Slashdot Mirror
IE Flaw Utilizes Google Desktop Search
abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."
Which do I believe?....
I am shocked to learn of this, shocked and dismayed.
It wouldn't surprise me if Microsoft sued Google (or vice versa) for this. If not, they might start blocking Google's search bar like they blocked msn.com from Opera.
[sig]
Will this be the flaw that breaks the patch cycle's back?
Puh-lease. This ridiculous question could be asked of any flaw. How about from the 'its 5pm lets leave early so we accept any sensationalist submission' department?
I can see how the Slashbot must suffer over this - its Google, but its a security vulnerability, but its Microsoft, so its OK, but its still Google, so what do we do? Laugh, cry, sell stock?
I want to delete my account but Slashdot doesn't allow it.
Here is the easiest way to stop this from hurting you:
Turn off your computer.
P.S. Okay, seriously, use Firefox.
Dashboard Widgets
Google should know they're developing on the Microsoft Windows platform. Duh. Take some responsibility... will ya?
So it's finally happened. Microsoft's first salvo against Google. What else could it be?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
This makes me wonder if Ballmer's chair throwing scream was actually "I will f##king end Google Desktop!" instead of "...end Google on the desktop."
Hmm...
Of course, Google contends that this is a flaw with IE, and not their search software.
And why shouldn't they?
I've read TFA, according to the article it's a design flaw in IE. No one seems to be blaming Google anyway?
(Well at least not yet.)
If they make these things look like security holes no-one will suspect.
Google: Help Help, Microsoft is trying to run us out of business...
Anti-M$ Cr3w: What seems to be the problem?
Google: Well, there's this security hole
Anti-M$ Cr3w: So, What else is new... *Goes quietly on their way*
Shots: A Populist Parable
This could potentially become a problem not only for IE and google, but ALL browsers and plug-ins ("extensions"). It seems that not only do companies need to keep their browser secure, but 3rd party developers need to make sure the interaction between the browser and the plug-in needs to be locked-down. Not an easy task, considering company A doesn't have company B's source code to check against. Of course, open-source would solve this problem ;)
All is prevelant in the world...
I wish I knew of this sooner
Who's who?
You are all a bunch of idots.
This is a complex technical issue. I can easily imagine that users of the Google software will say to themselves:
Google Toolbar allows badguy to get data -> Google software bad
But on the other hand, perhaps the users will say to themselves:
Oh -- MicroSoft made yet another security mistake. Rats!
But normally I've seen people blame the additional software -- but as software folks, we know that if you have to add a feature (in this case, the IE plugin) on a crappy foundation, normally you see the faults in the addition, and not necessarily in the main software.
It will be neat to see how this plays out.
http://www.thebricktestament.com/the_law/when_to_
of course it's a microsoft only problem. all of the articles did mention google's role, though - so i don't think it's a submission troll
does anyone know if this can be exploited to execute arbitrary code? or can it only work with things like google desktop search, which integrates itself with IE?
see, if the exploit can only work on things integrated with IE (yes, yes, the whole OS is, blar blar), then the fact that google search integrates itself with IE makes stealing personal data a lot easier.
spyware gets access to your computer's resources. Doh.
The bug is that it uses IE in the first place.
--The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)
From the vulnerability description:
But what happens when a web page imports a URL that is not a valid CSS file? It appears that IE's lenient CSS parsing allows this to happen and in the "cssText" property one can read snippets of html code from the remote site that were mis-parsed as CSS rules.
Now can everybody who complains that the Acid2 test uses invalid CSS to test error handling please be quiet?
[...]However, given the danger presented by this and other recent discoveries of IE security holes, I would strongly recommend that IE users consider downloading and using another browser, like Firefox, Opera or Netscape.
Go Brian Krebs !!!
On a more serious note, it's nice to see somebody post an article clearly promoting [generic non-IE browser], but IMHO security shouldn't be the only reason why FF is chosen over IE. If it turns out that FF is safer "only" because it isn't targeted by hackers/phishers/terrorists, then everything falls apart. We shouldn't lose sight of the initial raison-d'etre of FF, which is to be an open-source browser, not a "more secure" browser (which is an added side benefit).
And it's really quite interesting how he lays it all out. It seems IE's CSS @import (or more specifically the "addimport" jscript function) doesn't block access to outside domains. So essentially, I can import any stylesheet I want from the web. This also means I can import _anything_ that is mal-formed as a css rule. Javascript comes to mind with it's curly braces. with classic injection attacks, you can inject anything you want, including jscript. Scary stuff. I think I'll go look at everyone's hard drives now.
All is prevelant in the world...
Both are playing the blame game. Why oh why can Google's Desktop Search program be exploited from a CSS file?
To be honest with you, I think Google should quickly fix this and publish a patch fast.
Before everyone goes posting about MS vs Google rubbish, please RTFA. This has very little to do with Google.
"This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.
In other words, this flaw is just loading files from Google Desktop's internal http server. It could load the internal http server of hundreds of different programs (particularly administration tools).
You know where my house is?
Ok, so the FA is a bit long, so here you have a three sentence summary:
The google desktop was only cited as an example. But basically any protected web page could have been targetted (a webmail site such as hotmail, any other password-protected page, intranet server not accessible from outside,This is the type of scenario we kept in mind when we decided to ban the use of the tool on our corporate PCs. It would have been nice if (at least at that time) Google had provided more than just a slight clue as to how to easily block the installation.
r entVersion\Policies\Explorer]
r entVersion\Policies\Explorer\disallowrun]
Of course, it didn't take too long and isn't incredibly tamper-proof, but it's kept the average user from really sitting down to find a way to get it installed.
This is a simple registry file that we run as part of the setup. Like I said, not too high-tech, but so far noone's spent enough time to figure out how to install it. All it does is block the filenames specified from executing. Anyhow, here's the reg code:
-start-
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur
"disallowrun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur
"1"="GoogleDesktop.exe"
"2"="GoogleDesktopSearchSetup.exe"
"3"="Troubleshoot Network.exe"
"4"="GoogleDesktopIndex.exe"
-end-
Save everything between the start and end notations to a text file, rename it to whatever_you_want.reg. There you go. It's been tested on Win2k and Xp.
Don't sue my ass for this. You're assuming the risk. In a perfect world corporate employees wouldn't have administrative rights, but the world isn't perfect.
when your code sucks, blame the code it depends on.
I'm sick and tired of all the /. google fanboys...
No, the problem isn't the Windows platform, it's the insistance of Microsoft to use Internet Explorer for every web application on the Windows platform.
Why doesn't Google just use Mozilla's engine to render the content? (They are putting money into its development) They *would* have more control.
Get your Unix fortune now!
Anti-Semitism this exaggerated, I thought, could only be a twisted attempt at irony. Then I read some of your other comments, which range from the vaguely hostile towards Jews to the circumstantially Buchananesque.
Moderators, putko's intolerant, ignorant filth is an embarrassment to us all. Check his posting history and drive him to -1 where he belongs.
It shouldn't matter whose fault it is. That's for lawyers to decide.
What Google should do is immediately patch their software to block that attack, and if an attack does get into the wild, shut down their service until it is patched. In the future, maybe not integrating with IE would help.
That's how it works all of the time in the real, physical world. Automobile Manufacturer negligently builds a car. Driver "A" negligently drives said car into innocent Driver "B". At common law, Driver "B" sues both Automobile Manfactuer and Driver "A" and can collect all of his damages from either (e.g., in case driver "A" is bankrupt). The innocent party is made whole, and his claim isn't delayed or thwarted because because Manufacturer and Driver "A" want to point fingers at each other to the end of time. There are statutory limitations, but the general idea is that the innocent should be compensated even at the risk of the negligent (or even more guilty) bearing some risk of paying more than their fair share.
Of course that is what occurs in the physical, real world.
[ Not, for course, that software vendors are financially responsible for any of the financial harm of damages they cause. -- ed.]
Only Women Bleed (Sex, Sharia remix)
Vulnerability allows for young, gay, interracial married couples to burn the American Flag
Apologies to Family Guy (To Live And Die in Dixie)
"Sure there's porn and piracy on the Web but there's probably a downside too."
"Evil Empire vs Company making great products"
You should have more respect for Google sir!
Yahh, hiii haaaaa! -Major Kong, from Dr. Strangelove
Finally a reason to switch from IE...
err...wait a minute...
edit: Finally ANOTHER reason to switch from IE...
I'm not sure whether that's meant to be a face or something else I'd rather not know...
no one fucking cares. your attempts to make him look stupid in front of his peers only makes you look like a whiney bitch.
After the next security update, all cookies created by IE will be prefixed with $sys$.
Well, the idea is that once they're "in" the system, they can basically do what the hell they like. Desktop Search is just a convenient index of data that is used by a large number of people — the only flaw pertaining to Google's product here is that it's good at its job.
Its an awesome feature for Developers! Developers! Developers! - This feature has been in IE at least since IE 6 came out. That means Microsoft is again leading the field when it comes to AJAX and Web2.0 products.
Think of the awesome client-side applications people will be able to come up with now that they are no longer restricted by pesky cross-domain security policies!
The answer is not so simple. Sit down for a second a think.
The flaw allows a malicious web page to open a window with a different web page and read information from there. So a script in 'www.badguy.com' can read data from 'www.goodguy.com'. Now how bad is up to here? Pretty bad, but not catastrophic. badguy.com could open, say, mail.yahoo.com, and provided you have a yahoo mail account and you login, it could read some of your mails. Is there a chance of reading private info? Yes. Is there a chance of reading a file in your disk. NO! badguy.com can't read a file in your disk using yahoo mail. And given the fact that really critical data are stored in the local disk, not webmail accounts, the danger is limited.
Now imagine there exists a web site containing all your private local files! This is exactly what Google Desktop Search is! GDS creates a local web server at port 4664, bound only to the 127.0.0.1 to avoid remote access. It is a web site accessible only from your pc and google takes a lot of measures to ensure that. But the script at badguy.com runs in your pc, and using the exploit it can access this personal web site. Now how bad is the situation? Catastrophic. All indexed data, pretty much your whole hard disk, are accessible to badguy.com.
Of course this wouldn't happen if there was no IE flaw. But who put all your data at a (local) web server? Google Desktop Search. IMHO, the problem is once again the tight integration of a browser to the rest of the system. If Google used a custom client to query the local index instead of the browser this wouldn't happen. It would require a flaw that allows remote code execution and these flaws are more rare and more difficult to exploit (ok, in case of MSIE it's every day routine, I agree). This exploit is a piece of cake, because local data are promptly served by GDS.
Just to make things clear, I don't really blame Google for this. But to achieve good security you need good software design and integrating a browser with everything is not a good idea. Google made a decision on that so it has some responsibility.
And then public opinion is a totally different subject. I totally understand someone who loses its credit card number and blames google for indexing this number and making it accessible to badguy.com. If amazon stores your credit card number in an Oracle database and the number gets stolen because of an Oracle flaw, will you blame Oracle or Amazon?
> Re:Can it, Jew
Is calling somebody a "jew" supposed to be an insult or something in your book? If ones calls a human a "human", or an american an "american", isn't this just simply stating the obvious? Calling a person who isn't a jew, a "jew", simply because they find anti-semitic comments offensive, would be an ignorant and silly thing to do. "Human", "american", "chinese" and "jew", neither of these are insults.
... the hack works because IE does not properly parse cascading style sheet (CSS) files, a Web design language used by thousands of Internet sites.
Yeah, this was already discovered by that kid 'samy' when he thrashed MySpace. Microsoft hasn't patched it.
But yeah, it's Google's fault. Right.
This is practically a troll against Google.
Wouldn't it be even worse if they accessed your banking info? I don't see anybody complaining about Quicken!
How could they?
The fault is in Microsofts software MS IE, not in Googles. And I understands it that Google doesn't have the source to fix that bug in MS IE.
And IF Googles try to fix it in there software, who else will get a hit by this bug in MS IE?
To Google to fix it's software would to give a wheel chair to one who broke his leg, and not fix the broken leg.
So, fix the root to the problem, and not one symptom (which could show up in Googles software, among many others).
My wife was in the habit of using saved passwords in IE and I have Google DT on it, good thing I stopped her doing banking through IE! Now she just uses firefox and makes sure she never saves the passwords and account info, we keep them separate. It takes a few seconds longer to log in and we have to keep things written down but the extra security is well worth it. I advise all my friends and neighbours that use online banking to do exactly the same thing. It almost makes you consider switching to linux!
Therefore, my advice to Google: be prepared for those lawsuits where M$ points the finger at you due to a flaw in their architecture.
Let the finger pointing games begin!!
By using the process of elimination, we know that MicroSoft can't be the "Company making great products" so they must be the "Evil Empire".
- These characters were randomly selected.
Shouldn't that be "_we_ are all a bunch of idiots" since you're here too?
I reserve the right to be wrong.
Just read what people write, it isn't very hard to work out what they are saying if the spelling or grammar doesn't match your local usage or even BBC English.
A plague on both their houses.
Great minds think alike; fools seldom differ.
The flaw is in IE not google desktop. Google desktop was just the program he used to test his findings. From the origonal article (http://www.eweek.com/article2/0,1759,1895579,00.a sp?kc=EWRSS03129TX1K0000614):
Gillon used the Google Desktop utility to prove his findings, but in theory, any domain or application that depends on the IE cross-domain security model is vulnerable.
"Thousands of Web sites can be exploited, and there isn't a simple solution against this attack at least until IE is fixed," Gillon said.
Great webhosting, cheap rates! Enter code SlashdotDiscount
you know, it's very sad that after all these years of variouspatches and fixes being availible for people's computers, people still use inferior software more inherently prone to flaw.
Didn't read the article, did you? Just spouting the same talking points over and over again. Microsoft didn't write the web application involved here (Google did), nor does the exploit have anything at all to do with Microsoft's use of IE for other purposes.
Now after reading the article, you'll see the issue being exploited involves the fact that css files are designed (by *all* major browsers) to be the one exception to the cross-domain rule, meaning that a page on site A can get the contents of a css file located on site B.
However IE can be exploited so that any file is a seen as a CSS file, just a very badly formatted one. Of course there are big limitations - namely that only valid css "data" from site B can be read by site A, so anything not formatted in name{stuff}; is invisible to site A.
This particular hack takes advantage of the fact that a person with Google Desktop installed will send a special cookie when they request most pages from Google. That cookie will cause a "desktop" link to be sent back to them somewhere on the page. This desktop link contains a secret password. As soon as you know that password, you basically have full access to that persons computer through Google Desktop uris, regardless of what browser (as long as that browser supports javascript, which IE, FireFox and Opera obviously do). In simple terms, if you gave a site this password that Google sends to you, they'd have full access (this misfeature of Google Desktop also creates a big proxy server/man in the middle attack vector against a persons PC, regardless of what browser they use).
The attack vector to obtain the password in this case is the IE css bug. A specific page on Google, Google News, puts the desktop link in such a place that if you provide a specific search query, it will end up making a section of the page around the special desktop link look like a valid css value. Because of this, site A can read the data inside that value, including the Google password. Once it has the password from that random junk of "css data", it can start accessing Google Desktop at will.
Oh well. I hope Microsoft is paying you good money to make OSS proponents look like idiots by spouting this kind of completely uninformed bs. The sea of white noise helps to hide any real, intelligent points brought up against Microsoft or its products.
Even if it was Google's fault, I doubt anyone (except Microsoft staff) would blame them. Google is the hero and Microsoft is the villain, it's always been like that. Nobody would blame the goverment if the terrorists had a valid reason.
There's ample evidence that plenty of people on this board will blame the person at fault. They may react differently to a minor problem in Firefox than a recurring bug in IE but the blame will get laid where it belongs.
Your second point (first non-sequitor) is partially true. Google is the hero and MS the villain. It has not always been that way nor is it likely to always be that way. MS has worked long and hard to earn their villain rep: many of us have worked in the industry for long enough to remember when MS was a reasonably honest small company. I, for one, learned a lot early on about assembly language and systems programming by studying the source code for MS TRS-Basic (yes, MS was an open source company once). Through college and university I saw them get larger and gradually transition to become the industry-crushing monster they are today. I've given almost every MS tool and paradigm it's chance: eventually, I saw that everything they didn't steal or buy was half a bad solution to a problem someone else had already solved well.
Your third point (2nd non-sequitor) is just incoherent. I'm pretty sure you meant the opposite of approximately what you said but there's still the matter of a missing reason for the blame. I haven't heard anyone imply that the government committed the terrorist attacks (if they had, they probably would have targeted a poor ethnic neighbourhood rather than a military and economic target filled with friends and associates). You may have also meant (perhaps in the context of the British bombings) that if the bombings provided no apparent benefit to anyone but the government, people would blame the government. Except for a few tinfoil hat jobs, this is obviously not the case.
Google has done nothing so far to earn our distrust.
They have begun to scan several thousand books cover to cover, without the permission of the author or the publisher, and arguably in violation of copyright law.
That's enough for me to be wary of trusting them. Granted, their record is better than Microsoft's, but it still leaves something to be desired.
Firefox will also show "file:///C://<path>/<asciifile>" contents...
This issue is a bit more complicated than you think.
Google is the next Microsoft... give it a year or two or when any of their products are not beta...
Google is bringing them down, one warez, porn and Virus search at a time.
:).
thats gotta be the best news i read in a while
CH
reject any requests for pages on any of their sites from IE...and force the masses to utilize those browsers superior like Firefox and Opera...
Wanna see how many machines would have Firefox if they blocked all IE browsers?
"Just Smile and Nod." --Huck
Maybe you should step back and think about this. I know some people as a knee-jerk reaction will accuse Microsoft off the bat. However, why doesn't anyone ask the obvious question of why Google chose to run their Desktop Search in a browser, especially IE? Obviously, they were aware of the fact that IE has a huge installation base and isn't known for pristine security. You're obviously asking for problems off the bat - and now we have some. Notice that MSN Desktop Search doesn't have this issue.
Note: I use neither MSN or Google Desktop Search. I much prefer Copernic Desktop Search because it doesn't run in a browser and has better preview and more refined search capabilities. And the stale Google Desktop Search links really pissed me off - I've never had that happen in CDS.
This sig donated to Pater. Long live
"Google has done nothing so far to earn our distrust. Micro$oft, on the other hand, has done NOTHING BUT deceitful, anti-competitive shenanigans since its inception (list is too long to reproduce here). THAT is the difference!"
How old are you, twelve?
-- "I never gave these stories much credence." - HAL 9000
One thing I've never really gotten.
Though Firefox and other browser supporters (of which I am one) would like to push that the way to solve this is to switch, a lot of larger companies aren't at the point where they're ready to do so.
You make it sound as if it's a major systems overhaul that has to be done, with methods and practices being restructured and files reformatted and babble babble babble. We're not talking changing Word Processors here, where you might have a sudden incompatability between the reports and records and etc. In theory a browser switch should be pretty damn transparent.
I repeat, it's not like you're using IE to create any files, it's just a passive browsing system with which to interact with online information and objects . . . unless your company has some sort of foolish web-app they use internally that is based heavily on something quirkily Microsoft-made like ActiveX, then I'd think using a browser that complies better with, yaknow, the standards (among all the other issues, like security) would be an easy simple change with non-trivial benefits.
Sorry, I must be bordering a bit on sardonic. I really don't mean to be, I'm curious. Incredulous, yes, but not mockingly. I just can't quite fathom it, what the hell is the big apocalyptic deal?
I remember sigs. Oh, a simpler time!
I wonder how you can completely ignore the fact that Google is supporting censorship in china. Yes, they are a company so seeking profits, but since the IPO, the "6. You can make money without doing evil." might have changed a *little* bit.
It certainly isn't Google, as I don't know of anywhere I can purchase anything they've "made".
A product is a thing for sale. If not for sale, then it merely is a thing.
Every one of google's products runs in a browser. That's the way google does business. They create "Web Apps" which pretty much means accessed by browser. They just don't do things any other way. sorry, that's just life.
so... the problem is that they insisted on using IE as the platform for their web-application despite the fact that (as you pointed out in detail) IE has basic flaws that MS seems very reluctant (or just is too lazy) to fix?
So one possible solution to this problem (as the plethora of problems that always seem to crop up anytime anything uses IE) is to build the application on another foundation... maybe one who's development google happens to be funding in some capacity.
Sorry... I'm just pointing out that you are saying the same thing (in much more detail) that the grandparent said. No need to squabble amongst those on your side.
Google's on first.
And again, a friend of mine sent this in two days ago and the editors missed it :-(
I've never seen the OS that didn't have some kind of search capabilities, and in Linux we have excellent tools which can even be combined and scripted from the command line into the custom algorithm of your choice. Why exactly, would anybody want a web site to crawl their hard drive in the first place? When I first heard of that, I thought it sounded a little risky.
> Didn't read the article, did you? Just spouting the same talking points over and over again. Microsoft didn't write the web application involved here (Google did)
.. IE ?
..
I'm sorry maybe I'm reading a different article that the one you are. The exploit description specifically says this:
"This definitely looks like a flaw in IE and not a Google bug". [Steve Manzuik, eEye Digital Security]
"Thousands of web sites can be exploited and there isn't a simple solution against this attack at least until IE is fixed. That means millions of IE users are affected by this design flaw".
"The proof of concept works on a fully patched IE browser (default security and privacy settings) with Google Desktop v2 installed. It will not work on any other browser unless the browser is derived from IE".
If browser A can be uses as a vector to attack google desktop search and browser B can not. By what logic can you say the exploit has nothing to to with browser A, er
> nor does the exploit have anything at all to do with Microsoft's use of IE for other purposes.
What school of logic are you using here. Allow me to translate: Because of Microsoft design intentions regarding IE for other purposes the current IE hack involving Google Desktop Search has nothing to do with defects in IE. Despite the fact that Firefox and Opera are immune.
It *is* Microsofts specific decision to bury the HTML rendering engine in the OS that has directly lead to this situation. The current virus/worm/spam infestation.
> This particular hack takes advantage of the fact that a person with Google Desktop
"You can bet we will see this one being used to steal users' Quicken data, database files, etc." Tom Ferris
The new religion among IT admins is to ban any software from being installed on users' PCs. So instead of having small fast interactive secure application-specific clients, everything has to go through the browser.
The fact that anything that goes through the browser is vulnerable to any attack launched on the browser - and can potentially expose all the organization's confidential data to whatever browser vulnerability the attackers choose to exploit - is ignored because it would sully the purity of the doctrine.
any guesses on when we will see the headline Microsoft Releases 'highly critical' patch on here?
Never fear, Google-lovers! This might help you survive the terrible crisis ;-)
Google's already introduced a 'quick fix' patch -- the proof of concept doesn't work, and there's a bit of HTML* in the Google News page http://news.google.co.uk/ that seems to be aimed at stopping this hack.
I'd say that's pdq in the business for fixing a problem that's not even your fault.
* For those of you who can't be bothered to find it: '<!--"/*"/*-->' before the desktop link, causing it to be read as a CSS comment and preventing it being picked up in the 'css-text' property.
I blame Gucci for not making my wallet more secure.
That's not how it works. Go back and read the article again, they use a browser plugin to rewrite the web page as it's downloaded - probably a BHO.
That cookie will cause a "desktop" link to be sent back to them somewhere on the page. This desktop link contains a secret password. As soon as you know that password, you basically have full access to that persons computer through Google Desktop uris, regardless of what browser (as long as that browser supports javascript, which IE, FireFox and Opera obviously do).
GDS also has protection in that by default only localhost can access the GDS server, which means that for outside access, I generally have to make an SSH tunnel.
GDS security would be much more effective if it required you to log on each session and allowed you to connect from anywhere.
I agree, CSS cross-scripting is a problem, and i'm quite certain this exploit works on most IEs.
But I've been lowering the security on my IE all the way for the past 15 minutes and I still can't get this damned thing to become exploited! It's only worked when I placed hacker.co.il on my trusted sites list. I suspect that it's because I've fixed up a lot of the default security settings in IE ("navigate sub-frames across different domains", almost blatantly a CSS "feature" that's left enabled on IE by default) and the settings only get updated if I restart my computer (which I'm too lazy to do right now).
Whenever I test this exploit, it only returns a JavaScript error saying "access is denied" for the line where the exploit tries to access the cssText property.
I'd bet most of you right now are reaching for that mod +funny button, but I'm serious here. For those three other people on slashdot who still use IE, fix your internet zone settings so that all the weird options in "miscellaneous" to "disable", restart, and see if the exploit still works.
If it doesn't, well, looks like we've caught microsoft shipping IE with XSS turned on by default. If it still does work, then ignore this post. I've seriously f***ed up my IE beyond its normal set of exploits and bugs.
FYI - you're wrong when you say "every one of google's products runs in a browser". There's this fancy thing called Google Earth. A stand-alone download-required application that runs only on Windows. Amazing.
mcox.com - Useful Information re: IT, Running, Fitness, Finance, or Ann Arbor!
So it has everything to do with IE, just like we both said. Only I was right and you were - oh, so wrong.
Get your Unix fortune now!
Nope... I am excluded. :)
You are all a bunch of idots.
Is calling somebody a "jew" supposed to be an insult or something in your book? If ones calls a human a "human", or an american an "american", isn't this just simply stating the obvious? Calling a person who isn't a jew, a "jew", simply because they find anti-semitic comments offensive, would be an ignorant and silly thing to do. "Human", "american", "chinese" and "jew", neither of these are insults.
Shut up, fag! And what's wrong with Chinese, are you racist?