Slashdot Mirror


IE Flaw Puts Windows XP SP2 At Risk

Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."

10 of 227 comments

  1. Sex sells. by Anonymous Coward · · Score: 3, Insightful

    So try to look at this site http://www.thelovesearch.com/ using Microsoft
    Internet Explorer. It will try to convince you to use Firefox using
    sex appeal.

    If we could convince all porn sites to only support Firefox the battle
    would be won in a few weeks.

    Or am I dreaming now ??

  2. What is THIS?! by the_skywise · · Score: 4, Insightful

    A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.

    What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"

  3. An ounce of prevention? by shoolz · · Score: 4, Insightful

    We see this cycle of exploit > patch repeat itself ad nauseam. Microsoft seems to react to every exploit or Windows security failing by Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable.

    What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?

  4. Open source enhances security of MSFT's customers by FlorianMueller · · Score: 4, Insightful

    I run various Microsoft programs (Windows, Office, VS.NET, but IE only when it can't be avoided), and still my biggest hope for better security with those Microsoft programs is on increased competition from open source.

    Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.

    Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.

    The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, prevented the state government from its plans to go for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key, or otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as these days. A near-monopolist can always get away even with serious security flaws.

    If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.

  5. Re:Oh, but it's Firefox that's the unsecure browse by wealthychef · · Score: 3, Insightful

    The fundamental problem is not how much IE is tied into the operating system. The fundamental problem is that, as another poster has said, the operating system it is tied to violates the principle of least privilege repeatedly in a way that more secure systems do not, and security is layered onto it instead of being built into it, making securing it an eternal effort consisting of filling holes that never go away. A big part of this is the whole concept of ActiveX.
    If IE were not tied into the OS, MS would find another way to force "remote administration capabilities" on users without their actively enabling them, which is what most of the problems stem from, I think.

    --
    Currently hooked on AMP

  6. The obligatory "IE sucks" comment... by HerculesMO · · Score: 3, Insightful

    I'll parlay it by saying that when Firefox has 'vulnerabilities' (as the genius in this article pointed out)... at least it doesn't give the ability for an attacker to "enable a remote attack on systems running Windows XP with Service Pack 2".

    So I'll stick with my more numerous, less invasive, and quickly fixed Firefox 'vulnerabilities' instead of my IE's less in number, more damaging and slower to be fixed 'vulnerabilities'.

    Yup... IE sucks.

    --
    The price is always right if someone else is paying.

  7. Re:Is The Honeymoon Still Over? by TheRaven64 · · Score: 4, Insightful

    - Any software written in unsafe languages (notably C) is bound to contain vulnerabilities

    I would advise you to read this essay. Being written in an unsafe language does not intrinsically make something insecure - it just makes it a bit harder to write secure code. Likewise, a bad coder can write insecure code in a safe language.

    --
    I am TheRaven on Soylent News

  8. Re:Is The Honeymoon Still Over? by brianiac · · Score: 3, Insightful

    Usually people who exploit such security flaws find out about them by reverse engineering security updates.

    I'm curious; what makes you say this? This may be true for the script kiddies out there, but aren't brighter hackers (of the sort that find the problems in the first place) more likely to target their attacks to more specific/profitable victims, making them far less detectable?

  9. Re:You're kidding! by Xarius · · Score: 3, Insightful

    like if it's a normal thing to have to scan your system for spyware everyday in the first place.

    It's not necessarily a normal thing to be mugged, but we have police and whatnot just in case it does happen. It's an unfortunate truth that we live in a world where we can't trust one another.

    Best to take precautions, even though they wouldn't be necessary if everyone played nice.

    --
    C17H21NO4

  10. Firefox vs. IE by cpu_fusion · · Score: 4, Insightful

    Just a reminder as the FF vs. IE flame wars rage:

    Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.

    I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.

    Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history ...