IE Flaw Puts Windows XP SP2 At Risk
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
That the bigger problem is the platform IE resides on.
A security flaw in Internet Explorer! Stop the presses! Oh my God! This is such BIG NEWS!
Currently hooked on AMP
Luckily I didn't install SP2!
"It's too bad that stupidity isn't painful." - Anton LaVey
I am TheRaven on Soylent News
So try to look at this site http://www.thelovesearch.com/ using Microsoft
Internet Explorer. It will try to convince you to use Firefox using
sex appeal.
If we could convince all porn sites to only support Firefox the battle
would be won in a few weeks.
Or am I dreaming now ??
At least according to slashdot anyway.
IE is insecure, and its insecurities are compounded by how much it is tied in with Windows.
Issuing patches is just playing catch-up in a game that Microsoft will never win. However addressing the fundamental problems (such as how much IE is tied into the operating system, not preinstalling every Windows installation with IE) IE's problems will always be larger.
... they'll have patches next patch Tuesday!
2b || !2b =?
Download the patch here.
This just in: using Microsoft Windows and Internet Explorer puts you at risk! Film at 11!
Please correct me if I got my facts wrong.
The bigger problem is how to neatly remove IE from Windows systems. I continue to believe that open source geeks can find a way to do this. Heck, so much has been done by open source programmers without M$ support at all. Do not be surprised when some geek releases a tool/utility to do just that.
Does it work on Windows Server 2003?
A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.
What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
I think the real news is not the fact that there is a new vulnerability, but that (from the second link) there are still 12 unpatched vulnerabilities allowing remote or arbitrary code execution found by one organisation. The oldest of these was reported in March.
I am TheRaven on Soylent News
Doesn't Microsoft demand you use IE to patch Windows? Sure you might make it a bit more secure by getting rid of IE, but you'll still need those updates (but I guess you can illegally download those off p2p, just have fun trying to avoid the viruses as well).
Ntlite does just that. I have a windows installation (XP Pro Corp SP2) that fits on a minidisc.
Protection for the said vulnerability is already provided by eEye: Blink Endpoint Vulnerability Prevention. hmmm...
95% of all sigs are made up.
- releasing a patch after the report of said vulnerability
- buying an antivirus company
- buying an anti-spyware company
Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable. What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?
Ok, so now we get the news on the latest security vulnerabilities in Windows and other Microsoft software. Great. How about vulnerability announcements in popular software for *nix? I personally don't have any use for announcements for Windows vulns, because I don't use it anyway.
So can we please get equal time share for *nix vulnerabilities, or, better yet, provide a way to filter out vulnerability announcements for software we don't use?
Please correct me if I got my facts wrong.
But in all seriousness... How could Microsoft have NOT noticed that there could be security issues with integrating their browser so closely with their OS? I'm not saying that they should have caught every bug in their software, but the overall idea is kind of boneheaded when you think it through from a security standpoint. And I'm assuming that the same sort of lovely integration is going to be available as a feature in Vista. Woohoo...
Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.
Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.
The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, prevented the state government from its plans to go for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key, or otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as these days. A near-monopolist can always get away even with serious security flaws.
If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.
One up for Mozilla
This has been discussed before and seems to start flamewars.
Yes there is a way to remove the IE engine from Windows 2000's installation files (and indeed integrate IE6 into them, since 2000+SP4 comes with IE 5).
The method of doing so is here. However it breaks things such as Windows help, Windows Update and lots of miscellaneous parts of the OS. For me at least, it made the OS almost unbearable, introducing a lot of annoyances. Although to be fair, I followed the post-install instructions...in theory, pre-install removal should be smoother.
No. You need IE to use windows update, but all of the patches are downloadable as .exe or .msi installers. The problem is that when you use the files, there's no good way of knowing which ones you've installed and which ones you haven't. That's what makes windows update so useful.
Is this supposed to be news at all???
come on...sun rises in the east...magnets point N-S...u dont publish that as news...
note to mod: delete this discussion...
The fundamental problem is not how much IE is tied into the operating system. The fundamental problem is that, as another poster has said, the operating system it is tied to violates the principle of least privilege repeatedly in a way that more secure systems do not, and security is layered onto it instead of being built into it, making securing it an eternal effort consisting of filling holes that never go away. A big part of this is the whole concept of ActiveX.
If IE were not tied into the OS, MS would find another way to force "remote administration capabilities" on users without their actively enabling them, which is what most of the problems stem from, I think.
Currently hooked on AMP
You should consider the Microsoft Baseline Security Analyzer. It will scan your computer (hell, it will remotely scan all the computers on your domain if you want), tell you what you have or don't have, and give you links to the download.
funny munging
Has anyone here actually run their software? Thoughts?
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
What is big news is that memories are so short that every time such a problem is publicized, it is quickly forgotten and we all go back to bleating the mantra "All you need to do is patch or buy the upgrade". Seriously, continuing to treat security problems simply as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).
I'll parlay it by saying that when Firefox has 'vulnerabilities' (as the genius in this article pointed out)... at least it doesn't give the ability for an attacker to "enable a remote attack on systems running Windows XP with Service Pack 2".
So I'll stick with my more numerous, less invasive, and quickly fixed Firefox 'vulnerabilities' instead of my IE's less in number, more damaging and slower to be fixed 'vulnerabilities'.
Yup... IE sucks.
The price is always right if someone else is paying.
Homer: OK, Start the presses.
Editor: That takes four hours...
Homer: Whatever, I'll be at Moe's.
So what exactly is the nature of the attack? All I see is "IE vulnerable" and "here buy this product and you'll be more secure". Gee thanks.
I mentioned it in another article, but the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.
I'm a pretty experienced computer user, EX-Windows developer (networking now), MCSE and while I can install Linux and get around it, I don't have a clue of an idea how to do a lot of things, including at times, install software (though I've figured that out with yum and rpm haha!). Either way... until Linux offers the eyecandy that OS X does, with the compatibility that Windows offers... it will still be the DESKTOP choice of nerds.
I'm waiting for the next version of KDE for some improvements but in reality, I think there's a lot more to be done at even a kernel level to make some things more idiotproof.
The price is always right if someone else is paying.
Weee Micros~1 Genuine Advantage REQUIRED to download the tool.
Fucking nosy bitches at Micros~1, when is it enough?
Turn off ActiveX, in fact turn off everything in IE (scripting, install, etc) in the "internet" zone.
Now, the easy part: add microsoft.com to the "trusted sites". In fact, if you surf to the windowsupdate site with activex turned off you get the message of exactly what to add to "trusted sites".
Sleep easy knowing that (a) windows update works (b) nothing else works. Happily use Mozilla for your web browsing.
Reality, however, is quite different from how MS and MS fanbois would like it to be. Vulnerabilities can be exploited "by hand" though MS would like people to believe that only automated attacks like MS worms and MS viruses count. They must have truly constructed a really bizarre little shared reality there. Much of the defense of MS only makes sense if you stop looking at it as a common business or technology and more like a political movement and ideology.
How about a slashdot quiz: Which of these things is not like the others?
"The flaw is not wormable but allows for the remote execution (of code) with some level of end-user intervention,"
Microsoft's Windows XP with SP2 is designed to make it more difficult for attackers to run malicious software on users' computers.
"some level of user intervention" can mean anything. It can mean they have to download an executable disguised as an image and change its filetype. It can mean the user has to click an "OK" button. They're basically telling you nothing about how much you are at risk. "You're at risk, but we're not telling you why, how, and to what degree."
And when they tell you that SP2 made it more difficult for arbitrary code to be run on your computer, they're probably talking Windows Firewall. And for those of us who (unfortunately) downloaded SP2, we can all testify that Windows Firewall is useless, and it was the first thing I disabled in services.msc when I got SP2.
The Blood-blagger-Beast-of-Trawl defense has been scientifically proven.. That is if EVERYONE was as bad at coding as Microsoft.
Mods, Please add "Circle Jerk" as a new /. section. Then people who want to avoid the "OMG, Microsoft's programs have vulnerabilities!!! O GNOES!!!11!1" sarcasm can skip articles with the new "Circle Jerk" icon. Email me if you'd like me to start Photoshopping said icon.
Thanks,
Lars
Security is after all about restricting access. Most extreme way to keep a computer safe is to make it impossible to access. Want a safe websurfing session? Easy just take out those little cables in the back of your computer, the power, the network and the keyboard one would do for starters.
But that kinda security doesn't work because we want things to be easy. What is an often heard complaint about windows vs unix security? That by default windows has the user logged in as root, the defence being that users don't want to have to type in a password just to install software.
MS could easily introduce unix like root-user separation, they used to be a unix company after all. Some linux distros make it very clear when you run your desktop as root and some IRC proggies even flatly refuse to run when you are the root user. MS could easily do the same, refuse to access the net when running as root, force the user to get software under their normal account then install it from the root account, this would force the user to think for a second.
But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.
I don't think MS isn't aware of the risk this poses, I think they view this as the same way as credit card companies view the risk of how easy it is to abuse their card system. Or how easy it is to learn a 4 digit pin number. Would be very easy to make these multi billion dollar payment systems more secure. But it would also introduce a lot more difficulty that might reduce their usage.
So MS probably has people who have a solution to this but it would make windows a lot harder to use, marketing might have a thing or two to say about it. Hell support might too, would MS really want to deal with all of its users suddenly having to learn the concept of user vs admin?
In a way the public has the final say in whether windows ever becomes secure. The same public that buys SUV's which are the most lethal vehicle on the road 4x times more likely to kill if you hit a pedestrian than other cars. The same public that flies with cut-rate airlines offering flights at prices cheaper than the ride to the airport. The same public that still buys each new version of internet explorer after a decade of security alerts.
So from a business perspective why doesn't some big-wig at MS do this? Because the big-wig wants to keep his job. Insecure windows sells, slightly more secure linux does not. It is not greed, it is common business sense. You give the customer what they want. MS is very good at that. Compare it with McD, they used to sell lard with flavor. They only added a few salads after customers started demanding them with their dollars. McD did not fight this, there had to be no legal battles. As soon as they noticed demand, they supplied. Sure they didn't supply it in say the 70's because a few leftie protestors do not equal demand. A bunch of guys at slashdot complaining does not equal demand to MS.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Secunia has very informative pages about the relative security of IE and firefox.
Firefox
IE
The problems with firefox compared to IE are:
IE bugs are more frequently critical
IE critical bugs take longer to patch
Fully patched IE is less secure than Fully patched Firefox
You can download the patch below. They've done, actually, an impressive job with it because, by way of a "peace offering" to the Web community, they've incorporated quite a large number of features from IE7 and future releases far earlier than expected.
The changes are actually pretty dramatic, with even some significant alterations to the UI and a number of fixes to the bookmarks system. Enjoy.
http://www.mozilla.org/products/firefox/
Chr0m0Dr0m!C
IIRC, one of the things the Wine project is working on is replacing Internet Explorer with the Mozilla engine (so that you don't need to install IE to view HTML Help under Wine, for example). Depending on how well that works...
Does that work without IE?
It looks like it uses IE for rendering to me.
Why do people even bother to use IE or even Windows for that matter? The best web browser is Konqueror. It has lots of protection against the lamers. And why do people leave their shields down? "The bottom line is that on the computer technology and Internet side, if you want to protect yourself against identity theft you must not allow your Internet browser or your e-mail to accept cookies or to allow scripts to run. You must not allow HTML e-mail. Do not use Microsoft Outlook. Even better, switch from the MS Windows operating system to the GNU-Linux operating system." (Solutions for Identity Theft, Credit/Debit Card Theft, and Personal Information Theft)
"To learn why Linux is so much a better choice than is Microsoft Windows, please . . . Gaël Duval Tells Why Mandrake Linux Is Better Than MS Windows"
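#include <stdio.h>
#include <unistd.h>

int main(void)
{
    /* Alternate the two headlines, one per day, forever. */
    while (1) {
        fprintf(stdout, "New IE Vulnerability puts Windows users at risk!\n");
        sleep(86400);
        fprintf(stdout, "New Firefox Vulnerability, is Firefox as secure as it says?\n");
        sleep(86400);
    }
}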
Cats hunt mice!
> the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.
Why do we want a Linux breakthrough to the desktop market? The only thing the GNOME attempts to do that have done for us is to dumb down applications by eliminating some features and making access to others annoyingly difficult.
I'd rather see the Linux desktop evolve as a power-user desktop than as a competitor in the mass-market desktop.
Sheesh, evil *and* a jerk. -- Jade
Don't care about -1. Not being a troll, just repeating what many of my friends and co-workers, neighbors and relatives who are in IT or use a computer feel. Hell! if it makes you feel better I'll give myself -5 more!
Also, and this is quite important, all recent exploits I have seen have had nothing to do with running untrusted ActiveX controls. On the contrary, it's very frequently been buffer overflows. And this isn't a design issue, really, it's a matter of bugs in single lines of code. The only design issue there is the fact that it's written in C(++) by a sloppy coder.
And just when IE was officially the safest browser ever! What's happening?
-- Cheers!
Just wondering, which idiot modded this +4 informative? It should be funny, obviously he is making fun of IE and saying that Firefox is an upgrade. Wow people, sometimes I wonder how people get mod points.
All your base are belong to Wii.
A security flaw in IE, you must be kidding :P
Is this still news?
If you give me 1 dollar for each security bug in an MS product I would be richer than Bill Gates by now.
I'm pretty sure someone told me SP2 is secure... so don't worry about it, you'll all be fine.
Stop! Dremel time!
Why are people still using IE! I only use *cough* windows *cough* when it's the only option. Damn monopoly
If you don't like GNOME style use another desktop. Do not blame the kernel (Linux)!
Looking at the kind of gripes you have with GNOME, I'm sure you'll love KDE. Try it.
Just a reminder as the FF vs. IE flame wars rage:
...
Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.
I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.
Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history
You do know what COM is, don't you? Because of COM, IE is used in almost every commercial, shrink-wrapped application sold today. It's impossible NOT to use IE unless you simply don't use your computer.
I don't respond to AC's.
Water wets.
how Firefox has more security problems than IE...
It is appropriate that this surfaces a day after some moron tried to make that argument stick.
Microsoft: Give...it...up!
You've lied so often that nobody but your shills believe your FUD anymore -and I'm not even sure THEY do - they just support it for their own moronic reasons.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I have more than 20 licenses to XP (2 concurrent MSDN subs, not to mention the ones that came with the laptops)... I'm not stealing anything.
I used to do the registration thing, until it started being randomly refused, so I gave up on it. Slipstreamed a corporate version and installed off that.
This worked fine until the 'genuine' advantage bullshit, now I have to break that too to get some of the upgrades... which slows down the already glacial windows install time quite considerably.
From TFA, "Because the details of the vulnerabilities have not been made public, users are NOT at risk of an exploit being developed to take advantage of the flaw", the representative said.
What kind of crack are they Smoking at Microsoft?
This has to be the most ignorant misguided PR fool at MS.
No I totally disagree... I've made this statement before and I'll make it again, the issue is that people run their desktop under an administrative account... which means when rogue code enters your system it has free will to do anything.
Firefox/Mozilla has had some recent security issues... and if you run an administrative desktop, which um, 99% of SOHO users do, then Mozilla can be just as bad a proxy for malicious intent.
The reason Mac OS X users have been able to enjoy a life free of viruses is because Apple doesn't have users running as "root" aka "Administrator" in the Windows world. I read "security guru" morons saying how "One day the Mac OS X people are going to get it!!!" There indeed may be an incident, probably small, on account of perhaps some hole... in the OS, but it won't be on account of Apple's browser, Safari.
And given the track record under Mac OS X, the lack of viruses, spyware et al, it underscores what I'm saying now and what I've said before, running a Windows administrative desktop and browsing the Internet is like going into a brothel after a "busy night" and screwing everything under the sun without protection.... yeah, you're likely to "catch something."
Not sure why I bother saying any of this... for all the tech people on /. there's so much utter cr*p posted when it comes to the topic of security.
If you don't like MS, just say it, don't pretend to know anything about computer security.
-M
PS: Die hard Mozilla user (this message typed in through LINUX)
The CNet News article mentions that the flaw is not wormable and that exploiting it requires some user intervention (probably executing or downloading some content).
What is the big deal?
Users need to be careful in the first place.
For starters, don't download crap from goofy Web sites and download porn only via P2P.
(they have to link statically against the Gecko code, right?)
Nope. Gecko is available as an ActiveX control whose API is the same as IE's.
It's not so much about that, in the working environment it's your job to clock in and out. Meet deadlines and report on your progress, that's all programmers in the working world do.
Development is like a technological sweatshop (not saying microsoft is as I've never worked there) but in the development industry is not the greatest of jobs. While you have executives with half the technical knowledge as a developer earning 3 4 times as much.
Making a good point why not invest in people for security. They do, they get people to build patches. To actually do it at the development stage means to hold back progress, why? because it brings it back a stage every time whenever there is a security issue to fix. MS definitely doesn't want that considering how long it takes them to get their next versions of operating systems out...
2nd problem, hackers make the security issues why because they sit in front of the pc all day reading phrack and testing stuff. Most university qualified programmers don't even know what "phrack is" moreso what to do with it...
Another problem, windows kernel, piece of trash can't get anything more insecure with unsafe virtual memory and lacking process protection. Put that against an OS like OpenBSD and there can't be a comparison.
The only way windows will be secure is if it was thrown out and rebuilt, mac os was on to something using a bsd base, too bad ms has too much pride to do this. They can keep trying to steal techniques developed by open src and try and make them as good but at the end of the day they can't even do that right.
Ohhh slackware 10.2 is out :) now that's an os that deserves more media hype not vista (PUKE)
oztiks.
Credibility? Aw, c'mon...
There is a difference between not publicizing the vulnerability and having your PR-droid say "We have not publicized the details of the vulnerability are not public so there is no fear of attack".
One is questionable prudence, the other is just downright lying. If one white hat security firm can figure it out, how hard can it be for hundreds of black hat exploiters and spammers to figure it out?
To wit, I wouldn't have bothered posting if Microsoft had just said, "We are aware of the problems and are working on a fix and won't tell you the details". That's SOP by practically all software vendors these days.
Certainly I was not trying to imply a zealot war between browser makers and which one is more secure.
"These aren't the droids you're looking for... Move along... move along..."
Seriously, continuing to treat security problems simply as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).
Oh, come on, why can't you just patch or buy the upgrade?
You are in a maze of twisty little passages, all alike.
I've heard that after reading that article, Steve Ballmer has been throwing another chair around the office, claiming that they "must close the insecurity gap with Open Source"
So they put a couple of DEVELOPERS DEVELOPERS DEVELOPERS DEVELOPERS on it (freshly pulled off that Vista thingy), in the hope to have IE once again become market leader in security flaws.
Looks like they are catching up quickly.
Laziness and sloth is no substitute for skills and knowledge.
*VB (.NET or otherwise) programmers excluded
Yeah, right.
From TFA:
BZZZT! Wrong!
If one person can discover a flaw, so can another one. Maybe not immediately, but given enough time it will happen. Microsoft's unwillingness to patch any of their garbage unless flaws are publicized speaks volumes about their commitment to "trustworthy computing."
Yeah, right.
Hurrah, I passed everything according to the tool. But did I really pass...I'm not sure I sleep any more soundly knowing that MS thinks I am secure. As Reagan used to say "trust, but verify".
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
Smoking causes lung cancer. Who would have known?
the issue is that people run their desktop under an administrative account... which means when rogue code enters your system it has free will to do anything.
Running under a non-admin account may save some time reinstalling but unless you are prepared to split yourself into multiple users for different tasks (which is more of a pain than I suspect most users will bear) that's about all it will do.
and remember on a linux system if someone compromises your user account it's fairly easy to set you up with a local binary dir and put a fake su binary in there (which records the password and then passes it to the real su). Again there are things you can do about this but they are almost certainly more pain than most will bear.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
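A defensive check for the fake-su scenario raised in the comment above, as an added example that is not part of the thread: it walks a PATH in lookup order and reports when a command resolves to a copy outside a list of trusted directories. The function names, the verdict strings and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report when a privileged command such as
# su resolves to a copy outside the directories you trust.

# in_list DIR LIST: succeeds when DIR is one of the colon-separated LIST entries.
in_list() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cmd CMD PATH_STRING TRUSTED_DIRS
# Walks PATH_STRING in lookup order and prints exactly one verdict:
#   OK <path>                     first hit is in a trusted directory
#   SHADOWED <path> hides <path>  untrusted copy is found before a trusted one
#   UNTRUSTED <path>              only an untrusted copy exists
#   MISSING <cmd>                 nothing executable by that name
# Status is 0 for OK and 1 otherwise. The body is a subshell, so the IFS and
# globbing changes do not leak into the caller and "exit" ends only the call.
audit_cmd() (
    cmd=$1
    path_string=$2
    trusted=$3
    first=""
    trusted_hit=""
    set -f      # no pathname expansion while splitting PATH
    IFS=:
    for dir in $path_string; do
        # An empty PATH entry means the current directory.
        if [ -z "$dir" ]; then dir=.; fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            if [ -z "$first" ]; then first="$dir/$cmd"; fi
            if [ -z "$trusted_hit" ] && in_list "$dir" "$trusted"; then
                trusted_hit="$dir/$cmd"
            fi
        fi
    done
    if [ -z "$first" ]; then
        echo "MISSING $cmd"
        exit 1
    fi
    if in_list "${first%/*}" "$trusted"; then
        echo "OK $first"
        exit 0
    fi
    if [ -n "$trusted_hit" ]; then
        echo "SHADOWED $first hides $trusted_hit"
    else
        echo "UNTRUSTED $first"
    fi
    exit 1
)

# make_fixture: builds a constructed sample tree (not real system paths) with a
# stand-in "su" in a system-style directory and another in a home directory,
# then prints the root of that tree.
make_fixture() (
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/home/user/bin"
    for f in "$root/usr/bin/su" "$root/home/user/bin/su"; do
        printf '#!/bin/sh\nexit 0\n' > "$f"
        chmod +x "$f"
    done
    printf '%s\n' "$root"
)

# Demonstration on the constructed tree.
fx=$(make_fixture)
# Home directory first in PATH: the stand-in copy wins the lookup.
audit_cmd su "$fx/home/user/bin:$fx/usr/bin" "$fx/usr/bin" || true
# System directory first: the trusted copy wins.
audit_cmd su "$fx/usr/bin:$fx/home/user/bin" "$fx/usr/bin"
rm -rf "$fx"
```

Directory names are compared as exact strings, so a PATH entry written with a trailing slash is reported as untrusted, which errs on the side of a false alarm.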
It's not normal to get raped, but if you walk down the street in a bad neighborhood wearing a skimpy leather outfit and assless chaps (male or female), and a t-shirt over the top that says "I do anal", you takes yo chances.
It's still the fault of the attackers, but come on. Put some damn pants on and use Firefox.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Let's take the problem of offering access to irc from your website to those who don't have a special client installed and look at the options. The reasoning here should apply to anything where realtime updating is desired not just irc chat.
1: java applet
This is by far the most common method and works pretty well. However unfortunately windows does not ship with a jvm as standard anymore.
2: activex
Works on any windows/ie system, but doesn't really work anywhere else. However it has to be signed which puts people off. Also locks out most other operating systems/browsers.
3: .net
Technically very similar to java although more windows biased, needs the .net framework installed which is not on all windows systems at this stage. Also locks out most other operating systems/browsers.
4: Refreshing
works but there is some delay and the flicker can become highly annoying. The higher you make the refresh rate the worse the flicker and the higher the server load.
5: streaming into a frame
Works with any browser that supports frames and incremental rendering but is pretty ugly and inflexible. Also breaks with some proxies though that can usually be worked around by using https. The only implementation I know of (older versions of cgiirc) also requires a huge amount of server side resources.
6: streaming javascript.
This can give far nicer results than streaming into a frame but needs javascript enabled in the browser and browser detection is probably needed to make everything behave right. As with the one above the only implementation I know of (newer versions of cgiirc) requires a huge amount of server side resources.
NONE of these options clearly beats the others in every respect.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
Yes you are right... it's more than what people will bear... but life's a bitch. I sure as hell don't run processes that talk on the Net with administrative credentials.
And it's trivial to run programs with admin credentials on a non-admin desktop. Truly trivial. It's just that users don't know how to wipe their a**, nor want to learn.
Unlike a TV or a toaster, you hear many analogies about how a computer should be easy to use like them, a computer runs software systems that are highly dynamic and require active participation on behalf of the user.
A TV allows you to turn yourself into a vegetable.
When the price of ignorance is too high, users will adjust their behavior.
Microsoft is planning NOT to have users running on admin accounts with Vista.
I assure you when this happens, all these stories about IE flaws and viruses will go WAY DOWN.
Hurray,
-M
Because very few people know how the exploit actually works, I don't think we'll see a security issue in the very near future.
If you have Automatic Updates running in Windows XP (which the Security Center in Windows XP wants you to do), once Microsoft releases the IE patch it will be automatically installed on your system (or at least notified automatically of the update).
I expect the patch to be ready probably within the next week or so, since Microsoft takes browser security very seriously nowadays; the company has a number of times released new security patches outside of their normal second Tuesday of every month release dates if the security issue is a serious one.
You are an experienced Windows user. That's not the same as an experienced computer user. An experienced computer user has been around long enough to have used most systems on the market and that includes unix.
I can understand that some people find linux hard to use but I'm pretty confident that it's mostly because they are used to doing things "the MS Windows way". Surely linux could mimic Microsoft Windows down to the last pixel but that isn't really what most linux users want.
According to my perception of things many MS Windows users would like Linux to be a completely free Windows. Well, that's not really the goal of most Open Source. If all you want is a free MS Windows then Linux can't help you. If you on the other hand are sick and tired of doing things the Microsoft way linux is a kicker. It allows you to tailor your computer to any possible whim and gives you complete freedom to do whatever you like.
I'll repeat, Linux ain't no free MS Windows clone and will never ever be. If you take your time and get to know it you will be rewarded tenfold. In the hands of a knowledgeable computer user it can be a vicious tool.
This is on the unmanaged desktop of course. On a company's managed desktop I can easily make it much more usable than any current MS offering.
"I mentioned it in another article, but the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE."
But, Linux isn't difficult to use. It's actually quite easy to use.
It is perhaps difficult to comprehend the vast magnitude and take in every single aspect of the entire linux phenomenon, but that's a separate matter.
And it may be difficult to install linux from scratch, or even, to understand the relationship between the operating system to hardware. Again, that is not a consideration for the user.
There are some application domains where Linux is not a good fit, due to a dearth of software support and hardware compatibility (such as audio/video production), but that's also beside the point.
OpenOffice is not more difficult for the user on Linux than it is on Windows. For that matter, the bash shell is not more difficult on Linux than the command.exe shell on Windows.
What is this "ease of use" argument but misinformation? Is Windows easy to use? I don't believe it is.
-fb Everything not expressly forbidden is now mandatory.
Exactly, even Ada has a Goto statement.
BTW, I write all C applications using this memory manager http://www.hpl.hp.com/personal/Hans_Boehm/gc/
Using that eliminates a whole slew of potential problems.
Oh well, what the hell...
Actually, I have started to do dual booting Windows/Linux installs for my customers. "When Windows screws up - reboot into Linux and carry on working till I can get here..."
Oh well, what the hell...
Yes you are right... it's more than what people will bear... but life's a bitch. I sure as hell don't run processes that talk on the Net with administrative credentials.
But do you run them with the credentials to access your important data or do you go to the pains to partition your computer usage into different user accounts for different tasks?
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
At the moment it seems that FF is a bit more secure than IE. FF might however not be as secure as it possibly could be. Maybe FF developers should do security audits just like OpenBSD team does. I think audits and emphasis on overall code correctness would be a great competitive advantage against IE.
This worked fine until the 'genuine' advantage bullshit, now I have to break that too to get some of the upgrades... which slows down the already glacial windows install time quite considerably.
Yeah, that's incredibly stupid. There's an easy way to get around it though. Get genuinecheck.exe (remove that activex control if you already have it and the MS page will give you that option). Then run it on either some pre-windows-xp computer, or set it to run in compatibility mode for like windows 98. It will spit out a code you can put in the MS web page, and proceed to download the file. Save this file, it's the real deal and will work perpetually. And if you make your own slipstreamed install discs, you can easily hop it on there. Good stuff.
funny munging
It's the bear joke all over again but you make a valid point. You don't have to be faster than the bear, just faster than the masses of ignorant MSFT users.
I don't surf the internet with Windows, except at the customer site where it's their problem to manage the virus of the day. At home the only machines that see the internet are Linux. No, it's not bullet proof, but I sure sleep better than Windoze users.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Applications only run with additional privileges if the administrator explicitly chooses to do so and provides the necessary authorization.
What they don't say is that it's a royal fscking PITA to run as a home user without Admin privs.
"I don't know, therefore Aliens" Wafflebox1
Remove IE (or whatever else) from Windows 98, Me, 2000, XP:
LitePC
Get all your patches for Windows 2000, XP, 2003 (Microsoft and otherwise) on one handy autopatching CD:
AutoPatcher
I am not affiliated with either product, however, I use both and would say they both work well. A machine running Windows98 with the MSHTML Engine removed is a thing of beauty. I used LitePC (then 98Lite) to run Windows98 with the Windows95 Explorer for several years until LitePC for XP came out. A note about the AutoPatcher. It has EVERY IMAGINABLE patch. Don't just check them all, just check the ones you actually want/need, otherwise you could create a mess.
If the "user intervention" involves "clicking YES, rape my computer now" on a dialog box, then this is a real problem. Because people are being systematically trained by legitimate websites, including Microsoft's Windows Update, to click "YES" in response to routine security dialogs.
Popping up a dialog box before doing something potentially stupid is not a lot better than going ahead and doing something stupid. DON'T IMPLEMENT THE DANGEROUS CAPABILITY IN THE FIRST PLACE.
The only fix for the problems with "Security Zones" is to get rid of "Security Zones" and have separate applications for trusted and untrusted sources... with no mechanism in the untrusted applications (Internet Explorer) to use the capabilities of the trusted one (Windows Explorer, Software Update, etc).
...right along!
That's the problem with Windows. It's only $199 if you don't value your time.
Yes, Windows should be brought to task for its higher rate of problems. But its quality isn't so bad that it's legally actionable.
There are too many factors here to consider.
Lightspoke Web Based Database
That wording you speak of is just eEye's wording of "remote code execution exploit". Firefox has these too. There's no difference.
Well, there is a difference, eEye makes money selling people fixes/workarounds for security problems. So eEye wants to make this look like as big a deal as possible.
I have to say I'm really disappointed with slashdot for running this story. This story doesn't have any actual information in it, it just says a company alleges IE has a vulnerability. Well, they already said it had 11, is one more that big a deal? Personally, I don't think it warrants a story with no other actual info.
http://lkml.org/lkml/2005/8/20/95
I was running Office 2000 on XP.
After service pack 2, slide sorter became dog slow, like nearly hung in anything with 10+ slides.
Luckily, things work fine in Codeweavers wine.
I have to develop / create powerpoint on linux, then just use XP to display the crap.
Isn't that a rather pointless activity? Windows help for years unless you are a real beginner is completely useless (how many times do you have to read "go speak to your system administrator" before you give up even trying to use it). If you want the real windows help file you have to pay for the resource kits or use the best windows help file "GOOGLE" (now you know why they want to crush google, free windows help). I wonder if google will cease providing free support for windows - every time you search for a way to solve yet another problem with windows it brings up a list of Linux distributions instead.
Chaos - everything, everywhere, everywhen
Whoever has the source code can compile it, and if you can compile the source code to a commercial product, anyone can. And if anyone can, then its value decreases substantially for your corporation, since you are selling something that is freely available by other means. The open source system simply doesn't work for a for-profit corporation that holds such a huge market share of the software industry. How can there be that much competitive pressure against them when the value of the competition is intrinsically of less value due to the nature of its availability? From what I have seen the system does work quite well, however, for the few people at the top of the open source movement: doing interviews and getting great job offers on the backs of the millions of people under them contributing code on their spare time, but that is just a subjective observation.
They're referring to Vista, in which it'll be much easier to use with a non-admin account. In fact, the default account is non-admin.
-- "I never gave these stories much credence." - HAL 9000
> but it won't be on account of Apple's browser, Safari
Why do you say that? Have you seen the code for Safari? No?
Try visiting data://<h1>crash</h1> in Safari. It crashes solid and dies in <b>memcpy</b>. Doesn't that worry you... arbitrary data from the Internet causing problems with memcpy!?
I wish I had the code so I could evaluate the risk, but instead I have to wait until Apple feels like fixing it.
My other car is first.
This is trivial to do.
Change the NTFS ACLs such that Users and SYSTEM have an explicit Deny Read.
There you go, 30 second fix, can be packaged into a .vbs script easily.
For a closed source s/w like IE, normally knowledgeable people report flaws after exploiting them or if they know of better flaws to exploit or if the flaw is not worth exploiting. Or if they have more complex corporate politics to do. Then there is the question of the M$ strategy "It is easy to sell utterly worthless s/w so long as you know how to sell. To sustain it you must keep it in the news...as 'ever improving'". Now how does this stand up against activeX and the IE build?
Prof(Miss) A Mani CU, ASL, AMS, ISRS, CLC, CMS, IEEE HomePage: http://www.logicamani.in Blog: http://logicamani.blogs
Windows Help is totally useless, but many application help files which use HTML Help aren't - hence why Wine needs support for it.
I guess if you use the Blue-E this could be a really big problem?
seeing as you're more than mildly rude and obnoxious, my guess is that your friends and relatives 'use' computers for data entry and are as incompetent as you are dumb.