Slashdot Mirror
IE Flaw Puts Windows XP SP2 At Risk
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
A security flaw in Internet Explorer! Stop the presses! Oh my God! This is such BIG NEWS!
Currently hooked on AMP
Luckily I didn't install SP2!
"It's too bad that stupidity isn't painful." - Anton LaVey
I am TheRaven on Soylent News
So try to look at this site http://www.thelovesearch.com/ using Microsoft
Internet Explore. It will try to convince your to use Firefox using
sex appeal.
If we could convince all porn sites to only support Firefox the battle
would be won in a few weeks.
Or am I dreaming now ??
At least according to slashdot anyway.
IE is unsecure, and it's insecurities are compounded by how much it is tied in with Windows.
Issuing patches is just playing catch-up in a game that Microsoft will never win. However addressing the fundamental problems (such as how much IE is tied into the operating system, not preinstalling every Windows installation with IE) IE's problems will always be larger.
2b || !2b =?
true... true.
A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.
What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
I think the real news is not the fact that there is a new vulnerability, but that (from the second link) there are still 12 unpatched vulnerabilities allowing remote or arbitrary code execution found by one organisation. The oldest of these was reported in March.
I am TheRaven on Soylent News
Protection for the said vulnarability is already provided by eEye : Blink Endpoint Vulnerability Prevention. hmmm...
95% of all sigs are made up.
- releasing a patch after the report of said vulnerability
- buying an antivirus company
- buying an anti-spyware company
Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable.What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?
Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.
Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.
The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, prevented the state government from its plans to go for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key, or otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as these days. A near-monopolist can always get away even with serious security flaws.
If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.
This has been discussed before and seems to start flamewars.
Yes there is a way to remove the IE engine from Windows 2000's installation files (and indeed integrate IE6 into them, since 2000+SP4 comes with IE 5).
The method of doing so is here. However it breaks things such as Windows help, Windows Update and lots of miscellaneous parts of the OS. For me atleast, it made the OS almost unbareable, introducing alot of annoyances. Although to be fair, I followed the post-install instructions...in theory, pre-install removal should be smoother.
The fundamental problem is not how much IE is tied into the operating system. The fundamental program is that, as another poster has said, the operating system it is tied to violates the principle of least privilege repeatedly in a way that more secure systems do not, and security is layered onto it instead of being built into it, making securing it an eternal effort consisting of filling holes that never go away. A big part of this is the whole concept of ActiveX.
If IE were not tied into the OS, MS would find another way to force "remote administration capabilities" on users without their actively enabling them, which is what most of the problems stem from, I think.
Currently hooked on AMP
You should consider the Microsoft Baseline Security Analyzer. It will scan your computer (hell, it will remotely scan all the computers on your domain if you want), tell you what you have or don't have, and give you links to the download.
funny munging
What is big news is that memories are so short that every time such a problem is publicized, it is quickly forgotten and we all go back to bleating the mantra "All you need to do is patch or buy the upgrade". Seriously, continuing to treat security problems simple as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).
I'll parlay it by saying that when Firefox has 'vulnerabilities' (as the genious in this article pointed out... at least it doesn't give the ability for an attacker to "enable a remote attack on systems running Windows XP with Service Pack 2".
So I'll stick with my more numerous, less invasive, and quickly fixed Firefox 'vulnerabilities' instead of my IE's less in number, more damaging and slower to be fixed 'vulnerabilities'.
Yup... IE sucks.
The price is always right if someone else is paying.
Homer: OK, Start the presses.
Editor: That takes four hours...
Homer: Whatever, I'll be at Moe's.
I mentioned it in another article, but the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.
I'm a pretty experienced computer user, EX-Windows developer (networking now), MCSE and while I can install Linux and get around it, I don't have a clue of an idea how to do a lot of things, including at times, install software (though I've figured that out with yum and rpm haha!). Either way... until Linux offers the eyecandy that OS X does, with the compatibility that Windows offers... it will still be the DESKTOP choice of nerds.
I'm waiting for the next version of KDE for some improvements but in reality, I think there's a lot more to be done at even a kernel level to make some things more idiotproof.
The price is always right if someone else is paying.
Weee Micros~1 Genuine Advantage REQUIRED to download the tool.
Fucking nosy bitches at Micros~1, when is it enough?
Turn off ActiveX, infact turn off everything in IE (scripting, install, etc) in the "internet" zone.
Now, the easy part: add microsoft.com to the "trusted sites". In fact, if you surf to the windowsupdate site with activex turned off you get the message of exactly what to add to "trusted sites".
Sleep easy knowing that (a) windows update works (b) nothing else works. Happyily use Mozilla for your web browsing.
Security is after all about restricting access. Most extreme way to keep a computer safe is to make it impossible to access. Want a safe websurfing session? Easy just take out that little cables in the back of your computer, the power, the network and the keyboard one would do for starters.
But that kinda security doesn't work because we want things to be easy. What is an often heard complained about windows vs unix security? That by default windows has the user logged in as root, the defence being that users don't want to have to type in a password just to install software.
MS could easily introduce unix like root-user seperation, they used to be a unix company after all. Some linux distros make it very clear when you run your desktop as root and some IRC proggies even flatly refuse to run when you are the root user. MS could easily do the same, refuse to access the net when running as root, force the user to get software under their normal account then install it from the root account, this would force the user to think for a second.
But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.
I don't think MS isn't aware of the risk this poses, I think they view this as the same way as credit card companies view the risk of how easy it is to abuse their card system. Or how easy it is to learn a 4 digit pin number. Would be very easy to make these multi billion dollar payment systems more secure. But it would also introduce a lot more difficulty that might reduce their usage.
So MS probably has people who have a solution to this but it would make windows a lot harder to use, marketing might have a thing or two to say about it. Hell support might too, would MS really want to deal with all of its users suddenly having to learn the concept of user vs admin?
In a way the public has the final say in wether windows ever becomes secure. The same public that buys SUV's wich are the most lethal vehicle on the road 4x times more likely to kill if you hit a pedestrian then other cars. The same public that flies with cutrate airlines offering flights at prices cheaper then the ride to the airport. The same public that still buys each new version of internet explorer after a decade of security alerts.
So from a business perspective why doesn't some big-wig at MS does this? Because the big-wig wants to keep his job. Insecure windows sells, slightly more secure linux does not. It is not greed, it is common business sense. You give the customer what they want. MS is very good at that. Compare it with McD, they used to sell lard with flavor. They only added a few salades after customers started demanding them with their dollars. McD did not fight this, there had to be no legal battles. As soon as they noticed demand, they supplied. Sure they didn't supply it in say the 70's because a few leftie protestors does not equal demand. A bunch of guys at slashdot complaining does not equal demand to MS.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Secunia has very informative pages about the relative security of IE and firefox.
Firefox
IE
The problems with firefox compared to IE are:
IE bugs are more frecuently critical
IE critical bugs take longer to patch
Fully patched IE is less secure than Fully patched Firefox
You can download the patch below. They've done, actually, an impressive job with it because, by way of a "peace offering" to the Web community, they've incorporated quite a large number of features from IE7 and future releases far earlier than expected.
The changes are actually pretty dramatic, with even some significant alterations to the UI and a number of fixes to the bookmarks system. Enjoy.
http://www.mozilla.org/products/firefox/
Chr0m0Dr0m!C
IIRC, one of the things the Wine project is working on is replacing Internet Explorer with the Mozilla engine (so that you don't need to install IE to view HTML Help under Wine, for example). Depending on how well that works...
> Which of these things is not like the others?
- IBM
- Microsoft
- Scientology
- Amway
- Herbalife
Amway. It's the only one that doesn't have an 'i' in it.Sheesh, evil *and* a jerk. -- Jade
And just when IE was officially the safest browser ever! What's happening?
-- Cheers!
Actually, I don't agree with that at all. Windows XP has a complete, robust security model. However, Microsoft made some bad choices, like letting the default account on XP Home have administrator rights; and granting execute permission by default (without having to explicity have an admin set the execute bit) to newly downloaded files. Most of the problems XP has are at the application level, not the core OS level. I can't remember ever seeing a privilege bug that had to do with core OS functionality.
Best Buy can have you arrested
Just a reminder as the FF vs. IE flame wars rage:
...
Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.
I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.
Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history