MS Finds Security Flaw In Google Chrome Frame

← Back to Stories (view on slashdot.org)

MS Finds Security Flaw In Google Chrome Frame

Posted by timothy on Thursday November 19, 2009 @10:40PM from the they're-the-experts dept.

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

214 comments

Dude by Anonymous Coward · 2009-11-19 22:43 · Score: 5, Funny

MS Finds Security Flaw In Google Chrome Frame
Timothy, you owe me a new Transformers t-shirt. I just spat coffee all over myself.
1. Re:Dude by erroneus · 2009-11-20 00:26 · Score: 0, Troll
  
  I had nearly the same reaction. Microsoft does not appear to be in the "finding security flaws" business and to my knowledge, this is the first I have ever heard of Microsoft's researchers finding anything. Seems to me Microsoft depends on its customers, competitors and 'haters' to find security flaws.
2. Re:Dude by blowdart · 2009-11-20 00:38 · Score: 3, Insightful
  
  Then you haven't been paying much attention. Billy Rios has discovered the GIFAR problem with Java. Of course they're only looking at things that affect their software, in much the same way that Google doesn't go looking for software bugs in Microsoft products.
  Why is it so surprising that security researchers employed by a company only look at that company's software, and aren't credited in the security patch reports for just doing their jobs?
3. Re:Dude by Anonymous Coward · 2009-11-20 01:50 · Score: 4, Interesting
  
  > in much the same way that Google doesn't go looking for software bugs in Microsoft products.
  You need to keep a closer eye on Microsoft bulletins, it actually happens regularly.
  http://www.google.com/search?hl=en&q=site:microsoft.com+Google+intitle:"Microsoft+Security+Bulletin"
4. Re:Dude by naasking · 2009-11-20 02:03 · Score: 1, Funny
  
  in much the same way that Google doesn't go looking for software bugs in Microsoft products.
  
  To be fair, you don't really have to "look" to find bugs in MS products...
  
  --
  Higher Logics: where programming meets science.
5. Re:Dude by blowdart · 2009-11-20 02:07 · Score: 1
  
  Dear god, that's impressive. Now if we read down and take all the "MS are doing this embarrass Google", would it be said for bugs reported from Google to Microsoft? No, don't be silly. *sigh* Hypocrisy abounds.
6. Re:Dude by Anonymous Coward · 2009-11-20 02:22 · Score: 0
  
  Hurf durf.
7. Re:Dude by Evil+Shabazz · 2009-11-20 03:00 · Score: 0
  
  in much the same way that Google doesn't go looking for software bugs in Microsoft products.
  To be fair, you don't really have to "look" to find bugs in software products...
  Fixed it for you, if you were really being fair. But then, this is /. so we love to rail on MS anywhere we can.
  
  --
  Down with the career politician! SUPPORT TERM LIMITS
8. Re:Dude by MrData · 2009-11-20 03:21 · Score: 2, Insightful
  
  What is surprising is that an Operating System vendor (Microsoft) has so poorly designed it product to allow an application (often running in user space) to access proctected resources.
  This violates the very definition of an Operating System, and what worse is that MS has done absolutely nothing to address these issues despite the vast resources at their disposal.
9. Re:Dude by hrimhari · 2009-11-20 03:51 · Score: 2, Funny
  
  But then, this is /. so we love to rail on MS, Apple and even Linux anywhere we can.
  There, ported it to the present ; )
  
  --
  http://dilbert.com/2010-12-13
10. Re:Dude by Supergibbs · 2009-11-20 04:58 · Score: 1
  
  Come on they did warn us when Google released it... :-P http://arstechnica.com/microsoft/news/2009/09/microsoft-google-chrome-frame-makes-ie-less-secure.ars
  
  --
  First post! (just in case I am...)
11. Re:Dude by Hurricane78 · 2009-11-27 00:39 · Score: 1
  
  Transformers t-shirt
  Dude, you just officially lost your geek membership! Please hand the card it in. ^^
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
Expected by Stratoukos · 2009-11-19 22:44 · Score: 1, Insightful

I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

--
It may be 7 digits, but at least it's a semiprime
1. Re:Expected by Jojoba86 · 2009-11-19 22:51 · Score: 2, Insightful
  
  Great thing is even if they'd done the alternative and decided not to look for security flaws they can still get a bashing from the pro-Google crowd! Either way Microsoft loses!
2. Re:Expected by badran · 2009-11-19 22:53 · Score: 0
  
  I guess google is happy that MS is doing some of the testing for them.
3. Re:Expected by MrMista_B · 2009-11-19 22:59 · Score: 3, Insightful
  
  And Google doesn't have to pay them a cent. :)
4. Re:Expected by Ed+Avis · 2009-11-19 23:02 · Score: 3, Insightful
  
  I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.
  Heh. If so, it's a good reason to use Google Chrome Frame. A program that has an active bug-finding team is more trustworthy than one where bugs and security holes are hushed up.
  However, I don't think Microsoft would set out to help their competitor in this way.
  
  --
  -- Ed Avis ed@membled.com
5. Re:Expected by Ginger+Unicorn · 2009-11-19 23:13 · Score: 5, Informative
  
  At first i thought the "google has hurried out a patch" in the summary was a quote from MS glibly dismissing the notion of fixing the problem in a timely manner, but looking through the article it seems this is a remark made by the submitter.
  
  --
  (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
6. Re:Expected by cl333r · 2009-11-19 23:25 · Score: 1
  
  Me too, one has to be very naive (if not completely stupid) to believe otherwise.
7. Re:Expected by calmofthestorm · 2009-11-19 23:44 · Score: 5, Insightful
  
  Hardly, they helped another company secure its product. Everybody wins!
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
8. Re:Expected by Anonymous Coward · 2009-11-19 23:46 · Score: 1, Insightful
  
  A security hole was found, and was patched. Who cares what Microsoft's motives were? This is competition, and it's working!
9. Re:Expected by Narpak · 2009-11-19 23:53 · Score: 3, Funny
  
  In an attempt at humour I will add that making "IE less secure" seems redundant. Much like this post.
  
  --
  The Long Now Foundation
10. Re:Expected by sa666_666 · 2009-11-19 23:54 · Score: 3, Insightful
  
  Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate. You can bet that this whole situation is an embarrassment to Microsoft; it took another company to patch their software to work correctly, when they should have been able to do it themselves. Some egos were bruised in the process, and you can be damn well sure that there's a team willing to do everything they can to discredit Googles achievement.
  So while I commend Microsoft on doing some testing on Google Frame, I don't commend them on the reason for Google having to write the code in the first place. Not to mention that their motives are suspect as well. If they can find a bug so quickly, what's their excuse for having their other products so buggy?
11. Re:Expected by Starayo · 2009-11-20 00:00 · Score: 1
  
  Maybe they should spend more time trying to find security flaws in their own products. :P
  
  --
  Ezekiel 23:20
12. Re:Expected by spyrochaete · 2009-11-20 00:19 · Score: 3, Insightful
  
  Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate.
  Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. IE9 will support it, I believe, though MS balked at supporting a non-final language.
  I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels. It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked. Microsoft releases beta software too, but with warnings not to use the software in production. HTML5 is a good example of this difference of philosophy, and certainly so is this Chrome Frame plugin which is essentially a sloppy man-in-the-middle attack vector. It's like one of those obnoxious browser toolbars that acts as an intermediary to hijack all your search queries.
13. Re:Expected by Arancaytar · 2009-11-20 00:21 · Score: 4, Insightful
  
  Good thing too. If competitors spent more time actively looking for bugs in each others' software instead of paying their marketroids to spread FUD, everyone would be better off.
14. Re:Expected by Gadget_Guy · 2009-11-20 00:40 · Score: 5, Insightful
  
  I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.
  In that case, why didn't Microsoft loudly announce it to the world and shame Google?
  Instead, they quietly reported it to Google so that they could fix the problem. Once the bug was fixed, Google acknowledged the security researcher who discovered the bug. This is exactly how the system is supposed to work so that everybody wins - we get safer software, Google doesn't have to "hurry out a patch" (without proper testing) and Microsoft gets the credit for the discovery. The bug gets fixed without tipping off the malware writers.
  And why does everybody act so responsibly? Because next time it might be a Google employee that finds a bug in Microsoft's products. Microsoft would like to be afforded the same courtesy. Similarly, if Google didn't acknowledge Microsoft, then the next security researcher who finds a bug in Chrome may decide to get their credit by going public rather than following protocol. Remember that this public recognition is the same as an academic being published in a journal. It is how they build their reputation, and ultimately how they will get future employment.
15. Re:Expected by SkunkPussy · 2009-11-20 00:41 · Score: 2, Insightful
  
  I guess part of it is css support
  
  --
  SURELY NOT!!!!!
16. Re:Expected by edumacator · 2009-11-20 00:42 · Score: 1
  
  I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels.
  Really? I very seriously doubt that they did this just to turn their collective nose up at Microsoft. Might it be that they want a more usable browser, so they get more eyes on their own products?
  
  I believe, though MS balked at supporting a non-final language.
  Wouldn't you consider the fast pace of development a reason to at least support the most obvious standards. If our browsers wait for the final standards, that will slow the development process down. Now before you come flaming back at me, I'm not saying everything should be released bleeding edge, but there has to be some place in the middle that could be effective. You have to admit, IE hasn't had a stellar record of being a progressive, or even current browser.
  
  --
  An important change for education.
17. Re:Expected by Anonymous Coward · 2009-11-20 00:47 · Score: 0
  
  Standards are based on implementation. Standards committees rarely invent anything. If you think it's not established yet, you're already behind the curve.
  As far as Microsoft dragging their heels, Microsoft has already dragged their heels and as proof, they only started showing up for HTML5 discussions a month ago even though they were co-chair of that working group.
  The IEBlog released early details about IE9 and it looks like it will catch up to where all the other browsers were a couple years ago, yet IE9 won't be out for two more, making it at least 5 years behind everyone else. Talk about dragging their heels. Kicking and screaming I'd say.
18. Re:Expected by fuzzyfuzzyfungus · 2009-11-20 00:49 · Score: 4, Insightful
  
  Consider the landscape of alternatives, though.
  
  Web designers have, for years, been depending on functionality that isn't even on any kind of standards track, much less maturely standardized. We call it Flash(and to a lesser extent other "rich content" plugins; but mostly Flash). Web designers have, frequently, depended on it for all kinds of things, it is often considered a must-have for web browsers, and is every bit as ghastly, if not considerably more so, in implementation.
  
  By comparison, HTML5 is positively civilized. Chrome Frame is basically just an "HTML 5 Player" plugin, whose necessity will hopefully evaporate over time. It is, certainly, a kludge; but there are presently no alternatives to that. You can either give up broad swaths of web application features entirely, and deal with the oh-so-standard world of native application development; or base your webapp features on one or more plugins(flash, java, silverlight, etc.), or you can use HTML5 stuff.
19. Re:Expected by Kaitnieks · 2009-11-20 00:50 · Score: 3, Funny
  
  It's been reported that Google will pay Microsoft in adwords coupons.
20. Re:Expected by tepples · 2009-11-20 00:56 · Score: 1
  
  Is this a comment about HTML5 support?
  The 80 percent of Acid3 that Internet Explorer 8 fails can't be all HTML5. For example, where is SVG in IE8?
21. Re:Expected by JasterBobaMereel · 2009-11-20 00:58 · Score: 1
  
  HTML 5 not a standard yet .... Like HTML 4 was not a standard until 2000, but supported in every browser well before this, including IE (with IE only extensions)
  And IE *still* does not fully support ISO HTML (HTML 4.01) Nine years later .....
  
  --
  Puteulanus fenestra mortis
22. Re:Expected by LordSnooty · 2009-11-20 01:43 · Score: 1
  
  Does this mean they already went through Firefox's code and found nothing amiss?
23. Re:Expected by clone53421 · 2009-11-20 01:43 · Score: 1
  
  No, it's a comment on how (historically) awful IE has been with respects to security. HTML5 is just icing on the cake. If MS wants to reverse this trend they're going to have to put some serious effort into it – one decent browser, if we're going to call IE8 that, isn't enough to overlook the trend.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
24. Re:Expected by Aldenissin · 2009-11-20 02:04 · Score: 1
  
  So, you mean there is a nice man at Microsoft that wants to make something secure other than Microsoft's software! Thanks nice man!
  
  --
  Like a city whose walls are broken down is a man who lacks self-control.
25. Re:Expected by Aldenissin · 2009-11-20 02:11 · Score: 1
  
  Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. ....
  What about the open document standard proposed by Microsoft? They expect everyone else to use a format for their framework that is on a standard that many testified didn't make technical sense and flat out wouldn't work as written. Yet there was an optional standard already being used in practice but they opposed it since THEY didn't come up with it and wouldn't put them in the advantage.
  
  --
  Like a city whose walls are broken down is a man who lacks self-control.
26. Re:Expected by mcgrew · 2009-11-20 02:29 · Score: 1
  
  If they can find a bug so quickly, what's their excuse for having their other products so buggy?
  That's an easy question. All their security guys are looking for bugs in other companies' products.
  
  --
  Free Martian Whores!
27. Re:Expected by VGPowerlord · 2009-11-20 02:37 · Score: 1
  
  Is this a comment about CSS3 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers.
  I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels. It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked. Microsoft releases beta software too, but with warnings not to use the software in production. HTML5 is a good example of this difference of philosophy, and certainly so is this Chrome Frame plugin which is essentially a sloppy man-in-the-middle attack vector. It's like one of those obnoxious browser toolbars that acts as an intermediary to hijack all your search queries.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
28. Re:Expected by Just+Some+Guy · 2009-11-20 02:37 · Score: 0
  
  It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked.
  Gmail was listed as beta until July. Hotmail was listed as production since like 1998. Therefore, Hotmail is better than Gmail, case closed. Right?
  I'd much rather have "release early and release often" than "stick a fork in it and languish".
  
  --
  Dewey, what part of this looks like authorities should be involved?
29. Re:Expected by lorenlal · 2009-11-20 02:41 · Score: 0
  
  Besides, since when has IE depended on "industry standards?" Before someone goes and marks me as a troll, or flamebait, or whatever, IE is the only browser that supports ActiveX, and ASP.... By design.
  And there are plenty of web developers out there that have depended on it for years... so much so that newer editions of IE that provide "better security" require a compatibility view for some of those sites to render properly.
30. Re:Expected by VGPowerlord · 2009-11-20 02:46 · Score: 1
  
  HTML 5 not a standard yet .... Like HTML 4 was not a standard until 2000, but supported in every browser well before this, including IE (with IE only extensions)
  And IE *still* does not fully support ISO HTML (HTML 4.01) Nine years later .....
  Neither does Mozilla/Firefox. In fact, they never will, because the Mozilla developers have chosen to not implement full support for col and colgroup by not supporting certain attributes on them, such as align.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
31. Re:Expected by aesiamun · 2009-11-20 02:50 · Score: 1
  
  What does Chrome Frame have to do with security? It just implements HTML5 in Internet Explorer.
32. Re:Expected by Evil+Shabazz · 2009-11-20 03:06 · Score: 1
  
  Welcome to capitalism and competition. Microsoft is little different from most any caplitalistic company in that once it has established a product in the marketplace, the innovation on that product is most often reduced to only the minimum necessary investment to maintain marketshare and maximize short-term profit (especially if the company is a publicly traded company focusing on short-term share value). It generally takes stiff competition, in the form of a better mousetrap, to really drive major innovation. Google playing with Mozilla and Microsoft in the browser world is a good thing for us because their competition will mean a better overall browser for us.
  
  --
  Down with the career politician! SUPPORT TERM LIMITS
33. Re:Expected by clone53421 · 2009-11-20 03:16 · Score: 1
  
  What does Chrome Frame have to do with security?
  Did you miss the whole story about how MS claimed that Chrome Frame doubled the potential for exploitation in IE?
  If so, surely you can't possibly have missed the story about how MS has found a security exploit in Chrome Frame... erm, did you RTFheadline?
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
34. Re:Expected by Sulphur · 2009-11-20 03:25 · Score: 1
  
  They get one day a week to find bugs in Google.
35. Re:Expected by jones_supa · 2009-11-20 03:30 · Score: 1
  
  No, there isn't, but it still was the practical outcome.
36. Re:Expected by jzhos · 2009-11-20 03:55 · Score: 1
  
  really? firefox does not support ASP by design? Do you even know what ASP is?
37. Re:Expected by Anonymous Coward · 2009-11-20 03:59 · Score: 0
  
  And what does this have to do with GP's comment?
38. Re:Expected by Will.Woodhull · 2009-11-20 04:04 · Score: 1
  
  Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. IE9 will support it, I believe, though MS balked at supporting a non-final language.
  No, that's not right. Parent post is rife with disinformation.
  The HTML5 standard will be in development for years and will be influenced by real world feedback. This is a change in strategy that is leading to a more robust standard. Quoting from the WHATWG FAQ
  It is estimated, again by the editor, that HTML5 will reach a W3C recommendation in the year 2022 or later. This will be approximately 18-20 years of development, since beginning in mid-2004. That's actually not that crazy, though. Work on HTML4 started in the mid 90s, and HTML4 still, more than ten years later, hasn't reached the level that we want to reach with HTML5. There is no real test suite, there are many parts of the spec that are lacking real implementations, there are big parts that aren't interoperable, and the spec has hundreds if not thousands of known errors that haven't been fixed. When HTML4 came out, REC meant something much less exciting than it does now.
  Many browsers, including MSIEv8, are incorporating at least some of the stable HTML5 features. HTML5 is also being designed so that features that are not available on a particular browser can be emulated with JavaScript. Common JavaScript libraries (JQuery,etc) are incorporating HTML5 emulations.
  Microsoft, and other browser makers, are not going to wait until 2022 for a completed standard before beginning to implement HTML5 features. This is already well under way. And since the HTML5 approach deliberately eases the work of emulating its features in browsers that do not offer native support, we can expect to see more third party libraries, plug-ins, and so on that provide missing features to various browser versions.
  
  --
  Will
39. Re:Expected by GigaHurtsMyRobot · 2009-11-20 04:06 · Score: 0, Offtopic
  
  Kind of like how the Associated Press assigned 11 reporters to fact check a book by Sarah Palin who holds no office (and found basically nothing false), but has never tried to fact check anything written by Obama.
40. Re:Expected by ShatteredArm · 2009-11-20 04:07 · Score: 1
  
  There is a flaw in your argument. It clearly does not account for the fact that Microsoft is the devil incarnate. We need wild implications of Microsoft skulduggery, not your fancy "logic."
41. Re:Expected by yuhong · 2009-11-20 04:11 · Score: 1
  
  Because next time it might be a Google employee that finds a bug in Microsoft's products.
  Which has happened already, look at the Acknowledgments section of say MS09-058.
42. Re:Expected by Chapter80 · 2009-11-20 04:28 · Score: 1
  
  IE is the only browser that supports... ASP.... By design.
  How can this be modded Informative?
  That's like saying IE is the only browser that supports SQL Server By design. Or IIS by design.
  In other words, it makes no sense.
  Clearly this person has no clue as to what ASP is.
43. Re:Expected by u-235-sentinel · 2009-11-20 04:41 · Score: 1
  
  I'm guessing they have more experience finding bugs than any other company on the planet. Comes from years of experience with writing bad code ;-)
  
  --
  Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
44. Re:Expected by AmberBlackCat · 2009-11-20 05:07 · Score: 1
  
  Maybe they should do as Firefox did, and find some way to block Google Chrome Frame until an update is available.
45. Re:Expected by Anonymous Coward · 2009-11-20 05:12 · Score: 0
  
  I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.
  You would lose your money. MSVR is looking at bunch of third-party programs and IE add-ons, but there's no team that targets specific companies.
  Btw, are you by any chance payed by Google to spread FUD about Mictrosoft?
46. Re:Expected by n0tWorthy · 2009-11-20 05:16 · Score: 1
  
  Was "Microsoft" (as in management) even involved? Most likely it was some guy toiling away in the MS bowels that found this and simply opened a bug tracking ticket (from the announcement:
  [Credit: Thanks to Billy Rios and Microsoft Vulnerability Research (MSVR) and also to Lostmon for finding and reporting this vulnerability responsibly.]
  it's hard to tell who is resopnsible).
  Is that Billy Rios of MSVR or Billy Rios and MSVR. Anyway, once the patch came out I'm sure MS marketing was all over it.
  So just like you or I would simply open an incident and do reponsible disclosure I'm willing to bet that's all that happened here.
  
  --
  "Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
47. Re:Expected by Anonymous Coward · 2009-11-20 05:27 · Score: 0
  
  Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate.
  That is utterly wrong. Google did not write Chrome because IE(6) was buggy. Firefox was meeting that demand quite well (at least for a while), and if Google's main concern was to provide users with a secure alternative to IE, they could've just continue pouring money in Mozilla Foundation.
  Google's whole purpose of building Chrome is the same one as their involvement with HTML5. They are trying to build a platform on both the client and the server side that meets their main goal - a commoditization of the content. If the content becomes a commodity, the only way to monetize it for the producers would be on volume; and the way to distinguish own content from the rest of it on the internet is to be easily discoverable. This means to make money in such world, one's content has to be on top of the searches; which translates into direct advertisement dollars to Google.
48. Re:Expected by SadButTrue · 2009-11-20 07:05 · Score: 1
  
  want to borrow one of my tinfoil hats?
  
  --
  grape - the GNU free, open source rape
49. Re:Expected by natehoy · 2009-11-20 07:20 · Score: 4, Insightful
  
  You had me right up until "just to discredit them".
  Microsoft clearly was concerned that Frame would add to the possible attack vectors into IE. They've certainly said as much. And that is a valid concern, frankly. Due to that concern, they had their research team test for security vulnerabilities in Frame, obviously with particular focus on ones that could compromise a Windows system.
  And, whaddya know, they found one.
  Now, if they were trying to discredit Google, the first place they'd go is (MS)NBC and put out headlines "Google Chrome Frame Has a security breach! Look at those losers!"
  Instead, we see an announcement from Google that they have a patch for the defect, and acknowledging Microsoft as having found the bug and reported it to them.
  Sounds to me like Microsoft was acting out of enlightened self-interest, and is demonstrating good team-playing skills by telling Google about it in enough detail for Google to come out with a fast fix.
  Kudos to Microsoft for extending their security research beyond their own software and to external sources they might consider a threat. Further kudos to Microsoft for reporting the issue to Google with enough detail to make a fix possible, without exposing it to the black hats so this never became a zero-day attack.
  Kudos to Google for getting a fix out there quickly. Further kudos to Google for having the respect to acknowledge Microsoft's contribution.
  I'd say this is a perfect example of vendors being good players in the security arena, and respectful competitors.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
50. Re:Expected by man_of_mr_e · 2009-11-20 07:47 · Score: 2, Interesting
  
  You do realize that ActiveX is an industry standard, supported by the Open Group (you now, the same people that standardized X Windows).
  http://www.opengroup.org/pubs/catalog/ax01.htm
  
  --
  If you need web hosting, you could do worse than here
51. Re:Expected by man_of_mr_e · 2009-11-20 07:48 · Score: 1
  
  Where is SVG in any HTML standard?
  
  --
  If you need web hosting, you could do worse than here
52. Re:Expected by man_of_mr_e · 2009-11-20 07:56 · Score: 1
  
  How, exactly, does someone have an extension to something that's not even a standard? All browsers had "extensions" because the W3C dropped the ball on HTML 3.
  
  --
  If you need web hosting, you could do worse than here
53. Re:Expected by man_of_mr_e · 2009-11-20 08:01 · Score: 1
  
  This is just ridiculous. It's HTML 3 all over again. This lack of formalized standard leads to browser vendors creating proprietary extensions in the hope they might eventually be included in some final standard. Canvas is a good example of this.. thankfully the working group accepted it (but again, not officially standard) or we'd have tons of sites utilizing non-standard features.
  
  --
  If you need web hosting, you could do worse than here
54. Re:Expected by clone53421 · 2009-11-20 08:03 · Score: 1
  
  ASP
  Did you perhaps mean VBS? or there’s another form of basic client-side scripting that you can do in IE, called conditional comments, and perhaps that is what you were thinking of...
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
55. Re:Expected by clone53421 · 2009-11-20 08:04 · Score: 1
  
  It still has no business injecting itself into the web.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
56. Re:Expected by man_of_mr_e · 2009-11-20 08:18 · Score: 1
  
  There is no functional difference between ActiveX and Mozilla plug-ins, other than a half-assed white-listing system. In fact, I was just reading that a bunch of security vulnerabilities have been found in firefox plug-ins, and that FF has no security system in place to deal with this.
  
  --
  If you need web hosting, you could do worse than here
57. Re:Expected by tepples · 2009-11-20 08:26 · Score: 1
  
  Where is SVG in any HTML standard?
  SVG 1.1 has been a W3C Recommendation since January 14, 2003, yet IE still can't display it.
58. Re:Expected by spyrochaete · 2009-11-20 08:45 · Score: 2, Insightful
  
  I very seriously doubt that they did this just to turn their collective nose up at Microsoft. Might it be that they want a more usable browser, so they get more eyes on their own products?
  Google is shoehorning their own browser into their competitor's browser. This is the equivalent of Burger King selling their hamburgers inside a McDonalds restaurant. It's a very drastic move that goes too far in my opinion.
  
  Wouldn't you consider the fast pace of development a reason to at least support the most obvious standards. If our browsers wait for the final standards, that will slow the development process down. Now before you come flaming back at me, I'm not saying everything should be released bleeding edge, but there has to be some place in the middle that could be effective. You have to admit, IE hasn't had a stellar record of being a progressive, or even current browser.
  You're right that standards should be backed, but they're not standards until they are finalized. A standard means something that will not be changed, but if it's not finalized it could change at any minute. I don't think "being progressive" should be a priority of any web browser - reliability should be #1. I'm not going to make any statements about IE's track record concerning reliability, but I can empathize with Microsoft for their reasons why they made this decision.
59. Re:Expected by clone53421 · 2009-11-20 08:45 · Score: 1
  
  There is no functional difference between ActiveX and Mozilla plug-ins, other than a half-assed white-listing system.
  Pages that attempt to install Firefox plugins are quite a bit more well presented than ones that want to run some ActiveX control. IE users when confronted with the ActiveX installation prompt: “wut.” Perhaps it’s mostly an issue of educating the users, but I think Firefox does a better job at it.
  
  FF has no security system in place to deal with this.
  Sure it does. I doubt it will be very long before those plugins are listed.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
60. Re:Expected by Will.Woodhull · 2009-11-20 08:48 · Score: 1
  
  No, it is not ridiculous. It is a recognition that to avoid another HTML 3 fiasco, all parties, including vendors, have to be brought to the table. And forced to stay at the table through various market pressures, if need be.
  Check out the Web Hypertext Application Technology Working Group. This is an extensive web site and will probably have an answer to all reasonable questions.
  
  --
  Will
61. Re:Expected by clone53421 · 2009-11-20 09:19 · Score: 1
  
  Wait... you’re not even trying to argue with what he posted, but you’re calling him paranoid for saying it?
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
62. Re:Expected by spyrochaete · 2009-11-20 10:50 · Score: 1
  
  Gmail was listed as beta until July. Hotmail was listed as production since like 1998. Therefore, Hotmail is better than Gmail, case closed. Right?
  I'd much rather have "release early and release often" than "stick a fork in it and languish".
  I'd rather have "release when it's done" and not "the public will do our QA for us". And I'd certainly rather have the web browser whose icon I just double clicked, rather than a rogue web browser injected into the UI of what I thought I was using.
63. Re:Expected by spyrochaete · 2009-11-20 10:55 · Score: 1
  
  Thanks for this explanation. All I've read on the subject is that HTML5 is not yet finalized, but it's very interesting to hear how much real-world use influences the spec.
64. Re:Expected by Zaiff+Urgulbunger · 2009-11-20 12:28 · Score: 1
  
  Your wording is curiously similar to the GP -- are you both related?!
  
  Anyway, AFAIK the reason Google is pushing Chrome Frame is so that _even_ IE users can use Google WebApps. Obviously IE6 (and IE7 to a lesser extent) needs some "help" because it is so far behind all other browsers; note, this isn't a dig at IE6/7 -- they're old, so it's to be expected. But unlike other old browsers, these are still being used.
  
  But even with IE8, the JavaScript runs a bit slow compared with everything else, there are still some CSS issues (albeit far far less then previous IE versions), and it does not support SVG or Canvas. These latter two are kind of useful when you want to build webapps that are more like current desktop apps without resorting to something proprietary like Adobe Flash or SliverLight.
  
  HTML5 is a good example of this difference of philosophy, and certainly so is this Chrome Frame plugin which is essentially a sloppy man-in-the-middle attack vector. It's like one of those obnoxious browser toolbars that acts as an intermediary to hijack all your search queries.
  If MS showed some interest in implementing Canvas/SVG, I might buy your argument. But the reason they have no interest in this is because open technologies such as these threaten Microsofts business model and do not allow them to control the market... what with being open an'all!
  
  If MS were to implement HTML5 / CSS3 features now, that would not make the software beta. It would mean that some of the features are subject to change, so anyone using them, might have to tweak their websites in the future... but that's okay, 'cos we're all grown up developers and we understand this. But having working implementations out in the wild is what standards development is all about. This is how we discover if what _seems_ like a good idea on paper, really is a good idea or not.
  
  As for your comments "sloppy man-in-the-middle attack vector" and "hijack all your search queries", I'm not sure where you're getting your information from, but those do sound remarkably like FUD.
65. Re:Expected by tigerhawkvok · 2009-11-20 13:08 · Score: 1
  
  And ice can be a blistering 273 Kelvin! Wow, that's a huge number!
  The AP has ~4k fact checkers. So you're looking at about 0.25% of the total AP fact-checking force to look at a new release political book. Whadda ya know, context means something.
  Also, various news programs and reports from members in the McCain campaign, including John McCain himself, has criticized the veracity of several comments in the book. There are also email records directly at odds with her statements regarding the Tina Fey skits.
  Finally, here's an AP fact check from yesterday, and a direct check on a speech in September. Took me 15 seconds on Google to prove you wrong. I somehow suspect you get all your news from Glenn Beck and O'Reilly. It has that familiar evangelical pundit feel of "translate every criticism into an attack on Obama, warranted or not, because OMGZOBAMASSOCIALIST and eats Christian babies".
  In other words, pwnd.
  
  --
  Blog
66. Re:Expected by Zaiff+Urgulbunger · 2009-11-20 13:14 · Score: 1
  
  Standards like HTML5 and CSS3 are/will-be based on existing implementations -- these standards are never designed by committee and *then* implemented! We need working implementations that we can then refine if they aren't working as anticipated, so the implementations that exist in Firefox/Chrome/Opera are all potentially subject to change. But that's fine, because (1). if you're a web-developer and you absolutely don't want to risk having to change your code, then stick with older standards, and (2). in practise, they're probably not going to change much if at all and that means we can take advantage.
  
  I'd rather have "release when it's done" and not "the public will do our QA for us".
  What public? The public just use browsers to access websites. Going on what you said in your GP post, you seem to mixing up "beta" software with currently implementations of HTML5 and CSS3, but that is incorrect. Beta software is software that may contain bugs, so should not be used for mission critical tasks. However, the HTML5/CSS3 implementations in Firefox/Chrome/Opera are not "test" versions... they're solid implementations of the currently unfinalised standards.
  
  As a user, I am not doing QA for anyone by using any of these browsers.
  
  As a web-developer, if I choose to use HTML5 and/or CSS3, then I do so on the understanding that since these standards are not final, I may need to update my code in the future. But I don't have to do this -- I can stick with older standards if I so choose.
  
  And I'd certainly rather have the web browser whose icon I just double clicked, rather than a rogue web browser injected into the UI of what I thought I was using.
  It's hardly "rogue" if you've installed it is it? No one is sneaking code onto your computer!
  
  However, if you want to use modern web apps such as Google Wave, whilst using the familiar IE interface, then the only way to do this is using the Chrome Frame plugin.
  
  Alternatively, you could download Firefox/Chrome/Opera/whatever separately. But IE does not support the technologies required to make Google Wave (+ other apps) possible.
  
  From Google's perspective, if they did not require HTML5/CSS3 (or SVG/Canvas or whatever it is they require) for Wave, then they would've had to use something like Flash or Silverlight.... both of which are browser plugins, same as Chrome Frame. Except of-course that Flash/Silverlight are proprietary. Oh, and not based on standards -- even unfinalised ones!
67. Re:Expected by man_of_mr_e · 2009-11-20 15:20 · Score: 1
  
  You didn't answer my question. What part of any HTML standard mandates SVG? How about recommends?
  The W3C has tons of recommendations that aren't implemented by Firefox, or Opera, or Chrome, or Safari...
  
  --
  If you need web hosting, you could do worse than here
68. Re:Expected by man_of_mr_e · 2009-11-20 15:23 · Score: 1
  
  Doesn't help if it's already installed, and that's not what I was referring to. I was referring to the fact that there is no security mechanism between plug-ins and the browser, so once installed they are fully trusted, just like ActiveX.
  
  --
  If you need web hosting, you could do worse than here
69. Re:Expected by clone53421 · 2009-11-20 15:31 · Score: 1
  
  No, but if you know you’re installing something you’re better able to police what you do install.
  Addons have the potential to wreak havoc. That’s why the countdown dialog pops up and makes you confirm that yes, you want to install it. It’s by design, and limiting addons’ ability to interact with the browser and other addons would also hamper their ability to implement the features that the users want.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
70. Re:Expected by tepples · 2009-11-20 15:40 · Score: 1
  
  What part of any HTML standard mandates SVG?
  None, but I don't see how that's relevant. The policy of Internet Explorer has never been "if it's not mandatory, it's forbidden". For example: What part of any HTML standard mandates the use of JPEG image format? Yet IE still supports it. What part of any HTML standard mandates the use of JavaScript language in <script> elements? Yet IE still supports it.
71. Re:Expected by spyrochaete · 2009-11-20 15:44 · Score: 1
  
  All fair points. I guess my difference in opinion comes from my feeling that Flash and Silverlight are optional add-ons, while HTML5 is (or will be) more of a core protocol. Maybe the line is greyer than it used to be.
72. Re:Expected by VGPowerlord · 2009-11-20 18:37 · Score: 1
  
  Your wording is curiously similar to the GP -- are you both related?!
  I was going for a funny mod by copying most of the GGP's post and changing HTML5 to CSS3. (and I only changed the first one, whoops)
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
73. Re:Expected by man_of_mr_e · 2009-11-20 20:35 · Score: 1
  
  I didn't say it's forbidden... My point is that there are a ton of standards out there any given browser *could* support, for example, which browser supports WebCGM or XForms? The closest you get are plug-ins that support them.
  Who defines what a browser is "supposed" to support? Who says it has to support PNG, or JPG or SVG? In general, a browser tends to support things that are commonly used on the web, which makes it a bit of a chicken and egg scenario because SVG is just not commonly used.
  
  --
  If you need web hosting, you could do worse than here
74. Re:Expected by man_of_mr_e · 2009-11-20 20:38 · Score: 1
  
  And clicking "Yes, I want to install this add-on", then "Yes, I really really mean I want to install this add-on", and then "Yes, I want to run this add-on" isn't "knowing you're installing something"?
  I'd argue that ActiveX has far more intentional installation than Firefox plug-ins do. Users don't care. They just want to do whatever it takes for them to see the naked pictures.
  
  --
  If you need web hosting, you could do worse than here
75. Re:Expected by clone53421 · 2009-11-20 21:23 · Score: 1
  
  Like I said, it might just be a better job of educating the users. Firefox users tend to be more reluctant to install an addon to view certain content – flash, java, and you should really have it mostly all set, right? IE users are beset with targeted attacks, and they are relatively unconcerned with security.
  Not sure how much this has to do with the users, and how much it has to do with the attackers – but if all the gullible users are still using IE, it stands to reason that most of the gullible-user exploits will be targeted toward IE.
  Particularly helpful, though, is the Mozilla addons site. If you want an addon, you go there. If you are not at the official addons site, you probably do not want to install the helpful addon that the page you’ve visited just requested.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
76. Re:Expected by Anonymous Coward · 2009-11-21 00:22 · Score: 0
  
  aww, you jealous that he got modded up?
77. Re:Expected by tepples · 2009-11-21 00:52 · Score: 1
  
  In general, a browser tends to support things that are commonly used on the web, which makes it a bit of a chicken and egg scenario because SVG is just not commonly used.
  How did PNG happen to get included into Internet Explorer when GIF was already in wide use?
78. Re:Expected by Zaiff+Urgulbunger · 2009-11-21 04:35 · Score: 1
  
  Good call -- far too subtle though!! ;)
79. Re:Expected by man_of_mr_e · 2009-11-21 07:50 · Score: 1
  
  largely because of the Unisys LZW patent issues.
  
  --
  If you need web hosting, you could do worse than here
80. Re:Expected by man_of_mr_e · 2009-11-21 07:53 · Score: 1
  
  But whitelists are easily counterable with DNS poisoning. AFAIK, mozilla plugins aren't even digitally signed, unlike ActiveX.
  
  --
  If you need web hosting, you could do worse than here
At least they patched it by santax · 2009-11-19 22:45 · Score: 4, Interesting

And not wait another week until it's patch-Tuesday.
1. Re:At least they patched it by Tim+C · 2009-11-19 22:48 · Score: 5, Informative
  
  Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.
  I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.
  
  --
  It's official. Most of you are morons.
2. Re:At least they patched it by heffrey · 2009-11-19 23:18 · Score: 4, Insightful
  
  Yeah it would be much better if the patches came out like they do for Firefox so that every other time you start Firefox you have to navigate an update dialog!
3. Re:At least they patched it by santax · 2009-11-19 23:23 · Score: 4, Insightful
  
  That is a small price to pay for an updated browser that is secure against attacks that already are in the wild. Remember: the exploit always comes before the fix.
4. Re:At least they patched it by Carewolf · 2009-11-19 23:53 · Score: 2, Funny
  
  Binaries installed or modified outside the packaging system is a security flaw, not to mention impossible to maintain. Everytime Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.
5. Re:At least they patched it by Nerdfest · 2009-11-19 23:53 · Score: 3, Informative
  
  The exploit usually comes before the fix, but not always. Firefox frequently deploys fixes for security hole they've found themselves where not even a 'proof of concept' exists. Many other applications are the same.
6. Re:At least they patched it by Anonymous Coward · 2009-11-19 23:54 · Score: 2, Informative
  
  I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.
  I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.
7. Re:At least they patched it by jonwil · 2009-11-20 00:02 · Score: 1
  
  Me, I run Adblock alone and dont bother with noscript, its more trouble than its worth...
8. Re:At least they patched it by EyelessFade · 2009-11-20 00:06 · Score: 1, Troll
  
  In linux they push patches all the time, but a company (like the one I work for) can still screen and test them before they roll out. They can also push it out faster if its a critical bug, and not have to wait for the vendor first.
9. Re:At least they patched it by tokul · 2009-11-20 00:23 · Score: 5, Funny
  
  Everytime Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.
  
  Not on your Linux installation, but in your own home directory. Unless you run as root. If you do run Firefox as root, then you should not worry about kittens killed when firefox is updated. You kill them every second spend in your X session.
10. Re:At least they patched it by heffrey · 2009-11-20 00:28 · Score: 1
  
  I don't use noscript
11. Re:At least they patched it by QuoteMstr · 2009-11-20 00:45 · Score: 1
  
  Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.
12. Re:At least they patched it by Gadget_Guy · 2009-11-20 00:47 · Score: 2, Informative
  
  And not wait another week until it's patch-Tuesday.
  How do you know exactly when the bug was first reported to Google? For all you know, they may have sat on the problem for a month.
  It seems that they did batch the updates together, because this update to version 4.0.245.1 fixes 9 different issues.
13. Re:At least they patched it by santax · 2009-11-20 00:47 · Score: 4, Insightful
  
  I know where you going here. But smart criminals don't publish proof of concepts. They just exploit and hope no-one will find the same exploit so it won't be fixed. Therefor I still stand behind my golden rule of security: the exploit comes before the patch. Although I suppose I can alter it a bit. The hole is there before the fix.
14. Re:At least they patched it by Anonymous Coward · 2009-11-20 00:53 · Score: 1, Interesting
  
  Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.
  I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.
  A true statement but not fully accurate. The reason they went to Patch Tuesday is, as you pointed out, at the request of their corporate users. What you don't point out is that the reason behind the request was because Microsoft was pushing out patches every time you turned around, in some cases daily. Some of these so called patches weren't just "fixes" but new functionality or functionality changes, not something addressing security vulnerabilities. Many times these functionality changes, and some of the security fixes, caused existing systems to stop working with no warning. This is why the corporate users really requested a scheduled patch system, they were tired of unexpected updates breaking the systems.
15. Re:At least they patched it by Anonymous Coward · 2009-11-20 00:56 · Score: 1, Insightful
  
  Then your distro is fucking retarded. The update mechanism in firefox can be and, on my distro is, disabled. File a bug report with your distro.
16. Re:At least they patched it by Anonymous Coward · 2009-11-20 01:02 · Score: 3, Informative
  
  Microsoft will release a patch "out of band" (not on patch Tuesday) when it is an emergency critical type issue. The others, they release on the same day so that corporations get the benefit of a single set of patches to look for and home users get all the patches with one reboot instead of a dribble of patches over the month, some of which require a reboot and some of which don't.
17. Re:At least they patched it by Anonymous Coward · 2009-11-20 01:05 · Score: 0
  
  Listen to some customers, thats right. If you have a customer base like the one MS have, you can probably excuse every move on customer request.
  If they had made their Update procedure a little more flexible, more customers might be happy.
18. Re:At least they patched it by genik76 · 2009-11-20 01:39 · Score: 0, Redundant
  
  The browser shouldn't be so insecure it has to be patched constanly in the first place. No, I don't have any suggestions how to do it better, but there must be a better way.
19. Re:At least they patched it by Rockoon · 2009-11-20 01:40 · Score: 1
  
  Yes this "small price to pay" works very well in an environment where everything must be *certified* before being deployed... oh wait... no, it doesn't. Its all fun and games until half of your employees can't perform their work because some dipshit deployed before testing.
  
  --
  "His name was James Damore."
20. Re:At least they patched it by FlyingBishop · 2009-11-20 01:55 · Score: 1
  
  Well, sure, but that's only because I have
  while [$TRUE]; do ; killall kitten; sleep 1; done;
  In my .xinitrc.
21. Re:At least they patched it by TheNinjaroach · 2009-11-20 01:57 · Score: 1
  
  In linux they push patches all the time, but a company (like the one I work for) can still screen and test them before they roll out.
  It works that way in the Windows world, as well. We have some kind of Windows Update server here that downloads all patches for all the flavors of Windows that we use. Then an administrator clicks approve for each patch and our local server pushes the updates to our Windows desktops and servers.
  
  --
  I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
22. Re:At least they patched it by naasking · 2009-11-20 02:06 · Score: 1
  
  I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.
  The customer is not *always* right...
  
  --
  Higher Logics: where programming meets science.
23. Re:At least they patched it by heffrey · 2009-11-20 02:30 · Score: 1
  
  I'm very appreciative of the patches. It's the endless flow of dialogs that I abhor. Why can't they update it all in the background? I just want to use my browser, NOW!
24. Re:At least they patched it by Gadget_Guy · 2009-11-20 02:30 · Score: 1
  
  Remember: the exploit always comes before the fix.
  That is not true. One easy way of finding security holes to exploit is to examine what gets fixed by patches. It shines a spotlight on the security hole and puts up a sign saying "hack me!".
  There are numerous examples of worms appearing after the official patch. There was the Sasser worm:
  
  The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.
  And the Blaster worm
  
  The worm spread by exploiting a buffer overflow discovered by the Polish cracking group [4] Last Stage of Delirium in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039.
25. Re:At least they patched it by cloudmaster · 2009-11-20 02:35 · Score: 1
  
  That extra semicolon between the "do" and "killall" (and lack of spaces between the test operator and condition - unless you have a binary named [$TRUE]) is a clever way to prevent X from starting as root, but it'd be easier to just not type startx at all. Putting syntax errors in the .xinitrc seems sketchy.
26. Re:At least they patched it by santax · 2009-11-20 02:36 · Score: 1
  
  Then maybe you should have a look at this: http://support.mozilla.com/en-US/kb/Updating+Firefox Although you probably also check the fuel and oil-level of your car and tire-pressure, just so you know you can have a safe ride. It's just standard maintenance and it is (unfortunately) needed. Hopefully there will come a time when all software is 100% safe out of the box. For now that is an utopia.
27. Re:At least they patched it by santax · 2009-11-20 02:47 · Score: 1
  
  You do realize that the ones patching those holes first had to confirm they existed? Sure, I agree with you when you say, some people write an exploit based on a patch. But that doesn't invalidate my comment.
28. Re:At least they patched it by j.sanchez1 · 2009-11-20 03:12 · Score: 1
  
  I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.
  I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.
  
  about:config, then search for "noscript.firstRunRedirection" and set it to false.
  
  --
  Speedy thing goes in; speedy thing comes out.
29. Re:At least they patched it by greed · 2009-11-20 03:47 · Score: 1
  
  Just out of curiosity, what files do you have that you care about which are NOT owned by your user account?
  All my photos, videos, music files, word processing and spreadsheet files, FileMaker databases (yes I'm old), source code, and so on are all owned by me.
  The stuff that's protected from my account is the stuff I can recover with the Fedora or Mac OS DVD and a visit to the appropriate patch site for updates.
  Of course, Time Machine, Retrospect, and cron+dumpe2fs make sure stuff I care about is in more than one place.
30. Re:At least they patched it by heffrey · 2009-11-20 04:22 · Score: 1
  
  I have my Firefox configured to automatically download and install updates. That's what I want. It's all the dialogs that go with that process that annoy me. I would love for FF to update itself silently without bugging me.
  I fully understand that software will never be 100% safe out of the box, I just don't want all the bloody nagging dialogs!
31. Re:At least they patched it by Anonymous Coward · 2009-11-20 04:22 · Score: 0
  
  Oh noes, its like a kitten genocide in here! :(
32. Re:At least they patched it by nametaken · 2009-11-20 04:26 · Score: 1
  
  The difference with an MS patch is more like we'd have known about it since 2007.
33. Re:At least they patched it by Carewolf · 2009-11-20 04:32 · Score: 1
  
  Not on your Linux installation, but in your own home directory.
  Yes, but this means any security updates or modifications that is done on system level is overrided by outdated versions in the users home directory. You can not have both, you either have controlled and maintained security or you have ad-hoc security randomly applied by users downloading and runing binaries of the internet.
34. Re:At least they patched it by klui · 2009-11-20 05:30 · Score: 1
  
  This means you need to run as administrator. My installs for my parents call for them being just Users and their installations don't get patched until I visit. Not an issue as I live relatively close by.
35. Re:At least they patched it by LeotheQuick · 2009-11-20 06:18 · Score: 1
  
  Wtf, modded insightful? I am the only one who recognized the sarcasm here!?
36. Re:At least they patched it by ascari · 2009-11-20 07:09 · Score: 1
  
  Mr. Ballmer, is that you?
37. Re:At least they patched it by heffrey · 2009-11-20 07:33 · Score: 1
  
  Surely it would be possible for software to apply security patches without requiring an interactive admin/root log-in? Windows manages to do this.
38. Re:At least they patched it by klui · 2009-11-20 11:25 · Score: 1
  
  Windows update is done by a system service running as Local System (higher privileges than Administrators). Apps like Firefox and Flash don't have this mechanism so it is a bit of an inconvenience for doing family remote support.
39. Re:At least they patched it by bollox4 · 2009-11-20 19:23 · Score: 1
  
  Oooh, you're one of those recent Linux converts. Would you like me to read from the Man pages aloud whilst you shout n00b every two minutes?
Bad day for goodle by Anonymous Coward · 2009-11-19 22:46 · Score: 0, Troll

Not a good day for google...first a OS that can only run web apps...completely rejected by the community...& now this...
1. Re:Bad day for goodle by surmak · 2009-11-20 04:52 · Score: 1
  
  Not a good day for google...first a OS that can only run web apps...completely rejected by the community...& now this...
  Didn't Apple say exactly the same thing about the iPhone when it first came out? Look where that platform is now. A active app development platform, and even a vibrant jailbreak community, for those who feel Apple is too restrictive.
I can't believe this by obarthelemy · 2009-11-19 22:53 · Score: 0, Flamebait

MS has security researchers ?
Don't they have anything better to do than nitpick with an addon that 0.001% of the user base has ?
Come on !

--
The Cloud - because you don't care if your apps and data are up in the air.
This is possible? by TheDarkMaster · 2009-11-19 22:53 · Score: 3, Funny

Internet Explorer less secure? This is really possible?

--
Religion: The greatest weapon of mass destruction of all time
1. Re:This is possible? by SnarfQuest · 2009-11-20 05:43 · Score: 1
  
  When you study the math of infinities, you will discover many amazing things.
  
  --
  Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
For the better good by Anonymous Coward · 2009-11-19 23:05 · Score: 0

Anything that helps this product improve ultimately helps that adoption of HTML5. Thank you, Microsoft! ;)
Awesome! by L4t3r4lu5 · 2009-11-19 23:07 · Score: 2, Insightful

Now, can you please fix the sanitiser in the IE8 output encoding?

So quick to point out mistakes in others software, but so slow to fix your own.

--
Finally had enough. Come see us over at https://soylentnews.org/
1. Re:Awesome! by hyfe · 2009-11-19 23:31 · Score: 1
  
  Blærg. Finding vulnerabalities is a good thing. Fixing them is even better.
  Microsoft just did a good thing. Google did too. The world just became a slightly better place.
  If we just fixed the rest of the softwarebugs, ended world hunger, fixed the environment and I got together with my ex (whom I still a miss even a year afterwards..I'm such a f***ing loser) the world be kinda ok.
  Smile :)
  
  --
  "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
2. Re:Awesome! by Anonymous Coward · 2009-11-19 23:39 · Score: 0
  
  So quick to point out mistakes in others software, but so slow to fix your own.
  Exactly. They are probably pissed by Google trying to invade their browser so they'll try hard to prove this plug-in is buggy/useless/whatever.
3. Re:Awesome! by Jeff+DeMaagd · 2009-11-20 00:41 · Score: 1
  
  That's the problem, IE and Windows has historically required numerous patches, it would be nice if MS would do better to get their software fixed first. Finding flaws in someone else's software is not something I want to see when they don't really have their own house in order yet.
4. Re:Awesome! by Antiocheian · 2009-11-20 00:45 · Score: 1
  
  Finding flaws in someone else's software is not something I want to see
  I don't think you really believe that. Personally, I'd value the published discovery of a flaw not matter who the discoverer is.
5. Re:Awesome! by Tim+C · 2009-11-20 02:27 · Score: 1
  
  So... you're saying that they should have sat on this until they'd fixed all outstanding issues in their own software?
  
  --
  It's official. Most of you are morons.
6. Re:Awesome! by L4t3r4lu5 · 2009-11-20 02:43 · Score: 1
  
  I'm saying they should have been concentrating on their own software in the first place, not being spiteful children and "getting them back" for showing up their rendering engine.
  
  It's the internet equivalent of calling Google a stinky poo face, because they drew a better dinosaur in Art class.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
7. Re:Awesome! by tool462 · 2009-11-20 07:01 · Score: 1
  
  Both Google and MS are being quite responsible about this. MS notices a bug, informs Google. Google fixes the bug, informs the world--and gives MS credit for finding it.
  The only spiteful child here is you.
8. Re:Awesome! by Anonymous Coward · 2009-11-20 09:19 · Score: 0
  
  Well said, but then again I wouldn't know. I stopped using Windows a long time ago.
  If you don't like M$ I suggest using alternatives. Walking with your $$ is the strongest incentive for change.
i can see it all now by Anonymous Coward · 2009-11-19 23:14 · Score: 1, Funny

Google makes IE less secure, users switch to real Chrome, google (somehow) profits!
I dub thee... by Anonymous Coward · 2009-11-19 23:16 · Score: 1, Funny

... the ``glass house'' security team. Stones complimentary from the house.
woah Microsoft has good eyesight by Anonymous Coward · 2009-11-19 23:28 · Score: 0

they can see the wood for the trees
huh by noob749 · 2009-11-19 23:41 · Score: 1

who didn't see this coming? :)
Question by Anonymous Coward · 2009-11-19 23:41 · Score: 0

Does MSIE suffer from this exploit?
They were right by TheRaven64 · 2009-11-19 23:55 · Score: 3, Insightful

The Chrome Frame was never a good idea for security. By making it opt-in for sites, like an other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.

--
I am TheRaven on Soylent News
1. Re:They were right by teknopurge · 2009-11-20 03:56 · Score: 1
  
  The Chrome Frame was never a good idea for security. By making it opt-in for sites, like an other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.
  Your common sense has no place on this board. Good day, sir.
  
  --
  Website Hosting
2. Re:They were right by Anonymous Coward · 2009-11-20 04:16 · Score: 0
  
  Sudo mod parent down
  
  To prove a point, I changed a few words in the parent's post. I think you can see why the parent is being rather narrow in their thinking and making gross generalizations:
  
  Cygwin was never a good idea for security. By making it opt-in for users, like an other software, it dramatically increased the attack surface of Windows. Now any attacker can exploit holes in Windows, holes in Cygwin, or holes coming from the interactions between the two. If you want the features of the Cygwin in a more secure package, use Linux.
3. Re:They were right by Anonymous Coward · 2009-11-22 16:27 · Score: 0
  
  Your alteration of the point of opt-in makes your version not compare to the original version at all in non-lexical senses, since the fact that users aren't the opt-in point for Chrome Frame is the most major part of the perceived problem.
  You're also equating Cygwin to both Chrome Frame and Chrome.
DOuble whammy from Google by argent · 2009-11-20 00:24 · Score: 3, Insightful

Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.
For example, FTA: "All users should be updated automatically,"
Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.
Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.
1. Re:DOuble whammy from Google by cloudmaster · 2009-11-20 02:39 · Score: 1
  
  Isn't that how MS wants you to configure windows update - so that a web page can trigger an update without your interaction? And isn't that an option in synaptic? And can't you turn the "silent updates" option off in all three of those situations? And aren't these rhetorical questions?
2. Re:DOuble whammy from Google by Anonymous Coward · 2009-11-20 02:54 · Score: 0
  
  I imagine any updates are cryptographically signed.
3. Re:DOuble whammy from Google by Anonymous Coward · 2009-11-20 04:34 · Score: 0
  
  Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.
  For example, FTA: "All users should be updated automatically,"
  Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.
  Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.
  I don't understand what you mean by "allows a web page to push an update on you".
  Google updater only updates Google products.
  http://code.google.com/p/omaha/wiki/CustomizingOmaha :
  "As is, the open source Omaha code on this site builds "Google Update". Google Update communicates with Google's update servers, which only support Google applications. The main difference between code compiled from this site and Google Update is the Authenticode signature and version number."
4. Re:DOuble whammy from Google by Tim+C · 2009-11-20 05:25 · Score: 1
  
  Isn't that how MS wants you to configure windows update - so that a web page can trigger an update without your interaction?
  No - there is a Windows service that runs and periodically phones home to check to see if there are any updates available. It has absolutely nothing whatsoever to do with a web page.
  You are probably thinking of the Windows (or Microsoft) Update website, which can't do anything automatically (you have to go there, and choose what you want to have installed), and which in any case is not used by any Windows OS from Vista onwards (which use a dedicated application, not a bunch of ActiveX controls on a web page).
  
  --
  It's official. Most of you are morons.
5. Re:DOuble whammy from Google by cloudmaster · 2009-11-20 09:21 · Score: 1
  
  The Windows Vista machine across the street requests this: http://www.update.microsoft.com/v9/windowsupdate/selfupdate/wuident.cab
  And my Windows 7 workstation requests these:
  http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab
  http://download.windowsupdate.com/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab
  Those are technically web pages, as is this one requested nightly by a bunch of Linux machines at my house:
  http://us.archive.ubuntu.com/ubuntu/dists/karmic-updates/multiverse/source/Sources.bz2
  None of those are in HTML format, but they're served via http from a web server - just like the Google updates. Also like the Google updates, the "update service" can be set to install updates found on those "web accessible pieces of data" (aka "web pages") with no user interaction.
  Google updater installs either the "google pack" (which is not a web page) or just Google software (also, not a web page). It can be configured: http://www.google.com/support/pack/bin/answer.py?hl=en&answer=46708 and works pretty much the same way as synaptic, windows update service, adobe updater, java updater, symantec live update, etc etc etc.
  They all work pretty much the same way. There's an initial setup - in which you chose what you want automatically installed - and then something that runs automatically thenceforth (is that a word?) and requests updates from a web site. If that site's hijacked, your DNS is comprmised, etc; there's varying levels of bad things which can happen.
6. Re:DOuble whammy from Google by argent · 2009-11-20 11:49 · Score: 1
  
  I don't understand what you mean by "allows a web page to push an update on you".
  I looked at the Javascript wrappers around the API that Google Update installs in your browser, and the process of querying the user whether they want to install the package or not is implemented in the Javascript. Their plugin will download and install a component without any user interaction if the web page asks it to. No matter how good their security, implementing it in this way does increase the surface are to attack.
  I do not see the benefit to implementing this functionality as a web plugin instead of a standalone application that performs all the verification and user interaction.
7. Re:DOuble whammy from Google by argent · 2009-11-20 11:51 · Score: 1
  
  But in all those cases the operation is triggered by an agent running on the local computer.
  Google Update installs a plugin that allows a web page to request the download and installation of a component on your computer without notification or authorization just by visiting that web page.
8. Re:DOuble whammy from Google by cloudmaster · 2009-11-23 17:12 · Score: 1
  
  That's what I suspected from the discussion. I looked briefly but couldn't find real confirmation one way or another on that - just people saying that's what it does and worrying (rightfully so if they're corect) about it. :)
9. Re:DOuble whammy from Google by argent · 2009-11-24 11:48 · Score: 1
  
  It's easy enough to see what it does. When Google Update opens a browser to perform the download, view the source of the web page it pulls up. Observe that the GU*() API allows it to trigger a download and install without user intervention.
10. Re:DOuble whammy from Google by cloudmaster · 2009-11-26 14:13 · Score: 1
  
  Yeah - but that's the update service requesting a web page (which presumably had my approval at some point), just like any other update service does. It's not the same thing as me navigating to, say, Slashdot.org and Slashdot triggering a download that installs some other program without my approval.
  I dunno - there's some disconnect here that one of us just isn't getting. :) I don't have either Google update service installed on either of my Windows machines, and the various Linux boxes don't use that junk, so I guess it doesn't matter...
This is just a temporary inconvenience by bbbaldie · 2009-11-20 00:24 · Score: 2, Funny

Once we end all of this open standards silliness, and get you to do your internet business with safe, secure ActiveX and .Net, security woes will be a thing of the past!
Re:That's a good thing! by Anonymous Coward · 2009-11-20 00:25 · Score: 0

of course competitors software gets more scrutiny than their own... it was their reverse engineering team (later to be dubbed MSVR) that noticed a bug when they were ripping it apart.....
Breaking news! by davidbrit2 · 2009-11-20 00:29 · Score: 4, Funny

We have early word that the security vulnerability goes by the name "Internet Explorer". Details are thin at this time, but we'll have more as the story develops. Janet, back to you in the studio.
Hell froze over! by agoliveira · 2009-11-20 00:39 · Score: 0, Troll

So Microsoft found a security problem in another company's software? Damn... maybe 2012 *is* real! The end is nigh!

--
Scientia est Potentia
Shut up? by blowdart · 2009-11-20 00:44 · Score: 5, Insightful

Microsoft didn't make any noise about this at all. The only reason you know MS discovered it was because google credited them in the update. So what exactly would shutting up do? Would you prefer them not to have told google at all perhaps?
1. Re:Shut up? by blind+biker · 2009-11-20 01:58 · Score: 4, Interesting
  
  Yeah. For once, this case was conducted in a civilized manner, much to my own surprise. Yes, I admit I am surprised, because I expected a slightly different modus operandi from a company like Microsoft, with a uber-competitive, testosterone-saturated corporate culture. This, for me, more than any other, is a proof that Microsoft is changing.
  
  --
  "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
2. Re:Shut up? by blowdart · 2009-11-20 02:16 · Score: 1
  
  Actually you'll find that most security flaws are treated like this, in order to give the vendor time to patch. It's part of the whole responsible disclosure credo. As an indication of how seriously MS take this they facilitated the disclosure of Kaminsky's DNS cache poisoning discovery. he was contracting there at the time. MS called all the major vendors, and hosted meetings in Redmond to kick the whole response off. He talked about it at Bluehat on 2008. Heck even Bluehat itself demonstrates something. They had speakers from Adobe and other "rivals" this year, and after about a month they put the session videos up and available to all for free.
3. Re:Shut up? by Anonymous Coward · 2009-11-20 04:05 · Score: 0
  
  Yeah. For once, this post was conducted in a civilized manner, much to my own surprise. Yes, I admit I am surprised, because I expected a slightly different modus operandi from a place like Slashdot, with a uber-competitive, testosterone-saturated geek culture. This, for me, more than any other, is a proof that Slashdot is changing.
... shipped a new version ... with a patch ... by l3v1 · 2009-11-20 00:51 · Score: 1

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

Case closed.

Makes you wish IE flaws were so short-lived.

--
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Microsoft Vulnerability Research. Very funny. by Anonymous Coward · 2009-11-20 00:57 · Score: 0

"...a security researcher in the Microsoft Vulnerability Research"
Well at least they realise that Chrome is a vulnerability to Microsoft. Sadly for them, I doubt this announcement will stop the profit leak.
theres a proverb by rossdee · 2009-11-20 00:57 · Score: 1, Insightful

about removing the log from your own eye before removing the mote from your neighbours eye.
1. Re:theres a proverb by Anonymous Coward · 2009-11-20 02:39 · Score: 0
  
  what?
2. Re:theres a proverb by mea37 · 2009-11-20 03:28 · Score: 1
  
  Not sure I've seen it phrased quite that way, but yes, there is. And it is completely inapplicable to this situation.
3. Re:theres a proverb by Torodung · 2009-11-20 03:33 · Score: 1
  
  Jesus FTW.
Delayed full disclosure by tepples · 2009-11-20 01:16 · Score: 3, Informative

Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.
The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.
1. Re:Delayed full disclosure by clone53421 · 2009-11-20 02:59 · Score: 1
  
  So delay the full disclosure...
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
2. Re:Delayed full disclosure by mea37 · 2009-11-20 03:21 · Score: 1
  
  ...because nobody looking at a patch could possibly be tipped off as to what that patch does.</sarcasm>
3. Re:Delayed full disclosure by clone53421 · 2009-11-20 03:28 · Score: 1
  
  They’d have to figure out what the original patched code did, not the patch. The patch would be a clue, sure, but mostly just telling you where to look.
  Good point, though. I hadn’t really considered that.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
4. Re:Delayed full disclosure by jonaskoelker · 2009-11-20 04:39 · Score: 1
  
  The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.
  Delaying the patch really doesn't help against independently discovered vulns. People might be already exploiting it.
No wonder by Exitar · 2009-11-20 01:19 · Score: 1, Troll

that MS cannot find bugs in their products if they spend all the time looking for vulnerabilities in competitors products.
It's called WSUS by gravyface · 2009-11-20 01:32 · Score: 1

You can tell WSUS to queue up and wait for approval before rolling any patches out -- the rest of us can get our patches when they're ready.

--
body massage!
1. Re:It's called WSUS by dave562 · 2009-11-20 07:13 · Score: 1
  
  Although even with WSUS, the server only gets the patches on patch Tuesday along with everyone else. You don't get patches any earlier just because you are running WSUS. Where I work we only have about twenty servers so we let the servers download their patches with Automatic Updates and prompt for install. That way we're sure that the servers get all the patches that they need. The 100+ workstations are managed with WSUS.
so what's "chome"? by patsw · 2009-11-20 01:48 · Score: 1

What's "chome"? "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users..."
http://threatpost.com/en_us/blogs/microsoft-finds-security-flaw-google-chrome-frame-111909
original post
I wonder how much time & money by goffster · 2009-11-20 02:24 · Score: 1

I wonder how much time & money they invested in finding a google bug than their own software?
My guess is more than the entire budget allowed for IE6.
1. Re:I wonder how much time & money by siyavash · 2009-11-20 03:25 · Score: 1
  
  Idiot.
This story should have been titled... by Dammital · 2009-11-20 02:30 · Score: 4, Insightful

... Microsoft security researcher confirms advantages of open source transparency
1. Re:This story should have been titled... by nametaken · 2009-11-20 04:34 · Score: 3, Insightful
  
  Wow, congrats man... changing "MS finds security flaw in Google Chrome Frame" to "Microsoft security researcher confirms advantages of open source transparency" is a spin worthy of Fox News. You might have a future in public relations. :)
Really? by celt63 · 2009-11-20 02:41 · Score: 2, Informative

Perhaps MS should be more concerned about their own protocols.
"Most secure Os ever;
What ever your firewall is set to, you can get remotly smashed via IE or even via some broadcasting nbns tricks (no user interaction)
How funny."
http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
What does this mean to us? by b4dc0d3r · 2009-11-20 02:58 · Score: 1

More likely, someone at a management meeting said "What does this mean to us?" and no one had an answer, so someone with that responsibility said "I'll form a team to go look at it." He got together with his highly paid coworkers over a 3 hour power lunch with martinis and found someone who wouldn't blink during the "I don't have funding or responsibility in this area" game, and assigned the investigation to them.
This person asked his team to conduct a technical review of the implementation, and in the process the team found a potential security risk.
That sounds more like big business operation to me, from a fortune <15 employee. Microsoft was #44 in 2008, so probably operates like big business.
Less likely is "Let's spend money on highly paid technical folks looking for ways to make a headline people will forget in a week." Possible, but less likely.
tally 1000+ plus in windows/IE; 2 in Chrome? by peter303 · 2009-11-20 03:38 · Score: 1

I'm sure more in Chrome will appear in upcoming months. But MS is hardly blameless in criticising another another company's security.

In the long runt his constant bitching will make both products stronger.
Re:they do by thePowerOfGrayskull · 2009-11-20 04:02 · Score: 1

And this story once again proves that MS could improve its public image instantly with one simple statement. SILENCE. MS, really, hire a lawyer as your public relations advisor. A good lawyer who always tells his clients to "SHUT THE FUCK UP".
I had just about forgotten about all the bugs in MS software... and this made me remember the entire long list of highly exploitable bugs unpatched for months or even years. Great job.
Of course, if you read TFA, you'd see that it was Google who credited Microsoft with finding the issue. I saw nothing that indicates MS publicized or announced the issue in any way.
In Soviet Russia... by Anonymous Coward · 2009-11-20 05:43 · Score: 0

In Soviet Russia, Microsoft finds your bugs!
Desktop = Corporate WarZone. by miknix · 2009-11-20 05:45 · Score: 1

Seems to me that some computer desktops are starting to be a corporate warzone.
In other words: *All your desktop are belong to us*
Mod Parent Up, Grandparent Down by Crazy+Taco · 2009-11-20 06:00 · Score: 2, Informative

Clearly this person has no clue as to what ASP is.
Absolutely true. As a web-developer, let me clue you (the grandparent) in... ASP is a server side programming language used to create HTML based web pages on the fly. It is exactly the same kind of technology as PHP... it's on the server and, and the client has no knowledge of it. All it gets is HTML, and it doesn't care whether it was static or created by PHP or ASP on the fly.
And just to add to the chorus, I have viewed many a webpage that was generated by ASP using firefox.

--
Beware of bugs in the above code; I have only proved it correct, not tried it.
Re:That's a good thing! by Anonymous Coward · 2009-11-20 06:22 · Score: 1, Insightful

MSVR is dedicated to finding security issues in THIRD PARTY systems that are in common use today in a bid to improve the overall effective security of the windows platform.
The reason should be pretty obvious.. Whatever the source of the expliot its ALWAYS Microsofts fault even if the expliot leverages a defect in third party software not written by MS.
Whenever windows crashes its ALWAYS Microsofts fault when in reality anyone whos looked at the data knows that crashes come from poor quality of driver software MS did not write and hardware issues such as bad memory, flaky power/PSUs and poor HW design (glitching..etc)
If you look at the general quality space MS has launched a number of initiatives over the years aimed at improving third party code quality and problem detection. Most visibly the WHQL program and online crash analysis.
Now is MS going after google chrome because the two companies don't get along? .. thats quite possible. Whatever the motive there is no excuse for any company to be releasing code with security vulnerabilities.
But how was it communicated to Google? by niftymitch · 2009-11-20 18:31 · Score: 1

How did MS communicate the bug to Google?
Were they polite and inform Google so that the issue could be addressed in a timely update or was it communicated in a public way enabling hackers to race google in an exploit .vs. patch race.

--
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.