Highly Critical Hole Found in IE
dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control.
From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?"
Please don't post stories like this until a patch or fix has been released! I always get paranoid after reading a story about another IE hole. If you wait until the fix is released, I'll have a blissful few days.
Must be thursday.
...if researchers just identified the bits that *weren't* totally insecure?
It's a brand new hole!
Is it shaped like a woman's mouth? I mean, that's a highly critical hole.
Just stop using activex.
Religion for nerds. Stuff that really matters
Can't we just take it for granted that IE is just choc-full-o-holes, and these holes will always get discovered by some third party, and MS will eventually make a patch for it. Then lather, rinse, and repeat? Why do stories like this even make it to Slashdot anymore?
Man, since I only use IE to download MSFT WinXP patches for my laptop, I never even noticed there's a new version out.
-- Tigger warning: This post may contain tiggers! --
TFA: Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers
So this article updates us to the fact that they plan to update us with an article prior to the update?
Slashdot Burying Stories About Slashdot Media Owned
even better.. let's move to lynx
it's the time period that sometimes makes it more panicky.
It could've been a very cynical hole in IE concerning when Windows Vista will finally be released.
With security being #1 in IE7, and numerous IE7 articles published by both microsoft and non-microsoft advocates praising the security and reliability of the new MS Browser, can we conclude that even with their upcoming browser media hype is still the best feature?
Personally, I understand if people don't want to use Firefox, it isn't the best browser either, no browser is the best across the board. I don't, however, understand why people want to continue to use Internet Explorer. It has been proven time and time again to be buggy, and patches take weeks longer than in most other browsers.
Not being a hardcore developer myself, I don't know what causes this, but might this have been avoided if Microsoft adhered to the Javascript standards rather than "tweaking it" for IE?
"Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
IE can also execute HTA files
Why do stories like this even make it to Slashdot anymore?
So every non-IE user (probably a fairly high percentage of /.) can feel good with themselves.
Yet further evidence that IE7 and also likely Vista and all other 'new and improved' products rolling out of Microsoft will be nothing more than business as usual.
Come again?
Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
Can't... it's required for Windows Update! If you don't update, you're screwed!
Can't be secure with ActiveX, can't be secure without ActiveX... but what would happen if ActiveX didn't exist?
IE is the hole, into which are placed 'features' such as this exploit, tied to the feature called 'activex.' Remove these 'features' and all that is left is the nothingness that is a hole.
Moderation in All Things... Especially Moderation - gurutc
createText("install firefox.exe");
createTextRange(-1);
And just let the exploit install firefox. It's just that easy.
Proof by very large bribes. QED.
Why don't they just mention which part of IE is not a hole ?
IE user, your house is on fire. Run for the hills! Go! Go!
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
And would the divorce of IE7 from Vista's Windows Explorer help?
maybe, but i still recommend divorcing windows entirely. i've loved computers before (not sexually ... you perverts!) but not until my power book did one love me back...
i don't care
Dupe!
This is my sig. There are thousands more, but this one is mine.
I thought Sun sold hardware.
Not quite true. Mostly because of the sheer amount of lazy bastards reading Slashdot while they should be working, a high proportion of this site's visits are through Internet Explorer. Even if they will use some newfangled firebird or netcraft when they get home, this hole matters to them *now*.
No, according to InfoWorld, there are two bugs, so it's not a dupe, it's a second bug.
But, good catch!
is at this story, so you can see it's not just the EWeek posting.
Which means it's not a dupe, it's a second bug.
I would opine you'd get a few comments along the lines of "bad hackers" on here *if* this hole had been exploited by some kiddie scripters with no point.
But the Sun deal was a DDOS. Those are an annoying part of life these days, and while there are steps to take to prevent such an attack there is still no 100% foolproof defense.
And you can't forget about all of the /. geeks that will now have to explain (once again) to their family and friends why they should stop using IE only to have the concern brushed off.
And you people bitch about slashdot being ugly, broken, and slow.
Man, you really need that seminar!
DOS attacks are signs of vulnerability....
People who DOS sites are not hackers (they are not even crackers)....
Any fool can DOS a site if they have enough bandwidth...
Whoever modded you insightful is obviously as thick as you....
Story was on digg.com 7 hours ago.
"Highly Critical Hole Found in IE"
When does this stop being "news" and start being "the usual"?
That in the very previous /. story about a Sun product vulnerability, the hackers get ripped, but when it's Microsoft, the software company gets ripped.
The difference is that if Sun were DDosed every couple of weeks on millions of PCs for almost 10 years because of putting something as stupid as "Active Scripting" or ActiveX into a product that is coupled tightly with the operating system (no, it appears as the decoupled version even helped this one), then we would be blaming the software company as well.
So, has MS learned yet that ActiveX (I'm assuming Active Scripting is similar or the same thing) is "A Bad Thing" yet?
that this wasn't exploited, that is a difference, but only in the actions of the exploit discoverers. re explaining to family members and friends -> true /. geeks don't let friends drive IE.
...Jack's complete lack of surprise.
120 characters for a sig? That's bloody useless.
Also, I note that there is no mention as yet (there is another story on the way) of the highly critical security flaw found in Sendmail which also had a proven potential for remote and local exploitation and arbitrary command execution. Actually this is potentially quite interesting; with remotely exploitable problems with both IE and Sendmail announced at almost the same time, I wonder which one we are going to see exploited by the blackhats first? Admittedly there are already updated packages for most Linux distros and commercial UNIX versions, plus a new release of the software (no official Sun patch for Solaris yet though) which is going to tip the results a little, but still...
UNIX? They're not even circumcised! Savages!
Netcraft is not a web browser.
A simple math analogy will demonstrate the formula for /. sentiment. A negative multiplied by a negative equals a positive. Hackers hacking Microsoft == good news. Hackers hacking Firefox == bad news. Any good tech company can easily turn evil simply by an association with Microsoft.
GoDaddy == Good.
GoDaddy * Microsoft == Evil
In the same vein (but totally against any mathematical logic), any company (including evil ones) that are associated with Open Source and/or Linux automatically become good.
Oracle == Evil
Oracle * Linux == Good
China == Evil
China * OSS == Good
Wake me up when there's something new to report.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Here's the difference: In Sun's case, the hackers didn't alert Sun to the vulnerability. They just DOS'd a free service that Sun provided the world, causing headaches for people attempting to use the service. Their actions accomplished absolutely nothing (the grid was not affected), and resulted in Sun pulling a previously free product behind a security wall for which people are required to subscribe. Good going!
In this case, a researcher discovered a flaw in the browser, and instead of being an a$%hat by writing yet another worm or malicious program, alerted Microsoft to the bug. Which is now in the process of being patched.
Humorless sig goes here.
So collectivist nerds can sit and giggle self-contentedly to themselves when MS looks bad.
I wish I had mod points, because you'd be -10 moron.
If DDOS is a vulnerability, it's one that all systems share, and thus, we'd have to be extremely jaded and cynical for blaming Sun for getting hit with one.
It doesn't help that the existence of vulnerabilities in Microsoft's products is probably the reason it was so easy to attack Sun.
Don't thank God, thank a doctor!
Just because it's beta doesn't mean it can be swiss cheese. You can't write the browser completely wrong, and then just before it's released magically add security to it. You have to write the code securely from the start, which obviously they aren't doing.
No it's not. I download all my updates using Firefox and Microsoft's Genuine Advantage validation tool that you download and run to get a verification code. Who the hell needs ActiveX?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
no comment
Why do stories like this even make it to Slashdot anymore?
Why do they mod you flamebait? This is a good question.
an ill wind that blows no good
A DDoS isn't a vulnerability any more than someone throwing a brick at your face.
Wouldn't we all love to see "WindowsSucks" under "Sections" in the left menu?
.. in the URL bar, all the letters are falling through .. H E L P!
I contest that the parent isn't insightful, just clueless.
That all depends, would MS still ship IE with Windows? Since they are separate software, will MS allow you to uninstall Internet Explorer? If so, users won't be as reliant on IE and hopefully the software landscape won't reflect a "write-once-exploit-all" scenario for the average desktop anymore. In Europe, IE may not even ship with Windows at all, or at least a version of Windows without IE will exist. At least users that choose to use this version will have different configurations and be less susceptible to an attack that takes for granted certain software is available.
Is this the same vulnerability posted at milw0rm?
milw0rm advisory
IE 7, when run on Windows Vista, would not have fallen victim to this or any other exploit of this nature. The reason for this is the fact that IE 7 on Vista runs as a user with virtually no privileges, regardless of privileges of the user using IE 7.
Essentially all actions that require higher privileges, such as writing to non-temp locations on the file system, executing applications, installing plugins, changing settings, etc, will be done through the use of a broker.
The broker is very small, perhaps only a few thousand lines of code. This makes auditing the broker far easier than auditing the hundreds of thousands of lines in IE 7.
When IE 7 wants to save a file to the user's desktop, for instance, it must first "ask" the broker if it can do this. The broker is written in such a way that all actions require the user to confirm this is OK via a dialog box. If the user says it's OK the broker completes the action on behalf of IE 7.
If IE 7 has a buffer overflow or exploit of some kind and tries to do something nasty it will always fail because it is running as a user with basically no privileges on the system.
There is a video that describes this in detail on Microsoft's Channel 9 web site.
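The broker pattern this comment describes, modelled as an added example (not part of the original thread and not Microsoft's code): the low-privilege side can only submit requests, and a small broker checks each one against a fixed policy and a user confirmation before acting. The `Broker` class, the `save_file` operation name and the `confirm` callback are assumptions made for illustration.

```python
"""Model of a privilege broker: an unprivileged renderer asks, a small broker decides.

Constructed illustration of the pattern; all names and the policy are hypothetical.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    op: str            # operation the renderer wants performed on its behalf
    path: str          # target path, exactly as supplied by the untrusted renderer
    data: bytes = b""


class Denied(Exception):
    """Raised when the broker refuses a request."""


class Broker:
    # The broker understands a fixed, small set of operations (assumed name).
    ALLOWED_OPS = {"save_file"}

    def __init__(self, user_dirs, confirm: Callable[[Request, str], bool]):
        # Directories the user may save into, canonicalised once up front.
        self.user_dirs = [os.path.realpath(d) for d in user_dirs]
        self.confirm = confirm   # stands in for the confirmation dialog
        self.audit = []          # every decision is recorded

    def _resolve(self, path: str) -> str:
        # Canonicalise before checking, so ".." and symlinks cannot escape.
        real = os.path.realpath(path)
        for base in self.user_dirs:
            try:
                inside = os.path.commonpath([base, real]) == base and real != base
            except ValueError:   # e.g. different drives on Windows
                inside = False
            if inside:
                return real
        raise Denied(f"path outside permitted directories: {path!r}")

    def handle(self, req: Request) -> str:
        try:
            if req.op not in self.ALLOWED_OPS:
                raise Denied(f"unknown operation: {req.op!r}")
            target = self._resolve(req.path)
            # The user is shown the resolved path, not the renderer's string.
            if not self.confirm(req, target):
                raise Denied("user declined")
        except Denied as exc:
            self.audit.append(("deny", req.op, req.path, str(exc)))
            raise
        # "x" mode: create only, never silently overwrite an existing file.
        with open(target, "xb") as fh:
            fh.write(req.data)
        self.audit.append(("allow", req.op, target, ""))
        return target


def demo():
    """Send four constructed requests through the broker.

    Returns (outcomes, files_written); outcomes is a list of (decision, reason).
    """
    with tempfile.TemporaryDirectory() as root:
        desktop = os.path.join(root, "Desktop")
        os.mkdir(desktop)
        # Constructed "user": approves report.txt, declines everything else.
        answers = {"report.txt": True, "photo.jpg": False}
        broker = Broker(
            [desktop],
            confirm=lambda req, target: answers.get(os.path.basename(target), False),
        )
        requests = [
            Request("save_file", os.path.join(desktop, "report.txt"), b"ok"),
            Request("save_file", os.path.join(desktop, "..", "startup.bat"), b"x"),
            Request("run_program", os.path.join(desktop, "report.txt")),
            Request("save_file", os.path.join(desktop, "photo.jpg"), b"img"),
        ]
        outcomes = []
        for req in requests:
            try:
                broker.handle(req)
                outcomes.append(("allow", ""))
            except Denied as exc:
                outcomes.append(("deny", str(exc)))
        written = sorted(f for _, _, files in os.walk(root) for f in files)
        return outcomes, written


if __name__ == "__main__":
    results, files = demo()
    for decision, reason in results:
        print(decision, reason)
    print("files on disk:", files)
```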
The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog.
Per the same blog, the 20 March release of IE7 Beta is not vulnerable.
Caveat emptor... I haven't tested it.
In other news, Vista has been delayed, Google launched another beta, and fire is hot. More at 11.
Only idiots are still running Sendmail so you are right on the money; it is uniquely suited for comparison with the IE userbase.
Actually that's impossible for some people. I've tried using Firefox for the administration tool (in AJAX) of the webshop at work, and the memory leaks freeze up the computer within half an hour (restarting every 20 minutes is not a viable option, no, it's ridiculous). Only browser I can use is IE, Konqueror is out since we use Windows and Opera can't handle all the features.
Point me to an open source browser (or ANY browser for that matter) which can handle everything Firefox handles but WITHOUT the memory leaks, and I'm there. Until then, IE it is.
Here. Guaranteed not to be exploited by any javascript or plugin vulnerability. Or by any site that uses frames.
I'm just wondering, how long it will take, until our vigilant IT press has to publish "newly discovered holes in other system", minimizing the significance of this problem... ;-)
shall be named "alimony"!
DEAD DEAD DEAD DELETE ME
Wrong analogy. By hiding the exploit and announcement, it is more akin to denying that the illness exists at all and therefore they will be safer. It is bogus and backwards logic that ignorance is the best course of action. Warning people about the exploit is giving them a chance to don the "level 4 contamination suit" instead of continuing to play with fire.
Highly Critical Hole Found in IE
I can see three types of jokes that can come from this title:
Let me see if I can explain a few things.
A distributed denial of service attack is usually a consumption of resources that results in the service being unavailable for legitimate users. See Denial-of-service attack for a more complete explanation.
This is in contrast to a security flaw which leads to a compromised system. See security flaw for a definition.
Security flaws can be used in denial of service attacks, but it is difficult to tell from the Grid computing article if this was the case.
Finally, repeat after me. Sendmail is not UNIX. Sendmail is not UNIX. Sendmail is a program that is shipped with UNIX. An administrator may choose to run or not run the program. An administrator may use other mail transport agents.
Here's the summary:
Didn't we just have an article about MS wanting to go after Big Blue's business in the serious computer market? That they had spent 20 billion dollars on getting Windows ready to compete with the big boys and that IBM better look out?
Some MS fan boys of course swallowed that line hook, line and sinker. The same line MS has spun since it began business. "The next version will be lots better than what our competitor offers so please buy our [inferior] product now, we promise to ship the next version on time and as promised. Honestly. Have we ever lied to you before, or failed to meet a deadline, or failed to live up to our own hype?".
So the question by the poster of how this will affect MS in the market.
Not at all.
Simple as that. MS can keep producing crap and the public will continue to lap it up. I don't even care for the reasons and excuses anymore. They start to sound more and more like what you get at an Alcoholic Anonymous meeting or a session for battered wives.
As a LAMP developer I was recently offered a position with the opportunity to grow into .NET development. Gee thanks. What is the bonus package like? Kick in the nuts?
For those wondering what IE 7 and Vista will really be like. More of the same old crap just a lot more useless crap that nobody really uses but that adds a lot of bloat that makes it impossible to debug. IF IE 1 - 6 have been buggy security holes and IE 7 has so far had the exact same bugs and security holes as 6 then it is obvious that MS hasn't really done anything with that supposed security audit of theirs.
First WMF now this. Vista is just another re-release of the same crap code that MS has been lugging around since Billy boy first stole his basic interpreter.
Business as usual. No doubt they will make a fat profit on it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Memory leaks? What version of Firefox did you use? I've never had any problems with it since version 1.5. Try the Mozilla Suite if Firefox doesn't work for you, or maybe the W3C's own Amaya. . .
Is Opera 9 ever gonna get out of beta? I'd like to use it as my email client (WAY better on resources and responsiveness than that pig Thunderbird).
One of the funniest comments ever!
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
Except that this bug would not affect IE 7 in Vista due to the improvements in security that Microsoft trumpets and you so easily dismiss.
See my other post here: http://it.slashdot.org/comments.pl?sid=181121&cid=14982748
And while we're at it, shall we compare some of Microsofts newer efforts with LAMP, or whatever platform/software that you feel is so much better?
Let's compare IIS 6 with Apache. How about ASP.NET with PHP? Or even Windows 2003 Server with Linux. At the very least the data shows that there is no clear winner in some cases, and in other cases Microsoft comes out on top.
So rant all you want, but Microsoft is making progress whether you like it or not.
They keep (over a decade now) saying its going to be safe, are you a believer in ... it belongs there !
Web browser security summary
(As of March 23, 2006) "Internet Explorer has had 47 advisories. 11 were marked as moderately critical, 8 were marked as highly critical, and 5 were marked as extremely critical. There are still 36 open advisories, including 10 that were marked as moderately critical, 2 that were marked as highly critical, and 1 that was marked as extremely critical.
Firefox has had 24 advisories. 8 were marked as moderately critical, 7 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 open advisories, including 1 that was marked as moderately critical.
Opera has had 17 advisories. 10 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. All reported vulnerabilities have since been fixed."
Just one of the many reasons that I love Opera .
Did anyone notice this line in the blog that was attached to the original posting?
We're going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc.
-- Technet
So, I guess we should all avoid search engines and just stick to our bookmarks for a while, huh.
When I say we, I mean those of you still using IE...fools.
GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
IE: you suck :<
<IE>
Anyone who still uses IE is living dangerously. Firefox is like a condom for the internet. If you're surfing around without, you're just asking to catch something.
http://www.hollowdepth.com
Anytime MS is in the mix the result is always evil. That's the one absolute in the /. world.
Dear Sir, We regret to inform you that you have missed the boat on this particular joke. Please contact your local Slashdot branch for details of the next availability in sarcastic jokes. We look forward to our continued business with you. Yours, Slashdot
The good news is that at least we know that IE 7 is backward compatible with IE 6 vulnerabilities.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
a remote root exploit was found in Sendmail. You can bet everyone will praise how open source programmers find and fix these problems so quickly, but will say Microsoft sucks because that's how it's done around here. I'm gradually growing more tired of the OSS community because they continue to give Microsoft grief despite the fact that they are improving their product lines. Windows Server 2003 and many of the server products released after Server 2003 are pretty decent, much better than the old NT4 and Windows 2000 Server. If you haven't *actually* used these products and know what you're doing then you simply aren't qualified to say otherwise, things are better.
Also, when Microsoft announced they would be concentrating on security everyone assumed that meant everything they had at that moment was instantly more secure. Like a failing car company (ie, GM) it takes years for new products to get to market with all the promised improvements. I think Vista will finally contain the real work towards their effort to be more secure.
This hole will complain endlessly about your banal surfing habits and tell you that you are beginning to look a little fat. It's amazingly critical.
"Your superior intellect is no match for our puny weapons!"
for sure, I don't mean to be defending IE, but according to the original bug report (copied from Full Disclosure ML):
*******
I can't find any info on this delicious IE bug, but it seems to be publicly known:
r=document.getElementById("c");
a=r.createTextRange();
It will badly access a (virtual?) pointer table, making EIP to jump at a random address. This has various effects on the system I've tested with, including crashing. It works on these versions of mshtml.dll:
XP SP2: 6.0.2900.2802 - latest
WS2003: 6.0.3790.0
*******
So EIP goes to a random address, big deal. This is not exploitable unless you can allocate a huge chunk of memory and place lots of NOPs followed by the payload, then you've got to hope the random jump lands in that region. Not likely to work.
This is bad (crash) but not remotely exploitable (no worm on the horizon)
TODO: 753) write sig.
Ok, this bugs me. Critical definition (in this usage): being in or approaching a state of crisis. You can't be HIGHLY critical. It's either critical or it's not (unless you're subcritical, supercritical or prompt critical, but that's another critical). That's like saying it's really really really important when you know it's really really important already. Maybe it could be XTREMELY AWESOME CRITICAL GAPING MAW PREMIUM DELUXE 2006 instead. If you're going to butcher a perfectly decent language/grammar, go with the best: marketspeak.
Tool.
YAHCIESH pronounced: Ya, sheesh! (to spell it out for the impaired, and i count myself among you) Yet Another Highly Critical IE Security Hole
The Internet Explorer is a not so secret remote admin tool! (aka backdoor)
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
sorry, layers and layers of security over bad code/design (uncontrolled complexity) won't ever improve anything. Financially the company is amazing but technologically it's pathetic.
There is a funny symmetry between "layers and layers of security" and "lawers and lawers of azz-hole-protection".
This really makes me want to download IE7, being fully aware that it contains all of the same garbage and insecurity of its predecessor and all of the standards compliance of Opera 4.0. At least the folks at Mozilla fix their massive security holes in a timely fashion.
Security is all about having multiple layers, and not trusting each layer to get it right.
It works like this :
I.E. *always has been* and *always will be* vulnerable in ways that expose your data to remote sites and get you rooted.
Firefox is the same.
YOU MUST ASSUME THIS, ALWAYS
Get used to it, get over it and do something about it AT YOUR END.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
O'Reilly's in the closet about that? And here I was thinking it was blindingly obvious...
add *.windowsupdate.com and *.microsoft.com to your trusted sites.
You gullible, gullible fool : )
You can't take the sky from me...
I'm just waiting for the time when a bug in IE gets reported on Slashdot and 0 people post on its forum.
User Usage. Error 666: Please get an alternate/another/different/[insert logical and funny option here]. Please let's remember the last time we read about holes, and the time before that, and the time before that, and the time before dinosaurs lived that IE is bloated and really a patch work of mediocre ideas, that probably will never be anywhere near secure. If you are saddled with working with/for a site that is IE only, umm, err... Use IE as fast as possible, then shut it down.
Sig Hansen?
Well, technically it is. It visits web servers and parses their content. However, rather than displaying the content, it just logs and tallies which particular brand of webserver it is.
True. But just imagine if one of these users caught a nasty through one of the holes. They would rejoice at having yet another practical example to show to management to convince them that in the end it would be preferable if they were allowed to use Firefox or some other secure browser!
Here come eighty or ninety people who will: Link to Firefox, then be argued with by folks claiming Firefox doesn't have the holes found and talked about because it has such a small percentage. Then there will be the inevitable (and true) posts about how stupid the IE/Windows grafting is, someone will bring up Konqueror/KDE, that will be rebutted, and the rebuttal will be rebutted and so on and so forth, and someone will probably make a GNAA post or an ASCII goatse image. Someone'll probably complain about this story being a dupe or the grammar or something, there might even be a In Soviet Russia joke. There, I just saved everyone the time of reading this thread.
Bill O'reilly is a closet gay nazi.
He's the only news analyst on TV actually reporting on child crimes and trying to pass protective laws, while all the whining media liberals are off ranting on Bush some more and using emotive words like "Nazi" because they can't argue facts. History will remember the greater of the two.
I keep my Microsoft Windows XP SP2 desktop fully patched, combine that with my anti-spyware, anti-virus, anti-rootkit, adblocker, auto-defrag and 3rd party firewall, I'm completely safe. Bugs like this don't actually exist, and I'm protected from them anyway.
-- Microsoft Zealot
They do dabble in software, too.
Xenon, where's my money? -Borno
This is easy to verify from Microsoft's own documentation as well:
Beware: In C++, your friends can see your privates!
really? is it anything like LINUX? Linux Is Not Unix.
why don't MS just give up and stick firefox in windows as default browser.
here you go mr. gates use this as a press release:
"we have tried for a long time now to make a browser that didn't suck but we have come up short all the time, therefore we are now gonna ship all windows versions with firefox as default browser"
What a guy, Bill O'Reilly. One for the history books, no doubt.
Is this new bug a result of using C/C++? If it is, I truly wonder why Microsoft has not made a tool to automatically search its source code for bugs like this. They produce one of the best C/C++ compilers in the industry, and their tools are top notch. I find it unacceptable for a large company like Microsoft to still have bugs that relate to the nature of C/C++ (unbounded arrays, pointer arithmetic, non-initialized variables, etc).
Whatever they did would be limited.
I can't remember the last time I used Windows Update. Automatic Updates does most of what I used WU for, even more easily. If I want other updates, Windiz Update is very similar, but works in non-IE browsers.
A more elaborate message on the full disclosure mailing list mentions an existing, if unpublished, exploit of the remote code execution variety:
Computer Terrorism (UK) can confirm the production of reliable proof of concept (PoC) for this vulnerability (tested on Windows XP SP2). However, until a patch is developed, we will NOT be publicly disclosing our research.
Which is going to happen first, this bug gets patched, or Vista gets released to the masses? What new bugs are going to be discovered between now and when Vista is in wide release?
iepatcher and Mozilla Control.
iepatcher has to be run on every dll and exe on the system. That uses the IE activeX.
Also some programs don't work after this. Outlook does. MSN depending on version. Ie the DOM section of Mozilla Control does not match IE activex any program use these will play up if its expecting the IE layout. http://www.iol.ie/~locka/mozilla/control.htm.
Registry patch removes the rest.
After system is fine IE can be removed to back corner of the system only to be placed back for installs.
Note a modified mozilla control to overlay where the IE activeX is could also be built.
When IE 7 wants to save a file to the user's desktop, for instance, it must first "ask" the broker if it can do this. The broker is written in such a way that all actions require the user to confirm this is OK via a dialog box. If the user says it's OK the broker completes the action on behalf of IE 7.
Wait, so I right click an image, choose "save to desktop", and then a dialog will come up asking me if I "really want to" do that?
You know, my usual response to dialog boxes like that is something along the lines of: "No, I was just clicking that button for the hell of it. I didn't want to actually do anything." (with a nice sarcastic tone)....
If that's really what using IE (and Vista) is going to be like, well, damn, I'm just that much more glad I bought an iBook last month instead of a Windows-based laptop.
This is very true. Don't get me wrong, I'm a die-hard Firefox user and will NEVER return to IE with my 1337 internet powers bestowed on me by Firefox, but one must remember that Firefox also has bugs. The difference between IE bugs and Firefox bugs you ask? Firefox bugs don't make the front page and are not admitted to by Mozilla. Mozilla keeps their bugs quiet and fixes them silently, without informing the end user of their existence/fix. This is why it seems as though FF has no bugs.
Difference number 2: Microsoft patches their bugs, Mozilla lets them build up instead and waits until there're enough bugs to create a whole new version. Difference 3: MS sticks a lot of their bug fixes to the platform/interface in their updates/service packs so with Firefox, even people without the latest updates to the OS get their bug fixes.
This isn't news. "Major security hole found in MSIE" should probably just be a permanent notice at the top of pretty much any site - along with a link to the Firefox dl site.
Well, actually: Microsoft is rather consequently comparing the blueprint of their next product with competitors current product. "Vista is going to be better than current Linux/MacOS/...", "Next version of word will be better than current version of OpenOffice", "the next IE is going to be better than Firefox/Mozilla/Opera"... Of course, since their current version is usually vastly inferior when compared to competitors current version.
Hardly fair, but it does apparently work as magic on the masses.
Exploits for IE 7 will maybe not be able to install viruses (if the sandbox holds up to real attack, and that's a *big* if), but they will still be able to read all your history and cookies, spoof secure sites, even become memory-resident and steal any subsequently entered bank passwords or credit card numbers. You can't prevent them from doing anything that IE itself can do.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
So, has MS learned yet that ActiveX (I'm assuming Active Scripting is similar or the same thing) is "A Bad Thing" yet?
You assume incorrectly. Active scripting is what Microsoft calls VBScript and JScript/Javascript.
So Firefox/Opera/Safari/Konqueror suffer from the same "Bad Thing" by including Javascript.
meh
Disabling ActiveX doesn't help. The workaround is to disable active scripting. That will also disable everything in , , and tags. That means everything from Java applets and Flash to JavaScript (and therefore stuff like AJAX and most DHTML events).
In other words, the "fix" is to use your browser in 1995 mode.
The road to tyranny has always been paved with claims of necessity.
that's probably why I said :
"Firefox is the same"
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
As a LAMP developer I was recently offered a position with the opportunity to grow into .NET development. Gee thanks. What is the bonus package like? Kick in the nuts?
(SWITCH-NO-SNARK)A salary?
...that Microsoft aren't used to building things in a non-monolithic way.
If, with IE, they'd adopt the approach of not only putting strong barriers between it and the core of the operating system, but also making the rest of it modular as well, it would be a lot more secure.
Another thing that'd be a really big help would be to get rid of the registry. The Windows registry is by far the single worst idea I've ever seen implemented in any operating system anywhere...it completely sucks. It doesn't make life for users substantially easier than using ini files in any respect that I've observed. The only people whose lives it seems to make easier are virus writers...since they're able to store data needed for a virus to run without me being able to find it in some cases, given what a non-discoverable, semi-binary jungle the registry is.
I guess he's just shy about his addiction to skinhead porn, though it's pretty obvious. I mean, the only way to explain his behavior is suppressed homosexual urges or an addiction to prescription drugs.
The world's burning. Moped Jesus spotted on I50. Details at 11.
While the flaw in sendmail is very, very bad, it's not near as severe as IE's one. For one thing, I don't think the sendmail thing was out in the wild yet. There's already a patch. I'm guessing that most *nix computers will not be remotely exploitable out of the box, either because sendmail wasn't installed or because it was installed with a neutered config.
Also the target audience of these apps is different. Sendmail is normally installed and managed by sysadmins (indeed, the configuration is so convoluted most people can't touch it) who will be vigilant and patch this thing quickly. The target audience of IE is a regular desktop user. They tend to be pretty clueless otherwise they wouldn't be using IE. They also tend to dislike updating because it might break things, and they probably will never hear about this new bug.
Also, IE is far more widely deployed. What do you think is more newsworthy, a deadly disease that has infected a handful of people, or a deadly disease that has infected thousands?
Why don't you just watch the video. That's not what it's like at all.
Must be a slow news day............
Huh?
Systrace (assuming you're talking about this systrace; the link you gave me was broken) looks very impressive. I'd worry that there may be applications for which slowing double checking every system call would be a real performance hit, but the worst-case example the systrace developers benchmarked was a find command where running through ~60,000 files took 42 seconds instead of 30, and a web browser doesn't need to access ten thousand files per second.
I hope systrace gets taken up by more Unixes and Linux distributions soon, though; any sort of capability-reduction policy is best written by the programmers of the software it applies to, but that won't happen until systrace is as common as chmod. Remember my example of letting an application create a new subuser to run as? It wouldn't be hard for any system administrator to make that possible, but because it's not a standard Unix feature there aren't any programs written to utilize it.
Sigh...another IE exploit. Seems to me if a hacker really wants some bragging rights they'd start exploiting the patches. There are certainly enough of them out by now!
If Microsoft was the government of a country, I can just imagine the headlines in the newspapers: "President warns of flaw that allows terrorists to remotely blow up buildings, no plans to fix it for a few months" or something like "police, fire and rescue service will no longer be available for those owning homes built before 1950. Citizens are urged to upgrade to a new house. Please note that all building materials must be approved by the state."
LOL :-)
You're wasting your time telling them to watch the video. They're afraid to watch the video for fear that it might actually be good and they would have less to bitch about regarding IE7/Vista.
-- "I never gave these stories much credence." - HAL 9000
"Next version of word will be better than current version of OpenOffice"
Please cite even ONE example of Microsoft saying that the next version of Word will be better than the current version of OpenOffice in such a way as to suggest that they think that the current version of Word is inferior to the current version of OpenOffice. Last I heard, Microsoft was saying that OpenOffice is more than 10 years behind MS Office, saying that Open Office is about where Office 95 was. Your other points are shaky as well, but the Word vs OpenOffice point is ridiculous.
-- "I never gave these stories much credence." - HAL 9000
Or maybe I was just going by what the parent poster was saying... Sorry for assuming his description even remotely reflects reality in some manner or another.
we want a divorce!!! now!
The blog spoke about Active Scripting not ActiveX.
Not sure if the former is needed for windowsupdate though.
- Peder
Since when has any sort of security that requires people to click Ok or Cancel ever actually worked on Windows? You get so inundated by bloody Ok windows, that most people I've seen working on a fairly securely set up Windows, will still just click Ok without ever reading anything (unless they can read 7 lines of text in 0.5 seconds).
Splut.
Coz eternity my friend, is a long *ing time.
"And would the divorce of IE7 from Vista's Windows Explorer help?"
Of course it fucking won't.
Vista does have things that will help (such as running IE as an unprivileged user) but separating IE from Explorer will not do a damn thing, because it's never been a cause of problems.
If I can exploit IE to run arbitrary code, or read or write files from places it shouldn't, the file manager/shell of the OS doesn't matter a jot. Consider, there is not one single IE exploit that would be mitigated by the use of a shell other than Explorer.
The whining about the "security" implications of the integration has never had any basis in fact.
agreed but the point is you cannot protect flawed code. layered design (with the inherent security) is one thing, layered protection makes no sense ...
empirical proof: all those AV have to keep changing constantly to compensate for flaws and they do impact performance
I had a highly critical flaw once... My ex-spouse.
"Highly Critical Hole" ?
http://instantbadger.blogspot.com
It's also worth noting that this year marks ten solid years (and counting) of Internet Explorer being insecure ... arguably it's Microsoft that makes itself look bad, they don't need anyone's help.
IE 6: only 1 month in the last 3 years when it hasn't had an unpatched vulnerability; 15% of holes "extremely" critical; 30% give system access; currently 4 unpatched holes.
Mozilla 1.0: no unpatched vulnerabilities about half the time; 4% of holes "extremely" critical; 20% give system access; currently 0 unpatched holes.
I know which I'd rather use.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
2. Firefox has an update system that on average every two months automatically patches bugs. Many people complain that the updates come out too often.
3. The latest version of Firefox works on Windows 95 and 98. The latest version of IE requires Windows 2000, XP, or Vista.
Oh, I see, IHBT! Silly me!
What a fool believes, he sees, no wise man has the power to reason away.
No it's not. Sendmail is installed and managed by sysadmins when required to do so by company policy or a legacy setup that they don't dare touch.
Anyone who voluntarily decides to use sendmail, in this day and age, for no reason deserves getting hit with whatever bugs still lurk in that marvelous pile of crap. Sendmail continually gives open source software a bad name with its bugs.
Use postfix, I love it. Use exim, I've never used it but I heard it's very good. Use courier, if you can get around their package-building anality. Hell, use qmail, but be sure to find a patch version.
Do not, for the love of God, use sendmail. I don't care if it's the 'standard'. The standard is walking, but I have no sympathy for people who decide to walk down the middle of the highway.
If corporations are people, aren't stockholders guilty of slavery?