IE Flaw Puts Windows XP SP2 At Risk
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
At least according to slashdot anyway.
IE is unsecure, and its insecurities are compounded by how much it is tied in with Windows.
Issuing patches is just playing catch-up in a game that Microsoft will never win. However addressing the fundamental problems (such as how much IE is tied into the operating system, not preinstalling every Windows installation with IE) IE's problems will always be larger.
Protection for the said vulnerability is already provided by eEye: Blink Endpoint Vulnerability Prevention. hmmm...
I don't think that's the real issue; after all, I'm sure you can probably find bug reports older than March in the Firefox/Mozilla code. The real issue, as has been pointed out, is that because of how closely IE is tied into the OS (unlike Firefox), any bug in IE becomes a security risk.
I too have not yet installed SP2. I was about to the other day, but now I'm glad I didn't. I'll wait a few more months till they've released a few more patches for the patch in the swiss cheese OS.
What is big news is that memories are so short that every time such a problem is publicized, it is quickly forgotten and we all go back to bleating the mantra "All you need to do is patch or buy the upgrade". Seriously, continuing to treat security problems simply as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).
Security is after all about restricting access. Most extreme way to keep a computer safe is to make it impossible to access. Want a safe websurfing session? Easy, just take out those little cables in the back of your computer, the power, the network and the keyboard one would do for starters.
But that kinda security doesn't work because we want things to be easy. What is an often heard complaint about Windows vs Unix security? That by default Windows has the user logged in as root, the defence being that users don't want to have to type in a password just to install software.
MS could easily introduce Unix-like root-user separation, they used to be a Unix company after all. Some Linux distros make it very clear when you run your desktop as root and some IRC proggies even flatly refuse to run when you are the root user. MS could easily do the same, refuse to access the net when running as root, force the user to get software under their normal account then install it from the root account, this would force the user to think for a second.
But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.
I don't think MS isn't aware of the risk this poses, I think they view this the same way as credit card companies view the risk of how easy it is to abuse their card system. Or how easy it is to learn a 4 digit pin number. Would be very easy to make these multi-billion dollar payment systems more secure. But it would also introduce a lot more difficulty that might reduce their usage.
So MS probably has people who have a solution to this but it would make windows a lot harder to use, marketing might have a thing or two to say about it. Hell support might too, would MS really want to deal with all of its users suddenly having to learn the concept of user vs admin?
In a way the public has the final say in whether Windows ever becomes secure. The same public that buys SUVs, which are the most lethal vehicle on the road, 4x times more likely to kill if you hit a pedestrian than other cars. The same public that flies with cut-rate airlines offering flights at prices cheaper than the ride to the airport. The same public that still buys each new version of Internet Explorer after a decade of security alerts.
So from a business perspective why doesn't some big-wig at MS do this? Because the big-wig wants to keep his job. Insecure Windows sells, slightly more secure Linux does not. It is not greed, it is common business sense. You give the customer what they want. MS is very good at that. Compare it with McD, they used to sell lard with flavor. They only added a few salads after customers started demanding them with their dollars. McD did not fight this, there had to be no legal battles. As soon as they noticed demand, they supplied. Sure they didn't supply it in say the 70's because a few leftie protestors do not equal demand. A bunch of guys at Slashdot complaining does not equal demand to MS.
IIRC, one of the things the Wine project is working on is replacing Internet Explorer with the Mozilla engine (so that you don't need to install IE to view HTML Help under Wine, for example). Depending on how well that works...
Actually, I don't agree with that at all. Windows XP has a complete, robust security model. However, Microsoft made some bad choices, like letting the default account on XP Home have administrator rights; and granting execute permission by default (without having to explicitly have an admin set the execute bit) to newly downloaded files. Most of the problems XP has are at the application level, not the core OS level. I can't remember ever seeing a privilege bug that had to do with core OS functionality.
Best Buy can have you arrested
Laziness and sloth is no substitute for skills and knowledge.
*VB (.NET or otherwise) programmers excluded
Yeah, right.
Actually, I have started to do dual booting Windows/Linux installs for my customers. "When Windows screws up - reboot into Linux and carry on working till I can get here..."
Oh well, what the hell...