Zero-Day IE Exploit In the Wild

Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

Whatever

[paranode]

This thing is so hyped up, my IE has never NO CARRIER

Re:Whatever

[Plutonite]

[hick] Nah, you're just paranode [/hick]

sorry :)

Sorry, has to be done...

[RManning]

Dupe!!!

Re:Sorry, has to be done...

[Rakshasa+Taisab]

So this is in fact merely a one-dupe exploit?

Zero-day patch already available

Details here.

(hey, we gotta get creative every once in a while, no?)

Re:Zero-day patch already available

Lynx? The absolutely safest method is this:

$ telnet slashdot.org 80
Trying 66.35.250.150...
Connected to slashdot.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: slashdot.org
User-agent: none



It even makes it easier to read the Futurama quotes in the headers!

Re:Zero-day patch already available

Ahhh.... telnet doesn't work; just checked it out. This will work:

curl http://slashdot.org/ | less

Enjoy........

Re:Zero-day patch already available

[imemyself]

Telnet works just fine for me.


mini:~ idontwanttoputmyrealusernamehere$ telnet slashdot.org 80
Trying 66.35.250.150...
Connected to slashdot.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: slashdot.org

HTTP/1.1 200 OK
Date: Tue, 19 Sep 2006 03:53:05 GMT
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_perl/1.29
SLASH_LOG_DATA: shtml
X-Powered-By: Slash 2.005000126
X-Bender: That's not my gold-plated 25-pin connector.
Cache-Control: private

Re:Zero-day patch already available

[bangenge]

I love lynx and all, but there are people who need too see pr0n, right? The more pop-ups that lead to more pr0n sites, the better! Think of the children!

Re:Zero-day patch already available

[BenjiTheGreat98]

You mean the children you leave on your old crusty sock?

Re:Zero-day patch already available

[inertiatic]

I have wiped entire civilizations off my chest with a gym sock! - Bill Hicks

Re:Zero-day patch already available

[userlame]

I recommend adding a

Connection: Close

Just so you don't have to wait around at the end or kill it.

You know, come to think of it, I wonder how many times I've typed that line out to save myself a ctrl+c at the end. Scratch everything I said. Wow, I'm dumb. :(

Well yeah

[cheese-cube]

It was bound to happen. Exploits like this don't just go unused. I have a real gripe against Javascript. I hate using it because its messy and insecure. They should really smarten up Javascript just like they did with VB in its .NET form.

Re:Well yeah

[Scoria]

You shouldn't blame the language. Blame their implementation of that language.

Re:Well yeah

The Javascript language is not insecure. It's a high-level object-oriented language which does not allow you to mess with pointers, memory, etc. What is insecure is MS's implementation of it and the functions they expose to it through various objects.

Re:Well yeah

[masklinn]

WTF?

• Javascript isn't insecure, some of it's implementations are, mostly because they try to cater for the stupid and to interpret messy code instead of dropping it
• I fail to see how javascript is "messy". Quirky by places, but it's a fairly clean language, much cleaner than, say, PHP for example, and with extremely high level and flexible features (prototype-based OO, higher order functions, closures, ...)

Re:Well yeah

[BenevolentGenius]

No No No. Using Firefox solves the problem to right? Stop telling people to switch off Javascript just because IE can't solve its security issues as quick as hackers can find/create them. Why? Because I and probably thousands like me, rely on Javascript to access the web.

I use Talklets to help with my reading difficulties, when out and about. Switching off Javascript on public machines will realy cause me issues! So don't. Switch to Firefox. Thanx

Re:Well yeah

"VB in its .NET form" ? That's a new expression to me.
What about "the B.A.S.I.C. syntax for the Sharp Virtual Machine" or even better "B#" ? Something was needed to keep the BASIC crowd from feeling betrayed and abandonned.

Back to the topic. I support your idea that the MS javascript/basicscript interpreter engine needs a Managed replacement, something like BEANSHELL for the Java Virtual Machine. Maybe we will get that for the 3.0 release of the Sharp Platform?

Re:Well yeah

[Shaper_pmp]

What, you mean rewrite it totally and break backwards-compatibility until it's essentially semantically equivalent to any of the brackets-and-braces languages like C#, C++ or Java?

Oh, wait-

Re:Well yeah

> Javascript isn't insecure, some of it's implementations are

Javascript as a language is not insecure but allowing scripts to run from within a webpage is.

I don't understand why people are still having this debate, the only javascript I run is loaded from my local machine (and not the browser cache at that). Scripts embedded in a web page or executed directly from the web are a security risk and will be until there's a decent security model.

Wow, nice resolution!

[Scoria]

The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

I'm certain that most Internet Explorer users don't write JavaScript.

No surprise

[Cold_Lestat]

There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing i can't get over is how this is still happening? The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).

Re:No surprise

[Schraegstrichpunkt]

If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.

They could just adopt Firefox if they wanted to, but they won't because it's Not Invented Here.

Re:No surprise

[smash]

If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.

This is not necessarily a smart idea.

If you simply start afresh, chances are that you're going to end up with all the same exploits all over again.

They either need to do a full security audit of the code (unlikley for microsoft), or they need to start afresh *and* write it in a language/toolkit that is impossible/much harder to attack via buffer-overflow.

I guess my point is that simply starting over (without changes made to the development method) will not help. I'll be interested to see how many issues vista has actually, seeing as they finally got the TCP/IP stack working reasonably well in XP SP2 and have decided to re-write it for vista from scratch :D

Re:No surprise

[strstrep]

The only reason that there are so many zero day exploits is that they're duped so many times.

Re:No surprise

[AmberBlackCat]

Guys, my computer's still running. It's running Windows XP and I use all three browsers. I use Outlook and Thunderbird. I haven't reinstalled Windows ever on this machine. It's not crashing. Am I doing something wrong? My phone isn't snapping in half either. What am I doing wrong?

Re:No surprise

[msobkow]

I don't think that's true any more. This time it would be reasonable for Microsoft to rewrite their browser in C#.Net, which theoretically provides the kind of sandboxing protection that prevents buffer overflows.

But would that address evil Java/J/Ecma Scripts? Image file exploits? Any of the vulnerabilities that are actually rooted in the Win32 APIs and the NT kernel?

Re:No surprise

Who cares about the 0-day exploit. I use a sandbox for IE. It is called SpyWall.

Frankly people, software bugs will never go away. Learn to add protection.

Re:No surprise

[epine]

The problem is the incentive structure. No-one ever got as rich at Microsoft finding bugs as hatching them, from Alchin on down.

Re:No surprise

[robogun]

br0wse for pr0n in I3 or clicky on linkies in yuor 0utlook emailz, you wil be 0wned. You probably already are & don't know it.

Re:No surprise

[Opportunist]

Oh, that was certainly never a deterrent for MS. They have a long history of acquiring instead of developing.

But how do you acquire something you cannot buy, hmm? The point is, it is not under their control and they couldn't get it there with open source being the base. Besides, imagine the image loss when it becomes blatantly obvious that open source code holes are fixed by magnitudes faster than their own. Because one thing is certain: Should FF become the default browser for Windows, you'll see the malware writer jump on it like flies on a dead cow. And then you'd see just how long it takes the OS community to close the bugs.

And with MS, we already know this takes about a month. Unless it matters to DRM.

Re:No surprise

You're doing nothing wrong. And I'm earning $15/minute for all the spam I keep sending from your computer too. By the way, could you type your credit card data into Amazon once again? The keylogger has crashed when you did this before.

Re:No surprise

[suv4x4]

The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).

Well, as a guy who works on actual projects and know how it works, your opinion has completely dissapointed me in Earth, so I suggest we blow it up and start from scratch.

Furthermore, your bias is obvious. Netscape for the most of its life was a terrible browser (4.x being slow and terrible support for... well HTML and CSS, comapres to IE4 at the time, and NS6/7 for being huge and slow, NS8 for being uuuugly, ad-ridden, and embedding IE).

Re:No surprise

[Gr8Apes]

seeing as they finally got the TCP/IP stack working reasonably well in XP SP2

multi-casting

As for your other point, if they wrote it fresh, they could start with a sandboxed language (C#) with no unsafe blocks. They also have to rewrite a bunch of plugins, such as the WMF renderer in C# though to be truly sandboxed. Not a bad idea, considering the exploits in WMF and JPG that were out recently.

Re:No surprise

If you simply start afresh, chances are that you're going to end up with all the same exploits all over again.

No.

The reason IE sucks is that it was designed to suck. Nobody in their right mind would have put ActiveX in a web browser, and crap like Javascript would have been fought hard in the 1990s too (though it's probably too late to resist that now).

Dozens (perhaps hundreds?) of web browsers have been written, and most (realistically: possibly all) of them aren't nearly as unsafe as IE. If Joe Random college student writes a browser, it's going to be safer than IE. If Microsoft writes a browser and decides that it is not required to suck, then it's going to be safer than IE. The only way a web browser can be as unsafe as IE, is if a PHB demands that it be as unsafe.

Re:No surprise

[rawg]

But what is more amazing is all the people that flat out refuse to use anything other than MSIE. Almost all my customers are brain washed into thinking that MSIE _is_ the internet. I try to get them to use FireFox, but they just will not do it. Even with all the problems MSIE has, they still will not switch to FireFox.

Re:No surprise

Or it could be the result of overworked programmers. Do programmers at Microsoft work perpetual overtime?

Re:No surprise

[Princeofcups]

> If they are wise (Personal Opinion) I would scrap the entire codebase of IE and
> start with an entireley new one for VISTA and change the name so the product gets
> a new start at life.

Microsoft's bread and butter is third party coders. Any radical change to the code base would break existing apps, especially those that are locked into using extensions or "features" that make them IE only (e.g. non-standards-compliant, do not work on Firefox). And many of those features are the ones with exploits. Each one has to be carefully coded around.

jfs

Re:No surprise

[99BottlesOfBeerInMyF]

One thing i can't get over is how this is still happening?

Motivation. What is MS's motivation to fix this? Will fewer people buy Windows because IE is broken? Nope, more people will because it locks them in.

The ammount[sic] of stigma now attached to IE has really damaged the product.

Has it? Has MS's market share for the Windows+IE bundle dropped or are they selling more of it?

If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.

They could buy an existing engine, but it would cost them money. They could move to open source, but it would make it easier to switch away from Windows and cost them money. They could just change the name of IE and it would cost them nothing, but it is not even clear that such a PR move would help in any way.

I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).

Unless you've switched away from Windows, why should MS care? You paid for the development of IE when you bought a machine that came with Windows and had it bundled. MS has been paid, after that, all they care about is lock-in. Your switching decreases that, but not enough to effect sales. So long as the majority is on IE, they are happy.

Re:No surprise

[fm6]

The ammount of stigma now attached to IE has really damaged the product.

Damaged how? They still own (pun intended) 90% of the marketplace, with no sign that this is going to change. Firefox zealots continue to kvell about every 0.1% gain in market share, but I see no sign of a significant move away from IE by corporate decisionmakers.

I would scrap the entire codebase of IE and start with an entireley new one ...

Except that this exploit isn't in the IE codebase, it's in the VML codebase. Microsoft's security fuckups are not localized to IE by any means — they pervade their OS, their libraries, and their applications. IE only gets the blame because it's the application that serves as the main conduit to the web, where most of the malicious software lives. If Microsoft takes the "scrap the codebase and start over" approach, they're basically going to have to throw out every piece of code written in the last 10 years. Yeah, I know what you're saying, "That sounds like a good idea." But not economically feasible.

Re:No surprise

[Doyle]

change the name so the product gets a new start at life.

They have!

It's now called Windows Internet Explorer. ;-)

Re:No surprise

[ArtStone]

Not to mention if you forgot a closing </table> tag, Netscape 4.x went into a CPU loop and/or would not render the entire table...

Sure, in a perfect world everyone would validate their HTML, but most of us live in the real world.

Re:No surprise

[spatial-the-hedgehog]

call it Vic the Vista internet client (or Voom sounds better)

Let's not go into the naming sector of things. Not that Dilbert couldn't manage to pull through the dreaded Product Naming Project, but because Vista already means 'chicken' in Latvian -- and who knows what Vista Vic and Vista Voom might end up referring to in some more obscure foreign languages?!

easier solution

[User+956]

The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

It can also be mitigated by using firefox.

Re:easier solution

[MadMidnightBomber]

It can also be mitigated by using firefox.

Screw that! I'm going back to "telnet www.google.com 80"

And I'll do that within a VMware image running from a Live CD.

Re:easier solution

[Timesprout]

sure, javascript errors sorted

Re:easier solution

[nmb3000]

Blah blah Firefox

I suppose now is as good a time as any to ask a question.

I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.

Are there any ways to reduce the time to load firefox? I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory. Is this possible? I like a lot about Firefox, but it's startup time and the GUI's "feel" have kept me using IE.

Thanks for any suggestions.

Re:easier solution

[shodai]

There are many IE lookalike skins/themes available for Firefox. FF does have a fairly slow initial loading time, but I think it's only the first time it loads during that session, otherwise it's near instant. There are several tweaks available also, but i've never looked into anything dealing with launch delays.

Re:easier solution

[mrbcs]

Buy more ram. Firefox will take longer to load the first time till it's in memory. IE "loads fast" because it's right in the windows code base. That is also why there are so many problems with it. Since it's tied to the OS, if the browser has an issue.. the OS has an issue.

I use Netscape 7.2 and yes, IE blows it away for start up time. Once I load Netscape the first time, any other time I load it it's almost instant because windows doesn't release the memeory that it's stored in. Doesn't hurt to have a gig of ram either.

Try it. It's way safer and only a slight delay after a reboot.

Re:easier solution

[canadiangoose]

Well, you could put a link to it in your 'startup' folder and modify the properties of the link to start Firefox minimized. I'm not sure how you could keep a constant copy loaded in the background as I'm assuming IE does. As for the interface, you can get skins for Firefox that look almost exactly like IE.

Re:easier solution

[Jerf]

I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory.

There is a folder in your Start Menu labelled "Startup" (or something similar). Drag a copy of the Firefox shortcut into that folder. It will now load when windows loads. Don't close it.

If you're worried about taskbar pollution... well, you're using the wrong OS. (Or the wrong window manager, anyhow, but my experience is that certain basic assumptions about how Windows works are so deeply embedded into the Windows environment that alternate shells are usually pretty unsatisfactory.)

Re:easier solution

[sporkme]

Fasterfox makes firefox load pages more quickly through various methods.
The Firefox Tweak Guide has many options for about:config and other tips for improving your specific experience.
Firefox Preloader will make Firefox load more quickly by making Firefox do the same thing Internet Explorer does. Firefox will use system resources before being specifically called. The application will remain resident in memory like IE does, waiting for you to click the little fox. In this way, IE loads faster but slows overall system performance.
How to use UPX to speed it up a little is what this article can tell you. Probably not the best way to go about it, but I have implemented this method on my HTPC.

It is VERY important to realize that the few seconds you wait around for the initial loading of Firefox are quickly surpassed by the lag you experience while using Microsoft's Explorer. Firefox ignores many advertisements right off the showroom floor, but can be configured to show NEARLY NO ADS AT ALL. FlashBlock, AdBlock, and NoScript will make your browsing much faster and cleaner.

Using Firefox, especially with these and other add-ons, will make your browsing incredibly secure. Explorer is left in the dust in comparison.

So the trade-off you seem to have made is this: A few seconds at load time in exhange for a combined several minutes waiting for ads to be displayed, just so you can fall victim to the shiny! new! IE exploit that seems to get barfed all over Slashdot once a week. This while using an underdeveloped, overpriced, practically featureless browser that has no database of expansions. Unless you are using the Vista beta (7 beta) you aren't even using tabs! Do you choose to commut on a horse? HOW DID YOU EVER SURVIVE THE PERMIAN MASS EXTINCTION? BAH! Why did I bother?

Re:easier solution

[MightyYar]

Yup... go here to install MinimizeToTray. MinimizeToTray enables the old "-turbo" option on the command line. Quit Firefox. Right click on the shortcut icon for Firefox that you use (mine is in the "Quick Launch" part of the taskbar). Click Properties. In the "Target" box you will see something like

"C:\Program Files\Mozilla Firefox\firefox.exe"

Add the -turbo option so that it reads:

"C:\Program Files\Mozilla Firefox\firefox.exe" -turbo

The behavior now is a little confusing... the first time you click the shortcut, it will not open a window. Instead, it will make a Firefox icon appear in the tray. This confuses the holy fuck out of my wife (rightfully). However, subsequent clicks on the icon will give you instant Firefox. To make it cleaner, you can put a copy of the shortcut in your Startup folder. I don't do this because I hate startup programs :)

Re:easier solution

[causality]

The reason why IE starts up so quickly is because the act of booting up Windows pre-loads IE in memory. When you click that blue 'E' icon (which points to an .exe file that is about 30k, as the rest is in DLLs which are already in memory), you're loading practically all of the program from memory, not the hard drive. This also means that whether you are using it or not, the amount of memory required for IE is always being consumed, even after you "close" it. Contrast this with clicking the Firefox icon, which has to read the executable off the hard drive and into memory prior to being able to run it. You didn't think the difference was due to IE being a leaner, more efficient program, did you?

There is a utility which will allow you to also preload Firefox in memory on Windows. Of course, this does not give you the ability to unload IE from memory (decoupling IE from Windows, to any degree, is problematic at best).

Of course, how much an extra 6-7 seconds of load time will impact you would depend on usage. Personally I often leave the same instance of Firefox running for days at a time and leave it minimized on a virtual desktop when it is not in use, but if I were really worried about this on a Linux box then I would use prelink.

Re:easier solution

[kestasjk]

Using add-ons like NoScript you can stop Firefox from executing JavaScript without your consent, but IE has this functionality built in. Using the Windows Live addon you can have tabs in IE too.

FF needs add-ons to remove JavaScript, IE needs add-ons for FF's tabs. The reason the IE seems more secure is that fewer people use it, those who do use it tend to be more computer savvy, and IE has bad default security settings (as is the Windows way). You can't really blame the IE team for this.

Re:easier solution

[cachimaster]

Good thing that i never go to the porn websites that may trigger th NO CARRIER

Re:easier solution

[imaginate]

Or you can just use Opera :)

Re:easier solution

[Hachey]

You sir, are hilarious. 'Do you commute on a horse?!' I cracked up so hard, I'm going to use that one (good heartedly) the next time I switch an IE user. ;)

Re:easier solution

[gumpish]

And which extension plugs the embarassingly large memory leak? I'd like to know.

Re:easier solution

[benplaut]

The darn terminal is clogging the tubes!

  gimmick:~ % telnet www.google.com 80
Trying 66.102.7.99...
Connected to www.l.google.com.
Escape character is '^]'.

and then it just stops...
no wonder the internets have been taking so long lately!

Re:easier solution

hmm, you are pretty wrong when saying IE is slow... at least on Windows
  it beats the hell out of Mozzila/etco at rendering and javascript etc.
  don't just assume Mozzila is better because is open source and such...
  yes, IE has bugs, but so what? Have you heard of workarounds?
  and Mozilla has plenty of bugs too

Re:easier solution

[codepunk]

Actually IE's java script engine is dirt ass dog slow. Mozilla smokes it by at least a factor of five when executing java script.

Re:easier solution

[Spliffster]

How can this be +3 insightful ?

"FF needs add-ons to remove JavaScript ... ", i beg your pardon ? since javascript was introduced in netscape, netscape and all it's siblings (read gecko based browsers) had an option to turn off javascript. You can even decide what to prevent (want no statusbar changes which are pretty anoying, turn that off). NoScript exists to give the user finer graned control.

"The reason the IE seems more secure is that fewer people use it, those who ..." IE is still the most used browser in the world.

" ... use it, those who do use it tend to be more computer savvy" IE is mostly used by the computer un-savy people!

Re:easier solution

[feepness]

I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.

Interesting, I just did a test. Firefox: 2-3 seconds, IE: 5 seconds. Of course, I was just using and closed Firefox and restarted it again so that probably had an effect.

Consider your productivity beyond just the startup though... for example, Adblock with automated updater removes almost all advertisement. When I use IE I think I'm going to go crazy with everything popping up. Also I almost never CLOSE firefox because with tabbed browing I just hit CTRL-T and I've got a fresh page in less than a second. There's far more to it than that, but I feel like I'm going back in time ten years when I'm stuck with IE.

But, hey, it's whatever makes you happy I guess. I suppose if everyone used Firefox+Adblock then more advertisers would figure out workarounds.. so... maybe I should just shutup now.

Re:easier solution

[masklinn]

Using add-ons like NoScript you can stop Firefox from executing JavaScript without your consent, but IE has this functionality built in.

BEEEP you completely and utterly missed Noscript's point.

First of all, Firefox does have Javascript blocking built in, and in a much more flexible way than MSIE (since in firefox you can remove Javascript, but you can also just forbid stuff such as moving and resizing windows, hiding parts of the interface such as the toolbars, modifying the content of the status bar or replacing/removing context menus).

Second, the point of noscript is to be able to accept/ban javascript execution on a per-domain or a per-script basis, and either forever or for a session. This is something that Internet Explorer doesn't even come close, and probably won't in a million years.

FF needs add-ons to remove JavaScript

Idiot.

You can't really blame the IE team for this.

Of course you can, who else would you blame for idiotic default settings, Jesus?

Re:easier solution

[Opportunist]

Hmm? You close your Firefox? Why?

Re:easier solution

[SharpFang]

I'm not sure if you realize why IE loads fast.
IE loads fast because Windows load slowly. IE loads for about 10 seconds, before the desktop appears. Once you click the blue e, you just open a small executable that tells the system to open a new browser window. If you see "start" button, it means IE is already loaded, it's the same program only called with different parameters.

As others suggested, dropping Firefox into the startup folder gives about the same result - its load time extends Windows load time. Clicking the fox icon simply tells it to open a new window instead of loading from scratch.

Re:easier solution

[smash]

Try typing in something like: get http://www.google.com/ HTTP/1.0 into the terminal window :D

Re:easier solution

[rylin]

Sadly, you're bullshitting.
The only thing preloaded for IE when windows starts is the GUI controls and the common-controls (dialog boxes such as print).
The IE/mshtml stuff gets loaded:
a) If you're starting Explorer (not in shell mode, but as the browsing component) with web-functionality (single-click folder change or common tasks)
b) When you load IE, go to a web address with Explorer, or load an app utilizing mshtml

That said, those dlls are kept in memory after that point, but please give up the fucking bullshit.

Re:easier solution

[huge+colin]

I still use IE as my default browser, simply because it loads *fast*.

Do you also just go in your pants instead of walking to the bathroom? That's faster, too.

Just because it's faster doesn't mean it's the best way.

Re:easier solution

[angulion]

Try entering:
--------------------
GET / HTTP/1.1
Host: www.google.com:80

--------------------
No dashed lines, but an extra enter at the last line.

There - Google in all its glory for you.

Re:easier solution

[angulion]

IE doesn't really "load fast" as it is already mostly running if explorer is (always), so it is more of a "Open new window" operation.

Something I found that might help you:
http://sourceforge.net/projects/ffpreloader/

It is a preloader that you run at windows startup and that is supposed to reduce FF startup time (can't confirm as I don't use it).

Re:easier solution

[suv4x4]

Fasterfox [mozdev.org] makes firefox load pages more quickly through various methods.
The Firefox Tweak Guide [tweakfactor.com] has many options for about:config and other tips for improving your specific experience.
Firefox Preloader [sourceforge.net] will make Firefox load more quickly by making Firefox do the same thing Internet Explorer does. Firefox will use system resources before being specifically called. The application will remain resident in memory like IE does, waiting for you to click the little fox. In this way, IE loads faster but slows overall system performance.

Since I use Firefox out of necessity (nice developer features), I've tried all of those.

Not only they don't speed up little, if anything, but that cause a bunch of problems.

Fasterfox tweaks your browser to work in a way non-compliant to HTTP, doesn't decrease resource usage or startup times. I've noticed no faster experience too.

The Firefox Tweak Guide is not something a casual user would tyr, but even if we forget this, it doesn't offer you to tweak anything else Fasterfox won't (pretty much).

The "preloader" causes slower Windows startup, obnoxious taskbar icon, inability to update Firefox without jumping trhough multiple hoops, no faster startup, more system resource usage and requirement to exit from Firefox in a "special" way so not to unload it.

No thanks.

Re:easier solution

[EvilMonkeySlayer]

You use Netscape 7.2? What are you, a masochist?

Re:easier solution

[nra1871]

In what way does IE render better?

Re:easier solution

[mrbcs]

What can I say? It works and I like it. I've had way too many problems with Firefox. It just doesn't want to work for me. Netscape is basically the same code and has worked perfectly for me since 7.2 came out. More than I can say for any other browser actually.

At least I'm not using 4.08. (I still have it on my system for laughs.)

Re:easier solution

[99BottlesOfBeerInMyF]

I still use IE as my default browser, simply because it loads *fast*.

That is such an amusing statement. I mean, how often do you restart programs and why? My Web browser has been running for six days, since it crashed when I found a fun new bug in some weird javascript I was developing. Previous to that it was running for a few weeks (I had to restart to install some updates). It is not uncommon for my browser to be running for a month or more. It could take two minutes to start and I really wouldn't care much at all.

I suppose the difference is I use an operating system with both reasonable reliability and fair multitasking. As a result, there is no reason to close my browser. It does not leak memory and if it did the OS would clean up after it. If it is idle in the background or not in view, it has very low priority to resources so there is no reason to shut it down if I'm playing a game or using some resource intensive application. My portable sleeps instantly when I close it, so there is no real point to shutting it down, unless I plan to leave it unplugged for the week it takes to run down in sleep mode. The fact that this criteria even matters to you is most likely a sad commentary on the state of your OS of choice.

Re:easier solution

[88NoSoup4U88]

I don't do this because I hate startup programs

And because you love confusing the fuck out of your wife ;)

Nice tip btw, as it's been one of the few annoyances Firefox has been giving me.

Re:easier solution

[Ant+P.]

Fasterfox makes pages load faster in a way that's forced me to block all fasterfox users from my server. Requesting the same image thirty times on each page does not speed up your browser, despite what you might think.

Re:easier solution

[ChoGGi]

install a ramdisk
install firefox to it then tar the firefox folder
make a script to copy/extract the tar on startup

Re:easier solution

[MightyYar]

And because you love confusing the fuck out of your wife ;)

Don't get her started about my use of the Dvorak keyboard :)

Re:easier solution

[RobertLTux]

hey I WALK TO WORK you ignorant clod

Re:easier solution

[shiyun074238]

Turning off Javascripting is no longer a valid mitigation.
A valid mitigation is unregistering the VML dll.
Read this
Not having VML support is not a big deal as not many websites use it.

javascript

a lot of commercial sites wont work with JS enabled these days, what a shame.

Re:javascript

[Agelmar]

I have rarely seen a site that won't work with JavaScript enabled. I'm assuming you meant without JavaScript enabled...

Re:javascript

You don't know what you're missing with Javascript enabled. There's a whole noscript world out there ready to explore and enjoy.

Fine

[omeg12121293]

My IE is fine and dandy over here

Let's help users move away from IE.

Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.

It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary.

The only reason I can think of is ignorance. But even then, most people likely know somebody who could help them install Firefox or Opera for the first time. Maybe each one of us should pledge to tell one other person who isn't aware of the alternatives about them. Make a pact with that person: if they are pleased with their new browser, or it keeps their Windows system free of malware, have them tell one new person about Firefox or Opera.

Very rapidly, many people will be able to find out about the alternatives, and it'll benefit us all. Us geeks won't have to help relatives and friends with their malware-infested systems. Those users won't have to ask us to help them, or in the worst case, call the Geek Squad or otherwise bring theirs systems in for expensive and inconvenient "decontaminations" (often performed by fools). Plus the private data of those users is far more safe. In short, we all benefit.

Re:Let's help users move away from IE.

[Nimey]

$ORK has a semi-custom intranet app that requires not only IE but ActiveX and (wait for it) the MS Java runtime. No, I don't know what adulterated crack they were smoking; it was before my time.

I've tried to switch users from IE to FF. It's been more successful with the ex-Netscape users, 'cause I can sell it and T-bird as a direct upgrade. Some people need Outhouse's calendaring features, and some people just can't cope with certain webshites not being compatible with FF, and other people just think that Microsoft writes the best software (whether it's from ignorance or just being used to MS products, I don't know). Personally I wish we'd have a Policy that forbids using Intestinal Expander (for security reasons, of course) that I can point to once I've disabled their access with Group Policy, but $DEPT has had a reputation for being jack-booted thugs that management is trying to escape.

Re:Let's help users move away from IE.

[soxos]

It's been said before, but I'll link you to it again. IETab for Firefox will allow users to register sites to use (or open arbitrary tabs) using IE. It's still using IE to visit those sites (through the magic of imbedding) but at least you get your users to get used to Firefox. Then just install cards extension and show them adblock and you may find them as converts. http://ietab.mozdev.org/

Re:Let's help users move away from IE.

[Z34107]

People start with IE because it's the Windows default.

People stay with IE either becasue:

• They don't care
• They like it

If they don't care, why should we? It's their computer that they're leaving vulnerable, after all. Besides, Firefox is starting to lose it's most difinitive advantage over IE - as it's popularity is increasing, so is the number of security vulnerabilities found, rivaling and even surpassing IE month to month.

Any differences in "speed" are pretty much a wash, too. Internet Explorer definitely starts faster, but it's integrated with the shell. Firefox uses an ungodly amount of memory and leaks it like a sieve. IE7 waits until it has the page 99% rendered before actually drawing it; Firefox will start drawing immediately, piece-by-piece as the site's downloaded. (Both, in total, seem to take the same amount of time.) ActiveX is known for being full of holes, but at least they try to sandbox it - Firefox extentions just blindly run native code.

Point is that as the differences between the browsers are diminishing - Firefox has forced IE to innovate and comply with standards and more and more pages are designed for Firefox and non-IE browsers. But, the security differences between the two are diminishing, and IE7s interface is cleaner and snappier now, IMHO.

Save the digivangelism for something more important than "Firefox isn't Microsoft." In Vista especially, IE is next to bulletproof - a reworked Windows kernel runs it within a virtual machine of sorts - and IE+Aero Glass has a much cleaner and prettyfuler interface. Use your browser of choice, but with alternatives and a little healthy competition forcing some new life into the browser world, there's fewer reasons to pick one over the other.

Re:Let's help users move away from IE.

because their vulnerable computer, once part of a botnet, can be used to help attack our computers.

why should we get our friends to fix the brakes on their, car? afterall, it's their car, right?

Re:Let's help users move away from IE.

[msobkow]

It's rare these days to find a public site that depends only on IE.

I guess you don't download updates for video games. Several such sites mandate IE, and look like absolute crap in any other browser. Some won't let you download updates with anything other than their IE plugins.

Re:Let's help users move away from IE.

[Z34107]

Not exactly an apt metaphor - a botnot can't kill you, and you would only be affected if you didn't have a virusscanner/firewall/security combo. (Even Windows has a firewall now!)

Re:Let's help users move away from IE.

[Jedi+Alec]

Not exactly an apt metaphor - a botnot can't kill you, and you would only be affected if you didn't have a virusscanner/firewall/security combo. (Even Windows has a firewall now!)

Oh indeed, and that's gonna be a lot of help when script kiddie x starts to dDos your personal machine/website/irc servers.

Re:Let's help users move away from IE.

[smash]

A firewall, even if it rejects packets, doesn't stop them hitting it.

They might not kill *you*, but it's quite feasible they'll kill your bandwidth, your bandwidth usage quota, your mailbox, etc...

Re:Let's help users move away from IE.

[cortana]

Such as?

No game I have ever played demanded the use of IE. Gamers are more likely than the average user to have customised their PC with non-default programs such as Firefox, so I find it hard to believe that game publishers would chop off a large proportion of their market in this way.

Re:Let's help users move away from IE.

[huge+colin]

If they don't care, why should we?

Widespread poor security practices are bad for the general health of the network.

Re:Let's help users move away from IE.

[bronzey214]

"It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary." Ever try to use Microsoft/Windows Update in Firefox? For that matter, ever try to do ANYTHING on Microsoft's webpage on Firefox? Sooner or later, you're going to get a page saying "This page can only be displayed using MS Internet Explorer 5.0 or above." ...or something like that.

Re:Let's help users move away from IE.

[0racle]

Firefox stops DDoS's now too? IE is the only way to infect a machine?

Re:Let's help users move away from IE.

[Luscious868]

Save the digivangelism for something more important than "Firefox isn't Microsoft." In Vista especially, IE is next to bulletproof - a reworked Windows kernel runs it within a virtual machine of sorts

Oh please! I'll take that bet in a heartbeat. Given Microsoft's track record I'd wait until the product has actually been released for a sufficient amount of time before making such a bold statement. It may be bulletproof in theory, but as we all should know by now there is probably next to no chance that it will actually remain that way once Vista gets a sufficient enough market share so as to attract the attention of the black hats.

Re:Let's help users move away from IE.

[Ant+P.]

Stop making strawman excuses.

Re:Let's help users move away from IE.

[K-074512]

people who are using windows are lazy to migrate to other browser...wait until they realized that they are vulnerable to threat or they've been hacked, just then they will find or using other browser... but then it will be too late...
i'm wondering...is it possible that the crackers and virus writer is trying to educate internet users about security???

Re:Let's help users move away from IE.

[danpsmith]

Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.

People use IE due to a variety of factors, I know because I help these people:

1. It's the only thing installed. Many people, believe it or not, don't even know how to install 3rd party applications, unless it's a set of screensavers that will give them a handful of trojans.
2. They don't know it even exists. Many people assume that not only is IE the only browser, or just about the only browser, but they possibly think that you have to use it, or in the real edge cases, that IE is the Internet in some way.
3. They don't recognize IE as the problem. Many people think that they need better virus scanners, better spyware protection, etc. and they blame the spyware, viruses, and trojans they encounter on not having these 3rd party pieces of software.

My honest suggestion on this, is to get the word out. Everytime you encounter a computer loaded with crapware take the time to introduce them to firefox, show them how it's pretty much just like IE, tell them how it's not as easily exploitable. Download it and install it for them, ask them if they want it as their default browser. Most people couldn't care less. Explain to them how IE is loaded with bugs and that it's not typically (except in super lame users that like to download weirdo screensavers) their behavior but the browser they are using. I personally used to have a boatload of issues with spyware due to the sites I was visiting with IE a few years back. I got firefox and magically the problems disappeared. I tell this story anytime anyone asks what is causing the spyware and using IE as their browser at the same time.

For the people that don't read slashdot or aren't technologically aware, you must realize that their sources of information are TV, newspapers, magazines and word of mouth. They aren't tied into the Internet the way you are, and they are only going off of what they had heard from these sources. In most cases, these sources are very unreliable on the things they tell consumers or they print for people to read in the paper. People believe that spyware, malware, and viruses are inherent computer problems that will always arise regardless of software or system, and the only way they can prevent them is by buying off the shelf products at their local bestbuy.

While you are at it, if they ask for another install of that Microsoft Office, or pirated Office or whatever they want, suggest OpenOffice and other alternatives. You are their source of info, so be a good one and explain all these things without condescending.

Re:Let's help users move away from IE.

[msobkow]

No game I have ever played demanded the use of IE.

Where did I say the game required IE?

It's the game websites that require IE for the D/L manager/queuing systems in order to download updates and add-ons.

I *only* use IE to run Javascript and ActiveX

[billstewart]

If I'm using IE, it's because I'm trying to access some site that uses ActiveX or uses Javascript in some IE-broken way, mainly doing tricks that the people who write the HR apps at work think are "useful", or one of the online web-based conferencing systems we or our customers use.

If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.

Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.

Re:I *only* use IE to run Javascript and ActiveX

[wirefarm]

You might want to point out to management that HR is opening up a security risk to the company by requiring that you use software that opens up numerous security holes.

In effect, it's not much different than if they required you to rent a spare room in your house to a crack-addicted violent sex offender.
Sure, IE gets "patched" now and then, but crack-addicted violent sex offenders do stints in rehab, too. Doesn't mean I want them around in between...

Yes, you may quote me on that.

Re:I *only* use IE to run Javascript and ActiveX

[ottffssent]

Virtual machines are your friend. VMware Workstation is free, and it's pretty easy to set up a vanilla Windows install that will roll back to a snapshot when you're done using it, ready for its next dose of abuse. Perfect for doing dangerous or stupid things, whether in IE or not.

Re:I *only* use IE to run Javascript and ActiveX

I've been acting in the next mode since several months: if a certain web only loads in IE, then that web doesn't interest me. I'm happier now.

Re:I *only* use IE to run Javascript and ActiveX

[dudeyman]

VMware Player (and Server) is free. Workstation is not.

Re:I *only* use IE to run Javascript and ActiveX

[ottffssent]

Er, yes. You're right. I meant the free not-Player app, but the wrong word came out of my mouth. Server lacks some of the new features of Workstation, in particular the USB toys, but is otherwise quite useful.

Also note EMC gives away quite a few Workstation copies at their various gigs, if you happen to be in or near a big enough city to cheaply attend.

You know...

[dexomn]

You can't blame the vm if the browser is responsible.

Re:You know...

[abigor]

Javascript has no virtual machine. It is not Java. The two languages are unrelated.

Re:You know...

[republican+gourd]

Not *entirely* true. Javascript (perhaps originally even) has some hooks to try and dig functionality out of actual Java Applets - code can be passed back and forth between them. But this was back from the bad old days when everybody thought that Applets would be the way of *everything*, when in fact it turns out they are just good for making spinning cubes and water effects and such.

Re:You know...

[porkThreeWays]

I think naming it javascript was perhaps the worst naming decision of anything since colon blow. I've had to explain the difference so many times I'm tired. It's not even like the cracker/hacker mixup where you can fool yourself into keeping quiet. The languages almost nothing to do with each other and would be like someone mixing up a whale and a rhino.

russian bastards

[darkchubs]

russian bastards

Re:russian bastards

Did they kill your son?

Oh wait, that was Klingons.

Anyway, I'm sure the needs of the many outweigh the needs of the few.

Or something like that.

Re:russian bastards

[Zaatxe]

In Soviet Russia, the IE exploits the malign javascript!

Two browsers...

[HatchedEggs]

This is the reason why I have two browsers... I use IE7 and Firefox, and if an exploit pops up, I can switch to the other until it is plugged. I generally prefer to use IE7 and keep the Firefox for back-up.

Of course, there are also tons of other browsers out there.. but I recommend to everyone to have two so that they can move to the other when an exploit is found in one of them.

Re:Two browsers...

[dexomn]

The question is: Are you going to get 'owned' before you know there is an exploit?

Re:Two browsers...

[Schraegstrichpunkt]

Of course not! Exploits don't exist until somebody announces them publicly!

Re:Two browsers...

[HatchedEggs]

Ahh, well that is always the problem, and it could happen to any browser.

Many exploits (though not all) are revealed before they are in the wild. Not all of course, but one has to accept a certain amount of risk. One should definitely take as many security precautions as possible.. but there will always be some risk.

Re:Two browsers...

[masklinn]

You could also just use Opera, very few exploits are found for that one.

Re:Two browsers...

[packeteer]

Unless you obsessivly follow exloit trackers you wont be informed for most exploits of any programs IE and firefox both. You can't just say "well i trust it untill its proven unsafe" when its something important like your computer security which leads to your identity security.

Re:Two browsers...

[Derek+Pomery]

A significant number of recent exploits, possibly this one too, actually, impact IE7 as well.

Re:Sorry, has to be done...To kdawson

[cloricus]

I blame kdawson...Please for the love of god learn formatting!

I realise you are new and it's probably hard though more effort is required! Don't post crap, and don't spam up the crap you do post with extra lines and pointless links and and and and and...Just be CmdrTaco or Zonk then there wont be a problem! It's getting annoying reading /. while you are editing it. :( (Watches karma playfully slide around in the mud from this comment.) Also welcome to our favourite IT news site. ;)

Re:The power of Open Source

[dosius]

You confuse Java and Javascript. Javascript comes from Netscape, not Sun, and it's certainly open source for the Netscape implementation (GPL even!). So "whatchu talkin' 'bout Willis?"

-uso.

Moo

[Chacham]

Zero-Day Slashdot
Posted by Chacham on 10:45 PM -- Monday September 18 2006
from the zero-day-is-overused dept.
[ Slashdot ] [ Teenagers ] [ Slow News Day ]
Chacham writes to tell us that an old zero-day Slashdot exploit has been found again and again and again. It looks to be a bug in all browsers. This comment notes, "The bug is in the Submit Story link, which is apparently easy available in the side bar."

No patch has been released. Story posters are standing by.

Re:Moo

[iknowcss]

This is one of those comments where I wish I had a sock puppet account. One to mark this comment as funny, and one to mark it as insightful.

No, you need to blame Javascript too.

[billstewart]

Java was designed with a heavy-duty security model, using sandboxes and virtual machines and such to make sure that you could safely download code from other sites and run it, and while it's probably possible for somebody to come up with some implementation bug that lets you outside the box in ways that are exploitable, it's basically been solid since it came out, because it was designed to be safe.

Javascript was designed to be lightweight, friendly, and convenient, and almost anything related to security was later bandaids applied to the gaping wounds. It's possible and easy to write perfectly safe Javascript, but that's unfortunately totally irrelevant because it's possible to write Evil Javascript as well - so anybody who wants to run your "Safe" Javascript has to leave Javascript turned on for the Evil Javascripters as well.

IE does theoretically have a "security zone" mechanism that lets you identify trusted sites, so you can theoretically allow it to run purportedly-safe Javascript from people you trust while not running it from people you don't trust, but that's an annoying hassle. It'd be much safer if they'd built "WimpyScript", designed to be absolutely safe even if all it lets you do is make stuff flash decoratively when you wave a mouse at it; I guess CSS is as close as we get to that. PDF used to be safe, back when all it would do would be display static black or colored marks on virtual paper, but now it's helpfully willing to open web pages and run programs on your PC too.

Re:No, you need to blame Javascript too.

[homerjfong]

Don't be silly. The problem is implementation, not the language itself. The language was designed to do things like open windows, add popups, and manipulate strings. The reason there are security holes is that it was implemented as a fully-priveleged com service, as was IE (via shdowvw). Basically the problem is that Javascript in IE can do anything that IE can do, and that IE can do just about anything, including installing software and monkeying around with files. It's possible to implement IE and Javascript in sandboxes just like you describe java. That's why (for the most part) Firefox is ok. It's only when FFX uses some core windows libraries (like WMF) that it gets into trouble. Now: it should be said that this isn't. strictly speaking, Microsoft's fault. They built a very open. flexible system, which was subsequently exploited by a lot of people who want to do you harm. Nevertheless, in the modern internet environment, they should really lock down what they're doing.

Re:No, you need to blame Javascript too.

You can disable Java Script in Adobe:

Edit ->Preferences -> Javascript ( in categories seciton) -> uncheck the box called " Enable Acrobat Javascript"

Re:No, you need to blame Javascript too.

[AnarkiNet]

But, its a "damned if you do, damned if you don't" situation for Microsoft. If they had "locked down" anything, people would be barking up their tree about lack of interoperability.

Re:No, you need to blame Javascript too.

[Ucklak]

No, it stems from the fact that they tied explorer into IE.

They wouldn't have been damned if they didn't, they just would have had to compete on merits instead of pushing product.
ActiveX is what really kicked Netscapes ass because that is what the masses liked, not IE's implementation of JS.

Re:No, you need to blame Javascript too.

Java isn't even secure. The only way to have a 100% secure web browser is to use a text browser with no scripts. Maybe that is what we need to, go back to using text browsers. Web sties shouldn't be using images let alone animations,music,fonts, or any kind of programming. A web page should only consist of markup language and text, nothing more. The markup language should only deal with hyperlinks, text styles such as bold, underline, etc., text input, and maybe colour. The files should only be saved, not run from the web browser with text based files being the only exception.

Re:No, you need to blame Javascript too.

[Don+Giovanni]

Couldn't some future browser (hopefully written in c#/.net/mono/cocoasharp) support only allowing per site scripts? Wait a minute! Firefox has the noscript extension, which never allows any javascript except those you explicitly allow.

D'oh!

Re:No, you need to blame Javascript too.

[joe90]

Don't you mean switched off and encased in a few cubic meters of concrete?

There is no such thing as "100% secure".

Re:No, you need to blame Javascript too.

[porl]

actually, what 'kicked netscape's ass' is the fact that you didn't *need* to download netscape... you already had a browser that the majority of other people used, so why download another one? by the way, i despise the fact that this was done by microsoft, in case you think i was arguing in favour of ie...

Re:No, you need to blame Javascript too.

[Beryllium+Sphere(tm)]

>The only way to have a 100% secure web browser is to use a text browser with no scripts

http://old.zone-h.org/advisories/read/id=8276
https://rhn.redhat.com/errata/RHSA-2003-029.html

I'd suggest telnet to port 80, typing in GET commands, and reading the HTML. But then someone would embed the nam-shub of Enki and you'd be even worse off.

Re:No, you need to blame Javascript too.

[masklinn]

ActiveX is what really kicked Netscapes ass because that is what the masses liked, not IE's implementation of JS.

Uh, no, what "kicked Netscape's ass" is that

• With IE on your box, you didn't have to download netscape in the first place
• Netscape 4.7 was a slow ugly, buggy, crash-prone piece of shit
• Websites looked better in IE.

In a word, what killed netscape is that MSIE was, at the time, a much better browser than Navigator

Re:No, you need to blame Javascript too.

[ocelotbob]

I would say that JS needs to distribute the various calls in terms of security/privacy impact more than anything. There are certain things that are nice and harmless in the spec, and certain areas that are more like satan in computer code. The problem with noscript is more that it is an all or nothing sort of approach, which honestly discourages people from playing nice -- it puts all code in the same basket of evil. If noscript were more of a code-level app, it would be assloads more useful, and would make auditing suspect code a lot easier.

Re:No, you need to blame Javascript too.

[DagdaMor]

Overpowered HTTP, use GOPHER.

Re:No, you need to blame Javascript too.

[molarmass192]

Don't underestimate the power of your first point "IE on your box". Ask any media player vendor, disk defragmenter, or email software vendor the power of having that luxury. NS may not have been as good as IE at the time, but it wasn't so much worse as to explain the massive shift in user mindshare.

Re:No, you need to blame Javascript too.

[Shaper_pmp]

There's nothing wrong with the Javascript language.

Various implementations of it have been buggy, but this is the fault of the browser-writers.

And IIRC, some of the worst security problems for Javascript have been a direct result of Microsoft extending it into JScript, giving it access to the filesystem and OS and trying to turn what was a nice, safe harmless web-scripting language into a full-permissions do-what-the-hell-you-want desktop scripting language, without (surprise!) paying enough attention to security.

XSS is the only thing that really stands out as a "javascript" problem, but technically that's caused more by whoever wrote the server-side code responsible, in whatever language they wrote it.

Re:No, you need to blame Javascript too.

[Shaper_pmp]

Security != interoperability.

For an extreme case, look at all the public-key cryptography apps out there. They all interoperate, and yet offer great security.

I'm going to take a punt and guess that either you didn't think that through, or you're not really a developer with any experience of the kind of things you use Javascript for.

Re:No, you need to blame Javascript too.

[It's+all+Krista's+Fa]

No, it really was.

I never made the migration to 4.7 for years because it was such a POS. The first betas of Mozilla were an improvement, and that entire codebase got scrapped.

Re:No, you need to blame Javascript too.

But from the consumer's point of view (the consumer who just wants to install the OS and have the stupid thing work without having to screw around with other apps and their (possible...likely...certain) interoperability issues) having the browser "already on the box" (because, face it, of the gazillion people who buy compters every year relatively few are into anything more than just wanting to surf the 'net...) is akin to buying a new car and expecting there to be a radio in the dash (even if it's a crappy radio) -- if you hopped into your new car and found, when you reached to turn on the radio, a blank faceplate inscribed "Install the radio of your choice here" you'd have a cow right then and there (and if you didn't, the cow would show up when you called the manufacturer to complain and they tried to "spin" the lack of a "built-in" radio as a "feature" that allows you the "freedom" of choosing your own...)

Re:No, you need to blame Javascript too.

[Ucklak]

Websites coded to standards looked identical on Netscape 4.0 and IE 4.0

Websites coded to MS standards looked better in IE4 - and that is what kept the weight in MS' court.
All the fun and media based content woked on IE4.

In the Enterprise, Java was 1000% better in Netscape than it was in IE as MS-Java was a POS.
Ask anyone supporting the Insurance industry and University. Netscape 4.x was the platform to use.
Even as late as 2000, Netscape 4.7x was demanded to be used over IE in the insurance industry.

Re:No, you need to blame Javascript too.

[Aqualung812]

Don't forget Netscape RELOADING every time you resized the page. On 14.4 or 28.8, that blew.

Re:No, you need to blame Javascript too.

[ultranova]

NS may not have been as good as IE at the time, but it wasn't so much worse as to explain the massive shift in user mindshare.

Oh yes it was. Netscape Communicator 4 was truly horrible in every respect, and a huge step backwards from Navigator 3.

Re:No, you need to blame Javascript too.

[Don+Giovanni]

The nice thing about c# is that if someone did code a web browser in it, a plugin could be written in any language that supports msil, and be compiled into the code, afaik.

Re:No, you need to blame Javascript too.

Don't you mean switched off and encased in a few cubic meters of concrete?

There is no such thing as "100% secure".

Read what I wrote "100% secure web browser" That means it won't have spyware issues nor will it have cookies. The only way to make such a browser less than 100% secure is to have fucktards like you that is too stupid to even exist let alone use a computer use the software.

IE expliots

[sporkme]

For a long time now, I have been sick of reading about IE exploits. When I was a retail repair tech, these could mean an extra buck or two for the next few weeks. The only real news about internet browser exploits comes when browser != iexplore.

Does it really matter anymore?

[diablo-d3]

If the stats on my website are any indication, there are more Firefox users than MSIE users. Since the beginning of September there have been roughly two times as many Firefox users as MSIE users, over almost 159k visitors.

IE on VM

[coobird]

It seems like we're getting to a point where probably the only safe way to be surfing is by using a browser on a sandboxed virtual machine environment.

I'm not trying to point my finger only at Internet Explorer, but with security holes that can allow code execution, that's pretty scary. (And another case of buffer overrun? Maybe they ought to rewrite IE as managed code, but that's another topic all together.)

Re:IE on VM

[ettlz]

Good idea to protect the system, but what about all the valuable personal information that flows through browsers these days?

Re:IE on VM

Or you could just disable scripting, rendering the majority of browser exploits harmless. You have to decide if allowing sites to hide your status bar, 'pop-up' windows without chrome and generally break the web (__doPostBack()) makes up for a total lack of security.

Given the choice between dancing pigs and security, people will choose dancing pigs every time.
-- Ed Felton

Oh that's perfect

[internetstruck]

"Zero-Day IE Exploit In the Wild" And I learn of this on the day I start surfing the web with Internet Explorer because I got my new computer and had to head over to mozilla.org to get Firefox. I hope the folks over there don't take advantage of all of the Internet Explorer users huh?

IE7?

[Kaenneth]

Is the IE7 Beta/RC/whatever currently out affected?

I thought ...

[tomstdenis]

"zero-day" meant you have something effective before release, e.g. "zero-day keygen" means you have a keygen that works before the product goes retail such that on the first day of distribution people can use it.

Clearly IE has been "out for a while" so you can't make a zero-day for IE.

Tom

Re:I thought ...

[smash]

This is zero day, because it exploits a flaw before it has been reported to (or fixed by) Microsoft :)

It's not IE that's zero day, it's the exploit...

Re:I thought ...

[BeeBeard]

No, but you're close. "Zero day" is a term of art in the warez and virus writing communities. Here it just means that the exploit was released the same day as information about the vulnerability.

Re:I thought ...

[jschottm]

I thought "zero-day" meant you have something effective before release

In exploit terms, n-day means the number of days after a fix is released for the problem exploited by the attack. Most notable worms of the past have been n >= 1 (often much more) attacks - either someone deduces the flaw based on the patch release or the flaw was already known but only guardedly used in order to do high level target attacks while it was still unknown to the public.

Zero day refers to attacks that are released before the flaw is publically known. It's based on the specific flaw, not the application in general. Zero day attacks are nasty on two fronts - first, no one has specific protection or detection available for it, second, as mentioned, they are sometimes used on very specific targets. There was a recent string of what appears to be industrial espionage where very specific people have been sent MS Office attachments with previously unknown exploits in them.

Re:I thought ...

[NearlyHeadless]

From http://en.wikipedia.org/wiki/Zero_day

"Zero-Day exploits are released on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit. The term 'zero-day exploits' is sometimes misused to indicate publicly known exploits for which no patches yet exist."

The misuse of "zero day" in this article and "back door" in the Adobe article bother me more than the existence of the exploits themselves! Silly, perhaps, but true!

Re:I thought ...

[smash]

Hrm, regardless of what wikipedia says, i take 0 day to mean "zero warning"... whether it's out before the vulnerability is made public (which it kinda is anyway, by way of the exploit being out for it :D) or at the same time, the end result is the same...

Re:I thought ...

[MadMidnightBomber]

"zero-day" meant you have something effective before release, e.g. "zero-day keygen" means you have a keygen that works before the product goes retail such that on the first day of distribution people can use it.

"Zero-Day exploits are released on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit. The term 'zero-day exploits' is sometimes misused to indicate publicly known exploits for which no patches yet exist." [reference].

Now, I'd be sympathetic if you said it was a sucky term, but that's the accepted usage for better or worse.

Re:I thought ...

[marcushnk]

That's how I see it as well.

My two cents...

[Antony-Kyre]

Internet Explorer users should know by now not to surf with Javascript enabled. Disable it and add trusted sites to the "Trusted sites" list.

Re:My two cents...

[shird]

You do realise that would result in *less* security? The 'Trusted Sites' zone has far less security restrictions that the 'Internet' zone.

What you propose would require people to add the likes of Slashdot and Hotmail to the 'Trusted Sites' zone to function correctly. This effectively gives such sites far more access than you would probably like, much more than without playing with your 'zones' at all.

thats a daft proposal.

Re:My two cents...

[Antony-Kyre]

Hotmail yes, because I believe Javascript is needed to click on some of the links, like for the folders.

Slashdot, no. Slashdot works fine without Javascript.

You don't have to pour a bunch of sites into the Trusted sites category. Only the ones that you are positive are safe and constantly use that REQUIRE javascript.

Re:My two cents...

[NewToNix]

Slashdot, no. Slashdot works fine without Javascript.

Unless you click the "I am willing to help test Slashdot's New Discussion System." box...

Re:My two cents...

[Antony-Kyre]

I don't know what that is like, but if it requires Javascript, I hope the old format works still once it becomes the norm.

Re:My two cents...

[NewToNix]

you should try it. I can't guaranty anything, but I doubt that Pudge's code is compromised. So I wouldn't be too worried about the javascript aspect of the new Slash code - at least as implemented on Slashdot.

I can't get it to work with Konqueror,but it works fine with Firefox. I don't even own a 'doze box so I don't know about that - but I'm sure it should work with IE.

But I also hope they just run the two versions side by side, so to speak, although the new system is interesting.

Re:My two cents...

> you should try it.

It worked without script when I tried it, I just didn't like it.

> I doubt that Pudge's code is compromised.
> So I wouldn't be too worried about the javascript aspect of the new Slash code -
> at least as implemented on Slashdot.

But slashdot also loads script from doubleclick, google and "an.tacoda.net". Do you trust that all these servers will be completely secure and no XSS will ever be found in slashcode?

Do you trust doubleclick at all?

Really?

Re:My two cents...

[Antony-Kyre]

That is exactly why you update your firewall to block those sites.

By the way, just out of curiosity, does anyone here have it set up so they see no advertisements in Hotmail? (For legal purposes, I won't admit nor deny I block their ads.)

No need to worry!

Your Windows Genuine Advantage will protect you!

Re:No need to worry!

[K-074512]

so do your windows firewall...( i guess )

good thing...

I use firefox :P

Zonk? Are you kidding me?

[bunions]

Half his posts contain simple spelling errors a spellchecker could find, and the other half are dupes.

Scientology (Off Topic)

OT, is anyone else creeped out by this creepy Scientology outfit, Sunbelt, getting into Windows vulns? One sure sees their name all over the place in the last year or so, and no one ever heard of them before. What is the Church of Scientology up to?

Re:Scientology (Off Topic)

I have never heard of them being involved in Scientology. I have been aware of them for much longer than a year, they make Counterspy which is the best anti-spyware product around (or was when we did an evaluation of everything available). We run the Enterprise Edition of it at work, it's awesome, we haven't had a single major infection since we deployed it. In my interactions with Sunbelt staff none of them have seemed weird or creepy, they certainly haven't mentioned Scientology! In my experience, they are one of the better companies to deal with as far as professionalism and responsiveness goes.

Wait...

[fullphaser]

Someone took the time to actually learn vml?

I thought for sure that non W3 sactioned were part of the forbidden scripts

But on a more serious note, the user that understands JS being off, is usually also not running online with IE, and there are even fewer users who have JS off, and run IE. I would say not to much of a threat.

To be fair to Zonk

Some of his posts are both error filled and dupes.

Re:The power of Open Source

[painQuin]

billions of people are counting on Sun ... for light and heat and not going spiraling off into the void of nothingness! yeah, that sun.

There is no such thing

[flyingfsck]

as bad publicity...

The only thing people remember is the name.

Here's what VML is...

VML stands for Vector Markup Language, and it's equivalent to SVG. It was in IE5, and IE5 was out before W3C came out with SVG so it's always been an IE-only alternative to SVG.

It's recently make a comeback due to people try to make IE do standards such as WhatWG's Canvas (as supported natively by Firefox, Safari, Opera). And of course people have been mapping SVG to VML in JavaScript.

Re:Here's what VML is...

Actually, VML is a little less "powerful" and therefore a little easier to use (or at least to learn) than SVG (kind of like it's easier to learn to ride on a pony than with a bronco; then you can work your way up to something more powerful and unwieldy if the desire exists...) -- that and the "native" support in IE -vs- having to install a third-party viewer (which, to my knowledge, you have to do to view SVG in any browser, IE included) makes SVG pretty attractive (especially where installing a 3rd-party app would involve going through all the paperwork necessary to get authorization to actually do the install, etc., which is the world I live in, at least for the moment...)

Oh, okay...

[Skudd]

Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?

One acronym: AJAX.

Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.

Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).

I'm not about to start a "Browser War" with this entry, but I have to say; IE is a very volitile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.

Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.

Re:Oh, okay...

[93+Escort+Wagon]

"Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. ... Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE..."

Dude, you must be one master coder - you've got an AJAX framework that will work with wget?

Re:Oh, okay...

[Skudd]

Okay, you've got me there. But still, the point is that IE is the most popular browser, AJAX is becoming increasingly popular, and the advisory suggested disabling JavaScript.

Re:Oh, okay...

[cinarus]

It's really easy but cumbersome. Every version of wget has a different kind of buffer overflow and I have to code for specific wgets all the time. I wish there was some sort of a standard..

Re:Oh, okay...

Agreed that using IE is dangerous...

So does drinking and driving...

Despite fines, revoking of licenses and jail people still drink and drive. What do you recommend to force people to stop using IE?

Re:Oh, okay...

But still, the point is that IE is the most popular browser, AJAX is becoming increasingly popular, and the advisory suggested disabling JavaScript.

So what is your point? Aids has become increasingly popular even though people are advised to use protection. Javascript allows for remote code execution, therefore AJAX relies on a security flaw, that has nothing to do with how popular it is.

Re:Oh, okay...

[suv4x4]

Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.

I'd agree with your IE rant except that part. First of all IE being "part of the OS" was never a security issue. It's a myth. There's no pieces of IE running in "kernel mode". That's a myth too.

Hell, IE7 isn't even a part of the OS. It's a standalone app, and Windows Explorer uses different libraries and processes.

In essence you'll be surprised to find that as a Firefox user reading the security bulletins, there are are plenty of critical security flaws in Firefox, Opera. The main threat is running as administrator. Any browser's critical vulnearbility is as bad as a critical vulnerability in IE for that basic reason.

The solution is either to run in limited mode and suffer the consequences (namely pretty limited way of work, Windows was not designed to normally operate like this), or wait for Vista or not use Windows.

I guess pick your own way out of this.

Re:Oh, okay...

[RAMMS+EIN]

``Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).''

That's only if the programmers throw graceful degradation out of the window. Graceful degradation has been there since the beginning of HTML and Javascript, and I feel webmasters who break it are not worth the name (unless, of course, their bosses force them to, in which case the bosses are acting dumb).

The right way to make websites is as it's always been: make a simple page that displays the content and works in all browsers _first_, and _then_ add fancy things like CSS, and JavaScript. Browser-specific code comes _last_ (and please, no code that detects a specific browser and displays messages to the effect that the page doesn't work with the browser the user has - it's ok to make mistakes, but it's most definitely NOT ok to knowingly make mistaken and then refuse to fix them).

Re:Oh, okay...

[Ant+P.]

Any decent coder knows AJAX is _added_ functionality, not a replacement for what should be there.

Re:Oh, okay...

[j79zlr]

Sorry, but Opera may be free, but it is not Open Source

this article sucks

[larry+bagina]

Theres two pictures proving the computer was up to date with all patches, then a picture of a console window with some gibberish.

I wonder if Keith Dawson's only purpose in lifes it to make Zonk look competent.

Well

based on their previous fix of teh DRM hole in their WMV software with a turn around of 3 days. expect a patch by the end of the day! Woot! Go microsoft! Show us how to fix critical holes!!

Re:The power of Open Source

[ruiner13]

And javascript comes from ECMAScript... which is an open standard.

Javascript: Not a verb

[LFS.Morpheus]

...javascripting.

That made me cringe.

Re:Javascript: Not a verb

[Burb]

Didn't you know? You can verb any noun in English.

Re:The power of Open Source

[DragonWriter]

I think you've got that backwards; ECMASCript is a standardization of JavaScript (and its MS-spawned bastard child, JScript), JavaScript doesn't "come from" ECMAScript.

Safe browsing

[nidarion]

I've been running Firefox for four months with "Noscript" installed. Javascript itself is being abused far too much to bypass popup blockers and generally screw around with a browser in a way that shouldn't be allowed. If I want a website to mess with me, I have to whitelist it first. It's annoying, especially around ecommerce sites, but I have peace of mind.

Re:The power of Open Source

[Spliffster]

ECMAscript 262 comes from JavaScript.

There, fixed that for you.

Cheers,
-S

from your link (which is what I had in my mind):
"Netscape submitted the JavaScript specification to Ecma International for standardization; the work on the specification, ECMA-262, began in November 1996. The first edition of ECMA-262 was adopted by the ECMA General Assembly of June 1997."

Re:Zonk? Are you kidding me?

[bytesex]

It's Zonk's way to correct his spelling mistakes, you see. First he posts, then he dupes, but the second time the spelling mistakes are gone.

So... I RTFA and...

[entrigant]

What, exactly, is this exploit? As a previous poster mentioned all there is on the site are a couple of screenshots showing the system is up to date and a console window showing some gibberish. All the text of the article says is that there is some mysterious bug in a general part of IE that is being used to install spyware. There's not a damn thing else. What is the nature of this bug? What websites exploit it? How can I reproduce the exploit? There are absolutely no details beyond an accusation and a screenshot that demonstrates nothing. I could "discover" a new 0day exploit in IE every day like this!

which ie version?

which versions of IE does this work on?
does it work on IE7 RC1?
firefox rulez!

Go on

[cortana]

You love Marketing really.

Flashblock and Noscript

[rs232]

"I've been running Firefox for four months with "Noscript" installed"

Flashblock doesn't work if Noscript is blocking a site.

was Re:Safe browsing

Re:Flashblock and Noscript

[Giorgio+Maone]

But NoScript can be configured to block Flash movies as well and behave like FlashBlock (i.e. enabling them on demand with one click): NoScript FAQ 1.3.

Run with JavaScript enabled, OK?

[leonbrooks]

Just don't do it using MSIE.

Simple, eh?

Of the 4 browsers I have here, all are safer in JavaScript than MSIE (FireFox, SeaMonkey, Opera, Konqueror). Three of those are easily available for 'doze & even Konqueror can be made to work in it.

Er... sorry, I also have lynx, links & w3m available, plus Galeon and a few other GNOMEish built-ins kicking around. Spoilt for choice!

Re:Run with JavaScript enabled, OK?

[Brickwall]

In Korea, only old people use Internet Exploder.

Why disable javascript? Change to firefox ...

[weeb0]

"This exploit can be mitigated by turning off Javascripting."
"This exploit can be mitigated by turning off activeX"
"This exploit can be mitigated by turning off ie"
"This exploit can be mitigated by turning off windows"
"This exploit can be mitigated by turning on Linux"
"This exploit can be mitigated by turning on Firefox"

In fact, I really don't understand why on the news they NEVER recommand to use another browser than IE... Sorry, but when there is an exploit, why disable some web functionality like javascript (I don't have any problem to disable ActiveX (very bad and insecure thing)) to continue to use IE ?!

I don't understand, is that the Microsoft lobby the reason ?

And then, I think there is some technology website that are very stupid, like the website silicon.fr, they say the red "panda" for the firefox logo ... -DUH-

Re:Why disable javascript? Change to firefox ...

[Winterblink]

Because whether you like it or not, in some places the corporate standard is Internet Explorer, and people might not have the ability to install an alternative browser.

Re:Why disable javascript? Change to firefox ...

[madcow_bg]

We're talking about media coverage. If the corporate standard commands IE, IE it is. But the news are supposed to be informative, and all they do is repeat: "Turn off this, turn off that..."

I am sure that this is because of their overall education, but that is no excuse.

Re:Why disable javascript? Change to firefox ...

[Winterblink]

Agreed, but my comment was directed more to his particular critique of the article, and his own suggested solution of ditching settings, programs, and even entire platforms to address the issue. While it might be possible for him to take that route, even a decent number of individuals, corporate entities often do not have that kind of luxury to make knee-jerk decisions like that. Though I'm sure they wish sometimes that they could. :)

"mitigated by turning off Javascripting..."

[dpbsmith]

...but, isn't that the "J" in AJAX, the underpinnings of Web 2.0?

Why do people even bother to give advice that is basically impossible to follow?

It's not my fault that so many of the websites I want to use now rely on Javascript, but the fact is they do.

Saying "This exploit can be mitigated by turning off Javascripting" is true, but as about as useful as saying "the risks of plane crashes can be mitigated by not flying."

FREE is "overpriced"? Are slaves "overpaid" too?

eom

In the Wild!

[exp(pi*sqrt(163))]

In the Wild

I bet geeks just love saying this. Anything to make something as boring as a security issue in an application seem exciting. Let's use the language of big game. Oooohhhh. "In the Wild!". Makes exploits seem as exciting as going on safari or hunting crocodiles.

Re:In the Wild!

IE stabbed in the heart in a freak sting ray attack incident

Re:In the Wild!

[jseale]

Steve Irwin was probably turning in his grave as you were typing this. LOL

IE on your box?

[spun]

My girlfriend in college had IE on her box once, but we got a cream that cleared that right up...

We just need to find another "J"

[The_REAL_DZA]

If "Javascript" is the "J" in "AJAX", then let's replace it with something less "dangerous". I propose:

• Juice
• Jam
• Jelly

Of course, I may just be needing a snack...

MS adopting FF = bullseye on FF's back

[I'm+Don+Giovanni]

If MS adopted FF, then instantely FF becomes the number one target, and, evidenced by FF's constant security updates, the holes are there for the exploiting.

Re:MS adopting FF = bullseye on FF's back

[Schraegstrichpunkt]

Good. Then the issues would be discovered and fixed faster.

Another one?

[Klaidas]

Anoether bug of IE?
Must be a slow news day...

It's worse than that.

[twitter]

What you propose would require people to add the likes of Slashdot and Hotmail to the 'Trusted Sites' zone to function correctly. This effectively gives such sites far more access than you would probably like, much more than without playing with your 'zones' at all.

My first question is, "Could it really be worse than it is?" Can an OS with a half life of 12 minutes on any network actually be exploited faster? I suppose it can with a little misdirection. The misdirection is based on a sane principle that is easy to implement on any current GNU/Linux distribution.

It's clearly worse than the user expects and it's a clear trap. "How bad can it be if I only trust one or two sites?" is exactly the trap M$ established. The list of sites would grow. If you multiply that by the number of unscrupulous advertisers on said sites, you end up with an even bigger problem. The user, as you point out, does not even know they've actually degraded their already flimsy security.

Getting Firefox is good, but the OS is still shit underneath. Hackers will make things that reach right past FF to things out of FF control like activeX controls.

Running Firefox on free software is better still, but most people want their non free flash and other junk. The easy solution to that is to use a reasonable browser, like Konqueror for everyday use and only right click open Firefox + non free junk for the one or two sites that demand it. There you have a sane and usable tiered browser approach.

Re:It's worse than that.

[Antony-Kyre]

I'll say this. It would probably be in someone's best interest to never start out using Windows or it's programs. I would think starting a person, any person, on Linux or something else would be the best thing to do.

Unfortunately, I'm not willing to change. One time I did try using Mozilla, but I quickly hated it and uninstalled it. Another time I believe I had Linux installed (to learn side-by-side so-to-speak), but within days/hours my hard drive crashed beyond repair, and started over (and with Windows). Linux wasn't the reason why it crashed. I think it was Windows. Not even a low-level format would make it boot. Something about the first sector being damaged I think.

Re:It's worse than that.

twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

• As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
• Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
• A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
• Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
• Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
• Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
• Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
• Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project , MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
• Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
• There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advoca cy

"This exploit can be mitigated by turning off Java

[kimvette]

"This exploit can be mitigated by turning off Javascripting."

. . . and you can avoid >99% of car accidents by not turning on the engine, but then the car isn't very useful, is it.

Gagging on the name

call it Vic the Vista internet client (or Voom sounds better)

Or to chuck up another possibility, how about calling it the Vista online media and information tool ?

Black Hats

[Z34107]

Of course Microsoft (or any) products will eventually have security holes when released to the general public.

Two points - the IE7 betas (since 2) have been publicly available on Microsoft's website - everyone and their mother's mad-hatted donkey already has a copy.

Also, the new Vista kernel runs the iexplore.exe process under a separate, super-limited user. This user has all output redirected to a virtual folder with zero NTFS priviliges (think any file written to "c:\windows" will be placed by the kernel in "c:\program files\internet explorer\temp\c\windows").

So, this is in effect running IE in a virtual machine. There are always ways to tunnel under or to elevate priviliges, but the "hypo-user"/virtual machine analogy is exactly what they're trying to do

Java or JavaScript

[IT074803]

Java was designed with a heavy-duty security model, using sandboxes and virtual machines and such to make sure that you could safely download code from other sites and run it, and while it's probably possible for somebody to come up with some implementation bug that lets you outside the box in ways that are exploitable, it's basically been solid since it came out, because it was designed to be safe. Javascript was designed to be lightweight, friendly, and convenient, and almost anything related to security was later bandaids applied to the gaping wounds. It's possible and easy to write perfectly safe Javascript, but that's unfortunately totally irrelevant because it's possible to write Evil Javascript as well - so anybody who wants to run your "Safe" Javascript has to leave Javascript turned on for the Evil Javascripters as well. IE does theoretically have a "security zone" mechanism that lets you identify trusted sites, so you can theoretically allow it to run purportedly-safe Javascript from people you trust while not running it from people you don't trust, but that's an annoying hassle. It'd be much safer if they'd built "WimpyScript", designed to be absolutely safe even if all it lets you do is make stuff flash decoratively when you wave a mouse at it; I guess CSS is as close as we get to that. PDF used to be safe, back when all it would do would be display static black or colored marks on virtual paper, but now it's helpfully willing to open web pages and run programs on your PC too.

Zero Day Go Figure..

[tt074266]

well done bill...IE is now full load of patches..i'd say..if a ship were to have some holes and were patched,it still would not sink and thus those hole would remain be patched......but for an IE(or any particular microsoft softwarw), no matter how much u'd patch it up..new holes would then reappear...as if it was ENDLESS!!..come on Bill...u suck us dry with ur Windows..now do something quickly or else shit might happens again...