Hackers Jump On Newest IE7 Bug
CWmike writes "Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft patched just last week, security researchers warned today. Although the attacks are currently in 'very, very small numbers,' they may be just the forerunner of a larger campaign, said Trend Micro's Jamz Yaneza. 'I see this as a proof-of-concept,' said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time. 'I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,' he added. The new attack code, which Trend Micro dubbed 'XML_Dloadr.a,' arrives in a spam message as a malicious file masquerading as a Microsoft Word document."
Glad I'm using Lotus Notes. Hmm...
...when Microsoft stops bundling IE with Windows (depending on what happens with that anti-trust case in the EU). Does anyone know if that would also affect NA?
Obligatory blog plug: http://www.caseybanner.ca/
So naturally, it begins again. What is it that allows these hackers to reverse Microsoft's patches? Is there no format that would protect them? Perhaps a more open security policy? Imagine that mess?
Bored at work? Play Game!
Sigh... I was going to post a quick rant about using the term "Hacker" when obviously "Cracker" or "Black Hat Hacker" would be better....but ohhhh what the hell... I give up.
I've been doing computer stuff ("hacking") since the mid-1970s and consider myself a "Hacker"...but not in the bad way.
Maybe I should turn to the dark side and just get it over with.
And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.
The new attack code, which Trend Micro dubbed "XML_Dloadr.a," arrives in a spam message as a malicious file masquerading as a Microsoft Word document. If the fake document is opened, the exploit hijacks PCs that have not been patched...
Running Chrome or Firefox won't stop idiots from opening strange attachments.
Must've been harder than usual. I would've expected it on Wednesday or Thursday of last week.
I know. I'm just thinking in terms of the botnet spread "factor", I think that will go down as more people start using firefox/more secure browsers, and that market share will go up when Microsoft stops bundling IE. Of course they are just going to get the OEMs to do it for them, maybe some OEMs will package Firefox, who knows.
Obligatory blog plug: http://www.caseybanner.ca/
I wonder, what would un-bundling REALLY mean? Just that it's easier to remove or that Microsoft OS' come with no browser? Now that would be a fun one for new users...
Bored at work? Play Game!
Running Chrome or Firefox won't stop idiots from opening strange attachments.
Running Linux will.
a malicious file masquerading as a Microsoft Word document
I don't think this is the same definition that the rest of us use. In related news, a lizard was seen masquerading as a gecko.
I am TheRaven on Soylent News
"They invade our computers, and we fall back. They assimilate entire servers, and we fall back. Not again. The line must be drawn here! This far and no further! And I will make them pay for what they've done!" - Linus Torvalds
No one apart from uber nerds cares - it's just a word. Hoover were probably pissed that their name became the de facto name for vacuum cleaners too. Tough, deal.
Set the default viewer for msWord docs to the Word Viewer, make normal.dot read only, disable auto-opening of macros ..
... pretending to be helpful but surreptitiously twirling its moustache while doing nefarious deeds to the computer and generally making life miserable for the user.... actually thinking about it - that's not too different from the real clippy.
So millions of web users are in danger because
a) IE is insecure and Microsoft evil
or
b) Because they did not apply a patch which has been recommended by Win update
Being on Slashdot, I get those two confused...
Linux makes you smarter.
Running Chrome or Firefox won't stop idiots from opening strange attachments.
Running Linux will.
No. It will only stop the current exploits from being effective.
How would switching to FireFox help? So you can get a different brand of virus?
Patch and keep patching. That is the only safe bet.
Yes I am using Firefox right now.
exactly. this is precisely the reason that Apache has far more exploits published than IIS.
That will be true if all those people running windows using administrator accounts move over to running linux as root. Those running linux properly will still be pretty much unaffected.
Will it blow my version of OO when I try to open the WORD document?
I am glad to hear that it wont affect the REGISTRY on Slack.
I am so waiting for the malware that runs "FORMAT C: " or whatever it is nowadays.
Have you seen how much trouble it is to write a Linux virus? There was an article up recently (I may be crazy, could have been a comment) about writing a Linux virus/worm/trojan. It had a number of caveats and required a great deal of luck. HOWEVER, I can imagine the typical Windows user migrating to Linux and as mentioned above, running as root. However, Ubuntu (and others of course) do not allow root access by default...might not be so bad.
Bored at work? Play Game!
Running Linux will.
Apparently not if you're using KDE or GNOME.
When it was run, this attachment would helpfully and quietly forward itself to everyone in your address book. A couple of days later, after cleaning up the smoking wreckage of the E-mail system, system administration would send out an E-mail suggesting that it's not a good idea to run programs from unknown sources.
This was on IBM VM/CMS, a notably not-Microsoft OS.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Idiots opening strange attachments won't run Linux.
Running Linux stops idiots from doing anything to their computers.
Viruses were made back in the single-user day. Linux and MacOS, even newer versions of Windows, don't need a virus to do damage. Worms that hack into the system, run and install a separate process, then war dial different IP addresses do the trick just as well. The reason people still make viruses for Windows is the fact that most people run with Administrator access and they are simple to program (and they think they are hot stuff if they do); programming worms is still less glory but is more willing to affect a Linux-majority network infrastructure.
Just because Linux or MacOS or your favorite Unix doesn't have viruses, they can still get hacked into, especially if you poorly administer or neglect them. The fact that they can get hacked into allows for such worms to operate. Heck, a well neglected Unix box running a worm can also have an Auto Update feature to adjust for newly found security.
Being smug about security is the worst thing you can do.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Not all that much really. Easy enough to run a spambot with user privs. Any of the data you want to steal is in ~. If you last long enough without detection, you can grab the user's password with an X keylogger and start doing extra naughty stuff with root.
"Strangers have the best candy" -Me
I think you underestimate the idiots.
There are fixes:
1. Require .desktop files to be executable to launch them
2. Ignore the Exec= line in user overrides
It's just a matter of someone contributing a suitable patch. It is not an architectural problem.
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
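The two fixes listed in the comment above, written as an audit over a user's launcher directory. This is an added example, not part of the thread and not code from any desktop project; the directory layout, file names and finding labels are assumptions, and the sample launchers are constructed for the demo.

```python
import os
import stat
import tempfile


def read_exec(path):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_entry = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("["):
                # Only the main group describes what the launcher runs.
                in_entry = (line == "[Desktop Entry]")
                continue
            if in_entry and "=" in line:
                key, value = line.split("=", 1)
                if key.strip() == "Exec":
                    return value.strip()
    return None


def is_executable(path):
    """True if any execute bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def audit(system_dir, user_dir):
    """Flag user launchers that either proposed fix would refuse to run.

    not-executable: fix 1, the launcher lacks an execute bit.
    exec-override:  fix 2, a user file shadows a system launcher of the
                    same name but supplies a different Exec= command.
    """
    findings = []
    for name in sorted(os.listdir(user_dir)):
        if not name.endswith(".desktop"):
            continue
        path = os.path.join(user_dir, name)
        cmd = read_exec(path)
        if cmd is None:
            continue  # nothing to launch, nothing to flag
        if not is_executable(path):
            findings.append((name, "not-executable", cmd))
        sys_path = os.path.join(system_dir, name)
        if os.path.isfile(sys_path) and read_exec(sys_path) != cmd:
            findings.append((name, "exec-override", cmd))
    return findings


def _write(path, exec_line, mode):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Sample\n")
        fh.write("Exec=" + exec_line + "\n")
    os.chmod(path, mode)


def demo():
    """Build constructed sample directories and audit them."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system-applications")
        user_dir = os.path.join(root, "user-applications")
        os.mkdir(system_dir)
        os.mkdir(user_dir)
        # Constructed sample data: harmless echo commands only.
        _write(os.path.join(system_dir, "editor.desktop"),
               "editor %f", 0o644)
        _write(os.path.join(user_dir, "editor.desktop"),
               'sh -c "echo constructed-override"', 0o755)
        _write(os.path.join(user_dir, "invoice.desktop"),
               'sh -c "echo constructed"', 0o644)
        _write(os.path.join(user_dir, "notes.desktop"),
               "notes", 0o755)
        return audit(system_dir, user_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```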
And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.
So a more diverse set of browsers in use leads to fewer people being exploited. Sounds like something worth encouraging. And while we're at it, how can we encourage vendors to make their browsers more secure and generally better. If only there were some way to motivate developers using common human motivations. I know, we could have them compete with each other on a level playing field in a free market and the best browser will gain the most market share, so they will all work extra hard to make theirs the best. It's brilliant!
What, the law already mandates this? Well, better yet. What one company is breaking the law and preventing competition and thus removing the motivation for much improvement and lowering the bar for everyone? Surely the courts will act quickly and decisively to stop this criminal behavior.
You know, I'll cede your point for any 'sufficiently complicated' application--what that means up for definition. But please--find me one remote code execution vulnerability for lynx. People keep crying for more complicated, more advanced web content with better scripting abilities--and the developers rush to meet the need without a second thought as to security. Yeah--if I've gotta run javascript, flash, mono, microsoft browser plugins, or even XUL--there's a lot of avenues for problems (especially if I'm stupid and click yes). But plain old HTML viewers... It's certainly possible to get a *secure* one. Bug free--well...the CSS standards and all that aren't clear enough yet.
So you are suggesting that a significant flaw in Linux has lasted so long, even though it is "just a matter of someone contributing a suitable patch"? Hardly a good argument.
Pointing out there are possible fixes doesn't absolve it from blame.
virii
If that's an attempt at Latin, it failed. In Latin, virus is in the fourth declension and its plural is virus (yep, just like the singular), and NOT viri or virii.
Of course, as an English word, the plural of virus is viruses.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Yes, and this is really the main valid argument against technological monocultures. Stupid people (sorry, inexperienced people) running [Another OS/Another Browser] will do the same stupid (sorry, inexperienced) things they do now. But as long as there isn't a browser gobbling up 90% of the installed user base, the number of available targets is substantially reduced. The black hats rely on the sheer weight of numbers to succeed, and let's face it, exploits are written for profit now, not to prove something or because it's cool. Shrink the target pool and you'll minimize the amount of damage done to the targets and everyone sharing the same tubes.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
That's an interesting story, but you're missing the most important part: did you get the Christmas tree? Were there flashing ornaments?
The key word here is "published". This is, because Apache has an open bug tracker. And IIS has -- I guess from the quality ;) -- no bug tracker at all.
But Apache fixes its bugs quickly, or even at all, compared to IIS.
Well, I guess to get some useful numbers, one would have to count the numbers of actually used exploits.
But then again, writing it anonymously most likely means that you are a troll...
Any sufficiently advanced intelligence is indistinguishable from stupidity.
It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it. I don't even need root access. More sophisticated? Fine, how about I do the same thing but use, say, Python and a simple wxWidgets UI to ask for your root password? You know, because I need it to "update your system". Chances are good you have all that installed on your system if you use the average distro.
Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS. I don't need to code an ELF binary in x86 assembler to do damage, and no one writes destructive viruses anymore. Neither you nor your data are the target. The commodity being sought here is your machine and its network connection.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
All you are doing when you replace IE with Firefox is swapping security holes for bugs. Both are very very annoying.
One you can use flawlessly, but get hacked/malware. The other, secure, but barely usable.
Granted, IE security issues are worse, but all you do is replace a crap browser with a slightly less crap (but more secure) browser. It's hardly a "Firefox is AWESOME!" endorsement.
Firefox need to sort out bugs before they add even more bloat...sorry features to their browser.
It is almost unusable in Ubuntu and I don't much care for it in Windows either.
Although I wonder why "Internet Explorer has a security hole" is a story (yet again). Oh yeah, a free advert for Firefox.
Or am I just too cynical?
I would suggest giving Opera a try (which is what I intend to do).
then teach the user to only give pw to
A)Stuff that looks like gksu (you don't even need to explain what that is, just what it looks like)
B)If something speaks of "Updates", direct it to the Update manager, and ignore ~all else
C)If the User is stupid anyway, no system will ever be secure enough except one that does not give this person the ability to act as root in the first place, which means using a Mac, which I will never do because it is too user-obsequious
$ make available
The only exploit is the user herself. Just don't open attachments from people you don't know. That's what the spam folder is for. Now, if it's tricky and has already infected one of your friends, then call your friend up and ask him what this document that reads "Make 1 Million Dollars In A Day!" is all about. Simple, fight social hacking with social un-hacking.
Running a virtually 100% secure OS like OS X minimizes this.
I'll take C - Regis,
final answer.
WTF? Over?
Of course, you can always execute unsigned, untrusted code by downloading Firefox extensions on the Mozilla site.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
There's always the matter of a no-password "sudo" setup.
Do any linux distros come set up for this by default? How long until they do?
My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
And in all likelihood be far less significant, as the browser in question wouldn't be so damn tightly integrated into the OS.
upon the advice of my lawyer, i have no sig at this time
Why wouldn't the open source nature of some browsers (and some OSs) mean that it's just a matter of time before someone finds the flaws and fixes them?
Why is it always the doomsdayers and naysayers?
Aren't there far more do-gooders than do-badders?
cheers,
Yes, but linux will also stop them from opening not-so-strange attachments, unfortunately.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
That's because you have to step through the 9 levels of dependency hell in order to run anything on Linux.
This could be done with Windows. Teach the users not to click "Continue" on UAC prompts unless they know what they're doing.
The problem has been, is, and always will be the users. They want their shiny "asteroid cursors" and their "desktop playmates" and they're going to get them, along with whatever crap comes along with it.
There are patches for this exploit as well. What's your point?
No, it was kind of garbled. I did learn that it was a bad idea to run applications that came as Email attachments though...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I just don't believe that's true. Some code is inherently more secure. UNIX is generally more secure than Windows. People like to say (for example) that the reason Mac OS has few trojans, and no real viruses to date (that I am aware of) is because of its market share. You'd have to be exceptionally naive to believe that among the legions of Apple hating Microsofties that no one has been able to create a successful virus yet. I'm certain it has absolutely nothing to do with the inherent security of UNIX - Nope that's not possible. Has to be market share. :)
I have no proof to back this up, but there is also zero proof to back up the market share theory.
I still cannot find the droids I am looking for...
This is exactly why I use Lynx. The ASCII porn is getting a bit old, though.
Let me fix that for you...
Er wait, scratch that last part. I get carried away talking in this deep voice.
I want this account deleted.
Pointing out there are possible fixes doesn't absolve it from blame.
No, it doesn't, and that is one of the major problems with FOSS: devs tend to avoid disturbing the ecosystem as much as possible, even when doing so is a good idea. If this was run in a traditional (read:closed-source) setting and IT heard that it would take the flip of a few bits to get rid of a major security vulnerability, how long would the bug live?
I know some idiot mod will mark this as a troll because it is critical of FOSS. Really people, let's at least pretend to be civilized, please.
$ make available
...and I won't run it, nor will any of my users....
Update my system .. ok I just go in the package manager ... no updates .. oh well
Social engineering works both ways, If you make sure you never, ever, send updates via email then the users notice it's unexpected and ask first ... Too many Windows systems are updated by users clicking on links in/attachments to emails ... and far too many websites give download and run links for Windows systems so that the users expect it to work like that
Linux does not make hijacking and exploits impossible, or even that difficult... but it does make it inherently less likely that the simple ones will succeed (don't run as admin, make it painful to run downloaded files, update via package manager not by running a program/script)
Puteulanus fenestra mortis
I'm surprised you missed the most glaring grammatical blunder in the comment: prevolent, which, of course, should be prevalent
see, ubuntu users are useful to some...
I do agree, that Ubuntu would solve most of the issues of an attacker not needing to escalate privileges.
The main problem, still, has been and always will be the users' lack of knowledge in what they are doing. It would be the same either way and quite honestly, it is not that hard to write a script to pwn a linux box. It's done mostly the same way as Windows pwnage... shell scripting. The overflows are still there, as are the vulns in the software. It is simply that attackers are not currently targeting linux (outside of servers) very much.
In short. There is no way to escape the attacks. Linux (which I favor above all other OS types) is still largely secured by obscurity, as there are fewer desktop users and a good majority of those are savvy enough to harden their system beyond a fresh install and AV.
Once all those Windows users start migrating to Linux because it's safer, do you think they'll suddenly be infused with large doses of simple common sense? apt-get install effin-common-sense-0.2.3 or something like that? =)
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it.
Trojans are a serious concern, but still a small portion of the problem today. Most exploits, by number of infections, are via automated worms with no user interaction.
Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS.
The interesting thing about non-Windows OS's is they adapt to threats. Right now trojans are not a problem for the average Linux user, but in a few high security environments they are a concern. Those environments use technologies like SELinux to mitigate the risks and make social engineering a lot harder indeed. If trojans are ever a threat to the average Linux user, these technologies will be ubiquitously employed helping to defeat said threat. That's the thing about not being a monopolist. You have serious motivation to fix your users' problems and if you don't someone else will.
Neither you nor your data are the target.
This has never been completely true, but it is becoming less and less so. More malware is starting to collect passwords to online accounts, banking info, and credit card numbers.
Root access or not doesn't really matter if a virus wants to cause harm or spread itself, all the user's data happens to be user accessible and his favorite email app and webstuff of course too. But even if that isn't enough, it wouldn't be too hard for a virus to fake a password prompt to catch the password or just to wait for the user to use sudo and then use it himself, since sudo is often used with a timeout that gives the user full root access without a password for a couple of minutes or even forever.
On normal single-user desktop the separation of root and user account is nothing more than a little annoyance than a real barrier for a virus writer.
Now that doesn't mean that one can't build a secure Linux box, Sugar on the OLPC tries something like that with each application running in its own isolated environment which would make it pretty hard to break out of, but your average Ubuntu box doesn't do that and likely won't until viruses become a real problem for Linux.
But what about those of us who are callous (lazy) enough to run as root 24/7 ? We're just not naive enough to run foreign attachments from people we don't know (or don't trust).
Sure, make things nerf-safe for the common user, but don't go bashing those of us who actually run these machines.
-Billco, Fnarg.com
Your arrogance would amaze me if it weren't so common here.
It would mean the user has to stop and wait for an automated download and install process to run their programs for the first time. In order to maintain compatibility with existing software IE must be installed.
Ask the Wine community why they are implementing an IE replacement in Wine. Many programs depend on having IE and its API around to render HTML documents. Steam and WoW are two such titles for those who don't think it's significant or widespread.
The alternative is to have broken applications.
I want this account deleted.
Stupid people (sorry, inexperienced people) running [Another OS/Another Browser] will do the same stupid (sorry, inexperienced) things they do now.
I'd go further in my argument than you do. Without a monoculture users may take the same action in the same circumstances, but will gravitate to technology that presents them with better situations and better handles those actions (makes them do what the user intended not what a third party wants). For example, this exploit relies upon an executable masquerading as an MSWord file. The fact that Windows presents the file in such a way as it is not differentiated from a Word file or even from trusted executable files is a failing of the OS. In a competitive market, MS would fix this problem in Windows or lose market share to people who did fix it. Is there no way the OS can distinguish executables from non executables, like maybe adding a non-changeable flag to the icons? What about checking to see if the executable is signed and verifying that signature or running it in a sandbox by default? These are perfectly doable solutions if competition were driving OS makers to significantly invest in real improvements.
Yes, because God forbid we have more prevolent attacks.
I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it.
(emphasis added)
Sure - and I can wipe your home directory with this little script and ask you to run it:
#!/bin/sh
rm -rf $HOME/*
exit 0
Most folks that get hold of Linux and install it are probably going to be smart enough to open an e-mailed media file with a media player, and won't touch anything they don't know the extension to. Now there you might be able to do some damage (if you manage to modify the player or find an exploitable hole in it), but otherwise c'mon - this is getting stupid.
Quo usque tandem abutere, Nimbus, patientia nostra?
But what about those of us who are callous (lazy) enough to run as root 24/7 ? We're just not naive enough to run foreign attachments from people we don't know (or don't trust).
Sure, make things nerf-safe for the common user, but don't go bashing those of us who actually run these machines.
Tell me about it.
I got rid of my front door a few weeks ago as I was sick of trying to find my keys. I can live with all the thefts and waking up to find the odd vagrant crashed out on my sofa, but it's the people that bash on me about it that pisses me off.
Hey! I remember that! (shit, I'm old)
Running Linux will.
Never underestimate the compatibility of Wine.
I wonder, what would un-bundling REALLY mean? Just that it's easier to remove or that Microsoft OS' come with no browser?
Well, literally it would mean Windows ships without IE to OEMs. That's not to say that this is the remedy the EU will choose. It is just one of their options and by itself, certainly not enough to remedy the broken market.
Now that would be a fun one for new users...
The EU's remedies will likely affect only MS, not OEMs. If you're technical enough that you're building a computer and installing Windows yourself, you're probably technical enough to download and install a browser too. If you're a normal person you buy a computer with software, OS, and hardware pre-configured by an OEM and you'll almost certainly already have a browser installed by the OEM... maybe just not IE.
The only exploit is the user herself. Just don't open attachments from people you don't know.
Viruses have already become more clever than that long ago, From headers have zero trust value and are constantly faked and using titles from documents found on a user's disks have replaced non-trustworthy gibberish. So getting mail from a friend with trustworthy subject tells you little to nothing.
This really isn't something you can fix socially, if you could we would have already solved it. It's just a technical problem that needs fixing, a mail program should just run attachments in a chroot/jail/vm-like environment and the problem pretty much disappears.
It would mean the user has to stop and wait for an automated download and install process to run their programs for the first time. In order to maintain compatibility with existing software IE must be installed.
I think you're missing the point of how bundling is perceived by the law. If MS installed software to auto-download IE, that would still be illegal. OEMs aren't going to ship without a browser or HTML engine though, so the normal user would not likely see much difference excepting which browser and HTML engine is pre-installed. Any remedy from the EU is going to be intended to change the situation MS has created where IE is required, or it has failed. The point is to restore the market to a state where IE is competing on its merits, not on the fact that it is a de facto standard or pre-installed. That includes providing incentive for both Web developers and application developers to no longer depend upon IE being there but to write for standards instead and use whatever is there.
Ask the Wine community why they are implementing an IE replacement in Wine. Many programs depend on having IE and its API around to render HTML documents.
Actually, they depend upon an HTML engine answering their calls to the APIs. It is entirely possible for the EU to require MS to abstract those APIs and allow plug-in HTML engines to respond. The EU could require this in all future versions of MS along with some degree of standards compliance from IE itself.
Steam and WoW are two such titles for those who don't think it's significant or widespread.
One test of a proper remedy might be Steam and WoW. When updating their applications to use the next versions of Windows/IE, is there anything that causes users to use IE specifically, instead of Opera, Firefox, or Chrome? Is there anything about the way those developers code the next versions that would lead users to install IE specifically not because of better features but because it has been the de facto standard so long and because it is made by MS? If so, the remedy is failing.
The alternative is to have broken applications.
Hopefully, the EU will implement a remedy that specifically prevents that from being the case going forward.
Hackers exploit already patched code! Security vendors come up with detection routine to protect from exploits targeting already patched code. Sysadmins everywhere say to themselves, "I'm sure glad I applied that patch last week." Life goes on.
Most folks that get hold of Linux and install it are probably going to be smart enough to open an e-mailed media file with a media player, and won't touch anything they don't know the extension to.
I don't see the relation between IE7 and opening an email. I don't use IE or Windows so am I missing something?
Last I checked, Linux let programs running under my account read personal data stored under my account and then send it to random computers on the internet.
Sure, it might have more trouble insinuating itself into the kernel and being nigh-undetectable, but if you don't have software that looks for it, there's plenty of damage it can do. My biggest worry is about data I have access to when logged in as my normal user account.
>Running Chrome or Firefox won't stop idiots from opening strange attachments.
False.
An idiot user will not know how to chmod +x a strange file, so your logic falls flat.
And there's plenty of Linux users happy to run with whatever is available in the Ubuntu repository, that they don't mind being "locked out" of desktop changes.
Contrast this with the Windows desktop user who will bitterly complain about not being able to open the Windows Clock on the taskbar, just to check dates on a calendar [a step which requires admin privs.], and that user will be instructed to just run as Administrator.
Those of you out there who get designated "family tech support"... you know EXACTLY what I mean. Those people will call you because they installed malware, OR they will call you because (after last time...) you gave them a "rights limited" account, and now they can't install some shitty piece of shareware (even though you typed notes on how they could 'Switch User' over to Admin just to install apps).
Not being retarded is a perfectly good alternative to running OSX.
Running OpenOffice will stop the macro from accessing IE, though. MS Office isn't even bundled with most XP anymore. It wasn't on mine, anyway.
It's annoying that I can open everyone's files, but I need to export to a buggy format for others to open mine. But this news item proves it's worth it.
Don't underestimate user stupidity, not even your own. Users are always the weakest link.
The recent article showed that trojans are a serious concern for Linux users, some weeks ago someone showed how to exploit sudo timeout in a way that wouldn't ring a bell even for intermediate users.
If you let something slip it might not be able to hijack your computer, but it can send the bad guys your .mozilla directory with all your passwords in plaintext form (a good reason to use a master password or clicking the Never button).
The underlying problem is that UNIX security sucks for desktop use.
Running Linux will.
Running "Lynx" will. Fixed that for you.
Yes, finding all those dependencies is so difficult!
emerge app
apt-get install app
yum install app
Password-protect your sensible data.
No, but it has been consistently shown that FF users keep their browsers up to date much sooner. Case in point: the huge number of IE6 users compared to FF 1.5 users out there. Even within major revisions, the less painful FF upgrade system keeps the vast majority of people on the latest minor update or patch. Many IE users disable auto-updates because they're seen as an annoyance (asking themselves "why do I have to reboot simply to upgrade my web browser?").
I'm not sure it's possible to paint all of FOSS, or all of closed source devs with such a wide brush. You do have some projects that are extremely risk and innovation averse, a classic example being GNOME, while others on the contrary have no problems starting everything from scratch like KDE has done. Similarly, you have Apple, the constant innovator, willing to dump legacy code to move forward, and MS, where their commitment to binary compatibility is limiting their progress.
Each strategy has its advantages and disadvantages of course. For some projects it does make sense to do your utmost not to disturb the ecosystem.
Dear Sir,
I am writing in reference to the "Chinese Exploit Kits" you mentioned on the Slash Dot on 18 February. Please inform me if you have further information on availability of these kits.
I would also be interested in subscribing to your newsletter.
Sincerely,
TheModelEskimo
Wasn't this also the time of the naive internet? When all SMTP traffic was on port 25 with forwarding enabled? Before AOL and the dark times ...
C) If the User is stupid anyway, no system will ever be secure enough except one that does not give this person the ability to act as root in the first place, which means using a Mac, which I will never do because it is too user-obsequious
User-obsequious? You mean, the computer does what the user wants it to do? My heavens, that's terrible! If the people start using Macs, they won't have a use for that condescending bearded guy that hangs out in the server room all day!
PS I'd never describe a Mac as "obsequious," they are far too haughty for that.
(-1, Raw and Uncut is the only way to read)
Wrong! Try to compile VirtualBox on Ubuntu.
I'm not new here, but seriously: since when is Slashdot a completely clueless news source that confuses crackers with hackers?
Hackers are the good guys who, you know, hack away on free software.
Crackers are the bad guys who think they're cool because they know enough to get around security holes and whatnot.
Firefox has its own Zero Day attack
I got nailed with the XP Police 'anti-virus' by navigating to a url via FireFox. No additional clicking, no user-error, no accepting/running/allowing anything out of the ordinary. Simply watched page load then was infected.
I went back to the page in question with IE 8 and it wasn't vulnerable to whatever attacked FF 3.06.
The browser religion war is over and we've all lost to shoddy programming. You can always attempt to hide in the latest obscure OS/browser, but at some point you will be caught by someone else's mistakes.
-Malakai
A Dragon Lives in my Garage
I totally disagree. Here's my software:
print 'Hello World!'
It does exactly what I want and it has ZERO bugs. Don't give me some esoteric BS argument about how it really is bug ridden because you don't know what the requirements are. I do. And it works perfectly.
Or do you want to give me a BS argument that only programs of a certain complexity ("software") ALWAYS have bugs. Pray tell, what is that level of complexity? Please show me an example of a simple bug free program (like above) that CANNOT be made more functional without introducing a bug. Oh you can't? Maybe because your idea is provably false.
"All software has bugs" is something I'd expect to hear from Microsoft, but not marked 5-Insightful on Slashdot.
Tried that, I had a problem -
apt-get install effin-common-sense-0.2.3
Sorry, but the following packages have unmet dependencies:
effin-common-sense: Depends: brain-2-1.0 but it is not going to be installed
Depends: intelligence (>= moron) but it is not going to be installed
I think the problem is I installed unstable brain so that I could make use of fetish-69-99.0
BM3
Well yeah, back then you didn't have to fear the act of just opening your E-Mail either, since mail was text based and didn't execute random shit or send you off to random sites on the Internet for graphics or web bugs. This exploit actually required the user to save and run the attachment. It was also (usually) decent enough to not delete all your files in the process of forwarding itself to other users.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
No, that's not how it works. In a modern development environment, the developers would pop the dialog box that would show all their installed and registered components... the dev goes down the list, and goes "Hmm...Adobe PDF renderer...nope... Gecko? Hmm...no... IE Control...bingo!". If they were (and they most likely were) using something a little less "drag and drop", they had to make a conscious decision to pick and load an instance of that particular COM control. It's pretty god damn likely that the Steam and WoW developers had access to alternate browsers (Is there really anyone in IT who doesn't at least have some form of alternative browser installed?), so if Firefox's installer doesn't register and expose the rendering engine in an easily discoverable and consumable method, that's their loss...
Now the first thing that came to my mind when I was typing the above at first was "Well, maybe the Steam/WoW team figured it would be one less dependency", but really, these engines are a couple of megs at most, if that, and modern installer toolkits (like InstallShield) will pick it up automatically either way... so really, it HAD to be a conscious decision, and the availability of the rendering engine was probably not the first reason, considering the date those software were first created.
The IE COM component is just dead easy to use. The gecko rendering engine API blows balls.
good morning class... roll call... yaneza, jamz, anyone? anyone? yaneza, jamz?
Questionable whether you can call it a bug or exploit when you have to accept a dodgy email and open its attachment for it to work? Might be more of an exploit in human nature...
By the way I've got a bridge to sell you.. I'm gonna take advantage of this exploit too... or is it the bridge builder's fault?
1. Require .desktop files to be executable to launch them
In addition, make the desktop environment not execute .desktop files under /home, and/or mount /home with noexec.
If a user wants a launcher icon on their desktop, enforce that the icon is actually a symlink to the real .desktop file under /usr/share/applications. (Can be done while hiding the mechanics from the UI trivially.)
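A read-only audit of the launcher policy proposed in the comment above, as an added example that is not part of the original thread: it lists .desktop files under a directory that are not symlinks resolving into the trusted application directory, and says whether each would still launch under the executable-bit rule. The function name, the labels and the overridable trusted path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of .desktop launchers
# against the policy proposed above. Names and labels are assumptions.
#
# audit_launchers DIR [TRUSTED_DIR]
# Prints "<label> <path> Exec=<command>" for each launcher that is not a
# symlink resolving into TRUSTED_DIR:
#   LAUNCHABLE_LOCAL  regular file with the exec bit: still launches under rule 1
#   INERT_LOCAL       regular file without the exec bit: blocked by rule 1
#   UNTRUSTED_LINK    symlink whose target is outside TRUSTED_DIR
# Assumes GNU-style `readlink -f`; paths containing newlines are not handled.
audit_launchers() {
    dir=$1
    trusted=${2:-/usr/share/applications}
    # Resolve the trusted directory once so symlinked prefixes compare equal.
    trusted_real=$(cd "$trusted" 2>/dev/null && pwd -P) || return 2

    find "$dir" -name '*.desktop' \( -type f -o -type l \) | sort |
    while IFS= read -r f; do
        if [ -L "$f" ]; then
            target=$(readlink -f "$f") || target=
            case $target in
                "$trusted_real"/*) continue ;;   # compliant launcher
                *) label=UNTRUSTED_LINK ;;
            esac
        elif [ -x "$f" ]; then
            label=LAUNCHABLE_LOCAL
        else
            label=INERT_LOCAL
        fi
        # Show what the launcher would run so a reviewer can triage it.
        cmd=$(grep -m1 '^Exec=' "$f" 2>/dev/null | cut -d= -f2-)
        printf '%s %s Exec=%s\n' "$label" "$f" "$cmd"
    done
}
```

Run it as `audit_launchers "$HOME"`; a non-empty result is a list to review, not proof of compromise, since users legitimately create their own launchers.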
FFS when even this place gets hackers and crackers mixed up, how the hell can we hope to teach mainstream media about the difference...
The attachment purported to display an ASCII Christmas tree on your terminal, complete with flashing ornaments and such.
Sounds cool, do you have a copy that'll work in a Linux terminal with ncurses?
bug jumps on newest IE7 Hackers!
and YOUR computer ALONE.
You don't let the wife use it. The kids don't use it. Nobody. Just you.
Not many people have enough dosh and space to have a computer solely for one person.
Not that you'd ever want to do it like this anyway unless you were patching it yourself (you'd just get the binaries from the package manager) but:
If anyone still believes that dependency hell is a problem in modern Linux distributions, I advise them to look at the third line of what I did above and be disillusioned; nothing about what I did apart from the filenames depends in any way on VirtualBox, I could have used any other package instead. (This particular technique only works for .DEBs, but both RPMs and portage are equally capable of solving the problem in their own ways, and I suspect most other Linux package managers can too.)
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
The default configuration of windows stinks. It is a technical problem, but it stems from many decisions to favor backwards compatibility, not from the capabilities of the operating system (well, post NT anyway).
The end result is that it is more attractive to exploit a windows box, as it will probably be easier, and the box will expose more resources once it has been exploited.
Nerd rage is the funniest rage.
The underlying problem is that good security sucks for desktop use.
Fixed that for you.
I know tobacco is bad for you, so I smoke weed with crack.