Unpatched IE Flaw Extremely Critical
Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory."
Does anyone think that a very handy Firefox add-on would be a button attached to this kind of dialogue that would instantly kill all JavaScript scripts stone dead for the page? Once an OK/Cancel dialogue is up, you can't interact with Firefox's UI until you've responded to the dialogue and let the JavaScript do something, which I think is poor design.
I read the article, and there was a link to a page that demonstrates the exploit. Now, am I the only one who is afraid to click such a link? There is something about seeing a link that basically says "click here to see how we can take over your machine" that sends chills down my spine. I don't know about you, but I never click those demonstration links on *MY* machine.
The more you regulate a company, the worse its products become.
Sarcasm aside, yes they should be responsible for what they wrote, even though it's a lot of code, and there are going to be bugs (human nature). It is shoddy software.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
From 2005-09-20: Firefox Command Line URL Shell Command Injection
I'll probably be modded down for this...
The fact that there are lots of critical bugs wouldn't be an issue if the vendor patched the bugs *before* the exploits are made public. They were aware of the bug for a long time, long before this exploit was developed.
I'll probably be modded down for this...
I don't agree at all. Let's look at the post that got downmodded:
Yawn... IE is vulnerable and this is news, why? Seriously, people, if you're using IE to actually surf the Web I would argue you're probably already vulnerable because your system is running Windows, all your settings are probably default, and you probably don't care.
The post adds nothing to the discussion, says this article isn't newsworthy and does a broad ad hominem attack on all users of IE. How is that not flamebait?
I probably wouldn't have wasted a mod point on it, but -1 flamebait is fair. If you want to think critically, don't just believe someone who says the downmod was only about the sig.
I believe posters are recognized by their sig. So I made one.
On the proof of concept site, my Internet Explorer blocked a pop-up and did nothing else. Firefox launched another window and then crashed. Why am I supposed to be switching again?
Although it can be "accepted" that code is released with unknown bugs (because we all make mistakes), the problem here is that the bug report is over 5 months old. It is one thing to ship buggy code; it is another thing to ignore bug reports and not fix your product once the bugs have been found. It is no longer unknown; Secunia has a release date of 2005-05-31 for that bug.
After 3 days without programming, life becomes meaningless
- The Tao of Programming
Many of the security provisions in OpenBSD cause code to crash when a security hole is encountered. I would much rather have the minor inconvenience of restarting an application than have to rebuild a compromised machine. Of course, ideally it should do neither, but given the choice I'd take a crash over being 'pwned' any day.
I am TheRaven on Soylent News