

Nope... the point is that earlier MS used to take its own good time to fix any IE bugs. It's much faster (at least for IE) now as FF is gaining a bit of momentum.

Re:Good, now they can start work on the one from 2

[psyon1]

This plugin is part of Visual Studio version 6. However, since the plugin is digitally signed by Microsoft, it may be silently installed through Internet Explorer by any website. The user doesnt have to have Visual Studio installed, they only have to visit a page using the control. And like it states, the control is digitally signed, so its supposed to be safe, right? "Always allow content from Microsoft.com" is one of the funniest things Ive ever seen on computers.

Umm... Bulletins don't correct vulnerabilities.

[JessLeah]

The patches they announce do.

Re:Good, now they can start work on the one from 2

[bit01]

Hey, you guys like to say exploits in Linux widgets like XPdf aren't Linux flaws, so it cuts both ways.

Bullshit. /. has 1000's of readers. Some refer to Linux-the-OS, others refer to Linux-the-kernel. No double-standard, just a variety of opinions. As you'd expect on a discussion site that isn't a lying marketing tool.

---

Commercial software bigots - a dying breed.