Microsoft Patches Fix IE, Sony Flaws

An anonymous reader writes "Microsoft issued two security updates today, one of which fixes at least four flaws in its Internet Explorer browser, including one for which an exploit was released over Thanksgiving that is now being used by a handful of porn sites to install spyware, etc. According to Washingtonpost.com, the IE patch also removes a component left behind by a patch from Sony BMG designed to remove some of the more dangerous features of anti-piracy software installed by Sony BMG music CDs. Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."

two wrongs

[caffeinemessiah]

Wow...Microsoft cleaning up after Sony? It's like oil companies issuing nicotine patches to clean up after tobacco companies. The big fight this winter is evil vs. evil. Wooo!

Re:two wrongs

[networkBoy]

Funny, M$ is doing something _right_ for once.
turning over a new leaf for new years resolution early?
-nB

Re:two wrongs

[TCQuad]

The big fight this winter is evil vs. evil.

Never choose the lesser of two evils because that's the one that will lose.

Re:two wrongs

You know the world is going crazy when the best golfer is black, the best rapper is white, Google fixes MS's flaws, and MS fixes Sony's flaw.

Re:two wrongs

Kool Keith is white?

Re:two wrongs

[RobertLTux]

and add "the tallest player in the NBA is chinese?" and "The French want{ed} war" and "three of the companies on the Nasdaq base chunks of profit on free software"

Re:two wrongs

[Gojira+Shipi-Taro]

Which is why Cthulhu's 2008 campaign slogan will once again be "Because Really, Look at what Voting for the LESSER Evil Got You."

Re:two wrongs

[rapidweather]

I know, Microsoft is supposed to be evil. Well they really struck the nail on the head when they figured out how to get their OS preinstalled on computers in the stores. I remember going into Office Depot, and seeing lots of machines running Windows 3.1. No internet, but lots of Paintbrush and Solitare. Yes, today I downloaded the patches,etc. for my Windows XP machine, and that took a few short minutes. Praises for XP, of course, unless you consider the magnitude of the attacks. Do I want to let XP onto the internet for anything but updates?
Getting less and less of a thing to do. XP handles those printers and digital cameras really well, so it will always have something to do. There is always someone in the family that uses AOL (gasp) so I do keep this box up and running.
Am I posting this on XP now? Nope, I'm online with my own Knoppix remaster as usual. Using Flock today...

Re:two wrongs

[slashdotnickname]

Funny, M$ is doing something _right_ for once.

Well, I've been enjoying playing games on my M$ box for years now, so unless I've totally overlooked a whole Linux-gaming world, then that can't be the 1st thing they've done right. Yes, M$ sucks for servers, browsing, anything needing security, etc... but I need a M$ box if I want to enjoy any games at home.

Sorry, but this needs to be ranted about, because I could be done with M$ forever if only the last piece of the puzzle was taken care of... and that's gaming. Why hasn't the open source community developed a strong gaming environment for *nix yet?! With all the awesome OSS software out there, I've often wondered why the gaming area wasn't kicking butt as well.

Re:two wrongs

[Trashman]

Why hasn't the open source community developed a strong gaming environment for *nix yet?!

Long Story short: Nivdia and ATI's are the roadblocks in this area. They're linux drivers are half-assed and they will not release information for their their graphics cards so that a an open source driver can be written.

Re:two wrongs

[OneArmedMan]

If you have to choose between two evils, choose the one that you haven't tried yet.

Re:two wrongs

[agm]

That makes sense if you *must* use an open source driver. What's wrong with a commercial one that does the job as expected?

The reason there is not a strong gaming community for *nix is because there aren't enough games. There aren't enough games because there isn't a strong gaming community. Catch 22.

Re:two wrongs

Whoever wins, we lose

Re:two wrongs

[Drakonite]

What's wrong with a commercial one that does the job as expected?

They're linux drivers are half-assed

Please pay more attention so we can avoid this useless posting in the future.

Re:two wrongs

[Trashman]

What's wrong with a commercial one that does the job as expected?

IMO, there's nothing is wrong with a closed commercial driver as long as the people writing the drivers didn't make it so you need to jump through hoops to get it installed. And then not fix bugs and not implement some basic features in the drivers.

The reason there is not a strong gaming community for *nix is because there aren't enough games. There aren't enough games because there isn't a strong gaming community. Catch 22.

I would say that there is a market but it's largly untapped because the hardware support is lacking. It pisses me off that I have Doom 3 and a good card to play it with, but I can't enjoy the game on my platform of choice because the drivers either don't exist (in the case of the X800, 850, 1600 series) or they don't work as well as the Windows versions (see my comment above about features not being implemented.)

Re:two wrongs

[Giometrix]

I imagine that games aren't being released for Linux because most manufacturers use DirectX, not OpenGL. I dont know ANYTHING about OpenGL, and extremely little about DirectX, but from my understanding, DirectX offers a total package (graphics, sound, input, etc) whereas OpenGL is just for graphics. I wonder if this makes things easier (and thus cheaper) for video game makers.

Re:two wrongs

[The+Warlock]

The problem is that the closed source proprietary drivers put forth by ATi and (to a lesser extent) nVidia SUCK. They're horrible, both the drivers and the install tools for them. I don't have an nvidia card, but ATi's install program hoses your xorg.conf file every time, and if you use a text editor to set it up instead (not something Joe Q. User should be expected to do), the drivers are buggy at best and unusable at worst.

Re:two wrongs

[nukem996]

Its the same thing for the windows drivers. ATI drivers suck period.

Re:two wrongs

They're linux drivers are half-assed and they will not release information for their their graphics cards so that a an open source driver can be written.

So they're keeping the ball in their own court. BFD. The drivers work just fine. I've been using both since the days they came out. They fucking work, and they work JUST the same as the Windows drivers do (and yes, ATI is a bitch in that area, extrapolate that, you whore). They're not flawless, nothing is. But they work as expected. If it weren't for the fact that they need to be installed in text mode, and that they can't be shipped with distros (because they're not willing to distribute copyrighted, non-GPL code, then they'd be all over.)

Still, as much as a Linux advocate as I am, and regardless of how much I love it, I have to say that it's just not ready. Add to this the fact that most games are written with direct-3D for one reason or the next, they're just not going to go linux because they don't consider there to be a worthy game market. Likewise, and the majority of the time, game developers don't consider Apple users a worthy target for their product.

By comparison, Apple desktops and laptops greatly outnumber their Linux kin; so if they don't want to go after Apple users--people who are used to what is arguably the single most user-friendly user interface, and computers ever brought to the desktop, why the fuck would they want to go after something that is arguably not always the easiest and straight-forward system (particularly to new users)--with half the userbase?! They wouldn't! That's why! And that's why Loki failed, even though they did port some (huge named) bitching games, in a quality manner. There isn't enough demand!

id Software is Linux gaming's best friend, simply because John Carmack refuses to use Direct-3D, and opts instead for OpenGL. They're one of the few companies around that set out to produce highly portable code (supposedly they do most of their development work on Linux) and that's why we've got DooM3, and Quake4, and the Wolfensteines, and that sort of thing. I'm sory, nobody is interested in us. You should be glad we have wine!

Re:two wrongs

[Taladar]

The libraries for Linux are there. We just don't have a Linux marketing department putting a brand on the combined package.

Re:two wrongs

Why, that's because OpenGL is for graphics, as is Direct3D on Windows. If you want to compare something to DirectX, try SDL, which happens to be in the same category.

...still waiting for service pack ZONKZonk-1.0...

you know, the one which stops the Zonk slashdot article exploit in my /. browser. How do I remove that shit? Permanently...

This is bizarre

[Eli+Gottlieb]

Microsoft taking responsibility for their own faults and Sony's? I wonder what's up in their boardroom nowadays. Or there could be pigs flying somewhere, I don't know.

Re:This is bizarre

[Spy+der+Mann]

Or there could be pigs flying somewhere, I don't know.

I think you mispelled "chairs".

(sorry, couldn't resist :P )

Re:This is bizarre

[Eberlin]

HD-DVD vs. Blu-Ray, Xbox 360 vs. PS3, and then there's Microsoft's move into the music business. Must say there's not many things more satisfying than pointing out (and fixing) the wrongdoings of the "competition" -- ain't that right, fellow slashbots?

Re:This is bizarre

[Trogre]

Of course Microsoft wants to appear as the Knight in Shining Armour who saved us from the Evil Sony.

Who has just invested millions in the launch of a games console, and who is the current leader in that arena?

Re:This is bizarre

I think you misspelled "misspelled".

Sorry, couldn't resist. :)

Re:This is bizarre

[dhakbar]

Seriously.

If there's a single word that the aspiring grammar Nazi should be able to spell upside down and backwards, in their sleep, and rot13'd, it's "misspelled."

Re:This is bizarre

If you ever do tech support for a software company, close to 80% of your longterm workarounds
are for known-issues in other peoples' products.

And until about six years ago, you didn't really have the luxury of linking to the admission of guilt.

Re:This is bizarre

[Stealth+Potato]

...and who is the current leader in that arena?

<flamebait type="fanboy"> ...Nintendo? </flamebait>

:-P

Re:This is bizarre

[Trogre]

...Nintendo?
Heh, I was waiting for that one ;-)

Re:This is bizarre

well, no, actually.

Re:This is bizarre

[odourpreventer]

used by a handful of porn sites to install spyware

Good thing slashdotters don't use IE then.

Re:This is bizarre

Nintendo?

Only in terms of quality of games, and profitability. The other two companies are way ahead in hype, which is what really matters (for paying journalists salaries anyway)!

Re:This is bizarre

[Trogre]

The other two companies are way ahead in hype, which is what really matters (for paying journalists salaries anyway)!

Plus, you know, actual console sales.

I don't get it

How can a program running in userland (autorun) affect kernel space (patch the OS)?

Re:I don't get it

[PsychicX]

Same way you can modprobe something into the kernel under Linux. If you run as an administrator, then the programs that get run can do whatever the hell they want, including patching the kernel tables for syscalls, altering drivers or loading new ones, etc. The only difference is that Linux users generally aren't stupid enough to regularly use the system while logged in as root.

Re:I don't get it

[HokieGeek]

It's not about linux users being smarter. it's about Linux being built smarter. Running as root you are constantly reminded that you are doing a bad thing by a few programs here and there. And most distros set it up so that logging in as a regular user is the logical thing to do when faced with the login prompt. Windows, on the other hand, barely even suggests the possibility.

Re:I don't get it

[IamTheRealMike]

However, Linux as a system is stupid enough that installing packaged software requires root - always. Whether you futz around at install time or first run time is a bit irrelevant really.

One of the biggest complaints about Windows security is that it's hard to not run as administrator because so many programs require it to install, yet this is a guaranteed "feature" of Linux: WTF?

Re:I don't get it

[drinkypoo]

One of the biggest complaints about Windows security is that it's hard to not run as administrator because so many programs require it to install, yet this is a guaranteed "feature" of Linux: WTF?

You have this wrong on both ends.

First, the big problem with windows is not that you have to be an Administrator to install software. The problem is that you have to be one to use it. Lots of software doesn't actually work properly, once installed, if you are not an admin. Other software doesn't work if you don't run it as the user who installed it!

Second, you can install mode software any place you want on a Unix system, including your home directory or /tmp or any other place it will fit, because for the most part Unix utilities are not irrevocably tied to a specific directory, whereas just about every Windows program looks in a specific location for something.

Re:I don't get it

[pxuongl]

... or so you think... having a linux box on your desk isn't necessarily a badge of common sense and intelligence

Re:I don't get it

[HokieGeek]

I actually like that. there's so much crap out there ready to mess up my computer, whether it be an idiotic virus or a "harmless" software update. and, to be perfectly honest, the biggest enemy my computer has is me. i'm constantly "reconfiguring this, or installing that" or whatever. Even if it's legitimate - i'm not talking about the latest freeware-cutsie-hilarious-memoryhogging-virusinfes ted-whatever that my mom and most computer illiterate students are so drawn to - i still manage to screw up here or there. so, knowing that whatever pos i've recently installed cannot do too much damage to my computer because it (usually) needs my password to really mess things up, then i'm ok with it.

and besides, switching to administrator to install something in windows is MUCH more of hassle than in linux. maybe it's cause i'm used to it, and i'm always using the shell, but it's just a matter of su and then my password, which flies off my fingers cause i'm using it so much :).

i'll give you this much though, the very first time i installed linux, oh so many millenia ago, i ran only in root for the first couple of days while i figured out what on earth i was doing. 'su' simply eluded me! it's one of the main reasons why i switched back to windows.

but running in administrator mode is habit people need to get out of. because that habit is coupled with the habit of not using a password for your one and only - administrator - account, because it's annoying to have to type it in when you log in. i'm glad i got out of that habit. it was pretty stupid of me.

Re:I don't get it

[HokieGeek]

erm, i like having to type in my password, that is

Re:I don't get it

[VGR]

Why would you want to let ordinary users install packages? Isn't that what leads to Sony rootkits etc.?

Package installation probably should have a warning like old newsreaders had:

"Please be sure you know what you are doing."

In fact, any software installation should have it. Some malware gets on Windows machines instantly through Outlook or IE exploits, but great deal of it gets there because non-tech-savvy users see a "Click OK to install the UltraCoolSlickLinksToolBar plugin" dialog and don't know the difference between that and a "Click OK to install the Macromedia Flash plugin" dialog.

Users should be made aware that installing software is like tinkering with your car's engine: it's important to know what you're doing.

Requiring someone to enter a mode of operation specifically designed to modify the system seems like a strength to me.

Re:I don't get it

[grumbel]

### Second, you can install mode software any place you want on a Unix system, including your home directory or /tmp or any other place it will fit, because for the most part Unix utilities are not irrevocably tied to a specific directory,

That is however only true for source, binaries under Linux have quite often their location hardcoded, moving them to a different directory is impossible without either ugly hacks (hex editor) or less ugly hacks (envirorment variables, command line parameter, etc.). Binaries that are truly relocatable are pretty seldomly under Linux, some of the big packages (Mozilla and the like) provide it, but even they often only via install scripts that install some startup script that sets the right command line arguments. True relocation would require to use /proc/self/exe or different means to find out the location of the binary, that however is sadly not standardized across different Unixes, which is why very few actually use it. The 'spread everything across dozens of directories' approach of installing software in Unix makes relocation also quite a bit more complicated, since it gets ugly if one tries to keep a software in its own directory (useless foo/share/foo/ directories and such).

Re:I don't get it

[Tim+C]

Second, you can install mode software any place you want on a Unix system

That's not true for any of the package systems I've used. Sure, you can do it if you download the source (or a binary tgz, etc), but the majority of users (as opposed to admins) won't be doing that.

Re:I don't get it

[LurkerXXX]

Everything you listed is a problem with *some* 3rd party applications. None are a problem with windows itself. There are also lots of other 3rd party apps that install wherever you like, and run fine as a normal user.

Yes, there are a lot of sucky developers who make windows apps. There are also plenty of sucky developers working on *nix software. I've installed plenty of stuff off sourceforge that was badly written.

This is a developer issue, not a windows issue.

Re:I don't get it

[bfizzle]

I suggest trying OS X.

You can move an application any where you want and it is likely it will not complain. Delete a user... no complaints. It asks you for a root password when you install software or make system changes and that is about it.

Re:I don't get it

[JesseMcDonald]

Actually, if you use the low-level package installer (rpm or dpkg, usually), you can almost always specify the prefix ("root directory") to use for installation. In Debian, for example, you can run "dpkg --instdir=$HOME/usr -i package.deb" to install a package into your home directory. That still requires administrative priviledges though, because it's using the system package database. If you want to avoid root altogether, then you can use --root instead of --instdir after setting up your own package database. This is typically used by the Debian installer to install .deb packages into the newly-created root directory, but you could use it to install things locally. Or you could just use "dpkg --unpack file.deb" to extract all of the necessary files. Of course, you'll have to set up $LD_LIBRARY_PATH if you install any libraries outside of the system directories, and some programs are sensitive to the paths that they were configured with.

Re:I don't get it

[masdog]

Working as a user is getting easier in Windows now. With XP SP2, the "run as..." command has been added to the right click context menu, so you can be logged in as user and still install or run software that requires administrator priviledges. Its not perfect, but its better than running in root/administrator and getting infected by all sorts of nastiness.

Re:I don't get it

[truedfx]

Why would you want to let ordinary users install packages?

You're assuming that every non-root user has exactly the same permissions. This is not the case. Allowing some users in a special group to install software without running as root might be a good idea.

Re:I don't get it

[MooUK]

Another major difference that you forget is that, whilst Linux also generally requires root access to install most packaged software, it makes it easy to get single-command or temporary access. Windows does not. This makes it very inconvenient to install anything if you're not running as admin.

The habit of many programs of not correctly installing for all users makes this worse. And that's without adding in the programs that REQUIRE admin access.

Re:I don't get it

[Maserati]

1. the "move an application anywhere" refers to Carbon/Cocoa .app applications. Try and move something out of /usr/bin and you'll have the same issues Linux (or an *Nix) does.

2. It's technically an admin (user is member of sudoers) password, not a root password. Some few drivers must be installed from an admin account (Xerox/EFI, I'm looking in your direction).

3. Better than "no complaints" when you delete a user, the system will offer to create an image of the deleted homedirectory and place it in /Users/Deleted\ Users. Very nice.

Quibbles aside, try OS X.

Re:I don't get it

[deaddrunk]

What would be the obstacle to doing that on Linux with permissions or ACLs on the required files?

Re:I don't get it

[truedfx]

It's mostly doable already. linuxfromscratch lists one possible way. I suppose one big problem for other distros is that a generic package manager which can handle any package will require root permissions, because some programs have a legitimate reason to be installed setuid root. For obvious reasons, non-root users can't install setuid root programs.

Re:I don't get it

Allowing some users in a special group to install software without running as root might be a good idea.
 
You mean like the 'Power User' user group in Windows?

Re:I don't get it

Cool. I'm glad someone else posted that "Run As..." stuff. Just to add to that, you can also take stubborn programs that require admin access and change their shortcut using "Advanced->Run with Different Credentials" to have it prompt you to login when you run the program. Unfortunately while .exe installers have the "Run As..." menu, .msi installers don't yet. So you can setup a shortcut to Windows Explorer with different credentials to install .msi's. It also works for startup programs that haven't been converted to services yet 5 years into this millenium. It's the programs' fault, but you can force it to work.

You can also use the "runas" command in CLI. Such as Start->Run "runas /user:MACHINENAME\Username cmd" to get an admin/root prompt, from which you can start any program or type: "control panel", "compmgmt.msc", etc. for all your regular administrative tasks.

Re:I don't get it

[truedfx]

I don't remember how much power that group gives you, so I'm not sure. If it's not too much -- if it keeps the core system protected -- then yes, like that.

Re:I don't get it

[Thundersnatch]

Unfortunately, in Windows 2000/XP the Power Users group gives you read/write to %SYSTEMROOT% and HKEY_LOCAL_MACHINE in the registry. So you can install software, drivers, etc. And also completely hose the system with a virus, trojan, or root kit.

About the only significant things a Power User cannot do by default are "Security Account Manager"-related. That is, a Power User cannot create new users, remove other users, delegate rights, etc. on the local the machine. Also, a Power User cannot typically do a few other common tasks, like set up new virutal hosts in IIS (because that requires user rights delegation privileges).

Finally, all of this is very granular, and of course you can choose to add or remove certain rights and permissions from the default Windows user classes. Nobody really does that much, of course, at least for workstations (we do it a lot for servers). But you can change most of this with command-line scripting, Active Driectory's Group policy, or the GUI.

Re:I don't get it

[deaddrunk]

Yeh but you could still give certain users rights to update the package db, the security of trying to do stuff like ldconfig or modifying /etc would still be handled as any attempt to install stuff that requires root privileges would crap out with a security message. I'm not sure what I'm missing as to the difference between doing it that way and how Windows does it.

Re:I don't get it

[truedfx]

The main difference, I think, is that Windows installers are much more often poorly written, refusing to run as a limited user. That one's not really a problem with Windows itself anymore.

Thank you Sony...

[digitallystoned]

I don't mind Microsoft, but I don't think they need any help in leaving their systems vulnerable. I don't agree with Sony's DRM bullshit, and I do believe that they need to be smacked like a little bitch for including their 'anti-piracy' crap. I just want to listen to MUSIC, not get more annoying software installed on my computer that does absolutely nothing other than piss me off to a greater extent than XP rebooting my computer for no reason. Thanks guys, can't wait for the PS3..Is it going to have software to keep me from playing my PS3 games on my PC?

Re:Thank you Sony...

[PsychicX]

You'll be glad to know that, due to the PS3's extensive Wifi capabilities, Sony will be able to install copy protection on every computer in your house the moment the PS3 is powered up. Sony plans to include Linux and OSX exploits for those of you who try to be clever about it. The installed software will cause any computer to crash immediately, which Sony hails as a great technological breakthrough since their last technology, which could only destroy OSX but not Windows or Linux. And as for what happens if you try to copy a Blu-Ray disc...let's just say it's not so much "managed" copy as it is "melted" copy.

Re:Thank you Sony...

That's OK: at the rate Sony keeps dropping features from the PS3, it won't actually HAVE any network connection when the machine finally goes on sale.

Everybody keeps comparing Xbox360 to the PS3 specs as-shown at E3 but THAT PS3 is not what you will be able to buy in stores. Many of the PS3 features they promoted at E3 have already been dropped from the production version.

It would be funny if they turned the network connection into an add-on part as with PS2. You'd have to pay extra for it, in a sense paying extra for Sony to come in and screw with your PS3. Hilarious.

Re:Thank you Sony...

It will also:
- cause all the milk in your house to go rancid
- impregnate your teenage daughter
- send pointed nastygrams to friends and family members from your home email
- replace your Peet's Peruvian blend with Folger's Decaf
- Drunkenly call your ex-girlfriend for a "midnite booty call"
- Log on to your Amazon.com account, order 1000 copies of Celine Dion's On ne Change Pas, and post extremely positive reviews of the album.
- Exchange your tin-foil hat with an aluminum foil one

Thanks Sony for making my system vulnerable

[CitznFish]

Ever hear of QA?

Re:Thanks Sony for making my system vulnerable

[burndive]

You have Autorun enabled?

That does it. Hand over your Geek Card(TM).

Re:Thanks Sony for making my system vulnerable

Uh, he does not have a Geek Card (TM). He uses Windows...

Re:Thanks Sony for making my system vulnerable

[HermanAB]

Sony Music listened to the playback and it sounded fine...

Re:Thanks Sony for making my system vulnerable

[drinkypoo]

I have autorun enabled. I also have enough sense to hold down shift if I insert a CD I think might be malicious - like anything from a major record label that can afford this kind of crap.

Re:Thanks Sony for making my system vulnerable

[drinkypoo]

I'm quite certain that they did QA and the software passed with flying colors. It's all in how you write your requirements...

Re:Thanks Sony for making my system vulnerable

Um no. There are two parts to QA: 1. to ensure it meets the requirements, 2. to ensure it doesn't break or cause problems in other systems. You totally missed part 2.

Re:Thanks Sony for making my system vulnerable

[meringuoid]

There are two parts to QA: 1. to ensure it meets the requirements, 2. to ensure it doesn't break or cause problems in other systems. You totally missed part 2.

By definition, DRM breaks or causes problems in other systems. If it doesn't do so, it fails to meet its requirements.

Re:Thanks Sony for making my system vulnerable

[91degrees]

I object to this. I have a geek card, and I run Windows. And Linux, BSD, BeOS, and AmigaOS from time to time. I also have FreeDOS kicking about somewhere. Windows is a nice platform for 3D graphics.

Sony

Re the Sony spyware saga, it's also worth checking out Ed Felten's latest article on XCP's eviller twin, Suncomm Mediamax. Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.

Re:Sony

[canuck57]

Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.

Now that the cat is out of the bag, any company making a CD or DVD may try this.

As a consumer I just ceased purchasing all media with software on it, this includes USB anything and CD, DVD. I will resume purchases when I see "DRM Free" labels on them. I would suggest everyone do the same. If enough people do, the industry will recoil.

ahhhh...

Now I can go to porn sites again without having to worry...

Re:ahhhh...

Safe sex available again for Slashdot users.

The Good, The Bad, and The Stupid

If Microsoft released a patch right away, administrators would complain they are patching too often and forcing them to test internal software more.

If Microsoft waits for the patch cycle, slashdotters complain Microsoft is purposely holding out so that they can sell anti-virus

And normal computer users, they don't patch so it really does matter

Re:The Good, The Bad, and The Stupid

[Brad_sk]

>>If Microsoft waits for the patch cycle, slashdotters complain Microsoft is purposely holding out so that they can sell anti-virus
And we also see comments saying Firefox fixes & releases the patches pretty fast which somehow is not a concern for internal testing!!!

Re:The Good, The Bad, and The Stupid

[oGMo]

If Microsoft released a patch right away, administrators would complain they are patching too often and forcing them to test internal software more.

If Microsoft released patches right away and didn't have a history of patches that broke everything and introduced more holes... people would complain less.

Re:The Good, The Bad, and The Stupid

[VGR]

Gosh, it's almost as if the real complaint of administrators and slashdotters is that Microsoft is putting out a lot of badly written software.

Perhaps a corollary of the complaint is that Microsoft seems to have enough money that they could afford some QA on their code. Considering their exploits result in crippling the economy, a little responsibility doesn't seem like a lot to ask.

No one can write software that's 100% bug free, but they could get a lot closer to 100% than this.

Re:The Good, The Bad, and The Stupid

Out of systems administrators and random slashdot "M$" idiots, which do you think Microsoft cares more about?

Re:The Good, The Bad, and The Stupid

No one can write software that's 100% bug free, but they could get a lot closer to 100% than this.

Frankly, nobody could get closer to 0% except by actively trying to include bugs! In fact, could anyone get as close to 0% except by trying?

Makes you wonder... [dons tinfoil hat]

Re:The Good, The Bad, and The Stupid

And the truth is, none of these complaints get to the real problem: IE is a piece of unsecure shit especially when there are alternatives like Opera and Firefox. The stupid are those who still use IE to access the internet (one supposes the intranet is clean for all those apps stupidly written specifically for IE).

Re:The Good, The Bad, and The Stupid

[deaddrunk]

I love this quote

Users of the Windows operating systems reported sluggish machines and computers that quit or rebooted for no reason.

How could they tell the difference?

Re:The Good, The Bad, and The Stupid

In my experiance the Microsoft patches haven't broken anything.... its the Third party software that gets broken, and considering our company requires that third party software there is the issue (its very crappy software to begin with, I'm even forced to install Microsoft java on some of these computers to get certain things running that there are no alternatives to). Personally I have not had ANY issue with a patch breaking the computers I'm responsible for, like twice had to change some settings when they altered the defaults but the issues that cropped up were third party related (like they were trying to do something or access something they shouldn't have been to begin with)

Re:The Good, The Bad, and The Stupid

[Anonym0us+Cow+Herd]

It seems to me that Microsoft should release patches ASAP.

If the system administrators don't like installing and testing the patches that often, they can accumulate patches and install them all at once according to their own internal corporate five-year update/patch/test cycle.

Let's see...

• Microsoft doesn't get criticized for not releasing patches
• People who need security patches right now will get them
• People who would like to apply security patches on a five year cycle are free to do so
• Everybody wins

Am I missing something?

Re:The Good, The Bad, and The Stupid

[hammackj]

#include #include #include int main(void) { srand( (unsigned)time( NULL ) ); char *_xexsd; gets(_xexsd); return rand(); } //silly code!

Re:...still waiting for service pack ZONKZonk-1.0.

gut reaction is troll, then I scroll down the front page almost all articles posted by this guy are flamebait or corportae shil. CmdrTaco fairs not much better, infact ScuttleMonkey seemes to be the only one posting anything other than Slashvertisements and Flamebait. Perhaps a new poll, which Slashdot Editor is less of a tool.

Strange

This is the first update in ages that requires a reboot, is the Sony rootkit that destructive?

Re:Strange

[DavidRawling]

Pretty much. It installs poorly coded filters on the CD drives - if installed in the middle of an IO you could get a blue screen. Mark discussed this in detail.

Much safer to remove during reboot otherwise you'd hear screams of, "The patch BSOD'd my computer!"

Re:Strange

[Tim+C]

It's not just that, it messes with the kernel's systables. At unregister time, it puts things back the way they should be, but it anything else had yielded after grabbing an affected address but before completing the call, *boom* BSOD.

(All from memory of reports here, don't shoot me if the terminology is wrong)

Re:...still waiting for service pack ZONKZonk-1.0.

[Kelson]

Open Slashdot->Preferences, then go to the "Homepage" tab, then look under "Customize Stories on the Homepage"

You can disable Zonk right there -- his posts will never reach your browser again. (This is compatible with all web browsers I've tested, though you have to enable cookies. But then cookies are such delicious delicacies, you have to wonder why anyone would want to disable them other than being on a diet.)

There's only one problem, though: This patch requires you to register with Slashdot. One wonders how responsible it is to require personal information (I hear they actually want a username and a password! At least you can use a throw-away email address) in order to use this valuable functionality.

it's just an anti sony move

[patcito]

This is just a good occasion for MS to say "hey look how Sony software suck so much we need to clean the mess for them".
After the HD DVD delay and the xbox failure in Japan, MS needed to do some anti sony PR to make it up in their little war against Sony.

Re:it's just an anti sony move

[m50d]

Of course. God knows MS would never, you know, actually help their customers out.

Re:it's just an anti sony move

[Lisandro]

Indeed. This might come as a shocker for some people arround here, but both MS and Sony have a lot more interests than merely their console buisnesses.

I think I know how

[Trogre]

Sony can fix this for good:

apt-get remove media-max

Re:I think I know how

[peeon]

emerge world

Re:I think I know how

[misleb]

make love

Re:I think I know how

[MooUK]

double click, next, agree, next, yes-please-install-lots-of-adware-and-spyware, next, next, OK

Re:I think I know how

[springbox]

emerge world

USE=door emerge world

Re:I think I know how

[Stupendoussteve]

That's USE="door" you dolt!!!

I like the other one better

[Korbeau]

This came along with the Automatic Update bundle today:

"Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer."

Sweet irony. At least that's refreshing from the attacker that could compromise my computer - I'm really tired of this guy.

How come I *may* have to restart my computer - haven't you tried it on one of your box beforehand or do you really have no clue?

Re:I like the other one better

[John+Nowak]

Because the installer *may* do certain things or it *may* not, depending on your configuration. It isn't fucking rocket science.

Re:I like the other one better

haha
thank you John, I just *maybe* have laughed so much.

good too see some intelligence in /.

Re:I like the other one better

[Tony+Hoyle]

Funny, that one. If you have the issue it's too late.. you can't download the patch.

Is this a regression? XP has that issue out of the box (before they fixed it I was always having to reinstall after windows update broke) but that was ages ago.

Re:I like the other one better

I have a Win2K box that does this. When you visit Windows Update, it basically hangs. What are you supposed to do -- go rooting around on microsoft.com for a manually-installable service pack? Has anyone actually found a quick and easy way to work around this problem (other than fsck'ing the box and installing Linux, yadda, yadda, yadda).

Dupe, dupe, dupe. Dupe of URL, URL, URL. Or is it?

Wasn't this just posted recently? Or is it yet another patch? Or is this truly a dupe? Man, my head is spinning.

Darn it!

[Guppy06]

It's yet another article that totally forgets about the upcoming Nintendo Revolution!

Oh, wait... this is a different Microsoft vs. Sony hissy fit?

Actually, it gets better

[TheSpoom]

Microsoft should now have released a patch to Microsoft Antispyware and also have their monthly Malicious Software Removal Tool (which customers running XP Automatic Updates will have automatically run) detect and delete the Sony rootkit. IMHO, very cool (if they did it, can someone confirm?)

I submitted an article about this a few weeks ago, it was rejected for some reason. Probably too many Sony stories already. ;^)

Re:Actually, it gets better

your story was obviously rejected so beatles-beatles could post some more

Re:Actually, it gets better

[Hosiah]

Probably too many Sony stories already.

Nah, heck, I can't get enough of it. I've been laughing my ass off through the whole Sony saga. I'm thinking it would be great to cut up into half-hour episodes and show on Nick-at-Nite five years down the road.

The title is left as an exercise for the witty Slashdotter.

Blu Ray

[jmichaelg]

Will people remember this farce and say thanks but no thanks to Blu-Ray because they're not sure what the drivers will do to their computer? And if you can't trust Sony's Blu-Ray drivers, who's to say the HD-DVD drivers will be any safer?

It would be ironic if somebody at Sony who was worried about selling a few copies of a country-western CD ended up jeopardizing a billion dollar market.

Re:Blu Ray

[Stupendoussteve]

Chances are nothing would be ironic... the only people that care very much are those that know more about computers than how to turn it on. Microsoft just made it so they go "Okay" and it's gone. They won't hold it against Sony in the least bit.

Re:...still waiting for service pack ZONKZonk-1.0.

CmdrTaco fairs not much better, infact ScuttleMonkey seemes to be the only one posting anything other than Slashvertisements and Flamebait.

Yes ScuttleMonkey and his favoritism towards spammer/Google-page-rank-whore * * Beatles-Beatles is much better.

Close

[geekoid]

It's an application issue, not an OS issue.

Microsoft was been known to release software with this same problem.

Also you probably shouldn't use sourceforge as if it is only non windows stuff.

Knightdom

[Z34107]

Of course Microsoft wants to appear as the Knight in Shining Armour who saved us from the Evil Sony.

No, it doesn't. Sony broke Microsoft's web browser. Microsoft is responsible for fixing their web browser. Therefore, they did. And "armor" doesn't have a "u" in it. :-D

Re:Knightdom

[quadbox]

"Armour" DOES have a "u" in it, if you speak English and not North American

Re:Knightdom

[drinkypoo]

Too right mate, too bloomin' right. Or something. Too bad neither American English nor English English seems to conform too closely to specification. In reality, we're both speaking a bastard tongue, unless you think chaucer is particularly accessible.

Re:Knightdom

[ozmanjusri]

unless you think chaucer is particularly accessible.

I trow Chaucer is sooth bet. The Slashdot janglers art sooth ful nyce.

Re:Knightdom

http://medievalmrhands.ytmnd.com/

Re:Knightdom

[Stupendoussteve]

Man, I've for years thought I spelled armor wrong because I'd always add a "u". I really do live in the wrong place...

Re:Knightdom

[Fearghaill]

Hey now. Most of North America (geography-wise at least) knows how to spell such things properly.

Re:Knightdom

[falsified]

Oh, so it's supposed to be "Armor Hot Dogs"? Please.

Wow, should MS be sued under the DMCA?

[mixonic]

Neat!

So, since MS is keeping Sony from installing their "DRM" spy^H^H^Hsoftware, you can say they are circumventing Sony's DRM software, PLAINLY against the DMCA. The only question is.....who do we cheer for when evil sues evil over evil with evil laws?

-mix

Re:Wow, should MS be sued under the DMCA?

[Lisandro]

I don't know, but i'll be damned if that wouldn't be fun to watch... the whole DMCA thing is a bomb waiting to go off, specially when it comes to issues like this between major companies. Me? I can't wait for it to happen.

    Or maybe they'll just make some agreement that benefits both parties and be done with it, but hey, i can dream :)

Re:Wow, should MS be sued under the DMCA?

[log0]

I'll cheer for evil.

Re:Wow, should MS be sued under the DMCA?

[merky1]

One could argue that Sony violated the DMCA when they circumvented the normal function of Windows.

Re:Wow, should MS be sued under the DMCA?

[Red+Flayer]

Doesn't apply, since MS isn't the end user, and I'm sure it's covered by their agreement with Sony.

I mean, Mediamax was certified by Microsoft, I'd be surprised if there wasn't correspondence between the two before the Rootkit was imprinted on those CDs. Or at least a thorough review by Sony BMG legal.

Re:Wow, should MS be sued under the DMCA?

[ozmanjusri]

One could argue that Sony violated the DMCA when they circumvented the normal function of Windows.

They didn't. They just made it slow, vulnerable and crash-prone.

Re:Wow, should MS be sued under the DMCA?

[pintomp3]

so they didn't change anything?

Re:Wow, should MS be sued under the DMCA?

[Almost-Retired]

Tee hee. As if anybody can imagine that sony is gonna sue M$ for a dmca violation? I sure as heck can't even imagine it. But then my imagination seems to have taken a vacation after 71 years, in favor of my version of common sense.

This whole fiasco SHOULD have sony backed into the far corner of their cage, with their tail tucked so firmly in its a very effective chastity belt.

Funny part is, all those cd's marked copy protected? Wally World hasn't pulled a single title off their music racks, nosiree bub. Not a one.

I asked at the counter if sales of sony/bmg music was down & the twerp said not that he could notice. He seemed to be totally unaware of any controversy regarding this, and didn't seem to have a quarter to call somebody who might care.

So this whole sordid thing has NOT made near enough noise for Joe Sixpack to understand the issues here, and thats the real problem. We're preaching to the choir, and we the choir know the words by heart. But to Joe Sixpack, were just a bunch of noise makers to be turned off.

Maybe next time we should vote for the greater evil, look at what voting for the lesser eveil got us...

--
Cheers, Gene

Lawsuits

[phorm]

Does anyone know about any lawsuits or class-actions against Sony. It seems to me that to install trojaned rootkit on a machine, then apologize while at the same time issueing a patch which causes other security vulnerabilities would show obvious malicious intent.

Re:Lawsuits

[coastin]

Yes, Texasand the Electronic Frontier Foundation both have filled suits. http://www.pcworld.com/news/article/0,aid,123668,0 0.asp/

Re:Lawsuits

[Guuge]

Just searching through stories on slashdot, it looks like the first such lawsuit reported was the California Class Action Suit. Later that month, a Texas Civil Lawsuit was filed.

The EFF and New York apparently have filed their own lawsuits, but I don't have links.

Now this is very interesting...

[emptycorp]

"Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."

So according to these researchers, one could logically assume that it is indeed not as much of Microsoft's fault for lots of viruses and spyware people have been getting over the last year or so, but more of Sony's fault for bad DRM software opening holes in people's browsers?

It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally holding water.

Re:Now this is very interesting...

[ozmanjusri]

It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally holding water.

It has always been true, just not helpful. Sony's rootkit is not functionally different from Hacker Defender or any other '3rd party' rootkit. A product which works in the lab, but not in the field is still a failure.

Re:Now this is very interesting...

[cyranix]

Saying that "Windows is fine" is almost irresponsible. A straight plain windows install with no other software and no internet connection is not fine. Windows still crashes easily... I could go on and on about it, but before someone replies with a counter argument, let me just say that if my computer reboots and I don't expect it to, that either means my UPS ran out of juice during a blackout, or else I just cooked some component on my motherboard, and its safe to say that neither of those happen too often, so basically, I reboot about once a year, for the purposes of a kernel upgrade or a hardware upgrade. Any more than that irritates me. Make that argument for a windows machine, I dare you... Sony, IE or any other single entity is not to blame. It is a failure to write stable software, point blank and period.

The patch that was 22 months in the making

It's rather interesting how long some of the fixes took.

Download dialog ... 6 months
Keyboard shortcut ... 7 months
COM corruption ... 3 months (fixed last month?)
window() code execution ... 6 months

It's like getting two years of fixes in one ...

Yes, MSRT removes F4I

[ScottCooperDotNet]

Yes, Microsoft's Malicious Software Removal Tool removes First 4 Internet Rootkit as of December 7th.

"WinNT/F4IRootkit is a kernel-mode rootkit used for copy protection on certain Sony BMG audio CDs. There are several versions of this rootkit. The rootkit hides certain Windows system resources, including files, processes, and registry settings. The rootkit can be used by attackers to hide malicious content on the computer." -Microsoft

http://www.microsoft.com/security/malwareremove/fa milies.mspx

http://www.microsoft.com/security/encyclopedia/det ails.aspx?name=WinNT%2FF4IRootkit

Where is everyone?

[Kelson]

An article about Microsoft and Sony has been up for 2 hours and only has 75 comments?

This has got to be a first.

Re:Where is everyone?

[Javi0084]

Perhaps they were downloading the patches?

This IS news!

[OneSeventeen]

I'd just like to point out the fact that Microsoft fixing a 6 month old problem was newsworthy...

And, the gratuitous open-source post:
There was a browser security issue and Sony could install a root-kit? Weird, never even noticed.

Re:This IS news!

There was a browser security issue and Sony could install a root-kit? Weird, never even noticed.

You were probably too busy compiling a library or recompiling your kernel to get your sound working so you could watch porn with your obscure media player for Linux.

Re:This IS news!

[wkitchen]

Lots of people using the last bit of their vacation time to supplement their holiday time. Can't expect high posting on slashdot when so many aren't at work, now can we?

Re:This IS news!

[sremick]

Years ago maybe. I don't know about Linux, but on FreeBSD the sound driver is a kernel loadable module, loadable with kldload and not only does not require a kernel rebuild, but does not even require a reboot.

Exams

[bach37]

It's exam week.

who gets the bill

[tehwebguy]

i wonder if microsoft will invoice sony for this..

Re:who gets the bill

One way would be to inflate their OEM software prices ;)

dodged.

Odd problems

[bruns]

Did anyone else with XP Home SP2 notice that the IE update does some really weird stuff with IE's ability to open up pages?

Like, best way to explain it, you can launch IE and it will go to your home page, however, when you type a URL in the address bar it opens up a new window as if you pressed ctrl-n and typed it in there?

Also rears its ugly head if you have another browser set as default. Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?

I've seen this behavior on two XP Home machines, while a third was perfectly fine (all running SP2)

Re:Odd problems

[springbox]

Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?

Sounds like the security fix I've been hoping for a while

Re:Odd problems

[bruns]

Heh. Good point :-)

However, I did field a call from one of my users who only uses IE (trust me, I tried to change them over to firefox or opera, but that was a wasted effort), so I'd really like to figure out what got broke exactly.

Re:Odd problems

[JPDeckers]

Have those problems as well, and basically makes surfing using IE impossible:

Everytime I type in a URL and/or click on a link that opens in a new window, I get a new empty window, and a messagebox with "Windows cannot find '(null)'"
Sometimes, 10 empty windows are requested at the same time.

The empty page also keeps requesting the focus for some time.

Re:Odd problems

[DrPizza]

So it's not just me who's noticed that. It's completely fucked up.

Re:Odd problems

[bruns]

Anyone else who's having this problem, please e-mail me. I'm working with a XP Home engineer to investigate the issue. They are just as curious about the problem as I am (and seem genuinely interested in getting it resolved).

Re:Odd problems

[bruns]

Ahhh, got a temp fix that people can use to solve the issue until MS figures out what is the cause exactly.

From my blog:

With help and ideas from an MS guy, I've managed to narrow down the bug which is causing the issue.

The version of browseui.dll (6.0.2900.2802) from the 905915 update is the culprit.

If you disable WFP, reboot with the recovery console, and replace it with browseui.dll (6.0.2900.2753 from previous update, probably 896688 IIRC), then reboot again, behavior will return back to normal. Don't forget to delete the browseui.dll from dllcache and reenable WFP.

OMGWTFBBQ???!!!!11!!

[multipartmixed]

> Researchers found that the Sony patch changed settings in IE so
> that any Web site could install software on those machines."

Wait. So, Sony is setting IE back to its default security settings?

That hardly seems newsworthy.

Re:...still waiting for service pack ZONKZonk-1.0.

I find it funny that for ages michael was the black sheep of the Slashdot family, and he was pretty much the only one. After he got the can the editor flamers kind of spread out with no single target anymore ...

This is what to expect

[twitter]

Or there could be pigs flying somewhere, I don't know.
I think you misspelled "chairs".

That's "stool."

Obligatory

No, because no one here uses IE, remember? Where have you been?

Re: Ms Flaws.

[oztiks]

* oztiks gives bejiitas_wrath his spoon back and tells him to stop dribbling all over his placemat.

Suze & Mandrake .. aww arnet you a cute linux bubby :-D

Re:...still waiting for service pack ZONKZonk-1.0.

[jrockway]

I actually like Taco's posts best because he adds commentary to the end of the submitter's blurb that makes it look like he actually reads slashdot. When I read Taco's journal I get the feeling that he is a slashdotter... where the other editors just seem like slashdot is their day job. (Actually michael used to know what's going on but I haven't seen him around lately.)

Yes, I know Taco started the site and is user #1. It's nice to know that he still cares after such a long time.

Oblig.

[DavidHOzAu]

Due to a security flaw in your browser, some links on your computer have been damaged and are now pointing to the wrong websites, such as those that install spyware and adware. To correct this problem, Microsoft wishes to inform its customers that the correct link to Windows Update is actually this one. If you are a Windows user, we recommend that you update to the latest version immediately.

How did the rootkit get installed

[LinuxDon]

I am supprised about the fact nobody seems to be worried about the fact that if you put a CD in your tray, while thinking it is just a music CD, a rootkit can be installed. It seems as if everyone is just accepting this?
IMHO this should not be able to happen..
MS should disable the autoplay feature, or at least make it a lot more safe.

Re:...still waiting for service pack ZONKZonk-1.0.

[Pxtl]

Actually, scuttlemonkey just grabs the articles by author in alphabetical order. If it's not * * Beatles Beatles, then it's someone whose nick begins with "a".

Why is it?

[OhHellWithIt]

Am I the only one wondering why it's p0rn sites that are using the hole to install spyware? I mean, why not other businesses and/or government agencies? Surely Sony isn't the only company to believe they have the right to do whatever they want to a customer's computer.

Re:...still waiting for service pack ZONKZonk-1.0.

[http101]

Open Slashdot->Preferences, then go to the "Homepage" tab, then look under "Customize Stories on the Homepage"

You can disable Zonk right there -- his posts will never reach your browser again. (This is compatible with all web browsers I've tested, though you have to enable cookies. But then cookies are such delicious delicacies, you have to wonder why anyone would want to disable them other than being on a diet.)

After cutting out all my cookies and java, I dropped 40 pounds! Bad part is, I hear someone baking up Krumpet v1.0 and Teacup Runtime Environment v0.8_04 in the background.

BOYCOTT Fixes Sony Flaws, but GOOD!

No Sony CDs - Boycotted FOREVER.
No Sony DVDs - Boycotted FOREVER.
No Sony HDTVs - Boycotted FOREVER.
No Sony Memsticks - Boycotted FOREVER.
No Sony Digital Cameras - Boycotted FOREVER.
No Sony Playstations - Boycotted FOREVER.
No Sony PSPs - Boycotted FOREVER.
No Sony Games - Boycotted FOREVER.
No Sony Radios - Boycotted FOREVER.
No Sony MP3 players - Boycotted FOREVER.
No Sony Video Cameras - Boycotted FOREVER.
No Sony Anything, Forever.

Expand the Boycott -
Local stores selling Sony products? Write them a letter telling them you are boycotting them until they stop carrying Sony products
iTunes selling you Sony Music and Videos? Write Apple a letter - iTunes is now boycotted for threatening users computers with Sony music.
Begin returning Sony products, simply out of principle - you were saving those sales slips for just this kind of thing.

Set your mind: No longer will you do business with any company that sells Sony products.

But let them know why you, your family, your church, your company, and your school is boycotting their store - Just say No to Sony.
Same goes for anything from BMG or Sony/BMG.