Unpatched IE Flaw Extremely Critical
Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory."
The biggest blip on the slashdot radar over the Thanksgiving holiday was the realization by the editorial community that a slow news problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a short blip of news vulnerability now also allows for execution of arbitrary stories as portrayed by Beatles Beatles. The realization caused CmdrTaco to issue a rare 'Extremely Dupical' advisory.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Does anyone think that a very handy Firefox add-on would be a button attached to this kind of dialogue that would instantly kill all Javascript scripts stone dead for the page? Once an OK/Cancel dialogue is up, you can't interact with Firefox's UI until you've responded to the dialogue and let the Javascript do something, which I think is poor design.
and still be vulnerable? I am shocked and appalled. As is well known, any reputable software vendor would release flaw free code that could not possibly cause hidden attacks such as this. Clearly they are the scum of the earth and should be shunned for foisting such shoddy products off on the public. And if you believe THAT, I have this bridge for sale in a rather profitable location of a well known American city.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
Or is it just my imagination that a Microsoft security flaw was discovered at one point in time?
He who knows best knows how little he knows. - Thomas Jefferson
Is "IE" the shortened version of the screaming sound that I make when I realize my machine has been compromised?
"iiiieeeeEEEEEEEEE!"
It's so rare that most other things never see the light (or lack thereof) of this rating... I don't think firefox ever got an Extremely Critical rating for any of its bugs :P
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.
Here is a link to the Proof of Concept page, which will launch an instance of calc.exe if you're vulnerable. AVG Free caught the exploit in the cached page, but calc.exe ran anyway, even after I deleted the file.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
http://it.slashdot.org/article.pl?sid=05/11/22/1352212
Turn on "Data Execution Protection" for all programs and services. Instead of allowing full execution it will limit it to a DOS (crack IE).
Control Panel -> System -> Advanced [Tab] -> Performance Settings -> Data Execution Protection [Tab] -> Turn on DEP for all programs and services except those I select -> Ok -> OK.
Racism exists primarily in the minds of the left to give them relevance. The rest of us just get along.
In case anyone wonders why the parent was moderated "Flamebait", this was the guy's sig just five minutes ago.
Although it's not as severe.
https://bugzilla.mozilla.org/show_bug.cgi?id=3173
The roots of education are bitter, but the fruit is sweet.
--Aristotle
Perhaps they should have maintained double secret disclosure on this one. At the very least an ultra secret bulletin should have been issued.
The SANS Internet Storm Center has a counter on their home page showing how many visitors to their site are vulnerable to this particular problem. At this time, looks like it is 43%! (and I assume that people checking the site are more security conscious than the average). Also see MSIE 0day exploit.
---- join dshield.org Distributed Intrusion Detec
On my W2K box, McAfee warns me of a threat, then as soon as I close the window, the code executes anyway.
"Made up/misattributed quote that makes me look smart. I am on
I read the article, and there was a link to a page that demonstrates the exploit. Now, am I the only one who is afraid to click such a link? There is something about seeing a link that basically says "click here to see how we can take over your machine" that sends chills down my spine. I don't know about you, but I never click those demonstration links on *MY* machine.
The more you regulate a company, the worse its products become.
They just copied half the story from this site:
http://www.security.ithub.com
The Proof of Concept didn't load calc.exe for me. Instead, it crashed my IE windows on WindowsXP SP1.
I run Ad Muncher, so that might have caught and foiled the malicious javascript.
[Fuck Beta]
o0t!
My virus scanner seemed to stop it on the proof of concept page. McAfee sees it as JS/Exploit-BO.gen
His name points to an url and he is trying to use slashdot to boast his google pagemark. Move the cursor over the name? His site pops right up.
Just yesterday a famous spammer did the same thing and posted here. The slashdot editors should stop accepting such stories that are fabricated in order to boast his advertising revenue.
http://saveie6.com/
This is simply more paid propaganda from Microsoft. They release this new and exciting flaw on the same day Firefox 1.5 is supposed to be released, simply as a way to steal the Mozilla Foundation's thunder(bird). It won't work, though, because among the many new and exciting features in FF 1.5 is a whole host of new security bugs, two of which will even be rated 'Megasuperultra critical' which is two whole levels above the 'Extremely critical' rating of the flaw in IE.
Try out fish, the friendly interactive shell.
More and more I'm coming to think that down-moderation just doesn't work here any more. It should be eliminated. People get down-modded for their sigs, not to mention: -1 conservative, -1 mature response, -1 voice of actual experience, -1 raw data I don't like, -1 uncomfortable real life example. We should only allow up-mods. Or at least make a down-mod cost 3 mod points or similar.
The lack of critical thinking skills here is a sad commentary on modern society.
Yeah, but your Grandma is senile. She just heard about it this morning!
I just saw that the same link is in the original secunia article so I can assume it is real.. Sorry for posting too soon :)
"before I start e-mailing all my friends with links to this wonderful new feature in Internet Explorer."
Who needs enemies when you can have such a unique feature full friend...
The average unpatched-IE joe is surfing the net when he comes across a site. As soon as he opens up the site...there's a sexy blonde dancing:
:)
[pop-up]
Sexy Blonde: Do you want a piece of me? (with a "Yes" "No" button)
Joe: (Thinking this could be it) Clicks "YES"
Immediately, big bang of BSOD with all lights flashing then normalcy returns...
Joe: (thinking this was usual) tries to resume surfing...only to notice that he no longer has the mouse or keyboard. He sits there watching while "sexy blonde" takes over.
Oft-repeated story...hardly a surprise.
Lots of people have recommended NoScript, and it works great, but still it is stupid that an accidental error in a Javascript can disable the entire program!
Even links has this feature!
Please, please add this in Firefox too! Javascript is not so important that it should take control over the whole user interface. Is there a bug filed on this already, I want to vote for it to be fixed.
I'll probably be modded down for this...
Is there a related security bug for Safari? I tried the demo code on it and it does not crash Safari, nor does it run any executables, but it does put Safari into a pretty unusable state after opening a javascript window full of Chinese characters. I could not find any way to kill just that window and had to quit and restart the application. It looks better than the response of IE or Firefox, but still not the proper way to handle the code.
1. make article
2. mention all the sites you own on the article or link to them
3. submit to slashdot when fatass Taco or Zonk is around
4. ???????
5. PROFIT
6. bash Microsoft in the comments
Under IE6SP2: SymantecAV catches the threat
Under FireFox 1.0.7: Crashes.
Huuuuuuh...
-everphilski-
This is a prime example when disclosing vulnerabilities to the vendor first doesn't work. Things need to change.. Then again maybe you could argue MS is at fault for not fixing this 6 months ago when they first heard of it. Class Action Suit?
Not to start a flamefest here, but why is it that most of the time any IE article is mentioned, the firefox folks have to come out in force to claim it's some kind of conspiracy by microsoft?
come on guys... could it possibly be that the "browser wars" are fought by the users far more than the developers?
The world according to SComps
IE 5.something (which I don't "use") and Avast Antivirus on Win2K gives me:
-Launches javascript dialog box and I hit Okay.
-"memory cannot be read" error and closes the browser window.
-No calculator
Avast antivirus appears to do something because the tray icon spins, but might/might not prevent it. It's unclear.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Come on and listen to the music, people. No one uses DoS Internet Explorer. I'm afraid about it still existing!! I don't know why everyone doesn't just jump the band wagon and upgrade to KDE. Or at least Mozerella Firefox.
Linux has never had any security issues like this. Thats because whenever you buy Linux it has a built in firewall because Linux uses NAT and MAC authentication. However, this is something that M$ is unable to do and Apple is too dumb to do but since no one uses Apple's anyway, they never have to worry about security because no one would bother porting IE to the Apple or bother hacking it with such a small user base. I'm sorry, I'm okay, but please, this can't work, it won't work, it never has worked, and it will not work! Plain and simply stated. No one uses DoS Internet Explorer, er...Exploiter.
=Chad=
From 2005-09-20: Firefox Command Line URL Shell Command Injection
I'll probably be modded down for this...
I like your ideas. Do you have a newsletter I can subscribe to?
I didn't realise 120 characters could piss you off so easily... good to know about the left...
-everphilski-
Can anybody explain to me why it was modded off-topic? (Not that I care a lot, I mean, I could've perfectly accepted a "redundant" mod).
It may not be the same link, but it's the same vulnerability we're talking about. So, yes, technically, it's a dupe.
I call dupe :)
The grass is always greener on the other side of the light cone.
Or my favorite
-1 Not quite Off Topic, but not what I feel like you talking about
I was quoted out of context in my autobiography...
That is not a 'popup', it is a flash ad.
Install Flashblock. Use it for a week and you will not know how you lived without it.
When I loaded up IE to test it, AVG detects the virus in IE's temp files. Then IE hangs a while and then finally calc loads. But if you kill IE while you're waiting it doesn't get a chance to execute. Not a solution but at least it buys you some time to possibly stop it.
Either way MS needs to get off their ass and fix the problem. Oh and as if everyone didn't already know, you should be using anything but IE for web surfing.
If you wanna get rich, you know that payback is a bitch
Before you all jump on the microsoft hatewagon, I just tried it and the code, while not opening calc.exe (yay!), crashes Firefox 1.5 rc3, making it a DoS vulnerability. :(
It's not just here, it's society in general that has lacked critical thinking skills, going back time immemorial, and THAT gets reflected here on slashdot.
Slashdot attracts a lot of anti-social geeks who are good with computers, or maybe only Linux, but that surely doesn't mean that ANY of them have critical thinking skills. Go read any Apple topic and see the stupidity being bandied about. But that's because factual statements here get modded down, while wild-haired speculation is modded up.
It doesn't mean much now, it's built for the future.
OK, I've read the article and it is quite disturbing to me, the fact that Microsoft would not even simply fix a flaw in one of their programs. Yes, in it Microsoft is a thing called job security, but with one simple patch they could fix this flaw. Why don't they? To me it just seems like these flaws are getting bigger and bigger. What is Microsoft's problem lately, ya know.
let your life be a counter friction to stop the machine.
Funny how so many of the responses in this thread mirror the response of someone who's just been exposed to Snow Crash: "weird - the screen just went all static-y. But I'm fine... aren't I???"
Care to post a link to one of those remarks? Because I read every single one and not one said anything remotely like that. In fact, some firefox devotees came up and said it affected their browser too, although not as severely.
What division of Microsoft do you work for? The "online astroturf division?"
You God damned corporate shills piss me off. Please die.
(Not Quite MRC="terming" (WTF is "terming" anyway?))
The fact that there are lots of critical bugs wouldn't be an issue, if the vendor patched the bugs *before* the exploits are made public. They were aware of the bug for a long time, long before this exploit was developed.
I'll probably be modded down for this...
The URL is http://www.ocremix.org/
...or maybe /.'ers need to stop being so effing hyper sensitive about certain things.
And here's the submitter's user page http://slashdot.org/~Durinthal
I think you mistook the submitter for Beatles-Beatles
This Beatles guy is really getting out of hand.
He manages to taint stories he isn't even submitting.
[Fuck Beta]
o0t!
Honestly, a "Force Quit: Javascript" menu item (with associated hotkey) would be an extremely useful addition for Firefox. The ability to shut off the Javascript interpreter would be nice for malicious popups and poor code in general.
And to the 4 posters above who don't understand the request, the goal here is not to preemptively block the execution of javascript code by blocking it. The goal is to be able to (immediately) stop the execution of any currently running javascript.
I don't agree at all. Let's look at the post that got downmodded:
Yawn... IE is vulnerable and this is news, why? Seriously, people, if you're using IE to actually surf the Web I would argue you're probably already vulnerable because your system is running Windows, all your settings are probably default, and you probably don't care.
The post adds nothing to the discussion, says this article isn't newsworthy and does a broad ad hominem attack on all users of IE. How is that not flamebait?
I probably wouldn't have wasted a mod point on it, but -1 flamebait is fair. If you want to think critically, don't just believe someone who says the downmod was only about the sig.
I believe posters are recognized by their sig. So I made one.
On the proof of concept site, my Internet Explorer blocked a pop-up and did nothing else. Firefox launched another window and then crashed. Why am I supposed to be switching again?
Ultra critical?
Heck, let's just get the UT4K announcer in on the action too, I can hear it now...
Does anyone think that a very handy Firefox add-on would be a button attached to this kind of dialogue that would instantly kill all Javascript scripts stone dead for the page?
You mean like the NoScript extension? I know MSIE could definitely use this feature.
Yeah, I was worried when the DoD locked down its facilities to only allow connections to .mil sites, and eventually to none at all for 5 days. Frightening to say the least.
That's just Firefox crashing as it does normally, unrelated to this issue ;)
-- 'The' Lord and Master Bitman On High, Master Of All
I checked out the proof-of-concept site, and McAfee VirusScan threw a fit.
Good to know, I guess. *yawn*
"Currently, the only work-around is to temporarily discontinue the use of Microsoft Internet Explorer and use another browser, such as FireFox, (this can be downloaded for free at www.mozilla.com) until Microsoft can issue a patch."
Anyone else's bank send out a warning like this bluntly stating that if you use IE, there is nothing the bank can do to protect you?
You dig?
You're trying to ask for reason from a bunch of overstimulated, chai-sipping, underworked Java programmers. All they care about is you not toeing the party line, so OFF WITH YER HEAD! Take a -1, MATEY!
"Not to start a flamewar", but why is it that any time that phrase is used, it is followed by something inflammatory? Um, oh yeah inflammatory ... don't blame me - I use the GOOD browser.
.. paranoid crackpot leftover from the days of Amiga.
Check out vmplayer - it allows you to run live CDs in a separate virtual machine, runs on linux or windows, and it's free. They even have a pre-built virtual machine which runs Firefox in Ubuntu.
If I have to use Windows, I run Slax in a virtual machine (use DamnSmall if you're short of RAM - they have a very compact version on their site which runs with QEMU).
If I have to use Windows and IE, I use Slax KillBill, WINE, and install IE (check out the sidenet installation for IE - it's slick and it works). Then I complain to the website administrator.
Using plain ol' text since 1968
Read the part of my post about Firefox promising two even bigger exploits? It was a JOKE, and a comment on just the type of behaviour you mention. Seeing how I got moderated to oblivion for my post, you don't seem to be the only one who missed the point, though.
:(
I still think my OP was funny, though.
Try out fish, the friendly interactive shell.
accusatory yes, inflammatory no. In fact, I thought it was pretty diplomatic. I didn't use the words zealot or evangelist even once.
The world according to SComps
Same with AVG. Says it found the file, I click Delete, and calc opens anyway.
Slashdot solicits you to put in a URL associated with your account. His name isn't a search term, unlike "beatles-beatles", who obviously wants a search for "beatles" to turn up his site. There's absolutely nothing to indicate he's trying to exploit Slashdot's pagerank. Slashdot ASKS you for a URL, and they automatically attach it to your name when you submit.
Also, it's "boost", not "boast".
And it's PageRank, not "pagemark".
Tried the site in firefox just to see what would happen and it opens a window, locks up the computer, then crashes.
Seriously, while I can't speak for the other million plus firefox users, I do get irritated when I see the shills contorting logic out of all recognition in a forlorn attempt to make a browser crash (firefox) sound worse than arbitrary code execution (IE). I mean who cares if SymantecAV catches it? It shouldn't need to be caught in the first place!
Probably I shouldn't feed so many trolls.
could it possibly be that the "browser wars" are fought by the users far more than the developers?
Ummm... you missed out "marketing departments" as an option.
MS at any rate has a vested interest in retaining control of the browser market and a history of deception and of dubious marketing practices. The Mozilla corporation doesn't have quite the same incentive being a non-profit, and certainly doesn't have the budget. Or the history either.
Don't let THEM immanentize the Eschaton!
If you take what some people say seriously, you expect firefox/linux/any open source microsoft alternative to be perfect. That simply isn't true. I opened the link in Ubuntu, running firefox and it crashed.
What does give open source the advantage is that you can download the bug fixes/updates for nothing, and you know there will be one (if there isn't an update, hell, at least you're allowed to write your own).
This is how the loudness war is killing music.
There is no "extremely critical". Something is either critical, or it's not.
I just tried it using the FF extension IETab to open the proof of concept in an Explorer tab and calc.exe never popped up.
"featureful" you stupid son of a turd
The proof of concept crashes firefox 1.0.7 (as reported in this thread by numerous others).
I'm not surprised that IE hasn't been patched, but as this vulnerability has been known for some time (this post is a dupe - not that there's anything wrong with that), but why hasn't firefox been patched yet?
Another IE security fault? It executes arbitrary code? Wake me when some news comes in.
Rename calc.exe. Job done!
The realization caused Secunia to issue a rare 'Extremely Critical' advisory."
I'm still waiting for the even more rare "quickly unplug it and step away from the computer" advisory.
It's pretty simple.
1. I.E. is far and away the most used browser in the world.
2. Microsoft has consistently had zero-day exploits available for their software.
3. Many of these exploits, once found & announced, have sat unpatched for a considerable time.
4. Anyone "in the know" of said zero-day exploits, e.g. government agencies, terrorist organizations, organized crime: they've all had an easy way of taking over the majority of personal computers in the world.
5. The US Government hasn't bothered to react to this National Security risk by forcing corrective action on Microsoft. You don't see the Senate ordering a proactive security review of the software being used for billions of dollars of transactions this holiday season.
6. Today, once again, we hear that IE users have been vulnerable for quite some time.
7. Silence from US DOJ.
To me, that equals conspiracy. The federal government has the authority to do something here, and it isn't, when clearly action is needed. So if you're sitting in another country, or worse yet, a government of another country, and you're using Microsoft Internet Explorer: the CIA appreciates your loyalty to Microsoft.
(Before anyone jumps in about how Firefox has had zero day exploits, or bugs that have gone unpatched, or could be infiltrated by spies, etc.... that's all well and good, but firefox isn't the 70%+ market share browser, requires a download to install on any new PC, has the complete source code available to the world, and above all else: isn't run by a group of convicted criminals who were spared any punitive action by the US DOJ in part because they collectively are the wealthiest people in the world.)
Enjoy. And remember, computer crime is now more profitable than drug crime, so you can bet your ass the organized crime syndicates of the world aren't going to be any happier about the idea of a security-audited IE than they would be about legal marijuana and cocaine.
Is already on the mirror servers...
I downloaded it from here myself
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5/win32/en-US/
McAfee caught this as a virus and blocked it.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Great yet another IE security flaw. Go get Firefox 1.5 people. It's out.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
(yes I use windows because I'm at work)
The vulnerability does not affect IE7 beta. It does crash it though.
You may want to check out Fasterfox. It blocks some pop-ups Firefox doesn't by default.
Internal MS memo: "By popular demand of you, the customer, we regret to inform you that we will be releasing a patch, but only on the second Tuesday of next month. Again, we are sorry for the inconvenience you caused yourself."
Blame the user, not the software.
iiiieeeeEEEEEEEEE!
It crashed both my firefox 1.0.7 and my mozilla 1.7.6 tux
PD: not a joke
. . . a sufficient excuse to force users at work to use Firefox. Thank God!
avast! does absolutely nothing here. After a while the JavaScript prompt pops and, without any action on my part, disappears (along with IE) and calc.exe fires up.
People will pass up steak once a week, for crap every day.
Details: Attempted Intrusion "HTTP MSIE JavaScript OnLoad Rte CodeExec" against your machine was detected and blocked
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
Yes it has. The vulnerability was found by me, Paul from Greyhats Security, and disclosed responsibly to Mozilla. However, a mistrusted individual leaked the vulnerability details, which quickly made their way to security websites. Secunia rated the flaw as Extremely Critical, but later dropped the rating to Highly Critical due to the fact that Mozilla changed their servers in order to render the proof of concept ineffective, even though the core vulnerability was still in the browser, and in theory could have been updated to work again.
:)
The bug details can be found either at Secunia or at my site. The URLs for the advisory are posted below.
Secunia: http://secunia.com/advisories/15292/
Greyhats Security: http://greyhatsecurity.org/firefox.htm
Just wanted to clarify that for you
It's only a matter of time before Firefox and Opera both get nailed by attacks like this one. As far as I can tell, these guys have opened up a whole new set of vulnerabilities (similar to when HTTP response splitting attacks were invented and when people realized you could exploit one-byte stack overruns).
All you need to exploit this is to have some kind of scripting engine and DOS attack that results from a call through a register whose value is relatively constant.
McAfee stopped the exploit dead in its tracks.
No, I will not work for your startup
You're not the only one. I'm at work, so I'm *REALLY* not about to click on it. At home, I might click it on my junk Windows box, just for giggles. It's my 5-year-old's machine, so I've given him a non-privileged account to run with, and I reinstall it periodically on the assumption it's got nasties.
:-)
I've actually been considering ReactOS. I booted it up in QEMU, and it looks pretty neat. Anyone try Firefox and Flash under ReactOS? That's all he needs for Noggin.com and Reader Rabbit.
I went to the test exploit w/Konqueror-3.2.3 and it just sat there, not taking up any unusual amount of memory or CPU. No JS prompt, nothing. After closing the test exploit window I noticed a blank window popunder.
BTW - does anyone else find Konqueror to be far more stable than Firefox in general?
"Oh. No mister lawyer. I wouldn't dream of fixing my browser and make my computer work better. That would be a violation of the DMCA."
I'm not a Windows programmer, so could someone help me out here?
In the Unix world, most daemons that start as root do whatever work needs to be done as root, and then promptly drop the privileges -- usually, I think, by switching to a non-privileged account. QMail, pumped as the most secure SMTP servers out there, makes *extensive* use of this technique.
Is this type of thing difficult to do in the Windows world? Does FireFox/Opera do it? If not, and it's possible, why not? How difficult is it to create a 'Firefox' user with NO privs, and have the bulk of the browser run under that ID? Maybe some small part would need to retain privs to write to the user's download area (maybe it can even chroot() to the user's Documents and Settings area?), but most of the browser drops to a non-privileged state.
Wouldn't this contain most "critical bugs" by allowing the OS kernel (not IE/Firefox) to do the security context checking, instead of the app? Isn't that what kernels are good at?
I guess the concept I'm looking for is the idea of assuming that there are hundreds of code execution bugs and sandboxing the app as much as possible. It seems this is the way to go for apps written in C/C++, since re-writing them is a definite waste of time.
Just curious how feasible this idea is.
\We should just re-write FireFox in PERL and be done with it.
\\Slashdot doesn't do Slashies.
\\\Go figure. SlashieDot.
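The start-as-root-then-drop pattern asked about in the comment above, as an added C example that is not part of the original thread. It shows the Unix side only; the name `drop_privileges`, uid/gid 65534 and port 80 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* exposes setgroups() and chroot() on glibc */
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently switch the process to an unprivileged uid/gid.
 * jail may be NULL; if set, the process is chroot()ed there first.
 * Returns 0 on success, -1 on failure (the caller should then exit).
 * drop_privileges is a hypothetical helper name for this example.
 */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    /* Dropping "to root" is a caller bug, not a privilege drop. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }

    if (geteuid() == 0) {
        /* chroot() needs root, so it has to happen before the uid changes. */
        if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
            return -1;
        /* Clear root's supplementary groups; setgid() alone leaves them. */
        if (setgroups(1, &gid) != 0)
            return -1;
    } else if (jail != NULL) {
        errno = EPERM;             /* cannot chroot without root */
        return -1;
    }

    /* Group first: once the uid is gone we can no longer change the gid. */
    if (setgid(gid) != 0)
        return -1;
    /* As root, setuid() sets the real, effective and saved uid at once. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop is irreversible and complete; never assume it worked. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Demo: do the one privileged step (bind a port below 1024), then drop. */
int main(void)
{
    struct sockaddr_in addr;
    int fd;

    if (geteuid() != 0) {
        fprintf(stderr, "run as root to see the privileged bind and drop\n");
        return 1;
    }

    fd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(80);     /* assumed port; needs root to bind */
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        perror("bind");
        return 1;
    }

    /* 65534 is "nobody" on many systems; an assumption for this demo. */
    if (drop_privileges(65534, 65534, NULL) != 0) {
        perror("drop_privileges");
        return 1;
    }

    /* From here on, a code-execution bug runs as uid 65534, not root. */
    printf("socket %d still bound, now running as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

The already-open socket survives the drop because the kernel checks privileges when the port is bound, not on each later use of the descriptor.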
then there are just another well-known 48 critical security holes to fix until we can even consider to turn on IE for surfing. Still it will clutter websites and be totally uncomfortable.
Wouldn't it be better to simply let it die?
And this is at work. I haven't tried it at home yet.
I'm amazed that people who don't have the attention span to read as far as the third sentence still feel qualified to moderate, or even respond!
Good joke. I'd have modded you up, but you'd probably just lose more karma on the way back down.
------
For the last time, it's losing, not loosing! What a bunch of loosers.
This is news?
You feel like it's better for you because of how it tastes.
No problems with Opera 8.5... Just a pop-up window that's perpetually "loading". Nothing happens. (And yes, calc.exe is in the right place.)
Go Opera. Woot.
Why would you want Javascripts to do any of those things? I can do them just as easily with the built-in functions of my browser. Back = back button, refresh = refresh button, new window = right click - new window/tab. And using a script to open a new window is a little excessive, as I recall it's been possible to make a link open in a new window since roughly the time the Earth's crust was cooling by doing TARGET="_blank".
I hate those little scripts most of all, since they're nothing but unnecessary bloat. The most common use I've seen of Javascripts is creating popup windows that lack the proper controls across the top, which I find infuriating and is probably the number one reason I browse with it disabled.
I understand there are probably situations where doing something like that with scripts is necessary (GMail, for instance), but I'm sorry to say that they're horribly overused and rarely do anything for the viewer.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Linux also doesn't have an online hall of fame of Worst-Designed Dialog Boxes Ever.
The kicker: despite the fact that the author of the site is ostensibly a Mac user (by virtue of the host), all of the dialogs appear to be Windows. Guess Apple isn't on par yet either.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Or is this not working for other people? I have tried it on three machines and it doesn't work right. They all have been tweaked out a bit, but it doesn't seem to work at all. Instead however, they all crash :(
Still, crashing is better than running programs :(
did you notice that Firefox 1.5 is crashing as well on this exploit?
Oh no! We certainly wouldn't want our web browser crashing on a web page that was trying to take over our computer, would we.
Hrm, did you notice that Firefox 1.5 is crashing as well on this exploit?
No, I haven't noticed that. Can you back up the claim? Or are you just blowing smoke?
--MarkusQ
You mean like this?
I've come up with a couple ways to interestingly combine this with the sony rootkit that could produce all kinds of mayhem. And I have one idea that might be used to cause all kinds of interesting trouble.
Of course, I'll not mention details here.
I would have thought this is bigger news being that it is reported to be possible on Linux as well as M$
http://www.zdnet.com.au/news/software/soa/Danger_level_rises_for_Perl_flaws/0,2000061733,39225008,00.htm
Oh wait, I forgot I was on /. ;-)
Blessed are the 1337, for they shall pwn the earth.
In the wild, Linux root-kits/worms/virii last about two to three weeks? But for the misunderstood of Redmond; We have a different unit of measure...
And that was my sig for quite awhile. I change it occasionally. Unfortunately, when you change it, all of your past posts change as well.
However, why mod it as flamebait? My sig has nothing to do with my post. Perhaps my post didn't contribute much either, but I'd still argue IE vulnerabilities are just too commonplace, which was my point.
As for my views on racism, it primarily applies to the U.S. It's a general statement and certainly there are exceptions. I do not wish to convey that racism is non-existent, nor is that what I said. Rather, racism doesn't exist on the scale in the U.S. that the left would have you believe. Furthermore, the very definition of racism is being changed by the left to help keep them in power. The "N" word is a big no-no, as it should be, but pelting a black politician with Oreo cookies and calling him an "Uncle Tom" is acceptable by the left. Selective racism, which is my point. The vast majority of people on the street just get along. My point. You can disagree if you wish. My point isn't dependent upon your believing it. It stands on its own just fine. I can't speak for other countries because I don't live there.
I do find it typical that rather than contemplate the statement for a moment, you wish to attack it and me. Hopefully more objective readers will take note.
How exactly did you make the link to the webmin exploit?
Webmin is a very specific management tool that will most likely get its own posting soon. The difference between a browser that around 90% of clients use and a management interface that perhaps 5% of admins use is quite apparent to me.
But thank you for bringing the perl exploit to attention.
'featureful' is not a word.