Slashdot Mirror


IE Flaw Puts Windows XP SP2 At Risk

Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."

14 of 227 comments

  1. Is The Honeymoon Still Over? by TheRaven64 · · Score: 4, Interesting
    I presume we are still to believe that Firefox is less secure than IE, because it has had more vulnerabilities discovered recently? My favourite quote:
    Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw.
    --
    I am TheRaven on Soylent News
  2. Oh, but it's Firefox that's the unsecure browser by aussie_a · · Score: 3, Interesting

    At least according to slashdot anyway.

    IE is unsecure, and its insecurities are compounded by how much it is tied in with Windows.

    Issuing patches is just playing catch-up in a game that Microsoft will never win. However addressing the fundamental problems (such as how much IE is tied into the operating system, not preinstalling every Windows installation with IE) IE's problems will always be larger.

  3. guess what.. by brajesh · · Score: 3, Interesting


    Protection for the said vulnerability is already provided by eEye: Blink Endpoint Vulnerability Prevention. hmmm...

    --
    95% of all sigs are made up.
  4. Re:The Real News by RLiegh · · Score: 2, Interesting

    I don't think that's the real issue; after all, I'm sure you can probably find bug reports older than march in the firefox/mozilla code. The real issue, as has been pointed out, is that because of how closely IE is tied into the OS (unlike firefox), any bug in IE becomes a security risk.

  5. Re:Pfew! by iethree · · Score: 2, Interesting

    I too have not yet installed SP2. I was about to the other day, but now I'm glad I didn't. I'll wait a few more months till they've released a few more patches for the patch in the swiss cheese OS.

  6. "All you need to do is patch or buy the upgrade" by Anonymous Coward · · Score: 4, Interesting
    We hear constantly the mantra "All you need to do is patch or buy the upgrade" from MS apologists, salesmen, astroturfers and fanbois. Yet, every few weeks there is yet another article about some flaw or other that, like this one, can take out fully patched, recent versions of MS Windows. This is not big news.

    What is big news is that memories are so short that every time such a problem is publicized, it is quickly forgotten and we all go back to bleating the mantra "All you need to do is patch or buy the upgrade". Seriously, continuing to treat security problems simply as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).

  7. Simple, is it possible? by SmallFurryCreature · · Score: 4, Interesting
    Security is hard. Impossibly hard the moment you allow humans to enter the equation.

    Security is after all about restricting access. Most extreme way to keep a computer safe is to make it impossible to access. Want a safe websurfing session? Easy, just take out those little cables in the back of your computer, the power, the network and the keyboard one would do for starters.

    But that kinda security doesn't work because we want things to be easy. What is an often heard complaint about windows vs unix security? That by default windows has the user logged in as root, the defence being that users don't want to have to type in a password just to install software.

    MS could easily introduce unix-like root-user separation, they used to be a unix company after all. Some linux distros make it very clear when you run your desktop as root and some IRC proggies even flatly refuse to run when you are the root user. MS could easily do the same, refuse to access the net when running as root, force the user to get software under their normal account then install it from the root account, this would force the user to think for a second.

    But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.

    I don't think MS isn't aware of the risk this poses, I think they view this as the same way as credit card companies view the risk of how easy it is to abuse their card system. Or how easy it is to learn a 4 digit pin number. Would be very easy to make these multi billion dollar payment systems more secure. But it would also introduce a lot more difficulty that might reduce their usage.

    So MS probably has people who have a solution to this but it would make windows a lot harder to use, marketing might have a thing or two to say about it. Hell support might too, would MS really want to deal with all of its users suddenly having to learn the concept of user vs admin?

    In a way the public has the final say in whether windows ever becomes secure. The same public that buys SUVs which are the most lethal vehicle on the road, 4 times more likely to kill if you hit a pedestrian than other cars. The same public that flies with cut-rate airlines offering flights at prices cheaper than the ride to the airport. The same public that still buys each new version of internet explorer after a decade of security alerts.

    So from a business perspective why doesn't some big-wig at MS do this? Because the big-wig wants to keep his job. Insecure windows sells, slightly more secure linux does not. It is not greed, it is common business sense. You give the customer what they want. MS is very good at that. Compare it with McD, they used to sell lard with flavor. They only added a few salads after customers started demanding them with their dollars. McD did not fight this, there had to be no legal battles. As soon as they noticed demand, they supplied. Sure they didn't supply it in say the 70's because a few leftie protestors does not equal demand. A bunch of guys at slashdot complaining does not equal demand to MS.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  8. Re:Most Will Agree...But No... by makomk · · Score: 4, Interesting

    IIRC, one of the things the Wine project is working on is replacing Internet Explorer with the Mozilla engine (so that you don't need to install IE to view HTML Help under Wine, for example). Depending on how well that works...

  9. Use Konqueror and Linux not IE and Windows by Anonymous Coward · · Score: 1, Interesting

    Why do people even bother to use IE or even Windows for that matter? The best web browser is Konqueror. It has lots of protection against the lamers. And why do people leave their shields down? "The bottom line is that on the computer technology and Internet side, if you want to protect yourself against identity theft you must not allow your Internet browser or your e-mail to accept cookies or to allow scripts to run. You must not allow HTML e-mail. Do not use Microsoft Outlook. Even better, switch from the MS Windows operating system to the GNU-Linux operating system." (Solutions for Identity Theft, Credit/Debit Card Theft, and Personal Information Theft)

    "To learn why Linux is so much a better choice than is Microsoft Windows, please . . . Gaël Duval Tells Why Mandrake Linux Is Better Than MS Windows"

  10. Re:Most Will Agree... by callipygian-showsyst · · Score: 3, Interesting
    That the bigger problem is the platform IE resides on.

    Actually, I don't agree with that at all. Windows XP has a complete, robust security model. However, Microsoft made some bad choices, like letting the default account on XP Home have administrator rights; and granting execute permission by default (without having to explicitly have an admin set the execute bit) to newly downloaded files. Most of the problems XP has are at the application level, not the core OS level. I can't remember ever seeing a privilege bug that had to do with core OS functionality.

  11. You're wrong by DogDude · · Score: 1, Interesting

    You do know what COM is, don't you? Because of COM, IE is used in almost every commercial, shrink-wrapped application sold today. It's impossible NOT to use IE unless you simply don't use your computer.

    --
    I don't respond to AC's.
  12. Re:You're kidding! by kcarlin · · Score: 1, Interesting

    Indeed. The proper title would be: "IE puts Windows at risk".

    Ditch IE, and all the spyware and other crap stops being an issue. I see so many people arguing over which spyware scanner is the best, like if it's a normal thing to have to scan your system for spyware everyday in the first place. Just like people arguing over the best tire repair kit, seemingly thinking it's normal to have a flat tire everyday.

    Most MS products aren't quite as bad as most people tend to make it here on slashdot, but IE is definitely the worst piece of shit I've EVER used from any company - ever. If you use it, you're guaranteed it'll trash your PC - have fun reformatting every week!


    IE is neck and neck with Outlook, with the rest of Microsoft Office lagging only because of less direct internet exposure. Speaking strictly from the IT peanut gallery, about ten years ago, after their success with macro technologies in products like Excel, Microsoft decided that their competitive edge/killer feature would be to integrate Visual Basic with their entire product line. All of those "mobile actors" (travelling software, not Brad or Liz) lighting up the CS grads would be energizing those spreadsheets and documents across the cyber plain. There was also a big push to replace legacy apps with OLE, VB, and anything else a Microsoft Consultant or Microsoft Partner could turn into a billable in the enterprise IT arena. Not that turning a dollar while providing value is not a great thing, it certainly is.

    The down side has been that for too long Microsoft has been too big and insulated to care about the resulting wiped or compromised data, denial of service incidents, etcetera, arising from the abuse of all of this largess.

    "We can FUD it out."

    "Everybody has these problems."

    "You used the default configuration settings? What a dope. I didn't know anyone was that stupid!"

    (Or my personal favorite: "Just reformat and reinstall. What? Back it up?!? are you stupid?!?")

    Frankly, it's a commercial software vendor thing, not just a Microsoft thing. But when you take over the world (or even just the desktop) you inevitably become the poster child for what is wrong on the desktop.

    Faced with a giant code base and executives making decisions based on PC Week feature list comparisons or that have to buy Microsoft the way they bought IBM a generation ago.

    But faced with the argument "those OSes aren't targeted because there aren't enough people using them," more people may use them. My non-tech relatives have begun to seriously consider alternatives, in large part because of word of mouth tales of friends who got bit by spyware or that lucky 10,000th spam.

    --
    Free Adam Smith! (Or best offer.)
  13. Nope by Safety+Cap · · Score: 2, Interesting
    Developers who know what they are doing* can and do create web-based products that are generally browser-agnostic. There is nothing that requires ActiveX or any COM BS that can't be done in a better way.

    Laziness and sloth is no substitute for skills and knowledge.

    *VB (.NET or otherwise) programmers excluded

    --
    Yeah, right.
  14. Re:Open source enhances security of MSFT's custome by HermanAB · · Score: 2, Interesting

    Actually, I have started to do dual booting Windows/Linux installs for my customers. "When Windows screws up - reboot into Linux and carry on working till I can get here..."

    --
    Oh well, what the hell...