Several Critical MSIE Flaws Uncovered
An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."
Then make sure to follow up all the articles appearing saying Firefox is just as bad as IE for security and remind them of the huge gap in time to fix and who seems to get their ass in gear and sort things quickly.
Using IE as a browser is like putting your OS on the internet. Be smart, use a PROGRAM, not your OS to surf the web. Get Firefox http://getfirefox.com.
The dangers of knowledge trigger emotional distress in human beings.
I've found that most corporate sites, both internal and external, require MORE features than most regular web sites. An IE Lite that cuts down on that, would take away those flashy "features" :)
Hmmm.
Yes, it is.
The linked article with the flaws is about as useful as lipstick on a pig. So even when there's something to see there's still nothing to see. I think there's some Taoist wisdom in there somewhere.
You need to realize that there's a difference between public and private disclosure.
I happen to know for certain that Mozilla was aware of the vulnerabilities of which you speak at least 10 days before they were publicly disclosed.
Take your head out of the sand and realize that there's more going on around you than meets the eye.
Until your OS has a privilege escalation vulnerability and suddenly a buffer overflow allows execution of arbitrary code.
I am NaN
Sorry, browser exploits were still more common before SP2 or Windows 2003. Why don't you try... y'know researching it?
Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser. Lots of people access their email through a browser, and that tendency seems to be increasing. This makes browser security absolutely paramount. It is the biggest gateway into the system.
ALL of the Firefox exploits lately? In the last two years there have been 17 reported Firefox vulnerabilities and 81 reported Internet Explorer vulnerabilities. The browser with the most recent, critical vulnerability is Internet Explorer. Do tell, where does the spotlight belong?
Making the world a better place, one psychotic episode at a time.
- Browsers are in general extremely complex apps and complexity leads to security issues
- Browsers generally contain parsers for a large number of file types, and parsers are notorious for security issues
- Browsers must deal with cross domain concerns (local system vs. remote site), which can be very tricky
- Most browsers were initially developed during the internet boom when features ruled and security was a foreign word
IE in particular has the deck stacked against it because it was pretty much ignored in the MS security push that started in 2002. The team had already been dissolved and the app was in maintenance mode. They just didn't commit the resources to dig into the code and do a thorough security review like they did with most of their apps. Instead there were some tacked on fixes like shuffling the zones, modifying ActiveX prompts, and disabling most functionality in Server 2K3. I personally have no question that they regret that decision, and we'll see what happens with IE7 this summer.
I simply don't understand the policy of scheduling security patches. If a vulnerability is found, isn't the best policy to release the patch as soon as it is available (and properly tested)?
This seems akin to scheduling firefighter visits every two weeks, and if your house catches fire in the meantime, being told to wait it out.
WeRelate.org - wiki-based genealogy
Which is fine for them and MS, but that still leaves us with nothing to discuss in regards to the flaws so there was no point in posting the story.
By your logic, a program written by a first year student who didn't pay any attention to any security would have as many flaws discovered as a program written by an expert who tested for vulnerabilities
As long as both of them had the same number of users.
In other words, the flaws aren't errors in code writing, the flaws magically spawn when a certain number of people use it.
I disagree.
To do a proper comparison, you should rate each individual vulnerability, based on: how critical it is, if there was an exploit released, how long it took to patch, etc.
Just saying 81 > 17 is not an accurate comparison at all. How do you know that the 81 vulnerabilities in IE weren't all very minor things? Have you checked? Adding in a fudge factor doesn't make up for not knowing the facts.
Also IE has been around for a lot longer so of course there has been more time to find more exploits.
On the other hand, having a lot of vulnerabilities discovered and patched is a good thing. If a large team of enthusiastic hackers sat down and combed the Firefox source code maybe they could find and fix 100 bugs. Would you suddenly turn around and say that now IE is more secure because Firefox have patched more bugs than IE? Of course not. But your x > y rule would suggest that.
I have nothing against comparing security of different browsers, but there are better ways to do it than just comparing the number of advisories released by one company.
I happen to remember that amongst the 81 vulnerabilities there are quite a few extremely critical vulnerabilities and some of these went unpatched for months, and there is still one that is unpatched. That, in my opinion, makes Firefox more secure than IE.
I'll probably be modded down for this...
I suspect you are right about this, Microsoft is certainly tired of IE issues flogging them. This is why I suspect that IE7 will give Firefox a run for its money or even possibly kill it. MS knows all eyes will be on IE7, and has probably done a lot of work from the ground up on it with security specifically in mind. I think all the FF fanboys may be disappointed when IE7 comes out.
On the other hand, we are talking about Microsoft, so who knows...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
It also may be a good idea to compare the criticalness level of MSIE vulnerabilities to the Firefox ones that get published.
People just don't bother with minor problems in IE -- on the other hand, there is much vested interest in digging every smallest issue in Firefox, and dragging it into the press.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Familiarity is an issue, I always open Firefox when on the computer of one of my friends who primarily uses Opera. One of his housemates always opens IE ;-/
James P. Barrett
Try printing from MS Publisher or editing an MS Org chart in PowerPoint; neither will work unless you have admin privilege, because both expect to write to %systemroot%.
If MS doesn't care about the problem (and these two examples are still present in the latest version without any apparent intention of being fixed), why should 3rd party software developers care?
Also IE has been around for a lot longer so of course there has been more time to find more exploits.
Which is countered by the fact that Firefox has more transparency. You can throw automated source code validators against the Firefox source, not true with IE.
It is a marketing decision, but it comes straight from Machiavelli's little book, the Prince.
If a Prince is going to distribute benefits, be sure they are announced singly and prominently, no matter how trivial, to maximize their seeming importance. If a Prince will announce taxes or bad news, be sure to collect them into groups and hit the people all at once, so that each has lessened overall impact.
MS has no trouble telling you about new products and features, no matter what day or week of the month. But they save the bug fixes and announcements for one day a month, no matter how critical.
They are following the advice. I'll leave it to the reader to figure out who the Prince might be.
This delay scheme is done as a "service" to all those poor admins out there, who have so many patches to keep up with. MS only tells you how wide open you are once a month. Thanks.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
I'm stuck with an internal development team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything.
Why don't you remove the Internet Explorer shortcuts, set Firefox to be the default browser, and set up a special shortcut to each web application that you do that loads Internet Explorer (disabling the address bar and favourites, of course).
Just because they need to use Internet Explorer for internal web apps, it doesn't mean that they need to use Internet Explorer to surf the web.
Let's pretend for a moment that this would actually work. It's not possible to get people to implement it.
It's hard enough to get any of the browser teams to commit to implementing a complete sandbox, even though that could be done without inconveniencing the users.
It's hard enough to get users to adjust the sandbox that they're already using so that it's as complete as possible, even though doing so imposes very little inconvenience.
Getting users to go through a lot of inconvenience to create a new account to run their browser in, that's really tough.
But even if you could do it, it wouldn't be effective.
A restricted account could still be used to compromise their privacy, it could still be used to destroy data they consider important... their bookmarks, information maintained on websites they connect to, and so on.
And that's assuming it would remain restricted: once I can run native code on your machine, getting out of a restricted environment is just a matter of time. It's easiest on Windows, of course, but even your typical UNIX or Mac OS X box has all kinds of mechanisms that a restricted account can use to extract information from your "real" account, or launch code (directly or through a boobytrap) into the "real" environment.
The only "restricted environments" I have used that I would consider secure enough to not treat malware running in that account as an immediate threat, apart from physically separate boxes, are FreeBSD Jails or completely emulated systems (VMware, Virtual PC, etc).
But we do know one thing that does work very well. And that's having a sandbox that has no holes in its design. That means there's no holes that the developer's reluctant to close, and no holes that users are reluctant to see closed. That means that any holes that do occur are bugs, and as such can be quickly fixed without embarrassment and without discouraging users from applying them.
It's not perfect, but it works much better than a whole sandboxed account, and it's much easier to implement and MUCH more convenient.
So: the first absolute requirement for building a secure web is for the browser manufacturers to commit to a completely closed sandbox. That means there is no mechanism inside the sandbox to get outside the sandbox even as far as to see information stored about other websites. That means: no XPI installers, no ActiveX or Active Scripting, no "open safe files after download", no use of "Desktop" applications to open documents (even if you think the document is local), nothing. Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to explicitly download the document and so move it outside the sandbox, and THEN explicitly open it in the unsandboxed environment. Those two steps must never be shortchanged.
What does that mean to the user, then?
Not much, in most cases. For Firefox users that means they'll have to download XPI files and then load them from the menu or their desktop file manager. For Safari users, no more "open safe files", and no more warnings the first time they open an app because the browser won't ever be opening apps behind their back. For Windows, there would be a bigger impact: a few tools like Software Update would be separate applications, but the bigger impact is that some third-party applications would need to be redesigned to use the new safe API.
Windows, I can see their reluctance. The rest? I don't get it... they're not gaining all that much by having a leaky sandbox, and the fact that even such small leaks can be exploited is sure a good argument for having at the very least no designed-in holes at all.
I expect that Microsoft's "integration" strategy for subverting interoperability will continue to induce pain points in fresh code just as it has done in legacy code.
In a complex design which combines a tolerance for brittleness and nonmodularity with a strong preference for products to fail open rather than closed, that has to be so. It becomes that much harder to meet functional tests, let alone the nonfunctional ones related to security.
Parity: What to do when the weekend comes.
Yeah, talk about FUD -- Slashdot distributes more FUD than Microsoft ever did.
Read the following article:
http://www.eweek.com/article2/0,1759,1815784,00.asp?kc=EWRSS03119TX1K0000594
There are a few points to notice:
1.) The vulnerability has been PRIVATELY disclosed, meaning that the exploit is not openly known by everyone the way Firefox's was a couple of weeks ago.
2.) There is no reason to believe that it will take as long as mid June. According to the above link, "Under normal circumstances, Microsoft patches are released on a monthly cycle, but in cases of emergency, the company could release an out-of-cycle update"
This is just another case of classic Slashdot anti-Microsoft bias.
Please do not mention Lotus Notes ever again. It has been, still is, and looks like it will be, the absolute bane of my existence as a corporate drone. It sucks the life out of everyone who uses it, it destroys and maims everything it touches. It is the worst program/platform/whatever the bloody hell they think it is, EVER. It was designed to incur maximum confusion in the user, with productivity and ease of use kept to an absolute minimum. It is a vile, pestilent disease on the otherwise healthy body of my computer. I could (and am actually rather enjoying) go on about this monumental piece of excrement, but I have to go archive a few megs of mail now, and Notes is SURE to crash on me, AGAIN, then require me to reboot so I can access a puny email from six months ago. As the wise man said, AAAAAAAAAAAAAAAAAAAAAAAAAARGH
The power of accurate observation is commonly called cynicism by those who have not got it. -- G.B. Shaw
Lotus always had a horrible touch with user interfaces. It always amazed me that they couldn't hire a couple of HCI gurus for a couple of hundred thousand dollars to whip it into shape. It's a flagship product, after all.
Notes and I parted ways around R5, when it was clear where the IBM/Lotus people managing the product were headed. They were building a layer of HCI crap over the good stuff in the product, which was nearly a decade old. It was clear to me that the facade they were putting up in front of the product was shaky, and that various long standing issues that the product had weren't going to be addressed.
This, by the way, is the kind of thing that provokes a fork in the F/OSS world, and why this is a good thing.
In some ways what they were doing is completely understandable from a business perspective. It sucks to have a product that you have to educate people as to why they need it. It's a lot easier (and better for quarterly revenue projections) to slap some crappy glitz on it and try to compete for a smaller slice of an (initially) bigger pie.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.