Slashdot Mirror


IE Flaw Puts Windows XP SP2 At Risk

Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."

20 of 227 comments

  1. Most Will Agree... by DavidLeeRoth · · Score: 2, Insightful

    That the bigger problem is the platform IE resides on.

  2. Sex sells. by Anonymous Coward · · Score: 3, Insightful

    So try to look at this site http://www.thelovesearch.com/ using Microsoft
    Internet Explorer. It will try to convince you to use Firefox using
    sex appeal.

    If we could convince all porn sites to only support Firefox the battle
    would be won in a few weeks.

    Or am I dreaming now??

  3. Re:Most Will Agree...But No... by bogaboga · · Score: 2, Insightful

    The bigger problem is how to neatly remove IE from Windows systems. I continue to believe that open source geeks can find a way to do this. Heck, so much has been done by open source programmers without M$ support at all. Do not be surprised when some geek releases a tool/utility to do just that.

  4. What is THIS?! by the_skywise · · Score: 4, Insightful

    A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.

    What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"

    1. Re: What is THIS?! by Black+Parrot · · Score: 2, Insightful


      > What kind of STUPID commentary is that?

      The completely predictable attempt at damage control by the spokesman for a corporation that got caught screwing up.

      Any more questions?

      --
      Sheesh, evil *and* a jerk. -- Jade
  5. Re:Most Will Agree...But No... by aussie_a · · Score: 2, Insightful

    Doesn't Microsoft demand you use IE to patch Windows? Sure you might make it a bit more secure by getting rid of IE, but you'll still need those updates (but I guess you can illegally download those off p2p, just have fun trying to avoid the viruses as well).

  6. An ounce of prevention? by shoolz · · Score: 4, Insightful
    We see this cycle of exploit > patch repeat itself ad nauseam. Microsoft seems to react to every exploit or Windows security failing by Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable.

    What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?
  7. Open source enhances security of MSFT's customers by FlorianMueller · · Score: 4, Insightful
    I run various Microsoft programs (Windows, Office, VS.NET, but IE only when it can't be avoided), and still my biggest hope for better security with those Microsoft programs is on increased competition from open source.

    Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.

    Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.

    The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, prevented the state government from pursuing its plans to go for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key, or otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as these days. A near-monopolist can always get away even with serious security flaws.

    If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.

  8. Re:Oh, but it's Firefox that's the unsecure browse by wealthychef · · Score: 3, Insightful

    The fundamental problem is not how much IE is tied into the operating system. The fundamental problem is that, as another poster has said, the operating system it is tied to violates the principle of least privilege repeatedly in a way that more secure systems do not, and security is layered onto it instead of being built into it, making securing it an eternal effort consisting of filling holes that never go away. A big part of this is the whole concept of ActiveX.
    If IE were not tied into the OS, MS would find another way to force "remote administration capabilities" on users without their actively enabling them, which is what most of the problems stem from, I think.

    --
    Currently hooked on AMP
  9. The obligatory "IE sucks" comment... by HerculesMO · · Score: 3, Insightful

    I'll parlay it by saying that when Firefox has 'vulnerabilities' (as the genius in this article pointed out...), at least it doesn't give the ability for an attacker to "enable a remote attack on systems running Windows XP with Service Pack 2".

    So I'll stick with my more numerous, less invasive, and quickly fixed Firefox 'vulnerabilities' instead of my IE's less in number, more damaging and slower to be fixed 'vulnerabilities'.

    Yup... IE sucks.

    --
    The price is always right if someone else is paying.
  10. Re:Is The Honeymoon Still Over? by TheRaven64 · · Score: 4, Insightful
    - Any software written in unsafe languages (notably C) is bound to contain vulnerabilities

    I would advise you to read this essay. Being written in an unsafe language does not intrinsically make something insecure - it just makes it a bit harder to write secure code. Likewise, a bad coder can write insecure code in a safe language.

    --
    I am TheRaven on Soylent News
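Both the managed-code point in comment 7 (buffer overflows "that allow for the execution of hostile code") and TheRaven64's reply above turn on what an unchecked copy in C actually looks like, and on the fact that the fix is a length check the programmer has to remember to write. The block below is an added illustration, not code from the thread or from any poster: the unguarded strcpy sits beside two bounds-checked versions of the same job. The function names, NAME_MAX and the sample inputs are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original page. NAME_MAX and the function
 * names are illustrative choices for the demonstration. */
#define NAME_MAX 16

/* Hazard: strcpy copies until it finds a NUL, regardless of how big the
 * destination is. If src is NAME_MAX bytes or longer, the extra bytes land
 * past the end of dst (a smashed return address on the stack, or a
 * corrupted neighbouring field), which is the classic route from a string
 * to attacker-controlled execution. Nothing here checks anything. */
int copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
    return 0;
}

/* Same job, unsafe language, safe code: measure src without ever reading
 * past NAME_MAX bytes, and refuse input that would not fit rather than
 * truncating silently. Returns 0 on success, -1 on rejection (dst is
 * left as an empty string so a caller cannot use stale contents). */
int copy_name_safe(char dst[NAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')
        n++;
    if (n >= NAME_MAX) {          /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the NUL */
    return 0;
}

/* Alternative idiom: let snprintf bound the write, then treat its return
 * value (the length the full string would have had) as a truncation
 * detector. Truncated output is reported as an error, not passed on. */
int copy_name_snprintf(char dst[NAME_MAX], const char *src)
{
    int w = snprintf(dst, NAME_MAX, "%s", src);
    if (w < 0 || (size_t)w >= NAME_MAX) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *fits     = "eEye";
    const char *too_long = "a name that is clearly longer than sixteen bytes";
    char buf[NAME_MAX];

    printf("safe, short input   : rc=%d buf=\"%s\"\n",
           copy_name_safe(buf, fits), buf);
    printf("safe, long input    : rc=%d buf=\"%s\"\n",
           copy_name_safe(buf, too_long), buf);
    printf("snprintf, long input: rc=%d buf=\"%s\"\n",
           copy_name_snprintf(buf, too_long), buf);

    /* copy_name_unsafe is only ever called here with input that fits;
     * calling it with too_long would overflow buf. */
    printf("unsafe, short input : rc=%d buf=\"%s\"\n",
           copy_name_unsafe(buf, fits), buf);
    return 0;
}
```

The point TheRaven64 makes shows up in the three functions having identical signatures: nothing in the language distinguishes the dangerous one from the two that check, so the discipline (or the code review) has to supply the distinction. A managed runtime would have turned the over-long copy into a thrown exception instead of a silent write past the buffer.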
  11. Re:Obligatory... by aussie_a · · Score: 2, Insightful

    How could Microsoft have NOT noticed that there could be security issues with integrating their browser so closely with their OS?

    Simply put, they don't care. They tied it in so it is impossible (for the average user) to remove. That benefit far outweighed any security issues, and still does outweigh the security issues. Microsoft will go on about how it's impossible to remove without breaking Windows, well but people have already done it and it works fairly okay (for people who haven't been able to see the Windows code that is).

    There is no benefit for MICROSOFT to remove IE from Windows. Sure it will benefit its users, but then they can't use software to check up on people as easily. When you're a convicted monopolist and have then been allowed to walk away unscathed, customer satisfaction isn't a very big priority. Neither's employee satisfaction apparently.

    But then again, why address problems, when you can throw money at it to fund FUD.

  12. Re:Obligatory... by Dolda2000 · · Score: 2, Insightful
    I'm not really an expert at the Windows "architecture", but is MSIE really so closely integrated with the OS as everyone keeps saying?

    As far as I know, the browser core is some kind of OLE/ActiveX stuff packed in a library called MSHTML.DLL, which MSIE-the-executable just packs into a normal application window. The integration, as far as I've been led to believe, is just the fact that Windows' file explorer also uses the same component to render some UI elements and so on. It's not exactly like it's a kernel module or anything.

    I'm not trying to troll or anything here, the above is just what I think I know. If someone knows that that isn't the case, and there really is some closer "integration" besides that which I know of, please tell me so.

    Furthermore, if I'm right, then Microsoft has just done basically the same thing that Apple has, if memory serves me. A news item for Tiger was that the modified KHTML components had been brought out from Safari and made into a library (in Objective C?) called WebCore, which Safari then uses as a widget. If you ask me, this rather obvious piece of architecturing is far better than what e.g. Gecko-based browsers do (they have to link statically against the Gecko code, right?).

  13. Re:A Plea for Consistency by ocbwilg · · Score: 2, Insightful

    So can we please get equal time share for *nix vulnerabilities, or, better yet, provide a way to filter out vulnerability announcements for software we don't use?

    Your post is commendable for being one of the few that doesn't try to pass off as witty any of the cliche comments like "IE is insecure?", or "Microsoft sucks", or "They should never have integrated IE and Windows so tightly to begin with." On the other hand, if you're actually looking to Slashdot for bug and vulnerability announcements, then I feel sorry for your network.

  14. Re:The Real News by Bert64 · · Score: 2, Insightful

    There are many older bug reports relating to mozilla, but the security related ones get fixed quickly at least, especially the ones serious enough to allow remote code execution.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  15. Re:Is The Honeymoon Still Over? by brianiac · · Score: 3, Insightful
    Usually people who exploit such security flaws find out about them by reverse engineering security updates.

    I'm curious; what makes you say this? This may be true for the script kiddies out there, but aren't brighter hackers (of the sort that find the problems in the first place) more likely to target their attacks to more specific/profitable victims, making them far less detectable?

  16. Re:You're kidding! by Xarius · · Score: 3, Insightful

    like if it's a normal thing to have to scan your system for spyware everyday in the first place.

    It's not necessarily a normal thing to be mugged, but we have police and whatnot just in case it does happen. It's an unfortunate truth that we live in a world where we can't trust one another.

    Best to take precautions, even though they wouldn't be necessary if everyone played nice.

    --
    C17H21NO4
  17. Firefox vs. IE by cpu_fusion · · Score: 4, Insightful

    Just a reminder as the FF vs. IE flame wars rage:

    Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.

    I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.

    Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history ...

  18. Re:Most Will Agree...But No... by GlassUser · · Score: 2, Insightful

    This worked fine until the 'genuine' advantage bullshit, now I have to break that too to get some of the upgrades... which slows down the already glacial windows install time quite considerably.

    Yeah, that's incredibly stupid. There's an easy way to get around it though. Get genuinecheck.exe (remove that activex control if you already have it and the MS page will give you that option). Then run it on either some pre-windows-xp computer, or set it to run in compatibility mode for like windows 98. It will spit out a code you can put in the MS web page, and proceed to download the file. Save this file, it's the real deal and will work perpetually. And if you make your own slipstreamed install discs, you can easily hop it on there. Good stuff.

  19. Re:"All you need to do is patch or buy the upgrade by interiot · · Score: 2, Insightful
    Talk to a security-conscious sysadmin of a Linux box. Patching is critically important for ALL software, regardless of its overall security. That's not PR, or fraud, or sedition, or sabotage.

    Yes, Windows should be brought to task for its higher rate of problems. But its quality isn't so bad that it's legally actionable.