IE Flaw Puts Windows XP SP2 At Risk
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
I think the real news is not the fact that there is a new vulnerability, but that (from the second link) there are still 12 unpatched vulnerabilities allowing remote or arbitrary code execution found by one organisation. The oldest of these was reported in March.
I am TheRaven on Soylent News
This has been discussed before and seems to start flamewars.
Yes there is a way to remove the IE engine from Windows 2000's installation files (and indeed integrate IE6 into them, since 2000+SP4 comes with IE 5).
The method of doing so is here. However it breaks things such as Windows help, Windows Update and lots of miscellaneous parts of the OS. For me at least, it made the OS almost unbearable, introducing a lot of annoyances. Although to be fair, I followed the post-install instructions...in theory, pre-install removal should be smoother.
Is this supposed to be news at all???
come on...sun rises in the east...magnets point N-S...u don't publish that as news...
note to mod: delete this discussion...
You should consider the Microsoft Baseline Security Analyzer. It will scan your computer (hell, it will remotely scan all the computers on your domain if you want), tell you what you have or don't have, and give you links to the download.
funny munging
Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw.
This is mostly true. Usually people who exploit such security flaws find out about them by reverse engineering security updates. Windows is such a large system (Tanenbaum says millions of lines of source code went into Win 2k itself), that it will be very difficult for many not-so-bright-hackers to look for exploits without, ironically, some help or hint in the form of patches from M$.
I mentioned it in another article, but the key for Linux to break through to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.
I'm a pretty experienced computer user, EX-Windows developer (networking now), MCSE and while I can install Linux and get around it, I don't have a clue of an idea how to do a lot of things, including at times, install software (though I've figured that out with yum and rpm haha!). Either way... until Linux offers the eyecandy that OS X does, with the compatibility that Windows offers... it will still be the DESKTOP choice of nerds.
I'm waiting for the next version of KDE for some improvements but in reality, I think there's a lot more to be done at even a kernel level to make some things more idiotproof.
The price is always right if someone else is paying.
Turn off ActiveX, in fact turn off everything in IE (scripting, install, etc) in the "internet" zone.
Now, the easy part: add microsoft.com to the "trusted sites". In fact, if you surf to the windowsupdate site with activex turned off you get the message of exactly what to add to "trusted sites".
Sleep easy knowing that (a) windows update works (b) nothing else works. Happily use Mozilla for your web browsing.
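The zone lockdown described in the comment above, written as the per-user registry values IE reads. This is an added example, not part of the original comment; the URL action IDs and the ZoneMap key are the standard Internet Settings ones, and limiting the trusted entry to https is an assumption.

```powershell
# Added example: lock down IE's Internet zone for the current user and
# put microsoft.com in Trusted sites so Windows Update keeps working.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone3 = Join-Path $base 'Zones\3'            # zone 3 = Internet

# URL action ID -> description. Value 3 = Disable (0 = Enable, 1 = Prompt).
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe'
    '1400' = 'Active scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1800' = 'Installation of desktop items'
}

if (-not (Test-Path $zone3)) { New-Item -Path $zone3 -Force | Out-Null }
foreach ($id in $actions.Keys) {
    Set-ItemProperty -Path $zone3 -Name $id -Value 3 -Type DWord
}

# Trusted sites = zone 2. The value name is the protocol, the data is the zone.
# Assumption: only https is trusted; a '*' value name would trust every protocol.
$trusted = Join-Path $base 'ZoneMap\Domains\microsoft.com'
New-Item -Path $trusted -Force | Out-Null
Set-ItemProperty -Path $trusted -Name 'https' -Value 2 -Type DWord

# Read the settings back so drift (or a policy override) is visible.
$current = Get-ItemProperty -Path $zone3
foreach ($id in $actions.Keys) {
    $state = if ($current.$id -eq 3) { 'disabled' } else { "NOT disabled ($($current.$id))" }
    '{0}  {1,-55} {2}' -f $id, $actions[$id], $state
}
'microsoft.com (https) -> zone {0}' -f (Get-ItemProperty -Path $trusted).https
```

Machine-wide Group Policy under HKLM takes precedence over these HKCU values, so on a managed machine the read-back shows the user setting, not necessarily the effective one.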
Indeed. The proper title would be: "IE puts Windows at risk".
Ditch IE, and all the spyware and other crap stops being an issue. I see so many people arguing over which spyware scanner is the best, like if it's a normal thing to have to scan your system for spyware every day in the first place. Just like people arguing over the best tire repair kit, seemingly thinking it's normal to have a flat tire every day.
Don't use IE (lots of alternatives, including firefox and opera), and all these scanners will find is cookies (unless you run those hot_naked_girls.jpg.exe attachments every time you get one or such).
Even IE on XP SP2 fully locked down or on Win2003 (and without MS' crappy JVM) gets nailed pretty bad if you visit a bad site. Sometimes the flaws are left unpatched for all too long, which forced us at work to block all IFrames on any webpage at the firewall for a long time, rendering a lot of entire websites useless (you'd only get a blank page).
And don't give me the "I never get nailed for I only visit reputable websites" - because even those can, and it has happened before in various ways, like infected ad carriers, which are displayed on hundreds of reputable sites.
Most MS products aren't quite as bad as most people tend to make it here on slashdot, but IE is definitely the worst piece of shit I've EVER used from any company - ever. If you use it, you're guaranteed it'll trash your PC - have fun reformatting every week!
Of course they're not going to tell you what it is, it's quite possible that they've either entered into a mutually beneficial agreement with Microsoft to keep this information under their hat, or they know it's nothing to be overly concerned with, but are trying to sell protection anyway, so they're making it out to be bigger than it is.
Whatever the reason (if it isn't both), they're profiting from people's fears and Windows's insecurities.
Secunia has very informative pages about the relative security of IE and firefox.
Firefox
IE
The problems with firefox compared to IE are:
IE bugs are more frequently critical
IE critical bugs take longer to patch
Fully patched IE is less secure than Fully patched Firefox
Okay, let's get this one out of the way. First, let's define OS. If you are a computer scientist, the OS is the program that is responsible for interfacing directly with the hardware. If you are a marketing person, the OS is the bit responsible for talking to the hardware, and anything else that the vendor decides to put in the same box. To avoid confusion, we will call this the Operating Environment (OE).
IE is part of the Windows OE, not part of the Windows OS. It is not tied into the kernel in any way. Making it part of the OE was a logical move. Microsoft provides libraries for doing all sorts of things as part of the Windows OE - things like drawing common controls and common dialog boxes, APIs for rendering video, etc. These are convenient for developers, because they can assume that they are present on all Windows boxes, and not have to check for them.
Apple does something similar. Safari is a thin layer around WebKit in the same way IE is a thin layer around mshtml. It is possible to delete Safari, and for other apps to still be able to use WebKit to render HTML - and a good thing too, it's a useful ability. The only difference is that Microsoft use mshtml in quite a lot of places throughout the Windows system, so removing it breaks a lot of things. Removing WebKit from OS X, in contrast, might break Mail.app and some third party software, but little else.
The reason IE is such a security problem is twofold:
- Windows doesn't encourage privilege separation or privilege escalation, causing most people to run with administrator access.
- A number of `enhancements' were added to IE to combat Java, allowing access to non-browser parts of the system to enable richer web apps. These `enhancements' were designed quickly, and without much thought to security.
Neither of these is a result of it being bundled with Windows.
I am TheRaven on Soylent News
Also, and this is quite important, all recent exploits I have seen have had nothing to do with running untrusted ActiveX controls. On the contrary, it's very frequently been buffer overflows. And this isn't a design issue, really, it's a matter of bugs in single lines of code. The only design issue there is the fact that it's written in C(++) by a sloppy coder.
Can't say I ever noticed a particular degree of slowness with SP2 installed. Disable NX and disable the Security Center service and you've got Windows XP SP1 with all updates applied. :)
[insert witty comment here]
Let's take the problem of offering access to irc from your website to those who don't have a special client installed and look at the options. The reasoning here should apply to anything where realtime updating is desired not just irc chat.
1: java applet
This is by far the most common method and works pretty well. However unfortunately windows does not ship with a jvm as standard anymore.
2: activex
Works on any windows/ie system, but doesn't really work anywhere else. However it has to be signed which puts people off. Also locks out most other operating systems/browsers.
3: .net
Technically very similar to java although more windows biased, needs the .net framework installed which is not on all windows systems at this stage. Also locks out most other operating systems/browsers.
4: Refreshing
works but there is some delay and the flicker can become highly annoying. The higher you make the refresh rate the worse the flicker and the higher the server load.
5: streaming into a frame
Works with any browser that supports frames and incremental rendering but is pretty ugly and inflexible. Also breaks with some proxies though that can usually be worked around by using https. The only implementation i know of (older versions of cgiirc) also requires a huge amount of server side resources.
6: streaming javascript.
This can give far nicer results than streaming into a frame but needs javascript enabled in the browser and browser detection is probably needed to make everything behave right. As with the one above the only implementation i know of (newer versions of cgiirc) requires a huge amount of server side resources.
NONE of these options clearly beats the others in every respect.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register