Slashdot Mirror
Microsoft Patches Fix IE, Sony Flaws
An anonymous reader writes "Microsoft issued two security updates today, one of which fixes at least four flaws in its Internet Explorer browser, including one for which an exploit was released over Thanksgiving that is now being used by a handful of porn sites to install spyware, etc. According to Washingtonpost.com, the IE patch also removes a component left behind by a patch from Sony BMG designed to remove some of the more dangerous features of anti-piracy software installed by Sony BMG music CDs. Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."
Wow...Microsoft cleaning up after Sony? It's like oil companies issuing nicotine patches to clean up after tobacco companies. The big fight this winter is evil vs. evil. Wooo!
An old-timer with old-timey ideas.
you know, the one which stops the Zonk slashdot article exploit in my /. browser. How do I remove that shit? Permanently...
Microsoft taking responsibility for their own faults and Sony's? I wonder what's up in their boardroom nowadays. Or there could be pigs flying somewhere, I don't know.
I don't mind Microsoft, but I don't think they need any help in leaving their systems vulnerable. I don't agree with Sony's DRM bullshit, and I do believe that they need to be smacked like a little bitch for including their 'anti-piracy' crap. I just want to listen to MUSIC, not get more annoying software installed on my computer that does absolutely nothing other than piss me off to a greater extent than XP rebooting my computer for no reason. Thanks guys, can't wait for the PS3..Is it going to have software to keep me from playing my PS3 games on my PC?
Ever hear of QA?
'mmmmmmmmm.... forbidden donut'
Re the Sony spyware saga, it's also worth checking out Ed Felten's latest article on XCP's eviller twin, Suncomm Mediamax. Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.
Now I can go to porn sites again without having to worry...
If Microsoft released a patch right away, administrators would complain they are patching too often and forcing them to test internal software more.
If Microsoft waits for the patch cycle, slashdotters complain Microsoft is purposely holding out so that they can sell anti-virus
And normal computer users, they don't patch so it really does matter
gut reaction is troll, then I scroll down the front page almost all articles posted by this guy are flamebait or corportae shil. CmdrTaco fairs not much better, infact ScuttleMonkey seemes to be the only one posting anything other than Slashvertisements and Flamebait. Perhaps a new poll, which Slashdot Editor is less of a tool.
This is the first update in ages that requires a reboot, is the Sony rootkit that destructive?
Same way you can modprobe something into the kernel under Linux. If you run as an administrator, then the programs that get run can do whatever the hell they want, including patching the kernel tables for syscalls, altering drivers or loading new ones, etc. The only difference is that Linux users generally aren't stupid enough to regularly use the system while logged in as root.
Open Slashdot->Preferences, then go to the "Homepage" tab, then look under "Customize Stories on the Homepage"
You can disable Zonk right there -- his posts will never reach your browser again. (This is compatible with all web browsers I've tested, though you have to enable cookies. But then cookies are such delicious delicacies, you have to wonder why anyone would want to disable them other than being on a diet.)
There's only one problem, though: This patch requires you to register with Slashdot. One wonders how responsible it is to require personal information (I hear they actually want a username and a password! At least you can use a throw-away email address) in order to use this valuable functionality.
One of the biggest complaints about Windows security is that it's hard to not run as administrator because so many programs require it to install, yet this is a guaranteed "feature" of Linux: WTF?
This is just a good occasion for MS to say "hey look how Sony software suck so much we need to clean the mess for them".
After the HD DVD delay and the xbox failure in Japan, MS needed to do some anti sony PR to make it up in their little war against Sony.
The True FOSS Skype Replacement
... or so you think... having a linux box on your desk isn't necessarily a badge of common sense and intelligence
This came along with the Automatic Update bundle today:
"Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer."
Sweet irony. At least that's refreshing from the attacker that could compromise my computer - I'm really tired of this guy.
How come I *may* have to restart my computer - haven't you tried it on one of your box beforehand or do you really have no clue?
It's yet another article that totally forgets about the upcoming Nintendo Revolution!
Oh, wait... this is a different Microsoft vs. Sony hissy fit?
Microsoft should now have released a patch to Microsoft Antispyware and also have their monthly Malicious Software Removal Tool (which customers running XP Automatic Updates will have automatically run) detect and delete the Sony rootkit. IMHO, very cool (if they did it, can someone confirm?)
;^)
I submitted an article about this a few weeks ago, it was rejected for some reason. Probably too many Sony stories already.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Why would you want to let ordinary users install packages? Isn't that what leads to Sony rootkits etc.?
Package installation probably should have a warning like old newsreaders had:
"Please be sure you know what you are doing."
In fact, any software installation should have it. Some malware gets on Windows machines instantly through Outlook or IE exploits, but great deal of it gets there because non-tech-savvy users see a "Click OK to install the UltraCoolSlickLinksToolBar plugin" dialog and don't know the difference between that and a "Click OK to install the Macromedia Flash plugin" dialog.
Users should be made aware that installing software is like tinkering with your car's engine: it's important to know what you're doing.
Requiring someone to enter a mode of operation specifically designed to modify the system seems like a strength to me.
The Internet is full. Go away.
### Second, you can install mode software any place you want on a Unix system, including your home directory or /tmp or any other place it will fit, because for the most part Unix utilities are not irrevocably tied to a specific directory,
/proc/self/exe or different means to find out the location of the binary, that however is sadly not standardized across different Unixes, which is why very few actually use it. The 'spread everything across dozens of directories' approach of installing software in Unix makes relocation also quite a bit more complicated, since it gets ugly if one tries to keep a software in its own directory (useless foo/share/foo/ directories and such).
That is however only true for source, binaries under Linux have quite often their location hardcoded, moving them to a different directory is impossible without either ugly hacks (hex editor) or less ugly hacks (envirorment variables, command line parameter, etc.). Binaries that are truly relocatable are pretty seldomly under Linux, some of the big packages (Mozilla and the like) provide it, but even they often only via install scripts that install some startup script that sets the right command line arguments. True relocation would require to use
Will people remember this farce and say thanks but no thanks to Blu-Ray because they're not sure what the drivers will do to their computer? And if you can't trust Sony's Blu-Ray drivers, who's to say the HD-DVD drivers will be any safer?
It would be ironic if somebody at Sony who was worried about selling a few copies of a country-western CD ended up jeopardizing a billion dollar market.
Second, you can install mode software any place you want on a Unix system
That's not true for any of the package systems I've used. Sure, you can do it if you download the source (or a binary tgz, etc), but the majority of users (as opposed to admins) won't be doing that.
It's official. Most of you are morons.
Yes, there are a lot of sucky developers who make windows apps. There are also plenty of sucky developers working on *nix software. I've installed plenty of stuff off sourceforge that was badly written.
This is a developer issue, not a windows issue.
Neat!
So, since MS is keeping Sony from installing their "DRM" spy^H^H^Hsoftware, you can say they are circumventing Sony's DRM software, PLAINLY against the DMCA. The only question is.....who do we cheer for when evil sues evil over evil with evil laws?
-mix
"Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."
So according to these researchers, one could logically assume that it is indeed not as much of Microsoft's fault for lots of viruses and spyware people have been getting over the last year or so, but more of Sony's fault for bad DRM software opening holes in people's browsers?
It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally holding water.
Too right mate, too bloomin' right. Or something. Too bad neither American English nor English English seems to conform too closely to specification. In reality, we're both speaking a bastard tongue, unless you think chaucer is particularly accessible.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Actually, if you use the low-level package installer (rpm or dpkg, usually), you can almost always specify the prefix ("root directory") to use for installation. In Debian, for example, you can run "dpkg --instdir=$HOME/usr -i package.deb" to install a package into your home directory. That still requires administrative priviledges though, because it's using the system package database. If you want to avoid root altogether, then you can use --root instead of --instdir after setting up your own package database. This is typically used by the Debian installer to install .deb packages into the newly-created root directory, but you could use it to install things locally. Or you could just use "dpkg --unpack file.deb" to extract all of the necessary files. Of course, you'll have to set up $LD_LIBRARY_PATH if you install any libraries outside of the system directories, and some programs are sensitive to the paths that they were configured with.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
"WinNT/F4IRootkit is a kernel-mode rootkit used for copy protection on certain Sony BMG audio CDs. There are several versions of this rootkit. The rootkit hides certain Windows system resources, including files, processes, and registry settings. The rootkit can be used by attackers to hide malicious content on the computer." -Microsoft
http://www.microsoft.com/security/malwareremove/fa milies.mspx
http://www.microsoft.com/security/encyclopedia/det ails.aspx?name=WinNT%2FF4IRootkit
An article about Microsoft and Sony has been up for 2 hours and only has 75 comments?
This has got to be a first.
I'd just like to point out the fact that Microsoft fixing a 6 month old problem was newsworthy...
And, the gratuitous open-source post:
There was a browser security issue and Sony could install a root-kit? Weird, never even noticed.
"Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
i wonder if microsoft will invoice sony for this..
-- lol pwned
Did anyone else with XP Home SP2 notice that the IE update does some really weird stuff with IE's ability to open up pages?
Like, best way to explain it, you can launch IE and it will go to your home page, however, when you type a URL in the address bar it opens up a new window as if you pressed ctrl-n and typed it in there?
Also rears its ugly head if you have another browser set as default. Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?
I've seen this behavior on two XP Home machines, while a third was perfectly fine (all running SP2)
Brielle
> Researchers found that the Sony patch changed settings in IE so
> that any Web site could install software on those machines."
Wait. So, Sony is setting IE back to its default security settings?
That hardly seems newsworthy.
Do daemons dream of electric sleep()?
I think you misspelled "chairs".
That's "stool."
Friends don't help friends install M$ junk.