Slashdot Mirror
IE Flaw Puts Windows XP SP2 At Risk
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
That the bigger problem is the platform IE resides on.
A security flaw in Internet Explorer! Stop the presses! Oh my God! This is such BIG NEWS!
Currently hooked on AMP
Luckily I didn't install SP2!
"It's too bad that stupidity isn't painful." - Anton LaVey
I am TheRaven on Soylent News
So try to look at this site http://www.thelovesearch.com/ using Microsoft
Internet Explore. It will try to convince your to use Firefox using
sex appeal.
If we could convince all porn sites to only support Firefox the battle
would be won in a few weeks.
Or am I dreaming now ??
At least according to slashdot anyway.
IE is unsecure, and it's insecurities are compounded by how much it is tied in with Windows.
Issuing patches is just playing catch-up in a game that Microsoft will never win. However addressing the fundamental problems (such as how much IE is tied into the operating system, not preinstalling every Windows installation with IE) IE's problems will always be larger.
The bigger problem is how to neatly remove IE from Windows systems. I continue to believe that open source geeks can find a way to do this. Heck, so much has been done by open source programmers without M$ support at all. Do not be surprised when some geek releases a tool/utility to do just that.
2b || !2b =?
true... true.
A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.
What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
I think the real news is not the fact that there is a new vulnerability, but that (from the second link) there are still 12 unpatched vulnerabilities allowing remote or arbitrary code execution found by one organisation. The oldest of these was reported in March.
I am TheRaven on Soylent News
Doesn't Microsoft demand you use IE to patch Windows? Sure you might make it a bit more secure by getting rid of IE, but you'll still need those updates (but I guess you can illegally download those off p2p, just have fun trying to avoid the viruses as well).
Protection for the said vulnarability is already provided by eEye : Blink Endpoint Vulnerability Prevention. hmmm...
95% of all sigs are made up.
- releasing a patch after the report of said vulnerability
- buying an antivirus company
- buying an anti-spyware company
Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable.What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?
Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.
Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.
The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, prevented the state government from its plans to go for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key, or otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as these days. A near-monopolist can always get away even with serious security flaws.
If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.
This has been discussed before and seems to start flamewars.
Yes there is a way to remove the IE engine from Windows 2000's installation files (and indeed integrate IE6 into them, since 2000+SP4 comes with IE 5).
The method of doing so is here. However it breaks things such as Windows help, Windows Update and lots of miscellaneous parts of the OS. For me atleast, it made the OS almost unbareable, introducing alot of annoyances. Although to be fair, I followed the post-install instructions...in theory, pre-install removal should be smoother.
Is this supposed to be news at all???
come on...sun rises in the east...magnets point N-S...u dont publish that as news...
note to mod: delete this discussion...
The fundamental problem is not how much IE is tied into the operating system. The fundamental program is that, as another poster has said, the operating system it is tied to violates the principle of least privilege repeatedly in a way that more secure systems do not, and security is layered onto it instead of being built into it, making securing it an eternal effort consisting of filling holes that never go away. A big part of this is the whole concept of ActiveX.
If IE were not tied into the OS, MS would find another way to force "remote administration capabilities" on users without their actively enabling them, which is what most of the problems stem from, I think.
Currently hooked on AMP
You should consider the Microsoft Baseline Security Analyzer. It will scan your computer (hell, it will remotely scan all the computers on your domain if you want), tell you what you have or don't have, and give you links to the download.
funny munging
What is big news is that memories are so short that every time such a problem is publicized, it is quickly forgotten and we all go back to bleating the mantra "All you need to do is patch or buy the upgrade". Seriously, continuing to treat security problems simple as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).
I'll parlay it by saying that when Firefox has 'vulnerabilities' (as the genious in this article pointed out... at least it doesn't give the ability for an attacker to "enable a remote attack on systems running Windows XP with Service Pack 2".
So I'll stick with my more numerous, less invasive, and quickly fixed Firefox 'vulnerabilities' instead of my IE's less in number, more damaging and slower to be fixed 'vulnerabilities'.
Yup... IE sucks.
The price is always right if someone else is paying.
Homer: OK, Start the presses.
Editor: That takes four hours...
Homer: Whatever, I'll be at Moe's.
I mentioned it in another article, but the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.
I'm a pretty experienced computer user, EX-Windows developer (networking now), MCSE and while I can install Linux and get around it, I don't have a clue of an idea how to do a lot of things, including at times, install software (though I've figured that out with yum and rpm haha!). Either way... until Linux offers the eyecandy that OS X does, with the compatibility that Windows offers... it will still be the DESKTOP choice of nerds.
I'm waiting for the next version of KDE for some improvements but in reality, I think there's a lot more to be done at even a kernel level to make some things more idiotproof.
The price is always right if someone else is paying.
Weee Micros~1 Genuine Advantage REQUIRED to download the tool.
Fucking nosy bitches at Micros~1, when is it enough?
Turn off ActiveX, infact turn off everything in IE (scripting, install, etc) in the "internet" zone.
Now, the easy part: add microsoft.com to the "trusted sites". In fact, if you surf to the windowsupdate site with activex turned off you get the message of exactly what to add to "trusted sites".
Sleep easy knowing that (a) windows update works (b) nothing else works. Happyily use Mozilla for your web browsing.
How could Microsoft have NOT noticed that there could be security issues with integrating their browser so closely with their OS?
Simply put, they don't care. They tied it in so it is impossible (for the average user) to remove. That benefit far outweighed any security issues, and still does outweigh the security issues. Microsoft will go on about how it's impossible to remove without breaking Windows, well but people have already done it and it works fairly okay (for people who haven't been able to see the Windows code that is).
There is no benefit for MICROSOFT to remove IE from Windows. Sure it will benefit it's users, but then they can't use software to check up on people as easily. When your a convicted monopolist and then been allowed to walk away unscathed, customer satisfaction isn't a very big priority. Neither's employee satisfaction apparently.
But then again, why address problems, When you can throw money at it to fund FUD.
Of course they're not going to tell you what it is, it's quite possible that they've either entered into a mutually beneficial agreement with Microsoft to keep this information under their hat, or they know it's nothing to be overly concerened with, but are trying to sell protection anyway, so they're making it out to be bigger then it is.
Whatever the reason (if it isn't both), they're profiting from people's fears and Windows's insecurities.
Security is after all about restricting access. Most extreme way to keep a computer safe is to make it impossible to access. Want a safe websurfing session? Easy just take out that little cables in the back of your computer, the power, the network and the keyboard one would do for starters.
But that kinda security doesn't work because we want things to be easy. What is an often heard complained about windows vs unix security? That by default windows has the user logged in as root, the defence being that users don't want to have to type in a password just to install software.
MS could easily introduce unix like root-user seperation, they used to be a unix company after all. Some linux distros make it very clear when you run your desktop as root and some IRC proggies even flatly refuse to run when you are the root user. MS could easily do the same, refuse to access the net when running as root, force the user to get software under their normal account then install it from the root account, this would force the user to think for a second.
But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.
I don't think MS isn't aware of the risk this poses, I think they view this as the same way as credit card companies view the risk of how easy it is to abuse their card system. Or how easy it is to learn a 4 digit pin number. Would be very easy to make these multi billion dollar payment systems more secure. But it would also introduce a lot more difficulty that might reduce their usage.
So MS probably has people who have a solution to this but it would make windows a lot harder to use, marketing might have a thing or two to say about it. Hell support might too, would MS really want to deal with all of its users suddenly having to learn the concept of user vs admin?
In a way the public has the final say in wether windows ever becomes secure. The same public that buys SUV's wich are the most lethal vehicle on the road 4x times more likely to kill if you hit a pedestrian then other cars. The same public that flies with cutrate airlines offering flights at prices cheaper then the ride to the airport. The same public that still buys each new version of internet explorer after a decade of security alerts.
So from a business perspective why doesn't some big-wig at MS does this? Because the big-wig wants to keep his job. Insecure windows sells, slightly more secure linux does not. It is not greed, it is common business sense. You give the customer what they want. MS is very good at that. Compare it with McD, they used to sell lard with flavor. They only added a few salades after customers started demanding them with their dollars. McD did not fight this, there had to be no legal battles. As soon as they noticed demand, they supplied. Sure they didn't supply it in say the 70's because a few leftie protestors does not equal demand. A bunch of guys at slashdot complaining does not equal demand to MS.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
As far as I know, the browser core is some kind of OLE/ActiveX stuff packed in a library called MSHTML.DLL, which MSIE-the-executable just packs into a normal application window. The integration, as far as I've been led to believe, is just the fact that Windows' file explorer also uses the same component to render some UI elements and so on. It's not exactly like it's a kernel module or anything.
I'm not trying to troll or anything here, the above is just what I think I know. If someone knows that that isn't the case, and there really is some closer "integration" besides that which I know of, please tell me so.
Furthermore, if I'm right, then Microsoft has just done basically the same thing that Apple has, if memory serves me. A news item for Tiger was that the modified KHTML components had been brought out from Safari and made into a library (in Objective C?) called WebCore, which Safari then uses as a widget. If you ask me, this rather obvious piece of architecturing is far better than what e.g. Gecko-based browsers do (they have to link statically against the Gecko code, right?).
So can we please get equal time share for *nix vulnerabilities, or, better yet, provide a way to filter out vulnerability announcements for software we don't use?
Your post is commendable for being one of the few that doesn't try to pass off as witty any of the cliche comments like "IE is insecure?", or "Microsoft sucks", or "They should never have integrated IE and Windows so tightly to begin with." On the other hand, if you're actually looking to Slashdot for bug and vulnerability announcements, then I feel sorry for your network.
Secunia has very informative pages about the relative security of IE and firefox.
Firefox
IE
The problems with firefox compared to IE are:
IE bugs are more frecuently critical
IE critical bugs take longer to patch
Fully patched IE is less secure than Fully patched Firefox
You can download the patch below. They've done, actually, an impressive job with it because, by way of a "peace offering" to the Web community, they've incorporated quite a large number of features from IE7 and future releases far earlier than expected.
The changes are actually pretty dramatic, with even some significant alterations to the UI and a number of fixes to the bookmarks system. Enjoy.
http://www.mozilla.org/products/firefox/
Chr0m0Dr0m!C
IIRC, one of the things the Wine project is working on is replacing Internet Explorer with the Mozilla engine (so that you don't need to install IE to view HTML Help under Wine, for example). Depending on how well that works...
> Which of these things is not like the others?
- IBM
- Microsoft
- Scientology
- Amway
- Herbalife
Amway. It's the only one that doesn't have an 'i' in it.Sheesh, evil *and* a jerk. -- Jade
Okay, let's get this one out of the way. First, let's define OS. If you are a computer scientist, the OS is the program that is responsible for interfacing directly with the hardware. If you are a marketing person, the OS is the bit responsible for talking to the hardware, and anything else that the vendor decides to put in the same box. To avoid confusion, we will call this the Operating Environment (OE).
IE is part of the Windows OE, not part of the Windows OS. It is not tied into the kernel in any way. Making it part of the OE was a logical move. Microsoft provides libraries for doing all sorts of things as part of the Windows OE - things like drawing common controls and common dialog boxes, APIs for rendering video, etc. These are convenient for developers, because they can assume that they are present on all Windows boxes, and not have to check for them.
Apple does something similar. Safari is a thin layer around WebKit in the same way IE is a thin layer around mshtml. It is possible to delete Safari, and for other apps to still be able to use WebKit to render HTML - and a good thing too, it's a useful ability. The only difference is that Microsoft use mshtml in quite a lot of places throughout the Windows system, so removing it breaks a lot of things. Removing WebKit from OS X, in contrast, might break Mail.app and some third party software, but little else.
The reason IE is such a security problem is twofold:
- Windows doesn't encourage privilege separation or privilege escalation, causing most people to run with administrator access.
- A number of `enhancements' were added to IE to combat Java, allowing access to non-browser parts of the system to enable richer web apps. These `enhancements' were designed quickly, and without much thought to security.
Neither of these is a result of it being bundled with Windows.I am TheRaven on Soylent News
Also, and this is quite important, all recent exploits I have seen have had nothing to do with running untrusted ActiveX controls. On the contrary, it's very frequently been buffer overflows. And this isn't a design issue, really, it's a matter of bugs in single lines of code. The only design issue there is the fact that it's written in C(++) by a sloppy coder.
Sorry, I don't like reading comment after comment hating on MS. I use Linux too, but I don't need to come to /. to feel better about myself.
And just when IE was officially the safest browser ever! What's happening?
-- Cheers!
I'm pretty sure someone told me SP2 is secure... so don't worry about it, you'll all be fine.
Stop! Dremel time!
Just a reminder as the FF vs. IE flame wars rage:
...
Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.
I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.
Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history
Um... I really don't mean to be rude... But it is possible to use a computer and not use IE. At work I use a fine Linux distro known as Fedora Core, and at home I use a mac with OS X. C'est Voila! No IE!
"That naive cube! How long must I suffer this!" --Sheldon J. Plankton
how Firefox has more security problems than IE...
It is appropriate that this surfaces a day after some moron tried to make that argument stick.
Microsoft: Give...it...up!
You've lied so often that nobody but your shills believe your FUD anymore -and I'm not even sure THEY do - they just support it for their own moronic reasons.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Seriously, continuing to treat security problems simple as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).
Oh, come on, why can't you just patch or buy the upgrade?
You are in a maze of twisty little passages, all alike.
Laziness and sloth is no substitute for skills and knowledge.
*VB (.NET or otherwise) programmers excluded
Yeah, right.
Lets take the problem of offering access to irc from your website to those who don't have a special client installed and look at the options. The reasoning here should apply to anything where realtime updating is desired not just irc char.
.net .net framework installed which is not on all windows systems at this stage. Also locks out most other operating systems/browsers.
1: java applet
This is by far the most common method and works pretty well. However unfortunately windows does not ship with a jvm as standard anymore.
2: activex
Works on any windows/ie system, but doesn't really work anywhere else. However it has to be signed which puts people off. Also locks out most other operating systems/browsers.
3:
Technically very similar to java although more windows biased, needs the
4: Refreshing
works but there is some delay and the flicker can become highly annoying. The higher you make the refresh rate the worse the flicker and the higher the server load.
5: streaming into a frame
Works with any browser that supports frames and incremental rendering but is pretty ugly and inflexible. Also breaks with some proxies though that can usually be worked arround by using https. The only implementation i know of (older versions of cgiirc) also requires a huge ammount of server side rescources.
6: streaming javascript.
This can give far nicer results than streaming into a frame but needs javascript enabled in the browser and browser detection is probablly needed to make everything behave right. As with the one above the only implementation i know of (newer versions of cgiirc) requires a huge ammount of server side rescources.
NONE of theese options clearly beats the others in every respect.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Actually, I have started to do dual booting Windows/Linux installs for my customers. "When Windows screws up - reboot into Linux and carry on working till I can get here..."
Oh well, what the hell...
This worked fine until the 'genuine' advantage bullshit, now I have to break that too to get some of the upgrades... which slows down the already glacial windows install time quite considerably.
Yeah, that's incredibly stupid. There's an easy way to get around it though. Get genuinecheck.exe (remove that activex control if you already have it and the MS page will give you that option). Then run it on either some pre-windows-xp computer, or set it to run in compatibility mode for like windows 98. It will spit out a code you can put in the MS web page, and proceed to download the file. Save this file, it's the real deal and will work perpetually. And if you make your own slipstreamed install discs, you can easily hop it on there. Good stuff.
funny munging
Yes, Windows should be brought to task for its higher rate of problems. But its quality isn't so bad that it's legally actionable.