Web Site Attacks Against Unpatched IE Flaw Spike

An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."

Lets say it together:

[gerbalblaste]

Use Firefox

Re:Lets say it together:

[mOOzilla]

This is not enough, when you use other applications for example Yahoo Messenger or MSN Messenger (just examples, there are others) that take a dependancy on the COM components that IE also uses you are vulnerable too. This is why it is just as important to have the IE patches even if YOU do NOT run IE! Other applications that have taken dependancies on it WILL still need to be patched.

Re:Lets say it together:

[hackstraw]

Also, being that it is now 2006, maybe we should stop using usernames and passwords for authentication or at least exclusively using them.

The best I have seen passwords work is at Bank of America's online banking.

I don't know the details, but I'm guessing it stores a cookie on your machine if you tell them its your normal computer. If that cookie is not found, then the site will show you a picture and a user defined caption for the picture to prove that the bank is my bank. It then asks me one of 3 or so questions I set up to verify before going to the password screen.

I just went to the brick and mortar bank today, and showed them my bank card as my ID. No password required. Hmm...

Re:Lets say it together:

I used to use Firefox (0.7.x - 1.0.7) until the number of security flaws started spiking up (no doubt due to its popularity).

I'm now using Opera which has a much better security track-record. Thankfully, I found I like using it a lot more than any other browser. Too bad it isn't open source--it would be great if some of Opera's features got copied to other browsers like Firefox and Safari.

Re:Lets say it together:

[outsider007]

They still use passwords the same as always. The picture they show is just an anti-phishing measure that probably doesn't work very well (you have to remember that you're supposed to see some picture). Anyway it obviously won't protect you from this kind of attack.

Re:Lets say it together:

[outsider007]

Better yet, use Firefox and some Anti-virus software. Especially if you surf porn on the pc you vpn in to work from.

Re:Lets say it together:

This is really a Windows only problem. Use http://kanotix.org/ Debian based Linux :)

Re:Lets say it together:

OK here's another article regarding this problem.
http://www.theregister.com/2006/03/27/another_ie_s ecurity_flaw/
Anyone surfing the WWW with Active Scripting in the Internet Security Zone of IE turned on is an idiot. Under Tools/Internet Options click the security tab, double click the Internet Zone scroll down to the bottom of the settings and disable Active scripting. If you trust a site like /. then add it to your trusted sites with Active Scripting enabled. Did you hear that Reaz Chowdhury!
In other news many security firms have stated, Firefluff isn't any better at security than IE and in many cases is even worse. The difference is, there are to few Firefox users to merit the hassle of targeting that browser. It doesn't have anything to do with patches, because your Mom, Grandma and Uncles aren't running the latest most secure Firefluff patched browser either.

Re:Lets say it together:

>The best I have seen passwords work is at Bank of America's online banking
So, ... What are the higher standards of your data Champion?
opinion->Last time I checked, a Pin of 4 characters would only meet elementary school standards.

"What is an Access ID and what will it allow me to do? An Access ID is a code comprised of 6 to 20 numbers. A PIN is a code comprised of 4 to 7 numbers. When those codes are used together, you can do all of the following by telephone, PC or in person: (1) obtain information about your accounts (2) transfer funds between your accounts (3) obtain other services, such as stop payments, check reorders, or copies of checks and statements.
©2001 Bank of America Corporation."

Source Bank of America http://www.bankofamerica.com/accessiblebanking/pdf /91-11-2500B.pdf
This doc is webbot enabled btw: eg if you view the pdf block adobie outbound packets cause some one is watching.

Ugh

[Wizardry+Dragon]

I know this is Slashdot, but can we at least have a gramatically correct headline?

Re:Ugh

[kevin_conaway]

Whats wrong with it? I've noticed attacks against the Flaw Spike too.

Re:Ugh

[Valdrax]

Normally, I let my sig do all the griping for me, but this is really bad. It look me three tries to understand what the title was saying. Try the following for maximum clarity:

"Website Attacks Against Unpatched IE Flaw Spike"

Actually, this would be even clearer if you put the verb before the prepositional phrase:
"Website Attacks Spike Against Unpatched IE Flaw"

It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.

(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)

Re:Ugh

[dotpavan]

spelling Nazi criticizing grammar nazi :)

Re:Ugh

[MustardMan]

I don't really care for correct grammar - but for fuck's sake, can we at least have something somewhat comprehensible?

Re:Ugh

I didn't have any problems, guess I must be one of those luck people who can understand things and not just take them blindly at face value.

Re:Ugh

[hey!]

I know this is Slashdot, but can we at least have a gramatically correct headline?

That's a result of the well known TCP/IP property of out order packet delivery and a bug in slashcode. The actual title should read "Satanist geek act: balances a wife with kit pups." The article somehow got lost; it was about a company that's offering an AIBO replacement in kit form in exchange for souls.

Re:Ugh

That's why they lost WW2.

Re:Ugh

didn't have any problems, guess I must be one of those luck people who can understand things and not just take them blindly at face value.

How very luck for you.

Re:Ugh

"I didn't have any problems. I guess I must be one of those lucky people who can understand things and not just take them blindly at face value."

Fixed.

Re:Ugh

[Feanturi]

Is that where the pot calls the kettle stupid, culminating in a fist-fight?

Re:Ugh

[Sabaki]

I thought that was what grammar was for...

Re:Ugh

[patternmatch]

It's unclear because both "spike" and "flaw" can be verbs or nouns...

Since when can "flaw" be a verb?

Re:Ugh

"I didn't have any problems; guess I must be one of those lucky people who can understand things and not just take them blindly at face value."

Fixed correctly.

Re:Ugh

[Jtheletter]

Since when can "flaw" be a verb?

from dictionary.com: http://dictionary.reference.com/search?q=flaw

tr. & intr.v. flawed, flawing, flaws:
To make or become defective.

Re:Ugh

[thePowerOfGrayskull]

I know this is Slashdot, but can we at least have a gramatically correct headline?

Don't ask silly questions.

Re:Ugh

[PitaBred]

Or you just don't read well, so nonsensible and sensible things take the same amount of time for you to comprehend.

Re:Ugh

[zerocool^]

Godwin explodes. Details at 11.

~W

Re:Ugh

[CODiNE]

luk aite 2 me

Re:Ugh

[JohnGalt00]

(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)

CmdrTaco has stated explicitly that it's not the editors job, either. :-)

Re:Ugh

[cbiltcliffe]

I guess you parse English about as well as IE parses HTML, then. Seriously borked, and you'd never know it.

Don't feel bad. I didn't even notice the mistake until the GP pointed it out and I went back to check. Then I was like "How the hell did I miss that?"

Normally I'm pretty picky about speelung/ghramhur, and don't make those kinds of mistakes myself, but I guess I've read so much /., I'm immune to it, now....

Yet another thing to add to the list of "You know you read too much /. when:" :-/

Re:Ugh

[helicologic]

In English, all nouns verb.

Re:Ugh

"I didn't have any problems; guess I must be one of those lucky people who can understand things and not just take them blindly at face value."

Fixed correctly.

Was he commanding us to guess that he must be one of those lucky people? Otherwise, the "I" needs to be there.

Re:Ugh

"I didn't have any problems; I guess that I must be one of those lucky people who can understand things, and not just take them blindly at face value." Closer?

Re:Ugh

[pipingguy]

You mispelled "broked".

Re:Ugh

I don't really care for correct grammar - but for fuck's sake, can we at least have something somewhat comprehensible?

Comprehendible?

Re:Ugh

[MustardMan]

http://www.m-w.com/cgi-bin/dictionary?va=comprehen sible

Re:Ugh

[ClamIAm]

And there's a typo in your sig. OH THE IRONY.

Porn sites

[teshuvah]

That's what you get for looking at porn when you're supposed to be working!

This is becomming not funny

[zappepcs]

And still MS is not releasing patches quick enough... perhaps this will be incentive enough to change that policy?

Re:This is becomming not funny

[MSFanBoi2]

How? How can Microsoft make the changes quick enough? They have to do MASSIVE regression testing. That takes time.

Re:This is becomming not funny

[kpainter]

"They have to do MASSIVE regression testing." Ahhh, that explains it. It must be working because IE regresses with each and every day.

Re:This is becomming not funny

[mOOzilla]

Very FEW bugs are found by REGRESSION they have also Virtual PCs with various patch levels as a way to DISCOVER bugs. Most bugs are found not by running tests over and over and over its in the DISCOVERY phase. This was not REGRESSION (a bug reactivated due to a change elsewhere - a sideeffect). Since you love WIkipedia here is a link http://en.wikipedia.org/wiki/Regression (A re-introduction of a defect into a later revision of a product).

linking=vouching for

[Douglas+Simmons]

You'd think that websites would only link to sites they found interesting (or I suppose were paid to link). People just don't head for these nefarious sites unreferred. So how do these sites get hits? Are they Good sites that have just been compromised?

Re:linking=vouching for

[FooAtWFU]

Google?

Re:linking=vouching for

[delirium28]

From TFA:

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of a unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.

Re:linking=vouching for

[99BottlesOfBeerInMyF]

So how do these sites get hits? Are they Good sites that have just been compromised?

The most common scenario right now is a server is hacked, then e-mails and IMs are sent out with links to it. I don't know of any really popular sites that have been hacked to include this.

Re:linking=vouching for

[Machina+Fortuno]

You can always tell what a site is from the URL ya' know! Also... the article mentioned that this was a home computer that was infected. This of course means that along with just business, the computer is used for other things - if not even by other users (wife, kids, etc.). Google... yeah thats a big one. When people use search engines, they many times blindly except whatever link it is to be safe (hehe... I'm guilty). E-mail! A-hah! Someone or something that you trust gets infected, and sends you something automatically... and well, the rest is history. IE? Bah!

Re:linking=vouching for

[Sqwubbsy]

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked

<slashbot>Lemme guess what those sites were running...
*chortle*
*snort*
*chortle*
</slashbot>

Re:linking=vouching for

[I'm+Don+Giovanni]

Many times, anonymous posters post links to bad sites on message boards, blogs, discussion threads (e.g. slashdot) in the guise of links to something relevant to the topic being discussed.

Patch released!

[spaztik]

Download here:
http://www.mozilla.com/firefox/

Re:Patch released!

Alternate patch link here

Re:Patch released!

Ha ha ha. Amazing! That comment is both funny and original! Kudos!

Re:Patch released!

Sigh, yet another case of the cure being worse than the disease. I happen to enjoy having some free memory to use for other applications. Running a web browser that has ambitions of being an application environment just doesn't appeal to me.

Of course, you could also use the one browser that's been innovating the field. Running Opera is like seeing the features that Mozilla will steal five years from now.

Re:Patch released!

Uh yeah, except Firefox still renders better than Opera.

Re:Patch released!

[roman_mir]

Are you the same guy, who keeps doing this over and over, or are you different people? (not that the question is grammatically correct, but you know what I am saying)

Re:Patch released!

[cortana]

I hope the Firefox of tomorrow won't have its own garish skinning system and use MDI, then. :)

Legislation Needed?

[RunFatBoy.net]

I understand that there will be bugs. BIG gaping security holes will happen.

I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?

Jim http://www.runfatboy.net/ -- Exercise for Web 2.0

Re:Legislation Needed?

[teshuvah]

I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps. so if you're caught using it via the monthly scans, you're forced to uninstall it.

Re:Legislation Needed?

[OmegaBlac]

I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

Maybe the U.S. Air Force needs to take the initiative themselves and find some other browser to standardize on such as Firefox or Opera. The US Air Force, I'm sure of it, has knowledge of Internet Exploiter's abysmal security yet because of the so-called benefits of ActiveX and Microsoft's lobbying efforts, the US Air Force only has themselves to blame for using such insecure software. Why wait for Redmond to get up off their asses to fix IE security problems--we are talking almost 20 unpatched/unfixed vunlerabilities for the past couple of years--when you can be using a solution (Firefox, Opera, anything but IE) that at least, at the minimum has a better security track record then IE and timely patching of their software?

Re:Legislation Needed?

[value_added]

Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

Sure. But like our Commander in Chief said recently with respect to the ports management fuss, we have to balance the interests of natonal security with those of commerce. Achieving a similar balance with individual rights and freedoms, on the other hand, I guess is out of the question.

The moral of the story is that if you're a big company or a monopoly, your interests count. Unless, of couse, you're a member of that small but increasingly vocal minority that actually bothers to vote and can exert some influence on what your elected representatives do to earn their keep.

Re:Legislation Needed?

> I work on an air force base

You've got bigger problems than just which browser you have to use, I'm sure.

Re:Legislation Needed?

[jmorris42]

> If there are over 160 million+ computers in the US alone, and 90% of those PC's use
> Internet Explorer, how can the US Gov. not justify action in insisting these issues
> be resolved promptly?

No, how about secure sites take responsibilty for their own incompetence. Both Windows and IE are licensed (and on large sites it really is a license and not a sale) on a general disclaimer of all warranties for suitability to purpose, security, etc. Add in a decade long record of having more remote exploits per year than sendmail's worst year and any IT organization using Windows in general and IE/Outlook especially should be mass terminated for cause, said cause being their choice between gross incompetence and willful disregard for national security.

From a security perspective ANYTHING would be an improvement over deploying Windows/IE/Outlook, OS/2 + Mozilla, Old PowerMacs running OS 9, anything. So any site where security is important, such as the US Military, Department of Homeland Security, etc. deploying the standard Win crap has only itself to blame. Yes saving money by buying COTS is a good thing, but only when it doesn't compromise national security, and if anyone can make an argument that buying Windows isn't risking national security I'd really like to hear em make the pitch.

Re:Legislation Needed?

[sedyn]

I view software as a contract. In open source, if you view code and find problems then you should try to have the "contract" updated. If you do not find problems on a pre-emptive basis yet they exist then you are SOL. Think that is unfair to non-programmers? If I signed a large/vital contract without a lawyer's assistance and got screwed, would I get much sympathy, let alone any legal recourse (would I even get legal recourse if I had a lawyer)?

This means that in closed source, the developers are the "lawyers" who proof-read the "contract". Though, agreeing to a secret contract may not be the best idea (not like I've read the Linux/BSD/* source), but that is another issue.

This means that we have to trust the developer's judgement. In this case, we have to trust that the developers will fix it as soon as possible. If that is legislated then rushing may occur to meet deadlines, possibly leading to more bugs.

I think we should hold companies responsible for errors, where a EULA cannot absolve them from the responsibility provide the services that they promised at the time of purchase, let alone any loss/theft of data. If managers had to factor in "cost of bugs" then I suspect developers would be given more time/resources to fix problems.

Re:Legislation Needed?

[SysPig]

Yeah, yeah...off-topic, but there's no relevant place to post this.

Mods - please don't reward the pricks who intentionally bypass Slashdot sigs, choosing instead to put their crap in the body of their posts so everyone has to look at it. It's fucking SPAM, plain and simple.

Re:Legislation Needed?

[hackstraw]

I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps. so if you're caught using it via the monthly scans, you're forced to uninstall it.

Cute. The government appears to be pretty stupid about security. Lets subpoena Google and let them spy on the people for us, yet the DOE and other government agencies typically get Ds or Fs when it comes to security. Proof that they are confused:

    http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#o peratingsystem

OS X 10.3.6 is listed EAL 3, but Win 2000, 2003, and XP are EAL 4? No mainstream UNIX systems are listed.

I don't know much about security accreditation nowadays (FIPS, EAL, and others). All I know is that I know my systems and my own privacy are much more secure by staying away from Microsoft software. I've never had a compromise, virus, spyware, malware, or anything on any of my Linux, Solaris, or OS X since 1994. I did get a virus from a floppy that a roommate brought from a computer lab on Windows 3.11 back in the day (Monkey boot sector virus).

Re:Legislation Needed?

[lightspawn]

I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps. so if you're caught using it via the monthly scans, you're forced to uninstall it.

So... when exactly do these scans take place? And can a job be scheduled to uninstall/reinstall automatically?

Better yet: if you just copy Portable Firefox to the hard drive, or even run it from a CD / USB drive, does it still get detected?

The big issue, of course, is why you're forced to use insecure software, but you may not be able to do anything about that for the time being.

Re:Legislation Needed?

[hughk]

In an orgnisation, I can understand the need for 'approved' applications. However, one of the more enlightened banks that I worked at had Opera and Firefox available, officially to support alternate browsers for customer access. Unofficially many IT staff installed alternative browsers and it meant that there was no monoculture thus reducing the banks vulnerability.

Re:Legislation Needed?

[couchslug]

Same here, except even Portable FF won't connect when identifying as IE.
Opera USB works fine. Sad that running an easliy exploitable browser is
mandatory. I use the internet for legitimate work such as hunting down suppliers
for adhesives, safety equipment, spill management kits, etc. No way to know if those sites are 0wn3d. Air Combat Command is pretty much taking over base network management functions. Too bad they don't blow away Windows and use Linux. It would be easy enough to mandate, just like the conversion TO Windows from the old Unix terminals.

Re:Legislation Needed?

[zbyte64]

Yes, cary a USB drive into a "high" security building.....

Re:Legislation Needed?

[tqft]

If the firewall admins are doing their job they should see a different useragent string on their logs as your traffic passes through the firewall.

Even if the program is on a CD or USB drive.

User Agent Switcher (a ff extension) may help here but is not proof againt a truly paranoid security admin.

Re:Legislation Needed?

Psst! Buddy! Grab the Firefox ZIP file from Mozilla's FTP server and a copy of the User Agent Switcher plugin. That should do you for getting FF to work past the proxies. For the ultra-paranoid, you can rename the firefox.exe file to something a little less obvious, though I'm sure they're just checking the "installed programs" list.

Disclaimer: you'll likely end up with a slightly different FF version than the public releases if you go with the nightlies. Poke around the FTP server for best results.

Re:Legislation Needed?

[Information+Architec]

Hmmm....If someone walks up to me and kicks me in the gonads, does everyone get on my back for not wearing adequate protection while walking in the street? Or do we assume the liability to prosecution weighs heavier on the asshole who kicks me?
Why in the sole area of Internet security is the onus on the user having to protect him/herself rather than going after the assholes who pollute the space with such dangerous crap?
Legislation? Yeah: making sure anyone holding rights to an operational domain is legally identifiable and liable for what they do, would be a great start...

That why I stay with #2 or #3

[jellomizer]

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software. The #2 and #3 have enough features to be useful but gets less attention then #1. Use Linux or OS X instead of Windows, Choose Opera, Firefox, Safari over IE. No it is not a fixed in stone rule but I find it helps me out more then it hinders me.

Re:That why I stay with #2 or #3

[Machina+Fortuno]

Exploits, viruses, hacks, etc. are made with the intent of abuse. Why would someone waste their time finding a hole in something that 10% of the population uses when you find an easier target with 90%. It isn't that Firefox/Opera/Safari isn't 100% safe... just that people don't go after them quite as much.

Re:That why I stay with #2 or #3

[tpgp]

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software.

Indeed - I do likewise, which is why I choose to run IIS (tm) on all my webservers, having a lower profile then Apache has made it far less likely to be attacked.

Seriously - whilst there is correlation between popularity of a project & number of attacks, there is no link between popularity and number of vulnerabilities.

A well written application is a well written application, regardless of popularity (look at openSSH).

Re:That why I stay with #2 or #3

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software.

So your best security advice is to run IIS?

Re:That why I stay with #2 or #3

It's always a good idea to try and reduce your attack surface as much as possible, but what you're suggesting shouldn't be the primary concern.

The browser isn't the reason why malware gets installed onto your machine, it's the means by which is gets there. The actual reason why is that people who should know better keep using an administrative account on Windows.

Does the fact that I use IE make me more vulnerable than you because you use FireFox? The knee-jerk Slashdot opinion would be "omg! you suck!", but in reality I might actually be better off than you are since I never log on with an administrative account which means that despite all the gaping holes in IE 99.9% of malware simply won't be able to install itself because it assumes it'll have full access to the system (http://isc.sans.org//diary.php?storyid=1221 - Installs itself under the windows directory).

If I decide to visit some dubious site, I can right click on IE, "Run As" and pick the "Protect etc" option and it won't even have access to any part of the file system or the registry. Sure, it's a hassle, but it's an option that even Firefox lacks (or at least the last time I checked, Firefox wouldn't run under the restricted permission set since it assumes it'll always have write access to certain directories).

Despite my tone this isn't actually a rant against Firefox or a claim that IE is perfectly safe, but the bottom line is that security starts from the bottom up and your choice of browser is one of the last things that'll make much of a difference.

Program X might have a better track record than program Y but the odds are that sooner or later it will have an exploitable vulnerability and unless you planned and prepared for that by making sure the impact will be low to zero you're only kidding yourself as far as security is concerned.

Re:That why I stay with #2 or #3

[rabel]

Reminds me of one of the developers I worked with many years ago. Out of the blue, he announces he is getting married. Nobody was really "tight" with this guy, so this wasn't all that shocking. However, he brought his new bride into the office a couple of weeks later, after the honeymoon. She wasn't all that attractive, to say the least. Anyhow, in casual conversation he takes it upon himself to mention that, "I know she's not the most attractive woman out there, but at least I know other men won't be tempted to steal her away."

This is a true story. So, keep dating those wallflowers and using those obscure O/S's, boys! It's SAFER that way!

Re:That why I stay with #2 or #3

[Ambush]

You know, I've heard that Holden is the most popular brand of car in Australia, so I drive a Ford. I figure I have less accidents this way.

Go figure.

Re:That why I stay with #2 or #3

[bronaugh]

sshutup-theo

Anyone -else- recall the OpenSSH exploits ca v3.4?

Re:That why I stay with #2 or #3

[isorox]

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software. The #2 and #3 have enough features to be useful but gets less attention then #1. Use Linux or OS X instead of Windows, Choose Opera, Firefox, Safari over IE.

Instead of Apache use IIS

Re:That why I stay with #2 or #3

[The+Raven]

Will you switch to IE when Firefox passes it in popularity, and IE falles to #2?

Re:That why I stay with #2 or #3

[bunratty]

It isn't that Firefox/Opera/Safari isn't 100% safe... just that people don't go after them quite as much.

No, it's not just that people don't go after other browsers quite as much. Most of the time, only Internet Explorer has known highly critical security flaws. From this chart you can see that IE for Windows has had a known highly critical vulnerability for over two years. Currently, the only other browser that has such a serious flaw is Mozilla, and that's been for less than two months — and that flaw will be fixed in a week or two with the release of Mozilla 1.7.13 (or you could use SeaMonkey 1.0 instead of the old nearly abandoned Mozilla).

It's true, other browsers are not 100% safe, but you're much less likely to get hit by an exploit with other browsers even if hackers go after them, because they just don't have as many vulnerabilities, they're not as serious, and they're patched faster on average. Of course, being less popular than IE means that hackers go after them less, too, but that's hardly the only reason they're safer.

You're still not 100% safe using other browsers — you still should also use firewall, anti-virus, anti-spyware, and anti-adware programs, as well as not download executables from untrusted sources and practice other common sense safe practices, to minimize your exposure to malware.

Now that's a solution!

[zubinjdalal]

FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

Sure I could guess but which ones exactly would those be?

Re:Now that's a solution!

[tinkertim]

I'm guessing Mozilla is at the top of the list ...

Re:Now that's a solution!

[thewils]

My guidelines for using IE are that if I didn't write the site myself, I use Firefox to browse it.

Re:Now that's a solution!

[moochfish]

Sure I could guess but which ones exactly would those be?

Don't worry dude, you'll know soon enough.

Re:Now that's a solution!

[Dhalka226]

Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

It's so sad. The Internet (well, the WWW) is all ABOUT unfamiliar web sites. That's how we discover and learn. We're not going to know (abstract or specifically) who runs alot of the websites we visit, and any number of them could be hosting malicious crap, or fantastic insight, or both.

It shouldn't be like that. People shouldn't have to be afraid of browsing the web. Microsoft, fix your fucking browser already. "Don't go places you don't know" is a lame solution.

Re:Now that's a solution!

[advocate_one]

Sure I could guess but which ones exactly would those be?

dunno, but siteadvisor gives me a nice green tick in google search for those that are supposedly safe... ooh you're in luck, there's an IE version as well as a Firefox one... but I wouldn't know if it was actually safe to visit them using IE

Re:Now that's a solution!

[erroneus]

That's all well and good until you visit a site that has quietly been compromised. The people who compromise web sites for fun generally deface the site in some way. The people who compromise sites for profit or other gain don't generally change the appearance of the site, but instead insert the exploit code among the familiar "safe" pages of information. So one day the page is known safe and familiar and the next it's not. That's part of the problem.

Microsoft's advice is invalid to that end.

Re:Now that's a solution!

[zubinjdalal]

Who's to say we should trust siteadvisor?

Re:Now that's a solution!

[mpe]

FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...
Sure I could guess but which ones exactly would those be?

Wonder if *.microsoft.com is on that list :)

"... said he's not sure which site he browsed..."

[UberOogie]

*cough*porn*cough*

Ugh

[ZombieRoboNinja]

I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?

*sigh*

[bigattichouse]

Hmm.. I use firefox.

I have probably made over $1000 in the past year in $35.00 incriments just running adaware, hijackthis and spybot for people around town, and then recommending firefox. Probably 10 times that amount for my commercial clients.

I used to run them on my box all the time, until I put firefox on... now I run them once a month or so - mainly for giggles and a healthy dose of paranoia. Clean.

When will they learn?

Re:*sigh*

[jacksonj04]

Because IE doesn't meet the standards. Firefox isn't perfect, but it's a lot closer than IE.

The majority of new browsers (NOT browser installations) are heading towards full standards compliance, so it is in fact IE which is the odd one out despite having the largest slice of users. Since developers get pissed at having to design specifically to work around IE's problems, MS is now seeming to make an effort to meet standards with regards to CSS etc.

Re:*sigh*

You know, silly stuff like web standards. Stuff only linux hippies care about. They will not make your life easier as a web-admin, contrary to poular belief. Keep paying us at microsoft^H^H^H^H^H^H^H^H^H^H^H^H keep using IE and you'll be fine. It's not like we^H^H microsoft is using web-developers like you to lock in people. Keep up the good work!

Re:*sigh*

[Cal+Paterson]

Because it's wrong damnit. Read up on web standards. That is what you should follow when you design a web page. If you're smart you can also use html tidy to fix your broken code in most cases.

Re:*sigh*

[MasterC]

So why don't they program firefox to render pages the same way IE does it?

I'm just flabbergasted at the thought that I'm not even sure where to begin on a reply. What you are asking...is basically asking them to...break...firefox. I'm all for demolition and breaking stuff just as much as the next guy but that's usually in the name of progress and I see little "progress" in such a proposal.

As lame and well-used as it is: what you're proposing is for the firefox developers to jump off a bridge just becuase 90% of the people are doing it...

By no means am I saying firefox is perfect, but....damn dude.

Re:*sigh*

So why don't they program firefox to render pages the same way IE does it?

You and 90% of the people who visit your website are depressingly stupid. Get off the internet.

Re:*sigh*

[Professor_UNIX]

Since over 90% of visitors use IE, I have to design the site for IE.

So why don't they program firefox to render pages the same way IE does it?

Because IE is displaying them incorrectly and is not standards compliant. Just because Microsoft's calculator application says 2.45+2.45=5 doesn't mean it's correct. The most intelligent thing you could do is write your web pages for Firefox and then have Javascript that munges the IE-specific parts so it displays "correctly" for users using the broken IE browsers.

Re:*sigh*

[Run4yourlives]

Sigh indeed.

So why don't they program firefox to render pages the same way IE does it?

Because that's not the standard. Firefox (and pretty much any other browser) follows the W3C recommendations closer than IE. IE is the crappy one. Take your frustrations out on them.

Considering IE7 will fix a good deal of bugs IE6 has, you may want to consider learing to code to standard as well... considering that "desiging the site for IE" now consitutes designing for 4 different rendering styles itself (5.01, 5.5, 6, 7)!

Re:*sigh*

[makomk]

So why don't they program firefox to render pages the same way IE does it?

To be honest, between all the bugs, quirks, and unexpected behaviour I doubt even Microsoft could program a web browser that renders pages the same as IE does. (Hell, whenever they release a new version, webmasters always seem to complain about it breaking their pages, and IE 7 probably won't be any different - but they have to live with it).

Re:*sigh*

[HUADPE]

If you are having problems rendering pages, you can use the IEtab extension to Firefox. It renders the page by imbedding IE into Firefox. See it here http://ietab.mozdev.org/

As far as "So why don't they program firefox to render pages the same way IE does it?" there are 2 reasons.

#1) IE sucks at rendering things. (Try the ACID2 test if you don't believe me)
#2) IE is proprietary, they can't get the source code (legally).

Re:*sigh*

[MMMDI]

Just because Microsoft's calculator application says 2.45+2.45=5 doesn't mean it's correct

The sad thing is, I actually had to try that. Says a lot for their reputation, I suppose.

Re:*sigh*

[BeerCat]

Microsoft's Calculator is actually 2 distinct calculators (at least the XP one is)- the order of calculation varies depending on whether you have "Basic" or "Advanced" view:

4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.

(FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)

Re:*sigh*

[user24]

oh my god. that is just....
wow.
you'd think that clicking something under the VIEW menu would, you know, change what you can see. Rather than changing the basic way in which the calculator works.
I still can't believe this.

"Hello, Microsoft Support"
"yeah, I've got a problem with the calculator"
"ok"
"yeah, sometimes when I type an equation in, it gives me one answer, but other times it gives me a different answer"
"oh yes, that's right sir, the calculator gives you different answers depending on which buttons you can see on the screen...."

Re:*sigh*

[isorox]

Since over 90% of visitors use IE, I have to design the site for IE.

Perhaps for your customers. Firefox use is higher at weekends (home computers, people have a choice rather than corporate lock in), and higher in more technological countries (Scandanavia for example)

Sadly for me, the UK is a microsoft bedfellow, but elsewhere in Europe you'll find about 1/3 use firefox in countries like Finland, Slovenia, and Germany.
reference

Of course that's at the weekend when people have a choice.

If your site doesn't work in one of the dozens of standard browsers (will it work in IE7? Does it work in IE5?) you wont get many readers. I haven't been to the Odeon website in years for that reason, and of coruse that means I haven't been to the Odeon cinema either, but if you're happy throwing away 20% of your customers that's fine by me.

Whats wrong with designing a site that works in all browsers anyway? Use advanced features available in Firefox, Opera, Safari etc (all of which were last updated this century), and have a graceful fallback to browsers from the 90's like lynx and IE.

Re:*sigh*

[isorox]

There is always one little thing that looks different in Mozilla than in IE

So? I bet it looks different to people with super-large fonts and black on white contrast, or screen readers (I suspect unintellegable for the later group). Still does the job though. You're designing a webpage, not a pamplet.

How do you cope with people with large resolution screens, or small windows on that screen? It looks different, but it's no biggy.

Re:*sigh*

$1000 in a year!! You sir are going to get rich fast!!

Re:*sigh*

[bunratty]

There's just one subtle flaw in your argument. People do use Firefox. And sites do work in Firefox. Two! Two flaws in your argument. People use Firefox, sites work in Firefox, and sites are programmed to work in Firefox. Three! Three flaws in your... wait, let me come in again.

Re:*sigh*

[bunratty]

I just make the site look good in Firefox and make the site verify, then fix what IE users complain about. I have better things to do with my time than to keep dicking around with a site until it looks perfect in IE.

Re:*sigh*

[tsm_sf]

I'd also like to think there are a few people out there willing to ask their web developers why they should lose 5% of their customers over a bell and/or whistle. And then ask themselves if they might not be able to find a better developer, since it's not like we're exactly running low.

Re:Yep...

Does that mean we can declare war on Microsoft for having Weapons of Mass Disfunction?

OLD! Look at the date of this info

What is happening to slashdot? This is sooooo OLD!!!

Re:OLD! Look at the date of this info

[Mornedhel]

What is happening to slashdot? This is sooooo OLD!!!
You must be new here.

Re:OLD! Look at the date of this info

[TrappedByMyself]

What is happening to slashdot? This is sooooo OLD!!!

Hmmm... I think you're right. As I was walking home, a news boy on the corner yelled to me "Extra! Extra! Web Site Attacks Against Unpatch IE Flaw Spike". At first I though he was mentally challenged, but when I got home, I pointed the browser to Slashdot, and here it is! I hear a new business model is coming out where news distributors deliver printed news to your doorstep each moring! Imagine getting news that fast! Slashdot should really consider this.

nope

[dotpavan]

FTFA: "According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). "

So, it wasnt pr0n. But c'mon, couldnt he check the history and let others know?

Re:nope

[UberOogie]

You and your facts and your articles, bah. It's funnier my way.

Re:nope

[Neoncow]

After days of sifting through browser histories of infected computers, Security Fix has announced that http://www.google.com/ is the only website that all victims visited.

In other news...

[zolaris]

Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".

Re:In other news...

[LiquidCoooled]

Is IE 7.0 included in that definition?

Re:In other news...

[zolaris]

I am going to take a wild stab and assume they meant stable non-beta releases.

Re:In other news...

[geobeck]

It's sad when the solution is "Any other browser".

I see a new web site tag line/gif coming into use soon:

This site is best viewed with Any Other Browser.

Re:In other news...

[LiquidCoooled]

It would be interesting to know if the new features of IE 7.0 do actually prevent this attack.
Finding out it is vulnerable to another IE 6.0 exploit makes you wonder just how much work has actually been done on the browser code.

Re:In other news...

[0xA]

I was vulnerable but they have fixed it in the March release. Yes, they fixed the Beta version before they fixed anything else.

Re:In other news...

[whitehatlurker]

See also Secunia's alert. There is a reference there to the finder's website.

Not a good week for MS IE, eh?

Re:In other news...

[RzUpAnmsCwrds]

Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".

No, it's not sad at all. Apparently, you don't understand the basic fact that when an attack targets a particular product, other separate products are not inherently vulnerable.

Of course other browsers aren't vulnerable to an attack that specifically targets a bug in Internet Explorer!

Here we go again....

[beheaderaswp]

Sometimes one wonders how Microsoft maintains it's customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.

Over on the linux, and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.

Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:

http://news.bbc.co.uk/2/hi/technology/4849904.stm

Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.

I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.

Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.

Re:Here we go again....

Microsoft can't do it any earlier, because they have redirected all programmers to work on Vista.

Re:Here we go again....

[I'm+Don+Giovanni]

I suppose I wouldn't have a problem with Microsoft's monopoly..

But Microsoft *doesn't* have a monopoly in browsers. Use something besides IE, there are plenty of choices available.

Re:Here we go again....

[raddan]

Sometimes one wonders how Microsoft maintains it's customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.

Here's why: nearly every day, when I come into work, I have a request from a user to "enable IE" for them. See, in our office, we've locked down IE (using privoxy) so that it can only go to certain, "approved", sites. Users usually want to use something like MSN Video, which will not run on anything but IE, and, despite the fact that this isn't really important stuff for work, I don't blame them for being angry about it not working. I explain calmly that if I were to allow IE across the board, I wouldn't have time to do other things, like set up that shiny new printer for you, or give you access that that spiffy new intranet server, etc-- I would be removing spyware from your machine. They usually see it my way (or at least pretend to) in the end.

Microsoft has too much control of the market, and so "market forces" just don't work the same way.

I'd love to switch the company off of MS, but we're firmly tied in: MS Exchange, intranet sites that require ActiveX, Windows-only database software, etc. It's a joke, because there's no reason why we can't be doing the same things on a better platform, but people get used to a software monoculture and make business decisions based on that environment. I think of myself as the voice of reason, but I think I'm probably more widely perceived as an irritating shithead.

When I came on to this company, they already had a well-established MS install base. I'm convinced that the easiest way to break free is to literally start a new company.

Anyhow, that's how MS has the marketshare they do.

Re:Here we go again....

[NuShrike]

It's ironic that "anti-virus" software companies don't spend their time patching Windows -- to be really effective. Instead, they let you subscribe to their reactive database that catch things in the act instead of just permanently fixing it.

Remember the hey-days of VBS viruses? The instant easy fix would've been to entirely disable windows scripting host, but did the "anti-virus" companies do that?

I think something about 'no profit' is the problem.

Serious Question (not flaimbait)

[MudButt]

What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

If the goal is to infect the most systems, then by defualt, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...

Re:Serious Question (not flaimbait)

[99BottlesOfBeerInMyF]

What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

What makes you think the majority don't focus on alternative browsers now? From what I've seen there are about as many people pounding on Firefox as there are on IE. It's just the people who find things in Firefox usually get them fixed much more quickly. Of course if Firefox gains in market share more people will look for holes, but that does not mean it will ever have the level of problems IE does because of the design decisions and the development process. Heck, right now their are two completely different unpatched remote exploits to install and execute Foo via IE. The fact that a hole can be discovered, reported, the discoverer can get tired of waiting for MS, it can be publicly published, someone can make an exploit, and script kiddies can deploy it everywhere all before MS can get a patch out is intolerable. That more than one such hole can happen at a time is just sad.

Re:Serious Question (not flaimbait)

[redheaded_stepchild]

It's not a question of perfect, unexploitable code, it's a question of timeliness to patch the exploit. AFAIK, Firefox, Opera, etc. tend to have turn around times far quicker than MS does for IE. This particular exploit has been out since what, December? And they apparently plan to patch it in April? That's an awfully large gaping window for the script-kiddies to go to town. Also, whenever MS does release a patch, there's a fair chance the patch itself is exploitable or opens another exploit. Besides, why use a browser you KNOW will be compromised one way or the other when there are functional, similar-to-use browsers available for FREE? Top that off with the optionals being somewhat more secure by default, more compliant with web standards, and user-configurable (let's hear it for Firefox Extensions).
 
Seems like a no-brainer to me...

Re:Serious Question (not flaimbait)

"What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?"

Why would you need to reverse engineer software when you have the complete source code?

"If the goal is to infect the most systems, then by defualt, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before..."

If browser market share was more evenly split, this disincentive would apply to *all* of them.

Re:Serious Question (not flaimbait)

[beheaderaswp]

Serious answer:

I'm not picky. I'll use whatever doesn't have a major exploit against it at any given time. I really could care less who makes my browser. I generally like Firefox best, but there are times I run IE for a few compatibility reasons.

My primary concern is always my clients. Current and former clients who get news updates from me via e-mail number in the low 1000s. They don't know when there's a new exploit. Which is one of the reasons they pay me.

I think it boils down to this: Having multple browsers means people can use the browser that is not currently under attack. That is an advantage. Sure, if Mozilla had more users it might be targeted more, but right now it doesn't, and it probably won't for a couple of years.

The alternatives are just simply safer through obscurity.

Re:Serious Question (not flaimbait)

[domanova]

Parasite or symbiote? I think that the Mozilla code is, as it happens, more difficult to compromise. Why I think that? Because I really dislike Microsnot and hope they are awful at coding. (joke hahaha do not respond).
If - when - for-profit crackers are not able to be parasitic, symbiotic relationships may become profitable. Be nice to the machine, protect from nasties, and use it for your own ends.
Although many of the users of exploits are our much-derided kiddies, there are some smart hackers doing real stuff. Black hat ain't necessarily dumb: if the money says it's worth it, Firefox will be hacked. At the moment, it seems IE in its current deployment is just too easy

Re:Serious Question (not flaimbait)

[I'm+Don+Giovanni]

Why would you need to reverse engineer software when you have the complete source code?

I'm not a hacker, but it may be that it's easier to use tried-and-true hacking methods to find holes in a product rather than slogging through mountains of lines of source code.

Re:Serious Question (not flaimbait)

[clevershark]

When you don't use the web browser as a wide-open portal to the internals of your operating system you run a lot less risks. Whether it's Firefox or Opera or whatever else, other browsers are unable to do the sort of damage that IE can do BY DESIGN.

Why do I say BY DESIGN? Try and use Windows Update with any browser but IE...

Incidentally, that question is asked every time a new Windows or IE critical security flaw comes along, and the answer is always the same.

Re:Serious Question (not flaimbait)

[mpe]

Also, whenever MS does release a patch, there's a fair chance the patch itself is exploitable or opens another exploit.

Or will just plain break something...

Re:Serious Question (not flaimbait)

[whitehatlurker]

(at best) you could only hope to control a fraction

I'm presuming you mean a small fraction ;-).

I would think that there would be more prestige involved in releasing an exploit for FF or Opera, simply because everyone says they are more secure. Security does not appear to have been a large concern for MS IE 6.x, though this was a larger priority for ME IS 7. If IE 7.x has been hardened sufficiently, will this force the poorer exploiters towards alternative browsers? We'll have to see ...

Will IE in Vista be in managed code?

[WoTG]

Of all the bits of software in Windows, perhaps the IE should be at the top of the list for migrating to .net managed code. It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).

Re:Will IE in Vista be in managed code?

[SloppyElvis]

Not if Richard Grimes' analysis is correct...

Re:Will IE in Vista be in managed code?

It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).

If it is just because it's a big juicy target for hackers... then why the looooong endless list (you don't really think this is the last, do ya?) of similar, very nasty, security vulnerabilities in IE? WTF? How many bugs can there be in a fsckin' browser?

To paraphrase Bill Gates: "It is about the code quality! It is about the code quality!"

a programmer for Oracle Corp

[Ajehals]

So he really should know better then?

Re:a programmer for Oracle Corp

[slakdrgn]

Its more, how much longer will he have a job after releasing this information...

I doubt he talked to his boss before blabbing that one.

Re:a programmer for Oracle Corp

[Ajehals]

Using a fatally flawed version of internet explorer - £10

Having your corporate VPN un/pw disclosed to [the evildoers] hackers whatever.. - £20

Not telling your boss about it or changing your password after posting the fact on the internet - Priceless

---

alright its lame but it was funny in my head

Re:Yep...

[Elwood+P+Dowd]

In a better analogy, we would declare war on Novell.

META MODDERS; Please handle.

[WindBourne]

This is not redundant as it is the first post. It may be redundant overall, but it seems like that is needed.

Screw that - use IE

[Weaselmancer]

And keep on using it. IE gets attacked most often because it's the most popular browser.

It keeps my Firefox experience nice. And it keeps the guys at Geek Squad employed.

Was the City of Tuttle, Oklahoma...

[sharkey]

one of the sites that has been "hacked" to exploit this flaw?

Re:Was the City of Tuttle, Oklahoma...

In other news, Joe Schmoe, a FORMER programmer for Oracle Corp. who workED out of his home in Orlando, Fla., seeks challenging and rewarding oportunity to Super Size your order.

Keep an eye on this one..

[Dynamoo]

If you're an admin of machines running IE then it will be worth keeping an eye on this one. The best place is the Internet Storm Center which usually updates several times a day and links to other sites of interest. (Be sure to check the diary archive).

This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.

Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.

Windows is more secure.

[xmorg]

I have heard about all these tests that they put up a windows server vs a Linux/BSD server and you get Windows being more "secure" in certain areas, etc.

But this is what we are talking about when we says LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What windows lacks in security has to do with workstations/personal computers at a persons home browsing the web on IE, who is not a security expert and shouldnt need to be! Windows continues to leave the \windows \windows\system, windows\system32, and the system registry wide open to any executable/script hacker who wants in.

My friends logon to the net and start clicking around, etc, and whala! you are full of virii and malware so thick it baffles most techs nowdays.

Re:Windows is more secure.

[Dolda2000]

My friends logon to the net and start clicking around, etc, and whala! you are full of virii and malware so thick it baffles most techs nowdays.

Now, I'm really not one to promote French, but I think that the word you were looking for is "Voila".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Not really

[WindBourne]

You are making the assumption that attacks come after the most popular software. If you read the interviews with the coders (not the SKs that will grab, slightly mod, and release them), you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so. Basically, Windows, IE, Outlook, and IIS are just so easy to attack.

In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and other *nix will be the target. Statisically and historically, I seriously doubt that MS can do it, but they appear to be doing the right thing.

Re:Not really

By not releasing new software? Isn't that cheating?

Re:Not really

you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so.

Yeah.. for targeting 3-4% of net population (Mac/Linux) surely gives the hacker the same effect as targeting 92-94% (Windows). Especially now that this is "big business".

IE7 beta2 is the solution? Not for 2K users

[smooth+wombat]

From the article:

Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview.

That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?

They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?

Just another reason not to go with Vista. Another Mac convert on the way.

Title: WTF!

[starman97]

Someone's been smoking way too much crack@!

That title makes no sense at all.
It's just a list of keywords for google to latch onto.

Re:IE7 beta2 is the solution? Not for 2K users

Don't switch!
http://www.google.com/search?hl=en&q=switched.mov

Use IE to browse your own website only

[Eustace+Tilley]

What kind of wishful thinking persuades someone that IE is suitable for browsing any website except the ones you have written personally?

Re:Use IE to browse your own website only

[fatmal]

What kind of wishful thinking persuades someone that IE is suitable for browsing any website except the ones you have written personally?

Actually, that is exactly what I do! Any sites that I develop get tested locally using all installed browsers, including IE, but only with the machine 'stand-alone'. If I'm out on the web, IE never gets used!

easy fix in XP

[TheRealBurKaZoiD]

Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It just never stops

How many patches for IE bugs have we been through? How many more do you suspect there still are? Does anyone really think IE7 will be any better? Why isn't everybody using any other browser? Let me emphasize that: any other browser does not have this problem and most every other problem that IE as suffered from for the last 10 years! Why the hell is everyone still using it? Why will everyone still be using it when the next vulnerability is discovered that allows hackers to steal passwords, bank accounts, everything? When will Microsoft finally be liable financially for the shitty code they have foisted upon the world?

Re:As someone involved in IT...

He's not involved in IT. He's a fucking oracle employee - that means he doesn't know jack fuckin shit.

Sites wit hthe attack

[G00F]

"said he's not sure which site he browsed in the past 24 hours that hijacked his browser"

Sure he does, he just doesn't want to admit to otehrs that he still surfs pr0n.

DISABLE ACTIVEX!!!

[erroneus]

For crying out loud, that's probably like 99% of MSIE's vulnerability. I know it's one of Microsoft's "gems" and one of its primary tools to keep the competition locked out the areas they currently control, but it's seemingly forever the access point to evil-doers' access to peoples computers. Disabling ActiveX is almost always if not entirely the answer to the problem in the short term.

I don't know what the best answer should be for those who need to use activex in the meantime... I guess it's kinda like smoking or other addictions that are generally risky and unhealthy -- it's painful to stop but pretty damned necessary.

Re:DISABLE ACTIVEX!!!

Correct me if I'm wrong but doesn't that also disable "AJAX"? I guess it might be something to think about where everyone toots their horn about AJAX technology only to have MSIE users stuble onto a site with Active X disabled.

If that isn't the Most Slashdottish Comment Ever..

[wiredog]

Cat got your tongue? (something important seems to be missing from your comment ... like the body or the subject!)

Editors let another dupe through? ;)

[necro2607]

Man, those Slashdot editors sure do let a lot of dupes through, eh? ;) hehehe...

Editors

Besides, doesn't /. have Editors who should Edit the stories submitted?

Re:Editors

[E+IS+mC(Square)]

You mean, er, Editors can Edit stories? OMG!!

Re:Editors

Well, I said they should. Weather they can or not remains to be seen.

Re:Editors

[Intron]

Snow use blaming it on the weather. The rain of the editors will continue to be hail and hearty.

Re:Editors

Whoosh!

Re:"... said he's not sure which site he browsed..

Have you ever tried to use Internet Explorer with "Active Scripting" set to ask for permission before running?

It's impossible to get anything done. So you either leave it on (if you want sites with JavaScript to work) or you turn it off and then decide to use another browser.

If you *are* stuck with IE, you can't reasonably get around this.

Coming soon on slashdot

[Spy+der+Mann]

I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?

Next! On Slashdot!
Grammar Nazi vs. Spelling Nazi deathmatch!
Sponsored by Uwe Boll films, ltd.

Huh?

The #2 and #3 have enough features to be useful but gets less attention then #1.

So, you are claiming that as #2 and #3 get less attention, they'll eventually become #1? I don't think so. They can only become #1 by getting more attention, not less.

What do the Wall street guys think?

It is going to be interesting to see when one of these "late patches" will cause major infection on computers, used by the Wall street guys, who analyse Microsoft corporation as a business.

Microsoft's new product line development is pretty much based on more sophisticated, easier integration of different, existing Microsoft products and features - instead of new products. These integration features create security risks.

It's like having a mining company, which has a business model, which is specifically based on exploring increasingly dangerous resources. At one stage this business strategy itself will have to be deemed extremely risky and unmaintainable.

Is Microsoft approaching this borderline?

Enter Sherlock Holmes ...

[molarmass192]

So he really should know better then?

From that one line I deduce that you've never worked at Oracle. There are still some talented people there, but much of the top talent has long since jumped ship.

Re:Enter Sherlock Holmes ...

[Ajehals]

Never worked at Oracle but ended up doing an eval of 10g, which whilst it wasnt what I needed, certainly wasnt poor.

I guess I dont understand IT Pro's who arent fanatical about IT and therefore are at least aware of issues like this one - although I admit that I have failed to patch windows boxes when needed to ensure that my dev or production environments stayed stable.

I figure that if you dont patch though you dont get to whine. - Before I get flamed on that point obviously you can only patch when you have a patch available - and if you dont patch you have got to use other forms of protection.

(turning you PC off and leaving it off works well but hurts productivity - or at least should hurt productivity!)

Re:"... said he's not sure which site he browsed..

If you were to spend so much time on making sure your machine that secure, how much time you think have left to be productive? Big O, Zero, Nill, Nada, Zill'sh etc...

Repeat after me--"Use FireFox"

[bill_kress]

Use FireFox, Use FireFox, Use FireFox, Use FireFox...

I know I'm preaching to the choir, but maybe we need another round of "Spread the word". I keep the "Open in IE" function available for emergencies (like a root login), but by default I use a browser that is not so heavily integrated into the OS, is lighter weight and is peer reviewed.

Why aren't we ALL insisting on these features wherever possible???

Re:Repeat after me--"Use FireFox"

[bunratty]

But doesn't Firefox take up more RAM than other browsers? Bring on the spyware. I need my RAM. What if another application needs it? I'll get a horrible "system is running low on memory" dialog. And then what would I do? Boo hoo.

Time to really, really sue/open up microsoft

Why can't somebody with large ammounts of cash, when they get their computers trashed by microsofts obviously crappy products, just sue the crap out of that company and set a precident so that every one can do the same?

If you make a crappy product, you deserve to get sued, the auto companies etc.

In fact, this shows how unbelievably stupid this world situation is, would we accept one auto company making ALL the cars (no, that would be some sort of weird Gilliamest nightmare), one company making all the books, houses, dishwashers etc, yet we accept ONE software company making most of the worlds software?? (how stupid/retarded is that?).

There must be something special about microsoft to warrent this special circumstance? oh, yes there is!, the lack of open software/hardware standards!!
If the power companies were allowed to only provide power to their patent/copyright wires and products that you, the consumer have paid for?

Its time that the future hardware and software (design and interface standards) became unliscenced open world standards, with no one single company/country owning/hiding the specs etc. (and no more hassling of open source too).

The progress of the human race is at stake here, we can't progress in a world of crappy hardware and software (intellectual and materially), just look a what vista is going to require, that viturally half of the worlds current state of the art pc's are going to have to be junked and sent to the land fills so that we can run some fancy eycandy and some badly engineered version of findfast etc. For crist's sake, its just an operating system, they have been making operating systems for 4 dacades now!!!! (go buy a mac or an open source computer, at least they work and you won't be trashing the enviroment!)

Re:Time to really, really sue/open up microsoft

[TCaptain]

Why can't somebody with large ammounts of cash, when they get their computers trashed by microsofts obviously crappy products, just sue the crap out of that company and set a precident so that every one can do the same?

Easy. Because of the EULA.

Re:Time to really, really sue/open up microsoft

[soupdevil]

I wonder what percentage of people using IE at any given time actually clicked through an EULA on that particular PC.

Let's be l While We're at it

Although Forefox is a heck of a lot safer than IE, Opera currently has a better security standing.

Re:Let's be l While We're at it

[mOOzilla]

Pfft, I telnet to port 80 and handcraft my own HTTP requests. You kids have it easy.

Re:Let's be l While We're at it

[ObsessiveMathsFreak]

Telnet eh? You lucky bastard. Some of us are still manually completing and checking TCP packets with a 15 second timeout limit. And we like it!

Re:Let's be l While We're at it

[mOOzilla]

Pah, try beating my magnets I run over the telephone cable.

Re:Let's be l While We're at it

[whoever57]

Pah, try beating my magnets I run over the telephone cable.

Magnets? You have it easy. I have to use pigeons

Just a rough guess: Adware

[Opportunist]

Imagine this scenario:

User installs $program. $program comes with $adware because someone's gotta pay, since the user doesn't really like paying for his software. Yes, he could switch to free... let's drop that idea. Requires brains.

$adware sells space on their servers (or they sell linking to pages containing ads). $adware displays $infected_site.

I can't prove it yet, so I won't post which company I consider responsible. But it's strange, every single computer I get into my hands that contains a trojan that used a browser flaw to get onto the machine also contained a certain piece of adware.

Re:Just a rough guess: Adware

[homer_ca]

Maybe you mean this story? The sequence of events is actually reversed. The botnet operator had control of all these home PCs. He rented them out for DDoS and spam, and later he installed 180solutions adware to collect the affiliate fees.

Re:Just a rough guess: Adware

[Opportunist]

Actually I was refering to a development I see at work. No further details possible, but I do see a trend.

The edges between botnetters, phishers, adwarers (is there such a word? If not, can I copyright it?) and spammers are blurring rapidly. Adware is bundled with applications. Other malware writers use them to infect computers. They sell the "foot in the door" to other malware writers. Spammers buy botnets to send out phishing mails or spreading more malware...

Jeez!

[caffeination]

Godwin already!

Re:Jeez!

[hunterx11]

Didn't the Nazis draw on Nietzsche for inspiration? How can Godwin if Goddied?

What webserver software is getting commandeered?

[wernst]

So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.

So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...

Re:"... said he's not sure which site he browsed..

[hal9000(jr)]

I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly javascript), but do you know how many sites fail to function properly without it and that is only going to get worse sith the rush to have more interactivity on the client? Think of all the hype around AJAX.

Nah, acripting in browsers (javascript, activeX, flash, showwave, etc) should be properly sandboxed so that they can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user regardless of thier knowledge level.

Re:"... said he's not sure which site he browsed..

I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large

what? 'Active Scripting' (which is what MSIE calls javascript, btw) is essential for a good proportion of the internet to work. Especially given the AJAX craze of late.

Disabling javascript is totally unworkable.
(switching to firefox or opera, OTOH, is a very sensible course of action)

Chowdhury is an idiot

How else is he still using IE? Are Oracle programmers this stupid in general?

Re:Chowdhury is an idiot

[realmolo]

Have you ever worked with programmers?

They generally know NOTHING about actually running/securing/tweaking/customizing their workstation. They know how to program. They know how to use the applications they need to use. That's IT.

A programmer that really knows how to USE his computer is a rarity. That's why so much software has a terrible interface. Programmers aren't users.

Another Microsoft advise

Don't use the Internet. It's dangerous for you.

Opps: This Time With The Link

Although Firefox is a heck of a lot safer than IE, Opera currently has a better security standing.

(This correction would have been posted much sooner if Slashdot did not have an insanely long timeout on ac posts).

No

No legislation needed, perhaps certification should be required, and the government should certify the software themselves if they want to use it. Perhaps more competant admins and IT staff? Or PHBs who decide what software to use? We already have too much legislation in the software arena, I'm telling you.

IE Again

[Bizzeh]

why does the IE flaw hit slashdot and all the papers again... yet the many firefox ones that have also been in firefox for a while, never see anywhere.

Re:IE Again

[Khyber]

Because those of us that do find and report bugs/expoits with proof of concept get their attention that much quicker, and they get a patch rolling fast so they don't get in the papers and media?

Re:DISABLE ACTIVEX!!! - Corporate users can't

[poopie]

Many corporate users depend on windows-only tools that *REQUIRE* ActiveX to do their daily job. Until those tools change or no longer require ActiveX, it's an unreasonable solution to suggest disabling ActiveX for many corporate users.

Not this time

For this one, you have to disable Javascript (Active Scripting).

ubuntu

[irimi_00]

don't you wish you'd used ubuntu?

Not Helpful In Terms of Security

[EXTomar]

I'm not saying that having IE written in full managed code isn't a good idea but it won't help with security. A good chunk of the problems come from the ambiguous uses of various technology in IE (Active X, jscript, etc). Many of these are functioning exactly as designed but still having undesirable side effects such as completely unsecured. These are problems that would exist reguardless of the language binding used to build IE upon because logical problems are still logical problems reguardless if they are in C or Perl or C#. Rewriting a poorly designed, insecure system in C# does not automatically create a secured system (although it might make it more obscured).

Besides, the .Net Framework itself has yet another security tool that needs to be configured and can subsequently misconfigured. It is another "confusing to the nominal user" setting that most laymen are likely to ignore than pay attention too.

SIR, YOU ARE HILARIOUS.

[airherbe]

Patch Released: Download here: http: //www.mozilla.com/firefox/

"Ha ha ha! Oh gosh that's funny! That's really funny! Do you write your own material? Do you? Because that is so fresh. The 'Patch to IE: here' joke. You know, I've never heard anyone make that joke before. Hmm. You're the first. I've never heard anyone reference that specific link before. Because that's a link to another browser, isn't it? And, and yet you've taken that and used it out of context to insult IE in this everyday situation. God what a clever, smart person you must be, to come up with a joke like that all by yourself. That's so fresh too. Any Titanic jokes you want to throw out, as long as we're hitting these phenomena at the height of their popularity? God you're so funny!"
-- Unoriginally paraphrased from S. Gilligan Griffin

Re:SIR, YOU ARE HILARIOUS.

You *are* the weakest link. Goodbye.

Re:IE7 beta2 is the solution? Not for 2K users

[dhardisty]

Sorry to break it to you, but Mac OSX makes you pay for updates too. You have to pay for every update -- 10.1, 10.2, 10.3, etc. Each of them costs money. So if you bought OSX or OS 10.1 and you want to update to the latest version of Safari or Firefox -- guess what, you have to shell out some cash because Firefox requires Mac OS X 10.2.x and the secure version of Safari requires 10.3 I think.

Because of this, my girlfriend who has an old Apple powerbook can't surf the web worth shit. So don't think that a for-profit company such as Apple will be the cure to all your M$ woes.

Anyone..

[Viraptor]

Anyone else finds something funny in this sentence?
"...hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors)."
I see two things...

Re:Anyone..

I'd imagine it has something to do with STDs and somehow pirating an entire vendor of software.

But that's just me :D

Re:Anyone..

[cyberwench]

Ah, I finally figured it out. It's just a really poorly-written sentence. He's trying to say that attacks are coming from sites you wouldn't expect, unlike the usual ones, ie porn/pirate sites.

Re:What webserver software is getting commandeered

[slughead]

So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

I think it's any webservers whose webmasters use IE. Lemme explain:

1) a dumb webmaster has his PW for his webspace stored in windows
2) dumb webmaster (who should know better) visits a site while using IE, and the site steals his password
3) script or person uses the password to login to the webspace, add in malicious code, and the cycle continues

Beleaguered

[phongleland]

It's time for tech reporters to start prepending "Beleaguered" to everything they write about Microsoft, similar to what they used to write Apple. i.e. "Beleaguered software company, Microsoft, today announced it will delay Vista" or "Beleaguered software company, Microsoft, will pushed back the launch of Office to coincide with Windows" or "Beleaguered software company, Microsoft, announced $8 billion quarterly profits"

Re:Beleaguered

[TheOtherChimeraTwin]

Microsoft is doing just fine, thank you very much. Microsoft's customers, on the other hand, are beleaguered.

There is no reason to be bashing Microsoft everything a negative story about them comes out, or you'd be unfairly complaining about them every day. Why don't you look at your own dirty laundry -- your so-called super secure OpenBSD had a remote hole eight years ago, but I don't see you posting anything about THAT on Slashdot. How biased can you get?

Depends on the nature of the beast/bug

[jd]

I have no objection to the Government criminalizing the witholding of a patch for a security flaw, where that flaw could endanger national security OR could cause significant economic harm (over the country, not just for some individual). This would require a fix to exist, but be knowingly or deliberately not released (eg: to "encourage" people to update to Vista, once it is available). I can't see any sane objection to such legislation, since if the code already exists, there is no further cost in producing it. All the production cost has already been spent. Such patches would not have been QA'd properly, so would be "at own risk", but all software is "at own risk" anyway.

I have no objection - and firmly believe the Government should - mandate that ALL software used in any Government institution - regardless of where or how - should be reasonably secure against any intrusion or misuse, should have a minimum of a 99.9% uptime under heavy but situationally-plausible stress, and should be considered clean of defects when tested against industry-standard closed- and open-source security scanners.

(You don't need massive reliability and security when playing minesweeper, but you do if your computer is controlling a warship or contains highly classified data.)

Many people like to say that it would be too expensive (or even impossible) to make software defect-free. Perhaps that is true, for totally off-the-shelf, totally generic systems. I think it's nowhere near as expensive or difficult as people imagine (although it certainly isn't cheap or easy), so think it's possible to have limited lemon laws. Where such requirements go beyond desires and become actual needs - particularly where the failure to meet those needs could have major consequences - I certainly believe that it is important to sacrifice unwanted functionality to the point where what is left CAN be secured to a high standard.

(I also believe that good programming methods can eliminate most problems, so that quality design can become the cheapest, most practical option for these sorts of cases.)

Re:What!?

[The+Meshback]

BIG gaping security holes will happen.

Oh, I'm sorry, I thought you started talking about Goatse for a minute there.

Carry on.

Re:"... said he's not sure which site he browsed..

[ergo98]

but it seems that a lot of problems with IE are really a result of users who don't take the time to secure it in the options

I'm late to the party, but this is just ridiculous. This isn't the user's fault whatsoever, and basic, supposed-to-be-sandboxed scripting is essential for the browser to be marginally useful.

Re:Yep...

I've never regretted having used all of my mod points as much as I do right now after reading the parent.

You, sir, should shut up.

They already do

[Opportunist]

Many "modern" trojans already support both, IE and FF.

Re:Yep...

Oh yea. Typical neocon response: "Shut up". It works for Rush Limbaugh. It works for Bill O'Reilly. But it doesn't work for neocon assholes on Slashdot. My only words to you: "Ken Olbermann"!!!! Are you going to send Fox security to my door now?

Health inspectors: Was Re:Now that's a solution!

[PlusFiveTroll]

Actually this is no different than real life.

It's like a restraunt that you've never been to, how do you know that you will not die of food poisoning?

Luckly for us, restraunts are randomly inspected by health services and get a score around here.

Maybe its time for random website inspections to see what kind of crapware/spyware/scripts are on them, sounds like a good place for a firefox plugin.

Patch them...

[sam0737]

I wish there was someone writing a virus exploiting this hole to patch the users with firefox, opera or alike.

Re:IE7 beta2 is the solution? Not for 2K users

[Cro+Magnon]

It's interesting that their beta product is (allegedly) more secure than a product that has been in production half a decade.

Re:IE7 beta2 is the solution? Not for 2K users

[Nosklo]

And what about their own anti-virus product that you can buy to protect you from virus and trojans and spywares?
All these malware that wouldn't even exist if they did their homework correctly, and they charge you for a tool to fix what wasn't supposed to happen in first place.

*SIGH*

Additional prefixes

[gregarican]

Don't forget about "another crippling bombshell has hit the..."

All U-R /. HEDLINEZ R BELUNG 2 ZONK!!!!~!

[hobo+sapiens]

See subject line.

Software Restriction Policies

[Kagami001]

Software restriction policies are a nifty tool, and it's a shame more people (or at least offices) don't use them.

Blocking just temporary internet files is obviously not fool proof (the exploit code itself could download files to another location besides the temporary internet files folder) but it does seem likely to break any malware that's written to have the browser do the work of caching scripts from the website ahead of time. (Does IE work that way? Cache scripts fully, even if they contain code that isn't allowed to execute in the zone the script is from?)

Then again, merely running in a limited user account breaks most malware.

One thing to watch out for is runtime engines that are unaware of group policy. For example, if you have a Java runtime environment installed, and you add JAR to the list of restricted file types, then trying to start malware.jar through the shell will fail with the standard software restriction policy message--but executing "java -jar malware.jar" will still work (unless you have a special custom Java runtime that's smart enough to check group policy :)

This is as opposed to, for example, VB script, because the VB script engine itself is aware of software restriction policies, so "wscript malware.vbs" doesn't work.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Oracle vpn this bad?

His username and password to the vpn logged? Is there any real company out there which actually uses a static password for the vpn? Most places I have worked use a token card of some sort which keep generating new alphanumeric strings to be used as passwords.

Re:Oracle vpn this bad?

[lucm]

After scanning your comment, I had to change a fuse on my bullshit detector.

Last time this kind of thing happened, my detector was left open for an entire episode of O'Reilly on Fox News.

Serious Respose (not flaimbait)

[rob_squared]

Check the users/bugs ratio between IIS and Apache.

Re:Serious Respose (not flaimbait)

[MudButt]

Check the users/bugs ratio between IIS and Apache.

What does IIS/Apache have to do with IE/Firefox?

Re:Serious Respose (not flaimbait)

There's a little rare thing known as an analogy.

Re:Serious Respose (not flaimbait)

[Mad+Merlin]

What does IIS/Apache have to do with IE/Firefox?

Perhaps because Apache is hugely dominant (~70%) over IIS (~25%), yet IIS is still exploited far more? Apache vs IIS is the canonical example of the number of exploits being a function of more than just market share.

Its a fine line for M$...

[hebie]

It should be not secure enough that you jump for their next uber secure OS, but not so much that you run to another OS

Not necessarily

[Beryllium+Sphere(tm)]

Many of the attacks seem to be coming from reputable but poorly secured web sites which have been taken over by attackers.

Something else that's come up in the past is some blackhat compromising an ad server and making it serve poison, thus instantly turning thousands of web sites into malware distributors simply because they were running ads from the 0wned ad server.

Javascript enabling site-by-site

[Beryllium+Sphere(tm)]

Even in Firefox you may want to minimize your exposure to Javascript. I have become a dedicated fan of the Noscript extension, which allows temporary or permanent whitelisting without groveling through configuration dialogs.

Absolutely right about the need for sandboxing.

Call for more system transparency

[B.+Pascal]

Hello all:

Think about how many key-loggers and zombies are in-the-wild running silently in computer own by every-day users?

As always, MS receives much flaks for writing vulnerable software. Truth-be-told, the reason why there are so many vulnerabilities in IE is because there are many people who actively look for security flaws in IE, since it is the most popular system. I don't think using Firefox or escaping to Linux are a permanent solutions. Think of people who write attacks as "testers". At the very least, these "testers" found many flaws in MS products. With less "testers" working, who knows how many Firefox and Linux vulnerabilities there are?

Patching is important. However, it is just unrealistic to expect softwares as large as Windows and IE to be patched in a timely manner. Rather than putting the focus on more secured software, we need to make the system more transparent. A system that expose hidden processes, hidden files, and hidden system configurations would allow a user to detect whether his/her system has been compromised (granted, this does not address such attacks as phishing). Also, we need to have some user-friendly features (even comments and descriptions would be nice) to help the user make sense of all these process/file/config information. This way, the user can actually decide whether a system is running in a non-secure state or not.

Many would argue that making the system more transparent makes the system less userable. I agree. However, I think (and I think we all agree) that users, even non-technical ones, can adopt faster than MS put out a security patch...

Cheers.

B. Pascal.

Comment removed

[account_deleted]

Comment removed based on user account deletion

unfamiliar sites

"take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"

My drain is clogged.
Go to google.
type in plumber.

12,600,000 web sites that I have never heard of.
They are unfamiliar. I do not trust them.
Especially 'the pink plumber' and 'backwater-plumber'.

Re:unfamiliar sites

... and "pipelayers"

actually...

...that "not our fault no matter what happens" EULA is PRIME for a supreme court challenge. No other consumer product is sold without an implied or explicit minimum warranty. yet software can be "leased to use" without it. software has patents, gets exchanged for cash, is protected by trademarks and copyrights, etc, so there is no reason to give an exemption. What the parent poster said is true, they could be sued, and it's a fair chance they would lose if it first went to a cheery picked court, then up the scale to the supreme court.

Software is a mature industry, it doesn't need hand holding or training wheels any more "to get off the ground". Can't offer a minimum warranty and release something suitable for purpose? Get another job where you can then, choose a different product to manufacture or go get a laborer job or something. The rest of "industry" had the same exact whines when they were ordered by law to drop "caveat emptor" (that's all these various EULAS are, snake oil caveat emptor) and start offering warranties/honoring implied warranties.

  The other industries ALSO complained "it isn't possible!", whine, kvetch, gnash teeth, threaten dire consequences "we'll have to charge 10 times as much!1 blah blah, yada yada, snivel, OMGBBQ!! and etc. Funny, they manage to survive now, even with a FEW defects, and WITH warranties.

  That's the key, too many, yes, you'll "go out of business" quickly (MS would have years ago if warranties existed). Just a *few* on the other hand, you'll be able to absorb the costs on returns/fixes and still stay in business. All other products have that feature, and business is still booming.

This is the main reason I won't pay for software any longer. Man, I sure used to, never even burned a shareware app. I paid for everything unless it was free beer gratis from the devs. No warez, no shared discs, nothing, same with music and movies, never pirated one scene or one note to this day, NEV-AH.

  But today, 2006?? No warranty,you want me to be a beta tester forever? Fine, the minimum I charge for Q and A work is to get the software for free. I may or may not file bugs reports depending on how much a PITA it is to do that. Too much hassle, no automatic crash grabber and automatic send it off to whomever, nope, not even going to do that any longer. Show me NON BETA WARE or something that really is close to production, we'll talk. Too many things are called beta when they are still pre alpha and shipped as 'current-stable' Screw it. Homey don't play that anymore.

    Now, offer a normal consumer warranty for your software "product", I'll really think about "buying" it, or "lease to use it", open source, closed source, it don't matter once you start talking cash, completely changes things. Free, I'll put up with some defects, MONEY??. It BETTER work as advertised and not require daily patching and it should work for AT LEAST a year before any new "model" is introduced. Cash in your hands then, no probs! Until then, my cash sits in my wallet. Same with the **AAs music and movies, screw it, drop the prices way back down to reflect what bits on a plastic disk are worth (a few dollars tops for music or movie "entertainment", a little more for good games, a little more than that for full bore decent software like a full OS with a decent range of installed apps), and I'll go back to buying bits on a disk every single paycheck.

    In the past decade, all three of these ripoff industries have about lost me as a cash paying customer.

Dope

That what he should have happen for using IE.

Internet Exploder and the people who still use it

There are die-hard people who just insist that the only browser they use is internet exploder. For those people, go out, find this virus, get your computer infected, let the bad people steal your banking information and your identity. Then when you've had just about enough, go to the mirror, stare into it with intensity, suck in a big deep breath of air, clench your fists, lower your eyebrows and shout at the image in the mirror "DUMBASS!" Then, go out and get another browser (one that doesn't suck or turn your computer into a botnet slave). You could switch before you get the infection (and all that), but if you haven't switched before now, then its best if the therapy is more harsh.

Whats that I heard Konqueror??

[westyvw]

Get real and quit bothering with the toy OS.

Whoops Wrong URL:

[westyvw]

You meant http://distrowatch.com/.

Re:IE7 beta2 is the solution? Not for 2K users

Looks like there may be a solution for those of us that don't have that option of switching. I read on Full Disclosure that eEye has made a patch available; has anyone else seen this claim? The post directs the user to the following site:

http://www.eeye.com/html/research/alerts/AL2006032 4.html

I've installed it on my wife's laptop running WinXP; however, I don't have anything confirm the fix. Just curious if anyone tried it?

Re:"... said he's not sure which site he browsed..

[cyber-vandal]

Yes because Windows is marketed at the users who would know how to do this. Fixing IE would be a better idea or encouraging them to move away from it altogether to Opera or FF (haha I'd love MS to advise that).
And don't get me started on MS Word, some of the bugs in 2002 are an absolute disgrace.

Suggestion!

[Hyperhaplo]

Can we rate people 'Grammar Nazi' - perhaps have their name highlighted in red and underlined with a wavey line?

Re:IE7 beta2 is the solution? Not for 2K users

I tested this. Works and has no ill effects.

And the bottom line is ...

[RockDoctor]

FTFA : Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.

BEATS HEAD SLOWLY AGAINST BRICK WALL.
THIS IS UNSATISFACTORY.
GOES OUT AND FINDS granite WALL.
BEATS HEAD AGAINST IT.
MUCH BETTER!

Re:IE7 beta2 is the solution? Not for 2K users

[Ziwcam]

Yes, but thankfully you have the OPTION of upgrading to a newer version of the OS. From a New York Times article, "In those five years (Since XP was released), Apple Computer has turned out four new versions of its Macintosh operating system" Now, say what you will about the expense of upgrading, of buying a new OS almost every year, but I've found that those upgrades were always worth the money. At the very least, it shows a company thats not stagnate, and that will be able to react should a huge, unpatchable flaw appear in their OS. I predict Apple will release 10.5 before Vista comes out.

Re:What webserver software is getting commandeered

[ArsenneLupin]

Or alternatively, any website which uses ass pee.