Microsoft Patches Fix IE, Sony Flaws
An anonymous reader writes "Microsoft issued two security updates today, one of which fixes at least four flaws in its Internet Explorer browser, including one for which an exploit was released over Thanksgiving that is now being used by a handful of porn sites to install spyware, etc. According to Washingtonpost.com, the IE patch also removes a component left behind by a patch from Sony BMG designed to remove some of the more dangerous features of anti-piracy software installed by Sony BMG music CDs. Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."
Wow...Microsoft cleaning up after Sony? It's like oil companies issuing nicotine patches to clean up after tobacco companies. The big fight this winter is evil vs. evil. Wooo!
An old-timer with old-timey ideas.
you know, the one which stops the Zonk slashdot article exploit in my /. browser. How do I remove that shit? Permanently...
Microsoft taking responsibility for their own faults and Sony's? I wonder what's up in their boardroom nowadays. Or there could be pigs flying somewhere, I don't know.
I don't mind Microsoft, but I don't think they need any help in leaving their systems vulnerable. I don't agree with Sony's DRM bullshit, and I do believe that they need to be smacked like a little bitch for including their 'anti-piracy' crap. I just want to listen to MUSIC, not get more annoying software installed on my computer that does absolutely nothing other than piss me off to a greater extent than XP rebooting my computer for no reason. Thanks guys, can't wait for the PS3..Is it going to have software to keep me from playing my PS3 games on my PC?
Ever hear of QA?
'mmmmmmmmm.... forbidden donut'
Re the Sony spyware saga, it's also worth checking out Ed Felten's latest article on XCP's eviller twin, Suncomm Mediamax. Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.
Now I can go to porn sites again without having to worry...
If Microsoft released a patch right away, administrators would complain they are patching too often and forcing them to test internal software more.
If Microsoft waits for the patch cycle, slashdotters complain Microsoft is purposely holding out so that they can sell anti-virus
And normal computer users, they don't patch so it really does matter
gut reaction is troll, then I scroll down the front page almost all articles posted by this guy are flamebait or corporate shill. CmdrTaco fares not much better, in fact ScuttleMonkey seems to be the only one posting anything other than Slashvertisements and Flamebait. Perhaps a new poll, which Slashdot Editor is less of a tool.
This is the first update in ages that requires a reboot, is the Sony rootkit that destructive?
Same way you can modprobe something into the kernel under Linux. If you run as an administrator, then the programs that get run can do whatever the hell they want, including patching the kernel tables for syscalls, altering drivers or loading new ones, etc. The only difference is that Linux users generally aren't stupid enough to regularly use the system while logged in as root.
Open Slashdot->Preferences, then go to the "Homepage" tab, then look under "Customize Stories on the Homepage"
You can disable Zonk right there -- his posts will never reach your browser again. (This is compatible with all web browsers I've tested, though you have to enable cookies. But then cookies are such delicious delicacies, you have to wonder why anyone would want to disable them other than being on a diet.)
There's only one problem, though: This patch requires you to register with Slashdot. One wonders how responsible it is to require personal information (I hear they actually want a username and a password! At least you can use a throw-away email address) in order to use this valuable functionality.
It's not about linux users being smarter. it's about Linux being built smarter. Running as root you are constantly reminded that you are doing a bad thing by a few programs here and there. And most distros set it up so that logging in as a regular user is the logical thing to do when faced with the login prompt. Windows, on the other hand, barely even suggests the possibility.
What's a "sig"?
One of the biggest complaints about Windows security is that it's hard to not run as administrator because so many programs require it to install, yet this is a guaranteed "feature" of Linux: WTF?
This is just a good occasion for MS to say "hey look how Sony software suck so much we need to clean the mess for them".
After the HD DVD delay and the xbox failure in Japan, MS needed to do some anti sony PR to make it up in their little war against Sony.
The True FOSS Skype Replacement
Sony can fix this for good:
apt-get remove media-max
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
You have this wrong on both ends.
First, the big problem with windows is not that you have to be an Administrator to install software. The problem is that you have to be one to use it. Lots of software doesn't actually work properly, once installed, if you are not an admin. Other software doesn't work if you don't run it as the user who installed it!
Second, you can install mode software any place you want on a Unix system, including your home directory or /tmp or any other place it will fit, because for the most part Unix utilities are not irrevocably tied to a specific directory, whereas just about every Windows program looks in a specific location for something.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
... or so you think... having a linux box on your desk isn't necessarily a badge of common sense and intelligence
and besides, switching to administrator to install something in windows is MUCH more of hassle than in linux. maybe it's cause i'm used to it, and i'm always using the shell, but it's just a matter of su and then my password, which flies off my fingers cause i'm using it so much :).
i'll give you this much though, the very first time i installed linux, oh so many millennia ago, i ran only in root for the first couple of days while i figured out what on earth i was doing. 'su' simply eluded me! it's one of the main reasons why i switched back to windows.
but running in administrator mode is a habit people need to get out of. because that habit is coupled with the habit of not using a password for your one and only - administrator - account, because it's annoying to have to type it in when you log in. i'm glad i got out of that habit. it was pretty stupid of me.
What's a "sig"?
This came along with the Automatic Update bundle today:
"Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer."
Sweet irony. At least that's refreshing from the attacker that could compromise my computer - I'm really tired of this guy.
How come I *may* have to restart my computer - haven't you tried it on one of your boxes beforehand or do you really have no clue?
It's yet another article that totally forgets about the upcoming Nintendo Revolution!
Oh, wait... this is a different Microsoft vs. Sony hissy fit?
erm, i like having to type in my password, that is
What's a "sig"?
Microsoft should now have released a patch to Microsoft Antispyware and also have their monthly Malicious Software Removal Tool (which customers running XP Automatic Updates will have automatically run) detect and delete the Sony rootkit. IMHO, very cool (if they did it, can someone confirm?)
;^)
I submitted an article about this a few weeks ago, it was rejected for some reason. Probably too many Sony stories already.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Why would you want to let ordinary users install packages? Isn't that what leads to Sony rootkits etc.?
Package installation probably should have a warning like old newsreaders had:
"Please be sure you know what you are doing."
In fact, any software installation should have it. Some malware gets on Windows machines instantly through Outlook or IE exploits, but great deal of it gets there because non-tech-savvy users see a "Click OK to install the UltraCoolSlickLinksToolBar plugin" dialog and don't know the difference between that and a "Click OK to install the Macromedia Flash plugin" dialog.
Users should be made aware that installing software is like tinkering with your car's engine: it's important to know what you're doing.
Requiring someone to enter a mode of operation specifically designed to modify the system seems like a strength to me.
The Internet is full. Go away.
> Second, you can install mode software any place you want on a Unix system, including your home directory or /tmp or any other place it will fit, because for the most part Unix utilities are not irrevocably tied to a specific directory,
That is however only true for source, binaries under Linux have quite often their location hardcoded, moving them to a different directory is impossible without either ugly hacks (hex editor) or less ugly hacks (environment variables, command line parameter, etc.). Binaries that are truly relocatable are pretty seldomly under Linux, some of the big packages (Mozilla and the like) provide it, but even they often only via install scripts that install some startup script that sets the right command line arguments. True relocation would require to use /proc/self/exe or different means to find out the location of the binary, that however is sadly not standardized across different Unixes, which is why very few actually use it. The 'spread everything across dozens of directories' approach of installing software in Unix makes relocation also quite a bit more complicated, since it gets ugly if one tries to keep a software in its own directory (useless foo/share/foo/ directories and such).
Will people remember this farce and say thanks but no thanks to Blu-Ray because they're not sure what the drivers will do to their computer? And if you can't trust Sony's Blu-Ray drivers, who's to say the HD-DVD drivers will be any safer?
It would be ironic if somebody at Sony who was worried about selling a few copies of a country-western CD ended up jeopardizing a billion dollar market.
Second, you can install mode software any place you want on a Unix system
That's not true for any of the package systems I've used. Sure, you can do it if you download the source (or a binary tgz, etc), but the majority of users (as opposed to admins) won't be doing that.
It's official. Most of you are morons.
Yes, there are a lot of sucky developers who make windows apps. There are also plenty of sucky developers working on *nix software. I've installed plenty of stuff off sourceforge that was badly written.
This is a developer issue, not a windows issue.
I suggest trying OS X.
You can move an application any where you want and it is likely it will not complain. Delete a user... no complaints. It asks you for a root password when you install software or make system changes and that is about it.
Of course Microsoft wants to appear as the Knight in Shining Armour who saved us from the Evil Sony.
No, it doesn't. Sony broke Microsoft's web browser. Microsoft is responsible for fixing their web browser. Therefore, they did. And "armor" doesn't have a "u" in it. :-D
DATABASE WOW WOW
Neat!
So, since MS is keeping Sony from installing their "DRM" spy^H^H^Hsoftware, you can say they are circumventing Sony's DRM software, PLAINLY against the DMCA. The only question is.....who do we cheer for when evil sues evil over evil with evil laws?
-mix
Does anyone know about any lawsuits or class-actions against Sony? It seems to me that to install trojaned rootkit on a machine, then apologize while at the same time issuing a patch which causes other security vulnerabilities would show obvious malicious intent.
"Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."
So according to these researchers, one could logically assume that it is indeed not as much of Microsoft's fault for lots of viruses and spyware people have been getting over the last year or so, but more of Sony's fault for bad DRM software opening holes in people's browsers?
It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally holding water.
Actually, if you use the low-level package installer (rpm or dpkg, usually), you can almost always specify the prefix ("root directory") to use for installation. In Debian, for example, you can run "dpkg --instdir=$HOME/usr -i package.deb" to install a package into your home directory. That still requires administrative privileges though, because it's using the system package database. If you want to avoid root altogether, then you can use --root instead of --instdir after setting up your own package database. This is typically used by the Debian installer to install .deb packages into the newly-created root directory, but you could use it to install things locally. Or you could just use "dpkg --unpack file.deb" to extract all of the necessary files. Of course, you'll have to set up $LD_LIBRARY_PATH if you install any libraries outside of the system directories, and some programs are sensitive to the paths that they were configured with.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
Working as a user is getting easier in Windows now. With XP SP2, the "run as..." command has been added to the right click context menu, so you can be logged in as user and still install or run software that requires administrator privileges. It's not perfect, but it's better than running in root/administrator and getting infected by all sorts of nastiness.
My Sysadmin Blog
"WinNT/F4IRootkit is a kernel-mode rootkit used for copy protection on certain Sony BMG audio CDs. There are several versions of this rootkit. The rootkit hides certain Windows system resources, including files, processes, and registry settings. The rootkit can be used by attackers to hide malicious content on the computer." -Microsoft
http://www.microsoft.com/security/malwareremove/families.mspx
http://www.microsoft.com/security/encyclopedia/details.aspx?name=WinNT%2FF4IRootkit
An article about Microsoft and Sony has been up for 2 hours and only has 75 comments?
This has got to be a first.
I'd just like to point out the fact that Microsoft fixing a 6 month old problem was newsworthy...
And, the gratuitous open-source post:
There was a browser security issue and Sony could install a root-kit? Weird, never even noticed.
"Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
Why would you want to let ordinary users install packages?
You're assuming that every non-root user has exactly the same permissions. This is not the case. Allowing some users in a special group to install software without running as root might be a good idea.
It's exam week.
Another major difference that you forget is that, whilst Linux also generally requires root access to install most packaged software, it makes it easy to get single-command or temporary access. Windows does not. This makes it very inconvenient to install anything if you're not running as admin.
The habit of many programs of not correctly installing for all users makes this worse. And that's without adding in the programs that REQUIRE admin access.
i wonder if microsoft will invoice sony for this..
-- lol pwned
Did anyone else with XP Home SP2 notice that the IE update does some really weird stuff with IE's ability to open up pages?
Like, best way to explain it, you can launch IE and it will go to your home page, however, when you type a URL in the address bar it opens up a new window as if you pressed ctrl-n and typed it in there?
Also rears its ugly head if you have another browser set as default. Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?
I've seen this behavior on two XP Home machines, while a third was perfectly fine (all running SP2)
Brielle
1. the "move an application anywhere" refers to Carbon/Cocoa .app applications. Try and move something out of /usr/bin and you'll have the same issues Linux (or an *Nix) does.
2. It's technically an admin (user is member of sudoers) password, not a root password. Some few drivers must be installed from an admin account (Xerox/EFI, I'm looking in your direction).
3. Better than "no complaints" when you delete a user, the system will offer to create an image of the deleted homedirectory and place it in /Users/Deleted\ Users. Very nice.
Quibbles aside, try OS X.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
> Researchers found that the Sony patch changed settings in IE so
> that any Web site could install software on those machines."
Wait. So, Sony is setting IE back to its default security settings?
That hardly seems newsworthy.
Do daemons dream of electric sleep()?
I think you misspelled "chairs".
That's "stool."
Friends don't help friends install M$ junk.
No, because no one here uses IE, remember? Where have you been?
What would be the obstacle to doing that on Linux with permissions or ACLs on the required files?
Does a Christian soccer team even need a goalkeeper?
It's mostly doable already. linuxfromscratch lists one possible way. I suppose one big problem for other distros is that a generic package manager which can handle any package will require root permissions, because some programs have a legitimate reason to be installed setuid root. For obvious reasons, non-root users can't install setuid root programs.
* oztiks gives bejiitas_wrath his spoon back and tells him to stop dribbling all over his placemat.
.. aww aren't you a cute linux bubby :-D
Suze & Mandrake
I actually like Taco's posts best because he adds commentary to the end of the submitter's blurb that makes it look like he actually reads slashdot. When I read Taco's journal I get the feeling that he is a slashdotter... where the other editors just seem like slashdot is their day job. (Actually michael used to know what's going on but I haven't seen him around lately.)
Yes, I know Taco started the site and is user #1. It's nice to know that he still cares after such a long time.
My other car is first.
Due to a security flaw in your browser, some links on your computer have been damaged and are now pointing to the wrong websites, such as those that install spyware and adware. To correct this problem, Microsoft wishes to inform its customers that the correct link to Windows Update is actually this one. If you are a Windows user, we recommend that you update to the latest version immediately.
I am surprised about the fact nobody seems to be worried about the fact that if you put a CD in your tray, while thinking it is just a music CD, a rootkit can be installed. It seems as if everyone is just accepting this?
IMHO this should not be able to happen..
MS should disable the autoplay feature, or at least make it a lot more safe.
Actually, scuttlemonkey just grabs the articles by author in alphabetical order. If it's not * * Beatles Beatles, then it's someone whose nick begins with "a".
Am I the only one wondering why it's p0rn sites that are using the hole to install spyware? I mean, why not other businesses and/or government agencies? Surely Sony isn't the only company to believe they have the right to do whatever they want to a customer's computer.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
I don't remember how much power that group gives you, so I'm not sure. If it's not too much -- if it keeps the core system protected -- then yes, like that.
Unfortunately, in Windows 2000/XP the Power Users group gives you read/write to %SYSTEMROOT% and HKEY_LOCAL_MACHINE in the registry. So you can install software, drivers, etc. And also completely hose the system with a virus, trojan, or root kit.
About the only significant things a Power User cannot do by default are "Security Account Manager"-related. That is, a Power User cannot create new users, remove other users, delegate rights, etc. on the local machine. Also, a Power User cannot typically do a few other common tasks, like set up new virtual hosts in IIS (because that requires user rights delegation privileges).
Finally, all of this is very granular, and of course you can choose to add or remove certain rights and permissions from the default Windows user classes. Nobody really does that much, of course, at least for workstations (we do it a lot for servers). But you can change most of this with command-line scripting, Active Directory's Group policy, or the GUI.
After cutting out all my cookies and java, I dropped 40 pounds! Bad part is, I hear someone baking up Krumpet v1.0 and Teacup Runtime Environment v0.8_04 in the background.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
Yeh but you could still give certain users rights to update the package db, the security of trying to do stuff like ldconfig or modifying /etc would still be handled as any attempt to install stuff that requires root privileges would crap out with a security message. I'm not sure what I'm missing as to the difference between doing it that way and how Windows does it.
Does a Christian soccer team even need a goalkeeper?
The main difference, I think, is that Windows installers are much more often poorly written, refusing to run as a limited user. That one's not really a problem with Windows itself anymore.