Slashdot Mirror
Several Critical MSIE Flaws Uncovered
An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."
I know some people around the Mozilla camp were a bit afraid of how the media would cover their recent security problems. But, once again, Microsoft's really come through by offering problems of their own to take the spotlight off Firefox.
Is this story a dupe?
I could swear I read about security problems in MSIE before...
I'm stuck with an internal deveopment team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything.
Although exploits were found in Firefox, they were patched rapidly. It's not standard on all our desktops.
I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.
/me sips his coffee and ponders a new sig...
People taking advantage of Microsoft's upgrade release cycle to discover security flaws when there's a month to go to the next upgrade!
I hereby demand that everyone only look for security flaws the week before the scheduled security update so that Microsoft can continue to claim it patches all their flaws in a timely manner!
There's no rush cause we've got something to sell!
m spx
http://www.microsoft.com/windows/onecare/default.
lisa bonet ate no basil
Using IE as a browser is like putting your OS on the internet. Be smart, use a PROGRAM, not your OS to surf the web. Get Firefox http://getfirefox.com.
The dangers of knowledge trigger emotional distress in human beings.
Yes, it is.
The linked article with the flaws is about as useful as lipstick on a pig. So even when there's something to see there's still nothing to see. I think there's some Taoist wisdom in there somewhere.
Weird - the advisory doesn't mention SP2 specifically.Also, it has 'to be determined' next to Windows 2003.
who came up with the clever design idea of making eEye's slogan "Vulnerabilty Is Over" and then pasting it at the bottom of each vulnerability report as if it's a status message?
/. stuff.
reminds me of the Simpsons scene where someone is reporting a crime via a radio and says "over" at the end of the transmission. then Wiggum says "thank god that's over". karma for the first person to find the quote, but I only have the real kind not the
I have often also wondered about all those flaws that have been discovered and not declared, just quitely made use of. At least with open source the oppurtunity for discovery as well as a rapid fix has become obvious.
Chaos - everything, everywhere, everywhen
You need to realize that there's a difference betwen public and private disclosure.
I happen to know for certain that Mozilla was aware of the vulnerabilities to which you speak at least 10 days before they were publicly disclosed.
Take your head out of the sand and realize that there's more going on around you than meets the eye.
That's simply called a "deja-vu", you see, that's what happens when either: the matrix has been modified, or you've been in front of the computer tooo long, or you're dealing with a bug advisory of a ordered group of flaws, bugs and exploits conventionally named "Internet Explorer".
The solution to all these browser exploits (IE, Firefox, Safari) is simple: create a restricted user to run the browser only. This can easily be done in Windows XP/2K, Linux and OS X. Restricted users cannot affect other users or system files. As long as you don't keep important data in this account, you can just periodically erase this user and create a new one.
Browsers are easily the most common way of accessing network resources of all kinds. Virtually all ecommerce, business, data access, etc, goes through a browser. Lots of people access their email through a browser, and that tendency seems to be increasing. This makes browser security absolutely paramount. It is the biggest gateway into the system.
BG: What, Firefox has a critical flaw? They are hogging all media attention for that? Fuck that. Hey tech team, how many more IE vulnerabilities have not been reported yet?
Tech team: 349 that we know of, SIR!
BG: Good. All critical?
Tech team: ALL CRITICAL, SIR! YES SIR!
BG: Good. Hey PR team, take the first 10 of them, contact some security firm and 'leak' them.
PR: YES SIR!
BG: Now we will see what firefox is going to do about this.
(Evil laugh all around)
ALL of the Firefox exploits lately? In the last two years there have been 17 reported Firefox vulnerabilities and 81 reported Internet Explorer vulnerabilities. The browser with the most recent, critical vulnerability is Internet Explorer. Do tell, where does the spotlight belong?
Making the world a better place, one psychotic episode at a time.
Although eEyes' reports look a bit confusing (look at the "Vulerability is over" image at the bottom), I think according to this page http://www.eeye.com/html/research/upcoming/index.h tml there are 3 security vulnerabilities affecting IE and Outlook that allow remote code execution.
The oldest one is 60 days old now and still not fixed.
The remote exploit is why I use OS X.
My time is worth it.
Are you a lawyer?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.
It's called denying iexplore.exe and other apps known to embed the IE OCX the right to connect to the public Internet on port 80, using a software firewall on each machine or a proxy server that only Firefox knows about.
Then why are you so upset? :)
Or maybe they are reporting it properly to Microsoft before publishing all the details.
Almost every week I receive an email or an IM of a friend complaining their pc's are full of spywares, porn and gambling pop-ups, search bars, or: "I can't reach Google! Oh my God, it just opens porn!". I always say: "Try another browser, Firefox is pretty friendly". A friend of mine switched back to IE just because Firefox sorted her imported IE bookmarks alphabetically, instead of keeping the old order. Come on, it can't be only this.... MSIE must be addictive somehow...
"LATELY" not FOREVER. The rise of Firefoxs popularity has seen the increase of exploits and vulns. Read, dont translate.
You'd do well to take your own advice. The author wrote of taking the spotlight off all the Firefox exploits lately, implying there have been more for Firefox than Internet Explorer. For what period has that been true?
Making the world a better place, one psychotic episode at a time.
Which is fine for them and MS, but that still leaves us with nothing to discuss in regards to the flaws so there was no point in posting the story.
It should have a Javascript DOM-based moving or something. Marquees are, like, so IE3.
Better yet, be thoughtful of screen-reader users, and make it a static list that has scrolling abilities.
You can hold down the "B" button for continuous firing.
According to Secunia, Firefox has 17 advisories. But this does not equal 17 security errors, since many of them are 'multiple vulnerabities'. Similarly for IE.
You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.
In Secunia's own words:
Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important.
I'll probably be modded down for this...
But to say there is nothing to discuss in quite disengenous. What needs to be discussed is why these holes continue to exist in MS products.
You are being MICROattacked, from various angles, in a SOFT manner.
No, it hasn't. The rate of flaw discoveries in Mozilla's applications (Firefox included) has remained statistically level since before Firefox was called "Phoenix." Quite obviously, the Mozilla Foundation's marketshare has not remained steady since then, as you argue.
Security through obscurity doesn't work. It is a fundamentally flawed concept, which I would've thought Slashdotters realized. To suggest that an open-source project like Firefox doesn't know that is simply absurd.
The rapid response of the Mozilla Foundation, even if the ten-day hush-hush rumor is true, far outpaces Microsoft's publically announced thirty day delay after this vulnerability's announcement. And that's not counting the delay between the IE flaw's discovery and announcement.
It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
What holes? Can you explain to me just how serious these holes are? Can you explain to me what they do? Can you explain to me if threat of these being exploited is real?
I eagerly await you reponse. Because that is the information I would like to have and feel the need to have in order to discuss them. Without that information we're left to make assumptions.
By your logic, a program written by a first year student who didn't pay any attention to any security would have as many flaws discovered as a program written by an expert who tested for vulnerabilities
As long as both of them had the same number of users.
In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.
I suspect you are right about this, Microsoft is certainly tired of IE issues flogging them. This is why I suspect that IE7 will give Firefox a run for it's money of even possibly kill it. MS knows all eyes will be on IE7, and has probibly done a lot of work from the ground up on it with security spacifically in mind. I think all the FF fanboys my be dissapointed when IE7 comes out.
On the other hand, we are talking about Microsoft, so who knows...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Sorry but I need to say this..
'Mozilla 1.0.3 vulnerabilities'
That would be Firefox 1.0.3.... Mozilla Suite aka just mozilla and FireFox are two separate programs and have very different versions. Saying Mozilla 1.0.3 is very misleading. Please use the correct name or it makes your news story look very silly. Who cares if a version of mozilla from 2002 has security holes.
</rant>
Belive in Technology and AMAZE yourself. -- RIP ZDTV/TechTV
It also may be a good idea to compare the criticalness level of MSIE vulnerabilities to the Firefox ones that get published.
People just don't bother with minor problems in IE -- on the other hand, there is much vested interest in digging every smallest issue in Firefox, and dragging it into the press.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found...
Logically found? That's assuming all other things are equal, such as level of difficulty for discovering vulnerabilities in each. Clearly this is not the case. You can't go to the Internet Explorer home page and download its source code.
Making the world a better place, one psychotic episode at a time.
Is Internet Explorer still really of any benefit to Microsoft? Once upon a time, it might have been used to push ActiveX, or reinforce the Windows platform by encouraging integration. But security worries, and legal trouble, have put paid to that...
To my naive eyes, it seems that IE is more trouble than it's worth. It's earlier bugginess puts a weight on later development to duplicate previous rendering errors, and it is strongly challenged by Opera, Mozilla, and the like. Also, their developers have to take care not to break compatiability too much - or at least, to sort out how to get various plugins to work with newer versions. The whole thing is a running sore with regards to their reputation, and the number of idiots running the browser means everything has to be dumbed down.
It seems that the wise thing for Microsoft to do, simply from a selfish level, is to ditch the IE project. Open source what can be open sourced, develop a light, secure, bare-bones and idiot-proof version for bundling with their OS, and re-dedicate their resources elsewhere.
Internet Explorer has no future.
...scientists report that water is wet.
It seems like, every day, I'm reminded that my Opera purchase was a good decision.
Really, I've been amazed, for YEARS that anyone uses IE. I've been amazed for MONTHS that anyone uses Firefox. But that's just me.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Organizations want to schedule their downtime and the "Black Teusday" policy makes it easier for them to do that and keep good looking metrics. All the places I've worked at have a scheduled outage the second Friday of every month. This gives a few days to do test deployments of the patches before rolling them out to the enterprise. Metrics still look great because IT can say they deployed all critical patches in under three days.
This is a surprise to anyone?
This is Microsoft we're talking about here. Color me cynical if you want, but they've never done anything more than lip service with regards to anything other than their own bottom line.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Actually, I'd expect that each version of a piece of software has some finite number of vulnerabilities V, and I'd think that with a user base U that after an amount of time t you'd have found a number of exploits something like E = V(1 - exp(-a*U*t)), where "a" is some constant for that particular piece of software. Yes, I just pulled that out of my ass, but the point is that I'd expect diminishing returns with more users and time, since eventually you will have found all the easy to find vulnerabilities and it will take longer and longer to find the really obscure ones.
You seem to be suggesting a linear relationship E = a*V*U*t. Notice, that will be a good description of my model at very early times (t much less than 1/(a*V*U) ) or at all times in the limit a -> 0 and V -> infinity while V*a stays finite. Now it seems unlikely that we can think of IE being in the early time stage of behavior, but, admittedly, maybe an infinite number of vulnerabilities is a good model for IE; however, I wouldn't expect a linear model to work very well for most software.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
Microsoft has a vision of an integrated web desktop (or at least used to)... Eliminating IE would put a damper on that, to say the least.
Try printing from MS Publisher or editing an MS Org chart in PowerPoint; Neither will work unless you have admin privilege, because both expect to write to %systemroot%.
If MS doesn't care about the problem (and these two examples are still present in the latest version without any apparent intention of being fixed), why should 3rd party software develpers care?
Well, that I respect: declared stubbornness. But don't give me the Bookmarks bullshit...
It's just a question of marketing. By limiting the patches to once a month, it /seems/ as if the number of security vulnerabilities actually is not that big. A lot more Joe Users would start raising questions if they saw that they have a security flash popping up twice a week...
You raise a very valid point.
With a slogan that goes "It's very similar to a harem with 1001 women!"
Unfortunately... one of IE's big strongholds is the flaky ActiveX stuff. It has allowed a LOT of vendors to build browser-based apps to do stuff rather than have to build actual programs. Maybe if one of the alternative browsers magically included ActiveX support, we could ditch IE, which, coincidentally, requires an MS OS (except for Macs, which have what, 1% of business pc market?)... Since IIS gives everyone a free "development" platform, I don't see vendors rushing to use real development tools to build replacements for these IE "apps" any time soon. And hey, since we've got the MS OS, and browser, and web server, heck, let's just go all MS... ka-ching!
"Would it kill you to put down the toilet seat?" -- Maya Angelou
He said Microsoft was alerted to the first vulnerability March 16.
That bug was found in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.
Default install problem. Minimal user interaction.
According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.
http://windowssecrets.com/comp/050512/#story1
As of today, Secunia reports that there are still 19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only 4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has none.
Oh. It's 19 now.
Sorry. You're right. Nothing for *you* to see here.
You are being MICROattacked, from various angles, in a SOFT manner.
Yes. People are still and allways will be stupid. Next question.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
And now, let's look at the next quote. So what's the administrator thinking on this one? It's pretty simple: "Okay, so now this damnable embedded application, this junk browser that has to be on my operating systems, isn't gonna be patched for a month? The way they did it before would have been acceptable if I could patch the application without worrying about it breaking the OS or making me reboot. But NEITHER of these patching methods works well for me. I've either gotta patch applications that might destabilize my systems all the time, or I've gotta give hackers the keys to my network for a month!"
So, while the point you're trying to make - i.e., that neither of the upgrading options Microsoft has provided are acceptable to admins - is a valid one, it's a situation Microsoft brought on themselves.
Others have already touched on the subject of lock-in and its obvious economic advantage. But another reason for this strategy is simply control.
Microsoft always talks about a long-term vision for computing. It's a lot easier to bring about that vision when you directly control the components used to bring about that vision. And that means controlling the implementation of protocols as well as setting defacto standards.
I couldn't see it being in Microsoft's interest to simply hand something as widely used and therefore important as web browsing over the a third party.
"Bass-o-Matic School of Persuasivist Languaging."
Like it, Centurion, like it.
Ugh, are you serious? I was hoping to deny write priviledges to WINNT and WINNT/system32 for the machines I admin to try to cut down on spyware/malware since they like to install there. Guess it could break some apps.
I suspect I'm a repeat but here goes.
MSFT's integration of their web browser into everything has backfired. You can no longer just *issue* a fix because you'd affect thousands of production level computers. Most of you who patch your workstation think...oh, this security patch will fix xyz and that's that. But they really do need regression testing as I have seen first hand the clusterFSCK an untested patch can do.
It's much easier to patch a Linux workstation because even if they have a few insecure services or applications, due to the OS design it's difficult to break the functionality or compatibility.
Once on MSFT XP Home, a prevalent patch fix broke my cousin's HP laptop and no one knew what had happened. He couldn't use the laptop for more than 5 minutes before it froze up on him. Literally, no BSODs or anything, just froze up. Since he was busy he didn't send it in for repairs or ask me for help. Almost 2 years past by before I take a look at it and fix it in 30 minutes.
It took a BIOS patch to fix it.
Turns out one of MSFT's APM compatibility patches broke it.
String handling is not not the only kind of parser attack, and buffer safe routines do not necessarily protect you from the full range of buffer issues that can occur. Integer issues in particular are a growing concern even with buffer safe libraries. Your average programmer does not have an in depth understanding of the C standard on things like type promotion and sign extension. Google on David LeBlanc's SafeInt library and look over the code for some in depth understanding of this.
Of course, there's a lot of fertile territory in parsers for all sorts of non-buffer related exploits. Cross domain context and external includes were both used in the most recent Firefox exploits. These issues are not unique to XML and HTML formats. I've seen exactly the same problems occur in binary OLE document handlers. This is why I stated that the parsers as a whole are complex issues. They touch so many areas and intermingle so many other concerns that they can be a security nightmare.
Do tell, where does the spotlight belong?
I would say Firefox. 3/4 of our machines were FUBAR'ed with the lastest Firefox update. I'm not the only one. IE at least still works. Firefox is DOA (was DOA until I had to remove it from all of our machines). Check the Firefox message boards. The latest release doesn't even *launch* successfully on many machines. I'd much rather have security problems than a browser which doesn't launch, and instead sits and chews up resources behind the scene.
I don't respond to AC's.
*sigh*
The spotlight belongs on 1) incompetent programmers 2) bloated insecure code 3) a culture of "responsible disclosure" that encourages the release of buggy, insecure code that will be patched and patched indefinitely.
I don't care how many security holes are in IE, or in Firefox. The question is, "does this program have at least one critical security problem"? The answer is yes to both products. They are both bloated and insecure as far as I'm concerned.
Don't fool yourself into thinking that an open source license will magically turn programmers into gifted developers. Firefox is huge and complex, I don't expect we'll ever see an end to the security holes.
I really don't know the solution, short of writing my own stripped-down browser that runs every module in a chroot jail (which would actually be a good idea, I think djb is working on that), but that's the world we're stuck in.
I see no value in recommending Firefox over IE or vice-versa.
When I see Firefox developes hack together & release a non-trivial fix in an hour with practically no testing, it makes me squirm.
Thanks to all who pointed out that changing the culture involves also changing the behaviour of application developers.
Does anybody know a sensible way to write a reduced-privilege application for Windows? That is, one that is launched by an administrator but runs as a non-administrator version of the same user.
It isn't a solution to run the app as guest, because the app would want to access the documents and settings of the actual user.
If this were possible, responsible application developers could use the facility to make sure that any system breaches were "not on their watch."
These are the voyages of the browser Explorer, It's mission; to explore strange new exploits and seek out new viruses and hacker civilizations, to boldly expose data not exposed before!!
*cue music*
Cake or Death? Cake Please!
Let's pretend for a moment that this would actually work. It's not possible to get people to implement it.
It's hard enough to get any of the browser teams to commit to implementing a complete sandbox, even though that could be done without inconveniencing the users.
It's hard enough to get users to adjust the sandbox that they're already using so that it's as complete as possible, even though doing so imposes very little invenvenience.
Getting users to go through a lot of inconvenience to create a new account to run their browser in, that's really tough.
But even if you could do it, it wouldn't be effective.
A restricted account could still be used to compromise their privacy, it could still be used to destroy data they consider important... their bookmarks, information maintained on websites they connect to, and so on.
And that's assuming it would remain restricted: once I can run native code on your machine, getting out of a restricted environment is just a matter of time. It's easiest on Windows, of course, but even your typical UNIX or Mac OS X box has all kinds of mechanisms that a restricted account can use to extract information from your "real" account, or launch code (directly or through a boobytrap) into the "real" environment.
The only "restricted environments" I have used that I would consider secure enough to not treat malware running in that account as an immediate threat, apart from physically separate boxes, are FreeBSD Jails or completely emulated systems (VMware, Virtual PC, etc).
But we do know one thing that does work very well. And that's having a sandbox that has no holes in its design. That means there's no holes that the developer's reluctant to close, and no holes that users are reluctant to see closed. That means that any holes that do occur are bugs, and as such can be quickly fixed without embarassment and without discouraging users from applying them.
It's not perfect, but it works much better than a whole sandboxed account, and it's much easier to implement and MUCH more convenient.
So: the first absolute requirement for building a secure web is for the browser manufacturers to commit to a completely closed sandbox. That means there is no mechanism inside the sandbox to get outside the sandbox even as far as to see information stored about other websites. That means: no XPI installers, no ActiveX or Active Scripting, no "open safe files after download", no use of "Desktop" applications to open documents (even if you think the document is local), nothing. Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to explicitly download the document and so move it outside the sandbox, and THEN explicitly open it in the unsandboxed environment. Those two steps must never be shortchanged.
What does that mean to the user, then?
Not much, in most cases. For Firefox users that means they'll have to download XPI files and then load them from the menu or their desktop file manager. For Safari users, no more "open safe files", and no more warnings the first time they open an app because the browser won't ever be opening apps behind their back. For Windows, there would be a bigger impact: a few tools like Software Update would be separate applications, but the bigger impact is that some third-party applications would need to be redesigned to use the new safe API.
Windows, I can see their reluctance. The rest? I don't get it... they're not gaining all that much by having a leaky sandbox, and the fact that even such small leaks can be exploited is sure a good argument for having at the very least no designed-in holes at all.
Note to security companies: Schedule your next flaw announcements on June 15.
Yes, everyone on the same date.
I wrote: "Any application you hand off a document to has to be one that has an equal commitment to maintaining that sandbox. If the user wants to do anything like that, they have to..."
Then I changed the sense of the preceding sentence when I was previewing it, and didn't notice that changed the meaning of this one. What I meant to write was "If the user wants to do anything more than that, they have to..."
[ActiveX] has allowed a LOT of vendors to build browser-based apps to do stuff rather than have to build actual programs.
The really interesting thing here is that the ActiveX based applications aren't any less complex than a standalone application that injected the ActiveX components as plugins inside a customized HTML control, and they're no more convenient for the user than downloading an application would be because right now it's a LOT harder for a user to figure out how to selectively grant the rights to the webpage that's running the applets than it is to download and install an application. It would be possible for Microsoft to completely eliminate the pain of locking down ActiveX simply by providing a simple conversion kit that created this application with the ActiveX plugins bundled into it, and removed the ActiveX launch capability from the common HTML control. Then the user would download the application as an application, and install it as an application, and these applets would exist IN THAT APPLICATION but they, as well as other ActiveX components out there on the web, would be safely ignored by the common HTML control everywhere else in the computer.
At the same time applications like Windows Explorer or Software Update would have to be modified to do the same thing with their custom extensions to the HTML control.
The other "extra rights" (or rather, the code that implements these capabilities) that IE gives to local pages, like running local scripts, could also be injected by the controlling applet the same way.
So long as they didn't then put in code for IE to automatically install these "Windows Dashboard Widgets", they'd be perfectly safe. This is how KDE's Konqueror handles potentially unsafe extensions (they call them I/O slaves). It's how Dashboard adds them to WebCore (well, except for Safari installing them automatically... Safari doesn't even need to know they exist). It's safe, secure, convenient, and I really expected Microsoft to come up with something equivalent SEVEN YEARS AGO after the first HTML-based malware showed up. But, no... and now it's hard for them to go back.
I might change to lynx....
Does any of the information you present answer any of the questions I asked?
No? Thank you.
Does it even all pretain to the orginal submission which is what was being discussed here. No again.
The only thing for me to see here is people like you who want to have a pissing contest.
Don't even give me the "Default install problem. Minimal user interaction." as real details.
Minimal user interacation? That could mean anything. Without the details this could be a "Who cares?" or an "OMG!". We don't know.
It's not that this stuff shouldn't be reported and run up the proper channels. It's that there's nothing this type of story can lead to expect for +funny comments, some IE vs Firefox flame wars. Some Win95 jokes, and some very generic security discussions that won't even center around the flaws in question (since people don't know enough to discuss them).
Yes, that's the kind of thing I want to implement in a large organization:
"Here, user who can barely remember their logon ID, (and continually calls the helpdesk for a reset of their forgotten complex password), here's a second logon that will allow you to violate all of the restriction on your computer"
Seriously, how can you be that stupid?
Just for a moment, grant that assumption, then let's look at where it leads...
About as soon as Mozilla/Firefox is dead, Microsoft will begin migrating people off of the IE team, most likely onto the new XBox to compete with Sony, the base OS to compete with Linux, media stuff to compete with Apple, etc. Thereafter IE will stagnate, again. There *might* be enough people left on IE to keep chugging security fixes, but more likely they'll spend more time doing IE integration things with XBox, base OS, and media stuff, etc.
Take a look at the track record. Whenever Microsoft had smashed the competition in one arena, they have NEVER kept up the advancement, there. It doesn't make economic sense to let it do anything other than stagnate.
So the simple truth is: If you want good products from Microsoft, make sure they have competitors.
The corollary: Without competitors, Microsoft's products stagnate into a mess.
The living have better things to do than to continue hating the dead.
you had me at #!
I've never had a problem with Publisher 2003 needing systemroot access. If you're running older versions, you don't need to give them root access. All you need to do is give them write permission to the directory without replacing the permissions on the files within, that way nothing alter existing files. There's nothing special about systemroot other than it's a place many system files are stored.. let the user create new files there isn't going to comprimise security any more than letting them create new files somewhere else.
If you need web hosting, you could do worse than here
I don't know what to say except that I have Publisher 2003 on locked down machines, and it won't print without admin access... and I did both KB and Google searches confirming the issue and the lack of a resolution. Since you're not experiencing the problem, perhaps your machines aren't as locked down as the ones I work with - and while it certainly is a %systemroot% issue with MS Org, it could be registry or something else for Publisher... I filed the 'resolution' in my company's support database months ago and haven't kept the details between my ears.
Anyone know where I can get the patches? I don't wanna be vulnerable.
One-line Patch: A kludge so trivial that no testing is necessary. Repaired with another one-line patch. See Recursion.
Recursion: See recursion.
Mit der Dummheit kämpfen Götter selbst vergebens.
Cute.
I would guess that maybe less than 10% of all users download XPIs from anywhere but Mozilla.org. Add to that that if you downloaded an XPI from someone already, why would they post maliciously this time, and not the previous time.
As far as I know, the speed of resolution meant that not a single machine out there suffered from an attack.
eEye? eEye! Oh...
Let me see if I got it right...
Older versions don't require systemroot access, while newer versions do?
Weren't some things called "security issues" ever thought of?
> see journal
You don't have a journal.
My other car is first.
No, you did not get that right. Reread what I wrote.
If you need web hosting, you could do worse than here
Printing? It's probably writing to the spool folder for some reason. Give the spool folder write permissions for the users. You don't need to give the users administrator privs.
If you need web hosting, you could do worse than here
if MSIE was a seperate app that didn't have ties to the actual OS, then all these security vulnerabilities wouldn't have existed in the 1st place. i'm guessing they really wanted to integrate their software and make it easier to use and allow for windows updates and etc.
personally, i think they should've made MSIE a seperate program altogether and avoid all these problems. windows update can be a seperate program that you find in accessories->system tools->windows update. but if that was the case, they wouldn't have been allowed to bundle ie with windows. i guess there were trade-offs in doing it this way.
HD Trailers
Yeah, talk about FUD -- Slashdot distributes more FUD than Microsoft ever did.
s p?kc=EWRSS03119TX1K0000594
Read the following article:
http://www.eweek.com/article2/0,1759,1815784,00.a
There are a few points to notice:
1.) The vulnerability has been PRIVATELY disclosed, meaning that the exploit is not openly known by everyone the way Firefox's was a couple of weeks ago.
2.) There is no reason to believe that it will take as long as mid June. According to the above link, "Under normal circumstances, Microsoft patches are released on a monthly cycle, but in cases of emergency, the company could release an out-of-cycle update"
This is just another case of classic Slashdot anti-Microsoft bias.
Better yet, why don't you actually try to figure out what it's trying to do. Download filemon and figure out what it's trying to access and then only give the privs necessary to make that app work.
If you need web hosting, you could do worse than here
I read the Security Bulletin; but, I see nowhere that that anybody says whether or not the vulnerabilities will be covered in this release.
My lame blog.
History repeats itself once again ... Microsoft taking the work of others and integrating it into their product, only bigger and flashier.
...Microsoft will offer a security patch for IE fairly quickly outside of their normal security patch release cycle. After all, a couple of months ago they did exactly just that for a serious browser flaw in IE 6.01 SP1.
You folks are forgetting that Microsoft does take the security alerts from Secunia very seriously, as they should be. I expect a patch to be available within 5-8 days from now.
Famous last words.
"except I would make the small corrections that there is an automatic update mechanism"
Yes, a brilliantly designed update mechanism that downloads the entire updated browser.
Allowing code to download and execute while online is absurd from a security standpoint. Anyone who thinks there is a 'safe' way to allow this is niave.
Charles Angelich
I happen to agree with parent. Shame it got modded down by some bigots. MS is getting better, and the open source community is finally starting to get a taste of the bullying MS has had to tolerate. Only MS is kinda numb to it now and does things their own way.
Here is my home page.
I suspect fuzzing a running program probably leads to finding more security holes than looking at source code.
Let's assume you are correct in that more security holes are found by fuzzing a running program than by looking at source code. That is conceding that some security holes are found by looking at source code. The source code for Firefox is freely available. The source code for IE is not. It follows that of the total number of vulnerabilities found, the percentage found by people looking at source code is higher for Firefox than for IE. So all things are not equal and it does not logically follow that the percentage of Firefox vulnerabilities discovered should equal its usage share. Or in other words, you agree. You could have just said so. ;-)
Making the world a better place, one psychotic episode at a time.
Which will also negate the need for more bandwidth so sorely lacking in the USA. Nothing quite like killing two birds with one stone.
I was referring to *his* journal, regarding his old sig. Doesn't matter now...
Igor Presnyakov stole my hat
Type about:config in the URL bar, then scroll down to a line that says "browser.turbo.enabled". Double click on that value and change it from false to true. It speeds up the start and performance somehow (not exactly sure how)
PlainOldFavorites will give you a "Favorites" menu in Firefox, which directly accesses your IE favorites. It's a bit slow, but it will provide identical-to-IE favorites inside Firefox, even if for nothing other than fixing the arrangement of the imported stuff.
... according to the eWeek article from the 13th. They also say it goes back as far as NT4, but 2k3 isn't mentioned at all.
until they fix the bug. ...
... isn't that a reasonable response?
...
What, it's what MSFT was saying about Firefox
Good thing I use Opera and Firefox
-- Tigger warning: This post may contain tiggers! --
MSFT's integration of their web browser into everything has backfired. You can no longer just *issue* a fix because you'd affect thousands of production level computers.
...
So, does this mean that the fix for this flaw is to totally replace Win every time there is an IE flaw?
Ooh, i can smell the upgrade fees
-- Tigger warning: This post may contain tiggers! --
Fanatically worded but largely true. There is no excuse for writing a buffer overflow in the 21st century. Everyone who calls himself/herself a professional knows how to routinely avoid such pitfalls.
For years, Microsoft deliberately created defective software in order to continuously sell upgrade after upgrade.
It sure seems like it. But I think you're ignoring good ol' Hanlon's Razor here. It's much more likely that they deliberately did little or no QA, and naive programmers did foolish things which went unchecked. This is even easier to believe if you've worked with "professional" programmers and witnessed the things some are doing even to this day.
The Internet is full. Go away.
I don't believe this to be literally true -- UNLESS you always start IE within the first few minutes of a reboot. MS-XP monitors your boot and some segment of time after a reboot to determine your most likely startup drivers and programs. If you always load IE, immediately on reboot, it will end up being preloaded -- if you always load T-bird, it benefits some as well (as I've noticed in my own usage). The same would go for FF, but both T-bird and Firefox are large apps, and the space on disk MS reserves for startup programs (it reserves a large contiguous area on disk that it can read into memory at boot with one big read (ideally)) is of a fixed size. I doubt all of even T-bird, let alone T-bird+FF would fit after it has stored the OS, used drivers, the login/authentication code, the "Shell (GUI)", security & other tray add-ons.
IE benefits over FF simply because of "DLL" re-use. IE and Explorer use the same HTML rendering and display libraries -- so if explorer has been loaded and asked to display HTML content (folders with "common tasks", active desktop background, probably others), those librarys are already in memory.
Firefox suffers in this area because the project "re-invents the wheel" so their "wheel" can be used across several platforms. This is most easily seen with on the HTML display panels, where FF correctly renders some pages that IE won't, but also FF's smooth scroll function isn't as smooth as IE's native/built-in. As long as FF and T-bird don't use any local-OS libraries that may already be loaded in shared memory (as Konquorer might benefit on Linux from similar effects vs. FF on a KDE desktop), they will be at a disadvantage compared to those programs that share the same code.
-l
You just stated the reason why everyone qualified to have an opinion not on the MS payroll directly or indirectly believes using IE to be more dangerous. Back when I was using Windows as a primary OS, the second thing I did after installing it was to use 98lite to remove IE completely from the OS. The first, of course, was zapping Active Desktop.
Tech Public Policy stuff